Equifax Security Breach - Execs Sell Stock...

[old goat]

In this case, probably nil. When settlements are reached, they're pennies on the dollar and usually rely on a direct link between the compromise and any financial loss. I think the biggest risk here is from fraudulent accounts being opened, not from bad guys using an existing payment account. That's probably too indirect for financial institutions to lay it completely at the feet of equifax in any kind of meaningful class action, but who knows? These class action lawsuits will (minimally) benefit impacted consumers.

I don't know anything about these "anti fraud guarantees," but they sound pretty cool. Tell me more.

Good points. Hard to prove where an unidentified hacker got your SSN--especially as the number of breaches increase. OTOH juries may not be very sympathetic to the credit report agencies, assuming a judge lets a jury decide. Best (slim) hope would be for Congress to pass a law mandating large fines for security breaches and for failure to correct erroneous credit report info, larger fines for delay or failure to disclose breaches, proportional to the seriousness and size of the breach (bank PIN numbers and passwords being the highest fines), money to go into a fund to compensate victims. The Equifax case should be worth a few billion, at least. Of course the lobbyists will see to it that nothing happens.
I suspect that as time goes on we will all have ID theft insurance, like we all have auto and homeowner's (but not flood apparently).

[old goat]

Good luck suing a major corporation on your own.

If the damages are enough a big litigating firm will take on a case like that for a hefty percentage. Especially if there is a precedent of a successful class action suit or other individual suits. Once the first domino falls settlements become the norm. Plenty of individuals have successfully sued big companies over asbestos for example.

The alternative is to be a plaintiff in a class action lawsuit and get a trivial amount.

There is precedent for compensation funds--the vaccine "victims" fund being an example.

[PNWbrit]

If the damages are enough a big litigating firm will take on a case like that for a hefty percentage. Especially if there is a precedent of a successful class action suit or other individual suits.

Oh really?

Explain this more to me...

[mecc69]

For who? Fight club scenarios notwithstanding, a good credit score is a consumer asset.

Speaking from the perspective of a financial institution who uses credit scores to price assets, lower scores (among other things) mean we price higher. More lower scores shifts where we compete, perhaps, so institutions who are more competitive in subprime lending will do better. We track net yield within credit score ranges, though, so if something truly universal brought all credit scores lower, loan pricing would eventually shift with it as loan losses decreased in those lower credit tiers.

The reality is, it sucks for those affected, and we're a lot more likely to put some higher yielding assets on the books because of the misfortunes of a few rather than suddenly losing track of our entire risk profile. It's not a level playing field, which is part of why credit unions and small local banks are valuable for the marketplace, and also why pisteoff is correct in that it also tilts toward the wealthy and well off. I don't know how to fix it, though.

So what if a significant percentage of FICO scores are lowered due to fraudulent transactions? Wouldn't some financial institution figure out that there is lower risk money floating around with crappy FICO scores (IE - the person that had a high 700's/800 score who starts the process to buy a house, but finds out they have fraud on their credit report and needs a few months to clear it up) and stop using the FICO score as an assessment tool?

Or are we all just going to end up paying protection money to a credit monitoring service?

[jackattack]

Experian freeze was a breeze.

Other two were, of course, "unable to process your request at this time."

[shroom]

my guess is that credit scores matter in a much more relative sense.

[Mustonen]

So what if a significant percentage of FICO scores are lowered due to fraudulent transactions? Wouldn't some financial institution figure out that there is lower risk money floating around with crappy FICO scores (IE - the person that had a high 700's/800 score who starts the process to buy a house, but finds out they have fraud on their credit report and needs a few months to clear it up) and stop using the FICO score as an assessment tool?

Or are we all just going to end up paying protection money to a credit monitoring service?

Maybe. They'd have to replace it with something, though, and be able to defend it to regulators (who protect the insurance fund, among other things). If they can't demonstrate for themselves and others that some other criteria makes somebody just as credit-worthy as somebody with an 800 score and a deep report, then rates go up for that person anyways. 6 of one...... Some dabble in pure relationship lending, but typically not for something like a house, and if they sell to an investor it gets a lot more complicated.

Typically, credit reports are purchased directly from one or all of the big 3 bureaus (or a third party aggregator) and some version of a FICO score is just an add-on item. If bad data in credit reports becomes a bigger problem, I could see more lenders taking a bit more control of that side, where they're able to more easily suppress supposedly fraudulent trade lines from FICO scoring just to get shit done.

If this becomes truly endemic, as a lender, I'm a lot more worried about taking a bath on opening fraudulent loans than I am about it being marginally harder to get good borrowers approved at a good rate. We'll figure the second one out. The first one stings a bit more and drives rates up across the board. For every borrower who might have to go through some hassle so they don't have to pay an extra $20/month in interest there's a lender who gave some guy $10k that's never coming back.

[old goat]

It's not just credit and home loans that are a problem for people with fraudulent bad debt on their credit reports. They may have trouble renting, getting utilitiy accounts, and even jobs--all these people check credit reports. And coping with modern life without credit is very difficult--for starters buying or paying for anything online is impossible. And that's assuming you can get internet service.

[mecc69]

Maybe. They'd have to replace it with something, though, and be able to defend it to regulators (who protect the insurance fund, among other things). If they can't demonstrate for themselves and others that some other criteria makes somebody just as credit-worthy as somebody with an 800 score and a deep report, then rates go up for that person anyways. 6 of one...... Some dabble in pure relationship lending, but typically not for something like a house, and if they sell to an investor it gets a lot more complicated.

Typically, credit reports are purchased directly from one or all of the big 3 bureaus (or a third party aggregator) and some version of a FICO score is just an add-on item. If bad data in credit reports becomes a bigger problem, I could see more lenders taking a bit more control of that side, where they're able to more easily suppress supposedly fraudulent trade lines from FICO scoring just to get shit done.

If this becomes truly endemic, as a lender, I'm a lot more worried about taking a bath on opening fraudulent loans than I am about it being marginally harder to get good borrowers approved at a good rate. We'll figure the second one out. The first one stings a bit more and drives rates up across the board. For every borrower who might have to go through some hassle so they don't have to pay an extra $20/month in interest there's a lender who gave some guy $10k that's never coming back.

I'm more interested in how it effects the bottom line of the credit companies. IE - Why purchase info from a credit bureau that is junk?

Maybe it will motivate them to clean up credit reports faster or be proactive about fraud.

[Mustonen]

I'm more interested in how it effects the bottom line of the credit companies. IE - Why purchase info from a credit bureau that is junk?

Maybe it will motivate them to clean up credit reports faster or be proactive about fraud.

That'd be nice. They're a commodity, though. If Equifax goes under (and I hope they do) they'll be replaced, probably by an outfit that calls itself equifax who uses the equifax data. A shockingly high percentage of people feel no particular obligation to repay loan commitments. I can't see the industry being able to not rely on credit histories and scoring models and still function well (or individual lenders being able to compete with those who do).

Also, the info being junk is a result of reporting from lenders, who report to all 3 bureaus, not because of shitty data and security practices - even if equifax's breach led to fraudulent trades being opened in the first place. They'll be punished by meaningful class actions, fines, and oversight. Not by the market.

[Supermoon]

Only thing that worked for the CC companies was making them liable for fraud. That's what it's going to take to fix these reporting agencies.

[Mustonen]

Only thing that worked for the CC companies was making them liable for fraud.

Wait, what? When do you think that happened?

[Supermoon]

I guess it was making the consumer NOT liable for fraud.

[Mustonen]

.

[Mustonen]

In any event, assigning meaningful liability to the institution liable for the breach would be terrific and would go a long ways, and there are state level initiatives to do just that. Most of the time, these breaches come from merchants or merchant payment processors (and healthcare).

I think we're conflating credit bureaus being shitty and the credit system being a downer with the state of and liability for information security.

[Supermoon]

I think it was back in the mid-60s.

Edit: Here is the article I read it in: http://www.motherjones.com/kevin-dru...ou-should-too/

Fair Credit Reporting Act of 1968

[Supermoon]

I think we're conflating credit bureaus being shitty and the credit system being a downer with the state of and liability for information security.

Yeah. I'm just talking about the credit reporting agencies here, but agreed on all counts

[Mustonen]

I think it was back in the mid-60s.

70's, actually. Regulation E....

Anyhow, sorry to press you. I thought maybe you were implying it was recent since data breaches are a relatively new phenomenon. I guess there are some parallels....

[Mustonen]

I think it was back in the mid-60s.

Edit: Here is the article I read it in: http://www.motherjones.com/kevin-dru...ou-should-too/

Fair Credit Reporting Act of 1968

Oh, sure. That too. And Reg Z....

Good article....

Edit to add: the most meaningful regulations we deal with when it comes to verifying identities are the bank secrecy act (70's era to combat drug trafficking) and the the post 9/11 patriot act (terrorism, duh). These not only have well defined penalties for non-compliance, they also assign personal liability in cases of willful negligence. Neither are at all geared toward consumer protection, however.

The main consumer protection privacy regulation we deal with is the GLBA of the late 90's which, rather than assign specific penalties for a result, assign minimum standards of privacy and information security programs. Result? Exams spend a lot of time worrying about inane checklist compliance tasks rather than meaningful infosec practices. I'll have to have a think about where FCRA fits in.......

[frorider]

Experian freeze was a breeze.

Other two were, of course, "unable to process your request at this time."

Wish I could say the same. Online freezes at all 3 were unsuccessful. Similar error messages implying that my info didn't match records. I haven't devoted the hours necessary to talk to live agent.

Fucking hassle.

[Ted Striker]

Why purchase info from a credit bureau that is junk?

Maybe it will motivate them to clean up credit reports faster or be proactive about fraud.

That'd be nice. They're a commodity, though. If Equifax goes under (and I hope they do) they'll be replaced, probably by an outfit that calls itself equifax who uses the equifax data.

I'm curious as to how there is room in the market for three major players. Are they merely reaping the benefits of the antitrust acts? They all sell the exact same information.

[RShea]

Experian freeze was a breeze.

Other two were, of course, "unable to process your request at this time."

There are 4 national companies actually, Innovis too.
https://consumerist.com/2008/10/04/d...gency-innovis/

[RShea]

I'm curious as to how there is room in the market for three major players. Are they merely reaping the benefits of the antitrust acts? They all sell the exact same information.

Innovis is a 4th... Most sell the same credit info, but they also sell names and addresses and more for "target" marketing. If you ever get offers for a name that is not even a member of your household- probably bad info out there being sold to others. I get offers for RShea Jr. all the time and there is no Jr. anywhere.

[Mustonen]

There are 4 national companies actually, Innovis too.
https://consumerist.com/2008/10/04/d...gency-innovis/

More than 4.... innovis is trying to make it the "big 4," but I think they're a ways off.

[old goat]

Someone should flood the dark web with billions of fake ID's with SSN's, CC nos, addresses, email addresses, etc--like releasing sterile mosquitoes. And if someone does apply for credit with one of the fake id's they get caught.