Two great pieces in the New York Times on the Equifax hack, which I will continue to post about so that none of you forget that they just lost 143 million Social Security numbers.
If a bank lost everyone’s money, regulators might try to shut down the bank. If an accounting firm kept shoddy books, its licenses to practice accounting could be revoked. (See how Texas pulled Arthur Andersen’s license after the Enron debacle.)
So if a data-storage credit agency loses pretty much everyone’s data, why should it be allowed to store anyone’s data any longer?
Here’s one troubling reason: Because even after one of the gravest breaches in history, no one is really in a position to stop Equifax from continuing to do business as usual. And the problem is bigger than Equifax: We really have no good way, in public policy, to exact some existential punishment on companies that fail to safeguard our data. There will be hacks — and afterward, there will be more.
Perhaps the most maddening part of the Equifax breach is that the credit-rating industry is itself unforgiving in its approach to even the smallest error. I’m still dealing with the damage to my credit rating that resulted when I forgot to return a library book and a collection agency was called in (for a paltry sum). The Equifax executives who let my data be stolen will probably suffer fewer consequences than I will for an overdue library book. Even if they do get fired, it is likely that they will be sent off with millions of dollars in severance, which is common practice for executives. (I would like to note that I am available for such punishment any time.)
I don’t think Equifax’s executives should be nailed to the underside of their cars by their toenails and driven through the Arizona desert landscape or anything, but there has to be some accountability here. As soon as possible, there should simply be no choice but to comply with security standards that I bet most people would assume are standard practice.