WASHINGTON, D.C. – U.S. Sen. Sherrod Brown (D-OH) – ranking member of the U.S. Senate Committee on Banking, Housing, and Urban Affairs – today demanded answers from Experian, the world’s largest credit monitoring firm, on actions the company is taking to address the recent security breach that exposed sensitive personal data of about 15 million T-Mobile customers.

In a letter, Brown called on Experian CEO Brian Cassin to explain how the company is addressing vulnerabilities to its data security systems and consumers’ financial information. Brown also requested information on the effectiveness of Experian's credit monitoring and identity resolution services, and how the breach of Experian's own systems will impact the advice the company provides to financial institutions.

“Experian has files on more than 220 million people. Protection of this information is of the utmost importance, especially because the scope of the information is vast and virtually no consumer can apply for credit without entering your system,” Brown wrote. “As we have seen repeatedly over the past few years, large companies are vulnerable to breaches of consumer information and the financial industry is a prime target for such attacks. I hope that your company takes meaningful steps to address vulnerabilities and to provide meaningful relief to those people whose privacy has been breached.”

Brown noted that Ohio and some other states charge consumers a fee to place a freeze on a credit report. He asked whether Experian has considered offering free credit freezes or any other additional relief to consumers.

“People should not have to pay any fees to prevent identity theft due to a breach by companies that have mishandled their information,” Brown wrote.   

Brown also called on Experian to explain how the forced arbitration provision in its credit monitoring products will impact consumers. These clauses, often buried in the fine print of checking accounts, private student loans, credit cards, and other contracts, prevent consumers from taking companies to court or participating in class action lawsuits when a dispute arises. The Consumer Financial Protection Bureau (CFPB) issued a study in March that found that the rights of consumers nationwide are being limited by forced arbitration in the financial services industry.  Last week, the CFPB announced that it will begin rulemaking to limit forced arbitration clauses.

Brown has urged the CFPB to eliminate the use of forced arbitration clauses. He is a cosponsor of the Arbitration Fairness Act of 2015, which would make forced arbitration agreements unenforceable in the case of employment, consumer, antitrust, or civil rights disputes.

The full text of the letter is as follows:

October 14, 2015

Brian Cassin

Chief Executive Officer

Experian

475 Anton Blvd.

Costa Mesa, CA 92626

Dear Mr. Cassin,

The safety and security of their financial data is an issue of great importance to every American.  Earlier this month, we learned that the personal information of 15 million individuals from a server maintained at Experian was compromised.  According to T-Mobile’s press release, this information included information such as name, address, birth date, and fields with social security number and ID number (such as driver’s license or passport number).[1]  Experian has noted that it became aware of a breach on September 15, 2015, and that the breach covers any consumer who applied for T-Mobile postpaid services or products that required a credit check from September 1, 2013 through September 16, 2015.[2]

Experian has files on more than 220 million people.  Protection of this information is of the utmost importance, especially because the scope of the information is vast and virtually no consumer can apply for credit without entering your system.  To that end, please answer the following questions related to the data breach:

  • What systems and policies do you have in place to protect the consumer financial information that you have?  What additional steps, if any, will you take to address data security weaknesses revealed by the data breach?
  • Is Experian a member of information sharing organizations like Financial Services Information Sharing and Analysis Center?  If so, when did Experian share information related to the breach through these forums?  Are you aware of any similar activity at other companies?
  • Experian has offered two free years of its own credit monitoring and identity resolution services, including ProtectMyID.  Experian also offers these types of services for purchase as part of its business.  What research have you conducted on the effectiveness of these products in preventing identity theft or unauthorized credit? 
  • The Payment Card Industry (PCI) Security Standards Council sets minimum security standards, known as the PCI Security Standards, for merchants who accept credit cards.  Is your company compliant with the PCI Security Standards?  If you are compliant, why did the standards not prevent the data breach?  If you are not compliant, please identify which standards you did not meet.
  • Recent reports indicate that Experian’s T-Mobile customer information had been breached before, possibly as early as December 2013.  Can you provide more information about previous breaches and what may have been done to address earlier weaknesses?
  • Unlike credit monitoring, which informs a consumer after the fact that their information has been illegally used to obtain credit, a credit freeze will prevent misuse of consumer information.  In my home state of Ohio, the fee for placing a security freeze on a credit report is $5, but I understand that other states may permit higher fees.  People should not have to pay any fees to prevent identity theft due to a breach by companies that have mishandled their information.  Have you considered offering any additional relief to consumers impacted by this data breach, such as free credit freezes?    
  • Experian has a mandatory arbitration provision in its credit monitoring agreement for the affected individuals, as well as for other consumers of its credit monitoring products.  As the CFPB has noted in a recent report, arbitration clauses can act as a barrier to class actions and many people would benefit from class action settlements.[3]  How does this arbitration clause affect consumers seeking redress in this breach, including on a class basis?
  • Your company also provides a product, Experian Data Breach Resolution, which has “handled thousands of incidents and supported Fortune 500 companies and mid-size companies in nearly every industry, including government, health care, financial, entertainment, and education.” The product is a “turn-key solution” to “discreetly handle each breach of data,” including notification and fraud resolution.  Please provide additional information about what services you provide to financial institutions, including your role in handling notification and advising financial institutions on how to react to data breaches.  How will the breach of your own systems impact the advice that you provide to financial institutions?

Thank you for your attention to this important consumer protection issue.  As we have seen repeatedly over the past few years, large companies are vulnerable to breaches of consumer information and the financial industry is a prime target for such attacks.  I hope that your company takes meaningful steps to address vulnerabilities and to provide meaningful relief to those people whose privacy has been breached.  I look forward to hearing more about your plans to address my concerns.

Sincerely,

Sherrod Brown

Ranking Member

###