Over at Credit Slips, law prof Adam Levitin has written Equifax: A Call for Public Utility Regulation of Consumer Reporting Agencies. It's a comprehensive and interesting post, and it's worth reading the whole thing. He starts by explaining the hacking of Equifax in plain terms — what it was (for instance, how it is different from the Target hack) and the harm it can impose on consumers. Then he moves on to the heart of his argument, in which he maintains (in the part I've italicized below) that post-breach lawsuits will never solve the problem. He argues that credit reporting agencies should be regulated as public utilities (the part in bold):
Let’s start with this. We’re not going to get rid of hacking. We can enact a Bloody Code or the like, but it’s not going to stop hacking, especially as it can increasingly be done internationally. Instead, we need a system that incentivizes CRAs to take the appropriate level of care. That means that the CRAs need to “internalize” the costs of the externalities that are produced when they are hacked as they are the “least cost avoider” of the hacking. How can we do that? Let me start with what I think won’t work: an ex post liability regime. There have been calls to increase CRAs’ liability for breaches and/or inaccurate consumer files. I’m all for that, but I don’t think an ex post liability regime will ever be enough to sufficiently change CRA behavior, especially as a host of procedural problems will continue to bedevil consumer litigation. There will never be complete cost internalization by CRAs even with a much stronger ex post liability regime. Instead, I think we need to consider moving to a public utility regulation regime for CRAs. What I have in mind is a system in which the CRAs’ ability to pay dividends to shareholders and to dole out executive compensation would be restricted and tied to their meeting various performance standards relating to consumer file accuracy, dispute resolution, and data security.
Levitin then goes on to discuss a couple of "small ball" legislative fixes to be enacted before there's the political will to do the full-scale regulation that he'd like to see:
[First,] just as consumers have a statutory right to a free annual credit report, they should also have a right to place credit freezes on their accounts for free. State law in a number of states regulates credit freeze fees, but allows fees to be charged. That’s ridiculous. Freezes should be free in all circumstances. Second, federal law really ought to require that all consumer data be stored and transmitted solely in encrypted formats. That should be a no-brainer.
I had the same thought about Levitin's first "small ball" fix. Right after the Equifax hack, I looked up the "free" credit monitoring being offered in its wake and learned that if you choose to do the thing most highly recommended — a credit freeze — you will have to pay to freeze the account and pay again when you unfreeze the account and then presumably again when you re-freeze the account. (As I understand it, a consumer would need to unfreeze the account whenever she wanted to apply for credit.) That's nuts.