At first glance, it appeared Equifax and Facebook got their comeuppance this week for privacy screw-ups that endangered hundreds of millions of Americans.
Equifax agreed to pay as much as $700 million to resolve federal and state investigations into the 2017 hack that compromised the privacy of more than 147 million people. (I’ll tell you how you can get a piece of that.)
Facebook was slapped with a record $5-billion fine by the Federal Trade Commission over the Cambridge Analytica scandal that resulted in 87 million Facebook users’ data being accessed without their approval.
Here’s the thing, though. A quick crunching of the numbers reveals that Equifax is paying only about $4.75 per person it exposed to hackers and scammers.
That’s the equivalent of an order of Chicken McNuggets.
As for Facebook, $5 billion sounds like a huge penalty until you realize this is roughly how much the company makes in a single month.
“Both settlements fall short of what consumers deserved,” said Joe Ridout, California legislative advocate for Consumer Action, echoing the sentiment of many privacy experts.
“I doubt if industry will learn much, other than perhaps to invest more in security and in preparing for the aftermath of inevitable breaches,” said Fred H. Cate, a senior fellow at Indiana University’s Center for Applied Cybersecurity Research.
The inevitability of future breaches was cited as well by Equifax Chief Executive Mark Begor, who told CNBC that “companies are attacked every day. It’s a war that, from our perspective, isn’t going to end.”
Sure, he’s deflecting by making his company’s negligence seem like a piece of a much larger puzzle. But Begor is right. A digital war is being waged, and consumers are caught in the crossfire.
And can I just say how cheesed I was to learn that Begor’s predecessor as CEO of the credit reporting agency, Richard Smith, the guy who was at the helm when all our info spilled into the ether, will pocket about $20 million in stock bonuses to reward him for his incompetence?
It was Smith who was in charge when Equifax failed to install a software patch that could have protected all that data. He’s the guy ultimately responsible for the entire mess.
On top of $20 million in bonuses, Smith also gets health coverage for life -- for life! -- and a $24-million pension.
So, yeah, enjoy your McNuggets.
I’ve said it before and I’ll say it again: These data breaches will continue until they become so financially painful for businesses that companies finally take steps to keep people’s information under wraps.
That means encrypting data, which seldom happens at the moment. It means privacy practices that make data off-limits to third parties, which also seldom happens.
And it means giving consumers far more control over how their personal information gets used, which is anything but the default setting when it comes to corporate privacy policies.
“What we really need is a designated privacy protection agency at the federal level,” said Ridout at Consumer Action. “The FTC works very hard, but its mandate is so sweeping, it simply can’t be expected to be there for consumers on privacy as well as on so many other fronts.”
I agree. Just as the Consumer Financial Protection Bureau was created to safeguard people in their financial dealings -- a regulatory role that’s been all but defenestrated by the Trump administration -- a Bureau of Privacy Protection would have much to offer in a data-driven world.
Beyond official oversight, though, the real question here is teeth. How do we make sure CEOs take people’s privacy seriously?
Facebook’s Mark Zuckerberg will feel the pinch of a $5-billion fine. But his company posted nearly $60 billion in revenue for the 12 months ended March 31, up 32% from the same period a year earlier.
Moreover, the FTC let senior Facebook execs off the hook for any personal responsibility for their own decisions.
“Zuckerberg and associates escaping personal liability means they’ll do it again,” said Chris Hoofnagle, a privacy expert at UC Berkeley. “The lesson from recent events is that there is no real accountability for Facebook.”
What’s needed are comprehensive privacy rules that level the playing field, if not tip the balance in consumers’ favor.
A new privacy law set to take effect in California at the beginning of next year will allow state residents to find out what kinds of information a business has collected.
The California Consumer Privacy Act also permits consumers to request that a company delete any personal information it holds and to opt out of the sale of such info.
However, corporate lobbyists are pushing for passage of a weaker federal privacy law that would preempt state regulations.
I suggest we follow the example of our friends across the Atlantic. The European Union last year implemented a sweeping privacy law called the General Data Protection Regulation.
Among other things, it requires that companies obtain consent from customers before using or sharing their personal information.
It also gives consumers the right to know how their personal data are being used and to receive a free copy of any such information held by a business. People must be notified of a security breach within 72 hours.
Most importantly, it has teeth. A violation of the European law can result in a fine of up to 20 million euros ($22 million) or 4% of the company’s annual global revenue, whichever is greater.
That would mean smaller fines than what Equifax and Facebook are currently paying, but would guarantee huge penalties for any future incidents. That’s the sort of ongoing threat that makes a board of directors sit up and take notice.
Maybe a one-time $5-billion hit won’t make Facebook change its ways. Five billion a year would resonate with the company.
Jen King, director of consumer privacy for Stanford University’s Center for Internet and Society, said she doesn’t expect Congress to act on a federal privacy law any time soon.
But she said the European rules could become “something like a global standard as more companies are forced to comply with them.”
For the time being, it’s mostly up to consumers to protect themselves.
If you were affected by the Equifax breach, you qualify for either $125 or up to 10 years of free credit monitoring. If you were the victim of fraud or identity theft, you could receive up to $20,000 in compensation.
Those amounts are bigger than the $4.75 figure I cited earlier because Equifax is figuring most people won’t take the time to submit a claim. You should prove them wrong.
Go to EquifaxBreachSettlement.com. You’ll be asked to enter your last name and the last six digits of your Social Security number. You can also contact the Settlement Administrator at (833) 759-2982.