Explaining How the Equifax Breach Highlights Policy and Legislative Gaps


To paraphrase Shakespeare, I did not come here to vilify Equifax for its incompetence and malfeasance but to bury, hopefully, the model that has led us to this breach.

Here is the fundamental problem and one way to understand this situation:  as of this breach you almost certainly do not have a direct relationship with Equifax.  Equifax maintains a large amount of sensitive information about you.  That information store (and the others like it) has actually enabled a lot of economic activity.  The fact that you can reliably apply for credit, and the use of credit scores based on an automated and instantaneous review of your credit information, overcome some otherwise daunting roadblocks to providing credit to a large population of individuals and organizations in the United States.  The existence of credit bureaus means that the size of credit markets in the United States exceeds that in the rest of the world when adjusted for population.  (There is a dark side to this capacity that the credit bureaus provide: credit is granted easily to those without a credit history or with bad credit.  Those are real problems, but they aren’t relevant to the questions raised by the breach, so I’m skipping them for now.)

But the ways in which the system is unfair, and the fact that it places so much power over people’s economic destinies in the hands of a small number of private companies, have led to some pretty substantial controls around their business practices.  Some are written into law (or case law) or regulation at both the state and federal level.  The Federal Trade Commission (FTC) has general jurisdiction to make sure that many of the promises the industry has made to avoid more stringent requirements in law or regulation are effectively binding.  (And in some cases, violations have resulted in consent decrees with the FTC that should bind the behavior of these companies.)

Even with all of that protection, these companies still have a disproportionate amount of power over consumers even though they don’t have a direct relationship with them.  Their capacity to endanger individuals through poor business practices has accelerated in recent years with an ever larger percentage of economic activity occurring on, over, or through the Internet.

Put simply:  The regulatory environment has not kept up.

It is outrageous that Equifax has cooked up a way to make their bad behavior here into a revenue driver.  They want you to sign up for their “free” identity monitoring service (which is useless anyway), but you have to provide your credit card so that in one year, when the free period expires, it will automatically renew and charge you.  If you do sign up, you will be subject to a binding arbitration clause (similar to others that are colloquially known as “rip-off clauses”), which may limit your ability to hold Equifax responsible if you do suffer identity theft as a result of the breach.

Someone ought to go to jail for designing the solution this way.  But none of it is illegal.

It is true that data breaches happen a lot.  Much like the old saying about homes with termites, there is a common perception that there are networks that have been hacked and those that will be hacked (some even say those that know they have been hacked and those that don’t yet know they have been hacked).  These are overstatements, certainly, but they obliquely recognize that total impenetrability of systems is a myth.  The best wall still has to have access points for authorized users, and hackers will always succeed in compromising some of those authorized users even when they cannot hack the system directly.

In short, a regulatory and legislative solution is necessary to solve this problem and rebalance the interests between consumers and those who hold data on those individuals.  There aren’t good proposals out there yet, but perhaps this event will precipitate some additional thinking in this direction.

Adam Bobrow