The lawsuit makes San Francisco the first city to take legal action against Equifax after an enormous data breach that compromised the personal data — names, Social Security numbers and information on financial accounts — of about 143 million U.S. consumers.
More than 20 private lawsuits have been filed against Equifax nationwide in connection with the breach, which has rattled the company.
On Tuesday, Equifax announced that its CEO and board chairman, Richard Smith, was stepping down immediately. Paulino do Rego Barros Jr., most recently president of Equifax’s Asia-Pacific region, has been appointed interim chief executive as the company searches for a permanent replacement.
The company named board member Mark Fielder as Equifax’s nonexecutive chairman.
“Speaking for everyone on the board, I sincerely apologize,” Fielder said in a statement referring to the data breach.
Equifax announced on Sept. 7 its computer systems had been compromised, six weeks after it had first detected a problem, on July 29. The company said it “acted immediately to stop the intrusion” once it was discovered, but the decision to wait more than a month to notify the public “made a bad situation worse,” Herrera said in a statement announcing the lawsuit.
“Their delay prevented more than 15 million California consumers from taking immediate action to protect themselves from the risk of identity theft and fraud,” Herrera said.
A subsequent investigation conducted by the cybersecurity firm Mandiant revealed that the company’s systems had been infiltrated between May 13 and July 30.
Herrera’s suit, brought on behalf of the people of California, also accuses Equifax of failing to update its computer systems with a critical software patch that Herrera alleges could have prevented the breach. The patch was made freely available in March 2017, months before the hack occurred.
“When you’re dealing with highly sensitive information, keeping your software up to date is such a basic step,” Herrera said.
Equifax spokeswoman Ines Gutzmer said the company would not comment on pending litigation, but encouraged consumers to sign up for a year’s worth of free credit monitoring services at www.equifaxsecurity2017.com that can detect potentially fraudulent activity.
Gutzmer added that Equifax wanted “to reassure consumers that we are remaining focused on helping them navigate the situation and providing the best customer support possible.”
Consumer privacy experts have also recommended that consumers monitor their credit reports and bank records to spot improper transactions or the creation of fraudulent accounts. Consumers are also being urged to place fraud monitors on existing bank and credit card accounts, if their financial institution offers them.
In addition to restitution for Californians who purchased Equifax credit monitoring services prior to Sept. 7, when the breached was disclosed, the suit seeks civil penalties of up to $2,500 per violation of state law and a court order requiring Equifax to maintain “appropriate” security measures in the future.
“The case has just started, and we’re still in the process of assessing all of Equifax’s unlawful conduct,” said John Coté, a spokesman for the city attorney’s office. “There are 15 million victims in California, and this case could involve many millions of dollars.”
©2017 the San Francisco Chronicle Distributed by Tribune Content Agency, LLC.