(Bloomberg) — Massachusetts Attorney General Maura Healey put her state on track to be the first to sue Equifax Inc. over a massive data breach that affected about 143 million U.S. consumers, including 3 million in her state.
The lawsuit will allege that Equifax failed to maintain appropriate safeguards for the personal information in violation of state rules governing consumer protection and data privacy, Healey said Tuesday in a statement.
“This may be the most brazen failure to protect consumer data we have ever seen,” she said. “My office is acting as quickly as possible to hold Equifax accountable for the risks that millions of consumers now face.”
Ines Gutzmer, a spokeswoman for Atlanta-based Equifax, didn’t immediately return a call seeking comment.
The cyberattack at the credit-reporting firm, reported last week, may have compromised the personal data of almost half the U.S. population. New York Attorney General Eric Schneiderman opened an investigation last week, while Connecticut and other states have said they’d seek information about the breach.
The lawsuit will be the first of many by state attorneys general, with investigations by the Justice Department and the Federal Bureau of Investigation likely to follow, said Jon Barooshian, a former prosecutor in Massachusetts who isn’t involved in the case.
“This is an egregious failure to protect personal data by one of the three leading consumer credit reporting agencies who the public has no choice but to trust,” Barooshian said.
The company’s data are used by businesses to make decisions about consumers’ credit worthiness, affecting whether they can buy a house, get a loan, lease a car or even get a job.
“Consumers have little to no control over the information about them that Equifax acquires,” Healey said.
In the wake of the breach, Equifax said it was offering its credit-monitoring service at no charge, but customers were alarmed at what appeared to be a requirement that individuals give up their right to join lawsuits in exchange for the service. Equifax is already facing dozens of consumer class actions across the country.
Schneiderman’s office said in a separate statement on Tuesday that after a conversation with the company, Equifax updated its website to address those concerns. Consumers won’t be required to waive their legal right to join a class-action suit as a condition for taking advantage of the free credit monitoring and identify theft protection, according to the statement.
“The victims of this breach shouldn’t also have to worry that they’ve waived their legal rights simply because they were trying to protect themselves,” Schneiderman said in the statement.
Massachusetts already has some experience with probing another credit service, Experian. The state’s former attorney general, Martha Coakley, began investigating a security breach involving an Experian unit that allowed criminals access to Social Security numbers and other personal data of more than 200 million people.
That probe, which is ongoing, relates to a company called Court Ventures that Experian had acquired. Court Ventures had a data-sharing agreement with U.S. InfoSearch, where the security breach occurred. No breach occurred at Experian in that case.