McHenry Introduces PROTECT Act of 2017 to Require Credit Bureaus to Broaden Cybersecurity Supervision and Phase Out SSN Use

PROTECT Act of 2017, H.R. 4028, 115th Cong. (2017).

On October 12, 2017, Representative Patrick McHenry (R-NC) introduced H.R. 4028, the Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act of 2017 (“PROTECT Act”). The proposed legislation would amend the Federal Financial Institutions Examination Council Act of 1978 (12 U.S.C. § 3301) by providing a “national framework” for credit freezes and requiring the cybersecurity supervision and examination of large credit bureaus like Equifax, Experian PLC, and TransUnion. The bill would also require all credit companies to phase out their use of Social Security numbers (“SSNs”) as a basis for customer identification by 2020.

The bill is one of the first legislative responses to the enormous Equifax hack disclosed in September, which exposed the SSNs and other sensitive personal information of an estimated 145.5 million Americans. In early October, in written testimony before the House Subcommittee on Digital Commerce and Consumer Protection, Equifax Chief Executive Richard Smith asserted the need to replace SSNs as “touchstone” identifiers: “It is time to have identity verification procedures that match the technological age in which we live.”

Security experts have long pressed for alternative methods of identification to SSNs, which were never meant to be more than a method of keeping track of workers’ earning histories to determine Social Security taxes. SSNs became the standard for everything from educational records to credit histories and medical records, however. In response to the growing concern over  the widespread use of SSNs as identifiers, Congress passed the Privacy Act of 1974, which made it “unlawful for any Federal, State or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his social security account number.” The Act was intended to cabin the use of SSNs to purposes where there existed “clear legal authority to collect the SSN.”

With no practical alternative, however, SSNs continued to be the “de facto national identifier.” Bruce Schneier, a fellow at the Berkman Klein Center for Internet & Society and the Belfer Center for Science and International Affairs at Harvard Kennedy School, told Bloomberg Politics that SSNs are as much “part of our aging infrastructure” as bridges, roads, and communications.

The Trump administration has asked federal departments and agencies to explore how to replace the existing reliance on SSNs as primary identifiers. Roy Joyce, special assistant to the President and White House cybersecurity coordinator, said that the administration is looking into options such as a “modern cryptographic identifier” such as public and private keys. Other alternatives suggested by security experts include biometrics, which are unique to each individual, and blockchain technology, which can create a public ledger of transactions. The Electronic Privacy Information Center (EPIC) has long argued for the need for context-dependent identifiers to enhance security via compartmentalization: as EPIC’s Executive Director Marc Rotenberg explained, “the better approach is to have customer IDs for specific purposes.”

The House Financial Services Committee will determine whether H.R. 4028 will move past the committee stage. Sen. David Perdue (R-GA) also introduced sister bill S.1982 to the Senate Committee on Banking, Housing and Urban Affairs.

 Saranna Soroka is a 1L at Harvard Law School.