Within the past few years, large-scale data breaches have frequently made headlines. Consequently, civil actions arising therefrom have followed—making data breach litigation a more common occurrence in the U.S.
Due to the growth of this legal field, we’ve highlighted four of the nation’s high-profile data breach cases.
(1) In re Equifax
Equifax is one of the three largest consumer credit reporting agencies in the United States, with annual revenue of over $3 billion. In late 2017, the company announced its systems had been breached and that sensitive data of approximately 148 million Americans was compromised, which included names, home addresses, phone numbers, dates of birth, social security numbers and driver’s license numbers. Additionally, it was reported that over 200,000 consumers’ credit card numbers were exposed.
Following the breach, Equifax became the target of several lawsuits and a governmental investigation.
In U.S. District Court for the Northern District of Georgia, a proposed class of consumers, payment card issuers and investors brought a securities action against the company alleging fraud, negligence and other claims arising from the breach. In late January, the plaintiffs’ complaint survived Equifax’s motion to dismiss. The same court is charged with overseeing a multidistrict litigation stemming from the breach, which involves, among other things, negligence claims of consumers and financial institutions.
In March 2019, the Senate Homeland Security Investigation Subcommittee found that Equifax was aware of cyber security weaknesses for several years before the breach occurred. In addition, the House Committee on Oversight released a report in December 2018, which found that this specific security breach was wholly preventable.
The cases are: In re; Equifax Inc. Securities Litigation, Case No. 1:17-cv-03463 and In re: Equifax, Inc., Case No. 1:17-md-02800, each in the U.S. District Court for the Northern District of Georgia.
(2) Hymes et al v. Earl Enterprises
On March 29, 2019, Earl Enterprises announced that it had become aware of a data breach that compromised customer credit card information at about 100 restaurant locations, most of which were Buca di Beppo, Planet Hollywood and Earl of Sandwich chains. The company reported the breach involved transactions between May 23, 2018, and March 18, 2019.
Husband and wife, Saul Hymes and Ilana Harwane-Gidansky, on behalf of themselves and those similarly situated, filed a proposed class action on April 3, 2019, against Earl Enterprises in the U.S. District Court for the Middle District of Florida, alleging negligence, unjust enrichment and violation of Florida’s Deceptive and Unfair Trade Practices Act. Plaintiffs alleged the company failed to comply with industry standards, leading to a breach of more than two million credit card numbers. Further, in addition to failing to prevent the breach, the plaintiffs claim that the company was unable to detect the breach for ten months.
The case is: Hymes et al. v. Earl Enterprises Holdings Inc., Case No. 6:19-cv-00644, in the U.S. District Court for the Middle District of Florida.
(3) Edoff v. T-Mobile
On August 20, 2018, T-Mobile announced hackers gained access to approximately two million of its customers’ personal information, including names, billing zip codes, phone numbers, e-mail addresses, account numbers and account types. Fortunately for T-Mobile, the hackers were unable to breach more sensitive information such as financial data, social security numbers or passwords.
In October 2018, Chad Edoff filed a proposed class action claiming that T-Mobile failed to protect its customers’ data, including his own. T-Mobile moved to remove the case from state court to federal court in December, asserting that size of the Maryland class was potentially tens of thousands of individuals and the damages at stake surpassed the $5 million amount in controversy threshold necessary for federal jurisdiction.
On April 2, 2019, U.S. District Judge Ellen L. Hollander agreed with the company and held the case should continue to reside in federal court.
The case is Edoff v. T-Mobile Northeast LLC et al., Case No. 1:18-cv-03777, in the U.S. District Court for the District of Maryland.
(4) In re Yahoo
The well-known internet service company, Yahoo Inc., suffered multiple data breaches from 2013 to 2016 that it did not make known to the public until 2016. Yahoo originally claimed the breaches affected somewhere near one billion accounts, but in October 2017, it disclosed that the breach that occurred in 2013 affected every single account that existed at the time, over three billion in total. The company stated that an unauthorized party stole data such as users names, e-mail addresses, telephone numbers, dates of birth, passwords and, in some cases, individual’s security questions.
Shortly after the 2014 breach was announced, a class action lawsuit was filed in the U.S. District Court for the Northern District of California, concerning allegations that Yahoo failed to protect consumer information and did not provide timely, accurate or adequate notice of the breach.
The parties in the litigation agreed to resolve the case for a value of approximately $50 million. The proposed class included all U.S. and Israeli residents and small businesses with Yahoo accounts active between 2012 and 2016. However, on January 29, 2019, Judge Lucy Koh rejected the settlement, finding that it was not fundamentally fair, accurate and reasonable.
In early April, Yahoo agreed to a revised settlement with the plaintiffs for $117.5 million. This proposed settlement is comprised of $55 million for claimants’ out-of-pocket expenses and other costs, $24 million for two years of credit monitoring, up to $30 million for legal fees and up to $8.5 million for expenses.
The case is In re Yahoo Inc. Customer Data Security Breach Litigation, Case No. 5:16-md-02752, in the U.S. District Court for the Northern District of California.