Last year, Equifax revealed that hackers had exploited a U.S. website application vulnerability to gain access to certain files. The unauthorized access occurred from mid-May through July 2017, and the affected information included names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.
In order to avoid fines, Equifax made a deal with eight states’ banking regulators to perform a detailed assessment of cyberthreats, boost board oversight of cybersecurity and improve processes to fix known security vulnerabilities, according to Reuters. The consent decree was approved by regulators in Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas. Equifax said it had already completed “a good number” of the actions required through the deal.
“The findings, with a very few exceptions, are not new findings and are already part of our remediation plans,” the statement said. “We expect to meet or exceed all the commitments made under the Consent Order.”
Maria T. Vullo, head of the New York Department of Financial Services, said that state regulators had to act because federal agencies have, so far, failed to sanction Equifax for the breach.
“In an era of weakened federal government oversight, strong state regulation is essential,” she said.
Jamie Court, president of the Foundation for Taxpayer and Consumer Rights, agreed that the lack of a financial penalty set a bad precedent.
“Companies don’t change their practices unless they suffer financial consequences,” said Court. “The fact that Equifax is not required to pay any fines is sending the wrong message.”
Earlier this year, it was revealed that Equifax had spent $68.7 million in the first quarter on costs related to the breach. The company has, so far, spent $242.7 million on breach costs — and more is likely to come, with Equifax predicting in March another $275 million in related expenses.