Equifax Breach Prompts Data Broker Security Bill

News
By Nathaniel Mott
published

Equifax's recent data breach compromised the personal information of hundreds of millions of people. In response, Senators Richard Blumenthal (D-Conn.), Edward Markey (D-Mass.), Sheldon Whitehouse (D-R.I.), and Al Franken (D-Minn.) introduced the Data Broker Accountability and Transparency Act to hold the data broker industry responsible for the privacy and security of the personal data they collect about consumers.

By now you're probably familiar with the Equifax hack, but here's a quick refresher: The names, addresses, and Social Security numbers of 143 million people were compromised in May because of an Apache Struts vulnerability. A patch was released in March, but Equifax never used it, and that led to this data breach. The company has also come under fire for its protective service's arbitration clause.

Unlike other data breaches, which typically reveal information about people who sign up for the affected services, this hack endangered hundreds of millions of people who probably had no idea Equifax was even a thing. Consumers are the company's product, not its customers. That means 143 million people who unwittingly gave their data to Equifax now have to live with the fear of having their identity stolen or finances drained.

That's why these Democratic senators introduced the Data Broker Accountability and Transparency Act. Here's what they want the act to achieve:

The Data Broker Accountability and Transparency Act allows consumers to access and correct their information to help ensure maximum accuracy. The legislation also provides consumers with the right to stop data brokers from using, sharing, or selling their personal information for marketing purposes. The bill additionally requires data brokers to develop comprehensive privacy and data security programs and to provide reasonable notice in the case of breaches. The legislation empowers the Federal Trade Commission (FTC) to enforce the law and promulgate rules within one year, including rules necessary to establish a centralized website for consumers to view a list of covered data brokers and information regarding consumer rights.

All of those changes would stop companies like Equifax from being a black box into which their customers—and anyone smart enough to exploit a months-old vulnerability or guess the world's worst username / password combo—can peer. The data held by these businesses has a significant effect on people's lives, whether it's because companies base financial decisions on this data or because its theft puts them at risk of fraud.

Just to drive the point home: Nearly half of Americans now have to wonder for the rest of their lives if a company that gathered their personal data without their knowledge or consent didn't take basic security precautions. This bill, which you can read in its entirety here, could help change that. That won't do much to help people affected by the Equifax breach, but maybe it will help prevent a similar episode from occurring again.

Nathaniel Mott
Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

10 Comments Comment from the forums
  • gaknak
    This is a start but does not go far enough. The bill should require data brokers by default to freeze the access to the individuals data except for existing credit card and loan companies that currently do business with the individual. The bill should allow access to temporarily lift the freeze without cost for a reasonable number of times per year. Finally, the bill should make the data brokers to be personally responsible for any financial costs incurred by individuals that are related to a data breech.
    Reply
  • leoscott
    Gaknak:
    You don't even go far enough. It should also provide a legal course where anyone who has loss that can be associated with the data that was lost NOT be required that whoever sues does not have to prove that their losses were a direct result of the specific data loss. I.e., if my identity is stolen and data that is used was in the Equifax data breach, I don't have to prove that the source of the data stolen was in fact the Equifax data breach, just that it could have been.
    Reply
  • Andy_2521
    I have worked with Massdrop personally and they are a bunch of low life cry babies from my experience. They complain about every little thing even when you try to do all you can to help and allocate inventory for them they still cry and complain about something later. They have very bad ethics there from what I can tell.
    Reply
  • Giroro
    A failure to update software is only a small part of the issue. There is truly no such thing as a secure computer system and it's unreasonable to expect something impossible from every company.
    The real problem, is that companies are allowed to amass and profit off of private information in the first place.
    Even the Equifax breach is just the tip of the iceberg. We Americans desperately need a constitutionally guaranteed right to privacy. It's not even an individual rights issue, data breaches of this size are an extreme risk to national security.

    Something like 2 factor authorization on credit approvals would be nice ... but identity theft of an individual is actually not that severe of a consequence when you consider what ISIS and North Korea will almost certainly doing with this data. If you've ever had your fingerprints taken or applied for a government job, all information provided in that process was already stolen years ago. The only way to avoid these hacks, is to limit what these databases are allowed to indefinitely store in the first place.
    Reply
  • Hal-Jordan
    "The Data Broker Accountability and Transparency Act allows consumers to access and correct their information to help ensure maximum accuracy." This was not part of the problem, so it should not be part of the proposed solution.
    Reply
  • th3p00r
    with all the security breached happen and now they just introduce the bills? maybe because those senators' info was on the breach.
    Reply
  • Dadly_Edly
    The problem that hasn't, and probably won't, be addressed is the Social Security Number. If your credit or debit card is stolen, you can get a new one with a new number. It becomes useless to the thief. Once your SSN is stolen, you have no recourse. There is no way to get a new one.
    That is the elephant in the room that everyone is ignoring.
    Reply
  • turbotails23
    This joke of a bill doesn't really do much of anything from the summary. All of the companies that handle our stuff effectively do all of this already--Or risk being removed from the financial institution--After all, our 1% doesn't like their info being exposed.
    Reply
  • Kiers
    Pure Bull. ANYTHING coming out of US Congress is B********.
    Reply
  • th3p00r
    20190798 said:
    Pure Bull. ANYTHING coming out of US Congress is B********.

    they're career politicians. they're working to fatten up themselves, they wouldn't do anything for the people.
    Reply