Settlement Includes One of the Largest Penalties Obtained by a Single State AG in a Data Breach Case
In one of the largest settlements obtained in a data breach case by a single state Attorney General’s office, Equifax has agreed to pay $18.2 million and undertake significant injunctive relief following a massive data breach that compromised the personal information of nearly three million Massachusetts residents. Equifax, which is one of the largest consumer credit reporting agencies in the country, first announced the data breach in 2017.
“Equifax had a duty to protect the private information of our consumers and it failed massively – leading to the worst data breach in history,” said AG Healey. “Our office secured a significant penalty from Equifax to ensure accountability for this inexcusable conduct. The company will implement stringent measures to strengthen its security practices and keep our data safe.”
The AG first filed a lawsuit in 2017 alleging that the consumer reporting agency had failed to patch a known vulnerability in its network. As a result, hackers were able to infiltrate Equifax’s system to access sensitive personal data of approximately 147 million U.S. consumers.
In a consent judgment, approved by a Suffolk Superior Court judge on April 12th, Equifax has agreed to pay an $18.2 million penalty to Massachusetts and will make significant improvements to its security practices in order to bring them into compliance with current Massachusetts law. This includes “…regular monitoring, identifying critical security updates, minimizing its collection of sensitive data, improving account management tools, and allowing third-party assessments of its data safeguards.”
When Equifax’s data breach was first announced in September 2017, the AG’s office began an immediate investigation. The Attorney General eventually filed suit against Equifax pursuant to Massachusetts consumer protection and data privacy laws alleging that “…unauthorized third parties infiltrated Equifax’s computer system through its website for months without the company detecting them and stole sensitive and personal consumer information.” The complaint also argued that Equifax lacked sufficient safeguards in order to protect consumers’ personal data within its system.
The AG also stated that upon realization of the data breach, Equifax violated Massachusetts data breach law by failing to notify authorities of the breach within the timeframe mandated by law. It is believed that Equifax first became aware of the breach around July 29, 2017 but did not notify either the AG’s office or consumers until September 7, 2017.
How affected consumers can seek relief
According to the AG’s office, Massachusetts consumers affected by the breach can seek available relief under the settlements that Equifax reached in July 2019 with 50 states and U.S. territories, the Federal Trade Commission, the Consumer Financial Protection Bureau, along with a national consumer class action suit.
Eligible consumers can file claims for relief from a Consumer Restitution Fund created under these settlements to obtain assistance in freezing and thawing their credit files, the opportunity to dispute inaccurate credit report information, and to seek payments and assistance in addressing identity theft that results from the breach. For more information on Equifax’s Consumer Restitution Fund or on how to make a claim, visit www.equifaxbreachsettlement.com.