October 19, 2019

October 18, 2019

Subscribe to Latest Legal News and Analysis

October 17, 2019

Subscribe to Latest Legal News and Analysis

October 16, 2019

Subscribe to Latest Legal News and Analysis

FCRA Claims Dismissed in Massive Equifax Data Breach Case

Yesterday, the District Court for the Northern District of Georgia granted a motion to dismiss FCRA claims in a case involving one of the largest data breaches in history.

In the summer of 2017, Equifax’s systems were hacked repeatedly over the course of several weeks. During that time, hackers stole personal information for nearly 150 million Americans, about half of the US population. Among the data stolen were names, birth dates, Social Security Numbers, addresses, credit card information, and other sensitive material.

Victims of the hack, a putative class of consumers whose personal information was stolen during the data breach, filed suit against Equifax, alleging that they were harmed as a result, are subject to becoming victims of fraud, and were forced to expend time and resources monitoring their accounts and preventing fraud, among other things. The class asserts federal and state claims and also seeks injunctive and declaratory relief.

Among the claims brought, the plaintiffs allege that the Defendants violated FCRA by furnishing Class members’ consumer reports in violation of section 1681b of the FCRA, failing to maintain reasonable procedures designed to limit the furnishing of Class members’ consumer reports to permitted purposes, and failing to take adequate security measures that would prevent disclosure of Class members’ consumer reports in violation of section 1681e of the FRCA.

The Court disagreed.

In a lengthy decision, the District Court for the Northern District of Georgia dismissed Plaintiffs’ FCRA claims. The judge noted, first, that Equifax did not “furnish” Class members’ consumer reports. Although the statute does not define what it means to “furnish” a report, courts have held that information that is stolen from a credit reporting agency is not “furnished” within the meaning of the FCRA. The Court also found that the personal information stolen was not a “consumer report” within the meaning of FCRA. Hackers did not obtain credit files but, rather, “legacy data.” That is, the information did not bear on the user’s credit worthiness. While the Plaintiffs argued that the information could be used to bear on a person’s creditworthiness, the Court found that position unpersuasive. Finally, the Court found that Plaintiffs’ claims under section 1681e must fail because their 1962b claim was subject to dismissal. 1681e claims, which allege that a reporting agency violated the “reasonable procedures” requirement of section 1681e, must first show that the reporting agency released the report in violation of section 1681b.

While Plaintiffs’ FCRA claims were dismissed, the Court denied Equifax’s motion to dismiss many of the remaining causes of action.

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Thomas M. Cull, Womble Carlyle, mid market corporations lawyer, limited liability companies attorney

As a member of the firm’s business litigation practice group, Thomas represents mid-market corporations, limited liability companies, and other business entities in commercial disputes involving claims for breach of contract, civil RICO, fraud, and breach of warranty, among others. He also frequently works on matters involving financial services and product liability litigation.

Thomas also works closely with clients throughout the appeals process. His corporate clients benefit from his experience working with the Innocence Project, a non-profit...

864-255-5442