Yuka Hayashi and
Gabriel T. Rubin
WASHINGTON—Hours before Equifax Inc. announced its huge data breach Thursday, a congressional panel was debating a proposed bill that aims to reduce penalties for credit-reporting companies accused of harming consumers with inaccurate credit reports.
The legislation is part of congressional Republicans’ pushback against increasing regulatory scrutiny of an industry that until a few years ago escaped broad government oversight.
The Equifax hack, which potentially compromised the personal information of roughly 143 million U.S. consumers, around 55% of Americans ages 18 and older, is likely to throw up hurdles to that deregulatory push.
On Friday, a Consumer Financial Protection Bureau spokesman said the bureau was looking into the data breach and Equifax’s response, while the House Financial Services Committee and the House Energy and Commerce Committee said they would hold hearings on the hack. No dates were announced for the hearings.
- Equifax Reports Data Breach
- Consumers Blast Equifax’s Hack Response
- Equifax Shares on Pace for Worst Day in 18 Years
- Protecting Your Finances After the Breach
The Federal Bureau of Investigation and New York State Attorney General Eric Schneiderman have also launched investigations into the Equifax breach.
In 2012, the newly created CFPB gained supervisory authority over credit-reporting firms. Previously, if consumers had complaints about these companies, the cases were largely the province of private lawyers, with the Federal Trade Commission and state regulators occasionally stepping in with enforcement actions.
Consumer advocates on Friday called on the CFPB to strengthen monitoring of these companies’ data security. The CFPB’s oversight of credit agencies has focused on accuracy of data and marketing practices, while data security at these companies hasn’t been a focus of its supervisory work.
The data breach at Equifax could be particularly harmful because the attackers have gained in one swoop all the key consumer information needed to commit various forms of identity theft. Equifax said the hackers gained access to systems containing customers’ names, Social Security numbers, dates of birth and addresses.
Credit bureaus “determine who gets credit at what price and they are also used by employers, landlords and insurers,” said Chi Chi Wu, a lawyer specializing in consumer-credit issues at the National Consumer Law Center, an advocacy group. “You would think you want a strong regulatory scheme but they didn’t have one. We complained about it for years.”
The involvement of the CFPB, a federal agency created in 2011 as part of the Obama administration’s post-financial-crisis regulatory overhaul, was just beginning to affect the industry’s practices. Earlier this year, the bureau fined the top three credit bureaus—Equifax, TransUnion and Experian PLC—over allegedly misrepresenting the credit scores they marketed and sold to consumers. The three companies settled without admitting wrongdoing. In March, the CFPB issued its first report outlining its supervisory policy toward the industry, focusing on the accuracy of credit reports.
Some Republican lawmakers, meanwhile, have sought to curb these companies’ liability when disputes with consumers arise. The bill that the House Financial Services Committee was debating on Thursday was introduced in May. The bill would cap potential damages that consumers could win against credit-reporting firms in a lawsuit, and eliminate punitive damages against them entirely.
Consumers can seek class-action damages against the credit bureaus over violations of the Fair Credit Reporting Act, a 1970 law that limits who gets access to consumers’ information and requires credit-reporting firms to correct or delete any inaccurate information.
A spokesman for the committee said Friday that it had scheduled no further action on the bill, and five others related to consumer finance that were debated on Thursday.
“It’s been presented that this is a credit bureau protection act—this is false,” Rep. Barry Loudermilk (R., Ga.), the sponsor of the legislation, said at Thursday’s hearing. “This is to protect consumers and all Americans.” He said at the hearing that many industry groups support the bill, including the Consumer Data Industry Association, the trade group for credit bureaus. Equifax is one of the primary members, along with Experian, TransUnion and Innovis.
Equifax, TransUnion and Experian have all lobbied Congress this year on the legislation, according to lobbying-disclosure reports.
Oversight of data security has become an urgent issue for regulators and policy makers in recent years. Most states have passed laws requiring some form of data-breach notification but many companies and industry groups have been pushing for a unified federal standard.
Several bipartisan bills to establish such a standard have been introduced in the Congress, prompted by commercial data breaches at several major U.S. retailers in the past few years. All the proposals would require broad consumer notification and some establish new federal data-security standards.
Many lawmakers hope the massive Equifax breach will prompt Congress to both act on data-breach legislation and re-examine regulations around credit bureaus.
“Congress must diligently examine the way our credit reporting agencies are operating and impose additional statutory and regulatory reforms to protect the integrity of the country’s credit reporting system,” said California Rep. Maxine Waters, the top Democrat on the House Financial Services Committee. “I will reintroduce legislation that will enhance consumer protection tools available to minimize harm caused by identity theft.”
— Byron Tau and Michael Rapoport contributed to this article.
Write to Yuka Hayashi at firstname.lastname@example.org and Gabriel T. Rubin at email@example.com