The credit reporting giant Equifax has agreed to shore up its data security efforts after a massive breach of personal information sparked scrutiny from state regulators.

Regulators from Texas, California, New York and five other states have signed a consent order with the Atlanta-based company, state officials said Wednesday. The eight-page agreement does not include any financial penalties, but it does require Equifax to take various steps to prevent future data breaches.

“After the breach was announced, my state counterparts and I believed strongly that a targeted regulatory response was required,” Charles Cooper, the banking commissioner in Texas, which led the multistate examination, said in a press release. “This demonstrates the flexibility and responsiveness of the state financial regulatory system as we work together to protect all of our citizens.”

An Equifax spokesperson said in an email that a good number of the steps the company agreed to take under the consent order have already been completed, and indicated that most of the states’ findings are already part of the company’s remediation plans.

“We expect to meet or exceed all the commitments made under the consent order,” the spokesperson said.

A monitor displays Equifax signage on the floor of the New York Stock Exchange.
Bloomberg News

The multi-state consent order, which took effect on Monday, requires Equifax’s board of directors to approve an information risk assessment within 90 days. Other steps that Equifax agreed to take include establishing an internal audit program that is capable of effectively evaluating the firm’s information technology controls.

By the end of July, Equifax is required to submit to the participating states a list of all the remediation projects that it is implementing in response to the 2017 data breach. Equifax must also conduct testing related to its remediation efforts and report the results of those tests to the states by Dec. 31.

The five other states that signed the agreement are Massachusetts, North Carolina, Georgia, Alabama and Maine.

The data breach, which the company revealed publicly in September, affected roughly 148 million U.S. consumers.

Hackers accessed personal information such as names, Social Security numbers, birth dates, addresses, and in some cases, credit card numbers and driver’s license numbers.

Equifax drew criticism not only for its failure to prevent the breach, but also for waiting more than five weeks after the breach was detected to publicize what happened.

Since last fall, Equifax has made numerous changes in its executive suite, and also announced plans to make substantial investments to upgrade security.

In late September, Richard Smith stepped down as Equifax’s chief executive officer. He was succeeded on an interim basis by Paulino do Rego Barros Jr. Then in March, Equifax announced the hiring of Mark Begor, formerly a managing director at the private equity firm Warburg Pincus, as CEO.

Equifax has also hired Jamil Farshchi, who led The Home Depot’s response to a 2014 data breach, as its chief information security officer.

The company has said that it plans to invest roughly $275 million this year in response to the breach, approximately $75 million of which is expected to be offset by insurance payouts.

That spending will primarily be used to upgrade Equifax’s information technology and data security efforts, according to the company.

Equifax is cooperating with federal, state and city agencies, as well as foreign governments, regarding last year’s data breach, according to an April securities filing.

Specific agencies that have been involved include the Federal Trade Commission, the Consumer Financial Protection Bureau, the Securities and Exchange Commission and the Justice Department, the filing stated. The company has also been dealing with hundreds of class-action lawsuits in connection with the incident.

Kevin Wack

Kevin Wack

Kevin Wack is a California-based reporter for American Banker who covers the U.S. consumer finance industry.