Keeping Credit Reporting Agencies in Check – Is it Enough?

In January 2018, two U.S. senators introduced a bill that would empower the government to impose severe fines on consumer reporting agencies that failed to protect stored sensitive personal data of individuals

The Data Breach Prevention and Compensation Act  comes in the wake of the Equifax breach that exposed the data of approximately 143 million people in the United States.   Per the draft, the Federal Trade Commission (FTC) – the part of the government with the mission of overseeing companies’ security practices – would be granted greater authority to penalize these firms for poor data security practices.

Per the bill, the FTC would be in charge of regulating cybersecurity for companies that earn in excess of $7 million USD a year from the sale of consumer information.  The FTC could levy fines of $100 USD for each consumer whose first and last name or first initial and last name and at least one additional piece of personal identifiable information (PII) was compromised.  What’s more, the FTC could impose an additional $50 USD for each additional piece of personal identifiable information exposed.  Money generated by the fines would presumably be returned to the victims impacted by the data loss.  Based on a credit-reporting agency’s revenue, total fines would be maxed but subject for an increase if it was determined that the victimized agency failed to follow basic security practices.

The Equifax breach has served as a catalyst for the government to get more involved in understanding why these immense data breaches are occurring, and finding out why in some instances, companies were late in disclosing the breaches and notifying the public.  Senior officials from Equifax and even Yahoo were called by Congress to testify about the circumstances around the breaches both had suffered.  In the aftermath of major breaches such as Anthem, the Office of Personnel Management, and even the Internal Revenue Service, the need for organizational accountability seemed imminent.  However, despite hearings and public outcry, the government did not appear to make any headway in breach losses – until now.

While a promising development, this still falls well short of a national strategy to increase data protection and institutional accountability.  Trying to develop a national response has been proposed in the past, but as of yet, without any tangible result.  In October 2017, a Congressman introduced the Consumer Privacy Protection Act, a bill that would compel companies to notify consumers if their sensitive information (which included digital photographs, geographical, and biometric data in addition to standard PII) was exposed in a data breach.  The bill held companies with more than 10,000 customers accountable, compelling them to notify customers within 30 days of a detected breach or suffer financial or imprisonment penalties.

While most states have laws in place, the push for a national standardized data protection law in the United States is long overdue, particularly as large data breaches exposing sensitive PII is becoming all too normal.  Failure to implement a national data protection plan threatens to put the United States behind the eight-ball behind similar strategies enacted by the European Union via the GDPR and China via its Cyber Security Law.  Without similar national data privacy laws in place, this invariably may prove to be an obstacle for the United States trying t to establish international agreements and memorandums of understanding on cyber security issues.

While there have been recent developments with regards to restructuring cyber programs associated with the Department of Homeland Security (i.e., the National Risk Management Center, the Cybersecurity and Infrastructure Security Agency, as well as assorted strategies), the United States still lacks a national data protection plan.  Furthermore, the longer the United States does not put a plan in place, the greater the impression that it’s more interested in the attack side of cyber (e.g., offensive capabilities, hacking back, deterring attacks) rather than investing time and effort into fundamentally protecting the very information that criminal and espionage actors are seeking.  And while it can’t dictate the extent with which the private sector protects itself, the government can certainly hold these organizations accountable for failing to do so when its citizens’ PII is stolen from their holdings.

Almost a year has passed since the bill was first introduced with little headway made in passing legislation that would demonstrate the government’s commitment to protecting its citizens on the individual level.  National cyber security strategies, the establishment of new bureaucratic entities (although dictating specific lanes in the road and creating a cyber hierarchy would prove more advantageous), and organizational restructuring are promising show pieces, but they only serve as a barking guard dog that signals a problem is near.  To mitigate that problem, it needs to be unshackled.  Enacted legislation would be the hand that opens the gate.

About the Author

Is a U.S.-Russia Cyber Security Working Group Silly? TechNativeEmilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals and blogs. Follow Emilio on Twitter