Data breach is reminder of rating agency’s power
Businesses such as Equifax are charging consumers to access their own information
There’s a great deal of money to be made in being a “business intelligence provider.”
TransUnion, which promotes itself under the somewhat infelicitous branding line “Information for Good,” is a standout example. The Chicago-based consumer credit rating agency recorded revenues of $1.7 billion (U.S.) in 2016 and net income of $121 million.
I know, I know. The consumer credit rating agency in the news is Atlanta-based Equifax Inc., which took its unconscionable time in announcing a data breach of approximately 143 million consumers. There’s a Norm Macdonald joke in there somewhere: “143 million consumers hacked! That’s almost half the population of the United States, or the world!”
The seriousness of the breach, and its corporate mishandling, should reawaken Canadians to the power of consumer credit rating agencies.
In the case of TransUnion, a federal jury in California found the rating agency had violated the U.S. Fair Credit Reporting Act. The case hinged on lead plaintiff Sergio Ramirez, who applied for a car loan at a California dealership in 2011. The dealership, in turn, ordered a credit report on Ramirez from TransUnion. Ramirez was initially blocked from the purchase because, the dealership informed him, he has an OFAC alert on his report. Except they had the wrong Ramirez.
OFAC stands for Office of Foreign Assets Control, and red flags, especially post 9/11, designated persons financing terrorist activities in the U.S. The U.S. Treasury makes clear that verification is the essential next step in confirming that there has been no mix-up in identities.
Ramirez ended up as the lead plaintiff in a class action of more than 8,000 consumers accusing TransUnion of failing to ensure accuracy in its credit reports. In June of this year, a jury awarded the plaintiffs damages of approximately $60 million. In an email, TransUnion says it will be seeking relief from the judgment in court later this month.
The question that arises: do you know what the credit rating agencies have to say about you? When was the last time you asked for a copy of your credit report? Why isn’t a consumer’s credit score provided without charge to the consumer? Why should the consumer have to pay for anything from these agencies when it’s from the consumer’s own information that the agencies are profiting?
Consumer credit rating agencies are provincially regulated. Ontario’s Consumer Reporting Act stipulates free access to “the nature and substance of all information in (the agency’s) files pertaining to the consumer at the time of the request.” That includes the name of every person who has accessed the file in the previous three years.
But as a government spokesperson at the Ministry of Government and Consumer Services adds, the consumer report does not necessarily include a credit score.
We still don’t know the degree to which the Equifax breach has affected Canadian consumers.
In its Sept. 7 release, Equifax announced that in addition to the cybersecurity “incident,” it had identified “unauthorized access to limited personal information for certain U.K. and Canadian residents.”
Laggardly, Equifax Canada, which did not respond to the Star’s requests for information, updated its website to at least acknowledge that the hacking crisis reached north of the border.
Only a limited number of Canadians may have been affected, we are told. “At this point, it seems the personal information that may have been breached includes name and address and Social Insurance Number.”
While the U.S website allows consumers to check whether they might have been hacked by inputting their social security numbers, this does not work for Canadian consumers.
This puts me in mind of a weeks-long drama in my own home some months ago when, on the basis of the SIN number and address of one of my sons, a fraudster was able to secure a debit card in his name with a $1,500 overdraft. Account statements would have been sent to an email provided by the fraudster.
When the overdraft was tapped out, my son received notice from a collection agency saying he had five days to pay $1,486.98.
What followed were hours on the phone with the police, the bank that issued the card, and, yes, with the credit rating agencies.
God help the person who does not have the time (during business hours), the patience or the facility of language to survive this.
Six weeks later, a letter from TransUnion arrived stating, “This letter is written in response to your correspondence disputing the accuracy of certain information in your credit file. To investigate the item(s) we contacted the creditor (the bank) reporting the disputed information. They could not respond to us within a reasonable time, therefore we have removed the disputed item.”
Let’s consider that: the bank could not respond in a reasonable time.
One of the more interesting aspects of this exhausting absurdity came from the head of the fraud division for the bank, who stated that the details of the fraud — the $1,500 — would not be reported to any aggregator of fraud data. Say, the feds. So we might as well ignore any debit card fraud statistics we see reported. And we might consider how this has shaken the confidence in the banking system of at least one millennial.
Addressing the big breach, Equifax Canada recommends that consumers should remain “vigilant of fraud and identity theft by reviewing account statements and monitoring credit reports.” It also recommends signing up, at a cost of $19.95 a month, for its Equifax Complete Premier package, “our most comprehensive credit monitoring and identity theft protection product.”
That’s rich, asking consumers to pay up in order to protect themselves from identity theft. The client base for the agencies — the banks, the automobile dealers — pay handsomely for the service. The revenue generation should end there. Consumers shouldn’t have to pay a nickel. jenwells@thestar.ca