WASHINGTON, D.C. – U.S. Sen. Sherrod Brown (D-OH) – ranking member of the U.S. Senate Committee on Banking, Housing, and Urban Affairs – today demanded answers from Experian, the world’s largest credit monitoring firm, on actions the company is taking to address the recent security breach that exposed sensitive personal data of about 15 million T-Mobile customers.
In a letter, Brown called on Experian CEO Brian Cassin to explain how the company is addressing vulnerabilities to its data security systems and consumers’ financial information. Brown also requested information on the effectiveness of Experian's credit monitoring and identity resolution services, and how the breach of Experian's own systems will impact the advice the company provides to financial institutions.
“Experian has files on more than 220 million people. Protection of this information is of the utmost importance, especially because the scope of the information is vast and virtually no consumer can apply for credit without entering your system,” Brown wrote. “As we have seen repeatedly over the past few years, large companies are vulnerable to breaches of consumer information and the financial industry is a prime target for such attacks. I hope that your company takes meaningful steps to address vulnerabilities and to provide meaningful relief to those people whose privacy has been breached.”
Brown noted that Ohio and some other states charge consumers a fee to place a freeze on a credit report. He asked whether Experian has considered offering free credit freezes or any other additional relief to consumers.
“People should not have to pay any fees to prevent identity theft due to a breach by companies that have mishandled their information,” Brown wrote.
Brown also called on Experian to explain how the forced arbitration provision in its credit monitoring products will impact consumers. These clauses, often buried in the fine print of checking accounts, private student loans, credit cards, and other contracts, prevent consumers from taking companies to court or participating in class action lawsuits when a dispute arises. The Consumer Financial Protection Bureau (CFPB) issued a study in March that found that the rights of consumers nationwide are being limited by forced arbitration in the financial services industry. Last week, the CFPB announced that it will begin rulemaking to limit forced arbitration clauses.
Brown has urged the CFPB to eliminate the use of forced arbitration clauses. He is a cosponsor of the Arbitration Fairness Act of 2015, which would make forced arbitration agreements unenforceable in the case of employment, consumer, antitrust, or civil rights disputes.
The full text of the letter is as follows:
October 14, 2015
Brian Cassin
Chief Executive Officer
Experian
475 Anton Blvd.
Costa Mesa, CA 92626
Dear Mr. Cassin,
The safety and security of their financial data is an issue of great importance to every American. Earlier this month, we learned that the personal information of 15 million individuals from a server maintained at Experian was compromised. According to T-Mobile’s press release, this information included information such as name, address, birth date, and fields with social security number and ID number (such as driver’s license or passport number).[1] Experian has noted that it became aware of a breach on September 15, 2015, and that the breach covers any consumer who applied for T-Mobile postpaid services or products that required a credit check from September 1, 2013 through September 16, 2015.[2]
Experian has files on more than 220 million people. Protection of this information is of the utmost importance, especially because the scope of the information is vast and virtually no consumer can apply for credit without entering your system. To that end, please answer the following questions related to the data breach:
Thank you for your attention to this important consumer protection issue. As we have seen repeatedly over the past few years, large companies are vulnerable to breaches of consumer information and the financial industry is a prime target for such attacks. I hope that your company takes meaningful steps to address vulnerabilities and to provide meaningful relief to those people whose privacy has been breached. I look forward to hearing more about your plans to address my concerns.
Sincerely,
Sherrod Brown
Ranking Member
###