While the 118-year-old credit-reporting firm has been hit with more than 100 consumer lawsuits over its massive security breach, legal experts say there’s room for a deal because neither side has a slam-dunk case.

Share story

Equifax could get away with paying a mere $1 a person after failing to protect almost half of America’s credit data.

While the 118-year-old credit-reporting firm has been hit with more than 100 consumer lawsuits over its massive security breach, legal experts say there’s room for a deal because neither side has a slam-dunk case.

A global settlement of about $200 million is plausible, said Nathan Taylor, a cybersecurity lawyer with Morrison Foerster in Washington, D.C. That’s a projection based on the $115 million Anthem agreed to pay in June — setting a U.S. record — to resolve claims that it didn’t protect a smaller number of people from a 2015 criminal hack that stole similarly sensitive information, Taylor said.

With lawyers collecting as much as a third of any payout, the company may end up spending an average of less than $1 per person for credit monitoring and out-of-pocket expenses for 143 million Equifax consumers whose data was compromised.

Component post 10516426 could not be found.

That’s a good deal for the embattled company as its exposure theoretically could amount to $143 billion under a federal law that carries damages of as much as $1,000 per violation, plus punitive damages.

Equifax faces additional uncertainty regarding lawsuits and investigations by state attorneys general and the Federal Trade Commission, as well as claims by financial institutions, shareholders — and as of Tuesday — small-business owners. On top of that, the Justice Department is said to have opened a criminal investigation into whether top officials at the company violated insider-trading laws when they sold stock before Equifax disclosed it had been hacked.

Amid all the negative publicity, the company may relish a chance to put at least one legal headache behind it sooner rather than later. As of Tuesday, Equifax shares had fallen 30 percent since the hack was disclosed Sept. 7, and company officials now face calls to testify before Congress.

“It’s a dirty little secret, but a lot of defendants welcome these lawsuits,” said Robert Schwartz, a lawyer with Irell & Manella in Los Angeles. “They will kick up some dust but, with a sensible settlement, the problem goes away. That is the endgame.”

Equifax said in a statement Wednesday, “We cannot comment on pending litigation, but we remain focused on helping our customers, as well as their employees and consumers, to navigate this situation.”

For consumers — or more precisely, their attorneys — a modest settlement would avoid the risk of winning nothing if no actual harm from the hack can be definitively traced back to the company.

With frequent high-profile hacks in recent years, it’s virtually impossible to connect a specific instance of identity theft to a particular breach, according to Taylor of Morrison Foerster.

“If you want to buy my Social Security number on the dark web, you can probably get it from numerous sources,” Taylor said in a phone interview.

A deluge of cases has been filed in federal courts in California, Georgia, New York and other states against Atlanta-based Equifax, accusing it of violating the U.S. Fair Credit Reporting Act (FCRA).

The law is intended to ensure that the information Equifax and its competitors provide is accurate and kept private.

Small-business operators added their own complaint to the mix Tuesday, with a class action in Atlanta federal court alleging the breach could cripple access to small-business credit by damaging the linked credit of the individual who owns the enterprise.

The plaintiffs include real-estate companies and a law firm.

While the penalties from FCRA claims could quickly add up to billions, previous data-breach lawsuits have settled for a fraction of that amount, Taylor noted.

Home Depot last year reached a $19.5 million settlement with consumers over a hack that exposed payment information of 56 million customers.

Target a year earlier settled with consumers over its data breach for $17 million, which included almost $7 million for attorney fees.

Anthem’s data breach compromised Social Security numbers, birth dates and other information of 78.8 million people, and its settlement ended class actions filed in several states. A judge gave preliminary approval to the accord in August.

The U.S. Supreme Court last year put the brakes on FCRA claims when no concrete injury is alleged. Regional appeals courts are sorting out how the high court’s decision applies to other cases in which there is a dispute over whether a plaintiff suffered actual harm.

In the Equifax lawsuits, the absence of any actual identity theft or other loss could become an obstacle to sue under the FCRA, according to Schwartz of Irell & Manella.

“The problem with these claims is that the only thing that has happened is the breach,” Schwartz said in a telephone interview. “If there’s no harm, federal judges have no jurisdiction.”

Some courts have taken a broader view of what constitutes harm and have allowed consumers subject to account freezes and other expenses to proceed with claims.

That’s what happened in the litigation on behalf of tens of millions people affected by the Target breach. The judge’s refusal to dismiss the lawsuit a year after the hack was disclosed in 2013 gave consumers leverage for the settlement that was reached months later.

At least one lawyer suing Equifax on behalf of consumers disputes the notion that they haven’t suffered actual harm and may lack standing to sue.

“The notion that no one is harmed yet is premature,” Andrew Friedman, with Cohen Milstein Sellers & Toll in Washington, said in a phone interview.

“People already have out-of-pocket damages for additional credit monitoring and for credit freezes. We don’t know what’s happening with the data,” Friedman said.

Equifax probably will try to get some of the consumers’ claims dismissed or scaled back by a judge before negotiating a settlement, a process that may take as long as three years, according to Taylor.

“There’s not a chance they are going to litigate this to the end,” Taylor said. “Do you really want to litigate against 50 percent of the county?”