The Equifax Breach and Regulation

Washington, D.C.’s intuitive reaction when something goes wrong is to regulate. But what if the thing that went wrong was caused by regulation?

“Caused” is a lot to claim, and there isn’t going to be just one cause of the major breach of consumer data that we learned about at credit reporting agency Equifax this week. But there are important ways that regulation may have contributed to it. The Fair Credit Reporting Act (FCRA) has certainly helped produce a weaker credit reporting system than the United States would otherwise have.

Congress passed the Fair Credit Reporting Act more than forty-five years ago to comprehensively regulate the business of credit reporting. If you hold regulation to a certain standard, you might expect problems with credit reporting to be largely solved.

But as I reported in a 2011 Cato Institute study, some things got better, some things got worse, and some new problems emerged. Four decades of regulation under the FCRA did not achieve Congress’s goals, and dissatisfaction with the credit reporting industry continues apace.

The FCRA structured the credit reporting industry we have today and the incentives that industry follows. The industry is cartelized, with little competition or innovation. By raising costs, the law has helped the three major credit bureaus successfully fend off Silicon Valley’s efforts to disintermediate credit reporting.

But more importantly, when credit bureaus do things that harm consumers, the FCRA insulates them from common law liability. Because the FCRA preempted state common law, consumers have fewer rights to sue, such as for defamation when credit bureaus disseminate inaccurate, derogatory information about consumers. (Read about the law as it was developing at the time in my study.)

Firms that hold sensitive data probably should be liable when their negligent release of it causes legally recognized harm. But because of FCRA immunity, Equifax hasn’t lived with that powerful incentive. It probably hasn’t taken the care it should to protect consumers from the harms that may arise from breach of data about them. That’s a likely contributor to the breach and greater risk of breach across the credit reporting industry. The credit reporting industry has developed an adept lobby in Washington, D.C., to contain things when events like this occur.

Credit reporting involves deep complexities, including identification issues, contested notions of relevance, and the surprisingly difficult problem of arriving at “fairness.” Government regulation of credit reporting has not effectively solved these problems or reconciled the conflicting values that drive them. The Fair Credit Reporting Act has likely protected the credit reporting industry from competition, denying consumers the benefits of innovation.

When the Fair Credit Reporting Act preempted state common law remedies against credit bureaus, it foreclosed an option that may have resulted in better protection for consumers and better results for the economy and society. Because Congress imposed a national credit reporting rule, we cannot know how this industry might have developed had it been left free to experiment, subject to simple rules against harming consumers.

If there is a lesson from the Equifax breach, it is that Congress should deregulate the credit reporting industry and withdraw the immunity that it gave to credit bureaus. When companies are spurred by competition, credit reporting will improve and consumers will benefit financially. When credit reporters know that they will have to pay out for any harms they cause consumers, their efforts to protect consumers will increase.

In the Equifax breach, regulation is a likely contributor to the problem. It is probably not a good solution.