FTC needs power to fine credit bureaus in data breaches, report says

The Federal Trade Commission needs the authority to fine credit bureaus for failing to protect consumer data they collect and sell to lenders, according to a report requested by lawmakers after the 2017 hack of Equifax.

The agency, which regulates credit reporting firms under a variety of federal laws and can impose civil penalties under some of them, lacks the power to do so for violations of the Gramm-Leach-Bliley Act, according to the Government Accountability Office, the investigative arm of Congress. That law requires adequate safeguards on personal data at the heart of the credit bureau business model.

The firms, which also include TransUnion and Experian, collect reams of information on consumers, including identification points such as birth dates, Social Security and driver’s license numbers, as well as payment histories that they sell to banks considering applications for credit cards, mortgages, and car loans.

Identification data, which unlike stolen account numbers can be difficult or impossible to alter, was among the items stolen in the breach at Atlanta-based Equifax that left nearly half the U.S. population at heightened risk of identity theft. The case “highlighted the data-security risks associated with consumer reporting agencies,” both because of the sensitive information they hold and the limited control individuals have over it, the GAO said in its report.

The review shows that two years after the Equifax theft, which prompted the departure of then-CEO Richard Smith, “vulnerabilities still exist,” said Sen. Elizabeth Warren, D-Mass., and Rep. Elijah Cummings, D-Md., who requested it. “The GAO has issued very clear recommendations on how to protect consumers, so let’s follow them. We need to give the Federal Trade Commission more tools to crack down on consumer data abuses.”

A March 26 hearing on the matter was scheduled by the economic policy panel of the House Committee on Oversight and Reform, which Cummings has chaired since Democrats regained a majority in the House in November’s midterm elections, and representatives of both the FTC and the GAO were asked to testify.

In March 2018, Equifax appointed 59-year-old Mark Begor, a General Electric veteran, as its new CEO, tasking him with restoring the firm’s tarnished reputation — an assignment that would be easier if the breach hadn’t revived a potentially existential threat to credit reporting companies.

Congressional hearings have since examined whether consumers or credit bureaus own the data that such companies collect, and the answer could transform an industry that pays consumers nothing for their data and turns a profit from selling it to lenders. A bill introduced by Warren and Sen. Mark Warner, D-Va., that would have created a cybersecurity office within the FTC died in the Senate.
