Giving the regulatory agencies more power to punish companies after breaches could make industry invest more in cybersecurity, according to the Government Accountability Office.
Giving federal regulators more power to monitor and punish credit bureaus could help prevent massive data breaches like Equifax, according to a congressional watchdog.
In 2017, hackers spent months secretly harvesting data held by Equifax, one of the country’s three major consumer reporting agencies. By the time the intrusion was discovered, they’d made off with personal and financial information on nearly half of all Americans.
In a report published Tuesday, the Government Accountability Office said further empowering regulators at the Federal Trade Commission and Consumer Financial Protection Bureau could help prevent similar incidents from occurring in the future.
“While companies in many industries have experienced data breaches, [consumer reporting agencies] may present heightened risks because of the scope of sensitive information they possess and because consumers have very limited control over what information [consumer reporting agencies] hold and how they protect it,” auditors wrote. “These challenges underscore the importance of appropriate federal oversight of [consumer reporting agencies] data security.”
Under federal law, FTC can already penalize companies for violating consumer data security standards, but GAO found its current authorities are ill-equipped to handle breaches on the scale and scope of Equifax.
For one, the agency isn't allowed to penalize companies for first-time offenses, but more importantly, the money it can recover is limited to compensation for consumer damages. Given the sheer number of victims and the difficulty of tying any individual case of identity theft to a single breach, it's nearly impossible to calculate the financial loss caused by a breach like Equifax, according to auditors.
By broadening the commission’s civil penalty authorities, GAO said regulators could punish bureaus for data security incidents without needing to calculate exact monetary losses, which could incentivize companies to invest more heavily in security. Auditors previously recommended a similar policy change to help the commission better pursue firms that violate privacy policies.
Auditors went on to recommend CFPB explore new mechanisms for collecting information on the country’s credit bureaus because current data sources don’t reflect all the companies under its jurisdiction. They also pushed the agency to factor in data security when calculating the risk different companies pose to consumers.
By “includ[ing] factors that would detect data security risks, CFPB can better ensure the effectiveness of its supervision and help prevent further exposure or compromise of consumer information,” they said.
The report was requested days after the Equifax breach by House Oversight Committee Chairman Elijah Cummings, D-Md., and Sen. Elizabeth Warren, D-Mass., whose 2020 presidential campaign is largely rooted in reining in the tech and finance sectors.
"The Equifax breach revealed major gaps in how [consumer reporting agencies] protect and use consumers' private information, and the report we released today confirms that vulnerabilities still exist," Warren and Cummings said in a statement. "We need to give the FTC more tools to crack down on consumer data abuses and the CFPB needs to do its job, hold these firms accountable, and protect consumers."