Emily Rusch
Vice President and Senior Director of State Offices, The Public Interest Network
Legislative Hearing on the Equifax Data Breach: Impacts and Future Precautions
Media Contacts
Good morning, and thank you so much for inviting me to speak before you today. My name is Emily Rusch and I am the Executive Director of CALPIRG, the California Public Interest Research Group. CALPIRG worked extensively on SB 168 by State Senator Debra Bowen in 2001, to require the credit bureaus to provide a credit “freeze” on a consumer’s account upon request. A credit freeze prohibits the credit bureaus from sharing your info without your consent. California was the first state to give consumers this proactive tool to protect our personal information. Since 2001, all fifty states have passed credit freeze laws. CALPIRG has also worked with various state legislators over the years to enact and build upon California’s data breach notification laws, to ensure consumers are notified when their information is compromised so that they can take action to protect themselves.
As you know, we’re all here today because Equifax, one of the nation’s big three credit bureaus, announced on September 7th that it had been hacked earlier this year. 145.5 million Americans, nearly half the U.S. population, were affected. Reports indicate that Equifax failed to install security updates it was told about two months before its breach.
Every American should be furious about this data breach.
Identity theft was already a serious problem before this breach – An estimated 17.6 million Americans, or 7% of all U.S. residents age 16 or older, were victims of one or more incidents of identity theft in 2014. A Javelin research report published earlier this year found the mean fraud amount per identity theft victim surveyed was $1,038.
And we have seen big data breaches before. But in most cases, consumers could quickly cancel their credit card, or in the case of the Yahoo data breach, change their online password to limit their risk of identity theft.
I can’t underscore enough that this data breach is far more serious and could negatively affect consumers for months, years, even decades to come.
The compromised information in the Equifax breach includes our names, Social Security numbers, birth dates, addresses and some driver’s license numbers. Social Security numbers and dates of birth in particular are the keys to new account identity theft, and they stick with us for life.
This means identity thieves could open new, fraudulent credit accounts and rack up tons of debt in your name before you realize it’s happening.
While victims are not individually liable for the fraudulent charges once they can prove that they are victims of identity theft, clearing our credit reports and restoring our good names can take endless time and hassle, and often real expenses. According to the Federal Trade Commission (“FTC”) it took credit bureaus more than six months to correct the credit reports of more than half of the identity theft victims surveyed. In the meantime, because of their poor credit rating as a result of the fraud, victims are charged higher interest rates for credit and risk losing out on a new job or housing.
The types of identity theft cases caused by the Equifax breach could be the more time consuming, more expensive kind of identity theft to fix. In addition to new account fraud, our Social Security benefits could be compromised. That would hit seniors especially hard right now. But those of us who have not claimed social security benefits yet are also at risk – and less likely to realize the problem.
Experts are also warning that we should all file our tax returns early, to prevent thieves from trying to use our stolen Social Security numbers to file fraudulent tax returns and snare refunds.
The repercussions could be especially severe for millennials, who have less credit history than older generations, are more likely to be ready to buy their first car or house soon, and/or want to refinance their student loans, and so depend on a strong credit score.
Unlike some earlier data breaches that mostly affected credit cards, lower income households are just as likely to be affected as upper income households by this data breach, and could be less likely to keep an eye on their credit reports to catch problems as they occur. If they are victims of fraud, the costs to repair their credit would be substantial.
What actions CALPIRG recommends consumers take now:
- Request a free credit report – all three credit bureaus will give you one free report per year.
- Consider placing a credit freeze (also known as a security freeze) with all three credit bureaus. See our step-by-step guide for getting credit freezes.
- Place a free fraud alert. Any consumer can place a free renewable 90-day fraud alert by law by contacting any one of the three credit bureaus. You’ll need to set a tickler on your calendar to renew it every three months.
- Don’t accept any deal from Equifax until you understand how Equifax has modified its terms of service, and read our summary of the limitations and potential risks of Equifax’s offering.
- If you’ve already been affected, take steps to recover from identity theft visiting identitytheft.gov.
What actions CALPIRG recommends that the California state legislature consider:
California has an opportunity, and I would argue an obligation, to give consumers better tools and protections in the wake of this data breach. Here are a few of our recommendations:
California should consider new restrictions on the type or age of the data the credit reporting agencies keep:
- A frequent refrain I am hearing from consumers is “Why do they have so much of my data in the first place?” We should consider establishing new restrictions on the type or age of the data that the credit reporting agencies keep.
California should require the credit reporting agencies to take better care of our data:
- We should require the use of best possible technology to encrypt our data.
California should give consumers better tools for securing their own data:
- California’s groundbreaking credit freeze law was passed 16 years ago, over the objections of the credit reporting agencies, and the process for consumers is more cumbersome and expensive than it should be. As a result, far too few consumers take advantage of it.
- We should consider requiring the security freeze to be on by default: The credit reporting agencies want to be able to share your data whenever they want to whoever they want, but that leaves us all open to risk. The Massachusetts Attorney General Maura Healy is backing legislation to prohibit the credit reporting agencies from sharing or selling your report or credit store without your written consent. We encourage the California legislature to consider a similar measure.
- Security freezes should be one-stop shopping for consumers: Consumers should be able to request a freeze from one credit reporting agency, and make it applicable to all three credit reporting agencies. TransUnion already has a $19.95-per-month monitoring service that allows you to lock both your TransUnion and Equifax files, so it would appear possible that the three bureaus could share these requests easily among one another.
- The timeline for turning the security freeze on and off has to be fast. The credit bureaus should be able to turn on the freeze within one day of receiving the request. And it should only take 15 minutes after receiving a request to turn it off by phone or electronic message during normal business hours. Other states already have these provisions in statute so California wouldn’t even be the first to enact these timelines.
- Security freezes should be free for all. Most Californians still have to pay $10 to each credit bureau every time they turn on or turn off a credit freeze. Many other states already have free freezes.
California should ensure the credit reporting agencies can’t profit off of this mistake:
- We should ban “free to pay” conversion products offered by the credit reporting agencies. Some financial analysts believe this breach will actually be GOOD for the credit bureaus’ bottom lines because we will spend more for credit monitoring services. We should not have to pay the credit reporting agencies to monitor OUR personal information.
California should improve data breach notification laws, so that consumers find out if they are affected sooner:
- Our statute only requires that companies notify consumers within a “reasonable” timeframe. The legislature should consider tightening up that language.
California should ensure consumers can seek appropriate redress when they are the victims of identity theft.
- The legislature should consider new measures to ensure consumers affected by this and other data breaches can be appropriately compensated by the companies at fault. This will be the focus of at least one of the speakers on the next panel so I won’t go into detail here.
In closing, the credit reporting agencies did not ask us to collect our information. They are profiting off of selling our information to other businesses. And they are not even keeping our information secure. This breach puts 145.5 million Americans’ personal and financial information at risk for the rest of our lives. We urge this legislature to act to give consumers better tools to protect their information in the wake of this breach, ensure the companies at fault are held accountable, and take appropriate measures to ensure this never happens again.
