Drawing the Battle Lines on Equifax

I have so many quibbles with this Bloomberg editorial on the Equifax data breach that it’s hard to know where to start. Let’s start at the beginning:

The three big U.S. credit reporting companies — Equifax, Experian and TransUnion — have an unusual combination of power and lack of accountability. They dominate the business of collecting information on consumers, influencing everything from who gets jobs to how much interest people pay on mortgages. But they’re not answerable to those consumers; they primarily serve the banks and other customers that buy their products. As a result, they lack strong incentives to invest in keeping sensitive data secure, or to fix mistakes that can ruin people’s lives.

That parallels how an old boss of mine characterized the perfect job: maximum impact, minimum accountability. But Equifax’s problems go beyond weak incentives. Weak incentives didn’t cause Equifax’s management to hold on to the news about the breach until after they’d sold their stock, for example. And it doesn’t absolve them from their responsibilities under Sarbanes-Oxley, which requires them to know what the heck is going on in their own companies.

They continue:

Granted, keeping data secure is difficult, and Equifax is hardly the first company to let people down in this fashion. Also, it’s too soon to know how the breach happened, whether the company was negligent, and what kinds of additional defenses could have made a difference.

Let’s stop right there. By definition, if you’re robbed, the controls you had in place were inadequate to prevent the robbery. You were negligent. What the editors of Bloomberg are talking about is criminal negligence.

That’s why I’ve been arguing for strict liability. Equifax should be held responsible for the consequences of their actions and inactions whatever its managers’ intent and whether or not they were reckless. It also explains the math I’ve been citing: if every individual whose data has been exposed due to Equifax’s heedlessness is compensated for a single hour of remedial action and/or worry about it, that alone would be enough to break the company.

The editors continue by arguing for the need for clarity:

Ideally, Congress would respond with new legislation to give the CFPB clearer authority to police the companies. It could even opt for a more utility-like approach, allowing the CFPB to cap profits until they meet benchmarks for accuracy and privacy. But the companies spend heavily on lobbying, and it would be unwise to rely on Congress: On the day Equifax announced the breach, the House Financial Services Committee was considering legislation to reduce their legal liability.

That, unfortunately, ignores Congress’s core competency, which is doing nothing, and the editors recognize as much:

Rather than waiting for new legislation, the regulators should do more with the powers they already have. Under FCRA, the CFPB can penalize companies for failing to make “reasonable” efforts to keep sensitive information out of the wrong hands. The bureau should thoroughly investigate whether such efforts were made in this case, and demand strong remedies for any transgressions. If it takes the lead in this, the CFPB can set a new standard for the firms’ protection of financial data.

IMO there are already plenty of laws on the books to deal with this situation. What is missing is the will to enforce them.

  • Janis Gore

    I have no love for ’em. As I’ve said, to hell for all I care.

  • Guarneri

    “IMO there are already plenty of laws on the books to deal with this situation. What is missing is the will to enforce them.”

    That’s the money line. Ignoring explicit warnings is beyond the “business judgment rule,” as is trading on bad information.
