Senators bear down on credit reporting industry over data security

Lawmakers from both parties are bearing down on the credit reporting industry in the wake of the Equifax data breach, grasping for answers on what firms will do in the future to better protect Americans’ data. 

Senators grilled a trade association representative for the consumer data industry during a Senate Banking Committee hearing on Tuesday.

Many expressed frustration that an industry able to profit off of consumer data has little incentive to safeguard that data from compromise and ensure it remains accurate. 

“Your clients basically take my data — personal information about me — without my permission and as a business model they sell it to businesses. I am not compensated,” said Sen. John Kennedy (R-La.) when questioning Andrew Smith, a counsel for the Consumer Data Industry Association. 

{mosads}

“If they lose my data as Equifax did, or if someone submits to them data that is an error that undermines my credit score, the bureaus have no obligation or interest right now to work with me to try to get the credit score correct,” Kennedy continued. 

Kennedy warned the industry that it needs to “step up” and propose specific reforms that would help better protect consumers in the event of future breaches. 

“Your clients need to step up to the plate here and suggest some meaningful reforms, or reforms are going to be suggested to them,” Kennedy said. “My advice to you would be to step up to the plate and offer specific things that you and your clients are going to do to improve the situation. Not platitudes, not bromides — specific suggestions.” 

Lawmakers have been laser-focused on cybersecurity and the consumer data industry since Equifax, one of the three major credit bureaus in the United States, disclosed the massive breach in early September. The breach affected more than 145 million Americans. 

“Most of the adults in Louisiana had their data stolen,” Kennedy said Tuesday. “They’ve had to go to a lot of trouble to freeze credit. Some of them are going to have their identity stolen. It’s just not right.”

Legislators have scrutinized Equifax for waiting more than a month to disclose the cybersecurity incident to the public since it detected the suspicious activity at the end of July. 

Hackers exploited a vulnerability in a U.S. website application that offered them access to Social Security numbers, birth dates, and other personal information on millions of Americans between May and July of this year. 

Equifax has offered free credit monitoring and other services to individuals caught up in the breach. 

House and Senate lawmakers had the opportunity to question Richard Smith, the former Equifax CEO who resigned from his position amid backlash, on the circumstances surrounding the breach and the firm’s response two weeks ago. 

The incident has spurred debate over what Congress can do legislatively in order to prevent or mitigate the damage from such breaches going forward. 

Scrutiny of the industry continued on Capitol Hill on Tuesday following the Senate’s weeklong hiatus.

On Tuesday, Andrew Smith faced a barrage of criticism from senators that was aimed at the firms he represents.

“Credit reporting companies really have no reason to treat us well. We are not their customers; we are just their products. And it shows,” Sen. Elizabeth Warren (D-Mass.) said. “This market is clearly broken, and fixing it starts with giving customers more control over their own data.” 

Multiple senators indicated that the credit reporting industry needs to build trust with consumers by showing that they will do damage control in the event of future breaches and not place the responsibility on consumers to “clean up” the problem.

“If you have a breach, then you should be treating that consumer like you’ll move heaven and earth to clean up that problem,” said Sen. Thom Tillis (R-N.C.). “It shouldn’t be something that requires months of paperwork and hours of their time to clean up … if you can point it back to the breach. That’s something I’ll be interested to see how Equifax handles it.”

“I think you have a serious trust problem today,” Sen. Heidi Heitkamp (D-N.D.) later told Smith. “I think the lack of coming forth with solutions and the adversarial kind of approach that we have seen to this is not helping to solve the problem.” 

Tuesday’s hearing also featured testimony from Marc Rotenberg, the president of the nonprofit Electronic Privacy Information Center and Chris Jaikaran, a cybersecurity policy analyst at the Congressional Research Service.