latest-news-headlines Market Intelligence /marketintelligence/en/news-insights/latest-news-headlines/after-equifax-it-s-still-unclear-who-is-liable-for-cyberattacks-41959652 content esgSubNav
In This List

After Equifax, it's still unclear who is liable for cyberattacks
Podcast

Next in Tech | Episode 46: Payments evolution in digital

Blog

LCD U.S. Loan Market Survey – Q4 2021: Pockets of volatility expected in 2022

Blog

Q3'21 smartphone shipments revert to a decline ahead of the holiday quarter

Research

US utility commissioners: Who they are and how they impact regulation


After Equifax, it's still unclear who is liable for cyberattacks

The Equifax Inc. breach has again raised the question of what parties are liable in a cyberattack, as financial services industry leaders call for clarity and Congress looks into the incident, which could affect 143 million U.S. customers.

Speaking to reporters Sept. 13, Sen. Thom Tillis, R-N.C., said policy discussions are particularly needed in the heavily interconnected financial services industry. Because Equifax is a credit reporting agency and not a consumer-facing financial services provider, consumers have been confused as to whether or not they are supposed to contact their bank for help on possible identity and credit theft.

Banks, for their part, are worried of continued fallout if hackers use breached information to fraudulently open up new loan or deposit accounts.

"The question becomes, when that happens, who should actually be responsible for cleaning it up?" Tillis said.

Senate Banking Committee Chairman Mike Crapo, R-Idaho, also acknowledged the ambiguity around how the current legal structure treats cyberattacks.

"Uncertainty remains around questions like data security and the proper regulatory treatment to ensure consumers and the financial system are safeguarded," Crapo said Sept. 12.

The Equifax breach has reignited discussion on Capitol Hill about stronger cybersecurity standards, as Republicans and Democrats express disappointment over the Equifax breach and dig for more information about its scale and scope.

Sen. Tim Scott, R-S.C., said in an interview that he has not heard of any upcoming legislation yet, but he said the question of liability in a data breach is not new.

"That goes back to the same conversation we've been having with the credit card companies and Target," Scott said. "I don't know that we've actually found a good answer to that."

Banks in particular have expressed a need for more legal clarity on who is responsible for data breaches.

In an interview with CNBC on Sept. 12, JPMorgan Chase & Co. Chairman, President and CEO Jamie Dimon said laws not only need to define who is responsible for a breach, but they also need to allow the exchange of information between the government and banks in the event of elevated cybersecurity risks.

"We don't have proper cyber law," Dimon said. "We need it to be part of the trade. We need to have a way to go after the bad guys."

Discover Financial Services Chairman and CEO David Nelms said Sept. 12 he expects financial institutions to continue grappling with the issue of data breaches and liability for some time.

"It's going to be playing out for many years," Nelms said.

The Independent Community Bankers of America made it a point to pin responsibility wholly on Equifax, urging the company to notify every customer affected and the issuers of the more than 200,000 credit cards breached.

"The millions of Americans and thousands of community banks affected by this breach deserve such a response," ICBA President and CEO Camden Fine wrote in a letter to Equifax Chairman and CEO Richard Smith.