On today’s show, I discuss the news that data from Equifax was “hacked”. It appears that “only” 100,000 Canadians were impacted, but even if your data was not impacted by this event, it’s a good wake-up call for all of us:
Your data is vulnerable.
How to Survive the Equifax Hack
So how can you protect yourself? My full comments are in my post on Equifax Data Hack: Insolvency Trustee Gives Advice on How to Protect Yourself but here’s an important point: your data is already out there; you can’t pull it back.
If you have ever applied for credit, you have a credit file, even if you have paid off all of your debts. That means your data is vulnerable, so it’s up to you to keep an eye on your data. At a minimum, review all of your credit card, bank and loan statements regularly; don’t wait until the end of the month. I check my statements online every few days. If you see a problem, report it immediately.
Full details are in today’s transcript shown below.
Resources mentioned in this show:
- Consumer Reporting Act, Ontario
- Equifax statement on the impact on Canadian consumers
- Equifax credit monitoring
FULL TRANSCRIPT show #161 Debt Should Come With a Health & Safety Warning
Today I want to talk about a story that’s been in the news for the last month or so: the Equifax data hack.
As I’m sure you’ve heard, some computer hackers were able to get access to a lot of the data that Equifax keeps on consumers, including their names, addresses, and social insurance numbers.
According to a statement issued by Equifax released on September 19, in addition to the 140 million Americans impacted, the incident involves potential access to the personal information of approximately 100,000 Canadian consumers
It appears that most of the data relates to Americans, so unless you have an American credit card or other dealings in the U.S., your data may not have been stolen.
Or it may have; we don’t know for sure; Equifax has not exactly been transparent and forthcoming when it comes to telling us what’s really happened. Apparently they are sending a letter to all Canadians who were impacted, so presumably if you haven’t received a letter by now, you may not be impacted.
Even if you weren’t harmed by this incident, a lot of your data is “in the cloud”, so what can you do to protect yourself from future hacks, and what do I think the government should do to help protect us?
I’ve got a few thoughts on this subject.
First, wouldn’t it be great if debt came with a Health and Safety Warning?
You know when you buy any kind of over the counter medication, there’s all that fine print that tells you all of the side affects you might get if you take those pills?
The law says you can’t sell anything that might be dangerous unless it comes with a health and safety warning. Makes sense.
On every show here on Debt Free in 30 I talk about the dangers of debt, so why doesn’t debt come with a health and safety warning?
Maybe it should.
Did you realize that when you signed up for your credit card that the credit card company would be giving all of your data to Equifax?
They do. That’s how the credit reporting agencies work. There are two big ones in Canada, Equifax and TransUnion, and they get your personal data from the big banks and credit card companies when you borrow money.
This isn’t illegal. In fact, if you go back and look at the agreement you signed when you applied for that credit card or bank loan there was a bunch of fine print that said: “we will be sharing all of this data with the credit bureaus”.
Before this big data hack, no-one thought much about that, but now that we are thinking about it, wouldn’t it be nice if there was a big health and safety warning, in big print, on every loan application you signed?
I’d like to see big bold letters that say whatever you tell us may not be kept private.
I wonder if a warning like that would change our behavior?
Does the health and safety warning on a pack of cigarettes make you less likely to smoke? I assume it must be a good warning for some people, or it wouldn’t be there.
Since I don’t expect the government to create a health and safety warning on credit applications anytime soon, let’s talk about what you can do to protect yourself from credit bureau data hacks.
Let me start by telling you the most important point that you may not fully realize:
You are not a customer of Equifax. You are the product.
Let me say that again: You may think that because you can order a copy of your credit report from Equifax, Equifax is working for you.
You, and your data, is the product that Equifax is selling to the big banks, and credit card companies, and any other company that wants to lend you money.
You are the product.
Equifax and TransUnion generate most of their profit from selling your data to the big lenders. It’s true, they do make a few bucks by selling consumers their credit score, but the big money is from their big customers, and that’s why their priority is servicing their big customers, not helping you.
Probably the biggest complaint I get from clients is that, after they finish their bankruptcy or consumer proposal, they check their credit report and some of the information is wrong.
There is one big bank that regularly reports a consumer proposal as a bankruptcy, so when you read your credit report it shows the bank’s name, and your debt, and then it says “included in bankruptcy”, even though you never filed a bankruptcy; you filed a consumer proposal.
This is extremely frustrating, and when we talk to that bank they say “oh, sorry, that’s just how our system does it”, and when we talk to the credit bureaus they say “we just report the information we are given, so if that’s what the bank tells us, that’s what we report”.
Why isn’t the credit bureau more responsive to customer needs?
Because you aren’t the customer. You are the product.
Once you understand that you are the product being sold, you now have more incentive to protect yourself.
The obvious answer is to say “okay, I don’t want my information to be sold, so I’m going to cancel all of my credit cards and pay off all my loans and never have any credit again”.
That would save you a lot in interest, but unfortunately even if you paid off all of your debt and never applied for credit again, you would still have information on your credit report. Your name and birth date and social insurance number are still on your credit report, even if you stop borrowing money.
That’s the problem: once your information is “in the cloud”, it stays there for a very long time.
So if paying back all of your loans and never applying for credit again isn’t a fool-proof option, what can you do to protect yourself?
Here’s my eight point plan:
First, and most importantly, check your credit card and loan activity regularly. Personally, I go online and check my credit card statement every two days. That’s right, I don’t wait for my statement at the end of the month. Every day or two I go online and do a quick review of transactions and confirm that they are all legit.
Guess what: earlier this month, while I was reviewing my transactions, I found three charges for three taxi trips I had taken the day before in Toronto.
Unfortunately I was not in Toronto the day before, and I had not been in a taxi in a long time.
I also saw that apparently when I was not in Toronto I managed to have two meals at a restaurant in Toronto.
I immediately called the credit card company, and they immediately cancelled my credit card. They told me that my credit card number had been manually entered, meaning they knew no-one had my credit card, with the chip, and the PIN number. That’s why they believed me that it wasn’t me.
It took two days for them to send me a new card, and they reversed the fraudulent transactions, so it didn’t cost me anything.
In my case the total was around $300, so it wasn’t a big deal for the credit card company, but if I had waited a month to find the problem, it would have been a lot more money, and perhaps the credit card company would not have been so eager to help me out.
Point #1 – go online and check your transactions regularly.
Advice point #2: cancel any credit you don’t need. If you no longer use that old department store credit card, or gas company credit card, or credit card from that bank you no longer deal with, cancel it. If the card is cancelled, there is no way anyone can use it.
Personally, I believe that in a perfect world the ideal number of credit cards is zero, but since it’s difficult to book a hotel room or rent a car without one, my advice is to have at most two credit cards. Have one main one that you use for everything, and that’s the one you get your points or travel miles or rewards on, and have a second one as a back up, from a different lender. That way if your card is compromised, you have a back up card you can use while waiting for the new one to arrive.
Point #3 – keep your credit limits as low as possible. Just because the bank says you qualify for a $10,000 credit limit doesn’t mean you should accept the limit they suggest. If the most you ever spend is $2,000 in a month, like when you have to book plane tickets and a hotel for your vacation, get a card with a $3,000 or $5,000 limit. The lower the limit, the less risk for you.
Point #4 – where possible, get electronic copies of your statements, not paper copies in the mail. How hard would it be for someone to steal your mail? If they can, they now know your name, address, and credit card number. That’s not good.
Point #5 – this is obvious, but never share your PIN. That way, even if your card is stolen, it can’t be used at a chip reader machine.
But what do you do if you want to share your credit card with someone, like your spouse, or your child? Either get them a secondary card on your account, with a different card number, or apply for a new card that they can use, but with a small limit. So if your kid is going off to university and they need emergency access to credit, get them a card with a $500 limit, to minimize your risk.
Point #6 – only provide your social insurance number where required by law.
This is a big one. Your Social Insurance Number is a unique identifier for the federal government. They use it when you pay your taxes, or get unemployment insurance, or for your government pension or other government services.
The key point is that it is for use by the federal government, and no-one else.
So, when you open a savings account at the bank, the bank needs your social insurance number, because they have to report the interest you earn every year, so you can pay taxes on it. Makes sense.
So tell me this: when I buy a cellphone, why does the application form request my social insurance number?
What does a cellphone have to do with my taxes?
The answer, of course, is nothing, but the cellphone company wants it so when they do a credit check on you they are more likely to match you up correctly with your credit report.
Don’t give it to them. They don’t need it, and it’s not even lawful for them to ask for it.
The more people who know your social insurance number, the more likely it is that one of them will use that number to apply for credit in your name, so don’t give it out, unless it’s required by law.
Now those of you who are astute listeners will be saying “that’s all good advice, but checking my transactions on-line every few days won’t tell me if someone has stolen my identity and set up new credit in my name”.
That’s true; you don’t know to check your transactions on a card you don’t know exists.
So what can you do?
The obvious answer, and this is:
Point #7 – is that you should regularly get a copy of your credit report, and review it to see if there are any debts you don’t know about. Of course this a bit of a pain, because you have to go online, or phone, or fill out a form and mail it in, but it’s the only way to see what’s on your credit report.
The laws are different in each province, but for those of you who are listening to this podcast in Ontario, we have a law called the Consumer Reporting Act, and section 12 says that
Right of consumer to disclosure
- (1) Every consumer reporting agency shall, at the written request of a consumer and during normal business hours, clearly and accurately disclose to the consumer, without charge,
(a) the nature and substance of all information in its files pertaining to the consumer at the time of the request;
(b) the sources of credit information;
(c) the name and, at the option of the consumer reporting agency, either the address or telephone number of every person on whose behalf the file has been accessed within the three-year period preceding the request;
and shall inform the consumer of his or her right to protest any information contained in the file under sections 13 and 14 and the manner in which a protest may be made
The key point here is that, according to the law, there is no limit on how many times you can request a credit report, for free. I haven’t tried to get a credit report each month, but this may be a strategy to stay on top of your credit history.
We did call the Ministry of Government Services here in Ontario and they told us that you can only have your credit report for free once a year.
But we said, wait a minute, section 12 doesn’t say anything about once a year. The government employee said “well, I don’t know the specifics of that section, but I’ve attended a number of meetings where it has been discussed, and it was definitely limited to once a year.”
So, I don’t know who to believe: the written law, or the government employee that interprets the law.
I’d be interested to hear from listeners if you are denied a credit report if you request it more than once a year.
And yes, I realize that there are two main credit bureaus in Canada, so you could get your credit report from Equifax today, and then in six months get it from TransUnion, and then in another six months get it from Equifax again, so that way you are getting a credit report every six months, but that still means it’s six months before you realize there is a problem.
Point #8: There is another strategy you can use to protect yourself. Section 12.1 of the Act says that:
Alert to verify identity of consumer
12.1 (1) A consumer may require a consumer reporting agency to include, in the consumer’s file, an alert warning persons to verify the identity of any person purporting to be the consumer.
So, you could put an alert on your credit file requiring all lenders to verify your identity before giving you a loan.
How practical is this? I don’t know.
If you are planning to get a mortgage or car loan or new credit card in the near future, requiring the lender to verify your identity may slow down the credit granting process, so it may hurt you. I don’t know.
However, if you aren’t planning to borrow any money in the near future, this may be an extra level of protection for you.
Now of course there is a third option to protect yourself, but I’m reluctant to recommend it.
You can subscribe for alerts from Equifax.
Here’s the catch: the very people who exposed the data of 140 million Americans to hackers now wants to charge you $20 a month to tell you if there is any suspicious activity on your account.
What a great business? Put your information out there, and then charge you money to tell you if any of your information is out there!
Here’s the deal:
It costs $19.95 per month, and for that fee Equifax will give you alerts of any key changes to your Equifax credit file, and it gives you daily access to your credit score and credit report.
So is it worth paying $240 per year to find out if there are issues on your credit report?
I don’t know. That’s a question that only you can answer, but it certainly upsets me that I have to pay money to access my data.
Remember, you and I are the product, not the customer, so I’m not happy that I have to pay to see my data.
Think about it:
When you go to the gas station to buy gas, does the gas station charge you money to tell you if there is any gas in their tanks?
Of course not. Gas is the product; you pay to buy it; you don’t pay to find out if it’s there.
If my data is the product, why should I have to pay to see which of my data they have?
So those are my eight suggestions for how you can protect yourself.
Now let me tell you what I think the government should do.
Regular listeners to this podcast will know that I’m not a big fan of government rules and regulations. I find that they tend to just mess things up, rather than make things better.
However, in this case, I sign one form to apply for one credit card, and for the rest of my life all of my personal data is out there in the world for all to see, and there is nothing I can do to get it back. Even if I pay all of my debts, my information is still in the big computer in the sky.
Even if I pay off all of my debts, Equifax still has my name, address, birth date, employment history, and social insurance number, and that puts me at risk.So, here are my suggestions for changes to the law that I would like to see the government enact:
First, credit reporting agencies should be prohibited from having my social insurance number. They should not be allowed to report it on my credit report. They don’t need it, so eliminate it. That would make it slightly harder for hackers to steal my identity.
Second, since it’s my data, I should be allowed to access it whenever I want, for free. I realize that in the old days it was costly for Equifax and TransUnion to mail a copy of my credit report to me. They had to pay for the employee time to print the report, and the paper to print it on, and the stamp to send it.
But today, we have computers, so in theory there is virtually no cost to them providing on-line access to my data. Every consumer should have the right to access their data, online, as often as they want.
Since I’m a reasonable guy, I would agree that only my data would be available to me for free. So, data that Equifax calculates, like my credit score, would not be available to me for free. They could charge me for that data, and I could pay for it if I wanted it. That seems to me like a reasonable compromise.
Third, I think that as a consumer I should have the ability to create electronic alerts for myself, for free, so that whenever a new credit item appears on my credit report, or whenever anyone does a credit check on me, I will get an email or text alert. Again, this would all be done by computers so it wouldn’t cost Equifax that much, and it would give me greater protection.
In fact, I know that Equifax already has this technology, because they sell it to collection agents! A collection agency, or a bank, can put an alert on your file, so if they can’t find you, but then you apply for new credit or change your address or phone number, they get an alert, so they can resume collection activities against you.
Again, I realize that I am the product, not the customer, but since the technology exists, I think I should benefit from it.
Here’s the bottom line:
I realize that these suggestions I’m making will cost Equifax money, and they may make it more difficult for lenders to evaluate my credit worthiness.
But, Equifax violated my trust by exposing all of this secret data, so they are now going to have to suffer the consequences of their actions.
So, to conclude, here’s my advice:
To protect yourself:
- Review your credit card and other transactions at least once per week;
- Cancel any credit you no longer require;
- Keep your credit limits low;
- Get electronic copies of all statements, not paper copies;
- Only provide your Social Insurance Number where required by law;
- Request a copy of your full credit report as often as possible;
- Consider placing an alert on your credit report requesting that lenders verify your identity
And the government should do the following:
- Prohibit credit reporting agencies from having my social insurance number in their databases
- Allow consumers to access their data, for free, electronically, as often as they want, and
- Allow consumers to receive free electronic alerts whenever information on their credit report changes.
Will the government change the law? I don’t know, but if we don’t ask, it won’t happen. Regardless, there are things you can do to protect yourself, so you should take action now.
One final point: the world is changing, and changing fast. It’s likely the very concept of a credit bureau, a third party that is the guardian of our information, may not exist in the future. I assume that new technology will take their place. Perhaps banks will have facial recognition scanners in their branches to verify our identity, and perhaps block chain technology will be used to securely store our data.
Either way, I wouldn’t want to be Equifax right now.
That’s our show for today.
Full show notes, including a full transcript of today’s show and links to everything we talked about can be found at hoyes.com, that’s hoyes.com.
Thanks for listening, until next week, I’m Doug Hoyes, that was Debt Free in 30.