Could financial firms do more in response to data breaches?
WASHINGTON — As firms like Capital One and Equifax have tried to make whole consumers affected by their massive data breaches, many Democratic lawmakers and consumer advocates are saying they aren't doing enough.
Senate Democrats this week zeroed in on Capital One’s complex processes for accessing credit monitoring and identity protection services following a breach that affected roughly 100 million customers. Sen. Elizabeth Warren, D-Mass., has also been sounding the alarm on a settlement reached between the Federal Trade Commission and Equifax over a breach that compromised personal information of roughly 148 million Americans.
The lawmakers say the products that consumers are being offered as a result of data breaches are insufficient and that the companies are making it too difficult to access them.
“The reports we are getting are that it’s a labyrinth, and my instinct is that if there were revenue at stake, they would have made the process more straightforward,” said Sen. Brian Schatz, D-Hawaii, in an interview this week, speaking of the Capital One breach and its aftermath. “The way they roll is they make things confusing and a lot of the trap doors have to do with products they sell and this unfortunately is not an exception.”
Credit monitoring or freeze?
After it announced a breach in July, Capital One offered free identity theft protection and credit monitoring to all customers, including those who were not impacted. In the case of Equifax, as part of a settlement with the Federal Trade Commission, individuals affected by the breach could either sign up for free credit monitoring, or they could opt for a cash payment if they already had credit monitoring services.
In both cases, critics say that credit monitoring does not do enough to make consumers whole. Some question the value of credit monitoring, arguing it would be better to help consumers freeze their credit.
“The freeze locks your credit report, the monitoring is not as good,” said Ed Mierzwinski, senior director of the federal consumer program at U.S. Public Interest Research Group. “Credit monitoring basically tells you when the horse has left the barn after the horse has left the barn. … Credit monitoring is a second-rate product.”
Some consumers also ignore the credit monitoring alerts they receive because there are so many notifications.
“You get an alert when there are changes in your credit report and when there are inquiries,” said Chi Chi Wu, a staff attorney at the National Consumer Law Center. “You will get a number of emails because it will reflect changes that are not necessarily identity theft. And then when you get so many emails you may not be checking them.”
So far, senators still see credit monitoring as part of the solution, but wonder if they need to go further.
"That's a piece of it," said Sen. Catherine Cortez Masto, D-Nev., in an interview. “Any time there is a data breach through a company that gathers information from the general public, they should be offering that for free. … I think the role, particularly for Congress, also is to be holding them accountable to make sure they are protecting their systems.”
Industry representatives, meanwhile, defend free credit reporting as a useful tool.
“Identity protection services, including credit monitoring, are valuable tools millions of Americans use to not only help protect themselves from identity theft but also to better understand and take control of their credit,” said Francis Creighton, president and CEO of the Consumer Data Industry Association. “The U.S. Government thought it was so important that they recently mandated that members of the military have access to it for free.”
Data breach bill
The question looming over the discussion is whether the breaches will provide enough momentum to get stalled data breach bills across the finish line.
In a letter Wednesday to the FTC, Warren criticized its settlement with Equifax as “flawed,” noting that consumers requesting monetary compensation received an email asking them to either provide the name of their credit monitoring service or amend their claims and request free credit monitoring.
“On top of the growing list of flaws in the Equifax settlement, these additional steps that appear to be designed to weed out deserving claimants were not even initially communicated to the 147 million consumers affected by the breach," Warren wrote. "I am asking the FTC why the Equifax settlement was so flawed, why communications about the settlement were so misleading, and why the FTC hasn't stepped in to restrict the use of these latest tactics."
Warren, along with Sen. Mark Warner, D-Va., has introduced legislation requiring hefty mandatory penalties for companies that have been breached. Warner told American Banker in an interview that the legislation is still warranted because data breaches keep happening.
“The bill that I’ve got with Sen. Warren about the credit rating agencies or some variation on that, would be appropriate,” Warner said. “Because this problem is not going to go away if firms can, in a sense, build this into the cost of doing business.”
Equifax did not return calls seeking comment. A spokesperson for Capital One said that it is proactively encouraging anyone with concerns to contact the bank, and that those who call servicing lines will be transferred to an incident support team.
“From the outset, Capital One has proactively communicated with customers and has encouraged anyone with concerns to contact us — whether through our dedicated website, which we regularly update with the latest information, or by calling our customer service line, which is available on all of our digital platforms, and on the back of their respective card products, etc.,” the spokesperson said.
But consumer advocates haven't been impressed. Susan Grant, director of consumer protection and privacy at the Consumer Federation of America, said Capital One should at least have a “dedicated number” for consumers affected by the breach.
“It doesn’t so far seem to be a very clear and comprehensive response that provides easy to follow instructions for consumers who were affected,” Grant said.
The spokesperson responded that "there is no need to locate a specific phone number — those who call our servicing lines are transferred to a dedicated incident support team, which is standing by to answer questions and address any concerns.”
Some consumer advocates said firms involved in breaches may actually benefit from them. Mierzwinski said that the systems that companies put in place to help affected consumers save the companies money.
“It saves the company that did you wrong money,” Mierzwinski said. “If fewer consumers take advantage, the less the company has to pay. Consumers should not have to be trained seals to be compensated for harm.”
The Capital One spokesperson said that was not the case in its breach. "There is no financial incentive for Capital One to limit the number of activations," the spokesperson said.
But Avi Gesser, a partner at Davis Polk, said the companies also face challenges when they experience a breach.
“Imagine what it takes to set up a call center and a website that can accommodate a million people whose data might have been affected,” Gesser said. “You have to train people to answer the calls, you have to have a coherent message, and you have to be able to provide services at scale.”
Gesser also warned against new legislation that would enact stiffer penalties on firms that suffered a breach, saying that companies experiencing breaches are also often victims. In the case of Capital One, the person responsible has been arrested.
“You want those kinds of penalties only for the companies that didn’t take reasonable steps to protect that data that was compromised,” Gesser said.
Creighton said that law enforcement should be focused on the criminals, not the companies that are breached.
“Companies make substantial investments to protect customers’ data,” Creighton said. “When breaches do happen, the focus should be on shutting down the breach, restoring a secure environment and remediating any harm to citizens or customers. Law enforcement agencies need to focus on holding the attackers accountable to the fullest extent of law.”