Regulators Make Sure That Companies Keep Playing with User Data – Equifax Goes Scot-Free
Equifax has managed to avoid fines even after having exposed personal data of over 147.9 million Americans. In a consent order released by several state regulatory bodies, the company has simply been handed a to-do list without any financial penalties. The consent decree has been approved by regulators in Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina, and Texas.
The credit reporting agency that plays with the data of hundreds of millions of people worldwide (without many of them ever knowing about it) gained worldwide attention last year for having exposed sensitive user data, including Social Security Numbers (SSNs) and driver's license information among other personally identifiable data.
"Equifax must perform a detailed assessment of cyber threats, boost board oversight of cyber security and improve processes for patching known security vulnerabilities, according to the terms of the agreement," Reuters reported. "Equifax, which collects information on over 800 million individuals and more than 88 million businesses worldwide, said in a statement it had already completed 'a good number' of the required actions."
Some demands but no fines or penalties for Equifax
Equifax has been asked to set up a cybersecurity “fusion” center designed to encourage better response to security breaches in the future. The consent order also requires it to identify its technology assets, their locations, and a plan to patch them. The company had failed to fix a vulnerability for which a patch had been released and about which it had been notified. This security hole ultimately led to the data of hundreds of millions of people, in and out of the US, being exposed to criminals.
However, none of this is new since the company already started doing many of the above things after this security breach was reported. According to an Equifax spokesperson, the company has already started to build a fusion center in Atlanta, near its HQ.
But this consent order isn't even a slap on the wrist since Equifax gets no financial penalty whatsoever. "Companies don't change their practices unless they suffer financial consequences," Jamie Court of the Foundation for Taxpayer and Consumer Rights said.
"The fact that Equifax is not required to pay any fines is sending the wrong message."