New Report: How to Protect Consumers 1 Year after Equifax Breach

CoPIRG Foundation

A year ago, Equifax announced that hackers had breached its system and accessed the data of nearly 150 million U.S. consumers. To mark the anniversary of that notorious announcement, CoPIRG Foundation is releasing a report containing suggestions on how Congress, state officials and consumers can safeguard personal information.

“One year after announcing the worst data breach in history, Equifax has yet to pay a price or provide consumers with the information and tools they need to adequately protect themselves,” said Danny Katz, CoPIRG Foundation Director. “This breach was so bad because the information stolen – names, birth dates, and social security numbers – are the identifying information we use for credit cards, bank accounts, loans, taxes, social security benefits, and to access medical services. Until that changes, thieves will be able to use this information not just this year and next year but for the next 50 years.”

The report, Equifax Breach: 1 Year Later – How to Protect Yourself Against ID Theft & Hold Equifax Accountable, contains charts, checklists and other tips to help consumers prevent and detect the types of identity theft and fraud made possible by the Equifax breach including:

• Existing Account Fraud: Check your monthly credit card and bank statements. 
• New Account Fraud (including cell phone, credit card, loan, and utilities): Get credit freezes at all three nationwide credit bureaus — Equifax, Experian, and TransUnion. A new federal law will eliminate fees for those credit freezes for consumers on September 21st, 2018.
• Tax Refund Fraud: File your taxes as soon as possible, before thieves do. Also, if you qualify, get an Identity Protection (IP) PIN.
• Social Security Benefits Fraud: Sign up for your “my Social Security” (MySSA) account before thieves claim it and change your direct deposit info to their own checking accounts. 
• Health Care Services / Medical Benefits Fraud: Sign up for online accounts with your health care and insurance providers to periodically check for any fraudulent services on your statements.
• Other Fraudulent Activity: Check your free annual consumer reports with companies that specialize in collecting information often misused by criminals.
• Phishing Scams: Ignore unsolicited requests for personal information by email, links, phone calls, pop-up windows, or text messages. 

According to the Federal Trade Commission’s Consumer Sentinel Network Data Book, in 2017 Colorado ranked 13th for most identity theft reports per 100,000 population with 6,051 total reports. Within that, credit card fraud made up 35% followed by employment or tax-related fraud at 27%, bank fraud at 16%, phone or utilities fraud at 12%, and loan or lease fraud at 6%. 

The report also has information about actions taken since the Equifax data breach a year ago including: 

• A recap of the main governmental and civil actions against Equifax over the last year (which have so far failed to hold the company fully accountable).
• A case for why we need both oversight and financial consequences to prevent future large-scale breaches.
• A recommendation that companies that have been hacked should be required to clearly explain to consumers how they can protect themselves against most types of identity theft.

Here in Colorado, Attorney General Cynthia Coffman has signed on to at least two letters involving the Equifax data breach. The first letter focused on Equifax’s response to the data breach and called on Equifax to get rid of its arbitration clause, fees for credit freezes, and links to paid credit monitoring services that they were offering to impacted consumers. 

Attorney General Coffman also signed onto a letter to congressional leaders opposed to a bad data breach notification bill that was being considered, which had weak notification provisions and preempted stronger state policies like the one passed in the 2018 Colorado General Assembly. That bill, HB18-1128, sponsored by Representatives Cole Wist and Jeff Bridges, and Senators Lois Court and Kent Lambert, requires companies to notify Colorado consumers within 30 days of determining a data breach occurred.  That law went into effect last weekend. 

The report also highlights the need for both penalties against and new oversight of Equifax to compensate the victims and prevent future breaches of this scale. 

“Ultimately, we are not the customers of Equifax or the other credit bureaus. We are their product. We did not ask or give them permission to collect or sell our personal information,” said Katz. “At the very least, breached companies should be required to provide consumers clear information about what can be done to protect themselves against most types of identity theft.”