Even as the big Equifax data breach was exploding into the news a couple of weeks ago, there was a bill that had gotten to a fairly advanced stage of the Congressional sausage-grinder, providing for a limitation of liability for the big credit bureaus in the event of such instances or other violations of the Fair Credit Reporting Act. The principal sponsor was a guy named Barry Loudermilk of the Georgia-11 (northern Atlanta) District. (Isn't that odd? He's one of Equifax's home town Congresspersons!) NBC News reports on the bill on September 11, with a headline spinning this as "Republicans" seeking to protect their big business allies. ("Republicans in Congress Want to Roll Back Regulations on Credit Bureaus"). Loudermilk is quoted as follows:
“I have seen how a small technical error, turned into a lawsuit, can affect everyone in a business, including employees, customers, and vendors. Unfortunately, suits under the Fair Credit Reporting Act have skyrocketed in recent years while leaving consumers inappropriately compensated.”
Well, I wouldn't think that Loudermilk's bill is going anyplace during the current firestorm.
Normally, you might expect the Manhattan Contrarian to have some sympathy with legislative efforts to rein in abusive lawsuits, but this one is a little different. As discussed in my first post on this subject last week, Equifax and its confrères in arrogant credit-bureaudom claim the right to collect all your most private and sensitive information and then to have no relationship with you and no responsiveness to you at all. And to sell your information to thousands of their customers without giving you any idea who those customers are, what information is being sold, or what those customers are doing with the information. And if you ask any of those questions, the credit bureaus will refuse to answer.
Loudermilk does have a point that the current structure of the FCRA is essentially useless in protecting consumers against credit bureau abuse (few can show actual damages, and $1000 statutory damages is not enough to justify any individual lawsuit), while at the same time creating perverse incentives for entrepreneurial lawyers to gin up huge class actions over minor technical violations systematically repeated over thousands or millions of customers. OK. But there must be a way to make the credit bureaus responsive to consumers in the same way as every other normal company. Not that other companies are perfect, but the credit bureaus are ridiculous. (Try googling any of the three of them and the word "reviews", and get ready for hundreds upon hundreds of scathing one-star reviews. And these are the people who purport to establish your reputation!)
There have been numerous proposals for reform, including many put forth as the issue has been in the news during the past couple of weeks. I'll discuss two: one from Bloomberg View on September 15 by an opinion columnist named Joe Nocera, headline "Equifax Should Be a Public Utility"; and the other from a guy named Jim Harper for the Cato Institute made back in 2011, title "Reputation under Regulation: The Fair Credit Reporting Act at 40 and Lessons for the Internet Privacy Debate."
Nocera seems to start out on the right foot:
[T]hey don’t care because they don’t have to. At a minimum, the government needs to create incentives that would reward the companies for accuracy, customer service, and ironclad data security.
But from there it's all downhill. How to create those incentives, Joe? His big and only idea is to go from the current model of uber-government regulation to another model of much greater, super-duper government regulation -- the "public utility" model:
[T]here is a solution that is both radical and sensible: treat the companies like public utilities. [Adam] Levitin recently wrote a blog post proposing such a plan. The credit bureaus, he wrote, have no natural right to the data they collect; they only have it because the law tolerates it. Thus, he says, “It’s quite reasonable to qualify that right with a regulatory system.” As public utilities, they would still be publicly-traded companies, but they would be overseen by a government body. . . .
It's the completely standard answer of doubling down on failed bureaucratic solutions. If dozens of pages of statute and hundreds of pages of regulations have only brought us complete failure, what makes us think that doubling or tripling the regulatory regime will make things any better?
Harper's much longer report contains a very useful history of how we got where we are in the credit reporting mess. You won't be surprised to learn -- or maybe you will be surprised -- that once the government got into heavily regulating the credit bureaus back around 1970, there followed a series of statutory amendments, one after the other, each giving the government itself more and more access to the credit bureau databases without consumer knowledge or permission for one after another seemingly laudable purpose. The end result of it all has been to turn the bureaus, in substantial part, into an arm of what Harper calls the "surveillance state," all taking place without your permission and behind your back, and without need of a search warrant or subpoena:
[I]n 1989 Congress expanded the “permissible purposes” for which a credit bureau could furnish a report by allowing federal grand juries to take a look at people’s credit files. . . . Among the 23 amendments passed since 1990, Congress has added child support obligations to credit reports, later making disclosure of credit reports to state and local child support agencies a “permissible purpose.” In 1996 Congress allowed disclosure of credit report information to the Federal Bureau of Investigation for counterintelligence purposes. After a heavy revamp of the law’s provisions in 1996, Congress in 1997 allowed the use of credit reports for investigations of people related to security clearances . . . . Terrorism opened credit bureaus’ files to the government yet further. In the USA-PATRIOT Act, Congress allowed the release to government officials of consumer reports “and all other information in a consumer’s file” for counterterrorism purposes. . . . In 2006 Congress made it a “permissible purpose” to provide a consumer report to the Federal Deposit Insurance Corporation or the National Credit Union Administration as part of their preparation for appointment as conservator, receiver, or liquidating agent for depository institutions or credit unions. And in 2007 Congress made it a permissible purpose to provide a consumer report to a government agency in connection with the issuance of government-sponsored, individually billed travel charge cards. . . .
You get the picture. The fact is that far and away the entity most to be feared for potential misuse of your private information is the government itself, and giving it more regulatory authority only makes that problem worse, not better.
Harper's proposed solution? He doesn't give a lot of details, but the gist consists of three points: (1) repeal the FCRA in its entirety, (2) declare in a one-line statute that consumer data reported to a credit bureau is held in "a confidential trust for the benefit of the consumer," and (3) let the common law take it from there.
Under this regime, if the credit bureaus want to use your information, they would either need to get your permission, or alternatively pay you (in some form) to allow them to use it. In the case of credit reporting, you would very likely give your permission, because you would need to have credit bureau reporting in order to obtain credit. For other uses, the experience with companies like Google and Facebook shows that most people will gladly give up plenty of personal information in return for nominal and often non-monetary consideration like free use of a website. Others (like yours truly) aren't so glad to do this, so they'd have to pay me more, or maybe they couldn't use my information for other purposes. Too bad for them. What about this doesn't work?