Eric Zorn (a columnist for the Chicago Tribune) asked a couple of good questions in his column yesterday:
Why do consumers have to contact Equifax to find out if their data was hacked? Since Equifax apparently knows whose data was hacked (else how could they tell consumers when they ask), clearly has contact information for those people, and (also clearly) was at fault for the breach, why aren’t they reaching out to consumers to let them know their data was compromised?
Consumers can get a year’s free credit monitoring from Equifax on demand. Why do consumers have to ask? Why don’t they just provide the service free for a year to everyone, without them needing to ask for it?
I don’t think Zorn asked this one: Since “freezing” credit data seems to be the only defense to having a third party open accounts in your name, why isn’t Equifax automatically doing this and letting consumers opt out if they wish? It also seems to me that Equifax could cut a deal with Experian and Transunion to provide free or very inexpensive credit freezes that Equifax would pay for.
Is there some legal BS reason why Equifax isn’t doing all this? I was thinking that this would be an admission of fault, but it seems to me they’ve already admitted they were at fault.
What should happen to Equifax in light of the breach? I’m assuming they’ll get hit with a fine, but I suspect it won’t be large enough to really deter the kind of negligence they’ve exhibited. Given that, I’d like to see consumers get the opportunity to prevent Equifax from storing their data – let the companies that want your credit data go to one of the other firms. Yes, this may put Equifax out of business – but is that such a bad thing?
I’ve been told if the reason for a decision is not immediately evident the reason behind it is almost always sex or money. If I had to guess in this case I’d go with money.
Consumers aren’t Equifax’ customers. Credit reporting agencies’ customers are lenders. Of course, in this case Equifax has lost so much data that many of its actual customers’ data will be compromised too. As for preventing Equifax from storing your data, the only way to prevent that is to refuse to do business with lenders who work with Equifax. It’s probably not impossible; I vaguely recall that our mortgage lender only requested reports from TransUnion. Regarding credit freezes, it’s unlikely that most people affected will actually want them (whether or not they are advisable). So it doesn’t make sense to make freezes an opt-out thing.
Without more than just, “hackers have your personal data,” Equifax is not actually liable for anything. AFAIK, people affected will have to show actual monetary damages (though there may be some federal statute that says otherwise; it’s not my field).
Why do the credit reporting agencies have the right to store and disseminate data about me without my permission? Why do they have the right to make money off my data and not pay me? Seriously, who decided these data are available to business enterprises without any consideration of the rights of the person who actually owns the data? Or don’t I legally own the data? If I don’t own the information, who does?
So most people don’t want credit freezes. Still, given that Equifax caused the problem, shouldn’t they be responsible for effecting and paying for credit freezes? If nothing else, I should be able to call a toll-free number, validate who I am (the same as when calling for your free annual credit report) and opt in to credit freezes for all credit reporting agencies, that Equifax will have to put into effect and pay for.
Are you sure this is true? Have you read all of the fine print in all of your credit lines? You probably have given permission for all of this, and more.
It’s obvious they’re doing it without your knowledge, but I agree with Zipper that they almost certainly have your permission – unless you’re that one person in 100,000 (or 1,000,000?) who actually reads everything they’re signing to.
It’s not a matter of owning the information, it’s a matter of having the right to use it in various ways. A right which, again, you have almost certainly granted, whether you knew it or not.
Have you ever borrowed money from a professional lender? If you haven’t used credit at all, or none but borrowing from friends, then all they probably have on you is basic public record info like a name that a credit report was run under. If you have borrowed money, then you signed a form giving the lender permission to share your info with the credit reporting agencies. Part of the reason there’s a big long contract is that it covers things like this. Also, some things like bankruptcies and evictions are public record and so don’t need permission to go on the credit report.
Fundamentally what they’re doing is a scaled up version of a person in a small town getting all of the stores and people who loan money to tell him who pays back their debts and who’s in arrears, then showing the info to anyone who’s thinking about loaning money to a new person. If you don’t want him to have your info, then you can only borrow money from people who don’t talk to the guy, but most people who lend money make being allowed to talk to the guy a condition of you owing money.
Basically because any of those things would cost them money and no law obliges them to. What other answer did you expect? Now maybe a giant class action suit with 300,000,000 litigants might change their mind.
I agree they are within their rights to gather and sell this info, but I’m not sure why they oughtn’t bear the costs when they fail to safeguard it. Of course, I suspect the answer is that big money is generally favored over the consumer.
NOTE: Eric is a pretty good friend of mine, and plays a mean fiddle. It is truly nice to have a relatively prominent columnist whose views so often closely resemble mine.
I don’t think there’s much doubt that they are liable. Again, the issue is likely to be whether those affected can prove actual damages.
The idea that people can’t keep information about you for a profit is rather a novel one. Except for certain information which we have made exceptions for (e.g., medical records), anyone can keep any information about you they like, so long as they obtain the information legally. They can also disseminate that information, so long as it’s accurate. Suppose, for example, that I know your date of birth because your friend told me. There is absolutely nothing that prevents me from telling a third party when you were born in exchange for five dollars.
Equifax just does the same thing, on a much larger scale - and under greater constraints, since it is subject to the Fair Credit Reporting Act. You had the absolute right to opt out of the system, but you waived that right when you signed up for mortgages, credit cards, auto loans and so on. If you don’t want Equifax keeping information about you, stop borrowing money and wait seven years.
Haven’t really thought too hard about this, and am not in any way expert, but it does seem as though they disadvantaged people by failing to safeguard the info they amassed. If nothing else, freezing one’s credit (and eventually unfreezing) will cost some tens of dollars, and some amount of time and inconvenience. Seems to have been reasonably foreseeable and avoidable.
That’s not really a right to opt out. That’s like saying we could opt out of Freddie Mae and Fannie Mac by not using money. Simply participating in the economy uses them, without any choice in the matter. They have a triopoly with the other two. There is no reason this couldn’t be handled by a government entity.
And I’m definitely going to become homeless to prevent an incompetent organization from mishandling my data. How in the world is that a reasonable action?
I have every reason to believe they will hold on to my data without breaches, and there is clearly actionable harm. There’s a reason they tried to get people to waive their rights.
There is no free market here. There is no opt out. These guys handle all credit–the thing our economy runs on.
It’s irrelevant whether the opt-out is reasonable. Equifax doesn’t make you give them your data. They don’t make the rules. Lenders do. You can borrow money without using lenders that report to credit agencies, but your rates will be higher because those lenders don’t know if you’re a deadbeat.
Yes, you can view it as lenders pooling repayment data, and outsourcing the management of that data.
I think the fundamental problem is really this broken model of treating our SSNO as a secret password. And that extends wider than just the credit agencies, with fake tax returns for example.
That’s what really creates the dangerous exposure to identity theft.
We both know that this is not a solution to prevent Equifax keeping information about you. Equifax keeps/disseminates far more information than just money borrowed. If you really want Equifax to stop keeping information about you, you literally have to drop off the grid – no job, cash only, no names, no rent, no ownership of anything that must be publicly registered, etc.
Bottom line, holding credit dossiers on the entire populace is something too important to be left to government and too risky to be left to private industry. So what are we to do?
I don’t object as much to private industry maintaining such records, as I do to their externalization of the costs resulting from their failure. I’m not sure why those costs cannot be built into the system, rather than imposed on every person on whom records are kept.
If I injure someone, I do what I can to make them whole. I don’t simply point them in the direction where they can spend their own time and money to do so.
Is it intrinsically risky? It seems to me that the risk stems from the fact that the provision of a name, a SSNO and a few other pieces of personal information is sufficient to steal an identity - to borrow money, to file a tax return. This is what needs to be reformed with a more secure procedure, including a security reset if we suspect our information has been compromised.
We had our identities stolen after the Anthem breach. Someone got away with nearly $10k after filing fraudulent tax returns using our names, SSNs, address, prior year’s AGI – all of which Anthem conveniently provided to them.
Identity theft is no fun. It’s been a constant PITA to deal with the IRS and state tax bureaus, the police, enrolling in credit monitoring, having to contact all the agencies to freeze our credit, then having to contact them and pay a fee to unfreeze our credit every time I wanted to open up a legit account in my name, etc. We moved primary residences, bought a second home, and financed a car all in the years after the breach, and having to deal with these agencies is a major headache.
Our only remedy from Anthem was them giving us 2 years of credit monitoring for free. Big whoopie. Now we have to pay for it on our own ($15/month) for the rest of our lives, because now our information is out there. Who knows when they’ll attempt to use it again?
My only advice in all of this is to get a PIN for your taxes NOW. Otherwise, they may try to use your information to get a fraudulent refund. It’s inexplicably easy to scam the government. Tax fraud is in the BILLIONS now.