State Regulatory Developments

Credit Reporting Agency Signs Data Security Improvement Deal with 8 States

Regulators in eight states signed a consent order with a large, national credit reporting agency requiring it to improve its data security and information technology systems in order to prevent potential harm caused by an event akin to its 2017 data breach, wherein hackers stole the personal information of over 147 million people.  The multi-state consent order became effective on June 25, 2018.

Although the credit reporting agency says it has taken steps to remedy its data security issues, regulators in the participating states—Texas, California, New York, Massachusetts, North Carolina, Georgia, Alabama and Maine—required it to take further measures to address deficiencies in its current assessment and auditing programs.

The consent order requires that the credit reporting agency:

  • Require its board of directors to approve an information risk assessment within 90 days;
  • Review, approve, and improve oversight and documentation with regard to its vendor management, patch management, and information security programs;
  • Submit a list of its ongoing remediation projects to all eight participating states; and
  • Establish and intuit an internal technology audit program.

The consent order may be found here.