But consumers have better, sometimes free, ID theft protection tools
Expert on consumer credit laws and regulations
Five months after learning about the massive data theft at Equifax,
consumers’ best hope to protect their identity is … still their own efforts.
Hackers took more than 145 million people’s Social Security
numbers and other keys to identity, sparking a raft of investigations, lawsuits
and reform proposals in Congress.
But despite outrage at Equifax’s security breach – and the 47-day period
before victims were notified in September – disagreement over new security and notification standards is delaying tougher rules and penalties.
“My concern is, when you start to talk about a national
standard, dealing with members of Congress from all different states, the
national standard is usually a race to the bottom,” said Rep. Maxine Waters,
Waters made the remarks during a Feb. 14 hearing
of the House Subcommittee on Financial Institutions and Consumer Credit,
which highlighted divisions over how to tighten data security.
Meanwhile, some credit bureaus have offered online tools
that let consumers control access to their credit reports, helping block fraud.
Options offered by
credit bureaus to ‘lock’ your credit report
- Equifax released a free mobile and desktop app in
January that lets you lock and unlock your Equifax credit file electronically,
in less than one minute. The Lock
& Alert service follows the company’s pledge to give individuals
control over their credit file for free, permanently.
However, you have to
agree to terms and conditions that allow the company to store your information
and share it in limited circumstances. The company had previously offered one
year of free access to its existing TrustedID credit control tool. People who
signed up for TrustedID after the breach should switch to the free-for-life
Lock & Alert.
- TransUnion’s free TrueIdentity service also lets you
lock and unlock your credit report. However, sign-up includes a class-action
waiver that blocks your right to take the company to court – a red flag to
consumer rights experts.
Sign-up also means you will receive offers from
TransUnion and partners, the terms
agreement states. The TrueIdentity page has several links to fee-based extras
including credit monitoring. TransUnion has not issued a pledge that the
service will always be free.
- Experian, the third major credit bureau, has not
announced plans for a free credit lock. Its existing CreditLock service is
available as part of a service called
IdentityWorks for $9.99 a month.
Some services provided by credit bureaus offer free locking
and unlocking of credit reports – similar to state-mandated credit
freezes, which typically cost about $10 per credit bureau.
provided by credit bureaus fall short of the no-strings-attached control that
consumer advocates call for. “Folks need to make sure that what they’re saying
is free is really free,” said Ira Rheingold, executive director of the National
Association of Consumer Advocates.
“Folks need to make sure that what they’re saying is free is really free.”
The debate over
national standards for data security laws
Business groups call
for a flexible national standard, tailored to different industries, to replace
an array of breach notification rules under state laws. Opponents don’t want to
toss out existing consumer protection at the state level.
“Federal standards should be a baseline standard … which
allows states to regulate upward and respond to privacy threats as they
emerge,” said Marc Rotenberg, president of the Electronic Privacy Information
Center at the subcommittee hearing.
One key point: Data security laws won’t prevent future
breaches, experts said.
“No solution we devise can be perfect – nothing will solve [data breaches] altogether,” said Paul Rosenzweig, senior fellow at the market-oriented
R Street Institute and a law lecturer at Georgetown University.
The penetration of Equifax systems occurred from May through
July in 2017, the company announced
in September, exposing driver’s license numbers, birth dates and addresses
in addition to Social Security numbers, and in some cases other identifiers.
The hack puts people at risk of having their accounts
hijacked or their identity stolen by fraudsters using their identifying details
– although the stolen data has not turned up on hacker websites yet.
“No solution we devise can be perfect – nothing will solve [data breaches] altogether.”
monitoring and locking bills still pending in Congress
Credit bureaus profiting by selling ID theft protection became
a flashpoint for anger after the breach, sparking calls for free credit monitoring
and credit locking.
Efforts to make credit freezes free for consumers are
continuing. More than one bill pending in Congress would give consumers control
over their credit file, and advocates are pushing the idea.
“I think the message of this being an important issue was
received loud and clear,” said Eva Velasquez, president of the nonprofit Identity Theft Resource Center.
Velasquez, formerly a fraud investigator in the San Diego
District Attorney’s office, launched an online petition for free credit freezes
after the breach. The drive delivered 150,000 signatures to the CEOs of the big
three credit bureaus – none of whom responded, she said.
She said that an official credit freeze is more secure than
company-provided services such as Lock & Alert, which permits credit
reports to be viewed by prospective employers and by companies offering pre-approved
However, Equifax’s lock does shut out applications for new loans,
credit cards and bank accounts, a powerful tool for fighting fraud.
“Both the lock and the freeze stop opening of a new line of
credit,” Velasquez said.
Equifax’s price to
pay for data breach still pending, too
Meanwhile, like new security measures, penalties for the credit bureau’s security
lapse are still in the works:
- Equifax initially faced more than 240 class-action
lawsuits in the U.S. and Canada as a result of the breach, according to its financial
disclosure statement at the U.S. Securities and Exchange Commission.
for damages are coming from investors and financial institutions as well as from
consumers whose data was stolen. The lawsuits are being combined into one
multi-district lawsuit in federal court.
- Investigations are underway by the U.S. Federal
Trade Commission – which enforces data security standards at credit bureaus
under the Gramm-Leach-Bliley
Act – the Consumer Financial Protection Bureau, the SEC, state bank
regulators and 50 state attorneys general, among other U.S. and international
- The SEC and the Justice Department are
investigating stock sales by three company executives that occurred before the
breach was made public. A panel of Equifax independent board members cleared
the three of wrongdoing, saying they learned about the possible breach in
August, after they had sold their shares.
However, Equifax said it has received
subpoenas concerning the stock sales from the SEC and the U.S. Attorney’s
Office in Atlanta. The company’s shares lost one-third of their value in the
days after the breach was announced.
“When settlements get reached, or the case goes to trial, a lot of people will be looking closely to see that it is something that really does punish [Equifax] and provides real remedies to consumers.”
What’s next for
class-action suits against Equifax
The consumer lawsuits against Equifax are being combined
into a “multi-district litigation” case in U.S. District Court in Atlanta,
where Equifax is headquartered.
The letters let consumers opt out of the case if they have an
individual claim that would likely be larger than what’s available to them
through the class action.
“When settlements get reached, or the case goes to trial, a
lot of people will be looking closely to see that it is something that really
does punish them,” Rheingold said, “and provides real remedies to consumers.”
Bills in Congress on data security, consumer protection
Numerous identity data security bills are pending in the 115th Congress. None has passed the committee-level review necessary to go to a vote
of the full House or Senate.
- Data Breach
Prevention and Compensation Act of 2018, S. 2289: Creates an Office of Cybersecurity at the U.S. Federal Trade Commission to supervise
data security at consumer reporting agencies, write regulations and enforce
- Consumer Privacy
Protection Act of 2017; S. 2124, H.R. 4081: To prevent and mitigate identity theft, require notice of security breaches
involving sensitive personal information
- PROTECT Act, H.R.
4028: Sets federal standards for cybersecurity at credit bureaus and subjects
them to on-site examinations. Creates national framework for credit freezes and
- Freedom from Equifax
Exploitation Act, S. 1816: Extends fraud alerts on credit reports and expands consumers’ rights to
free freezes of their report.
- Free Credit Freeze
Act; S. 1810, H.R. 3878: Makes credit freezes and un-freezes free to consumers.
- Credit Information
Protection Act of 2017, H.R. 3766: Makes credit freezes free from a credit bureau that has been affected by a
- Secure and Protect
Americans’ Data Act, H.R. 3896: Tells FTC to regulate data security at companies including credit bureaus; sets
notification requirements after a data breach.
- Comprehensive Consumer Credit Reporting Reform Act of 2017, H.R. 3755: Improves access to credit freezes and reduces cost; bans use of credit
information for hiring decisions; enhances consumer rights in appealing
disputes; tightens standards for accuracy of reports, among other provisions.
- Stopping Errors in Consumer Use and Reporting (SECURE) Act of 2017, S. 1786: Heightens accuracy standards for credit report information and gives
consumers stronger legal rights to block reports containing errors.
See related: How credit freezes work, what they cost, Poll: 1 in 4 Americans checked their credit after Equifax breach
Three most recent Legal, regulatory, privacy issues stories: