(Reuters) - We won’t know until November whether any of the scores of millions of consumers whose personal information was compromised in the 2017 Equifax data breach have a problem with a proposed $700 million settlement between the company, the federal government, state attorneys general and plaintiffs’ lawyers. The deal, as you probably recall, would be the biggest-ever data breach settlement, but has nevertheless been criticized as inadequate, especially when a fund offering consumers a cash payout instead of credit monitoring was oversubscribed. Class members in the litigation before U.S. District Judge Thomas Thrash of Atlanta have until Nov. 19 to register objections. Judge Thrash is holding a hearing on final approval of the settlement on Dec. 19.
But in a brief filed Tuesday, the city of Chicago has revived an argument that its claims against Equifax shouldn’t even be considered part of the class action. Chicago wants Judge Trash to reconsider an Aug. 5 order in which he denied the city’s motion to create a separate track for its suit against Equifax. Chicago, as I’ll explain, argues that the consumer class action settlement does not – and cannot – resolve the city’s own claim for restitution under a Chicago consumer fraud ordinance. More broadly, though, its brief raises a question I’ve asked before: In the long run, are consumer fraud class actions the best way to redress past data breaches and encourage companies to ward off future hacks?
Chicago originally asked Judge Thrash to establish a separate track for its Equifax case back in May 2018, long before last July’s settlement announcement. The city argued that even though its public enforcement action had been transferred into the consolidated Equifax litigation before Judge Thrash, its case was fundamentally different than the consumer class action against Equifax, both procedurally and in the damages sought. Unlike consumers, Chicago said, it didn’t have to establish Article III standing and didn’t have to meet class certification requirements. And though the city claimed restitution on behalf of its residents, it also demanded damages for its own municipal coffers.
In their arguments against a separate track for Chicago’s case, Equifax and lead plaintiffs’ counsel from Doffermyre Shields Canfield & Knowles, DiCello Levitt & Casey and Stueve Siegel Hanson argued, among other things, that Chicago’s claims were subsumed into those of a proposed subclass of Illinois residents. The Judicial Panel on Multidistrict Litigation, Equifax said, had already heard Chicago’s protests against being lumped together with consumers, and nevertheless decided to transfer the city’s suit to the Equifax MDL. Judge Thrash, Equifax said, should similarly reject Chicago’s insistence on a separate track for its case.
It took the judge more than a year to rule on Chicago’s motion, and when he finally issued a ruling last month, he took just a paragraph to toss aside the city’s arguments. The amended consumer complaint against Equifax encompassed Chicago’s claims, the judge said, and the city failed to offer any justification for complicating the litigation with a separate track for its suit.
In the newly filed motion for reconsideration, Chicago contends Judge Thrash’s “clearly erroneous” order seems to suggest that government entities can’t bring enforcement actions when their residents have brought private claims. According to Chicago, that implication would threaten all kinds of data breach suits: Chicago’s case against Marriott, in which U.S. District Judge Paul Grimm of Greenbelt, Maryland, agreed earlier this summer to carve out a separate track from the consumer class action; Illinois’ suit against Equifax, which was filed and settled in state court; and even Puerto Rico’s suit against Equifax, which is before Judge Thrash. Puerto Rico, as Chicago noted, joined its motion for a separate track. Equifax asserted that Puerto Rico’s claims, like those of Chicago, were subsumed into the consumer class action – yet in July, Judge Thrash entered an order requiring the company to make a payment to Puerto Rico.
“Governments,” Chicago wrote, “may enforce their own laws to recover relief for themselves, regardless of whether private plaintiffs seek relief arising out of the same conduct.”
The city argued that Judge Thrash need only look at settlement agreement’s list of actions the agreement resolves. Chicago’s suit is not on the list – which, according to the city, proves that Chicago’s claims on behalf of the city itself are not subsumed into the consumer case. “It would be manifestly unjust,” city lawyers told Judge Thrash, “to bar Chicago from having its day in court based on a misunderstanding about the nature of the city’s government enforcement claims.”
That seems to me to be a crucial point as data breach litigation matures. In most data breach settlements, defendants offer consumers some kind of credit monitoring. Sure, some consumers are eligible for cash in some cases, if they can show they actually experienced identity theft. But the vast majority of the relief consumers have obtained has taken the form of credit monitoring services. And given the proliferation of data breaches, it seems likely that there will come a day when every American who wants credit monitoring has received it through one data breach class action or another. A class action settlement offering credit monitoring isn’t very meaningful to consumers whose credit is already under protection.
Some cities and states, however, can bring claims for money damages (depending on their statutes) outside of the strictures of consumer class actions. As Chicago argued in its Equifax briefs, government entities aren’t hampered by the same constitutional standing requirements as consumers suing in federal court, and they don’t have to fight to be certified as a class. Smart lawyers like Jay Edelson have posited that in the long run, companies that have experienced data breaches may face more exposure to government plaintiffs than to consumers in class actions.
In that regard, it’s worth watching what happens to Chicago’s case against Equifax. If government enforcement actions are going to be the future of data breach litigation, Chicago is going to have to show that it’s not just a member of the class.
The views expressed in this article are not those of Reuters News.