The government needs to get tougher on financial institutions that endanger consumer data, as occurred in the recent Equifax breach, according to testimony at a Senate Banking, Housing, and Urban Affairs Committee hearing.
“While financial technology covers many different activities, all those activities rely on the responsible use and careful protection of data,” said Sen. Sherrod Brown, D-Ohio. “In the case of Equifax, that didn’t happen. Americans are now forced to worry whether the information that the hackers stole will have lasting impacts, from outright theft to damaged credit. I want to make sure that companies that use our private data are held accountable for its protection.”
Frank Pasquale, professor of law at the University of Maryland Francis King Carey School of Law, argued that companies that fail to adequately defend consumer data should have their access to that data revoked.
“I think this breach really ought to be a watershed, and we ought to really reconceive how we regulate this area. I think existing approaches are failing,” said Pasquale. “If you have a doctor, for example, in the States repeatedly committing malpractice, they lose their license. If you have a lawyer that shirks duties to clients, etc., they will lose their license. I think we really have to think seriously about licensing certain entities, as we do with the corporate level, with respect for the consumer finance information, because we have seen so many instances of failure here. And I think repeated instances of failure should lead to a revocation of such a license.”
Other witnesses advocated for nationwide standards for personal data cybersecurity.
“I think if we did have some sort of nationwide standard around cybersecurity, we could prevent instances like this in the future,” said Eric Turner, research analyst for S&P Global Market Intelligence.
Witnesses did applaud the work some parts of government were doing to examine and promote cybersecurity in financial technology, or fintech, such as an April 2017 Government Accountability Office report on fintech and the proposed Cybersecurity Disclosure Act of 2017, introduced by Sen. Jack Reed, D-R.I., in March.
“As the recent Equifax hack shows, concentration of information in almost any firm creates great risks to consumers,” said Pasquale. “Improving financial cybersecurity should be an essential goal of fintech policy, and I applaud the GAO for highlighting security issues in its report, as well as proposals by Sen. Reed to require cybersecurity expertise at large firms.”
However, witnesses also said that new fintech, developed entirely in a digital environment, can often be more secure than traditional financial institutions, which struggle with legacy systems.
“I think that fintech companies in general are pretty advanced when it comes to cybersecurity,” said Turner. “I think a lot of the problems lie in the fact that our banking system is a product of decades’ worth of consolidation. There are a lot of fractured technology systems, physical servers, and things where it’s hard to comply and keep an eye on cybersecurity when you’re really trying to keep these old systems running on a day-to-day basis.”
“The recent Equifax data breach reminds us of the critical need to ensure that areas like cyber and data security are given proper attention,” said Sen. Mark Crapo, R-Idaho.