As explained in this detailed press release, Massachusetts Attorney General Maura Healey today filed the nation’s first enforcement action against Equifax alleging that the company failed to protect the personal information of almost three million Massachusetts residents. Healey claims that “that Equifax knew about the vulnerabilities in its system for months, but utterly failed to keep the personal information of nearly three million Massachusetts residents safe from hackers.” “We are suing." she said, "because Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again.”
Read the complaint here. If you want details on how and why the data breach occurred, read paragraphs 21 through 49.
The complaint stresses that consumers don't consent to the acquisition and use of their information by credit reporting agencies and, for that reason, those agencies have a heightened duty to protect consumers:
Consumers do not choose to give their private information to Equifax, and they do
not have any reasonable manner of preventing Equifax from collecting, processing, using, or
disclosing it. Equifax largely controls how, when, and to whom the consumer data it stockpiles
is disclosed. Likewise, consumers have no choice but to rely on Equifax to protect their most
sensitive and personal data. Accordingly, it was and is incumbent on Equifax to implement and
maintain the strongest safeguards to protect this data. Equifax has failed to do so.