[B]URLINGTON — Two Vermont women have filed a federal lawsuit against Equifax over its massive data breach that put private financial records in peril for at least 143 million Americans this summer.
Shirley Cole, who has lived in Ascutney for several years, along with Sandra Barrett, of Highgate Center, filed the lawsuit seeking unspecified compensatory damages and restitution from the massive consumer credit reporting agency.
The Windsor and Franklin County women also are asking a judge in U.S. District Court in Rutland to declare the case a class action lawsuit to include all other Vermonters similarly affected by the breach. As of Sept. 30, there have been more than 240 class action lawsuits filed nationwide against the company since it reported the breach earlier in September.
Vermonters have been placed “at an imminent, immediate and continuing increased risk of harm from identity theft and identity fraud,” the two women note in the lawsuit.
Equifax, including co-defendant Equifax Information Services, failed to alert millions of Americans about the data breach until Sept. 7 — about six weeks after the company became aware of the major incident, the plaintiffs maintain. They said the breach began in May and was uncovered on July 29.
The multi-billion dollar corporation based in Atlanta responded to the lawsuit with a statement through a spokeswoman last week.
“We cannot comment on pending litigation, but want to reassure consumers that we are remaining focused on helping them to navigate this situation and provide the best customer support possible. We are listening to issues consumers have experienced and their suggestions, which are helping to further inform our actions as we continue to improve this process,” the Equifax statement said.
In a quarterly filing with the Securities and Exchange Commission on Sept. 30, Equifax painted a bleak picture. While the company is taking steps to remediate the breach, the problem could happen again, it said.
The company, in the filing, wrote, “We cannot assure that all potential causes of the incident have been identified and remediated and will not occur again. Because our products and services involve the storage and transmission of personal information of consumers, we will continue to be routinely targeted by outside third parties, including technically sophisticated and well-resourced bad actors attempting to access or steal the data that we store.”
It goes on to say, “If we experience additional breaches of our security measures, sensitive data may be accessed, which could cause us significant additional legal and financial exposure and damage to our reputation that could have a material adverse effect on our business.”
The company will need to file a written response to the lawsuit by early next month.
The stolen data included names, addresses, Social Security numbers, birth dates and in some instances, driver’s license numbers, according to the 39-page lawsuit.
It says credit card numbers for about 209,000 U.S. consumers, along with other personal identifying information for another 182,000 Americans were accessed.
“The data breach was the inevitable result of Equifax’s inadequate approach to data security and the protection of the (Personal Identifying Information) that it collected during the course of its business. Defendants knew and should have known of the inadequacy of their own data security,” the lawsuit claims.
The company also had three similar cybersecurity breaches on smaller scales in 2013, 2016 and in January of this year, the plaintiffs maintain.
“Privacy researchers and fraud analysts have called this attack ‘as bad as it gets,’” the lawsuit noted. It added that on a 1-to-10 scale in terms of risk to consumers, “it is a 10.”
Cole and Barrett maintain they have invested considerable personal time monitoring accounts and taking other steps to protect their credit ratings and accounts from improper use of their stolen data. They said they had entrusted Equifax — one of the three largest consumer credit reporting agencies in the United States — with their personal information.
“While defendants took no steps at that time to inform the public in the interim, defendants did not hesitate to protect themselves; at least three Equifax senior executives, including CFO John Gamble, upon information and belief, sold shares worth $1.8 million in the days following the data breach,” the lawsuit said.
The stolen information is in the hands of third parties that “now possess keys that unlock consumers’ medical histories, bank accounts, employee accounts and more. Abuse of sensitive credit and personal information can result in considerable harm to victims of security breaches,” the lawsuit said.
“Criminals can take out loans, mortgage property, open financial accounts and credit cards in a victim’s name, obtain government benefits, file fraudulent tax returns, obtain medical services and provide false information to police during an arrest, all under the victim’s name,” the filing noted.
The seven-count lawsuit alleges Equifax had both willful and negligent violations of the Federal Fair Credit Reporting Act and violation of the Vermont Consumer Protection Act.
The suit also outlines two counts of negligence and one of unjust enrichment by getting paid to protect information, but failing to provide the proper services.
The women are represented by Woodstock lawyer Richard Windish with out-of-state assistance from attorney Kevin Sharp of Nashville, Tennessee.
The Nashville law firm has filed 35 Equifax lawsuits and plans to file a handful more in the coming weeks, said Jamie Moss, a spokesman for Sanford Heisler Sharp.
Because the cases are filed throughout the United States, the federal court is classifying its status as a multi-district litigation, which provides for a way to speed the process of handling complex cases, such as disasters and product liability situations.
The first meeting of lawyers involved in the MDL is scheduled in St. Louis on Nov. 30, Moss said.
The federal lawsuit is unrelated to a small claims suit filed in Orange County by Jessamyn West, a librarian from Randolph. The company has denied her allegations that it mishandled the recent data breach and a hearing is scheduled for Jan. 17 in Chelsea.
Mike Donoghue can be reached at vermontnewsfirst@gmail.com.