It’s been one year since the Equifax hack bombshell. So what’s been done?

A year after the massive Equifax data breach was revealed, Congress and federal agencies are stuck in neutral when it comes to writing a policy response that would address cybersecurity requirements for consumer credit agencies, including breach-notice and related issues.

The hack at Equifax, which exposed Social Security numbers and other sensitive information on approximately 150 million Americans, raised an array of policy questions including: what’s a reasonable lag between discovering a hack and notifying the public; and how do you compel firms to apply available patches for known vulnerabilities?

It also highlighted a gap in regulatory oversight, yet policymakers have been slow to offer fixes for any of these problems.

The hack came to light on Sept. 7, 2017 — nearly six weeks after Equifax says it discovered the intrusion internally — setting off a frenzy of congressional hearings and denunciations, and investigations by the Federal Trade Commission and Bureau of Consumer Financial Protection, but little tangible action that’s visible to the public.

An FTC spokeswoman said the commission “will continue to use its enforcement authority to address unreasonable data security practices at companies that collect and store personal information. Additionally, the BCFP [Bureau of Consumer Financial Protection] has examination authority to look into the practices of the large national [credit reporting agencies].”

“The homework assignment is still out there” for lawmakers and regulators alike to develop the appropriate policies, said Tom Gann, McAfee’s chief public policy officer and head of government relations. “It’s late and people have a right to be irritated.”

On Capitol Hill, data-breach legislation inspired by the Equifax incident could be marked up this month, formalizing cyber requirements for financial institutions including credit reporting agencies. Meanwhile, the recently enacted banking reform law and a much touted financial technology report from the Treasury Department separately called for examinations of regulatory authorities related to credit reporting agencies’ cyber practices.

The data-breach notification question arising from Equifax is also being addressed on the other side of the Atlantic, through the European Union’s General Data Protection Regulation, which requires an organization to notify its supervisory authority within 72 hours of becoming aware of a breach of personal data.

“The vast majority of companies in the U.S. handle EU citizens’ data and will have to follow that,” McAfee’s Gann said. “While folks in the United States are still working on their homework, the EU has taken important action.”

After many months of talks with stakeholders and hearings, House Financial Services Committee member Blaine Luetkemeyer, R-Mo., may move a revamped version of his draft data-breach legislation in September that focuses exclusively on financial institutions.

That measure, which was scaled back from an initial draft that would have covered all kinds of companies, could make clear that security and notification rules apply to credit reporting agencies such as Equifax.

A congressional GOP source agreed that the regulatory response, along with the legislative response, to Equifax has been slow, inhibited at least in part by lack of clarity over which agencies have what jurisdiction over credit reporting firms.

But Rep. James Langevin, D-R.I., a leader on cyber issues, offered an even sharper critique, saying the overall “response has been slow and low” on Equifax over the past year, by both the executive and legislative branches.

Like Luetkemeyer, Langevin has written a comprehensive breach-notification bill, but said “there hasn’t been enough attention to preventing future Equifaxes from happening or to notify consumers. … No one is addressing these gaps, we need to take steps to address credit agencies.”

Other Democrats say GOP committee leaders haven’t sufficiently exercised oversight responsibility in light of Equifax.

“Shortly after Equifax announced one of the largest data breaches in recent history last September, ranking member [Elijah] Cummings [D-Md.] and all of the other Democrats on the committee requested that the committee hold hearings, but the Chairman [Trey Gowdy of South Carolina] declined,” said a Democratic spokesperson for the House Oversight and Government Reform Committee. “While the committee has been looking into the breach, to date, no hearings have been held.”

The Oversight and Government Reform majority sharply rejected the idea that they haven’t aggressively pursued oversight in the Equifax matter, and said findings and recommendations are coming.

“In September 2017, Chairman Gowdy and [Science Committee] Chairman [Lamar] Smith opened a joint investigation into the Equifax data breach,” Amanda Thompson, communications director for the Oversight Committee, said in a statement. “The Committees have received and continue to review over 100,000 pages of documents, and have held multiple briefings with senior Equifax personnel. We have also interviewed a number of witnesses, including Equifax’s former CIO and CISO. The Committees look forward to releasing our findings and recommendations at the conclusion of our investigation.”

But lawmakers and departments alike have recognized the need to sort out what regulatory authority does exist for enforcing cyber standards at credit reporting agencies.

The sweeping banking reform bill rolling back parts of the Dodd-Frank regulatory requirements, which was recently signed into law, called for the Government Accountability Office to perform “an analysis of — (A) which Federal and State regulatory agencies supervise and enforce laws relating to how consumer reporting agencies protect consumer data; and (B) all laws relating to data security applicable to consumer reporting agencies.”

A proposal by Rep. Patrick McHenry, R-N.C., requiring regulators to identify a specific agency with responsibility for overseeing cybersecurity at credit reporting agencies didn’t make it into the massive bank reform bill.

At the Treasury Department, a July financial technology or “FinTech” report — “A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation,” mandated by a Trump executive order — noted the FTC’s expertise on consumer data protection, but also called for a new federal breach-notice standard and an examination of existing regulatory authorities around credit reporting agencies.

The Office of the Comptroller of the Currency declined to comment on whether or how the use of these authorities is being examined.

The Treasury report also said: “Treasury recommends that Congress enact a federal data security and breach notification law to protect consumer financial data and notify consumers of a breach in a timely manner. Such a law should be based on the following principles: Protect consumer financial data; ensure technology-neutral and scalable standards based on the size of an entity and type of activity in which the entity engages; recognize existing federal data security requirements for financial institutions; [and] employ uniform national standards that preempt state laws.”

Note: This story has been updated with a statement from the House Oversight and Government Reform Committee Republicans.