Equifax Inc. disclosed Wednesday that it has entered into a consent order with eight states that requires it to improve its data-protection practices in the wake of the huge data breach last year at the national credit-reporting agency.
The breach compromised personal data on approximately 148 million consumers, including Social Security numbers and other personal identifying information as well as about 209,000 payment card numbers. The event, which Equifax discovered in July but didn’t disclose publicly until September, triggered a tide of class-action lawsuits and governmental investigations.
The consent order involves financial regulators from Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina, and Texas, which assembled a team led by Texas to examine Equifax’s security systems and practices beginning last November. “The conditions Equifax agreed to in the consent order require the company’s board to remediate the deficiencies and unsafe practices that contributed to the breach,” the Texas Department of Banking said in a statement.
The order covers everything from risk assessments and improved oversight of information security and technology by Equifax’s board of directors and its audit committee to vendor management and the patching of software systems. Equifax is required to submit to the states by July 31 a list of all remediation projects it has begun or planned since the breach, and to submit progress reports going forward. The states will conduct on-site reviews to assess compliance.
While the order doesn’t impose fines, it doesn’t prevent the states or other governmental agencies from taking further actions against the company.
According to a recent Equifax regulatory filing, the company still faces consolidated proceedings in federal court stemming from hundreds of individual consumer and financial-institution complaints filed after the breach, consolidated class actions in Georgia state court, class actions in Canada, and other legal complaints stemming from the breach. “We dispute the allegations in the complaints described above and intend to defend against such claims,” the filing says.
Meanwhile, the federal Securities and Exchange Commission on Thursday said a former Equifax manager has agreed to settle its civil complaint of insider trading. He allegedly netted more than $75,000 from selling put options when the company’s stock fell 14% following the data-breach disclosure. The employee has agreed to return the money, but also faces federal criminal charges, the SEC said.
The case was the second one filed by the SEC after the breach. In March, the SEC accused Equifax’s former chief information officer of insider trading.