Equifax Hack Drives GOP Bill to Overhaul Credit Bureaus -- Update

Top congressional Republicans on Thursday made the first significant moves to boost federal oversight at credit-reporting firms in response to the massive hack disclosed by Equifax Inc. last month.

Rep. Patrick McHenry of North Carolina introduced a bill to require the three major credit firms -- Equifax, Experian PLC and TransUnion -- to submit to regular federal cybersecurity reviews for the first time. All three companies also would have to phase out their use of Social Security numbers to verify consumers' identities by 2020.

Mr. McHenry's sponsorship of the legislation is significant. As a deputy GOP whip, he holds significant sway among House Republicans. The bill is an important starting point for the House Financial Services Committee as it considers a legislative response.

Separately, Sen. Mike Crapo (R., Idaho), chairman of the Senate Banking Committee, asked federal banking regulators if they needed more authority to supervise the credit-reporting firms to ensure they adequately protect consumer data. "I am concerned there may be a regulatory gap with respect to supervision of credit reporting agencies for data security standards," Mr. Crapo wrote in a letter to the heads of the Federal Reserve, Office of the Comptroller of the Currency and Federal Deposit Insurance Corp.

A spokesman for the Fed and a spokeswoman for the FDIC confirmed the agencies received Mr. Crapo's letter and planned to reply. A spokesman for the OCC didn't immediately respond to a request for comment.

Representatives for the three credit-reporting firms didn't respond to requests for comment. A person familiar with their thinking said the companies support some aspects of the bill sponsored by Mr. McHenry, including the heightened supervision.

The lawmakers' moves come after a series of hearings in the House and Senate last week featuring former Equifax Chief Executive Richard Smith. Mr. Smith repeatedly apologized for the hack and said the company didn't initially understand its severity.

The Equifax hack "exposed a major shortcoming in our nation's cybersecurity laws and Congress must act," Mr. McHenry said in a written statement.

Equifax disclosed last month that data belonging to about 145.5 million Americans was potentially compromised by hackers who began digging through its computer network this spring. The hack remained undetected until an internal security team discovered the breach in late July.

The attack, which is being probed by the Federal Bureau of Investigation, is one of the most significant data breaches ever given the scope of the information disclosed: names, addresses, birthdays and Social Security numbers. Customers and regulators have raised questions on whether Equifax took sufficient measures to protect such sensitive information.

Mr. Smith expressed support for the idea of phasing out the use of Social Security numbers, saying policy makers might need to think about how secure the numbers are and if they are the best identifiers going forward.

The move to replace Social Security numbers as a form of identification is in its early stages, but also has the support of the Trump administration. Rob Joyce, the White House's cybersecurity coordinator, said at a conference last week that the Social Security number had "outlived its usefulness" and that the current system was "untenable." The White House has launched a working group to explore reducing government use of Social Security numbers to verify people's identities, a senior administration official said last week.

The Equifax hack is viewed as far more serious than past data breaches at private companies because people's Social Security numbers and birthdays cannot be changed after they are compromised, unlike passwords or credit card numbers.

Experts have for years warned about the vulnerability of the Social Security number and urged government entities and businesses to shift toward other means of personal authentication. The National Institute of Standards and Technology, a government agency, in June revised its guidelines for best practices for digital identity verification, excluding the Social Security number entirely.

Mr. McHenry's legislation leaves it up to the companies to formulate a more-modern method of identification, in an effort to spur the companies to innovate, according to a summary of the legislation reviewed by The Wall Street Journal.

The legislation doesn't specify which federal agency will inspect cybersecurity at the companies. Rather, the bill leaves it up to a panel of bank regulators, the Federal Financial Institutions Examinations Council, to designate one of the federal banking agencies as the future supervisor of the three major credit-reporting companies. The council, whose members include the Federal Reserve and the Office of the Comptroller of the Currency, also would set uniform cybersecurity supervision and examination procedures, according to the summary.

At present, the Consumer Financial Protection Bureau, which is also a member of the council, can oversee consumer-facing issues at the credit-reporting companies -- such as reporting errors -- but doesn't have the authority to supervise the companies' cybersecurity.

Another plank of the bill aims to set a more streamlined system for so-called credit freezes, which prevent a new creditor from accessing a consumer's credit report and block anyone from opening a new line of credit in the name of the consumer who enacted the freeze. The provision would require the companies to provide free credit freezes for certain groups of consumers, including the victims of identity theft, minors and people older than 65.

Write to Andrew Ackerman at andrew.ackerman@wsj.com

(END) Dow Jones Newswires

October 12, 2017 14:38 ET (18:38 GMT)