By John McCrank
NEW YORK (Reuters) - Equifax has been cooperating with regulators on issues resulting from the credit reporting agency's massive data breach and has addressed many of them, New York Attorney General Eric Schneiderman's office said on Thursday.
Schneiderman was one of several state attorneys general to launch formal investigations of Equifax after the firm disclosed on Sept. 7 that cyber-criminals had hacked its systems and accessed sensitive information on up to 143 million Americans more than a month earlier.
The regulator had a long list of complaints on how the firm handled the hack and its aftermath. The issues included the delay in notifying consumers of the breach, a forced arbitration clause in Equifax's free credit monitoring contracts and its failure to provide Spanish-language customer service to affected consumers.
- Prepare for GoT season 8 with this Game of Thrones whisky 8 Pictures
- PHOTOS: A look back at Queen performing in the 1970s and 1980s 22 Pictures
"Following conversations with our office, Equifax has addressed all of those issues," Clark Russell, deputy bureau chief of the state regulator's Bureau of Internet and Technology, said in prepared remarks to a New York State Senate Consumer Protection hearing.
He also noted that Equifax agreed to provide consumers the ability to lock and unlock their credit file for life at no charge.
But the facts behind the hack are still unfolding, Maria Vullo, superintendent of New York's Department of Financial Services (DFS), told the same hearing.
"It simply is unacceptable for a company that profits from consumers' private information to fail to have adequate protections," she said.
The DFS recently issued a subpoena to Equifax demanding more information about the breach. It has proposed including credit-reporting agencies in its landmark cybersecurity regulation, along with all regulated financial services institutions.
The regulation would require Equifax, along with rival firms Experian <EXPN.L> and TransUnion <TRU.N>, to have adequate controls in place to protect their information systems and to report known cyber breaches within 72 hours, among other things.
(Reporting by John McCrank; Additional reporting by Karen Freifeld; Editing by Dan Grebler)