U.S. PIRG's Consumer Campaign Director, Mike Litt, was invited to testify at a hearing entitled "Improving Data Security at Consumer Reporting Agencies" before the House Committee on Oversight and Reform’s Subcommittee on Economic and Consumer Policy. Below are his opening remarks. His full written testimony is available here.
"Good afternoon - again, my name is Mike Litt with U.S. PIRG. I appreciate the opportunity to testify before you. In order to improve data security at credit reporting agencies, also known as credit bureaus, we need robust financial penalties, stronger oversight, and better consumer control over our personal data.
We only need to look at the Equifax breach to see the real dangers posed to real people when a credit bureau drops the ball on its data security and loses our data. I am one of the 148 million Americans who had their financial DNA exposed in what is the worst data breach in history. It has put us at risk of identity theft and other types of fraud for the rest of our lives. So far Equifax still has not paid a price for putting so many consumers in harm’s way. We have no choice over whether Equifax or the other credit bureaus collect and sell our personal information. And when they lose it, we can’t leave them the way we can other companies.
That dynamic is precisely why we need hefty financial consequences for losing our data and strong oversight to prevent data loss in the first place. If you’re a larger credit bureau and you don’t comply with the Federal Trade Commission’s Safeguards Rule, there should be mandatory fines. If you lose personal data, there should be mandatory fines.
But at the very least, we need to give the FTC the ability to issue civil penalties after a first violation of the law. The FTC has been investigating the Equifax breach, but all it can do is issue a consent order - and only if Equifax violates that order and botches its data security again can the FTC actually issue fines. That needs to be fixed.
Next, I’d like to discuss some ideas for oversight from my written testimony. The Consumer Financial Protection Bureau (CFPB) has tools the FTC does not. It can issue penalties after a first violation. It can examine companies for compliance with the law and catch problems ahead of time.
We know from Equifax’s SEC filing last month that the CFPB has been investigating the Equifax breach and is intending to issue civil penalties. The CFPB is clearly using its authority to take action on data security in the case of the Equifax breach. It should consider and prioritize data security as a factor when examining other companies as well.
The Oversight Committee’s report on the Equifax breach released in December shows that hackers exploited unencrypted data and weak data controls. The FTC just proposed an amendment to its Safeguards Rule this month, with some good first steps that would require basic types of security measures, such as data encryption, multi-factor authentication, and controls over who has access to data.
Finally, I’d like to talk about better consumer control over our own data. The best way to stop an identity thief from opening new accounts in your name is by getting a credit freeze, also known as a security freeze, at all three national credit bureaus. A credit freeze blocks or “freezes” access to your credit reports.
Before the Equifax breach, the credit bureaus charged for credit freezes in most states. After the breach, 19 states made freezes free. Congress followed suit and passed a free national freeze law.
In my written testimony, I explain problems with the national freeze we would like to see fixed and other ideas for better consumer control. But really the best solution would be if access to our credit reports was just automatically frozen by default. We shouldn’t have to opt in to control access to our own data.
To summarize all of this - we are not their customers, but credit reporting agencies possess vast amounts of our personal data, including the keys to our financial DNA. That’s why we need strong financial penalties and oversight to incentivize them to protect our data. The CFPB and FTC should use their authorities and have their authorities expanded for those purposes. Additionally, we should be given more control over our own credit data. I look forward to working with you, thank you so much."