Sunday, September 17, 2017

Sunday Reading: On Data Breaches and Credit Reporting

John Oliver's very educational, pre-Equifax data breach segment about the American credit reporting system.

By now, if you're American, you're probably painfully aware of at least some of the messy facts and many remaining unknowns surrounding the recent data breach at Equifax, one of the three major companies responsible for recording individuals' credit histories in the United States. (The others are Experian and TransUnion.) If you're unfamiliar with the system, John Oliver's 2016 segment above offers an entertaining and accessible explanation. Heck, even if you are already familiar, I'd still recommend the clip, as it certainly taught me a few things I didn't know about the downsides of the system. As the clip progresses it's strongly implied that these companies are really very, shall we say, "amateur hour" in their handling of certain things, including by getting people with similar names mixed up or accidentally declaring someone dead. 

Most recently, and perhaps most catastrophically, Equifax suffered a security breach that compromised the personal information of an estimated 143 million individuals. I've read that this is roughly 44% of the U.S. population, which would pretty much mean that one has a rather close to 50-50 chance of being affected (by 44% do they mean of the adult population? regardless, the odds are really bad). It's unclear how much information was compromised, but the credit reporting agencies definitely have SSNs, address histories, essentially everything that's needed to open accounts in a person's name, which seems worse than just the loss of credit card information (as in the Target breach).  By the way, Equifax discovered the breach in late July, but did not inform the general public until early September. In the meantime, several Equifax executives sold some of their Equifax stock. 

To my knowledge, Equifax has not reliably confirmed who is affected, i.e. is it only people who had "hard" credit inquiries run on them in the last year, or something like that. They had a website for checking if one was specifically affected, but, at least at one point, it gave inconsistent results to people checking the same information multiple times. P.S., Equifax was originally charging fees for customers to use some of the tools (credit monitoring or a credit freeze) that could help protect those affected by the data breach. Oh and also, when that site for checking whether one was affected first opened, using it to sign up for certain protections also meant agreeing to a waiver limiting one's ability to participate in a hypothetical future lawsuit against Equifax. To be fair, Equifax has since publicly stated that the clause at issue will not actually preclude future legal action. But let's be real, has anything about this mess given you reason to trust this company? 

I have not, to my knowledge, been affected by previous high-profile data breaches (and there are many). With this one, given its size, I think it's safe to assume that I was affected, or have such a high likelihood of being affected, that I must seriously consider preventative measures. At present, I'm not sure what I plan to do. I already conduct my own credit monitoring by logging in frequently to CreditKarma. While their information on your credit reports is not quite as comprehensive as you'd get from running your own credit report, which Americans can do for free three times a year (once each from each of the big three), I've still found CreditKarma a reliable way to monitor my credit. Its reports have generally been consistent with the information I received when I formally ran my credit on rare occasions (no exact FICO score, but that might be an unrealistic expectation). As far as I can tell, the only other, stronger step to take is a credit freeze, which costs money, though not in certain states. (Even if public pressure has forced Equifax to waive fees for a time, one likely should initiate a freeze at all three agencies to be safe, so fees could apply elsewhere.)

At this point, I'm dragging my feet on the credit freeze step because it sounds like a pain and a half. (I open new credit cards somewhat frequently to take advantage of new cash back or bonus travel points offers.) Still, I am somewhat likely to ultimately choose to take the step. One note from my research: Because a freeze requires a PIN number to un-freeze one's credit, one should sign up very carefully and make sure to record the number, which might, in the case of at least one agency, be delivered only over the phone.

Are you taking any steps to respond to the Equifax data breach? Have you previously been affected by one of the other major data breaches? How often do you check your credit reports? I only realized today that I'd never written about CreditKarma here before! It's been a constant, but less-used (compared to YNAB and Personal Capital), tool in my personal finance arsenal for years now, and they're fairly well-established. Totally not sponsored or anything, they don't offer referral or affiliate programs, and it wouldn't really make sense under their likely business model. (They promote credit cards and other financial services to users on their site, but I find that information easy to ignore if it's unhelpful to me.)

Please note that, as with everything else I write here on this blog, nothing in this post should be construed as legal advice. I write about these topics purely from my personal perspective as a fellow consumer. If you're interested in any of the steps I've mentioned, I encourage additional research before taking the plunge. 
