NYT: Equifax Hack Exposes Regulatory Gaps, Leaving Consumers Vulnerable


Equifax warehouses the most intimate details of Americans’ financial lives, from the credit cards in their wallets to the size of their medical bills.

But the company doesn’t face the constant monitoring and auditing that help strengthen banks’ systems and data protections. Despite the wealth of sensitive information in its databases, Equifax, in essence, falls through the regulatory cracks.

The dangers of such lax oversight became apparent on Thursday when Equifax disclosed that hackers had compromised the personal and confidential information, including Social Security numbers, of nearly half of the American population.

Equifax is now scrambling to contain the legal and financial fallout.

New York’s attorney general, Eric T. Schneiderman, has opened an investigation into the data breach, while two potential class-action suits have been filed. Shares of the company were down nearly 14 percent on Friday.

A consumer backlash is growing over the company’s response to the breach. The remedy that Equifax has offered — one year of free credit monitoring — struck many as inadequate. Compounding the frustration, three senior executives, including the chief financial officer, sold $1.8 million worth of shares in the days after Equifax discovered the breach.

Equifax and two other consumer credit bureaus, Experian and TransUnion, create the reports used to calculate credit scores, the ubiquitous three-digit numbers that banks, insurers, lenders and employers rely on to make all manner of decisions. Those scores, the algorithmic assessment of a consumer’s entire financial history, help decide whether somebody gets a job or a new home.

The bureaus each have files on roughly 200 million Americans. And consumers have little choice, since banks and other companies hand over financial information and other data directly to the bureaus. The industry has been marred by complaints of mistakes on credits reports and difficulties in fixing them.

The data breach at Equifax, which affected 143 million people, could compound the problems, leaving consumers vulnerable to identify theft. It was the third hacking disclosed by Equifax this year.

“You cannot fire the three credit bureaus,” said Rohit Chopra, a former assistant director at the Consumer Financial Protection Bureau and now a senior fellow at the Consumer Federation of America. “Credit reporting agencies are the plumbing of our financial system but are much less regulated than many banks.”

TransUnion said it was investigating the nature of Equifax’s attack and what, if any, actions might be appropriate. Experian and Equifax did not return calls for comment. Equifax released a statement apologizing to customers for “the concern and frustration this causes.”

The credit bureaus fall into something of a regulatory gray area in Washington.

They are covered by many of the same data security laws that apply to banks. But banks face much stricter oversight, with a team of agencies working together to audit institutions and monitor their compliance. Non-bank companies, like the credit bureaus, generally are scrutinized only after something has gone wrong.

Federal laws require all companies to take reasonable steps to safeguard consumer data. While the Consumer Financial Protection Bureau has some supervisory and enforcement authority over the credit bureaus, the agency generally leaves data privacy enforcement to the main regulator in charge of it, the Federal Trade Commission. And the trade commission lacks the authority to impose big fines.

Last month, the commission punished TaxSlayer, a tax preparation website, for a weak security system that allowed hackers to gain access to nearly 9,000 customer accounts. TaxSlayer agreed to strengthen its systems and undergo compliance audits. But it paid no financial penalty, because the commission has no power to levy fines for first-time violations of certain rules.

“Both in terms of resources and authority, what the F.T.C. can do clearly doesn’t measure up to the scale of the problem,” said William McGeveran, a professor at the University of Minnesota Law School who specializes in privacy law.

A spokeswoman for the Federal Trade Commission, Juliana Gruenwald Henderson, said the agency does not comment on its investigations and declined to say if it had opened one on Equifax.

The Consumer Financial Protection Bureau is “looking into” the data breach at Equifax, according to Sam Gilford, a spokesman, but he declined to comment further.

Credit reporting is big business. Equifax made $3.1 billion in revenue last year, collecting the vast majority from businesses like banks and other financial service companies.

But the industry has been the subject of criticism over its data collection and reports. In some examples, two people were combined into a single file. In other instances, the bureaus have inserted a person’s information into the wrong credit report, which can occur when two people have similar Social Security numbers.

Two years ago, a coalition of more than 30 state attorneys general cracked down on the credit bureaus, negotiating a deal that required sweeping changes. The bureaus dropped some error-ridden data sources from their reports and agreed to provide more information to consumers who disputed data on the reports.

Problems have persisted. This year, Equifax and TransUnion agreed to pay a combined $23 million to settle allegations by the Consumer Financial Protection Bureau that they made “false promises” to lure customers into buying credit-related products. Those products were promoted as free, but came with monthly fees if customers didn’t cancel during the trial period.

The data breach at Equifax could expose the company to legal and financial challenges, although the regulatory environment isn’t likely to become stricter under the current presidential administration.

On Friday, Representative Ted Lieu, Democrat of California, sent a letter to the leaders of the House Judiciary Committee calling for a hearing to address the breach. In his letter, Mr. Lieu asked that representatives of the three bureaus be called to testify about what steps were being taken to prevent future intrusions.

“Congress has a strong role to play in preventing such attacks on our financial and I.T. infrastructure, and must hold those entrusted with our most sensitive data to account,” Mr. Lieu wrote in the letter.

As consumers digested the scope of the hacking, a website set up by Equifax to help was inundated. The site purported to determine whether people’s data was compromised, after visitors entered six digits of a Social Security number and other information.

It offered only vague responses, saying personal information was not impacted or that it “may have been impacted.” People who used the site quickly noticed that entering bogus names and numbers often generated the same messages.

“It requires trust where there is no trust,” said Justin Baxter, a consumer lawyer in Portland, Ore., who is an attorney in a suit seeking class-action status against Equifax. “Asking people to type in personal information to find out if their personal information has been breached — a lot of people are not going to do that.”

Equifax also recommended signing up for a monitoring services. But the program initially required users to give away their rights to legal action and agree to use arbitration to settle disputes.

It immediately drew outrage, with Mr. Schneiderman, the New York attorney general, calling on Equifax to remove language that could deny victims the right to sue. Equifax has since changed the clause, giving consumers the ability to opt out.

The company is now offering one year of free credit monitoring to all consumers, not just victims of the breach. It is also providing people the ability to freeze their Equifax reports, which, in theory, should prevent thieves from applying for credit in their name.

“This is a one-year solution for an eternal problem,” said Adam Levin, chairman of CyberScout, which provides data breach defense services. “The collateral damage can be devastating, and when you are talking about Social Security numbers the only expiration date a Social Security number has is yours.”

Original Story

ABC News: Jury Awards $18.6M For Equifax Credit Report Mix-up

For two years an Oregon woman tried without success to get mistakes in her Equifax credit report fixed. Now a jury has awarded her $18.6 million for her trouble.

Justin Baxter, one of the attorneys representing Julie Miller of Marion County, Ore., tells ABC he believes the judgment is unprecedented in its size. “I’m not aware of a larger one,” he says.

Miller’s troubles began in 2009, according to her complaint, when she was denied credit from Huybbard Bank based on her Equifax credit report. She requested and eventually received a copy of her report, which, she discovered, contained false identifying information, an incorrect Social Security number, a false birthday and false, derogatory collection accounts attributed to her.

She began disputing these inaccuracies starting in 2010. She repeatedly contacted the company and was repeatedly told Equifax needed further information before it could process her dispute.

Later in 2010 Miller was denied credit by Key Bank, based on her Equifax report.

After filing further protests with Equifax about the inaccuracies in her report, Equifax representatives told Miller her data had become “mixed” with another person’s. They told her she would need to dispute the false information directly to her creditors.

In all, Miller tried eight times to get her report corrected. Finally, she brought suit in Oregon Federal District Court in October 2011.

Baxter says Miller’s failure to qualify for credit cost her several ways. She wasn’t able to help her brother, who is disabled and who wasn’t able to get credit on his own. She was unable to help her husband, who needed a shop added onto the Miller’s home.

Asked what parts of Miller’s ordeal carried the most weight with the jury, Baxter tells ABC News: “She did what you’re supposed to do. She didn’t go running straight to the courthouse.” Instead, he says, she tried and tried again to get Equifax to fix its mistakes.

Baxter thinks privacy issues also had a bearing on the jury’s decision: The mixing of Miller’s credit data with another person’s meant that at the same time Miller was being sent the other person’s un-redacted personal information, her own unredacted personal information, including her social security number, were being sent to others.

Equifax did not respond to a request from ABC News for comment.

Baxter says he discovered that Equifax wasn’t even handling Miller’s complaint in-house. “We found that when complaints would come in, they’d run them through a scanner and then send them overseas.” Miller’s complaint, he says, was sent for processing to a subcontractor in the Philippines.

Original Story

NY Times: An $18 Million Lesson in Handling Credit Report Errors


Even after sending more than 13 letters to Equifax over the course of two years, Julie Miller could not get the big credit bureau to remove a host of errors that it inserted into her credit report.

That indifference should surprise no one who has ever tried to deal with any of the three big credit reporting agencies, Equifax, TransUnion and Experian. “You feel trapped, like you are in a box,” said Ms. Miller, a 57-year-old nurse who works in a dermatologist’s office. “You have no control over this, and you can’t call them up and say, ‘You’re fired.’ ”

So she tried suing. That worked.

A jury in Federal District Court in Portland, Ore., last week awarded her a whopping $18.4 million in punitive damages, which, according to consumer lawyers, is the largest individual case on record.

If you think this has taught Equifax and the other credit reporting companies a lesson, you are a lot more optimistic than close observers of the industry. They say that despite the huge judgment, little is going to change for the millions of Americans who discover errors in their credit reports.

The credit bureaus are willing to tolerate these errors — and settle with consumers out of court — as a cost of doing business, according to credit experts and lawyers who work on these cases.

“Their business model is to keep doing the same thing over and over again,” said Justin Baxter, the lead lawyer on Ms. Miller’s case. “They can buy off a number of consumers with small dollar amounts and get rid of the vast majority of cases. To Equifax, that’s the cost of doing business.”

Ms. Miller made every effort to fix her report, exactly as consumers are advised to do. She initiated the company’s dispute process about seven times, and in most instances, Equifax would spit back a form letter saying it needed more proof of her identity. So she sent her pay stub and her phone bill. When that didn’t work, she sent her pay stub and her driver’s license. And when that failed, she sent her W-2 form and an insurance bill — at least three times.

But nothing ever changed: Ms. Miller, a model financial citizen who once had the credit score to prove it, had become mixed up with another, much less creditworthy Julie Miller. After she was denied a line of credit from KeyBank, she discovered 38 collection accounts on her credit report, none of which belonged to her, along with an inaccurate Social Security number and birth date. Her financial life was no longer her own.

Mixed files, as they are known in the credit industry, most frequently involve people who share common names with individuals who have similar Social Security numbers, birth dates or addresses. These errors are notorious for being among the most difficult to fix, credit experts said, and require human intervention to untangle the mess. But given the huge number of disputes, the process to address them is largely automated. And that is the excuse the industry advances to consumers who get stuck in its web.

The bureaus often outsource thousands of disputes daily to workers overseas. Those workers, often overwhelmed by the sheer volume of cases, are largely told to translate the problem into a two- or three-digit code that defines the gist of the problem (account not his/hers, for instance) and feed it into a computer.

But that process won’t untangle a mixed credit report. The reason files become mixed to begin with can be traced back to the computer formula the bureaus use to match credit data to a specific person’s credit report. It allows credit data, say a late payment on a credit card, to be inserted into a person’s file even if the identifying information isn’t an exact match. In other words, the system might add a late payment to the credit report of someone like Julie Miller even if the Social Security number is off by two digits or a birth date is off by two years, but enough of the other identifying information matches. That’s roughly what happened to Ms. Miller.

Partial matches aren’t always wrong, of course. Solid estimates on the number of mixed files are hard to find, though a 2004 study from the Federal Trade Commission said that partial matches occurred in about 1 to 2 percent of credit files, citing data from the bureaus. That might not sound like much, but when you consider that there are 200 million individuals with credit files at each of the big three bureaus, that translates to two million to four million consumers.

Other estimates put the number of actual mixed files at less than 0.2 percent to nearly 5 percent. The F.T.C.’s report said that mixed files were not always harmful to consumers because most credit account information was positive.

To that I say: Consumers with mixed files are supposed to take comfort in the fact that their credit report doppelgängers, on the whole, are likely to pay their bills?

There is a reason the bureaus operate this way. They would rather err on the side of including too much information in your credit report than leave information out, according to consumer lawyers and advocates. They also need to account for typos and small errors that can cause the credit agencies to leave out information — both good and bad credit behavior. Financial services firms are paying the bureaus to receive the most complete financial profile possible, even that means sacrificing a bit of accuracy. (The F.T.C.’s report said that lenders might actually prefer to see all potentially derogatory information about a potential borrower, even if it can’t all be matched with certainty.)

“The bureaus would rather accept the possibility of some mixed-file risk rather than the possibility that a debtor who owes a debt gets away with it,” saidLeonard Bennett, a consumer lawyer in Newport News, Va., who said he has about 20 active mixed-file cases in any given month.

The dispute process is supposed to catch the people who fall through the cracks. But as people like Ms. Miller can attest, it doesn’t always work. The Fair Credit Reporting Act, the law that governs the big bureaus, requires the agencies to provide a reasonable investigation. Ms. Miller’s lawyer said their litigation revealed that there was no investigation at all. (It’s worth noting that Ms. Miller had problematic credit reports at the other two bureaus, but those agencies resolved the matter.)

“They testified that they get something like 10,000 disputes a day, so they don’t have the time to look at each one,” Mr. Baxter said. “Whether it is because the person has too many disputes to process or they choose not to, that is where the system falls apart.”

What else could she have possibly done? I asked the credit bureaus. Equifax declined to comment, and would only say that it was “very disappointed in the jury verdict” and was exploring its options, including an appeal. The other two agencies didn’t offer much guidance either, though TransUnion pointed out that the credit reporting industry resolved 70 percent of consumer disputes within 14 days.

Ms. Miller, however, had to endure repeated phone calls from debt collectors, who threatened to sue. She couldn’t co-sign a credit line for her son who was in his freshman year of college, and she said she put off refinancing her mortgage. It also meant that she couldn’t co-sign a car loan for her disabled brother. And plans to build a workshop on their property, which required a loan, would have to wait.

The jury’s giant award to Ms. Miller is generous and goes a long way toward compensating her for those lost opportunities. But lawyers say the initial awards are often reduced after being reviewed by the trial judge. An out-of-court settlement for the typical mixed-file case might be $50,000 to $250,000, depending on the case, while settlements for other errors may be far less.

Will Ms. Miller’s award have any lasting effect on the industry? Mr. Bennett, the consumer lawyer, is one of the optimists. “This case will change the calculus,” he said. “If they have to pay $2.5 million every time one of these folks gets to court, they might have to reconsider their procedures.”

It’s more likely, though, that the Consumer Financial Protection Bureau, which began overseeing the large credit bureaus last September, will have more impact. It has broad authority to perform on-site examinations, check records and examine how disputes are handled. Consumer advocates have long suggested that the credit agencies tighten up the way they match up data with consumers reports and strengthen the dispute process.

“Big punitive penalties may help force the bureaus to upgrade their 20th-century algorithms and incompetent dispute reinvestigation processes,” said Ed Mierzwinski, consumer program director at the United States Public Interest Research Group. “But C.F.P.B.’s authority to supervise the big credit bureaus is one of the most significant powers Congress gave it.”

Nearly every expert I spoke with conceded that Ms. Miller had few options. “She had two choices, and they both stunk,” said John Ulzheimer, a credit expertwho has served as an expert witness on more than 140 credit-related lawsuits. “She could live with it, or she could hire an attorney.”

Kitty Bennett contributed reporting.

Original Story

CBS News: Lessons from $18 million credit-reporting suit

(MoneyWatch) Oregon resident Julie Miller tried very hard, for two solid years, to get Atlanta-based Equifax Corp. to correct errors in her credit report she discovered when she was was turned down for a loan in 2009. When the company failed to correct the errors, she sued and won a multimillion judgment.

The verdict puts credit reporting agencies on notice that a failure to follow the dictates of the Fair Credit Reporting Act could have costly consequences, says Justin Baxter, Miller’s attorney. “Juries across the country have been returning multimillion-dollar verdicts like this,” Baxter said.

It also is good news for consumers who understand their rights. Despite updates to the act, which require credit-reporting agencies to pay closer attention to accuracy, federal regulators say that more than one in five credit reports still contain errors. Many of these can affect a consumer’s ability to get reasonably priced loans. However, the law not only gives consumers ways to fix their reports, but gives them the tools to fight back when their entreaties are ignored, as the Miller case makes clear.

Lenders are obliged to tell you whether a denial of credit is due to information on your credit report, as it was in Miller’s case. The trouble was, the negative information belonged to another Julie Miller — with a different birthdate, different Social Security number and different address.

Information about Julie Miller No. 2 was merged into the file of Julie Miller No. 1 file because they share a common name. An estimated 2 million to 4 million individuals have the same problem, says Baxter. Although it shouldn’t be difficult to differentiate one consumer from another with the aid of personal details like an address or Social Security number, a common name or a namesake — such as a child or parent who has the same name with a junior or senior attached — may cause the merging of files. Identity theft or transcription errors may cause such mergers.

The Fair Credit Reporting Act sets up a simple procedure to detect and correct errors when they arise. First, the law requires that each of the three major credit-reporting bureaus provide every consumer a free copy of his or her credit report every 12 months. All you have to do is ask. Consumers are also allowed a free copy of a credit report when they’ve been denied credit based on report information or suspect they are a victim of identity theft. To get a free copy, go towww.annualcreditreport.com or call 1-877-322-8228.

Any inaccurate items — such as loans mistakenly linked to you that are outstanding or incorrect addresses and identifying information — should be corrected in writing with a formal letter or informally by simply noting the inaccuracies on a copy of the report. Simply put, you can circle the inaccurate items and explain what’s wrong in the margins. If additional documentation is needed to prove your claim, it’s wise to attach a copy of those documents, but you should always hang on to the originals.

Corrections and documentation should be mailed back to the credit bureau by certified mail (with a return receipt) so you have proof the agency received the correction request. The Federal Trade Commission even has sample letters on its website for consumers who need further instruction.

The credit-reporting agency is required to investigate the claim and respond promptly — generally within 30 days. You can also request a corrected version of your report at the end of the investigation. The corrected report is also free.

Miller did everything right, attorney Baxter says. She identified the errors and provided numerous documents to prove her identity and demonstrate she was in no way connected to the other Julie Miller, who had run up bad debts. But Equifax failed to investigate or correct the report, Baxter says. (Equifax officials failed to return this reporter’s phone calls and have publicly declined to comment about the case.) So when repeated requests for action by Equifax were ignored, Miller sued.

On Monday she won an award of $180,000 in compensatory damages and $18.4 million in punitive damages. “This was an egregious case, and the jury wanted to send a message,” Baxter said.

Original Story

NPR Marketplace: Want Equifax to fix your credit score? Take them to court

by Stacey Vanek Smith

Tuesday, July 30, 2013 – 12:02

Your credit score determines a lot: Whether you get a loan or a credit card, and what interest rate you have to pay for that loan or credit card. Landlords look at it, insurers look at it and even employers look at it. So, what do you do when your credit report has an error on it?

That’s what Oregon resident Julie Miller was faced with back in 2009, when she discovered someone else’s unpaid debts on her Equifax credit report.

“She found out when she went into her local bank and tried to get a credit line with her son and was denied,” says Justin Baxter, Miller’s attorney. “Julie has perfect credit. The other person, unfortunately, did not.”

For the next two years, Miller tried to correct the mistake.

“She kept writing and they would just send her these form letters that said, ‘Send us more proof of your identity,’” Miller says. “She would send them her driver’s license, her W2 statement and she would just get that form letter back, saying, ‘Prove who you are.'”

Miller took Equifax to court, where a jury awarded her $18.6 million in damages. The size of the penalty is extraordinary, but having a mistake on your credit report isn’t, says Dave Jones, president of the Association of Independent Consumer Credit Counseling Agencies.

“Oh yeah, it’s extremely common,” he says. “They get account numbers mixed up, they get names mixed up.”

Jones says nearly 25 percent of credit reports have errors. A Federal Trade Commission study this year found that five percent of the credit report errors could force consumers to pay more for loans and insurance.

And, correcting the mistakes can be difficult, says Liz Weston, author of “Your Credit Score.”

“The big knock on the system is that it is so automated and it’s really hard to find a human being to help you,” Weston says. “So if it isn’t a cut and dried issue, it can be really hard to get it straightened out.”

The multi-million dollar fine Equifax has to pay might just help make it easier for consumers to correct mistakes, predicts Jones.

“I suspect all three of those bureaus are going to be seriously motivated now,” he laughs.

Julie Miller’s attorney, Justin Baxter, says he has already gotten hundreds of emails from people wanting to file similar cases.

Equifax did not respond to requests for comment.

Original Story

Oregonian: Equifax must pay $18.6 million after failing to fix Oregon woman’s credit report

Laura Gunderson | lgunderson@oregonian.com By Laura Gunderson | lgunderson@oregonian.com 

Email the author | Follow on Twitter
on July 26, 2013 at 6:29 PM, updated July 26, 2013 at 6:49 PM

A jury Friday awarded an Oregon woman $18.6 million after she spent two years unsuccessfully trying to get Equifax Information Services to fix major mistakes on her credit report.

The judgement, likely to be appealed, appears to be one of the largest awarded to a consumer in a case against one of the nation’s major credit bureaus.

Julie Miller of Marion County, who was awarded $18.4 million in punitive and $180,000 in compensatory damages, contacted Equifax eight times between 2009 and 2011 in an effort to correct inaccuracies, including erroneous accounts and collection attempts, as well as a wrong Social Security number and birthday. Yet over and over, the lawsuit alleged, the Atlanta-based company failed to correct its mistakes.

“There was damage to her reputation, a breach of her privacy and the lost opportunity to seek credit,” said Justin Baxter, the Portland attorney who teamed on the case with his father and law partner, Michael Baxter. “She has a brother who is disabled and who can’t get credit on his own and she wasn’t able to help him.”

Tim Klein, an Equifax spokesman, said Friday that he didn’t have any details about the decision from the Oregon Federal District Court. He declined to comment about the specifics of the case.

A Federal Trade Commission study earlier this year of 1,001 consumers who reviewed 2,968 of their credit reports found 21 percent contained errors. The survey, which is required as part of a 2003 law, found that 5 percent of the errors represented issues that would lead consumers to be denied credit.

A 2012 investigation by the Columbus (Ohio) Dispatch newspaper reviewed nearly 30, 000 consumer complaints filed with the Federal Trade Commission and attorneys general in 24 states about unresolved errors made by the largest consumer credit agencies — Equifax, Experian and TransUnion. The newspaper found that with complaints about errors, consumers reported it had taken many months to fix even the most basic mistakes.

Miller first discovered a problem when she was denied credit by a bank in early December 2009. She alerted Equifax and filled out multiple forms faxed by the credit agency seeking updated information.

In addition to requesting the changes, Miller had asked several times for copies of her credit report, the lawsuit alleged. Credit bureaus are required by law to provide reports to consumers for free annually and after that, for a small fee. On numerous occasions, Equifax failed to respond to Miller’s requests.

Miller had found similar problems in her reports with other credit bureaus. However, Baxter said, those companies had corrected their mistakes.

The issue wasn’t a result of identify theft, Baxter said. Instead, the information from another “Julie Miller” had simply been placed in the plaintiff’s record by mistake. In at least one case, the lawsuit alleged, the plaintiff’s private financial information was sent to companies inquiring about the other Julie Miller.

Since 2008, Oregon consumers have filed hundreds of complaints about credit bureaus with the state’s Attorney General. Those complaints include 108 against Equifax, 113 against Experian and 70 against TransUnion.

— Laura Gunderson; twitter.com/lgunderson

Original Story