Energy and Commerce Committee Ranking Member Frank Pallone, Jr. (D-NJ) delivered the following opening remarks today at a Subcommittee on Digital Commerce and Consumer Protection hearing on “Securing Consumers’ Credit Data in the Age of Digital Commerce:"
I’m glad we are holding this hearing, and I hope the committee will focus on how the practices of the credit reporting and data collection industries affect consumers. But today’s hearing should not take the place of additional hearings on the data breach at Equifax. Too many questions remain unanswered. And that’s why every Democratic Member of this Subcommittee wrote to you, Mr. Chairman, requesting additional hearings with current Equifax executives.
The Equifax breach exposed more than 145 million Americans to lifelong threats resulting from their personal information being exposed. Equifax says that it is “taking responsibility" for its failures. But Equifax is only providing victims with protections for one year. It refuses to give people meaningful control over how Equifax shares and sells the personal information that it collects. That’s not “taking responsibility." It’s taking advantage.
Consumer reporting agencies collect vast amounts of personal information on almost every American, including children. This is the information that determines whether someone gets a job or a new home, or can afford medical care. And these companies are data brokers too, selling all of that information to advertisers and others.
You and I are not their customers. We are the product. These companies make their money selling our information to other companies, often without our knowledge and certainly without our approval. So they have no reason to limit the information they collect, to limit sharing or selling of that information, or to properly secure it.
Cyberattacks happen on an hourly basis, with more than eleven-hundred this year alone. Consumer reporting agencies and data brokers make rich targets for hackers because of the sensitivity and quantity of information they hold. And those companies know it. In fact, it was reported that Equifax was warned by a security researcher in late 2016 that Equifax was vulnerable to attack. Equifax did nothing and had no incentive to do anything.
Right now, there are gaping holes in the laws and regulations when it comes to collecting and securing our personal information. The bill that Ranking Member Schakowsky and I introduced, the Secure and Protect Americans’ Data Act, would close some of those holes. It would provide the Federal Trade Commission with the authority to assign monetary penalties against companies that fail to protect personal information or who fail to provide timely and meaningful notice to consumers that their information has been stolen. It would also give additional protections to victims after a breach. The bill would require that companies that failed to secure individuals’ personal information provide free credit freezing or locking to a victim for at least 10 years after a breach.
We also need to reexamine this industry’s approach to consumer protection, including on issues like forced arbitration, and the federal government’s examination or auditing of these companies. We should also look at freezing credit reports by default, ensuring the data that is collected is actually correct, and give people control over their own personal information.
In our hearing on the Equifax breach, Chairman Walden said that we “can’t fix stupid," but we have seen over and over again that breaches are not the result of stupidity. They happen because these companies choose not to invest in security. Ultimately, it’s the American people that pay the price for that choice.
Thank you, I yield back.
