Equifax breach and how credit agencies must change how they manage data

The Equifax settlement, struck last week between the credit reporting firm and federal regulators over a massive data breach in 2017, has triggered calls for stronger legislation and regulatory restraints to protect consumers. The breach affected approximately 147 million people, compromising their names, addresses, dates of birth, and Social Security numbers.

[Figure: cartoon of a person running across a screen of 0s and 1s with an armful of numbers, depicting online data theft.] After a massive data breach in 2017, the Equifax settlement with the FTC, the Consumer Financial Protection Bureau and 50 U.S. states and territories calls for the firm to pay up to $700 million in damages.

Experts are calling for a more consistent legislative and regulatory approach to preventing and managing data breaches, instead of isolated responses after each hacking scandal. They also warn that regulators have to strengthen their enforcement tools as digital technology-driven nonbanking financial institutions, or shadow banks, become more prominent. In just the latest example of a large-scale hack, a Seattle software engineer was arrested July 29, accused of gaining access earlier this year to the personal information of more than 100 million Capital One customers.

The Equifax settlement calls for the credit reporting firm to pay at least $575 million, and potentially up to $700 million. The settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories, stems from allegations that Equifax failed “to take reasonable steps to secure its network,” leading to a data breach in 2017. In addition to compensating affected consumers, the Equifax settlement requires it to strengthen and monitor its security safeguards.

Wharton professor of legal studies and business ethics David Zaring does not see the U.S. regulatory approach as robust enough to meet the privacy protections credit bureaus must provide. “It has been put together with a patchwork of regulations,” he says. “Regulators don’t always care as much about privacy until something truly terrible has happened. They don’t punish privacy violations systematically. Instead, they seem sometimes like they’re chasing the headlines or the disasters.” He stresses that Congress must step in with laws since the challenges are too huge for technology companies or regulators to deal with in the prevailing regulatory regime.

Read more at Knowledge@Wharton.