After Equifax disaster, we must demand credit reporting reform

After Equifax disaster, we must demand credit reporting reform

This month, yet another company announced that the information of millions of Americans had been unwittingly exposed. This time, the number in question was 143 million, lower than the one billion Yahoo user accounts hacked last year but higher than the 40 million Target customers breached in 2013 and the 83 million JPMorgan customers breached in 2014. Moreover, the scope of the exposed information in the latest breach is much more dangerous than in previous ones.

Equifax, one of the largest consumer reporting agencies, revealed our most personal information, including our social security numbers, addresses, financial records, birth dates, driver’s license numbers and credit card numbers. Since there are roughly 250 million people over the age of 18 in the U.S., this means that nearly 60 percent of the typical credit report population may have been affected.

ADVERTISEMENT
Many important lessons have already come out of the Equifax breach. Much has been written about cybersecurity and how to protect oneself from identity theft, including credit freezes, credit monitoring and smart password management. Pressure from advocates, journalists and policymakers has forced Equifax to back down from tying its provision of post-breach credit monitoring to waiving one’s rights in a class action and from requiring affected individuals to provide a credit card number to sign up for its “free” service.

Much has also been written about the need for comprehensive data breach and cybersecurity reform. The numbness that we feel when we hear about yet another national data breach, whether from Equifax, Yahoo, Target, JPMorgan, Home Depot, LinkedIn or the Office of Personnel Management, is proof enough that our information is not secure and our laws have not kept pace with technology. But unlike the companies in most other data breaches, Equifax is not a firm with which any of us choose to interact.

We cannot opt out of using Equifax in the way we can boycott many of the other companies that have experienced a breach. Equifax is one of the big three consumer reporting agencies, which collectively compile information about us that is used in such life-changing decisions as whether to buy a home, work for certain employers, get a cell phone or obtain insurance. Equifax and its brethren exercise invisible power in every aspect of our lives. Incidentally, one of the other two major consumer reporting agencies, Experian, exposed the data of millions of its customers just two years ago.

What many people do not realize, however, is that there are not only the big three consumer reporting agencies. There are at least 400 consumer reporting agencies in the country, and thousands of additional companies that compile and use consumer data that are not characterized as consumer reporting agencies under the law. The consumer reporting agencies are governed by the Fair Credit Reporting Act (FCRA), a law whose structure has not been fundamentally updated since Richard Nixon signed it into law in 1970.

The biggest change to the structure of consumer reporting agency oversight occurred in 2010, when Congress created the Consumer Financial Protection Bureau (CFPB) as the first federal agency with authority to examine and regulate consumer reporting agencies. This was a needed improvement, but it’s not enough. The Congress of 1970 had not contemplated the future capacity for data collection, the many ways that data would be used in every aspect of people’s lives or the many companies that would develop internal credit decision processes that fall outside of the FCRA completely.

Thus, the Equifax breach teaches us one additional lesson: We need consumer reporting agency reform perhaps more urgently than we need data breach protection. The stakes are higher with consumer reporting agencies, because of the invisible power they wield over so much of our lives and how little we can control what data is being used against us. Just last week, the same day that the Equifax breach was announced, Congress held a hearing on legislation to reduce oversight of consumer reporting agencies.

Such deregulatory legislation over consumer reporting agencies, and many other aspects of financial markets, is exactly what we do not need. We need to demand that Congress pass laws strengthening oversight over consumer reporting agencies and to be vigilant when they attempt to undercut the existing laws, weak as they are. We don’t need more credit monitoring. We need to understand who is using our data and why, and mobilize to protect ourselves.

Jeanette Quick served as senior counsel to the U.S. Senate Banking Committee. She was previously an attorney at the U.S. Office of the Comptroller of the Currency.