AG slams credit reporting agency over security breach


Attorney General Hector Balderas sent a scolding letter to a lawyer for the credit reporting agency Equifax concerning the company's handling of a massive security breach and its possible effect on 846,188 New Mexicans whose personal information might have been hacked.

That number is more than 40 percent of New Mexico's total population of slightly more than 2 million.

In a letter to Atlanta lawyer Phyllis B. Sumner, Balderas wrote that Equifax's recent announcement of the cybersecurity breach, which reportedly affects 143 million people nationwide, is "gravely concerning."

Balderas wrote, "Given the critical information that Equifax collects, including names, social security numbers, birth dates, and account information, this incident creates an unacceptable risk of fraud and identity theft. The people of New Mexico, who have placed their trust and their futures in the financial system, deserve a better explanation of what happened and why."

Equifax, which is headquartered in Atlanta, is one of three major consumer credit reporting agencies in the U.S., along with Experian and TransUnion. These companies collect detailed credit information on consumers through banks, credit card companies and other creditors. The companies assign credit ratings to consumers, assessing the debtor's ability to repay debt.

"The Office of the Attorney General has received a large number of calls from consumers who are concerned about the security of their personal information," Balderas spokesman James Hallinan told The New Mexican.

"I am especially concerned about the length of Equifax's delay prior to notifying affected individuals as well as Equifax's attempts to limit the legal rights of affected individuals who accept the company's offer of identity theft and credit monitoring services," the attorney general said in the letter to Sumner. "Individuals who were victims of the breach should not be re-victimized by Equifax's response."

Equifax's offer of credit monitoring required those who signed up to agree to forced arbitration, opting out of any legal action in the event of a dispute with the agency over the security breach. But because of public backlash against that policy, Equifax announced that the arbitration clause and class action waiver wouldn't apply to victims of the hacking, Forbes magazine reported.

Balderas asked Sumner several specific questions about the breach, including:

• How many New Mexico residents had their personal information exposed?

• How did Equifax learn of the breach, and what was the earliest date at which Equifax knew or should have known that the personal information of any New Mexico resident had been exposed?

• What security measures did Equifax have in place prior to the attack?

• By what specific method did the attacker gain access to Equifax systems?

• What information has Equifax discovered about the identity of the attacker?

• What remedial measures has Equifax put in place to prevent this type of attack from recurring?

• What form of notice is Equifax providing to New Mexico residents who had their personal information exposed?

Hallinan said that after Balderas sent the letter, Equifax gave him the number of New Mexicans whose information may have been compromised. However, nobody has answered the other questions in the letter, he said.

Efforts to reach Sumner were unsuccessful.

Balderas wasn't the first state attorney general to complain about the arbitration policy. New York Attorney General Eric Schneiderman took to Twitter on Friday, saying, "This language is unacceptable and unenforceable. My staff has already contacted @Equifax to demand that they remove it."

About three hours later Schneiderman tweeted, "After conversations w my office, @Equifax has clarified its policy re: arbitration. We are continuing to closely review."

Schneiderman is one of several attorneys general around the country who have announced they are investigating the Equifax hacking.

Contact Steve Terrell at (505) 986-3037. This story was first published in The Santa Fe New Mexican, a sister publication of The Taos News.