Indiana Sues Equifax

Indiana’s Attorney General filed a lawsuit against Equifax, one of the nation’s three largest credit bureaus, accusing it of placing profits ahead of cybersecurity. The state is seeking civil penalties, costs, injunctive relief, and consumer restitution.

In 2017, Equifax experienced a data breach that affected the personal information of nearly 150 million Americans, about 4 million of whom were Indiana residents. In their official complaint, Indiana claims that Equifax’s CEO Richard Smith implemented cost-cutting measures to increase profits, which included outsourcing some of the company’s IT functions to India, leaving it open to cyber attacks.

In addition, the State claims that Equifax repeatedly assured consumers that the company had sound cybersecurity standards in accordance with the Payment Card Industry’s Data Security Standard (PCI standards), even though the company was in direct violation of the PCI standards. According to Indiana, a company fully compliant with PCI standards has never had a cyber breach.

“Despite its knowledge, Equifax made a conscious choice to break the rules, and continues to break the rules even today, continuing to expose consumers to risks without warning,” said the State. “Data breaches such as this one cause real harm to real people … This action against Equifax results from an extensive investigation, and we will continue our diligent efforts to protect consumers from illegal or irresponsible business activities.”

Indiana joins several other states that have filed suit against Equifax, including Massachusetts, West Virginia, and the territory of Puerto Rico. Cities, such as Chicago and San Francisco, have also filed suit against the credit bureau, and to make matters worse, the company is also under investigation by the Federal Trade Commission, the Consumer Financial Protection Bureau, and New York’s Department of Financial Services, according to Law360.