The Equifax data breach is bad…so very bad…but their response has been even worse. Their “Free” Credit card monitoring requires your credit card…so they can bill..
So here’s the story frrom the La Times
Even worse, the TrustedID terms of service state that enrollees give up their right to sue Equifax and prevents them from filing or joining a class action in the case of any dispute — they’ll have to go to arbitration as individuals, which almost always places consumers at a disadvantage. It isn’t clear how those restrictions apply to preexisting data breaches, but judges have held in other cases that arbitration clauses may have retroactive effect. People should be very, very cautious about signing up with Equifax’s service.
The most important lesson in the Equifax breach is an old one: Consumers whose information is held by Equifax are not its customers or clients — they’re the product, and their personal information merely raw material to be exploited by the firm for its own profit. Equifax and its two major competitors in the credit-monitoring game, Experian and TransUnion, make their money by compiling detailed files on individuals and selling them to credit card firms, banks and marketers. In short, they don’t care about you, except so far as you’re an entry in their databases.
But the evidence contradicts that claim. Just last May, Krebs reported that thieves were able to access W-2 tax data of employees at client companies of Equifax’s payroll service subsidiary TALX, thanks to lax security. That breach lasted almost a year, starting in April 2016. The firm has suffered a string of other breaches, too.
The credit bureaus have “shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers,” Krebs wrote.
But lawmakers at the state and federal level have been inexcusably lax about regulating these data firms and any others holding sensitive consumer information. Only eight states — Connecticut, Florida, Maine, New Mexico, Ohio, Rhode Island, Tennessee and Vermont — impose a firm deadline on how quickly companies must inform consumers of a breach, usually 30 to 90 days after its discovery. (California requires “timely” notification, whatever that means, except for medical information, which carries a 15-day notification deadline.)