Since credit reporting agency Equifax acknowledged a data breach during which hackers accessed the personal information of an estimated 143 million Americans, New York’s governor and at least one state legislator have proposed tighter regulations to protect and empower consumers. Now, a trade group whose member companies include Equifax is responding.
Equifax is a member of the Consumer Data Industry Association. Eric Ellman is senior vice president of Policy and Legal Affairs.
“The hack that we have been reading about should not impugn the good work of the credit bureau industry or the data that they have, which ultimately is used for a social good to get people into student loans and mortgages and car loans and to help law enforcement locate deadbeat dads, and victims, witnesses, and fugitives, and things like that,” Ellman says.
On Monday, New York Governor Andrew Cuomo directed the Department of Financial Services to issue new regulations requiring credit reporting agencies to register with the state by February 1, 2018, and comply with the state's strict cybersecurity standard. When it comes to implementing cyber protections, Cuomo says credit reporting agencies should be regulated the same way as banks and other credit institutions. Ellman weighs in.
“Based upon our cursory review of the proposed rule, we are not convinced that registration, for example, would actually prevent a cybersecurity attack,” says Ellman. “And I think we also have to focus on real solutions to real problems and not be looking for sensationalized solutions to problems that don’t exist or that could cause some downstream collateral damage to the credit reporting system and to consumers’ ability to get credit.”
New York state Senator David Carlucci, an Independent Democrat, commends Cuomo’s effort and has introduced two pieces of legislation to empower consumers. He’d like to see such legislation nationwide.
“Unfortunately, the current administration in Washington, the Trump administration, has not really shown a willingness to clamp down and tighten up the regulations. In fact, they want to really water them down,” Carlucci says. “And so that’s why if the federal government’s not going to do it, we’ve got to do it in New York. And there’s so many things that we can do to really bring this industry into compliance of the modern times.”
One of Carlucci’s proposed bills would require that consumers be notified within 48 hours after the discovery of a breach of credit or sensitive information. Equifax reports that it noticed suspicious activity at the end of July, but didn’t announce the massive data breach until six weeks later. On this bill, Ellman says he’d have to further review it before offering comment. Carlucci earlier this week introduced a second piece of legislation.
“And the legislation that I’m putting forward would say that any New Yorker could freeze and unfreeze their credit at any time, for free,” says Carlucci.
Ellman says the fee is how the companies recoup their administrative costs.
“We do not believe that the credit bureaus, in the absence of them having a hack, should have to pay for a credit freeze. The credit bureaus have a credit freeze system, for which the charge for a credit freeze is quite low, oftentimes cheaper than a copay to a doctor or a copay to a pharmacy. And that’s just an administrative expense that comes with the cost of running the credit freeze system.”
He says that charge is about $5 per credit freeze. Carlucci proposed his legislation prior to an upcoming hearing on identity theft. The state Senate Consumer Protection Committee, which he chairs, is holding the hearing September 26.
“I wanted to do it a little before the hearing to get it out there, to have the industry look at and tell me their criticisms of it and critique it, but we have to have this open dialogue and really New Yorkers have to be empowered and know what’s going on,” Carlucci says. “Obviously, they’re going to fight each piece of legislation that I put out, the industry, but we need to empower New Yorkers.”
New York state Attorney General Eric Schneiderman opened an investigation immediately after learning of the Equifax breach.