WASHINGTON – Sen. Elizabeth Warren (D-Mass.) on Tuesday continued pushing Equifax-driven legislation that would give American consumers the ability to freeze access to their credit files.
The Freedom from Equifax Exploitation (FREE) Act would prevent credit-reporting agencies like Equifax from charging consumers for control over their credit files, and it would also prevent CRAs from profiting off consumer data while the files are frozen. The legislation, introduced a week after Equifax publicly disclosed a massive data breach on Sept. 7, has garnered 17 Democratic and independent co-sponsors.
During a hearing before the Senate Banking Committee, Warren blasted an attorney representing the credit-reporting industry. She cited a 2012 report from the Federal Trade Commission showing that about one-fifth of Americans have an error in their credit reports, errors that directly impact the interest a person might pay for a loan or eligibility for the loan in the first place.
“If you ran a restaurant and got your customers’ orders wrong 20 percent of the time and had the worst customer service in town, you would be out of business in a week,” Warren told Andrew M. Smith, an attorney representing the Consumer Data Industry Association trade group.
Marc Rotenberg, president of the Electronic Privacy Information Center, told the Senate panel that the FREE Act is an “excellent proposal.”
Sen. John Neely Kennedy (R-La.) spoke generally in support of credit-reporting agencies developing technology that would allow consumers to initiate credit freezes without charge. He noted that the majority of adults in his state were subject to the Equifax breach.
“Your clients need to step up to the plate and suggest some meaningful reforms,” Kennedy told Smith.
Atlanta-based Equifax was aware of potential data vulnerabilities as early as March 8, when the company received a US-CERT notification. Equifax leadership claims that the full extent of the breach was not understood until early August, when it notified the FBI of a potential break-in. The breach may have compromised personal information for an estimated 143 million Americans.
“(Reform) begins by converting to an opt-in model, allowing the consumer to decide in which circumstances it’s in their interest for their credit report to be released to someone else,” Rotenburg told the panel. “So many problems of the industry result from the industry pushing the burdens back onto the consumers to choose the freeze, to choose the monitoring service, to inspect their credit reports. It’s entirely upside down, and it’s the reason we have record levels of identity theft today in the U.S.”
Earlier in the hearing, Sen. Mike Rounds (R-S.D.) argued that authorities have focused too much on the credit reporting agencies in the breach’s fallout, and have not put enough emphasis on the criminal actors who carried out the breach in the first place. Rotenburg in his testimony suggested that the perpetrators could have been foreign actors.
Smith was asked if the industry would be open to taking on fiduciary responsibilities for future breaches, a suggestion to which he objected. He argued that the industry is already subject to a pervasive regulatory scheme, and legislation like the Fair Credit Reporting Act requires accuracy in credit reporting.
Rotenburg pointed out that the FTC, which polices the industry, does not have the authority to ensure data security standards before a breach; it only has the power to analyze breaches after the fact.
Rotenburg was asked if the U.S. should consider eliminating Social Security numbers and replacing them with more secure data identifiers. He recommended that the government instead draw stricter limitations for how Social Security numbers are used. He noted previous limitations that have allowed greater security: Social Security numbers are no longer found on medical benefits ID cards, state driver’s licenses or state voter rolls.