Mass AG Starts Equifax Litigation Derby

Equifax’s data breach involving the sensitive and personal information of 143 million consumers has sparked a national outcry and investigations by over 30 state Attorneys General and the Federal Trade Commission. Last week, Massachusetts became the first state to commence litigation against Equifax and is now considering amending its data breach law in response.


As the Washington Post explains in a useful history of the company:

“We manage massive amounts of unique data, we have data on approaching a billion people. We have data on approaching 100 million companies around the world. The data assets are so large, so unique,” Richard Smith, the company’s longtime chief executive, said in a speech at the University of Georgia business school in August.

“You think about the largest library in the world . . . the Library of Congress, we manage almost 1,200 times that amount of content every day, around the world.”


Last week, Massachusetts Attorney General Maura Healey filed the first state enforcement action against Equifax stemming from the breach. According to the complaint, from at least March 7, 2017 through July 30, 2017, Equifax left sensitive and private consumer information exposed to intruders by relying on certain computer code that it knew or should have known was vulnerable to exploitation, without having in place safeguards sufficient to protect the consumer data it stored in its system.

Third parties infiltrated Equifax’s computer system through the “Dispute Portal” – a page on its website that allows consumers to submit information to initiate and support a formal dispute of information in their credit reports.

The complaint asserts causes of action for failure to timely provide notice of a data breach, failure to safeguard consumer information and deceptive and unfair trade practices based on the following allegations:

  • Hackers were present in the Dispute Portal from at least May 13, 2017 through the end of July 2017 without Equifax detecting them;
  • Although fixes for the computer code vulnerability were available to Equifax and posted on at least one U.S. Government website, the company failed to implement the recommended fixes, or otherwise put in place other safeguards and security controls, such as encryption, that would sufficiently protect consumers’ personal data; and
  • Equifax also failed to provide timely notice to the AG’s Office and to affected consumers, as required by Massachusetts law. The company knew about the breach around July 29, 2017, yet did not notify the AG’s Office or consumers until Sept. 7, 2017.

This week, Attorney General Healey introduced legislation to require that credit reports be encrypted and to make it easier to freeze and unfreeze credit reports.


Healey explained:

“For too long, protecting consumers has been an afterthought for Equifax and other credit reporting agencies. This bill will give Massachusetts residents control over their personal data and help fix a system that needed reform long before the Equifax breach.”

The Equifax Complaint is below.