Identity Theft and Fraud

Equifax: Why the house always wins

Mon, 10/02/2017 - 3:00pm

On Sept. 7 Equifax announced that its computer systems had been hacked and as a result the identifying information of about 143 million of us had been exposed.

In response to the incident, Equifax is offering victims a free bundle of services that include credit monitoring and the ability to “lock” our credit reports. The credit lock seems to be very similar to the security freeze that has been free for Mainers since October 2015. Maine is one of only a few states that currently require a free freeze for their residents.

In response, U.S. Senators Elizabeth Warren (Massachusetts) and Brian Schatz (Hawaii) introduced the Freedom from Equifax Exploitation (FREE) Act, which would eliminate the fees for security freezes for residents of all states. The bill was co-sponsored by 10 other senators and is endorsed by a number of consumer and legal advocates.

On the face of it, the Equifax breach seems pretty much like other data breaches:  A company’s computers were hacked and it is offering a year of free services to those whose information was stolen.

This time, the situation is different. 

First, there’s the Jan. 31, 2018 deadline for free services. Folks who enroll with Equifax after that date will be charged for the security freeze if they live in a state that permits a fee.

The individual state fees to place a freeze range from $3 to $10 at each of the credit bureaus. If only 10 percent of the victims across the U.S. place a freeze with Equifax after Jan. 31, by our calculations it could mean $86 million in revenue to Equifax.  

Second, the free security “lock” offered by the company is undefined at this point.

In a call to the Equifax data breach line, we were told that the lock is essentially the same thing as a security freeze. Which begs a question a lot of us are asking: So why the need to distinguish between a “lock” and a “freeze”?

Could it be that security freezes are subject to state laws and are placed and paid for once with no expiration date?

The lock is not governed by state law — only by corporate policy — and could, at a future time, become bundled into services for which consumers must pay a monthly fee. The company at any time could declare that the lock is free as a part of other services for which there is a monthly charge. 

And if a customer chooses services that include a lock rather than a freeze, will they be paying Equifax each month for something that should either be free or a one-time cost under their state security freeze law? 

Finally, as a result of the Equifax breach, victims are signing up for credit monitoring in record numbers. LifeLock has reported that it has seen an increase in enrollment that is 10 times per hour greater than usual.

And here’s another reason that this breach is different:

According to a December 2015 SEC filing, LifeLock has an agreement to purchase credit monitoring services from Equifax.

If you signed up for LifeLock credit monitoring because of the Equifax breach, Equifax may be providing that credit monitoring. And since Equifax is paid by LifeLock for credit monitoring, Equifax may now be receiving revenue from the breach of its own systems. 

So there it is. The company that had the breach will be paid for the remedy. What used to be said about gambling houses also appears to be true of the Equifax data breach: Never bet against the house because the house always wins.