Little progress following Equifax breach fallout

Exterior of Equifax Corporate Headquarters on Peachtree Street in Atlanta. HYOSUB SHIN / HSHIN@AJC.COM

In the weeks after Equifax disclosed its expansive database of Americans’ most personal information had been hacked, officials on Capitol Hill seethed with rage.

Congressional hearings with Rick Smith, the former top executive of the Atlanta credit bureau, were testy. Lawmakers from both parties vented and wagged their fingers, demanding that something be done to prevent another breach like Equifax's, which exposed the personal data of more than 145 million Americans and was concealed from the public for six weeks after first being discovered.

It has now been six months since the hack was first exposed, and Congress has yet to pass or even debate any major legislation strengthening the country's patchwork of data security laws.

Action on the state level has also been slow to come. Georgia legislators are only now beginning to discuss limited legislation that would make computer hacking a crime and eliminate fees for consumers seeking to freeze their credit reports.

Most activity so far has been limited to legal channels. A rare 50-state class action lawsuit against Equifax will be argued in Georgia, and some notable Atlanta attorneys, including former Gov. Roy Barnes and Peter Canfield, are part of the legal team leading the case against the credit bureau involving consumers and financial institutions.

Georgia Attorney General Chris Carr joined dozens of his counterparts from other states in a probe examining the circumstances surrounding the breach and how it has impacted Georgians. And Atlanta-based U.S. Attorney Byung "BJay" Pak is involved in a parallel federal investigation of the hack.

Legal action so far is focused mainly on the criminals who hacked the company and what Equifax did and didn’t do to protect its data, the reams of personal information that help banks determine who’s worthy of receiving credit to buy homes, cars or to get a credit card.

But when it comes to setting the rules of the road to ensure that such breaches won’t occur again, there is little certainty that lawmakers, particularly on the federal level, will be able to find much consensus.

That leaves consumers exposed to even more hacks.

“In some ways it seems like such a cut and dry issue that should be an easy one to tackle,” said Jason Kratovil, vice president of government affairs for payments at the Financial Services Roundtable, an advocacy group for the financial services industry that has been pushing for data breach legislation. “But when you start to think about it, it’s so big that it is very difficult to get Congress’ arms around it and get something to move.”

Legislative inaction

When Equifax disclosed last September that criminals had accessed the personal information of 145 million Americans — essentially half of the country's adult population — the news sent shudders down the spines of millions.

Dunwoody resident Stephen Patrick said he felt “violated” when he learned of the breach, and he doesn’t understand the lack of action by lawmakers and regulators.

“They are responsible for our personal information. They gather it, they give us a FICO score,” Patrick said, referring to the model used to score credit worthiness. “They’re the ones who dictate what I can and cannot buy.”

Social Security numbers, addresses and birthdays were among the heaps of data stolen. But the punishments have been slow to come — there is no federal cop to regulate how companies protect themselves from this type of digital hacking.

Equifax offered a year of credit monitoring in the wake of the breach, and the company also waived fees for credit freezes and offered a service to “lock” credit files for free.

The company said it has enhanced its security controls and continuously reviews its technology to catch any system flaws. It also said it has changed its corporate structure to boost internal accountability.

“We have been hard at work since the cybersecurity incident, committed to deliver on two top priorities; to strengthen security and to rebuild trust with consumers,” an Equifax statement said. “Cybersecurity is a complex challenge that needs to be faced as an industry.”

Congress has done little since the internet was developed to regulate how companies such as Equifax should collect, store and protect their data.

Forty-eight states have stepped in and developed their own standards. But most, including Georgia, have kept their rules relatively lax.

The patchwork nature of the status quo has tripped up many large corporations, and some have lobbied for a single national standard to cut down on compliance costs and confusion.

But even that call has not led to action from Congress. Businesses and small-government conservatives worry the feds will overregulate, while consumer advocates don’t want a Washington mandate to supplant tighter state-level regulations in places like California.

“One problem is to decide how strict the federal law should be,” said cybersecurity expert Peter Swire, a professor of law and ethics at Georgia Tech’s Scheller College of Business. “Each side has been able to block the others’ goals so far.”

Perhaps the biggest obstacle for lawmakers so far has been infighting among the various sectors that would be regulated by such a law. Those industries, including banking, retail and telecommunications, have been unable to agree on any one approach. Many worry that legislators will not be able to keep up with the newest innovations in technology, or, even worse, stifle the wheels of commerce.

Supporters of a national data breach standard were hopeful that the Equifax hack would be the moment when the stars finally aligned on Capitol Hill after years of stops and starts.

A bipartisan working group of key senators was formed after the breach was disclosed, but it was promptly stymied by turf battles both internal and external. Meanwhile, higher-priority items like immigration and the tax overhaul have siphoned away much of the political oxygen on Capitol Hill.

Idaho Republican Mike Crapo, the chairman of the Senate Banking Committee, said his panel is vetting several different cybersecurity policy proposals, but that there are a number of other issues in the queue that the panel will likely tackle first, such as flood insurance and North Korean sanctions.

“The main thing is that there’s a number of senators who are working on pieces of legislation and we’re in the process of vetting those pieces with them and seeing if there can be a bipartisan agreement somewhere,” he said of data breach legislation.

‘Shouldn’t be trusted’

Liz Coyle, executive director of consumer advocacy group Georgia Watch, bemoaned the lack of progress on Capitol Hill and in state legislatures to tighten enforcement of the credit bureaus. In Georgia, proposed legislation has been introduced that would eliminate fees on consumers for freezing their credit reports.

Another bill designed to outlaw “hacking” in Georgia has caused some angst in the cybersecurity world because of its potential to chill legitimate research into cyber defense. The state is one of a handful where penetrating a computer network isn’t illegal. That bill, however, enjoys the backing of the state’s attorney general.

The true betrayal, in the eyes of Coyle, is the pullback by the Consumer Financial Protection Bureau, or CFPB. The independent federal watchdog, created in the wake of the financial crisis to crack down on abuse by banks and other financial companies, has effectively been neutered under the Trump Administration. Reuters recently reported that acting director Mick Mulvaney, who took a light touch approach to financial regulation and often excoriated the agency as a member of Congress, has pumped the brakes on the CFPB's investigation of Equifax.

“The days of letting these credit reporting agencies self-police, for heaven’s sake, that went out the window a long time ago,” Coyle said. “This industry shouldn’t be trusted to regulate themselves.”

The Federal Trade Commission has announced it is also investigating Equifax through its authority to protect consumers against unfair and deceptive practices as it relates to data security.

Equifax said it is “cooperating” with regulators, federal agencies and legislators.

“We have been briefing federal and state regulators and agencies to ensure they are abreast of developments,” a company spokesperson said. “Additionally, we are committed to working with different groups to explore ways to work together as an industry to strengthen identity theft protection and to combat cybersecurity issues.”

Georgia in a ‘leadership role’

In July, Equifax alerted the FBI to the breach. The federal investigation continues.

In an interview in January, U.S. Attorney Pak, who oversees the Northern District of Georgia, acknowledged the ongoing hacking investigation and said his office is “very involved in it,” but he declined to discuss any specifics of the probe.

The northern district is among the nation’s top prosecutors of cybercrime. The office has charged 14 people, for instance, in association with a 2008 hacking of payment processor Worldpay, which has its U.S. hub in Atlanta.

The cases are complicated. Hackers often hide their tracks using servers across the globe. It’s up to investigators to track the cyber breadcrumbs to find the perpetrators.

Once suspects are identified, then comes another vexing challenge: how to apprehend the alleged hackers, who often operate in nations without strong judicial assistance treaties with the U.S.

“The challenge of course is not the complexity of how they did it, you can figure it out, it’s the extra-territorial nature of cybercrime,” Pak said, speaking about complex cybercrimes in general and not solely Equifax. “Some of them are state-sponsored hacking. Others are people based in countries that we do not have very good legal mutual assistance treaties and relationships.

“That adds additional complexity from a traditional criminal prosecution case,” he said.

Carr also wouldn’t discuss the specifics of the state attorneys general investigation, but he did say Georgia was taking a “leadership role” as a member of the probe’s executive committee. He said the group is also cooperating with businesses and the federal government.

“At the 50,000-foot level, we need to determine what occurred in this particular breach so that we can ensure that the law was followed,” Carr said in an interview. “And then we have an obligation to learn and to employ those lessons for the future. The ultimate justice needs to be to protect those people of goodwill that… through no fault of their own, [had their] information breached.”

‘Urgent need’

Credit bureaus such as Equifax, TransUnion and Experian are vital cogs in the global financial system. Not only are they the gatekeepers to help bankers determine who to give loans to, but they also weigh in when you’re seeking a job, rental housing or insurance, helping companies verify whether you are who you say you are.

Equifax holds data on when someone misses credit card payments and when they’re late on their mortgage. The company also likely knows people’s immigration status.

Last week, new revelations emerged that more consumer information was accessed than Equifax previously acknowledged.

The additional information includes email addresses and phone numbers that could leave consumers vulnerable to so-called “phishing” scams, according to the U.S. Public Interest Research Group.

“Why did it take Equifax so long to disclose this additional stolen information? And why hasn’t Equifax directly notified consumers about this yet?” Mike Litt, consumer campaign director with U.S. PIRG, said in a news release. “In addition to raising more questions over Equifax’s many failures, these new revelations show the urgent need for action.”

Summary of the Equifax breach

Equifax disclosed the hack in September, but the cyber-heist’s roots stretch back to early March 2017 when the U.S. Department of Homeland Security alerted Equifax of the need to patch a vital software application used on its websites and those of many major companies.

Former Equifax Chairman and CEO Rick Smith told Congress in October the alert was sent the next day via email to the Equifax personnel who oversee security of the application, known as Apache Struts. It’s Equifax’s policy that such security updates be made within 48 hours.

But in this case, it wasn’t.

That vulnerability allowed hackers to access some of the most valuable and sensitive personal information on the planet.

A week after Equifax first received the Apache Struts alert from DHS, a scan that “should have identified any systems that were vulnerable” didn’t, leaving the vulnerability in place, Smith told Congress in October. Equifax didn’t notice suspicious activity within its systems until July 29.

Equifax has said hackers gained access to the company’s systems from May 13 to July 30 of last year.
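The sequence above describes two separate failures: a patch that missed the company's own 48-hour window, and a scan that never flagged the still-vulnerable system. The following added example (not Equifax's code, and not tied to any real Apache Struts release) reconciles a constructed asset inventory against a constructed scan report so that both gaps show up: hosts past the patch deadline, and vulnerable hosts the scanner never reached at all. Hostnames, version strings and timestamps are placeholders.

```python
# Added example: inventory-vs-scan reconciliation for a patch-SLA check.
# All data below is constructed; versions are placeholders, not real releases.
from datetime import datetime, timedelta

PATCH_SLA = timedelta(hours=48)  # the patch window the article cites

# Constructed inventory: host -> framework version it currently runs.
INVENTORY = {
    "web-01": "4.2.1",
    "web-02": "4.2.0",   # older than the fixed release
    "web-03": "4.1.9",   # older, and the scanner never reached it
    "web-04": "4.3.0",
}
FIXED_VERSION = "4.2.1"  # placeholder for the release named in the advisory

# Constructed scan report: only hosts the scanner actually reached appear.
SCAN = {"web-01": "ok", "web-02": "vulnerable", "web-04": "ok"}

ADVISORY_SENT = datetime(2017, 3, 8, 9, 0)   # placeholder for "early March"
CHECK_TIME = datetime(2017, 3, 15, 9, 0)     # a week later, as in the article


def parse_version(v):
    """Turn '4.10.2' into (4, 10, 2) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


def reconcile(inventory, scan, fixed_version, advisory_sent, now):
    """Return the gaps a defender needs to close, keyed by category.

    blind_spots are vulnerable hosts absent from the scan: a scan that
    never reached them could not have identified them, whatever it reported.
    """
    fixed = parse_version(fixed_version)
    out = {"unpatched": [], "sla_breached": [], "unscanned": [], "blind_spots": []}
    for host, version in sorted(inventory.items()):
        vulnerable = parse_version(version) < fixed
        if vulnerable:
            out["unpatched"].append(host)
            if now - advisory_sent > PATCH_SLA:
                out["sla_breached"].append(host)
        if host not in scan:
            out["unscanned"].append(host)
            if vulnerable:
                out["blind_spots"].append(host)
    return out


if __name__ == "__main__":
    result = reconcile(INVENTORY, SCAN, FIXED_VERSION, ADVISORY_SENT, CHECK_TIME)
    for category, hosts in result.items():
        print(f"{category}: {hosts}")
```

The point of the inventory join is that a scanner's "clean" report is only meaningful for hosts it covered; reconciling against the asset list is what turns silence into a finding.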

Key players

-Credit bureaus: Equifax and its two major competitors, TransUnion and Experian, dominate the business of collecting information about a person's credit-worthiness and then selling it to banks, landlords, credit card companies and others. They are an integral part of the country's financial system, and had previously fought government attempts to regulate aspects of their operations, including data collection and protection.

-Georgia officials: State Attorney General Chris Carr has joined dozens of his counterparts from other states to probe Equifax's actions. He has also endorsed legislation advanced in the state Senate by Bruce Thompson, R-White, that would make it a crime to hack or log into a computer without permission. Other state officials to watch are Congressmen David Scott, D-Atlanta, and Barry Loudermilk, R-Cassville, who sit on the House Financial Services Committee, the panel that will likely be integral to any final data breach legislation. Ahead of the hack, Loudermilk authored legislation that sought to curb the use of class action lawsuits against companies such as Equifax, a measure that has since been effectively abandoned.

-Federal judiciary: There is a federal investigation into the Equifax breach, and Atlanta-based U.S. Attorney Byung "BJay" Pak, who oversees the Northern District of Georgia, has acknowledged his office is "very involved" in that probe. Little is known about what specific angles are being pursued, but Georgia's northern district is among the nation's top prosecutors of cybercrime.

-Trump administration: While the Trump administration has largely pursued a deregulatory agenda since arriving in Washington, it has also backed some federal cybersecurity initiatives. The Justice Department has reportedly opened a criminal investigation into the former Equifax officials facing insider trading allegations, while the Federal Trade Commission is probing the company through its authority to protect consumers against unfair and deceptive practices as it relates to data security. But Reuters also recently reported that Mick Mulvaney, the acting director of the Consumer Financial Protection Bureau, has effectively slow-walked the agency's Equifax investigation.

-Interest groups: Federal data breach legislation would impact a vast cross-section of industries, from telecom to retail to banking, all with their own interests. The inability to get those sectors behind a single plan has stymied past attempts to move cybersecurity legislation. Some cybersecurity experts said they were encouraged when nearly two-dozen trade groups representing bankers, credit unions and others recently wrote to a key House committee asking for new data security legislation. Separately, other interests such as consumer advocates and privacy groups have lobbied against past bills because of respective fears of federal overreach or Congress supplanting more rigorous state laws.

-Congress: Georgia's lawmakers have trodden carefully since the Equifax breach, given that the credit bureau is one of the state's largest corporations and a major Atlanta employer. U.S. Sens. Elizabeth Warren, Sherrod Brown and other Senate Democrats have pushed particularly hard for steep penalties for Equifax and its former executives. Key players also include the Republican chairmen of the House and Senate committees that have partial jurisdiction over the issue, including House Financial Services leader Jeb Hensarling of Texas and Mike Crapo, who heads the Senate Banking panel.

The Story So Far

Previously: In September, Equifax announced a breach of its network and ultimately revealed that the personal information of more than 145 million Americans had been exposed.

The latest: The Consumer Financial Protection Bureau reportedly pulled back on its investigation of the company, and little progress has been made by lawmakers or regulators in coming up with fixes to prevent future breaches.

What's next: Investigations continue by the attorneys general of the 50 states and the federal government. A nationwide class action lawsuit against Equifax also is in progress.