Equifax data breach focuses Washington’s attention on security of sensitive personal information

The massive data breach at credit reporting firm Equifax has put the company in the cross-hairs of congressional committees and one of the nation’s most aggressive attorneys general, while fueling a new push for stronger protections on Americans’ personal information.

Even the Trump administration, which has advocated slashing government rules, has indicated new regulations might be needed.

The revelation last week that a hack of Equifax’s computer system exposed the Social Security numbers and birth dates of as many as 143 million people also could scuttle Republican efforts to limit the liability faced by credit reporting companies and other financial firms in disputes with consumers.

The scale of the latest in a series of high-profile data breaches has refocused attention on the role of the three major credit reporting companies — Equifax, Experian and TransUnion — as repositories of a trove of sensitive data.


“This debacle should be a wake-up call to both consumers and policymakers about the industry’s broad reach,” said Rohit Chopra, a senior fellow at the Consumer Federation of America.

New York Atty. Gen. Eric Schneiderman has launched an investigation, while the Consumer Financial Protection Bureau is looking into the breach and Equifax’s response.

Three House committees — Judiciary, Financial Services, and Energy and Commerce — plan to hold hearings in coming weeks.

“This unprecedented data breach could impact tens of millions of Americans and raises serious questions about the security of our personal information online,” said Rep. Greg Walden (R-Ore.), chairman of the House Energy and Commerce Committee.

The panel’s hearing will examine “what went wrong and what we need to do to better protect consumers from serious breaches like this in the future,” he said.

In addition, the chairman and top Democrat on two Senate committees have written to Equifax Chief Executive Richard Smith demanding answers. That could be a prelude to hearings by those committees as well.

Asked if the data breach signaled that new regulations might be warranted for companies handling sensitive data, White House Press Secretary Sarah Huckabee Sanders indicated that was possible.

“I think this is something we have to look into extensively,” she said Monday.


Democrats have seized on the Equifax data breach to try to resuscitate previous attempts to increase oversight of the industry and provide new protections for consumers.

On Monday, Sen. Brian Schatz (D-Hawaii) reintroduced legislation designed to reduce inaccuracies in credit reports and give consumers more legal remedies when problems arise. And Rep. Maxine Waters (D-Los Angeles) said she planned to reintroduce a bill she pushed in 2016 that would overhaul the credit reporting system.

The consumer bureau and the Federal Trade Commission share oversight of the credit reporting industry, which has become increasingly important as the amount of financial information has multiplied. The credit scores that are calculated based on data collected by Equifax, Experian and TransUnion increasingly determine whether Americans can obtain a mortgage, finance a car purchase or even land a job.

The main law governing the industry, the Fair Credit Reporting Act, is more than 40 years old and needs to be updated, said Chopra, the former assistant director of the Consumer Financial Protection Bureau.


California and other states have taken the lead in enacting tough laws on data security and requiring consumers to be notified quickly of breaches.

Chi Chi Wu, a staff attorney at the National Consumer Law Center, said she’s worried the Equifax breach will be used as “a Trojan Horse” for the industry to push for a single nationwide standard that would be weaker than those in California and some other states.

“A national standard would be good if it was a strong standard and didn’t preempt strong state measures,” she said.

Consumer advocates and Democrats also are pointing to the Equifax data breach to try to stop Republican attempts to repeal a new consumer bureau rule that would make it easier for people to file class-action suits against financial firms.


Equifax came under fire last week for offering free credit monitoring and identity theft protection to U.S. customers, but only if they agreed to resolve all disputes in private arbitration.

“It’s shameful that Equifax would take advantage of victims by forcing people to sign over their rights in order to get credit monitoring services they wouldn’t even need if Equifax hadn’t put them at risk in the first place,” Sen. Sherrod Brown (D-Ohio) said last week.

Equifax has revised its frequently asked questions regarding the data breach to note that accepting the free service, called TrustedID Premier, “does not prohibit consumers from taking legal action.”

“Again, to be as clear as possible, we will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself,” Equifax said.


The controversy over the terms of the free service showed the importance of the consumer bureau’s new regulation, which bans arbitration agreements that block groups of consumers from bringing class-action cases.

“The fact that it took a public shaming to force Equifax to drop forced arbitration from TrustedID is further proof why the Consumer Financial Protection Bureau’s rule is needed,” Brown said Monday in reaction to Equifax’s change. “Too many financial companies, including Wells Fargo, continue to use forced arbitration to block customers from seeking justice once they’ve been cheated or harmed.”

The House voted in July to repeal the consumer bureau’s arbitration rule. The Senate has yet to vote on the repeal legislation and the Equifax controversy could make it more difficult to pass.


Twitter: @JimPuzzanghera