Ever since the first news of Equifax’s data breach broke, savvy plaintiff’s lawyers around the country have wasted no time in filing a myriad of class action lawsuits. Following Equifax’s disclosure on September 7, 2017 that it had been the target of a data security incident that resulted in the criminal unauthorized access of the personally identifiable information of approximately 143 million U.S. consumers, class action lawsuits, with the potential to earn plaintiffs’ lawyers massive attorney’s fees, have sprung up in every state. Over 340 class actions have been filed already. Itis not difficult to understand why.
The playbook for such consumer class actions is fairly straight forward for the plaintiff’s bar as all one need do is find a viable client to serve as a class representative for one’s state and win the race to the courthouse. Once filed, the odds are high that the case will be removed to federal court, if not filed there already, and that the Judicial Panel on Multidistrict Litigation will determine that the many suits filed around the country should be centralized in one federal district court. The official basis of the transfer of the many suits to one federal court under 28 U.S.C. § 1407 is the need for “coordinated or consolidated pretrial proceedings” only, but very few cases are remanded back to their original federal courts for trial once multidistrict litigation (or MDL) commences, as global settlements are typically achieved.
Those global settlements promise handsome attorney’s fees for plaintiff’s lawyers (even if the awards to the consumers are sometimes less enviable), but the prospect of those fees for the Equifax MDL now pending before Judge Thomas Thrash in the U.S. District Court for the Northern District of Georgia may be in jeopardy if state attorney generals decide to jump into the fray to protect consumers themselves. Earlier this month, Suffolk County Superior Court Judge Kenneth Salinger denied a motion by Equifax to dismiss a lawsuit filed by Massachusetts Attorney General Maura Healy to recover for purported breaches of the state’s data security regulations.
Rejecting the standard argument that data breach victims have no Article III standing unless they establish their stolen data was actually misused, Judge Salinger concluded that “The Attorney General, unlike a private litigant…is required only to prove that unfair or deceptive acts or practices took place in trade or commerce; she is not require to prove or quantify resulting economic injury” and “is not required to allege or prove that any individual consumer was actually harmed.” Judge Salinger’s ruling is a vast departure from the ordinary requirement that an “injury in fact” that is “fairly traceable” to the data theft be demonstrated.
State regulators, unlike class action plaintiff’s lawyers, can often claim statutory penalties for violation of state law and it may well be the case that state attorney generals, if truly immune to the Article III standing arguments, may offer consumers their best opportunity for relief. Equifax is already under investigation by at least 40 state attorney generals and, just last week, West Virginia Attorney General Patrick Morrisey also filed suit against Equifax on behalf of consumers in his state. Morrisey is seeking $150,000 for each security breach and $5,000 for each violation of the state’s Consumer Credit and Protection Act, as well as reimbursement for all fees and costs related to the state’s litigation.
It is doubtful that the Equifax MDL will be stayed in favor of the data breach suits being filed by state attorney generals now that the ball is already rolling, but it is likely that this heightened interest by regulators will weigh heavy on the final global settlement to be approved by Judge Thrash nonetheless. Under the Class Action Fairness Act (CAFA), 28 U.S.C. §1715, notice of “a proposed settlement of a class action” must be provided to the “appropriate State official of each State in which a class member resides” and the settlement cannot be approved by the court if the proper notice has not been issued. While it is certainly true that not all settlements come under scrutiny from the recipients of CAFA notification, high profile cases often do, and, here, state attorney’s generals will be paying particular attention to the scope of the liability releases, the payouts to class members in their state, and how those payouts fare in comparison to the attorney’s fees earned by the class action plaintiffs’ lawyers.
For a recent example of this dynamic in play, one need look no further than the dispute that erupted between Maryland Attorney General Brian Frosh and class action plaintiffs’ lawyers over lead paint settlements in our neck of the woods just last July. Outraged by what amounted to an average payout of $7,500 for each lead-paint victim, Frosh intervened to demand a stay and a more equitable settlement that placed attorney’s fees under a far brighter spotlight. While that outcome is not certain to repeat itself in the Equifax MDL, the likelihood appears to be far higher than it did just a month ago. Stewards of sensitive data and consumers alike should continue to watch as these cases playout across the country.
Kambon “Kam” Williams represents insurers in administrative, regulatory, general tort and flood actions. He has extensive experience in complex commercial litigation, state and federal mass tort/class actions and a number of federal multi-district class actions. Kam’s cybersecurity litigation experience includes serving as chief architect and lead counsel in Bert Glaser v. AT&T, Inc. et al., Case No. 1:12-cv-00166 and Laura Maguire et al. v. Facebook, Inc., Case No. 5:12-cv-00807 both of which were class action suits involving, among other issues, whether any cyber liability insurance carried by any potential defendant could be triggered by the alleged statutory privacy and wiretap violations. Kam regularly monitors cyber liability issues, primarily in the insurance field context. He can be reached at 410-769-6142 or firstname.lastname@example.org.