Equifax: A Breach Too Far

The breach has put the personal data of 143 million people at risk of identity theft.

When credit firm Equifax suffered a massive data breach this summer, the personal data of 143 million people remained accessible for at least two months, putting them at risk of identity theft. The data included names, dates of birth and Social Security numbers. The crisis was proof not only of the vulnerability of data held by large corporations, but also of how a linchpin of the US financial market isn’t suitably regulated.

Equifax is one of the big three consumer-credit reporting firms in the US. The other two are TransUnion and Experian. They provide banks and financial institutions with credit reports on consumers, including personal information, plus records of the credit cards and loans consumers have, spending limits on cards and the timeliness of their debt repayments. These reports help steer the cost and volume of credit.

Retailers, who once provided local payment data to Equifax or similar agencies, no longer run their own credit programs, but instead outsource these functions to third parties. Even though a credit card may have a retailer’s name on it, most are issued and administered by a bank or financial institution.

Paul Martino, vice president and senior policy counsel at the National Retail Federation, says that it is too early to tell the full impact of the Equifax breach and how it will affect the ability of retailers and banks to rely on its credit scores.

Adam Levitin, a professor of law at Georgetown University, suggests that consumer-credit reporting agencies are like public utilities, and should therefore be subject to regulation. “Credit rating agencies, or CRAs, are essential utilities for consumer credit markets,” Levitin wrote in a blog post. “Consumer credit markets depend on the integrity of the data collected by the CRAs, and part of that data integrity is its security, as with data stolen by a CRA it’s possible to open false accounts.”

Levitin has suggested a system in which the CRAs’ ability to pay dividends to shareholders and to dole out executive compensation would be restricted and tied to meeting various performance standards relating to the accuracy of consumer files, dispute resolution and data security. His proposal would pass along the cost that is now imposed on consumers, who are the actual victims of hackers, to the consumer-credit companies.