Several California Assembly committees met Tuesday to discuss the Equifax Data Breach and its impact on up to 145 million people over a two-month period.
Assemblymember Matt Dababneh, D-Woodland Hills, brought together the Assembly Committee on Banking and Finance, the Assembly Committee on Privacy and Consumer Protection, and the Assembly Select Committee on Cybersecurity.
“While the Equifax breach is clearly going to impose long-term personal and financial costs on millions of innocent consumers, the legal authority and remedies that state and local government agencies, or even the public, have to call on are far less clear, and there is little reason to believe that a vigorous federal response is forthcoming,” the chair of the Assembly Committee on Privacy and Consumer Protection, Ed Chau, D-Monterey Park, wrote in an email to Techwire.
State agencies and non-governmental organizations testified, including attorneys, financial and cybersecurity experts.
Jan Lynn Owen, commissioner for the California Department of Business Oversight, recommended that the state list Equifax as an unsafe vendor and asked financial companies in California to not use them. Other states would follow California’s lead, she said.
Owen’s prepared comments for the meeting also included an advisory from the department requiring that “vendor security procedures are evaluated and approved, verifying that all security patches are installed as soon as possible, monitoring customer accounts for unusual activity, and providing customers with information to help prevent identity theft and protect themselves after a data breach.”
Mario Garcia, deputy commander of California’s Cybersecurity Integration Center, and Michele Van Gelderen, the supervising deputy attorney general, also testified about state agencies’ perspectives and possible next steps.
“California needs to act because we need to have a serious discussion about what reasonable security precautions should be, where responsibility lies when a breach occurs, and how consumers should be properly notified, so that we can be prepared for the next big breach,” Chau wrote. “Because, unfortunately, this likely won't be the last time California is going to have to deal with a problem like this.”
Owen’s prepared comments echoed Chau’s thoughts: “As we are all painfully aware, there are no guarantees. But important lessons should be learned from this massive theft of consumer data. The status quo should not continue, and cyberdefense must become a higher priority.”
Assemblymember Jacqui Irwin, D-Thousand Oaks, chair of the Assembly Select Committee on Cybersecurity, said a legislative solution is key to improving the security landscape.
“Any organization that holds this level of critical personal information on Californians must be held accountable for their information security decisions. I look forward to continued discussions with industry, consumer groups, and technical experts to craft meaningful legislation,” Irwin wrote in an email to Techwire.
