Americans are no strangers to having personal information stolen, after a long string of hacks that includes data taken from companies as diverse as Target, Sonic, Home Depot, eBay, JP Morgan Chase and Citibank. But when 145.5 million Americans had personal information stolen from credit rating giant Equifax, different and serious concerns about something other than data security arose — the U.S. credit reporting system.
The Equifax breach, which took place in July but wasn't made public until September, was different from others because of the amount of personal data exposed, because individuals never chose to do business with Equifax and they cannot opt out of doing further business with it. It was also different because the millions of people whose data was stolen are not the company's customers, but its "commodity," experts say.
The data breach has had an impact on Equifax, which reported Nov. 9 that its profits for the third quarter were down $96.3 million compared with the same quarter in 2016. The company said it has incurred more than $87 million in breach-related expenses and acknowledged numerous government investigations. Meanwhile, former CEO Richard Smith and others were summoned by Congress to testify about the breach and several bills have been proposed that would impact how credit reporting bureaus operate. But Equifax will escape any class-action lawsuits by consumers. In October, Congress allowed a ban on such lawsuits to remain in place for consumers who are bound by arbitration agreements with financial companies, like Equifax.
Equifax is one of the "big three" credit rating agencies, alongside TransUnion and Experian. They collect information on how much credit consumers have, whom they owe, whether they pay bills promptly and if they have liens or lawsuits. The credit report issued by one of the big three impacts the interest rate one pays or whether a loan is available. Employers, insurance companies, government agencies, banks and credit unions, companies that market products and services, utilities, retail stores and others all use the information, says the Consumer Financial Protection Bureau.
Because consumers cannot opt out of the data mining, critics of the credit reporting system say Equifax had a heightened obligation to protect the data. And though the credit reporting bureau is offering yearlong free credit monitoring to those whose data was hacked, critics note that could make money for Equifax long term. If 1 percent of consumers pay to extend the monitoring, the company will make millions.
"They went around us, got our information, and then they hold it over our heads," said Al Bingham, a credit expert from Salt Lake. "They generated the file and they want us to pay them to make sure it's accurate. We would have nothing to do with any other business that does business like that. Do these companies need more regulation? Absolutely."
We asked several companies that use credit reports to comment on the effectiveness of America's credit reporting system but got little response. The American Bankers Association declined an interview, but spokesman Mike Townsend emailed that "an accurate understanding of an applicant's credit history helps lenders predict who is likely to repay a loan, allowing them to make better decisions on whether to grant credit. Having an efficient and accurate system helps ensure credit availability for eligible borrowers."
Equifax spokeswoman Nancy E. Bistritz-Balkan replied by email to an interview request, quoting a recent op-ed by interim CEO Paulino Barros: "We need to consider consumers' desire to control their personal financial data. No one thinks it makes sense for individuals to have to rely on a business — any business — to control access to their information. As part of our commitment to support consumers, we have announced that by Jan. 31, we will offer consumers a new service that will allow them to control access to their personal credit data. The service will be easy to use and available for free, for life. We hope our competitors will join us to give consumers the power to protect their credit data."
Whatever the product is, critics note, it's too late for the roughly half of American adults whose personal data was stolen.
Susan Grant, director of consumer protection and privacy at the Consumer Federation of America, said consumers who "manage their money and pay their bills on time do benefit from the credit reporting system, as long as it's accurate. They get good terms on their loans and find credit readily available.
"But when something goes wrong — either the information about them is not accurate or they can't easily correct problems or there is insufficient security — they are impacted in a very negative way."
She chuckled when asked how well the U.S. credit reporting system works. "There are all sorts of concerns about our credit reporting system in terms of accuracy of the information and consumers' ability to easily correct inaccurate information. And while the law has been strengthened over the years, there are still those kinds of problems, which have nothing to do with the breach. There are a lot of issues in general with credit reporting agencies."
The first reaction when there's a breach is to call for a "breach notice law" to tell people their data was compromised, she said; 48 states already have that. The "bigger issue is lack of security and a penalty for not having that security. There have been good bills that have been proposed in the past focusing on that, and I suspect some of those bills will now be resurrected."
"I don't think this is the best we can do," said Chi Chi Wu, an attorney for the National Consumer Law Center, who testified before Congress after the Equifax breach. "A lot of problems have been pointed out following the breach — things we've said for years," she told the Deseret News. "We have the big three credit reporting agencies that are so vital to people's financial lives. They can make or break you financially. … But if you don't want to deal with Equifax because they had a giant data breach, you can't walk. Normal market forces that keep businesses in check don't apply here. They've had a culture of impunity, without requirements to invest in compliance, accuracy or quality control. It appears they underinvested in data security, too."
Among the most common complaints has been inaccuracy that hurts a consumer's credit. Those have not always been easily fixed, she said.
If John Doe's file said he missed his May mortgage payment, for example, Doe might send a copy of his canceled check to the credit bureau, where a worker put a two-digit code meaning "customer says he paid" and sent it to the mortgage holder. Until recently, the canceled check was not included. The bank, which created the initial error, was likely to look in its files and respond with the equivalent of "We're right. He didn't pay," Wu said. "The credit reporting bureaus always side with their customer, which is the creditor, not the consumer." Bad data usually stayed in files.
Ed Mierzwinski, consumer program director at U.S. Public Interest Research Group, thinks the credit bureaus' customers and consumers have different goals. "We believe the customers, meaning businesses, would prefer that a credit report be less accurate as long as it tends to be less accurate by saying you are a worse risk than you actually are. It means they don't take as big a risk." Tolerance for inaccuracy keeps costs down, he added.
CBS' "60 Minutes" in 2013 documented problems consumers had trying to correct mistaken identity and other credit report issues, largely to no avail. A Federal Trade Commission study found 1 in 5 consumers had an error in a credit file corrected. It didn't say how many were unresolved.
People with similar names could be inadvertently mixed up with someone else's debt or criminal history, called a "mixed file," where data from two consumers is inadvertently merged. That can result from partial Social Security matches, often among siblings. Other problems have resulted from negative information being assigned to the wrong person with the same name, said Wu.
In 2015, 31 state attorneys and the credit reporting bureaus settled a lawsuit. The credit bureaus agreed to improve how they resolve disputes over credit file information. They have committed to having staff deal with fraud and mixed file cases, though consumer hawks aren't sure how much change will result.
Wu said the credit reporting companies still come in first, second and third some months in terms of complaints to the Consumer Financial Protection Bureau.
The three credit bureaus were also each recently assessed millions of dollars in fines for selling consumers "FICO scores" that were not the versions used to make credit decisions.
Mistaken-identity issues should become less common because under relatively new federal rules, credit reporting agencies must remove information they can't properly match, such as criminal or public records attached based on the name without ascertaining it's the right person.
On the day the Equifax data breach occurred, the House Financial Services Committee held hearings on bills that included two that would weaken laws on credit bureaus, Mierzwinski said. One sought to limit punitive damages after a jury this summer awarded $61 million to be shared by 8,000 consumers.
"TransUnion mistakenly said the 8,000 consumers appeared on the U.S. Treasury Department Office of Foreign Asset Control list of known drug traffickers and terrorists. Worse, TransUnion said in court the consumers weren't harmed," he said.
The data breach is egregious enough that critics of the credit reporting system believe change may result. Members of a Senate Banking Committee recently asked former Equifax CEO Richard Smith, who resigned after the breach, why consumers had to pay for monitoring to protect them from identity thieves. Calling it a "clever business model," Sen. John Kennedy, R-La., likened it to paying "extra in a restaurant to prevent the waiter from spitting in my food."
Wu said several bills proposed in Congress may give consumers "better tools to try to prevent identity theft after this breach." Among them:
A bill so consumers can freeze their credit for free. Consumers now pay to freeze and unfreeze their credit, which is supposed to prevent someone else from opening a new account using their data. Bingham warned that accounts are sometimes opened without pulling a credit report.
One proposal would make frozen credit the default.
Another bill would require credit reporting bureaus to adequately staff their dispute-investigation divisions to find and correct faulty information. It would also allow consumers to appeal.
Ongoing discussion of whether credit reporting should be in the hands of private corporations or whether some government or quasi-government agency should undertake it.
One important way to protect consumers, in Mierzwinski's view, is shielding the Consumer Financial Protection Bureau from efforts to weaken or eliminate it. It's also important, he added, to let the bureau levy penalties for initial violations.
Governments in some countries reportedly run their credit reporting system or license it and provide oversight.
But systems that are at least similar to America's are more common, and U.S. credit bureaus are active overseas. Equifax serves the same function in close to two dozen countries.
"Much like American companies have exported fast food, they are exporting this form of credit reporting to the world," Wu said.
Australia recently adopted American-style credit reporting.
Many European countries have three bureaus, two of them very familiar to Americans: Equifax, Experian and CallCredit. Canada has Equifax of Canada or TransUnion Canada. South Africa has Experian, TransUnion and Compuscan. A bank created the public registry China uses.
Credit reporting systems in less developed countries are becoming more robust as their economies and technological capabilities improve.
Change in America has been slow, said Mierzwinski, and usually has bowed to the wishes of the credit reporting agencies, partly because they benefit banks. "Banks have tremendous power in Washington." The creditor and consumer reforms of 2010 only happened, he said, because banks lost some clout due to their role in the recession. But a decade later, "banks and their friends on Capitol Hill are leading a campaign to roll back Dodd-Frank."
Oversight is complicated. The law covering credit reports and credit bureaus, the Fair Credit Reporting Act, was transferred to the then-new Consumer Financial Protection Bureau. That was when credit bureaus began forwarding documentation in a dispute, not just that two-digit code. Now John Doe's mortgage holder gets the canceled check, too.
But data privacy at credit bureaus and elements pertaining to data breaches stayed with the Federal Trade Commission, which has little rule-making authority, he noted.