The Independent Community Bankers of America ("ICBA") filed a class-action lawsuit against Equifax in connection with its recent cybersecurity breach. The breach exposed the private information (including the names, Social Security numbers and dates of birth) of over 145 million consumers. The Complaint was filed in the U.S. District Court for the Northern District of Georgia. ICBA alleged that Equifax failed to take appropriate steps to safeguard customer data.

ICBA claimed that the breach resulted from Equifax's failure to implement effective cybersecurity and data protection measures. This failure, ICBA alleged, was evidenced by the fact that the breach was not detected for more than two months, in spite of red flags that should have alerted Equifax. By failing to protect customer data, ICBA said, Equifax caused significant financial damage to ICBA members that were forced to cancel and replace customer payment cards, cover fraudulent purchases, and take other measures to mitigate fraudulent activity facilitated by data accessed through the breach.

ICBA alleged that Equifax had a duty to protect the customer information received from ICBA members. ICBA also asserted that the breach occurred due to the active mismanagement of consumer data and failure to act appropriately in response to numerous warnings concerning a vulnerability in software used by Equifax. ICBA claimed that Equifax violated federal security requirements, Federal Trade Commission requirements and industry standards. ICBA stated that its members have experienced and will continue to experience substantial financial harm resulting from not only the direct effects of the breach – such as replacing payment cards and bearing losses for fraudulent charges – but also the "chilling effect this breach will have on consumers." ICBA also pointed to potential regulatory reporting difficulties for its members.

ICBA is seeking relief in the form of a monetary judgment in addition to enhanced cybersecurity compliance requirements for Equifax.

Commentary / Joseph V. Moreno

The lawsuit filed by ICBA is an example of the potential for significant financial consequences that await a firm whose data has been breached. In addition to facing regulatory scrutiny by the FTC, SEC, DOJ, and various state attorneys general, Equifax will no doubt be contending with significant litigation costs for years to come. It is yet another reminder of how important it is for firms to maintain a robust cybersecurity program, regularly pressure-test systems and controls, and quickly identify and patch vulnerabilities. And, if a breach does occur, following a well-thought-out incident response and business continuity plan will be essential in making sure the proper internal stakeholders are notified and the various legal, compliance, technology, and public relations issues are properly managed.
