Equifax Signs Cybersecurity and Data Privacy Consent Order with Eight States

Posted by Marion Bachrach

Aristotle postulated that, in physics, nature abhors a vacuum. This principle applies to regulatory oversight as well. In the absence of federal legislation mandating appropriate controls to deal with cybersecurity and data privacy, state regulators have stepped into the void and are taking action. On June 25, 2018, eight state agencies signed a Consent Order with Equifax, which requires Equifax to take immediate corrective actions regarding cybersecurity and data privacy following the alarming breach that took place in 2017. The eight agencies include the:

New York State Department of Financial Services;
Texas Department of Banking;
California Department of Business Oversight;
Georgia Department of Banking;
Alabama State Banking Department;
Massachusetts Division of Banks;
Maine Bureau of Consumer Credit Protection; and
North Carolina Office of Commissioner of Banks.

The Consent Order requires that within three months, Equifax must approve written risk assessments that identify and assess foreseeable threats to the confidentiality of personally identifiable information (PII) of customers, potential damage to business operations, and controls for each threat.

The Order also requires immediate improvement, within 30 days, of oversight by the Audit Committee to ensure that sectors in critical risk areas are audited frequently. It mandates specific tasks and requires presentation of issue-tracking and issue-aging reports, and bars the Internal Audit sector from involvement in the daily operations of risk management.

It further requires that the Board and Management improve, within three months, the Information Security Program by taking specific steps, including: approving a written Information Security Program and Policy, enhancing the level of detail in Board and Committee minutes, and reviewing and approving information security policies to ensure they are up-to-date and function effectively.

Board and Management must now identify with clarity the roles and relationships of those involved with incident response relating to cyber threats, network operations, security monitoring, incident detection, and incident response teams. They must implement better patch management, with stricter controls for immediate updating and installation.

The Order enhances oversight of disaster recovery and business continuity plans; it requires that business continuity plans be reviewed independently by Internal Audit on a regular basis.

Significantly, the Order requires strict oversight of third-party vendors. It demands that within three months, the Company improve oversight and documentation of critical vendors to ensure that sufficient controls are developed to safeguard information. Also included is the requirement that management develop guidance for when use of cloud-based services is permissible and the types of cloud services that are acceptable.

The Order requires the Board to submit for review a list of all remediation projects planned, in process, or implemented in response to the 2017 breach, together with a third-party forensic report of the investigation of that breach. It further requires Management to arrange independent testing of controls relating to remediation efforts and to report by year-end whether those controls function effectively.

The eight states have served notice to entities in the financial sector – whether banks, credit card companies, credit reporting agencies, or insurers – that they will not tolerate lax controls that could compromise cybersecurity or data privacy. Companies doing business in any one of these eight states should take heed.