Massive Data Breach at U.S. Credit Bureau Equifax Raises Many Questions, Including About U.S. Privacy and Data Security Laws and Lessons for Europe
On September 6, the U.S. data broker and consumer credit reporting company Equifax (one of the nation’s Big 3 credit bureaus, along with Transunion and Experian) finally revealed to the public that a months-long data breach it had discovered at least as early as late July had caused the loss of personally-identifiable information (PII) – including Social Security Numbers (SSNs), Dates of Birth (DOBs) and Drivers’ License Numbers (DLs) – of about 143 million (later upgraded to 145.5 million) consumers. The breach included 15 million UK records (that Equifax release is unclear, but these records apparently represented at least 693,000 actual UK consumers, as security experts report).
The breach is a cautionary tale about gaps in U.S. sectoral data protection laws even as U.S. data brokers, including Equifax, make efforts to expand globally. Fortunately, the breach has at least shifted the U.S. paradigm from one featuring only active Congressional consideration of industry-backed rollbacks to one including a search for reforms.
As reported in numerous papers and Congressional hearings (including several hearings “photo-bombed” by a consumer activist dressed as “the Monopoly Man”), Equifax first failed to heed numerous alerts as early as March 6th (or 7th) to install a security patch to Apache Struts open source web software that created the vulnerability, leading to a months-long breach.
According to a lawsuit filed by the Massachusetts Attorney General, much of the information breached was not encrypted, just one alleged violation of state data security law. Equifax’s “boneheaded” security – including the CEO’s repeated admission to Congress that the failure of just one employee who failed to take some action could be the problem — is discussed further by expert Brian Krebs here. For such a company collecting and selling so much personal information, the lack of a robust data protection system with redundant backups has raised numerous questions.
To add insult to injury, Equifax then bungled a series of public admissions and announcements and failed to scale up its customer relations staff to handle the predictable onslaught of emails and phone calls. Its websites have crashed, and reportedly have served up spyware. It has had to constantly walk back (for breach victims only, not its other credit monitoring customers) language in its terms of service requiring consumer disputes to be subject to mandatory arbitration, a form of alternative dispute resolution imposed in small-print in take-it-or-leave-it contracts long under fire in the United States, while fiercely defended by the U.S. Chamber of Commerce and financial firms.
Despite nearly 50 years of requirements to handle consumer disputes and over 20 years of aggressive-direct-to-consumer advertising of pricey subscription-based products, its ex-CEO repeatedly apologized to Congress that, as a business-to-business company, it had no idea how many consumers would call or email.
WE ARE NOT THEIR CUSTOMERS; WE ARE THEIR PRODUCT
This absurd disconnect is because of a market failure in credit reporting; we are not their customers, we are their product. The consumer credit reporting market is dominated by the Big 3 gatekeepers to financial and employment opportunity. Yet, when you are mad at your bank’s antics, you can vote with your feet and find a new bank. You’re stuck with the credit bureaus. Richard Cordray, director of the Consumer Financial Protection Bureau, calls credit reporting one of several “dead-end markets” in need of stricter regulation to counter that market failure.
As for the constant, maddening changes in its “consumer response package” and promises made by Equifax, one nationally-recognized consumer columnist for the New York Times, Ron Lieber, has maintained a set of Consumer FAQs, which he constantly updates whenever Equifax changes its mind or clarifies its responses.
In September, Equifax first axed two low-level security officials; then, had to immediate escalate and force the resignation of its CEO, Richard Smith. Nevertheless, Equifax still sent him to be grilled on Capitol Hill at four separate Congressional hearings, 2 each in the House and in the Senate.
The Senate Banking Committee has already held yet another follow-up hearing and its House counterpart, the Financial Services Committee, is holding one featuring consumer advocates on 25 October and plans others. Marc Rotenberg, of TACD member EPIC.org, was a witness at that second Senate Banking hearing. He outlines his views in a Harvard Business Review column “Equifax, the Credit Reporting Industry, and What Congress Should Do Next.”
The breach – while affecting about half of U.S. consumers — is not as large as a recently upgraded Yahoo breach, which now admits its breach affected all 3 billion of its user accounts, although the account information lost could primarily be used only for phishing schemes. A series of widely-publicized merchant breaches, such as a Target department stores breach, has resulted in loss of millions of credit and debit card numbers, which are useful for a short time to commit “existing account fraud.” But credit card numbers, like refrigerated dairy products that go stale, have a short shelf life on the Darknet before banks change them, and consumers generally face zero liability for theft unless they lose their actual cards.
Nevertheless, the Equifax breach is more notable than any other (except perhaps a similar loss of 22 million records including SSNs, DOBs, and some fingerprint scans of employees, applicants — and even friends/employers providing applicants with character references — by the U.S. Office of Personnel Management (OPM)) because of what was lost and which company lost it.
EQUIFAX IS A DATA BROKER, SO ITS BREACH IS WORSE
After all, the breach wasn’t of a corner store or even a nationwide retailer. It was of a company with the sole business model of collecting, aggregating and selling your information. Equifax is a data broker. One category of that business — selling consumer credit reports – is highly regulated but its other data brokerages are not, nor are its (or any firm’s) data security adequately regulated under federal law. Equifax should have a deeper moat and thicker castle walls, with more cross-bow archers and more cauldrons of boiling oil on top to defend your data than a merchant or even a government agency. It did not.
Unlike credit card numbers, your Social Security Number and Date of Birth don’t change and may even grow more valuable over time, like gold in a bank vault. Much worse, they are the keys to “new account identity theft.” While Equifax and other consumer credit reporting companies are required by the Fair Credit Reporting Act (FCRA) to make it hard for imposters to obtain another’s credit report; identity thieves don’t want your credit report. Instead, they use your SSN and DOB to apply for credit in your name; so that the bank or other creditor, which is a trusted third party with easy access to the credit reporting company, obtains your credit report and/or credit score and wrongly issues credit to the thief. In the U.S. such new account identity theft is fueled both by the high demand for “instant credit” and by that critical flaw in our credit granting system, where SSNs serve as both a matching identifier in databases and as an authenticator of a consumer applicant.
Further, the U.S. data protection system is sectoral – unlike the more comprehensive European systems derived from the concept of privacy as a human right. While the FCRA is generally considered one of the strongest of those sectoral rules and is somewhat based on the Code of Fair Information Practices, it applies to Equifax and its two consumer reporting competitors, Experian and Transunion (they are collectively known as “the Big 3”), only when they sell credit reports. Credit reports are consumer profiles sold to banks and firms to make decisions about whether to offer credit or insurance and for what price or whether to offer a job. Their other data broker businesses, and those of thousands of other data brokers, are poorly regulated. While the U.S. Federal Trade Commission (FTC) has long called for additional data broker legislation, Congress has idled.
To make matters worse, very weak U.S. data security laws, not the FCRA, apply to the protection of the information Equifax lost, although the firm is likely liable under state data breach and data security laws.
The 1999 Gramm-Leach-Bliley Financial Modernization Act was largely enacted to allow mergers of commercial banks, investment banks, securities firms and insurance companies. However, due to a persistent drumbeat at the time of banks caught sharing consumer records inappropriately, the law did include a modest privacy and data security provision, Title V, that gave consumers the ability to opt-out of sharing of their personal information only with non-affiliated, non-financial firms (but explicitly allowed sharing with affiliates or other financial firms, regardless of a consumer’s wishes). The law also required banks and certain non-banks, including consumer credit reporting firms, to comply with its limited data security provisions.
Although the 2010 Dodd-Frank Act enacted in the wake of the 2008 financial collapse transferred authority to regulate credit reporting under FCRA to the tough new Consumer Financial Protection Bureau, it retained Title V data security provisions for non-banks under the weaker FTC. Unlike CFPB, that agency cannot supervise the activities of firms on a day-to-day basis, nor can it impose civil money penalties for a first violation.
WE OPPOSE STATE LAW PREEMPTION (DOWNWARD HARMONIZATION)
In the absence of federal action to improve data security and fight identity theft, states began to enact laws requiring data breach notification and giving consumers the right to freeze their credit reports to prevent identity theft. Following successful passage of data breach and freeze bills in California, my organization, U.S. PIRG, along with fellow TACD.org member Consumers Union, drafted a model state law in 2004 which garnered support from the 40 million member AARP, an organization for older Americans, and other consumer groups. Nearly every state has now passed a version of it. However, every time there is a security breach, industry interests seek passage of narrower national data breach notice proposals that would also permanently restrict almost any state data security, data breach or identity theft reform. In Europe, this is known as harmonizing downward.
Further, while the state freeze laws were revolutionary at the time they passed 10-15 years ago, almost all allowed the credit bureaus to charge a fee as high as $10 to freeze or thaw (whenever you want to apply for credit) each of your credit reports, as our new interactive map shows. Several states are proposing improvements, as is Congress.
POSITIVE RESULTS
The Equifax breach has, however, also jump-started bi-partisan Congressional thinking about problems privacy and consumer advocates have raised for years.
We Have Little to No Control Over Data Broker Collection and Sale of Our Information: Again, although consumer credit reporting is subject to the FCRA, a strong, but imperfect, law, other data broker products sold by the Big 3 credit bureaus and thousands of other data brokers are barely regulated. While the U.S. Federal Trade Commission (FTC) has long called for additional data broker legislation, Congress has idled.
Consumer Credit Reporting Bureaus Make Mistakes And Don’t Fix Them, Harming Consumers, But More Can Be Done: Comprehensive credit reporting reforms, as introduced in both the House and Senate, have moved from impossible-to-pass ideas to items – strongly backed by consumer and civil rights groups — under active consideration. Conversely, on the day that the Equifax breach was announced, Congress had been actively considering two bills penned by the credit bureaus themselves to weaken their responsibilities. Now, the paradigm has shifted to reform but even so, a brazen witness for the association of credit bureaus told the Senate after the breach that the industry still would seek to limit its responsibilities and potential damages by law. (You don’t have to make this stuff up, it writes itself.)
Consumers Should Have the Right to Free Credit Freezes and Shouldn’t Credit Freezes Be the Default? Credit freezes (our PIRG tips) to prevent new account identity theft are needed at all three credit bureaus, otherwise you’ve locked one door of your house but left the others open. Depending on where you live, that could cost you $10 x 3 bureaus to freeze and $10 x 3 to temporarily lift. Numerous free freeze proposals are now under Congressional consideration. Further, the Equifax breach has raised the question: Why isn’t the credit freeze the “always-on default?” This logical provision, while once considered unrealistic, is also under bi-partisan consideration on Capitol Hill.
Beyond Equifax Are Bigger Questions: Use of Social Security Numbers in the Private Sector, Establishment of A U.S. Data Protection Agency, And Development Of Alternative Credit Reporting Systems. Marc Rotenberg raises some of these issues in his Senate testimony and Harvard Business Review article. This bill proposes a study (Title 6) of alternative credit reporting. In the past, we have gotten little to no traction on any of these ideas.
The Breach Has Enabled a Conversation About Our “Dramatic Loss of Privacy in the Digital Era:” “Equifax’s current business practices reflect how our personal data is traded, shared, and sold today.” See this blog from Jeff Chester of the Center for Digital Democracy, U.S. Co-Chair of the TACD Information Society Policy Committee.
The Breach Has Helped Us to Defend the Consumer Bureau, Which Is Under Relentless Attack by Powerful Special Interests Because It Does Its Job So Well. Like Wells Fargo before it, Equifax has become a poster child for defending the Consumer Financial Protection Bureau enacted after the 2008 financial collapse. Here is the PIRG campaign page on why the idea of the CFPB needs no defense, only more defenders.