States Respond to Equifax Cyber Breach with Enforcement Actions and Calls for Enhanced Regulatory Powers
The Equifax cyber breach resulted in the theft of personal information belonging to millions of American consumers. While significant enforcement actions are generally initiated by federal agencies, several states have recently taken measures in response to the breach. In a memorandum, lawyers posited that, if this trend continues, organizations that are responsible for defending against cyberattacks, or that are victimized by successful hacks, may have to answer to both state and federal regulators.
The attorneys highlighted the following state investigative and enforcement measures:
- Massachusetts' civil action against Equifax. In the first enforcement action arising from the breach, the Massachusetts Attorney General charged Equifax with failing to adequately protect consumer data, and with other related violations.
- State investigations into the breach. States such as New York, Illinois, and California have initiated investigations. The attorneys noted that most states have data breach notification laws that allow attorneys general ("AGs") to bring enforcement actions for non-compliance. (In New York, for example, the AG can seek to recover damages for affected customers and impose a fine of up to $150,000.) In addition, AGs and consumer protection regulators from over forty states signed a letter expressing concerns over the breach and demanding additional cybersecurity measures from other credit reporting agencies.
- New York efforts to expand regulatory powers. New York's AG renewed his call to pass the New York Data Security Act, which would (i) oblige businesses to develop and maintain certain data protection safeguards, (ii) expand the definition of "private information" to provide for greater protections, (iii) offer immunity from civil liability for companies that comply with certain security guidelines, (iv) incentivize companies to share information about data breaches with law enforcement, and (v) empower the New York AG to seek penalties of up to $250 per person whose private information is compromised in a breach, up to a maximum of $10 million (with increased thresholds for "reckless" violations). New York Governor Andrew Cuomo also directed the Department of Financial Services ("DFS") to propose regulations that would extend DFS jurisdiction to credit reporting agencies, requiring these companies to (i) register with the DFS and (ii) comply with the previously issued "first-in-nation" DFS cybersecurity regulations.
Commentary
The scope of the Equifax breach appears to be a tipping point. States are calling for more muscular action, including more aggressive statutes, compliance examinations, and enforcement actions. As a result, businesses must be mindful not only of federal data protection standards and rules, but also of increasingly strict state rules. Businesses that hold sensitive data that cybercriminals might seek to exploit would do well to revisit their cybersecurity controls, policies, and procedures regularly to ensure that they comply with all applicable laws.