The City of San Francisco Sues Equifax
San Francisco became the first city to sue Equifax over a recent data breach that exposed the personal details of an estimated 143 million Americans. Information stolen in the breach includes consumer names, social security numbers, birth dates and, in some cases, credit card numbers.
City Attorney Dennis Herrera said Equifax failed to protect the personal information of 15 million Californians.
“Equifax’s incompetence would be comical if the subject matter weren’t so serious,” Herrera said. “This company fell asleep at the switch and upended the lives of millions of people. The information that Equifax failed to safeguard is what people need to open a bank account, buy a home or rent an apartment. Now Californians have been put at risk of identity theft for years to come.”
The lawsuit claims Equifax violated “”state law governing unlawful, unfair or fraudulent business practices” by failing:
- to implement and maintain reasonable security procedures,
- to provide timely notice of the breach to consumers, and
- to provide complete and clear information to consumers when it did announce the breach.
Under California law, a business must notify customers about a data breach “immediately following discovery, if the personal information was, or is reasonably believed to have been acquired by an unauthorized person,” but Equifax did not notify consumers of the breach until September 7, six weeks after the company discovered the breach on July 29.
“Equifax made a bad situation worse,” Herrera said. “Their delay prevented more than 15 million California consumers from taking immediate action to protect themselves from the risk of identity theft and fraud.”
The lawsuit is seeking restitution for affected Californians and civil penalties of up to $2,500 per violation. The lawsuit also wants a court order that will require Equifax to implement and maintain appropriate security policies.