In his New York Times column Farhad Manjoo fumes over the Equifax data breach:
If a bank lost everyone’s money, regulators might try to shut down the bank. If an accounting firm kept shoddy books, its licenses to practice accounting could be revoked. (See how Texas pulled Arthur Andersen’s license after the Enron debacle.)
So if a data-storage credit agency loses pretty much everyone’s data, why should it be allowed to store anyone’s data any longer?
Here’s one troubling reason: Because even after one of the gravest breaches in history, no one is really in a position to stop Equifax from continuing to do business as usual. And the problem is bigger than Equifax: We really have no good way, in public policy, to exact some existential punishment on companies that fail to safeguard our data. There will be hacks — and afterward, there will be more.
There’s a simple, practical solution to that conundrum: let the courts decide. All that needs to happen to solve the problem is for Equifax to be held responsible for the costs, direct and indirect, of the data that it held becoming public, and the problem, along with the company, will go away.
Holding vast amounts of private and sensitive data is a business model. When the profitability of the business model depended on inadequate controls, as seems to be the case, why should the federal government act or not act to prop up that model? If the functions that Equifax performed are so vital to the functioning of our society, as seems to be claimed, perhaps we should not depend on a private company to perform them?
As to the executives who are alleged to have sold large blocks of their stock in Equifax prior to the announcement, the question will become what did they know and when did they know it? If they knew about the breach in anticipation of selling their stock, they should be indicted for insider trading and, if found guilty, subject to the maximum penalty: 20 years in prison and a $5 million fine. That will open the floodgates for what promises to be the largest class action suit in history.
We need to come to the understanding that size itself can be a problem. A company that is too large to be allowed to fail is too large to be allowed to exist.
I imagine there would be civil liability, but I think the bigger question is whether utilizing the crisis to enroll people in its credit monitoring service would fall under criminal looting laws.
Is there some legal requirement that any financial institution use all three credit bureaus? I’ve never been clear what the value-added is for all three. Individuals are not the customers though, but if I were running a financial institution, I think I would go with the other two because (a) the hack evidences bad practices and (b) Equifax has devalued the credit system, in the sense that there is now going to be misreporting of credit which may cost me business if I cannot loan a creditworthy individual money because of the breach.
Another question: is there anything particularly interesting about these credit companies other than the number of people’s private information they hold? For example, my wife’s employer probably has her social-security number, driver’s license, etc. This seems like an issue of scale, and simply looking at this as the weirdness that is credit agencies is misleading.
The looting laws point is an interesting one but the number of people in the class makes the scale of the liability mind-boggling.
Imagine that each person in the class spends just one hour dealing with the mess created by Equifax and is compensated for that time alone at minimum wage. That alone would be a $1 billion settlement. At average wage it would be $3.5 billion. Equifax is a $2 billion a year company. Add costs, etc. and I don’t see how it survives as a viable business.
And, as you note, the breach casts the entire notion of an individual credit rating into question.
If Equifax were to be sued out of existence, they would be forced to sell off all their assets — which is the data on each and every person in America. I cannot imagine this will make things better.
We don’t have a mechanism for just destroying a corporation, and all of its assets. We also don’t have any significant privacy laws.
It’s not a matter of the company being too big to fail, or too important to the way our economy functions. There are two other credit rating companies and few people would miss this one. We just have no way to destroy it.
Also, they likely have insurance.
It took me three months to straighten out my birthdate with Equifax, even though I supplied a copy of my official birth certificate.
And they fu’d my credit rating in the process because they did a hard credit check.
They can go to hell and back for all I care.
And do you know why I found all this out? The IRS requires a check with them before you can file online.