Inside Cybersecurity

April 25, 2024


One year after Equifax, credit reporting agencies still reside in a cyber gray area

By Charlie Mitchell / September 4, 2018

It's been a year since the massive Equifax data breach was revealed, but Congress and federal agencies appear stuck in neutral when it comes to crafting a policy response that would set cybersecurity requirements for consumer credit reporting agencies, including breach-notice and related obligations.

The hack at Equifax -- which exposed Social Security numbers and other sensitive information on approximately 150 million Americans -- raised policy questions about the timing of the firm's notification of consumers, its acknowledged failure to apply an available patch for a known vulnerability, and other issues.

It also highlighted a gap in regulatory oversight, but policymakers have been slow to offer fixes for any of these problems.

“The homework assignment is still out there” for lawmakers and regulators alike to develop the appropriate policies, said Tom Gann, McAfee’s chief public policy officer and head of government relations. “It’s late and people have a right to be irritated.”

The Federal Trade Commission has been investigating the 2017 breach -- and is the agency seen by many observers as the federal entity that, ultimately, will most directly respond to that specific incident.

In a response to Inside Cybersecurity, an FTC spokeswoman said the commission “will continue to use its enforcement authority to address unreasonable data security practices at companies that collect and store personal information. Additionally, the BCFP [Bureau of Consumer Financial Protection] has examination authority to look into the practices of the large national CRAs."

On a broader policy scale, data-breach legislation inspired by the 2017 Equifax incident could be marked up this month, formalizing cyber requirements for financial institutions including credit reporting agencies. Separately, the recently enacted banking reform law and a much touted "FinTech" report from the Treasury Department each called for an examination of which regulators hold authority over credit reporting agencies' cyber practices.

In practical terms, the breach-notification question raised by Equifax is already being answered on the other side of the Atlantic, through the European Union's General Data Protection Regulation, which requires an organization to notify its supervisory authority within 72 hours of becoming aware of a personal-data breach (and to notify affected individuals without undue delay when the breach is likely to pose a high risk to them).

“The vast majority of companies in the U.S. handle EU citizens’ data and will have to follow that,” McAfee’s Gann said. “While folks in the United States are still working on their homework, the EU has taken important action.”

At home, House Financial Services financial institutions and consumer credit subcommittee Chairman Blaine Luetkemeyer (R-MO) may move a revamped version of his draft data-breach legislation in September that focuses exclusively on financial institutions. That measure could make clear that security and notification rules apply to credit reporting agencies like Equifax.

A congressional GOP source agreed that the regulatory response -- along with the legislative response -- to Equifax has been slow, inhibited at least in part by a lack of clarity over which agencies have what jurisdiction over credit reporting firms like Equifax.

But Rep. James Langevin (D-RI), a leader on cyber issues, offered an even sharper critique, saying the overall “response has been slow and low” on Equifax over the past year -- by both the executive and legislative branches.

Like Luetkemeyer, Langevin has also crafted a comprehensive breach notification bill, but said “there hasn't been enough attention to preventing future Equifaxes from happening or to notify consumers … No one is addressing these gaps, we need to take steps to address credit agencies.”

Other Democrats say GOP committee leaders haven't sufficiently exercised oversight responsibility in light of Equifax.

“Similar to congressional oversight of the Trump Administration, the current Chairman hasn’t exercised the degree of oversight needed when it comes to cybersecurity in both the private and public sectors,” according to a Democratic source on the House Oversight and Government Reform Committee. “For example, shortly after Equifax announced one of the largest data breaches in recent history last September, Ranking Member [Elijah] Cummings [D-MD] and all of the other Democrats on the Committee requested that the Committee hold hearings, but the Chairman [Trey Gowdy of South Carolina] declined. While the Committee has been looking into the breach, to date, no hearings have been held."

The OGR committee majority office didn't reply to a request for comment.

In the absence of concrete action, lawmakers and departments alike have recognized the need to sort out what regulatory authority already exists for enforcing cyber standards at credit reporting agencies.

The sweeping banking reform bill rolling back parts of the Dodd-Frank regulatory regime, which was recently signed into law, directed the Government Accountability Office to perform "an analysis of--(A) which Federal and State regulatory agencies supervise and enforce laws relating to how consumer reporting agencies protect consumer data; and (B) all laws relating to data security applicable to consumer reporting agencies."

A proposal by Rep. Patrick McHenry (R-NC) requiring regulators to identify a specific agency with responsibility for overseeing cybersecurity at credit agencies didn't make it into the massive bank reform bill.

At the Treasury Department, a July "FinTech" report mandated by a Trump executive order, "A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation," noted the FTC's expertise on consumer data protection, but also called for a new federal breach-notice standard and an examination of existing regulatory authorities over credit reporting agencies.

“The FTC has deep expertise on privacy and data security for nonbank financial companies,” the report stated. “The FTC exercises enforcement authority under [the Gramm-Leach-Bliley Act] with respect to some types of nonbank financial companies, including credit bureaus. However … credit bureaus are not subject to routine supervision by either the FTC or the Bureau with respect to the requirements implemented under section 501 of the GLBA for the protection of nonpublic personal information. Given the sensitive nature of the information credit bureaus collect, the bureaus have a heightened duty to protect the information they collect.”

The report said: “The FTC should retain its rulemaking and enforcement authority for nonbank financial companies under the GLBA. Additionally, Treasury recommends that the relevant agencies use appropriate authorities to coordinate regulatory actions to protect consumer data held by credit reporting agencies and that Congress continue to assess whether further authority is needed in this area.”

The Office of the Comptroller of the Currency declined to comment on whether or how these authorities are being examined.

The Treasury report also said: “Treasury recommends that Congress enact a federal data security and breach notification law to protect consumer financial data and notify consumers of a breach in a timely manner. Such a law should be based on the following principles: Protect consumer financial data; Ensure technology-neutral and scalable standards based on the size of an entity and type of activity in which the entity engages; Recognize existing federal data security requirements for financial institutions; Employ uniform national standards that preempt state laws.” -- Charlie Mitchell (cmitchell@iwpnews.com)