Consumer credit reporting agency Equifax agreed to a Consent Order with the New York State Department of Financial Services ("NYDFS") and seven other state banking regulators that will require the company to take corrective actions in response to the 2017 cybersecurity breach. The breach, which affected over 140 million consumers, was attributed to the company's failure to patch a known software vulnerability.

In accordance with the Consent Order, Equifax will be required to take various corrective actions, including:

  • producing a written assessment of cyber threats, risks and existing preventative controls to be reviewed and approved by the Board of Directors;
  • creating an effective internal audit program;
  • establishing an Information Security Program and an Information Security Policy to evaluate existing information security controls;
  • updating security incident-related procedures and clarifying incident response roles and responsibilities;
  • improving oversight of third-party vendors;
  • implementing an improved system for patch management; and
  • putting in place an improved system for overseeing information technology operations in connection with disaster recovery and business continuity.

Equifax will also be required to submit to the regulators a list of all remediation projects related to the 2017 breach, and to provide quarterly reports on its progress in implementing the reforms.

Commentary / Joseph V. Moreno

While the Equifax multistate Consent Order does not subject the company to a fine, it does impose a number of onerous new cybersecurity requirements and a strict three-month timeline for compliance. Cybersecurity and data protection are clearly high priorities for the NYDFS and other state regulators, and this settlement comes on the heels of an announcement earlier this week that credit reporting agencies will be required to register with the NYDFS and adhere to its cybersecurity regulations, which previously applied only to banks and other financial institutions. Companies should continue to anticipate strong regulatory scrutiny in the event of a data breach, as well as new state-level cybersecurity standards on the horizon, such as the California Consumer Privacy Act of 2018, which was enacted this week and imposes a variety of new protections applicable to consumers' personal data.
