Get Rid of Equifax

362 points by hvo over 7 years ago

19 comments

jedbrown over 7 years ago
This can be fixed by a small change to privacy liability law. Current law requires litigants to show actual economic harm. That is hard to do in cases of identity theft and privacy violations, which is why the OPM case was just dismissed [1]. If this was changed so that a privacy violation could be litigated, companies like Equifax would need to buy insurance against such actions. Alternatively, there could be a new law that any company storing SSN-type data owed some nominal amount (say, $10) to the owner of that data if it is compromised for any reason. Either way, companies that aggregate large amounts of such data would end up buying insurance.

No insurance company would sell such policies without due diligence -- they would establish security requirements and pen testing. Consumers are protected by the existence of an actuarially fair insurance policy, not by the (nominal) compensation. Note that Equifax's customers are (primarily) not consumers. Regulations (in the form of liability law reform or nominal compensation) may not be required in industries where companies only hold the data of their own customers, but such companies could cite their insurance policy to convince their customers that they take security seriously. (Now it's always empty words.)

[1] https://www.washingtonpost.com/news/powerpost/wp/2017/09/20/federal-court-denies-cash-awards-to-22-million-opm-data-theft-victims/

monochromatic over 7 years ago
“Any company doing something I don’t like should be nationalized.”

No. They should be liable for the damage they cause with negligently allowing hacks like this, but the existence of private businesses should be default-allow.

_jal over 7 years ago
Now here is a perfect, legitimate use of libel law. If a company with whom you have no relationship is lying about you to people with whom you're attempting to do business, that sounds like libel to me.

Of course, that's preempted by a federal law that Equifax & friends carefully purchased. Perhaps all we need is for them to lose that protection to give them a reason to care.

JoeCoder_ over 7 years ago
When a private company has a massive failure, customers have the freedom to go elsewhere and the company may go out of business.

When a government agency has a massive failure, we're of stuck with it, short of hoping politicians *might* do something about it.

matt-attack over 7 years ago
I don't agree with trying to create a public government-run institution to track how "reliable" each citizen is. The solution to all of this is clear. Credit agencies provide a service primarily to lenders. These lenders count on the agencies' ratings to be a reliable predictor of the reliability of its potential customers. If those companies' products are no longer a reliable predictor, they shouldn't use them.

lukejduncan over 7 years ago
The interesting thing about this sentiment and reasoning is that it could equally be said of data brokers in general. Changes here could have big impacts on the ads ecosystem. I don't know my opinion here, but between things like GDPR and op eds like this I have to imagine there are ad and data broker executives doing some worst case analysis and spin/talking point preparation.

njarboe over 7 years ago
I can understand the impulse to want Equifax punished for getting hacked and releasing all of this information. But I think these credit bureaus are small fry compared to the size of the companies that are at the root of the problem: banks and other entities that make loans. The reason most people don't like the credit bureaus is the fear of "identity theft", not the spread of truthful information about themselves.

A bank makes a loan to a fraudster who is impersonating you. The fraudster defaults on the loan and the bank tells a lie about you to the credit bureau, which gets spread around and hurts you in many ways. If we called this situation "bank slander" or "bank libel", the focus would be on who is creating the problem: the bank with its lie. Create high enough penalties for banks reporting false loan defaults and "identity theft" will disappear as the banks become more cautious of fraudsters. This is unlikely to happen as banks are concentrated and powerful institutions. "Too big to fail" I believe is the term. I don't think the credit bureaus themselves are that influential in Congress but the banks want them and will lobby on their behalf.

It would be interesting to know how much money the banks get from people illegally each year from people paying off fraudsters' debts to clear their credit reports from the false default reports from banks.

dmh2000 over 7 years ago
So the government is better at security?

https://www.nytimes.com/2017/09/20/business/sec-hacking-attack.html

DamnInteresting over 7 years ago
I keep seeing calls for the government to revoke Equifax's corporate charter, because we citizens cannot vote with our wallets in this case; we are not Equifax's customers. But I wonder about Equifax's *actual* customers, the financial institutions that choose to rely on Equifax for credit reporting. What sensible institution would continue to trust Equifax after all of this nonsense? Perhaps banks and the like should all abandon Equifax as a credit reporting source and let the company die of natural causes.

bogomipz over 7 years ago
The only proposal for any kind of action I have heard on this is the Warren and Schatz legislation which is appropriately titled "Freedom from Equifax Exploitation (FREE) Act" [1]

Aside from Senator Warren I have heard very little concern from lawmakers in Washington regarding the menace that these credit reporting agencies have become and the threat they pose to people.

[1] https://www.warren.senate.gov/?p=press_release&id=1837

optimuspaul over 7 years ago
I think the real problem is that we have no definitive way to prove who we are. A SSN is fine and all but it's just a number that anyone can obtain and say they are me. We need key pairs or some way to prove that when we are requesting credit that we are in fact the person that we say we are. Until that happens the system is exploitable by even the most inept of criminals.

ma2rten over 7 years ago
*In at least 40 other countries — including Belgium, France, Germany, Italy and Spain — credit reporting can be done by a public credit registry.*

This is not true for Germany.

https://en.wikipedia.org/wiki/Schufa

0xfeba over 7 years ago
A pipe dream. As evidenced by the stock price, nothing will change. People don't care--at least not enough to *do* something like call their elected official, if they even know who they are.

Which brings me to a question of the "have things always been like this?" sort. Do we have data on the percentage of any population who's active in politics over the past, say, 7 decades?

eternalban over 7 years ago
This is a perfect opportunity for "disrupting" this sector.

Why is no one stepping up and flipping the business model on credit reporting?

kazinator over 7 years ago
> *Although they call themselves bureaus, there is nothing governmental about what these private companies do.*

That is a naive statement, perhaps based on an idealized version of a few cherry-picked governments.

mywittyname over 7 years ago
Individuals should have the option to tell companies requesting credit checks that they do not consent. Furthermore, it should be illegal to hold non-consent against the individual.

eevilspock over 7 years ago
> *That’s because we are not the customers... but the product.*

An increasingly familiar pattern.

The free market is flipping against the people.

koolba over 7 years ago
> Equifax is the oldest of the Big Three credit reporting bureaus, and it got its start as a private investigator in the late 1800s. A client — a business or a bank — would ask it about a consumer, and it would go about digging up dirt on things like marital problems and convictions. That client would then pay it for its services.

> This questionable business model raised eyebrows in the 1960s, when the companies were still compiling information on people’s “moral character” such as affairs or drinking problems. At the time, the reports weren’t available at all to the subjects themselves. That changed with the Fair Credit Reporting Act, which was signed in 1970. But even that reform put virtually no oversight on the bureaus’ practices.

As if there aren't a bunch of companies trying to do exactly this with a combination of tracking cookies, browser history, purchase history, and ML.

Separately, from the article (emphasis mine):

> The United States government is, of course, not impervious to data breaches, nor does it have a perfect track record of fending them off. In 2015, it announced that hackers had stolen “sensitive information” on 21.5 million people. But the government is at least accountable to public pressure. *Equifax never will be, even under the tightest regulation.*

Equifax may not have to change anything as there's a very real chance it goes bankrupt because of this. It's not just from the cost of lawsuits from consumers. There's a longer term cost of businesses not wanting to deal with them.

The risk of that happening to one of the other big credit reporting agencies is the biggest driver for them to clean up their act. The threat to their businesses is real and I'd imagine their internal responses will be as well. I also think regardless of what they do it's only a matter of time till they have a breach as well. You only have to screw up once.

> Credit bureaus have proved to be complete failures at safeguarding the public.

Nearly all companies are complete failures at data security. There's nothing special about credit bureaus here. They just happen to have *a lot* of sensitive data on a lot of people and thus are a hot target. As an example, we've had plenty of breaches in the health insurance industry as well.

Perhaps the best approach would be a "too big to fail" limit on the bureaus. Put a cap on the total size (in accounts / people covered) of a credit bureau. The libertarian in me is screaming at the thought of something like that but at least it has the advantage of limiting breaches to a max number of people.

> Let’s demand we get our data back.

It was never your data.

SamuelAdams over 7 years ago
"Equifax could easily have patched the hole in its system that hackers exploited, but it simply didn’t."

We don't know why, though. Perhaps they were working with law enforcement to track the attacker. Closing the hole would certainly alert the attackers and end the chance to catch them.

This reads just like the Cuckoo's Egg.