10 Months Post-Breach, Equifax Agrees To Consent Order

Equifax agreed this week to fulfill a list of reforms in a consent agreement, which comes 10 nearly 10 months after a massive data breach at the Atlanta-based company.

Mike Stewart / Associated Press

Nearly 10 months ago, Atlanta-based Equifax admitted to a massive data breach. The credit bureau has said the personal information of about 150 million people had been compromised. This week, the company agreed to a list of reforms in a consent agreement with eight states’ attorneys general. It begs the question: what has changed since last year?

Equifax officials say a lot has.

It has new chief information security and transformation officers and even a new chief executive. Management skipped bonuses last year, and all told, Equifax has spent more than $100 million on addressing the breach.

The company also has separated the roles of chief executive and board chairman. Peter Topping, a business professor at Emory University, said that reform is overdue in corporations these days.

“I think they’re trying to catch up with where they should have been … The board’s role, while it is certainly to support the CEO is also to challenge the CEO,” he said.

Equifax said it already planned to fulfill most of the additional requirements in the consent order.

An Equifax spokesman said the company expects “to meet or exceed all the commitments made under the Consent Order.” The requirements include information security response policies, new “Cyber Threat” and “Fusion Center” groups, additional oversight of IT disaster-recovery operations and annual progress reports on it all for the foreseeable future.

Mike Litt is a national campaign director at the consumer advocate, U.S. Public Interest Research Group. He called the order “a good first step.” But, he is disappointed that it did not include any fines. Equifax has not been penalized in any way since the breach, he said. 

Given Equifax’s business model of selling consumer financial information, Litt said federal regulation is particularly needed.

“You need real incentives for Equifax to take our security seriously, and that would be by a legislative change … The fact of the matter is, we are not Equifax’s customer. We are really their product. And so, it’s especially important that you do have oversight on these companies,” he said.

Last fall, Congress held hours of hearings on the Equifax breach. Yet, a reform bill is stuck in committee.

“At this rate it probably doesn’t have a very good shot,” Litt said.

Equifax declined to make anyone available for an interview for this story.