Lawmakers Grapple With Data Collection After Equifax Breach

By Rob Tricchinelli

The extensive data breach at Equifax has generated bipartisan calls for Congress to enact legislation that would better protect American consumers.

Former Equifax Chief Executive Officer Rick Smith faced tough questions from the Senate Banking Committee Oct. 4, as lawmakers from both parties called for changes to data-collection and security practices for the credit-reporting industry and beyond.

Congress needs to address the “use and protection of personally identifiable information that is being collected by the government, by the private sector, and others,” Sen. Mike Crapo (R-Idaho), the committee’s chairman, said during the oversight hearing on the Equifax data breach.

Data Security

The breach disclosed Sept. 7 by Equifax involved the personal data for 145 million consumers—nearly half the U.S. population. Lawmakers beat up on Smith but also called for a revamp of how the credit-reporting industry is structured.

“Consumers are trapped, there’s no competition, nowhere else for them to go,” Sen. Elizabeth Warren (D-Mass.) said at the hearing. “If we think Equifax does a lousy job protecting our data, we can’t take our data to someone else. Equifax and this whole industry should be completely transformed.”

Warren has called for specific changes to the credit-reporting industry and introduced a bill that would allow consumers to opt out of having their data collected and boost the bureaus’ obligations in case of breaches. Republicans on the banking committee have hinted at legislation that would address data collection more broadly.

“I’m interested in having a much more robust system in place that allows individuals to protect their private, personally identifiable information,” Crapo told reporters after the hearing, adding that he expects more discussion among lawmakers on the issue. “I believe there is bipartisan interest here,” he added.

At the hearing, Sen. David Perdue (R-Ga.) indicated support for pending legislation that would require “cyber breach notifications for people within the industry and also between the companies and different agencies in the federal government.”

Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) are working on a revised version of a data security act they introduced in previous Congresses that would harmonize state-law standards for investigating and reporting breaches.

“My first concern is data security,” Perdue told Bloomberg BNA. “The credit houses perform a useful service, otherwise you and I would have to go aggregate all our financial data to go apply for a loan, but it opens the possibility to big breaches like this.”

Scope?

Lawmakers will have to hash out the scope of any potential legislative fix.

“The conversation appears far more focused on data security than credit reporting, which reinforces our view that substantive credit reporting legislation impacting Equifax’s competitors is highly unlikely,” Isaac Boltansky, of Compass Point Research & Trading LLC, said in an Oct. 4 analyst note.

Accompanying Smith during his Hill appearance was former Sen. Saxby Chambliss (R-Ga.), now a partner in Atlanta with DLA Piper, which itself was hit with a cyberattack earlier this year.

To contact the reporter on this story: Rob Tricchinelli in Washington at rtricchinelli@bna.com

To contact the editor responsible for this story: Michael Ferullo at MFerullo@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.