Custom Search

Monday, July 9, 2018

You Need to Protect Your Kids AND Your Parents from Identity Theft

While perusing various articles about identity theft and other consumer issues this weekend, it became clear that age, whether young or old, does not protect consumers from being the victims of identity theft.  One article I read was about how more than 1 million children had their identity stolen in 2017.  ONE MILLION CHILDREN in just one year.  Let that sink in for a minute.

Then another article I read was about how the oldest World War II veteran had his identity stolen recently.  Richard Overton is a 112 year old veteran living in Austin, Texas.  He requires around the clock medical care and, obviously, is not out making a lot of charges.  But scammers stole his identity and his banking information, allowing them to make multiple withdrawals from his banking account.

Thus, consumers do not just need to protect their own identities and financial information.  They also need to help protect the identities of their children and elderly parents/grandparents.  How do you do this?  Well, you can’t go checking your family members’ credit reports looking for fraud, since to access someone else’s credit report without their permission violates the Fair Credit Reporting Act, among other laws.  But you can help your elderly parents and your minor children request and check their own credit reports.  Help your elderly family members balance their bank statements and thereby watch for fraud.  
Teach both your children and your parents NOT to give out their personal information to anyone that calls them and be hesitant to even give it out to people they call of not absolutely necessary for whatever they are trying to do.  Scammers are notorious for pretending to be Medicare employees and tricking older Americans into giving out their Social Security Number and banking information.  Minors often do not realize the potential consequences of sharing too much information, particularly online.  So teach your children and parents not to give out their information!

Make sure your parents understand and know how to spot the basic internet scams, like phishing e-mails.  Teach them that just because an e-mail looks like it comes from a trusted source, be careful if it asks them to log in or give out financial information.  Let them know that anything from Nigeria is a scam and that no complete stranger died and left them millions.

Identity theft affects all ages.  So we must do our best to educate and protect the most vulnerable amongst us.  The identity thieves won’t let their vulnerability stop them from becoming their next victims.  So protect your kids and your parents from identity theft. 

Sunday, July 8, 2018

Potential data breach by employee at Arkansas Children’s Hospital

A former employee of the Arkansas Children’s Hospital in Little Rock, Arkansas is under investigation for the potential misuse of patients’ private information.  The former employee accessed an unidentified number of patients’ personal identifiers while employed with the hospital.  The employee was employed from November 7, 2016 to February 6, 2018, at which time the employee was terminated.  Now, everyone whose accounts were accessed by the former employee are now at greater risk of identity theft.

According to the hospital, all patient accounts and by the terminated employee have been audited.  The hospital is in the process of alerting patients affected by the data breach and is also offering free credit monitoring to all affected patients.

Patients of Arkansas Children’s Hospital should monitor their credit reports for any suspicious activity, including the opening of new accounts that they did not authorize.  They should also watch their credit card statements and bank accounts for fraudulent charges.  Finally, since their health insurance information was possibly compromised, potentially affected patients should check their Explanation of Benefits for any fraudulent charges to their insurance for treatment not received by the patients.

Affected patients can also call the Arkansas Children’s Hospital at 855-880-9242.

Hospitals are a prime source of potential data breaches due to the treasure trove of cosnumers’ personal identifiers and financial information they are required to obtain to provide treatment.  Couple the amount of valuable personal information with high employee turnover and often lackluster data protection controls and you have a potential bonanza for those wanting to steal personal information for later identity theft.

Sunday, April 15, 2018

West Virginia sues Equifax over 2017 massive data breach

This past Thursday, West Virginia became the second state to sue Equifax due to last year’s massive data breach at the consumer reporting giant.

Patrick Morrisey, the West Virginia Attorney General, filed the lawsuit against Equifax, alleging that Equifax failed to safeguard consumer information of hundreds of thousands of state residents and for delaying alerting the public to a breach that exposed the personal data of about 148 million people.

Equifax is one of the three major credit bureaus in the United States and a frequent defendant in lawsuits filed by the Kittell Law Firm.  Last year, Equifax’s blunders allowed the largest data breach in the history of the world to occur, affecting roughly half the population of the United States, including approximately 730,000 West Virginians.

“Equifax’s failure to secure consumers’ personal information constitutes a shocking betrayal of public trust and an egregious violation of West Virginia consumer protection and data privacy laws,” Morrisey said in a statement.

Equifax is accused of failing to take action to secure its online dispute portal despite prior warnings of vulnerability within its framework and of failing to recognize that hackers had penetrated its system from May 2017 to July 2017.

West Virginia joins Massachusetts as the second state to sue Equifax over the 2017 data breach.  Maura Healey, the Massachusetts Attorney General, filed suit previously and recently beat back Equifax’s attempt to have the Massachusetts lawsuit dismissed.


Tuesday, September 26, 2017

Equifax CEO out! Barney Fyfe and Elmer Fudd appointed interim CEOs

Ok, so the second half of that title is a joke.  But I for one would not be surprised considering how Equifax has handled the rest of the fall out from their huger than huge data breach that exposed the lives of 143 million Americans to the financial and emotional ruin of identity theft.

Equifax CEO Richard Smith was not fired, however.  He decided to retire, much like the politician in the middle of a huge scandal that suddenly wants to spend more time with his or her family.

Paulino do Rego Barros, Jr., the president of Equifax's Asia Pacific region, has been named interim CEO until a new Sith Lord can be found to replace Smith.

Thursday, September 21, 2017

Lord Have Mercy! Equifax has been sending consumers to fake site for 2 weeks

As my momma used to say "when it rains, it pours".  If that's the case, Equifax is in the middle of a Hurricane Harvey-esque Cat 5 hurricane of pouring rain.

After "forgetting" to install a security patch to its website which led to the largest data breach in the history of ever, then "forgetting" to tell their 143 million victims that they are and will forever be at risk for identity theft for nearly two months, then "forgetting" to tell anyone about an earlier data breach that Equifax has now confirmed did indeed happen, but "remembering" to let their top execs know about both breaches so they could several million dollars worth of Equifax stock before Equifax stock priced dropped by over a third of its price and "remembering" to donate to their favorite Congressman Barry Loudermilk so he would propose a completely idiotic bill that would provide immense protection to Equifax and the other credit bureaus at the expense of his constituents and the rest of America, NOW it has come to light that, for approximately two weeks, Equifax has been sending victims to a fake website.

Yes, a fake website.  A spoof.  One that puts those victims at even greater risk of identity theft.

Instead of using its own website to help victims of its data breach, Equifax created a whole new site equifaxsecurity2017.com.  Guess that added the year so they can keep their breaches straight.  The problem with using a new website instead of their existing one is that phishers and scammers can much more easily create fake websites using variations of the legitimate website's address.  This would include reversing the order of the words or making sites with common typos of the real site name.  In this instance, a mere day after the launch of the legitimate site, scammers had created 194 phishing websites that used addresses similar to the legitimate site.

What's worse than Equifax's boneheaded move in creating a new site instead of using its own Equifax.com site?  Equifax directed victims of its data breach to the WRONG site.  On three separate occasions, Equifax tweeted the incorrect URL securityequifax2017.com for its victims to use. Two of the tweets occurred on September 9 and the last on September 18 (i.e. three days ago!).

The Fair Credit Reporting Act requires consumer reporting agencies such as Equifax to follow reasonable procedures to assure maximum possible accuracy of the credit reports they generate regarding consumers.  I have been suing Equifax for 18 years for violating that section by failing to have, much less follow, reasonable procedures to assure maximum possible accuracy.  Now the public is getting a taste of what I have been seeing for years ... ignorance on top of ineptitude.

Please remember this if and when your Congressman or Senator votes in favor of Barry Loudermilk's bill designed to harm consumers by protecting Equifax from its own gross negligence and boneheadedness.

Video of Briefing for Senate Staff and Press on CFPB Arbitration Rule and Congressional Review Act Attack on the rule

Here is a link to the streaming video of yesterday's Senate briefing about the Congressional Review Act attack on the CFPB's arbitration rule.

As usual, my colleague Paul Bland did a fantastic job protecting us consumers.  Thanks for all you do, Paul!

Tuesday, September 19, 2017

It Just Keeps Getting Deeper - Equifax Suffered Second Undisclosed Data Breach

Bloomberg.com is reporting that the gigantically huge data breach that Equifax disclosed less than two weeks ago is not the only hack the consumer reporting agency suffered this year.  There was allegedly a hack in March, two or more months before the big data breach that has put 143 million Americans at risk of having their identities stolen and their lives ruined.

According to Bloomberg, Equifax notified a small number of outsiders and banking customers in early March that it had suffered a breach.  At that time, Equifax brought in a security firm to determine the scope of the breach.  What Equifax did not do was tell the general public about the first data breach, either then or in July when it learned of the second, larger breach.

The second, big breach occurred (according to Equifax) when hackers gained access to Equifax's computer system through a known flaw in the company's web software that somehow was not patched until after the breach was discovered in late July.  Was the flaw in the system discovered by the security firm in March and Equifax negligently failed to implement the patch to fix the vulnerability?

While the Bloomberg article focuses on the first hack's implications for the three executives that dumped Equifax stock after the second breach was known by Equifax but before the public was informed and the subsequent stock price drop, one thing the article does not mention is how the timing of the first hack completely undermines Representative Loudermilk's claim that his Equifax protection bill was drafted before the Equifax data breach, not in response to it.  I posted about Loudermilk's position yesterday.

Loudermilk introduced his bill designed to protect Equifax and the other credit bureaus and hurt consumers (such as his constituents) in May, a few weeks before the second breach allegedly occurred.  However, now that we know that Equifax knew of the first breach in March, why would we think that Loudermilk was not attempting to shield Equifax, a donor to his campaign, from liability from the first breach by pushing a bill that does nothing but protect the credit bureau from having to pay for its malfeasance?  The timeline is looking very bad for both Equifax and Loudermilk.  If I were a citizen of the 11th Congressional District of Georgia, I would have some very serious doubts about where my congressman's loyalties lie.

Monday, September 18, 2017

Representative Loudermilk is STILL trying to protect Equifax instead of consumers

U.S. Representative Barry Loudermilk is still trying to give immunity to Equifax for its utter failure to protect the private information of over 143 million Americans and its subsequent bungling of the data breach it allowed to happen.

Prior to the breach (allegedly, since we really don't know when the breach actually happened since we only have Equifax's word that the breach occurred in late May through early June), Representative Loudermilk, who is a U.S. Representative from Georgia, the home state of Equifax, proposed legislation that, if passed, would gut the protections afforded consumers by the Fair Credit Reporting Act.  The proposed legislation, H.R. 2359, would change the Fair Credit Reporting Act in two ways, both of which are very damaging to consumers and, not by coincidence, very favorable to Equifax and the other credit bureaus.

First, it would eliminate punitive damages.  Yes, the one thing that big corporations like Equifax are scared of is a punitive damage award.  Their profits are soooo great that an award of just compensatory damages will never be enough for them to really notice in the long term.  Punitive damages, however, are used to punish a corporation for its wrongdoing.  Equifax, as seen by its shenanigans of first hiding the data breach and then trying to pull a fast one to get its victims to give up their right to sue, is up to its eyeballs in wrongdoing.  Equifax's conduct is the type of conduct that deserves a punitive damages award against it, since their conduct is willful, intentional and not just a mere accident or negligent mishap.  So H.R. 2359 would benefit Equifax in that way.

Further, and more importantly in the context of consumers getting justice for Equifax's negligently allowing the data breach to happen, H.R. 2359 caps what consumers can get via a class action at $500,000.  Not per consumer, per class action.  And, since all of the approximately 100 class actions filed against Equifax for the data breach will ultimately be merged into one big class, that means 143 million plus victims of the data breach (less those who wisely opt out and file individual lawsuits) will have to split a measly $500,000 if Representative Loudermilk's bill becomes law.  If my math is correct, that is roughly 3 cents per victim.  Yes, three cents.  Three shiny pennies.  How is that justice?!

And, instead of backing away from his bill like its a grenade about to explode, Representative Loudermilk released the following statement:

"The data breach at Equifax has placed an unimaginable number of Americans’ personal information at serious risk. Not only must Equifax be held accountable for the breach of their systems, they must also be held accountable for their failure to notify the public of the breach in a timely manner. Businesses such as Equifax that obtain and store massive amounts of information on individuals must be held to the highest data protection standards. I will be working with the Financial Services Committee on investigating this data breach and the inadequate response of Equifax executives. Furthermore, we have already begun working on legislation mandating businesses to notify consumers affected by data breaches in a timely manner.

"Unfortunately, the outrage that followed the announcement by Equifax caused a gross mischaracterization of a bill that I have been working on since early this year. It was falsely reported that this bill (H.R. 2359) was introduced to give immunity to Equifax from any liability over this data breach. This couldn't be further from the truth. The FCRA Liability Harmonization Act (H.R. 2359) was introduced back in May, and is aimed at curbing frivolous class action lawsuits against businesses under the Fair Credit Reporting Act (FCRA). The businesses affected by FCRA lawsuits include community banks, credit unions, auto dealerships, retailers, and many other small businesses that extend credit to consumers.

"Reports that this bill would grant any immunity to Equifax for liability in this data breach are completely false. The bill does not give any immunity from prosecution or civil lawsuits for wrongdoing to any business. Furthermore, data breaches are governed by state laws, not the FCRA, so this bill would not apply to Equifax in this case at all with respect to the 143 million people whose personally identifiable information was compromised.

"Finally, given the unfounded attacks on me and the rampant misinformation circulating about this legislation, the Financial Services Committee has not scheduled further action on any bill at this time."

So Representative Loudermilk is claiming that his bill would not grant immunity to Equifax?  While technically true, being capped at paying three cents a victim is about as close to immunity as one can get.  For Representative Loudermilk to make this grossly misleading statement is deplorable.  He obviously cares more about Equifax, his campaign donor, than he does about consumers, including his constituents.  I hope the people of the 11th Congressional District of Georgia are paying attention to whose side Mr. Loudermilk is one, because it sure isn't theirs.

Sunday, September 17, 2017

Don't Answer Calls from Equifax

As if the damage done by Equifax's negligence in allowing the massive data breach and its subsequent shenanigans in delaying publication of the data breach and its efforts to further screw consumers by stealing their right is not enough, now scammers (other than Equifax) are trying to profit off the data breach at the expense of consumers.

I have been told that scammers are placing calls to consumers posing as employees of Equifax attempting to "help" after the data breach.  These "employees" then ask for the consumers' personal identifiers (Social Security number, date of birth, full name, etc.) in an alleged effort to verify the identity of the consumer.  However, they really use want your information to use against you, so DO NOT GIVE IT TO THEM!

First of all, Equifax will never call you about anything. This scam has been around for years but usually the scammers claim to work for the IRS.  Just like the IRS, Equifax will only deal with you in writing, so a call from someone claiming to be from Equifax is a big red flag that a scam is happening.

Secondly, after Equifax's blatant interest in only helping and protecting itself in the wake of the data breach its negligence allowed to happen, why would anyone think Equifax would go out of its way to call a consumer to help.  Equifax never helps. It only hurts consumers and does its best to profit from selling all of our information.  Just like Experian and Trans Union, Equifax only cares about profits and avoiding liability for its wrongdoing and malfeasance.

So if Equifax or the IRS is calling, hang up.  It's a scam.

Friday, September 8, 2017

Too Little, Too Late - Equifax Adds Opt Out to Arbitration Provision regarding Data Breach

After a flurry of bad press and social media outrage (including from yours truly), Equifax has now added an opt out provision to the arbitration provision it snuck into the fine print for anyone accepting Equifax's "offer" of "free" credit monitoring and identity theft protection.

Couple of problems.  No one reads the fine print so they don't know about the arbitration clause, much less the opt out provision.  Why can't they just make it an opt in, if arbitration is such a great thing?  Of course, its not and they won't.

Second, the opt out provision is only available for a measly thirty days from when the data breach victim signs up for the "free" credit monitoring.  Equifax kept the data breach secret for longer than that!  Thirty days is way too short.

And, a common ploy on these opt out provisions for arbitration clauses is that, amazingly, the company whose arbitration clause it is almost always denies that the consumer ever opted out and then still try to force the consumer into proving that he or she opted out, instead of the burden being on the company to prove that the consumer agreed to arbitration. Equifax will likely try the same ploy since, as you can see, the play fast and loose with the rules.  Just do a pacer search for lawsuits where they have allegedly violated the Fair Credit Reporting Act.

The data breach is a very bad thing.  But Equifax's reaction to the data breach (i.e. keeping it secret for almost two months and then trying to screw the data breach victims out of their rights) is the worst of all.  Equifax and its executives should pay and pay dearly for this.


Equifax based in Georgia; Georgian Congressman seeks to gut FCRA. Coincidence? I think not!

Equifax is based in Atlanta, Georgia.  Three guesses which state's congressman proposed HR 2359, i.e. the Kill the FCRA bill.  Yep, that's right, Congressman Loudermilk of Georgia.  I wonder who put him up to it?

Representative Loudermilk is now being called on to withdraw his Equifax protecting bill by the National Association of Consumer Advocates (of which I am a proud member) and The Georgia Watch.  Their press release reads:

"NACA, Georgia Watch Call on Rep. Loudermilk of Georgia to Withdraw His Bill That Favors Equifax, Credit Bureaus Over Harmed Consumers

In light of the astonishing announcement of credit reporting agency Equifax’s security breach which impacts the personal information of more than 140 million consumers, National Association of Consumer Advocates and Georgia Watch call on Rep. Barry Loudermilk (R-Ga.) to withdraw his legislation, H.R. 2359, that would drastically reduce remedies for consumers who are victims of credit reporting abuses.

On the same day that Equifax announced the massive data breach, a subcommittee of the U.S. House Financial Services Committee held a hearing to consider legislation, including Loudermilk’s bill that would amend the federal Fair Credit Reporting Act to essentially shield credit reporting agencies from full accountability for willful and reckless conduct that upends individuals’ employment and financial lives.

Specifically, the “FCRA Liability Harmonization Act” would eliminate punitive damages, a tool used to punish the worst actors, and would impose an arbitrary $500,000 limit on statutory and actual damages in class actions. These illogical blocks on consumer remedies would obstruct individuals’ legal rights.

“Instead of running to Congress to seek a “get out of jail free” card to avoid accountability for its reckless handling of consumers’ personal and financial information, Equifax and its counterparts in the credit reporting industry should focus on protecting information from identity thieves,” said Christine Hines, legislative director at National Association of Consumer Advocates (NACA).

At Thursday’s hearing, witnesses for the credit reporting industry claimed that their violations of federal protections were merely technical and do not harm anyone despite evidence that consumers have been blocked from accessing credit, housing, and jobs due to industry’s irresponsible handling of consumer information. Industry representatives also used the hearing to bash a rule issued by the Consumer Financial Protection Bureau that would restore consumers’ ability to band together in class actions when harmed by unlawful financial industry practices.

Currently Equifax is rightly being criticized for its handling of the massive data breach. One of many of its missteps – it has inserted forced arbitration clauses in the terms and conditions of various credit monitoring services that it is encouraging affected consumers to enroll in.

“Equifax’s use of forced arbitration clauses and class action bans means that consumers cannot band together in court to seek remedies against it,” said Liz Coyle, executive director of Georgia Watch.  “This is unacceptable and will have disastrous effects on the marketplace.”

NACA and Georgia Watch insist that Rep. Loudermilk withdraw his bill and support consumers’ right to hold bad actors like Equifax fully accountable through the justice system."

Congressional Committee to hold Hearing Regarding Equifax Data Breach

Yesterday, the House Financial Services Committee held a hearing on a bill that would gut the protections of the Fair Credit Reporting Act, which is the only law protecting Americans from the ridiculously inept consumer reporting agencies such as Equifax.

Today, the public learned of a massive data breach of Equifax's treasure trove of secret information regarding consumers, including the full names, Social Security numbers, dates of birth and addresses of approximately 143 Americans.

Now, the House Financial Services Committee released the following press release:

"WASHINGTON – House Financial Services Committee Chairman Jeb Hensarling (R-TX) said his committee will hold a hearing on the Equifax data breach that has potentially compromised the personal information of roughly 143 million Americans.

“This is obviously a very serious and very troubling situation and our committee has already begun preparations for a hearing.  Large-scale security breaches are becoming all too common.  Every breach leaves consumers exposed and vulnerable to identity theft, fraud and a host of other crimes, and they deserve answers,” said Chairman Hensarling.

A date for the hearing will be announced at a later time."

Chairman Hensarling, if you want to protect Americans from data breaches and the damage caused by identity theft, your first step should be to kill HR 2359.  Only the Fair Credit Reporting Act stands in the way of Equifax and the other credit bureaus harming Americans by willfully and knowingly reporting erroneous information on Americans' credit reports.  That is the "answer" you seek.  Have you hearing, but start with killing HR 2359 and let the Fair Credit Reporting Act continue to protect Americans.

Equifax's data breach just keeps getting worse!

As if it is not bad enough that Equifax exposed 143 million Americans to the hellacious ordeal of identity theft, now its becoming crystal clear just how inept their response to the data breach was.

For instance, the website ARS Technica (www.arstechnica.com) reported the following:

"What's more, the website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details. It's no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.

Another indications of sloppiness: a username for administering the site has been left in a page that was hosted here. ... That by itself wouldn't allow for unauthorized access, but it's still something that should never have happened.

Meanwhile, in the hours immediately following the breach disclosure, the main Equifax website was displaying debug codes, which for security reasons, is something that should never happen on any production server, especially one that is a server or two away from so much sensitive data. A mistake this serious does little to instill confidence company engineers have hardened the site against future devastating attacks."

So Equifax's attempt to "fix" the damage done by its data breach doesn't just take away the rights of consumers to get justice for the damage caused by Equifax's negligence, it now opens those victims up to more potential privacy problems by using a website with obvious security holes to collect the names and Social Security numbers of the victims.  Sheeeeesh!

Equifax's unwillingness to investigate consumer disputes properly is starting to look like the lesser of their sins.

NCLC's statement regarding the Equifax data breach

Below is a statement from the National Consumer Law Center regarding the Equifax data breach. NCLC fights for the rights of you, the consumer, every day, even though you probably didn't know it and, for a large segment of America, vote for the very politicians that are doing their best to strip you of your rights and protect the big businesses that trample your rights every day.

Statement of National Consumer Law Center Staff Attorney Chi Chi Wu on the Equifax Data Breach that Affected 143 Million Consumers

The massive Equifax data breach is one of the largest in our country’s history, affecting half of the United States population and nearly three-quarters of consumers with credit reports. Chances are, this affects YOU. Plus, the stolen information is the mother lode of sensitive personal data that can be used for identity theft: Social Security numbers, dates of birth, and in some cases, driver’s license numbers. Also, was highly revealing credit reporting account information stolen, such as student loan or mortgage payment account numbers and payment histories? This information could be used for phishing schemes or other fraud.

Equifax should immediately pay or reimburse fees for security freezes to affected consumers at all three of the major credit bureaus, i.e. Experian and TransUnion in addition to Equifax. A security freeze is the most effective measure against “new account” identity theft, because it stops thieves from using the consumer’s stolen information. Equifax is offering one year of its credit monitoring and identity theft prevention product in response to the security breach, which it states includes “the ability to lock and unlock Equifax credit reports.” That is a first step, as the ability to lock Equifax reports is better than credit monitoring alone. Credit monitoring only informs consumers after the fact when there has been an attempt to open a fraudulent new account using the consumer’s personal information. However, consumers need the ability to “lock down” or freeze their credit reports at all three major credit bureaus, and for more than one year, because the stolen information could still be used to fraudulently apply for credit using a report from Experian or TransUnion as well.

Equifax should immediately remove the forced arbitration clause and class action ban from the Terms of Use for its website and any credit monitoring or identity theft prevention services it offers. The arbitration clause does give consumers the ability to opt out of forced arbitration by notifying Equifax in writing within 30 days, which consumers should do.  However, most consumers will not see that fine print and will be forced to give up their access to the courts. Through those terms, Equifax is purporting to prevent affected customers from access to the courts or the right to join together with the other hundreds of millions of injured consumers to jointly pursue claims against Equifax. A new rule by the Consumer Financial Protection Bureau would bar such forced arbitration clauses with class action bans, but members of Congress have threatened to block the rule.

Consumers affected by the breach should not wait to see if Equifax will pay for freezes at the other two credit bureaus; they should get freezes immediately if they are worried about identity theft. If consumers do not want to get a freeze, there is also the option of putting a 90-day “initial fraud alert” in their credit report that tells businesses they should verify your identity before they issue credit. The initial fraud alert must be renewed every 90 days.

Another risk of this massive data breach is tax identity theft, where crooks file phony tax returns in the consumers’ name. The Internal Revenue Service (IRS) had previously made available Identify Theft PINs for consumers in Florida, Georgia, and the District of Columbia, and consumers in those states should consider getting the pin (which they should do before getting a freeze). The IRS should make Identity Theft PINS available to all affected breach victims.

It’s ironic that, on the same day that Equifax announced this data breach, Congress was considering a bill that would dramatic reduce the consequences of violating the Fair Credit Reporting Act (FCRA) for the credit bureaus and other industry players. H.R. 2359, the so-called FCRA Liability Harmonization Act, was just heard yesterday by the House Financial Services Committee and would eliminate punitive damages plus limit class action damages under the FCRA. While the FCRA may or may not be directly implicated by the Equifax data breach, we need stronger, not weaker, consequences when companies violate long-standing privacy laws, such as the FCRA. Credit bureaus, such as Equifax, should not be rewarded with reductions in legal accountability given these recent events

###

Since 1969, the nonprofit National Consumer Law Center® (NCLC®) has used its expertise in consumer law and energy policy to work for consumer justice and economic security for low-income and other disadvantaged people, including older adults, in the United States. NCLC’s expertise includes policy analysis and advocacy; consumer law and energy publications; litigation; expert witness services, and training and advice for advocates. NCLC works with nonprofit and legal services organizations, private attorneys, policymakers, and federal and state government and courts across the nation to stop exploitative practices, help financially stressed families build and retain wealth, and advance economic fairness.

Equifax Data Breach Puts 143 Million Consumers at Risk

On July 29 (yes, nearly two months ago), Equifax discovered that it had suffered a data breach between mid-May and July.  The massive data breach exposed the personal identifiers of approximately 143 million Americans.  That means approximately half of the population of the United States just became even more likely to have their identities stolen.

The information that Equifax allowed to be stolen is the holy grail for identity thieves.  The names, Social Security numbers, dates of birth, addresses and, in some cases, driver's license numbers of 143 million Americans were pilfered from Equifax.  Even worse, Equifax sat on this information for nearly two months before alerting the public of Equifax's malfeasance putting them at risk.

Equifax is one of the last companies that should allow something like this to happen.  Equifax chose to enter the business of collected and disseminating the most private of information on nearly all Americans.  Equifax's credit reports are used nationwide for obtaining home loans, car loans, credit cards, bank loans and lines of credit.

Equifax's credit reports are used by many employers to decide whether to hire someone, particularly if there is any responsibility for financial accounts involved in the job description.

Equifax's credit reports are used by government agencies to determine whether you can have or keep a security clearance.  I have had many clients lose their security clearances (and thus their jobs) due to Equifax reporting erroneous information about them and the willfully refusing to correct the errors.

Equifax's credit reports are used by insurance companies to determine if you qualify for car insurance and homeowner's insurance.  And, if you do qualify, you may find that your premiums are higher because of the contents of your Equifax credit report.

Now, all of that uber sensitive information entrusted to Equifax (not that the consumer is given an option) has been exposed to identity thieves and hackers and is no doubt going to be sold on the dark web and used to victimize consumers across the country.

But what is even worse than Equifax allowing this tragedy to happen and then keeping its misdeeds secret for nearly two months?  Now, Equifax is offering free identity theft protection and credit monitoring to the victims of its data breach.  Sounds good, right?  Wrong!  Included in the sign up for that "free" identity theft protection are arbitration clauses that take away your rights to sue Equifax for the damage its data breach causes you.

When my wife woke me up this morning at 2:00 a.m. when she read about the Equifax data breach and then told me that Equifax was offering free credit monitoring and identity theft protection, I mumbled in my half awake state "do not sign up for it, they'll  have something bad in the fine print". How did I know this?  Well, for one, I have been suing Equifax for consumers they have wronged for nearly 18 years now.  Second, Equifax has done this type stuff before.  For instance, consumers are entitled under the Fair Credit Reporting Act to one free credit report per year.  But Equifax thought it right to make consumers agree to give up their right to a lawsuit to be able to exercise their right to a free credit report.  So Equifax stuck some arbitration language in the fine print of anyone accessing their free credit report online.  I warned you about this all the way back in 2009 - fcralawyer.blogspot.com/2009/05/truly-free-credit-report.html.  So it was no surprise that they would pull something like this again, especially since they are the root cause of the problem this time.

So, if Equifax's data breach causes your identity to be stolen which then causes your life to become a financial hell when your legitimate credit cards get closed, you lose your job and your home and auto insurance and then, due to the stress of it all, your health goes kaput, Equifax skates by free and clear because your only option is to bring an arbitration proceeding to be decided by Equifax's arbiter. Talking about heaping injustice on top of tragedy!

So, whatever you do, do not sign up for Equifax's "free" monitoring or identity theft protection.  To do so will cause irreparable harm to any potential lawsuit you may have if, God forbid, Equifax's data breach leads to theft of your identity.  And, if you do become the victim of identity theft, contact the Kittell Law Firm at 662-298-3456 or at ckittell@kittell-law.com.  I will sue Equifax in any jurisdiction in the United States for any victim of identity theft whose credit report is damaged as a result of Equifax's data breach provided that you have not agreed to throw your rights away by falling for Equifax's trap of "free" credit monitoring.