On June 27, 2018, Equifax Inc., the credit reporting agency, agreed to implement stronger data security measures under a consent order with the New York State Department of Financial Services (“NYDFS”) and seven other state banking regulators.[1] The order imposes detailed duties on Equifax’s Board of Directors in response to criticisms raised by the regulators during an examination of Equifax’s cybersecurity and internal audit functions.  The examination followed the company’s massive 2017 data breach, which exposed sensitive personal information of nearly 148 million customers.  Equifax agreed to the order without admitting or denying any charges of “unsafe or unsound information security practices.”

The order does not impose any fines or monetary penalties.  Instead, it requires Equifax and its Board of Directors to take certain corrective actions over the next several months to address the “regulatory concerns” of the banking regulators regarding Equifax’s data security programs and to improve Equifax’s oversight of its information security.  Among other things, the order requires:

  • Equifax’s Board to review and approve the company’s written risk assessment of threats relating to personally identifiable information and the safeguards and controls to address those vulnerabilities.
  • The Board or Audit Committee must also oversee the establishment of a formal internal audit program to evaluate information technology controls.
  • The Board or Technology Committee must improve the oversight of Equifax’s information security program, including by (i) approving a written information security program and policy (as well as certain other policies), (ii) reviewing an annual report from management on the adequacy of the company’s information security program, (iii) enhancing the detail in the Board or Technology Committee minutes by documenting relevant internal management reports and (iv) approving certain IT security policies.
  • Given that the data breach resulted from a failure to timely patch a software vulnerability, the company must implement a patch management program that is consistent with FFIEC published guidelines.
  • The company must closely monitor its outside vendors and enhance oversight of its information technology operations that relate to disaster recovery and business continuity.
  • The Board or Technology Committee must provide the state regulators with a complete list of its remediation projects related to the 2017 data breach, as well as quarterly progress reports documenting the status of its compliance with the provisions in the order.

The state regulators’ investigation is one of many arising out of Equifax’s 2017 data breach and is the first to reach resolution.  Separately, the DOJ and the SEC have brought civil and criminal charges against a former Equifax executive and an engineering manager for insider trading in advance of the company’s September 2017 announcement of its data breach.  Equifax remains under investigation by the Federal Trade Commission and other regulators.  It also faces hundreds of civil lawsuits in state, federal, and Canadian courts brought by consumers, other financial institutions, and municipalities.

The order also comes on the heels of a new NYDFS regulation that requires credit reporting agencies to register annually with NYDFS and certify compliance with state cybersecurity rules.  It also adds to a growing list of settlements resulting from data breaches and cyberattacks.  In addition to Equifax, several well-known companies (including Verizon, Yahoo, and Whole Foods) suffered significant data breaches that were disclosed in 2017, while other companies (such as Target, Home Depot, and Anthem) reached substantial data breach-related settlements with government authorities and private litigants.  These settlements resulted in millions of dollars in fines and, like the Equifax order, imposed remedial schemes targeted at correcting shortcomings in companies’ data security programs.

The nature of the remedial schemes imposed in regulator settlements has varied to date, as regulators have traditionally been wary of imposing specific data security steps that may quickly become obsolete in the face of fast-moving changes in cybersecurity and data privacy risks.  The directives in the Equifax order, however, are markedly specific in mandating concrete actions by the company and in particular, its Board (and specific committees of the Board), and adherence to particular data security standards, such as the FFIEC’s Outsourcing Technology Services IT Examination Handbook and the Payment Card Industry Data Security Standards.  This stands in contrast to orders involving the FTC that typically require implementation of a “reasonably designed” data security program, one of which was recently vacated by the Eleventh Circuit Court of Appeals.  Unlike the FTC’s order against LabMD, which the Eleventh Circuit found failed to provide any “meaningful standard” for judicial enforcement, this order provides Equifax with a detailed to-do list of concrete steps to strengthen its data risk assessment and oversight programs.

That the order directs the Equifax Board to complete many of these remedial steps is also a somewhat radical departure from prior orders by regulators.  In particular, this order requires the Board to engage in the type of detailed policy review and approval activities, and progress reporting typically handled by company management.  As cybersecurity has become a key business risk, many companies have sought to add a director with cybersecurity expertise to their boards in order to provide oversight of cybersecurity risks.  This order raises the bar for the level of expertise that board members generally must have (or have access to) in order to not only oversee the company’s management of cybersecurity risks, but also be able to meaningfully discharge specific duties relating to cybersecurity that have historically been the focus of management.

Only time will tell whether more detailed remedial schemes will effectively address shortcomings in cybersecurity or, in light of the LabMD decision, whether other regulators will follow suit by giving companies more particularized data security requirements to remedy data security violations.  An open question likewise remains as to whether future orders will mandate a similar level of Board involvement in the management of data security programs.  Companies should, however, monitor these settlements to identify potentially useful security enhancements and as guidance to determine what regulators may deem to constitute a reasonable data security program, and, more specifically, how involved Boards of Directors should be in a company’s information security programs.

[1] The other participating state banking regulators include the Alabama State Banking Department, the California Department of Business Oversight, the Georgia Department of Banking and Finance, the Maine Bureau of Consumer Credit Protection, the Massachusetts Division of Banks, the North Carolina Office of Commissioner of Banks, and the Texas Department of Banking.