Reuters
WASHINGTON — Equifax Inc. must improve how it manages cybersecurity risk, regulators from eight states said Wednesday, responding to a 2017 data breach that exposed the personal data of nearly 148 million consumers.
The consent order, issued by regulators in Texas, California, New York and five other states, is the first major regulatory punishment for Equifax , which agreed to the order but neither admitted nor denied wrongdoing.
“The breach never should have happened,” Jan Owen, the commissioner of the California Department of Business Oversight, said in a statement. “This order will help ensure it doesn’t happen again.”
Under the terms of the order, the credit-reporting firm will have 90 days to strengthen its information-security defenses, including in vendor-risk management, patches and disaster response.
Also popular on WSJ.com: