By Charlene Crowell (Communications Director, Center for Responsible Lending)
Record-breaking, back-to-back hurricanes in Houston and Florida brought unprecedented winds and rains affecting millions of Americans. Yet another storm just as brutal, but financial in nature, is raging and affects at least 143 million Americans: that’s the Equifax data breach that took place from mid-May to July of this year.
On July 29, Equifax, one of the three major credit reporting corporations, discovered that unauthorized data access had occurred. Yet it was not until September 7 that the multinational data breach was announced publicly. This massive cybersecurity breach includes federal income tax records, as well as employee records for government employees and those of Fortune 500 firms. Even recipients of major government programs like Medicare, Medicaid, and Social Security are affected.
For consumers, the personal information exposed to fraud and identity theft could mean a lifetime of closely monitoring and defending personal data to fight theft, fines and more. For businesses, questions will emerge as to whether millions of credit accounts were fraudulently opened and additionally whether they will be held partially responsible for its perpetuation.
In reaction to this cybercrime, a surge of federal class action lawsuits is going after Equifax. As many as 50 have been filed in at least 14 states and the District of Columbia as of September 12. The Federal Bureau of Investigation is reportedly examining what went wrong from a criminal perspective. On the civil side of the law, the Consumer Financial Protection Bureau (CFPB) is beginning its own independent investigation.
Now a growing number of bipartisan inquiries from Capitol Hill are demanding to know why these breaches of personally identifiable information (PII) came about, what actions Equifax took, and what the global firm intends to do on behalf of consumers whose names, birth dates, addresses, Social Security numbers and drivers’ licenses are all in jeopardy. Equifax also knew that an estimated 209,000 credit card holders and some 182,000 consumers in the U.S. who have a dispute on file with a creditor also had compromised PII.
“This hack into sensitive information compiled and maintained by Equifax is one of the largest data breaches in our nation’s history and someone has to be held accountable,” said Congresswoman Maxine Waters, the Ranking Member of the House Financial Services Committee in an article for “Business Insider.”
“Given the important role credit scores play in the lives and financial futures of hardworking Americans, Congress must diligently examine the way our credit reporting agencies are operating and impose additional statutory and regulatory reforms to protect the integrity of the country’s credit reporting system,” Waters continued.
In a September 11 letter to Richard F. Smith, Equifax’s Chairman and Chief Executive Officer, the Chair and Ranking Member of the Senate Finance Committee went further to pose a series of questions to be answered by September 26. Issues raised in the letter include binding arbitration clauses that deny affected consumers the right of class action lawsuits, the firm’s security systems and controls, how consumers can expect to be officially notified, and what, if any, protections Equifax will offer to affected consumers.
“The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,” wrote Senators Orrin Hatch, Senate Finance Chair and Ron Wyden, the committee’s Ranking Member.
The following day, September 12, another letter to Equifax included questions on what data changes to Equifax’s security plans and procedures were made as this breach now becomes its third one in only two years; the letter was signed by 24 Members of Congress, who serve on the House Energy and Commerce Committee and represent 15 states. Three are also members of the Congressional Black Caucus: Representatives G.K. Butterfield of North Carolina, Brooklyn’s Yvette Clarke and Bobby L. Rush of Chicago.
“Your company profits from collecting highly sensitive personal information from American consumers—it should take seriously its responsibility to keep data safe and to inform consumers when its protections fail,” wrote the representatives.
“The massive Equifax data breach is one of the largest in our country’s history, affecting half of the United States population and nearly three-quarters of consumers with credit reports,” said Chi Chi Wu of the National Consumer Law Center. “A security freeze is the most effective measure against “new account” identity theft, because it stops thieves from using the consumer’s stolen information.”
To follow Wu’s advice, consumers will need to contact all three of the major credit reporting bureaus and request that no new accounts be opened in their names. Once requested, consumers will not be able to easily apply for new credit accounts or apply for a loan. An additional layer of precaution would be to contact every creditor and request that respective accounts be flagged for unusual or new credit activity. Detailed information on how consumers caught in the Equifax breach can take these and other steps to protect their credit is available on the Federal Trade Commission’s website.
The Consumer Financial Protection Bureau also has another consumer-friendly rule that Congress is currently fighting: preserving the right for consumers to file lawsuits when financial disputes could not be resolved otherwise. When the rule was announced on July 10, CFPB Director Richard Cordray explained why it is important.
“Arbitration clauses in contracts for products like bank accounts and credit cards make it nearly impossible for people to take companies to court when things go wrong,” said CFPB Director Richard Cordray. “These clauses allow companies to avoid accountability by blocking group lawsuits and forcing people to go it alone or give up. Our new rule will stop companies from sidestepping the courts and ensure that people who are harmed together can take action together.”
Days later, on July 20, Capitol Hill lawmakers turned to a seldom-used option, the Congressional Review Act, to keep the rule from taking effect. Sen. Mike Crapo, Chair of the U.S. Senate Committee on Banking, Housing and Urban Affairs, and Rep. Jeb Hensarling, Chair of the House Committee on Financial Services, announced a coordinated legislative attack to roll back CFPB’s arbitration rule. The law allows Congress to fast track a veto of new federal regulation with limited debate and a simple majority vote in each chamber.
On July 25, the House passed its resolution on a highly-partisan vote of 231-190. To date, the Senate has yet to take a corresponding vote.
“The Equifax data breach is yet another reason to support the CFPB’s arbitration rule that would restore consumers’ day in court,” noted Melissa Stegman, a senior policy counsel with the Center for Responsible Lending (CRL). “When a company has injured consumers, it should not also decide whether those affected have a right to pursue justice. Although Equifax claimed it will not assert arbitration in the aftermath of its data breach, consumers must be able to challenge corporate wrongdoing in the courts and Congress should cease its efforts to quash the rule.”