October 12, 2017

Lawmakers take steps to rectify data security gaps in light of Equifax breach

Senate Banking Chairman Mike Crapo, R-Idaho, sent a letter to three federal agencies yesterday questioning their ability to oversee credit bureaus and ensure consumer data is protected. In it, Crapo expresses concern about a "regulatory gap" for data security standards.

Crapo sent the letter to the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency. He asks six questions about the banking agencies' ability to supervise the credit bureaus, including their legal authority and technical capability, and how credit bureau supervision compares with supervision of banking organizations.

Crapo requests that the agencies respond to his questions by Oct. 20. The Senate Banking Committee has a hearing on data security on Tuesday.

Also Thursday, Rep. Patrick McHenry, R-N.C., introduced the PROTECT Act, which would create uniform cybersecurity standards for national credit bureaus and subject them to examinations via the Federal Financial Institutions Examination Council (FFIEC), something for which NAFCU has advocated in the wake of the Equifax breach. It also establishes a national process for consumers to request a credit freeze and would prevent credit bureaus from using Social Security numbers as the basis for consumer identification beginning in 2020.

Separately from the recent data security breach, KrebsOnSecurity reported Thursday that Equifax had removed third-party code from its website that prompted visitors to download an update for Adobe's Flash Player; the download turned out to be malware.

NAFCU has been a leading advocate for a national data security standard that holds all entities that handle personal financial data to the same standards as credit unions and other depository institutions under the Gramm-Leach-Bliley Act (GLBA). It has called for action to ensure that credit unions do not bear the cost of negligent data practices by entities like Equifax.

The association has also advocated that credit rating agencies already subject to parts of the GLBA, like Equifax, be subject to the same regulatory requirements as depository institutions, which would be accomplished under McHenry's proposed legislation.