by Jeff Sovern
Equifax is, as expected, turning into a huge consumer protection story and as with many such stories, it is generating so much news that not only is it hard to keep up, it seems easier to give up. Still, I wanted to direct our readers to a report in the Times, Equifax Breach Prompts Scrutiny, but New Rules May Not Follow with predictions about what will change in the legal landscape. The prediction: not much. Here's an excerpt:
Regulators aren’t likely to fill the void. The F.T.C., which oversees data protection, can’t dole out big financial punishments. While the consumer bureau has shown a willingness to take on the industry, the agency is mainly focused on the accuracy of the data and the products that are sold to consumers.
“I have no reason to believe that this Congress has the capacity or will to actually legislate on those issues,” said Isaac Boltansky, an analyst at Compass Point Research & Trading. “The most we could see passing is targeted legislation aimed at enhancing consumer protections following identity theft.”
* * *
While forty-eight states have passed security breach notification laws, calls for a nationwide standard have repeatedly fizzled. And Equifax has been a powerful force in the legislative and regulatory arena.
Equifax spent $1.1 million on lobbying last year, * * *
Meanwhile, Equifax's chief information officer and chief security officer are leaving and Senator Wyden has introduced a bill to provide all consumers free credit freezes.
We need to be wary of a preemptive federal breach notification bill with sweeping impact. For years, industry has been trying to pass one. Of course, the bill would go much further than merely eliminating stronger state breach laws that provide for notifications more immediately and define harm much more broadly than they would like. No, industry broadly seeks to eliminate as much state authority over privacy and data security as they can get.