The Gulf Time Newspaper One of the finest business newspapers in the UAE brought to you by our professional writers and editors.
In the worst possible way, the monumental data breach at Equifax—involving the names, addresses and social security numbers of some 143 million people—draws attention to a long-neglected gap in the US system of financial oversight. The Consumer Financial Protection Bureau (CFPB) ought to take the lead in putting this right.
The three big US credit reporting companies—Equifax, Experian and TransUnion—have an unusual combination of power and lack of accountability. They dominate the business of collecting information on consumers, influencing everything from who gets jobs to how much interest people pay on mortgages. But they’re not answerable to those consumers; they primarily serve the banks and other customers that buy their products. As a result, they lack strong incentives to invest in keeping sensitive data secure, or to fix mistakes that can ruin people’s lives.
Granted, keeping data secure is difficult, and Equifax is hardly the first company to let people down in this fashion. Also, it’s too soon to know how the breach happened, whether the company was negligent, and what kinds of additional defenses could have made a difference. But it isn’t too soon to say that the credit reporting companies need more rigorous oversight, not least to provide full and authoritative answers to those questions.
Over the years, US authorities have acknowledged the problem. The Fair Credit Reporting Act, the Federal Trade Commission, the CFPB and state attorneys general have all pushed the companies to reduce errors and be more responsive to consumer complaints. As often happens, though, multiple regulators with overlapping responsibilities are collectively ineffective—and issues still abound. The companies are subject to the same data-security rules as banks, but don’t face the same level of oversight.
The threat of lawsuits doesn’t provide much discipline, either. Although the FCRA allows for civil liability, it’s hard to link the companies’ failures to specific harm—and the Supreme Court recently raised the bar. Who, for example, will be able to prove that the Equifax hack led directly to the misuse of their data? Equifax’s lamentable management of its hacking crisis illustrates how badly skewed its incentives still are. Criminals made off with enough information to steal the identities of millions of Americans, yet the company has shown astonishingly little concern for the people affected. The website it set up could not reliably indicate whose data had been stolen. It initially demanded that consumers waive their right to sue in return for “free” credit monitoring.
Ideally, Congress would respond with new legislation to give the CFPB clearer authority to police the companies. It could even opt for a more utility-like approach, allowing the CFPB to cap profits until they meet benchmarks for accuracy and privacy. But the companies spend heavily on lobbying, and it would be unwise to rely on Congress: On the day Equifax announced the breach, the House Financial Services Committee was considering legislation to reduce their legal liability.
—Bloomberg