For Equifax’s Legal Team, Breach Likely To Bring Litigation Challenges, High Price Tag – Law.com (su…



One week after Equifax Inc. revealed a cybersecurity incident impacting some 143 million U.S. consumers, the credit reporting behemoth is facing legal and reputational repercussions of massive proportions.

For a legal department led by corporate vice president and chief legal officer John Kelley III, who seemingly has the last word on company security and compliance matters, the coming months and years are sure to be rife with high costs and what will likely be hard-fought battles to limit the damage done by class action suits.

Will Class Actions Survive?

Current external troubles for Equifax, which declined to comment for this story, began with the Sept. 7 announcement that sensitive consumer information, such as Social Security numbers, driver’s license numbers, birth dates and addresses, had been compromised. The incident, which was first discovered on July 29, prompted a number of investigations, backlash because of the company’s response and criticism due to a credit report monitoring site that’s vulnerable to hackers. Added to that are more than 20 proposed class action suits, and counting.

Just hours after the announcement of the breach, a proposed class action suit was filed in the U.S. District Court for the District of Oregon in Portland, claiming Equifax negligently failed to maintain adequate technical safeguards to protect consumers. At least 22 proposed class actions have followed, claiming everything from violation of the Fair Credit Reporting Act and federal securities laws to breach of contract and violation of the California Data Breach Act.

Historically, data breach class actions have been far from a sure thing for consumers, largely because courts sometimes find that there’s no tangible injury. In a May 2 decision, for instance, the U.S. Court of Appeals for the Second Circuit rejected the argument that the threat of future harm as a result of a data breach at a Michaels Stores Inc. location was enough to establish standing.

On the other hand, the U.S. Court of Appeals for the District of Columbia, the Seventh Circuit and the Third Circuit have all ruled recently that victims may pursue data breach claims without showing actual loss.

These cases are often dismissed because it’s very difficult to show causation of harm, according to Laura Jehl, a partner at Baker & Hostetler, who was formerly general counsel and chief privacy and security officer at Resolution Health Inc., a subsidiary of Anthem Inc., where she helped handle a January 2015 cyberattack affecting 80 million customer records. If somebody steals a person’s identity or goes and files a fraudulent tax return, she explained, it’s a challenge to prove it was Equifax because it could be the result of any other of a number of breaches, which leads to courts having a “difficult time with standing.”

What’s more, if someone’s identity is compromised, for many it’s an uphill battle to show a tangible injury, as claims often center around the concern that there may be issues in the future, said Guillermo Christensen, partner at Brown Rudnick, who was formerly a CIA intelligence officer.

But with the cases against Equifax, given the high sensitivity of data that was compromised, he said plaintiffs might be able to get over this hurdle in court. “I think you have a stronger potential to show that you are going to spend the rest of your life or the next couple of years, anyway, at risk of people taking advantage of [compromised] information and that that prospect will impact your choices and what you do and how you do things,” he said.

It’s one thing to have credit card info compromised, said Edward McAndrew, partner at Ballard Spahr. “It’s quite another to have dates of birth, Social Security numbers, driver’s license numbers accessed.”

“I think that’s why the standing analysis is going to be far different here than any of the other data breach cases we’ve seen,” he added.

At the moment, there’s a push to consolidate all the class actions against Equifax into multidistrict litigation in the U.S. District Court for the Northern District of Georgia, but it’s not yet decided if or where MDL will take place, and this could be key to the outcome for Equifax’s legal department.

Initially, Jehl explained, these cases were often consolidated in the home district of the entity, which would be Georgia for Equifax, but more recently the jurisdiction where the predominant number of cases have been filed is also being considered.

“There’s often a lot of strategizing among plaintiffs’ counsel and among others in trying to get that center of gravity in a place where it may be more favorable,” Jehl said.

High Legal Costs

Equifax and its in-house lawyers will also face costs in dealing with litigation and forensic investigations that could climb into the tens of millions of dollars.

History shows the high price tag of data breaches. Since The Home Depot Inc.’s breach in 2014, for example, the company has incurred roughly $200 million in pretax net expenses, according to a U.S. Securities and Exchange Commission filing from earlier this year. The 2013 hack of Target Corp.’s systems, as of a 2015 SEC filing, had cost the company around $160 million in net expenses. And after Yahoo Inc.’s two massive data breaches, the company reported in March $16 million in expenses, $5 million of which was associated with the ongoing forensic investigation and remediation activities and $11 million of which was associated with nonrecurring legal costs.

Given the enormity of this breach, it wouldn’t be unexpected for Equifax to rack up a fairly hefty bill, McAndrew said. “Absent major class action litigation, the forensic investigative fees are usually greater by some multiplier than the legal fees. Now we’re shifting into class action mode, though, so those fees are going to skyrocket,” he said. “I will not be surprised if, at the end of the day, Equifax’s total for legal fees is in excess of $100 million.”

For Equifax, legal and forensic costs will likely be “enormous,” Christensen echoed. For a breach of any size, you want to bring in a security firm—Equifax is reportedly relying on Mandiant—and then you want to bring in lawyers who know breach laws in every state and who can defend the company in litigation, he said. “So they are going to have a lot of people on their payroll for a long time to deal with this.”

Not to mention, Christensen added, a corporate crisis like this can take away from a company’s ability to conduct its regular business. “It’s a big distraction that can have, obviously, long-term consequences for the health of the company,” he said.


