Blumenthal and McSweeny: Congress needs to immediately pass legislation that protects Americans from future security breaches
Strict penalties would give companies more incentives to be less reckless with our data, they write
Editor’s Note: Richard Blumenthal, a Democrat, is a US senator from Connecticut and Terrell McSweeny is a commissioner of the Federal Trade Commission. The opinions expressed in this commentary are their own.
You’d be forgiven if you merely shrugged your shoulders when you heard the news about the breach at Equifax and thought, “I’ve heard this story before.” That kind of ambivalence can be expected when it seems like every week there is a new cyberattack or unauthorized release of consumer records.
But you should not shrug your shoulders. This is not a story we’ve heard before. The Equifax breach is a five-alarm fire – a historic data disaster. The resignation of two senior executives at Equifax – the chief information officer and the chief security officer – and the sudden retirement of the CEO provide no meaningful remedy to the millions of consumers who bear the risk of breach.
Let’s be crystal clear: the personal and financial data of as many as half of American consumers may be affected. That’s because the information stolen is the lifeblood of our identities in today’s aggressively credit- and data-driven economy.
Equifax is one of three national, for-profit consumer credit reporting agencies (CRAs) that don’t need permission to amass your private personal information. These companies turn a profit collecting Social Security numbers, birth dates, drivers’ license numbers, loan information, credit card accounts, mortgage data, address histories, and keeping tabs on your payment records. If you have a credit card, these agencies undoubtedly have an electronic folder with your name on it.
Equifax is also a data broker. That means it makes millions from the collection, analysis, and sale of your data. And again, they don’t need your permission to profit from your personal information.
Unlike past retailers and institutions that have been hacked, Equifax doesn’t have to worry about consumers taking their business elsewhere. We have no choice but to trust that when they take our data, it is safe and secure.
If you’re not angry, you should be. And we share your outrage – the labyrinth of confusing, overlapping, and sometimes contradictory laws and policies designed to protect consumers simply isn’t strong enough. Year after year, identity theft is a top complaint to the Federal Trade Commission. Now millions more Americans must worry about the security of their identities.
That’s why Congress must immediately pass legislation that will compel companies to prioritize the security of our data. Until we strengthen the Federal Trade Commission’s authority to impose civil penalties against corporations and institutions that fail to protect our data, companies will have little incentive to reform their reckless approach to our data.
Under current law, even some of the most egregious examples of lax security can only be met with promises to do better the next time – not fines or other penalties. Our existing patchwork approach among the states and various sector-specific federal mandates is also clearly failing to make our data more secure.
That is why we’re teaming up to develop legislation to make it clear that the Federal Trade Commission can investigate any data breach of any company that holds sensitive consumer data.
Some argue that consumer harm must be proven before government can take action on a breach. Our proposal would make clear that being careless with consumer data in the first place is the harm.
If the entities that hold our data cannot be trusted to protect it, then the government needs to have the tools to not only go after the criminals, but to also go after the companies that treat our financial lives with such negligence and carelessness. Only stringent penalties that put pressure on the bottom lines of companies like Equifax will propel these companies to secure consumer data and take meaningful steps to ensure that their systems cannot be infiltrated by hackers and thieves.
Two years ago, the FTC established IdentityTheft.gov. The site should be a one-stop-shop where a breach victim can not only find resources, but also freeze or repair their credit across all three CRAs. To make this possible, we will need the help of the CRAs themselves so consumers can access all three simultaneously through one portal. While IdentityTheft.gov is operating and providing many good resources to American consumers, the CRAs must do their part to help make sure that victims of identity theft can recover as quickly, and with as little stress, as possible.
It is a travesty that Congress has held numerous hearings on this issue but has failed to act – even as the number and severity of breaches continue to mount. The federal government has known of the risks to the financial and personal information of Americans since the first data thefts began to crop up more than a decade ago, yet no serious steps have been taken to protect consumers.
Now is the time for Congress to act if it wants to avert further financial catastrophe for the American public.