Before the breach, Equifax sought to limit exposure to lawsuits

Washington Post

Before Equifax discovered a massive computer breach that exposed sensitive information about millions of Americans, the company lobbied Congress on legislation to limit how much it could be forced to pay if sued by consumers, and it pressed lawmakers to roll back the powers of its regulators.

Since at least 2015, the credit reporting agency has repeatedly lobbied lawmakers on issues related to "data security and breach notification," according to federal disclosure forms. Those issues are likely to take center stage now as the company deals with the outcry over its decision to wait six weeks before notifying the public about a cybersecurity attack that exposed the Social Security numbers, driver's license information and other personal data of 143 million people.

The company's spending on lobbying peaked at $1.1 million last year, and Equifax has spent $500,000 already this year, according to data collected by the Center for Responsive Politics.

The industry's efforts have come as the Trump administration has made loosening regulations a key priority and Republicans have pushed to pare the powers of one of the credit agencies' key regulators, the Consumer Financial Protection Bureau.

The industry, including Atlanta-based Equifax, appeared to be making headway earlier this year when a Georgia congressman introduced legislation that would limit the damages companies could be forced to pay if sued.

The legislation would "strike a fair balance," putting the penalties credit reporting agencies could face under the Fair Credit Reporting Act on par with what firms face under other laws, said Republican Rep. Barry Loudermilk said at a Sept. 7 hearing on the proposal. He noted that legislation had significant support from various groups, including the Consumer Data Industry Association, which represents the credit bureaus.

The timing of the hearing proved awkward: Equifax announced later that day that it had suffered a massive hack that put millions of people at risk of identity fraud. The company said its security team first observed suspicious activity July 29 and that it hired a cybersecurity firm to conduct a forensic review on Aug. 2.

Equifax said it made its findings public "as soon as the company understood the potentially impacted population."

The delay sparked a backlash, including criticism that Equifax had fumbled its response to the breach, leading Loudermilk to abandon the bill. The legislation was not a giveaway to Equifax and the other credit bureaus, as some critics complained, he said in a statement. But "given the unfounded attacks on me and the rampant misinformation circulating about this legislation, the Financial Services Committee has not scheduled further action any bill at this time," Loudermilk said.

The legislation would have addressed one of the industry's biggest issues. The number of class-action lawsuits filed under the Fair Credit Reporting Act has increased 1,700 percent over the past 20 years, according to the U.S. Chamber of Commerce, which also supported the bill. And the industry has faced some expensive court losses recently, including in June, when a jury awarded more than a dozen plaintiffs $60 million after finding that Chicago-based TransUnion didn't take reasonable steps to prevent them from wrongly being identified as potential criminals or terrorists on their credit reports.

TransUnion called the jury's award "grossly excessive" in court documents and said it would more than wipe out the profit it earned the year of the alleged misconduct. It is fighting to reduce the award or win a retrial.

The industry has been attempting to cap such liabilities for years, said Francis Creighton, chief executive of CDIA, the industry trade group. "We have been working on getting it done for a long while. We spent last Congress working within the industry to get it done" before Loudermilk introduced the legislation this year, he said.

"We continue to believe it's good legislation and that we should pass it. It has nothing to do with the incident that happened" with Equifax, he said.

"We were just trying to harmonize this one statute with the rest of the banking law. It didn't seem like something that controversial to us."

Equifax did not directly address the failed legislation, but it said in a statement that it "works to ensure that new legislation captures the benefits of credit reporting to the U.S. economy, as well as the effects of certain regulation on the financial system. We believe in fair industry regulation and advocating for policies that protect consumers' rights, as well as the integrity of the consumer data industry."

That balance is likely to tip in favor of the regulators in coming weeks and months. Equifax is already facing dozens of proposed class-action lawsuits, and Sen. Elizabeth Warren, D-Mass., has introduced legislation aimed at cracking down on credit bureaus. The Federal Bureau of Investigation, Federal Trade Commission and the Consumer Financial Protection Bureau have all said they are looking into the breach. Equifax chief executive Rick Smith is set to testify before Congress on the breach Oct. 3.

"It is just the opening salvo," Jaret Seiberg, an analyst with Cowen and Co.'s Washington Research Group, said in a recent report. "We would expect other lawmakers to introduce bills that more directly attack how credit bureaus operate. Debate over those bills may stretch well into 2018."

The industry, which has long been marred by complaints that their reports are full of mistakes that consumers struggle to fix, already falls outside many of the most aggressive regulatory structures. The FTC and the Consumer Financial Protection Bureau regulate different aspects of the credit reporting companies, but it is still far less rigorous than what even small banks face, consumer advocates say.

"Credit reporting companies serve as a major piece of our financial infrastructure in America but face less regulatory scrutiny," said Rohit Chopra, a former assistant director at the Consumer Financial Protection Bureau and now a senior fellow at the Consumer Federation of America. "A small regional bank might face far more intensive scrutiny compared to a credit reporting agency that touches far more consumers."

This has been updated to correct the last name of Equifax chief executive Rick Smith.

Copyright © 2017, The Virginia Gazette
61°