Senate, Regulators Review FCRA Priorities Following Equifax Data Breach
Several members of the Senate Committee on Banking, Housing and Urban Affairs push for legislation to improve data security, credit reporting protections and enforcement when breaches occur.
7/12/2018 3:00 PM
As the investigation into the Equifax data breach by regulators including the Federal Trade Commission and Bureau of Consumer Financial Protection continues, members of Congress are working on data security protections and compliance requirements through legislation.
“I have long been concerned about data collection and data privacy protections by the government and the private sector. Given Americans’ increased reliance on the use of technology where information can be shared by the swipe of a finger, we should be careful to ensure that companies and government entities that have such information use it responsibly and keep it safe,” U.S. Sen. Mike Crapo, D-Idaho, chairman of the Senate Committee on Banking, Housing and Urban Affairs, said in the hearing “Overview of the Credit Bureaus and Fair Credit Reporting Act” July 12.
Crapo’s Economic Recovery Regulatory Relief and Consumer Protection Act (S. 2155), which was passed into law in May 2018, includes many data security protections for consumers, such as security freezes on credit reports and the option for consumers to request fraud alerts from consumer reporting agencies (CRAs).
Under the law, the FTC is tasked with creating regulations for free electronic credit monitoring services that at a minimum notify consumers, especially active duty service members, of changes or additions to their report on file at a CRA.
Maneesha Mithal, associate director of the FTC’s Division of Privacy and Identity Protection, testified during the hearing and said the FTC is working to issue a notice of proposed rulemaking on the regulations by the fall.
The FTC and BCFP play a key role in supervision and enforcement to help ensure data security for consumers, and the legislation discussed at the hearing is designed to increase those capabilities, especially to help veterans and low-income consumers.
“Credit reporting plays a critical role in the overall consumer financial services market and has enormous reach and impact,” said Peggy Twohig, assistant director for the BCFP’s Office of Supervision Policy, Supervision, Enforcement and Fair Lending Division, during her testimony at the hearing. “Accurate consumer credit report information is therefore important to creditors and other consumer report users to make good business decisions.”
U.S. Sen. Joe Donnelly, D-Ind., said Section 301 of S. 2155 allows every American to freeze and unfreeze their credit, set yearlong fraud alerts and opt out of pre-screened credit offers. Compliance is required by Sept. 21.
Twohig said the bureau is working expeditiously to update its resources for consumers including this information and to educate consumers in partnership with the FTC.
S. 2155 amends the FCRA to exclude certain medical debt from veterans’ credit reports. The exclusions would apply to medical services that predate the credit report by less than one year as well as paid or settled veterans’ medical debt characterized as delinquent, charged off or in collection. It also establishes a dispute process for consumer reporting agencies with respect to such veterans’ medical debt, ACA International previously reported.
U.S. Sen. Sherrod Brown, D-Ohio, ranking member of the committee, said during the hearing that the provision of the law needs to go further.
“Given that this type of debt is generally out of a person’s control, should we not pause medical debt reporting at least until more Americans have affordable insurance?” Brown said.
Mithal said the provision in S. 2155 is a good start and it is worth exploring efforts to further exclude medical debt from reports for all consumers.
“If [consumers] fall ill … they get unexpected medical costs on their credit report for years,” Brown said. “The consumer credit reporting system is stacked against Americans. Credit reporting presents a unique problem because often Americans don’t even know these corporations collect their data in the first place. It’s time for a serious overhaul [of the FCRA] that puts Americans in control of their own data.”
Bipartisan Legislation for Data Security
Senators at the hearing also asked the FTC and BCFP to support legislation to protect consumers and sought their input on how it would affect their ability to bring enforcement actions, for example in the event of a data breach, and to continue their supervisory work.
The legislation discussed at the hearing focuses on the FTC’s ability to issue civil penalties if wrongdoing by a CRA results in a risk to consumers’ personal information and a data breach.
For example, U.S. Sen. Robert Menendez, D-N.J., said the Consumer Data Protection Act (S. 2188) would require CRAs to quickly notify regulators and consumers of a breach and hold them accountable.
“My legislation also provides the FTC the authority to pursue fines for negligence or knowingly causing a data breach,” he said.
Committee members also stressed the role Congress has in ensuring regulators have the resources they need through legislation.
“The FTC and CFPB can’t fix this problem on their own without Congress acting to put a civil penalty process in place,” said U.S. Sen. Mark Warner, D-Va. “This is a problem that is not going to go away, this is a problem that is only going to exponentially increase.”
Warner is one of the sponsors of the Data Breach Prevention and Compensation Act with U.S. Sen. Elizabeth Warren, D-Mass.
The act would hold large CRAs accountable for data breaches and give the FTC more direct supervisory authority over the data security at CRAs, according to a news release.
“They (CRAs) should have an absolute obligation to protect that data from hackers and thieves,” Warren said during the hearing.
The act would also create an office of cybersecurity at the FTC.
The BCFP’s work to prevent data breaches comes from its supervisory authority and its partnership with other regulators, and it faces enforcement limitations as well.
Under the current leadership of Acting Director Mick Mulvaney, the bureau is focused on other ways it can ensure compliance and data accuracy at the CRAs, Twohig said.
“The acting director created an Office of Innovation with the goal to see what the bureau can do to spur innovation in many ways, and that would include the use of alternative data,” Twohig said.
Twohig, who has had a role with the bureau since its inception, said the goal is to work with other entities.
“We place a priority on developing relationships with state regulators,” she said. “We have close and cooperative relationships with those regulators and the acting director has said he wants to improve that even more. In general, the bureau is using new supervisory authority to prioritize to look at national consumer reporting agencies and others to ensure they are looking at all aspects of accuracy.”