Smucker Amendment to CHOICE Act Protects Consumer Data Against Cyber Threats

June 6, 2017
Press Release

Washington, D.C. – U.S. Rep. Lloyd Smucker (PA-16) is working to protect consumers from the ever-increasing threat of cyberattacks. Today, Rep. Smucker introduced an amendment to the Financial CHOICE Act (H.R. 10) to express the sense of Congress that all Credit Reporting Agencies and their subsidiaries reevaluate their cybersecurity practices to ensure consumer data is adequately protected.

According to the Government Accountability Office, the IRS paid $5.8 billion in fraudulent refunds to identity thieves in 2015. Rep. Smucker’s amendment urges these entities to adopt more advanced multi-factor authentication standards for access to consumer accounts, making those accounts more secure against hackers and identity thieves.

“Millions of Americans trust credit reporting agencies with their personal information to help protect against fraud. But too often, these agencies are susceptible to the very cyberattacks they are charged with defending against,” said Rep. Smucker. “Modernizing multi-factor verification would not only provide for greater security, but could also save taxpayer money by reducing the number of fraudulent filings with the IRS.”


Equifax, Experian, Innovis, and TransUnion are regulated by the Fair Credit Reporting Act, but are not subject to any federal requirements for cybersecurity practices. Personally Identifiable Information (PII) is easily searchable online, often making knowledge-based authentication highly vulnerable.

These agencies could implement multi-factor authentication tools like:

  • One-time passwords that a website’s server sends to the requester’s cell phone or email address; or
  • Client VPNs in addition to a password

Recent Cyber Attacks on Credit Reporting Agencies:

  • Northrop Grumman: Notice of Data Breach (April 18, 2017)
    • “Equifax Workforce Solutions (aka TALX), our W-2 online portal provider, recently confirmed that an unauthorized third party(ies) gained access to its portal during various time periods from April 18, 2016 through March 29, 2017, and may have accessed your personal information and downloaded a copy of your 2016 W-2 form.”
  • CNBC: T-Mobile US ‘Incredibly Angry’ at Experian over data breach (October 3, 2015)
    • “The world’s largest credit checking company Experian suffered its biggest one-day fall in more than a year after hackers stole the personal details of up to 15 million T-Mobile US customers.”
  • NBC News: States Investigating Data Breach at Experian: Report (April 3, 2014)
    • “U.S. Attorneys General have launched a multistate investigation into a breach in which criminals gained access to a repository of some 200 million Social Security numbers through a unit of data provider Experian Plc.”