The massive Equifax Inc. data breach has triggered demands on Capitol Hill for stiffer rules and new requirements for what financial companies must do to fend off cyberattacks.

Yet tougher oversight would all but certainly require support from the Trump administration and buy-in from congressional Republicans—both groups that want to reduce financial regulation, not stiffen it. Democrats so far have led the calls for more rules in the wake of Equifax's disclosure that 143 million Americans' personal information was stolen.

Tighter constraints would pose a particularly difficult choice for GOP lawmakers because it would most likely mean further empowering the Consumer Financial Protection Bureau, a controversial agency created after the 2008 financial crisis that many Republicans have been trying to weaken or put out of business almost from its first day of existence. No other federal regulator supervises Equifax or has officials inside the firm conducting on-site exams.

“Republicans by nature are loath to regulate,” U.S. Sen. Dick Durbin, an Illinois Democrat, said in an interview. “But there comes a moment when a company has so much information and is not handling it in a professional way where I think we are duty-bound to step in on behalf of innocent citizens.”

While President Donald J. Trump has pledged to cut back government red tape, White House press secretary Sarah Huckabee Sanders said Monday that the severity of the Equifax breach could mean more rules are needed. She said the administration will look at the situation “extensively,” and that Trump's homeland security adviser Tom Bossert will lead efforts to respond to the hack.

Equifax is among a handful of companies that control data such as credit histories that banks rely on to assess whether consumers should get loans. The Atlanta-based company said Sept. 7 that the compromised information includes Social Security numbers, driver's license records and birth dates. It faces multiple state and federal investigations, and at least one multibillion-dollar class action lawsuit.

Unlike banks, Equifax and competitors TransUnion and Experian don't have multiple regulators constantly looking over their shoulders. The Federal Reserve and Office of the Comptroller of the Currency, for example, have teams of supervisors assigned to specific lenders. The officials have daily responsibilities for monitoring any transactions and weaknesses in computer systems that could threaten financial stability.

Before the CFPB began policing the industry in 2012, it faced almost no federal oversight. The Federal Trade Commission has authority to sanction the companies for failing to protect consumers, but it doesn't engage in proactive monitoring. Durbin said that the size of penalties the FTC is allowed to impose isn't big enough to adequately punish a breach on the scale of Equifax's.

Equifax Sanction

Much of the CFPB's scrutiny of Equifax and its rivals has been on trying to ensure that credit reports are based on accurate data and that the firms are properly responding to consumer complaints. At least publicly, less of the agency's focus has been on cybersecurity. The CFPB is led by Director Richard Cordray, who was appointed by former President Barack Obama.

In January, the consumer bureau accused Equifax and TransUnion of misleading consumers about credit products they had sold them. Without admitting or denying the allegations, Equifax agreed to provide almost $3.8 million in restitution to affected consumers, while paying a $2.5 million fine. The CFPB has said it is investigating Equifax's data breach as well as the company's response.

The CFPB has authority to make sure financial companies maintain standards to keep customer information safe. The agency brought its first cybersecurity case last year, fining online payment company Dwolla Inc. $100,000 for allegedly deceiving companies about how secure its systems were. The settlement could provide a roadmap for how the agency deals with Equifax's breach.

Lawmakers have repeatedly tried to tighten restrictions for how companies report consumer breaches and to expand cybersecurity protections—with limited success in the face of intense corporate lobbying. Treasury Secretary Steven Mnuchin signaled Tuesday that the White House and Congress might have to revisit such issues, including what “liability and responsibility” companies should have over hacks.

“Americans shouldn't expect these things to happen, and the current situation is obviously quite unfortunate,” Mnuchin said at CNBC's Delivering Alpha conference in New York. “This is not something that the private sector can do alone, and this is not something that the government can do alone.”

Bank Losses

When criminals get access to consumer data and use it to commit identity theft, it's banks and credit unions that often bear the brunt of financial losses. Lenders also face costs associated with managing the fallout of a breach, such as reissuing new credit cards and managing consumer complaints. The Equifax breach has reinvigorated calls for Congress to create national standards to ensure all companies are adequately protecting data.

“It's time for companies who lose consumer data or do not protect it to be held responsible,” said Dan Berger, president of the National Association of Federally-Insured Credit Unions. “I think you're going to see Congress really take a closer look at this.”

Democrats have used the Equifax breach to push a number of policy goals, including their desire to impose new requirements on companies' tracking of consumer data and to remove barriers to customer lawsuits. On Monday, a group of lawmakers led by Sen. Brian Schatz, a Hawaii Democrat, reintroduced legislation that would make it easier for consumers to deal with identity theft and mistakes in their credit reports.

Multiple congressional committees have called for hearings and sought information from Equifax to try to get to the bottom of what happened. While Republicans have been less vocal than Democrats in demanding more rules, they have said they want to know what went wrong and whether Equifax violated any laws.

“This event certainly is striking,” U.S. Rep. Patrick McHenry, the North Carolina Republican who is vice chairman of the House Financial Services Committee, said in an interview. “These companies should be better, they should protect our data in much stronger forms and any failure to do that, we should have a broader discussion about how we improve this market.”

Bloomberg News

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
