Equifax Should Be a Public Utility

Credit bureaus have little incentive to take hackers seriously. Only government oversight can change that.

Will Equifax finally be the one?

Will this summer's data breach involving 143 million of the credit bureau's U.S. customers finally generate enough fear and outrage to cause Congress, the financial system and the rest of us to do something about identity theft?

It didn't happen in 2013, when hackers compromised 110 million credit cards at Target Corp. A theft of 56 million customer accounts at Home Depot Inc. didn't do the trick in 2014. Nor did break-ins at Anthem Inc. in 2015 (80 million) and Yahoo! in 2016 (1 billion!).

It's scary each time, but never quite scary enough. Maybe a few executives get called on the carpet by Congress, while the company issues a public apology and offers to extend credit monitoring services to aggrieved consumers. Maybe it has to pay millions in class action settlements. Maybe it gets trolled on Twitter.

But soon enough the outrage fades, and Congress and the public move on. Many experts are saying that the Social Security and credit card data stolen from Equifax is likely to do far more damage than a typical retail breach because the credit bureaus hold so much of our most sensitive financial data. And the outrage quotient is higher than I can recall in past incidents. Still, I doubt that the outcome will be different. This is doubly tragic because it's not just data security that needs to be reformed; so do the credit bureaus themselves.

The main reason nothing happens is that the hackers "are getting so much better at how they use the stolen data," the cybercrime journalist Brian Krebs told me. For starters, they're patient. They wait for people to forget about the breach and let their guard down before they begin selling, say, stolen credit card data to crooks. By the time your stolen data is used to buy something, you can’t even pin the blame on a particular breach, because there have been so many subsequent ones.

They're sophisticated: They now often use real Social Security numbers, combine them with phony identities and create synthetic identities, which they use to build credit histories and receive loans and credit cards. And they're smart: They never make all the data available at once, but parcel it out, so that the number of people dealing with the consequences of stolen data at any one time is relatively small.

In addition, we've all helped the bad guys out by normalizing data theft. Having your credit card information used by a thief is so common that the ensuing ritual is little more than an annoying fact of life. As for full-on identity theft—the kind described this week by Bloomberg’s Drew Armstrong that upends your life for years at a time—there were only 2 million such cases in 2014, the last year for which the Bureau of Justice Statistics has published data. Yes, that’s a lot, but in a country of 325 million people, it’s not nearly enough to generate a sustained demand for change.

Finally, data theft offers no visuals the way, say, the 2010 BP oil spill did. So that sense of national emergency that gripped the nation back then—and really ought to be taking hold now—is missing.

There are two core issues that the U.S. should be grappling with in the wake of the Equifax breach. The first is that this country’s methods for securing data are absurdly porous. Thieves who have stolen your identity aren’t likely to have much of a problem answering those “security questions” companies rely on. (“What is your mother’s maiden name?”) Passwords are breakable. And it is crazy that companies force us to hand over our Social Security numbers as a security measure.

Many companies still don’t take data security seriously enough—including Equifax, even though, as its chief executive Richard Smith correctly noted, the breach “strikes at the heart of who we are and what we do.” As Wired reported on Thursday, a patch to fix the vulnerability was made available two months before the breach. Equifax failed to use it.

The data experts I spoke to were unanimous in saying that the way we secure data doesn’t just need tightening. It needs to be overhauled, with old methods tossed out and new methods, using biometrics and other forms of validation, mandated.

The second issue is the credit bureaus themselves. In your financial life, there are few measures more important than the scores derived by the three credit bureaus, Equifax, Experian and TransUnion. Those scores are the difference between getting a loan and being turned down for one. With a poor score, you can’t buy a house or a new car. Credit card companies will cut you off. It even hurts your chances of getting a job, since many employers insist on looking at credit reports as part of their hiring process.

Yet these companies have no direct relationship with the consumers whose data they are collecting. Their customers are banks and other financial institutions. They have no incentive to ensure that data is correct. They can sell the data to any marketer who wants it. Consumers have no ability to restrict the information they gather. And there are no consequences if they make mistakes.

Most companies in an oligopoly—airlines, for instance—at least compete with each other. Not so the credit bureaus. “There is no market discipline,” says Adam Levitin, a Georgetown University law professor who has studied the credit bureaus.

What will this breach cost Equifax? The company will probably have to pay some money to plaintiffs’ lawyers. Smith, who is going to sit through some withering congressional hearings next month, may find himself out of a job. That’s about it. It’s not nearly enough.

After the financial crisis of 2008, Congress passed the Dodd-Frank financial reform law, imposing new regulations on the banking industry intended to prevent future crises. That’s what needs to happen now with the credit bureaus.

A number of bills have been introduced that nibble around the edges of reform. Senator Elizabeth Warren, the Massachusetts Democrat, has cosponsored a bill to end the practice of using credit reports to make hiring decisions. And several senators, including Warren, are working on a bill that would allow consumers to freeze their credit reports without having to pay a fee.

But that is not going to end the real problem, which is that, to paraphrase the Lily Tomlin spoof of the old AT&T monopoly: they don’t care because they don’t have to. At a minimum, the government needs to create incentives that would reward the companies for accuracy, customer service, and ironclad data security.

And if that doesn’t do the trick, there is a solution that is both radical and sensible: treat the companies like public utilities. Levitin recently wrote a blog post proposing such a plan. The credit bureaus, he wrote, have no natural right to the data they collect; they only have it because the law tolerates it. Thus, he says, “It’s quite reasonable to qualify that right with a regulatory system.”

As public utilities, they would still be publicly traded companies, but they would be overseen by a government body, just as utilities around the country are overseen by state utility boards. The regulator would set performance standards for accuracy, data security and the like, and could restrict dividends and executive compensation if they weren’t met.

For that to happen, though, we need a breach that finally jolts us out of our complacency. If not Equifax, then what?

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

    To contact the author of this story:
    Joe Nocera at jnocera3@bloomberg.net

    To contact the editor responsible for this story:
    Jonathan Landman at jlandman4@bloomberg.net
