An Indianapolis judge is deciding whether information in a complaint alleging Equifax could have, but failed to, prevent one of the largest cybersecurity breaches in United States history must be unsealed and made accessible to the public.
The state of Indiana is urging Marion Superior Civil Division 1 Judge Heather Welch to unseal dozens of currently redacted paragraphs in its complaint against Equifax, filed in May after a 2017 data breach that compromised the personal information of nearly 148 million Americans, including nearly 4 million Hoosiers.
According to court filings in State of Indiana v. Equifax Information Services LLC, et al., 49-D01-1905-PL-018398, Equifax provided documents to the state during an investigation by the Office of the Attorney General under the agreement that many of the documents would remain confidential. In keeping with the confidentiality agreement, the state filed two complaints: a redacted complaint available to the public, and an unredacted complaint that’s been kept under seal.
But the OAG in July moved to unseal the complaint, and Equifax countered with a request to keep some portions of the lawsuit confidential. Welch held a public hearing on the opposing motions Wednesday.
Pointing to the “immense public interest” in the litigation — which is seeking civil penalties, consumer restitution, costs and injunctive relief — Vanessa Voigt Gould, a deputy attorney general, told Welch that much of what Equifax wants to keep under seal can no longer be considered confidential. Multiple allegations detail cybersecurity shortcomings that led to the 2017 breach, but because those shortcomings have since been remedied, there’s no need to keep that information out of the public eye, Voigt Gould said.
But Jade Lambert, a Chicago attorney representing Equifax, told the court the allegations about those historical security shortcomings could still shed light on Equifax’s general cybersecurity systems — information that could be weaponized in the hands of hackers, she said. What’s more, Lambert noted the complaint alleges Equifax’s current systems still “expose consumers to risk without warning.”
Equifax’s overarching concern, Lambert said, is the unsealing of information related to the credit reporting company’s cybersecurity systems, protocols and practices. In court filings, the company points to concerns about allegations that “contain information regarding the number of externally facing servers that utilize specific programs at Equifax, system identificatins, particular user protocols, and internal processes, among other sensitive information.”
The public interest in the case can still be served without revealing allegations containing such “sensitive information,” Lambert told Welch. But Voigt Gould said the public interest weighs in favor of unsealing the complaint, noting some of the suit’s allegations are less specific than information that was revealed by a Congressional Oversight report about the 2017 breach.
Lambert also raised concerns about unsealing confidential business information, or information that could harm third-party business interests. But according to the state, Equifax has not presented any evidence to support its assertions that unsealing portions of the complaint would cause harm or prejudice.
The legal arguments turn on Indiana’s Access to Public Records Act and Indiana Administrative Rule 9(G)(4). The parties have agreed on unsealing certain portions of the complaint and leaving other portions redacted, but several disagreements persist.
Welch said she will rule on the motion to unseal within 30 days.