Don't Let Equifax Put Americans At Risk Again

One year after the historic Equifax data breach, consumer credit data is still vulnerable to hackers

By Consumers Union

September 7, 2018

The following was written by Consumers Union, the advocacy division of Consumer Reports.

A year ago today we learned that hackers had broken into the databases of credit reporting agency Equifax, making off with the personal information of nearly 150 million Americans.

The stolen data included names, home addresses, Social Security and credit card numbers, birthdays, phone numbers, email addresses, and driver’s license numbers—in other words, more than enough information for identity thieves to wreak havoc on the financial lives of nearly half the U.S. population.

This massive breach should have been a watershed event. Unfortunately, not much has changed in the 12 months since the theft was made public. Americans remain largely in the dark about the practices of the credit reporting industry—and, more generally, largely unable to control the use of their personal information. Equifax itself has suffered minimal consequences and continues to do business more or less as before. And the legal and regulatory system governing the credit reporting industry and data security more broadly remains inadequate, despite some recent progress.

All of that needs to change—fast.

To understand the urgency, it helps to have a clear picture of what credit agencies do and how they operate. These companies ingest reams of data related to the credit accounts of individuals like you, including how much credit you’ve applied for and been offered, how much money you’ve borrowed, a detailed history of your debt payments, and whether any of your bills have gone unpaid long enough to be referred to a debt collector.

As a result, the credit agencies have little financial incentive to serve consumers well. You have little-to-no say in whether your data is collected and only limited say as to how it’s used. Credit files are rife with errors—which can cost a consumer a mortgage or a good interest rate—and it’s notoriously difficult to get such errors corrected. And, as the Equifax breach demonstrated, the credit agencies haven’t done nearly enough to safeguard the private information they collect about us.

Legislative or regulatory muscle could surely spur the industry to do more to protect consumers, but the existing guidelines are out-of-date and toothless. The Gramm-Leach-Bliley Act, for example, now nearly 20 years old, requires financial companies like Equifax to “insure the security and confidentiality” of consumer data—but, importantly, doesn’t impose any fines for failing to do so. Meanwhile, only 13 states impose their own data security laws, and some of those carve out exceptions for credit agencies like Equifax.

The facts of the Equifax data breach make plain that this regulatory vacuum does not provide enough incentive for the company to maintain adequate security: The hackers are known to have exploited software vulnerabilities that had been public knowledge for months before the bulk of the data was swiped.

Nor did 2017’s catastrophic breach significantly affect Equifax’s fortunes. The company has not been hit with any major fines or penalties by government regulators. And though the company’s stock price plummeted in the days after the breach, it’s now back to within a few points of its pre-crisis level.

Little surprise, then, that Equifax isn’t doing much differently today than it was before the breach. In the immediate aftermath, Consumer Reports—armed with a petition signed by more than 180,000 consumers—asked Equifax to take seven key steps to protect consumers and make them whole. Equifax did agree to offer free credit freezes and, for a limited period of time, free credit monitoring, but the company did not otherwise reimburse victims—except for a handful who took the company to small claims court.

For the most part, it’s business as usual at Equifax and the other major bureaus. Only a small fraction of consumers has taken advantage of the credit freezes on offer at the big three bureaus, so the vast majority of American consumers remain as vulnerable to identity theft as before. In addition, consumers continue to report that it’s difficult to clean up errors in their credit reports, even when they’re the clear result of identity theft.

A handful of new federal and state laws have been enacted in response to the Equifax breach. In May, the federal government passed a law requiring credit freezes to be free for consumers, following the lead of numerous states that had already taken that step. Three states—Alabama, Colorado, and Nebraska—passed new data security laws, joining the dozen or so states that currently require businesses to maintain reasonable security standards. And eight states reached a legal settlement with Equifax requiring the company to improve data security practices. These incremental efforts will help protect consumers, to be sure—but still leave a vast amount of personal data vulnerable to hackers.

Only one newly passed law, the California Consumer Privacy Act, has the potential to force significant changes. Under one of its provisions, a company that fails to maintain reasonable data security practices can be sued for damages by any consumer whose information is breached. While over a dozen states already give consumers the right to sue if they are harmed by a data breach, it’s typically difficult to demonstrate harm as a result of a particular incident. The California bill would shift the burden of proof in favor of consumers.

Clearly, however, more needs to be done at the federal level. We see two key priorities.

One is a default credit freeze, which would prevent credit bureaus from sharing or selling consumers’ credit data without their affirmative consent. That would mean that you could temporarily unfreeze your file if you were, say, applying for a mortgage, but the credit bureaus couldn’t otherwise sell your credit files to third parties. We have endorsed a bill, proposed in February by Senator Jack Reed (D-RI), that would put such a freeze in place.

Second, more than 30 states currently lack broad data security requirements for the handling of private consumer data. That must change. Every company in every state should be held to baseline data security requirements, with appropriate penalties to ensure compliance.

Because of its sheer scope and the sensitivity of the information involved, the Equifax data breach should have been—and can still be—a catalyst for change. With continued consumer pressure, we can help ensure that companies like Equifax are doing all they can to keep consumer information safe and private.