Equifax strikes deal with states to increase security measures

Equifax on Thursday agreed to a deal with eight states’ regulators on improving its data security. (Dreamstime)

Ten months after announcing a massive data breach, Equifax has agreed to a consent order with regulators from eight states, including Georgia, that requires the company to report on how it is improving security.

Officials from the Atlanta-based company, which faced a firestorm of criticism for the breach, agreed to bump up security measures and to report back periodically – starting next month.

The agreement calls for Equifax "to take specific action to protect confidential consumer information," according to a statement released by the Georgia Department of Banking and Finance. Department Commissioner Kevin Hagler signed the agreement, representing Georgia.

The company’s board of directors must “remediate the deficiencies and unsafe practices that contributed to the breach,” according to the department statement.

Equifax will not only need to report back, but will face “on-site regulatory reviews,” the state said.

The company is required to identify “foreseeable threats and vulnerabilities” to the part of its business that involves keeping information that identifies individuals. The company has 90 days to do that, according to a statement from the California Department of Business Oversight.

The company is also required to improve its auditing within 30 days and to improve “standards and controls” for managing the software used to increase or update security.

Officials said that the company’s actions will be reviewed by an independent expert.

A company spokeswoman said Thursday that Equifax had already done much of what the regulators wanted.

“In fact, the findings, with a very few exceptions, are not new findings and are already part of our remediation plans,” she said. “We expect to meet or exceed all the commitments made under the Consent Order.”

The breach that spurred the investigation was announced by the company in September, at least several months after it occurred. At first, Equifax said about 143 million people were affected, an estimate later raised to 147.9 million people.

Several top executives left the company after the breach was announced, including Richard Smith, the chief executive. The company has named a new CEO and a new technology chief.

In Congressional hearings that followed, Smith faced fierce questioning, but there have thus far been no Congressional sanctions.

One executive was charged in March with insider trading by federal prosecutors. His case is pending.

A second executive was arraigned Thursday on similar charges: Sudhakar Reddy Bonthu, a former software development manager for Equifax, was also charged in connection with the breach, according to a statement by U.S. Attorney Byung Pak.