Equifax case shows big changes are needed
The data breach may ultimately generate higher profits for Equifax and its competitors.
Most of the 145 million Americans exposed to identity thieves by Equifax’s data breach will be surprised to learn they have no ownership of their personal information and have little recourse against the company.
The information that Equifax so assiduously vacuumed up from hundreds of sources belongs to the corporation, not you, even though it’s about you. The same is true of every other consumer data aggregator that buys, sells and trades your address, date of birth, Social Security number, credit record and hundreds of other pieces of vital information.
That ownership allows Equifax and other credit agencies to demand between $2 and $10 a month to withhold your information. When you freeze your credit rating, you reduce the company’s revenue, so it charges you for the privilege.
Last week, members of Congress hurled abuse at former Equifax CEO Richard Smith. They came prepared with humiliating barbs and sound bites. But none came ready to change the credit agency business model by giving consumers ownership of their data, or even creating greater punishments for irresponsible behavior.
And irresponsible is the kindest description of Equifax’s behavior.
Smith told Congress that Equifax’s failure was caused by one person failing to make sure a manual patch was applied to vulnerable software. He chalked it up to one human’s error.
A closer examination, though, shows a pattern of his executive team taking shortcuts on cybersecurity. For example, personally identifying information was not encrypted, and executives scheduled security reviews only once a quarter.
Smith need not fear any criminal consequences, though.
The Federal Trade Commission may sue Atlanta-based Equifax for the leak under the Fair Credit Reporting Act, but the settlements rarely amount to more than a slap on the wrist. Consumers can bring a class action lawsuit, but odds of a significant settlement are slim. And under current U.S. law, consumers can’t stop Equifax from stockpiling our personal information.
“I never said it was OK to have all my information, and now I want out. I want to lock out Equifax. Can I do that?” Rep. Jan Schakowsky, D-Ill., asked Smith on Tuesday.
“That requires a much broader discussion around the role of the credit reporting agencies,” Smith said, dodging the question.
The data breach may ultimately generate higher profits for Equifax and its competitors because more consumers will need to pay for credit monitoring and freezes.
Democrats have proposed legislation that would force credit agencies to offer free credit freezes, but no Republicans have signed on. Democrats have also proposed giving more power to federal regulators to protect consumer data, but again, there is no Republican support.
At a time when President Donald Trump is promising fewer regulations, Republicans don’t want to give more authority to the Consumer Financial Protection Bureau, the Obama-era agency that the president has promised to eliminate.
That leaves consumers paying credit agencies not to share our information.
A credit freeze, though, only prevents a criminal from obtaining a new credit card or loan using your information. A freeze does nothing to stop thieves from accessing your existing credit cards or bank accounts, which constitutes 86 percent of identity fraud cases, according to Bureau of Justice Statistics figures.
It doesn’t have to be this way. The European Union has much stricter rules protecting a person’s right to privacy and sets very high cybersecurity standards on companies and government agencies that possess sensitive personal information.
Under EU regulations that will take effect in 2018, data companies must obtain explicit written permission before they can access or process a person’s information. And the company must make withdrawing consent as free and easy as granting it.
Companies holding data are also legally responsible for protecting it. Failure can result in a fine equal to 4 percent of the company’s worldwide revenue. That would mean a $124 million fine for Equifax.
Companies must also notify regulators of a breach within 72 hours of detection. Canada is considering adopting these same rules.
Equifax’s mea culpas and offer of free credit monitoring are aimed at convincing Congress not to follow in the EU’s footsteps. The company has promised consumers they will have the power to lock and unlock their credit files at Equifax beginning on Jan. 31. No word yet from Equifax’s main U.S. competitors, TransUnion and Experian.
Congress’ ritualistic shaming of Smith and Equifax last week was at best mediocre political theater. The questions were mostly rhetorical, and the answers rote. They did little to cover up the fact that Congress is doing nothing to prevent another breach. Nor will Congress empower consumers to take control of their data.
Until that happens, consumers can do nothing but watch their financial data leak onto the internet and gird themselves for the inevitable consequences.