San Francisco City Attorney sues Equifax over massive data breach affecting more than half of US adult population

  • The San Francisco City Attorney filed a lawsuit against Equifax for a massive data breach that affected 143 million people
  • Dennis Herrera said Equifax made a bad situation worse, preventing affected Californians from taking measures to protect themselves
  • The lawsuit is seeking restitution for affected consumers in California as well as civil penalties for each violation of the law
Credit reporting company Equifax corporate offices are pictured in Atlanta, Georgia.
Tami Chappell | Reuters

San Francisco City Attorney Dennis Herrera filed a lawsuit on Tuesday against Equifax, the credit reporting firm that suffered a massive data breach affecting the personal identifying information of 143 million people — more than half the country's adult population.

The city attorney's office said in a notice that the lawsuit was filed against Equifax for failing to protect the personal data of more than 15 million Californians. That data included details such as Social Security numbers, names and birth dates.

San Francisco is the first city in the U.S. to sue the company over the data breach, which eventually saw Equifax CEO and Chairman Richard Smith abruptly retire on Tuesday.

"Equifax's incompetence would be comical if the subject matter weren't so serious," Herrera said in a prepared statement. "This company fell asleep at the switch and upended the lives of millions of people."

A spokesperson for Equifax told CNBC that while the company "cannot comment on pending litigation," it wants to "reassure consumers that we are remaining focused on helping them navigate the situation and providing the best customer support possible."

Equifax is one of the three major credit reporting firms in the U.S. The company said on September 7 that it discovered a breach on July 29, affecting millions, including some outside the United States.

The breach has sparked multiple investigations at the state and federal level, including the Department of Justice in Atlanta, where Equifax is based, and the Federal Trade Commission.

"The information that Equifax failed to safeguard is what people need to open a bank account, buy a home or rent an apartment," Herrera said. "Now Californians have been put at risk of identity theft for years to come."

The lawsuit was filed in San Francisco Superior Court and it stated that Equifax violated "state law governing unlawful, unfair or fraudulent business practices," according to Herrera's office.

The statement from Herrera's office accused Equifax of failing to implement and maintain reasonable security procedures and practices, not providing timely notice of the data breach to affected users in California and giving incomplete information when the disclosure was finally made.

The lawsuit is seeking restitution for affected consumers in California who purchased credit monitoring services from Equifax before Sept. 7, 2017. It also seeks civil penalties of up to $2,500 per violation of the law and a court order requiring Equifax to implement and maintain appropriate security procedures for highly sensitive information.

"When you're dealing with highly sensitive information, keeping your software up to date is such a basic step," Herrera said, adding the company's delay in informing users about the breach "made a bad situation worse."

"Their delay prevented more than 15 million California consumers from taking immediate action to protect themselves from the risk of identity theft and fraud," he said.

— CNBC's Liz Moyer contributed to this report.