Submit to Digest

People of the State of California v. Equifax: San Francisco becomes the first city to sue Equifax over the massive data breach earlier this year.

Reports First Amendment Privacy

People of the State of Cal. v. Equifax, Inc., No. CGC-17-561529 (S.F. Super. Ct. filed Sept. 26, 2017) complaint hosted by consumerfinancemonitor.com

On September 26, 2017, the City of San Francisco (“the City”) initiated a suit against Equifax in a state court stemming from a data breach that occurred earlier this year. The City claimed Equifax has acted unlawfully, unfairly, and/or fraudulently in violation of Section 17200 of the California Business and Professions Code (“Section 17200”), Cal. Bus. & Prof. Code § 17200. This suit is one of the first city-led actions against a private company following a data breach.

Equifax is one of the largest national credit-reporting services in the United States and collects consumers’ personal and financial data from many sources to compile a consumer credit report. Credit reports are used in lending decisions, hiring decisions, and many aspects of modern life. Equifax owns and maintains the data of more than 820 million consumers worldwide, including 15 million Californian consumers. Between May 13, 2017 and July 30, 2017, data including consumers’ personal and credit card information was stolen from Equifax due to a vulnerability in an open-source Apache software used on Equifax’s website. As of July 29, 2017, the personal data of potentially 143 million U.S. consumers and the credit card details of 209,000 consumers were stolen.

Despite Apache discovering, announcing, and releasing a patch for this vulnerability in March 2017, the City alleged Equifax did not implement the patch or introduce additional security to protect consumer data the company held. The City also alleges that Equifax did not announce the data breach until six weeks after it was discovered, depriving affected consumers of the ability to limit the repercussions of the data breach.

The City argues Equifax violated Section 17200 by violating three separate provisions of California law. First, Equifax violated Section 1798.81.5(b) of the California Civil Code, Cal. Civ. Code § 1798.81.5(b) by failing to implement and maintain reasonable security to protect consumers’ data. Second, Equifax violated Section 1798.82(a) and (b) of the California Civil Code, Cal. Civ. Code § 1798.82, by failing to provide timely notice of the data breach to affected consumers. Third, Equifax violated Section 1798.82(d) of the California Civil Code, Cal. Civ. Code § 1798.82(d), by failing to disclose required information to affected individuals. The City is seeking monetary damages and an injunction requiring Equifax to comply with California data security and breach notification statutes.

Data breaches are not a new occurrence. Recently, Yahoo, Uber, Anthem, Home Depot, Target, the Office of Personnel Management, and Ashley Madison have experienced significant data breaches leading to lawsuits. These lawsuits have generally been consumer class actions in federal court, which have struggled to establish legal standing. In contrast, this case will be litigated in state court and rests on consumer protection issues, which is distinct from typical data breach litigation.

In certain cases, state attorney generals’ offices have been involved in investigations separate from the class-action lawsuit. Earlier this year, Target reached a $18.5m settlement with 47 states and the District of Columbia in the largest multistate data breach settlement with regulators to date. California received the largest settlement payout of any state. Target further agreed to update its data security procedures. In July, Ashley Madison reached a $11.2m settlement with the Federal Trade Commission and several states following a data breach in 2015 that exposed users’ personal details.

Yet even though Equifax faces several consumer lawsuits, there is little precedent for a city to sue a company for a data breach. Massachusetts has already filed suit against Equifax and, subsequent to San Francisco’s suit, the city of Chicago has filed suit against Equifax on behalf of Chicago residents. The severity of the data breach has already attracted much media attention, and there will be additional attention over the results of these suits.

Yi Yuan is a 1L student at Harvard Law School.