Equifax Inc. could get away with paying a mere $1 per personafter failing to protect almost half of America’s credit data.

While the 118-year-old credit-reporting firm has been hitwith more than 100 consumer lawsuits over its massive security breach, legal experts saythere’s room for a deal because neither side has a slam-dunkcase.

A global settlement of about $200 million is plausible, saidNathan Taylor, a cybersecurity lawyer with Morrison Foerster LLP inWashington. That’s a projection based on the $115 million AnthemInc. agreed to pay in June -- setting a U.S. record -- to resolveclaims that it didn’t protect a smaller number of people from a2015 criminal hack that stole similarly sensitive information,Taylor said.

With lawyers collecting as much as a third of any payout, thecompany may end up spending an average of less than $1 per personfor credit monitoring and out-of-pocket expenses for 143 millionEquifax consumers whose data was compromised.

That’s a good deal for the embattled credit reporting company asits exposure theoretically could amount to $143 billion under afederal law that carries damages of as much as $1,000 perviolation, plus punitive damages.

Equifax faces additional uncertainty around suits andinvestigations by state attorneys general and the Federal TradeCommission, as well as claims by financial institutions,shareholders -- and as of Tuesday -- small business owners. On topof that, the Justice Department is said to have opened a criminalprobe into whether top officials at the company violatedinsider trading laws when they sold stock before Equifax disclosedthat it had been hacked.

Amid all the negative publicity, the company may relish a chanceto put at least one legal headache behind it sooner rather thanlater. As of Tuesday, shares had fallen 30 percent since the hackwas disclosed Sept. 7, and company officials now face calls totestify before Congress.

‘Little Secret’

“It’s a dirty little secret, but a lot of defendants welcomethese lawsuits,” said Robert Schwartz, a lawyer with Irell &Manella LLP in Los Angeles. “They will kick up some dust but, witha sensible settlement, the problem goes away. That is the endgame.”

“We cannot comment on pending litigation, but we remain focusedon helping our customers, as well as their employees and consumers,to navigate this situation,” Equifax said in a statementWednesday.

For consumers -- or more precisely, their attorneys -- a modestsettlement would avoid the risk of winning nothing if no actualharm from the hack can be definitively traced back to thecompany.

With frequent high-profile hacks in recent years, it’s virtuallyimpossible to connect a specific instance of identity theft to aparticular breach, according to Taylor of MorrisonFoerster.

“If you want to buy my social security number on the Dark Web,you can probably get it from numerous sources,” Taylor said in aphone interview.

A deluge of cases has been filed in federal courts inCalifornia, Georgia, New York and other states againstAtlanta-based Equifax, accusing it of violating the U.S. FairCredit Reporting Act. The FCRA is intended to ensure that theinformation Equifax and its competitors provide is accurate andkept private.

Small business operators added their own complaint to the mixTuesday, with a class action in Atlanta federal court alleging thebreach could cripple access to small business credit by damagingthe linked credit of the individual who owns the enterprise. Theplaintiffs include real-estate companies and a law firm.

While the penalties from the FCRA claims could quickly add up tobillions, previous data-breach lawsuits have settled for a fractionof that amount, Taylor noted.

Home Depot, Target

Home Depot Inc. last year reached a $19.5 million settlementwith consumers over a hack that exposed payment information of 56million customers. Target Corp. a year earlier settled withconsumers over its data breach for $17 million, which includedalmost $7 million for attorney fees.

Anthem’s data breach compromised social security numbers, birthdates and other information of 78.8 million people and itssettlement ended class actions filed in several states. A judgegave preliminary approval to the accord in August.

Read More: Equifax Faces Multibillion-Dollar Lawsuit OverHack

The U.S. Supreme Court last year put the brakes on FCRA claimswhen no concrete injury is alleged. In a case brought by anunemployed Virginia man over a profile on a people search websitethat inaccurately stated he had a graduate degree, a spouse and“very strong” economic health, the Supreme Court said not everystatutory violation of the FCRA is sufficient to sue.

Regional appeals courts are still sorting out how the highcourt’s decision applies to other cases in which there is a disputeover whether a plaintiff suffered actual harm.

In the Equifax lawsuits, the absence of any actual identitytheft or other loss could become an obstacle to sue under the FCRA,according to Schwartz of Irell & Manella.

‘No Harm’

"The problem with these claims is that the only thing that hashappened is the breach," Schwartz said in a telephone interview."If there’s no harm, federal judges have no jurisdiction."

That outcome was typical of early cases, including one dismissedagainst Barnes & Noble Inc. over a 2012 security breach thatcompromised customer credit and debit cards at 63 stores across theU.S.

But over time, some courts have taken a broader view of whatconstitutes harm and have allowed consumers subject to accountfreezes and other expenses to proceed with claims. That’s whathappened in the litigation on behalf of tens of millions peopleaffected by the Target breach. The judge’s refusal to dismiss thelawsuit a year after the hack was disclosed in 2013 gave theconsumers leverage for the settlement that was reached monthslater.

At least one lawyer suing Equifax on behalf of consumersdisputes the notion that they haven’t suffered actual harm and maylack standing to sue.

‘We Don’t Know’

“The notion that no one is harmed yet is premature,” AndrewFriedman, with Cohen Milstein Sellers & Toll Pllc inWashington, said in a phone interview. “People already haveout-of-pocket damages for additional credit monitoring and forcredit freezes. We don’t know what’s happening with the data.”

Friedman represents a group of plaintiffs in a case filed Sept.8 in Atlanta who accused Equifax of acting negligently andviolating District of Columbia consumer protection law as well asthe FCRA. Any settlement with Equifax would have to include manyyears of credit monitoring for consumers because the stolen datacould be misused years from now, he said.

“The security risk goes beyond the potential for identity andcredit theft for nearly half of the U.S. population: it also posesa possible national security threat, as personal information ofgovernmental employees useful for cyberwarfare will be available onthe Dark Web for years to come,” Friedman and other lawyers said ina Sept. 12 request to have the lawsuits consolidated before afederal judge in Atlanta.

Equifax probably will try to get some of the consumers’ claimsdismissed or scaled back by a judge before negotiating asettlement, a process that may take as long as three years,according to Taylor.

“There’s not a chance they are going to litigate this to theend,” Taylor said. “Do you really want to litigate against 50percent of the county?”

Copyright 2018 Bloomberg. All rightsreserved. This material may not be published, broadcast, rewritten,or redistributed.