This is not a financial advice website. However, with the big Equifax data breach, there are all kinds of bad advice out there on what to do. In my case, I sent them a letter today. By snail mail, return receipt requested. I thought that some readers might find the letter useful, so I have copied the text into this post below.
The situation in the U.S. with the so-called "credit bureaus" (Equifax, Experian, TransUnion) is really quite bizarre. They obtain information that you provide in strict confidence to your bank or credit card company, supposedly for purposes of credit reporting, which is a valuable function. But the actual credit reporting function is mostly done by barter or something close to it (bank reports customer payment history and in turn gets access to full credit reports), so how to turn yourself into a multi-billion dollar infotech powerhouse? (Equifax and Experian both have reported market caps in the range of $14 billion; TransUnion is a private company, but clearly it made recent ex-Commerce Secretary and Obama Campaign Finance Chair Penny Pritzker very wealthy.) It's easy! Take the personal data obtained from consumers in strict confidence and re-sell it to thousands of customers without the consumers' permission. And since the credit bureaus have no direct relationship with the consumer, they don't have nearly the incentive of your bank or credit card company to safeguard the information they hold and then sell. What are you going to do, fire them? Thus, one big hack after another. (Experian last had a big breach in 2015. ChoicePoint -- a major customer of the credit bureaus -- had big breaches in 2004 and 2008. And so forth.) How our genius so-called "regulators" have allowed this situation to develop is a story that is too long for this post. But here we are.
You are welcome to use all of my letter for yourself, or as much as suits your circumstances. Clearly, it is not likely that you froze your credit with Equifax as I did back in 2009. But go ahead and demand the credit freeze for yourself today! (And while you're at it, do the same with Experian and TransUnion.)
Here are a few of the principles that inform this letter:
- Give them the absolute minimum amount of information that they will need to identify you as a unique individual. (In my case my name is very close to unique, so this is not difficult.) Every piece of information you give them about yourself is very valuable to them, because their main business is to package information about you and others and sell it without your permission. Just like your contacts list in Outlook, their database is full of inaccuracies and anomalies. Everything you give them, whether it be a current telephone number, a date of birth, an employer, or whatever, will be added to their database and sold and/or hacked to the world.
- Under no circumstances give them your social security number. Their database has literally millions of social security number "anomalies," and they would dearly love you to help them clean it up so they can sell your information for a higher price to their customers without your permission. And if you should ever give it to them, and then try to object to their use of it for their own profit, their response will be, "he gave it to us without imposing restrictions and knowing that we re-sell it." Meanwhile, if you try to have any dealings with them by website, you will not be allowed to proceed without inputting your social security number. That's why you need to send a letter. I can state that I have obtained both credit reports and credit freezes from all three credit bureaus without ever providing my SSN. In some cases it took considerable persistence, but right now Equifax is not in a very good position to argue about this, so go for it.
- Their claimed basis for demanding your social security number is to "identify" you. I have never understood how exactly name plus SSN constitutes good "identification" when they sell that information to thousands of customers. But that's why I offer to show up in person with my passport. What's their answer to that? (Fortunately, Equifax has an office in Manhattan.)
- Everybody should demand a license for use of their data for any purpose other than credit reporting with your explicit consent. The license would include a provision for a fee, a limitation on permitted uses, and a liquidated damages provision in case of use for non-permitted purposes and/or a hack. Of course they won't agree to this, but really, people should start being aware of what's going on and demanding decent treatment.
- They also won't agree to deleting the bulk of your "credit header." That's not a reason not to demand it.
With that, here's the text of the letter:
Francis J. Menton
U.S. mail return receipt requested
September 12, 2017
Equifax Credit Information Services, Inc.
P.O. Box 740241
Atlanta, GA 30374
Dear Sir or Madam:
I am writing you at this time because of the recent data breach experienced by your company. I am corresponding by letter because your online resources for dealing with this matter all require that I input my social security number or some portion of it. I have never provided you with my social security number and I will not do so now. Obviously, you cannot be trusted with it.
Here are my requests/demands:
· Kindly inform me if I have been a subject/victim of the data breach, and if so what pieces of my information have been disclosed and to whom.
· I would like to sign up for the free year of credit monitoring that you are offering to all who are subject/victims of the breach. This service must be made available to me in a manner that does not require me to provide any information about myself other than as contained in my letterhead above. For any other information about me, you will have to pay a fee and sign a license agreement as to use of the information, which will contain a provision for liquidated damages. Kindly advise if you would like to pursue this option, and I will provide a fee schedule and license agreement.
· As you know, I have had a credit freeze in place with Equifax since January 2009. Kindly advise if my PIN number for this credit freeze has been compromised by the recent data breach. If you are anything less than 100% confident that the PIN number has not been breached, I will obviously need a new PIN number. Therefore, either advise that you are absolutely 100% confident that the PIN number has not been breached, or provide me with a new PIN number.
· Kindly delete from your databases all so-called “credit header” information about me other than the information in the letterhead of this letter. This includes, but is not limited to, my social security number or taxpayer ID number (if you have such), any and all prior addresses, current or prior telephone numbers, my date of birth, and any employment information.
If you feel that you need to do more in order to verify my identity, I would be glad to meet in person with one of your representatives. I could bring my passport and/or driver’s license, and/or New York State attorney identification card to such a meeting. Although I will be glad to show these documents to your representative to verify my identity, I will not permit you to make copies of same, nor to make a record of any information or numbers on such documents, without payment of a license fee and signing of a license agreement with a liquidated damages provision, as indicated above.
The best way to communicate with me is by hard copy mail to the address above. Alternatively, you may respond by email via my website address above.
Very truly yours,
Francis J. Menton