The Equifax data breach exposed the personal information of an estimated 143 million Americans. It has led to a lawsuit against the company by the state of Massachusetts, an investigation by the Federal Trade Commission and the promise of congressional hearings. The episode, though, has revealed that up until now, the big three credit reporting companies have had a lot of clout in Washington, D.C., analysts say.
The credit reporting companies have to comply with rules set by the Federal Trade Commission and the Consumer Financial Protection Bureau, which regulate how the companies can sell your financial data to other companies.
But protecting that data is a kind of regulatory black hole. There is very little oversight — compared to banks, for example, says Rohit Chopra, a former assistant director of the CFPB. "To maintain a national bank license, banks have to prove that their standards are up to snuff," he says, "but credit reporting agencies don't face that same level of oversight, even though they hold data on the majority of American adults."
Chopra says what he calls the "meltdown at Equifax should be a wake-up call" to consumers about the outsized role credit reporting companies play "without our consent."
Chopra is now a senior fellow at the Consumer Federation of America, where he wrote up advice for those affected by the breach. Chopra says there are few rules protecting consumers' data or that require credit bureaus to immediately notify consumers in the event of a breach. It took Equifax some six weeks to reveal the hack, and the company left it up to consumers to try to find out if their data had been stolen.
Chopra says people have little control over their information, and that with credit bureaus, "in some ways you're not the customer, you're the product."
And Ed Mierzwinski of U.S. PIRG (Public Interest Research Group) says when it comes to choosing a credit bureau, consumers have no choice. "If you don't like AT&T or Verizon, you can go to T-Mobile, you can take your business elsewhere, you vote with your feet. You can't vote with your feet with a credit bureau," he says. "You're stuck with them."
Mierzwinski says the credit bureaus have fought attempts to make them more transparent. The three companies, Equifax, Experian and TransUnion, spent nearly $3 million to lobby lawmakers last year, according to figures compiled by the Center for Responsive Politics. In fact, he says, House lawmakers were considering legislation the industry favored on Sept. 7: "On the day of the Equifax breach announcement, the House held hearings on not one, but two bills to weaken consumer protections over the credit bureaus."
One of the measures would cap the amount of damages that consumers could be awarded in a lawsuit against the companies. Its sponsor, Rep. Barry Loudermilk, R-Ga., defended the bill at that hearing, saying it had been presented "that this is a credit bureau protection act. This is false. This is to protect consumers and all Americans."
Since the breach was revealed, Loudermilk issued a statement saying that "given the unfounded attacks on me and the rampant misinformation circulating about this legislation, the Financial Services Committee has not scheduled further action on any bill at this time."
He also said that Equifax must be "held accountable" for the breach. A member of the Financial Services Committee, Loudermilk said he would be part of an investigation into the breach and that work had begun on legislation to require credit bureaus and other companies to promptly notify consumers if their data is breached.
Several Democratic senators, led by Elizabeth Warren of Massachusetts, have sponsored a measure that would forbid credit bureaus from charging consumers to freeze or unfreeze access to their accounts. It would also require the companies to refund any fees they have charged for credit freezes after the Equifax breach.
Equifax says it will waive fees for removing and placing security freezes through Nov. 21.