California DBO Reaches Settlement With Equifax Requiring Firm to Implement Stronger Anti-Breach Measures

Jun 27, 2018

Seven Other States Sign Consent Order with Credit Reporting Agency

SACRAMENTO – The Department of Business Oversight (DBO) today announced an agreement (PDF) with Equifax, Inc. that requires the credit reporting agency to correct numerous information security deficiencies that led to the 2017 data breach which affected 147 million U.S. consumers, including 15.5 million Californians.

“Equifax’s failure to properly secure confidential personal data caused widespread harm to California consumers,” said DBO Commissioner Jan Lynn Owen.  “The breach never should have happened.  This order will help ensure it doesn’t happen again.”

Regulators from seven other states signed a consent order with Equifax.  The other states include: Texas, New York, North Carolina, Massachusetts, Georgia, Alabama and Maine.

In a joint regulatory examination led by Texas, the eight states found deficiencies in several facets of how Equifax operated and managed its information technology systems before the breach.  While Equifax has moved to correct some of the problems, the consent order addresses deficiencies that have persisted.

The consent order requires Equifax to implement corrective actions to shore up weaknesses across a wide spectrum of its information technology and data security operations.  Areas covered by the order include: information security, audit functions, board and management oversight, vendor management, patch management and information technology operations.

Specifically, the company must strengthen oversight of its information security program and critical vendors to ensure sufficient controls are developed to safeguard information.  In addition, the company must improve standards and controls for supporting the patch management function.

The board also must bolster oversight of the audit function and approve a written risk assessment identifying foreseeable threats to the confidentiality of personally identifiable information.

The order imposes deadlines by which Equifax must take corrective actions, and requires the firm to provide the regulators progress reports.

The DBO licenses and regulates more than 360,000 individuals and entities that provide financial services in California.  DBO’s regulatory jurisdiction extends over state-chartered banks and credit unions, money transmitters, securities broker-dealers, investment advisers, non-bank installment lenders and payday lenders, mortgage lenders and servicers, escrow companies, franchisors and more.