In the 1970s, the American government and private businesses began to collect information about people at unprecedented levels. Private sector business involvement with data collection was led primarily by credit bureaus, insurance companies, and private investigative enterprises. These groups, whose viability depends on collected data—on knowing whether making an “investment” in a person is worthwhile—propelled private data collection and data sharing to new heights. Rampant data collection and storage during this period contributed to the modern creation of “digital people”: the start of an era in which a person’s identity is both of the body and of the computer, due to the amount of information readily available on them. Including anything from social security numbers and credit information, to debt payments, to other highly sensitive pieces of information, this data is highly valuable to would-be identity thieves. A lapse in the security of information as a result of a data breach is costly, as theft of financial identity threatens the livelihood of afflicted individuals across decades in acts like applying for a loan or mortgaging a home.
Once considered the “wild-west” of data collection because of pervasive accuracy and security issues, credit reporting has since found relative stability under the thumb of the big three reporting bureaus: Equifax, Experian, and TransUnion. The Fair Credit Reporting Act, which requires agencies to disclose information held on individuals, as well as to restrict who can access that information, was passed by Congress in 1970 to combat emergent privacy-related concerns among the American public. Combined with action in 1973 under the FTC’s Fair Information Practice guidelines, which established a series of safeguards on digital data, baseline standards on the necessary treatment of the digital identity of consumers were imposed on previously unbounded private entities. Perhaps it is to be expected in an era of rapidly progressing technology that technological advancements will outpace established law. In light of the recent Equifax breach, which compromised the personal information of nearly one-in-three Americans, the adequacy of laws related to data collection and the responsibilities of organizations that collect and maintain these records must be called into question.
New York State Assemblyman Jeffrey Dinowitz (D-Bronx) brought the conversation about data security and corporate responsibility to the forefront of New York State politics this past week. Calling Equifax’s reaction to the breach “outrageous,” Dinowitz announced his intention to propose a new bill in Albany aimed at imposing heightened measures to increase consumer data protections and better examine and regulate credit monitoring agencies. Likely to be introduced in early October, Dinowitz’s new legislation will focus on the establishment of minimum requirements for credit reporting agencies to protect consumers in the event of a data breach. Specifically, the law would mandate that companies provide free identity theft protection monitoring for the lifetime of credit reports affected by a breach, as well as prohibit these companies from charging fees for freezing and unfreezing impacted credit reports.
A range of responses has met the soon-to-be-proposed legislation, which will likely face a battle once it enters the State Senate due to the influence that financial reporting agencies exert on the lawmaking process. Some claim the Dinowitz bill requires credit agencies to meet only the bare minimum of responsibility which they owe to consumers. These critics urge that the legislation be expanded further to increase consumer protections. Actions like those of Queens Senator Leroy Comrie, whose proposed legislation similarly mandates protective action, yet greatly expands the level of corporate responsibility after data breaches, are a more satisfactory legislative step to individuals sharing this mindset.
On the other hand, it is possible to see any proposal of legislation of this nature as a victory. The legal history on the collection and maintenance of private data, together with the inadequate response by Equifax following the breach, signals a gap in the legislative record. Inaccuracy in reporting and insecurity in the face of ever-more-common foreign data breaches must be a signal to lawmakers that action is needed. The ability to act in the past on a national level for greater protections on the safety and security of information should be held as a guide to navigate this increasingly important consumer issue from the shadowy corners of New York State politics into real, meaningful action for citizens.