Sort by

The Equifax Hack: We Need to Better Regulate Credit Reporting

Amy Traub

Your personal data was very likely stolen by hackers this summer—yet Congress wants less oversight of the company that failed to keep our private information safe.

On September 7, the credit reporting company Equifax revealed it had experienced a gigantic data breach affecting 143 million American consumers, equivalent to half of the U.S. population and nearly three-quarters of consumers with credit reports. Social Security numbers, birth dates, and drivers’ license numbers are among the pieces of sensitive data potentially compromised. To prevent identity theft, consumer advocates recommend that people who may have been affected by the breach consider placing a security freeze on their credit reports with all 3 of the major credit reporting companies. Experts at the U.S. Public Interest Research Group have additional tips for consumers dealing with the breach.

Why did the breach occur? Hackers are always on the lookout for vulnerabilities, and the New York Times reports that Equifax failed to improve its security practices after it experienced previous data breaches that devastated consumers. It’s worth considering Equifax’s business model and why it neglected to invest adequately in protecting consumer data.

Equifax, a multibillion-dollar private business, profits by gathering and reporting private financial data about individual consumers, often without their knowledge or permission. When Americans apply for any type of credit or loan, try to purchase insurance, apply for a job or rent an apartment, the lender, insurance company, employer or landlord can purchase a report of the consumer’s past borrowing activity (a credit report) from Equifax or one of the other two massive credit reporting companies. Individuals have no right to opt out of data collection or to cease doing business with Equifax. For more on the many problems with the for-profit credit reporting model, including the ways that the misuse of credit reporting can reproduce and deepen racial inequities, see Demos’ report Discrediting America.

The upshot is that while Equifax trades in our personal information, their profits derive primarily from the big lenders and insurance companies that use our data to determine who to lend to and how much to charge. Those corporations are the clients Equifax serves; American consumers are merely sources of marketable data.

The latest data breach is just another sign that credit reporting companies lack sufficient stake in the integrity of consumer information. If we’re going to continue to have a private, for-profit credit reporting system, companies must be subject to close oversight and regulation. As a last resort, consumers who are wronged by credit reporting negligence—which could cause them to become victims of identity theft, be shut out of job opportunities, be denied loans or pay much higher interest rates—must be able to hold companies fully accountable in court.

And yet on the very day that Equifax revealed the massive breach of consumer data, the House Financial Services Committee was holding hearings on legislation to reduce consumers’ ability to hold credit reporting companies accountable for their failures. Demos joined consumer advocacy organizations in a letter of opposition to H.R. 2359, the FCRA Liability Harmonization Act, arguing that the legislation would restrict Americans’ access to justice and reduce credit reporting companies’ incentive to abide by consumer protections.

At the same time, Congress is trying to undermine the Consumer Financial Protection Bureau, which regulates and oversees credit reporting companies along with other types of financial services companies. The Equifax hack vividly illustrates why we need that oversight and regulation strengthened rather than rolled back.