Opinion: The government has moved on from the Equifax breach, but you shouldn’t

Reuters
Equifax disclosed a major data breach a year ago Friday.

A year ago, Americans learned that a company that warehoused their personal information without their express permission had failed to safeguard that data, exposing to unauthorized access the personal data of more than half of all adults in the country.

And then ... nothing happened.

The Equifax Inc. data breach should have been a wake-up call for the U.S. government, sending a clear signal that new safeguards and penalties needed to be enacted to protect Americans and their data. Instead, legislators brought the Equifax chief executive to Capitol Hill to yell at him and pretend they cared deeply, then largely moved on to the next ineffectual hearing.

That CEO, Richard Smith, eventually stepped down, walking away with $18.3 million in pension benefits. Two SEC cases alleging insider trading among certain Equifax executives after the breach are still ongoing. The Federal Trade Commission has taken no action. Another investigation opened by the Consumer Financial Protection Bureau is ongoing.

“No public enforcement actions have been taken by either agency in response to the breach,” wrote Sen. Elizabeth Warren of Massachusetts and Rep. Elijah Cummings of Maryland, both Democrats, in a letter Thursday to the chairman of the FTC and the director of the Office of Management and Budget as they shared a Government Accountability Office report on the breach. “Credit Reporting Agencies (CRAs) should be given special attention by regulators because of the unique characteristics of the industry.”

Perhaps it is unsurprising that the FTC has not cracked down on Equifax, since President Donald Trump appointed a lawyer who has represented the company as the head of the agency’s consumer protection division. The CFPB has been thrown into turmoil by the Trump administration as well, leaving that agency mostly toothless.

This column suggested in the wake of the Equifax disclosure last year that it was investors who should bring the wrath of Americans on the company, because why would anyone invest in a data-warehousing company that failed at literally its only job? For a while they did, but the declines were short-lived — Equifax’s stock was down less than 5% in the past year at the close of trading Thursday, and had gained 15.1% so far in 2018, almost double the 7.7% gain of the S&P 500 index.

The stock’s recovery could have been predicted, since Equifax said that its total costs related to the incident came to about $300 million, with $75 million covered by insurance. The costs entailed transforming its IT and security infrastructure — which was obviously needed — and legal fees, and are a drop in the bucket for a company of Equifax’s size and scale. In 2017, its annual revenue was $3.4 billion, and sales have not fallen off, rising 3.2% through the first six months of this year.

At this point, it seems Equifax will move on and avoid any long-term pain beyond having its name become permanently synonymous with “data breach” in most Americans’ minds. Consumers, though, must agitate for permanent changes to address the glaring need for government regulations and penalties that protect our data.

Another idea that has been espoused by privacy advocates is for the U.S. to create an agency or an entity charged with the protection of consumer data. Such an agency or authority would have the required expertise and could enforce data-protection standards on credit-reporting companies like Equifax, financial institutions and other companies that are repositories of sensitive consumer data, ranging from Facebook Inc. to the Alphabet Inc. unit Google to Amazon.com Inc.

Under the Trump administration, though, creating another government entity is not exactly a popular idea, and none of the attempted legislation in response to the Equifax scandal called for the creation of a new entity focused on data protection and privacy.

Such an entity, though, could address consumer privacy across all other areas, such as transportation and education. “It seems more effective to have this one agency than to try to put privacy experts in every agency,” Bannan said.

States including California have been enacting their own privacy laws, but privacy advocates fear that weak federal privacy policy under the current administration could supersede more stringent local legislation.

“It’s hard to think of what would be bigger than Equifax disclosing half the country’s Social Security numbers and Facebook and Cambridge Analytica influencing the election — that would seem to be a watershed moment,” Bannan said. “But it’s a hard time politically.”

Americans should not let the government use the “it’s a hard time politically” line as an excuse to not do its job. We deserve protections for our data, which grows more valuable by the day, not least because artificial intelligence depends on more and better personal data for improvements. We must hold our leaders accountable for not making it happen in the past year, and we must demand they catch up now.
