Credit reporting and monitoring company Equifax is facing at least 23 proposed class action lawsuits in the wake of its announcement Thursday that a cyber attack compromised the personal information of up to 143 million Equifax customers, USA Today reports.

Various law firms have filed suits in 14 different states as well as D.C., according to USA Today. More suits will likely come. Victimized customers may receive a pretrial settlement from Equifax, and/or may be entitled to some portion of any financially pejorative judgment levied against the firm.

“Equifax probably injured 143 million people, which is kind of a record…with 143 million people it doesn’t surprise me there are already 23 suits,” said John Coffee, who directs the Center on Corporate Governance at Columbia Law School.

USA Today notes that the number of people the breach potentially victimized represents 44 percent of the U.S. population.

“Assume that if you’re an American with a credit card or a mortgage, your data has been leaked,” Zach Whittaker, security editor for CBS’s ZDNet, tweeted.

Hackers carried out the attack from mid-May through July, seizing customers’ names, social security numbers, birth dates, addresses and, in some cases, driver’s license numbers. Equifax says it became aware of the breach in late July. The company alerted the public of the incident on September 7. In the interim, Equifax hired third-party consultants to investigate the crime and provide suggestions as to how the company might bolster its cyber-defenses.

Many of the lawsuits take issue with the lag time between Equifax’s discovery of the attack and the firm’s notification of the public. USA Today says one suit calls the delayed disclosure “willful, or at least negligent.” Another argues that the delay “deprived [consumers] of their opportunity to meaningfully consider and address issues related to the potential fraud, as well as to avail themselves of the remedies available under the FCRA (U.S. Fair Credit Reporting Act) to prevent further dissemination of their private information.”

The company would presumably argue that it was justified in assessing the nature and extent of the attack before alarming the public.

A third suit notes that Equifax fell victim to similar attacks earlier this year, as well as in 2013 and 2016. Therefore, said suit argues, Equifax “knew and should have known of the inadequacy of its own data security.”

Other filings take aim at TrustedID, an Equifax service that provides identity theft protection and credit monitoring. One document says the company “failed to disclose to consumers that it owned TrustedID,” and baited customers into signing up for the service.

To help customers identify whether their information was compromised by the attack, Equifax is offering free TrustedID service to all U.S. customers

New York Attorney General Eric Schneiderman, who is investigating the Equifax case, took issue with a clause in the agreement Equifax requires TrustedID members sign. The clause in question says that in signing up for TrustedID, a user waives his/her “right to bring or participate in any class action…or to share in any class action awards.”

“This language is unacceptable and unenforceable,” Schneiderman tweeted Friday. “My staff has already contacted @Equifax to demand that they remove it.”

Equifax subsequently explained that the waiver does not prohibit TouchID members from participating in class actions regarding the cyber security incident.

In addition to Schneiderman, other government entities are pursuing the Equifax case. USA Today obtained a copy of a letter Senators Omin Hatch and Ron Wyden, both of whom hold key positions on the Senate Committee on Finance, sent to Equifax requesting details about the attack and the manner in which the company is handling it.

The letter requests a timeline of the breach and asks how Equifax is identifying affected customers and what measures the company is taking to limit consumer harm. The document also asks Equifax to clarify the amount of information that was compromised.

Legal arguments must take place before the proposed suits achieve class action status. If the court grants class action status, USA Today says, a “federal panel on multi district litigation” will likely consolidate the suits into a single case, then assign that case to a judge, who would, in turn, appoint one law firm or a group of law firms as plaintiff counsel.

At the market’s close Tuesday, Equifax stock has dipped 18.7 percent since the original announcement. 4.7 percent of the drop has come since Monday morning when news of the proposed class actions broke.

Featured image via Pixabay