Will Equifax finally be the one?
Will this summer’s data breach involving 143 million of the credit bureau’s U.S. customers finally generate enough fear and outrage to cause Congress, the financial system and the rest of us to do something about identity theft?
It didn’t happen in 2013, when hackers compromised 110 million credit cards at Target Corp. A theft of 56 million customer accounts at Home Depot Inc. didn’t do the trick in 2014. Nor did break-ins at Anthem Inc. in 2015 (80 million) and Yahoo! in 2016 (1 billion!).
It’s scary each time, but never quite scary enough. Maybe a few executives get called on the carpet by Congress, while the company issues a public apology and offers to extend credit monitoring services to aggrieved consumers. Maybe it has to pay millions in class action settlements… But soon enough the outrage fades, and Congress and the public move on. Many experts are saying that the Social Security and credit card data stolen from Equifax is likely to do far more damage than a typical retail breach because the credit bureaus hold so much of our most sensitive financial data. And the outrage quotient is higher than I can recall in past incidents. Still, I doubt that the outcome will be different. This is doubly tragic because it’s not just data security that needs to be reformed; so do the credit bureaus themselves.
The main reason nothing happens is that the hackers “are getting so much better at how they use the stolen data,” the cybercrime journalist Brian Krebs told me. For starters, they’re patient. They wait for people to forget about the breach and let their guard down before they begin selling, say, stolen credit card data to crooks. By the time your stolen data is used to buy something, you can’t even pin the blame on a particular breach, because there have been so many subsequent ones.
They’re sophisticated: They now often use real Social Security numbers, combine them with phony identities and create synthetic identities, which they use to build credit histories and receive loans and credit cards. And they’re smart: They never make all the data available at once, but parcel it out, so that the number of people dealing with the consequences of stolen data at any one time is relatively small.
In addition, we’ve all helped the bad guys out by normalizing data theft. Having your credit card information used by a thief is so common that the ensuing ritual is little more than an annoying fact of life. As for full-on identity theft — the kind described this week by Bloomberg’s Drew Armstrong that upends your life for years at a time — there were only 2 million such cases in 2014, the last year for which the Bureau of Justice Statistics has published data. Yes, that’s a lot, but in a country of 325 million people, it’s not nearly enough to generate a sustained demand for change.
Finally, data theft offers no visuals the way, say, the 2010 BP oil spill did. So that sense of national emergency that gripped the nation back then — and really ought to be taking hold now — is missing. …
There are two core issues that the U.S. should be grappling with in the wake of the Equifax breach. The first is that this country’s methods for securing data are absurdly porous. …
The data experts I spoke to were unanimous in saying that the way we secure data doesn’t just need tightening. It needs to be overhauled, with old methods tossed out and new methods, using biometrics and other forms of validation, mandated.
The second issue is the credit bureaus themselves. In your financial life, there are few measures more important than the scores derived by the three credit bureaus, Equifax, Experian and TransUnion. Those scores are the difference between getting a loan and being turned down for one. With a poor score, you can’t buy a house or a new car. Credit card companies will cut you off. It even hurts your chances of getting a job, since many employers insist on looking at credit reports as part of their hiring process.
Yet these companies have no direct relationship with the consumers whose data they are collecting. Their customers are banks and other financial institutions. They have no incentive to ensure that data is correct. They can sell the data to any marketer who wants it. Consumers have no ability to restrict the information they gather. And there are no consequences if they make mistakes.
Most companies in an oligopoly — airlines, for instance — at least compete with each other. Not so the credit bureaus. “There is no market discipline,” says Adam Levitin, a Georgetown University law professor who has studied the credit bureaus.
What will this breach cost Equifax? The company will probably have to pay some money to plaintiffs’ lawyers. Smith, who is going to sit through some withering congressional hearings next month, may find himself out of a job. That’s about it. It’s not nearly enough. …
At a minimum, the government needs to create incentives that would reward the companies for accuracy, customer service, and ironclad data security.
And if that doesn’t do the trick, there is a solution that is both radical and sensible: treat the companies like public utilities. Levitin recently wrote a blog post proposing such a plan. The credit bureaus, he wrote, have no natural right to the data they collect; they only have it because the law tolerates it. Thus, he says, “It’s quite reasonable to qualify that right with a regulatory system.”
As public utilities, they would still be publicly traded companies, but they would be overseen by a government body, just as utilities around the country are overseen by state utility boards. The regulator would set performance standards for accuracy, data security and the like, and could restrict dividends and executive compensation if they weren’t met.
For that to happen, though, we need a breach that finally jolts us out of our complacency. If not Equifax, then what?