The hack of credit reporting agency Equifax revealed last week may have compromised the personal information including the social security numbers and addresses of as many as 143 million people. Sen. Elizabeth Warren (D-Mass.), the financial industry’s main foe in Congress, announced on Friday that she will introduce a bill to prevent this from happening again—and to ensure that Equifax doesn’t make money off of its massive cyberbreach.
The bill, titled the Freedom from Equifax Exploitation (FREE) Act, would require credit reporting agencies to offer customers free options to impose or lift a “credit freeze” that stops the sharing and selling of personal credit information to third parties. Currently, there is no federal rule requiring that credit reporting agencies offer any sort of freeze option, and agencies that do, charge between $2-$10 each time a freeze is imposed or lifted. (Freezes need to be lifted when a customer applies for most financial products, like a mortgage or a credit card.)
“Credit reporting agencies like Equifax make billions of dollars collecting and selling personal data about consumers without their consent, and then make consumers pay if they want to stop the sharing of their own data,” Sen. Warren said in a press release. “Our bill gives consumers more control over their own personal data and prohibits companies like Equifax from charging consumers for freezing and unfreezing access to their credit files. Passing this bill is a first step toward reforming the broken credit reporting industry.”
The bill—also sponsored by Sen. Brian Schatz (D-Hawaii)—would also offer consumers better fraud alert protections in the wake of the breach, requiring credit reporting agencies to offer up to seven years of renewable fraud alert protections. The FREE Act proposes an automatic refund by credit reporting agencies to those customers who’ve already paid for a credit freeze following the hack and would require agencies to provide consumers with an additional free credit report so they can keep tabs on possible damage.
Along with the announcement of the bill, Sen. Warren also launched a broadened investigation into the massive data breach by sending letters to all three credit reporting agencies with detailed questions about their response and plans to shore up protections in order to avoid future problems. In her letter to Equifax, Warren issued sharp criticisms of the agency’s sluggish response, its lack of transparency about exactly what information may have been compromised, and Equifax’s initial attempt to enroll affected customers in free credit monitoring—provided they relinquish their right to sue the reporting agency.
Equifax learned of the hack on July 29, 2017, Warren noted, but did not inform the public until 40 days later, leaving consumers vulnerable to “credit card fraud, tax fraud, identity theft, and various other crimes.” She questioned why, “given the risk to so many Americans,” Equifax “delayed in notifying them of the breach.” Sen. Warren added: “Equifax’s initial efforts to provide customers information did nothing to clarify the situation and actually appeared to be efforts to hoodwink them into waiving important legal rights.”
Warren also sent letters to the federal agencies tasked with consumer protection—the Consumer Financial Protection Bureau and the Federal Trade Commission—with detailed questions seeking information on their response to the hack. She also wanted to know when they learned of the breach, and what steps they’ve since taken to protect consumers from further damage.
Warren has asked both the credit reporting agencies and federal consumer protection watchdogs to respond to her letters by September 29.