On April 2, 2018, the Superior Court of Suffolk County, Massachusetts denied Equifax, Inc.’s motion to dismiss the Commonwealth’s case against it related to the company’s widely publicized 2017 data breach. Although the ruling does not determine who will ultimately prevail in the action, it outlines several key considerations for any company that stores consumer data.
In mid-2017, hackers accessed consumer information held by Equifax, one of three national credit reporting bureaus. On September 19, 2017, the Commonwealth of Massachusetts, acting through its Attorney General, filed suit against Equifax alleging that the company (1) failed to give prompt notice of the data breach to the Attorney General and affected consumers; (2) failed to adequately guard consumers’ personal information; and (3) committed unfair acts or practices by falsely advertising its data security and by failing to take adequate steps to mitigate public harm. Equifax moved to dismiss on numerous grounds including that the complaint failed to allege that Equifax had unreasonably delayed providing notice; that the mere occurrence of a data breach does not mean that the company failed to adequately safeguard information; and that the Commonwealth had failed to allege non-compliance with federal law.
The Superior Court denied Equifax’s motion in all respects. While the court agreed that a data breach is not a per se violation of the Massachusetts data security regulations, it concluded that the Commonwealth had sufficiently alleged that Equifax was on notice of software vulnerabilities but failed to address them in a timely manner. The court also concluded that Equifax’s other arguments could not be decided on a motion to dismiss because they were affirmative defenses or otherwise required findings of fact.
Storing and protecting consumer information is a fact of life for every financial institution. Massachusetts’ case against Equifax puts a spotlight on a handful of considerations. First, companies should ask themselves what procedures they have in place to monitor for, and promptly apply, software patches and updates. Second, companies should ensure their public statements about data security align with their actual practices. Third, and as always, companies should consider what their legal and contractual notification requirements are in the event of an incident. Notification requirements may be found in state law, federal law and regulations, and contracts. Further, companies should have policies and procedures in place to evaluate whether, and which, notifications are required after a data security incident occurs.