Privacy & Information Security Law Blog

As reported in BNA Privacy Law Watch, on June 27, 2018, Equifax entered into a consent order (the “Order”) with 8 state banking regulators (the “Multi-State Regulatory Agencies”), including those in New York and California, arising from the company’s 2017 data breach that exposed the personal information of 143 million consumers.

Equifax’s key obligations under the terms of the Order include: (1) developing a written risk assessment; (2) establishing a formal and documented Internal Audit Program that is capable of effectively evaluating IT controls; (3) developing a consolidated written Information Security Program and Information Security Policy; (4) improving oversight of its critical vendors and ensuring that sufficient controls are developed to safeguard information; (5) improving standards and controls for supporting the patch management function, including reducing the number of unpatched systems; and (6) enhancing oversight of IT operations as it relates to disaster recovery and business continuity.  The Order also requires Equifax to strengthen its Board of Directors’ oversight over the company’s information security program, including regular Board reviews of relevant policies and procedures.

Equifax must also submit to the Multi-State Regulatory Agencies a list of all remediation projects planned, in process or implemented in response to the 2017 data breach, as well as written reports outlining its progress toward complying with the provisions of the Order.