In the wake of Equifax hack, Congress proposes credit bureau reform

Lawmakers call for changes to protect people's data, or at least give them more control over it

Fred O. Williams
Senior Reporter
Expert on consumer credit laws and regulations

In the wake of Equifax hack, Congress proposes credit bureau reform

 

The U.S. credit reporting system – which keeps data on nearly every American consumer – may be headed for changes designed to better secure the trove of personal information or at least give you more control over who sees your credit file.

In the wake of the Equifax breach, ideas are bubbling up from Congress, where members of both parties are incensed about the exposure of 145.5 million people’s identifying details. Equifax ex-CEO Richard Smith appeared before three congressional committees last week, and he got an earful from each of them.

“You’ve been able to accomplish something no one else could do – bring Republicans and Democrats together in outrage and frustration,” said Rep. Anna Eshoo, D-Calif.

The Equifax breach “exposed a major shortcoming in our nation’s cybersecurity laws and Congress must act,” Rep. Patrick McHenry, R-N.C., said in a statement Oct. 12.

McHenry announced a proposal to make the big three credit bureaus stop using Social Security numbers as identifiers by 2020. His PROTECT Act would also standardize credit freezes federally and subject the three largest credit bureaus to federal cybersecurity examinations, according to a bill summary.

As the vice chairman of the House Financial Services Committee and deputy House Republican whip, McHenry is viewed as an important backer for financial services legislation.

Under the present system, credit bureaus vacuum up data about individuals, mainly from lenders and other creditors. In return, you’re entitled to one free copy of your credit report per year.

You’re also entitled to dispute errors in your report – but don’t expect too much.

The three big credit bureaus – Equifax, Experian and TransUnion – get more consumer complaints aimed at them than any other companies in the U.S. Consumer Financial Protection Bureau’s complaint files. Most of the complaints concern errors in their credit reports. The companies correct the credit report cited in the complaints about 20 percent of the time, leaving the rest unchanged, CFPB records show.

After the data breach, “American consumers don’t need just answers; they need action,” said Rep. Janice Schakowsky, D-Ill.

Give consumers control of credit files
Several bills introduced would reduce or eliminate the cost of a credit freeze, giving individuals more control over who can view their credit report, and when.

Under state law, consumers may “freeze” their credit file at each credit bureau as an anti-fraud measure. That blocks identity thieves from opening new accounts with your information. But there’s usually a fee – $10 is typical – unless you are already a victim of ID theft. There also can be fees to unfreeze the file when you need credit to give lenders access to your file.

Giving consumers control of their credit is the remedy that some credit bureaus are embracing. Equifax is offering to waive its freeze fees temporarily for breach victims. But longer term, Smith repeatedly pledged to give consumers control of their files. Equifax would accomplish this via software that allows consumers to lock their file, then unlock it when they apply for credit, for free. TransUnion is also offering this ability through its free TrueIdentity online service.

Smith said the company’s software solution will work faster than state-mandated freezes, which in some cases can take days to implement when done by mail.

But some industry experts are skeptical that control offered by a credit bureau will be equal to freeze rights, which are codified by law.

“The degree it’s going to help – the devil is in the details,” said Evan Hendricks, former editor of the newsletter Privacy Times and author of “Credit Scores & Credit Reports: How The System Really Works; What You Can Do.”

“American consumers don’t need just answers; they need action.”

For example, company-provided systems are likely to be shielded by legal language that prevents users from taking the company to court if the lock malfunctions. Such language, called a mandatory arbitration clause, initially covered Equifax’s free credit monitoring service TrustedID, offered to people whose identifying details were exposed in the breach. The company removed the clause after an outcry that breach victims were being forced to sign away their legal rights.

Another problem is that the industry is not entirely on board with free credit locking. Experian, the third major bureau, has said it doesn’t plan to offer a free lock-and-unlock function. Such a move would likely cut the income of credit bureaus by reducing their opportunities to sell credit reports.

“There’s hundreds of millions of dollars being made selling credit reports,” Hendricks said. “The industry is not going to want to change that.”

Standards for data security
Schakowsky’s data security bill contains special provisions for “information brokers,” including credit bureaus. The companies would face heightened standards for information security and requirements to notify affected people as soon as possible – but no longer than 30 days after discovering the breach.

In addition, CFPB Director Richard Cordray has called for heightened authority to monitor credit bureaus.

Can regulation prevent data hacks from happening? Skeptics note that credit bureaus are already covered by data security standards under the Gramm-Leach-Bliley Act. The 1999 law requires the bureaus to ensure confidentiality of sensitive information and protect it from unauthorized access. Moreover, Equifax’s own security procedures should have closed the software vulnerability that hackers exploited, if the procedures had been followed.

“People talk about doubling fines, tripling fines,” Rep. Greg Walden, R-Ore., said. “But I don’t think we can pass a law that, excuse me for saying this, fixes stupid.”

“There’s hundreds of millions of dollars being made selling credit reports. The industry is not going to want to change that.”

What’s ahead
The FTC is investigating the Equifax data breach, which could shed more light on the company’s security lapses, the timing of its decision to notify consumers, and missteps in how it handled the remediation effort.

In a letter to the agency, Sen. Mark Warner, D-Va., calls for a detailed look at the company’s practices and also asks whether penalties “to deter unreasonable data security practices” are adequate. The FTC has authority to enforce the Gramm-Leach-Bliley provisions at credit bureaus.

With so much personal identifying information already exposed, however, the job of fighting off identity thieves is primarily in the hands of individuals, one consumer advocate said.

“People have to come to the realization that nothing can be 100 percent secure,” said Edgar Dworsky, a former assistant attorney general in Massachusetts and member of the credit bureau Experian’s consumer advisory panel.

Dworsky, who founded and operates the ConsumerWorld.org site, said he expects that credit freezes in some form will become free, at least for victims of a breach.

Taking advantage of the ability to control access to your credit file should become habitual for consumers, along with other security measures such as monitoring your accounts, transactions and credit report. “You have to be constantly alert,” he said. “You shouldn’t wait until your credit card statement comes a month later to see what’s on there.”

PROPOSALS TO REFORM CREDIT REPORT SYSTEM
Measures introduced in Congress responding to the Equifax data breach:
  • PROTECT Act.
    • Institutes federal standards for cybersecurity at credit bureaus and subjects them to on-site examinations. 
    • Creates national framework for credit freezes and reduces costs for active servicemembers, people over 65. 
    • Requires the largest credit bureaus to phase out use of Social Security numbers by 2020.
    • Introduced by Rep. Patrick McHenry, R-N.C (H.R. 4028). 
  • Freedom from Equifax Exploitation Act.
    • Extends fraud alerts on credit reports and expands rights to free freezes of their report for consumers. 
    • Introduced by Sen. Elizabeth Warren, D-Mass. (S.1816).
  • Free Credit Freeze Act.
    • Makes credit freezes and un-freezes free to consumers.
    • Introduced by Sen. Ron Wyden, D-Ore (S-1810); Rep. Ben Lujan, D-N.M. (H.R. 3878). 
  • Credit Information Protection Act. 
    • Makes credit freezes free from a credit bureau that has been affected by a data breach. 
    • Introduced by Rep. James Himes, D-Conn. (H.R. 3766).
  • Secure and Protect Americans’ Data Act.
    • Tells Federal Trade Commission to regulate data security at companies including credit bureaus, and institutes notification requirements after a data breach. 
    • Introduced by Rep. Janice Schakowsky, D-Ill. (H.R. 3896).
  • Comprehensive Consumer Credit Reporting Reform Act of 2017. 
    • Improves access to credit freezes and reduces cost to $3, or free for certain seniors and active military service members; bans use of credit information for hiring decisions; enhances consumers rights in appealing disputes; tightens standards for accuracy of reports, among other provisions.
    • Introduced by Rep. Maxine Waters, D-Calif. (H.R. 3755).
  • SECURE Act.
    • Heightens accuracy standards for information contained in credit reports and gives consumers stronger legal rights to block reports containing errors.
    • Introduced by Sen Brian Schatz, D-Hawaii (S. 1786).

Editor's note: This article was update on October 12, 2017, to include Rep. Patrick McHenry's proposal, the PROTECT Act.

See related: 1 in 4 Americans checked their credit after Equifax breach, Ex-CEO of Equifax proposes consumers control their credit files


Join the discussion
We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, do not disclose confidential or personal information such as bank account numbers or social security numbers. Anything you post may be disclosed, published, transmitted or reused.

If you are commenting using a Facebook account, your profile information may be displayed with your comment depending on your privacy settings. By leaving the 'Post to Facebook' box selected, your comment will be published to your Facebook profile in addition to the space below.

The editorial content on CreditCards.com is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.




Weekly newsletter
Get the latest news, advice, articles and tips delivered to your inbox. It's FREE.


Updated: 12-13-2017