There’s nothing like a disaster to prompt a call for change.
In early October, Congress grilled Equifax’s former CEO, Richard Smith, in four separate committee hearings about how his credit reporting agency put the consumer records of over 145 million people in jeopardy.
How bad was the hack? Pretty bad.
We’ll be feeling the effects for “essentially a hundred years, until everybody is dead that was exposed by this breach,” said Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse.
Lawmakers are now trying to capitalize on consumer outrage by working to pass bills that would make Equifax and other companies like it more accountable to regular people like you and me, whose data they collect for profit. Right now your rights to learn about the theft of your data and your ability to freeze your credit report depend on the state you live in. Lawmakers aim to create federal laws that increase your rights and make them the same, no matter where you live in the US.
But there’s a catch: Any changes will be incremental.
The bills are focused on single issues, and they don’t let you prevent credit reporting agencies or anyone else from collecting your data in the first place. So if we’re lucky, our privacy may improve in the wake of the Equifax breach. But just a little.
Better than nothing?
Let’s start with where things stand. At present, federal law requires companies to tell you only about data breaches that affect specific health care information about you. In the case of financial information, only publicly traded companies must tell you when hackers steal personally identifiable information. The rest of your rights come from state laws, which vary. A lot.
One of the federal bills would mandate that companies notify you within 30 days for breaches that involve your Social Security number, email login information and other sensitive data. The other bill would freeze your credit for free indefinitely, something that isn’t currently a federal legal requirement.
If either bill passes, it would be the broadest federal regulation of its kind regarding your rights in the wake of a data breach. (Both are being proposed by Democratic lawmakers who currently don’t have Republican co-sponsors.)
It’s no surprise Equifax was lobbying lawmakers on the issue of cybersecurity and data breach notifications in the year leading up to the hack, not only because it looks bad when hackers steal its data, but also because it stands to lose money when you freeze your credit indefinitely. After all, your data is their source of revenue.
“They’re going to lobby very aggressively to prevent enactment of laws that would restrict their ability to use and monetize that.” Stephens said.
An Equifax spokeswoman said in an email that the company is reviewing the legislation and will “continue to work with Congress on all of their inquiries.”
Companies seem to have a hard time talking about data breaches.
It took Equifax five weeks from discovering hackers in its system before letting the world know. In his statements to lawmakers, former CEO Smith said the company stopped the hackers immediately and brought in cybersecurity firm Mandiant to assess the damage.
Others data breaches, like the theft of info on about 500 million Yahoo accounts (allegedly by state-sponsored hackers), took even longer to learn about. The internet giant waited almost two months to tell the public what happened, and there are concerns that higher-ups in the company knew about the hack for even longer than Yahoo first admitted.
So how long should a company wait before telling consumers about a hack of its systems?
There’s a different standard in every state, except for Alabama and South Dakota, which don’t have a legal requirement at all. The notification period ranges from 15 days to 45 days, though most states’ requirements amount to ASAP and don’t set a specific time limit.
Rep. Jim Langevin, a Democrat from Rhode Island, wants to change that. He’s calling for companies to tell consumers about data breaches within 30 days.
“Customers ought to know as soon as is practicable,” Langevin said in an interview, “so they can take additional steps to protect themselves.”
Faster, more transparent
Langevin’s bill, the Personal Data Notification and Protection Act, is the most strict data breach legislation lawmakers are considering, and it spells out what kinds of personal information would trigger the requirement to notify consumers.
The law says you should be told if hackers access information including your Social Security number, biometric information, credit card number or email password, among other things.
“We’re trying to be crystal clear about what we’re trying to protect, so there’s no ambiguity on the companies’ parts,” Langevin said.
The bill would also put the Federal Trade Commission in charge of enforcing these requirements. Right now no one enforces these rules on a federal level. With the FTC on the case, companies don’t get to decide for themselves whether they really have to tell you hackers stole your data.
Troy Hunt collects information on more than 2.5 billion breached accounts, from hacks going back to the 1990s, and shares it in a public database called Have I Been Pwned? He favors a 72-hour time window for companies to tell you about a data breach.
Equifax says it needed the five weeks it took before informing the public of the breach. “Because this incident involves a substantial amount of personal identifying information, the investigation was complex and time-consuming,” the Equifax spokeswoman said. “As soon as we had enough information to begin notification, we took appropriate steps to do so.”
Hunt acknowledges that every data breach is different and that it could be hard to apply that 72-hour standard in every situation.
“You also want to be cautious about reaching out to customers with too little information,” Hunt said. “But five weeks, that’s just — come on.”
Companies like Equifax, including the other two major credit reporting agencies, TransUnion and Experian, collect your data from lenders and financial institutions and sell access to it to creditors.
What do you get out of it? Landlords, credit card companies and car makers use that info to determine if you’re trustworthy enough for a rental agreement or loan.
There’s a way to stop Equifax from selling your information. It’s called a credit freeze. But that means companies can’t make inquiries about your credit and so might not approve your car loan, mortgage or credit card requests.
But a freeze can also stop fraudsters dead in their tracks. So why aren’t we all doing it?
Stop me if you’ve heard this before, but the credit freeze process can be cumbersome. And that process varies depending on where you live.
Some states require you to submit a police report showing you’re a victim of identity theft. In Kentucky, Nebraska and Pennsylvania, credit freezes expire after seven years. Also, asking for a credit freeze isn’t always free. Many states let credit reporting agencies charge up to $10 to freeze your credit. They can also charge you an additional fee if you want to lift the credit freeze. And 19 states have no laws requiring free or low-cost credit freezes that last indefinitely.
Democratic Sen. Elizabeth Warren of Massachusetts wants to make credit freezes free for life. Her bill, introduced in September and discussed in a hearing Tuesday, is called the Freedom from Equifax Exploitation Act. The idea, Warren said on Twitter, is that if credit reporting agencies can make money off of your data, you should be able to control who has access to it.
Warren’s bill could also help resolve confusion over Equifax’s free credit “lock,” which isn’t the same as a freeze, though you’d be forgiven for thinking it is. Though Equifax positions it as a freeze, the company hasn’t said whether it can spam you with credit card offers on behalf of other companies, saying they’ll “unlock” your credit for you if you’re interested.
Equifax didn’t clarify whether this was the case.
“At their most basic level,” the spokeswoman said, “both prevent new creditors from accessing your Equifax credit report, unless you give permission or take an action such as removing, unlocking or lifting the freeze or lock.”
Warren has 17 co-sponsors of her bill, all Democrats except for Bernie Sanders, who’s an Independent. But Rep. Patrick McHenry, a Republican from North Carolina, introduced a bill last week that aims to prevent future hacks of credit reporting agencies by requiring the companies to put in place cybersecurity protections.
And on Tuesday, Republican Sen. John Kennedy from Louisiana told Andrew Smith, a lawyer for the Consumer Data Industry Association, that companies like Equifax will be in hot water if they don’t show how they’re going to improve their practices.
At a hearing that discussed Warren’s bill, Kennedy said to Smith, “Your clients need to step up to the plate here and suggest some meaningful reforms, or reforms are going to be suggested to them.”
Batteries Not Included: The CNET team reminds us why tech is cool.
CNET Magazine: Check out a sample of the stories in CNET’s newsstand edition.