Congress must take action to ensure that consumer data is being adequately protected at consumer reporting agencies (CRAs), witnesses said at Tuesday’s House Committee on Oversight and Reform Subcommittee on Economic and Consumer Policy hearing.
During the hearing, witnesses and lawmakers examined recent data breaches at CRAs, as well as steps Congress can take to ensure stronger consumer data protection. CRAs “collect, maintain, and sell to third parties large amounts of sensitive data about consumers, including Social Security numbers and credit card numbers,” the Government Accountability Office (GAO) explained in a report released Tuesday. The best-known CRAs are Equifax, Experian, and TransUnion, though there are hundreds of smaller, specialty CRAs across the country.
While all witnesses agreed that steps must be taken, they did not unanimously agree on what those steps should be.
“The 2017 data breach of Equifax highlighted the data security risks associated with CRAs and underscored the importance of appropriate Federal oversight in this market where consumers have limited control over whether or which CRAs possess their information,” said Michael Clements, director of Financial Markets and Community Investment at GAO, explaining the importance of creating stronger protections.
Clements focused specifically on the role the Federal Trade Commission (FTC) plays in ensuring consumer data protection and in enforcing existing laws and policies with CRAs. He urged Congress to give the FTC the authority to levy civil monetary penalties for violations of the Gramm-Leach-Bliley Act (GLBA), the legislation that requires financial institutions to explain how they share and secure private consumer information.
Clements also urged the Consumer Financial Protection Bureau (CFPB) to incorporate data security more fully into its broader CRA examination process, saying the bureau’s current examinations do not include sufficient data security provisions. Finally, Clements said that regulators across the board need to do a better job of informing consumers about available protections and about what steps consumers can and should take following a data breach.
Andrew Smith, director of the FTC’s Bureau of Consumer Protection, concurred with Clements that giving the FTC the ability to levy civil monetary penalties would give the Commission a “practical enforcement tool that would benefit consumers.”
Smith also encouraged passage of Federal data security legislation that included three main priorities: “the ability to seek civil penalties effectively to deter unlawful conduct, jurisdiction over non-profits and common carriers, and the authority to issue targeted implementing rules under the Administrative Procedure Act.” Smith said that each priority is important to the Commission’s desire to “combat unreasonable security.” The rest of Smith’s testimony at the hearing was largely focused on touting the FTC’s current initiatives on data security, as well as its recent successes.
Mike Litt, consumer campaign director at the U.S. Public Interest Research Group, concurred with Clements and Smith, and explained there is a “need for financial penalties and strong oversight to make sure the CRAs, also known as credit bureaus, are doing everything they can to protect our personal data, which we did not give them permission to collect or sell in the first place.” His testimony largely mirrored that of Clements, including urging civil monetary penalties for violations of GLBA and calling for the CFPB to do a better job of examining data security at CRAs. Litt also said that “robust data breach notification” should be required.
“Breach notification to consumers should be required based on an acquisition standard, as opposed to a harm trigger,” he said. “Additionally, breach notification to the FTC and state attorneys general should be required for all breaches. If information has been lost, it should be presumed to be acquired and therefore require a notification. Harm triggers on the other hand only require notification if the breached entity determines that harm is posed to the individuals whose information was lost. Your right to know if your personal information has been lost should not depend on a determination of harm by the company that lost your information in the first place.”
Jennifer Huddleston, a research fellow at the Mercatus Center at George Mason University, disagreed with Litt, saying that regulators should avoid “an expansive theory of harm in their approach to data security.”
Though their terminology differed, she was arguing that the approach Litt favored would be harmful rather than helpful. She said an overly broad definition of harm doesn’t “reflect the realities of data usage and collection and the benefits consumers often receive.” Furthermore, she said an overly broad definition could “deter innovation” and “be nearly impossible to enforce.”
Litt also expanded on Clements’ call for giving consumers more information about steps they can take after a data breach, offering specific steps and programs that should be in place, such as immediate credit freezes and moving away from using Social Security numbers as authentication tools.
Huddleston, unlike the other witnesses, placed significant responsibility on consumers for encouraging data security and appeared to discourage Congressional intervention. “Consumer choice, consumer trust, and reputational risks can be powerful forces for encouraging solutions to data security problems,” she testified. “Agencies and policymakers can play a complementary and educational role that allows consumers to make their own choices of next steps rather than assuming they know the choices that consumers should make.”