Less than a year after Equifax’s poor software management allowed hackers to steal the sensitive information of more than 145 million U.S. consumers, Congress is floating three bills that would let the company and other credit bureaus off the hook in future hack jobs.
It’s no doubt tricky for companies to safeguard sensitive data as cybercriminals become increasingly sophisticated in their attacks, but if Equifax and other companies are going to store the personal information of millions of consumers, they ought to be held to the highest and strictest standards to protect that information.
But three anti-consumer bills in Congress would do the opposite by exempting Equifax and other credit bureaus and financial institutions from notifying the public of data breaches. The proposed changes would allow Equifax and other credit bureaus to charge consumers fees for credit freezes after a breach and override any state laws protecting consumers from identity theft, financial loss, and other cyber attacks.
According to U.S. PIRG, a federation of state public interest research groups, the three bills that would weaken consumer protections in the face of another Equifax data breach or similar disaster are:
- S.2155 – The “Economic Growth, Regulatory Relief, and Consumer Protection Act.” In addition to putting borrowers at risk of mortgage fraud and discrimination and putting our economy at risk of another crisis, this bill includes a credit freeze provision that preempts and replaces state freeze laws with a new federal law that could weaken your credit security — and cost you even more, depending on where you live. If the bill passes, credit bureaus wouldn’t have to require passwords or PINs for removing freezes, making it easier for identity thieves to remove freezes on your credit reports and apply for credit in your name.
- Data Acquisition and Technology Accountability and Security Act – The bill would require merchants, telecoms, and some others to notify the public when they are hacked, but it exempts firms already covered under the Gramm-Leach-Bliley Act of 1999, which includes all banks and “other financial institutions,” including Equifax and the other big credit bureaus. Under GLBA, credit bureaus do not have to provide breach notices, only breach response plans. The proposed law would also override and replace stronger requirements that many states already have in place.
“This bill is the worst of both worlds,” said Mike Litt, consumer campaign director for U.S. PIRG, in a news release. “If these industries want a uniform standard, they could take the strongest state laws and apply them to all consumers across the country – they don’t need Congress for that. This is simply an attempt to set weaker laws as the ceiling for what states can do to protect consumers.”
- H.R. 4028 – The “Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act of 2017.” This bill includes a credit freeze provision that allows the credit bureaus to charge consumers $5 for each freeze, temporary lift, and removal – not exactly the kind of relief consumers facing identity theft and financial loss through no fault of their own need.
“For all this talk about action after the Equifax breach, Congress hasn’t done anything in six months but is now moving to make things worse,” Mr. Litt said. “Why isn’t Congress voting on or having hearings about bills that would help prevent future data breaches, or better inform consumers when there are breaches, or give complete control back to us over our own information?”