Letter to the Hon. Maureen K. Ohlhausen - Review of Consumer Data Protection at Top Consumer Reporting Agencies

Letter

Dear Acting Chairman Ohlhausen:

We write to request an immediate horizontal review of consumer reporting agencies in light of Equifax's disclosure of a data breach affecting nearly 44 percent of the country's population. According to Equifax, unauthorized parties accessed personally identifiable information (PII) including names, Social Security numbers, addresses, and driver's license numbers of approximately 143 million U.S. consumers.[1] In addition, 209,000 consumers had their credit card numbers stolen, while 182,000 consumers' credit reporting dispute files were compromised.[2] For the millions of affected consumers throughout the nation, the impacts of this data breach could be catastrophic. As one of the three major consumer reporting agencies, Equifax centrally holds the most sensitive PII: information that determines whether Americans will be able to purchase a car, secure a loan for a home, attain employment, and perform countless other functions that are critical to economic growth. We were pleased to hear the Federal Trade Commission (FTC) confirm that it is indeed investigating the Equifax data breach, but a breach of this scale warrants a proactive review of data security at all three of the major consumer reporting agencies.[3] A breach of this size no doubt makes the other consumer reporting agencies targets as well.

The sheer magnitude of this event alone, affecting 143 million U.S. consumers, merits a comprehensive review. While the company's most recent data breach has appropriately garnered a new level of public scrutiny, this is not the first time Equifax has failed to protect the most important personal data of millions of U.S. consumers. In 2016, unauthorized parties accessed W-2 tax and salary data from an Equifax website.[4] Similarly, earlier this year, additional W-2 data was compromised at an Equifax subsidiary, TALX.[5] Equifax's inability to identify its weaknesses and strengthen its data security systems in the aftermath of these prior data breaches left hundreds of millions of consumers in the U.S. and abroad vulnerable. The rapid succession of three major data breaches in the span of less than two years suggests the possibility of similar foundational weaknesses at the other consumer reporting agencies.

Moreover, Equifax's actions around the discovery and disclosure of the data breach raise additional questions about the company's fidelity to the very consumers whose data it holds. Instead of quickly making this information available to the public and the affected consumers, Equifax waited six weeks before announcing the data breach. And yet, during those six weeks, Equifax's Chief Financial Officer, president of U.S. information solutions, and president of workforce solutions managed to find time to sell Equifax shares worth nearly $2 million in the span of a mere five days after the company discovered the breach. We are troubled by this revelation, and we find no reasonable justification for such a delay in informing those affected.

Equifax's security breach exposed serious fault lines in the company's ability to protect PII. We are deeply concerned that these problems may also exist at the other consumer reporting agencies. As such, we ask that you: (1) promptly investigate the causes of the Equifax data breach; (2) develop recommendations for data security standards for consumer reporting agencies' central holding of PII and related consumer financial information; (3) conduct a review of the existing data security standards at the consumer reporting agencies to determine whether Americans' personal data is secure; and (4) consult with the Consumer Financial Protection Bureau to ensure that in the case of a data breach, consumers are being notified in a timely manner and have access to all of the necessary tools to protect themselves against identity theft. In addition, we ask that you respond to the following questions no later than October 6, 2017:

What specific safeguards are in place at the three major consumer reporting agencies to ensure that consumer data is secure? For example, are the agencies subject to internal and external data security audits? To what extent are the reporting agencies encrypting consumer data?

What internal policies are in place at each of the three major consumer reporting agencies that govern when and how consumers, government, and law enforcement agencies are notified of actual or attempted breaches? Is a universal notification system appropriate?

Do consumer reporting agencies share threat intelligence data so as to better guard against cyber-attacks? Do consumer reporting agencies regularly share threat intelligence data with law enforcement agencies and/or the intelligence community?

Should the government and financial institutions reconsider using Social Security numbers as a national identifier?

In the event of a data breach, what is the appropriate length of time that consumers should hold identity theft protection? Should a consumer reporting agency whose lax security was responsible for a breach be allowed to market credit monitoring and identity theft protection services to affected consumers?

Would the institution of a monetary penalty framework incentivize consumer reporting agencies to better secure consumer data?

Does the FTC require additional statutory authority to monitor and hold accountable consumer reporting agencies in the event of a data breach?

We look forward to working with you on this matter and we appreciate your prompt attention to this request.
