Compliance Blog

In the past few weeks, NAFCU has been focused on defending credit unions from the fallout of the Equifax breach specifically, and the cybersecurity risks posed by third parties generally. At this moment, the door is open to cybersecurity legislation that could have real positive impact for the credit union industry, and NAFCU is moving to seize on that opportunity. As legislation may be the best hope to protect credit unions from another breach like the one at Equifax, I'd encourage your credit union to engage with your Members of Congress to ensure they understand that credit unions must be protected in the future. Please visit our Grassroots Action Center for more information.

Equifax Botched It

Equifax was warned of the vulnerability which lead to the breach in December, 2016. This March, Equifax ignored a notification from the Department of Homeland Security, CERT to fix that vulnerability. In August, following the breach, Equifax established an insecure domain for its breach response site which was spoofed. In early October, Equifax's credit protection website was discovered to be hosting malware. The hits keep coming for Equifax, and whatever credibility Equifax might have still had after the breach, it is now completely gone. Equifax is trying to leave consumers, credit unions and other financial institutions to foot the bill for its mess. NAFCU is engaging on all fronts to make sure that doesn't happen.

The Regulators Are Quiet

NAFCU has been in touch with NCUA, but the agency lacks any real authority to take action on the Equifax breach or other third party cybersecurity issues. NAFCU has also reached out to the CFPB, and the Bureau continues to take the position that it would have needed additional authority over the credit reporting bureaus to have prevented the breach from occurring. The Bureau is currently investigating Equifax's use of a mandatory arbitration clause in connection with its breach response website.

The FTC is conducting its investigation into the Equifax breach and the response. NAFCU has encouraged the FTC to keep credit unions apprised of their findings, but we expect that investigation to continue for several years. No matter what that investigation finds, the FTC will not be able to prevent another breach like this from happening again unless Congress steps in.

The Hill Has Questions

The Equifax breach has Congress angry and looking for answers. On October 3, Equifax's former CEO, Rick Smith, testified before the House Energy and Commerce Committee, providing details for the first time about the internal failures at Equifax that lead to the breach, and accounting for the behavior of Equifax leadership in the days that followed. A few days later, the Senate Banking Committee and then the House Financial Services Committee both heard further testimony from Mr. Smith regarding the variety of failures in Equifax's response to and communication about the breach.

While both parties are actively engaged on this issue, it is worth noting the differing approaches of Republican and Democratic Members of Congress. Republican Members of Congress appear to be actively seeking the ways in which regulatory oversight failed with Equifax, and how these gaps can be fixed. Democratic Members of Congress have zeroed-in on how the Equifax breach will affect consumers, and what Equifax and Congress can do to try and make them whole.

While Equifax's current leadership has failed to show up for hearings so far, the credit union industry has come when called. On Wednesday, Debra Schwartz, NAFCU Board treasurer and President and CEO of Mission Federal Credit Union testified on behalf of NAFCU before the House Financial Services Committee about data security and what credit unions need from Congress. Ms. Schwartz explained the sufficiency of the Gramm-Leach-Bliley's existing Safeguard Rule pertaining to financial institutions, and pointed out that the Equifax breach was the failure of examination and oversight of the credit reporting bureaus, rather than a failure of the law itself. She emphasized that if there are not standards throughout the entire payments infrastructure, criminals will go to the weakest link, which is the merchants. She championed the industry and provided important, factual testimony that will aid Congress in drafting a bill that works and can pass. NAFCU will continue to work to ensure that credit unions' voices are heard in these Congressional hearings.

Legislation Is In the Works

There is a strong appetite on both sides of the aisle to pass legislation in response to the Equifax breach. So far, legislative proposals generally fall into one of three buckets: consumer protection proposals in response to the breach, proposals to correct or increase regulatory oversight over the credit reporting bureaus, and broader proposals regarding national standards for cybersecurity.

The PROTECT Act, recently introduced by Representative Patrick McHenry (R-N.C.), has garnered significant attention. This Act would have the FFIEC appoint a supervisory agency and examine the credit reporting bureaus for compliance with the GLBA's Safeguards Rule, correcting the "examination gap" that currently exists with the bureaus. This proposal also contains national requirements regarding the operation of credit freezes, something that is currently handled at the state law level. Of concern is a provision in the Act that seeks to phase social security numbers out of use by the bureaus as a personal identifier. Obviously this raises red flags as social security numbers are critical to properly identifying members, and NAFCU is currently raising these concerns to lawmakers.

While Congress's attention is focused on cybersecurity, NAFCU is pushing to ensure that credit unions can get the protection they need against third party breaches. There is real energy behind getting general data security legislation passed, and NAFCU is seeking to take advantage of that. As always, we are keeping a careful eye to ensuring that organizations subject to the Gramm-Leach-Bliley Act, like credit unions, do not end up being subject to stricter standards. But this may be our moment to get credit unions the protections they need from third party cybersecurity risk, and NAFCU is working to make sure we take as much advantage of the moment as we can.

Litigation Is on the Table

To date, multiple class action lawsuits have been filed against Equifax by financial institutions across the country. It is highly likely that all financial institution class actions suits will eventually be joined together. Filing or joining a lawsuit continues to be an available option which NAFCU closely considering. Only if NAFCU determines that litigation is viable and a worthwhile avenue for recovery for credit unions will we pursue that option.

NAFCU is continuing to engage everywhere we can to protect credit unions from the breach's continuing fall-out, and to demand Congress act so that this cannot happen again.