By Andrew Leahey
Personal data is big business. Recent news of the 2017 Equifax data breach settlement checks reaching the 147 million Americans affected focused on the paucity of the per-consumer amounts, which were mostly in the single-digit-dollar range. The settlement pool was more than $380 million, but when the breach covered just a shade under 45% of the US population, even hundreds of millions of dollars doesn’t go very far.
But we still need entities such as Equifax, and we can’t shut them down simply because they leaked just under half of our identities. After all, what about the other 55% of the population, whose information the company presumably didn’t have or somehow didn’t leak? Isn’t that worth something?
Sure, and so are Equifax Inc., Experian PLC, and the like. Experian is an information company similar to Equifax; in 2015, it leaked a mess of data on T-Mobile customers and paid about 0.0004% of its value, a value derived chiefly from said data, to do so. Experian offers a protection plan that costs about $25 per month. If the Equifax payout is any indication, most folks’ settlement checks will cover about a week of that plan. And if you had purchased said plan immediately in the wake of the breach news, you’d have paid in just shy of $1,500 by the time you’re reading this.
Credit reporting agencies may need to be incentivized through a fine or excise tax, because, unlike the tech companies, they don’t face a tremendous amount of competition. It isn’t as though, in light of the Equifax and Experian breaches, one can simply take one’s consumer credit report information elsewhere.
Companies such as Apple Inc., Google LLC, and Meta Platforms Inc. will often offer what’s called a bug bounty: a fund that pays ethical, white hat hackers who report the vulnerabilities they discover to the company so they can be patched, rather than selling them on the open market. This motivates hackers who would prefer to operate above board to probe systems as a nefarious hacker might, but to lay out what they found to the company itself rather than to the dark web.
Perhaps we should ask why we’re considering reorienting a policy to reward the hackers who necessitate the policy to begin with while putting money in the hands of those who would gleefully leak our information if we didn’t pay them not to. But protecting the status quo is to make permanent the identity of winners and losers. It’s hard to tell who the winner is, but it’s crystal clear who the losers are.
Offering incentives to white hats harnesses market forces to put a value, in the legitimate economy, on something that previously had value only in the underground economy. The same approach needs to be taken here. If credit reporting agencies need to exist, they need to have incentives to offer bounties on confirmed vulnerabilities.
A completed identity portfolio or tax return for an individual shouldn’t be selling for $70 apiece on the dark web; the individual who found the vulnerability that led to the leak should already have been paid hundreds of thousands of dollars by the credit agency through a legitimate channel.
There’s a theory in tort law that, to ascertain the fairness of compensation after the fact, one might reimagine the exchange between two parties that gives rise to a claim as a contract negotiated in advance.
In this case, one party theoretically approaches 147 million Americans one at a time and informs them that it would very much like to leak their information. The individuals hear the request and agree to the contract, but respond that they’d need to be paid about $7 for their troubles.
Imagine if you approached people on the street and asked if they’d be willing to share a piece of identifying information, such as a driver’s license or Social Security number, for $7; you wouldn’t get a lot of takers. And yet, it seems this has been deemed fair compensation for having that information taken from you and made public.
One might also look to the value of that information in the marketplace. In this case, the “marketplace” would be the dark web, where completed 2022 individual Form 1040s with proof of identity are selling for about $70. The entrepreneurs peddling these portfolios indicate that much of the information was gleaned from the 2017 Equifax breach.
Whether or not that’s true, personal information being sold in bulk is almost certainly from some sort of breach: Experian, Equifax, or one of the myriad others. And if that breach ended in a settlement, there’s no reason to believe it would lead to more favorable compensation terms for the victims.
Suffice it to say, then, that the justice system values our personal information at a bit under $10, while fraudsters value it at around $70. And we would each likely pay 10 times that to avoid the hassle and headache of dealing with identity theft.
This is a regular column from tax and technology attorney Andrew Leahey, principal at Hunter Creek Consulting and a sales suppression expert. Look for Leahey’s column on Bloomberg Tax, and follow him on Mastodon at @andrew@esq.social.