On November 1, two committees of the U.S. House of Representatives held hearings on data security and its implications for consumers and for consumer credit. The first of the day was the Energy and Commerce Committee’s hearing “Securing Consumers’ Credit Data in the Age of Digital Commerce.”
This hearing, held by the Digital Commerce and Consumer Protection Subcommittee, focused more directly on the implications of data breaches such as the Equifax hack for consumers’ credit data, including identity theft. Witnesses included Francis Creighton, the President and CEO of the Consumer Data Industry Association; James Norton, Adjunct Lecturer at the Johns Hopkins University Zanvyl Krieger School of Arts and Sciences; and Bruce Schneier, Adjunct Lecturer in Public Policy at the Harvard Kennedy School.
Subcommittee Ranking Member Rep. Jan Schakowsky (D-IL) asked Schneier: if consumers are not the customers of the credit reporting agencies (a sentiment expressed by multiple members in previous hearings), then who are the agencies’ customers? According to Schneier, the true customers of the credit reporting agencies are the companies that send consumers “free offers” for credit cards and memberships and that market products to consumers. Those companies purchase credit data to figure out whom to target. Schneier stated that because consumers are not the customers, credit reporting agencies make it deliberately complicated for people to get free credit reports and scores and to cancel monthly credit monitoring subscriptions.
Norton touched on the NIST framework for cybersecurity, saying that the cybersecurity threat “hasn’t been digested by the private sector,” that is, private sector companies underestimate the threat. He said that government can serve as an advisor to the private sector to help them understand the threat, especially the cybersecurity threat posed by state actors (the Office of Personnel Management hack was widely suspected to have been carried out by a state actor, and some have said that the Equifax attack may have also been a state action).
Rep. Tony Cárdenas (D-CA) noted that the focus in discussing the breaches has been on the financial harms, but there are effects beyond that (such as loss of data privacy). He asked the witnesses to discuss harms beyond financial outcomes.
Schneier responded that an example of non-financial harm was the personal data that ended up in the hands of a foreign government in the case of the OPM hack. According to Schneier, the line between financial and non-financial harms is fuzzy. If a financial institution uses non-financial information (a mother’s maiden name, the name of a first pet, the street someone grew up on, etc.) to authenticate a user for access to their account, then that non-financial information affects decidedly financial outcomes. Schneier told the committee that “secret questions” are actually not very secure and that the answers are easy to obtain. Schneier said he believed that companies have an incentive not to make security questions too difficult, because it would be harder for consumers to get an account or a card (which would affect that institution’s bottom line).
Rep. Joe Barton (R-TX) asked about the potential of levying fines or requiring reimbursement to consumers whose data was compromised. Specifically, he wanted to know whether such fines would “destroy” the credit agency in question or whether that policy would strengthen credit agencies because they would have a greater incentive to protect data.
Creighton responded by stating that the industry already has an incentive to protect data, and that adding further punishments won’t protect consumers’ data. He noted that while government has an incentive to protect data, breaches of government data have still happened – such as the OPM breach or the hack of the Securities and Exchange Commission that occurred in September 2017.
Rep. Leonard Lance (R-NJ) inquired about the difference between credit lock products and credit freezes. According to Creighton, a credit lock product works functionally the same way as a freeze, but it does not require a PIN the way a freeze does; it is app-based, and it allows consumers to set different levels of lock: red, meaning no offers of credit are available, and green, indicating that the consumer wants offers of credit.
Rep. Larry Bucshon (R-IN) asked Creighton whether he believes consumers would benefit from a federal law mandating disclosure of a data breach to the affected consumers. Creighton answered in the affirmative.
The House Financial Services Committee held the second hearing that day, titled “Data Security: Vulnerabilities and Opportunities for Improvement.” Witnesses for this hearing included Kenneth Bentsen, Jr., President and CEO of the Securities Industry and Financial Markets Association (SIFMA); Edmund Mierzwinski, Consumer Program Director at the U.S. Public Interest Research Group; and Debra Schwartz, President and CEO of the Mission Federal Credit Union, testifying on behalf of the National Association of Federally-Insured Credit Unions.
Rep. Lacy Clay (D-MO) wanted to know what information should be provided to consumers to ensure they are fully informed of the rights and remedies available to them and of the steps to protect against fraud, identity theft, and other crimes.
Mierzwinski answered that consumers need to hear everything about their rights under the law and what the company will do. They need to learn about fraud alerts and credit freezes, and they need to understand that their social security number is the key to identity theft, and that the company may have lost that.
Rep. Roger Williams (R-TX) asked what kind of notification standards legislation Congress should consider (if any).
Schwartz said that while the best thing is to avoid breaches altogether, barring that, there should be a notification as soon as reasonably applicable. She said that financial institutions can take actions to prevent losses, such as issuing new cards or notifying customers when their accounts are compromised. She said that state-by-state standards for notifications are “somewhat nebulous right now.”
Rep. David Scott (R-GA) raised the issue of trust. That is, if Americans can’t trust the credit agency or their online merchant, why would they engage in commerce? Scott said that if consumers don’t trust their bank to safeguard their information, they may be hesitant to open an account. Bentsen agreed with Scott, saying that confidence in the industry is incredibly important. The industry can build confidence in two ways: defense against attacks, and recovery from them (including being ready for a major incident such as the loss of account data).
Rep. Carolyn Maloney (D-NY) asked the question that many people have been asking since the Equifax breach was revealed: what do we need to do to secure consumer credit data, and how do we prevent situations like Equifax? She posed this question to Bentsen, Schwartz, and Mierzwinski.
Bentsen described the Equifax situation as not “consistent” with the rest of the financial services industry, implying that Equifax’s lack of security was an outlier. Schwartz said that regulatory examinations are an important part of maintaining cybersecurity, and that credit unions regularly receive regulatory examinations. She did not believe that any regulatory agency has the same authority to conduct regulatory examinations of credit reporting agencies. Mierzwinski asserted that the Consumer Financial Protection Bureau (CFPB) should have examination authority, if it does not have it already.
For CR’s coverage of the Congressional hearings directly investigating the Equifax data breach, click here. Interested consumers can read the materials and listen to the archived video of the first hearing discussed in this article here, and of the second hearing here.