Consumer Reports submitted comments to the Federal Trade Commission on proposed updates to the Safeguards Rule, which requires reasonable security procedures for financial institutions.
The key factor in preventing future data breaches is to ensure that the potential consequences of a breach properly incentivize companies to keep data secure. The Equifax data breach was one of the worst in United States history: over 145 million consumers had their data exposed, much of it sensitive data such as Social Security numbers that fraudsters can use to open new accounts in consumers’ names. It is not clear that more specific requirements would have prevented the incident. Equifax’s lapses clearly violated the existing security requirements of the Safeguards Rule: the company failed to take basic measures such as patching known security weaknesses in its software, and failed to act on the vulnerability for over four months. Yet even this historic and preventable breach has failed to spur sufficient change in the industry. Just this week, Capital One announced that a hacker had exploited a security vulnerability to obtain the account information of over 100 million consumers, including names, addresses, bank account information, and thousands of Social Security numbers. In light of these continuing lapses, the FTC should:
- Press Congress to provide significant penalties for violations of the Safeguards Rule;
- Press Congress for appropriate resources for oversight, and require third-party oversight of companies to ensure data security;
- Ensure that regulations accommodate differences in the size and circumstances of companies;
- Require companies to adopt an incident response plan, including notifying the FTC of security incidents;
- Identify specific standards to guide compliance, but make clear that adherence does not constitute a safe harbor; and
- Strengthen Safeguards provisions to ensure the strongest possible security.