The company is required to identify “foreseeable threats and vulnerabilities” to the part of its business that involves keeping information that identifies individuals. The company has 90 days to do that, according to a statement from the California Department of Business Oversight.
The company is also required to improve its auditing within 30 days and to improve “standards and controls” for managing the software used to increase or update security.
Officials said that the company’s actions will be reviewed by an independent expert.
A company spokeswoman said Thursday that Equifax had already done much of what the regulators wanted.
“In fact, the findings, with a very few exceptions, are not new findings and are already part of our remediation plans,” she said. “We expect to meet or exceed all the commitments made under the Consent Order.”
The breach that spurred the investigation was announced by the company in September, at least several months after it occurred. At first, Equifax said about 143 million people were affected, an estimate later raised to 147.9 million people.
Several top executives left the company after the breach was announced, including Richard Smith, the chief executive. The company has named a new CEO and a new technology chief.
In Congressional hearings that followed, Smith faced fierce questioning, but there have thus far been no Congressional sanctions.
One executive was charged in March with insider trading by federal prosecutors. His case is pending.
A second executive was arraigned Thursday on similar charges: Sudhakar Reddy Bonthu, a former software development manager for Equifax, was also charged in connection with the breach, according to a statement by U.S. Attorney Byung Pak.