One Year After Equifax: New Credit Freezes

Things were supposed to change after credit reporting agency Equifax disclosed its massive data breach last year, but a year later, the changes have been fairly modest.

There was talk of replacing Social Security numbers, giving the Federal Trade Commission authority to inspect and supervise cybersecurity at credit reporting agencies, imposing mandatory fines for data breaches, and new digital privacy laws giving consumers control over their data.

One change takes effect this week: free credit freezes.

Freezing credit prevents criminals from opening accounts and is an important way to protect consumers from identity theft. Impersonators need to know the PIN to unfreeze the credit report before they can open any lines of credit. Consumers used to have to pay $2 to $10 per credit bureau to freeze their credit history—or $30 for putting a freeze with the three agencies—and then another fee to lift the freeze when trying to take out a loan or open a credit card.

The new law passed by Congress—the Economic Growth, Regulatory Relief and Consumer Protection Act—makes freezing and unfreezing credit completely free. Consumers still need to freeze their credit separately at each of the three main credit bureaus, Equifax, Experian, and TransUnion, though. Considering the amount of personal information that has been stolen over the past few years and is available for sale in criminal markets, making it easier to block criminals from accessing the individual credit file is a good idea.

The law also extends fraud alerts, which require businesses to verify identity before opening a new account, from 90 days to a year. Credit agencies will also be required to offer free credit monitoring to all active duty military personnel. Parents will also be able to get a free credit freeze for children under age 16. A number of data breaches over the past few years have included children’s Social Security numbers and personal information (for example, the breach at healthcare giant Anthem), so kids also need this level of protection until they are old enough to open their own accounts.

There has been some progress among states, though. Equifax has agreed to follow several data security rules under a consent order with eight states—Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas. The rules include conducting security audits at least once a year, developing written data protection policies and guides, closely monitoring outside technology vendors, and improving software patch management controls.

New York now requires credit reporting agencies operating in New York to comply with the state’s cybersecurity standard, which includes implementing a written cybersecurity program, conducting regular risk assessments, and reporting a “cybersecurity event” to the state’s Department of Financial Services within 72 hours. California enacted a sweeping set of privacy rules that give consumers more control over how companies use the data they collect. The law requires companies to tell consumers what data they collect and what they plan to do with it before any collection occurs, and to respect consumers’ wishes to not sell that data.

While welcome, the credit freeze and changes in the states' regulatory landscape are a very small step forward considering the general consensus that Equifax was a wake-up call for better data security and breach notification. There have been no consequences or changes in how things are done. Despite a flurry of data security and privacy bills being introduced after the Congressional hearings, all other legislation has completely stalled. No federal breach notification law, no data security regulations.

Equifax’s stock price is up, a year later.