GAO: Equifax-Like Breaches Require Greater Civil Penalties
Report Calls for New Rules to Pave the Way for Bigger Fines
One way to ensure greater protection for consumers and their personal information following massive data breaches is to give the U.S. Federal Trade Commission the ability to impose greater civil penalties against consumer reporting agencies, such as Equifax, a new government report concludes.
That conclusion is part of the report issued on Tuesday by the Government Accountability Office, "Consumer Data Protection: Actions Needed to Strengthen Oversight of Consumer Reporting Agencies." The document is in response to questions raised by Sen. Elizabeth Warren, D-Mass., and Rep. Elijah Cummings, D-Md., about the Equifax data breach.
The report also comes as the House Committee on Oversight and Reform is conducting hearings about data security at consumer reporting agencies.
The investigation into what happened at Equifax started on Sept. 7, 2017, when the company issued its first statement about the breach, which eventually was determined to have led to the theft of personal information of more than 145 million U.S. residents, as well as other records related to U.K. and Canadian citizens.
Eventually, the breach led to the ouster of Equifax's CEO Richard Smith, along with the company's CIO and CSO. Executives would later blame "human error" for the failure to patch a flaw in the Apache Struts web application that hackers used to infiltrate the network and take the data.
In addition to the U.S. Justice Department and FTC, the state of New York and other regulators, both in the United States and overseas, began investigating what happened and who was responsible. A number of class action lawsuits filed by customers are also making their way through the courts.
One of the reasons the GAO investigated consumer reporting agencies is that these companies collect large amounts of data on consumers, who have little knowledge of or control over what information, which can include Social Security and credit card numbers, is then passed along to third parties.
As one of the largest consumer reporting agencies, Equifax has collected data on millions of consumers over many years.
"While companies in many industries have experienced data breaches, CRAs may present heightened risks because of the scope of sensitive information they possess and because consumers have very limited control over what information CRAs hold and how they protect it," according to the GAO report.
To protect that data, the GAO recommends that Congress give the FTC greater power to bring civil penalties against companies such as Equifax when their security missteps allow cybercriminals to gain access to their networks and steal massive amounts of personally identifiable information, which can then be used in criminal schemes, including identity theft.
The GAO report states that larger penalties would help to ensure that companies take better security precautions to protect consumer data.
"FTC staff told us and testified before Congress that civil penalties are often the most appropriate remedy for a data breach, and that such penalties serve as an effective deterrent in cases involving weak data privacy and security policies and practices," according to the GAO report. "FTC staff noted that in the case of a data breach, each consumer record exposed could constitute a violation; as a result, a data breach that involved a large number of consumer records could result in substantial fines."
Currently, the FTC has the ability to fine companies under the Fair Credit Reporting Act. But the GAO recommends that Congress expand the commission's ability to issue civil penalties under the Gramm-Leach-Bliley Act, which requires financial institutions to explain their data gathering process to consumers and to offer safeguards to protect that data.
Under the Fair Credit Reporting Act, the FTC must show that a company's action harmed consumers in order to impose a financial penalty. But because it can take years after a breach for evidence of harm to emerge, such harm is difficult to prove, according to the GAO analysis. By giving the commission the ability to enforce the safeguards built into the Gramm-Leach-Bliley Act, the FTC would have an additional tool to bring a fine or penalty against offending companies.
In addition to the FTC, the GAO report recommends that the Consumer Financial Protection Bureau, which Warren helped establish, be given more power to oversee and supervise consumer reporting agencies.
The FTC and the Consumer Financial Protection Bureau did not immediately respond to a request for comment on the proposed changes.
"The GAO has issued very clear recommendations on how to protect consumers, so let's follow them," according to a joint statement from Warren and Cummings. "We need to give the FTC more tools to crack down on consumer data abuses and the CFPB needs to do its job, hold these firms accountable, and protect consumers."