Five states’ attorneys general are investigating why exactly it was that Equifax didn’t disclose its data breach for almost six weeks after its discovery. Said breach left the personal data of 145.5 million American compromised.
State officials are particularly concerned with trying to understand why Equifax didn’t fess up to the problem sooner — and trying to determine whether or not Equifax’s relative slowness was a violation of state laws the require firms to disclose such breaches to their customer base.
“We’re definitely interested in the answer to that question,” said James Boffetti, chief of the consumer-protection bureau in the New Hampshire attorney general’s office. “We are looking for a fuller explanation.”
Officials in Illinois and Connecticut are also investigating the issue, according to people familiar with the matter. The AG of Indiana is also investigating. Massachusetts Attorney General Maura Healey filed a lawsuit alleging Equifax failed to provide “timely notice” last month.
Equifax, for its part, has maintained that its behavior around breach notification was both consistent with their internal policy and with state statutes.
In a statement, the embattled firm noted, “the timeline of the incident and consumer notification are among the topics we have discussed with the attorneys general.”
Once it became aware that it had been the victim of a very serious breach, Equifax says it “moved swiftly and without delay,” and “absolutely met” the states’ standards for notifying consumers.