The massive data breach at Equifax has quickly spurred a number of lawsuits on behalf of consumers. That was to be expected. Far more surprising is the fact that financial institutions have started to pile on, filing their own suits against the credit reporting agency. It’s a bold strategy, and one that carries considerable risk. Any financial institution that is claiming victim status in this disaster that has personally affected half the U.S. population, and that is competing with individual consumers for money damages, could see its efforts backfire. In fact, it is easy to imagine the financial institutions’ lawsuits drawing such unflattering attention to their dealings with credit reporting agencies that they redirect the public ire, lawsuits and proposed regulations now being aimed at Equifax onto the institutions themselves.
Summit Credit Union of Madison, Wisconsin, became one of the first financial institutions to sue Equifax, and is seeking class action status for thousands of credit unions. Other credit unions have joined with a state-chartered bank, the Bank of Louisiana, to file their own class action, and lawyers are reporting that they are gearing up to soon file suit on behalf of banks. Credit unions and banks have suffered, and will likely continue to suffer, damages from the breach, including having to cover fraudulent charges on credit cards and canceling cards due to suspicious activity and reissuing new credit cards. They will also likely be impacted by the harmful effects on customers’ financial lives.
Nonetheless, at least three sources of concern about the suits immediately come to mind. The first surrounds the practical issue of loss distribution. Even if financial institutions prevail on their claims and recover damages, there would ordinarily be no court-supervised process to ensure equitable distribution of recoveries to victimized members or customers of the institutions. This would be a difficult enough issue where a financial institution purports to act for its customer, but some may go much further. For example, Summit says Equifax must be held liable for “a cybersecurity incident so massive that it could prove detrimental to overall American economic growth.” Of course, most would agree with that statement, as far as it goes. What’s much more debatable, however, is whether a class action by credit unions or banks is the best vehicle to address the harm that Equifax’s data breach has inflicted on consumers and the overall U.S. economy.
This raises the second potential problem: when it comes to addressing the wrongs of Equifax, financial institutions have a perception problem. The Equifax breach has drawn into question the legitimacy of something that had previously been accepted without much controversy: large, loosely regulated private entities amassing, storing and selling for profit vast amounts of highly sensitive personal consumer data. The breach has also raised awareness of the symbiotic business relationship between financial institutions (which provide billions in revenue to Equifax and its peers, and rely on their data to make their own profits) and credit reporting agencies. Consumers, state attorneys general and the Consumer Financial Protection Bureau (all of which have already sprung into action) should not be expected to stay quiet if they believe any recovery that financial institutions earn from Equifax should be going to consumers. The far more likely reaction is outrage.
Finally, financial institutions that decide to sue Equifax should be prepared for the possibility that the extent to which they monitored and managed their relationship with Equifax is a rock that may get turned over in discovery in any litigation. They should first review applicable regulatory guidance and assess their own relationship and dynamic with Equifax – in particular, national banks and federal savings associations should consider their obligations under the third-party vendor guidance from the Office of the Comptroller of the Currency. That guidance directs banks to ensure their third-party vendor relationships are assessed for risk exposure before engaging in such relationships and that those risks are mitigated by oversight and supervision of that vendor.
Further, even if an institution is not subject to such guidance or similar rules regarding third-party compliance, the same rationale could be used by plaintiffs to support some sharing of responsibility for Equifax’s lax security and failure to promptly notify consumers of the breach. That’s a legal argument – but also one that could play well in the court of public opinion. And that is where financial institutions are at the most risk with their legal actions against Equifax. Such suits invite a public backlash that could be more expensive than any costs they have incurred due to the breach thus far.
James Serritella, a partner in the Insolvency, Creditors’ Rights & Financial Products Practice Group of Davis & Gilbert, and Massimo Giugliano, an associate in the Insolvency, Creditors’ Rights & Financial Products Practice Group of Davis & Gilbert, contributed to this post.