Jordan Robertson of Bloomberg News provides media attention to a problem I’ve noted previously on this blog – that Experian suffers a lot of data breaches* where a client’s login is compromised and misused by unauthorized individuals. His coverage will hopefully inform national conversations about transparency, consumer protection, and breach notification.
First is the issue of transparency. We know that there have been at least 90 Experian data breaches since the beginning of 2006, the vast majority of which involve compromised client logins. I say “at least” because we do not know how many there have really been. It’s only a minority of states that have a central repository of breach reports and even fewer that make those reports readily available on a public web site. Much of what we know about Experian’s breaches we know only because volunteers at DataLossDB.org – this blogger included – file for reports under Freedom of Information laws. Experian’s breaches would likely have continued to evade public or Congressional scrutiny because there is no national central repository of breach reports available to the public and Congress. We need to remedy that.
In April of this year, after reading what Experian had reported to the North Carolina Attorney General’s Office about their security and post-breach remedies, I decided to take a closer look at everything we had compiled for Experian on DataLossDB.org, What I found concerned me as a consumer, and I filed a complaint with the FTC in my individual capacity. In that complaint, I asked the FTC to consider whether Experian’s practices constituted unfair practice under the FTC Act. As is its policy, the FTC never publicly announces whether it is investigating or pursuing a complaint. I suspect they will pursue my complaint, though, and that I won’t be getting any Christmas card from Experian this year. I can live with that. But it was time to put this problem under a strong spotlight.
I should point out that my complaint was filed months before the House Bipartisan Privacy Caucus sent letters to Experian and others asking about their privacy and security practices. The caucus was not aware of my complaint when they sent their inquiries. I would like to see Experian’s responses to the data security questions in their letter, but neither Rep. Markey nor Rep. Barton have made the response letter available to the public yet. What will the Bipartisan Privacy Caucus do now? And what will the Senate do? Senator Blumenthal told Jordan Robertson that this report is cause for further investigation. I hope he follows up. As Attorney General of Connecticut, Senator Blumenthal was a genuine advocate for his state’s residents when it came to privacy and data security. I hope he becomes the same positive force for change in the Senate.
And while Congress follows up on Jordan’s reporting, I hope some states attorney general also open their own investigations to determine if their residents are being adequately protected from breaches involving data-rich credit reports.
Not only is it time for Congress to enact legislation that creates a national repository of data breach notices that is available to the public on the Internet, but it’s time for Congress to enact legislation that requires more detailed disclosures in breach notices and sets a federal floor for breach notification that is at least as strong as the strongest state laws for breach notification. And some might argue that it’s time for Congress to enact data security standards that incorporate statutory penalties as an incentive for entities to do a better job of protecting consumers’ data. We do not choose to have our data in many of these databases and we are generally given no way to opt out. As consumers, we are at the mercy of their data security. And we need more protection.
The Experian report can be – and should be – be a wake-up call for Congress.
Thanks to Jordan Robertson and Bloomberg News for taking this to a national level.
* I realize that Experian claims that these are not their breaches but their clients’ breaches for failure to adequately protect their login credentials. As a non-lawyer, I reject their position, and agree with the statement made to Jordan by Maneesha Mithal, associate director of the FTC’s division of privacy and identity. It’s their database, their portal, and their rules for access. If they have somehow made it too easy for unauthorized individuals to authenticate and access their database, I think that’s on them. Others may disagree.