Wharton's David Zaring and Michigan State's Lisa D. Cook discuss the Equifax settlement.

The Equifax settlement, struck last week between the credit reporting firm and federal regulators over a massive data breach in 2017, has triggered calls for stronger legislation and regulatory restraints to protect consumers. The breach affected approximately 147 million people, compromising their names, addresses, dates of birth and Social Security numbers.

Experts at Wharton and Michigan State University called for a more consistent legislative and regulatory approach to preventing and managing data breaches, instead of isolated responses after each hacking scandal. They also warned that regulators have to strengthen their enforcement tools as digital technology-driven nonbanking financial institutions, or shadow banks, become more prominent. In just the latest example of a large-scale hack, a Seattle software engineer was arrested July 29, accused of gaining access earlier this year to the personal information of more than 100 million Capital One customers.

The highly concentrated, three-firm credit reporting industry — Equifax, Experian and TransUnion — has a “broken system,” members of Congress said in a hearing on the Equifax breach earlier this year as they proposed reforms in how the companies handle customer information.

The Equifax settlement calls for the credit reporting firm to pay at least $575 million, and potentially up to $700 million. The settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories, stems from allegations that Equifax failed “to take reasonable steps to secure its network,” leading to a data breach in 2017. In addition to compensating affected consumers, the Equifax settlement requires it to strengthen and monitor its security safeguards.

The challenges go beyond consumer data privacy and in fact strike at the very roots of the financial system, and the economy at large, according to Lisa D. Cook, professor of economics at Michigan State University. Consumer credit rating firms like Equifax ascertain the creditworthiness of borrowers, and banks use the credit scores they assign to make lending decisions, which in turn helps make the financial system productive, she explained.

Thus, with security breaches at credit bureaus, “something that fundamental is being compromised,” Cook continued. “If we can’t trust [credit bureaus], we can’t have an economy that functions well, making [sure] markets work properly, that people are able to buy and save as they need to and that businesses get funded as they need to.” She saw a clear role for the Consumer Financial Protection Bureau to help usher in a stronger regulatory framework.

Wharton professor of legal studies and business ethics David Zaring did not see the U.S. regulatory approach as robust enough to meet the privacy protections credit bureaus must provide. “It has been put together with a patchwork of regulations,” he said. “Regulators don’t always care as much about privacy until something truly terrible has happened. They don’t punish privacy violations systematically. Instead, they seem sometimes like they’re chasing the headlines or the disasters.” He stressed that Congress must step in with laws since the challenges are too huge for technology companies or regulators to deal with in the prevailing regulatory regime.

Zaring suggested the U.S. could take inspiration from the European Union, which he said has proactively enacted strict regulatory checks to ensure consumer data privacy. He did note that in recent times, U.S. regulators have been imposing increasingly stiff penalties on offenders, such as the latest $5 billion settlement with Facebook.

Zaring said the Equifax breach highlights the need for “some federal privacy legislation that would set forth what we expect from these companies and hold them accountable for the many failures in this area.” He added that the FTC needs guidance from Congress “as to what the privacy values it is supposed to protect should be.”

Cook and Zaring discussed the takeaways from the Equifax settlement for legislators and Congress in providing the requisite consumer protections on the Knowledge at Wharton radio show on SiriusXM.

New Solutions for the Digital Era

The digital era has brought new players such as Amazon Loans, Google Wallet and Facebook’s Libra cryptocurrency — and therefore created newer demands on regulators, Zaring said. Those demands will become tougher as more and more nonbanking firms begin to accumulate large amounts of consumer financial data, he added.

The entry into the financial system of tech companies and fintechs raises questions about the risks that shadow banking brings, said Cook. (Shadow banks provide financial services similar to those of traditional commercial banks, but they typically operate outside of regulatory supervision.) Much depends on the checks and balances regulators are able to bring to that sector, and they would face “tremendous pressure” from the likes of Facebook to allow digital currencies and related financial components, she added.

Cook pointed to the recent spate of ransomware attacks on city governments as another wakeup call. “Think about the cities that have been held hostage because of cyber security breaches and the ransom they were asked to pay, and they ultimately had to pay,” she said. “Governments can’t function, and the markets can’t function if we don’t do more with respect to legislation, and if we allow Equifax and others to continue to be bad actors.” A New York Times report on a recent ransomware attack on Lake City, Fla., with a demand of $460,000 said “cyber attackers have found a ripe target: small governments with weak computer protections and strong insurance policies.”

In fact, cyber security is becoming increasingly important in practically every domain, Cook said, pointing to the latest warning from former FBI director Robert Mueller that Russia has been hacking U.S. elections and will continue to do so. Mueller was appointed as special counsel in part to investigate allegations of Russian interference in the 2016 presidential election.

Boosting Internal Risk Management

Stronger internal risk management processes at financial institutions, including credit bureaus and nonbanking firms, are also important, Cook said. She noted with dismay that the Equifax breach went undetected for six weeks. The Equifax breach occurred between May and July 2017, after failed attempts to fix a software flaw that Cisco had flagged in March of that year, according to a Wall Street Journal report that reconstructed the sequence of events.

Cook would like to see “some sort of uniform standard” for how long it should take to detect a breach. “Six weeks seems like a very long time.” The sequence of events is disconcerting: on March 8, 2017, Cisco reported that hackers had found a flaw in software Equifax used; Equifax detected the data breach on July 29, but disclosed it only on September 7.

Cook wondered if two weeks might be a reasonable time period for a breach to be reported to the U.S. government, the Federal Bureau of Investigation, the CFPB, the FTC and, most importantly, consumers. Legislators and regulators must recognize that the fallout of a breach at Equifax might spill over to other credit bureaus such as TransUnion, she said, and called for comprehensive legislation that covers those wider risks.

Zaring said Equifax came up short on three fronts. Two of those are flaws in its internal controls and data storage practices, he added. Equifax had been storing data on consumers who hadn’t interacted with it “in plain text and no encryption,” which gave easier access to the hackers.

The software glitch Cisco flagged allowed hackers to redirect consumer data from Equifax’s servers to another server they had set up. “It was the digital equivalent of popping open a side window to sneak into a building,” according to the Wall Street Journal report cited earlier.

The Equifax breach also indicates a leadership problem, since human error was involved, said Cook. “You can have all of the structures in place that you want, but if people aren’t following the protocols or don’t believe in the protocols, that certainly needs to change.”

Longer-term Reforms

Zaring and Cook weighed other longer-term responses that could help prevent similar data breaches. “The credit rating agencies got everything wrong during the [2008] financial crisis and people talked about reforming them,” said Zaring. “Maybe we need a government credit rating agency; maybe we need to create some competitors. Ten years [after the 2008 crisis], we have the same big three credit rating agencies.” Companies also must consider having cyber experts on their boards, he added.

Cook worried about the prospect of entities like Facebook getting into the credit reporting space. “I’m not sure I would want Facebook and other such entities to be providers of my credit information; they know everything about me,” she said. “You want to have some ambiguity; you don’t want to be so transparent that you’d never be able to get credit, and you want to make sure that the right things are being calculated.”

Cook recalled that while working as an advisor to policymakers during the Obama Administration, she advocated for utility bills to be included in calculating credit scores, because “that gives a consistent view of how people spend their money.” She also wanted economists to be consulted on what types of information would be best used for calculating a credit score. “Some company that follows you on social media and follows all of your transactions might [have] perfect information, but it’s the biggest invasion of privacy,” she added.

Managing Consumer Impact

Although the FTC has provided a tool to help consumers check if they were affected by the breach and the compensation they could potentially get, “typically, the claims don’t come forward,” said Cook. “People will look at this and say this is a big amorphous mass; it’s ambiguous.”

However, those consumer attitudes may be changing, especially “given the backlash by Democratic senators and given the mood in the country with respect to violations of privacy,” Cook said. “We need bigger fines. We need more systematic enforcement. We need intervention by Congress to put this on the priority list.”

Under the settlement, Equifax is offering options for free credit monitoring, identity theft insurance and cash payments of up to $20,000 for each consumer who may have been affected by the breach, covering financial losses or expenses they incurred as a result, including fees for attorneys, accountants and the like. Consumers could also claim $25 an hour for up to 20 hours they spent dealing with the breach.

Cook said the $20,000 cap on compensation may fall short of the losses incurred by individuals who had to pay more for their home mortgage or student debt. Further, the deadline of January 22, 2020 for consumers to file claims is too short, Cook said. Many people may be on vacation now, and a deadline of just a few months away is not reasonable, she argued.

“That’s all very nice,” but not too many consumers may invest the time and energy in filing claims, said Zaring. “In the end, the balance sheet hit that Equifax will take from this settlement won’t be as big as [provided for].”