Page 20 - GS171001
Views
Insider's report on payments:
Data security should be national priority

By Patti Murphy
ProScribes Inc.

The Equifax hack revealed in September 2017 should be a loud wake-up call for policymakers, consumers and any organization that touches consumer financial information. Simply mandating security protocols through card-industry edicts and piecemeal legislation isn't cutting it. Overall attitudes regarding financial data security have to change.

By now, everyone is familiar with what happened at Equifax, one of three big companies that banks and other financial services providers rely on for assessing the creditworthiness of consumers. Hackers were able to breach the credit-reporting agency's network for three months, obtaining personal information (Social Security numbers, addresses, etc.) on more than 145 million Americans, or about 40 percent of the population.

It turns out the breach could have been prevented, too, as the software glitch that allowed hackers to penetrate Equifax's network was identified two months before the hackers got in, but the company never got around to installing a provided fix.

Making matters worse, Equifax waited six weeks after detecting the breach to tell the public, according to published reports. In other words, crooks had access to personally identifiable information on more than 145 million Americans, which they could use with wild abandon to apply for credit and otherwise misuse for weeks before any of those individuals had a chance to protect themselves.

Let there be laws

But Equifax may not have broken any laws. There are no comprehensive federal laws governing the collection and protection of consumers' personal financial information ‒ or for reporting breaches of such information. And states have adopted varying requirements, including for when and how breached companies must notify consumers. Georgia, where Equifax is headquartered, imposes no time frames for companies to notify consumers about breaches of personal information, for example, while several other states do.

Good data security should not be a political football. It should be a tenet of doing business. Unfortunately, as the Equifax case and other high-profile breaches suggest, many companies put profits and public image ahead of data security.

While there are no overarching federal laws on data security, Equifax, as a consumer reporting agency, is subject to the Fair Credit Reporting Act, which requires it to protect consumer credit reports. Chi Chi Wu, an attorney with the National Consumer Law Center, said it is not yet clear if there were FCRA violations resulting from the Equifax breach.

The Federal Trade Commission has brought scores of actions against credit reporting agencies and other nonbank players in the payments space for inadequate data security. The Consumer Financial Protection Bureau also has authority to take steps against such firms, and last year fined the payment network Dwolla Inc. $100,000 for misleading consumers about its data security practices.

Both the FTC and the CFPB have confirmed that investigations are underway into the Equifax breach and the company's response. Meanwhile, several congressional committees – including the House Energy and Commerce, Judiciary and Financial Services committees, and the Senate Banking Committee – have announced hearings specific to the Equifax breach.

It's incredible, really, to think that merchants, banks and other businesses that accept, transmit and clear credit card payments are held to higher standards (the Payment Card Industry Data Security Standard) than the companies that collect and maintain data used to determine the creditworthiness of cardholders.

This disparity has not been lost on the American Bankers Association, which wrote members of Congress in May urging national data protection laws covering all companies that handle sensitive consumer financial information. "It's time to pass a strong, consistent national standard for fighting data breaches and give consumers the protection they need," the banking trade group stated.

Several new congressional proposals have been triggered by the Equifax breach, most directed at Equifax and/or credit reporting agency practices generally. But one, the Commercial Data Privacy Bill of Rights of 2017, is fairly comprehensive. The proposed legislation, crafted by Senator Bob Menendez, D-N.J., builds upon legislation Menendez first tried to get Congress to act on back in 2013.

Provisions of the Menendez legislation would:

• Limit the types of information a business can collect on consumers and how long they can retain such information.
• Have the FTC write regulations covering the transfer