Last week, Congress held four hearings to investigate the Equifax data breach, which jeopardized the highly sensitive data of 145 million Americans. The exposed consumer information includes social security numbers, prior addresses, student loans, credit card numbers, and other pieces of private data compiled into credit reports that determine whether a consumer qualifies for employment, loans, or new lines of credit. For days, members of Congress questioned former Equifax CEO Richard Smith as to how the breach could have occurred and what steps the company was taking to protect consumers. Mr. Smith resigned in September after the extent of the breach was fully disclosed. During the hearings, he offered little in terms of solutions on how to protect consumers going forward, but his answers revealed significant problems with our current data security regime that Congress must address.
Consumers Have Little Control Over Their Own Data
One of the biggest problems the Congressional hearings highlighted is how little control consumers have over their own data. Several members of Congress expressed concern that many of their constituents were surprised to find out they were affected by the data breach because they had no idea Equifax had access to their data to begin with. As we’ve explained in the past, many of Equifax’s customers are third parties such as mortgage banks who share their own customers’ sensitive information with the credit reporting agency. Mr. Smith himself explained that Equifax is part of a financial data sharing ecosystem where banks and other third parties share data with credit reporting agencies to assess their customers’ credit risk. In other words, sharing consumers’ sensitive information between third parties is simply business as usual for credit reporting agencies and the financial industry at large. Unfortunately, the current system doesn’t give consumers notice of who has access to their sensitive information nor does it impose any liability on third parties who share their customers’ personal sensitive information.
Members of Congress were also concerned over the sheer amount of data Equifax collects on each individual. One Congressman mentioned that Equifax had collected ten years of sensitive personal information on his staffer dating back to her time in high school. The truth is credit reporting agencies collect vast amounts of information on individuals often exceeding what is necessary to determine creditworthiness. Given their core business model is based on selling consumer data to third parties, credit reporting agencies are incentivized to collect as much data as possible. As a result, consumers are often left at the mercy of these agencies, and are unaware of what data is being collected on them and who has access to it.
It is critical for consumers to have control over their own data, and members of Congress should make this a priority as they consider upcoming steps for data breach protection. Consumers should have notice of what information is being collected on them and who is maintaining their personal information, and the right to remove their personal information.
A National Data Breach Notification Standard Is Necessary
No matter how sophisticated a security system may be, data breaches are bound to happen. There are a number of state data breach notification laws in place, but we lack a national standard. Equifax found out about the data breach in mid-May but failed to provide any notice until September. For months, affected consumers were completely unaware that their sensitive information was exposed and could not take any steps to mitigate the potential harms.
Several members of Congress questioned Mr. Smith over the timing of the breach and why it took the company so long to provide notice. The former CEO tried to explain the extended time was needed to understand the extent of the breach and what information was compromised. While companies do need time to assess, they don’t currently have incentive to provide timely notice to consumers. The more consumers affected by a breach, the more credit reporting agencies have to gain by offering remedial services and products. In fact, Mr. Smith was quoted a few weeks before Equifax disclosed the breach as saying that “fraud is a huge opportunity for Equifax.”
Without a national data breach notification standard that provides a timely and clear notice to consumers, credit reporting agencies can continue to delay notifying consumers of breaches while profiting off of affected consumers.
Consumers Expect Adequate Protections After a Breach
Unfortunately, Equifax has offered a number of substandard protections after the breach occurred. Equifax initially offered a one-year credit-monitoring service for affected consumers. After facing public outrage for the limited-time service, Equifax is now offering a credit freeze until January 31, 2018, after which it will offer affected consumers a ‘credit lock’ that will be free for life. However, several members of Congress questioned the potential harms associated with this new service. One member questioned whether Equifax’s credit lock will force participating consumers to share their data with third parties for marketing purposes. Other members questioned Mr. Smith as to why Equifax was offering a lifetime credit lock as opposed to a credit freeze, which is seen as a greater protection for consumers.
As we’ve previously discussed, Equifax’s use of forced arbitration agreements in their services also continues to be fundamentally unfair to consumers. Equifax initially required people to waive their right to sue simply to find out whether or not their data had been breached. Although Equifax eventually waived the clause, many consumers had already given up their right to sue just to get notice. Further, Mr. Smith conceded that Equifax continues to implement forced arbitration clauses in its other products, which would include its upcoming credit lock service. Ultimately, forced arbitration clauses limit the ability of consumers to seek relief for the misuse of their data.
At the end of the day, Equifax’s services are not enough to make consumers whole after the company failed to secure their data. Some members of Congress weighed whether Equifax should pay fines to each consumer whose data was exposed or set up a compensation fund for consumers who suffer financial harm from the breach. Overall, it’s clear that consumers expect better protections than notice of the breach combined with a credit monitoring service.
Credit Reporting Agencies Face Little Accountability
In all four hearings, Mr. Smith testified that the data breach happened on his watch, and he took full responsibility by stepping down. But it’s obvious that multiple people in the company were responsible for failing to protect consumer data. This raises another significant issue — companies face very little accountability when there’s a data breach. Several members of Congress questioned Mr. Smith as to why senior executives including the CFO would sell their stock just days after the company discovered the breach. Other lawmakers asked Mr. Smith whether it’s fair for him to receive an $18 million pension despite stepping down from the company. Mr. Smith dodged these questions by responding there was no connection between the executives selling their stock and the company’s data breach, and his own compensation was what he was owed. But his responses highlighted that those responsible often go unscathed while consumers suffer the consequences of the data breach.
Lawmakers also questioned Mr. Smith on the integrity of Equifax’s security system and how it could have suffered a massive breach. The former CEO explained that the breach was a result of a “human error” and a “technology error.” In simple terms, an employee did not properly communicate that the system was vulnerable and needed to be patched, and the scanning technology failed to detect that the vulnerability was unpatched. Members of Congress expressed concern that a massive data breach could be caused by one person and questioned why the company did not set up additional safeguards.
Mr. Smith’s explanations only highlight the need to hold companies that have access to our data to a higher standard. One way to do this is by establishing an independent audit regime that can assess whether companies that hold sensitive data are adequately protecting it. Given the steps that led to Equifax’s data breach, it’s clear more accountability is needed across the board.
Congress Should Take A Comprehensive Approach To Address These Problems
As Congress navigates how to address the Equifax data breach and provide consumers with better protections, lawmakers should consider all of the problems that led to the breach as well as the lack of adequate remedies consumers have after the breach. Consumers need more control over their data and stronger remedies to hold companies that inadequately protect their data accountable. We may not be able to stop the next data breach, but policymakers should work to deter such sloppy corporate misbehavior in the future, and a comprehensive approach to improving data security systems should provide consumers with the tools they need to mitigate any damages they suffer.