The cities of Chicago and San Francisco and the Massachusetts Attorney General have filed the first enforcement actions against Equifax following the announcement of a data breach affecting an estimated 143 million consumers.  Equifax announced the data breach on September 7, 2017, after hackers allegedly exploited a vulnerability in open-source software used by Equifax to create its online consumer dispute portal.

The first suits were filed on September 26th by the Massachusetts Attorney General and San Francisco.  Massachusetts’s complaint was filed in Superior Court in Suffolk County and alleges that Equifax knew or should have known about the vulnerability and that hackers were attempting to exploit it, but that Equifax failed to take known and available measures to prevent the breach.  Massachusetts asserts claims for violations of the Massachusetts data privacy statute and the Massachusetts Consumer Protection Act prohibiting unfair and deceptive practices based on Equifax’s alleged failure to give timely notice of the breach, failure to safeguard personal information, and failure to take other actions that Equifax was uniquely positioned to provide that would have mitigated damages to Massachusetts consumers.  The Massachusetts Attorney General is seeking unspecified civil penalties, disgorgement of profits, restitution, costs and attorney’s fees.

San Francisco’s complaint, filed in the Superior Court of San Francisco, asserts claims under the California Business and Professions Code for unlawful, unfair or fraudulent business practices, alleging that Equifax failed to maintain reasonable security practices and procedures, failed to provide timely notice of the security breach, and failed to provide complete, plain and clear information when notice was provided.  The lawsuit seeks restitution for all California consumers, civil penalties up to $2,500 per violation of law, restitution, costs, and a court order requiring Equifax to implement and maintain appropriate security procedures in the future.

Finally, the City of Chicago filed suit on September 28th in Cook County Circuit Court and asserts claims arising under both state law and city ordinance.  Specifically, Chicago alleges Equifax violated a local ordinance prohibiting fraudulent, unfair, and deceptive business practices, as well as the Illinois Consumer Fraud and Deceptive Business Practices Act.  Chicago’s claims are based on allegations that Equifax failed to give prompt notice of the breach, failed to safeguard personal information, and deceived consumers by requiring them to waive their legal rights in exchange for credit monitoring services and by misrepresenting that the offered credit monitoring was free.  Chicago seeks civil monetary penalties in the amount of $10,000 for each day a violation has existed that involves a Chicago resident, restitution, and injunctive relief requiring Equifax to maintain adequate security measures to prevent data breaches.

These are likely just the first of many lawsuits to be filed against Equifax by state and local officials.  Further action at both the federal and state level seems all but certain.  For example, the Federal Trade Commission and Department of Justice have confirmed they are investigating the breach, and the New York Department of Financial Services confirmed that it recently issued a subpoena to Equifax for more information about the breach.  This vigorous and immediate government enforcement effort further supports our position that private class action lawsuits are an unnecessary and inappropriate tool for vindicating any harm caused by the data breach.  We will continue to follow these significant cases and update you as events unfold.