Credit reporting firm Equifax Inc. will be required to incorporate stronger data security measures after a breach last year that affected about 147.9 million Americans, according to a consent order reached with the firm and signed by regulators from eight states, including Maine.

In Maine alone, the personal information of more than 524,000 residents was breached.

The agreement specifically mandates that Atlanta-based Equifax increase oversight of the company’s information security program and important vendors to “ensure sufficient controls are developed to safeguard information,” according to a statement Wednesday from the California Department of Business Oversight.

Equifax also must identify “foreseeable threats and vulnerabilities” in keeping personally identifiable information private, evaluate the likelihood of threats to information security and determine safeguards – all within 90 days of the consent order.

The company also must improve supervision of its audit function within 30 days of the order and improve “standards and controls” for its software patch management function that provides enhanced security or system upgrades.

As part of the consent order, Equifax is required to provide written progress reports to the eight state regulatory agencies, with the first report due at the end of July. An independent party will test these enhanced security measures and report back to state regulators by the end of the year on whether they are working effectively.

An Equifax spokesperson said in a statement that the company expects to meet or exceed all of the commitments made under the consent order because “a good number” of the items already have been completed.

“The findings, with a very few exceptions, are not new findings and are already part of our remediation plans,” the spokesperson said.

Since the breach was first reported in September, the number of affected individuals has increased from an initial estimate of up to 143 million people to the current 147.9 million, about 15.5 million of whom were Californians, according to the state Department of Business Oversight.

The breach sparked bipartisan outrage in Congress, partly because it took place after federal officials warned the company months earlier about a software flaw. Richard Smith, the CEO, resigned after the breach was disclosed and faced questioning on Capitol Hill shortly after.

“Equifax’s failure to properly secure confidential personal data caused widespread harm to California consumers,” Department of Business Oversight Commissioner Jan Lynn Owen said in a statement. “This order will help ensure it doesn’t happen again.”

The other states involved were: California, Texas, New York, North Carolina, Massachusetts, Georgia and Alabama.
