Daniel Tsai is a business and securities lawyer and part-time professor at Humber College Business School, where he teaches business law and marketing.
The Equifax data breach of 143 million people in the United States and as many as 100,000 in Canada may create a lifetime of problems for those affected. Hackers have gained access to sensitive data such as social insurance numbers and other identifying information that will allow them to engage in identity theft and fraud for years against these victims.
The company is offering free credit monitoring for one year and free credit freezes until Nov. 21, 2017, but the sensitive data goes beyond credit cards, which you can cancel, and extends to the very identity of the victims. Permanent credit freezes are a possible solution, but Equifax is a private company, with a clear profit motive, and it charges monthly fees for such "services." In other words, it could stand to gain financially from the data breach that its flawed data security systems allowed.
Credit bureaus are privately run businesses, not public institutions, regulated by a ragtag collection of provincial and federal privacy legislation. But these laws do not provide direct oversight of these companies. Individual complaints about Equifax get lost in the ether. There is no consumer advocate or public watchdog that deals directly with Equifax or other credit bureaus when a consumer has problems with his or her credit reports and needs to appeal to a higher authority.
Equifax has long been plagued by horror stories about customer service and ruined credit scores.
It even happened to me. I had an incorrect note placed on my credit file with Equifax and TransUnion. I was able to contact a live human being at TransUnion who removed the credit note after I sent in evidence that the debt had been paid. However, Equifax repeatedly refused to correct my credit report, which tanked my credit score for months.
Even after retaining a lawyer and sending legal letters and e-mails, Equifax and the collection agency refused to remove the credit note. I was ready to walk to the courthouse near my house and file a lawsuit when the matter was rectified by a supervisor at Equifax Canada who contacted me.
After the steps I had to go through, I know it's going to be hard for the millions of victims of this data breach to get protection and resolution when their lives get turned upside down by these hackers and the fraudsters who purchase their data.
Considering the seriousness of this breach, it is time for Ottawa and provincial governments to consider treating Equifax and other credit bureaus as quasi-governmental or highly regulated institutions.
As with banks and airlines, we already regulate profit-oriented businesses and have a long and relatively successful history with the regulation of businesses tasked with sensitive or public functions.
We need to establish regulations for Equifax and other credit bureaus, including approved security regimes for sensitive information with annual external reviews of data security. And these reviews need to be made public for greater accountability.
We also need to create provincial and federal watchdogs with direct oversight of credit bureaus to help address consumer complaints and provide solutions when a company such as Equifax fails to do so. The recourse in such consumer complaints should be clear and simple.
The government should also mandate that companies such as Equifax provide access to customer service people within a reasonable time frame. With the substantial power they have maintaining people's credit reports, they have a responsibility to respond to the public in a timely manner.
And finally, Equifax and other credit bureaus should not be permitted to profit from their negligence. For instance, in the case of the recent breach, Equifax should not be allowed to charge for credit freezes and instead should provide the service for free for the lifetimes of its Canadian and U.S. victims.
The data breach will almost certainly result in a class-action lawsuit. For its part, Equifax has offered to dedicate more customer service representatives to deal with the problem. But the serious consequences of the data breach won't be properly dealt with until Equifax and other credit bureaus are properly regulated and accountable to the people they serve: consumers.