Because of lax security at Equifax, one of the three major credit reporting companies, the private financial and personal details of as many as 143 million Americans have been exposed to hackers. We still don’t know what the full ramifications will be; the people who took this information — which includes birth dates, Social Security numbers and addresses — could hold on to it for as long as they want and deploy it in years to come.
Many consumers have scrambled to try to protect themselves. To anyone who tried to get through to Equifax customer service, though, it became clear: The company does not care about us. Months before the hack itself, Equifax could easily have patched the hole in its system that hackers exploited, but it simply didn’t.
That’s because we are not the customers of credit reporting companies, but the product. These private institutions hoover up our data, often without our knowledge and consent, and then sell it off to banks, landlords and even prospective employers. The companies rake in some $10 billion in revenue every year. They wield enormous power to ruin our lives — if not through a data breach, then through errors on our credit reports. One in four consumers has an error on his credit report that could affect his scores, yet it can be very difficult to correct the record.
Although they call themselves bureaus, there is nothing governmental about what these private companies do. We let them take on a role that can have outsize consequences. And the free market doesn’t work here, because none of us can refuse to be a part of this system and opt out if we don’t like how we’re being treated. There’s no legal right to ask Equifax to remove your data from its registries or to stop it from getting more in the future.
Why should we continue to allow private companies to make money from us while ignoring our needs? Let’s nationalize Equifax and the other two major credit reporting companies, Experian and TransUnion. We could follow other countries’ example and hand the duty of tracking our financial histories over to a public registry instead of a private profiteer.
Equifax is the oldest of the Big Three credit reporting bureaus, and it got its start as a private investigator in the late 1800s. A client — a business or a bank — would ask it about a consumer, and it would go about digging up dirt on things like marital problems and convictions. That client would then pay it for its services.
This questionable business model raised eyebrows in the 1960s, when the companies were still compiling information on people’s “moral character,” such as affairs or drinking problems. At the time, the reports weren’t available at all to the subjects themselves. That changed with the Fair Credit Reporting Act, which was signed in 1970. But even that reform put virtually no oversight on the bureaus’ practices.
Things haven’t changed all that much. Those who want to dig up dirt via a credit report pay one of the Big Three companies and voilà, they have a dossier of financial information.
The first step toward fixing this mess would be to limit who can use these reports and reduce how influential they have become. Credit reporting companies have experienced quite the mission creep over recent years. In 2010, 60 percent of employers used credit reports to evaluate potential hires. That means that a report that workers have no control over and frequently don’t even get a chance to see, which can have at least one error, is helping determine whether or not they get a job.
There’s no good reason for employers to use this information — credit reports haven’t been shown to predict employee performance. Senator Elizabeth Warren of Massachusetts agrees, and just reintroduced a bill that would bar employers from asking for credit histories.
But even such a crackdown wouldn’t fully get rid of the danger the credit reporting business model poses to people’s financial lives. Instead, given how poorly they operate and how little incentive their business model gives them to improve, their duties should be handed over to public institutions.
In at least 40 other countries — including Belgium, France, Germany, Italy and Spain — credit reporting can be done by a public credit registry. It is usually operated by a central bank that already oversees the financial institutions that feed information into the reports. These reports tend to be more accurate because the operators have a legal right to demand data from banks as well as a mandate to ensure it’s correct and that errors are fixed. Data on late payments and defaults are erased once a consumer has settled up.
Many of these public registries leave out things like medical debt, tax information and personal details like marital status, focusing only on loan amounts. Only about 40 percent of registries collect consumers’ addresses, and two-thirds collect taxpayer IDs — the kind of information leaked in the Equifax breach.
The United States government is, of course, not impervious to data breaches, nor does it have a perfect track record of fending them off. In 2015, it announced that hackers had stolen “sensitive information” on 21.5 million people. But the government is at least accountable to public pressure. Equifax never will be, even under the tightest regulation. Credit bureaus have proved to be complete failures at safeguarding the public. Let’s demand we get our data back.
By Bryce Covert