Equifax’s Motion to Dismiss Denied: Data Breach Complaint Alleges Sufficient Facts about Ownership or Licensing of Personal Information

Judge Salinger denied a motion to dismiss a lawsuit brought by the Massachusetts Attorney General against Equifax. The lawsuit stems from the massive Equifax data breach of 2017.

Moving under Mass. R. Civ. P. 12(b)(6), Equifax argued, among other things, that the Commonwealth did not adequately allege that Equifax “owns or licenses” personal information within the meaning of G.L. c. 93H (the Massachusetts Data Breach Notification Law).

Judge Salinger rejected Equifax’s argument, holding that the complaint’s “allegations plausibly suggest that Equifax should be treated as an ‘owner’ of [a proprietary] database and the personal information it contains for the purposes of G.L. c. 93H, even if the underlying data themselves belong to someone else or have been shared and thus are no longer confidential.”

Judge Salinger noted:

The Commonwealth alleges that the “primary business” of Equifax “consists of acquiring, compiling, analyzing, and selling sensitive and personal data.” It asserts that “Equifax largely controls how, when, and to whom the consumer data it stockpiles is disclosed.” The complaint further alleges that Equifax maintains proprietary databases that contain “consumer names, addresses, full social security numbers, dates of birth, and for some consumers, driver’s license numbers and/or credit card numbers.” And it contends that Equifax uses this data to create and sell “credit reports” that include this and other personal information. All of these subsidiary allegations readily support the Commonwealth’s express allegation that “Equifax owned or licensed personal information of at least one Massachusetts resident.”

Judge Salinger further noted:

An entity that creates and owns proprietary databases containing consumers’ personal information would appear to “own” that information within the meaning of G.L. c. 93H. As noted above, the statute distinguishes entities that merely “maintain” or “store” personal information from those that have an ownership interest in the data. Companies that offer cloud storage services, for example, may and probably do maintain and store personal information that they cannot sell or otherwise control as owners. In contrast, Equifax allegedly maintains its own proprietary database and sells reports containing consumers’ personal information.

Massachusetts v. Equifax

April 2, 2018

Full decision here.
