The Green Sheet Online Edition
October 09, 2017 • Issue 17:10:01
Data security should be national priority
The Equifax hack revealed in September 2017 should be a loud wake-up call for policymakers, consumers and any organization that touches consumer financial information. Simply mandating security protocols through card-industry edicts and piecemeal legislation isn't cutting it. Overall attitudes regarding financial data security have to change.
By now, everyone is familiar with what happened at Equifax, one of three big companies that banks and other financial services providers rely on for assessing the creditworthiness of consumers. Hackers were able to breach the credit-reporting agency's network for three months, obtaining personal information (Social Security numbers, addresses, etc.) on more than 145 million Americans, or about 40 percent of the population.
It turns out the breach could have been prevented, too: the software flaw that allowed hackers to penetrate Equifax's network was identified two months before the hackers got in, but the company never got around to installing the fix that had been provided.
Making matters worse, Equifax waited six weeks after detecting the breach to tell the public, according to published reports. In other words, crooks had access to personally identifiable information on more than 145 million Americans, which they could use with wild abandon to apply for credit and otherwise misuse for weeks before any of those individuals had a chance to protect themselves.
Let there be laws
But Equifax may not have broken any laws. There are no comprehensive federal laws governing the collection and protection of consumers' personal financial information ‒ or for reporting breaches of such information. And states have adopted varying requirements, including for when and how breached companies must notify consumers. Georgia, where Equifax is headquartered, imposes no time frames for companies to notify consumers about breaches of personal information, for example, while several other states do.
Good data security should not be a political football. It should be a tenet of doing business. Unfortunately, as the Equifax case and other high-profile breaches suggest, many companies put profits and public image ahead of data security.
While there are no overarching federal laws on data security, Equifax, as a consumer reporting agency, is subject to the Fair Credit Reporting Act, which requires it to protect consumer credit reports. Chi Chi Wu, an attorney with the National Consumer Law Center, said it is not yet clear if there were FCRA violations resulting from the Equifax breach.
The Federal Trade Commission has brought scores of actions against credit reporting agencies and other nonbank players in the payments space for inadequate data security. The Consumer Financial Protection Bureau also has authority to take steps against such firms, and last year fined the payment network Dwolla Inc. $100,000 for misleading consumers about its data security practices.
Both the FTC and the CFPB have confirmed that investigations are underway into the Equifax breach and the company's response. Meanwhile, several congressional committees – including the House Energy and Commerce, Judiciary and Financial Services committees, and the Senate Banking Committee – have announced hearings specific to the Equifax breach.
It's incredible, really, to think that merchants, banks and other businesses that accept, transmit and clear credit card payments are held to higher standards (the Payment Card Industry Data Security Standard) than the companies that collect and maintain data used to determine the creditworthiness of cardholders.
This disparity has not been lost on the American Bankers Association, which wrote members of Congress in May urging national data protection laws covering all companies that handle sensitive consumer financial information. "It's time to pass a strong, consistent national standard for fighting data breaches and give consumers the protection they need," the banking trade group stated.
Several new congressional proposals have been triggered by the Equifax breach, most directed at Equifax and/or credit reporting agency practices generally. But one, the Commercial Data Privacy Bill of Rights of 2017, is fairly comprehensive. The proposed legislation, crafted by Senator Bob Menendez, D-N.J., builds upon legislation Menendez first tried to get Congress to act on back in 2013.
Provisions of the Menendez legislation would:
- Limit the types of information a business can collect on consumers and how long they can retain such information.
- Have the FTC write regulations covering the transfer of protected consumer financial information to third parties (like marketing partners) and consumer rights to opt out of such transfers.
- Impose strict data security requirements for credit reporting agencies, and require the FTC to approve those security plans.
- Have the FTC and CFPB study the need for any new rules necessary to protect financial information maintained by credit reporting agencies and other businesses.
It will be interesting to see how Equifax reacts should Congress muster the will to take on data breach legislation. According to a Sept. 11 report in the Wall Street Journal, Equifax spent over $1 million last year lobbying against several federal legislative initiatives that would impact the company, including those related to data security and breach notifications.
A Congress that lacks the conviction to take on complex and controversial issues like health care, the federal budget and tax reform, however, may also lack the gumption to take on the task of legislating federal data security standards and procedures. It is also worth noting that Sen. Menendez is currently fighting corruption charges in federal court, so he may not be in a position to push the legislation.
Implications for card payments
Everyone in the electronic payments space should be concerned about this situation because, as we know all too well, breaches of private consumer financial information are a leading contributor to payment fraud.
Consumers understand this. Among those participating in a recent survey sponsored by the ATM company Cardtronics, 84 percent said they are worried about data security. That's one reason why many use cash. Ninety-one percent of those surveyed reported they had made cash payments in the previous six months; debit cards were used by 72 percent, and credit cards by 68 percent of those consumers surveyed.
Cash usage is especially high among consumers making small-dollar purchases, said Brian Bailey, Cardtronics Managing Director for North America. Fifty-five percent of those surveyed prefer cash for purchases under $20.
Bailey isn't convinced incidents like the Equifax breach will spur greater cash usage at the expense of cards. "There's an innate security risk with any payment method," he said. I suspect, however, it may make initiatives to migrate small-dollar cash purchases to cards and other electronic options more difficult.