The data breach at Equifax kicked over a rock on a little-known but very powerful industry. It has control over most people’s financial lives. Will Congress do more than vent outrage?
I lead a rich fantasy life. Among my more subversive daydreams is going off the grid: Returning to a hefty Franklin Planner for calendar and contacts, doing all correspondence on paper and commercial transactions in person, with a human.
But it’s too late. The digital beast has slipped its leash. It has us as prisoners, thanks to convenience and amazing frippery. It has our data. And the governmental regulation to give us a modicum of safety is clearly far behind.
With that comes risks that were unimagined when, say, many of us were setting up those Yahoo email accounts back in the 1990s.
As it turns out, hackers breached all 3 billion Yahoo accounts in 2013. The company was, let us say, apparently laid-back about disclosing the full extent of the disaster to Verizon when the telecom giant acquired it in July.
It is the largest data theft in history, but far from an outlier.
What consumers need to know about the Equifax data breach
- Five data-security ideas brought up during the Equifax hearing
- Equifax: 2.5 million more Americans may be affected by hack (Oct. 2, 2017)
- Equifax just changed the rest of your life | Liz Weston
- Washingtonians: Here’s how much it costs to freeze your credit after Equifax breach
- Getting up to speed on the Equifax data breach scandal that exposed 143 million people
- The Equifax breach: What you should do about it
- How to fix identity-theft issues posed by the Equifax hack
- Equifax may end up paying just $1 per customer in data-breach settlement
- CEO steps down after Equifax data breach; still likely to get $18M retirement package
- Equifax made data security a sales pitch, and that approach amplified the consequences of the breach
- Who will monitor the credit monitors? | Jon Talton
Among the biggest: 145 million customer accounts at eBay in 2014; more than 76 million households and 7 million small businesses at JPMorgan Chase the same year; 80 million patient and employee records at Anthem in 2015; 360 million accounts at MySpace, disclosed this year.
Even Whole Foods, recently acquired by Amazon, disclosed last month that customer-payment information had been hacked. If you can’t trust your pricey organic grocer, who can you trust?
The most notorious breach is Equifax, which reported in September that as many as 143 million people might be affected.
This is no ordinary cybercrime or company. Equifax, along with Experian and TransUnion, operates in a unique niche in credit-dependent America. It compiles financial information on people, turning it into a credit score, which is essential in everything from getting a loan or a job to qualifying for an apartment lease and landing an insurance policy.
You don’t have a choice, either in giving up your information or, in many cases, its necessity for navigating life. The credit-reporting industry, which sells the information to lenders and others, has quietly assumed a commanding height over most people’s lives. It is also very underregulated.
At Equifax, hackers got names, Social Security numbers, birth dates and addresses, which they can sell to criminals or otherwise exploit. Fake loans or credit cards could be taken out in your name, for example, wrecking your credit score.
“This is the nightmare scenario — all four pieces of information in one place,” John Ulzheimer, a credit specialist and former manager at Equifax, told The Wall Street Journal.
Three company executives sold shares after the breach was discovered but before the news was disclosed.
Also, Equifax sells security products, so it might even profit from the affair. It charged people who sought to freeze their accounts after the breach was divulged (and has since said it will refund those fees — we’ll see). It also requires “forced arbitration” in those cases, meaning the injured citizens give up their right to sue the company.
This past week, scandal turned to farce as the former CEO of Equifax was “grilled” before congressional committees.
The honorables of both parties displayed much outrage. Some of it was even sincere.
But the scrutiny didn’t stop the company from being awarded a $7.25 million no-bid contract from the feds to provide personal information to the Internal Revenue Service.
Interestingly, this Big Brother company is not a child of the digital age. It was founded in Atlanta in 1899 as the Retail Credit Co., at a time when consumer finance was small and most transactions happened face-to-face. A big part of its business was compiling and reporting insurance claims.
But Retail Credit grew fast and by the 1960s had files on millions of people.
Alan Westin, a Columbia University law professor and early student of privacy issues in the information age, criticized the company over the accuracy of its information. He also worried over the breadth of its data, which went far beyond finances or past addresses of borrowers. It included their sex lives, marital problems and political activities. And citizens had no rights to see their files.
His testimony before Congress was instrumental in passage of the 1970 Fair Credit Reporting Act, which gave consumers some rights about the information stored on them. It assigned the Federal Trade Commission some regulatory power over the credit bureaus. In 1975, Retail Credit changed its name to Equifax.
This history is useful because issues of cybersecurity risk being bogged down by technical complications and the large number of “black-hat” hackers, including state actors from Russia (which meddled in our election, too) and elsewhere. Just digging through the articles on how best to protect yourself can be daunting.
The Equifax case lacks any ambiguity or complexity.
The company was born at the same time the Progressive Era was about to gain real power in the United States. For example, the Pure Food and Drug Act of 1906 was pushed by President Theodore Roosevelt. It ensured that problems such as unsanitary meat processing, documented by the muckraker Upton Sinclair in “The Jungle,” were stopped.
This opened the way to a host of protections over the coming decades, most of them so invisible that we now take them for granted. But so powerful was big business that Roosevelt knew only the federal government could serve as a force to protect average Americans and to keep market forces honest.
It was still true in the Great Depression, when TR’s cousin Franklin pushed through more reforms, including to ensure safe banking and sober stock markets. Bigness needs a counterweight.
So the GOP-controlled Congress and the Trump administration have a clear path: legislation to protect citizens from the laxity and reach of the credit-reporting bureaus.
Equifax has already been the subject of 57,000 complaints to the federal Consumer Financial Protection Bureau, although its jurisdiction is unclear and Republicans oppose the independent agency.
The big credit agencies are counting that they won’t be Theodore Roosevelt Republicans. If not, voters have a choice starting next year.