Five months after Equifax data breach, debate over security rules continues, but new tools let individuals lock their credit files.
Editor’s note: This article was updated Oct. 2, 2018 to include new information about credit freezes.
Five months after learning about the massive data theft at Equifax, consumers’ best hope to protect their identity is … still their own efforts.Hackers took more than 145 million people’s Social Security numbers and other keys to identity, sparking a raft of investigations, lawsuits and reform proposals in Congress.
But despite outrage at Equifax’s security breach – and the 47-day period before victims were notified in September – disagreement over new security and notification standards is delaying tougher rules and penalties.
“My concern is, when you start to talk about a national standard, dealing with members of Congress from all different states, the national standard is usually a race to the bottom,” said Rep. Maxine Waters, D-Calif.
Waters made the remarks during a Feb. 14 hearing of the House Subcommittee on Financial Institutions and Consumer Credit, which highlighted divisions over how to tighten data security.
Meanwhile, some credit bureaus have offered online tools that let consumers control access to their credit reports, helping block fraud.
Options offered by credit bureaus to ‘lock’ your credit report
- Equifax released a free mobile and desktop app in January that lets you lock and unlock your Equifax credit file electronically, in less than one minute. The Lock & Alert service follows the company’s pledge to give individuals control over their credit file for free, permanently.
However, you have to agree to terms and conditions that allow the company to store your information and share it in limited circumstances. The company had previously offered one year of free access to its existing TrustedID credit control tool. People who signed up for TrustedID after the breach should switch to the free-for-life Lock & Alert.
- TransUnion’s free TrueIdentity service also lets you lock and unlock your credit report. However, sign-up includes a class-action waiver that blocks your right to take the company to court – a red flag to consumer rights experts.
Sign-up also means you will receive offers from TransUnion and partners, the terms agreement states. The TrueIdentity page has several links to fee-based extras including credit monitoring. TransUnion has not issued a pledge that the service will always be free.
- Experian, the third major credit bureau, has not announced plans for a free credit lock. Its existing CreditLock service is available as part of a service called IdentityWorks for $9.99 a month.
Freeze your credit for free – online or by phone
Starting Sept. 21, 2018, it is free to place or remove a freeze on your credit report. Here are the contact links and numbers to do so.
Be ready to supply your address and Social Security number to verify your identity. For more information about free credit freezes, read “How to free your credit: A step-by-step guide.”
Some services provided by credit bureaus offer free locking and unlocking of credit reports – similar credit freezes.
However, locks provided by credit bureaus fall short of the no-strings-attached control that consumer advocates call for. “Folks need to make sure that what they’re saying is free is really free,” said Ira Rheingold, executive director of the National Association of Consumer Advocates.
The debate over national standards for data security laws
Business groups call for a flexible national standard, tailored to different industries, to replace an array of breach notification rules under state laws. Opponents don’t want to toss out existing consumer protection at the state level.
“Federal standards should be a baseline standard … which allows states to regulate upward and respond to privacy threats as they emerge,” said Marc Rotenberg, president of the Electronic Privacy Information Center at the subcommittee hearing.
One key point: Data security laws won’t prevent future breaches, experts said.
“No solution we devise can be perfect – nothing will solve [data breaches] altogether,” said Paul Rosenzweig, senior fellow at the market-oriented R Street Institute and a law lecturer at Georgetown University.
The penetration of Equifax systems occurred from May through July in 2017, the company announced in September, exposing driver’s license numbers, birth dates and addresses in addition to Social Security numbers, and in some cases other identifiers.
The hack puts people at risk of having their accounts hijacked or their identity stolen by fraudsters using their identifying details – although the stolen data has not turned up on hacker websites yet.
Free credit monitoring and locking bills still pending in Congress
Credit bureaus profiting by selling ID theft protection became a flashpoint for anger after the breach, sparking calls for free credit monitoring and credit locking.
Efforts to make credit freezes free for consumers are continuing. More than one bill pending in Congress would give consumers control over their credit file, and advocates are pushing the idea.
“I think the message of this being an important issue was received loud and clear,” said Eva Velasquez, president of the nonprofit Identity Theft Resource Center.
More on the Equifax data breach:
Velasquez, formerly a fraud investigator in the San Diego District Attorney’s office, launched an online petition for free credit freezes after the breach. The drive delivered 150,000 signatures to the CEOs of the big three credit bureaus – none of whom responded, she said.
She said that an official credit freeze is more secure than company-provided services such as Lock & Alert, which permits credit reports to be viewed by prospective employers and by companies offering pre-approved insurance.
However, Equifax’s lock does shut out applications for new loans, credit cards and bank accounts, a powerful tool for fighting fraud.
“Both the lock and the freeze stop opening of a new line of credit,” Velasquez said.
Equifax’s price to pay for data breach still pending, too
Meanwhile, like new security measures, penalties for the credit bureau’s security lapse are still in the works:
- Equifax initially faced more than 240 class-action lawsuits in the U.S. and Canada as a result of the breach, according to its financial disclosure statement at the U.S. Securities and Exchange Commission.
Claims for damages are coming from investors and financial institutions as well as from consumers whose data was stolen. The lawsuits are being combined into one multi-district lawsuit in federal court.
- Investigations are underway by the U.S. Federal Trade Commission – which enforces data security standards at credit bureaus under the Gramm-Leach-Bliley Act – the Consumer Financial Protection Bureau, the SEC, state bank regulators and 50 state attorneys general, among other U.S. and international authorities.
- The SEC and the Justice Department are investigating stock sales by three company executives that occurred before the breach was made public. A panel of Equifax independent board members cleared the three of wrongdoing, saying they learned about the possible breach in August, after they had sold their shares.
However, Equifax said it has received subpoenas concerning the stock sales from the SEC and the U.S. Attorney’s Office in Atlanta. The company’s shares lost one-third of their value in the days after the breach was announced.
What’s next for class-action suits against Equifax
The consumer lawsuits against Equifax are being combined into a “multi-district litigation” case in U.S. District Court in Atlanta, where Equifax is headquartered.
The letters let consumers opt out of the case if they have an individual claim that would likely be larger than what’s available to them through the class action.
“When settlements get reached, or the case goes to trial, a lot of people will be looking closely to see that it is something that really does punish them,” Rheingold said, “and provides real remedies to consumers.”
Bills in Congress on data security, consumer protection
Numerous identity data security bills are pending in the 115th Congress. None has passed the committee-level review necessary to go to a vote of the full House or Senate.
- Data Breach Prevention and Compensation Act of 2018, S. 2289: Creates an Office of Cybersecurity at the U.S. Federal Trade Commission to supervise data security at consumer reporting agencies, write regulations and enforce penalties.
- Consumer Privacy Protection Act of 2017; S. 2124, H.R. 4081: To prevent and mitigate identity theft, require notice of security breaches involving sensitive personal information
- PROTECT Act, H.R. 4028: Sets federal standards for cybersecurity at credit bureaus and subjects them to on-site examinations. Creates national framework for credit freezes and reduces costs.
- Freedom from Equifax Exploitation Act, S. 1816: Extends fraud alerts on credit reports and expands consumers’ rights to free freezes of their report.
- Free Credit Freeze Act; S. 1810, H.R. 3878: Makes credit freezes and un-freezes free to consumers.
- Credit Information Protection Act of 2017, H.R. 3766: Makes credit freezes free from a credit bureau that has been affected by a data breach.
- Secure and Protect Americans’ Data Act, H.R. 3896: Tells FTC to regulate data security at companies including credit bureaus; sets notification requirements after a data breach.
- Comprehensive Consumer Credit Reporting Reform Act of 2017, H.R. 3755: Improves access to credit freezes and reduces cost; bans use of credit information for hiring decisions; enhances consumer rights in appealing disputes; tightens standards for accuracy of reports, among other provisions.
- Stopping Errors in Consumer Use and Reporting (SECURE) Act of 2017, S. 1786: Heightens accuracy standards for credit report information and gives consumers stronger legal rights to block reports containing errors.