December 11, 2017
You might not be aware of it, but there is a strong likelihood that you've recently been entered into a special lottery. This is not some kind of philosophical thought experiment. It’s a statistical fact. It is through no action of your own but the mere circumstance that you happened to have established credit in the U.S. economy. Those are the broad conditions for which participation in this lottery is necessary. It is certainly true that there are socio-economic barriers to establishing a good credit history in the U.S. Indeed, the number of online payday loans you've taken out, the degree to which you utilize your credit and, moreover, the age of your credit lines are all relevant factors in establishing a healthy credit score. However, such factors are largely irrelevant for the purposes of this discussion, because any poor credit history will suffice to qualify for this lottery. Now, you may not "win" this lottery. But, if you do, it will be a life-changing event. Does that sound like a good deal? Well, it shouldn't. As you may have guessed by now, this is not a lottery that you want to be participating in.
This summer, Equifax suffered a massive data breach, the ramifications of which have yet to be fully understood. Equifax is one of the “Big Three” credit reporting agencies based in the U.S. Due to a web application vulnerability in Equifax's system, the private information of up to 143 million Americans has been made available to hackers. This information includes addresses, dates of birth, social security numbers and some driver’s license numbers. As much as 44 percent of the U.S. population will see the repercussions of this breach in the years to come. This was entirely preventable. Importantly, the particular vulnerability exploited by hackers had a patch available in March, months prior to the data breach. Equifax had ample time to fix this vulnerability, and the company failed to do so.
Unfortunately, identity theft is a fact of life for Americans in the age of interconnectivity. The Bureau of Justice Statistics reports that an estimated 17.6 million people, around 7 percent of U.S. residents 16 or older, were victims of identity theft in 2014, when the study was conducted. But not only is the increased incidence of identity theft a tremendous liability for average people, it’s also a lucrative opportunity for a number of shrewd businesses. And, in light of the news that Equifax recently compromised the sensitive information of up to 143 million people, it would be a glaring omission not to mention the likelihood that Equifax will benefit from their own incompetence. In fact, fraud protection is a sizeable line of business for Equifax itself. Just three weeks prior to the breach, Equifax’s former Chief Executive Officer Richard Smith gave a speech, in which he said, “Fraud is a huge opportunity for us.” Smith retired following the data breach.
Senator Elizabeth Warren of Massachusetts was among the politicians who sounded off in a recent congressional hearing, in which Smith was questioned. Warren said, “Consumers will spend the rest of their lives worrying about identity theft. But Equifax will be just fine — heck, it could actually come out ahead.” It’s true. Equifax stands to make millions as a result this recent data breach. Following the incident, 7.5 million people signed up a free year of Equifax’s credit monitoring services. Customers will have to pay $17 a month after their free year is up. Assuming that even a fraction of the folks who’ve signed up choose to continue the service, Equifax potentially stands to make an additional hundreds of millions of dollars in revenue. That’s just one way in which Equifax stands to profit from the incident. There are others. An identity theft protection service called LifeLock has received a huge influx of new customers following the breach. Their premium plan, which most customers opted for, costs $29.99 per month. The kicker here is that LifeLock buys its credit monitoring service directly from Equifax. As such, the credit agency will receive a cut from these new customers, who are flocking to the service because of Equifax's negligence. Additionally, Equifax sells products to government agencies to assist in identity verification — a task that will be critically important after Equifax’s massive data breach.
It would be an understatement to say that incentives are misaligned here. Companies like Equifax clearly stand to gain from fraudulent activity. What real motive does the credit rating industry have to protect our information? Just days after the breach was discovered, three senior executives at Equifax sold shares worth nearly $1.8 million. Among those who sold shares was John Gamble, the agency's chief financial officer. According to the company, these executives had no knowledge of the breach at the time of their transactions. Conspicuous timing aside, it would appear these executives made the right move, seeing as Equifax’s stock plummeted after the breach was made public.
This security issue is not the first for Equifax. In January of this year, the company admitted that a data leak had occurred, resulting in small number of customers at LifeLock, Equifax’s aforementioned partner, being exposed to another user on the partner’s web portal. In May of last year, the company’s W-2 Express website was hacked, resulting a leak of 430,000 names, addresses, social security numbers and other information of one of its clients, the retail firm Kroger. Even now, after the latest data breach, the company continues to flounder in small but disconcerting ways. Shortly after the breach, the Equifax’s Twitter account mistakenly tweeted a link to a fake website pretending to be Equifax. The site was created by Nick Sweeting, a software engineer, in an effort to show people how easy would be to impersonate the real website.
It is difficult to exaggerate the profound misery that will occur as a result of this data breach. The experience of having your identity stolen is a waking nightmare. Victims of identity theft are subject to myriad woes as they must continually perform the very basic task of proving who they are — the task of proving that they are, in fact, themselves, and not the person who stole their identity. Amy Krebs described her first-hand experience as a victim of identity theft: "When you are a victim of identity theft, you are put in the position of having to prove who you are to a greater extent than the criminal had to get goods and services." It's like something out of a particularly unsettling Kafka novel. And, because social security numbers do not change, the impact of this breach will be felt for many years to come.
Now, those exposed by the breach have some legal recourse. In fact, a large number of class-action lawsuits have been proposed against the credit agency. The firm Olsen Daines PC along with Geragos & Geragos, for instance, is reported to seek up to $70 billion in damages. In addition, those affected by the breach can take Equifax to court on their own. A few people have already opted to do so. Ironically, this comes at a time when the rule making to possible to sue financial companies in such cases might be done away with by Congress. Needless to say, it is critically important that Congress not eliminate this rule.
Moreover, there need to be clear and extensive consequences for this level of incompetence. Not only should it be relatively straightforward to sue in these circumstances, the damages sought need to be high enough for corporations like Equifax to feel it. And there need to be harsh legal ramifications at the level of leadership for kind of negligence. Nonetheless, it is a convenient truth for Equifax that the average person doesn't have the time nor the inclination to mount a legal case against a huge corporation — one that is sure to fight them at every turn. As such, it is entirely probably that Equifax will never fairly compensate all the people negatively affected by this breach. In this regard, some have proposed wide-sweeping, transformational solutions. Some have even suggested that we nationalize the credit industry.
The way that the credit rating industry as a whole intersects with the broader economy is a topic beyond the scope of this piece. But one thing is clear: When profit is the underlying incentive in determining the trustworthiness of governments, companies and everyday people, incidents such as these are bound to happen with increasing likelihood. As evidenced by this breach, companies like Equifax hold an inequitable and increasingly untenable position in our society. This recent incident highlights just one way in which that is true. It's also worth noting that credit rating agencies played an essential role in the housing market collapse, spurring an economic recession in 2008.
This seems like an opportune time to point out an apparent incongruity with respect to the power dynamic between companies like Equifax and members of the general public. This is a company whose assessments affect people's ability to purchase homes and cars. In light of the fact that Equifax can't even secure its own website, it's worth asking the question: Why do they have this kind of power? This company compromised the private information of 143 million people. Equifax has roundly demonstrated that, in its current iteration, the company cannot effectively mitigate risk with respect to its own infrastructure. Why, then, should we, the public, allow them to assess risk when it comes to our sensitive information? Something is dreadfully wrong with a system that allows for the possibility of private company to jeopardize so many people's privacy and livelihoods. And considering that data is now more valuable than oil, perhaps it's time for a new set of laws and conventions with respect to the ethics of data stewardship. Let’s not leave it up to corporations like Equifax to shape those standards.