Before Equifax discovered a massive computer breach that exposed sensitive information about millions of Americans, the company lobbied Congress on legislation to limit how much it could be forced to pay if sued by consumers, and it pressed lawmakers to roll back the powers of its regulators.
Since at least 2015, the credit reporting agency repeatedly has lobbied lawmakers on issues related to “data security and breach notification,” according to federal disclosure forms.
Those issues are likely to take center stage now as the company deals with the outcry over its decision to wait six weeks before notifying the public about a cybersecurity attack that exposed the Social Security numbers, driver’s license information and other personal data of 143 million people.
The company’s spending on lobbying peaked at $1.1 million last year, and Equifax has spent $500,000 already this year, according to data collected by the Center for Responsive Politics.
The industry’s efforts have come as the Trump administration has made loosening regulations a key priority and Republicans have pushed to pare the powers of one of the credit agencies’ key regulators, the Consumer Financial Protection Bureau.
The industry, including Atlanta-based Equifax, appeared to be making headway earlier this year when a Georgia congressman introduced legislation that would limit the damages companies could be forced to pay if sued.
The legislation would “strike a fair balance,” putting the penalties credit reporting agencies could face under the Fair Credit Reporting Act on par with what businesses face under other laws, Republican Rep. Barry Loudermilk said at a Sept. 7 hearing on the proposal.
He noted that legislation had significant support from various groups, including the Consumer Data Industry Association, which represents the credit bureaus.
The timing of the hearing proved awkward. Equifax announced later that day that it had suffered a massive hack that put millions of people at risk of identity fraud.
The company said its security team first observed suspicious activity July 29 and that it hired a cybersecurity firm to conduct a forensic review on Aug. 2.
Equifax said it made its findings public “as soon as the company understood the potentially impacted population.”
The delay sparked a backlash, including criticism that Equifax had fumbled its response to the breach, leading Loudermilk to abandon the bill. The legislation was not a giveaway to Equifax and the other credit bureaus, as some critics complained, he said in a statement.
But “given the unfounded attacks on me and the rampant misinformation circulating about this legislation, the Financial Services Committee has not scheduled further action any bill at this time,” Loudermilk said.
The legislation would have addressed one of the industry’s biggest issues. The number of class-action lawsuits filed under the Fair Credit Reporting Act has increased 1,700 percent over the past 20 years, according to the U.S. Chamber of Commerce, which also supported the bill. And the industry has faced some expensive court losses recently, including in June, when a jury awarded more than a dozen plaintiffs $60 million after finding that Chicago-based TransUnion didn’t take reasonable steps to prevent them from wrongly being identified as potential criminals or terrorists on their credit reports.