In the wake of Equifax hack, Congress proposes credit bureau reform
Lawmakers call for changes to protect people's data, or at least give them more control over it
Expert on consumer credit laws and regulations
The U.S. credit reporting system – which keeps data on nearly every American consumer – may be headed for changes designed to better secure the trove of personal information or at least give you more control over who sees your credit file.
In the wake of the Equifax breach, ideas are bubbling up from Congress, where members of both parties are incensed about the exposure of 145.5 million people’s identifying details. Equifax ex-CEO Richard Smith appeared before three congressional committees last week, and he got an earful from each of them.
“You’ve been able to accomplish something no one else could do – bring Republicans and Democrats together in outrage and frustration,” said Rep. Anna Eshoo, D-Calif.
The Equifax breach “exposed a major shortcoming in our nation’s cybersecurity laws and Congress must act,” Rep. Patrick McHenry, R-N.C., said in a statement Oct. 12.
McHenry announced a proposal to make the big three credit bureaus stop using Social Security numbers as identifiers by 2020. His PROTECT Act would also standardize credit freezes federally and subject the three largest credit bureaus to federal cybersecurity examinations, according to a bill summary.
As the vice chairman of the House Financial Services Committee and deputy House Republican whip, McHenry is viewed as an important backer for financial services legislation.
Under the present system, credit bureaus vacuum up data about individuals, mainly from lenders and other creditors. In return, you’re entitled to one free copy of your credit report per year.
You’re also entitled to dispute errors in your report – but don’t expect too much.
The three big credit bureaus – Equifax, Experian and TransUnion – get more consumer complaints aimed at them than any other companies in the U.S. Consumer Financial Protection Bureau’s complaint files. Most of the complaints concern errors in their credit reports. The companies correct the credit report cited in the complaints about 20 percent of the time, leaving the rest unchanged, CFPB records show.
After the data breach, “American consumers don’t need just answers; they need action,” said Rep. Janice Schakowsky, D-Ill.
Under state law, consumers may “freeze” their credit file at each credit bureau as an anti-fraud measure. That blocks identity thieves from opening new accounts with your information. But there’s usually a fee – $10 is typical – unless you are already a victim of ID theft. There can also be fees to unfreeze the file when you need credit and have to give lenders access to it.
Giving consumers control of their credit is the remedy that some credit bureaus are embracing. Equifax is offering to waive its freeze fees temporarily for breach victims. But longer term, Smith repeatedly pledged to give consumers control of their files. Equifax would accomplish this via software that allows consumers to lock their file, then unlock it when they apply for credit, for free. TransUnion is also offering this ability through its free TrueIdentity online service.
Smith said the company’s software solution will work faster than state-mandated freezes, which in some cases can take days to implement when done by mail.
But some industry experts are skeptical that control offered by a credit bureau will be equal to freeze rights, which are codified by law.
“The degree it’s going to help – the devil is in the details,” said Evan Hendricks, former editor of the newsletter Privacy Times and author of “Credit Scores & Credit Reports: How The System Really Works; What You Can Do.”
For example, company-provided systems are likely to be shielded by legal language that prevents users from taking the company to court if the lock malfunctions. Such language, called a mandatory arbitration clause, initially covered Equifax’s free credit monitoring service TrustedID, offered to people whose identifying details were exposed in the breach. The company removed the clause after an outcry that breach victims were being forced to sign away their legal rights.
Another problem is that the industry is not entirely on board with free credit locking. Experian, the third major bureau, has said it doesn’t plan to offer a free lock-and-unlock function. Such a move would likely cut the income of credit bureaus by reducing their opportunities to sell credit reports.
“There’s hundreds of millions of dollars being made selling credit reports,” Hendricks said. “The industry is not going to want to change that.”
Standards for data
Schakowsky’s data security bill contains special provisions for “information brokers,” including credit bureaus. The companies would face heightened standards for information security and requirements to notify affected people as soon as possible – but no longer than 30 days after discovering the breach.
In addition, CFPB Director Richard Cordray has called for heightened authority to monitor credit bureaus.
Can regulation prevent data hacks from happening? Skeptics note that credit bureaus are already covered by data security standards under the Gramm-Leach-Bliley Act. The 1999 law requires the bureaus to ensure confidentiality of sensitive information and protect it from unauthorized access. Moreover, Equifax’s own security procedures should have closed the software vulnerability that hackers exploited, if the procedures had been followed.
“People talk about doubling fines, tripling fines,” Rep. Greg Walden, R-Ore., said. “But I don’t think we can pass a law that, excuse me for saying this, fixes stupid.”
The FTC is investigating the Equifax data breach, which could shed more light on the company’s security lapses, the timing of its decision to notify consumers, and missteps in how it handled the remediation effort.
In a letter to the agency, Sen. Mark Warner, D-Va., calls for a detailed look at the company’s practices and also asks whether penalties “to deter unreasonable data security practices” are adequate. The FTC has authority to enforce the Gramm-Leach-Bliley provisions at credit bureaus.
With so much personal identifying information already exposed, however, the job of fighting off identity thieves is primarily in the hands of individuals, one consumer advocate said.
“People have to come to the realization that nothing can be 100 percent secure,” said Edgar Dworsky, a former assistant attorney general in Massachusetts and member of the credit bureau Experian’s consumer advisory panel.
Dworsky, who founded and operates the ConsumerWorld.org site, said he expects that credit freezes in some form will become free, at least for victims of a breach.
Taking advantage of the ability to control access to your credit file should become habitual for consumers, along with other security measures such as monitoring your accounts, transactions and credit report. “You have to be constantly alert,” he said. “You shouldn’t wait until your credit card statement comes a month later to see what’s on there.”
PROPOSALS TO REFORM CREDIT REPORT SYSTEM
Measures introduced in Congress responding to the Equifax data breach:
Editor's note: This article was updated on October 12, 2017, to include Rep. Patrick McHenry's proposal, the PROTECT Act.