An official for the trade group representing credit reporting agencies told a panel of New York lawmakers at a hearing on cybersecurity Tuesday that the state already has sufficient regulations in place and policymakers should be focusing instead on how to prevent the attacks.
Eric Ellman, the senior vice president of public policy and legal affairs at the Consumer Data Industry Association, based in Washington, D.C., told a panel of members of the state Senate that in light of the Equifax breach, lawmakers may be “tempted to grasp headlines” but should be focusing on mitigating cybersecurity threats.
“What I would encourage your committee and your colleagues to consider is to focus on things that will actually prevent cybersecurity breaches. And while it may be tempting to grasp headlines and go for emotional arguments, I would strongly encourage all of your colleagues to take a step back and hit pause and figure out what can actually be done to solve whatever problems might occur,” Ellman told the panel.
In September, Atlanta-based Equifax Inc. announced that hackers had gained access to sensitive personal information on roughly 143 million Americans—later increased to 145.5 million—and 209,000 individuals’ credit card numbers. Following the breach, which affected roughly 8 million New Yorkers, Attorney General Eric Schneiderman’s office and the Department of Financial Services opened up investigations into the consumer credit monitoring company seeking more information about the breach (NYLJ Sept 28). The Federal Trade Commission made the rare disclosure that it was also investigating the data breach. And on Tuesday, the U.K.’s Financial Conduct Authority disclosed that it, too, is investigating after the breach affected as many as 694,000 British people, originally announced as fewer than 400,000, according to the BBC and other news sources.
Less than two weeks after news of the security breach, Gov. Andrew Cuomo proposed new regulations that would subject companies like Equifax, Transunion and Experian to the same cybersecurity rules the state enacted for banks and insurance companies (NYLJ Sept. 18) earlier this year. The requirements under the proposed rule would mandate that consumer credit reporting agencies have DFS-approved plans to deter cyberattacks and report any such attack within 72 hours of the occurrence.
At the hearing held by New York state Senate’s committee on government operations and investigations in New York City, state Sen. Terrence Murphy, a Republican representing part of the lower Hudson Valley, asked what the industry could learn from the Equifax breach.
“Make sure you have a full inventory of hardware and software assets. Make sure that there are people and systems in charge and fully aware of what holes might exist in those hardware and software systems in your inventory, what can be done and what can be done quickly to try and patch any holes that occur,” Ellman responded.
State Sen. Brad Hoylman, a Manhattan Democrat, asked Ellman whether he was supportive of the Cuomo administration’s proposed regulation to have the credit reporting industry be regulated by the state, calling the consumer reporting credit industry a “donut hole.”
“I’m not sure that we’re a donut hole as much as a bullseye,” Ellman responded.
“If there are going to be rules, regulation, it should be focused on actually solving a problem and I think to some degree, perhaps to a large degree, the proposed regulations are a solution in search of a problem,” Ellman later said.