5 months after Equifax breach, no new data security rules

0
370


[ccpw id=”6606″]

But consumers have better, sometimes free, ID theft protection tools

Senior Reporter
Expert on consumer credit laws and regulations

lock and alert

Five months after learning about the massive data theft at Equifax,
consumers’ best hope to protect their identity is … still their own efforts.

Hackers took more than 145 million people’s Social Security
numbers and other keys to identity, sparking a raft of investigations, lawsuits
and reform proposals in Congress.

But despite outrage at Equifax’s security breach – and the 47-day period
before victims were notified in September – disagreement over new security and notification standards is delaying tougher rules and penalties.

“My concern is, when you start to talk about a national
standard, dealing with members of Congress from all different states, the
national standard is usually a race to the bottom,” said Rep. Maxine Waters,
D-Calif.

Waters made the remarks during a Feb. 14 hearing
of the House Subcommittee on Financial Institutions and Consumer Credit,
which highlighted divisions over how to tighten data security.

Meanwhile, some credit bureaus have offered online tools
that let consumers control access to their credit reports, helping block fraud.

Options offered by
credit bureaus to ‘lock’ your credit report

  • Equifax released a free mobile and desktop app in
    January
    that lets you lock and unlock your Equifax credit file electronically,
    in less than one minute. The Lock
    & Alert
    service follows the company’s pledge to give individuals
    control over their credit file for free, permanently.
    However, you have to
    agree to terms and conditions that allow the company to store your information
    and share it in limited circumstances. The company had previously offered one
    year of free access to its existing TrustedID credit control tool. People who
    signed up for TrustedID after the breach should switch to the free-for-life
    Lock & Alert.

  • TransUnion’s free TrueIdentity service also lets you
    lock and unlock your credit report
    . However, sign-up includes a class-action
    waiver that blocks your right to take the company to court – a red flag to
    consumer rights experts.
    Sign-up also means you will receive offers from
    TransUnion and partners, the terms
    agreement
    states. The TrueIdentity page has several links to fee-based extras
    including credit monitoring. TransUnion has not issued a pledge that the
    service will always be free.

  • Experian, the third major credit bureau, has not
    announced plans for a free credit lock
    . Its existing CreditLock service is
    available as part of a service called
    IdentityWorks
    for $9.99 a month. 

Some services provided by credit bureaus offer free locking
and unlocking of credit reports – similar to state-mandated credit
freezes
, which typically cost about $10 per credit bureau.

However, locks
provided by credit bureaus fall short of the no-strings-attached control that
consumer advocates call for. “Folks need to make sure that what they’re saying
is free is really free,” said Ira Rheingold, executive director of the National
Association of Consumer Advocates.

“Folks need to make sure that what they’re saying is free is really free.”

The debate over
national standards for data security laws

Business groups call
for a flexible national standard, tailored to different industries, to replace
an array of breach notification rules under state laws. Opponents don’t want to
toss out existing consumer protection at the state level.

“Federal standards should be a baseline standard … which
allows states to regulate upward and respond to privacy threats as they
emerge,” said Marc Rotenberg, president of the Electronic Privacy Information
Center at the subcommittee hearing.

One key point: Data security laws won’t prevent future
breaches, experts said.

“No solution we devise can be perfect – nothing will solve [data breaches] altogether,” said Paul Rosenzweig, senior fellow at the market-oriented
R Street Institute and a law lecturer at Georgetown University.

The penetration of Equifax systems occurred from May through
July in 2017, the company announced
in September, exposing driver’s license numbers, birth dates and addresses
in addition to Social Security numbers, and in some cases other identifiers.

The hack puts people at risk of having their accounts
hijacked or their identity stolen by fraudsters using their identifying details
– although the stolen data has not turned up on hacker websites yet.

“No solution we devise can be perfect – nothing will solve [data breaches] altogether.”

Free credit
monitoring and locking bills still pending in Congress

Credit bureaus profiting by selling ID theft protection became
a flashpoint for anger after the breach, sparking calls for free credit monitoring
and credit locking.

Efforts to make credit freezes free for consumers are
continuing. More than one bill pending in Congress would give consumers control
over their credit file, and advocates are pushing the idea.

“I think the message of this being an important issue was
received loud and clear,” said Eva Velasquez, president of the nonprofit Identity Theft Resource Center.

Velasquez, formerly a fraud investigator in the San Diego
District Attorney’s office, launched an online petition for free credit freezes
after the breach. The drive delivered 150,000 signatures to the CEOs of the big
three credit bureaus – none of whom responded, she said.

She said that an official credit freeze is more secure than
company-provided services such as Lock & Alert, which permits credit
reports to be viewed by prospective employers and by companies offering pre-approved
insurance.

However, Equifax’s lock does shut out applications for new loans,
credit cards and bank accounts, a powerful tool for fighting fraud.

“Both the lock and the freeze stop opening of a new line of
credit,” Velasquez said.

Equifax’s price to
pay for data breach still pending, too

Meanwhile, like new security measures, penalties for the credit bureau’s security
lapse are still in the works:

  • Equifax initially faced more than 240 class-action
    lawsuits in the U.S. and Canada
    as a result of the breach, according to its financial
    disclosure
    statement at the U.S. Securities and Exchange Commission.
    Claims
    for damages are coming from investors and financial institutions as well as from
    consumers whose data was stolen. The lawsuits are being combined into one
    multi-district lawsuit in federal court.
  • Investigations are underway by the U.S. Federal
    Trade Commission – which enforces data security standards at credit bureaus
    under the Gramm-Leach-Bliley
    Act
    – the Consumer Financial Protection Bureau, the SEC, state bank
    regulators and 50 state attorneys general, among other U.S. and international
    authorities.
  • The SEC and the Justice Department are
    investigating stock sales by three company executives
    that occurred before the
    breach was made public. A panel of Equifax independent board members cleared
    the three of wrongdoing, saying they learned about the possible breach in
    August, after they had sold their shares.
    However, Equifax said it has received
    subpoenas concerning the stock sales from the SEC and the U.S. Attorney’s
    Office in Atlanta. The company’s shares lost one-third of their value in the
    days after the breach was announced.

“When settlements get reached, or the case goes to trial, a lot of people will be looking closely to see that it is something that really does punish [Equifax] and provides real remedies to consumers.”

What’s next for
class-action suits against Equifax

The consumer lawsuits against Equifax are being combined
into a “multi-district litigation” case in U.S. District Court in Atlanta,
where Equifax is headquartered.

The case, under Judge Thomas W. Thrash Jr., will eventually generate
letters notifying breach victims of their membership in the class, legal
experts said.

The letters let consumers opt out of the case if they have an
individual claim that would likely be larger than what’s available to them
through the class action.

“When settlements get reached, or the case goes to trial, a
lot of people will be looking closely to see that it is something that really
does punish them,” Rheingold said, “and provides real remedies to consumers.”

Bills in Congress on data security, consumer protection

Numerous identity data security bills are pending in the 115th Congress. None has passed the committee-level review necessary to go to a vote
of the full House or Senate.

See related: How credit freezes work, what they cost, Poll: 1 in 4 Americans checked their credit after Equifax breach




Original Source