All The Federal "Privacy" Regulations Are Worse Than Useless

By now you've probably heard of the big data breach at credit reporting agency Equifax.  It apparently occurred back in July, but the details are only now coming out.  Numbers in the range of 143 million have been mentioned for how many consumers have had their personal data compromised, including their names, addresses, dates of birth, and social security numbers (aka your "personal information").  The combination of these things in association with each other is what enables the opening of a credit account in your name.

When comparably large data breaches occurred a couple of years ago at Yahoo and Target, you knew you were at risk if you did business with those companies; and if you did, you could rightfully blame yourself.  But, you say, you've never had any dealings of any kind with Equifax.  Therefore, your information cannot possibly be at risk.  Wrong.  Pretty much every bank, credit card company, mortgage lender, car finance company, or credit provider of any type shares your personal information with Equifax.  Without your permission.  Indeed, even over your specific objection.

The New York Times today has no fewer than three big articles on the Equifax breach, one on page A1, and two more on the front page of the Business Section.  The article on page A1 is headlined (in the online version) "Equifax Hack Exposes Regulatory Gaps, Leaving Consumers Vulnerable."  The theme, you will not be surprised to learn, is that the problem was caused by insufficient government regulation:

Despite the wealth of sensitive information in its databases, Equifax, in essence, falls through the regulatory cracks.  The dangers of such lax oversight became apparent on Thursday when Equifax disclosed that hackers had compromised the personal and confidential information, including Social Security numbers, of nearly half of the American population.

"Falls through the regulatory cracks"?  "Lax oversight?"  Funny, but as far as I've been able to observe over the past multiple decades, the credit reporting business has been the subject of one big federal statutory and/or regulatory initiative after another.  First there was the Consumer Credit Protection Act of 1968, followed quickly by the Fair Credit Reporting Act of 1970, which has subsequently been amended several times.  The FCRA gave regulatory jurisdiction to the Federal Trade Commission, which has issued multiple rounds of regulations.  Then there was a big statutory addition made by the Gramm-Leach-Bliley Act in 1999, followed by additional rounds of regulations from the FTC.  The Dodd-Frank Act in 2010 added yet more statutory provisions, and brought in another regulator, the Consumer Financial Protection Bureau, with its own rounds of regulations.  Are you now telling us that all these layers and layers of statutes and regulations have given us nothing but a bunch of "cracks" for our information to slip through right into the hands of the bad guys?

The problem, of course, is that all the rounds of statutes and regulations have been completely incompetent.  The chance that the next round will be any less incompetent is approximately zero.  With so many regulations the details have become mind-numbingly complex, but the bottom line is that you have no ability whatsoever to limit access to your information only to the people and companies of your choice.  Nor can you obtain any comprehensive list of who has access to your personal information or what they are doing with it.

The statute most specifically focused on the privacy of your personal information was Gramm-Leach-Bliley (GLBA).  Here is a summary of the GLBA privacy provisions from the Electronic Privacy Information Center.  GLBA is the source of the requirement for all those "privacy notices" that you get regularly from your banks and credit card companies and insurers.  Have you ever read one of them?  I'll bet the answer is no.  And you are right not to.  They all start out saying that "you have options," but then seem to exempt from the opt outs anything of any significance.  Somewhere in every one of them it will say either that we use your information to "manage our business" or "as permitted by law" or some other empty phrase that lets them do whatever they please without giving any specifics.  As an example (and not meaning to pick on them specifically) here is the relevant part of the Citibank privacy statement currently available at their website:

Citi uses the information we collect about and from you to provide services, to manage our business and to offer an enhanced, personalized online experience on our site and third-party websites.

The information we collect allows us to:

  • Recognize you when you return to our site so we can personalize your experience
  • Process applications and transactions
  • Respond to your requests
  • Recognize and provide you account related benefits and information on our sites.
  • Provide you more relevant product and service offers on our sites and in other advertising

We may also use personal information we have about you such as your email or postal address to deliver advertising to you directly or on third party websites.

Try reading that a few times and see if you can figure out where they tell you that they give your personal information to Equifax (and for that matter Experian and TransUnion).  Or where they tell you that Equifax, Experian and TransUnion in turn sell your personal information to data aggregators and brokers who then sell it to all kinds of other people and entities for all kinds of other unspecified purposes, like:

  • Governments at all levels for whatever they feel like doing with it, including snooping on you behind your back without a warrant.
  • Private investigators for whatever they do with it.
  • Law firms (my old law firm subscribed to one of these services).
  • Others?  I've demanded a complete list from my bank, from each of the three credit bureaus, from some of the data aggregators (like ChoicePoint) and others.  None will respond.

Here's another page from EPIC, this time about ChoicePoint.  Haven't heard of them?  Here's an example of what they sell:

ChoicePoint sells a wide array of information to the government, including:  Credit headers, a list of identifying information that appears at the top of a credit report. This information includes name, spouse's name, address, previous address, phone number, Social Security number, and employer.

Wait, where did they get that information to sell?  You guessed it.  If you think that a big piece of the holes in the GLBA is there to enable the government to circumvent the pesky Fourth Amendment requirements for court-approved warrants if they want to investigate you, you are now starting to catch on.  Enabling you to protect yourself against fraud is not one of their priorities.

By the way, ChoicePoint had a big data breach in 2004, and then another one in 2008.  

So is there anything you can actually do to protect yourself against misuse of your personal information?  Yes:  put a "freeze" on your credit.  If you haven't done it yet, you should do it promptly, with each of the three credit bureaus.  But don't do it online.  Try to do it online, and they will of course demand your social security number in order to proceed.  Don't give it to them.  They will promptly re-sell it.  Write them a letter.  It's some work, but it can be done.