How did they get that? Credit reporting and your personal information…

In the wake of the massive breach of consumer information at Equifax, many people are asking how, and why, Equifax has so much information about so many of us. One of your first questions might be something like:

“I have never been a customer of Equifax; how can they have any of my personal information?”

Many consumers may never have even heard of Equifax before, let alone been a customer of their consumer services. So how could so many have been affected?Equifax is one of a few national companies that collect and report consumer credit information. These companies, often called “credit bureaus” or “credit reporting agencies”, get regular reports about your credit history from banks, financial institutions, landlords, utilities and even employers. The credit bureaus then put all of this information from different businesses about your use of credit together into a single file — your “credit report”. Some of the bureaus have developed a scoring system to rate how “safe”, or how “risky” your credit habits may be, compared to other consumers. Any time you apply for a loan, credit card, utility account, etc., the lender will get your credit report from one or more of these bureaus. Using the credit report, the lender will review your credit history to decide whether to open an account for you, and what interest rate they wish to charge (often based upon the perceived “risk”).

The credit bureaus also supply information to companies for marketing purposes. If you have ever received an invitation to apply for a credit card in the mail, or other kinds of solicitations like that, it is likely the sender got your mailing address from a credit bureau. Marketers buy mailing lists from the credit bureaus that are tailored to meet their desired customer characteristics. For example, a credit card company may wish to market a new travel credit card. They might contact the credit bureau to buy mailing lists of people who have other travel cards, airline accounts, etc., and who may meet certain age, income or other demographic criteria.

With so much of our personal, sensitive financial information at their disposal, you may wonder how these credit bureaus are regulated. There are some specific laws, both federal and state, that govern how credit bureaus should report, manage and protect your information. The federal Fair Credit Reporting Act (FCRA) sets out such standards as the rights of consumers to dispute items on their credit report, security requirements, and more. Vermont’s Consumer Protection Act includes a subchapter on Fair Credit Reporting that requires, among other protections, that a company get your consent before they can access your credit report. Both federal and Vermont state law require each of the credit bureaus to provide you with a free credit report each year (meaning you can get two from each bureau, each year). There are also specific laws that require companies to keep sensitive personal information as secure as possible, and to report to law enforcement and consumers quickly if they discover a breach of those security measures.

It is likely that policy-makers in the state legislatures, Congress and regulatory agencies will be reviewing the current laws and rules in place to protect consumer information, considering the scale of the breach at Equifax. If you have concerns or thoughts about the current law, you may wish to contact your legislators to discuss these issues and keep up to date on any proposed changes. Our office will be active in these areas, and will be working to keep Vermonters informed throughout. If you have questions about consumer protections, or a complaint about a business that you would like assistance with, contact our consumer hotline, or file a complaint online.