D.C. was up in arms over Equifax breach — what happened?

WASHINGTON — There is an adage here that it takes a crisis to compel legislative reform. But a year after the massive data breach at Equifax came to light, the momentum behind fixing credit reporting and data security failings has largely fizzled.

In the weeks following news of the breach, congressional hearings and other blowback for the company were accompanied by legislative calls to action. Bills to address data security, credit bureau procedures, data breach notifications and other areas were introduced.

But with some exception, legislative efforts to prevent such breaches or mitigate their impact have lost steam. The immediacy of the Equifax breach dissipated, taken over by the tax reform overhaul and other legislative fights. The deregulation focus of the Trump administration and GOP-held Congress have also diverted attention.

Photo caption: Richard Smith, former chairman and chief executive officer of Equifax Inc., center, exits the Rayburn House Office building after a House Energy and Commerce Committee hearing in Washington, D.C., U.S., on Tuesday, Oct. 3, 2017. Smith said the credit-reporting company didn't meet its responsibility to protect sensitive consumer information, confirming that the failure to fix a software vulnerability months ago led to the theft of more than 140 million Americans' personal data. Photographer: Andrew Harrer/Bloomberg

“There has been little to no action in Congress that relates to the Equifax data breach or enacting legislation which creates future remedies or legislation designed to prevent such massive data breaches,” said Jim Francis, an attorney at Francis & Mailman, a firm that focuses on consumer protection litigation.

Equifax announced the breach, believed to have started as early as May 2017, on Sept. 7 of last year. Initial estimates were that it had affected 143 million consumers, but that figure was later raised to 148 million.

What followed were a string of congressional hearings in front of multiple committees for Richard Smith, who had already stepped down as CEO. Further recriminations included insider trading charges against former employees.

But all the focus on the breach did not result in significant reforms, and there was little movement on data security proposals that had been kicking around Washington in the wake of other breaches. Lawmakers introduced and reintroduced legislation dealing with breach notifications, how personal data is handled and instituting fines for data breaches at credit bureaus, among other ideas. But none of them were enacted.

“It did not precipitate the enactment of a federal data breach notification law,” said Ed McAndrew, a partner at Ballard Spahr, who specializes in privacy and data security. “It just didn’t materialize.”

While Equifax took some voluntary steps to enable consumers to freeze their credit files, the credit reporting system dominated by the company and its two main rivals — Experian and TransUnion — has been mostly untouched by federal policymakers.

The only legislative reforms were three discrete measures in the Senate's regulatory relief law that became law in May. One requires that consumers be able to freeze and unfreeze their credit record at least once a year, free of charge. There was also a provision barring medical debt related to the Choice Program and other Department of Veterans Affairs programs from being reported to credit reporting agencies for one year, and another establishing a dispute process for veterans seeking to remove adverse actions from their reports.

Francis Creighton, president and chief executive of the Consumer Data Industry Association, said the passage of these measures within a year has been significant, describing the regulatory reform law as having “pretty robust responses in there to the crisis.”

But others say those provisions do little to address the problems associated with the data breach.

“We have never gone to the core root of anything,” said Ed Mills, a policy analyst at Raymond James.

Mills and other analysts attribute the absence of reform to the divisiveness in Washington, with Democrats pushing for more stringent regulations and enforcement of the credit reporting bureaus, and Republicans remaining cautious about pushing for immediate data breach regulations.

Observers also point to the leadership transition at the Consumer Financial Protection Bureau as emblematic of the issue losing steam. Under the Obama administration, the agency aggressively cracked down on consumer harm, but the agency's acting director appointed by President Trump, Mick Mulvaney, has pulled back on the agency's enforcement operation.

Another regulator, the Federal Trade Commission, has some supervision authority over the credit reporting agencies, but it cannot impose civil penalties on them for data security issues.

“Congress was in a deregulatory mode and there was a huge transition taking place at the CFPB,” Mills said.

Mills said the CFPB is unlikely to have a robust regulatory agenda under new leadership, which means the pressure is on Congress to enact reforms. But noting the added ability to freeze and unfreeze one's credit file, he said, “All of the response has put the responsibility on the consumer and not the credit bureaus.”

Francis said that the credit bureau measures in the regulatory relief law, known as S 2155, are helpful to consumers, but he added that they would not prevent another data breach in the future.

“Those small steps that were probably designed to appeal to some consumer political base would do nothing to prevent the type of serious data breach like the Equifax data breach last year,” Francis said.

The anniversary of the Equifax data breach comes as the Hill has a tight calendar for the end of this Congress. By the end of this month, Congress must pass a budget in order to keep the government open. And the November midterm elections are likely to keep members who are defending their seats away from Washington and on the campaign trail.

But some are still optimistic that Congress can strengthen consumer protections in the wake of the breach.

In an interview with American Banker, Sen. Heidi Heitkamp, D-N.D., suggested that the Senate could attach consumer protection measures to a capital formation bill being dubbed as the third iteration of the Jumpstart Our Business Startups Act, or JOBS Act 3.0.

“There’s a number of provisions, consumer protection provisions that I think would be attractive on both sides of the aisle,” Heitkamp said. “Maybe add some consumer protections, especially in the area of the credit bureaus. Everybody is still very concerned about what happened with Equifax.”

It is unclear, though, what consumer protections could pass before the end of the year.

“This is one of the areas where there is clear bipartisan support that consumers should have more protections, but there is not necessarily agreement on exactly what those protections should look like,” Mills said.

Chi Chi Wu, a staff attorney at the National Consumer Law Center, said there are several bills that have been introduced that would better regulate credit reporting agencies.

She noted a bill by Sen. Jack Reed, D-R.I., that would require the credit reporting agencies to confirm someone's identity and obtain written authorization before releasing a credit report in instances where a consumer may be especially vulnerable to identity theft or fraud. She was also supportive of a bill introduced in January by Sens. Mark Warner, D-Va., and Elizabeth Warren, D-Mass., to impose mandatory penalties for data breaches at the credit reporting agencies.

But neither provision was included in S 2155.

Under the bill proposed by Warren and Warner, the credit bureaus would face $100 fines for each consumer who has a piece of personally identifiable information compromised and another $50 for each additional piece of personally identifiable data. The penalties would be capped at 50% of the credit reporting agencies’ gross revenue from the prior year — except in cases of extreme negligence, in which case the fine would go up to 75% of the companies' prior year gross annual revenue.

“If we don't act, I think we are going to be irresponsible in ensuring that kind of activity doesn't take place,” Warner, who supported S 2155, said at a July hearing. “The incentives are not there at all for any CRA to clean up its act.

“There are no civil penalties, there's no liability regime, and I think we can do better and I think these professionals actually would want us to do better if we would give them the tools.”

Charles Gabriel of Capital Alpha Partners said there is going to be pressure on the moderate Senate Democrats who supported the regulatory relief bill signed in May by Trump to push to attach credit bureau reforms to JOBS Act 3.0. But he said a bill that includes the Warner-Warren provision wouldn’t pass Congress.

“If the Senate Democrats who have already kind of gone through this process and passed the bill and don’t want any more displeasure … they’re going to ask for this Warner-Warren bill and that’s going to kill this JOBS Act 3.0 bill,” Gabriel said.

McAndrew said the mandatory penalties that the legislation would impose could be problematic, because not all data breaches involve abuse by the companies. He said many companies that have been faced with security breaches “are being victimized in the first instance by criminals.”

“To impose mandatory penalties in every single case of a data breach I think is really trying to create a bright light that doesn’t work and I think it’s very draconian,” McAndrew said.

Creighton said there is already enough pressure on the credit bureaus to avoid data breaches.

“Credit bureaus are already heavily incentivized to not have breaches,” Creighton said. “The market consequence is the most important discipline on them.”

Before the data breach was disclosed, Equifax’s stock traded above $140 a share. Shares dropped below $100 in the days following the announcement of the breach, though they have recovered since. Equifax shares are currently trading above $130.

Still, supporters of the Warner-Warren bill say the mandatory penalties will push the credit reporting agencies to clean up their acts.

“I applaud the Sens. Warren and Warner for that proposed legislation,” Francis said. “I think it would go a long way to making the credit reporting agencies take this issue seriously. I do not think it would go too far or be too onerous. I think it would wake up the companies to take this issue more seriously.”
