January 28, 2019

U.S. District Chief Judge Thomas Thrash Jr.'s ruling called the 2017 data breach “unprecedented.”

A string of consolidated lawsuits against Atlanta-based Equifax stemming from a 2017 data breach that affected more than 146 million consumers may go forward, the chief judge of the U.S. District Court for the Northern District of Georgia ruled Monday.

Calling the data breach that affected nearly half the U.S. population “unprecedented,” Chief Judge Thomas Thrash Jr. largely rejected arguments by Equifax lawyers that he dismiss pending lawsuits filed on behalf of consumers whose personal and financial information was exposed, and financial institutions that issued debit or credit cards to affected customers and were then faced with helping customers clean up the resulting mess.

. . .

The breach, which extended over nearly three months in 2017, “was also severe in terms of the type of information that the hackers were able to obtain,” Thrash wrote. “The hackers stole at least 146.6 million names, 146.6 million dates of birth, 145.5 million Social Security numbers, 99 million addresses, 17.6 million driver’s license numbers, 209,000 credit card numbers, and 97,500 tax identification numbers.”

In an 80-page order addressing claims by 96 people on behalf of a proposed class of all consumers whose data was exposed, Thrash concluded that, based on facts alleged in the complaints, “Equifax owed the plaintiffs a duty of care to safeguard the personal information in its custody.” That duty “arises from the allegations that the defendants knew of a foreseeable risk to its data security systems but failed to implement reasonable security measures.”

The complete article can be accessed here.