Mass. AG Healey and Division of Banks Continue to Lead in Equifax Data Breach Enforcement Action

The Association remains engaged with developments concerning the massive data breach disclosed on September 7, 2017 at Equifax, one of the country’s three major credit reporting agencies. The incident revealed that attackers had exploited a vulnerability in a U.S. web application months earlier to gain access to the personal information of millions of U.S. consumers. Data accessed through this cybercrime event included individual customer names, Social Security numbers, birth dates, addresses, and related personally identifiable information. Equifax has confirmed that attackers entered its computer systems in May 2017 through a vulnerability in Apache Struts (CVE-2017-5638), a widely used open-source web-application framework, for which a patch had been available since March 2017. Since the breach was first reported, the number of affected individuals has increased from an initial estimate of up to 143 million people to the current 147.9 million.

Following the breach, Massachusetts Attorney General Maura Healey launched an investigation and filed a lawsuit against Equifax over its failure to protect consumers’ personal information. This was the first official enforcement action brought against Equifax in the country. In further response, an examination team composed of state financial regulators from Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina, and Texas commenced a multi-state examination of the company to evaluate its information security and cybersecurity controls.

Based on the examination findings, the Massachusetts Division of Banks and the state financial regulators from the other seven states recently announced that they have entered into a Consent Order with Equifax Inc. requiring the company to take specific actions to protect confidential consumer information in the wake of last year’s extensive security breach.

The Attorney General, the other state authority that must be notified of data breaches under Massachusetts law, also agreed to the Consent Order. The Order applies to those Equifax businesses that serve U.S. business and consumer customers or that hold U.S. consumer personally identifiable information.

In general, the Order addresses several key areas, each with its own completion date following the Order’s effective date:

A Board-approved, enhanced written risk assessment.

Improved Board or Audit Committee oversight of the audit function, including the establishment of a formal and documented Internal Audit Program that is capable of effectively evaluating information technology controls and that complies with the Internal Audit Charter.

Improved Board or Technology Committee oversight of the Information Security Program, including its policies, meeting minutes, and security incident handling procedures.

Improved Board or Technology Committee oversight and documentation of critical vendors, and adoption of sufficient controls to safeguard information, consistent with guidance in the FFIEC’s “Outsourcing Technology Services” IT Examination Handbook and in the Payment Card Industry Data Security Standard (PCI DSS).

Improved Board or Technology Committee standards and controls supporting the patch management function, consistent with guidance in the FFIEC’s “Information Security” IT Examination Handbook.

Enhanced oversight by the Board or a committee of the Board of information technology operations relating to the disaster recovery and business continuity function.

A Board or Technology Committee accounting of the remediation projects planned, in process, or implemented in response to the 2017 breach, along with the prioritization of those projects, including a strategy for network segmentation, enhanced controls for protecting personally identifiable information, and appropriate handling of the recommendations made by the third-party forensic firm that investigated the breach.

Written progress reports to the multi-state regulatory agencies on a specified schedule. Under the Consent Order, the first report is due at the end of July.

The breach also sparked bipartisan outrage in Congress, partly because it took place after federal officials had warned of the software flaw months earlier. Principles created by the Association’s Data Breach Working Group have guided its discussions with each member state’s Congressional delegation during federal advocacy meetings, and include requirements to hold merchants accountable to independent security standards as well as cost reimbursement and notification provisions beneficial to credit unions. To further ensure that the rights of all member credit unions are represented in holding Equifax accountable, the Association has joined a nationwide lawsuit, and efforts are underway to obtain class action status. The litigation claims are based on negligence and on violations of the Massachusetts Consumer Protection Act and other states’ laws.

At the local level, efforts continue to address the ramifications of Equifax’s actions. A Massachusetts conference committee is currently working in the Legislature on a data security bill. The bills pending before the conference committee, House 4241 and Senate 2492, remove fees associated with credit security freezes, among other measures. Final legislation must be approved by both branches.

Please forward any questions to