Equifax is facing yet another legal woe from its massive data breach. This time, New York State’s financial services regulator has issued a subpoena to the company, demanding that it provide more information about the leak.
According to a Reuters news report, the New York’s Department of Financial Services (DFS) sent the subpoena to Equifax on Sept. 14, citing a source who declined to be named.
The subpoena is requesting documents related to the data breach that compromised the personal data of up to 143 million Americans, details on when Equifax learned of the leak and what actions it took after it was found, as well as additional information.
A spokesman for DFS declined to comment, while an Equifax spokesman was not immediately available.
New York has had a strong response to the Equifax hack. Governor Andrew Cuomo recently proposed regulation that would take effect in February, requiring all agencies – including TransUnion and Experian – to report their officers or directors who are responsible for compliance with laws and regulations involving financial services, banking and insurance each year. If the companies fail to register, they risk being barred from doing business with financial companies regulated by New York State.
The state would also be able to bar a credit reporting agency from doing business if it is found to engage in “unfair, deceptive or predatory practices.”
In addition, New York has a new cybersecurity regulation, the first of its kind in the country, which requires financial firms to take measures to protect networks and customer data from hackers and to disclose cyber events to state regulators. It took effect on March 1.
If Equifax had already been subject to the regulation, it would have had to report the breach within 72 hours of its discovery instead of the 41 days it took the company to make the leak known.
In addition to its issues in New York, Equifax is being investigated by multiple federal and state agencies, including the U.S. Department of Justice. The company is being sued by the state of Massachusetts, as well as the city of San Francisco, for not doing enough to protect consumers from the cyber breach.
And just this past week, the company announced its that Richard Smith, its chief executive, would retire and forgo his 2017 bonus. Smith is still expected to testify about the hack at congressional hearings next week.