Equifax Agrees to New Data Security Measures in Consent Order with Eight State Regulatory Agencies
On September 7, 2017, the consumer reporting agency Equifax announced one of the most highly publicized cybersecurity incidents in history, which may have exposed the personally identifiable information (PII) of more than 143 million Americans. According to Equifax, malicious actors gained unauthorized access to certain files containing consumers’ PII, including Social Security numbers and payment card information, between May and July of 2017. In addition to a slew of class action lawsuits, Equifax faces investigations by the Federal Trade Commission and several state regulators.
Equifax recently reached a resolution with a number of the state regulators examining the company in connection with the 2017 data security incident. Equifax’s board of directors entered into a voluntary Consent Order with eight state banking and consumer protection agencies, effective June 25, 2018. The Order obligates Equifax to implement and adhere to a number of data security enhancements. Although Equifax neither admitted nor denied any charges of unsafe or unsound security practices, the terms set forth in the Consent Order – entered into with the Alabama State Banking Department, the California Department of Business Oversight, the Georgia Department of Banking and Finance, the Maine Bureau of Consumer Credit Protection, the Massachusetts Division of Banks, the New York State Department of Financial Services, the North Carolina Office of Commissioner of Banks, and the Texas Department of Banking – signal that state banking regulators may impose stiff sanctions, and possibly penalties, on financial services firms that fail to comply with information security statutes, regulations, and standards.
The Consent Order includes obligations in six primary areas: information security, audit, board and management oversight, vendor management, patch management, and information technology operations. In addition, the Consent Order establishes Equifax’s ongoing reporting duties as well as the requisite validation of those reports by Equifax’s board. Within 90 days of the June 25 effective date, the board must review and approve a written information security risk assessment that identifies and describes all reasonably foreseeable threats to the protection of PII, the likelihood of each threat materializing, the damage it could cause to Equifax’s business, and the safeguards that may be put in place to mitigate each identified risk.
Additionally, the Consent Order effectively requires two levels of oversight of the company’s data security and IT operations: first, by an internal audit function and, second, by the board or a committee thereof. By July 25, 2018, the board must oversee the creation of a formal internal audit program designed to evaluate IT and data security controls. The audit program must establish a “defined audit universe” and a “formal risk analysis process that is used to set the scope and frequency” of audits based on the risk associated with each area within the audit purview. In addition, the internal audit function must present to the board or its audit committee a quarterly report tracking all open issues. Finally, guidelines must be defined to ensure that the internal audit function remains independent of the daily risk management operations it is tasked with monitoring and evaluating.
Board oversight is a central theme of the Consent Order, underscoring that an organization’s information and data security posture is not just an IT issue but one that increasingly demands board-level oversight. Within 90 days of the date of the Order, the board or a technology committee comprised of its members must approve an overarching written information security program as well as several related policies and incident response guidelines. The board is also required to ensure that Equifax’s vendors safeguard PII, consistent with the Federal Financial Institutions Examination Council’s guidance and the Payment Card Industry Data Security Standard (PCI DSS). The board must also oversee Equifax’s patch management program, including maintaining an inventory of all hardware and software belonging to Equifax and establishing a formal process to regularly apply patches to those assets.
Going forward, Equifax’s board must keep the state agencies informed of its progress on a quarterly basis. A comprehensive report listing “all remediation projects planned, in process, or implemented in response to the 2017 breach” is due at the end of July. By the end of 2018, the board must report on the performance of all such projects. Although Equifax discovered the breach almost one year ago, a long road remains ahead in navigating its consequences. The Equifax Consent Order underscores how regulatory oversight has become increasingly common in the wake of high-profile data incidents. With increased action by state regulators, companies should endeavor to ensure that they have reasonable data and information security measures in place to guard against unauthorized access to their networks and data.