Equifax is forced to offer consumers free lifetime credit locks/freezes, which the company conceded should have been under the control of the consumer in the first place.
It’s been a crazy few weeks for Equifax, one of the three leading credit reporting agencies in the US, the other two being Experian and TransUnion. Ever since it announced a massive security breach due to hacking, things have been going downhill, especially for the CEO in charge at the time, Richard Smith, who is now an unpaid adviser to the company. During the Senate hearing in early October, he was grilled by several Senate members.
The Senate members did not mince their words, making statements such as: “Why should a company that has so many data security breaches be allowed to collect and store data without consent from the consumers?”; “Your company is making money off people’s sensitive data which you get from banks and employers without the consumers’ consent”; and “Your company is making millions by selling consumers’ data.”
One member asked whether consumers can request to delete their data for good, and the answer from Smith was “no, but they could effectively ‘toggle on and off’ through a web-based application to allow viewing by credit officers as and when needed” (paraphrased). This new service is expected to be rolled out at the end of January 2018.
Another member even had figures at hand – Equifax has spent about USD250 million over the last 3 years on cyber security, yet a breach of this magnitude could still happen. Even more discomfiting for Smith, he was alleged to have personally pocketed an estimated USD69 million since 2016. “In hindsight, shouldn’t Equifax spend more money on protecting consumers’ data than compensating you so well?” Smith was asked.
Worse, Smith was said to have previously boasted that “Equifax gets its information for free” – and that “Fraud is a huge opportunity for us—it’s a massive, growing business for us” (the latter in August after the breach was discovered).
A member also predicted, and Smith did not deny, that Equifax stands to make millions from its own breach in two ways. The first is selling its own credit monitoring product after the expiry of the free one-year credit monitoring and identity theft protection Equifax is currently offering.
After one year, consumers will have to pay for it at the standard rate of USD17 a month. So far, over 7.5 million people affected by the Equifax breach have signed up for the free monitoring. It was estimated that even if 1 million people subsequently continue with the monitoring for just one more year, Equifax would earn over USD200 million in revenue.
The second is LifeLock, another identity protection service on the market, which purchases credit monitoring services from Equifax. Since the breach, LifeLock has seen a 10-fold increase in customer sign-ups.
Smith testified before the U.S. Senate Committee on Banking, Housing, and Urban Affairs in early October.
Below are the relevant portions of his combined prepared and oral testimony:
“The company failed to prevent sensitive information from falling into the hands of wrongdoers.
“Upon learning of suspicious activity, I and many others at Equifax worked with outside experts to understand what had occurred and do everything possible to make this right. Ultimately, we realized we had been the victim of a massive theft, and we set out to notify American consumers, protect against increased attacks, and remediate and protect against harm to consumers.
“We developed a robust package of remedial protections for each and every American consumer – not just those affected by the breach – to protect their credit information.
“The relief package includes:
1. Monitoring of consumer credit files across all three bureaus;
2. Access to Equifax credit files;
3. The ability to lock the Equifax credit file;
4. An insurance policy to cover out-of-pocket costs up to USD1 mil associated with identity theft; and
5. Dark web scans for consumers’ social security numbers.
All five of these services are free and without cost to all Americans.
Equifax also recently announced an important new tool that has been under development for months that will allow consumers to lock and unlock their credit files whenever they want, for life, for free. This puts the control of consumers’ credit information where it belongs – with the consumer. We have also taken steps to better protect consumer data moving forward.
“TOWARD A NEW PARADIGM IN DATA SECURITY
Where do we go from here? Although I have had little time for reflection regarding the awful events of the last few weeks, this humbling experience has crystalized for me two observations:
1. An industry standard placing control of access to consumers’ credit data in the hands of the consumers should be adopted. Equifax’s free lifetime lock program will allow consumers, and consumers alone, to decide when their credit information may be accessed. This should become the industry standard. They control who and when can have access. This just requires a simple tool in the form of a web application – the ability to ‘toggle on/off’ to allow credit officers to view as and when it’s needed. Equifax cannot unlock the freeze once it’s in place but it’s unclear whether the company would do so under orders from law enforcement authorities. I have to check on that.
2. We should consider the creation of a public-private partnership to begin a dialogue on replacing the Social Security Number as the touchstone for identity verification in this country. It is time to have identity verification procedures that match the technological age in which we live.”
On a positive note, if Equifax carries through with its promise to allow consumers to freeze their credit data as and when they want, free for life, this would be a step in the right direction. Paraphrasing Smith, “This puts the control of consumers’ credit information where it belongs – with the consumer. This should become the industry standard.”
The day will come when such cyberattacks become more frequent. When that happens, Equifax’s new policy would save millions of consumers from potential identity theft or other crimes.