Bryce Covert says that it’s time to “Get Rid of Equifax“:
Why should we continue to allow private companies to make money from us while ignoring our needs? Let’s nationalize Equifax and the other two major credit reporting companies, Experian and TransUnion. We could follow other countries’ example and hand the duty of tracking our financial histories over to a public registry instead of a private profiteer.
Look — I don’t have the ultimate solution to data breaches; I just know that giving the U.S. government exclusive control of our financial data is not it. On the contrary, the U.S. government “sucks at cybersecurity,” as my former Mercatus colleague Andrea O’Sullivan once put it. Despite pouring tens of billions of dollars into cybersecurity, the total number of Federal information security incidents continues to climb:
O’Sullivan and Eli Dourado attribute the incompetence of the U.S. government to structural factors within bureaucracies:
The federal government’s continued failures to secure its own information networks indicate a fundamentally flawed approach to cybersecurity. Sweeping technocratic solutions are iteratively imposed every few years with little-to-no understanding or continuity with previous policies. Abstract consistencies in top-down planning break down on the human level as personnel struggle to make sense of redundancies and eventually ignore complex reporting and procedural standards. Fundamental issues of talent recruitment and personnel training go relatively unaddressed as offices struggle to keep up with the changing security checklists, which may or may not actually translate to good cybersecurity outcomes.
Equifax’s failure was not due to the profit motive, but rather because it, as a large corporate incumbent, took on a degree of bureaucratic sclerosis and opacity itself. Yet unlike a federal agency, Equifax can rearrange its internal operations with limited political controversy, up to and including being supplanted by a competitor. Indeed, for all the errors Equifax made leading up to its hack—from hosting an encryption key on the same server as the encrypted data, to failing to patch a known vulnerability—it will be made to suffer for its mistake. Already, Equifax has lost roughly $6 billion in market value, a third of its total market cap, and is facing at least 23 class action lawsuits. In turn, the crediting monitoring industry as a whole will become stronger through feedback mechanisms, include profit and loss, that the U.S. federal government simply lacks.
Large, centralized databases will always be vulnerable to attack. For the companies charged with protecting our data to succeed, they must be allowed to fail.