The city of Chicago has filed suit against Equifax in the wake of the credit monitoring company’s massive data breach.
In its filing Sept. 28 in Cook County Circuit Court, the city leveled counts against Georgia-based credit reporting bureau Equifax Inc., under the city’s Consumer Fraud, Unfair Competition or Deceptive Practices Ordinance. The city noted, from March 7 - July 30, Equifax “left at lest 143 million individuals’ sensitive and private information exposed and vulnerable to intruders by relying on certain open-source code (called ‘Apache Struts’) that Equifax knew or should have known was insecure and subject to exploitation.”
The city said Equifax failed to avail itself of patches, workarounds or other remedies for the identified vulnerability, such as data encryption or additional security data, and as such should bear responsibility for allowing its servers to be improperly accessed between May 13 and July 30. The city estimated in its complaint that, of the 143 million people whose data was compromised, 5.4 million are Illinoisans.
The complaint cited Illinois’ Personal Information Privacy Act, which required Equifax to provide Illinois residents timely notice of the data breach. In addition to not announcing the vulnerability until Sept. 7, the city said Equifax still has not provided disclosure notifications to Chicago residents as required and specified under both state law and city ordinance.
Formal allegations include failure to give prompt notice of data breach and two counts of failure to safeguard personal information — one as an unfair business practice and one as a deceptive practice. According to the complaint, statutory fines for violating the city ordinance for each of those three counts are between $2,000 and $10,000 per day for each violation involving potentially millions of Chicago residents.
According to the complaint, any violation of the state’s Personal Information Privacy Act automatically “constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Act,” and further that any such unlawful practice under the state fraud law is legally considered a distinct violation of the municipal ordinance. In addition to the statutory fines, which compile daily, the city also argued it is entitled to equitable relief, including restitution of $10,000 for each day Equifax has not properly notified a Chicago resident of the breach.
The city further alleged Equifax further committed deceptive practices by offering “complimentary identity theft protection and credit file monitoring” when enrollment in those services required people to sign agreements waiving rights to participate in class action or individual arbitration and that the services were subject to automatic paid renewal after the first year. Violations of that nature are between $2,000 and $10,000 per day per offense.
The city said it also is entitled to restitution of $10,000 per day for the deceptive practice claim, following the same chain wherein violations of the state law double as violations of city ordinance.
In addition to a jury trial, the city also wants the court to issue a preliminary and permanent injunction forcing “Equifax to use adequate security measures to protect its websites and computer systems from attacks by hackers and to prevent future unauthorized access of Chicago residents’ sensitive personal and financial information.”
With its legal action, Chicago has now joined San Francisco and Massachusetts on the list of state and local governments suing Equifax, ostensibly on behalf of their residents.
In articles published elsewhere, Chicago city aldermen have indicated damages for violating the ordinance could run well into the hundreds of millions of dollars, and the aldermen have held out hope such a windfall could help City Hall balance its budget.
Representing the city in the complaint is the city’s Department of Law.
No attorneys have yet registered appearances on behalf of Equifax.