Pittsburgh Post-Gazette

How the CFPB should respond to Equifax

- An editorial from Bloomberg View

In the worst possible way, the monumental data breach at Equifax — involving the names, addresses and Social Security numbers of some 143 million people — draws attention to a long-neglected gap in the U.S. system of financial oversight. The Consumer Financial Protection Bureau ought to take the lead in putting this right.

The three big U.S. credit reporting companies — Equifax, Experian and TransUnion — have an unusual combination of power and lack of accountability. They dominate the business of collecting information on consumers, influencing everything from who gets jobs to how much interest people pay on mortgages. But they’re not answerable to those consumers; they primarily serve the banks and other customers that buy their products. As a result, they lack strong incentives to invest in keeping sensitive data secure or to fix mistakes that can ruin people’s lives.

Granted, keeping data secure is difficult, and Equifax is hardly the first company to let people down in this fashion. Also, it’s too soon to know how the breach happened, whether the company was negligent and what kinds of additional defenses could have made a difference. But it isn’t too soon to say that the credit reporting companies need more rigorous oversight.

Over the years, U.S. authorities have acknowledged the problem. The Fair Credit Reporting Act, the Federal Trade Commission, the CFPB and state attorneys general have all pushed the companies to reduce errors and be more responsive to consumer complaints. As often happens, though, multiple regulators with overlapping responsibilities are collectively ineffective — and issues still abound.

The threat of lawsuits doesn’t provide much discipline, either. Although the FCRA allows for civil liability, it’s hard to link the companies’ failures to specific harm — and the Supreme Court recently raised the bar. Who, for example, will be able to prove that the Equifax hack led directly to the misuse of their data?

Equifax’s lamentable management of its hacking crisis illustrates how badly skewed its incentives still are. Criminals made off with enough information to steal the identities of millions of Americans, yet the company has shown astonishingly little concern for the people affected. The website it set up could not reliably indicate whose data had been stolen. It initially demanded that consumers waive their right to sue in return for “free” credit monitoring (which would convert into a paid service after one year).

Ideally, Congress would respond with new legislation to give the CFPB clearer authority to police the companies. It could even opt for a more utility-like approach, allowing the CFPB to cap profits until they meet benchmarks for accuracy and privacy. But the companies spend heavily on lobbying, and it would be unwise to rely on Congress: On the day Equifax announced the breach, the House Financial Services Committee was considering legislation to reduce its legal liability.

Rather than waiting for new legislation, the regulators should do more with the powers they already have. Under FCRA, the CFPB can penalize companies for failing to make “reasonable” efforts to keep sensitive information out of the wrong hands. The bureau should thoroughly investigate whether such efforts were made and demand strong remedies for any transgressions. If it takes the lead in this, the CFPB can set a new standard for the firms’ protection of financial data.
