After Equifax breach, states clamp down
States are taking a stronger role in enforcing compliance with cybersecurity standards following a recent cyberattack on credit reporting agency Equifax that exposed the personal and financial data and Social Security numbers of as many as 143 million Americans.
New York Gov. Andrew Cuomo announced Monday he is directing the Department of Financial Services (DFS) to issue new regulations that would require credit reporting agencies like Equifax to register with the state and meet cybersecurity standards similar to those already enforced on banks and insurance companies.
In Massachusetts, state Attorney General Maura Healey said in a statement Tuesday that the state will file a lawsuit against Equifax, alleging that “Equifax knew about the vulnerabilities in its system for months, but utterly failed to keep the personal information of nearly three million Massachusetts residents safe from hackers.”
New York’s historically light regulation of credit monitoring agencies would be replaced by new rules enforced by the DFS Superintendent, who would assume responsibility for denying or potentially revoking the authorization of credit reporting agencies to do business in the state if they are found out of compliance. Among the requirements of the proposed regulation are prohibitions against “unfair, deceptive, or predatory” acts against consumers. Credit reporting agencies would have to register annually beginning on or before Feb. 1, 2018.
The Equifax cyberattack led to the resignation of the company’s chief information officer, David Webb, and its chief security officer, Susan Mauldin, on Sept. 15, after it became evident that the agency had been aware of “suspicious network traffic” as early as July 29.
Meanwhile in Congress, Democratic senators from Massachusetts, Connecticut and Rhode Island are introducing new legislation designed to give consumers heightened power over their credit data and personal information.
Massachusetts Sen. Elizabeth Warren says her Freedom from Equifax Exploitation (FREE) Act would allow consumers “more control” over their data and prevent credit reporting agencies from profiting from consumer data during a credit freeze. In addition to her proposed legislation, Warren also sent letters to the credit reporting agencies, regulators, and Government Accountability Office requesting an investigation into the impact of the breach and further work to “reform this broken industry.”
Illinois Rep. Greg Harris introduced a similar measure Tuesday that would ban fees on credit freezes.
Massachusetts Sen. Edward Markey, Connecticut Sen. Richard Blumenthal and Rhode Island Sen. Sheldon Whitehouse are introducing a bill that would prohibit data brokers from selling personal information for marketing purposes.