The CFPB and Data Breaches, Plus WSJ: Equifax Hack Drives GOP Bill to Overhaul Credit Bureaus

by Jeff Sovern

The WSJ article is here.  Excerpt:

Rep. Patrick McHenry of North Carolina introduced a bill to require the three major credit firms—Equifax, Experian PLC and TransUnion—to submit to regular federal cybersecurity reviews for the first time. All three companies also would have to phase out their use of Social Security numbers to verify consumers’ identities by 2020.

* * * 

Separately, Sen. Mike Crapo (R., Idaho), chairman of the Senate Banking Committee, asked federal banking regulators if they needed more authority to supervise the credit-reporting firms to ensure they adequately protect consumer data. “I am concerned there may be a regulatory gap with respect to supervision of credit reporting agencies for data security standards,” Mr. Crapo wrote in a letter to the heads of the Federal Reserve, Office of the Comptroller of the Currency and Federal Deposit Insurance Corp.

On a related point, it looks as if the CFPB has very limited jurisdiction over the Equifax data breach, if it has any jurisdiction at all, as Ed Mierzwinski pointed out in a comment earlier in the week (I had observed that critics had complained about the Bureau's failure to stop the Equifax breach, noting that "I haven't checked to verify that the Bureau has authority over data breaches at financial institutions, though others have argued that it does."). That conclusion comes from 15 USC 6801, which provides (emphasis added):

(a) Privacy obligation policy
It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.
(b) Financial institutions safeguards
In furtherance of the policy in subsection (a), each agency or authority described in section 6805(a) of this title, other than the Bureau of Consumer Financial Protection, shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards—

(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
Section 6804 gives the power to promulgate regulations in the area to the FTC. I've seen claims that the Bureau could use its UDAAP powers against Equifax, so maybe there's something I'm missing, but I'm skeptical. Usually in statutory interpretation, the specific (here, the exclusion in section 6801) controls the general (the UDAAP powers). Going back to the WSJ article, it's interesting that Senator Crapo does not appear to have written to the FTC, though perhaps he did and the WSJ didn't report it.
