Monday, September 11, 2017

Violence and the State: Equifax


White-collar criminologist Bill Black and Aaron Mate discuss the massive Equifax data breach on The Real News Network (source)

by Gaius Publius

According to the Associated Press the credit reporting and data storage agency Equifax has suffered a massive data breach, and information on 143 million people — including "credit card and Social Security numbers, addresses and birth dates," plus potentially a whole lot more — have been lost forever to thieves.

The date Equifax said it first learned the breach is July 29. The date it reported this to the public was Thursday, September 7. The data breach(es), according to Equifax, occurred "from mid-May through July 2017."

That information is now "out there" and will be out there, sold and traded between gangs of cyber-criminals, for the next 30 years. The number of U.S. citizens is about 325 million people, of which about 23% are under 18 years of age. The number of U.S. adults is thus about 250 million people.

Equifax has, in other words, through neglect and/or error, disclosed identity data on 44% of the U.S. population, and more critically, on 57% of the adult population. If there are at least two adults in your family, the odds great are that at least one of you is in the affected group.

This is clearly the most serious data breach in U.S. history, one that compromises the financial integrity of more than half of all adults — and will continue to compromise their integrity for the next generation, until they are either dead or the data contains so few living individuals as to be worthless.

You can read more about the Equifax data loss here (AP) and here (NBC News).

This is not about the data loss per se, however damaging it will prove to be, but about the company, the culture of its CEO class, and indeed the CEO class of very large companies in general. It's also about the U.S. government's likely response and how that response will prove to be yet another instance of the violence of the neoliberal (wealth-protecting) state in its service to the very rich.

What To Do

But first, before a taking look at the implications of this data breach, here are two things to consider as a next step for you. The first comes from the invaluable Wolf Richter (h/t Naked Capitalism; italics mine):
But here is the most effective way to prevent identity theft:

Put a “security freeze” on each of the three major credit bureaus

A security freeze (aka “credit freeze”) will prevent the credit bureaus from selling your data to anyone. It will not prevent hackers from stealing that info, but it will make it very difficult for them – or for those who buy that data from them – to use this data to open credit accounts in your name and steal your identity. If they submit your data to a credit card company to apply in your name for a credit card, the credit card company checks with credit bureaus to confirm this information and review your credit. But since there is a credit freeze on your account, Equifax cannot disclose that information, and the credit card company will not open an account in your name.

Note: Even if you try to open a new bank account or credit account, you will not be able to, unless you first remove the credit freeze. Credit freezes do not impact current banking and credit relationships; they continue as normal.

Here are the pages of the three major credit bureaus where you can request or lift a security freeze: Equifax, TransUnion, and Experian.

Credit bureaus are required by law to provide this service, otherwise they wouldn’t. They hate it. Selling your data is how they get revenues. Locking this data eliminates those revenues. But it’s the most effective way to protect yourself.

And remember: you’re not their customer; you’re their product.
The last statement is important — you are not an Equifax customer. That means you haven't signed any agreements with Equifax ... yet.

A second recommendation going forward: Don't sign any agreements with Equifax. See below for why.

If a "Mom and Pop" Store Had Suffered a Similar Data Breach...

And now a look beneath the news to the implications. If a "mom and pop" store had suffered a data breach of this kind, one would reasonably expect the following to be done or required:
  • A timely alert to all customers that the breach had occurred.
  • A list of the kinds data that had been compromised — for example, "only Social Security numbers," or "Social Security numbers plus login passwords," and so on. 
  • A timely, proactive and free notification to affected customers that they specifically were in the affected group. 
  • Disclosure of the vulnerability that permitted the breach and a demonstration that the vulnerability had been effectively addressed. 
  • Some form of restitution — implicit within which is an admission of liability — to customers who experience material harm. 
Were any of those items not part of the store's response, one would expect lawsuits to force the store's compliance. If the store, for example, were to charge customers a fee to find out if they were in the affected group — or attempted to profit by the breach in any other way — a class action lawsuit would immediately follow.

One would also expect, if the financial harm to the store of this breach were great enough, that the store could be forced out of business. After all it is a "free market" and customers could always take their business elsewhere for any reason at all. In other words, one of the costs of doing business in a "free market" is failure, and stores and restaurants fail every day.

The Equifax CEO Class Responds to Its Massive Data Breach

Almost none of the above-listed responses has occurred in the Equifax case, nor is any branch of national government expected to force those responses.

According to Professor Bill Black (see the transcript or the video above), here's what the Equifax CEO class did do (or in the case of front-running stock and option dumping, probably did do).

The breach was undisclosed for more than a month.

• During that time, three Equifax executives dumped more than $2 million in stock and a great many more sold stock options, clearly, if not yet provably, ahead of the expected fall in Equifax stock price.
AARON MATE: It took more than a month for Equifax to publicly disclose it, and during that time, just days after it happened, three company executives sold nearly $2 million worth of stock. Equifax claims they were unaware the intrusion had occurred....

BILL BLACK: On top of that, there was also an immediate … in the same time period that these senior executives were selling their stock, there was a massive increase in sales of stock options compared to the normal for Equifax, and that almost certainly was again because people had been tipped about what had happened in the breach.
Here's a chart of the Equifax stock price for the last three months. The 52-week high was $147.02. On Friday, September 9, the day the market reacted to the announced breach, the stock opened at $141.45 and closed down almost 14%, at 123.23.

Equifax stock price for the three months prior to the data breach announcement (source; click to enlarge). Note the two drops in late July and a week later on low volume, and the deep drop on very high volume on September 8. The small circled price rise is discussed below. 

In other words, the Equifax CEO class arguably withheld the information from the public long enough to protect much of their personal wealth in company stock. It appears from the chart above that by mid-August, most insiders who were "in the know" had sold all the stock and options they intended to. (Note the two low-volume drops in very late September and early-mid-August.) The small spike on August 22 (circled) looks like a market reaction by those not "in the know" to a price considered too low. The price from that point to the Friday announcement-collapse is basically flat.

You will have to pay to find out if you're one of the affected. You will have to pay twice, in fact. First, Equifax won't tell you if you're affected unless you sign away your right to sue or to join to join a class action suit. From the International Business Times:
If you want to know if you were one of the 143 million people whose data was breached in a hack of Equifax’s data, the company has a website you can use to find out — but there appears to be a catch: To check, you have to agree to give up your legal right to sue the company for damages. ...

On Friday, social media users spotlighted fine print on Equifax’s website that appears to force users to agree to waive their class action rights if they use the company’s website to see if their personal data was exposed by the recent hack. It is precisely the kind of arbitration clause that a pending Consumer Financial Protection Bureau (CFPB) rule is designed to outlaw — if Republicans and the Trump administration allow it to go into effect as scheduled later this month.
About that last point — "if Republicans and the Trump administration allow it to go into effect" — look for quite a number of finance industry–friendly Democrats to be put on the spot as well if this comes for a vote in Congress. Finance is where the money is, and finance industry money flows through a virtual firehose to both parties.

If your credit becomes indeed compromised by this breach, there's a measurable cost to not being able to sue to recover damages for harm done — the dollar cost of the harm itself being just a start.

The second way you may have to pay is more insidious. If you sign up at their website to find out if you're affected, you get one year of free "data protection" that automatically converts to a product you pay for if you don't opt out after a year.

Bill Black, from the interview above:
BILL BLACK: ... On top of that, they immediately saw an opportunity, A, to protect themselves, that you talked about, and B, to make a profit. As you say, they said, “We will provide you with one year of protection.” Now first, the information lost, in addition to the types that you talked about, included Social Security numbers, which of course do not change normally, so that information will be commercially valuable to other frauds for 10 to 30 years, so one year of protection, A, doesn’t do it. B, as you said, they said … “they” being Equifax … “If you … ” and this is in the fine print, mind you, “If you sign up for this protection, you have to give up any right to bring a class action suit.” ...

That isn’t it, because they also said, “Hey, this is a chance to make money on the victims.” It turns out, if you sign up for this one-year of free protection, it’s automatically renewed, and they charge you for it after year one. Again, they know that if they do this to some tens of millions of people, that most people will simply not track that it’s a year later and that they have to kill this protection, and so they’ve turned this massive abuse, this greed upon greed upon greed, into yet another opportunity to make money off the customers who they’re treating in the most atrocious fashion possible.
Black concludes this section by making an excellent point: "This is like a bad novel that someone wrote who hated corporations, except all of it’s coming from the senior leadership of the corporation."

"Greed upon Greed" from the Senior Leadership of Equifax

This makes two more general point about the culture of Equifax senior leadership, their CEO class:
  • Personal greed. By delaying release of the breach, they added to the harm done simply to protect, in all likelihood, their personal wealth.
  • Corporate predation. By charging people for information that should be available for free —  by charging for protection beyond a one-year time frame for damage that could occur anytime in the future — the company and its CEO class is using this disaster as a profit opportunity.
How is that not a text book definition of clinically pathological greed and predatory behavior? Were the owners of a "mom and pop" store to respond in this fashion, they'd not only be forced out of business and into bankruptcy, they'd likely be forced to live on a different coast under different names.

Violence and the State

Which leads to a final point. This breach and its likely consequences represents three acts of violence inflicted on the population of the U.S.

The first act of violence, of course, was committed by the hackers and will be perpetuated by whoever they sell their data stash to.

The second act of violence is being committed now by Equifax and its CEO class. They're denying Americans information they need to assess their vulnerability — or charging for it in any of several ways. In other words, if Equifax has harmed you, Equifax is trying to pass much of the cost back to you.

The third act of violence is about to be committed by the bipartisan wealth-protecting neoliberal state, which sees as its duty — is paid in fact to see as its duty — the protection of corporate profits, including Equifax's, at the expense of its citizens. If Equifax is protected by government and business-friendly conservative judges, in all likelihood, the company will suffer no damage at all beyond a temporary PR "speed bump." Government protection of Equifax will guarantee that the maximum possible cost will be passed to you.

If you need any evidence that this characterization of government is correct, consider NAFTA, TPP, and all the other "trade" deals our government has attempted or engaged in — all of which are bipartisan, neoliberal, and put profit before people in each of their many provisions and clauses.

If you wish, you watch this play out yourself. As you do, ask these questions and observe the answers:

Will Equifax be forced to disclose, at no cost to Americans, which Americans are affected?

Will Equifax be forced to make restitution, at no cost to Americans, for damage incurred further into the future than one year?

Will Equifax risk going out of business for this massive data breach, or will its "runway be foamed" by government protection so it can recover as a company pretty much intact?

Finally, will Equifax senior management see criminal prosecution for profiting from harm on such a massive scale?

If you think the answers to the questions above are sure to be No, you've been watching a painful sight — the bipartisan U.S. government in the post-Reagan era.

Violence and the state — this is why the failed revolution we now call the "2016 election" will inevitably continue, whichever pit or paradise it leads us to as a country. The profit-before-people racket we call the U.S. government is now under grave assault, and has been since the 2016 Democratic primary and the general election that produced a President Trump. The response to this massive data breach, if it plays out as all others have, will add to the fuel under that revolution.

Will the electoral situation improve in 2018 and 2020? Not unless one of the following occurs — the U.S. government grows a conscience, or a Sanders-like president is nominated. I wouldn't bet on the first, and the 2016 primary spoke wonders about the second. Stay tuned.


Labels: , , , , , , , ,


At 12:33 PM, Anonymous Anonymous said...

Each credit bureau charges a $10 fee to freeze & $10 to unfreeze your account in CA and most states; unless you prove you're a victim of ID theft? Ayyeee MateY ....all routes lead to a digital plank. Pirates rule.

At 4:12 PM, Anonymous Ed Walker said...

I put a security freeze on my files at all three. You have to watch the TransUnion page carefully. They steer you to a credit freeze which is different in that various people can see the file.

All three require a pin to unfreeze. The Equifax pin is a 10 digit number that only shows up in a note on the last page. The Experian pin is also 10 digits, but they will email it which is better. You make up your own pin and username for TransUnion.

It's fairly quick, and its worth doing. In fact, we should all do it.

Also, why can't we opt out of allowing these pigs to sell our demographic data?

At 5:15 PM, Blogger Gaius Publius said...

Thanks for the great suggestions, Ed!


At 6:21 PM, Anonymous Anonymous said...

Your final 2 paragraphs put the nails in the coffin.

No matter what happened in November last, this would have developed exactly the same. $hillbillary is the goldman-sachs/finance whore of the millennia and the democraps have been on their backs for finance for close to 40 years.

Bernie/Elizabeth might have done something. But we don't live in a democratic country where voters can actually pick their leaders. We live in a fascist binary-oligarchy where 2 equally fascist tsarist parties pick our leaders... and we channel "Animal House" and say "thank you sir, may I have another".


Post a Comment

<< Home