Congress could create minimum breach notification standards, increase oversight and rein in Social Security numbers.
The breach of more than 140 million people’s personal information at the credit rating agency Equifax is a fait accompli. We can’t turn back the clock on it or mitigate the damage.
There are ways, however, to make the next major breach of a credit rating agency either less likely or less damaging, privacy and cybersecurity experts told lawmakers during a Senate Banking Committee hearing Tuesday.
Here are four ideas:
Create a Federal Minimum for Breach Notification
Congress should create a federal minimum for when credit rating agencies and other companies must notify consumers of a breach, Marc Rotenberg, president of the Electronic Privacy Information Center, said.
That would aid consumers because they’d know about breaches sooner and could more quickly freeze their credit or take other actions. It might also put pressure on credit rating agencies to raise their cyber defenses.
Laws governing how and when breached companies must alert the public currently vary widely from state to state. Efforts to create a federal standard have historically stalled, partly because privacy advocates worry that a federal standard would supersede more robust state-level requirements.
Rep. Jim Langevin, D-R.I., reintroduced legislation that would create a federal standard in the wake of the Equifax breach. It’s currently awaiting action in the House Commerce and Judiciary committees.
Rotenberg’s suggestion would ameliorate privacy advocates’ concerns by leaving in place more stringent state-level notification requirements. However, it would retain the current mishmash of state requirements, reducing the likelihood that industry would see any advantage in the new law.
Unleash the CFPB
Congress might also explicitly direct the Consumer Financial Protection Bureau to examine how well credit rating agencies are meeting cybersecurity standards outlined by the Federal Trade Commission, said Chris Jaikaran, a cybersecurity policy analyst with the Congressional Research Service.
Thus far, the CFPB hasn’t issued any cybersecurity guidance—possibly because the agency is prohibited from bringing information security enforcement actions, Jaikaran said. The FTC, on the other hand, is authorized to create cybersecurity standards and sue companies for failing to meet them but can only take enforcement actions after a breach occurs.
“The dialogue created by CFPB and a [credit reporting agency] could lead to greater understanding of the cybersecurity risk faced by the [credit reporting agencies] and allow [credit reporting agencies] with deficiencies to correct their data security measures prior to referral to the FTC,” Jaikaran said in prepared testimony.
Enough with the Social Security Numbers, Already
Breached Social Security numbers are among the most valuable pieces of information to hackers and among the most damaging to victims.
The government could significantly limit the damage caused by data breaches by prohibiting companies from collecting, requiring or storing consumers’ Social Security numbers except in explicitly authorized circumstances, Rotenberg said.
“The [Social Security number] serves an important purpose in the management of certain government record systems,” Rotenberg said. “The problem is that the SSN was adopted in the private sector and used as an identifier for general purposes. This has actually contributed to identity theft and financial fraud.”
Rep. Patrick McHenry, R-N.C., introduced legislation Thursday that would bar credit bureaus from using people’s Social Security numbers as a basis for identification by 2020.
Or, We Could Just Go After the Hackers
In addition to defensive and punitive measures imposed on credit rating agencies, Sen. Mike Rounds, R-S.D., argued, the government should also search for ways to punish the Equifax hackers and their brethren and disincentivize future breaches.
“Until we get down to the point where there are actually consequences for the bad guys involved, we’re not going to make the major dent that we have to in terms of cyber theft,” Rounds said. “I think we miss that sometimes. We’re focusing on the people who are trying to provide services. We’re not focusing on going after the guys who are actually causing the problems.”
The importance of punishing hackers is a regular refrain on Capitol Hill but one that’s been tough to implement so far. That’s partly because it’s often difficult to firmly attribute who was responsible for a particular breach.
When hacks are attributed, their perpetrators often turn out to be located in Russia and other nations that are unwilling to extradite them to stand trial in the U.S.