Equifax must incorporate stronger data security measures after massive breach, consent order says
Credit reporting firm Equifax Inc. will be required to incorporate stronger data security measures after a massive breach last year that affected about 147.9 million Americans, according to a consent order reached with the firm and signed by regulators from eight states, including California.

The agreement specifically mandates that Atlanta-based Equifax increase oversight of the company’s information security program and important vendors to “ensure sufficient controls are developed to safeguard information,” according to a statement Wednesday from the California Department of Business Oversight.

Equifax also must identify “foreseeable threats and vulnerabilities” in keeping personally identifiable information private, evaluate the likelihood of threats to information security and determine safeguards — all within 90 days of the consent order.
The company also must improve supervision of its audit function within 30 days of the order and improve “standards and controls” for its software patch management function that provides enhanced security or system upgrades.

As part of the consent order, Equifax is required to provide written progress reports to the eight state regulatory agencies, with the first report due at the end of July. An independent party will test these enhanced security measures and report back to state regulators by the end of the year on whether they are working effectively.

An Equifax spokesperson said in a statement that the company expects to meet or exceed all of the commitments made under the consent order because “a good number” of the items already have been completed.

“The findings, with a very few exceptions, are not new findings and are already part of our remediation plans,” the spokesperson said.

Since the breach was first reported in September, the number of affected individuals has increased from an initial estimate of up to 143 million people to the current 147.9 million, about 15.5 million of whom were Californians, according to the state Department of Business Oversight.

The breach sparked bipartisan outrage in Congress, partly because it took place after federal officials had warned the company months earlier about a software flaw. Then-company Chief Executive Richard Smith stepped down after the breach was disclosed and then faced grillings on Capitol Hill shortly after.
“Equifax’s failure to properly secure confidential personal data caused widespread harm to California consumers,” Department of Business Oversight Commissioner Jan Lynn Owen said in a statement. “This order will help ensure it doesn’t happen again.”

Twitter: @smasunaga
1:25 p.m.: This article was updated to include a statement from Equifax.

This article was originally published at 1 p.m.