Following through on a threat made last week, the state of Massachusetts is suing Equifax over the credit reporting agency’s massive data breach, which exposed the personal information of 143 million U.S. consumers to hackers.
Massachusetts’ lawsuit is the first enforcement action taken by a state in the wake of the data breach at Equifax. The company is also facing inquiries from the Consumer Financial Protection Bureau, the Federal Trade Commission, the House Financial Services Committee, the Senate Finance Committee, and the office of New York Attorney General Eric Schneiderman, at least.
Last week, Massachusetts Attorney General Maura Healey said that her office planned to sue Equifax on behalf of the three million Massachusetts residents whose information was exposed in the breach.
And Tuesday, Healey’s office officially filed suit against Equifax, alleging that the credit reporting agency “did not maintain the appropriate safeguards to protect consumer data in violation of Massachusetts consumer protection and data privacy laws and regulations.”
In a statement, Healey’s office states that for a period of more than four months, , Equifax left “sensitive and private” consumer information exposed to hackers by using computer code that the company “knew or should have known” was vulnerable to hacking.
Healey’s office also suggests that Equifax was derelict in its duty to protect the information in its databases due to the company’s failure to implement recommended fixes to its systems, or put other safeguards and security controls in place, that would have protected consumers’ personal data.
Massachusetts’ lawsuit also accuses Equifax of failing to provide timely notice to the affected consumers, and the Healey’s office, as is required by Massachusetts state law.
As the company disclosed in its original announcement of the breach, it first learned of the issue in late July but did not disclose it publicly until September 7.
“We allege that Equifax knew about the vulnerabilities in its system for months, but utterly failed to keep the personal information of nearly three million Massachusetts residents safe from hackers,” Healey said in a statement. “We are suing because Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again.”
According to the Healey’s office, the state’s lawsuit seeks civil penalties, disgorgement of profits, restitution, costs, and attorneys’ fees.
Healey’s office stated that the lawsuit also seeks injunctive relief to “prevent harm to Massachusetts residents resulting from the company’s actions and inaction.”