Eighteen months since news of the colossal data breach at Equifax broke, the company responsible for one of the country’s largest, and likely the most damaging, losses of personal information has yet to face monetary penalties. At the same time, very little has been done in the way of reform.
That could soon change.
According to Equifax’s annual report filed recently with the U.S. Securities and Exchange Commission, two federal agencies are poised to take action.
The Federal Trade Commission and the Consumer Financial Protection Bureau “intend to seek injunctive relief damages and, with respect to the CFPB, civil money penalties against us based on allegations related to the 2017 cybersecurity incident,” Atlanta-based Equifax said in the filing.
For many, such moves are overdue.
“One and a half years later, Equifax has still not paid a price for putting nearly 150 million Americans at risk of identity theft and other types of fraud for the rest of their lives,” said Mike Litt, consumer campaigns director for the Public Interest Research Group known as U.S. PIRG.
He considers the breach the worst in history because of the amount and type of sensitive data exposed, including Social Security numbers, birthdates, addresses and driver’s license numbers.
“Social Security numbers are really the keys to identity theft and other types of fraud,” he said.
Mr. Litt said the biggest way to prevent future large-scale breaches is to create the specter of large, looming fines.
Companies need to know, “if they fail to protect our personal information, there will be stiff penalties,” he said. “We really need an act of Congress to ensure that.”
The breach at Equifax was considered especially egregious in part because it and other credit reporting agencies collect personal information on consumers without their consent, and without consumers choosing to do business with them.
More than a year ago, Sen. Elizabeth Warren, D-Mass., and Sen. Mark Warner, D-Va., introduced a bill to hold large credit bureaus — such as Equifax, Experian and TransUnion — accountable for data breaches by imposing mandatory penalties, 50 percent of which would be paid to affected consumers.
If the bill had been law at the time of the Equifax breach, the company would have been facing a fine of about $1.5 billion, Mr. Litt said.
The bill also would require the FTC to conduct annual inspections to ensure compliance with cybersecurity measures and allow increased penalties for woefully inadequate cybersecurity or if a credit bureau failed to notify the agency of a breach in a timely fashion.
Meanwhile, investigations, class actions and other lawsuits have been piling up against Equifax, including probes by the U.S. Department of Justice, SEC and 48 attorneys general offices, including Pennsylvania.
In its SEC filing, Equifax said it disputed the allegations in complaints against it and intended to defend against the claims.
In June, financial regulators from eight states (not Pennsylvania) reached an agreement with Equifax following an examination of its cybersecurity controls. The agreement required the company’s board of directors to fix deficiencies and unsafe practices that contributed to the breach. The company must report on its progress and be subject to on-site regulatory reviews.
For victims of the Equifax hack, Mr. Litt recommends they monitor their credit reports for suspicious accounts or charges by ordering a copy for free annually from each of the three main credit bureaus at www.annualcreditreport.com or by calling 877-322-8228.
Staggering requests with each bureau every four months is the best way to keep tabs on the reports throughout the year.
Mr. Litt said the best protection against ID theft is to place a freeze on credit reports at the three main bureaus, plus the National Consumer Telecom & Utilities Exchange, a consumer reporting agency that specializes in reports about consumers’ telecom and utilities payment history.
“There have been reports of consumers having fraudulent cell phone accounts made in their names even though they had freezes with the big three bureaus,” Mr. Litt said.
Some consumer advocates also recommend freezing credit reports at another, lesser-known bureau called Innovis.
One positive result of the Equifax breach is that Congress stepped in to eliminate fees that credit bureaus routinely charged people for freezing and unfreezing their accounts. That new law took effect Sept. 21.
People who still haven’t checked the website set up by Equifax to identify victims of the hack should visit www.equifaxsecurity2017.com/ to find out if they’re among the roughly 148 million people affected.
Crooks can do a lot of damage with stolen personal data, such as applying for credit cards or loans, ordering smartphones on payment plans, opening utility accounts, stealing federal tax refunds, and collecting someone else’s Social Security or health care benefits.
ID thieves also may apply for a job, get insurance, lease an apartment or commit crimes in someone else’s name.
For more information about ID theft, visit uspirg.org/news/usp/us-pirg-education-fund-launches-id-theft-protection-week-holidays or the FTC’s ID theft resources page at www.consumer.ftc.gov/features/feature-0014-identity-theft.