American banks and retailers are sparring over whether financial firms should follow a new national standard to quickly notify consumers when they’ve experienced a data breach.
Equifax Inc. said last week that it would notify an additional 2.4 million consumers who were hacked during its massive data breach in 2017 -- but a draft of a House bill with bipartisan support would exempt the credit-reporting agency from the new requirements.
The proposal, backed by Representative Blaine Luetkemeyer, a Missouri Republican, and Carolyn Maloney, a New York Democrat, would establish a federal mandate for when and how certain companies, like retailers, tell customers about a data breach. Financial institutions, would be exempt, because they already have to adhere to the 1999 Gramm-Leach-Bliley Act, which establishes privacy protections for consumers, according to Luetkemeyer’s office. Equifax falls under that category because it collects sensitive financial information.
Despite multiple efforts in recent years, no bills have been passed that would establish a national standard for data breach notification. The Luetkemeyer-Maloney proposal is already drawing critics among consumer advocates.
The legislation as currently drafted is “the worst of both worlds,” said Mike Litt, consumer campaign director of the consumer advocacy group U.S. PIRG. “You are creating a national standard that exempts a company like Equifax or at the very least leaves it uncertain what their obligations are, which is disappointing.”
U.S. PIRG along with the Consumer Federation of America have said that any federal legislation should include financial institutions and clear the way for states to pass even tougher notification requirements.
‘Piecemeal Fashion’
Lawmakers have been pushing for a national standard following high-profile cyberattacks on Equifax, Uber Technologies Inc., and Yahoo! Inc., which compromised the personal information of millions of Americans. House and Senate panels have held hearings in recent months, with another one scheduled for Wednesday by a House Financial Services subcommittee to discuss proposals to reform data security and breach notification laws.
Pressure mounted last week after Equifax said it was belatedly notifying the additional consumers whose identities had been stolen last year because it had been unable to confirm who they were at the time since only partial driver’s license information was taken.
“While I credit Equifax for continuing to examine the scope of its massive data breach that lost sensitive personal and financial information, the company should have acted sooner to mitigate the impact on these additional affected consumers,” Senator John Thune of South Dakota said in a statement. “Equifax needs to put consumers first and shouldn’t be trying to clean up its mess in a piecemeal fashion.”