A few days ago, Equifax, one of the Big Three credit reporting agencies, admitted that the personal data of 143 million consumers had been compromised. This is not the biggest data breach ever, but it might be the worst. After all, Equifax is not just any company. It’s a company whose main job is collecting masses of private financial data—and it does this even though it has neither a business relationship nor explicit permission from the people it monitors. This is a massive and unprecedented FUBAR.
(For more on why the Equifax breach is even worse than you think, Michael Hiltzik explains here.)
I am no fan of the credit reporting business, one of the most arrogant and anti-consumer industries imaginable. Twelve years ago I wrote about them for the Washington Monthly, and it’s startling how little has changed since then. I could republish the story today with only the most cursory changes.
For example, part of my piece was devoted to “credit freezes,” something you may have heard a lot about lately. This is an action you can take to protect yourself in case of identify theft: if you ask for your account to be frozen, credit agencies will furnish a credit report only after they’ve confirmed that it really is you who applied for credit. This stops identity thieves in their tracks: if they apply for a credit card in your name, the credit agency will call you first. When you tell them you never applied for the card, it doesn’t get issued.
But this really shouldn’t be an option you have to request. It should be routine for all credit transactions. The reason it isn’t is because it’s inconvenient for the credit reporting agencies, who have fought regulation on this topic tooth and nail. It’s also because they literally make money on identify theft—no, that’s not a typo—and therefore don’t have much incentive to do anything about it.
Still, as much as I think all accounts should be frozen by default, my solution to the problem of identity theft isn’t to force the credit reporting agencies to freeze or unfreeze accounts—or to force them to do anything else. It’s to make them responsible for all damages related to identity theft and then let them figure out the best solution. Here’s what I wrote in my Monthly piece:
There is a successful precedent for this type of approach. In 1968, Congress passed the Truth in Lending Act, which imposed a variety of regulations on the lending industry. One notably simple provision was that consumers could be held liable for no more than $50 if their credit cards were stolen and used without their authorization. For anything above that, it was the credit-card issuer who had to pay. The result was predictable: Credit-card companies have since taken it upon themselves to develop a wide range ofeffective anti-fraud programs. Congress didn’t tell them to do it, or even how. It just made them responsible for the losses, and the card issuers did the rest themselves.
The same method should be used for identity theft. There’s no need to create mountains of regulations, which are uniformly despised by the credit industry. Instead, simply make the industry itself—and any institution that handles personal data—liable for the losses in both time and money currently borne by consumers. The responsible parties will do the rest themselves.
There’s more to say about this, but sadly, my piece is no longer available at the Monthly site. The great linkrot plague has devoured it. Luckily, I’m a magazine packrat and I still have a dead-tree copy. So I scanned it and turned it into a PDF. Click here to read it—and to find out just why I hate the credit reporting agencies so intensely. It’s worth your time, especially considering how little has been done about this over the past decade. It represents one of the all-time abject surrenders to Big Finance, and it’s something the Elizabeth Warren wing of the Democratic Party should be all over. The time for small-bore proposals is over. It’s time to make the credit agencies—and others—pay for their flagrantly careless behavior. When they allow someone to steal your identity, they’re the ones who should pay the price, not you.
UPDATE: The Wayback Machine also has a copy of my article. I shoulda checked! Click here to see it.