Bureau Of Internet And Technology Discusses Investigation Into Equifax Data Breach, Importance Of State Enforcement Of Data Security Regulations.
New York, NY - October 25, 2017 - Today, Attorney General Eric T. Schneiderman’s office testified about data security at the House Financial Services Committee’s hearing on the Equifax data breach.
The Attorney General’s Bureau of Internet and Technology Bureau Chief Kathleen McGee highlighted Attorney General Schneiderman’s response to the Equifax breach:
“The Equifax data breach was unprecedented in scale and severity, affecting the private information of 145 million Americans, including more than 8 million New Yorkers. Our office acted immediately, launching a formal investigation of Equifax and pressing the company on a number of issues – including a delay in notifying consumers of the breach, a forced arbitration clause in free credit monitoring contracts, and the failure to provide Spanish-language customer service to consumers affected by the breach. Following conversations with our office, Equifax addressed all of those issues and later agreed to provide consumers the ability to lock and unlock their credit file for life. We also contacted the other major credit bureaus – TransUnion and Experian – to discuss their data security,” McGee testified.
“We have also been in touch with numerous other state AG’s offices – since we states often lead in consumer protection and data breach matters – as well as various federal agencies. While I cannot share details from ongoing investigations, I can say we are getting to the bottom of the Equifax breach and will ensure that all credit bureaus take effective steps to protect the sensitive information that millions of Americans have entrusted to them.”
Attorney General Schneiderman has provided New Yorkers with tips on protecting personal information following the Equifax data breach, which can be found here.
McGee also underscored states’ central role in protecting consumers and data and enforcing data security regulations – in instances of both megabreaches, such as Equifax, and smaller breaches that occur within states each year. McGee noted the success of states’ responses: “New York and other states used a well-established process to coordinate enforcement efforts against companies that violated consumer trust with inadequate data security. As a result, the states obtained not just data security reforms through injunctive relief, but also large civil penalty recoveries that are essential to deterring other companies from violating consumer trust through lax security practices.”
States occupy a leading role when it comes to enforcement, and McGee addressed the need for legislation and innovation to continue at the state level. “The law must be able to keep pace with the ever-increasing rate of change in technology. States have proven the ability to act quickly in that regard – from both legislative and enforcement perspectives. In contrast, bills have been proposed in Congress for many years but, for one reason or another, enactment has proven elusive. Even if a federal law were enacted, it could prove difficult to amend and would fall far behind new technologies that will inevitably continue to emerge. Thus, even a federal law providing the most stringent protections based on current state requirements will leave consumers more and more vulnerable over time.”
With first-hand experience policing data security in New York, the Attorney General’s Office has successfully avoided both “underenforcement that would leave consumers unduly vulnerable and overenforcement that would create undue burdens on local businesses.” McGee concluded by urging the Committee to ensure that any legislation they consider meets certain requirements vital to protecting states’ innovative role in consumer data protection, including that any new federal requirements not preempt state law, must be enforceable by state attorneys general in addition to a federal agency, and any federal penalties or other monetary relief must also be recoverable by the states.