Courts & Corrections

State mulls suing Equifax over lag in data breach notification

Vermont’s attorney general is considering going to court to protect the more than 240,000 Vermonters affected by a data breach at the credit rating agency Equifax.

The Vermonters affected are among the 143 million Americans whose information was exposed at Equifax, one of three major credit reporting agencies.

Those Vermonters may have had their names, Social Security numbers, addresses and other personal information exposed to hackers. A subset of them may have had their driver’s license numbers and credit card numbers compromised.

The breach happened July 29. Equifax went public about the event Thursday.

“I think it’s a huge concern that they failed to report, not only to the public, but to our office,” said Chris Curtis, the chief of the attorney general’s Public Protection Division. “There is a Data Breach Notification Act (in Vermont) that requires notice within 14 days of the breach.”

TJ Donovan
Attorney General TJ Donovan. File photo by Anne Galloway/VTDigger

“We are currently getting as much information as we can about this, and Vermonters can and should expect that we will enforce our consumer protection laws and our data breach laws,” Curtis said. “We’ll review all of our legal options.”

Violations of Vermont’s Data Breach Notification Act are treated as violations of Vermont’s Consumer Protection Act, according to Curtis. Each violation carries a penalty of up to $10,000, he said.

In the meantime, Attorney General TJ Donovan has sought official information from Equifax to ensure that Vermonters can check whether they are affected on without giving up their right to sue the company.

Donovan said in a news release that Vermonters will not be limited to binding arbitration for checking whether they are affected on the website; signing up for free credit monitoring through the website; or seeking a credit freeze as a result of being affected by the data breach.

Recommendations from the AG’s office

Vermonters who have general questions can go to to read material the attorney general’s office has prepared about the Equifax data breach, Curtis said.

They can also call the state’s Consumer Assistance Program at 800-649-2424, Curtis said. However, he said the hotline received hundreds of calls this weekend alone, and many people had to wait on hold, so they should check to see if the prepared material answers their questions.

Curtis encouraged all Vermonters, whether they are affected by the breach or not, to go to to get a free copy annually of their credit reports. If they notice any suspicious activity, such as a new account they did not open, they can take further action, he said.

To report suspicious activity, Vermonters can notify the police, credit rating agencies or the Federal Trade Commission, Curtis said. The two other major credit agencies are TransUnion and Experian.

Vermonters can also pay $10 to each credit rating agency to impose a credit freeze, which means no one can take out a new loan or credit card in the person’s name unless the person unfreezes the account.

Curtis warned that a credit freeze might not be the right option for someone planning to buy a home or car in the near future. A less drastic option would be to set up a fraud alert, he said, which can also be done through a credit agency’s website.

Most of all, he said Vermonters should be aware that there are phishing scams out there encouraging people to click on links purporting to be about the Equifax breach, but that actually seek to hack people’s personal information.

“Vermonters should not respond to unsolicited email correspondence from entities purporting to be Equifax,” Curtis said. “Those may be scammers attempting to prey on Vermonters who are rightfully concerned about the data breach.”

“Instead, Vermonters who believe they may be contacted by the company for some legitimate reason should call the company directly,” he said.

Correction, Sept. 13, 9:55 a.m.: The free credit report website was incorrect in the original version of this story. The correct website is

If you read us, please support us.

Comment Policy requires that all commenters identify themselves by their authentic first and last names. Initials, pseudonyms or screen names are not permissible.

No personal harrassment, abuse, or hate speech is permitted. Comments should be 1000 characters or fewer.

We moderate every comment. Please go to our FAQ for the full policy.

Erin Mansfield

Recent Stories

Thanks for reporting an error with the story, "State mulls suing Equifax over lag in data breach notification"