The barrage of bad news for Equifax Inc. keeps getting worse. Here’s a recap of yesterday’s events:
▪ Mass AG Files Lawsuit – In the first enforcement action filed against Equifax Inc., the Massachusetts Attorney General filed a lawsuit yesterday seeking to hold the credit reporting agency “accountable” and not allowing it “to prioritize profits over the safety and privacy of consumers’ sensitive and personal data.”
The five-count complaint, filed in Suffolk County Superior Court, alleges that “Equifax left at least 143 million consumers’ sensitive and private information exposed and vulnerable to intruders … [and that the company] could have – and should have – prevented the [d]ata [b]reach had it implemented and maintained reasonable safeguards, consistent with representations made to the public in its privacy policies, industry standards, and the requirements of Massachusetts law.”
Massachusetts AG Maura Healey said in a statement yesterday that “[w]e are suing because Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again.”
The lawsuit seeks civil penalties, disgorgement of profits, restitution, court costs and attorneys’ fees.
▪ 43 Other AGs Investigating – Attorneys general from 43 other states and the District of Columbia have sent a letter to Equifax criticizing the company for its handling of the massive breach and are also investing the matter. Other enforcement actions are expected to follow.
▪ Earlier Breach? – The company also disclosed yesterday that it suffered a hack earlier in March 2017 – almost five months before disclosure on September 7th of the massive hack – but says the two are unrelated.
▪ NY AG Investigating Experian and TransUnion – The New York Attorney General announced that he’s looking into the data security practices of the other two big credit reporting agencies, Experian Plc and TransUnion LLC. Yesterday, Attorney General Eric Schneiderman sent letters to the CEOs of both agencies seeking information of what steps are being taken to safeguard sensitive consumer information as a result of the Equifax breach.