SF sues Equifax over massive data breach

San Francisco is suing credit monitoring company Equifax after the company announced earlier this month that its website was breached, affecting more than 140 million Americans.

The company, which collects people’s personal information, including social security numbers and financial information, has sparked outrage from local, state and federal officials. On Tuesday, Equifax CEO Richard Smith stepped down from his position effective immediately.

San Francisco is the first city in the U.S. to file lawsuit against Equifax. At least 15 million people were affected by the breach in California.

City Attorney Dennis Herrera, who announced the lawsuit against the credit motioning company, said in a statement:

“This company fell asleep at the switch and upended the lives of millions of people. The information that Equifax failed to safeguard is what people need to open a bank account, buy a home or rent an apartment. Now Californians have been put at risk of identity theft for years to come.”

The lawsuit states that Equifax failed to “implement and maintain reasonable security procedures and practices,” provide timely notice about the data breach to California consumers affected by the breach, and provide complete and clear information when the company did finally provide notice to consumers.

California law states that a person or business in the state must immediately contact those affected by a data breach that includes personal information, unless prohibited by a law enforcement agency due to an investigation.

Equifax discovered the breach on July 29 but did not make the announcement publicly until Sept. 7.

Herrera is seeking restitution of up to $2,500 per violation of the law for consumers who purchased the credit monitoring service before Sept. 7, 2017. The lawsuit also orders the court to make Equifax to “maintain and appropriate security procedures for the highly sensitive information it handles.”

Equifax could have avoided the breach if they had downloaded a free software patch earlier in March when there was a vulnerability with the software that the company was using at the time, said Herrera:

“When you’re dealing with highly sensitive information, keeping your software up to date is such a basic step.”

He added:

“Equifax made a bad situation worse. Their delay prevented more than 15 million California consumers from taking immediate action to protect themselves from the risk of identity theft and fraud.”