NH set to join multistate probe of Equifax
Nearly half the state’s population affected by data breach
The state attorney general’s office will probably be collaborating with counterparts in other states looking into the massive Equifax security breach, which could affect almost half of the state’s population.
“I am confident we will participate in some sort of multistate investigation,” said Senior Assistant Attorney General James Boffetti, who runs the office’s Consumer Protection Bureau. The bureau has been fielding calls and emails ever since Sept. 7, when the credit reporting agency revealed that 622,458 state residents could be affected by the three-month-long breach, which Equifax discovered on July 29.
Altogether, criminals were able to collect the names, Social Security numbers, birthdates and sometimes driver’s license information of 143 million Americans. The breach has already prompted a congressional inquiry and at least 23 class action lawsuits. Vermont’s attorney general’s office said it is considering a lawsuit over the time it took Equifax took to disclose the information, which could have violated state law, according to the website VTDigger.
407 reported breaches
Boffetti said it was too soon to start talking about a lawsuit, but New Hampshire also has requirements about recording security breaches, an extremely common occurrence. Indeed, by the time Equifax reported its breach, 407 other companies had notified New Hampshire of breaches, an average of roughly two a day.
Some are national companies like Intuit, which revealed on Aug. 15 someone hacked into two New Hampshire residents’ tax returns. Velcro in Manchester reported on Sept. 1 that its payroll system was breached and there was an attempt to divert a dozen paychecks into pre-owned bank card accounts. The University of New Hampshire reported on Aug. 14 that two user accounts were hacked.
But none of the 407 reported breaches approach the massive breach at Equifax, one of the three major credit reporting agencies in the county.
Equifax response of setting up a website so consumers can check whether their data was compromised and offering services like fraud alerts and credit freezes – was roundly criticized, publicly and legally.
Boffetti – who found that he himself was affected by the breach – said he was frustrated that he tried to sign up for the alerts, but that the time to start that process kept on being pushed back.
“It’s frustrating,” he said. “They don’t seem to have their act together.”
The frustration goes deeper than that. Boffetti, who regularly checks on his credit report at Equifax to prevent identity theft speculated that such diligence may have made him vulnerable to it.
“They let us down,” he said. “It just seems ironic that the very place you go to protect your confidential information leaks that information.”
New York Attorney General Eric Schneiderman's office lambasted the company over an implication that those who registered for TrustedID would waive their rights to pursue class-action lawsuits and instead would have to pursue legal claims through arbitration. Equifax quickly clarified that this wasn’t a requirement, but some class action lawsuits also criticized Equifax for steering people to TrustedID, which it owns.
“Equifax sought to turn its failure to protect consumers' sensitive data into a clandestine money-making opportunity,” charged a California suit.
The company also waived fees for credit freezes for a month after it was roundly criticized in the media for charging for them.
Boffetti said that the Consumer Protection Bureau has been receiving a steady flow of inquiries about the breach. Some wanted to know about the class action lawsuits.
In addition to fraud alerts, he suggested that consumers keep a close eye on their credit card and bank statements, and not just those who might be impacted with the Equifax breach.
“The reality is that our personal information is not ours anymore,” said Boffetti. “Unless you only operate in cash, it is so widely available that it is very difficult to protect.”
What can the state do about it? State Rep. Neal Kurk, R-Weare, a strong privacy advocate, said not much.
“This is not a privacy issue but a security issue,” he said. “Privacy is what data could be collected and who should have access to it. Security is the obligation to keep that data safe. Equifax failed to do that.”