Regulators in almost every U.S. state have the authority to enforce cybersecurity compliance under their state’s laws, but until recently, they have rarely exercised this power, leaving enforcement mostly to federal agencies like the FTC. With the recent Equifax breach, this appears to be changing.
The Massachusetts Attorney General filed a complaint against Equifax on September 17, 2017, asserting that Equifax violated Massachusetts Data Security Regulations by failing to safeguard personal information of credit applicants. The complaint also includes claims for unfair acts and deceptive trade practices for the same alleged lapses in cybersecurity.
In addition, the complaint alleges that Equifax failed to provide the Massachusetts Attorney General and affected consumers with timely notice of the breach under the Massachusetts Security Breach Law. Section 3 of that statute requires that companies provide notice of a cyber breach to the Massachusetts Attorney General (and to the owner or licensor of the data if the company only maintains and does not own the data) “as soon as practicable and without unreasonable delay” once a company knows about the security breach. The Massachusetts Attorney General argues that Equifax’s six-week delay in notifying those affected by the breach was too long.
Other states could bring similar complaints. There are reports that Attorneys General (“AG”) from New York, Illinois, and Pennsylvania have contacted Equifax, and that New York’s AG, Eric Schneiderman, has opened an investigation. Almost every state has a breach notification requirement similar to the Massachusetts statute, and eighteen states, including Texas and New Jersey, also have requirements that companies protect personally identifiable information. In light of recent high-profile breaches, other states are likely to enact similar regulations. Additionally, most states have consumer protection statutes prohibiting unfair acts and deceptive trade practices similar to the ones being used by Massachusetts in the Equifax case. While these state statutes have not been used previously in actions relating to cybersecurity breaches, this also may change, depending on what happens in the Massachusetts case.
We will keep you posted on any significant developments in this case.