
Commonwealth v. Equifax, Inc.

Superior Court of Massachusetts, Suffolk, Business Litigation Session

April 2, 2018

COMMONWEALTH of Massachusetts
v.
EQUIFAX, INC.

File Date: April 3, 2018

MEMORANDUM AND ORDER DENYING DEFENDANT’S MOTION TO DISMISS

Kenneth W. Salinger, Justice Superior Court

          This lawsuit concerns a massive breach of databases maintained by Equifax, Inc., as part of its credit-reporting business. Equifax collects, organizes, analyzes, and stores data concerning individual consumers, and then creates and sells "credit reports" and "credit scores" for those consumers. In 2017 hackers infiltrated Equifax’s computer systems. They accessed and presumably stole credit card numbers and other personal identifying information belonging to millions of people.

The Commonwealth of Massachusetts, acting through its Attorney General, has sued Equifax on behalf of Massachusetts residents whose personal information was stolen. The Commonwealth alleges that Equifax failed to properly safeguard its databases and failed to provide prompt notice of the data breach. It asserts claims under G.L.c. 93H (the Massachusetts Data Breach Notification Law), 201 C.M.R. § 17.00 et seq. (the Massachusetts Data Security Regulations), and G.L.c. 93A (the Massachusetts Consumer Protection Act).

         Equifax seeks to dismiss all claims against it under Mass.R.Civ.P. 12(b)(6). The Court will DENY this motion because the Commonwealth alleges facts plausibly suggesting that Equifax violated Massachusetts law by not taking reasonable steps to protect personal information and by not promptly informing Massachusetts consumers about and taking adequate steps to remedy the data breach.[1]

         1. Claims Under G.L.c. 93H and the Implementing Regulations

         1.1. Count II Adequately Alleges Violation of Data Security Regulations

         Count II of the Commonwealth’s complaint alleges that Equifax failed to develop, implement, and maintain an adequate written information security program (or "WISP"), and that this failure made the data breach possible. In particular, the complaint alleges that Equifax knew or should have known by March 7, 2017, that there was a serious security vulnerability in certain open-source computer code that Equifax used in its systems, that Equifax could have but failed to patch or upgrade its software to eliminate this vulnerability, and that as a direct result hackers accessed and stole personal information from Equifax’s databases. The complaint also alleges that Equifax did not even take reasonable steps to determine whether unauthorized parties were infiltrating its computer systems. The Commonwealth alleges that these failures by Equifax violated 201 C.M.R. §§ 17.03 and 17.04.

These allegations state a viable claim for violation of the data security regulations. The Court agrees with Equifax that the mere existence of a data breach "does not translate into a violation of Chapter 93H or the Data Security Regulations." But here the Commonwealth alleges that Equifax knew for months it needed to patch its open-source code in order to keep its databases secure (or at least that it should have been aware that the software provider had provided public notice of the software vulnerability and how to fix it) and that it failed to do so. These allegations plausibly suggest that Equifax breached its legal duties to address all reasonably foreseeable risks to its data security under 201 C.M.R. § 17.03(2)(h), and to implement reasonably up-to-date patches to its software under 201 C.M.R. § 17.04(6) and (7).

Equifax argued for the first time during oral argument that these regulations cannot be applied here because: (i) the statute distinguishes between and imposes different data breach disclosure obligations upon someone "that owns or licenses data that includes personal information," on the one hand, and someone "that maintains or stores, but does not own or license" such data, see G.L.c. 93H, § 3; (ii) the Legislature authorized the Department of Consumer Affairs and Business Regulation (the "Department") to "adopt regulations relative to any person that owns or licenses personal information of residents of the commonwealth," but did not authorize data security regulations to govern entities that maintain or store but do not own or license such information, see G.L.c. 93H, § 2(a); and (iii) although Equifax may store or maintain such personal information, the Commonwealth has not adequately alleged that Equifax "owns or licenses" such information. The Court is not convinced.[2]

The facts alleged by the Commonwealth plausibly suggest that Equifax owns or licenses data containing personal information, for purposes and within the meaning of G.L.c. 93H and the data security regulations. The Commonwealth alleges that the "primary business" of Equifax "consists of acquiring, compiling, analyzing, and selling sensitive and personal data." It asserts that "Equifax largely controls how, when, and to whom the consumer data it stockpiles is disclosed." The complaint further alleges that Equifax maintains proprietary databases that contain "consumer names, addresses, full social security numbers, dates of birth, and for some consumers, driver’s license numbers and/or credit card numbers." And it contends that Equifax uses this data to create and sell "credit reports" that include this and other personal information. All of these subsidiary allegations readily support the Commonwealth’s express allegation that "Equifax owned or licensed personal information of at least one Massachusetts resident."

         An entity that creates and owns proprietary databases containing consumers’ personal information would appear to "own" that information within the meaning of G.L.c. 93H. As noted above, the statute distinguishes entities that merely "maintain" or "store" personal information from those that have an ownership interest in the data. Companies that offer cloud storage services, for example, may and probably do maintain and store personal information that they cannot sell or otherwise control as owners. In contrast, Equifax allegedly maintains its own proprietary database and sells reports containing consumers’ personal information.

          These allegations plausibly suggest that Equifax should be treated as an "owner" of this database and the personal information it contains for the purposes of G.L.c. 93H, even if the underlying data themselves belong to someone else or have been shared and thus are no longer confidential.[3] Compare New England Overall Co. v. Woltmann, 343 Mass. 69, 77 (1961) (employer had proprietary interest in confidential customer database) with American Window Cleaning Co. of Springfield, Mass. v. Cohen, 343 Mass. 195, 199 (1961) ("Remembered information as to the plaintiff’s prices, the frequency of service, and the specific needs and business habits of particular customers was not confidential") and DiAngeles v. Scauzillo, 287 Mass. 291, 297-98 (1934) (employer may own written list of customers, even though it cannot own employee’s memory or personal notes of client information).

         1.2 Count I Adequately Alleges Untimely Disclosure

         Count I alleges that Equifax violated the Massachusetts Data Breach Statute by failing to provide prompt notice to the Attorney General, the Department, and affected individual consumers about the data breach. The Commonwealth alleges that Equifax knew or should have known about the data breach by July 29, 2017; and that Equifax waited to provide the required notice until September 7, 2017. It further alleges that Equifax did not provide notice "as soon as practicable and without unreasonable delays" as required by G.L.c. 93H, § 3(b).[4]

         Equifax argues that the facts alleged in the complaint do not plausibly suggest that it failed to give the required notice ...
