Equifax Business Credit Report

Would you like to know more or become a registered client?

Government financial regulators charge Equifax for data breaches

Equifax undertook to take remedial measures following the record-breaking 2017 non-compliance, but avoids the payment of a fine or penalty, according to a compliance order with eight state fiscal authorities. A number of states have taken measures against the credit bureau, which has an agreement that requires enhancements to features such as information assurance, supplier stewardship and information technologies, some of which need to be dealt with at executive director levels.

Equifax announced in September 2017 that approximately 145 million Americans had compromiseed their identity information - which included name, social security number, date of birth, address and driver's licence number - when unauthorised individuals obtained unauthorised information from the organization between May and July 2017. A number of states have taken measures against Equifax, but the credit research firm has entered into a forward-looking agreement with the Alabama State Banking Department, California Department of Business Oversight, Georgia Department of Banking and Finance, Maine Bureau of Consumer Credit Protection, Massachusetts Division of Banks, New York Department of Financial Services (DFS), North Carolina Office of Commissioner of Banks and Texas Department of Banking.

The Equifax information assurance solution must enhance its information assurance by verifying and authorizing a documented information assurance process that includes a review and approval of a set of policies that identify predictable risks and weaknesses in the privacy of personal information, the probability of attacks, the damage that could be done to the company's business, and the guarantees and mitigating checks that apply to each of those risks and weaknesses.

Supervision of the information assurance programme by the Board of Directors and senior managers needs to be strengthened and the programme's guidelines reviewed and approved. Supervision of the auditing functions is also part of the agreement, with the creation of a formal compliant auditing programme able to assess information technologies control efficiently and to carry out audits of sensitive and high-risk areas at least once a year.

Ecuifax also pledged to concentrate on supplier governance, align its practice with the Federal Financial Institutions Examination Council's standard, and apply enhanced supervision over cloud-based service delivery. Concerning patches managment, the credit report firm has declared itself willing to upgrade credit report standard and control to decrease the number of non-patched schemes and cases of prolonged patches.

Lastly, IT surgeries related to catastrophic recoveries and business continuities will be enhanced, while formalised contingency management will be extended to allow rapid changes to be carried out in a way that is well managed according to the approval order. Fourthly incremental updates are to be submitted in writing to the eight regulatory authorities, the first of which is due on 31 July 2018.

While the changes contain timing requirements, Equifax anticipates that the obligations entered into in the purchase order will be met or exceeded as many of the changes have already occurred. Equifax's comparison was made public only a few working days after DFS published a definitive decree obliging credit bureaus with significant activities in New York, such as Equifax, to sign up with the regulatory authority and adhere to its new cyber-security standards, further demonstrating the regulatory authority's aggressiveness in extending the scope of its cyber-security rules to a growing number of banks.

Another demand on Equifax, which continues to defend a 50-state collective redress for the same violation and to demonstrate continued, enhanced oversight of both cyber-security corporate and credit bureaus, in particular by government supervisors, is the Ordinance, which requires an entity to report annually and authorises DFS to refuse, defer and possibly withdraw a credit agency's approval to conduct business with New Yorkers.