This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission. Please click "Reprint" to order presentation-ready copies to distribute to clients or use in commercial marketing materials or for permission to post on a website.

Administrative/Regulatory,
Banking,
Government

Sep. 19, 2017

Equifax hack exposes some serious regulatory cracks

The Fair Credit Reporting Act does not require the same level of privacy and security measures by credit bureaus as it does of banks.

Anita Taff-Rice

Founder, iCommLaw

Technology and telecommunications

1547 Palos Verdes Mall # 298
Walnut Creek , CA 94597-2228

Phone: (415) 699-7885

Email: anita@icommlaw.com

iCommLaw(r) is a Bay Area firm specializing in technology, telecommunications and cybersecurity matters.

CYBERSLEUTH

Everyone who has ever gotten a home mortgage, car loan or credit card has been involuntarily beholden to the big three behemoth credit reporting bureaus — Equifax, Experian and TransUnion. Like the unconquerable monster described in ancient literature, the modern-day Behemoth credit bureaus collect, store and disseminate vast amounts of consumer financial information without ever meeting or even communicating with those consumers. That’s because there is a cozy relationship between banks and other companies involved in consumer financial transactions, such as hospitals and insurance companies, that willingly hand over consumer information in exchange for obtaining credit information on other consumers housed in the credit bureaus’ databases.

There’s nothing consumers can do to prevent their information from being given to the credit bureaus, and until the Fair Credit Reporting Act was passed in 1970, there was little a consumer could do to control the credit bureaus’ use of that information. The FCRA instituted the most basic consumer protection — an individual’s right to find out what is in his or her credit file. In addition, the FCRA gave consumers the ability to find out if information in their credit file is used against them and to dispute inaccurate information. What the FCRA did not do was impose the same level of privacy and security measures required of banks.

Earlier this month, Americans found out just how lacking regulation of the credit bureaus is when it was announced, months after the fact, that Equifax’s databases had been hacked, leading to the theft of at least 143 million U.S. consumers’ credit files. From May through July, hackers exploited a known flaw in Equifax’s software. Even though a patch for the flaw had existed since March, Equifax hadn’t installed it. Even more disturbing, Wired magazine reported that the hack was accomplished through a web portal for handling credit report disputes that used the amateurish log-in credentials of “admin/admin.” Given the massive number of files stolen, it appears that Equifax must not have had in place even rudimentary monitoring procedures to detect suspicious activity, or segmentation of network resources to prevent a hacker who has breached one area from being able to access records in other areas.

Because consumers don’t give their information to credit bureaus directly, or willingly, they should be subject to the same strict security requirements as banks, but they aren’t. Apparently credit bureaus have fallen through a regulatory crack.

The credit bureaus are overseen by the Federal Trade Commission. The problem is that the FTC is an enforcement agency, not a rulemaking agency, so it has limited ability to craft rules to protect consumers. It has been clear since 2015 that the FTC has authority to protect customer data from hackers, but only if a company’s actions are unfair or deceptive. In 2015, the 3rd U.S. Circuit Court of Appeals upheld a lower court decision holding that the FTC may regulate companies for failing to protect consumer data from hackers as an unfair practice if consumers are substantially injured by a data breach. FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). The Wyndham case involved multiple breaches of Wyndham Hotels’ computer systems in which sensitive personal and financial information of guests was stolen, causing $10.6 million in fraudulent charges.

The FTC eventually reached a settlement with Wyndham Hotels requiring it to establish an information security program designed to protect guests’ credit card data and to conduct annual information security audits. The case took three years and resulted in no compensation for the guests whose data were stolen.

The Equifax lawsuits will likely take just as long and likely won’t compensate consumers for the time, effort and expense they will have to expend to monitor their credit accounts and attempt to repair the damage if the hackers use their data to steal their identities. In the meantime, the FTC’s advice is to monitor your credit scores, place a credit freeze or fraud alert on your credit files, and file your taxes early before a scammer can beat you to it using stolen personal information! Currently the burden is entirely on the consumer to fix, at their own expense, the mess created by a careless credit bureau. Until there is a law that holds the credit bureaus financially responsible for their mistakes, coupled with meaningful enforcement authority, credit bureaus have no incentive to improve.

Congress needs to devise a better system of national identity than the insecure nine-digit Social Security number, or at least make it possible to get a new number if a person’s identity is stolen. In the meantime, rather than relying on FTC enforcement or private lawsuits after the fact, lawmakers should move quickly to enact legislation that gives credit bureaus a financial incentive to improve their practices before consumers are harmed. Such legislation should be similar to the Fair Credit Billing Act, which limits a consumer’s liability for credit card fraud to $50. That legislation spurred credit card companies to spend resources on security and to implement features like chip credit cards, two-step authentication for transactions and real-time monitoring for suspicious transactions.

At a minimum, credit bureaus should have to provide free tools such as credit freezes, but more importantly, they should be required to reimburse consumers for any expenses they incur investigating and correcting harm arising from cybersecurity breaches. If credit bureaus were liable for such costs, they would undoubtedly put in place robust cybersecurity measures to limit their financial exposure to consumers just like credit card companies did.
