The massive Equifax Inc. data breach has triggered demands on Capitol Hill for stiffer rules and new requirements for what financial companies must do to fend off cyberattacks.
Yet tougher oversight would all but certainly require support from the Trump administration and buy-in from congressional Republicans — both of whom want to reduce financial regulation, not stiffen it. Democrats so far have led the calls for more rules in the wake of Equifax’s disclosure that 143 million Americans’ personal information was stolen.
Tighter constraints would pose a particularly difficult choice for GOP lawmakers because they would most likely mean further empowering the Consumer Financial Protection Bureau, a controversial agency created after the 2008 financial crisis that many Republicans have been trying to weaken or put out of business almost from its first day of existence. No other federal regulator supervises Equifax or has officials inside the firm conducting on-site exams.
“Republicans by nature are loath to regulate,” U.S. Senator Dick Durbin, an Illinois Democrat, said in an interview. “But there comes a moment when a company has so much information and is not handling it in a professional way where I think we are duty-bound to step in on behalf of innocent citizens.”
While President Donald J. Trump has pledged to cut back government red tape, White House press secretary Sarah Huckabee Sanders said Monday that the severity of the Equifax breach could mean more rules are needed. She said the administration will look at the situation “extensively,” and that Trump’s homeland security adviser Tom Bossert will lead efforts to respond to the hack.
Equifax is among a handful of companies that control data such as credit histories that banks rely on to assess whether consumers should get loans. The Atlanta-based firm said Sept. 7 that the compromised information includes Social Security numbers, driver’s license records and birth dates. Equifax faces multiple state and federal investigations, and at least one multibillion-dollar class action lawsuit.
In Washington, at least six congressional committees are examining the company. Issues lawmakers are scrutinizing include how the breach happened, why Equifax waited more than a month to disclose a hack that it says it first detected on July 29 and what prompted three senior managers to sell shares in the company in early August. A company spokeswoman has said the executives had no knowledge of the intrusion at the time of the stock sales.
Equifax is struggling to contain the bipartisan outrage directed towards the company. Over the past few days, Equifax has briefed staff on several committees in the House and Senate, including the Senate Banking Committee and House Financial Services Committee, congressional aides said. Staffers have left meetings frustrated because the company couldn’t answer basic questions about the breach and said some queries would have to be put to data-security experts, attendees have said.
“These are very complicated issues, and we expect to be engaging with regulators and legislators in the future,” Equifax said in an emailed statement. “We are listening to issues that consumers are experiencing, and their suggestions are helping to further inform our actions.”
Unlike banks, Equifax and competitors TransUnion and Experian Plc don’t have multiple regulators constantly looking over their shoulders. The Federal Reserve and Office of the Comptroller of the Currency, for example, have teams of supervisors assigned to specific lenders. The officials have daily responsibilities for monitoring any transactions and weaknesses in computer systems that could threaten financial stability.
Before the CFPB began policing the industry in 2012, it faced almost no federal oversight. The Federal Trade Commission has authority to sanction the companies for failing to protect consumers, but it doesn’t engage in proactive monitoring. Durbin said the size of penalties that the FTC is allowed to impose isn’t big enough to adequately punish a breach on the scale of Equifax’s.
Much of the CFPB’s scrutiny of Equifax and its rivals has been on trying to ensure that credit reports are based on accurate data and that the firms are properly responding to consumer complaints. At least publicly, less of the agency’s focus has been on cybersecurity. The CFPB is led by Director Richard Cordray, who was appointed by former President Barack Obama.
In January, the consumer bureau accused Equifax and TransUnion of misleading consumers about credit products they had sold them. Without admitting or denying the allegations, Equifax agreed to provide almost $3.8 million in restitution to affected consumers, while paying a $2.5 million fine. The CFPB has said it is investigating Equifax’s data breach as well as the company’s response.
The CFPB has authority to make sure financial companies maintain standards to keep customer information safe. The agency brought its first cybersecurity case last year, fining online payment company Dwolla Inc. $100,000 for allegedly deceiving companies about how secure its systems were. The settlement could provide a roadmap for how the agency deals with Equifax’s breach.
Lawmakers have repeatedly tried to tighten restrictions for how companies report consumer breaches and to expand cybersecurity protections — with limited success in the face of intense corporate lobbying. Treasury Secretary Steven Mnuchin signaled Tuesday that the White House and Congress might have to revisit such issues, including what “liability and responsibility” companies should have over hacks.
“Americans shouldn’t expect these things to happen, and the current situation is obviously quite unfortunate,” Mnuchin said at CNBC’s Delivering Alpha conference in New York. “This is not something that the private sector can do alone, and this is not something that the government can do alone.”
When criminals get access to consumer data and use it to commit identity theft, it’s banks and credit unions that often bear the brunt of financial losses. Lenders also face costs associated with managing the fallout of a breach, such as reissuing new credit cards and managing consumer complaints. The Equifax breach has reinvigorated calls for Congress to create national standards to ensure all companies are adequately protecting data.
“It’s time for companies who lose consumer data or do not protect it to be held responsible,” said Dan Berger, president of the National Association of Federally-Insured Credit Unions. “I think you’re going to see Congress really take a closer look at this.”
Democrats have used the Equifax breach to push a number of policy goals, including their desire to impose new requirements on companies’ tracking of consumer data and to remove barriers to customer lawsuits. On Monday, a group of lawmakers led by Brian Schatz, a Hawaii Democrat, reintroduced legislation that would make it easier for consumers to deal with identity theft and mistakes in their credit reports.
Multiple congressional committees have called for hearings and sought information from Equifax to try to get to the bottom of what happened. While Republicans have been less vocal than Democrats in demanding more rules, they have said they want to know what went wrong and whether Equifax violated any laws.
“This event certainly is striking,” U.S. Representative Patrick McHenry, the North Carolina Republican who is vice chairman of the House Financial Services Committee, said in an interview. “These companies should be better, they should protect our data in much stronger forms and any failure to do that, we should have a broader discussion about how we improve this market.”