In September, we learned that Equifax had suffered a massive data breach that exposed the personal information—including names, addresses, birthdates and Social Security numbers—of 145 million Americans. It was the latest in a string of cybersecurity breaches in recent years. The frequency of such attacks—with other prominent examples including breaches of systems belonging to Target, eBay, Yahoo and Home Depot—demonstrates the complexity of securing sensitive information in the internet age.
If there's one thing that all these breaches have taught us, it's that cybersecurity is hard. There's no easy legislative fix, and knee-jerk calls for new regulations on each industry that suffers from a breach offer no substitute for improving cybersecurity.
Nevertheless, a mere week after the Equifax breach, Sen. Elizabeth Warren, (D-Mass.), had the issue all sorted out. She introduced her legislative remedy, the Freedom from Equifax Exploitation, or FREE, Act, claiming that it "is a first step toward reforming the broken credit reporting industry."
The implication is that this incident is unique among all other cybersecurity breaches in that Equifax and the credit industry at large are the source of the problem. The truth is much more mundane. Equifax fell victim to an unpatched vulnerability installed by a contractor, and now a politician is exploiting the issue to increase government control over an industry.
This is not to say that Equifax deserves no blame. Quite the contrary. Not only was its response after the incident widely condemned as ham-fisted but also the vulnerability itself was disclosed months before the attack and should have been patched. But that kind of mistake is quite common, and the FREE Act would do nothing to fix it.
Instead, Warren focuses on promoting credit freezes by forcing credit reporting agencies to offer the service free of charge. That is troubling because it would be far too easy for consumers to get in the habit of using government to force businesses to provide useful services free. In addition, there is danger in the over-promotion of credit freezes, which, though a useful tool for consumers, come with the potential for economic downsides.
Consumer access to credit is important to the functioning of the economy, and the credit reporting industry plays a vital role. Without the information and the assurance that it provides to lenders, all but the most obviously dependable would find their access to credit considerably curtailed. Everything from buying a home or car to opening a store credit card would become much more difficult without access to the information provided by the credit reporting industry. Even those trying to register on the Obamacare exchanges are finding it much more difficult if they have frozen their credit.
Even if freezes wouldn't be more widely used or prove terribly disruptive, the new regulations would add friction at a key juncture of the economy. There are valid reasons individuals may wish to free their credit, but the government shouldn't pretend that it is a panacea or promote it without understanding the potential for unintended consequences.
The fact that major breaches have occurred at government agencies—such as the United States Office of Personnel Management, the U.S. Postal Service and the IRS—suggests that the government is unlikely to be holding a secret formula for solving the cybersecurity problem. Warren's heavy-handed price control regime wouldn't improve cybersecurity, and it would increase regulatory burdens on a sector that in truth needs the opposite.
The credit reporting industry is cartelized, thanks to past government interventions. The Fair Credit Reporting Act, now 47 years old, has served to limit competition and partially shield companies such as Equifax from legal claims. Instead of micromanaging the services that firms offer, the government should look to remove rules that prevent competition.