Pursuant to a consent order with eight state financial regulators, Equifax agreed to take corrective actions following its record-breaking 2017 data breach, but avoided paying any fines or penalties.
Several states initiated action against the credit reporting agency, which reached a deal requiring improvements to functions such as information security, vendor management and information technology operations, some of which require board-level attention.
In September 2017, Equifax disclosed that roughly 145 million Americans had their personal information—including names, Social Security numbers, birth dates, addresses and driver’s license numbers—compromised when hackers gained unauthorized access to the company’s data between May and July 2017.
The reaction was fast and furious, from lawsuits to legislation to federal investigations. Several states took action against Equifax, but the credit reporting company reached a forward-looking deal with the Alabama State Banking Department, California Department of Business Oversight, Georgia Department of Banking and Finance, Maine Bureau of Consumer Credit Protection, Massachusetts Division of Banks, New York Department of Financial Services (DFS), North Carolina Office of Commissioner of Banks, and Texas Department of Banking.
Equifax must improve its information security, reviewing and approving a written risk assessment that identifies foreseeable threats to and vulnerabilities in the confidentiality of personally identifiable information, the likelihood of threats, the potential damages to the company’s business operations, and the safeguards and mitigating controls that address each threat and vulnerability. Board and management oversight of the information security program must be stepped up, with review and approval of the program’s policies.
Oversight of the audit function is also part of the deal, with the establishment of a formal and documented internal audit program capable of effectively evaluating information technology controls with an audit of critical and high-risk areas at least annually.
Equifax promised to focus on vendor management as well, bringing its practices into compliance with the Federal Financial Institutions Examination Council’s standards and applying increased oversight of cloud-based services. As for patch management, the credit reporting company agreed to improve standards and controls to reduce the number of unpatched systems and instances of extended patching time frames.
Finally, information technology operations related to disaster recovery and business continuity will be improved, with formalized emergency change standards expanded to provide for quick changes that are implemented in a well-controlled manner, according to the consent order.
Written progress reports are due to the eight regulators on a quarterly basis, with the first due on July 31, 2018. The order attaches timelines to each of the required changes, but Equifax expects to meet or exceed those commitments, as many of the changes have already taken place.
Why it matters
The Equifax settlement was announced just a few days after the DFS released a final regulation requiring consumer credit reporting agencies with significant operations in New York—e.g., Equifax—to register with the regulator and comply with its new cybersecurity standard, further evidence of that regulator’s aggressive posture in extending the reach of its cybersecurity regulations to an expanding range of financial institutions. The regulation—which mandates an annual report and gives the DFS the authority to deny, suspend and potentially revoke a credit reporting agency’s authorization to do business with New York financial institutions—imposes yet another requirement on Equifax, which is still defending a 50-state class action arising from the same breach. Together, the consent order and the regulation demonstrate the continuing, increased supervision by state regulators of both enterprise cybersecurity standards generally and credit reporting activities specifically.