Home – Will Massive Equifax Breach Spur State Regulation?

Will Massive Equifax Breach Spur State Regulation?

 The unauthorized accessing of sensitive financial and personal information about 145.5 million consumers at Equifax, which the company made public last month, has prompted numerous lawsuits, congressional hearings, and investigations by federal agencies and state attorneys general, along with a big drop in the company’s stock price and the sudden retirements of its chief information officer, chief security officer and CEO. The massive breach could also lead to a state regulatory crackdown on credit reporting agencies, which aren’t currently subject to some of the requirements imposed on other businesses that manage sensitive consumer data, and possibly to tighter controls on that larger universe of businesses as well.


Equifax and the two other major consumer credit bureaus, Experian and TransUnion, compile and store confidential information, including credit card numbers, phone numbers, addresses, birth dates and Social Security Numbers, on about 200 million Americans. The companies use that trove of data to calculate the credit scores used to help decide whether someone gets a credit card, a home loan or a job, among many other things.


Despite the critical function they serve and the lucrative target they pose for identity thieves, however, the credit reporting agencies, though required to abide by many of the data security laws that apply to banks and other financial institutions, aren’t subject to the same level of federal regulatory oversight as those entities, according to a report by the New York Times. While banks are continuously monitored for compliance by a team of agencies, the credit bureaus generally only come under scrutiny after a problem has arisen, that report indicated.


“Credit reporting agencies are the plumbing of our financial system but are much less regulated than many banks,” Rohit Chopra, a senior fellow at the Consumer Federation of America, an association of nonprofit consumer organizations, told the Times.


New York Gov. Andrew Cuomo (D) wants to change that situation. He has directed his state’s Department of Financial Services (DFS) to issue new regulations requiring credit reporting agencies to register with the state each year and giving the superintendent of the DFS the power to deny or revoke a credit bureau’s authorization to operate in the state for failing to comply with the state’s Cybersecurity Requirements for Financial Services Companies, which went into effect in March, or engaging in unfair, deceptive or predatory practices, among other things.


“A person’s credit history affects virtually every part of their lives and we will not sit idle by while New Yorkers remain unprotected from cyberattacks due to lax security,” Cuomo said, according to a DFS press release. “Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call, and with this action, New York is raising the bar for consumer protections that we hope will be replicated across the nation.”


Whether other states will heed that call remains to be seen. But the Equifax breach also highlighted other gaps in the laws governing credit reporting companies and other financial institutions. According to congressional testimony given by former Equifax CEO Richard Smith this month, the company didn’t disclose its breach to the public until over a month after initially detecting it, in part because it took time to ascertain the extent of the infiltration and because it was advised by outside cybersecurity counsel to have a plan in place for protecting consumers affected by the breach first. Yahoo added insult to that injury when it revealed last month that it had suffered a breach affecting 500 million of its users back in 2014.


Forty-eight states have laws requiring private or public entities to notify individuals of breaches of their personal information, according to the National Conference of State Legislatures. But the laws are somewhat vague, generally requiring only that notification be provided expeditiously. Disclosure is complicated by the fact that it can take time to determine the size of a breach and what, if anything, was taken, and companies also want to protect their reputations.


“Is it really ‘lost’ if you can’t find it out in the Darknet for sale?,” said Chris Roberts, chief security architect at Acalvio, a Santa Clara, California-based company that provides advanced threat detection solutions, as TheStreet reported. “Is it ‘lost’ if you have no trace of it leaving? Is it lost and do we have to disclose if we can’t actually work out what happened? Disclosure is a mess, and that’s putting it nicely. Lawyers are involved, and they care less about the ‘normal human’ and simply have a duty to protect the corporation. It’s as simple as that.”


Another issue that has likely become apparent to many impacted by the Equifax breach is that taking action to prevent the fraudulent use of the information that was illegally accessed, such as initiating a “credit freeze,” blocking lenders from pulling your credit report and, thereby, preventing someone from fraudulently opening a new account in your name, or lifting a freeze once it is in place, isn’t free, unless you live in one of handful of states that bar credit bureaus from imposing such fees or you can prove you were the victim of credit theft, such as by providing the number of a filed police report. According to the consumer research website ValuePenguin.com, the fees for a freeze, for instance, generally range from $3 to $10, making the expense of freezing your credit at all three major credit bureaus as much as $20 until Jan 31, 2018, when a waiver of the fee for a credit freeze at Equifax expires and the cost rises to $30.


Some members of Congress have indicated their willingness to address these issues. U.S. Rep. Jim Langevin (D-Rhode Island) has reintroduced legislation (HB 3806) that would establish a 30-day national standard for breach notifications and direct the Federal Trade Commission to help coordinate the disclosures, according to The Hill. The publication also reported that U.S. Sen. Chuck Grassley (R-Iowa), chairman of the U.S. Senate Judiciary Committee, said he’s been working with U.S. Sen. Dianne Feinstein (D-California) and other senators of both parties on a national breach notification standard for years.


“I remain committed to getting a good bill put together and over the finish line,” he said before his committee’s hearing on Equifax this month.


U.S. Rep. Jim Himes (D-Connecticut) and U.S. Sens. Ron Wyden (D-Oregon) and Elizabeth Warren (D-Massachusetts), meanwhile, have all introduced legislation providing for free credit freezes, HB 3766, SB 1810 and SB 1816, respectively, according to LexisNexis State Net’s legislative tracking system. But the enactment of any of the congressional measures seems unlikely with a presidential administration inclined to loosen rather than tighten government regulations, most recently evidenced by the Environmental Protection Agency’s move to repeal President Barack Obama’s signature policy for curbing carbon emissions from power plants.


But at least five states have also introduced bills this year, or prefiled measures for next year, that were likely prompted by the Equifax breach, given their subject matter and the fact that they were proposed after the breach was made public on Sept. 7 (see Bird’s eye view in this issue). The measures include New York SB 6879, which would require credit reporting agencies to automatically place a freeze on consumer credit files affected by a breach, and SB 6880, which would require any business that uses computerized data including private information to disclose breaches of its system within 15 days of discovering them unless directed otherwise by law enforcement, as well as measures providing for free credit freezes in Illinois (HB 4095 and SB 2230) and Michigan (HB 5055). Bills dealing with data breaches and credit freezes that were introduced prior to the Equifax breach was made public are also still pending in at least nine states. And those measures could get a boost from the abundant media coverage of the Equifax incident.