Equifax must implement tougher cybersecurity measures following a massive data breach last year, according to an agreement with state regulators.
The consent order will require the credit-reporting agency to bolster its data security defenses, establish an internal audit program and issue a report to state regulators by the end of July.
“The breach never should have happened,” Jan Owen, commissioner of the California Department of Business Oversight, said in a statement. “This order will help ensure it doesn’t happen again.”
California was among eight states, including Texas and New York, that issued the consent order.
Equifax said it expects to “meet or exceed all the commitments” in the consent order.
“A good number of the action items agreed to in the Consent Order have been completed and in fact, the findings, with a very few exceptions, are not new findings and are already part of our remediation plans,” a spokesperson for the company said.
The hack, which Equifax disclosed in September, exposed names, addresses and Social Security numbers for nearly 148 million Americans. Federal investigators have launched probes into the incident, and a bill recently signed by President Donald Trump includes a provision that requires credit-reporting firms to offer free credit freezes.
Richard Smith, who was CEO during the breach, was forced out last October. Mark Begor, a former General Electric executive, took over as CEO in April.