Equifax needs to start answering questions, fast. And this better be a turning point in consumer rights around use and storage of their personal information.
It’s not even clear from the PR-worded statement that 143 million Social Security numbers were stolen, though that’s the clear implication. All we know is most Americans are “potentially” impacted. A bunch of driver’s license numbers were stolen, too.
Really, all we know is that criminals stole “certain files,” with 143 million people potentially impacted. That’s not nearly good enough. Victims are then told to go to a poorly constructed website that really does look like a site set up by a criminal.
Equifax ‘help’ unacceptable
Once at the Orwellian-named EquifaxSecurity2017, consumers are told to enter most of their Social Security number and last name and see if they are in the dataset that was stolen. But the responses are wildly unsatisfying. Readers tell me they range from “check back again soon” to “you’re a winner” to “sorry, you weren’t hit, but you can get a free credit monitoring and ID theft-related service anyway.”
If you’re like me, you’re wondering if this might be a clever marketing ploy to upsell Equifax’s TrustedID Premier. Will victims be auto-enrolled for a monthly fee at some later point?
Victims’ rights unclear
Meanwhile, TrustedID signup requires that consumers agree to one of those nasty rip-off clauses that make them waive their right to join a class-action lawsuit. Would that waiver apply to this incident? I would hope not, but I’d sure not want to give a judge a chance to tell me I’m wrong.
We need answers to questions like these: Who were the hackers? What were their motives? What exactly was stolen? What is the chance something bad will happen to me? Why did you wait more than a month to tell me? And finally, the big one:
Protection service moot
What good will one year of your ID theft protection service do if a clever criminal has my Social Security number? SSNs are forever. One year of free service is the most token of token gestures.
It’s hard to believe anyone at the firm, after having a month to contemplate the impact of this hack, believed yesterday’s announcement would be sufficient. Consumers deserve answers now. Consumer lawsuits already have commenced. Congressional hearings should be held.
Companies must face real consequences
Most of all, real consumer protections need to be put in place with real pain for companies that engage in this kind of behavior. A token fine and a temporary “gift” of credit monitoring-plus is no punishment at all.
As a postscript to this story, here’s something you should know that was happening yesterday in the halls of Congress. A House committee was debating a bill that would limit consumers’ ability to sue credit bureaus and cap potential damages—and end punitive damages. The Orwellian name for that legislation is the “FCRA Liability Harmonization Act and the Facilitating Access to Credit Act.”
Be wary when taking next steps
It’s still an OK idea to visit the Equifax site and see if you are in the at-risk pool. Doing so won’t do much for you, however. At the moment, I don’t recommend signing up for the firm’s ID theft service, at least not until we get clearer answers. Instead, do the things you should always do:
This article originally appeared on ThirdCertainty.com and was written by Bob Sullivan.