Will Massive Equifax Breach Spur State Regulation?
The unauthorized accessing of sensitive financial and personal information about 145.5 million consumers at Equifax, which the company made public last month, has prompted numerous lawsuits, congressional hearings, and investigations by federal agencies and state attorneys general, along with a big drop in the company’s stock price and the sudden retirements of its chief information officer, chief security officer and CEO. The massive breach could also lead to a state regulatory crackdown on credit reporting agencies, which aren’t currently subject to some of the requirements imposed on other businesses that manage sensitive consumer data, and possibly to tighter controls on that larger universe of businesses as well.
Equifax and the two other major consumer credit bureaus, Experian and TransUnion, compile and store confidential information, including credit card numbers, phone numbers, addresses, birth dates and Social Security Numbers, on about 200 million Americans. The companies use that trove of data to calculate the credit scores used to help decide whether someone gets a credit card, a home loan or a job, among many other things.
Despite the critical function they serve and the lucrative target they pose for identity thieves, however, the credit reporting agencies aren’t subject to the same level of federal regulatory oversight as banks and other financial institutions, even though they are required to abide by many of the data security laws that apply to those entities, according to a report by the New York Times. While banks are continuously monitored for compliance by a team of agencies, the credit bureaus generally come under scrutiny only after a problem has arisen, that report indicated.
“Credit reporting agencies are the plumbing of our financial system but are much less regulated than many banks,” Rohit Chopra, a senior fellow at the Consumer Federation of America, an association of nonprofit consumer organizations, told the Times.