Last year, massive cyber-security failures at Equifax exposed personal information on over 145 million consumers to criminal hackers. This information includes Social Security numbers, credit card information, driver's licenses, telephone numbers and more. It is a clear case of gross negligence on part of Equifax, which waited several months before informing consumers. Although corrupt federal lawmakers and the current Administration are bending over backward to protect Equifax from liability, the infamous data breach is no longer the company's only problem.
According to a pending complaint, consumers who paid Equifax for a copy of their credit report received information that was at best inaccurate and at worst useless. Plaintiffs in the pending class action lawsuit allege that their “Equifax Credit Scores,” for which they were charged the price of $15.95, was not based on the credit scoring model provided to lenders, but was instead “...based on a vastly inferior and inaccurate model that is essentially useless to consumers.” Furthermore, Equifax deliberately misled consumers by “failing to prominently and clearly inform” them that the credit scores for which they were paying were based on a system “significantly different and greatly inferior” to those furnished to lending institutions.
Lies and Misinformation
In fact, Equifax provided false information. In order to entice consumers into purchasing their credit scores from the company, its website stated that “Equifax Credit Scores were accurate, reliable, and widely used” – and were identical to those used by lenders. Information on the Equifax website further suggested that consumers would be able to learn how their credit scores were calculated while implying there is only a single model for determining credit scores.
In an inadequate attempt to cover themselves, Equifax uses fine print that says “third parties use many different types of credit scores and will not use the Equifax Credit Score to assess your creditworthiness.” Aside from the fact that consumers usually miss such fine print, the statement fails to clearly state whether or not lending institutions and retailers actually employ the same model for evaluating credit risk as is used for the credit score it sells to consumers.
It turns out that the credit score for which consumers pay nearly sixteen dollars is not based on the model used for 90% of the reports sold to lenders, which are based on models developed by the Fair Isaac Corporation (FICO).
Was It Intentional?
This most recent deception appears to reflect a pattern of behavior on the part of Equifax. In January 2017 (twelve months prior to this writing), the Consumer Financial Protection Bureau (CFPB) entered into a settlement with Equifax and TransUnion in which the two companies were required to pay over $17.6 million in restitution to consumers and $5.5 million in fines to the federal government. The consent order notes that
“Equifax deceptively marketed credit scores to consumers by falsely representing...that the scores it marketed and sold to consumers were the same scores lenders typically use to determine creditworthiness...and deceptively marketed credit scores and credit-related products to consumers by falsely representing, in violation of the CFPA, that the scores and products were ‘free,’ when in reality, when a consumer signed up for a ‘ free’ trial, s/he was automatically enrolled in a subscription program for which s/he was charged a recurring monthly fee until s/he cancelled.”
“Equifax placed advertisements for its products on web pages that consumers accessed through AnnualCreditReport.com before they obtained their free annual file disclosure, in violation of the Fair Credit Reporting Act.”
The consent order further notes that Equifax engaged in these illegal practices for nearly 20 months between July 2011 and March of 2014.
The bottom line: Equifax fraudulently made hundreds of millions of dollars by selling consumers useless information, when they were legally entitled to receive much more accurate information free of charge (under the Fair Credit Reporting Act, consumers are entitled to access their credit reports from all three of the major reporting bureaus at no cost one time per year).
A Corporate Recidivist?
If corporate “people” were held to and judged by the same standards as natural humans, Equifax – like so many large corporations these days – would be considered a recidivist, a convicted criminal who commits crimes again and again. The company has drawn much criticism since its transformation in the 1970s from a primarily business-to-business information broker, mostly serving the insurance industry, to a massive, global conglomerate that collects and stores a wide range of data on 800 million people across the world. Since 2000, Equifax has been fined for violations of the FCRA and targeted in lawsuits by no fewer than nine individuals.
Equifax was founded in Atlanta, Georgia in 1899, when it was known as the “Retail Credit Company.” Over the next six decades, Retail Credit Company (RCC) acquired files on millions of consumers living and working in the U.S. and Canada. However, prior to 1970, most of these files were provided to insurance companies, where actuaries analyzed the information in order to determine risk on insureds as well as to provide assistance to adjusters in assessing claims.
By the mid-1960s, RCC was drawing suspicion and criticism because of the extent of its information holdings, as well as the fact that this data could be purchased by virtually anyone. In March 1970, a law professor at Columbia University named Alan Westin, who foresaw the threat of today's “surveillance state,” was interviewed for a piece in the New York Times, during which he pointed out that such files “may include facts, statistics, inaccuracies and rumors...about virtually every phase of a person's life; his marital troubles, jobs, school history, childhood, sex life, and political activities.” Westin presciently added that “Almost inevitably, transferring information from a manual file to a computer triggers threats to civil liberties, to privacy, to a man's very humanity, because access is so simple.”
In 1995, an article in Wired noted that although RCC and companies like them could legally collect all kinds of information on anyone they pleased, consumers had no right to see it – and in fact, were usually unaware that such files on them existed. Ultimately, fears of abuse led Congress to pass the FCRA in October, 1970.
The Wired article's author, Simon Garfinkel, also noted that prior to that time, RCC allegedly provided incentives to its employees to gather negative information on consumers. Whether or not those allegations were true, Retail Credit Company changed its name to Equifax in 1975 – according to some, in order to repair its tarnished corporate image.
Over the next 25 years, Equifax worked aggressively to become the largest clearing house of personal information – including patient medical data – on the planet. Their objective: to obtain and store personal and private information on every human being in order to sell it to anyone willing to pay the fee.
Their Mistakes Become Consumers’ Liabilities
With such massive stores of data, errors become almost inevitable. As pointed out by Canadian privacy advocate David Flaherty, “Inaccuracy is endemic in large databases, whether it's the National Crime Information Center or Equifax's credit reporting service.” Indeed it is; a 1991 study published in Consumer Reports found that 43 percent of files obtained from Equifax and its competitors contained errors.
Unfortunately, when it comes to correcting such errors, the burden of proof has been on consumers. Furthermore, Equifax, as well as Experian and TransUnion, have made it difficult for consumers attempting to get information about their own credit. In 2000, all three companies were ordered to pay fines totaling $2.5 million to the Federal Trade Commission (FTC) for failing to maintain a toll-free number for consumers, blocking consumer calls during normal business hours, and placing them on hold for as long as an hour. Apparently, Equifax failed to learn its lesson; just three years later, the FTC came after Equifax a second time for doing the same thing. Unfortunately, the fine of $250,000 amounted to little more than a slap on the wrist to a company with hundreds of millions of dollars in revenues.
A more substantial penalty was assessed against Equifax in 2013, when a federal jury awarded $18.6 million to an Oregon woman who had suffered because of the company’s failures and refusal to correct inaccuracies in her credit report after she had contacted them numerous times. The following year, Experian was sued twice – once by a Missouri woman the company had erroneously reported as being deceased, and again in New York City by a naturalized citizen from Russia with the unusual name of God Gazarov – because Equifax reported him as having no credit history, causing him financial difficulties. In September 2017, five people from Oklahoma filed a class action lawsuit against Equifax in connection with that year’s data breach, claiming they violated laws requiring financial institutions to safeguard consumers’ sensitive information, forcing them to incur the financial burden of credit freezes and monitoring.
Although the foregoing incidents are separate from the present case involving the fraudulent sale of faulty and useless information, they reflect a pattern of corporate behavior demonstrating a willingness to ignore the law in order to increase revenues and pad profits at the expense of those they are ostensibly serving.
When Words Fail to Match Actions
In their most recent filing with the Securities & Exchange Commission, Equifax readily acknowledges its obligations under the FCRA and laws of other nations in which it operates:
“We are subject to a number of U.S. federal, state, local and foreign laws and regulations that involve matters central to our business. These laws and regulations may involve privacy, data protection, intellectual property, competition, consumer protection, anti-corruption, anti-bribery, anti-money laundering, employment, health, taxation or other subjects. In particular, we are subject to federal, state and foreign laws regarding the collection, protection, dissemination and use of non-public personal information we have in our possession and to consumer financial protection. Foreign data and consumer protection, privacy and other laws and regulations are often more restrictive than those in the U.S. Failure to satisfy those legal and regulatory requirements...could have a material adverse effect on our results of operations, financial condition or liquidity” (emphasis added).
If and when this class action goes forward and Equifax is again found liable for disregarding the law, chances are that it will have little effect on its revenues. However, it will have an effect on its public image, reducing its credibility and further eroding public confidence at a time when the financial services industry in general is increasingly being regarded as corrupt, greedy and self-serving.
Hopefully, those who have been taken in and harmed by this company's latest scam will also receive some modicum of justice.