Slashdot Mirror


One Year After Data Breach, Equifax Goes Unpunished (boingboing.net)

"It's been a year since Equifax doxed the nation of America through carelessness, deception and greed, lying about it and stalling while the problem got worse and worse," writes Cory Doctorow. Equifax's new CSO says they've spent over $200 million on security upgrades, in work being overseen by auditors from eight different states. An anonymous reader quotes Doctorow's response: This all sounds very good and all, but it's still monumentally unfair. The penalty for Equifax's recklessness should have been the corporate death penalty: charter revoked, company shut down, assets sold to competitors... The fact that Equifax's investors and execs kept all the money they made by risking all America with shoddy security, and that no one went to jail for a monumental act of corporate recklessness, is a moral hazard, virtually guaranteeing that Equifax's competitors will not take the care they owe to the people on whom they have amassed nonconsensual, potentially life-destroying dossiers.
Equifax's CEO and several top officials did leave the company, notes Government Technology -- but that's about it. Thus far, no financial punishment has been imposed on Equifax itself. Despite contentious hearings, no Congressional action has been taken. A few months later, the Consumer Financial Protection Bureau tabled action against the company. And while the Federal Trade Commission said it opened an investigation into the Equifax breach in September, the agency has since named as chief of its consumer protection division a lawyer who has represented Equifax. This past week, Equifax asked a federal judge to reject the claims from 46 banks and credit unions for payment of damages because of the massive data breach. The companies claimed that Equifax owes them for all the costs they incurred protecting data after the breach was revealed, costs that could easily run into many millions of dollars....

Equifax had revenue of $876.9 million during the second quarter of 2018, up 2 percent from the same quarter of last year, officials said.

6 of 88 comments

  1. GDPR and credit agencies by BellyJelly · Score: 5, Interesting

    As a European, and with GDPR in force, can I demand that Equifax delete all the data they hold on me?

    1. Re:GDPR and credit agencies by raburton · Score: 3, Interesting

      Yes, but you'll never be able to get a mortgage, loan, new mobile phone contract, insurance, etc. again.

    2. Re:GDPR and credit agencies by Anonymous Coward · Score: 5, Interesting

      It'll still depend somewhat on national implementation of GDPR quite how many rights you have in this area, as some countries tend to gold-plate the legislation.

      I work for a CRA, and we've put a substantial amount of effort into ensuring GDPR compliance. What scares me the most, though, is that the corporate attitude was to get us compliant at all costs, but that our clients' compliance was their own problem. I disagreed with this; I believe we had an obligation to at least let them know what they needed to do to be compliant with our software. It irks me that we're compliant but we knowingly allow clients to use the data in a non-compliant way.

      So make no mistake, here in my country a large number of financial services organisations are currently NOT compliant.

      To be clear though, CRAs have always had exceptions under data protection law, much as with law enforcement. This is because they tend to support anti-crime activities such as fraud prevention and detection and use their data for those purposes. It's a tough one because you could argue private companies shouldn't do this and such anti-fraud measures should be publicly run, but let's be clear, this is one area where free market competition is a good thing - having companies play each other off at providing better and better fraud prevention and detection is far better than the stagnation you'd get from a publicly run version.

      Mostly you don't have a contract with a CRA though, typically you interact with them indirectly through your credit card provider, mortgage provider, and so on and so forth. Where you do have rights under GDPR is with these guys - you can demand they cease processing your data, you can demand to see what information they have on you, and so on and so forth. That only extends to the point of provisioning a service to you however, you cannot for example demand a credit card supplier delete all data on you if you still owe them for credit card debt. You can also request that financial services organisations don't send your data to a credit reference agency, and that they don't run a credit check on you, but they may simply refuse to accept you as a client in this case.

      The biggest benefit of GDPR IMO is in breach reporting - it's now a legal obligation to let you know if your data has been stolen, this means Equifax's handling of this breach would now be outright illegal under GDPR, because they not only didn't let people know, but kept it secret for a while. GDPR requires that you inform affected people as soon as you're aware of a breach - if you don't know which of your customers explicitly were affected you have to notify the minimal possible pool that could potentially have been affected, which might be your entire client base if you don't have sufficient auditing.

      So mostly you're not going to get much more ammo against CRAs with GDPR, but it does at least enforce much higher standards on us, which IMO is a good thing. I know we're widely hated as organisations, but some of us working in such agencies do at least have morals and do our best to keep these organisations as honest as we can - I have refused to allow my team to implement certain things because I've found them to be morally reprehensible on a number of occasions. Similarly I've written extensive documents detailing ethical, and sometimes legal, problems surrounding existing software and passed them up to the directors to get the product killed, as when made aware of such issues they can't practically continue provisioning said software. You may question why I'm still even employed there given the problems I cause, but in a strange way even the directors accept, when called out on bad stuff, that I'm only keeping them honest in the way they publicly profess the organisation to be. I get a strange type of respect for helping keep the corner of the company I'm in charge of development for true to its publicly professed ideals - a kind of love/hate relationship. Make no mistake, I don't buy the bullshit the company spreads about how we're a public good, but I do at least do my bit to try and keep at least the CRA I work for firmly on the right side of the grey lines. I suspect if I didn't, we'd be just like Equifax showed itself to be.

  2. vs Facebook by Anonymous Coward · Score: 5, Interesting

    Fuckers in congress cared more about the Facebook fiasco - and that was their business model. People signed up for FB. No one signed up for Equifax. They collected and lost our data, but no one gave a flying fuck.

  3. Not News by Sydin · Score: 5, Interesting

    Corporations haven't been accountable for anything in this country for years, because those in power (yes, Democrats AND Republicans) are in their pockets. If you want to see what happens when Government actually tries to strike back at corporations with these assholes in power, look no further than the CFPB, which has had its power castrated and is currently in the process of being de facto dismantled because it ruffled too many powerful feathers by actually punishing a company (Wells Fargo) for breaking the law.

    What would have been news is if Equifax or its top brass received any actual meaningful punishment.

    1. Re:Not News by Anonymous Coward · Score: 2, Interesting

      Exactly this. You'd think it is the one area where genuine liberals and conservatives can get along because whenever I listen to reasonable people on either side talking in the absence of the other they all say similar things. Both are very concerned about corporate power and corporate accountability.

      The problem is that the controlling interests in both major parties are not and have not been in line with the people on this one for a very long time. Bill Clinton completed the corporate takeover of the Democratic party when he was in office, quite deliberately, and the Republican party has been owned by large corporate interests for longer than that. You can see the disagreement between the people and the parties in the way the Democrats deliberately and a lot would say illegally sabotaged the Bernie Sanders campaign, and in the way people on the other side elected Donald Trump. (Quick aside to those who don't pay attention: Trump is no anti-corporate crusader, but at least he's not afraid to call out wrongdoers and he is genuinely and vehemently disliked by the Republican party leadership--as are most of his supporters, and the feeling is very mutual.) One thing I said about the primaries was that Bernie and Donald both had very different solutions to our economic issues, but they both correctly and surprisingly identified the causes of the problems. Simply identifying the problem and calling out corporate corruption was an act of blasphemy completely beyond anybody else on either side in that race.

      Conservatives in particular ought not to be corporate apologists. Large corporations are not the embodiment of capitalism, they are its antithesis. They seek to minimize and end competition and to control and manipulate markets, not to compete in them. Conservatives believe in adhering to the founding principles of this country but a lot of those principles are never really taught properly. The founders knew how to deal with corporations: in their day, corporations could only be founded for limited periods of time, and for a single purpose (no conglomerates). At the end of that time the corporation was dissolved and the proceeds distributed to the shareholders. If a corporation was found not to be acting in the public interest, the corporate death penalty was very real. THAT is how the founders governed corporations and monied interests, it's why the US didn't produce its first millionaire-equivalent for several decades after the founding of this nation, and frankly it's one reason the founders are quite misunderstood today: they owned houses and land that today you'd have to be extremely rich to afford and yet back then were residences and enterprises of people who were for the most part upper middle class in their society.

      The founders were also protectionists and the notion of free unfettered corporate driven trade would have been absurd to them: the British forbade the manufacture of lots of finished goods and things like fine clothing in the colonies. When George Washington was elected President the first thing he did was send his measurements to a tailor in New York, said tailor being one of the only makers of fine clothing we had at the time. He was NOT going to be sworn in wearing British-made formalwear. Two of the very first actions of the very first Congress would draw screams and temper tantrums from today's Republican leaders: they voted funds to help the poor in the nation's capital, and they put in place a framework of tariffs designed to protect American industry and encourage manufacturing of key necessary things in this country. That framework funded most of the federal government until World War I, and the tariff structure largely stayed in place until Jimmy Carter started and Ronald Reagan finished destroying it--a time period that of course coincided with serious advances in corporate power and serious declines in manufacturing and our standard of living. Isn't bi-partisan cooperation wonderful?

      When the Hoover Dam was constructed, 7 different companies