Equifax Lobbied For Easier Regulation Before Data Breach

WSJ reports: Equifax was lobbying lawmakers and federal agencies to ease up on regulation of credit-reporting companies in the months before its massive data breach. Equifax spent at least $500,000 on lobbying Congress and federal regulators in the first half of 2017, according to its congressional lobbying-disclosure reports. Among the issues on which it lobbied was limiting the legal liability of credit-reporting companies. That issue is the subject of a bill that a panel of the House Financial Services Committee, which oversees the industry, discussed the same day Equifax disclosed the cyberattack that exposed personal financial data of as many as 143 million Americans. Equifax has also lobbied Congress and regulatory agencies on issues around "data security and breach notification" and "cybersecurity threat information sharing," according to its lobbying disclosures. The amount Equifax spent in the first half of this year appears to be in line with previous spending. In 2016 and 2015, the company's reports show it spent $1.1 million and $1.02 million, respectively, on lobbying activities. While the company had broadly similar lobbying issues in those years, the liability matter was new in 2017.

They knew

[Calydor]

They knew about the breach when they started lobbying for that. LONG before the poor schmucks were allowed to know about it.

Re:They knew

[MickyTheIdiot]

The corporate death penalty, i.e. the loss of charter, needs to be a thing. The possibility of all the stock becoming worthless would be a great tool in getting corporations to actually follow the law.

However since we have a congress that is OWNED by corporations there isn't a way for it to happen.

Re:They knew

[MickyTheIdiot]

The executives and management should be held personally responsible

Though I agree in this case, this is a dangerous line of thinking — not entirely unlike blaming a rape victim for wearing too short a skirt...

This is the worst simile I have EVER seen on Slashdot. That's saying a lot.

The corporate CxOs are NOT the victim in this scenario. The corporate worshipers on /. and the Internet love to tell us that the executives deserve huge pay packets because they are responsible. However in *every case* when something happens that hurts thousands of people they are always don't know what happened. Executives hold responsibility and deserve what they are paid or they don't know what is going on and they are overpaid. You can't have it both ways.

The CxOs were the benefactors of the malfeasance. Calling them rape victim is idiotic.

Re:They knew

Though I agree in this case, this is a dangerous line of thinking — not entirely unlike blaming a rape victim for wearing too short a skirt...

I think your analogy is a bit flawed. Let me expand...

EquiFax isn't the one wearing the short skirt. EquiFax is the pimp that forced their entire involuntary stable (those who's credit is checked) to wear short skirts as to be more attractive to the johns (those doing credit checks). The rapists (hackers) are certainly in the wrong but rape or no rape of the stable, the pimp is still in the wrong. The pimp forced the short skirts specifically to entice johns not as a fashion choice. Remember - nobody is in the stable by their own choice and nobody wears short skirts by their own choice.

This is another case of one party making a decision about risk where they will enjoy any positive consequences but other people will be left to deal with any negative consequences. The word for the phenomenon is 'externality'.

EquiFax was an accessory if not an accomplice to the crime so stop feeling sorry for them. The victims are the 'stable' who's information, stored against their choice, has been stolen.

cyberattack?

Equifax disclosed the cyberattack

Welcome to the age of "cyber war", where every crap system connected to the internet can hide under the umbrella of an "attack" rather than face the consequences of a complete disregard for properly designed information security.

This will be proof that fewer regs are needed

[sandbagger]

If only they could have been freed from the yoke of these onerous, confusing regulations, this never would have happened!

Just think...

[Gravis+Zero]

Your data wouldn't have been given to criminals if they had invested that $500K in security.

Re:Just think...

[markdavis]

>"Your data wouldn't have been given to criminals if they had invested that $500K in security."

Actually, according to the summary, they spent at least $2.6 MILLION dollars in just the last 2.75 years, alone. Imagine how much that money COULD have done if they had used it to hire a few good security engineers and made meaningful changes.

Re:Investment

[Archangel+Michael]

Actually, the cost of doing business it is always cheaper for lawyers than just about anything else. Lawyers keep you out of Legal Danger (or at least are supposed to).

And until the Corporate board and the CxOs and the Shareholders are held accountable, nothing will actually change.

The only way to solve this problem is start charging the bigwigs at the top for criminal negligence of the corporate culture they foster. Followed by Corporate Death Penalty where the corporate charter is revoked. When shareholders are caught empty handed with nothing to show, they will DEMAND corporations uphold their due diligence and actually start protecting their data.

Lastly, I would suggest that the default nature of Credit is keeping it in a frozen state. It should take extraordinary effort to open credit account.

Sounds familiar

[smooth+wombat]

I clearly remember the banks and Wall Street firms lobbying Bush and Congress not to implement any new regulations back in 2006. Their words were, more or less, any new regulations would kill their competitive nature on the world market. Trust us, we know what we're doing.

The following year we know what happened.

Now here we are again, with a very similar situation. Regulations are evil! Don't kill us with regulations, bro!

I can guarantee not a single executive at Equifax will go to jail or pay a fine. Further, every excuse imaginable will be given why requiring such breaches to be announced immediately should not be done.

In a few years, this will happen again and everyone will look around and ask, "How did this happen?"

Hangin's too good for 'em

[Rick+Schumann]

You think maybe Equifax is exemplar of all the other credit reporting agencies? I think they might be. I think there needs to be some corporate nutsacks put on the congressional anvil, with liberal application of the judicial sledgehammer over this, to ALL of them. It's bad enough that jackass businesses like Facebook and Google and ISPs are invading our privacy, but companies like these credit reporting agencies MUST BE ABOVE REPROACH AT ALL TIMES OR THEY ARE WORSE THAN USELESS. It is totally, completely unacceptable that this happened at all and it has to STOP.

regulation is always bad for business

[Revek]

Its normally quite good for the public, though you couldn't convince them of that since they get their swill from big media.

Re:regulation is always bad for business

[HiThere]

It's normally good for the public until regulatory capture happens. Then it continues to be slightly less bad for the public...but often only slightly.

Regulators need to be forbidden to accept payments from the groups they regulate not only while in office, but also after leaving. And that includes jobs.

Re:Investment

[MickyTheIdiot]

The constant whine about regulations when as a country we pretty much allow our large corporations to get away with anything is rather tiresome.