The Equifax Breach Should Result in Legislation, But Not What You Think
This entry was originally posted on the Foresight Resilience Strategies blog.
As long-time cybersecurity expert Bruce Schneier points out, even if every single person takes the advice of experts and protects themselves with a credit freeze, it will not change the business model of the data brokers; that change may require legislation. With a sufficient legislative and regulatory response, consumers would have less to fear from future breaches. On the other hand, businesses worry about the impact of a regulatory approach in the cybersecurity arena. What follows is a closer look at the proposals that have already emerged and a survey of approaches that might eventually become solutions.
Regulatory Landscape: The Patchwork Nature of Existing Controls on Information
The current regulatory environment for companies that maintain large data stores about individuals primarily as a third party (that is, without interacting directly with those individuals) is fairly atomized and incomplete. The primary law governing the credit bureaus is the Fair Credit Reporting Act (FCRA). The FCRA imposes requirements on Equifax, Experian, and TransUnion, as well as on some more sector-specific information organizations (such as Innovis, LexisNexis, and Telecheck).
Under the FCRA, these consumer reporting agencies must give consumers the chance to access their records and correct them. Any obligation to protect the information in those files is generally limited to a duty to correct or delete inaccurate information. In addition, a covered organization can face liability for intentionally releasing a consumer’s credit information to a third party without the consumer’s consent. Consumer reporting agencies have no general obligation to provide any minimum level of protection for a consumer’s information against unauthorized access. In other words, if a hacker calls the bureau and successfully requests a consumer’s information, the credit bureau has liability under the FCRA; if the credit bureau leaves that same information on an insecure server and the same hacker accesses and downloads it, the credit bureau has no FCRA liability.
A series of other laws cover specific types of information: for healthcare information held by covered entities, there is the HIPAA Privacy Rule; for information about children, there is COPPA. The Federal Trade Commission (FTC), in addition to its responsibilities under the FCRA and COPPA, can pursue “unfair or deceptive acts or practices in or affecting commerce,” but a deception case requires evidence that the company misled consumers about its practices. If the company says it will share your personal information with others for profit and then does so, there is no deception. Some of these mechanisms, especially a consumer protection mission similar to the FTC’s, exist in state attorneys general offices as well.
All of these authorities form an incomplete patchwork. Even in a situation as egregious as the Equifax breach, in which so many consumers are affected and the company’s security practices appear to have been insufficient, there may be no direct liability for failing to provide a basic level of security for consumers.
Data Breach Notification Requirements are Nearly Ubiquitous
At the state level, the most directly relevant form of regulation for events like the Equifax breach is the data breach notification law. Data breach notification laws prescribe how a company that has suffered a breach must notify affected individuals (and, in some states, regulators). Some researchers have credited the nearly ubiquitous data breach notification mandates in U.S. states with creating a culture of transparency. Data breach notifications have driven greater privacy awareness within the U.S. business community, especially when compared with countries that have more prescriptive privacy laws on their books.
A national data breach notification standard would help in some ways by adding federal enforcement to the system we have now. A national data breach notification bill came close to passing in 2015, and it has now been reintroduced in response to the Equifax breach. It is too early to determine its fate.
Data breach notification has had a positive effect, but it seems unlikely that adding a national layer to the requirement will drive additional change in how businesses handle personal data. Data breach notification closes the barn door after the horse has already escaped: it imposes requirements on after-action activities, not on what companies must do before a breach occurs. Bad practices and a lack of incentives to protect your information are what led to this problem, and regulation of those practices is the only way to ensure they improve.
At least one other proposal would make needed improvements to the FCRA by increasing transparency for consumers and making it easier for them to seek remedies, but it would not change the fundamental lack of protection for consumers’ information before the fact.
How Could Congress Respond?
Legislative proposals responding to the Equifax breach should regulate what companies that keep personally identifiable information do with that information. One current proposal from Senators Markey, Blumenthal, Whitehouse, and Franken starts to address these elements of consumer privacy for the data broker industry. It carves out data brokers already regulated under the FCRA from most of its access, disclosure, and notice provisions. It does not, however, exempt those data brokers from the bill’s requirement that companies develop a security plan to protect consumers’ personal information against loss, unauthorized access, use, modification, destruction, or disclosure.
The previous Administration’s draft legislation contemplated a more complete implementation of privacy principles into law, recognizing that consumers needed a more complete set of protections than the patchwork found in current law. That draft covered a broader swath of companies and imposed a more complete set of requirements, including notice to consumers, consent, access, integrity, security, and enforcement. It relied mostly on a reasonableness standard to determine how a covered entity could comply with the requirements in each of those areas. It also introduced the concept of safe harbors, which would rely on sets of privacy practices developed in multistakeholder processes (several have been completed) and certified by the Federal Trade Commission.
The Challenge for Industry and Legislators
The Equifax breach is the perfect storm of a security incident:
- The breach broadly impacts the security of the personal information of potentially the majority of U.S. adults,
- Equifax collected and mishandled this sensitive information without ever asking the consumers’ permission, and
- The breach included sensitive data that, unlike a breach involving passwords, consumers cannot easily change.
The message Congress takes from this breach will determine whether it drives changes to business practices in this industry. To the extent that the public considers this breach business as usual, Congress will likely restrict its activities to hearings on the topic. Should a broader awareness of the identity theft dangers from this breach produce a stronger movement for a solution that addresses the problem before breaches occur, Congress may break the logjam on data breach notification legislation, or even go further toward substantive privacy or cybersecurity regulation.