Column: Before its massive data breach, Equifax fought to kill a rule allowing victims to sue
The data collection and monitoring firm Equifax has been properly flayed for the massive data breach it disclosed last week, as well as for its weak and dishonest response to the breach.
The firm has rectified some of the flaws in its response to the breach, which exposed the personal data of 143 million American consumers to hackers. But it hasn’t backed off from another action that would undermine consumers’ ability to hold the entire consumer monitoring industry accountable for such breaches: A concerted campaign to repeal a federal regulation upholding consumers’ rights to sue.
The regulation, issued by the Consumer Financial Protection Bureau on July 10 and scheduled to go into effect in mid-January, came under attack by Republicans in Congress “before the ink was even dry,” says Amanda Werner of Americans for Financial Reform, which is fighting to retain the rule. Under its provisions, financial firms would be prohibited from saddling consumers with arbitration clauses that prevent the consumers from filing or joining class-action lawsuits against the firms.
The rule wouldn’t cover the latest Equifax breach, which occurred before it was made final. But it would have prevented the confusion that arose last week in the wake of the breach: Equifax was caught steering consumers trying to find out if they were affected to a one-year “free” credit monitoring service that contained an arbitration clause forbidding class actions.
The consumer reporting industry is adequately regulated and goes to great lengths to ensure consumer data is protected.
— Equifax’s lobbying group, CDIA
Following an uproar, Equifax amended its terms of service to remove the offending clause. On Monday, the company issued a statement affirming that enrollment in the free monitoring service it’s offering “does not waive any rights to take legal action.” The company also rectified another flaw by specifying that enrollees in the one-year free service won’t be automatically enrolled in the paid service after their free year expires.
Those steps do nothing to rectify the fundamental problems with the business model and lobbying interests of Equifax and its fellow credit monitoring giants, Experian and TransUnion.
The firms portray themselves as guardians of consumer privacy, but their interests really lie in invading consumers’ privacy. They collect an enormous amount of personal data — your current and former addresses, phone numbers, Social Security numbers, bank and credit card accounts and payment histories. They market this hoard of data to third parties who use it to reach out and touch you, often in places you don’t want touched, like your wallet. Then they turn around and try to sell you expensive services supposedly protecting you from identity theft if the data gets loose.
This may explain why the laws governing data collection firms have been so weak. As we observed last week, there are almost no laws or regulations worth mentioning that impose stiff penalties for allowing personal data in their possession to get hacked. Only eight states require that consumers be notified within even 90 days of the discovery of a breach. Equifax waited some six weeks after discovering it was hacked before making its announcement.
The industry’s campaign against the arbitration rule has been especially telling. Its lobbying arm, the Consumer Data Industry Assn., even opposed a proposal that would urge, but not require, the firms to tighten up their authentication practices so that the wrong people couldn’t get access to a consumer’s data.
But the industry’s more serious objection is to the CFPB’s arbitration rule. As early as August 2016, according to a comment letter ably unearthed by David Sirota and Alex Kotch of International Business Times, the CDIA groused that the rule could expose the firms to class-action verdicts forcing them to disgorge all their revenues from their credit-monitoring products.
This would be a real shame for consumers, the CDIA asserted. The inability of the firms to price their credit-monitoring services to accommodate the risk of adverse court judgments could have “the unintended effect of reducing the availability of those products and the amount of information … made available to consumers regarding their consumer reports.”
In other words, if they’re exposed to legal liability for data breaches or other misuse of people’s personal information, they might have to stop selling their products.
The financial industry enlisted Keith Noreika, President Trump’s appointee as comptroller of the currency, to try to block the rule. In July, Noreika demanded that CFPB director Richard Cordray delay the rule so his staff could make sure it wouldn’t erode the safety and soundness of the banking sector.
Cordray effectively laughed in Noreika’s face, replying that he failed to see “any plausible basis for your claim that the arbitration rule could somehow affect the safety and soundness of the banking system.” Since the CFPB analysis showed that the rule wouldn’t cost more than $1 billion a year to the entire financial services industry, while the banks alone earned more than $171 billion in profits last year, “on what conceivable basis can there be any legitimate argument that the rule poses a safety and soundness issue?” Noreika eventually dropped his objections to the rule.
The Congressional GOP continues to take up the cudgel. In July, the House voted to repeal the rule, with every Democrat and only one Republican, Rep. Walter Jones of North Carolina, voting to preserve it. The House measure is now before the Senate, which hasn’t said whether it will take it up. The Senate deadline for consideration expires in November.
Consumer privacy advocates hope that the Equifax debacle will remind senators of the importance of the rule. “We need to look at how consumers are going to be able to hold these firms accountable,” Werner says.
Much more is needed, including laws imposing strict penalties on firms that fail to safeguard consumer information, along with requirements that those suffering breaches inform the potential victims promptly — in days, not weeks. Public hearings would be a start, but as we observed last week, without legislation, the next major breach exposing you and your neighbors to identify theft won’t be long in coming.
Who knows? Given how lax big business has been about protecting your privacy and how light the penalties are for failure, it may already have happened. You just don’t know it yet.