Deal struck to increase security
ATLANTA — Ten months after announcing a massive data breach, Equifax has agreed to a consent order with regulators from eight states, including Georgia, that requires the company to report on how it is improving security.
Officials from the Atlanta-based company, which faced a firestorm of criticism for the breach, agreed to bump up security measures and report back periodically starting next month.
The agreement calls for Equifax “to take specific action to protect confidential consumer information,” according to a statement released by the Georgia Department of Banking and Finance. Department Commissioner Kevin Hagler signed the agreement, on behalf of Georgia.
The company’s board of directors must “remediate the deficiencies and unsafe practices that contributed to the breach,” according to the department statement.
Equifax will not only need to report back but also will face “on-site regulatory reviews,” the state said.
The company is required to identify “foreseeable threats and vulnerabilities” to the part of its business that involves keeping information that identifies individuals. The company has 90 days to do that, according to a statement from the California Department of Business Oversight.
The company also is required to improve its auditing within 30 days and to improve “standards and controls” for managing the software used to increase or update security.
Officials said the company’s actions will be reviewed by an independent expert.
A company spokeswoman said Thursday that Equifax already had done much of what the regulators wanted.
“In fact, the findings, with very few exceptions, are not new findings and are already part of our remediation plans,” she said. “We expect to meet or exceed all the commitments made under the Consent Order.
The breach that spurred the investigation was announced by the company in September, at least several months after it occurred. At first, Equifax said about 143 million people were affected, an estimate later raised to 147.9 million people.
Several top executives left the company after the breach was announced, including Richard Smith, the chief executive. The company has named a new CEO and a new technology chief.
In congressional hearings that followed, Smith faced fierce questioning, but there have thus far been no congressional sanctions.
One executive was charged in March with insider trading by federal prosecutors. His case is pending.
A second executive was arraigned Thursday: Sudhakar Reddy Bonthu, a former software development manager for Equifax, also was charged in connection with the breach, according to a statement by U.S. Attorney Byung Pak.