AG Shapiro Says Pennsylvania Equifax Fines Could Reach As High As $5B

Sep 27, 2017

The time lag between when Equifax discovered the massive data breach and when it notified the public might be longer than the six weeks company officials have acknowledged.

“[That’s] why we hit them with another subpoena demanding information that will help us figure out the timetable,” said Pennsylvania Attorney General Josh Shapiro.

The credit monitoring company revealed Sept. 7 that the breach exposed Social Security numbers and other personal data of some 143 million Americans.

Shapiro said that number includes 5.4 million Pennsylvanians, “about 75 percent of the adult population.”

He called the breach “outrageous” and said he and 46 other state attorneys general are partnering  to investigate Equifax.

“We will get to the bottom of this," he said. "We will change corporate behavior."

The CEO and Chairman of Equifax Richard Smith resigned Tuesday.

According to the attorney general, under Pennsylvania law, companies must inform the public of such incidents in a “reasonable" timeframe. 

Shapiro said he believes it’s questionable if the six-week lag period to which the company admitted is “reasonable."

“If it’s any longer than that, then it is likely unreasonable that they did not share that information with the public," he said. 

He said if the public notification law has been violated, it carries with it a $1,000 per person fine and a $3,000 fine per senior citizen. With 5.4 million Pennsylvanians having their personal data compromised, those fines possibly could exceed $5 billion.

Shapiro said he expects to receive more subpoenaed information from Equifax over the next several days. 

“We will hold Equifax accountable," he said.