Consumer Law & Policy Blog


Friday, September 15, 2017

Predictions that Equifax Breach Will Not Lead to New Laws But Some Equifax Employees Out

by Jeff Sovern

Equifax is, as expected, turning into a huge consumer protection story and, as with many such stories, it is generating so much news that not only is it hard to keep up, it seems easier to give up. Still, I wanted to direct our readers to a report in the Times, "Equifax Breach Prompts Scrutiny, but New Rules May Not Follow," with predictions about what will change in the legal landscape. The prediction: not much. Here's an excerpt:

Regulators aren’t likely to fill the void. The F.T.C., which oversees data protection, can’t dole out big financial punishments. While the consumer bureau has shown a willingness to take on the industry, the agency is mainly focused on the accuracy of the data and the products that are sold to consumers.

“I have no reason to believe that this Congress has the capacity or will to actually legislate on those issues,” said Isaac Boltansky, an analyst at Compass Point Research & Trading. “The most we could see passing is targeted legislation aimed at enhancing consumer protections following identity theft.”

* * *

While forty-eight states have passed security breach notification laws, calls for a nationwide standard have repeatedly fizzled. And Equifax has been a powerful force in the legislative and regulatory arena.

Equifax spent $1.1 million on lobbying last year, * * *

Meanwhile, Equifax's chief information officer and chief security officer are leaving and Senator Wyden has introduced a bill to provide all consumers free credit freezes.

Posted by Jeff Sovern on Friday, September 15, 2017 at 08:55 PM in Privacy

House Again Passes Bill to Put Consumer Protection at Risk, This Time, In an Appropriations Bill

by Jeff Sovern

Yesterday, the House passed an appropriations bill that incorporates provisions from the Financial Choice Act that would cripple the CFPB.  According to Law360:

The base bill would make a number of changes to the CFPB, including bringing it under the purview of the normal appropriations process. In addition, the bill would remove the bureau’s ability to target “Unfair, Deceptive, or Abusive Acts and Practices” under the law, and remove its ability to initiate rulemakings on small dollar loans.

Rep. Keith Ellison, D-Minn., offered an amendment to try and reinstate the agency’s authority over such “debt traps,” but was unsuccessful. Ellison also offered amendments on the agency’s authority over manufactured home loans and other rules, but they were defeated.

We had written about the bill at an earlier stage of the process here. While the House-passed Financial Choice Act seems unlikely to receive much, if any, consideration in the Senate, appropriations bills are another story. By including anti-consumer provisions in the must-pass appropriations bill, members of the House increase the chances that some of those provisions are enacted into law.

Posted by Jeff Sovern on Friday, September 15, 2017 at 07:24 PM in Consumer Financial Protection Bureau, Consumer Legislative Policy, Predatory Lending

Thursday, September 14, 2017

WSJ: Some Equifax Customers Who Sought Safety Got Burned in the Data Breach

by Jeff Sovern

Here. The customers in question had purchased Equifax's credit monitoring service. You know, the service it's now offering for free. Oh, and in addition to the CFPB investigation, the NY AG's investigation, and the class actions, the FTC is now investigating the security breach.

Posted by Jeff Sovern on Thursday, September 14, 2017 at 09:22 PM in Privacy

Ed Mierzwinski's blog post on Republican efforts to weaken regulation of credit reporting agencies (posted just before Equifax made public its security breach)

Just two days before Equifax made public the massive hack of sensitive information of 143 million Americans -- which Equifax kept secret for many weeks -- U.S. PIRG's Ed Mierzwinski posted this piece criticizing the three credit reporting agencies for their incompetence and congressional Republicans for seeking to deregulate the industry. Here's an excerpt:

What would you do if you knew that the Big 3 credit bureaus (Experian, Equifax and TransUnion) were all among the Top Five leaders in complaints posted in the full Consumer Financial Protection Bureau Public Consumer Complaint Database (Equifax has more complaints than Wells Fargo!)? What would you do if you knew that their mistake-ridden reports cause consumers to either be denied jobs or pay more for or be denied credit due to those mistakes? Well, if you were the leadership of the House Financial Services Committee, you'd consider not one, but two bills to make this worse by both eliminating strong consumer protections, capping penalties and eliminating the deterrent of punitive damages when credit bureaus wreck consumer lives. (Note on the chart: The Top Ten companies are responsible for over half of the 848,325 complaints in the database today; the chart includes all complaints posted since the inception of the database until today; the CFPB has handled over 1.2 million complaints to date; some have been referred to other agencies; others are still being processed.)

 

Posted by Brian Wolfman on Thursday, September 14, 2017 at 04:34 PM

What caused the Equifax data breach?

That's the first topic of this Consumerist article by Kate Cox. The article explains that Equifax had been given a fix for the computer vulnerability that led to the hack, and Equifax had it well in advance of the breach. But the fix was not used at least in part because installing the fix was "labor intensive and difficult." Cox's article also explains that the Federal Trade Commission has launched an investigation into the circumstances surrounding the breach.

Posted by Brian Wolfman on Thursday, September 14, 2017 at 12:04 PM

Public utility regulation for credit reporting agencies?

Over at Credit Slips, law prof Adam Levitin has written Equifax: A Call for Public Utility Regulation of Consumer Reporting Agencies. It's a comprehensive and interesting post, and it's worth reading the whole thing. He starts by explaining the hacking of Equifax in plain terms -- what it was (for instance, how it is different from the Target hack) and the harm it can impose on consumers. Then, he moves on to the heart of his argument, in which he maintains (in the part I've italicized below) that post-breach lawsuits will never solve the problem. He argues that credit reporting agencies be regulated as public utilities (the part in bold):

Let’s start with this. We’re not going to get rid of hacking. We can enact a Bloody Code or the like, but it’s not going to stop hacking, especially as it can increasingly be done internationally. Instead, we need a system that incentivizes CRAs to take the appropriate level of care. That means that the CRAs need to “internalize” the costs of the externalities that are produced when they are hacked as they are the “least cost avoider” of the hacking. How can we do that? Let me start with what I think won’t work: an ex post liability regime. There have been calls to increase CRAs’ liability for breaches and/or inaccurate consumer files. I’m all for that, but I don’t think an ex post liability regime will ever be enough to sufficiently change CRA behavior, especially as a host of procedural problems will continue to bedevil consumer litigation. There will never be complete cost internalization by CRAs even with a much stronger ex post liability regime. Instead, I think we need to consider moving to a public utility regulation regime for CRAs. What I have in mind is a system in which the CRAs’ ability to pay dividends to shareholders and to dole out executive compensation would be restricted and tied to their meeting various performance standards relating to consumer file accuracy, dispute resolution, and data security.

Levitin then goes on to discuss a couple "small ball" legislative fixes to be enacted before there's the political will to do the full-scale regulation that he'd like to see:

[First,] just as consumers have a statutory right to a free annual credit report, they should also have a right to place credit freezes on their accounts for free. State law in a number of states regulates credit freeze fees, but allows fees to be charged. That’s ridiculous. Freezes should be free in all circumstances. Second, federal law really ought to require that all consumer data be stored and transmitted solely encrypted formats. That should be a no-brainer.

I had the same thought about Levitin's first "small ball" fix. Right after the Equifax hack, I looked up the "free" credit monitoring being offered in its wake and learned that if you choose to do the thing most highly recommended -- a credit freeze -- you will have to pay to freeze the account and pay again when you unfreeze the account and then presumably again when you re-freeze the account. (As I understand it, a consumer would need to unfreeze the account whenever she wanted to apply for credit.) That's nuts.

Posted by Brian Wolfman on Thursday, September 14, 2017 at 07:49 AM

Interesting article on driverless car design

Can a company designing a driverless car simulate "the little nods and go-ahead half-waves that keep people from getting into crashes"? That's a topic of this article by Michael Laris.

Posted by Brian Wolfman on Thursday, September 14, 2017 at 07:29 AM

Wednesday, September 13, 2017

Thousands of small-claims suits against Equifax, thanks to technology

This article by Gabrielle Hernandez explains that

Chatbot company DoNotPay released a set of chatbots that can help consumers sue Equifax for negligence. Users provide their name and address to the bot, and it feeds the information into a state-designated form users can then print and file directly with the court. DoNotPay’s Equifax bots were first available specifically to residents of California and New York, and on September 12 Browder launched bots to file small claims against Equifax in all 50 states. The California and New York bots alone have already generated over 5,000 small claims alleging negligence. * * * That pressure largely depends on how many people file small claims against Equifax with or without the tool. If DoNotPay succeeds in creating a massive number of small claims around this issue, it could force Equifax to hire attorneys in essentially every state to defend against them, which could be far costlier than handling a class action claim.

Other articles concerning the pros and cons of this litigation strategy can be found here, here, and here.

Posted by Brian Wolfman on Wednesday, September 13, 2017 at 04:41 PM

23 class actions (and counting) against Equifax over its data breach

Read about it in this article by Kevin McCoy. An excerpt:

Filed in 14 states and the District of Columbia, the federal lawsuits target either Equifax or the company's Equifax Information Services subsidiary. The legal complaints cite a range of legal claims, including alleged security negligence by Equifax, the delay in alerting the public and concerns about the free credit monitoring service the company has offered consumers. Noting that Equifax experienced smaller cyberbreaches in 2013, 2016, and earlier this year, the lawsuit filed in California federal court on behalf of Ehud Gersten and Hannah Obradovich charges the company "knew and should have known of the inadequacy of its own data security." Equifax's delay in alerting consumers was "willful, or at least negligent," argued the case filed in Illinois federal court on behalf of Dan Lang and Russell Pantek. As a result, "consumers were deprived of their opportunity to meaningfully consider and address issues related to the potential fraud, as well as to avail themselves of the remedies available under the FCRA (U.S. Fair Credit Reporting Act) to prevent further dissemination of their private information," the Illinois lawsuit alleged. A California federal court lawsuit filed on behalf of Richard Spicer and Julia Gutierrez in part focused on Equifax's offer to register consumers for a free year of credit monitoring from TrustedID. "Equifax failed to disclose to consumers that it owned TrustedID, and its long-term business model turns on baiting consumers into signing up for its services," the California case alleged. "In other words, Equifax sought to turn its failure to protect consumers' sensitive data into a clandestine money-making opportunity."

Posted by Brian Wolfman on Wednesday, September 13, 2017 at 04:36 PM

Dep't of Education delays acting on requests for student-loan forgiveness

The Washington Post reports:

Tens of thousands of former students who say they were swindled by for-profit colleges are being left in limbo as the Trump administration delays action on requests for loan forgiveness, according to court documents obtained by The Associated Press.

The Education Department is sitting on more than 65,000 unapproved claims as it rewrites Obama-era rules that sought to better protect students. The rewrite had been sought by the industry.

The for-profit colleges have found allies in the new administration and President Donald Trump, who earlier this year paid $25 million to settle charges his Trump University misled customers. And it’s yet another example of the administration hiring officials to oversee the industries where they had worked previously.

The full article is here.

Posted by Allison Zieve on Wednesday, September 13, 2017 at 12:39 PM
