The most disturbing thing about the data breach acknowledged [2 weeks ago] by the credit reporting agency Equifax is not that 143 million people’s personal data may have been exposed, nor even that there’s not much those people can do about it. It’s that Equifax probably isn’t going to suffer for it, at least not much.
The nature of the U.S. financial system protects Equifax and its two major competitors, TransUnion and Experian, from repercussions. These credit reporting agencies are, to use a familiar term, too big to fail.
As much as Equifax may refer to those 143 million people whose data it failed to protect as “customers,” they aren’t really. They didn’t ask Equifax or the other agencies to collect their data. They don’t buy anything from Equifax, except sometimes their own credit reports. And credit reporting agencies make it hard to fix mistakes that are sometimes ruinous.
The real customers are banks, credit card agencies and other lenders who buy credit reports to analyze borrowers’ credit-worthiness. Lenders don’t care that borrowers’ data may have been compromised, except as it could impact credit scores.
Credit reporting agencies are grease in the great American credit engine. Lenders need them, and borrowers need lenders. If Equifax were to go away, it would merely make TransUnion and Experian more powerful but probably no less vulnerable to hacking themselves.
So while Equifax is taking a public relations drubbing, it will survive, just as Anthem, Target and Home Depot survived data hacks. Three Equifax executives who sold $2 million in stock before the data breach was made public may face insider trading investigations.
Credit reporting agencies are largely unaccountable. They are modestly regulated by the Securities and Exchange Commission and the Consumer Financial Protection Bureau.
Before [2 weeks ago], Congress was talking about reversing a new Consumer Financial Protection Bureau rule that blocks credit reporting agencies from imposing arbitration rules on people who complain about their practices. Equifax offered a year’s free credit reports to people affected by the data breach. The offer initially contained an automatic arbitration requirement, which the company rescinded.
The data breach should cause congressional Republicans to rethink the effort to block consumer rights.
No one today can expect data like Social Security numbers and dates of birth to remain secure. But people should expect companies that collect such data to keep it safe from crooks. People affected have limited options except to sign up for a credit monitoring service to alert them to suspicious activity. There should be a mechanism available for people to freeze access to their credit registries if there’s no immediate need for them to be on file.
The long-term solution lies in requiring credit reporting agencies to pay for more sophisticated protection systems. Congress should demand it. What’s too big to fail is too big not to protect.