Equifax agrees to tighten data security in agreement with eight states

The credit-rating firm said it will upgrade its IT operations and conduct regular internal audits in response to its massive 2017 data breach.

The credit-rating company Equifax has agreed to conduct more audits and risk assessments and share the results with regulators in eight states as a consequence of a data breach last year that exposed the personal information of as many as 148 million people.

Under a consent order signed Wednesday, Equifax will overhaul its data security protocols and information technology practices. The company is also required to report back to banking regulators in the states that signed the order, including California, Texas, New York, Georgia, North Carolina, Massachusetts, Alabama and Maine.

The company has 30 days to establish a new internal audit program to evaluate internal IT controls, with frequent scans of high- and medium-risk systems. Equifax’s board of directors has 90 days to approve a new comprehensive information security plan, as well as a new framework for managing vendor contracts.

“Consumers need to be able to trust financial service providers with their personal information and know that these companies are making reasonable efforts to protect that information,” Ray Grace, the North Carolina commissioner of banks, said in a press release.


The Equifax breach, which was disclosed by the company last September, exposed names, dates of birth, Social Security numbers and other identifying information on 148 million people. The incident prompted several states’ regulators and attorneys general to move quickly to tighten rules on the companies that report Americans’ credit ratings.

Oregon, which is not part of the consent agreement, passed legislation in March that requires companies doing business in the state to disclose data breaches within 45 days and outlaws charging people for credit-monitoring services. Delaware Attorney General Matt Dunn launched a website last month that reports data breaches to the public, following a revision of that state’s laws to require all breaches affecting at least 500 residents to be publicized.

Once the Equifax board has approved the new procedures, the company has until Dec. 31 to carry them out, according to the consent order. The document also requires Equifax to submit regular written updates on implementation of the new data security plans.

Separately on Wednesday, the Securities and Exchange Commission filed insider trading charges against a former Equifax employee, alleging he acted upon knowledge of the data breach before it was revealed to the public. CyberScoop has more.

Latest Podcasts