Friday, September 22, 2017

Equifax hack: Time to get rid of credit bureaus?

You probably heard that Equifax suffered the worst hack in its history. Hackers viewed or stole the private personally identifiable information of approximately 143 million adult Americans. I am talking about your name, your maiden name if applicable, your address, your date of birth, city and state of birth, your income, your previous addresses, and of course your social security number. Equifax not only failed to secure this critical information but also some Equifax big shots allegedly sold Equifax stock after they discovered the hack but before the news became public. And Equifax took its sweet time before informing the public. Two corporate officers have retired but other than that Equifax or its principals haven't suffered any legal criminal or civil penalties. It's unclear as to exactly how much Equifax or its two other primary competitors, Experian and TransUnion CAN be regulated or fined. They theoretically fall under the bailiwick of the FTC and the Consumer Financial Protection Bureau but neither of those organizations have the power to impose harsh penalties. And the current Administration is not exactly known for its belief in keeping a short leash on corporate behavior. Nevertheless this is such a horrible breach that the various states and the FBI are reviewing what happened.

In the online age some have become blase about sharing personal information but this incident could change that. Individual consumers never handed over their information to credit bureaus. It was their employers, insurance companies, banks and/or creditors who did that. This data could be a jackpot for criminals around the world. There is literally no end of mischief someone can get up to if they have all of your personal information. 

Someone could claim unemployment and/or disability in your name. That happened to me once. Someone could take (and exaggerate) your federal income tax refund, causing you to attract unwelcome IRS attention. A shady doctor/dentist/insurance company could list you as a patient and claim payment from Medicare/Medicaid. Someone could open up credit in your name and go on a borrowing and spending spree that they never need pay back.

A person could use your information to work legally in the United States. A terrorist might use your information to claim that he is you and thus able to enter the US. A violent felon seeking to avoid longer incarceration could use your name as identification. Though fingerprinting would presumably eventually expose the deceit, in the meantime you could get an arrest record or jail term. You could owe tickets in places that you've never been. And so on. Most bureaucracies are not eager or adept in rectifying mistakes. In short this breach could cause some big problems. Or not. We just don't know. Equifax hasn't publicly detailed the damage.

I believe that people respond to incentives. I usually avoid speeding because I don't want to risk interactions with the police. I don't want to pay hundred dollar tickets and get higher insurance rates. But Equifax and its sister companies have the reasonable belief that the law can't really touch them, that they will pay no cost for their failings. Maybe we need to change that risk calculation.

Because of lax security at Equifax, one of the three major credit reporting companies, the private financial and personal details of as many as 143 million Americans have been exposed to hackers. We still don’t know what the full ramifications will be; the people who took this information — which includes birth dates, Social Security numbers and addresses — could hold on to it for as long as they want and deploy it in years to come.
Many consumers have scrambled to try to protect themselves. To anyone who tried to get through to Equifax customer service, though, it became clear: The company does not care about us. Months before the hack itself, Equifax could easily have patched the hole in its system that hackers exploited, but it simply didn’t.

That’s because we are not the customers of credit reporting companies, but the product. These private institutions hoover up our data, often without our knowledge and consent, and then sell it off to banks, landlords and even prospective employers. The companies rake in some $10 billion in revenue every year. They wield enormous power to ruin our lives — if not through a data breach, then through errors on our credit reports. One in four consumers has an error on his credit report that could affect his scores, yet it can be very difficult to correct the record. 

Although they call themselves bureaus, there is nothing governmental about what these private companies do. We let them take on a role that can have outsize consequences. And the free market doesn’t work here, because none of us can refuse to be a part of this system and opt out if we don’t like how we’re being treated. There’s no legal right to ask Equifax to remove your data from its registries or to stop it from getting more in the future. Why should we continue to allow private companies to make money from us while ignoring our needs? Let’s nationalize Equifax and the other two major credit reporting companies, Experian and TransUnion. We could follow other countries’ example and hand the duty of tracking our financial histories over to a public registry instead of a private profiteer.

The United States government is, of course, not impervious to data breaches, nor does it have a perfect track record of fending them off. In 2015, it announced that hackers had stolen “sensitive information” on 21.5 million people. But the government is at least accountable to public pressure. Equifax never will be, even under the tightest regulation. Credit bureaus have proved to be complete failures at safeguarding the public. Let’s demand we get our data back.


So what do you think? What would your solution be to this issue? Should people go to prison? Are lawsuits enough to make Equifax take security more seriously? Should society move away from using Social Security numbers for anything outside of Social Security functions? Are you ready to think about nationalizing a private company because of an egregious mistake? Should the government be able to do that? Are you worried about the possibility of identity theft? Did you place a freeze on your credit records?

Speak up!

blog comments powered by Disqus