How Congress can protect you from credit bureaus
Banks and retailers have real money at stake when a data breach allows criminals to get at customers’ credit card data. Under federal law and credit card policies, customers have zero liability for fraudulent charges. Instead, banks and retailers are on the hook for losses.
But credit bureaus, such as Equifax, aren’t required to repay consumers for losses when precious personal data — such as Social Security numbers and birth dates — are exposed. Perhaps that’s why security was so lax at Equifax, where a massive breach discovered this summer gave hackers access to the data of nearly 60% of American adults.
It's bad enough that bureaus are cavalier about protecting data; the industry has also opposed the best tool to protect against fraud after data are exposed: a credit freeze, which prevents the opening of accounts or loans in your name without your permission.
In the mid-2000s, as state legislators pushed to create this tool, an industry lobbyist traveled the country fighting these measures. The Consumer Data Industry Association lost the war, and freezes are now available in every state. But the lobby won an important battle: Consumers must pay for freezes in all but seven states.
It’s easy to see why credit bureaus dislike freezes: They lose money when they are prevented from selling your information. Freezing and unfreezing should be free. And in the wake of the Equifax breach, several Senate and House Democrats have introduced a measure to do just that.
Even more urgent is federal action to prevent breaches in the first place. In congressional hearings last week, former Equifax CEO Richard Smith acknowledged that the personal data that were breached weren’t even encrypted. Rep. Greg Walden, R-Ore., said, “I don’t think we can pass a law that … fixes stupid.”
But Congress can do plenty to make it damaging and expensive for credit bureaus to act so stupidly. Among the best ways:
• Strengthen federal standards to protect data and give the outgunned Federal Trade Commission the authority and manpower to enforce them. Better yet, get tech-savvy companies that deal with credit bureaus involved in creating minimum standards to secure data.
• Set uniform disclosure rules, mandating short deadlines to disclose breaches, written notification to consumers and a process in which state and federal agencies are notified. Rules now vary among states and are often loose.
• Impose large fines for breaches. Because companies have no money at stake for reimbursing consumers, there’s little incentive to spend to secure data.
It’s unconscionable that the federal government has failed to get more involved in protecting private information. The executive branch’s own data have been breached all too frequently. It’s time for Washington to step up and provide expertise, incentives and laws to prevent these crimes.
None of the major credit bureaus — not Equifax, Experian or TransUnion — would have a business if it weren’t for the data they vacuum up without permission from consumers or payment to them. If credit bureaus are going to use these data as a profit center, the least the bureaus can do is ensure that consumers aren’t left vulnerable to thieves.