Consent Order  Equifax, Inc. Consent Order

Information Security

1. Within 90 days from the effective date of this Order, the Board shall review and approve the written risk assessment that identifies:
   1. foreseeable threats and vulnerabilities to the confidentiality of personally identifiable information (PII)*;
   2. the likelihood of threats;
   3. the potential damage to the Company’s business operations; and
   4. the safeguards and mitigating controls that address each threat and vulnerability.

* “PII” shall mean as defined in 23 NYCRR 500.01(g)(2).

Audit

2. Within 30 days from the effective date of this Order, the Board or Audit Committee shall improve the oversight of the Audit function. Accordingly, the Audit Committee must oversee the establishment of a formal and documented Internal Audit Program that is capable of effectively evaluating IT controls and that complies with the Internal Audit Charter, which requires compliance with International Standards for the Professional Practice of Internal Auditing. The program must document and include:
   1. A defined audit universe, covering all auditable areas, and formal risk analysis process that is used to set the scope and frequency of the IT audits;
   2. An audit schedule that is prepared on a multi-year basis to ensure that critical, high- and medium-risk areas are audited with an appropriate frequency;
   3. Audit of critical and high-risk areas at least annually;
   4. Presentation of an issue tracking report and an issue aging report, containing all open issues, to the Audit Committee on at least a quarterly basis;
   5. Audit Committee monitoring of all findings identified by Internal Audit, regulators, and third party consultants that the Company retained to advise on breach remediation efforts until the issues are resolved;
   6. Validation by Internal Audit that critical, high-risk and medium-risk issues have been resolved on a timely basis; and
   7. Guidelines for ensuring that Internal Audit is not involved in the daily operations of the Enterprise Risk Management process.

Board and Management Oversight

3. Within 90 days from the effective date of this ORDER, the Company shall improve the oversight of the Information Security Program. Accordingly, the Board or, if appropriately authorized, the Technology Committee of the Board (TC) shall:
   1. Approve a consolidated written Information Security Program and Information Security Policy and annually thereafter;
   2. Review an annual report from management on the adequacy of the Company’s Information Security Program;
   3. Enhance the level of detail within the TC and Board minutes, or respective meeting package, by documenting relevant internal management reports (i.e. approval of a formal, written information security risk assessment). Reports to be reviewed should be documented in policy or charter document as appropriate;
   4. Review and approve the following IT and information security policies and ensure they are up-to-date and applicable:
      1. the Data Classification and Handling Standard;
      2. the End-User Security Policy;
      3. the Enterprise Identity and Access Management process; and
      4. by December 31, 2018, all other IT and information security policies
   5. Ensure that the Security Incident Handling Procedure Guide includes up-to-date incident related procedures and clarifies the roles and relationships of the groups involved with incident response, especially:
      1. Cyber Threat Center;
      2. Fusion Center for physical and environmental events;
      3. Network Operations Center for network and server operational events;
      4. Security Operations Center for security monitoring and security incident detection; and
      5. Security Incident Response Team.

Vendor Management

4. Within 90 days from the effective date of this ORDER, the Company must improve oversight and documentation of critical vendors and ensure that sufficient controls are developed to safeguard information, consistent with guidance provided in both the FFIEC’s “Outsourcing Technology Services” IT Examination Handbook, as further described below, and in the Payment Card Industry Data Security Standards (PCI DSS). Accordingly, the Board or TC must:
   1. Monitor management’s documentation of its efforts to comply with PCI DSS;
   2. Review and approve all policies and procedures related to Outsourcing Technology Services/Vendor Management** and ensure they incorporate provisions regarding oversight and controls of critical third-party service providers. In addition, interrelated policies should be cross-referenced;
   3. Oversee management’s development of a definition of “cloud service” for policies related to cloud-based services;
   4. Oversee management’s development of policies that provide guidance for when the use of cloud-based services is permissible and the types of cloud services that are acceptable.
      1. The definition and guidance should address security standards, service level agreements, and integration/linking with company systems and networks; and
      2. If acceptable cloud services involve PCI data and/or PII, management must ensure appropriate levels of security and encryption are defined within the policy(s) for data at rest and in transit.

** This means, specifically, the Third Party Compliance Policy and the External Party Information Security Policy.

Patch Management

5. The Company must improve standards and controls for supporting the patch management function, consistent with guidance provided in the FFIEC’s “Information Security” IT Examination Handbook, within 90 days from the effective date of this ORDER, unless stated otherwise. An effective patch management program must be implemented to reduce the number of unpatched systems and instances of extended patching time frames. Accordingly, the Board or TC is expected to oversee the Company’s efforts to:
   1. Identify and document a comprehensive IT asset inventory that includes hardware (including infrastructure devices), software (including applications and operating systems), and location of the assets;
   2. Formalize a process that can routinely identify what patches need to be updated and installed;
   3. Develop an action plan for decommissioning legacy systems, which includes compensating controls until the systems are removed and providing status update reports to the Board or the TC;
   4. Formalize the Patch Management Policy to reflect the personnel and procedural changes supporting the Company’s current patch management initiatives. The Board must oversee management’s efforts to apply patch management procedures consistently throughout the Company;
   5. By December 31, 2018, ensure the process described in 5(b) is implemented;
   6. By December 31, 2018, populate with current metrics and data the dynamic patch dashboard that is being implemented;
   7. By December 31, 2018, prioritize and address any outstanding critical, high- and medium-risk patch management audit findings;
   8. By December 31, 2018 provide programmers job-specific training covering secure coding; and
   9. By December 31, 2018, conclude the process of removing system access of development staff (programmers) to the production environment, or implement compensating controls.

Information Technology Operations

6. The Company must enhance oversight of IT operations as it relates to disaster recovery and business continuity function within 90 days from the effective date of this ORDER, unless stated otherwise. Accordingly, the Board, or if appropriately authorized, an appropriate committee of the Board, shall oversee the Company’s efforts to:
   1. Ensure that key processes of the business continuity plan are independently reviewed by Internal Audit at least annually; and
   2. Formalize emergency change standards and ensure they are expanded to provide for quick changes that are implemented in a well-controlled manner.

Validation

7. By July 31, 2018, the Board or TC shall submit to the Multi-State Regulatory Agencies for review a list of all remediation projects planned, in process or implemented in response to the 2017 breach, along with the Company’s prioritization of those projects. These projects will be designed to include developing a strategy for network segmentation, enhancing controls for protecting PII, and appropriately addressing the recommendations noted in the report of the third-party forensic firm that investigated the breach. Further, the Board or TC shall require management to have an independent party (which may be the Company’s Internal Audit function) to test controls relating to all such remediation projects and report to the Multi-State Agencies whether such controls are functioning effectively by December 31, 2018.

Progress Reports

8. The Board shall provide written reports to the Multi-State Regulatory Agencies outlining its progress toward complying with each provision of this ORDER and make such reports a part of the Board minutes. The Board shall provide these reports within 30 days after each calendar quarter end, with the first report due by July 31, 2018. Correspondence to the Multi-State Regulatory Agencies should be sent to Commissioner Charles G. Cooper, Texas Department of Banking, 2601 N. Lamar Blvd., Austin, Texas, 78705.

Additional Provisions

9. This Order is effective on the date of issuance, and will remain effective and enforceable except to the extent that, and until such time as, any provision or the ORDER itself has been modified, terminated, suspended, or set aside in writing by the Multi-State Regulatory Agencies. The provisions of this ORDER shall be binding upon the Company and any successors and assigns thereof.
10. The provisions of this Order do not bar, estop, or otherwise prevent any of the Multi-State Regulatory Agencies or any other federal or state agency or department from taking any other action against the Company that is authorized by law.
11. Except with regard to the enforcement of this Order, the Company’s consent to the provisions of this Order does not bar, estop, waive, or otherwise prevent the Company from raising any defenses to any action taken by any federal or state agency or department, or any private action against the Company. In addition, this Order is intended to apply to those Equifax businesses that serve U.S. business and consumer customers or that hold U.S. consumer PII.
12. To facilitate execution, this Order may be executed by the parties in as many counterparts as may be convenient or required. It shall not be necessary that the signature of each party, or that the signature of all persons required to bind any party, appear on each counterpart. All counterparts shall collectively constitute a single instrument.

This Order is issued to be effective on June 25, 2018.

Mike Hill
Superintendent of Banks
Alabama State Banking Department

Jan Lynn Owen
Commissioner
California Department of Business Oversight

Kevin Hagler
Commissioner
Georgia Department of Banking & Finance

Will Lund
Superintendent
Maine Bureau of Consumer Credit Protection

Terence McGinnis
Commissioner
Massachusetts Division of Banks

Maria Vullo
Superintendent
New York State Department of Financial Services

Ray Grace 
Commissioner
North Carolina Office of Commissioner of Banks

Charles G. Cooper
Commissioner
Texas Department of Banking

Equifax, Inc.
In their capacity as directors of the Company, the undersigned hereby accept and agree to the provisions of this ORDER on behalf of the Company:

Mark. W. Begor
Mark. L. Feidler
G. Thomas Hough      
Robert D. Marcus
Siri S. Marshall
Scott A. McGregor
John A. McKinley   
Robert W. Selander
Elane B. Stock
Mark. B. Templeton