Determining Whether the Client Has Been Affected
It is very likely that any client with a credit history is one of the 143 million adult Americans whose personal information was exposed in a data breach at Equifax, one of the three major nationwide credit reporting agencies. Equifax has stated that from mid-May through July hackers accessed people’s names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers.
While it is safest to assume that a client has been affected, one way to try to verify this is to go to the Equifax site, www.equifaxsecurity2017.com to see what Equifax says. The site is far from a model of clarity and there are media reports indicating the site is not working properly and questioning its reliability. To use the Equifax site, click on “Potential Impact” at the top of the page and enter the last six numbers of a Social Security number and last name. For most people, the site will respond: “Based on the information provided, we believe that your personal information may have been impacted by this incident.”
The site also mentions enrolling in “TrustedID Premier”—the client need not enroll. TrustedID Premier is a credit monitoring service that is only initially free and that does NOT fully protect a consumer. The site also initially had an arbitration clause, which has since been removed, but there has been significant confusion over the issue. The client can just exit the site.
Risks Implicit in the Data Breach
The hacker’s access to this personal information raises various risks for clients. Perhaps the greatest risk is that an identity thief will take the consumer’s Social Security number, name, address, and birth date, and use this data to open credit accounts in the consumer’s name, sometimes called “new account” identity theft. While a consumer ultimately is not liable for the charges on such unauthorized accounts, resolution of the matter will not be pleasant.
The unpaid credit charges can damage the consumer’s credit report and it may take significant effort to clean that up. The consumer could be subject to debt collection calls and even debt collection lawsuits. If the consumer defaults on such a lawsuit, wages and bank accounts can be garnished. The best measure to prevent new account identity theft is a credit freeze, discussed below.
Another risk is that unauthorized persons might gain access to certain of a consumer’s existing accounts using the hacked information, and direct the business to take certain actions. As a result, consumers should pay careful attention to their existing accounts—reviewing statements, noticing if monthly statements do not arrive, and accessing their accounts online to watch for fraudulent transactions.
Another risk is an identity thief with the consumer’s Social Security information may file a tax return in the name of the consumer, seeking a large refund, and directing that refund to a prepaid card held by the thief. The client filing the legitimate tax return as soon as possible may preempt a scam filing that is submitted later to the IRS. Clients in Florida, Georgia, and the District of Columbia, or who have been previously approved by the IRS, can obtained an Identity Protection PIN from the IRS.
For a detailed discussion of all aspects of identity theft, see NCLC’s Fair Credit Reporting Ch. 9.
A Credit Freeze Is Recommended to Prevent Identity Theft
The strongest measure a client can take to prevent an identity thief from opening a credit account in the client’s name is to request a credit freeze A freeze prevents creditors from accessing the client’s reporting file or credit score. Creditors that rely on a credit report or score in granting credit are likely to refuse to offer credit if they cannot obtain a report or score. However, a credit freeze does not prevent a thief from making charges on existing accounts. As discussed above, the client should pay close attention to those.
Because a creditor could seek a report from any of the three major national reporting agencies—Equifax, Trans Union, and Experian—the consumer must place a credit freeze with each of the three reporting agencies. Click on the below links to file online or call the below numbers to place the freeze:
- Equifax—1-800-349-9960 or 1-800-685-1111.
- TransUnion—1-888-909-8872 or 1-800-680-7289
Fees vary from $5 to $10 for each reporting agency, based on the client’s state, but Equifax states it will waive such fees for now.
There have been reports of consumers having difficulty obtaining freezes due to technical issues with the credit reporting agency websites. Unfortunately, the only advice is for clients to keep trying.
- Very Important:
- The reporting agency will display a unique PIN or password online on the screen or send a confirmation letter. In some cases, it may allow the client to select the PIN or password. The client will need to record and retain the PIN or password in a safe place, because the client will need the PIN to lift the freeze temporarily or permanently.
A freeze does not affect a client’s credit record or credit score, prevent the client from obtaining a free annual or other credit report, or prevent existing creditors or debt collectors from seeing the client’s file. The freeze though will require the client to take an extra step before the client applies for new credit, a new job, an apartment rental, or new insurance.
This extra step is called “thawing” the freeze, either for a specific time or for a specific creditor or other business. Thawing or lifting the freeze usually costs $5 or $10 for each agency. The client will have to thaw the freeze for all three agencies unless the client knows which agency the creditor, employer, landlord or insurer will contact.
If the client takes no steps, the freeze can last forever (seven years in a few states). This may be a good thing, because there is no time limit for when an identity thief will use the client’s Social Security number obtained from Equifax.
Freezes and thaws are examined in far more detail in NCLC’s Fair Credit Reporting § 9.4.3.
A Fraud Alert Is a Lesser Alternative
A fraud alert works somewhat like a freeze, but instead of freezing the account, the fraud alert requires a creditor obtaining the consumer’s credit report or score to take steps to verify the consumer’s identity, such as by calling the consumer. Fraud alerts rely on the creditor’s vigilance, whereas freezes automatically deny access to the creditor, which is why freezes are considered stronger. Fraud alerts also apply not just to applications for new credit, but to requests to issue an additional credit card or increase the credit limit on an existing account.
Three types of fraud alerts are available. The below links provide more information on fraud alerts for each, including links to online forms and phone numbers to apply for fraud alerts with each of the three nationwide reporting agencies:
- Initial Fraud Alert that works only for 90 days and is renewable.
- Extended Fraud Alert that works for seven years and requires the client to first file an identity theft report.
- Active Duty Military Alert applies to those in the military and lasts for one year.
All three types of fraud alerts are free and the client only need contact one of the three nationwide credit reporting companies. That company is required to refer the fraud alert to the other two credit reporting companies.
Fraud alerts are examined in far more detail in NCLC’s Fair Credit Reporting § 9.2.2.
Credit Monitoring Alone Is Not the Best Option and It's Available for Free
Clients can purchase credit monitoring services, but these are costly (in response to the data breach, Equifax until November 21 is offering a monitoring service free for the first year). Moreover, credit monitoring alone is not as effective as a freeze. Credit monitoring is supposed to identify new accounts opened in the client’s name or attempts to open an account, but it only does so after the fact and it does not always work successfully. In addition, like freezes and fraud alerts, creditor monitoring does not help to spot fraudulent charges on existing accounts—the client should be advised to carefully review statements on these existing accounts.
Instead of paying for credit monitoring, clients can do this themselves simply by obtaining for free and then reviewing their credit reports. The client has a right at annualcreditreport.com to obtain a free annual report from each of the three national reporting agencies. Stagger the requests every four months from a different agency, and the client can have a continual snapshot of the client’s credit file. In some states and in some circumstances, additional free reports are available, allowing for even more frequent self-monitoring. Requesting a fraud alert also entitles the client to another free report.
Even if an attorney has the client’s authorization to pull a credit report for the client, the client should always be present when applying for the report. The website for security reasons will ask personal information that the attorney is unlikely to know.
Some credit monitoring or identity theft prevention products also allow a consumer to “lock” their credit report. While a “lock” may share some features with a freeze, state laws provide consumers with the right to freeze their credit files, and in some states a violation of that state law is privately enforceable. It is unclear the legal status of a “lock” or even how the “lock” works.
Credit monitoring is examined in far more detail in NCLC’s Fair Credit Reporting § 126.96.36.199.