Skip to main content

Equifax’s Maddening Unaccountability

Last week, Americans woke up to news of yet another mass breach of their personal data. The consumer credit reporting agency Equifax revealed that as many as 143 million Americans’ Social Security numbers, dates of birth, names and addresses may have been stolen from its files — just the kind of information that allows for identity theft and other cybercrimes.

.,Brendan Mcdermid/Reuters // New York Times
I don’t know about you, but I’ve lost count of the number of times in recent years that I’ve been informed by a corporation of such a breach. “We regret to inform you ….” I don’t doubt that companies regret these things, but I don’t think they care that much either. To them it means just a few days of bad press and at most a fine that amounts to a minuscule portion of their profits. With penalties like that, why would companies bother to make things better?
There are technical factors that explain why cybersecurity is so weak, but the underlying reason is political, and it’s pretty simple: Big corporations have poured large amounts of money into our political system, helping to create a regulatory environment in which consumers shoulder more and more of the risk, and companies less and less.
This is a general feature of our lopsided world, but software businesses (and the technology sides of other companies) have acquired perhaps the greatest degree of impunity. Information technology arrived on the scene only recently, so it has faced fewer of the kinds of regulations that consumers and citizens, in more progressive eras, managed to impose on other industries.
Today, almost every piece of software comes with a disclaimer on its user license that basically says that the product may not work as intended and that its maker may stop supporting it at any time, and that’s the user’s problem. It’s a wonder companies don’t insert “nyah nyah nyah nyah” into the tiny-print legalese.
Don’t get me wrong: I’m a former programmer; I’m not unsympathetic to the needs of software developers. Some number of unexpected errors — bugs — are unavoidable in computer programs. It would be unreasonable to allow a consumer to sue a software company every time a program suffered a glitch.
But the situation was different when the industry was younger and wasn’t rolling in billions of dollars, as it is now. Most software failures and data breaches aren’t inevitable; they are a result of neglect and underinvestment in product reliability and security.
No software system can be free from bugs (or intruders), and users must be mindful of the risks. But the inherent lack of perfect automotive safety doesn’t mean we don’t try to make cars safer. Obviously, people should drive more carefully, but seatbelts, airbags and better car design reduce injury enormously, and that has been great for the industry as well as consumers. The software industry should be no different.
Perhaps the most maddening part of the Equifax breach is that the credit-rating industry is itself unforgiving in its approach to even the smallest error. I’m still dealing with the damage to my credit rating that resulted when I forgot to return a library book and a collection agency was called in (for a paltry sum). The Equifax executives who let my data be stolen will probably suffer fewer consequences than I will for an overdue library book. Even if they do get fired, it is likely that they will be sent off with millions of dollars in severance, which is common practice for executives. (I would like to note that I am available for such punishment any time.)
I’ve taught at a wide range of universities. I’ve found that institutions serving less-advantaged students tend to have less-forgiving policies for late papers, missed exams, casual drug use and so forth, whereas more elite institutions tend to be more forgiving. All young people deserve compassion, second chances and flexibility — but the poorer ones even more so, since they have fewer resources with which to combat adversity when it strikes. Yet the reality is the opposite.
Along with news of the breach came reports that three Equifax executives sold $2 million worth of stock shortly after the breach was discovered in July. In their defense, Equifax said that the executives were not aware of the breach — and that the amount was only “a small percentage of their Equifax shares.” It’s almost as if the company is saying: Come on, would we engage in insider trading for a mere $2 million?
As long as impunity for corporations and their executives is the norm, data breaches will continue to happen. What should you do? It’s easy: Just make sure to change your name, Social Security number and home address regularly — and don’t go crying if you neglect to do that and suffer the consequences of your actions. It’s not as if you’re are a rich executive.
[Zeynep Tufekci (@zeynep), an associate professor at the School of Information and Library Science at the University of North Carolina; she is the author of “Twitter and Tear Gas: The Power and Fragility of Networked Protest” (Yale University Press) and a contributing opinion writer.]