The State of Massachusetts brought a civil lawsuit against the credit reporting agency Equifax for failing to adequately protect consumer data and other related violations. This is the first enforcement action arising from the recent data breach.

In the Complaint, filed in Massachusetts Superior Court, Massachusetts Attorney General Maura Healey alleged that Equifax (i) failed to adopt appropriate safeguards of customer data, as required by state regulations regarding data security, (ii) failed to provide timely notice of the data breach to the state and to affected consumers, as required by the state's data breach notification law, and (iii) engaged in unfair and deceptive trade practices based on, among other things, the company's failure to abide by its own promises to consumers regarding its data security practices.

The Complaint charges that Equifax left the private information of 143 million consumers – including names, social security numbers, credit card numbers and other identifying information – susceptible to theft by hackers for a period of almost five months because it failed to implement a widely available security patch to a web application that had a well-publicized vulnerability. AG Healey further alleged that Equifax did not provide prompt notice of the breach to the Massachusetts Attorney General's Office and to affected consumers, waiting nearly six weeks before reporting the breach.

Finally, AG Healey took aim at the post-breach response itself, asserting that Equifax did not ensure that adequate call center staffing and online resources were available to answer questions from consumers affected by the breach, and that it is now improperly seeking to make a profit from consumers by charging for certain credit protection services beyond a one-year period.

According to AG Healey, customers have experienced and will continue to experience significant financial losses, lost time, and aggravation as a result of Equifax's misconduct. The State of Massachusetts is seeking redress in the form of injunctive relief, civil penalties, restitution and legal costs.

Commentary / Joseph Facciponti

This enforcement action shows the increasingly aggressive role being played by state attorneys general in the area of data security and consumer protection. Companies that possess sensitive customer data should take care to ensure that they have written cybersecurity policies and procedures, that they patch any well-known vulnerabilities in their computer systems, and that they have plans in place to handle any cyber incidents (including plans for handling disclosure to regulators and consumers).
