Banking and Finance Law Daily Senate Committee holds hearing on FCRA and data security
News
Thursday, July 12, 2018

Senate Committee holds hearing on FCRA and data security

By Nicole D. Prysby, J.D.

On July 12, 2018, the Senate Committee on Banking, Housing and Urban Affairs held a hearing to discuss the Fair Credit Reporting Act (FCRA), credit bureaus, and related issues, including data security.

According to Committee Chairman Mike Crapo (R-Idaho), the hearing seeks to explore "the scope of the Fair Credit Reporting Act and other relevant laws and regulations as they pertain to credit bureaus; the extent to which the Bureau of Consumer Financial Protection and the FTC, whom the two witnesses represent, oversee credit bureau data security and accuracy; the current state of data security, data accuracy, data breach policy, and dispute resolution processes at the credit bureaus; and what, if any, improvements could be made." Ranking Member Sherrod Brown (D-Ohio) added that due to the critical nature of financial privacy and the role that it can play in Americans’ lives, he hopes that the "Committee will not only listen to the advice we get today, but will also take action to give people control over what should be their personal information."

The Committee heard testimony from Peggy Twohig, Assistant Director for Supervision Policy at the Consumer Financial Protection Bureau. Ms. Twohig provided an overview of the credit reporting system, noting that over 200 million Americans have credit files and stating that the FCRA helps ensure that the records are accurate for the benefit of consumers and businesses. She discussed the Bureau’s enforcement and supervisory authority over credit reporting agencies (CRAs) and other entities, pursuant to the FCRA and Title X of the Dodd-Frank Act, and noted that in its supervisory and enforcement work, the Bureau has focused on credit reporting accuracy and dispute handling by CRAs. Recent efforts have included: directing CRAs to improve oversight of incoming data and third-party public records service providers; institution of quality control programs; adherence to an independent obligation to reinvestigate consumer disputes; and improved communication with consumers regarding dispute results.

Ms. Twohig discussed the Bureau’s attention to data security issues, which increased following the Equifax breach. The Bureau conducts data security reviews to determine whether a nonbank’s practices violate federal consumer financial law. It also obtains information about the entities’ compliance management systems and detects and assesses risks of potential data security lapses. Finally, the Bureau’s website provides information to consumers with steps they can take to protect their personal information.

The Committee also heard testimony from Maneesha Mithal, the Associate Director for the Division of Privacy and Identity Protection at the Federal Trade Commission. Ms. Mithal discussed the FTC’s role in implementation and enforcement of the FCRA and the obligations imposed on CRAs by the FCRA. She also discussed credit report accuracy. A 2012 report found that 25 percent of consumers identified errors on their credit reports. Since that time, improvements have been made; a 2015 national settlement between credit bureaus and over 30 state attorneys general contained a number of provisions designed to improve the accuracy of credit reports and is in the final stages of implementation. The FTC continues to focus on FCRA enforcement as a top priority and has settled a number of cases against data furnishers and background-screening CRAs that failed to maintain adequate procedures for reporting accurate credit information.

With respect to data security, Ms. Mithal noted that the FTC is the primary data security regulator and enforces data security through Section 5 of the FTC Act, the Children’s Online Privacy Protection Act, and the Gramm-Leach-Bliley Act. The FTC has brought more than 60 law enforcement actions against companies that allegedly engaged in unreasonable data security practices, including actions against CRAs. For example, the FTC brought actions against a CRA for selling consumer reports to identity thieves who did not have a permissible purpose to obtain the information, and has brought actions against companies for failing to dispose of consumer report information securely. The FTC also provides guidance for businesses on data security practices, data breaches, and emerging threats, as well as guidance for consumers and policy initiatives to enhance data security.

Industry and consumer groups responded to the hearing. The Credit Union National Association (CUNA) expressed thanks for the hearing and provided suggestions for improving the FCRA. CUNA suggested that there should be caps on recovery in class action lawsuits under the FCRA and that the FCRA guidance and regulations should provide more clarity as to communications with consumers regarding information tangential to the credit report and the credit score impact of paying off debt. In addition, opt-out notice requirements should be streamlined and the tangential information that may be provided to a consumer in situations involving an approval for credit should be clarified.

Consumers Union also published a response to the hearing, advocating for more robust data security protections. The group argued for stronger incentives for CRAs to protect data and penalties for failure to do so, and for a default credit freeze bill under which consumers would opt-in to share their data in order to open a credit account. Consumers Union also expressed support for legislation holding credit bureaus and creditors to more extensive accuracy requirements.

Companies: Consumers Union; Credit Union National Association; Equifax

MainStory: TopStory CFPB CyberPrivacyFeed FairCreditReporting IdentityTheft OversightInvestigations Privacy

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More