Equifax case shows big changes are needed

Houston Chronicle Sunday - BUSINESS - CHRIS TOMLINSON

Most of the 145 million Americans exposed to identity thieves by Equifax’s data breach will be surprised to learn they have no ownership of their personal information and have little recourse against the company.

The information that Equifax so assiduously vacuumed up from hundreds of sources belongs to the corporation, not you, even though it’s about you. The same is true of every other consumer data aggregator that buys, sells and trades your address, date of birth, Social Security number, credit record and hundreds of other pieces of vital information.

That ownership allows Equifax and other credit agencies to demand between $2 and $10 a month to withhold your information. Because when you freeze your credit rating, you are reducing the company’s revenue, so it charges you.

Last week, members of Congress hurled abuse at former Equifax CEO Richard Smith. They came prepared with humiliating barbs and sound bites. But none came ready to change the credit agency business model by giving consumers ownership of their data, or even creating greater punishments for irresponsible behavior.

And irresponsible is the kindest description of Equifax’s behavior.

Smith told Congress that Equifax’s failure was caused by one person failing to make sure a manual patch was applied to vulnerable software. He chalked it up to one human’s error.

A closer examination, though, shows a pattern of his executive team taking shortcuts on cybersecurity. For example, personally identifying information was not encrypted, and executives scheduled security reviews only once a quarter.

Smith need not fear any criminal consequences, though.

The Federal Trade Commission may sue Atlanta-based Equifax for the leak under the Fair Credit Reporting Act, but the settlements rarely amount to more than a slap on the wrist. Consumers can bring a class action lawsuit, but odds of a significant settlement are slim. And under current U.S. law, consumers can’t stop Equifax from stockpiling our personal information.

“I never said it was OK to have all my information, and now I want out. I want to lock out Equifax. Can I do that?” Rep. Jan Schakowsky, D-Ill., asked Smith on Tuesday.

“That requires a much broader discussion around the role of the credit reporting agencies,” Smith said, dodging the question.

The data breach may ultimately generate higher profits for Equifax and its competitors because more consumers will need to pay for credit monitoring and freezes.

Democrats have proposed legislation that would force credit agencies to offer free credit freezes, but no Republicans have signed on. Democrats have also proposed giving more power to federal regulators to protect consumer data, but again, there is no Republican support.

At a time when President Donald Trump is promising fewer regulations, Republicans don’t want to give more authority to the Consumer Financial Protection Bureau, the Obama-era agency that the president has promised to eliminate.

That leaves consumers paying credit agencies not to share our information.

A credit freeze, though, only prevents a criminal from obtaining a new credit card or loan using your information. A freeze does nothing to stop thieves from accessing your existing credit cards or bank accounts, which constitutes 86 percent of identity fraud cases, according to Bureau of Justice statistics.

It doesn’t have to be this way. The European Union has much stricter rules protecting a person’s right to privacy and sets very high cybersecurity standards on companies and government agencies that possess sensitive personal information.

Under EU regulations that will take effect in 2018, data companies must obtain explicit written permission before they can access or process a person’s information. And the company must make withdrawing consent as free and easy as granting it.

Companies holding data are also legally responsible for protecting it. Failure can result in a fine equal to 4 percent of the company’s worldwide revenue. That would mean a $124 million fine for Equifax.

Companies must also notify regulators of a breach within 72 hours of detection. Canada is considering adopting these same rules.

Equifax’s mea culpas and offer of free credit monitoring are aimed at convincing Congress not to follow in the EU’s footsteps. The company has promised consumers they will have the power to lock and unlock their credit files at Equifax beginning on Jan. 31. No word yet from Equifax’s main U.S. competitors, TransUnion and Experian.

Congress’ ritualistic shaming of Smith and Equifax last week was at best mediocre political theater. The questions were mostly rhetorical, and the answers rote. They did little to cover up the fact that Congress is doing nothing to prevent another breach. Nor will Congress empower consumers to take control of their data.

Until that happens, consumers can do nothing but watch their financial data leak onto the internet and gird themselves for the inevitable consequences.

Pete Marovich / New York Times

A lawmaker asked Richard Smith, former CEO of Equifax, if she could take back her personal data. “That requires a much broader discussion around the role of the credit reporting agencies,” Smith responded.
