State AG’s Equifax case may portend big problems for data breach defendants


(Reuters) - We may be on the verge of a breakthrough in data breach litigation. A state judge in Massachusetts ruled Wednesday that the Massachusetts Attorney General can move forward with a potentially gigantic data breach case against the credit reporting firm Equifax. The AG, Maura Healey, is asking for statutory damages under Massachusetts consumer and data security law on behalf of every state resident whose private information was exposed when hackers broke into Equifax’s systems – regardless of whether the breach actually injured any consumers.

The breadth of the Massachusetts AG's potential damages is what makes this case so important. Equifax’s lawyers at Choate, Hall & Stewart had argued (among many other things) that the AG can’t wield the state consumer protection law, which prohibits businesses from making false, deceptive or unfair claims, without showing anyone was harmed by Equifax’s supposedly false assurances about data security. But Judge Kenneth Salisbury of Suffolk County Superior Court said that argument failed. “The Attorney General, unlike a private litigant … is required only to prove that unfair or deceptive acts or practices took place in trade or commerce; she is not required to prove or quantify resulting economic injury,” the judge wrote. “She is not required to allege or prove that any individual consumer was actually harmed.”

Regulators, in other words, can impose much more pain on data breach defendants than consumers suing in private class actions. Here’s why: Several federal appellate courts (though not all of them) have ruled in recent years that consumers can sue over data breaches simply because the exposure of their confidential information heightens their risk of identity theft. But when it comes to collecting damages, consumers in private class actions have generally focused on actual economic costs, demanding repayment for the time and expense of monitoring and repairing their credit records. For the most part, data breach class actions have settled for relatively small amounts of money, even if the breaches affected millions of consumers. I’ve said before that in the long run, class actions probably aren’t the best route to redress for data breach victims, or the best way to incentivize companies to make sure data is safe.


Return to News