Equifax, the Credit Reporting Industry, and What Congress Should Do Next

HBR.org 2017-09-20


Even for the experts, the recent data breach at Equifax was staggering. The data that undergirds the credit records of 143 million consumers was compromised. Social Security numbers, dates of birth, and drivers’ license records are used to authenticate identity. It is not difficult to change a credit card number, but changing Social Security numbers and birth dates is a whole different matter. Data breaches are on the rise in the United States. It’s time for Congress to act. Why does this require action by Congress? There are at least five major reasons that the private sector cannot handle this issue on its own:

Identity theft is one of the top consumer complaints. The Federal Trade Commission reported 399,225 cases of identity theft in the United States in 2016. Of that number, 29% involved the use of personal data to commit tax fraud. More than 32% reported that their data was used to commit credit card fraud, up sharply from 16% in 2015. A 2015 report from the Department of Justice found that 86% of the victims of identity theft experienced the fraudulent use of existing account information, such as credit card or bank account information. The same report estimated the cost at $15.4 billion.

Current measures do not work. When data breaches occur, consumers are urged to check a website to see if they were affected. They are offered time-limited credit monitoring services and encouraged to check credit reports for stray transactions. This protocol has done little to stem the rise in data breaches and identity thefts in the United States. And because most state laws about data breach notification fail to establish strict time limits, consumers learn that their data was stolen long after the crime occurred.

Equifax pulled that script, waited more than a month to notify the public of the breach, and then set up a website to provide information to consumers. Multiple problems ensued. The company asked for still more personal data (the last six of people’s Social Security numbers). The site didn’t work, and the company tried to use the interaction as an opportunity to disclaim liability.

This is not a workable business response or sensible public policy. Consumers should not carry the burden when data breaches occur. And the lax response imperils global data flows.

Data breaches could hurt U.S. trade with Europe. The announcement of the Equifax breach came the week before top officials from the European Union arrived in the United States to undertake the first annual review of “Privacy Shield,” an EU-U.S. data trade agreement that permits the transfer of personal data of European consumers to U.S. firms outside normal legal channels. The agreement is premised on the belief that the United States will provide sufficient data protection for the personal data obtained from across the Atlantic. Privacy Shield is necessary, as the White House explained last week, to “enable the free flow of information, which sustains the nearly $1 trillion dollars in goods and services trade across the Atlantic, and even more around the globe.” But Privacy Shield also faced fierce opposition from consumer groups on both sides of the Atlantic, leading European privacy officials, and now possibly European politicians. BBC reported that about 400,000 Britons were hit by the Equifax breach. Politicians in the U.S. and the EU will be looking for solutions, but small measures will not solve the problem.

Social Security numbers have been asked to do too much. It is time to end the use of the Social Security number (SSN) as a general-purpose identifier. Today American consumers experience record levels of identity theft and financial fraud, largely traced to the unregulated use of the SSN in the private sector. The numbers contribute to insecure password schemes (many accounts still default to the last four digits of the SSN), incorrect identification, and secretive profiling and decision making. The SSN was never intended to be used this way, and we now live with the consequences. Future uses of the SSN in the private sector should take place only with legal authority, and Congress also needs to take responsibility. If Congress does not authorize the use of the SSN, a number created by the federal government, then the number should not be used for commercial transactions.

The credit reporting industry is fundamentally flawed. The essential problem with the credit reporting industry is that it does not work. In the best of circumstances, the information provided by data brokers to businesses is inaccurate, incomplete, or out of date. In some circumstances individuals are wrongfully denied jobs, housing, and credit. In other circumstances, the data contributes to identity theft. In almost all circumstances, consumers are left in the dark about the collection and use of their personal data by others.

Next Steps

Reforms should not just fix these issues but also aim to transform the industry for the better. Credit reporting agencies should provide free, life-long credit monitoring services. Next, credit reporting agencies should change the default on access to credit reports by third parties. Instead of the current setting, which allows virtually anyone to pull someone’s credit report, credit reporting agencies should establish a credit freeze for all disclosures. Consumers would still retain the ability to disclose the report when they choose to do so. Credit reporting agencies should also send a free annual report to all credit card holders, indicating in full the information about consumers that was collected, to whom it was provided, and for what purpose it was used. Current laws allow consumers access to free credit reports, but the process is cumbersome, and few consumers take advantage. A rationalized market would help ensure that consumers have as much information as possible about the use of their personal data by others.

The credit reporting industry is an easy target. It is well known and its problems are widely documented. But the reality is that consumer scoring is a rapidly growing field, with companies now scraping websites to gather profile data that is sold to third parties. Many of the errors familiar from the 50-year history of credit reports — inaccuracy, discrimination — are compounded in the field of consumer scoring. New principles for data protection such as data minimization and algorithmic transparency will be needed for modern regulatory frameworks.

Consumers and businesses face a real crisis. The risk of increased identity theft resulting from the breach is real. Equifax created this particular problem, and it should be responsible for the clean-up. But this problem is about much more than Equifax.

More transparency ensures more accountability — that is the essential paradox of privacy protection. But consumer privacy is not a goal achieved by markets. It must be mandated by Congress. After all, consumers are also voters.