The recent data breach that struck the credit rating service Equifax has, once again, resurrected a popular political adage: never let a crisis go to waste.
On Sept. 7, Equifax announced a cyber-security incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files, the firm said in a statement. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. Also, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.
Equifax discovered the unauthorized access on July 29 and “acted immediately to stop the intrusion,” the firm said in its post-breach statement. It “promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted.”
Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, was originally chastised for fine print (allegedly removed amid political pressure)) demanding that customers agree to arbitration to settle legal challenges, forfeiting the right to participate in any class action.
Potentially more bad news for the company arrived with reporting published by CNN and others, alleging that three Equifax executives, including Chief Financial Officer John Gamble, sold shares of the credit-reporting company worth nearly $2 million shortly after a massive data breach was discovered. The sales, it said, occurred before the company announced the breach to the public on Thursday. Equifax defended the transactions as a "small percentage" of what the executives own and that they “had no knowledge that an intrusion had occurred” when they made the sales.
The breach, and the stock dump, have inspired politicians to take the offensive. To start with, the initial demand for an arbitration agreement for affected customers has empowered proponents of the Consumer Financial Protection Bureau’s controversial arbitration rule.
The Dodd-Frank Act required the CFPB to study the use of mandatory arbitration clauses in consumer financial markets.
The CFPB’s rule restores consumers’ right to file or join group lawsuits. Companies can still include arbitration clauses in their contracts, but may not use arbitration clauses to stop consumers from being part of a group action. The rule includes specific language that companies will need to use if they include an arbitration clause in a new contract.
“The @CFPB's new rule would stop companies like @Equifax from avoiding legal accountability like this -- as long as @GOP doesn't reverse it,” tweeted Elizabeth Warren (D-Mass.).
“The Equifax breach potentially exposed sensitive personal information for over eight million New Yorkers,” said Attorney General Eric Schneiderman. “The victims of this breach shouldn’t also have to worry that they’ve waived their legal rights simply because they were trying to protect themselves.”
“It’s shameful that Equifax would take advantage of victims by forcing people to sign over their rights in order to get credit monitoring services they wouldn’t even need if Equifax hadn’t put them at risk in the first place. If Equifax is genuine about wanting to protect customers, it must remove forced arbitration immediately from TrustedID and any other services offered to victims of the data breach,” Sen. Sherrod Brown (D-Ohio) said. “This is just one more example why the CFPB’s rule banning forced arbitration is badly needed to protect the rights of working Americans.”
Although the arbitration demand was dropped, Brown was not ready to let the matter pass. Equifax’s corporate and affiliated websites still contain forced arbitration language and customers’ rights may not be fully protected,” he said.
“This is a step in the right direction, but customers cannot be sure their rights are truly protected until Equifax makes this policy clear for all products and websites,” he said. “The fact that it took a public shaming to force Equifax to drop forced arbitration from TrustedID, is further proof why the CFPB’s rule is needed. Too many financial companies, including Wells Fargo, continue to use forced arbitration to block customers from seeking justice once they’ve been cheated or harmed.”
Franken and Cortez Masto authored the letter to CEO Richard Smith.
“Forced arbitration provisions in consumer contracts erode Americans' ability to seek justice in the courts by forcing them into a privatized system that is inherently rigged against consumers and which offers virtually no way to challenge a biased outcome,” the senators wrote.
:Equifax is currently lobbying the United States Senate related to the CFPB's rule that would prospectively limit the use of forced arbitration clauses,” they added. “Presumably, Equifax is seeking to reverse the CFPB's rule and limit their liability via repeal legislation, S.J. Res 47. We therefore ask that Equifax clarify its position on this legislation following the breach. We are hopeful that Equifax will use this unfortunate event to reconsider its broader support of pre-dispute, forced arbitration.”
Below is a roundup of other reactions from in and around Washington.
Brian Marshall, policy counsel, Americans for Financial Reform: “At a moment when a major credit bureau has breached the trust of millions of consumers by allowing their Social Security numbers to fall into the hands of criminals, Congress should not be reducing the penalties for credit bureaus that mess up. And yet that’s exactly what a key congressional committee considered this week when it took up the FCRA Liability Harmonization Act and the Facilitating Access to Credit Act. Errors by credit bureaus stop people from getting loans, buying a home or car, renting an apartment or even getting a job. Consumers need more protection from credit bureaus’ errors, not less.”
Amanda Werner, arbitration campaign manager, Public Citizen and Americans for Financial Reform: “Repealing crucial consumer protections as new financial scandals break every week would send a clear signal to bad actors like Equifax and Wells Fargo that they can continue to plunder consumers for profit.”
Dr. Barbara Rembiesa, president and CEO of the International Association of IT Asset Managers : The second major Equifax data breach in four years is a clear indication that ‘corporate America still does not have proper information technology asset management techniques’ in place. It’s two strikes and you’re out for Equifax, which handles some of the most sensitive consumer information in the United States and now has permitted what is perhaps the worst breach of consumer information in our nation’s history. After the breach debacle that Equifax went through in 2013, just four years ago, there is no conceivable excuse in the world for this kind of failure to happen again. Equifax. Verizon. Yahoo. eBay. What we see is nearly weekly evidence that leading corporations are not practicing proper IT asset management to protect sensitive consumer information.”
More from Rembiesa: “What is perhaps most disturbing to me is how three top Equifax officials, including the CFO of the company, could cash out stock immediately before this kind of announcement and then claim ignorance as a defense for doing so. If this is what passes as acceptable management, at a leading U.S. company handling the most sensitive information about 100 plus million Americans, then we are going to see many more breaches like this in years to come, Consumers and shareholders can and must insist that companies like Equifax have proper ITAM procedures in place to protect their customers and the wealth of shareholders.”
National Association of Federally-Insured Credit Unions President and CEO Dan Berger: "The massive breach at Equifax, and the report that they had known about it for weeks without notifying consumers, is yet another demonstration of the need for a legislative solution. While financial institutions, including credit unions, have been subject to federal standards on data security since the passage of the Gramm-Leach-Bliley Act, retailers and many other entities that handle sensitive personal financial data are not subject to these same standards. Consequently, they have become the vulnerable targets of choice for cyber-criminals."