Improving Data Security at Consumer Reporting Agencies

Tuesday, March 26, 2019 - 2:00pm
2154 Rayburn House Office Building, Washington, DC 20515
Subcommittee on Economic and Consumer Policy Hearing on Improving Data Security at Consumer Reporting Agencies


The hearing will examine: (1) the options available to the Federal Trade Commission and the Consumer Financial Protection Bureau to promote the improvement of cybersecurity at consumer reporting agencies; and (2) the Government Accountability Office’s recommendations for improving those options.


  • Consumer Reporting Agencies (CRAs) possess troves of highly sensitive personal information about nearly every American.  They collect information about consumers from businesses, package it into credit reports, and then sell the credit reports to third parties for use in making financial determinations.
  • CRAs are at high risk of attack from hackers.  The Equifax data breach highlighted the full extent of that risk when cyber-thieves gained access to the personal information, including Social Security Numbers, of 147.9 million people.
  • Facing no direct economic pressure from consumers, CRAs do not have the same financial incentives to protect consumer interests as other businesses.  As a result, regulation and oversight of CRAs data security is essential.
  • Federal agencies lack tools to adequately protect consumer information kept by CRAs. The FTC does not have the authority to impose a civil penalty for violations of its Safeguards Rule, but can only seek compensation for consumer losses. The CFPB does not routinely assess data security risks at CRAs, such as how institutions detect and respond to cyber threats.
  • In December 2018, the Democratic Committee staff issued a joint report with the Democratic staff of the Committee on Science, Space and Technology, which provided specific recommendations to prevent a recurrence of the Equifax data breach, including legislation to authorize new enforcement powers for the FTC.
  • GAO will discuss its report on consumer data protection by CRAs, which was requested by Chairman Elijah Cummings, Senator Elizabeth Warren, Senator Ron Wyden, and House Committee on Financial Services Chairwoman Maxine Waters.



Andrew Smith
Director, Bureau of Consumer Protection
Federal Trade Commission

Michael Clements
Director, Financial Markets and Community Investment
Government Accountability Office

Mike Litt
Consumer Campaigns Director

Jennifer Huddleston
Research Fellow
Mercatus Center at George Mason University

116th Congress