Add the city of San Francisco to the list of those going after Equifax in the wake of the credit reporting agency’s massive data breach, which exposed the personal information of 143 million U.S. consumers to hackers.
The company is currently facing inquiries from the Consumer Financial Protection Bureau, the Federal Trade Commission, the House Financial Services Committee, the Senate Finance Committee, the office of New York Attorney General Eric Schneiderman, the New York Department of Financial Services, and a lawsuit from the state of Massachusetts over the breach.
The breach also cost three Equifax executives their jobs, already. Earlier this week, Equifax CEO and Chairman of the Board, Richard Smith, "retired," just two weeks after two of the executives charged with the security of Equifax’s credit data also "retired."
Now, two weeks after Massachusetts became the first state to take action against Equifax, San Francisco City Attorney Dennis Herrera announced that the city is suing Equifax too, making San Francisco the first city to pursue legal action against Equifax.
“Equifax’s incompetence would be comical if the subject matter weren’t so serious,” Herrera said in a statement. “This company fell asleep at the switch and upended the lives of millions of people. The information that Equifax failed to safeguard is what people need to open a bank account, buy a home or rent an apartment. Now Californians have been put at risk of identity theft for years to come.”
According to Herrera’s office, the personal information of more than 15 million Californians was exposed as part of the breach.
Herrera’s office said that the city’s lawsuit is filed on behalf of the people of the State of California, and alleges that Equifax violated state law governing unlawful, unfair or fraudulent business practices by:
- Failing to implement and maintain reasonable security procedures and practices
- Failing to provide timely notice of the data breach to affected California consumers
- When it finally provided notice, failing to provide complete, plain and clear information
According to Herrera, Equifax did not properly update its software, which led to the security flaw exposed by the hackers.
“When you’re dealing with highly sensitive information, keeping your software up to date is such a basic step,” Herrera said. “Equifax also could have encrypted this information or segmented the data in separate databases to prevent hackers from being able to access all of a person’s information at once. Equifax did none of that.”
Also at issue is the length of time between when Equifax found out about the breach and when it communicated it to the public, as well as how the company handled that communication.
Equifax reported initially that it discovered the data breach on July 29, 2017, but did not disclose the breach until Sept. 7, 2017.
“Equifax made a bad situation worse,” Herrera said. “Their delay prevented more than 15 million California consumers from taking immediate action to protect themselves from the risk of identity theft and fraud.”
Additionally, Herrera’s office noted that California law requires entities that do business in the state to notify the owner or licensee of the information about a data breach “immediately following discovery, if the personal information was, or is reasonably believed to have been acquired by an unauthorized person.”
Herrera said that the notice Equifax posted on September 7 contained “confusing and misleading information and didn’t include information required under California law.”
Herrera’s office said that the lawsuit seeks restitution for California consumers who purchased credit monitoring services from Equifax prior to Sept. 7, 2017, civil penalties of up to $2,500 per violation of the law, and a court order requiring Equifax to implement and maintain appropriate security procedures for the highly sensitive information it handles.