Is Equifax Going to Be Punished for Losing Our Data?
In 1985, a counter-intelligence expert at the National Security Agency, George Jelen, wrote, “The power to protect [data] is equivalent to the power to control [data].” (Jelen, who was my father-in-law, passed away in 2000.) Jelen was ahead of his time in understanding how digital systems could exacerbate power imbalances. This imbalance was on full display last week in Equifax’s announcement that it had experienced a massive breach of information affecting about 143 million customers.
Unfortunately, today’s companies have found that protecting data isn’t as profitable as controlling it. In 2017, a form of data feudalism governs the digital ecosystem: Private companies control and reap value from big data with few obligations to the very people who generate their most prized asset. Equifax collects information about millions of consumers, frequently without ever having a direct relationship with them, and uses this information to generate determinations on credit. Financial institutions, credit card companies, and retailers report consumer credit activity to Equifax, which holds a treasure chest of sensitive personal information, including names, birth dates, addresses, Social Security numbers, credit card information, and driver’s license numbers. Last year, Equifax reported revenue of $3.145 billion.
If you think the data feudalism analogy is overblown, consider the fact that the basic service Equifax provides—assessing creditworthiness—is essential for everything from buying a car to taking out a student loan. Upward mobility is nearly impossible in modern society without access to credit, and our participation in this data-driven system is unavoidable.
The company hasn’t provided much detail on what occurred in this breach, blaming vulnerabilities in a “web application,” an issue presumably well known to Equifax as it played a role in an earlier breach. Equifax failed to report the breach for 40 days and directed potential victims to a website that both requests even more personal information and hawks the company’s own credit monitoring service. Altogether, it’s clear that Equifax is exploiting the utter lack of accountability when it comes to data protection under U.S. law.
There is limited incentive for Equifax to care if its data holdings are breached. Investing heavily in security doesn’t directly generate revenue and is thus harder to justify to shareholders. After weathering some bad press, and perhaps a dip in its stock price, business will likely go on as usual for Equifax, as it has for other breached companies like Target and Home Depot. Equifax’s cyber insurance is likely to cover any costs associated with the breach, including potential lawsuits.
As for everyone else, the individuals who had little say in whether their sensitive personal information was collected and held by the company? Hackers now have the keys to the kingdom of user accounts for most of the country. The only real unknown in all of this is who will now have their identities stolen, credit cards hacked, and medical records compromised.
The ubiquity of data breaches highlights not just a lack of capital investment in security, but the widespread inequality that has come to characterize the digital marketplace as a result of the federal government’s inattention. Market forces cannot correct this imbalance, as the power disparities are too large and consumers have no option for non-participation, but the government can through sensible regulation.
The goal of data breach legislation should not be to seek perfect security, a concept that Jelen called “elusive,” but to enact affirmative rights for citizens and meaningful consequences for bad actors. For example, companies should be required to tell people, at the very least, what information they hold about them and how it might be used. After a breach, any company that fails to adequately protect consumer data should face stiff fines, with the money going directly to the customers affected, and escalating repercussions for each breach. Such companies should be obligated to offer victims a credit freeze, rather than credit monitoring, and compelled to undergo yearly public audits of their data security practices. Through federal data breach legislation, the government can stem the tide of breaches by making a company’s power to control data contingent on its power to protect it.
Michelle De Mooy is director of the privacy and data project at the Center for Democracy & Technology.