The DFS put out guidance to financial institutions on Sept. 18 about steps they should take to protect consumer information after the breach, but the issuing of the subpoena hasn’t been previously reported.
A spokesman for DFS declined to comment. An Equifax spokesman was not immediately available.
Reporting by John McCrank and Karen Freifeld; Editing by Nick Zieminski
The state also suggested on Sept. 18 credit reporting agencies be subject to its cybersecurity rule that went into effect on March 1 and requires banks and other financial institutions regulated by DFS to establish a program to protect consumer information and alert the regulator to material breaches.
Equifax has lost around $4.5 billion in market value since it revealed that the hack on Sept. 7, and that the Atlanta-based company said it detected on July 29 and occurred between mid-May and July.
Three Equifax executives, including the chief financial officer, are also under fire for selling $1.8 million in stock three days after the company said it detected the breach. Equifax said the executives were unaware of the breach at the moment.
New York’s Department of Financial Services (DFS) sent the subpoena to Equifax on Sept. 14, said the individual, who declined to be named because the matter hasn’t been made public.
The subpoena seeks information, as well as documents about the hack that compromised the personal data of up to 143 million Americans, details on what actions it took after it was discovered and when Equifax heard of the breach, the person said.
Released at Wed, 27 Sep 2017 18:01:47 +0000
Multiple federal and state agencies are investigating the problem, including the U.S. Department of Justice, which has launched a criminal investigation.
Smith, whose death followed the exit of Equifax’s chief information officer and chief security officer earlier this month, is still expected to testify at congressional hearings following week.
The company would be, left by its Chief Executive Richard Smith and forgo his 2017 bonus.
Had Equifax already been subject to the regulation, it would have had to report the breach within 72 hours of its discovery, rather than the 41 days that the company took after finding out that consumers’ social security numbers, birth dates, addresses and other sensitive information were compromised.
The fallout continued with Equifax, on Tuesday