Editors’ Note: This is the fourth in a multi-part end-of-year series examining important trends in data privacy and cybersecurity during the coming year. Previous installments include analyses of HIPAA compliance, emerging security threats, and federal enforcement trends. Up next: a look at biometrics.
As state Attorneys General continue to flex their muscles in response to serious data security lapses nationwide, patchwork enforcement continues. Strategies employed by state Attorneys General in response to nationwide data breaches are as diverse as the profusion of data security threats alarming consumers on a daily basis. The recent Equifax data breach offers a prime example. The disparate reactions of Massachusetts, California, Texas and New York reflect the various tools at the disposal of state AGs in the increasingly difficult struggle to protect consumer information, and may foreshadow how those high profile offices will respond to similar crises in the coming years.
The Litigation Fallout from Equifax
Equifax’s unprecedented data breach shook consumers across the nation and riled many prominent state Attorneys General. As expected, all have decried Equifax’s lax data security measures and system vulnerabilities and have apprised their constituents of the potential risks flowing from the breach. Many have taken aim at Equifax with more pointed action. Along the spectrum of state responses, the Massachusetts Attorney General’s Office acted swiftly and decisively.
Attorney General Maura Healey’s office sued Equifax in state court alleging violations of the Massachusetts Consumer Protection Act (G.L. c. 93A) and the Massachusetts Data Security Law (G.L. c. 93H). The complaint alleges that Equifax did not maintain a written information security program incorporating the minimum standards articulated in the Commonwealth’s data security regulations, and that Equifax did not timely notify consumers of the data breach. The crux of the lawsuit is that Equifax knew or should have known that the open source software supporting its consumer dispute portal contained a known, exploitable vulnerability, and that Equifax failed to apply the available patches or workarounds in time to protect consumers’ personal information. The complaint further asserts that, as a result of Equifax’s deficient data security program, Equifax exposed roughly 3 million Massachusetts residents, more than half of the Commonwealth’s adult population, to the risks of identity theft, tax return scams, financial fraud, medical identity fraud, and other harm. The lawsuit seeks as remedies: 1) civil penalties; 2) disgorgement of profits; 3) restitution; 4) litigation costs and attorney’s fees; and 5) all necessary, appropriate, and available equitable and injunctive relief to remedy and prevent harm to Massachusetts residents.
Equifax and the Continuing Revisions to State Data Breach Statutes
In addition, the Massachusetts Attorney General’s Office has, in concert with state legislators, introduced legislation entitled “An Act removing fees for security freezes and disclosures of consumer credit reports,” which aims to help consumers detect and remedy the misappropriation and misuse of their personal data. The bill imposes substantial obligations on nationwide consumer reporting agencies once a Massachusetts consumer receives notice that his or her personal information has been compromised. These include providing at least three free copies of the consumer’s credit report on request and, if the agency holds the consumer’s personal information, offering free identity theft protection services for not less than 60 months. The bill also directs the state’s Office of Consumer Affairs and Business Regulation to promulgate regulations requiring any entity that owns or licenses the personal information of 1,000 or more residents to encrypt that information where technologically feasible. Finally, the bill prohibits consumer reporting agencies from charging a fee to place or lift a security freeze on a consumer report.
In contrast, the California Attorney General’s Office, while strongly condemning Equifax’s conduct, has directed its response at the three major credit reporting agencies rather than at Equifax alone. In the aftermath of the breach, which affected 15 million Californians, Attorney General Xavier Becerra urged the three agencies to waive fees for security freezes and to take affirmative steps to ensure that the credit reports of affected consumers remain accurate and secure. The office has not opened a formal investigation or filed suit; instead, it has engaged in robust consumer outreach and on October 30, 2017 published consumer tips describing rudimentary but effective defensive measures against data security threats. Notably, the City and County of San Francisco had already filed a complaint against Equifax on behalf of the people of California on September 26, 2017, which may have influenced the Attorney General’s decision to forgo a sharper response of its own.
Somewhere between these two extremes are the Attorneys General of Texas and New York. In Texas, the Equifax breach affected the personal information of over 12 million consumers, and Attorney General Ken Paxton responded with one of the more powerful tools available to a state attorney general: the Civil Investigative Demand (CID). AG Paxton issued a CID to Equifax to gather information about the circumstances of the breach. The authorizing statute provides that whenever the consumer protection division of the Texas Attorney General’s Office believes that any person may be in possession, custody, or control of the original copy of any documentary material relevant to the subject matter of an investigation of a possible violation of the subchapter, it may issue a civil investigative demand.
Likewise, New York Attorney General Eric Schneiderman has employed a similar tactic, sending letters to the other two major credit reporting agencies, Experian and TransUnion, requesting information about the data security systems they had in place before the Equifax breach and the remedial steps they have taken in response to it. The Equifax breach affected more than 8 million New Yorkers. These requests for information will most likely lead to more formal proceedings.
The responses of the Attorneys General in these four states run the gamut of possible AG action in response to a serious consumer data security crisis, and they may provide a roadmap for how these offices will react to similar situations going forward. We will continue to monitor the Massachusetts litigation and flag any critical developments in the other three states.