Demands for data protection reform after Equifax

At the first of several hearings before a Congressional subcommittee, former Equifax CEO Richard Smith faced bipartisan reproach and questioning about the company’s massive data breach.  Coupled with the previous day’s revelation of another, earlier data breach in March, and the tally of potentially affected consumers rising by 2.5 million, Equifax is certainly on the hot seat.  Members of the House Energy and Commerce subcommittee that questioned Smith have begun the call to action for drastic improvements in security standards, breach notifications, and overall stronger regulation of the credit reporting industry.

During his testimony, Smith ultimately attributed the breach to a combination of human and technological error.  In March, when the Department of Homeland Security alerted Equifax to a vulnerability in software it used, an internal email directing its technical staff to fix the problem went unheeded; according to Smith, “an individual did not ensure communication got to the right person to manually patch the application.”  The failure of Equifax’s scanning software to detect the unpatched vulnerability exacerbated the problem, and now here we are.

I have to say, it was rare and fascinating to see such bipartisan agreement on an issue.  Like spotting a species thought extinct in the wild.

At any rate, representatives and lawmakers on the Hill aren’t the only groups expressing dissatisfaction with the status quo and seeking reform for the industry.  Advocacy groups like Consumers Union are insisting on free credit freezes and swift, decisive legislation from Congress to better protect consumer data, increase consumer rights, improve transparency, and hold responsible those who develop credit-scoring models.  “For too long, inadequate federal laws have allowed companies to collect and profit from the use of consumers’ personal information, without consumers’ knowledge or control, and without the incentives to properly steward that information and protect it from criminals,” the group wrote.

The National Consumer Law Center, meanwhile, endorses the Free Credit Freeze Act and the Freedom from Equifax Exploitation Act, introduced by Ron Wyden (D-Ore.) and Elizabeth Warren (D-Mass.), respectively.

As alluded to previously, this breach has also revitalized the conversation around the need for a single, national standard for data breach notification.  All but two states have their own notification laws, but many are inconsistent and insufficient, such as those that define personal information far too narrowly.  The advocacy group US PIRG, together with Frank Pallone Jr. (D-N.J.), has introduced the Secure and Protect Americans’ Data Act, which would require both faster notifications to consumers and tougher security standards.  According to the New York Times’ report, if this bill had been in effect for the Equifax breach, “it would have required that affected individuals were notified of the breach in writing,” and guaranteed them 10 years of free credit monitoring and freezes.

Let’s hope that laws like these are in place before the next Equifax or Yahoo happens.  Which it will.
By: Jonathan Weicher, post on October 5, 2017
Originally published at: http://www.netlibsecurity.com
Copyright: NetLib Security