It’s been almost two weeks since Equifax reported the hack of 143 million consumer records. Already, we are getting a picture of how the public reacts to a breach of such proportions.
Equifax, one of the three major credit reporting agencies, stores a remarkable amount of information on individuals in a single place. A hack of a bank, retailer or credit card company, while serious, might involve only account numbers and names.
As a literal storehouse of consumer credit data, Equifax records grouped names and addresses with associated dates of birth, Social Security numbers, bank accounts, credit accounts, loans and other personal financial information and histories. All that together makes the information a gold mine to identity thieves.
As folks begin to comprehend this, we’re learning the first lesson: consumers will place security over convenience.
Equifax — along with Experian and TransUnion, the two other credit reporting agencies — are seeing their websites inundated with requests for credit freezes. Speaking from personal experience, this is a cumbersome process. You are required to fill out large fields of information and create passwords and PINs for each adult member of your household. Depending on the state where you live, Experian and TransUnion charge as much $10 for each freeze.
Equifax currently is abashed enough to waive this.
With a freeze in place, consumers cannot take advantage of any “instant credit” offers because merchants can no longer get a credit report on the fly. This adds time and effort when it comes time to lease a car, rent an apartment, purchase a new sofa or apply for store credit because a consumer must first contact the credit agency to lift the freeze. Yet the Equifax debacle is showing us that many think the added hassle is worth the peace of mind.
This should be worrisome for the e-commerce barons who are building their business models on collecting and exchanging consumer information in return for speed and easy access to services and apps. If consumers are uncomfortable with how their personal data are curated, they might just unplug Alexa and Google Home and banish them to the attic.
A second lesson is that barriers to entry in credit reporting must come down. Hacks like these bring immediate calls for more regulation. Their scope can make it politically difficult for cooler heads to assess the cost-benefit ratios before laws are passed in the rush to “do something.”
As the Competitive Enterprise Institute’s Jim Harper points out, the credit rating cartel, of which Equifax is a part, is a result of the 1970 Fair Credit Reporting Act. As products of regulation, Equifax and its fellow credit agencies have to meet only the requirements of the law, not the industry best practices, which have more than eclipsed the FCRA’s 45-year-old standards.
Over the decades, this has made the agencies complacent. While the hack may have been due to a vulnerability in software, a patch for that fault had been available for months. Equifax failed to keep up.
Before enacting new laws that will only bake in more complacency, now is the time to consider whether deregulation would result in an increase in consumer options for accurate and secure credit reporting.
A third lesson is that the government should stop encouraging the assignment of Social Security numbers at birth. This simply enables lazy institutions to use an official government-issued identifier as a catch-all tag on everything from medical records to school lunch programs. There is no upside for the consumer. Social Security numbers do not serve their intended purpose until a minor takes his or her first job, usually at age 15 or 16, but often later.
The onslaught of hurricanes this fall has kept Equifax hack off the front page. But the hack is its own gathering storm.
There’s going to be bipartisan support for a response. Let’s be sure cooler heads prevail with policies that truly work to curtail future breaches, not facilitate more.