The fallout from the Equifax data breach continues, reaching other credit reporting companies and all the way across the Atlantic Ocean.
In early September, Equifax disclosed that roughly 145 million Americans had their personal information—including names, Social Security numbers, birth dates, addresses and driver’s license numbers—compromised when hackers gained unauthorized access to the company’s data between May and July 2017.
The reaction was fast and furious, from lawsuits to legislation to federal investigations. Months later, the fallout continues.
Former Equifax Chairman and Chief Executive Officer Richard Smith testified at four congressional hearings over a three-day period, facing tough questions and offering answers that left lawmakers unsatisfied. Legislators even suggested that the company be fined for each piece of data compromised by the hackers—a potentially devastating proposition given that the personal information of roughly 145 million consumers was exposed.
At a hearing held by the House Energy and Commerce Committee, Rep. Joe Barton (R-Texas) suggested that requiring companies to pay consumers affected by a breach would encourage them to “pay a little bit more attention to [data] security.”
“I think it’s time at the federal level to put some teeth into this and require some sort of per-account payment,” Rep. Barton said. “I don’t want to drive credit bureaus out of business and all of that, but we could have this hearing every year from now on if we don’t do something to change the current system.”
The company also faces additional lawsuits, with actions now being filed by cities such as Chicago and San Francisco. According to Chicago’s Illinois state court complaint, “Equifax could and should have prevented the data breach by implementing and maintaining reasonable safeguards, consistent with representations Equifax made to the public in its marketing materials and privacy policies and compliant with industry standards, best practices and the requirements of Illinois state and Chicago municipal law. Equifax failed to do so.”
The breach has impacted the credit reporting agency (CRA) industry as a whole, demonstrated by letters sent by a coalition of 37 state attorneys general to the chief executive officers of Equifax competitors Experian and TransUnion.
Led by Illinois AG Lisa Madigan—who is also coordinating a multistate investigation into the breach—the letters request the companies to stop charging credit freeze-related fees. “Consumers should be able to protect themselves now by freezing their credit report with all the major CRAs,” the AGs wrote.
Seven states—Colorado, Indiana, Maine, New Jersey, New York, North Carolina and South Carolina—prohibit CRAs from charging fees to place a credit freeze, with two states (Illinois and Massachusetts) currently considering similar legislation and at least two bills pending at the national level requiring CRAs to offer credit freezes to all consumers free of charge.
The AGs predicted success for the measures “given the public outcry” in the wake of the Equifax data breach. “The crisis in confidence extends to the entire credit reporting industry,” they wrote.
Equifax’s troubles have spilled beyond the U.S. borders as well, with the chair of the House of Commons’ Treasury Committee demanding an explanation from the company about the delay in notifying United Kingdom citizens about the breach, which affected more than 15 million records and an estimated 700,000 citizens.
The chair followed up with a letter to the country’s Financial Conduct Authority, seeking an investigation into whether Equifax violated the terms of its license to operate in the country and whether compensation may be due to consumers. The U.K. Information Commissioner’s Office is also investigating the breach for potential violations of the country’s data protection rules.
To read the letter to Experian, click here.
To read the letter to TransUnion, click here.
Why it matters
The reverberations from the data breach show no sign of stopping, with Equifax facing additional litigation, continued oversight from lawmakers and multiple inquiries from international regulators as well as those in the United States. The pressure is also being felt on the credit reporting agency industry as a whole, from a movement to end fees for credit freezes to federal legislators considering fines for compromised data.