San Francisco Chronicle

Equifax hack must prompt lawmakers to enact protection

- KATHLEEN PENDER

Equifax’s response to its huge data breach was so lame it would be laughable if the stakes were not so high. That’s why Congress and the states should take action to protect consumers from this, past and future data breaches.

At the very least, Congress should amend the Fair Credit Reporting Act to give consumers unlimited free access to their credit report at www.annualcreditreport.com so they can check to see whether anyone has been opening accounts in their names. Currently, they get only one free check a year from each of the three major bureaus — Equifax, Experian and TransUnion.

Congress or the states should let all consumers freeze and unfreeze their credit reports for free rather than paying a fee. And they should let consumers place a fraud alert on their file that lasts forever, not just 90 days at a time.

Lawmakers also should require credit bureaus to place freezes or fraud alerts on all consumer credit reports as the default position. Instead of requiring consumers to take action to have their reports protected from fraudsters, they would have to take action to have them unprotected. This could prevent consumers in some cases from getting instant credit, which might cut down on impulse purchases, which is why corporate America almost certainly would fight it.

The Internal Revenue Service, meanwhile, should let all U.S. taxpayers get an Identity Protection Personal Identification Number, or IP-PIN, to prevent a thief from using stolen information to file a tax return, and collect a bogus refund, in their name. Today the IRS gives these security codes to victims of identity theft and to residents of Florida, Georgia and the District of Columbia, which it says “have higher levels of tax-related identity theft.” The IRS would only say it “continues to review and assess this serious situation to determine necessary next steps.”

These steps might prevent some types of fraud, but not all, given the vast amount of sensitive data disclosed.

Equifax said on Thursday that between mid-May and July, criminals “exploited a U.S. website application vulnerability to gain access to certain files.” The hack affected about 143 million U.S. consumers, or roughly half the population. It exposed names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. The thieves also gained access to credit card numbers for approximately 209,000 U.S. consumers and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.

“The Equifax dataset is so rich that it provides the keys to numerous other kinds of fraudulent activity,” Paul Stephens, director of policy and advocacy with the Privacy Rights Clearinghouse, said in an email. “For example, telephone access to personal financial and medical information can often be obtained by answering security questions. The answers to these questions often will be part of the Equifax dataset. The same may be true for online password resets. Likewise, criminals could use the breached data to file fraudulent claims for tax refunds or to open new bank and financial accounts. There are few measures in place to prevent this type of unlawful activity.”

The last time Congress gave consumers greater access to their credit files was in 2003, when it passed the Fair and Accurate Credit Transactions Act, which amended the Fair Credit Reporting Act to give consumers access to their credit reports once a year for free at annualcreditreport.com.

Limiting access to once a year “may have made sense in 2003. I don’t think it makes sense in 2017,” said credit expert John Ulzheimer.

A few states (not including California) let residents see each of their credit reports two or three times per year for free. Some banks and private-sector websites give consumers unlimited access to their credit reports, but they generally must be a customer of the bank or agree to receive the website’s marketing spam.

Ulzheimer and consumer advocates agree that all Americans should have greater or unlimited access to their reports without strings attached.

Consumers affected by the Equifax breach can sign up for its own credit-monitoring service, which will provide certain services for free, but only for one year. These include credit monitoring at all three bureaus; copies of their Equifax credit reports; the ability to “lock and unlock” Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers.

Critics have lambasted the offering, considering that victims will be at risk for the rest of their lives, and it was not entirely clear whether consumers who signed up for it gave up their rights to participate in class-action suits. (Equifax later clarified they would not.)

Consumer advocates are encouraging all consumers, affected or not, to place a security freeze on their credit files.

A freeze stops any company other than existing creditors from looking at your credit file, thus preventing anyone — thieves or yourself — from opening an account in your name. If you want to apply for credit, you can “thaw” it using a secret code, but in most states there is a fee and it can take up to three days.

In California, unless you are an identity theft victim or younger than 65, you generally must pay $10 to freeze your file at each bureau, or $30 total, and another $10 per bureau to thaw it. You must place the freeze at each bureau separately.

A fraud alert provides less protection, but it’s free. It’s essentially a red flag that tells potential creditors you might be a victim of identity theft, and they must take additional steps to verify your identity. It generally won’t prevent you from getting credit if you can prove your identity.

An initial fraud alert generally lasts for 90 days, but can be renewed every 90 days. There is no fee for placing or removing a fraud alert, and you only need to notify one bureau to have it placed at all three.

“The key public policy response (to the Equifax hack) should be to make the state security freeze laws free for all consumers, and the default switch position should be ‘freeze is on.’ When consumers want to apply for credit, they also should have the right to unfreeze their reports temporarily for free,” said Ed Mierzwinski, consumer program director for U.S. PIRG, a consumer group.

One of the “ironies” of credit reporting is that three bureaus “have all this information about us, but we have so little control over it,” said Chi Chi Wu, an attorney with the National Consumer Law Center. “Because of state laws, we can freeze our credit report, but we have to pay for it. We have asked Equifax to pay for the fee at all three bureaus.”

You’d think that the banking industry would be concerned about the breach, considering that banks — not consumers — foot the bill when thieves open accounts in customers’ names.

Although banks are concerned about any breach, and the Equifax breach “has a very long tail” considering the type of information disclosed, they have ways of preventing fraudulent activity, said Doug Johnson, senior vice president of payments and cybersecurity.

For example, any time a consumer changes their address, that’s a “red flag” that banks will look at closely before opening an account, he said.

Some thieves who have access to a customer’s personal information, but not the account number, might call the bank pretending to be the customer with an emergency to gain access to the account. This is called pretexting. “We make sure our call centers are aware to know the nature of that kind of call,” Johnson said.

Battling fraud requires the cooperation of banks, credit bureaus and the consumer, he said. Consumers “are the best line of defense,” he added. They should be monitoring their accounts regularly for signs of unauthorized activity.

If consumers truly are the best line of defense, then government should make it easier for them to detect fraud.
