This article discusses what the Equifax data breach of 2017 means for how credit reporting agencies (CRAs) — for-profit companies which buy and sell credit data — treat your personal credit information, and what you can do to protect yourself and your clients.

The Equifax data breach

A large-scale data breach occurred in March 2017 at Equifax, one of the nation’s three largest credit reporting agencies (CRAs). Equifax did not disclose the incident to the public. According to Wired, the breach was due to unpatched software, an easily correctable oversight.

In July 2017, Equifax discovered a second, much larger breach — the names, social security numbers, birthdates, addresses and driver license numbers of approximately 145 million consumers had fallen into the hands of hackers. Still, Equifax remained quiet — non-disclosure of a material fact affecting all persons whose data was stolen.

Days later, several higher-ups sold the shares they owned in Equifax, according to a report from Bloomberg. Equifax claimed these stock dispositions were unrelated to the breaches.

Finally, in September 2017, Equifax released a statement about the larger breach, including information about the timing and the scale of the incident.

Although the stock sales are being investigated by the Department of Justice (DOJ), there is little opportunity for regulatory bodies to hold Equifax accountable for its irresponsibility. With every step of its response to a breakdown of the security of personal informational, the credit agency left behind a trail of negligence or deceit.

CRAs hold all the cards — and personal information

But Equifax isn’t alone in its cavalier attitude toward protecting consumer data. Early in 2017, the Consumer Financial Protection Bureau (CFPB) found that Equifax and TransUnion, another of the three major CRAs, were guilty of misrepresenting the value of consumer credit reports in order to sell other credit-related services.

Nominally, CRAs assist lenders who make creditworthiness decisions by providing them with consumer credit information aggregated into a credit report, from which credit scores are divined. These agencies certainly fulfill that lender demand, but in practice their function is more complicated.

CRAs are the gatekeepers of a massive store of personal information on anyone who has ever used credit. They are for-profit companies — revenue is earned by selling consumer information in bulk to lenders. They have no incentives to keep information secure. Worse, the critical space they occupy in our credit-obsessed culture is one of implicit authority.

These agencies collect and store data without legislative or private mandate, and we let them do it without regulation. Need for their services is so widespread and so fundamental (if not primary) to the basic function of our economy that they actually act as a utility, in which case government regulation is necessary to protect the general public from exploitation.

Every American who has used a credit card or some other formal credit is in the CRAs’ systems, yet individuals have no say in it. But those of us who want to participate in the use of credit can’t have a say in it. After all, we have to buy cars and houses, purchase daily necessities and take out student loans.

So, as we’re forced to participate in this credit system when we make purchases requiring credit – cards, loans, mortgages – shouldn’t a system of accountability be in place to control the use of our data?

The “good” news: laws are in place to protect consumers from irresponsible acts of CRAs.

Well, sort of. By which we mean mostly not at all. (And with the de facto dismantling of the Consumer Financial Protection Bureau (CFPB), consumer protections are taking a backseat to banks and CRAs.)

Federal law

The Fair Credit Reporting Act (FCRA) is the primary federal law governing the relationship between CRAs and consumers. The FCRA:

  • requires CRAs to provide consumers a free credit report once a year;
  • establishes regulations for how reporting of disputed accuracy may be resolved; and
  • restricts some information from inclusion in a credit report, namely:
    • Title 11 bankruptcies which are more than 10 years old;
    • civil suits, civil judgments, and records of arrest which are more than seven years old or over the statute of limitations;
    • paid tax liens and accounts placed for collection or charged to profit and loss which are more than seven years old;
    • any other adverse information, other than conviction records, which is more than seven years old; and
    • the personal information of any medical provider which has notified the CRA of its status as a medical provider. [15 United States Code §1681c(a)]

All other information may be included in a consumer’s credit report.

However, the FCRA imposes few restrictions on the way CRAs handle our information. In fact, no actual provision in the FCRA mandates that CRAs protect the data they handle.

The pertinent part of the law reads: “Consumer reporting agencies have assumed a vital role in assembling and evaluating consumer credit and other information on consumers. There is a need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer’s right to privacy.” [15 USC §1681(a)]

But what does this nice talk of a “need” mean in practice?

CRAs do not have to put anything in place for the protection of information. The FCRA doesn’t dictate how CRAs handle consumer information, nor do they regulate how CRAs respond to situations in which the security of personal credit information is at risk.

Consequently, when something happens to your personal information at the CRA (e.g., a data breach), no legal contingencies are in place at the federal level to ensure CRAs are held accountable for the damage they have imposed on you by their negligent management of your personal credit data. Or, as in this case, lack of management.

California law

Well, does California law come to your rescue?

California’s Consumer Credit Reporting Agencies Act (CCRAA) largely uses the same nonspecific, finger-wagging language as the FCRA — verbatim, in some cases — but the CCRAA covers one very important individual consumer protection: credit freezes.

A credit freeze is a measure a member of the public may take to severely limit access by others to their consumer’s credit report. CRAs can still access your personal credit information, as can government agencies. But otherwise, it is extremely difficult for anyone to get ahold of any consumer data which is frozen until the consumer — you — chooses to unfreeze their report.

By ordering a credit freeze, consumers take proactive measures. Thus, a credit freeze is not automatic, and CRAs routinely charge consumers fees for imposing and removing credit freezes (even though consumers did not give the CRA the authority to gather or use credit information in the first place).

By law, CRAs need to be held accountable for negligence

Despite its mandates regarding individual consumer protection, California law carries the vagueness of the federal warnings. Thus, CRAs are not on the hook for handling data irresponsibly.

Unsurprisingly, no specific provision in either the FCRA or the CCRAA outlines the ways CRAs are to protect consumer data. The imprecision of the FCRA’s general privacy provision is useless.

At first tuesday, we believe the law and regulations need to lay out specific rules of conduct. At the very least, CRAs need to be required to:

  • disclose any information (such as the existence of a data breach) which puts consumer data at risk to the public within a reasonable timeframe;
  • protect consumer information with state of the art security software; and
  • pay money losses, monetary penalties and attorney’s fees for negligent or unauthorized handling of consumer information.

What advice can you give to help protect your clients?

In the wake of the Equifax breach, the Federal Trade Commission (FTC) recommended individuals:

  • place a credit freeze on file with each major CRA;
  • check credit reports often (many credit card companies and other financial companies now offer this as a free membership benefit); and
  • monitor their bank accounts every month.

Credit freezes are the most effective line of defense an individual consumer has. Upon freezing their credit, a person receives a PIN which is used to reopen access to their credit report. When your client chooses to freeze their credit, they cannot lose track of the PIN, as it is the only way to regain access to their report.

Credit freezes bar the consumer ordering the freeze from opening new lines of credit which require a credit report. However, a credit freeze is not an effective method of protection for existing, ongoing identity theft — it functions as a precautionary measure to prevent additional theft.

Some CRAs offer services like credit monitoring. Credit monitoring is similar to a credit freeze, but CRAs use them to offer needless services, and charge hefty monthly fees.

Identity theft fallout

When your client has already been a victim of identity theft, recommend they cancel any credit cards which have been used by unauthorized parties, plus have them place a fraud alert on their account.

Fraud alerts don’t shut down access to one’s credit report the way credit freezes do — they simply alert lenders offering to extend credit that the consumer owning the account may be a victim of fraud. With a fraud alert in place, a person offering to extend credit to an individual is required to verify their identity.

Since the breach took place, Equifax has been the subject of hundreds of class-action lawsuits, but uproar in the public eye has largely died down in the last few months.

Until legislators and regulators get serious about holding CRAs accountable, the only thing standing between your personal credit information and any unauthorized individuals who may want to use and sell that information is the diligence of CRAs. They control what gets reported, to whom it gets reported, and how they can stop it from being reported. That’s a lot of control for private, for-profit corporations to have, especially when the laws in place are inadequate to regulate them.