At a subcommittee hearing this week, lawmakers heard from a representative of the trade association that represents the major credit reporting companies what they are doing to protect consumers data.
Rep. Bob Latta (R-OH), chairman of the House Subcommittee on Digital Commerce and Consumer Protection, said the size and scope of the recent Equifax breach has consumers confused and skeptical.
“What should we tell our constituents about how the credit reporting industry is securing their sensitive data?” Latta asked.
Francis Creighton, president and CEO of the Consumer Data Industry, which represents the major credit bureaus, said it is a constant fight to protect consumers data.
“We’re fighting this war on a daily basis,” Creighton said. “We’re getting attack non-stop from nation states, as one of our witnesses was mentioning, from criminals, and many others. We monitor, we test our system, we try to do data minimization and encryption, inside and while the data is in transit, to make sure that if in fact somebody is in the system the information is not useable and to try to keep them out of the system in the first place.”
Energy and Commerce Committee Chairman Greg Walden (R-OR) said the laws and regulations already in place did not do enough.
“The Gramm-Leach-Bliley Act prohibits financial institutions from disclosing non-public information without the consumer’s consent. That’s a law,” Walden said. “The Fair Credit Reporting Act deems the unauthorized disclosure of consumer reports to be an ‘unfair or deceptive act or practice.’ That’s a law. The Dodd Frank Act created an entirely new federal bureaucracy, the Consumer Financial Protection Bureau, and charged it, among other duties, with the task of protecting consumer financial information. Despite these new and sweeping powers, the Bureau seemed completely unaware that the company had failed to implement the necessary software patch that could have saved Americans’ data from hackers.”
Anne Fortney, partner emeritus at Hudson Cook LLP said that protection goes beyond creating new regulations.
“From what we’ve read, Equifax did not take appropriate measures to prevent the breach,” Fortney said. “The Fair Credit Reporting Act, if there’s any credit reporting information involved, would come into play. There are civil penalties, as well as the FCC’s authority to prevent future violations. The Gramm-Leach-Bliley rules also require Equifax to safeguard data on consumers that it holds, and there can be penalties there as well.”
James Norton, founder and president of Play-Action Strategies, added that the private sector’s cybersecurity problems cannot be blamed solely on a lack of federal regulation.
“Instead, a root cause of the problems is a failure of organizations, private sector and governmental, to establish a culture of cybersecurity awareness. Organizations should not assume that employees understand cybersecurity and, as such, must be diligent about training employees on their role in keeping information protected,” Norton said.