Michael Maiello's picture

    Equifax and the CFPB

    Two days before we found out that credit reporting agency Equifax had been hacked and 143 million consumer records were compromised, I received an alert from my credit card company that somebody had attempted to buy $200 worth of merchandise at a Foot Locker in Queens.  Later, the Equifax website did acknowledge that my information may have been compromised.  I took the necessary steps to change cards and passwords.

    I also decided, in light of the fact that I was personally a victim among 143 million, to file a complaint with the Consumer Financial Protection Bureau, at least in the hopes that if the government does do something about Equifax's negligence (and failure to report to the public in a timely manner) that offering an official complaint would help them along.

    The CFPB is, sadly, a joke.  To their credit, they dealt with my complaint quickly. I wrote up the facts and was delighted that the CFPB also asks complainants to suggest what they think would be a good remedy to their complaint.

    Equifax attempted to head off regulatory action by suggesting its own solution to what it calls "the incident," which is that the people it has collected data on can sign up for a free year of its credit monitoring service.  To me, this is a lot like setting fire to somebody's home and then offering them a free year of insurance, based on nothing but your own promises, and calling it even.

    I suggested to the CFPB that Equifax could make this right by:

    • Offering consumers a free copy of their Equifax report, on demand, for a number of years going forward, as well as the right to correct that report.
    • Equifax should pay for a third party credit monitoring service for at least a year, for all those affected.
    • Equifax should pay some monetary damage (I suggested $100) to compensate people for the inconvenience of changing credit card numbers and using credit monitoring services that they never needed before.

    The CFPB helped me set up an online account with them and helpfully sent a few email updates so that I knew my report had been received and was being considered.  Today, I got a note saying that the case had been resolved and closed, and that I could view a response from Equifax. I logged in to find that the extent of the CFPB action here was to forward my complaint to Equifax and to ask for a response, which Equifax quickly offered. Here is the Equifax response, in full:

    Thank you for contacting Equifax. We remain focused on consumer protection and committed to providing outstanding service and support. Protecting the security of the information in our possession is a responsibility we take very seriously and we apologize for the concern and frustration this cybersecurity incident causes. We have developed a comprehensive portfolio of services to support all U.S. consumers. Please refer to our dedicated website, https://www.equifaxsecurity2017.com, for the latest information and updates or contact our dedicated call center at 866-447-7559. The call center was set up to assist consumers and is open every day (including weekends) from 7:00 a.m. – 1:00 a.m. Eastern time.

    This is some amazing boilerplate.  It contains an apology, but not for Equifax losing my personal data (collected without my consent or even ability to review for free). The apology is that I have been "concerned" and "frustrated." This is a nice way of saying, "I'm sorry you feel that way," after you drunkenly hit somebody's dog with your car and they tell you they are not okay with it.

    Beyond that, the CFPB specifically asked what I thought would be a reasonable remedy and the main point of my suggestions was that Equifax cannot fix the consequences of an Equifax security lapse by offering an Equifax solution. Any future credit monitoring should be performed by a disinterested third party.

    Quite annoying is Equifax's reference to a "cybersecurity incident," which makes it seem like a large credit reporting agency that has been gathering and selling data on Americans, without consent, for decades, is as much a victim here as anybody.

    The CFPB accepted this response and closed the complaint.  They did ask me for feedback on the process, which I provided, but the complaint remains closed.  I know Republicans defanged the CFPB when it was created, but I didn't realize that the extent of their dental work is that we have an agency that will take your complaint, forward it to the company, get a response, forward it to you, and declare its work done.

    This is really the extent of any consumer protection you will get from any federal government agency.  They tell you they cannot advocate for you, so about all they can provide is a timely answer from the company, whatever that answer may be.  It's pointless to have the government offer such services if they are not allowed to do anything.

    From my perspective, or the perspective of about any of the 143 million, there really is no recourse against Equifax except to join a class action suit that will likely settle for some amount that will mean more to the partners of the settling law firm than anyone else potentially affected.

    Hopefully, the government will take forceful action against Equifax.  That any executives actually sold stock between the time of the identification of the leak and the months before the public revelation, is on its face worse than anything Martha Stewart actually went to jail for. But we need to actually empower government agencies to advocate for consumers against sufficiently large businesses. Leaving it all to the courts just does not work.



    Equifax at least implicitly admitted the incident occurred. Somehow, some place. And its "this" provides a weak indication that the particular incident to which it is alluding is one Michael Maiello. Better than a poke in the eye with a sharp stick.

    They have given a very slight hostage to fortune and if it happens again you're at least one baby step closer to being able to accuse them of repeated failures. For what good that might do, if any.

    A copy of the correspondence to Elizabeth Warren might be grist for her mill.

    Congratulations on your public spirited effort. Really.

    Thanks most of all for scaring me to check all my accounts more often.

    Our government, or to be more specific, the Republican politicians who are in control of the House, the Senate, and the Executive Branch, are only concerned with prevailing in their next election.

    and....It's worse than you think:  Experian Site Can Give Anyone Your Credit Freeze PIN.

    I get that every security system will have its vulnerabilities, but this is pretty lame.

    Hopefully, the government will take forceful action against Equifax.

    Well ... not exactly.
