Atlanta-based credit reporting company Equifax has agreed to a Consent Order joined on by eight state regulators that requires the company to report on security improvements made as a response to the massive 2017 data breach. In the Order, the Georgia Department of Banking and Finance along with seven other state regulatory agencies have called for Equifax “to take specific action to protect confidential consumer information.” The Order is scheduled to go into effect this month and will require Equifax to submit regular progress reports on their implemented program and be audited at least once a year. The Order will remain in effect until the eight state regulatory agencies decide to discharge Equifax from all or part of the requirements of the Order.
See our guide here for more information about the Equifax breach and how you can protect yourself.
The 2017 Equifax Security Breach
In September 2017, Equifax announced a security breach which enabled hackers to access sensitive information on millions of consumers in the credit reporting agency’s database. The breach gave hackers access to personal information such as names, addresses, social security numbers, and in some cases, credit card numbers. According to Equifax, the hackers gained access to their systems and the information through a software flaw that the company was aware of, but unintentionally left unfixed. The breach affected an estimated 147 million consumers nationwide including 5 million Georgians, and the company is still working to identify every consumer whose information has been stolen.
In response to the breach, Equifax replaced many of its top executives, including former CEO Richard Smith. No congressional action has been taken against the CEO apart from extensive questioning, but several other former executives have pending federal court cases regarding charges stemming from the 2017 breach. The company has spent over $240 million thus far in connection with the breach, including legal fees and expenses for new security tools and monitoring services offered to customers free of charge. The company also maintains a website where consumers can check if they have been affected by the breach, but the website does not directly inform consumers if their information has been stolen.
Details of the Consent Order
The Consent Order, signed by both Equifax and regulatory agencies from 8 states including Georgia, requires that Equifax make significant changes to their security systems and regularly report these changes to the agencies signed onto the letter. Equifax will have to develop written data protection policies, monitor its technology vendors more closely, and improve its software patch management controls. Additionally, the credit reporting agency will be required to improve its auditing and “standards and controls” for managing software used to increase or update security within 30 days of the Order and identify “foreseeable threats and vulnerabilities” within 90 days. The board of directors of Equifax must submit a list of all completed, implemented, and planned projects made in response to the 2017 breach by July 31, 2018. This list will be supplemented with intermediate progress reports made within 30 days after the end of each calendar quarter. The Consent Order gives the regulatory agency signers the authority to take punitive action against Equifax if it fails to comply with any measures named in the Order. In several public statements following the Order, Equifax has claimed that many projects it has already implemented will “meet or exceed all the commitments” stipulated in the Consent Order.
See our guide here for more information about the Equifax breach and how you can protect yourself.