Do you know what credit agencies do?
They collect your personal information from banks, mortgage servicers, debt collectors, and other credit providers aggregate it and then sell it to potential lenders in the form of a credit report and a FICO score.
They also get hacked.
The History of the Equifax Hack
Here’s the timeline:
March 2017: Equifax discovers it has been hacked by way of a flaw in its website. The flaw was discovered but not patched.
July 2017: Equifax discovers that it has again been hacked and the hackers came in by the same entrance. This time the data of approximately 143 million U.S. consumers (plus some Canadians and Brits) was compromised. In this context, the word “compromised” means stolen. The data stolen included: names, Social Security numbers, birth dates, addresses, driver’s license numbers and credit card details.
August 2017: Three Equifax senior executives (John Gamble, Joseph Loughran, and Rodolfo Ploder), sold almost $2 million of Equifax stock
September 2017: Equifax sends out a press release announcing the hack. Equifax stock falls by about 19%.
September 2017: Equifax is almost immediately hit by a class-action lawsuit to the tune of $70 billion, alleging that Equifax was negligent, failing to protect consumer data and choosing to save money instead of spending on technical safeguards that could have stopped the attack.
November 2017: Reported on CNN, Equifax announce that an internal probe which reviewed 55,000 messages, emails and documents found no evidence that the three Equifax executives knew about the hack when they sold their stock. (Note that it is logically impossible to prove someone did not know something).
The GDPR Angle
Most likely some of your personal data is for sale on the dark web. Dark web data brokers sell data on behalf of hackers to those who wish to buy it. If that is the case, then you are more likely to suffer from some form of identity theft than someone whose data has not yet been stolen. The rate of personal data theft, particularly of US citizens is high and likely to remain so until the US government does something to protect its citizens’ data.
By contrast, the rate of personal data theft in the EU is likely to collapse to very low levels because of GDPR.
Here’s what would be different:
- Consent: Equifax would not have been able to hold your data unless you had given consent to that, and as far as I can tell, no credit agency ever asked any citizen of any country for consent to hold (and exploit) their data.
- Reporting: Under GDPR you have 72 hours to report a data breach. Waiting a month is out of the question. Obviously, 72 hours gives you very little time for selling your stock, but if you’re nifty, you can probably pull it off.
- The Fine: Most likely, for the severe dereliction of its data privacy responsibilities, Equifax would have been fined 4% of its annual revenues ~ roughly $136 million.
But that high-profile hack is not the only data protection issue here. The credit reporting industry is not particularly accurate in the services it provides. There is an unconscionable number of errors in the credit reports it provides (see Report to Congress Under Section 319 of the Fair and Accurate Credit Transactions Act of 2003 ) and this directly harms millions of citizens. According to the report over one in five consumers has a “potentially material error” in their credit file which accords them a lower credit rating than they deserve. They thus suffer less favorable terms, higher interest rates or outright denial of credit.
And if your credit rating is wrong, it is notoriously difficult to get it changed. The ability to get inaccurate data changed is a data right under GDPR.
The Case of the Puzzling Puts
In March 2018, a former Equifax executive, Jun Ying, was charged with insider trading, allegedly for selling shares before the company revealed a massive data breach. Strangely, Mr. Ying’s stock sales were never included in earlier stories. Mr. Ying, the former CIO of an Equifax business unit, sold almost $1m worth of Equifax stock after learning of the catastrophe. It may be “plausible” to deny that, as a senior executive of Equifax, you didn’t know of a data breach, but as a CIO, it’s just isn’t. No doubt Mr Ying is the obligatory scapegoat in this blame game.
Anyone who has followed this news story in detail knows that lipstick is being liberally applied to one very ugly pig. It seems wasn’t just company executives selling their stock. There were others.
In fact, there was a highly unusual level of trading in Equifax put options in mid-August which generated millions of dollars in profit once Equifax announced the hack. August 21st onwards, 17 days before Equifax confessed its sins, 260 Equifax put options were purchased giving the owner the right to sell 260,000 shares of Equifax at $135 in September. They cost between 60 to 70 cents each and may have made the owner up to $4.2 million.
Why Don’t We Have Data Rights Like That?
Now, in the simple GDPR commentary above you may have been asking yourself: Why don’t we have data rights like that. If so, I’m on your team. If you’re American there are only two ways that can happen.
- One way is by accident of birth. If you are the child or grandchild of a citizen of Ireland, Italy or Greece, then you only need to apply to become a citizen of those countries and hence the EU. With Hungary, even great-grandchildren are included. With Germany, it’s only children. Anyway, check it out if you think you qualify. Get your EU citizenship and get data rights as a side-effect.
- The only other way is to do what you can to wake America up to this issue. Join a movement to establish US data rights and get active.