Equifax is facing its first lawsuit from a state prosecutor’s office over a massive security breach that exposed the personal data of up to 143 million Americans.
Maura Healey, the attorney general of Massachusetts, announced her official intent to take Equifax to court on Tuesday.
“In all of our years investigating data breaches, this may be the most brazen failure to protect consumer data we have ever seen,” said Healey, a Democrat, in a statement.
Massachusetts will claim that Equifax did not “maintain the appropriate safeguards to protect consumer data,” violating state consumer protection and privacy laws, the attorney general’s office said in a press release.
Under state law, the Massachusetts attorney general’s office needs to issue a five-day notice to the company it plans to sue.
Equifax said on Thursday that sensitive information — such as names, social security numbers, birth dates, addresses and some driver’s license numbers — had been accessed by cyber criminals sometime between May and July.
Since then, the firm has faced a public firestorm over the incident, as well as its response to it.
Equifax initially required people who enrolled in free credit monitoring to waive their rights to sue the company. It later said customers could sue if they sent Equifax written notice within 30 days. On Tuesday, the company made clear that those who use their credit monitoring services do not waive the right to take legal action.
New York Attorney General Eric Schneiderman said the clarification came as a result of conversations with his office.
Schneiderman’s office is currently investigating the breach, as are attorneys general in Pennsylvania, Connecticut and Illinois.
Private class action suits against Equifax are also pouring in across the country, from California to Alabama to New Jersey.
There could be action on the federal level, too. Members of Congress have called for hearings, and the Consumer Financial Protection Bureau has said it’s looking into what happened.