The state of Indiana has filed suit in Indiana state court against Equifax, Inc. and two of its subsidiaries for civil penalties, injunctive relief and consumer restitution arising out of a 2017 data breach alleged to have compromised personal information of 3.9 million Indiana residents, and 147.9 million individuals throughout the US. The complaint alleges that in its pursuit of aggressive cost-cutting measures, Equifax ignored security updates for known vulnerabilities, and outsourced information security contracts irresponsibly, leaving the company with a ten-year information security deficit, while representing to consumers that their information, including payment card information, was secure.
Indiana claims that Equifax violated the Indiana Deceptive Consumer Sales Act, Ind. Code § 25-5-0.5-1 et seq, which prohibits a supplier from committing an “unfair, abusive or deceptive act, omission, or practice in connection with a consumer transaction,” by failing to follow its own policy on patching and remediating vulnerabilities, on replacing certificates, on password security and data encryption; by misrepresenting the state of its information security systems; and by failing to comply with payment card industry standards, resulting in a greater likelihood that 3.9 million Indiana residents would suffer an identity theft crime.
The state also alleges violations of the Indiana Disclosure of Security Breach Act, Ind. Code Chapter 24-4.9-3-1(a) and 24-4.9-3-4, which requires a database owner to disclose a breach to Indiana residents whose personal information may have been acquired by an unauthorized person.
The state seeks injunctive relief, restitution for aggrieved consumers, civil penalties for Equifax’ knowing violations and deceptive acts, and costs.