Equifax an Unfortunate Reminder of the Inadequate Remedies and Protections for Identity Fraud

September 17, 2017

Identity fraud is undoubtedly something to fear, as a consumer. Stories of the difficulties in getting one’s life back are likely familiar to most, possibly from TV commercials or personal relations with victims. And of course, no one wants it to happen to themselves. But with the increasingly digital nature of the world, data hacks are becoming more and more a part of life. Despite this fact, and as recent events show, resources and protections for consumers (especially those who become victims) have not really improved.
At the beginning of September, Equifax revealed to the general public that it was the target of a major hack which exposed nearly half of all Americans to potential identity theft. Equifax is one of the three major credit report agencies used by many Americans. Consequently, information which may have been stolen includes social security numbers, driver’s license numbers, names, birth dates, addresses, credit card numbers, and documents used in past disputes.
While this most recent data hack is certainly not the largest the United States has seen in recent years (Yahoo’s two were much larger), Equifax’s breach has the potential to be much more devastating to its victims. This time, the data stolen from Equifax contains much more personal information that that stolen from Yahoo — information that could lead hackers to access medical records, bank accounts, and employee accounts. This, for example, would mean that if the thief in possession of a victim’s personal information took out a prescription, it would go on the victim’s medical record and cause issues regarding future hospital visits or prescription needs. Alternatively (or additionally), the thief could rack up traffic violations under a driver’s license in the victim’s name. In a truly horrific scenario, victims of complex identity fraud have even found criminals serving prison sentences under the victim’s name.

It is unquestionable that identity fraud is a terrible and terrifying situation for the victims. So, with nearly half of the country now at risk, what recourse does one have? Not very much, as it turns out.

Equifax, after revealing the hack, announced it was offering potential victims free credit monitoring for up to one year. However, not only does this offer come many weeks after the hack was discovered (and possibly months after it happened), but initially this free service required providing credit card information upfront, requiring users to pay for the service unless they preemptively cancelled it a year from now. To add insult to injury, the initial offer required users to agree to an arbitration clause (which would waive consumer’s rights to benefit from a class action, amongst other things) in order to take advantage of the free service. Both requirements were relaxed in response to public scrutiny, with Equifax removing payment requirement from the sign up and then offering an opt out of the arbitration clause (though it is worth noting that one must notify Equifax, by mail, within 30 days of the agreement in order to successfully opt out).
While the Consumer Financial Protection Bureau called Equifax’s arbitration clause “troubling,” it isn’t all that uncommon for companies to include such a thing; largely because it often benefits the company. But forcing people to waive legal rights, particularly in response to a situation that is quite possibly, at least in some manner, the fault of the company, is rather distasteful (even if the clause may not actually be enforceable). Currently, a rule which would prevent these arbitration clauses from being forced onto consumers is set to apply starting in March. Unfortunately, however, it appears there is a chance Congress may repeal it before it goes into effect, as the House has already voted to repeal and the Senate could do so in the coming weeks.
Possibly even more important than the post-hack issues are the problems which helped to allow the hack to happen in the first place. Despite the incredibly sensitive and powerful information that Equifax (as well as similar companies) stores, Equifax has minimal oversight and regulations placed upon it. For example, when the tax company TaxSlayer was hacked earlier this year, they did not even have to pay a financial penalty due to the fact that it was their first offense in breaking the particular rule they violated.
With the lack of oversight and regulatory control resulting in little chance of breaches being prevented and limited options after the fact, the onus is really on consumers to protect themselves — which, considering how life-changing identity fraud can be, seems much too inadequate as a solution.