By Karen Freifeld and John McCrank
NEW YORK (Reuters) – New York state’s financial services regulator has issued a subpoena to Equifax Inc <EFX.N> demanding it provide more information about the massive data breach the credit-reporting firm disclosed this month, a person familiar with the matter said on Wednesday.
New York’s Department of Financial Services (DFS) sent the subpoena to Equifax on Sept. 14, said the person, who declined to be named because the matter has not been made public.
The subpoena seeks documents related to the hack that compromised the personal data of up to 143 million Americans, details on when Equifax learned of the breach and what actions it took after it was discovered, as well as other information, the person said.
The DFS put out guidance to financial institutions on Sept. 18 about steps they should take to protect consumer information following the breach, but the issuing of the subpoena has not been previously reported.
A spokesman for DFS declined to comment. An Equifax spokesman was not immediately available.
The state also proposed on Sept. 18 credit reporting agencies be subject to its cybersecurity rule that went into effect on March 1 and requires banks and other financial institutions regulated by DFS to establish a program to protect consumer data and alert the regulator to material breaches.
Had Equifax already been subject to the regulation, it would have had to report the breach within 72 hours of its discovery, rather than the 41 days the company took after finding out that consumers’ social security numbers, birth dates, addresses and other sensitive information were compromised.
Equifax has lost around $4.5 billion in market value since it disclosed the hack on Sept. 7, which the Atlanta-based company said it detected on July 29 and occurred between mid-May and July.
Multiple federal and state agencies are investigating the issue, including the U.S. Department of Justice, which has launched a criminal probe.
The fallout continued on Tuesday, with Equifax announcing its Chief Executive Richard Smith, would leave the company and forgo his 2017 bonus.
Smith, whose departure followed the exit of Equifax’s chief information officer and chief security officer earlier this month, is still expected to testify at congressional hearings over the hack next week.
Three Equifax executives, including the chief financial officer, are also under fire for selling $1.8 million in stock three days after the company said it detected the breach. Equifax said the executives were unaware of the breach at the time.
(Reporting by John McCrank and Karen Freifeld; Editing by Nick Zieminski)