Should Credit Bureaus Be Fined When Hacked?

Huge data breaches are becoming commonplace, exposing the personal information of thousands of consumers to potential identity theft – but the 2017 Equifax data breach may have been one of the most disappointing.

Data breaches often target retailers that store personal information on their customers. You have a choice whether or not to shop at that store, and sometimes whether to allow information to be stored there. The Equifax breach exposed the personal information of over 145 million Americans, with most of those Americans having no business with Equifax. Many of those consumers may not even know who Equifax is, or why they would have their information.

Equifax and their companion agencies Experian and TransUnion are the three primary credit reporting agencies in America. They receive information from creditors and lenders on virtually all borrowing and credit transactions. Therefore, they hold information on every American consumer who has borrowed money at any time. They’re rich targets for hackers and identity thieves. Shouldn’t they be held to the highest possible standard?

Congressional Democrats agree – or at least they agree that credit reporting agencies should suffer economic consequences if they fail to protect consumer information.

The Data Breach Prevention and Compensation Act, introduced in the Senate by Elizabeth Warren (MA) and Mark Warner (VA) and in the House by Elijah Cummings (MD) and Raja Krishnamoorthi (IL), would establish an Office of Cybersecurity to provide credit reporting oversight. The office would report to the Federal Trade Commission (FTC).

As part of the oversight, FTC would gain greater enforcement capability against poor credit reporting security practices – including a $100 penalty assessed for every consumer with at least one piece of their personal identifying information (PII) exposed in a credit reporting agency breach. (PII includes information such as Social Security numbers, passport numbers, and dates of birth.) Each additional piece of PII exposed would cost the credit reporting agencies an extra $50.

Had the law been in place for the Equifax breach, Sen. Warren estimates that Equifax would have paid over $1.5 billion in penalties. The company just reached a settlement that should cost them less than half that amount.

Sen. Warren also considers Equifax’s response to the breach inadequate. According to information compiled by Congressional staff, over 52,000 complaints were filed against Equifax in the eighteen months after the data breach was revealed on September 7, 2017 – and over 30,000 complaints were filed in the last twelve months of that time period. Essentially, consumers have given Equifax a chance to deal with their post-breach concerns and are dissatisfied with the results.

Credit reporting agencies will oppose this legislation for obvious reasons and are likely to win the fight for now. What can you do about the problem?

You may not have any control over credit reporting agency security, but you do have some control over your own. Review your own security practices today and take common-sense precautions to prevent identity theft.

Protect all accounts with strong passwords that are changed frequently. Use only secure connections and trusted websites. Store your personal information in as few places as possible – the fewer places your information is stored, the lower the odds that thieves will steal it. Shred any unnecessary documents that contain personal information and store important ones in a secure location. Let MoneyTips protect your credit and your identity with a free trial.