CFA News

CFAnews Update – October 24, 2017

Consumers, Credit Unions Respond to Equifax Data Breach

Approximately 143 million American consumers were impacted by the massive data breach at Equifax. Names, addresses, Social Security numbers, birth dates, and driver’s license numbers were accessed. Hundreds of thousands of consumers also had their credit card numbers exposed. For consumers wondering what they can do, CFA’s Senior Fellow Rohit Chopra said they should consider, among other things, a security freeze.

“The best protection from many types of identity theft that can result from data breaches is to activate a security freeze,” said Chopra. But it comes with a price. “If you put a freeze on your credit file, prospective lenders, landlords, or employers won’t be able to access your credit report. If you – or a criminal – applies for a loan with your information, the lender will deny the application,” he said.

“But as the Federal Trade Commission explains in a blog about the Equifax breach, if you decide to freeze your credit file you’ll want to do it at all three of the major credit reporting agencies, and depending on the circumstances there may be a charge each time you set or lift it (though for a limited time, Equifax is allowing anyone who has a credit file there to freeze it at no charge),” said CFA’s Director of Consumer Protection and Privacy Susan Grant.

Allowing credit bureaus to charge people to freeze their credit files “isn’t right,” Grant said in a blog post. “The credit reporting agencies make lots of money from collecting and providing access to our personal information. Yes, we benefit from this – it wouldn’t be as easy to get credit, for instance, if lenders couldn’t easily check whether we have a history of paying our bills on time. We ought to be able to control access to our personal information, however, without having to pay for the privilege.”

About a month after Equifax announced the data breech, small financial institutions filed class action lawsuits against Equifax to recover financial harms related to the breach. The first lawsuit, led by Summit Credit Union, details the significant financial costs that will be incurred by small financial institutions due to the Equifax breach. The second lawsuit, led by Bank of Louisiana, Aventa Credit Union, and First Choice Federal Credit Union, alleges that Equifax violated federal law.

“By teaming up with others, credit unions stand a better shot at taking on a big company that harmed them,” said CFA’s Director of Advocacy Outreach Michael Best in a press statement. “Unfortunately, consumers are often thwarted from the same opportunity to be heard in front of a jury of their peers.”

Following Death of Another Child, CFA Demands Effective Action from IKEA and CPSC

An investigation by the Philadelphia Inquirer has identified another child killed by a recalled IKEA Malm dresser tipping over, prompting CFA and other consumer groups to call on IKEA and the U.S. Consumer Product Safety Commission (CPSC) to take effective action to prevent more families from losing children as a result of unstable dressers. “The disclosure of this most recent IKEA dresser death reinforces the dire need for IKEA and the CPSC to make this recall significantly more effective. The status quo is not acceptable,” said CFA Legislative Director Rachel Weintraub.

In May 2017, a two-year-old California boy died when an IKEA Malm dresser in his bedroom fell over, crushing him. His is the most recent of eight deaths and at least 36 injuries caused by IKEA dressers which were recalled in June 2016. The recall came after a year-long education campaign about their dangers, and continued pressure from consumers groups, including CFA, for CPSC to take stronger action against the danger posed by the dressers.

CFA, the American Academy of Pediatrics, Consumers Union, Kids In Danger, the National Center for Health Research, Public Citizen, Shane’s Foundation, and U.S. PIRG released a joint statement reacting to the latest death, and calling on IKEA and CPSC to amplify their efforts to promote awareness of the recall and reach out to affected consumers.

“From the delay in issuing a recall to lackluster efforts by IKEA to fully communicate the hazard and the recall to the public – relying instead on soft messages on securing any and all furniture – this death highlights the risks to children of tip-over incidents. Companies must be held accountable for their products’ safety and the CPSC must be strong enough to force companies to take action in ways that successfully get recalled products out of homes,” the groups stated.

According to records IKEA filed with CPSC, as of January 1, 2017 only three percent of the recalled dressers have been repaired or returned. In August 2016, CFA and other groups urged IKEA to increase transparency and share critical recall data and related internal records. As recently as this past July, some groups marked the anniversary of the recall with a call to improve its effectiveness. These groups have also reiterated the importance of the recall through an ongoing social media campaign.

VA Backs Down from Ethics Waiver Proposal After Objections from Consumer and Veterans Groups

The Department of Veterans Affairs (VA) announced last month that it intends to waive ethics requirements for VA employees who own stock and accept payments from for-profit colleges participating in GI Bill programs. The National Consumer Law Center (on behalf of its low-income clients), U.S. PIRG, and CFA, wrote to the VA objecting to this proposal. Soon after the filing of the comment letter, the Department withdrew the proposal.

The groups noted that, since a 1950 report to Congress from the Veterans’ Administration (the predecessor to the Department of Veterans Affairs), for-profit universities continue to raise concerns as documented by the investigations of the Government Accountability Office in the for-profit sector. “Given these ongoing concerns, it is critical that we continue to safeguard against a college using any affiliation with the Department of Veterans Affairs in an effort to burnish its own credentials in serving veterans,” said the group. “At the same time, no employee of the Department should be profiting from an affiliation with institutions accepting federal funds, pursuant to this federal statute.”

The groups stated other federal agencies are routinely prohibited from financial interests in companies regulated by the industry. “We acknowledge that there may be some legitimate waivers for a narrow set of employees,” the groups said. “However, these should be done on a case-by-case basis and appropriately documented to ensure that any employee receiving the waiver is completely segregated from communicating about any potential matter related to veterans’ education benefits. The notice published in the Federal Register fails to acknowledge this valid alternative.”

The Trump Administration announced that it would be withdrawing the proposal and determining next steps.

Smartwatches Used to Safeguard Children Could Put Them at Risk

CFA is calling on the Federal Trade Commission (FTC) to open an investigation of smartwatches for children after the Norwegian Consumer Council issued a report citing serious  privacy and security concerns that can put young children at risk.

Smartwatches allow parents to use an app on their smartphones to keep in touch with their children and track their locations, which parents may view as a safety feature. Three of the four watches that the Norwegian group and an independent security firm examined, along with accompanying apps, are available in the U.S. market. They are the Caref/Gator, SeTracker/Wonlex, and Tinitell.

CFA, in a joint letter with the Electronic Privacy Information Center, the Center for Digital Democracy, the Campaign for a Commercial-Free Childhood, Consumers Union, Public Citizen, and U.S. PIRG, pointed out a number of problems posed by these watches. These products may not be in compliance with the Children’s Online Privacy Protection Act (COPPA), which the FTC enforces. Possible COPPA violations include failing to provide clear information about what personal data is collected and how it is used, failing to obtain parental consent before collecting and using children’s personal data, transmitting unencrypted children’s location data, neglecting to promise to notify users of changes to terms of service, and making it impossible for users to delete their data from the service.

“We recognize that the FTC has done much to extend privacy protections for children and is also aware of the risks of Internet-connected devices. But the development of these products is accelerating and with little regulatory oversight, the risks to children are increasing,” warned the groups.

Furthermore, as the Norwegian report describes, hackers could take control of some of the apps, which would enable them to access children’s locations and personal details, and even contact them directly. In addition, some of the key features such as an SOS button that alerts parents when their children need help, and a geofencing function that sends alerts when the child enters or leaves a designated area, may not work reliably.

“It is ironic that products that are designed to protect children may actually put them in peril and give their parents a false sense of security,” said Susan Grant, CFA Director of Consumer Protection and Privacy. “We’re asking the Federal Trade Commission to look into these problems immediately and we want to send a strong message to manufacturers that they shouldn’t be putting products in the market that jeopardize kids’ privacy and safety.”