The Unfinished Business of the Equifax Hack

Companies must show they can take responsibility for personal data, rather than leaving the task to consumers.


Remember the Equifax breach? In late 2017, the credit-reporting company revealed that hackers had stolen the personal data of more than 145 million people — including Social Security numbers, addresses, and in some cases even credit-card details. The incident was remarkable not only in scale, but also for the scant regard the company apparently showed for the individuals whose sensitive information it was supposed to manage.

Almost a year and a half later, almost nothing has changed. Authorities have neither sanctioned Equifax nor addressed the deeper industry-wide flaws that the incident exposed. It’s an omission that Congress must correct.

Equifax and its two main competitors, Experian and TransUnion, provide a valuable service. Their databases grease the wheels of commerce, allowing banks, employers and government agencies to quickly and easily check almost anyone’s identity and credit history. Yet their interests don’t always align with the public good. The people whose information they maintain are not their primary customers, so the firms lack an adequate incentive to ensure privacy and security, and to fix errors that can severely complicate lives. Breaches and bad data can even benefit them, helping sell products such as credit monitoring to frightened consumers.

Over the years, authorities have tried to adjust the incentives. The Fair Credit Reporting Act requires “reasonable” efforts to keep information accurate and prevent it from falling into the wrong hands — and empowers consumers to sue for damages. The 2010 Dodd-Frank Act gave the Consumer Financial Protection Bureau broad powers to supervise the largest credit-reporting companies. A 2015 settlement with state attorneys general requires the companies to deal with disputed information more effectively, and aims to curb the common practice of hard-selling paid services to people seeking to correct their credit reports.

Yet there’s been little real progress. In the last three months of 2018, consumers submitted almost 27,000 credit-reporting complaints to the CFPB, up from fewer than 11,000 two years earlier, before the Equifax hack. Granted, this is only a small fraction of the more than 200 million people with credit reports, and various factors — such as greater awareness — could contribute to the increase. But it certainly doesn’t suggest things are improving.

The Equifax case is especially discouraging. After its security failures exposed millions to identity theft, the company responded with a glitchy website and an offer of “free” credit monitoring — a service of dubious value, given that it alerts consumers only after their identity has been stolen. It fell to Congress to demand a basic concession from the industry: free security “freezes,” which allow consumers to prevent new accounts from being opened in their name. The Trump administration has shown little interest in further action. A joint investigation by the CFPB and the Federal Trade Commission has yet to yield results.

Consumers deserve better. Here’s what Congress can do:

- Require the companies to meet more ambitious benchmarks for data privacy, security and accuracy. In security, for example, government and nonprofit organizations have created guidelines that supervisors could use to set standards and assess compliance.
- Place the burden of proof on companies in consumer disputes. If they can’t demonstrate that the information in question is correct, they should remove it.
- Make security freezes the default option, by requiring the companies to release personal information only with a consumer’s express consent.
- Give the CFPB responsibility for overseeing all aspects of credit reporting. Overlap with the FTC on data security, for example, has bred confusion and threatens to render the agencies collectively ineffective.
- Give consumers the power to sue for injunctive relief. This would allow courts to compel the credit-reporting companies — and those that provide them with data — to fix practices that harm consumers, as opposed to merely paying damages.

Democratic legislators — including Senator Jack Reed and Representative Maxine Waters, the new head of the House Financial Services Committee — have introduced bills that would make many of these changes. All that remains is to get them to the president’s desk.

It’s unacceptable for credit-reporting companies to pose a threat, or even merely be a nuisance, to millions of people who never chose to do business with them. They must show that they can take responsibility for personal data, rather than leaving the task to consumers or charging for the service. They seem to need a firmer nudge, and Congress should provide it.

Copyright 2024 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.