Mayor Rahm Emanuel, Chairman Edward M. Burke, and Chicago Corporation Counsel Ed Siskel today announced that the City of Chicago has filed a lawsuit against Equifax to ensure that the company is held accountable for its recent data breach and its failure to give timely notice to Chicago residents, as well as to force the company to offer remedies and restitution to those impacted by the breach.
“Chicago residents have been unnecessarily exposed to financial risks due to Equifax’s irresponsible and reckless actions that prioritized profit over the privacy and safety of consumer data,” said Mayor Emanuel. “We are taking action to hold this company accountable and to protect the residents of Chicago.”
From at least March 7, 2017 through July 30, 2017, Equifax left at least 143 million – with more than 5 million in Illinois – consumers’ sensitive and private information exposed and vulnerable to intruders by relying on certain open-source code that Equifax knew or should have known was insecure and subject to exploitation. Although patches, workarounds, and other fixes for the related vulnerability were available and known to Equifax, it failed to avail itself of these remedies, or to employ other security controls, such as encryption of data or multiple layers of security, that would help to protect consumers’ personal data.
As a result, hackers were able to access Equifax’s computer system from at least May 13, 2017 through July 30, 2017, and according to Equifax’s own estimates, reportedly stole sensitive and personal information of 143 million consumers. This data breach, which Equifax first disclosed to the public on September 7, 2017, exposed to still-unknown persons the most sensitive personal and financial data of Chicago residents, including full names, social security numbers, dates of birth, addresses, and for some consumers, credit card numbers, driver’s license numbers, and/or other personally-identifiable information.
“I commend Mayor Emanuel and Corporation Counsel Siskel for filing suit against Equifax,” said Chairman Burke. “This is a breach of epic proportions and Equifax should be prosecuted to the full extent of the law. Chicago citizens rely on City government to protect them.”
Chicago’s lawsuit claims that Equifax violated the Illinois Personal Information Privacy Act, the Illinois Consumer Fraud and Deceptive Business Practices Act and the Chicago Consumer Fraud ordinance by exposing this information, failing to provide prompt notice of the breach and misleading concerned consumers by initially falsely representing that it was offering “complimentary identity theft protection and credit file monitoring” while requiring a waiver from future legal action.
“The evidence in this case clearly points to violations of state law and the city’s consumer protection ordinance, and we have an obligation to any resident who has been impacted to seek remedies and fines as a penalty,” said Corporation Counsel Siskel.
Chicago’s lawsuit seeks civil penalties, restitution, and other available relief to address, remedy and prevent harm to Chicago residents resulting from Equifax’s actions and inactions. The penalty for violating Chicago’s ordinance is a fine of not less than $2,000 nor more than $10,000 for each offense, and each day that a violation continues shall constitute a separate and distinct offense to which a separate fine shall apply.