Legal, Regulatory, and Privacy Issues

In the wake of Equifax hack, Congress proposes credit bureau reform


Lawmakers call for changes in credit report system to protect people’s data, or at least give them more control over it

The content on this page is accurate as of the posting date; however, some of our partner offers may have expired. Please review our list of best credit cards, or use our CardMatch™ tool to find cards matched to your needs.

Editor’s note: This article was updated Oct. 2, 2018 to include new information about credit freezes.

The U.S. credit reporting system – which keeps data on nearly every American consumer – may be headed for changes designed to better secure the trove of personal information or at least give you more control over who sees your credit file.

In the wake of the Equifax breach, ideas are bubbling up from Congress, where members of both parties are incensed about the exposure of 145.5 million people’s identifying details. Equifax ex-CEO Richard Smith appeared before three congressional committees last week, and he got an earful from each of them.

Update: Freeze your credit for free – online or by phone

Starting Sept. 21, 2018, it is free to place or remove a freeze on your credit report. Here are the contact links and numbers to do so.

Be ready to supply your address and Social Security number to verify your identity. For more information about free credit freezes, read “How to free your credit: A step-by-step guide.”

“You’ve been able to accomplish something no one else could do – bring Republicans and Democrats together in outrage and frustration,” said Rep. Anna Eshoo, D-Calif.

The Equifax breach “exposed a major shortcoming in our nation’s cybersecurity laws and Congress must act,” Rep. Patrick McHenry, R-N.C., said in a statement Oct. 12.

McHenry announced a proposal to make the big three credit bureaus stop using Social Security numbers as identifiers by 2020. His PROTECT Act would also standardize credit freezes federally and subject the three largest credit bureaus to federal cybersecurity examinations, according to a bill summary.

As the vice chairman of the House Financial Services Committee and deputy House Republican whip, McHenry is viewed as an important backer for financial services legislation.

Under the present system, credit bureaus vacuum up data about individuals, mainly from lenders and other creditors. In return, you’re entitled to one free copy of your credit report per year.

You’re also entitled to dispute errors in your report – but don’t expect too much.

The three big credit bureaus – Equifax, Experian and TransUnion – get more consumer complaints aimed at them than any other companies in the U.S. Consumer Financial Protection Bureau’s complaint files. Most of the complaints concern errors in their credit reports. The companies correct the credit report cited in the complaints about 20 percent of the time, leaving the rest unchanged, CFPB records show.

After the data breach, “American consumers don’t need just answers; they need action,” said Rep. Janice Schakowsky, D-Ill.

Give consumers control of credit files
Several bills introduced would reduce or eliminate the cost of a credit freeze, giving individuals more control over who can view their credit report, and when.

Under state law, consumers may “freeze” their credit file at each credit bureau as an anti-fraud measure. That blocks identity thieves from opening new accounts with your information. But there’s usually a fee – $10 is typical – unless you are already a victim of ID theft. There also can be fees to unfreeze the file when you need credit to give lenders access to your file.

Giving consumers control of their credit is the remedy that some credit bureaus are embracing. Equifax is offering to waive its freeze fees temporarily for breach victims. But longer term, Smith repeatedly pledged to give consumers control of their files. Equifax would accomplish this via software that allows consumers to lock their file, then unlock it when they apply for credit, for free. TransUnion is also offering this ability through its free TrueIdentity online service.

Smith said the company’s software solution will work faster than state-mandated freezes, which in some cases can take days to implement when done by mail.

But some industry experts are skeptical that control offered by a credit bureau will be equal to freeze rights, which are codified by law.

“The degree it’s going to help – the devil is in the details,” said Evan Hendricks, former editor of the newsletter Privacy Times and author of “Credit Scores & Credit Reports: How The System Really Works; What You Can Do.”

“American consumers don’t need just answers; they need action.”

For example, company-provided systems are likely to be shielded by legal language that prevents users from taking the company to court if the lock malfunctions. Such language, called a mandatory arbitration clause, initially covered Equifax’s free credit monitoring service TrustedID, offered to people whose identifying details were exposed in the breach. The company removed the clause after an outcry that breach victims were being forced to sign away their legal rights.

Another problem is that the industry is not entirely on board with free credit locking. Experian, the third major bureau, has said it doesn’t plan to offer a free lock-and-unlock function. Such a move would likely cut the income of credit bureaus by reducing their opportunities to sell credit reports.

“There’s hundreds of millions of dollars being made selling credit reports,” Hendricks said. “The industry is not going to want to change that.”

Standards for data security
Schakowsky’s data security bill contains special provisions for “information brokers,” including credit bureaus. The companies would face heightened standards for information security and requirements to notify affected people as soon as possible – but no longer than 30 days after discovering the breach.

In addition, CFPB Director Richard Cordray has called for heightened authority to monitor credit bureaus.

Can regulation prevent data hacks from happening? Skeptics note that credit bureaus are already covered by data security standards under the Gramm-Leach-Bliley Act. The 1999 law requires the bureaus to ensure confidentiality of sensitive information and protect it from unauthorized access. Moreover, Equifax’s own security procedures should have closed the software vulnerability that hackers exploited, if the procedures had been followed.

“People talk about doubling fines, tripling fines,” Rep. Greg Walden, R-Ore., said. “But I don’t think we can pass a law that, excuse me for saying this, fixes stupid.”

“There’s hundreds of millions of dollars being made selling credit reports. The industry is not going to want to change that.”

What’s ahead
The FTC is investigating the Equifax data breach, which could shed more light on the company’s security lapses, the timing of its decision to notify consumers, and missteps in how it handled the remediation effort.

In a letter to the agency, Sen. Mark Warner, D-Va., calls for a detailed look at the company’s practices and also asks whether penalties “to deter unreasonable data security practices” are adequate. The FTC has authority to enforce the Gramm-Leach-Bliley provisions at credit bureaus.

With so much personal identifying information already exposed, however, the job of fighting off identity thieves is primarily in the hands of individuals, one consumer advocate said.

“People have to come to the realization that nothing can be 100 percent secure,” said Edgar Dworsky, a former assistant attorney general in Massachusetts and member of the credit bureau Experian’s consumer advisory panel.

Dworsky, who founded and operates the site, said he expects that credit freezes in some form will become free, at least for victims of a breach.

Taking advantage of the ability to control access to your credit file should become habitual for consumers, along with other security measures such as monitoring your accounts, transactions and credit report. “You have to be constantly alert,” he said. “You shouldn’t wait until your credit card statement comes a month later to see what’s on there.”

Measures introduced in Congress responding to the Equifax data breach:

  • PROTECT Act.
    • Institutes federal standards for cybersecurity at credit bureaus and subjects them to on-site examinations.
    • Creates national framework for credit freezes and reduces costs for active servicemembers, people over 65.
    • Requires the largest credit bureaus to phase out use of Social Security numbers by 2020.
    • Introduced by Rep. Patrick McHenry, R-N.C (H.R. 4028).
  • Freedom from Equifax Exploitation Act.
    • Extends fraud alerts on credit reports and expands rights to free freezes of their report for consumers.
    • Introduced by Sen. Elizabeth Warren, D-Mass. (S.1816).
  • Free Credit Freeze Act.
    • Makes credit freezes and un-freezes free to consumers.
    • Introduced by Sen. Ron Wyden, D-Ore (S-1810); Rep. Ben Lujan, D-N.M. (H.R. 3878).
  • Credit Information Protection Act.
    • Makes credit freezes free from a credit bureau that has been affected by a data breach.
    • Introduced by Rep. James Himes, D-Conn. (H.R. 3766).
  • Secure and Protect Americans’ Data Act.
    • Tells Federal Trade Commission to regulate data security at companies including credit bureaus, and institutes notification requirements after a data breach.
    • Introduced by Rep. Janice Schakowsky, D-Ill. (H.R. 3896).
  • Comprehensive Consumer Credit Reporting Reform Act of 2017.
    • Improves access to credit freezes and reduces cost to $3, or free for certain seniors and active military service members; bans use of credit information for hiring decisions; enhances consumers rights in appealing disputes; tightens standards for accuracy of reports, among other provisions.
    • Introduced by Rep. Maxine Waters, D-Calif. (H.R. 3755).
  • SECURE Act.
    • Heightens accuracy standards for information contained in credit reports and gives consumers stronger legal rights to block reports containing errors.
    • Introduced by Sen Brian Schatz, D-Hawaii (S. 1786).

Editor’s note: This article was update on October 12, 2017, to include Rep. Patrick McHenry’s proposal, the PROTECT Act.

See related: 1 in 4 Americans checked their credit after Equifax breach, Ex-CEO of Equifax proposes consumers control their credit files

Editorial Disclaimer

The editorial content on this page is based solely on the objective assessment of our writers and is not driven by advertising dollars. It has not been provided or commissioned by the credit card issuers. However, we may receive compensation when you click on links to products from our partners.

What’s up next?

In Legal, Regulatory, and Privacy Issues

3 immigrants share how they achieved credit scores over 750

Immigrants can achieve high credit scores in the U.S., even though our system is confusing

See more stories
Credit Card Rate Report
Cash Back

Questions or comments?

Contact us

Editorial corrections policies

Learn more