Following last year’s massive data breach, credit reporting company Equifax Inc. has agreed to take a set of corrective actions negotiated by the state Department of Financial Services.
The actions are part of a consent order announced Wednesday between Equifax and banking regulators from New York and seven other states. The agreement comes in the wake of a breach that compromised the data of 143 million people in the United States including eight million New Yorkers.
The company has agreed to enact stronger oversight and risk protection to improve digital security and protect consumers, DFS Superintendent Maria Vullo said.
“DFS continues to take aggressive action in holding Equifax Inc. accountable for the massive data breach that exposed the sensitive and private information of millions of Americans,” Vullo said in a statement. “The consent order announced today between Equifax and the commissioners of eight state banking departments demonstrates the necessity of continued state oversight of financial services companies, through measures such as examinations and actions such as DFS’s recently finalized credit reporting agency registration regulation.”
Equifax has agreed to take six major actions to avoid another breach like last year.
The company’s board members will have to review and approve a written risk assessment plan for future digital threats. The plan will have to address the vulnerabilities of personally identifiable information, the likelihood that another threat will happen, how to prevent that threat, the potential damage it could cause the company, and what the company will do if that happens.
Equifax will also have to improve oversight of its information security program. That will include a written information security policy that will be followed by an annual report on how the program is performing. The company’s board will also have to produce detailed minutes concerning management of its information security.
The board is also tasked with reviewing digital security policies and keeping them up to date and applicable to current threats. Those policies will have to include the roles and relationships of people involved in any response to threats, including the company’s information technology operations.
An audit committee of the Equifax board will also be tasked with evaluating information technology controls at the company.
Similar rules apply to vendors with the company. Equifax will have to improve oversight and documentation of any vendors to safeguard consumer information.
State banking regulators in Alabama, California, Georgia, Maine, Massachusetts, North Carolina and Texas joined New York on the consent order with Equifax Wednesday.
The consent order follows an announcement Monday from the DFS that credit reporting agencies will now be required to register with the state agency and follow its strict cybersecurity regulations. Until now, those rules only applied to banks, insurance companies and other financial institutions.
That rule includes many of the same requirements that were included in Wednesday’s consent order, include a mandate that credit reporting agencies develop their own comprehensive cybersecurity protocol to protect against future threats.
Equifax has three months from Wednesday’s announcement to implement all of the actions laid out in the consent order from the DFS and other regulators. An Equifax spokeswoman commented on the consent order in a statement Wednesday.
“We appreciate the time and effort the state banking regulators took to conduct their targeted review in the early part of 2018,” the spokeswoman said. “A good number of the action items agreed to in the consent order have been completed and in fact, the findings, with a very few exceptions, are not new findings and are already part of our remediation plans. We expect to meet or exceed all the commitments made under the consent order.”