Superior Court of Massachusetts, Suffolk, Business Litigation Session
File Date: April 3, 2018
MEMORANDUM AND ORDER DENYING DEFENDANT'S MOTION TO DISMISS
Kenneth W. Salinger, Justice Superior Court
This lawsuit concerns a massive breach of databases maintained by Equifax, Inc., as part of its credit-reporting business. Equifax collects, organizes, analyzes, and stores data concerning individual consumers, and then creates and sells "credit reports" and "credit scores" for those consumers. In 2017 hackers infiltrated Equifax's computer systems. They accessed and presumably stole credit card numbers and other personal identifying information belonging to millions of people.
The Commonwealth of Massachusetts, acting through its Attorney General, has sued Equifax on behalf of Massachusetts residents whose personal information was stolen. The Commonwealth alleges that Equifax failed to properly safeguard its databases and failed to provide prompt notice of the data breach. It asserts claims under G.L.c. 93H (the Massachusetts Data Breach Notification Law), 201 C.M.R. § 17.00 et seq. (the Massachusetts Data Security Regulations), and G.L.c. 93A (the Massachusetts Consumer Protection Act).
Equifax seeks to dismiss all claims against it under Mass.R.Civ.P. 12(b)(6). The Court will DENY this motion because the Commonwealth alleges facts plausibly suggesting that Equifax violated Massachusetts law by not taking reasonable steps to protect personal information and by not promptly informing Massachusetts consumers about and taking adequate steps to remedy the data breach.[1]
1. Claims Under G.L.c. 93H and the Implementing Regulations

1.1. Count II Adequately Alleges Violation of Data Security Regulations
Count II of the Commonwealth's complaint alleges that Equifax failed to develop, implement, and maintain an adequate written information security program (or "WISP"), and that this failure made the data breach possible. In particular, the complaint alleges that Equifax knew or should have known by March 7, 2017, that there was a serious security vulnerability in certain open-source computer code that Equifax used in its systems, that Equifax could have but failed to patch or upgrade its software to eliminate this vulnerability, and that as a direct result hackers accessed and stole personal information from Equifax's databases. The complaint also alleges that Equifax did not even take reasonable steps to determine whether unauthorized parties were infiltrating its computer systems. The Commonwealth alleges that these failures by Equifax violated 201 C.M.R. §§ 17.03 and 17.04.
These allegations state a viable claim for violation of the data security regulations. The Court agrees with Equifax that the mere existence of a data breach "does not translate into a violation of Chapter 93H or the Data Security Regulations." But here the Commonwealth alleges that Equifax knew for months it needed to patch its open-source code in order to keep its databases secure (or at least that it should have been aware that the software provider had provided public notice of the software vulnerability and how to fix it), and that it failed to do so. These allegations plausibly suggest that Equifax breached its legal duties to address all reasonably foreseeable risks to its data security under 201 C.M.R. § 17.03(2)(h), and to implement reasonably up-to-date patches to its software under 201 C.M.R. § 17.04(6) and (7).
Equifax argued for the first time during oral argument that these regulations cannot be applied here because: (i) the statute distinguishes between and imposes different data breach disclosure obligations upon someone "that owns or licenses data that includes personal information," on the one hand, and someone "that maintains or stores, but does not own or license" such data, see G.L.c. 94H, § 3; (ii) the Legislature authorized the Department of Consumer Affairs and Business Regulation (the "Department") to "adopt regulations relative to any person that owns or licenses personal information of residents of the commonwealth," but did not authorize data security regulations to govern entities that maintain or store but do not own or license such information, see G.L.c. 93H, § 2(a); and (iii) although Equifax may store or maintain such personal information, the Commonwealth has not adequately alleged that Equifax "owns or licenses" such information. The Court is not convinced.[2]
The facts alleged by the Commonwealth plausibly suggest that Equifax owns or licenses data containing personal information, for purposes and within the meaning of § 93H and the data security regulations. The Commonwealth alleges that the "primary business" of Equifax "consists of acquiring, compiling, analyzing, and selling sensitive and personal data." It asserts that "Equifax largely controls how, when, and to whom the consumer data it stockpiles is disclosed." The complaint further alleges that Equifax maintains proprietary databases that contain "consumer names, addresses, full social security numbers, dates of birth, and for some consumers, driver's license numbers and/or credit card numbers." And it contends that Equifax uses this data to create and sell "credit reports" that include this and other personal information. All of these subsidiary allegations readily support the Commonwealth's express allegation that "Equifax owned or licensed personal information of at least one Massachusetts resident."
An entity that creates and owns proprietary databases containing consumers' personal information would appear to "own" that information within the meaning of G.L.c. 93H. As noted above, the statute distinguishes entities that merely "maintain" or "store" personal information from those that have an ownership interest in the data. Companies that offer cloud storage services, for example, may and probably do maintain and store personal information that they cannot sell or otherwise control as owners. In contrast, Equifax allegedly maintains its own proprietary database and sells reports containing consumers' personal information.
These allegations plausibly suggest that Equifax should be treated as an "owner" of this database and the personal information it contains for the purposes of G.L.c. 93H, even if the underlying data themselves belong to someone else or have been shared and thus are no longer confidential.[3] Compare New England Overall Co. v. Woltmann, 343 Mass. 69, 77 (1961) (employer had proprietary interest in confidential customer database) with American Window Cleaning Co. of Springfield, Mass. v. Cohen, 343 Mass. 195, 199 (1961) ("Remembered information as to the plaintiff's prices, the frequency of service, and the specific needs and business habits of particular customers was not confidential") and DiAngeles v. Scauzillo, 287 Mass. 291, 297-98 (1934) (employer may own written list of customers, even though it cannot own employee's memory or personal notes of client information).
1.2. Count I Adequately Alleges Untimely Disclosure
Count I alleges that Equifax violated the Massachusetts Data Breach Statute by failing to provide prompt notice to the Attorney General, the Department, and affected individual consumers about the data breach. The Commonwealth alleges that Equifax knew or should have known about the data breach by July 29, 2017; and that Equifax waited to provide the required notice until September 7, 2017. It further alleges that Equifax did not provide notice "as soon as practicable and without unreasonable delays" as required by G.L.c. 93H, § 3(b).[4]
Equifax argues that the facts alleged in the complaint do not plausibly suggest that it failed to give the required notice ...