09.12.17

Peters Urges the Federal Trade Commission to Investigate Equifax’s Breach by Hackers

WASHINGTON, D.C. – U.S. Senator Gary Peters (MI), a member of the Commerce, Science, and Transportation Committee, sent a letter urging the Federal Trade Commission (FTC) to investigate whether Equifax misled consumers with false claims of cybersecurity integrity and failed to maintain adequate security protocols to protect consumer data in light of a breach that exposed the personal information of 143 million Americans.

“Beyond merely compromising the personal data of millions of consumers, the breach poses a significant threat to the economic security of American citizens. The creditworthiness determinations of companies such as Equifax directly affect a consumer’s ability to secure loans, buy a vehicle, find housing, and gain employment,” wrote Senator Peters. “Based on Equifax’s disclosure of this breach and the potential volume of affected consumers, I respectfully urge the FTC to immediately initiate an investigation into whether Equifax failed to establish and maintain a comprehensive information security program to protect consumers’ sensitive personal information.”

The letter follows the September 7th disclosure that Equifax had been breached by hackers, potentially compromising the sensitive personal information of 143 million consumers, including social security numbers, home addresses, and driver’s license numbers. According to the FTC’s cybersecurity guidance, companies with personal information must take steps to safeguard their data. The FTC regularly investigates the data security practices of companies that have access to consumers’ sensitive personal information.

The text of the letter is copied below:

September 8, 2017

The Honorable Maureen K. Ohlhausen
Acting Chairman
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580

Dear Acting Chairman Ohlhausen:

I write to express my concern regarding Thursday’s disclosure that Equifax, one of the three major clearinghouses for Americans’ credit histories, had been breached by hackers – potentially compromising the sensitive personal information of 143 million consumers, including social security numbers, home addresses, and driver’s license numbers. 

Beyond merely compromising the personal data of millions of consumers, the breach poses a significant threat to the economic security of American citizens. The creditworthiness determinations of companies such as Equifax directly affect a consumer’s ability to secure loans, buy a vehicle, find housing, and gain employment. Unlike previous breaches at Target and Yahoo, Equifax’s unique role in the financial sector makes this breach far more concerning. For example, Equifax is entrusted with protecting much of the identity management data used by companies to recover personal information in the event customers lose access to their accounts or in response to external security breaches. In addition, many consumers will find their data compromised despite their only interaction with Equifax being through a third-party intermediary, perhaps through a loan application, housing application, or employment background check.

According to Federal Trade Commission (FTC) cybersecurity guidance, companies with personal information must take steps to safeguard their data; otherwise, that information could fall into the wrong hands, resulting in fraud and other harm. The stated touchstone of the FTC’s approach to data security is reasonableness, which means a company’s data security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities. Based on Equifax’s disclosure of this breach and the potential volume of affected consumers, I respectfully urge the FTC to immediately initiate an investigation into whether Equifax failed to establish and maintain a comprehensive information security program to protect consumers’ sensitive personal information. 

Equifax claims to have built their reputation on their commitment to protect the privacy and confidentiality of personal information about consumers and businesses. In addition, Equifax maintains that safeguarding the privacy and security of consumer information, both online and offline, is a top priority. Equifax’s statements are backed by a global ISO 27001 security certification. Nevertheless, this breach provides potential evidence that Equifax has failed to adequately safeguard consumer data. This, coupled with corporate leadership’s failure to report the event in a timely, responsive manner, compels me to request that the FTC investigate whether Equifax has misled consumers with false claims of security integrity. I believe the statements and practices of Equifax may constitute unfair or deceptive acts or practices affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).

I acknowledge that further investigation is required to determine the full scope, scale, and impact of this breach to the 143 million American consumers potentially affected by this event. But, given Equifax’s role as a trusted data steward for millions of consumers and thousands of financial institutions and businesses, these questions require fact finding and detailed analysis. I appreciate your consideration.