Yesterday, the District Court for the Northern District of Georgia granted a motion to dismiss FCRA claims in a case involving one of the largest data breaches in history.
In the summer of 2017, Equifax’s systems were hacked repeatedly over the course of several weeks. During that time, hackers stole personal information for nearly 150 million Americans, about half of the US population. Among the data stolen were names, birth dates, Social Security Numbers, addresses, credit card information, and other sensitive material.
Victims of the hack, a putative class of consumers whose personal information was stolen during the data breach, filed suit against Equifax, alleging that they were harmed as a result, are subject to becoming victims of fraud, and were forced to expend time and resources monitoring their accounts and preventing fraud, among other things. The class asserts federal and state claims and also seeks injunctive and declaratory relief.
Among the claims brought, the plaintiffs allege that the Defendants violated FCRA by furnishing Class members’ consumer reports in violation of section 1681b of the FCRA, failing to maintain reasonable procedures designed to limit the furnishing of Class members’ consumer reports to permitted purposes, and failing to take adequate security measures that would prevent disclosure of Class members’ consumer reports in violation of section 1681e of the FRCA.
The Court disagreed.
In a lengthy decision, the District Court for the Northern District of Georgia dismissed Plaintiffs’ FCRA claims. The judge noted, first, that Equifax did not “furnish” Class members’ consumer reports. Although the statute does not define what it means to “furnish” a report, courts have held that information that is stolen from a credit reporting agency is not “furnished” within the meaning of the FCRA. The Court also found that the personal information stolen was not a “consumer report” within the meaning of FCRA. Hackers did not obtain credit files but, rather, “legacy data.” That is, the information did not bear on the user’s credit worthiness. While the Plaintiffs argued that the information could be used to bear on a person’s creditworthiness, the Court found that position unpersuasive. Finally, the Court found that Plaintiffs’ claims under section 1681e must fail because their 1962b claim was subject to dismissal. 1681e claims, which allege that a reporting agency violated the “reasonable procedures” requirement of section 1681e, must first show that the reporting agency released the report in violation of section 1681b.
While Plaintiffs’ FCRA claims were dismissed, the Court denied Equifax’s motion to dismiss many of the remaining causes of action.