Taking It Personally: One Lawsuit Tries to Hold Individuals Accountable for the Equifax Data Breach

As we discussed recently, the Equifax data breach has inevitably brought a great deal of scrutiny and legal action against the credit reporting agency. Amidst the numerous brewing class actions and other reactions from government agencies and state AGs, it’s worth pointing out another front on which the company—and more importantly, individuals within the company—may face legal consequences.

One well known “veteran short-seller” and founder of Muddy Water Research, Carson Block, has filed a personal lawsuit against Equifax in the U.S. District Court for the Northern District of California seeking $500,000 in damages. Block is one of the 143 million U.S. consumers whose data was stolen in the Equifax breach. His complaint names Equifax and eleven Equifax employees/individuals, going down to mid-level people involved in security at Equifax. Block presented his rational for the lawsuit during an interview on CNBC:

There are a bunch of class actions that have been filed. They will eventually be consolidated, and class action attorneys are probably going to go home when every American gets a thirteen-cent check. Class action attorneys will have made money, and Equifax and individuals responsible for this, really will not have bled that much … If every individual in America had the resources to sue, or if every individual that was compromised, that would be great. But what I am also trying to do here is because we didn’t just name the company as a defendant, we named eleven individuals. And these are not all senior people, the kind that have indemnification built into their employment agreements. These go down to mid-level people involved in security. Because … the message I am trying to send is that if you work in a company that has critical data, and you are in security, and you see something wrong, you shouldn’t turn a blind eye to it.

Block v. Equifax, Inc. et al., No. 3:17-cv-05367-SK (N.D. Cal. filed Sept. 15, 2017) lists two causes of action: 1) negligence, brought against all of the defendants, and 2) a violation of the Unfair Competition Law, Cal. Bus. & Prof. Code § 17200, brought against Equifax only.

The complaint also alleges that Equifax’s practices were an unlawful violation of California Civil Code section 1798.81.5 of the Customer Records Act (CRA) because Equifax failed to take reasonable measures in protecting Plaintiff’s personally identifiable information (PII). California Civil Code section 1798.81.5(b) requires that a “business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

The Block v. Equifax initial case management statement is due by December 11, 2017, and the initial case management conference is set for December 18, 2017.