Equifax could get away with paying a mere $1 per person after failing to protect almost half of America's credit data.
While the 118-year-old credit-reporting firm has been hit with more than 100 consumer lawsuits over its massive security breach, legal experts say there's room for a deal because neither side has a slam-dunk case.
A global settlement of about $200 million is plausible, said Nathan Taylor, a cybersecurity lawyer with Morrison Foerster in Washington. That's a projection based on the $115 million Anthem Inc. agreed to pay in June — setting a U.S. record — to resolve claims that it didn't protect a smaller number of people from a 2015 criminal hack that stole similarly sensitive information, Taylor said.
With lawyers collecting as much as a third of any payout, the company may end up spending an average of less than $1 per person for credit monitoring and out-of-pocket expenses for 143 million Equifax consumers whose data was compromised.
That's a good deal for the embattled credit reporting company as its exposure theoretically could amount to $143 billion under a federal law that carries damages of as much as $1,000 per violation, plus punitive damages.
Equifax faces additional uncertainty around suits and investigations by state attorneys general and the Federal Trade Commission, as well as claims by financial institutions. On top of that, the Justice Department is said to have opened a criminal probe into whether top officials at the company violated insider trading laws when they sold stock before Equifax disclosed that it had been hacked.
Amid all the negative publicity, the company may relish a chance to put at least one legal headache behind it sooner rather than later. As of Tuesday, shares had fallen 30 percent since the hack was disclosed Sept. 7, and company officials now face calls to testify before Congress.
"It's a dirty little secret, but a lot of defendants welcome these lawsuits," said Robert Schwartz, a lawyer with Irell & Manella in Los Angeles. "They will kick up some dust but, with a sensible settlement, the problem goes away. That is the end game."
Representatives of Equifax didn't respond to a request for comment on the consumer lawsuits.
For consumers — or more precisely, their attorneys — a modest settlement would avoid the risk of winning nothing if no actual harm from the hack can be definitively traced back to the company.
With frequent high-profile hacks in recent years, it's virtually impossible to connect a specific instance of identity theft to a particular breach, according to Taylor of Morrison Foerster.
"If you want to buy my social security number on the Dark Web, you can probably get it from numerous sources," Taylor said.
A deluge of cases has been filed in federal courts in California, Georgia, New York and other states against Atlanta-based Equifax, accusing it of violating the U.S. Fair Credit Reporting Act. The FCRA is intended to ensure that the information Equifax and its competitors provide is accurate and kept private.
While the penalties could quickly add up to billions, previous data-breach lawsuits have settled for a fraction of that amount, Taylor noted.
Home Depot last year reached a $19.5 million settlement with consumers over a hack that exposed payment information of 56 million customers. Target a year earlier settled with consumers over its data breach for $17 million, which included almost $7 million for attorney fees.
Anthem's data breach compromised social security numbers, birth dates and other information of 78.8 million people and its settlement ended class actions filed in several states. A judge gave preliminary approval to the accord in August.
The U.S. Supreme Court last year put the brakes on FCRA claims when no concrete injury is alleged. In a case brought by an unemployed Virginia man over a profile on a people search website that inaccurately stated he had a graduate degree, a spouse and "very strong" economic health, the Supreme Court said not every statutory violation of the FCRA is sufficient to sue.
Regional appeals courts are still sorting out how the high court's decision applies to other cases in which there is a dispute over whether a plaintiff suffered actual harm.
In the Equifax lawsuits, the absence of any actual identity theft or other loss could become an obstacle to sue under the FCRA, according to Schwartz of Irell & Manella.
"The problem with these claims is that the only thing that has happened is the breach," Schwartz said in a telephone interview. "If there's no harm, federal judges have no jurisdiction."
That outcome was typical of early cases, including one dismissed against Barnes & Noble Inc. over a 2012 security breach that compromised customer credit and debit cards at 63 stores across the U.S.
But over time, some courts have taken a broader view of what constitutes harm and have allowed consumers subject to account freezes and other expenses to proceed with claims. That's what happened in the litigation on behalf of tens of millions people affected by the Target breach. The judge's refusal to dismiss the lawsuit a year after the hack was disclosed in 2013 gave the consumers leverage for the settlement that was reached months later.
At least one lawyer suing Equifax on behalf of consumers disputes the notion that they haven't suffered actual harm and may lack standing to sue.
"The notion that no one is harmed yet is premature," said Andrew Friedman, with Cohen Milstein Sellers & Toll in Washington. "People already have out-of-pocket damages for additional credit monitoring and for credit freezes. We don't know what's happening with the data."
Friedman represents a group of plaintiffs in a case filed Sept. 8 in Atlanta who accused Equifax of acting negligently and violating District of Columbia consumer protection law as well as the FCRA. Any settlement with Equifax would have to include many years of credit monitoring for consumers because the stolen data could be misused years from now, he said.
"The security risk goes beyond the potential for identity and credit theft for nearly half of the U.S. population: it also poses a possible national security threat, as personal information of governmental employees useful for cyberwarfare will be available on the Dark Web for years to come," Friedman and other lawyers said in a Sept. 12 request to have the lawsuits consolidated before a federal judge in Atlanta.
Equifax probably will try to get some of the consumers' claims dismissed or scaled back by a judge before negotiating a settlement, a process that may take as long as three years, according to Taylor.
"There's not a chance they are going to litigate this to the end," Taylor said. "Do you really want to litigate against 50 percent of the county?"