On April 17, 2020 the Massachusetts Attorney General Maura Healey announced that her state had reached a $18.2 million settlement with Equifax to resolve claims arising from the 2017 data breach, resulting in the exposure of personal information for almost 148 million consumers across the US, including 3 million residents in Massachusetts. Massachusetts is one of two states that, along with Indiana, filed separate lawsuits against Equifax, while 50 other states and territories joined a nationwide class action settlement that paid out $175 million back in July 2019. Massachusetts is also one of the final states to reach a settlement with the Equifax that, when coupled with Indiana’s recent settlement, effectively concludes the state AG matters with the company.
According to AG Healey, Massachusetts filed a separate lawsuit in order to address specific violations of Massachusetts consumer protection and data protection laws. Under this settlement, Equifax is required to significantly strengthen its security practices in order to comply with Massachusetts law, that includes minimizing the collection of sensitive data, regular network monitoring, the identification of critical security updates, and an independent assessment of its data security systems. Regarding consumer entitlements, Massachusetts consumers, much like to those in Indiana, get a few extras that the multi-state agreement didn’t cover, such as 2 free credit reports every 12 months until the end of 2024, as well as an Escalated Identity Theft Block Process that allows the Massachusetts AG’s Office to escalate matters within Equifax in the event the company fails to block potentially fraudulent information on Massachusetts consumers’ credit reports.
According to the Massachusetts AG’s Office, the $18.225 million penalty will be paid to the state’s general fund with a portion of the proceeds earmarked for local consumer aid programs. Unlike Indiana whose AG vowed to use most of its $19.5 million settlement as restitution for affected residents, Massachusetts consumers must seek relief from the Consumer Restitution Fund, a $425 million fund set up for the benefit of all consumers affected by the data breach. The Consumer Restitution Fund was established in 2019 as part of the global settlement reached between Equifax, the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 states and territories.