Equifax gets new to-do list, but no fines or penalties

  • The order imposes no fines, but focuses on several areas of governance for the company's board.
  • Equifax is currently being sued by 50 states and the District of Columbia for the September incident, which exposed the personal information of more than 145 million people.
  • The company's CIO was accused in March of insider trading for selling stock in advance of the announcement of the breach.
An Equifax Inc. slide is displayed on a monitor in October 2017.
Andrew Harrer | Bloomberg | Getty Images
An Equifax Inc. slide is displayed on a monitor in October 2017.

A group of state regulatory agencies has laid out detailed new requirements for how Equifax must conduct business, but stopped short of imposing fines or penalties.

A consent order released on Wednesday by several state regulatory bodies is a response to the massive data breach that Equifax revealed in September 2017, and focuses on board governance and risk mitigation.

Among the requirements, the order demands Equifax comprehensively identify all its technology assets and their locations, and provide a formal process for patching. A missed patch within a business unit at Equifax was responsible for the September breach, which revealed the personal information of more than 145 million people in the U.S., and millions more abroad.

The order also asks the company to set up a cybersecurity “fusion” center, meant to consolidate security staff and allow for a better, more coordinated response to breaches in the future. The company has already begun building the facility near its headquarters in Atlanta, according to the spokeswoman.

A company spokeswoman said most of the findings “are not new” and the remediation steps are already underway. “We expect to meet or exceed all the commitments made under the consent order,” she said.

Equifax is under intense scrutiny from prosecutors, with a relatively rare 50-state and Washington D.C. class-action lawsuit filed in November of last year. The company said in its first-quarter earnings statement in April that the incident, which led to the ouster of security and technology executives as well as CEO Richard Smith, has cost the company $242 million thus far.

The company’s former chief information officer was indicted on criminal charges in March in Atlanta, and is accused insider trading by the SEC. The Commission said in a March statement that former CIO Jun Ying allegedly divested nearly $1 million in stock just prior to the breach, avoiding $117,000 in losses when the incident was announced.