"We have a shared interest on this Committee in ensuring that credit bureaus take the necessary measures to safeguard personal data and minimize risk of another massive data breach," Sen. Mike Crapo (R-Idaho), Chairman of the Senate Banking Committee, said in opening remarks at the committee’s hearing entitled "Consumer Data Security and the Credit Bureaus." As a follow up on its hearing on the Equifax data breach, the committee received testimony on the protection of consumer data at credit bureaus.
Regarding credit bureaus, Ranking Member Sherrod Brown (D-Ohio) said, "Because these businesses are not accountable to consumers, and because consumers have no choice over who is collecting their information, consumer protection is always an afterthought." Brown hoped that the hearing would not only explore strengthening cybersecurity but also "examine whether the current credit bureau model makes sense for American consumers."
Speaking on behalf of the Consumer Data Industry Association, Andrew M. Smith, of Covington & Burling LLP, focused his testimony on three points:
- The American credit reporting system provides critically important benefits to consumers and is indispensable to the economy.
- Nationwide credit reporting companies must comply with robust data security standards, not only because of the direct requirements of federal and state law, but also because of obligations imposed on credit reporting companies by their customers, such as banks, which are required by their prudential regulators to audit the data security of their vendors.
- Beyond these data security requirements, credit reporting companies are subject to a pervasive regulatory and supervisory scheme that effectively protects both consumers and the economy, and has persisted for nearly 50 years.
Marc Rotenberg, President of the Electronic Privacy Information Center, outlined the steps he believes Congress could take to minimize the risk flowing from the Equifax breach and to address the risk of future breaches in the data broker industry. Current laws do not protect consumers, he said. According to Rotenberg, legislation should:
- give consumers greater control of their personal data held by others;
- limit the use of the Social Security number in the private sector;
- minimize the collection of personally identifiable information;
- improve breach notification; and
- change the defaults in the credit reporting industry with: default credit "freezes" that give consumers opt-in control over the release of their credit report; free, routine monitoring services; and free access at any time for any purpose to a consumer who wants to see the complete contents of a credit report or other similar information product made available for sale.
Finally, the testimony of Chris Jaikaran, Analyst in Cybersecurity Policy at the Congressional Research Service, included: a discussion of data security as an element of cybersecurity and risk management; a case study and analysis on how data breaches occur; a description of cyber incident response; and possible options for Congress to address data security and data protection.
Jaikaran’s options for Congress included:
- authorizing a federal agency to engage in supervisory examinations of the credit reporting agencies for compliance with the safeguards rule;
- regulating the collection, use, and retention of data regardless of the type of entity housing that data; and
- requiring credit reporting agencies, or any entity that profits from consumer data, to identify and disclose their data model to consumers.
Companies: Consumer Data Industry Association; Electronic Privacy Information Center; Equifax
MainStory: TopStory BankingFinance ConsumerCredit CreditDebitGiftCards CyberPrivacyFeed FedTracker IdentityTheft OversightInvestigations Privacy TrumpAdministrationNews
Interested in submitting an article?
Submit your information to us today!Learn More