Equifax Hack Drives GOP Bill to Overhaul Credit Bureaus -- Update
October 12 2017 - 2:53PM
Dow Jones News
By Andrew Ackerman
WASHINGTON -- Top congressional Republicans on Thursday made the
first significant moves to boost federal oversight at
credit-reporting firms in response to the massive hack disclosed by
Equifax Inc. last month.
Rep. Patrick McHenry of North Carolina introduced a bill to
require the three major credit firms -- Equifax, Experian PLC and
TransUnion -- to submit to regular federal cybersecurity reviews
for the first time. All three companies also would have to phase
out their use of Social Security numbers to verify consumers'
identities by 2020.
Mr. McHenry's sponsorship of the legislation is significant. As
a deputy GOP whip, he holds significant sway among House
Republicans. The bill is an important starting point for the House
Financial Services Committee as it considers a legislative
response.
Separately, Sen. Mike Crapo (R., Idaho), chairman of the Senate
Banking Committee, asked federal banking regulators if they needed
more authority to supervise the credit-reporting firms to ensure
they adequately protect consumer data. "I am concerned there may be
a regulatory gap with respect to supervision of credit reporting
agencies for data security standards," Mr. Crapo wrote in a letter
to the heads of the Federal Reserve, Office of the Comptroller of
the Currency and Federal Deposit Insurance Corp.
A spokesman for the Fed and a spokeswoman for the FDIC confirmed
the agencies received Mr. Crapo's letter and planned to reply. A
spokesman for the OCC didn't immediately respond to a request for
comment.
Representatives for the three credit-reporting firms didn't
respond to requests for comment. A person familiar with their
thinking said the companies support some aspects of the bill
sponsored by Mr. McHenry, including the heightened supervision.
The lawmakers' moves come after a series of hearings in the
House and Senate last week featuring former Equifax Chief Executive
Richard Smith. Mr. Smith repeatedly apologized for the hack and
said the company didn't initially understand its severity.
The Equifax hack "exposed a major shortcoming in our nation's
cybersecurity laws and Congress must act," Mr. McHenry said in a
written statement.
Equifax disclosed last month that data belonging to about 145.5
million Americans was potentially compromised by hackers who began
digging through its computer network this spring. The hack remained
undetected until an internal security team discovered the breach in
late July.
The attack, which is being probed by the Federal Bureau of
Investigation, is one of the most significant data breaches ever
given the scope of the information disclosed: names, addresses,
birthdays and Social Security numbers. Customers and regulators
have raised questions on whether Equifax took sufficient measures
to protect such sensitive information.
Mr. Smith expressed support for the idea of phasing out the use
of Social Security numbers, saying policy makers might need to
think about how secure the numbers are and if they are the best
identifiers going forward.
The move to replace Social Security numbers as a form of
identification is in its early stages, but also has the support of
the Trump administration. Rob Joyce, the White House's
cybersecurity coordinator, said at a conference last week that the
Social Security number had "outlived its usefulness" and that the
current system was "untenable." The White House has launched a
working group to explore reducing government use of Social Security
numbers to verify people's identities, a senior administration
official said last week.
The Equifax hack is viewed as far more serious than past data
breaches at private companies because people's Social Security
numbers and birthdays cannot be changed after they are compromised,
unlike passwords or credit card numbers.
Experts have for years warned about the vulnerability of the
Social Security number and urged government entities and businesses
to shift toward other means of personal authentication. The
National Institute of Standards and Technology, a government
agency, in June revised its guidelines for best practices for
digital identity verification, excluding the Social Security number
entirely.
Mr. McHenry's legislation leaves it up to the companies to
formulate a more-modern method of identification, in an effort to
spur the companies to innovate, according to a summary of the
legislation reviewed by The Wall Street Journal.
The legislation doesn't specify which federal agency will
inspect cybersecurity at the companies. Rather, the bill leaves it
up to a panel of bank regulators, the Federal Financial
Institutions Examinations Council, to designate one of the federal
banking agencies as the future supervisor of the three major
credit-reporting companies. The council, whose members include the
Federal Reserve and the Office of the Comptroller of the Currency,
also would set uniform cybersecurity supervision and examination
procedures, according to the summary.
At present, the Consumer Financial Protection Bureau, which is
also a member of the council, can oversee consumer-facing issues at
the credit-reporting companies -- such as reporting errors -- but
doesn't have the authority to supervise the companies'
cybersecurity.
Another plank of the bill aims to set a more streamlined system
for so-called credit freezes, which prevent a new creditor from
accessing a consumer's credit report and block anyone from opening
a new line of credit in the name of the consumer who enacted the
freeze. The provision would require the companies to provide free
credit freezes for certain groups of consumers, including the
victims of identity theft, minors and people older than 65.
Write to Andrew Ackerman at andrew.ackerman@wsj.com
(END) Dow Jones Newswires
October 12, 2017 14:38 ET (18:38 GMT)
Copyright (c) 2017 Dow Jones & Company, Inc.
Experian (LSE:EXPN)
Historical Stock Chart
From Jun 2024 to Jul 2024
Experian (LSE:EXPN)
Historical Stock Chart
From Jul 2023 to Jul 2024