Emily Rusch
Vice President and Senior Director of State Offices, The Public Interest Network
Vice President and Senior Director of State Offices, The Public Interest Network
Good morning, and thank you so much for inviting me to speak before you today. My name is Emily Rusch and I am the Executive Director of CALPIRG, the California Public Interest Research Group. CALPIRG worked extensively on SB 168 by State Senator Debra Bowen in 2001, to require the credit bureaus to provide a credit “freeze” on a consumer’s account upon request. A credit freeze prohibits the credit bureaus from sharing your info without your consent. California was the first state to give consumers this proactive tool to protect our personal information. Since 2001, all fifty states have passed credit freeze laws. CALPIRG has also worked with various state legislators over the years to enact and build upon California’s data breach notification laws, to ensure consumers are notified when their information is compromised so that they can take action to protect themselves.
As you know, we’re all here today because Equifax, one of the nation’s big three credit bureaus, announced on September 7th that it had been hacked earlier this year. 145.5 million Americans, nearly half the U.S. population, were affected. Reports indicate that Equifax failed to install security updates it was told about two months before its breach.
Every American should be furious about this data breach.
Identity theft was already a serious problem before this breach – An estimated 17.6 million Americans, or 7% of all U.S. residents age 16 or older, were victims of one or more incidents of identity theft in 2014. A Javelin research report published earlier this year found the mean fraud amount per identity theft victim surveyed was $1,038.
And we have seen big data breaches before. But in most cases, consumers could quickly cancel their credit card, or in the case of the Yahoo data breach, change their online password to limit their risk of identity theft.
I can’t underscore enough that this data breach is far more serious and could negatively affect consumers for months, years, even decades to come.
The compromised information in the Equifax breach includes our names, Social Security numbers, birth dates, addresses and some driver’s license numbers. Social Security numbers and dates of birth in particular are the keys to new account identity theft, and they stick with us for life.
This means identity thieves could open new, fraudulent credit accounts and rack up tons of debt in your name before you realize it’s happening.
While victims are not individually liable for the fraudulent charges once they can prove that they are victims of identity theft, clearing our credit reports and restoring our good names can take endless time and hassle, and often real expenses. According to the Federal Trade Commission (“FTC”) it took credit bureaus more than six months to correct the credit reports of more than half of the identity theft victims surveyed. In the meantime, because of their poor credit rating as a result of the fraud, victims are charged higher interest rates for credit and risk losing out on a new job or housing.
The types of identity theft cases caused by the Equifax breach could be the more time consuming, more expensive kind of identity theft to fix. In addition to new account fraud, our Social Security benefits could be compromised. That would hit seniors especially hard right now. But those of us who have not claimed social security benefits yet are also at risk – and less likely to realize the problem.
Experts are also warning that we should all file our tax returns early, to prevent thieves from trying to use our stolen Social Security numbers to file fraudulent tax returns and snare refunds.
The repercussions could be especially severe for millennials, who have less credit history than older generations, are more likely to be ready to buy their first car or house soon, and/or want to refinance their student loans, and so depend on a strong credit score.
Unlike some earlier data breaches that mostly affected credit cards, lower income households are just as likely to be affected as upper income households by this data breach, and could be less likely to keep an eye on their credit reports to catch problems as they occur. If they are victims of fraud, the costs to repair their credit would be substantial.
What actions CALPIRG recommends consumers take now:
What actions CALPIRG recommends that the California state legislature consider:
California has an opportunity, and I would argue an obligation, to give consumers better tools and protections in the wake of this data breach. Here are a few of our recommendations:
California should consider new restrictions on the type or age of the data the credit reporting agencies keep:
California should require the credit reporting agencies to take better care of our data:
California should give consumers better tools for securing their own data:
California should ensure the credit reporting agencies can’t profit off of this mistake:
California should improve data breach notification laws, so that consumers find out if they are affected sooner:
California should ensure consumers can seek appropriate redress when they are the victims of identity theft.
In closing, the credit reporting agencies did not ask us to collect our information. They are profiting off of selling our information to other businesses. And they are not even keeping our information secure. This breach puts 145.5 million Americans’ personal and financial information at risk for the rest of our lives. We urge this legislature to act to give consumers better tools to protect their information in the wake of this breach, ensure the companies at fault are held accountable, and take appropriate measures to ensure this never happens again.