When the credit-reporting agency Equifax announced this month that hackers had accessed the accounts of 143 million of its customers — over 40 percent of the population of the United States — it was another example of how little power consumers have over their own money and personal information. Indeed, it unfolded in a familiar way: Equifax isn’t communicating with its customers, and no one can make it.
Customers whose data was exposed have faced the same fruitless, bureaucratic responses that people face when they try to get errors on their credit reports fixed. The company has been unresponsive; many customers say they have no way to get through to representatives. There’s not even a serviceable customer service infrastructure in place. How can any company answer the phone calls of millions of people? “Ma’am … 143 million people were affected by this so you are going to have to be more patient,” one Equifax rep reportedly told an exasperated client. Most aren’t even trying. Only 15 million people, a fraction of the customer base, even tried to visit the company’s website after the hack, according to its chief executive, Richard Smith.
No wonder. To be an American consumer these days is to have become numb to signing away your rights so you can buy products and services. If you want to use a smartphone, you have to agree to give your privacy to the company that makes it, and to your Internet provider, which can see every website you visit. If you want to use email, you agree that the provider can scan your messages for certain words to sell ads. And when you sign up for financial services, you give away your rights to negotiate how your money is used or how your information is protected. The people whose Social Security numbers Equifax lost had no say in how the company acquired, uses or guards their financial information.
The hack only exposed the truth about how most of us interact with big corporations these days: All the power is in their hands. Customers sometimes aren’t even aware they’re customers until something has gone wrong. Every financial contract involving consumers is standardized to prevent negotiation. Every financial contract involving wealthy individuals or companies, on the other hand, is highly tailored to personal concerns. The terms of the contracts for regular people are consistently asymmetrical: they favor the company, and never the consumer.
Consumers might be forgiven for believing that’s just the way things are, but it doesn’t have to be. Banks and other financial firms regularly negotiate contracts — as long as they’re with other banks, big businesses or rich people. Many companies avoid bankruptcy by simply asking their banks for better terms or lower interest rates. They refinance easily, because their bankruptcies would be costly to the banks. Consumers, on the other hand, can’t renegotiate with Equifax; they frequently face trouble even getting problems fixed or reaching the company.
In the financial crisis of 2007 to 2009, many commercial real estate firms that were dangerously indebted avoided an industry-wide collapse by simply asking their banks for better terms. When consumers try to ask for leeway in loans or real estate, what happens? We saw it then: They’re forced into default or foreclosure. Banks simply will not negotiate with anyone whose pockets aren’t deep. The Consumer Financial Protection Bureau was created for just this kind of problem, but it has been so defanged that it’s almost as if it doesn’t exist at all. It introduced a rule this summer to allow consumers to pursue class-action lawsuits against financial firms; that was repealed within weeks by Congress.
Our financial system is currently set up so that consumers who have any dealings with money — which is everyone — are on the turf of major financial firms, and the firms set the rules unilaterally.
Instead of capitalism based on democratic principles of trade, it’s more of a feudal system: The land is owned by the banking class and anyone using it has to pay the owners. The “land,” in this case, is the entire U.S. financial system of banking and credit, as banks and financial firms like Equifax have made themselves successful intermediaries in nearly all transactions, from simple salary payments (hello, direct deposit) to renting an apartment (try doing that without having a credit score on file.) While consumers remain accountable to financial firms — that late rent payment is on your credit report — financial firms are not at all accountable the other way around. They do business as they like, as Equifax shows. Because their more profitable customers are other financial firms, and those firms don’t care if you have to spend an hour or two on the phone cleaning up Equifax’s mess.
That’s an inefficient way for a financial system to function, and it makes financial and tech firms extraordinarily lazy: If they judge customers as just more “churn,” then they will never upgrade their services or their technology — which, indeed, is the dire, sloppy situation we find ourselves in now.
The Equifax hack brings the essential unfairness of this system into high relief. Reports from news outlets including Bloomberg suggest that Equifax knew about another breach as far back as March, in addition to the May attack, which the company knew about in July and revealed only this month. Two weeks before customers were told anything, two top Equifax executives sold millions of dollars in company stock. The stock has dived 37 percent since the company disclosed the hacking on Sept. 7. In the time before the public announcement, Equifax also had enough time to create a website, equifaxsecurity2017.com. (Although, as Gizmodo reported Wednesday, they also started directing people to a fake version of the site, apparently by accident.) All of this indicated plenty of time to prepare.
Yet it took months for Equifax to tell its customers that their financial information was severely compromised. When it did, the company’s solution — asking consumers to type in their Social Security numbers online to see if they were affected — was quickly revealed to be a sham that returned the same result for everyone. Equifax has nearly entirely ignored customers who applied for credit freezes or tried to reach the company, according to comments left on the Federal Trade Commission website. After hours on the phone, one frustrated customer complained to a personal finance columnist that Equifax’s outsourced customer service told him to “go back to the website and call the number you just called.”
This reveals another major problem rife among technological and financial businesses that expect consumers to sign away their rights: They don’t provide responsive technology to answer questions or protect consumers’ data.
In nearly all cases of major financial hacks, for instance, sloppy patching of software vulnerabilities has been an issue. Equifax learned about some of the vulnerability in its system through Cisco, and believed it had patched it, but hadn’t. In 2015, hackers gained access to a huge mutual fund’s accounts because of a sloppy patch for the Heartbleed bug. Hackers know this and are increasing their attacks on financial firms of all sizes, looking for a way into customer information that can then be sold for profit on the dark web.
At the same time, financial companies are chasing the false economies of technology: Financial companies often turn to technology to “lower costs,” which means reducing human salaries. What they don’t realize is that good tech also costs money: regular upgrades, diagnosing vulnerabilities and staying ahead of hackers. If financial companies control or move trillions in assets and can’t protect them, they’re not actually improving on the old models. They’re no better than regular bank branches with the vault doors left wide open.
If any use can be made of the Equifax hack, it’s this: It’s time to throw out the consumer-unfriendly contracts of tech and financial firms and replace them with provisions that take customer complaints seriously and allow them to negotiate with a company.
That includes allowing customers to sue companies outright; writing contracts in plain English that allow people to understand what they’re getting into; and providing clear written rules on prices of different financial and technological services for easy comparison. For extra credit, all financial firms should be required to disclose major hacks within two weeks of learning about them — not waiting several months, as has often been the case.
There is zero chance that financial firms will do this on their own. As a recent working paper from the OECD notes, “people often make errors when choosing and using financial products, and can suffer considerable losses as a result …. Market forces left to themselves will often not work to reduce these mistakes, so regulation may be needed.”
So far, the Equifax hack has attracted legislative attention, long overdue. Sens. Elizabeth Warren (D-Mass.) and Brian Schatz (D-Hawaii) have introduced legislation — the FREE Act — that would force credit-reporting firms to stop charging consumers to freeze their credit. The Department of Justice, the FTC and several states have opened their own investigations. This attention is important, but investigations have a way of dragging on or fading out. The pressure needs to be sustained to be effective in really restoring consumer rights.
“Never waste a crisis,” the saying goes. It’s past time for financial firms like Equifax to use the moment to finally acknowledge that consumers deserve to know more about — and be able to control — their own information.