I almost have to admire this defense logic: if you don’t know when our breach occurred or can’t allege it, you can’t prove any claims as to whether something happened before or after the breach, so we get to walk away from the consolidated class action lawsuit…?
Law360 has more, if you have a subscription. But I was so curious that I actually acquired the filing from PACER (you can all chip in towards the $3.00 fee), and have uploaded the filing here (47 pp, pdf).
But here is the overview of the argument:
Most fundamentally, plaintiffs do not allege the date on which the breach occurred. Yet, they speculate that they suffered damages because of Experian’s “delay” in providing notice of the breach. But the absence of an alleged date of breach renders these claims infirm. After all, no one was injured by delayed notification if there was no delay in providing notice. Some plaintiffs assert that they were victims of identity theft or fraud, speculating that the attacker must have used the data it stole to commit such crimes. But because plaintiffs do not allege a date of breach, it is unclear whether these alleged injuries occurred before or after the breach. If they occurred before the breach, they could not possibly have been caused by the breach. Some of the plaintiffs’ claims are grounded in fraud, yet none are pleaded with the particularity required by Rule 9(b).
I thought the breach occurred before October, 2015?? Why wasn’t there anything on that in the complaint, or was there?
Update: I went back to previous coverage on this site. Experian had announced the dates of the breach as being on September 14, 2015, and discovered on September 15, 2015. Was that really not included in the complaint? It seems to me that at least some plaintiffs should be able to argue that, “Hey, I signed up on September 1, 2015, so my data were in there… and I became a victim of fraud on…. <some date after September 14>.”
Weird, right? So I downloaded the consolidated complaint (you can all chip in for that one, too), and it does make claims of specific dates for specific plaintiffs who suffered fraud after the relevant period of the breach. But yes, looking at the complaint, I don’t see where the plaintiffs ever stated clearly that the breach itself occurred on September 14, 2015. Experian may have an argument after all, although the September 16th window in their statement should serve the same purpose for determining whether something occurred after the breach.
Is this just a technicality that the plaintiffs failed to clearly state the date of the breach? If so, it sounds like an important technicality.
Thanks very much to the individual who reached out to me via encrypted chat with more details about the hacked database. Some data provided to me by that individual show that the last update of the database before the hack was on September 10th. Of course, I can’t verify the accuracy of the data, but it seems consistent with Experian’s report. The data, however, were not consistent with what I would expect to see in that particular database.
This is disgusting if not totally unpredictable behavior from Experian. Like all businesses they’re doing what they can to CYA in the face of a major consumer confidence disaster. I mean they had one job to do – protect the identity data (and therefore the credit scoring data) of their customers – and they failed to do so with the highest level of security practices that I think most consumers think is taking place at the vendors they do business with. Reality, in the face of an endless string of breaches and hacks, and the proliferation of ransomware would unfortunately suggest otherwise.
I’ve been a customer of T-Mobile since December 2013, so presumably my data was in there when the Experian breach occurred – regardless of whether it was September 10 or September 14, and regardless of when it was detected. I also don’t believe that Experian detected the breach within 24 hours, and had sufficient time to have the sort of high-level impact-mitigating discussions it needed to have – including with top-level management at T-Mobile before going public with any notification. While the public should know as soon as possible for the sake of being on the lookout for signs of trouble, I have yet to see any company that thinks of the impact to their customers before they think of the impact to their corporate piggybank and shareholders.
I was notified by T-Mobile that my data was potentially at risk and I was given the industry standard two years of free credit monitoring – oddly enough by the same company that couldn’t keep my data safe in the first place – so I’m not putting a whole lot of trust in this “let’s save face gesture”. I continue to review my credit and look out for signs of trouble, which is the best I believe I can do at this juncture. But in terms of the Experian class action suit, I feel as if any attempts made by them to wiggle out of this mess – created at their own hands – should be swiftly crushed by any judge that has the interest of the public anywhere in his or her mind and/or heart.
-Robert
I’m waiting for discovery because I want to know the encryption was compromised… if it was really deployed as they claimed.