Equifax Data Breach
One of the area’s most recognizable TV news personalities, Jesse Jones, has asked me to help him pass new legislation that would make credit freezes free for all Washington state residents. Currently, all of those who’ve learned about the Equifax data breach (and there will be more breaches like this) have to pay at least $10 along with tax to freeze their credit with each credit bureau (Transunion and Experian… Equifax is currently waiving its fee).
When lawmakers convene at our state capitol in the new year, they will have the opportunity to hear my clients testify. I hope that hearing these individuals’ stories will open all legislators’ eyes.
Please watch the above story about one of my many clients and understand how breaches resulting from negligent safeguarding of our PII can wreak havoc on our lives — just as it did for my client, Kellie.
The Equifax breach seems to have a lot of folks angry. But not angry enough to notice that Congress along with VP Pence voted to strip us of our right to exercise our Seventh Amendment right. Why does this matter? Are you glad that we have the ability to sue Equifax for its willful violation of standard security practices? Please start from 2:55, if you don’t want to watch the entire six minutes. Congress + Pence = Death of the #RipOffClause (forced arbitration clause)= Now banks and companies like Equifax can get off scot free without any accountability.
As heavy hearted as I am, I’m also not quite ready to write about last night’s repeal of the CFPB arbitration/class action ban. All morning, I’ve gotten emails/calls about whether this means the end of any Equifax litigation, to which I reply, “No.” Below, however, is a terrific piece that reports on how @SenateGOP gored consumers’ rights from Yahoo.
‘This was the Wells Fargo Immunity Act’: Consumers lose the right to sue companies
Ethan Wolff-Mann Yahoo Finance October 25, 2017
Vice President Mike Pence broke a 50-50 tie on the Senate floor Tuesday evening to repeal a rule that prevents consumers from suing financial institutions — banks and credit card companies, for example.
The Consumer Financial Protection Bureau, which was built out of the financial crisis, created the rule after five years of studying forced arbitration clauses, the fine print inserted by companies to insulate them from lawsuits.
“Congress is standing up for everyday consumers and community banks and credit unions, instead of the trial lawyers, who would have benefited the most from the CFPB’s uninformed and ineffective policy,” said the White House in a press release.
For the 145 million consumers who watched Equifax play fast and loose with their financial data, it may be difficult to see how allowing companies to kill class-action lawsuits is a good thing.
“Tonight’s vote is a giant setback for every consumer in this country,” said Richard Cordray, the CFPB director, in a statement. “As a result, companies like Wells Fargo and Equifax remain free to break the law without fear of legal blowback from their customers.”
A popular bill for financial institutions, unpopular for consumers
“The bill was entirely and exclusively supported by the [finance] industry,” said F. Paul Bland, an attorney at Public Justice, a consumer group. “Every group that represents consumers was strongly against the bill.”
Bland listed special interest groups that opposed the bill: armed service member groups, senior citizen groups, civil rights groups. “Lots of polling said both Republicans and Democrats oppose the bill by heavy margins,” said Bland. “This was the Wells Fargo immunity act. It’s essentially a bailout for those companies.”
For Wells Fargo, Equifax, and other companies that behave badly on a major scale, preventing consumers from banding together to seek justice is a major boon that could save these companies from an unknowable amount of damages.
According to Bland, without class-actions, most consumers will not take action. “The argument that individual arbitration is better for consumers is laughable,” he said. “Look at Equifax: 145 million people. Each of them are supposed to separately file an individual arbitration for themselves? How many of them will even be able to find the American Arbitration Association’s website?”
Good lawyers and bad lawyers
The Trump administration said in the statement that the CFPB’s rule would have benefited “trial lawyers” with “frivolous lawsuits.” Putting aside judging whether suing Equifax or Wells Fargo for negligence might be considered “frivolity,” the Trump administration’s statement amounts to a blatant disregard for facts.
In the CFPB’s massive study on arbitrations, the agency examined more than 400 class-action lawsuits. The attorney fees ended up being just 18% of the money recovered on average — a far cry from lawyers-take-all.
Within the Trump administration’s comments about these “trial lawyers,” as the White House calls them, lies a hypocrisy, according to Bland.
“Mike Pence has a view of trial lawyers that basically adds up to: If you’re on the side of the rich and powerful you’re a good lawyer,” Bland said. “If a lawyer is representing an individual person, they’re a ‘trial lawyer’ and a leech on American society.”
Another scandal will happen, and this will bite the Republicans
In the past two years, two large companies have been exposed for bad behavior on a massive scale: Equifax and Wells Fargo.
“Down the road this is going to be a slow-rolling catastrophe for Republicans who voted for this bill,” said Bland. “I don’t think it’s likely the last significant time we’re going to see consumers totally cheated,” referring to Equifax and Wells Fargo
By removing consumers’ rights to class-action lawsuits, companies have less motivation to police their own behavior and play by the rules.
“The next time we discover something like Wells Fargo having a couple million people that they’ve opened phony unauthorized accounts for,” said Bland. “Fifty Senate Republicans and Mike Pence will own 100% of that scandal.”
If you’re like many clients with whom I’ve talked since the Equifax data breach news first surfaced, you are still processing how all of this may affect you and your family now and for the long term. Before diving into the steps, pat yourself on the back for your gumption for tackling your share of the unwieldy mess that Equifax has handed half this country. Also, while you take steps to protect your financial health, please remain on high alert for vultures. Most of you are likely exercising healthy skepticism when you see ads, unsolicited emails, bogus news stories, etc. that tell you that you need to sign up with them or click on a link. (Yes – this even happened on Equifax’s consumer site post-breach.) But note that the breach has brought out many bad actors to the fore, who are salivating at the thought of preying on the fear borne out of the Equifax debacle(s). *DISCLAIMER: NOTHING ON THIS PAGE OR WEBSITE CREATES AN ATTORNEY-CLIENT RELATIONSHIP. Please contact an attorney, if you seek counsel. I’m providing these steps as general guidance and NOT as your attorney. Feel free to email me, if you want to seek legal representation.
Step 1: Assume that your information was breached. The likelihood is great that your personally identifiable information (PII) is included in the 145+ millions of individual files compromised because of the Equifax breach.
Step 2: Place a freeze (a.k.a. “credit freeze” or “security freeze”). No – it’s not difficult or “cumbersome” (as former Equifax CEO, Smith, claimed in hearings earlier this month). It’s not an absolute protection, but will serve as a significant barrier for fraudsters to use your PII. And yes – there is typically a charge (if you reside in Washington State, for example, unless you’re an ID theft victim already). For “how to’s,” see the second bullet point.
- Please remember your children. While they probably don’t yet have a credit file (although some of my clients were surprised to find that their minors do have credit files), you want to protect against many ways that they can experience identity theft. If your child has a credit file, then you as a parent may request a security freeze. If your child doesn’t have a credit file, then the credit reporting agency (e.g., TransUnion, Equifax, etc.) is required to create a record for the child and is prohibited from releasing any PII about the child until the freeze is lifted. Prepare to provide proof that you are a parent and have authority as a legal guardian to act on behalf of the child. You’ll also need to provide proof of your child’s identification.
- How to freeze credit reports – You can call, if you’re not keen on entering your PII online (who can blame you?) You do need to contact each one of credit reporting agencies:
- NOTE: If you can show that you’re a victim of a data breach (hello, Equifax breach victims), you can request a free freeze with Equifax and TransUnion if you go online. But, I remain extremely cautious around any of these CRAs for good reason.
- Get a free annual credit report and scour it for anything that looks out of place. Beware of bogus websites that entice you with offers of free credit reports in exchange for your PII. Don’t do it. Go to AnnualCreditReport.com and no where else.
Step 4: Address potential/existing fraudulently opened utilities, pay TV or phone accounts. Again, it sounds incredible, but fraudsters have found that this is one of the best ways to use stolen PII.
Time to think about the ways that bad actors can use your stolen PII. Please don’t dismiss these possibilities because my clients have experienced all of these forms of ID fraud.
- Contact the National Consumer Telecom and Utilities Exchange and request your NCTUE Data Report. Again , scour it for anything that looks out of place.www.nctue.com or 1-866-349-5185 (The NCTUE data report is a record of all telecommunication, pay TV and utility accounts reported by exchange members, including information about your account history, unpaid accounts and customer service applications.)
Step 5: Guard against the real possibility that someone has or might have already created fake checking accounts. Order a free copy of your ChexSystems report, which compiles information about all of your checking accounts.
- Get your report from ChexSystems via 1-800-428-9623 or ChexSystems’ website consumerdebit.com.
- (If you find that individuals have already opened fraudulent checking accounts with your PII, you’ll need to contact every financial institution where a new account was opened. Ask them to close the accounts in writing.) Write down who you contacted and when. Keep copies of any letters you send.
Step 6: If you receive government benefits, contact that government agency and provide a written request for a report and a fraud alert.
Lather, rinse, and repeat. Please consider this part of your regular regimen to preserve financial good health. The aforementioned are not a “once and done” list of actions.
Finally, a word about “identity theft protection” services like LifeLock, TrustedId, ProtectMyId, AllClear, blah blah blah. Instead of going with any of these services/products, watch this entertaining yet informative clip from John Oliver’s show. There was a time not too long ago, when I would have said go for it if you don’t want to do it yourself. But, I’ve since revised my opinion and would advise you to take charge of your own identity and PII, by doing all of the above on your own. Why trust some third party who only stands to profit from identity theft and data breaches.
That ain’t workin’ that’s the way you do it
Money for nothin’ and chicks for free… ~ Dire Straits (“Money for Nothing”)
We’ve all heard Dire Strait’s old song “Money for Nothing” and that’s what monetizing web traffic is like for website owners. Publishers like NYTimes do it to stay alive as do behemoths like Amazon to generate additional revenue. So can we blame Equifax for wanting to make some do-re-mi off the tens of millions of new website visitors coming to their site? (cue the crickets…)
Equifax visitors, who wanted to determine if they were affected by breach, were led to the page above. Clicking on Free or Discounted Credit Report is how Equifax visitors would get served 3rd party malware. Not Equifax’s system, sure – but it’s definitely because they wanted to monetize that traffic. For those reporting Equifax’s line about “not our system that was hacked,” is similar to casting blame on Apache Struts for its issue. Let’s put on our thinking caps, shall we?
The Equifax hack news of the day seems unbelievable. After all the beating that the company and its ex-CEO has taken, you’d expect that it would have its act together by now. Right? Not so fast… On closer inspection, today’s news is predictable-–once you understand that problems will continue for Equifax as long as it has the same corporate mindset that led to the mammoth breaches of May-July 2017.
A closer look at the latest hack…
The problem starts from the fact that Equifax apparently uses a 3rd party, FireClick, as its provider for hosted application service. The purpose of using FireClick is to collect and store Web analytics re usage and data for its clients, like Equifax.
BTW: If you try to visit FireClick’s site right now, don’t bother. It’s apparently a defunct company still listed as a wholly owned subsidiary of Digital River:
The issue stems from how Digital River/FireClick integrated its ad network, including bad adware (i.e., Adware.Eorezo) in tracking, collecting and reporting Equifax’s site activity. To boil this down to the most basic terms:
- The unsuspecting consumers visit Equifax’s site
- When wanting to get details on Equifax’s Credit Report Assistance,
- The visitors are prompted to complete a form on a separate page—NOT on the original Equifax website. This is where the third party ad network comes into play. This is why Equifax is crying, “Not our system!”
- Of course, most unsuspecting visitors will proceed to fill this out and then get a prompt to download Adobe Flash Player.
- Once downloading this malware, voila! The website visitor’s machine is the happy new home of the newly acquired malicious program(s) (e.g., spyware, ransomware, etc.)
As with the Equifax breaches, one can always point to a third party (Apache struts for the May – July 2017 breaches). But the brutal fact is that the buck needs to stop with Equifax. For those naysayers who want to say that class actions don’t help, I will direct them to the Anthem Data Breach settlement terms, which requires Anthem to spend tens of millions of dollars and subject itself to security audits for years. As a class action attorney, you can bet that one of my major goals is to have Equifax (and hopefully all credit reporting agencies) subjected to external, rigorous security standards. And, as with my other data breach cases, I will fight for my clients tooth and nail (they’ll speak to you, if you are still incredulous).
A key takeaway for consumers for now (& especially for my many Equifax clients) – you are wise to steer clear of websites that Equifax and its competitors direct you to for now.
P.S. Check out Digital River’s site below. Yep – they claim that they are the “Industry Leading (sic) Fraud Prevention.” #Irony
Over the past few weeks, so many tragic headlines have gripped all of us. This includes the rising death toll and long-term devastation in Puerto Rico. Then, we continue to reel from the horrifying mass-shooting in Las Vegas. All the while, the stock market continues to rise to new highs and the GOP wants to pass a law to strip consumers’ rights to sue. That said, all of us need to stay informed about the many maneuvers that undermine consumer rights. I hope that some of you were listening closely to the words of the former Equifax CEO, Richard Smith. With his feigned concern for consumers, he continues to mislead and confuse. There are so many ways he has done so before the House Financial Services Committee. But I want to focus on one point, where he continues to show that lawmakers and the public should not trust anything he says.
Smith keeps insisting that a “lock” is preferable for customers because, he claims, a lock is very “user-friendly” and less cumbersome. But note: Locks are not the same as freezes. While activating and deactivating a security freeze takes more time. But note that state law governs security freezes, which translates to that consumers are not financially liability when executing a freeze on their credit files. So, if a consumer experiences fraud after activating a security freeze, then the consumer is in the clear. However, if you opt for a credit lock, which Smith promotes repeatedly in his testimony, it is unclear who is liable if/when fraud occurs.
A credit lock seems like an attractive choice, as you can do this by using an app with no PIN. And, it is typically instantaneous. But interestingly, only two credit monitoring bureaus—TransUnion and Experian—offers instant credit locks. Ironically, Equifax says its lock product included in TrustedID Premier requires 24 to 48 hours to process a customer’s request: the same as for a freeze. Also realize that you can’t lock and freeze at the same time. You need to choose one over the other.
Contrary to ex-CEO Smith’s testimony, don’t find comfort in the deceptively simple route of “locking” your credit. Why? Because we represent a number of clients who
have experienced identity theft on a jaw dropping level, after already having locked their files.
DISCLAIMER: By reading this blog post, there is no attorney-client relationship formed. Anything in this article should not be construed as an attorney’s advice. Please seek the advice and counsel of an attorney directly, if you are a victim of identity theft. We welcome your inquiries and will discuss your possible case with you at no cost. Email us at Equifax@Stritmatter.com and visit our Equifax page.