As most are aware, the Massachusetts Attorney General has won the race to the courthouse and been the first regulator to file suit against Equifax.
- The 28 page complaint is summed up on paragraph 4:Consumers do not choose to give their private information to Equifax, and they do not have any reasonable manner of preventing Equifax from collecting, processing, using, or disclosing it. Equifax largely controls how, when, and to whom the consumer data it stockpiles is disclosed. Likewise, consumers have no choice but to rely on Equifax to protect their most sensitive and personal data. Accordingly, it was and is incumbent on Equifax to implement and maintain the strongest safeguards to protect this data. Equifax has failed to do so.
- Paragraph 42 contains the key allegations regarding where Equifax fell short of its obligations to patch its software:As of or soon after March 7, 2017, Equifax knew or should have known, by virtue of multiple public sources but at least one or all of the Apache Security Bulletins, the NIST Notice, the US CERT Alert, and the Vulnerability Database (as well as one or all of the various collateral sources referenced in the foregoing), that the March Security Vulnerability existed in Apache Struts.
- Paragraph 63 alleges a failure to give timely notice to the Massachusetts regulators:As of or soon after July 29, 2017, Equifax knew or should have known that the “personal information” (as defined in G.L. c. 93H, § 1(a)) of at least one Massachusetts resident was acquired by an unauthorized person, and/or of a “breach of security,” and that it thus had a duty to provide notice to the Attorney General’s Office and the Office of Consumer Affairs and Business Regulation under chapter 93H, § 3(b) “as soon as reasonably practicable and without unreasonable delay.”
Interestingly, the complaint does not allege any actual harm from the breach. Also notably is among the prayers for relief is the request that the court order that Equifax: “Disgorge profits Equifax obtained during or as a result of the Data Breach.