As you prepare your taxes this year, think of Equifax. Why? If you were one of the 145 million Americans who had their personal information breached at Equifax last year, you could become a victim of tax fraud.
After the breach, there was a flurry of articles advising people to place credit freezes on their accounts and set up fraud alerts at each of the credit bureaus. This is good advice, but it does not prevent scammers from filing with the IRS using your Social Security Number and requesting fraudulent tax refunds in your name. All you can do to protect yourself from tax identity theft is file as early as possible, so identity thieves don’t file before you do.
Meanwhile, Equifax has faced minimal consequences: a few weeks of bad press, a temporary dip in stock prices, and some hard questions in congressional hearings. These companies could actually profit from the breach because they use it as an opportunity to sell services to vulnerable consumers. That is why companies might rather risk the bad press than invest in data protection. When a company recklessly flouts basic security standards, as Equifax did, there should be consequences and meaningful reform. Consumer privacy is a problem that cannot be fixed by markets.
That is why we need to reset the defaults on data protection law in the United States. Already we have seen a few proposals in Congress, but any comprehensive approach to protecting personal information should include, at a minimum:
1. Creation of a data protection authority
The U.S. needs a specialist agency with the expertise and authority to enforce data protection standards. The Federal Trade Commission only has the authority to bring actions for “unfair or deceptive practices,” such as explicit lies by companies, and its enforcement power is limited.
2. Private right of action
Individuals should have the ability to get relief in court when their personal information has been mishandled. When consumer protection is not a top priority — which has been true so far in the current administration — consumers still have redress.
3. Objective standards for data security
Companies should be required to implement certain baseline data security processes, rather than be given wide latitude to determine what constitutes reasonable security measures.
4. Prompt breach notification
There should be a 48-hour requirement for breach notification. When companies take too long to notify consumers of a breach, as Equifax did, consumers are less able to take preventative or mitigating actions.
5. Deterrent penalties
If a law’s penalties don’t cause a company any real financial harm, they will not have a deterrent effect because companies will just see them as a cost of doing business. The Federal Trade Commission’s largest settlement to date was in 2012 with Google for $22.5 million, but that was a mere five hours of revenue for the company. Compare that to Europe’s General Data Protection Regulation, which imposes a penalty of 4 percent of a company’s global annual revenue.
6. Statutory damages
Penalties for companies should be stated explicitly in the law because plaintiffs have found it difficult to quantify the harms they suffered due to a data breach and to show their harm was caused by a particular breach. The bill introduced by Senator Warren (D-Mass.) and Senator Warner (D-Va.) sets this at $100 per consumer, which would be a hefty total for a breach as large as Equifax’s.
7. No preemption of state law
Federal privacy law should set a baseline standard and allow states to enact stricter safeguards. In other words, it should be a floor, not a ceiling. A weak federal law that preempts state regulation could put consumers in a worse position than they’re in now.
8. No mandatory arbitration
We have seen many companies try to escape liability by requiring consumers to use complicated “arbitration” systems to seek relief. But consumers shouldn’t lose their rights based on the fine print buried in a policy they have never read.
Data protection is not a partisan issue; we all face the risk of identity theft. In a time where Washington seems more divided than ever, the revelation of the Equifax data breach last fall has galvanized citizens on both sides of the aisle. Several bills have been introduced in both the House and the Senate, but legislators need to work on this in a bipartisan way to protect all Americans.
Equifax is asking you to pay the price for its malfeasance. Congress shouldn’t let them get away with it. But until then, file your tax returns early.
Christine Bannan is the Administrative Law and Policy Fellow at the Electronic Privacy Information Center (EPIC).