How to Respond to the Equifax Breach
The release of sensitive information about 145 million Americans has drawn attention to the role that Equifax and other credit reporting agencies play in the economy—and left many consumers feeling powerless to control their personal data and safeguard themselves. Yale SOM’s Shyam Sunder proposes putting the burden for protecting identities back onto major companies.
The breach of personal data on millions of citizens from Equifax has generated widespread concern about its consequences. The possibility that the stolen personal data may be used by miscreants for obtaining credit under faked identities is especially troublesome. While Equifax and some other credit reporting agencies have offered credit monitoring or freeze services, such offers have not been welcomed by all. Since the “free” credit freezes will expire after a year, many critics see such offers as a means of making more money for these agencies through credit freeze fees in the following years. The use of compulsory arbitration clauses, notorious for their business-friendly biases, is a second problem with these offers.
Congressional hearings taking place in the week of October 2 suggest some interest among the lawmakers to protect citizens from the credit-reporting oligopoly. Perhaps Congress could require the creditors—banks and merchants—to obtain direct verification of the credit applications from the respective borrowers before they extend credit. If they choose to extend credit without direct verification of the credit application, their claims on borrowers will not be enforceable. If they extend credit on the basis of a fake verification (based on stolen identity), the creditors will have to pursue their claim with the miscreants, or the agencies that leaked the information that facilitated fake verification.
Under such a regime, creditors and credit reporting agencies will have to deal with each other as business organizations on matters of personal data security. They would have the appropriate economic and organizational resources to keep proper checks on the handling of personal data; this is a function which is well beyond the capacity of 330 million citizens of the United States.