Equifax has to July 31 to report back
to states on data breach fixes

July 12, 2018 -- Equifax, the giant credit reporting firm, has until July 31 to detail steps to regulators in eight states that the firm has taken to respond to a giant data breach last year – and 90 days to strengthen its data defenses -- in the first major regulatory punishment for the breach affecting 147 million U.S. consumers.

If the firm falls short on any promises it made that are outlined in a consent order reached June 27, it would face punitive action from the regulators in Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas.

The consent order found Equifax operated and managed its information technology systems in an inadequate manner before the breach. However, the order -- which the firm agreed to but did not admit or deny wrongdoing for the breach -- requires the credit reporting agency to make improvements in a number of areas, including information security, audit functions, board and management oversight, vendor management, patch management and information technology operations. 

The order gives the credit-reporting firm 90 days to strengthen its information-security defenses, including in vendor-risk management, patches and disaster response. Equifax has a month to create an annual internal audit program monitored by members of its board, and the company will have to issue reports to the regulators by July 31, detailing the steps it has taken to respond to the breach.