Here's How Congress Should Respond to the Equifax Breach

There is very little doubt that Equifax’s negligent security practices were a major contributing factor in the massive breach of 145.5-million Americans’ most sensitive information. In the wake of the breach, EFF has spent a lot of time thinking through how to ensure that such a catastrophic breach doesn’t happen again and, just as importantly, what Congress can do to ensure that victims of massive data breaches are compensated fairly when a company is negligent with their sensitive data. In this post, we offer up some suggestions that will go a long way in accomplishing those goals.

A Federal Victims Advocate to Research and Report on Data Breaches

When almost half of the country has been affected by a data breach, it’s time for Congress to create a support structure for victims at the federal level.

Once a consumer’s information is compromised, there is a complex process to wade through to figure out who to call, what kind of protections to place on one’s credit information, and what legal remedies are available to hold those responsible accountable. To make it easier for consumers, a position should be created within the executive branch and given dedicated resources to support data breach victims.

This executive branch official, or even department, would be charged with producing rigorous research reports on the harm caused by data breaches. This is important because the federal courts have made it very hard to sue companies like Equifax. The judiciary has effectively blocked litigation by setting too high a standard for plaintiffs to prove they were harmed by a data breach. Federal research and data analyzing the financial harm Americans have faced will help bridge that gap. If attorneys can point to authoritative empirical data demonstrating that their clients have been harmed, they can make companies like Equifax accountable for their failures to secure data.

Federal Trade Commission Needs to Have Rule-making Authority

Speaking of the executive branch, the Federal Trade Commission (FTC) has a crucial role to play in dealing with data breaches. As it stands now, federal regulators have little power to ensure that entities like Equifax aren’t negligent in their security practices. Though Americans rely on credit agencies to get essential services—apartments, mortgages, credit cards, just to name a few—there isn’t enough oversight and accountability to protect our sensitive information, and that’s concerning.

Equifax could have easily prevented this catastrophic breach, but it didn’t take steps to do so. The company failed to patch its servers against a vulnerability that was being actively exploited, and on top of that, Equifax bungled its response to the data breach by launching a new site that could be easily imitated.

To ensure strong security, Congress needs to empower an expert agency like the FTC, which has a history and expertise in data security. This can be accomplished, by restoring the FTC’s rule-making authority to set security standards and enforce them. The FTC is currently limited to only intervening in matters of unfair and deceptive business practices, and this authority is inadequate for addressing the increasingly sophisticated technological landscape and collection of personal data by third parties.

Congress Should Not Preempt State Data Breach Laws

While empowering executive agencies to address data breaches, Congress should take care in ensuring that states don’t lose their own laws dealing with data breaches. Any federal law passed in response to the data breach should be the foundation—not the ceiling— upon which states can build upon according to their needs.

States are generally more capable of quickly responding to changing data collection practices. For example, California has one of the strongest laws when it comes to notifying people that their information was compromised in a data breach. Among other things, it prescribes a timeline to notify victims and the manner in which it should be done. By the time a company has to comply with California’s laws, the company has infrastructure in place to notify the rest of the country. Given this, Congress should not pass a law that would gut states’ ability to have strong consumer friendly data breach laws.

Create a Fiduciary Duty for Credit Bureaus to Protect Information

Congress must also acknowledge the special nature of credit bureaus. Very few of us chose for our most sensitive information to be hoarded by an entity like Equifax that we have no control over. Yet the country’s financial infrastructure relies on them to execute even the most basic transactions. Since credit bureaus occupy a privileged position in our society’s economic system, Congress needs to establish that credit bur