Research and Statistics

5 months after Equifax breach, no new data security rules


Five months after Equifax data breach, debate over security rules continues, but new tools let individuals lock their credit files.

The content on this page is accurate as of the posting date; however, some of our partner offers may have expired. Please review our list of best credit cards, or use our CardMatch™ tool to find cards matched to your needs.

Editor’s note: This article was updated Oct. 2, 2018 to include new information about credit freezes.

Five months after learning about the massive data theft at Equifax, consumers’ best hope to protect their identity is … still their own efforts.

Hackers took more than 145 million people’s Social Security numbers and other keys to identity, sparking a raft of investigations, lawsuits and reform proposals in Congress.

But despite outrage at Equifax’s security breach – and the 47-day period before victims were notified in September – disagreement over new security and notification standards is delaying tougher rules and penalties.

“My concern is, when you start to talk about a national standard, dealing with members of Congress from all different states, the national standard is usually a race to the bottom,” said Rep. Maxine Waters, D-Calif.

Waters made the remarks during a Feb. 14 hearing of the House Subcommittee on Financial Institutions and Consumer Credit, which highlighted divisions over how to tighten data security.

Meanwhile, some credit bureaus have offered online tools that let consumers control access to their credit reports, helping block fraud.

Options offered by credit bureaus to ‘lock’ your credit report

  • Equifax released a free mobile and desktop app in January that lets you lock and unlock your Equifax credit file electronically, in less than one minute. The Lock & Alert service follows the company’s pledge to give individuals control over their credit file for free, permanently.
    However, you have to agree to terms and conditions that allow the company to store your information and share it in limited circumstances. The company had previously offered one year of free access to its existing TrustedID credit control tool. People who signed up for TrustedID after the breach should switch to the free-for-life Lock & Alert.
  • TransUnion’s free TrueIdentity service also lets you lock and unlock your credit report. However, sign-up includes a class-action waiver that blocks your right to take the company to court – a red flag to consumer rights experts.
    Sign-up also means you will receive offers from TransUnion and partners, the terms agreement states. The TrueIdentity page has several links to fee-based extras including credit monitoring. TransUnion has not issued a pledge that the service will always be free.
  • Experian, the third major credit bureau, has not announced plans for a free credit lock. Its existing CreditLock service is available as part of a service called IdentityWorks for $9.99 a month.

Freeze your credit for free – online or by phone

Starting Sept. 21, 2018, it is free to place or remove a freeze on your credit report. Here are the contact links and numbers to do so.

Be ready to supply your address and Social Security number to verify your identity. For more information about free credit freezes, read “How to free your credit: A step-by-step guide.”

Some services provided by credit bureaus offer free locking and unlocking of credit reports – similar credit freezes.

However, locks provided by credit bureaus fall short of the no-strings-attached control that consumer advocates call for. “Folks need to make sure that what they’re saying is free is really free,” said Ira Rheingold, executive director of the National Association of Consumer Advocates.

“Folks need to make sure that what they’re saying is free is really free.”

The debate over national standards for data security laws

Business groups call for a flexible national standard, tailored to different industries, to replace an array of breach notification rules under state laws. Opponents don’t want to toss out existing consumer protection at the state level.

“Federal standards should be a baseline standard … which allows states to regulate upward and respond to privacy threats as they emerge,” said Marc Rotenberg, president of the Electronic Privacy Information Center at the subcommittee hearing.

One key point: Data security laws won’t prevent future breaches, experts said.

“No solution we devise can be perfect – nothing will solve [data breaches] altogether,” said Paul Rosenzweig, senior fellow at the market-oriented R Street Institute and a law lecturer at Georgetown University.

The penetration of Equifax systems occurred from May through July in 2017, the company announced in September, exposing driver’s license numbers, birth dates and addresses in addition to Social Security numbers, and in some cases other identifiers.

The hack puts people at risk of having their accounts hijacked or their identity stolen by fraudsters using their identifying details – although the stolen data has not turned up on hacker websites yet.

“No solution we devise can be perfect – nothing will solve [data breaches] altogether.”

Free credit monitoring and locking bills still pending in Congress

Credit bureaus profiting by selling ID theft protection became a flashpoint for anger after the breach, sparking calls for free credit monitoring and credit locking.

Efforts to make credit freezes free for consumers are continuing. More than one bill pending in Congress would give consumers control over their credit file, and advocates are pushing the idea.

“I think the message of this being an important issue was received loud and clear,” said Eva Velasquez, president of the nonprofit Identity Theft Resource Center.

Equifax data breach stories

    More on the Equifax data breach:

  • Q&A: What to know, what to do about Equifax data breach
  • How to avoid unnecessary fraud freezes in the wake of the Equifax data breach

Velasquez, formerly a fraud investigator in the San Diego District Attorney’s office, launched an online petition for free credit freezes after the breach. The drive delivered 150,000 signatures to the CEOs of the big three credit bureaus – none of whom responded, she said.

She said that an official credit freeze is more secure than company-provided services such as Lock & Alert, which permits credit reports to be viewed by prospective employers and by companies offering pre-approved insurance.

However, Equifax’s lock does shut out applications for new loans, credit cards and bank accounts, a powerful tool for fighting fraud.

“Both the lock and the freeze stop opening of a new line of credit,” Velasquez said.

Equifax’s price to pay for data breach still pending, too

Meanwhile, like new security measures, penalties for the credit bureau’s security lapse are still in the works:

  • Equifax initially faced more than 240 class-action lawsuits in the U.S. and Canada as a result of the breach, according to its financial disclosure statement at the U.S. Securities and Exchange Commission.
    Claims for damages are coming from investors and financial institutions as well as from consumers whose data was stolen. The lawsuits are being combined into one multi-district lawsuit in federal court.
  • Investigations are underway by the U.S. Federal Trade Commission – which enforces data security standards at credit bureaus under the Gramm-Leach-Bliley Act – the Consumer Financial Protection Bureau, the SEC, state bank regulators and 50 state attorneys general, among other U.S. and international authorities.
  • The SEC and the Justice Department are investigating stock sales by three company executives that occurred before the breach was made public. A panel of Equifax independent board members cleared the three of wrongdoing, saying they learned about the possible breach in August, after they had sold their shares.
    However, Equifax said it has received subpoenas concerning the stock sales from the SEC and the U.S. Attorney’s Office in Atlanta. The company’s shares lost one-third of their value in the days after the breach was announced.
“When settlements get reached, or the case goes to trial, a lot of people will be looking closely to see that it is something that really does punish [Equifax] and provides real remedies to consumers.”

What’s next for class-action suits against Equifax

The consumer lawsuits against Equifax are being combined into a “multi-district litigation” case in U.S. District Court in Atlanta, where Equifax is headquartered.

The case, under Judge Thomas W. Thrash Jr., will eventually generate letters notifying breach victims of their membership in the class, legal experts said.

The letters let consumers opt out of the case if they have an individual claim that would likely be larger than what’s available to them through the class action.

“When settlements get reached, or the case goes to trial, a lot of people will be looking closely to see that it is something that really does punish them,” Rheingold said, “and provides real remedies to consumers.”

Bills in Congress on data security, consumer protection

Numerous identity data security bills are pending in the 115th Congress. None has passed the committee-level review necessary to go to a vote of the full House or Senate.

  • Data Breach Prevention and Compensation Act of 2018, S. 2289: Creates an Office of Cybersecurity at the U.S. Federal Trade Commission to supervise data security at consumer reporting agencies, write regulations and enforce penalties.
  • Consumer Privacy Protection Act of 2017; S. 2124, H.R. 4081: To prevent and mitigate identity theft, require notice of security breaches involving sensitive personal information
  • PROTECT Act, H.R. 4028: Sets federal standards for cybersecurity at credit bureaus and subjects them to on-site examinations. Creates national framework for credit freezes and reduces costs.
  • Freedom from Equifax Exploitation Act, S. 1816: Extends fraud alerts on credit reports and expands consumers’ rights to free freezes of their report.
  • Free Credit Freeze Act; S. 1810, H.R. 3878: Makes credit freezes and un-freezes free to consumers.
  • Credit Information Protection Act of 2017, H.R. 3766: Makes credit freezes free from a credit bureau that has been affected by a data breach.
  • Secure and Protect Americans’ Data Act, H.R. 3896: Tells FTC to regulate data security at companies including credit bureaus; sets notification requirements after a data breach.
  • Comprehensive Consumer Credit Reporting Reform Act of 2017H.R. 3755: Improves access to credit freezes and reduces cost; bans use of credit information for hiring decisions; enhances consumer rights in appealing disputes; tightens standards for accuracy of reports, among other provisions.
  • Stopping Errors in Consumer Use and Reporting (SECURE) Act of 2017S. 1786: Heightens accuracy standards for credit report information and gives consumers stronger legal rights to block reports containing errors.

See related: How credit freezes work, what they cost, Poll: 1 in 4 Americans checked their credit after Equifax breach

Editorial Disclaimer

The editorial content on this page is based solely on the objective assessment of our writers and is not driven by advertising dollars. It has not been provided or commissioned by the credit card issuers. However, we may receive compensation when you click on links to products from our partners.

What’s up next?

In Research and Statistics

Credit card comeback from recession nearly complete

New card accounts have risen to the level just below 2007, says American Bankers Association data

See more stories
Credit Card Rate Report
Cash Back

Questions or comments?

Contact us

Editorial corrections policies

Learn more