Update: On May 24, 2018, President Trump signed into law the Economic Growth, Regulatory Relief, and Consumer Protection Act, enabling consumers to freeze and unfreeze their credit at all the credit bureaus free of charge starting September 21st, 2018.
Sorry, We Goofed – Now Pay Up
Unless you've been living in a cave for the past few weeks – and we wouldn't blame you if you chose to, given the news lately – you're aware of the significant data breach at the credit bureau Equifax. Sensitive personal data for approximately 143 million people was exposed in the breach – information that is highly valuable to thieves because it's comprehensive and contains lifelong data such as Social Security numbers.
From the consumer perspective, the credit bureau message sounds like: "Sorry we lost your data. For a few extra dollars, we'll try to protect it a little better. To be safe, pay up for a credit freeze, and keep paying every time you want to unfreeze it."
Granted, there are some costs associated with credit bureau activities, but in essence, the bureaus are making money off your sensitive data that has been involuntarily collected, while charging you for the privilege of managing your own credit status. After consumer outcry, Equifax has offered to waive fees for placing and removing credit freezes until November 21. Typically, the cost is $5-$10 per credit-freeze-related transaction per credit bureau – not terribly expensive, but, since you must request a freeze from all three major credit agencies, the costs quickly add up to become a burden for lower-income consumers and a nuisance for others.
State laws complicate the cost issue, as each state has different cost guidelines regarding security freezes. Check this list of state guidelines for security freeze details in your state, including groups that can place security freeze requests for free.
Credit bureau accountability is poor at best. Data protection by Equifax and the other credit bureaus falls under the scope of the Federal Trade Commission, which has limited ability to assess significant penalties. That may change given the scope of the Equifax breach and the cavalier nature of Equifax's actions pre- and post-breach.
Equifax, We Expected Better of You
The most egregious part of the Equifax breach may be how preventable it was. The breach was enabled by a flaw in Apache Struts, a framework that many large companies use to construct Java-based web applications. A patch for this particular security flaw was released in March, yet hackers were able to exploit the flaw at Equifax in May – over two months after the patch became available. Equifax waited a few more months to inform us of the breach, increasing our vulnerability.
Tech website Ars Technica reported that this patch is difficult and labor-intensive for end-users to implement – but that's no excuse for failing to implement the patch, especially given the collective risk of exposure of sensitive consumer information.
If you really want something to worry about, consider this thought: if the repair is labor-intensive, how many other large corporations and agencies have not taken the time to fix their applications properly – and how many of them are aware of security breaches and are simply assessing the situation, as Equifax did? Even worse, how many sites have suffered breaches that haven't been detected yet?
Make Yourself Heard
Can the current do-nothing Congress actually make progress on credit bureau regulation? Both Senator Ron Wyden (D-Ore) and Senator Elizabeth Warren (D-Mass) are ready to make the effort.
Last Thursday, Sen. Wyden introduced the Free Credit Freeze Act, which proposes to amend the Fair Credit Reporting Act to allow consumers to freeze and unfreeze their credit without charge. Sen. Warren upped the ante the next day by introducing the Freedom from Equifax Exploitation Act, which provides free credit freezes but also includes enhanced fraud alerts and a second free credit report annually from each credit bureau. The act would also prohibit credit-reporting agencies from profiting from consumers' information that has been frozen.
Warren's or Wyden's efforts, or something similar, might pass the Senate, but such bills are unlikely to survive the House of Representatives. Consider that on the very day that Equifax announced its massive data breach, the House held a hearing on the FCRA Liability Harmonization Act and other legislation that would effectively reduce penalties for credit bureau actions that harm consumers. What impeccable timing.
The Equifax breach may cause regulation-averse Republicans to lie low, but it will take massive public outcry (and then some) to get real oversight through Congress – and there's no guarantee that President Trump would sign such a bill. Be a part of that outcry. There's no reason that the credit bureaus should be able to profit from your misfortune that they helped to create, and it should not be difficult, time-consuming, or expensive for you to be in control of your own credit.
Have you frozen your credit yet? If not, you should consider doing so and/or subscribing to an identity theft protection service. Identity theft is likely to reach new levels given the potential windfall of information that hackers have provided – and the windfalls to come that we aren't aware of yet. A free membership to MoneyTips includes our credit monitoring service at no charge. Premium MoneyTips members enjoy more protection, including advanced identity theft and fraud alerts as well as $1 million identity theft insurance, for less than $9 per month.
Meanwhile, let your Congressional Representatives and the President know how you feel. We wish them luck in attempting to hold the credit bureaus more accountable. We aren't going to wait for them.
Take credit protection into your own hands as much as possible, and don't engage in activities that undercut your other efforts. Don't use unsecured connections to transfer sensitive data. Use strong passwords and change them often. Avoid suspicious and unknown e-mails that may contain malware, and keep your anti-virus software updated. (If only Equifax had kept their software updated!) Only give out your Social Security number and account information when necessary, and verify that the recipient has an actual need for the data and that they are who they say they are.
Remember, a credit freeze only keeps people from opening new accounts in your name. Give thieves the information they need on current accounts, and they will be happy to exploit the opportunity.