Starting in May, hackers breached the huge U.S. credit reporting agency Equifax. The company learned about the incursion in July but only revealed it publicly this month. Ironically, the long-term solution to this problem lies not simply in greater secrecy or security. Rather, it also depends upon greater transparency for an industry that for too long has evaded scrutiny from consumers and government regulators alike.
The Equifax breach alarmed consumer advocates, legislators and millions of Americans because of its size and the potentially massive consequences thanks to the nature of the information stolen. A whopping 143 million American consumers, as well as untold numbers of British and Canadian citizens, learned that their most sensitive information — Social Security numbers, names, birth dates and addresses, as well as driver’s license and credit card numbers in some cases — had been taken. In short, the hackers got all that was necessary to steal someone’s identity, giving them access to everything from medical records to bank accounts.
Understandably, demands for greater data security abound. Yet the history of the credit industry suggests that technical fixes will fail so long as the companies that delve so deeply into every facet of people’s lives operate opaquely.
Equifax and the two other corporations that dominate this industry, Experian and TransUnion, are largely unanswerable to the consumers about whom they know so much. Serious attempts to regulate the industry have foundered, at times even consolidating its clout. All of which leaves consumers exposed to exploitation and data breaches with minimal recourse.
It is a problem with a history. For much of the early 19th century, those who extended credit focused on loans to businesses. Over the course of that century, Dun and Bradstreet became a powerful arbiter for rating the credit worthiness of business people by collecting intimate information about drinking habits, “work ethic” and other personal details that might signal “risk,” compiling impressionistic and often sketchy data into composite profiles available to lenders.
By the late 19th century, these practices were applied to consumers and standardized in the form of department store “book credit” and installment plans for durable goods like sewing machines and automobiles. As buying on credit expanded, lenders sought more (and also more detailed) data on potential borrowers. Local credit bureaus mushroomed, forming a national network by the late 1930s.
With the arrival of credit cards and computerization at midcentury, the information once retained by retailers or local bureaus was consolidated in databanks — and in the hands of a small number of credit card companies and credit agencies that monitored, and sold, the financial profiles of millions of consumers.
By the 1970s, consumers recognized the power that unfettered credit agencies held in shaping their fates and fortunes. They had seen reports about outfits like the Credit Data Corp., which enabled subscribers to procure credit checks on individuals in a mere 90 seconds. And they had read about how stray remarks, “lifestyle” choices and innuendo could compromise one’s credit rating, a quantitative score that was becoming standard nationwide.
Unsavory practices later revealed in a suit by the Federal Trade Commission against the Retail Credit Co. included its agents deliberately misrepresenting themselves as they sought information, as well as false or fabricated material in consumer files, arising from the expectation that agents would supply “a prescribed amount of adverse information.” Trafficking in a mountain of detail about individuals’ “character” and habits, with few checks on the fidelity of the reporting, these agencies were rightly understood as unaccountable gatekeepers.
Protests against corporations’ ability to make consequential determinations about individuals’ lives, exposés about the accuracy of credit bureau reporting and anger that personal information could be bought and sold as a commercial product led to the first — and only — major federal legislation regulating private data collection. The Fair Credit Reporting Act of 1970 attempted to curb credit agencies’ power by permitting individuals a glimpse into the ways their data could be used against them and providing a method for rectifying the worst abuses.
The legislation entitled consumers who had been denied credit on the basis of information from a reporting agency to be advised of this fact and informed of the source of the report — although it did not mandate access to the record itself. Nor, noted one commentary, was the consumer “even advised that the record exists until it has been used for an unfavorable decision.”
Indeed, as critics quickly gleaned, even if FCRA did “involve the consumer more in the processing and selling of information about himself,” it simultaneously cemented the place of credit bureaus in American society by quieting some of the popular criticisms of them.
Nor did the legislation succeed in curbing the capricious stance of credit agencies toward individual consumers. Even after FCRA, tales of abuse abounded. Women were routinely denied auto and other forms of insurance for allegedly cohabitating with men while not married to them (whether this proved true or not). One New Jersey physician was even rejected for disability and life insurance by two companies because of a hint in his record that he lived with a single man named John — who turned out to be his 5-year-old son.
Helped along by Watergate and the Privacy Act of 1974 — which allowed citizens some access to their information in federal records — such practices got a new hearing in the mid-1970s. Many believed that stronger protections for Americans’ data were in the offing, including, as Senator Edmund Muskie put it, “an expanded law protecting the privacy of all of us, in every aspect of our daily lives.”
A federal commission took up the question of extending the Privacy Act to private entities. But the political will to clamp down on the record-keepers soon ebbed. The issue was tabled, and the commission dissolved in 1977.
The same corporations that have taken liberties with Americans’ private financial information have, of course, aggressively sought to shield their own practices from view. With no small amount of chutzpah, Retail Credit, the company sued by the FTC in the 1970s, tried to bend consumer protections to its own advantage. It argued that it would violate individuals’ privacy to allow the federal agency access to its records. This kind of cavalier behavior provoked serious criticism, and seeking to obscure its tarnished reputation, Retail Credit renamed itself Equifax. But while its brand changed, the company’s desire to evade regulation did not.
Along with its peers, the company invested heavily in swaying legislators to this point of view. As credit reporting companies grew richer in both data and dollars, that pattern has intensified. Equifax has spent almost $6 million on Washington lobbying and made more than $650,000 in political contributions (mostly to Republicans) since 2010. In the face of such concentrated power, individuals’ claims against these behemoths have barely made a dent.
It is unclear whether the current outrage surrounding Equifax will prompt a change in either its public relations or operating procedures; after all, the company routinely confronts a deluge of consumer complaints — by one estimate, an average of 31 per day since 2012.
Indeed, the company’s first (widely castigated) proposal for remedying the breach was to offer anyone willing to waive his or her legal rights a year of “free” fraud monitoring, courtesy of the very entity that had exposed individuals’ data in the first place. Perverse as that sounds, Equifax and its two peers have — remarkably — cornered the market to such a degree that they offer the only solution to a problem they have created. Today, they profit not just from their hold on individuals’ data but also from services that supposedly protect those same individuals from identity theft.
Before attention to this most recent scandal fades, Americans might ask whether the size or scale of the breach is the real issue here — or whether the problem is the seemingly unbreachable power of the industry itself, nearly a half century after the public first sought to regulate it.