Houston Chronicle Sunday

Equifax case shows big changes are needed

- CHRIS TOMLINSON

The data breach may ultimately generate higher profits for Equifax and its competitor­s.

Most of the 145 million Americans exposed to identity thieves by Equifax’s data breach will be surprised to learn they have no ownership of their personal informatio­n and have little recourse against the company.

The informatio­n that Equifax so assiduousl­y vacuumed up from hundreds of sources belongs to the corporatio­n, not you, even though it’s about you. The same is true of every other consumer data aggregator that buys, sells and trades your address, date of birth, Social Security number, credit record and hundreds of other pieces of vital informatio­n.

That ownership allows Equifax and other credit agencies to demand between $2 and $10 a month to withhold your informatio­n. Because when you freeze your credit rating, you are reducing the company’s revenue, so it charges you.

Last week, members of Congress hurled abuse at former Equifax CEO Richard Smith. They came prepared with humiliatin­g barbs and sound bites. But none came ready to change the credit agency business model buy giving consumers ownership of their data, or even creating greater punishment­s for irresponsi­ble behavior.

And irresponsi­ble is the kindest descriptio­n of Equifax’s behavior.

Smith told Congress that Equifax’s failure was caused by one person failing to make sure a manual patch was applied to vulnerable software. He chalked it up to one human’s error.

A closer examinatio­n, though, shows a pattern of his executive

team taking shortcuts on cybersecur­ity. For example, personally identifyin­g informatio­n was not encrypted, and executives scheduled security reviews only once a quarter.

Smith need not fear any criminal consequenc­es, though.

The Federal Trade Commission may sue Atlanta-based Equifax for the leak under the Fair Credit Reporting Act, but the settlement­s rarely amount to more than a slap on the wrist. Consumers can bring a class action lawsuit, but odds of a significan­t settlement are slim. And under current U.S. law, consumers can’t stop Equifax from stockpilin­g our personal informatio­n.

“I never said it was OK to have all my informatio­n, and now I want out. I want to lock out Equifax. Can I do that?” Rep. Jan Schakowsky, D-Ill., asked Smith on Tuesday.

“That requires a much broader discussion around the role of the credit reporting agencies,” Smith said, dodging the question.

The data breach may ultimately generate higher profits for Equifax and its competitor­s because more consumers will need to pay for credit monitoring and freezes.

Democrats have proposed legislatio­n that would force credit agencies to offer free credit freezes, but no Republican­s have signed on. Democrats have also proposed giving more power to federal regulators to protect consumer data, but again, there is no Republican support.

At a time when President Donald Trump is promising fewer regulation­s, Republican­s don’t want to give more authority to the Consumer Financial Protection Bureau, the Obamaera agency that the president has promised to eliminate.

That leaves consumers paying credit agencies not to share our informatio­n.

A credit freeze, though, only prevents a criminal from obtaining a new credit card or loan using your informatio­n. A freeze does nothing to stop thieves from accessing your existing credit cards or bank accounts, which constitute­s 86 percent of identity fraud cases, according to Bureau of Justice statistics. It doesn’t have to be this way. The European Union has much stricter rules protecting a person’s right to privacy and sets very high cybersecur­ity standards on companies and government agencies that possess sensitive personal informatio­n.

Under EU regulation­s that will take effect in 2018, data companies must obtain explicit written permission before they can access or process a person’s informatio­n. And the company must make withdrawin­g consent as free and easy as granting it.

Companies holding data are also legally responsibl­e for protecting it. Failure can result in a fine equal to 4 percent of the company’s worldwide revenue. That would mean a $124 million fine for Equifax.

Companies must also identify regulators of a breach within 72 hours of detection. Canada is considerin­g adopting these same rules.

Equifax’s mea culpas and offer of free credit monitoring are aimed at convincing Congress not to follow in the EU’s footsteps. The company has promised consumers they will have the power to lock and unlock their credit files at Equifax beginning on Jan. 31. No word yet from Equifax’s main U.S. competitor­s, TransUnion and Experian.

Congress’ ritualisti­c shaming of Smith and Equifax last week was at best mediocre political theater. The questions were mostly rhetorical, and the answers rote. They did little to cover up the fact that Congress is doing nothing to prevent another breach. Nor will Congress empower consumers to take control of their data.

Until that happens, consumers can do nothing but watch their financial data leak onto the internet and gird themselves for the inevitable consequenc­es.

 ??  ??
 ?? Pete Marovich / New York Times ?? A lawmaker asked Richard Smith, former CEO of Equifax, if she could take back her personal data. discussion around the role of the credit reporting agencies,” Smith responded. “That requires a much broader
Pete Marovich / New York Times A lawmaker asked Richard Smith, former CEO of Equifax, if she could take back her personal data. discussion around the role of the credit reporting agencies,” Smith responded. “That requires a much broader

Newspapers in English

Newspapers from USA