Equifax breach shows the need for radical overhaul in privacy laws

“I don’t pay extra in a restaurant to prevent the waiter from spitting in my food,” Sen. John Kennedy (R-La.) said during a Senate Banking Committee hearing on the Equifax breach. “I think this is a very clever business model you’ve come up with.”

The tone of the questions and comments hurled at former CEO Richard Smith during the two-day hearing may suggest a sea change in the way the legislative branch views consumer privacy — hopefully one that will change the way our legal system handles it in the future.

The hearings were held on the heels of some epically bad news. Up to 145.5 million people would never again experience the relative tranquility of hoping (with fingers and toes crossed) that their sensitive personal information was safe.

{mosads}What a difference a week can make!

The Equifax breach was the worst of its kind, exposing the kind of granular data — Social Security numbers, birthdates, even driver’s license numbers in some cases — that in the wrong hands can be readily converted into a lucid nightmare for consumers. The potential crimes range from account take-over to new account fraud to child identity theft to theft of healthcare services — even criminal acts committed in a victim’s name.

When Equifax announced that it was open season on the consumers exposed by the breach, the company’s former CEO Richard Smith stepped down. That he was filleted by several congressional committees should not come as a surprise. It’s high time lawmakers focused on our nation’s breach epidemic.

Rewarding bad work

One issue that lawmakers were fixated on was Equifax’s $7.5-million contract with the Internal Revenue Service to verify taxpayer identities and prevent fraudulent access to data. That it remained a no-bid gig in the wake of the breach was a head scratcher for most people, including, surprisingly enough, members of Congress.

You know the old rub: Sometime the jokes just write themselves. Kennedy earned the zinger of the day when he remarked, “You realize, to many Americans right now, that looks like we’re giving Lindsay Lohan the keys to the minibar.” 

“I won’t ask for a show of hands in the room, but I don’t know who would want to say we should buy fraud protection from the people who were just hacked and dumped 145 million American records,” said Sen. Ben Sasse (R-Neb.). 

Demanding competence and change

Sen. Elizabeth Warren (D-Mass.) focused attention on what should be the main takeaway from the hearing. “Equifax and this whole industry should be completely transformed,” she told Smith. “Consumers — not you — should decide who gets access to their own data.” 

At issue, finally, is the conundrum of credit monitoring in the first place. Consumers benefit from the credit offered to them by businesses and banks, but banks and businesses can’t know whether a person is a good risk for that credit without having some fairly granular information about them: Do they pay their bills on time? How much money do they owe to their creditors? How long have they been using credit? How varied is their use of credit (i.e., do they have a mortgage, a car loan, credit cards)?

Sen. Sherrod Brown (D-Ohio) pointed to medical information disclosure laws as a possible model for a new, safer credit rating system. Brown specifically touted the possibility that consumers could request to have their information deleted from the credit reporting bureaus. While such a move would limit consumer credit opportunities because they would exist outside the credit ecosystem (as Smith pointed out)—it could be one solution. 

The first thing that we can demand is that better disclosure laws become the law of the land, and not something that varies from state to state as is presently the case. 

Secondly, however it is arranged, now is the time to work on ways for consumers to have more control of their information. If someone wants to get off the credit grid, they should be allowed to do that.  

The laissez-faire idea needs to go the way of the pterodactyl 

We’ve heard it before: Let business take care of consumers; it’ll work out. The free market is sentient. Everything will be fine.

Let business take care of environmental stewardship. Let business take care of the architecture of a workable national gun ownership plan. Let business take care of making sure consumers aren’t swindled while managing their personal finances. Let business take care of a consumer’s privacy and security while making a bundle on advertising that markets goods and services to them. 

The solution to these non-starters may be spurred by the current crisis. Make no mistake, it means we’re going to see wild over-reaching and wild over-corrections in the mad rush to secure consumer privacy. But one thing is certain: We’re at the beginning of a consumer revolution.