Equifax Reaches Agreement With States To Improve Cybersecurity Standards

Cadwalader, Wickersham & Taft LLP

Contributor

Cadwalader, established in 1792, serves a diverse client base, including many of the world's leading financial institutions, funds and corporations. With offices in the United States and Europe, Cadwalader offers legal representation in antitrust, banking, corporate finance, corporate governance, executive compensation, financial restructuring, intellectual property, litigation, mergers and acquisitions, private equity, private wealth, real estate, regulation, securitization, structured finance, tax and white collar defense.

Consumer credit reporting agency Equifax agreed to a Consent Order with the New York State Department of Financial Services ("NYDFS") and seven other state banking regulators that will require the company to take corrective actions in response to the 2017 cybersecurity breach. The breach, which affected over 140 million consumers, was attributed to the company's failure to patch a known software vulnerability.

In accordance with the Consent Order, Equifax will be required to take various corrective actions, including:

  • producing a written assessment of cyber threats, risks and existing preventative controls to be reviewed and approved by the Board of Directors;
  • creating an effective internal audit program;
  • establishing an Information Security Program and an Information Security Policy to evaluate existing information security controls;
  • updating security incident-related procedures and clarifying incident response roles and responsibilities;
  • improving oversight of third-party vendors;
  • implementing an improved system for patch management; and
  • putting in place an improved system for overseeing information technology operations in connection with disaster recovery and business continuity.

Equifax will also be required to submit to the regulators a list of all remediation projects related to the 2017 breach, and to provide quarterly reports on its progress in implementing the reforms.

Commentary / Joseph V. Moreno

While the Equifax multistate Consent Order does not subject the company to a fine, it does impose a number of onerous new cybersecurity requirements and a strict three-month timeline for compliance. Cybersecurity and data protection is clearly a high priority for the NYDFS and other state regulators, and this settlement comes on the heels of an announcement earlier this week that credit reporting agencies will be required to register with the NYDFS and adhere to its cybersecurity regulations that previously applied only to banks and other financial institutions. Companies should continue to anticipate strong regulatory scrutiny in the event of a data breach, as well as new state-level cybersecurity standards on the horizon such as the California Consumer Privacy Act of 2018 that was enacted this week and imposes a variety of new protections applicable to consumers' personal data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
