WASHINGTON — Congress may soon try to limit the personal identifiable information that companies and the government can collect on consumers.
Senators on both sides of the aisle expressed more outrage Tuesday during former Equifax CEO Richard Smith’s second of four planned hearings on Capitol Hill this week probing the firm’s massive data breach.
Speaking after the Senate Banking Committee hearing, Chairman Mike Crapo, R-Idaho, predicted the anger would soon take the form of legislation to revamp the industry.
“[The] interest you saw on a bipartisan basis here will generate further discussion and I would expect that legislation would be generated from” that, he said.
Exactly what he and other lawmakers have in mind is unclear. But several lawmakers, particularly Democrats, have taken aim at the credit bureau business model itself, which involves collecting information on consumers without their knowledge or consent and selling it to businesses looking to extend credit or offer other products.
During the hearing Tuesday, Sen. Elizabeth Warren, D-Mass., said it is consumers, as well as financial institutions, who pay the cost of a data breach like Equifax, while the credit bureaus may even make a profit.
“The incentives in this industry are completely out of whack,” she said. “Because of this breach, consumers will spend the rest of their lives worrying about identity theft. Small banks and credit unions will have to pay to issue new credit cards. Businesses will lose money to thieves, but Equifax will be just fine.”
Warren has already introduced two bills to reform the industry—one to force credit bureaus to allow consumers to freeze their credit reports for free and another that would prohibit employers from accessing the credit reports of prospective employees. But she signaled she wanted to go further than that.
“Equifax and this whole industry should be completely transformed,” she said.
Time and again, lawmakers returned to the idea that Equifax and other credit bureaus do not require customer permission to collect data—and yet those consumers can be hurt by a breach.
“American citizens have no right to opt in,” said Sen. Mark Warner, D-Va. “We enter into no customer-based relationship with you. I think it raises a whole host of policy questions we can't get into today but, you know, but I think this committee needs to look at.”
Both Democrats and Republicans also noted that credit bureaus charge consumers to monitor their credit rating and ensure its accuracy.
“It just seems incongruent to me that you have my information. You don’t pay for it, you don’t have my permission. You make money collecting that information, selling it to business … and you also offer me a premium surface to make sure the information you collect on me is accurate,” said Sen. John Kennedy, R-La., “I don’t pay extra at a restaurant to prevent a waiter from spitting in my food.”
But if bipartisan legislation emerges out of the committee, Republicans may try to use it to also rein in the government’s data collection efforts. In particular, Crapo has long been worried about the Consumer Financial Protection Bureau’s collection of anonymized data so it can spot abuses in the financial services industry.
“I've mentioned many times in hearings the Consumer Financial Protection Bureau and its massive data collection that I'm very concerned about,” Crapo said during a hearing last week.
Though such data does not contain personally identifiable information, Crapo has fears about what fraudsters could do with it if there was a breach.
“My concerns have only grown given the disclosed cyber breaches at the [Federal Deposit Insurance Corp., the IRS, the [Office of Personnel Management], your commission and other agencies,” Crapo said.
A 2013 GAO report studied the CFPB data collection efforts, which included credit reporting information on 10.7 million individuals, credit card data on 25 million to 75 million individual consumers and data on 29 million mortgages on an ongoing monthly basis.
Sen. Thom Tillis, R-N.C., said that, while Equifax needs to be held accountable, Congress should act to protect consumer information more broadly.
“We need to be held accountable for actually getting beyond the shiny objects of this breach, which are really important, and you need to protect consumers and recognize we have a role to play to protect this economy otherwise,” Tillis told Smith.
Tillis added that the cyber data breaches are “not going to end.”
However, regulating the CFPB’s data collection may have unintended consequences pertaining to bad data collection.
Aaron Klein, a fellow in economic studies at the Brookings Institute, said the CFPB database is “the strongest incentive that the credit reporting agencies have to fix mistakes.”
“Consumers are complaining about credit bureaus, particularly about mistakes in their files,” Klein said. “Congress should consider broadening and further empowering CFPB and increasing private market incentives to fix mistakes and reduce faulty reporting.”
Lawmakers may also attempt to change how credit errors are fixed.
Sen. Chris Van Hollen, D-Md., pointed to a Federal Trade Commission report that found that 5% of consumers have errors in their credit files held at the major credit bureaus.
“Consumers who have information included on one of your reports, they often have to pay a lot of money to get it corrected,” Van Hollen said.
A consumer can get information corrected on her credit report, but it can be an arduous process to collect the needed documentation and force the credit bureaus to get the error cleared up. Credit repair services offer to help consumers for a fee, but they aren’t always successful and often overwhelm the credit bureaus with requests.
“Those industries are making billions of dollars, but they don’t really need to exist,” Van Hollen said.