In Wake of Equifax Data Breach, Van Hollen and Democrats Want Immediate Review of Consumer Data Protection at Top Consumer Reporting Agencies
In the wake of a massive data breach at Equifax, U.S. Senator Chris Van Hollen (D-Md.) today joined a group of Democratic Senators in calling for the Federal Trade Commission (FTC) to immediately review data security not only at Equifax, but also the other two major consumer reporting agencies, Experian and TransUnion.
"As one of the three major consumer reporting agencies, Equifax centrally holds the most sensitive PII [Personally Identifiable Information]-information that determines whether Americans will be able to purchase a car, secure a loan for a home, attain employment, and countless other functions that are critical to economic growth," the Senators wrote in a letter to FTC Acting Chairman Maureen Ohlhausen. "A breach of this size no doubt leaves other consumer reporting agencies a target."
In addition to Senator Van Hollen, the letter was signed by Senators Bob Menendez (D-N.J.), Sherrod Brown (D-Ohio), Brian Schatz (D-Hawaii), Al Franken (D-Minn.), Jack Reed (D-R.I.), Michael Bennet (D-Colo.), Catherine Cortez Masto (D-Nev.), Ed Markey (D-Mass.), Tammy Baldwin (D-Wisc.), Elizabeth Warren (D-Mass.), Maggie Hassan (D-N.H.), Tammy Duckworth (D-Ill.), Mazie Hirono (D-Hawaii), Cory Booker (D-N.J.), and Kirsten Gillibrand (D-N.Y.).
The Senators wrote that three data breaches at Equifax in two years, as well the company's failure to inform the public for weeks, "exposed serious fault lines in the company's ability to protect PII" and "suggests the possibility of similar foundational weaknesses at the other consumer reporting agencies."
In addition to investigating the cause of Equifax's data breach, the Senators called for the FTC to: develop data security standards for the holding of sensitive personal and related consumer financial information; review current standards at the consumer reporting agencies to determine whether Americans' personal data is secure; and consult with the Consumer Financial Protection Bureau to ensure that in the case of a data breach, consumers are being notified in a timely manner and have access to all of the necessary tools to protect themselves against identity theft.
The full letter is below and available here.
September 19, 2017
The Honorable Maureen K. Ohlhausen
Acting Chairman
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
Dear Acting Chairman Ohlhausen:
We write to request an immediate horizontal review of consumer reporting agencies in light of Equifax's disclosure of a data breach affecting nearly 44 percent of the country's population. According to Equifax, unauthorized parties accessed personally identifiable information (PII) including names, Social Security numbers, addresses, and driver's license numbers of approximately 143 million U.S. consumers.[1] In addition, 209,000 consumers had their credit card numbers stolen while 182,000 consumers' credit reporting dispute files were compromised.[2] For the millions of affected consumers throughout the nation, the impacts of this data breach could be catastrophic. As one of the three major consumer reporting agencies, Equifax centrally holds the most sensitive PII-information that determines whether Americans will be able to purchase a car, secure a loan for a home, attain employment, and countless other functions that are critical to economic growth. We were pleased to hear the Federal Trade Commission (FTC) confirm that it is indeed investigating the Equifax data breach, but a breach of this scale warrants a proactive review of data security at all three of the major consumer reporting agencies.[3] A breach of this size no doubt leaves other consumer reporting agencies a target.
The sheer magnitude of this event alone, affecting 143 million U.S. consumers, merits a comprehensive review. While the company's most recent data breach has appropriately garnered a new level of public scrutiny, this is not the first time Equifax has failed to protect the most important personal data for millions of U.S. consumers. In 2016, unauthorized parties accessed W-2 tax and salary data from an Equifax website.[4] Similarly, earlier this year, additional W-2 data was compromised from an Equifax subsidiary, TALX.[5] Equifax's inability to identify its weaknesses and strengthen its data security systems in the aftermath of these prior data breaches made vulnerable hundreds of millions of consumers in the U.S. and abroad. The rapid succession of three major data breaches in the span of less than two years suggests the possibility of similar foundational weaknesses at the other consumer reporting agencies.
Moreover, Equifax's actions around the discovery and disclosure of the data breach raise additional questions about the company's fidelity to the very consumers whose data they hold. Instead of quickly making this information available to the public and the affected consumers, Equifax waited six weeks before announcing the data breach. And yet, during those six weeks, Equifax's Chief Financial Officer, president of U.S. information solutions, and president of workforce solutions managed to find time to sell Equifax shares worth nearly $2 million in the span of a mere five days after the company discovered the breach. We are troubled by this revelation, and we find no reasonable justification for such a delay in informing those affected.
Equifax's security breach exposed serious fault lines in the company's ability to protect PII. We are deeply concerned that these problems may also exist at the other consumer reporting agencies. As such, we ask that you: (1) promptly investigate the causes of the Equifax data breach; (2) develop recommendations for data security standards for consumer reporting agencies' central holding of PII and related consumer financial information; (3) conduct a review of the existing data security standards at the consumer reporting agencies to determine whether Americans' personal data is secure; and (4) consult with the Consumer Financial Protection Bureau to ensure that in the case of a data breach, consumers are being notified in a timely manner and have access to all of the necessary tools to protect themselves against identity theft. In addition, we ask that you respond to the following questions no later than October 6, 2017:
- What specific safeguards are in place at the three major consumer reporting agencies to ensure that consumer data is secure? For example, are the agencies subject to internal and external data security audits? To what extent are the reporting agencies encrypting consumer data?
- What internal policies are in place at each of the three major consumer reporting agencies that govern when and how consumers, government, and law enforcement agencies are notified of actual or attempted breaches? Is a universal notification system appropriate?
- Do consumer reporting agencies share threat intelligence data so as to better guard against cyber-attacks? Do consumer reporting agencies regularly share threat intelligence data with law enforcement agencies and/or the intelligence community?
- Should the government and financial institutions reconsider using Social Security numbers as a national identifier?
- In the event of a data breach, what is the appropriate length of time that consumers should hold identity theft protection? Should a consumer reporting agency whose lax security was responsible for a breach be allowed to market credit monitoring and identify theft protection services to affected consumers?
- Would the institution of a monetary penalty framework incentivize consumer reporting agencies to better secure consumer data?
- Does the FTC require additional statutory authority to monitor and hold accountable consumer reporting agencies in the event of a data breach?
We look forward to working with you on this matter and we appreciate your prompt attention to this request.
Sincerely,
Cc:
The Honorable Richard Cordray
Director
Consumer Financial Protection Bureau
1275 First Street NE
Washington, DC 20002
###
[1] Press Release, Equifax Inc., Equifax Announces Cybersecurity Incident Involving Consumer Information (Sept. 7, 2017), at https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628.
[2] Id.
[3] Brian Fung, The FTC is investigating the Equifax breach. Here's why that's a big deal., The Washington Post (Sept. 14, 2017), at https://www.washingtonpost.com/news/the-switch/wp/2017/09/14/the-ftc-confirms-its-investigating-the-equifax-breach-adding-to-a-chorus-of-official-criticism/?utm_term=.53aaa6c38830.
[4] Tara Siegel Bernard, Tiffany Hsu, Nicole Perlroth, Ron Lieber, Equifax Says Cyberattack May Have Affected 143 Million in the U.S., New York Times (Sept. 7, 2017) https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html.
[5] Id.