Almost immediately after the Equifax data breach was announced, the plaintiffs’ bar initiated class litigation on behalf of consumers for purported failures by Equifax to protect its customer data. For instance, just one day after the breach became public knowledge, a multi-billion dollar class action suit was filed in Portland, Oregon.

We can undoubtedly expect more class action litigation to crop up, as it has daily since the breach was announced. Nevertheless, the threat to Equifax does not stop at private litigation. Several state attorneys general have already announced plans to investigate the breach.

While the time frame permitted for disclosing a data breach varies from state to state, most states do require that a breach be disclosed as soon as reasonably possible. The delay by Equifax in announcing the breach will certainly serve as the basis for many state-level investigations and penalties. It is reported that the breach occurred as early as May 2017, was discovered by Equifax in July 2017, but was not reported until September 7.

Several state attorneys general, including Tom Miller of Iowa, Derek Schmidt of Kansas, Joshua Hawley of Missouri, and Douglas Peterson of Nebraska, have joined in a letter to Equifax expressing their concerns with the manner in which Equifax has handled the breach thus far. Those concerns include many having to do with customer service and accessibility of information.

In particular, though, the state attorneys general have taken issue with Equifax reportedly requiring consumers to enter into mandatory arbitration agreements or pay fees for credit monitoring services that are otherwise available for free to the public. The letter states, “The fact that Equifax’s own conduct created the need for these services demands that they be offered to consumers without tying the offer to complicated terms of service that may require them to forego certain rights,” and “We remain concerned that Equifax continues to market its fee-based services to consumers affected by its data breach.”

The letter in its entirety is available here.

The personal information of more than 143 million consumers may have been compromised, and a software flaw is reported to be the cause. The compromised information includes names, dates of birth, addresses, Social Security numbers, credit card numbers, and even driver’s license numbers. Experts report that the number of affected consumers will likely increase as time passes.