Sunday, September 17, 2017

Equifax Execs Resign; Security Head, Mauldin, Was Music Major


I notice that the executives who make these decisions are never penalized. The companies might be fined, which means the stockholders and lower-level employees are hurt.



by Ben Popken
Sept. 15, 2017

•••••

The beleaguered company announced Friday evening that its chief information officer, David Webb, and chief security officer, Susan Mauldin, had retired. A statement said Mark Rohrwasser would serve as interim CIO and Russ Ayres would be interim CSO.

•••••

But will these moves be enough to tamp down the growing conflagration surrounding the company?

"Not at all," Ed Mierzwinski, Senior Fellow for U.S. PIRG, a Washington-based advocacy group, told NBC News in an email. "These are calculated sacrifices at a company with a troubled record."

"All the credit bureaus have a troubled culture because consumers do not regulate their markets," he added. "You cannot vote with your feet. They've only just begun to be reined in under the CFPB after 40 years of sneering at consumers and the FTC."

•••••

Watchdogs are referring to the debacle as "corporate malfeasance," noting that it is "the worst breach in history."

The hot glare stands in marked contrast to the cool breeze the credit bureaus have felt for decades with little to no oversight or regulation, consumer advocates say, despite holding and making money off the deep and personal data on nearly every American citizen.

This is no accident. The three top credit reporting agencies, Equifax, Experian, and TransUnion, have spent millions lobbying for lighter regulation and in campaign donations to congressmen who will keep their mandatory protections low and profits high.

From 1998 to 2017, Equifax alone has spent over $9 million in lobbying, primarily on debt, credit report, credit score and personal information issues.

Perhaps tellingly, Warren also sent letters to the Consumer Financial Protection Bureau and the FTC asking whether they had authority to investigate the breach and the adequate power to regulate the agencies and protect consumers.

It's not too hard to guess what direction the answers will go.

"The credit bureaus have never been forced to have a 21st century database. The reason is because they don't have to," said Mierzwinski.

Since the rise of consumer credit in the 1970s, credit bureaus have fought back against efforts to ensure accuracy and maintain stricter consumer protections.

•••••

"We know [the credit bureaus] didn't make an investment in accuracy until recently," said Chi Chi Wu, a lawyer for the National Consumer Law Center. "In the last couple of years they have moved better with respect to dispute processing. That's because the CFPB has been supervising them and the state attorneys general have been taking enforcement action."

The day the breach was announced, Wu was testifying in Congress against a bill that would have rolled back financial penalties for violations of the Fair Credit Reporting Act, a 40-year-old rule that requires credit reports to not have mistakes or contain false information.

The new bill, the FCRA "Harmonization" Act, was sponsored by and endorsed by 14 congressional representatives, 10 of whom have received campaign donations linked to the big three credit bureaus.

•••••

And if the invisible hand of the marketplace is supposed to course correct, it's asleep at the wheel.

"The three credit reporting agencies are a natural oligarchy," said Wu. Unlike with, say, wireless providers, where a handful of companies control the overall market — and if you don’t like one you can just switch — when it comes to credit bureaus, "the consumer has no choice."

Speaking of the private sector, there are controls there that would have stopped the breach or limited its impact.

"The U.S. breach was an Apache vulnerability that had a patch available back in March. According to Payment Card Industry Data Security Standard, all critical patches must be applied within 30 days," Greg Sparrow, general manager for Compliance Point, which does PCI certification for Equifax vendors, told NBC News in an email.

•••••
