Consumers aren’t the only ones suing over the Equifax data breach: Small businesses, including a law firm and a credit union, want to recoup financial losses tied to the massive cyberattack.
Summit Credit Union in Madison, Wisconsin, has brought a class action on behalf of all credit unions that have had to reimburse customers for fraudulent charges and forgo fees due to the breach, which has impacted 143 million people. Robins Kaplan brought that suit on Sept. 11 in federal court in Georgia.
Another class action was filed on Sept. 19 by three businesses and their owners, including Justin O’Dell, a partner at O’Dell & O’Neal in Marietta, Georgia, who also owns three real estate companies. The business owners claim that the breach, which Equifax announced on Sept. 7, could impact their ability to get loans and lines of credit. It’s the first time that small businesses have sued over a data breach, said Jason Doss, the attorney who brought the suit in federal court in Georgia.
“Equifax is not a retail store that happened to get some credit cards stolen; it’s the central nervous system of our credit lending services,” said Doss, of the Doss Law Firm, who is the former president of the Public Investors Arbitration Bar Association. “All the credit for my business is based on my personal financial information, so if someone hacked personal information about me, it could impact me but also the people I employ in my business.”
“This is somebody who goes and opens up a loan account in my name, somebody files a tax return in my name, somebody uses the information to access one of our accounts, including our IOLTA account,” O’Dell said.
“The ability of small businesses to obtain loans and other forms of credit is dependent on the creditworthiness of the business owner,” the suit says. Small businesses “heavily rely on personal and business credit to operate,” according to the suit, because they “lack access to public institutional debt and equity capital markets.”
That’s particularly true for law firms, often defined as small businesses, which the U.S. Small Business Administration and other federal agencies consider to be those with 500 or fewer employees.
And a business, which often relies on lines of credit for payroll, can’t just freeze its credit like a consumer can, O’Dell said. Not only that but, unlike consumers, who are entitled to an annual credit report for free under federal law, each business has to pay Equifax $99 to check the status of its credit, he said.
“If you’re a big law firm maybe you can absorb that. Maybe you have a person and department somewhere you can designate to that responsibility,” he said. “I don’t have those resources.”
But big law firms also have had to cope with cybersecurity risks. Dozens of them got linked to the leak of millions of internal documents at Panama’s Mossack Fonseca last year, and DLA Piper got hacked in June.
The Equifax breach impacts businesses in all industries, said Doss, who plans to file at least two more suits, including one later on Friday and one on behalf of small businesses outside of Georgia. “The phone is ringing off the hook,” he said.
“Businesses are incurring hundreds of dollars in fees that result from this data breach,” he said. He said his clients want Equifax to waive the $99 credit report costs and change the law so that businesses get notified about other information that could have been stolen, such as loan documents.
In addition to O’Dell & O’Neal, this week’s suit was filed by a consulting firm called Rafco and ChaseLight, a video production company, and their owners, on behalf of a class of U.S. businesses “whose creditworthiness is dependent on the creditworthiness of its business owners.”
But unlike those cases, the Equifax breach is not just about fraudulent charges made with stolen credit or debit cards, said Stacey Slaughter, a partner at Robins Kaplan in Minneapolis who filed the case. In this cyberattack, hackers stole Social Security numbers, birth dates and addresses.
“This is the type of information you can use to create a new account,” she said.
In other data breach cases, the financial firms have pursued their claims along separate tracks than those of consumers—though usually before the same judge. Slaughter said it’s too early to say whether that might happen in the Equifax cases, which are scheduled to go before the U.S. Judicial Panel on Multidistrict Litigation for potential pretrial coordination on Nov. 30.
“There are so many cases,” she said. “It’s probably a little too early to tell how these cases will be tracked.”