December 13, 2019

In Bipartisan Letter, Senators Warren, Paul, and Wyden Ask Credit Reporting Agencies Equifax, Experian, and TransUnion for Transparency About Their Handling of FBI Requests for Consumer Financial Data

New Documents Show FBI Has Frequently Requested Sensitive Information from Credit Bureaus


Washington, D.C. - United States Senators Elizabeth Warren (D-Mass.), Rand Paul (R-Ky.), and Ron Wyden (D-Ore.) yesterday sent letters to the Chief Executive Officers of the three major credit reporting agencies—Equifax, Experian, and TransUnion—regarding the companies’ lack of transparency in their handling of consumer financial information requested through national security letters (NSLs) from the Federal Bureau of Investigation (FBI). The letters follow the recent release of documents gained via a Freedom of Information Act lawsuit indicating that the three credit reporting agencies have frequently been the recipients of such requests.

NSLs are akin to administrative subpoenas that require the recipient to divulge information that the FBI deems relevant to national security investigations, which in the case of the credit agencies can even include full credit reports. They do not require prior approval from a judge, and are frequently accompanied by nondisclosure orders preventing companies from notifying consumers that the company has received a letter.

Under the USA FREEDOM Act, companies that receive NSLs from the FBI may publish information about the volume of NSLs they receive and release redacted versions of the letters if and when the nondisclosure orders are lifted by the FBI. However, while dozens of technology and telecommunication companies have been transparent about their receipt and handling of NSLs, Equifax, Experian, and TransUnion have not.

“Because your company holds so much potentially sensitive data on so many Americans and collects this information without obtaining consent from these individuals, you have a responsibility to be transparent about how you handle that data,” wrote the senators in their letters. “Unfortunately, your company has not provided information to policymakers or the public about the type or the number of disclosures that you have made to the FBI.”

To gain a better understanding of the content that the credit reporting agencies share with the FBI, the senators asked the companies to answer a series of questions about their receipt, handling, and reporting of NSLs, and asked if the companies would follow the lead of their peers and release regular transparency reports about NSLs.

“American consumers deserve to know what happens to the data that your company collects, which can encompass all of the major financial relationships that a consumer might have over the course of their lifetime,” the senators continued.
The senators requested a response to their letter by December 20, 2019.

Senator Warren has led efforts in the Senate to protect consumer privacy, increase transparency and oversight, and hold consumer credit agencies accountable.

  • In the aftermath of the massive Equifax breach in 2017, Senator Warren released the first comprehensive review of over 20,000 consumer complaints received by CFPB in the wake of the breach and conducted a four-month long investigation that revealed how Equifax failed to protect the personal information belonging to millions of Americans. Afterward she worked with her colleagues to take numerous oversight actions, call for stronger protections, and in May 2019, she and the late Representative Elijah Cummings (D-Md.), then-Chairman of the House Committee on Oversight and Reform, reintroduced the bicameral Data Breach Prevention and Compensation Act to hold large credit reporting agencies accountable for data breaches involving consumer data.
  • In September 2019, Senator Warren raised concerns with the Federal Trade Commission (FTC) regarding reports that consumers who opted to receive $125 in compensation as a part of the Equifax breach settlement received suspicious-looking emails forcing them to complete additional, complicated steps in order to receive payments, which appeared designed to discourage applications. She later requested an investigation of FTC’s misleading Equifax settlement descriptions which did not advise consumers affected by the Equifax breach of the likely reduction of their settlement payments.
  • In August 2019, she raised questions with Capital One regarding a massive data breach that compromised sensitive personal information of over 100 million Capital One customers.
  • In October 2019, she and Senator Wyden drew attention to a vulnerability in Amazon Web Services associated with the Capital One breach; Amazon fixed the vulnerability weeks later.

###