10 Months Post-Breach, Equifax Agrees To Consent Order

The company also has separated the roles of chief executive and board chairman. Peter Topping, a business professor at Emory University, said that reform is overdue in corporations these days.

“I think they’re trying to catch up with where they should have been … The board’s role, while it is certainly to support the CEO is also to challenge the CEO,” he said.

Equifax said it already planned to fulfill most of the additional requirements in the consent order.

An Equifax spokesman said the company expects “to meet or exceed all the commitments made under the Consent Order.” The requirements include information security response policies, new “Cyber Threat” and “Fusion Center” groups, additional oversight of IT disaster-recovery operations and annual progress reports on it all for the foreseeable future.

Mike Litt is a national campaign director at the consumer advocate, U.S. Public Interest Research Group. He called the order “a good first step.” But, he is disappointed that it did not include any fines. Equifax has not been penalized in any way since the breach, he said. 

Given Equifax’s business model of selling consumer financial information, Litt said federal regulation is particularly needed.

“You need real incentives for Equifax to take our security seriously, and that would be by a legislative change … The fact of the matter is, we are not Equifax’s customer. We are really their product. And so, it’s especially important that you do have oversight on these companies,” he said.

Last fall, Congress held hours of hearings on the Equifax breach. Yet, a reform bill is stuck in committee.

“At this rate it probably doesn’t have a very good shot,” Litt said.

Equifax declined to make anyone available for an interview for this story.