On Sept. 7, Equifax—one of America’s largest credit reporting agencies—disclosed that hackers had broken into its system and stolen highly personal information about more than 140 million Americans.
Since then, I’ve heard from working families in Massachusetts and across the country. The Equifax hack is a nightmare. At best, it’s a giant hassle—time on hold with the credit reporting agencies, fees for this service and that service, confusion about what’s been stolen and what to do about it. At worst, it could be ruinous—a lifetime of responsible spending and borrowing wiped out by identity theft and fraud.
People are outraged. They should be.
More from FORTUNE
It’s bad enough that Equifax was so sloppy that it let hackers into its system, but the company’s response to the hack has been even worse. First, it hid the breach from consumers for more than a month. When it finally came clean, it failed to directly inform people about whether their information had been stolen, instead directing them to its website.
The website was confusing, but it was crystal clear on one thing: Everyone should sign up for a free year of Equifax’s credit monitoring service called TrustedID Premier. But there was a catch: To sign up, consumers had to sign an arbitration clause that would give up their right to go to court if they had any future dispute with Equifax. In addition, if consumers didn’t cancel the service before the end of the free year, they would automatically be charged after that.
After much public shaming, Equifax backed up on some terms, but not before demonstrating that its first instinct was to gouge consumers and profit off the hack of its own system.
The Equifax hack has highlighted the strange role credit reporting agencies like Equifax play in our financial system. Banks and other big companies feed agencies like Equifax information about every major financial transaction we make. Every day, the credit reporting agencies package that information and sell it to other people. Sometimes it’s people you know about—like a landlord or a potential mortgage lender—but a lot of the time it’s people you’ve never heard of who are trying to sell you a new credit card, a gym membership, or a Caribbean cruise.
Companies like Equifax are making billions of dollars a year collecting, sharing, and selling highly personal information about you—all without your explicit permission or without paying you a penny.
It’s time for all of us to reclaim control over our own data. That’s why I partnered with Sen. Brian Schatz (D-Hawaii) and 11 other colleagues to introduce the Freedom from Equifax Exploitation Act, or FREE Act.
The FREE Act allows every consumer to freeze and unfreeze their credit file for free. A freeze is like a “Do Not Call” list for your credit information. When your file is frozen, no one can access your data, and the credit reporting agency can’t sell it either. It’s partially about security—if your file is frozen, hackers who might have stolen your personal information can’t open credit cards or take out loans in your name. But giving you the right to freeze and unfreeze your file for free is also an easy way to give you back some control over your data.
The basic idea is simple: Equifax and the other credit reporting agencies don’t pay you when they sell your data. You shouldn’t have to pay to stop them from selling it.
Second, our bill requires any credit-reporting agency to fully and automatically refund your money if it charged you for a credit freeze after the Equifax breach. No one in the industry should profit from this hack.
Third, the legislation gives consumers access to a free credit report if they request a credit freeze, in addition to the free credit report that every American is entitled to every year. If people have already received their free credit report for the year, they shouldn’t have to pay for another one to check on their credit after the Equifax breach.
Finally, the bill gives consumers whose personal data has been compromised access to fraud alerts. Fraud alerts are red flags in your credit report to alert whoever is looking at it that they should carefully verify your identity. The FREE Act also makes fraud alerts longer and prevents the credit-reporting agencies from selling the data in your files while they are in effect.
This bill certainly doesn’t fix all the problems in the credit-reporting industry. Congresswoman Maxine Waters has introduced comprehensive legislation to reform the credit reporting industry, and it deserves a close look. I’ve also launched an investigation, and, in the upcoming weeks, I will be gathering more information from Equifax, the other credit reporting agencies, federal regulators, and legal experts with an eye toward fixing this broken industry.
In the meantime, I’m fighting for Congress to pass the FREE Act as soon as possible. It’s time for consumers to have control over their personal information and credit data—starting now.
Elizabeth Warren is a United States senator from Massachusetts.