The hack attack victim provided a short narrative in the CFPB complaint that was long enough to ooze anguish: “My life has been a complete nightmare, for I have been denied credit, turned down employment, and unable to provide adequate shelter for me and my XXXX sons. I am a victim of identity theft, from a data breach.”
That set the tone for a congressional hearing last week that explored issues related to consumer reporting agencies and the need for federal agencies to have more power to protect us. Consumer reporting companies calculate the all-important credit scores of individuals and “collect, maintain, and sell to third parties large amounts of sensitive data about consumers, including Social Security numbers and credit card numbers,” according to a Government Accountability Office report.
The report, requested by House Oversight and Reform Chairman Elijah E. Cummings (D-Md.) and Sen. Elizabeth Warren (D-Mass.), urged Congress to approve tougher penalty authority for the Federal Trade Commission (FTC).
“FTC lacks a practical enforcement tool for imposing civil money penalties that could help to deter companies, including CRAs (consumer reporting agencies), from violating data security provisions of [the law] and its implementing regulations,” Michael Clements, GAO’s financial markets and community investment director, told the hearing.
The FTC agrees.
“We vigorously use our existing authority to protect consumers, but we need additional tools,” said Andrew Smith, FTC’s bureau of consumer protection director. “We have called more broadly on Congress to enact comprehensive data security legislation that includes rulemaking, civil penalty authority and enhanced jurisdiction for the FTC.”
The FTC is investigating the Equifax breach, but the government’s power to punish is limited.
“If you’re a larger credit bureau and you don’t comply with the Federal Trade Commission’s safeguards rule, there should be mandatory penalties,” said Mike Litt, consumer campaigns director for U.S. PIRG, the Public Interest Research Group. “If you lose personal data, there should be mandatory fines. But at the very least, we need to make sure that the FTC can actually issue penalties for the first violation of the law. They are investigating the Equifax breach, but they’ll only be able to issue a consent order, and then only if Equifax breaks that order and then violates the law a second time can there actually be any fines. We need to change that.”
The plight of the Illinois parent animated the hearing and underscored the need for stronger government enforcement of consumer reporting company regulations.
“I was deeply saddened to learn about one Illinois resident whose credit was so badly damaged by identity theft resulting from the Equifax breach that the person was denied — denied both employment and housing,” said Rep. Raja Krishnamoorthi (D-Ill.), chairman of the House Oversight and Reform subcommittee on economic and consumer policy. “This is but one example illustrating the extreme and decades lasting implications of allowing … Social Security numbers, birth dates, addresses, driver’s license numbers and credit card information to be exposed to cyber criminals.”
Equifax is one of the largest of hundreds of consumer reporting agencies. Information is power and they have lots of both. They hold, Krishnamoorthi said, “huge amounts of sensitive information.” A credit score, calculated from that information, can determine whether people are able to get a loan to buy a car or a house.
They “serve an essential function in the financial services industry,” Clements added. The credit and other data they collect “help determine whether and how much consumers pay for credit and can also be used in employment and rental decisions, among other purposes.”
But the government does not have enough power to regulate them and they don’t answer to consumers.
“CRAs also hold huge sway over the lives of consumers,” Krishnamoorthi added. “The information they control … can determine if someone gets a loan, a job, insurance, or a home. Yet, CRAs are not accountable to those same individuals.”
These agencies can control our lives, but unlike other companies, we don’t choose to do business with them, nor can we stop them from doing business with our information if we object.
“Consumers have limited choice in the CRA marketplace,” Clements said. “Unlike many other products and services, consumers can't exercise choice if they are dissatisfied with the CRA list choice. Further, consumers don't have the legal right to delete their records with a CRA. CFPB and FTC have noted that the level of consumer protection required can depend upon consumers exercising choice in the marketplace. Less choice implies the need for greater oversight.”
When Equifax updated, in March 2018, the number of individuals hit by the cyberattack, Paulino do Rego Barros Jr., then the interim CEO, said “we continue to take broad measures to identify, inform, and protect consumers who may have been affected by this cyberattack. We are committed to regaining the trust of consumers, improving transparency and enhancing security across our network.”
That trust would be stronger if consumers had more trust in federal enforcement power over Equifax and other consumer reporting agencies.