GOP Weighs Bill That Would Exempt Equifax From New Data Security Rules


Equifax and other credit agencies and financial institutions would be exempt from consumer notification standards.

As data breaches continue to be a concern the world over, U.S. lawmakers supposedly are looking to enact legislation that will protect consumers and ensure timely notification when sensitive information is compromised.

The Data Acquisition and Technology Accountability and Security Act, introduced by Rep. Blaine Luetkemeyer (R-MO) and Rep. Carolyn Maloney (D-NY), purports to address the issue of consumer protection, but naysayers contend the bill shields businesses at the expense of the public.

Equifax -- the credit agency that sustained a massive breach last year, reportedly affecting 148 million people -- is one company that would benefit from the bill's exemptions.

This week, a congressional hearing was held on a draft bill aimed at creating a national standard for breach notifications. It's a dubious piece of legislation for a number of reasons, not least that it would exclude Equifax and other credit agencies from its requirements.

No less troubling, it would exempt all banks and financial institutions, and would require notification by retailers and other businesses only if they believe there's "a reasonable risk that the breach of data security has resulted in identity theft, fraud or economic loss" to consumers.

By requiring notification only if there is a reasonable risk of harm to consumers, the law grants companies permission to keep breaches under wraps, protecting their reputations and potentially avoiding financial repercussions.

While in some cases it's clear that hackers are profiting from purloined data, frequently there's no immediate evidence of fraud, or no proof that an act of fraud can be tied to a specific breach.

This gives companies ample wiggle room to either go slow or keep mum after a breach, which means consumers can be left in the dark.

Why are banks and financial institutions exempt?

The financial services industry lobbied for the exemption because it is already covered by a separate law, known as Gramm-Leach-Bliley.

It says that if a firm learns it's been hacked, and that "misuse of its information about a customer has occurred or is reasonably possible," the company "should notify the affected customer as soon as possible."

Equifax, and other credit agencies, are treated as financial institutions under U.S. law, affording such companies an exemption along with banks.

But potentially the most significant aspect of the bill is the preempting of state laws that hold companies to stricter consumer notification standards:

On the 23rd of its 24 pages, the federal bill says it "preempts any law, rule, regulation, requirement, standard or other provision having the force and effect of law of any state."

"This is simply an attempt to set weaker laws as the ceiling for what states can do to protect consumers," said Mike Litt, consumer campaign director for the U.S. Public Interest Research Group.

He told me the requirements under the federal bill are so lax that, in many cases, "we wouldn't even know that a breach took place."