Mass. Sues Equifax in First State Data Breach Enforcement Action

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

Massachusetts Sept. 19 sued Equifax Inc. in the first state enforcement action over the credit reporting agency’s massive data breach of 143 million consumer records ( Massachusetts v Equifax, Inc. , Mass. Super. Ct., complaint filed 9/19/17 ).The suit comes less than two weeks after Equifax made the breach public. Equifax is facing inquiries from federal lawmakers, federal agencies, state attorneys general, state regulators, and affected consumers. Moreover, 34 state attorneys general have joined a letter seeking answers from Equifax regarding the breach.

According to the complaint, filed in Massachusetts Superior Court, Equifax violated state privacy laws because it didn’t employ reasonable security measures to protect consumer data. Equifax allegedly failed to implement recommended computer vulnerability patches and security controls “that would sufficiently protect consumers’ personal data,” the complaint said. The complaint also asserts a claim that Equifax failed to timely disclose the breach.

Equifax allegedly “knew about the vulnerabilities in its system for months,” but didn’t keep the sensitive consumer information “safe from hackers,” Massachusetts Attorney General Maura Healey (D) said in a statement. The credit bureau “needs to pay for its mistakes” and must fix any issues “so it never happens again,” she said.

The attorney’s general office is seeking civil penalties, restitution, administrative costs, and attorney’s fees. They also want to disgorge profits from Equifax “obtained during or as a result of the data breach,” the complaint said.

Healey opened an investigation into the breach the day after it was disclosed Sept. 7 by Equifax. On Sept. 12, she announced the state’s intention to sue. Under Massachusetts law, the attorney general had five business days to file the suit after informing Equifax.

An Equifax spokesperson told Bloomberg BNA Sept. 19 that although the company doesn’t comment on ongoing litigation, it is “cooperating with federal agencies, regulators and state attorneys general.” The company “reached out to state and federal regulators” when the public was notified of the breach “to establish open lines of communications,” the spokesperson said.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald Aplin at

For More Information

Text of the complaint is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security