*This post is not legal advice but merely one attorney’s opinion.
On Thursday, September 7, 2017, the Atlanta-based credit bureau Equifax announced that the company had experienced a massive cyber hack that compromised the personal and financial information of over 143 million Americans. The hackers gained names, Social Security numbers, birth dates, addresses, and driver’s license numbers of three out of every four Americans over the age of 18. Additionally, the hackers gained access to credit card numbers for approximately 209,000 consumers, as well as other documents with personal identifying information for approximately 182,000 consumers.
If you are wondering whether you were affected, I will save you some time – you were. If you are an American adult who has ever held or inquired about a credit card, car loan, mortgage, cell phone account, bank account, internet service, an apartment, most jobs, or a security clearance, you are affected by this enormous and egregious data breach.
The fact that you did not consent to Equifax storing your information is irrelevant and also beside the point. This is part of the cost of living in our society so unless you have been living off the grid, which is pretty much impossible, then you are stuck.
The Equifax data breach is a completely different animal from other data breaches of recent memory, including the announcement in late 2016 that one billion Yahoo user accounts were hacked, or the revelation in 2013 that a data breach at Target compromised data for over 41 million individuals.
This data breach is much, much worse. The reason is that Yahoo and Target do not keep track of your social security number. They do not keep track of every bill you have ever paid. They do not keep track of everything you have ever bought (or tried to buy and been rejected). If something goes wrong with Target you just cancel your card, right? Well what do you do with Equifax, cancel your Social Security number?
Great, so now what happens?
Other than standing around with 143 million other Americans and crossing your fingers that your identity isn’t stolen, you can do the following:
1) Get a copy of your credit report immediately by going to annualcreditreport.com and having your credit report pulled from Equifax, Transunion, and Experian. The Federal Government requires all three of the credit agencies to provide you with one free copy of your credit report every year and annualcreditreport.com is the only website authorized to do so. BE ADVISED: Avoid websites and apps like Credit Karma and FreeCreditReport, at least for the purposes of dealing with the Equifax breach. Credit Karma and the like are not free, by any stretch of the imagination. Sure, they may not charge you but SOMEBODY is paying them to do what they do.
2) Freeze your credit. Call each credit agency and put a freeze on your credit. A freeze will insure that nobody (even you) will be allowed to inquire into your credit or open an account in your name until the freeze is removed. Freezing your account does not have an adverse effect on your credit score. For those in Massachusetts here is a useful summation of the subject of security freezes.
3) Report your identity theft. You can do that technically do that by calling your local police station and filing a report but it is much easier to do it through this website. Once you have reported your identity theft you can go to the next step and initiate a fraud alert.
4) Initiate a fraud alert. Here is the Federal Trade Commission website with instructions on how to implement a fraud alert. There will likely be a fee to initiate a fraud alert, however, there is no cost to remove it.
5) Do not go out and sue Equifax without consulting an attorney. Equifax has $3.1 billion in annual revenue. Translation: They have unlimited resources to fight you in court. Do not sue them without hiring a lawyer.
The Equifax data breach is a reminder that large corporations like Equifax do not have the consumers best interests in mind. Fine, that’s the game we all play. But the degree of recklessness on the part of Equifax seems to be particularly egregious in this case. Consider that Equifax waited six (6) weeks to disclose the breach to the public, during which time millions of people could have been the victim of identity fraud and not even known about it. Only eight (8) states (Massachusetts is not one of them) impose any deadline on how quickly companies must inform consumers of a breach, usually 30 to 90 days after discovery.
Three high ranking Equifax executives sold shares in the company and collected $1.8 million from those sales. The sales were made three and four days AFTER Equifax learned of the breach. A company spokesperson said that the executives were “unaware of the breach” at the time of their sales. One of the executives was John Gamble, CFO of Equifax. Does that make your blood boil?