"Identity theft" as a term has always struck me as a terrible description of what is happening. A bank falsely reporting to a credit agency that I am a debtor (when a criminal hands over some exclusively public information about me to get credit) seems like a slam-dunk definition of defamation. It meets the 4-part definition I'm aware of with (1) statement of fact (2) made to a 3rd party that (3) harms the reputation of the plaintiff while (4) acting negligently. (4) is of course the hardest to prove, but surely if all the information a bank asks to verify identity is in the public domain, that seems pretty clear to me.
Branding it as “identity theft” is a strategic move by the industry to attempt to move liability from themselves onto their customers, labelling them as the victim. The reality is in most cases it should be considered fraud against the business/bank/lender not the customer - they are the entity that has seen defrauded.
>Branding it as “identity theft” is a strategic move by the industry to attempt to move liability from themselves onto their customers, labelling them as the victim.
Except nobody seriously thinks that if someone "stole" their identity, that they're on the hook for the fraudulent loans. The consumer is one of the victims here, in the sense that they have to go through the hassle to have the issue resolved.
individuals are "responsible" for "keeping an eye on their credit report" in the same way that individuals are "responsible" for having an alarm system. They're both proactive things you can do to reduce the risk of something bad happening to you, but if you fail to do it you're not going to be punished for it. Not having an alarm system doesn't mean the burglar gets to keep your TV, and not keeping an eye on your credit report doesn't mean you're responsible for the fraudulent debt.
Responsibility doesn't require punishment (who is going around punishing non-criminal adults anyway?), a situation where negative consequences can fall upon innocent people has been created. I said "apparently" because I don't see any moral reason that individual ought to be responsible for monitoring Experian's data collection, but to monitoring these reports does somewhat reduce the risk that they've created and nobody else is going to do it for you, so...
There's an option to just not deal with anyone who uses their services, but this might include landlords, mortgage companies, and employers.
As to the analogy -- who is Experian in your analogy? And how does the analogy simplify the explanation? I think it is unnecessary and obfuscating. It removes the agency if the entity that has caused the problem in the first place.
>Responsibility doesn't require punishment (who is going around punishing non-criminal adults anyway?), a situation where negative consequences can fall upon innocent people has been created.
The negative consequences is precisely why it's correct to call the consumer a "victim" here, as mentioned in my previous comment.
>I said "apparently" because I don't see any moral reason that individual ought to be responsible for monitoring Experian's data collection, but to monitoring these reports does somewhat reduce the risk that they've created and nobody else is going to do it for you, so...
I also don't see any moral reason that individual ought to be monitoring their belongings (or paying a company to monitor their belongings for them).
>[...] the risk that they've created [...]
>As to the analogy -- who is Experian in your analogy? And how does the analogy simplify the explanation? I think it is unnecessary and obfuscating. It removes the agency if the entity that has caused the problem in the first place.
Okay but this feels like you're moving the goalposts from the original discussion of "is identity theft some sort of scheme to convince people to take responsibility for fraudulent behavior?" to "is experian responsible for leaking personal information?". "Identity theft" has existed well before credit bureau were breached.
>It does mean that disputing charges or accounts becomes way more onerous.
So? It's also more onerous to recover your belongings if you don't have an alarm system and the burglar makes off with your things instead of being scared away.
Identity theft allows them to shift the responsibility for their own fraudulent debts to us. Now we're the ones who have to seek redress. It's great for them.
Experian is so powerful; you can be denied loans for buying a house if your Experian score is poor. You could have little leverage in negotiating a fair salary at your new job because Experian told your new employer what you are currently making. And you could even be denied medical care if your Experian score is poor.
Private hospitals are now consulting a secret medical credit score from Experian before you even see a doctor. As a patient you do not have access to this score, nor can you see how it is generated. All you know is that you may be denied care, or receive different care, because of it. [2]
> Experian Verify Plus
> Returns income and employment information found within the last 90 days
> • Experian Verify Core data
> • Basic income information (gross pay, pay frequency, etc.)
> Experian Verify Premium
> Returns income and employment information found within the last 90 days + multi-year lookback
> • Experian Verify Plus data
> • Detailed income information (income breakdown, deductions, deposite information, etc.)
How's that any different than "In order to qualify for this loan, you must consent to a body cavity search which will be conducted by the guy we hired in the next room"? I suppose you can make the argument that Experian is doing a bad here by being a part of a system that helps employers get private information about you, but that seems somewhat different than the OP which implied something like "experian is gossiping about you behind your back!". It's the difference between providing cavity search as a service (with consent) compared to selling your nudes on the darkweb.
The point is that the bank has no way to perform this body cavity search itself. If Experian didn't exist, it would have to use other means of assessing risk, like all the banks in countries that don't have an Experian do.
The point is that perhaps it shouldn’t be necessary to submit to a cavity search just to get a loan like that. Maybe it should even be made illegal to require something like that.
It is actually much worse than that. If your previous employer flags you as "not eligible for rehiring" then Experian is gonna tell that to your new employer:
Okay but where does that leave my original question? The link you provided seems to suggest that employers can't dox you without your consent. In that case what experian provides isn't really different from your potential future employer asking for your w-2 from your previous job.
>If your previous employer flags you as "not eligible for rehiring" then Experian is gonna tell that to your new employer:
Isn't "eligible for rehire" or "would you hire this person again" a standard question to ask when checking references? It's certainly something that can work against you, but hardly something you can solely blame experian for enabling.
>The difference here is, a third-party company is providing that information about you without your consent.
Do you take offense at your former employer providing the same "information about you without your consent"? More fundamentally, what makes you think you have exclusive control over the piece of information in question?
Did you notice the list of things you need to "obtain authorization" for doesn't include salary?
> what makes you think you have exclusive control over the piece of information in question
Access to courts. If my previous employer prevents me from getting a job, then (depending on circumstances) I may be able to collect damages from them. For that reason, former employers are usually reticent about what they say. Now if a third-party provides that information and I don't even know about it, then that's an even greater encroachment on my rights.
>Did you notice the list of things you need to "obtain authorization" for doesn't include salary?
Did you notice that in the "Employment Verification" section, it literally says "Salary amount, if allowed"? It's pretty obvious what's happening here is that "verifying the employment" refers to validating every piece of information mentioned above, including salary. Moreover, your alternative interpretation (ie. they require authorization to tell a company that you worked for Acme corp but don't require authorization to tell people that you made $80k last year) doesn't really make sense. Finally, if you're going to allege something shady is going on, you should really find better sources than trying to read between the lines of a blog post. Something explicit from experian or a trusted source would be preferred.
That's pretty vague, isn't it? Allowed by whom? That could easily mean "if you have paid Experian for the extra information". They could have used the words "with consent" instead of "if allowed", and to me that is telling.
> Finally, if you're going to allege something shady is going on...
I have provided a link for something worse... information provided by Experian can be used to deny you medical care! See the link below. That isn't shady enough for you?
>I have provided a link for something worse... information provided by Experian can be used to deny you medical care! See the link below. That isn't shady enough for you?
Rage inducing headline aside, I'm really not seeing what's shady here after reading the article. What basically seems to be happening here is that Experian is telling hospitals your credit worthiness, and as a result people with bad credit are being denied credit by hospitals and therefore have to pre-pay for their medical care. If they don't have the money, they can't get medical care. I'm not saying this is a good situation, but I'm not sure how Experian's role here is "shady".
> people with bad credit are being denied credit by hospitals and therefore have to pre-pay for their medical care.
That article doesn't say that at all. There is no mention of pre-pay that I could find. In fact, this may not be about credit worthiness at all.
As it says in the article: "The central issue is that we don't have any actual transparency on what's in the record," says Reede. "I can't see what this is being evaluated on."
Yeah, because it's intentionally being vague to elicit rage. What's actually happening (ie. people with poor credit being denied access to cerdit) isn't as rage inducing as some vague implication that Experian is running death panels. However, there are snippets that imply hospitals are basically doing a credit worthiness assessment.
>Under these heightened circumstances, you now have to wait to see if a company thinks you're a good customer for them.
>While Reede says this is likely not an issue for larger hospitals that have less financial pressure (although Kaiser Permanente uses this system), it's definitely appealing for smaller hospitals that will notice a hit to their finances if a patient defaults.
Besides, what plausible reasons do hospitals have for refusing care based on information from experian? Do you think hospital administrators despise people with under 800 credit score and want them to die of illness?
> Besides, what plausible reasons do hospitals have for refusing care based on information from experian? Do you think hospital administrators despise people with under 800 credit score and want them to die of illness?
Hospitals want to get paid for their work same as anyone else. But if occasionally someone has a low credit score not because they're an actual credit risk but because an ex-spouse lied about them, or because they published an article critical of Experian, then they're going to lose access to medical care all the same.
>But if occasionally someone has a low credit score not because they're an actual credit risk but because an ex-spouse lied about them
okay but I fail to see how that's "shady" behavior on the part of experian, any more than amazon is "shady" for allowing to post false/defamatory reviews.
>because they published an article critical of Experian, then they're going to lose access to medical care all the same
is this something that actually happened, or something theoretical?
> is this something that actually happened, or something theoretical?
It doesn't matter. Even the theoretical possibility is bad. If you're going to be denied medical care because of a score generated by a third-party you should be allowed to see the score, know how it is generated, and be allowed to fix errors.
What Experian is doing — controlling your ability to get a job, buy a house or even get medical care through their opaque and non-appealable scoring system — is worse than China's purported Social Credit System [1]. We look down on China's system, but our own system is just as bad if not worse.
>It doesn't matter. Even the theoretical possibility is bad.
So you're saying that we should get rid of reputation systems because they can theoretically be used to deny people services?
>If you're going to be denied medical care because of a score generated by a third-party you should be allowed to see the score, know how it is generated, and be allowed to fix errors.
You can already see your report and fix any errors. I'm not sure how "you should be allowed to see the score, know how it is generated" helps though. If your Experian Medical Score™ is 500, and all the details (eg. past medical bankruptcies are correct), what are you going to do? Argue that you merely warrant a score of 600? Or more realistically, since the scores map to a default probability, try to convince them that you merely have a 4% risk of default rather than 10%?
>What Experian is doing — controlling your ability to get a job, buy a house or even get medical care through their opaque and non-appealable scoring system — is worse than China's purported Social Credit System [1]. We look down on China's system, but our own system is just as bad if not worse.
The difference here is that the social credit system is used as a tool by the state to punish dissidents and other unwarranted behavior and participation is mandatory (ie. you don't get the choice between not serving a patron with a bad social credit score or not), whereas various credit rating agencies are providing information and businesses are choosing to make use of that information. The latter case is more acceptable because there's a legitimate interest by people/businesses that want to screen their counterparties (eg. employers who don't want flakey workers, and banks/hospitals who don't want deadbeat creditors).
> any more than amazon is "shady" for allowing to post false/defamatory reviews.
Amazon attaches identifiers to reviews, and you could ultimately file a defamation suit and subpoena their identity. With Experian you don't even know you're being defamed.
> is this something that actually happened, or something theoretical?
There's no way to know from the outside. Even if Experian hasn't done this yet, they've set up their system so that they have the capacity to do so.
Everyone above is talking about income verification for employment, but worth noting is that state governments also contact services like these when reviewing applications for public assistance as well.
I'm less worried about the investors than the management. I'm fairly certain that due to the hands off nature of most American's investment choices, there's likely a bit of Experian in every portfolio out there. The main concern is to clearly, unambiguously demonstrate that the operation of a business that creates a data liability for the public, and failing to secure the data or ensure it's accuracy, will not be tolerated.
Any management should be barred from management roles in similar ventures/verticals. The company assets should be liquidated, except for the data. That should be wiped. Their charter and documents of incorporation should be revoked.
Whether investors end up getting paid back out of liquidation is moot. I'm fairly sure the alleged value of the company was entirely tied up in it's data, which if wiped, just leaves their in house software/operational structure, which as previoudly established, should be considered toxic in and of itself due to not being fit for operating in a manner concommitant with the task at hand.
I feel for the employees, but there is a point where even you as an employee should be calling out management for not doing their job, and telling you to do yours poorly.
My patience with corporate actors has grown increasingly short at an astonishing rate.
We had a class action lawsuit before and what did it get:
1) hundreds of millions for corporate lawyers
2) almost nothing for everyone else
Without functional market dynamics (ie actual competition), the class actual lawsuit doesn't actually influence Experience etc to do anything because they will always own the market, so they can continue to fuck people forever.
>the class actual lawsuit doesn't actually influence Experience etc to do anything because they will always own the market
except as you admitted yourself, they had to pay "hundreds of millions for corporate lawyers." That seems at least somewhat of an incentive to step up security.
Yeah but "hundreds of millions" can buy a lot of cybersecurity consultants. The shoplifting loss from a single store probably doesn't make much of a dent in a S&P 500 retailer's profit either, but they still spend money on loss prevention because it saves money on net.
The Equifax class action lawsuit required you to fill out a form. Half a year later, they required you to fill out another form and then mail something in. If you forgot at any point, you'd not be entitled to your paltry settlement.
This is one company that should be sued until it's out of business. I hope this is a step in that direction.
The fact that after a major leak, there's little protection in place to protect people from using this information to hijack accounts is extreme negligence.
And then what? We're left with two other credit bureaus that aren't much better? Another company takes its place that isn't any better, or maybe is even worse?
That itself has issues. If you're in a minority/ostracized group inequality is made worse by the fact you can't secure a loan for a house/car. Also people who are generally more outgoing/social (ie. more likely to be chummy with the local loan officer) get better loans, which is also unfair.
Right! Just fill out this form with your ssn, current name, address, phone and email and we'll start your free credit monitoring. (Thanks for the free updates to our db, which we may license or sell to our partners)
These $400 class-actions are more and more common nowadays. I personally know two people, two different settlements with huge corporations, who got a paycheck to that tune.
You won't hear much about these because sharing the terms of the settlements usually break it. (Or so I'm told.)
At this point are class action suits even a reasonable way to penalize companies? Companies pay some small amount relative to profit so they can’t be sued by anyone in the class action again.
It’s would be way more effective to sue them individually as costs are not the same for the customer versus the company legal protection. Once a single case is won it’s a rinse and repeat, no? Then lawyers could take the job pro bono knowing it will likely pay out (and what arguments to use).
Sorry what's not the case? I made two assertions in the quoted bit:
- "small amount relative to profit"
- "can't be sued by anyone in the class action"
Most class action lawsuits levy penalties that are mostly inconsequential to companies in the long run -- in fact they just become part of the cost of doing business, and the market has realized this. There's never any danger, just a short term hit to already massive revenues, if that.
Class action lawsuits are opt in, so if you've opted in and go through with it, you can't sue the company separately right? If you opt-out (after opting in) or refuse to opt-in in the first place, then you're right where you started... Being aggrieved in some way and looking for compensation.
My point was that if you're looking for actual penalization of companies, class action lawsuits are basically fake justice that lawyers and businesses profit massively from.
Remember when companies started removing forced arbitration because too many people started arbitrating and costs went through the roof? That's what I'm suggesting we do (it'd be great if there was a way to avoid overburden the public courts though).
>My point was that if you're looking for actual penalization of companies, class action lawsuits are basically fake justice that lawyers and businesses profit massively from.
Okay but what's the issue with this "fake justice" that you're describing? It seems pretty obvious that you take issue with class actions and are not simply describing how they work. If you don't think the settlement is fair, you're free to not participate in the class action and possibly seek your own justice through your own lawsuit. Otherwise you get the settlement which is better than the $0 you would have otherwise gotten without the class action. If you're the righteous type who knows you wouldn't sue but don't want them to get the satisfaction of settling you can opt out.
It sounds great, but the article would be better if it explained how the Fair Credit Reporting Act results in standing for a consumer to sue Experian. Maybe this is similar to libel?
In a more reasonable world, the banks that rely on Experian would be suing Experian for facilitating fraud upon the bank.
> the banks that rely on Experian would be suing Experian for facilitating fraud upon the bank.
It's a racket, no doubt, but the banks won't be claiming fraud as long as there is sufficient value to them in the aggregate. An account hacked here or there is tolerable, but assessing and managing risk across the bank's entire customer base in aggregate is really the service that credit reporting agencies provide. And according to all the rich people who run the spreadsheets, it's paying off.
I am counting down to another 12 months of "free credit monitoring", a nominally paid service which in any other case would be labelled extortion: give us money or we will defame you by publishing false information. Information that we know is so likely to be false we offer a paid "service" to tell you when we're defaming you.
I’m surprised these credit agencies haven’t found a way to require forced arbitration as a terms of service of possessing any of your data or giving it to a lender
Because you don't ever sign an agreement with them. They just collect your data from all the other entities you do business with. Your bank, your landlord, your employer, your credit card company, etc.
Not that they haven’t tried! Equifax snuck an arbitration agreement in the free credit monitoring they offered in the wake of their hack. They removed it after (understandable) uproar.
For example, if your employer uses ADP for payroll processing, you consent to ADP selling your wage and income history simply by working for that company.
I can't imagine a job interview that would include, "Oh, by the way, if you take this job, we're going to let a multi-national megacorp know every penny you make, every two weeks, and sell that information for tracking, profiling, and advertising. Also, there's free coffee next to the men's room."
Why can't people opt-out? Aren't there privacy laws that allow people control of their data? For instance, so that they can request to have a copy of all the data a given corporation has on them and to have them delete it as well?
To delete all the data, you'd be effectively be opting out of being able to get loans, credit cards, rentals, and perhaps at least some jobs. This probably isn't practical for a lot of people.
Disclosure: I currently contribute in part at a fintech, thoughts and opinions are my own.
This is somewhat true, but because weight is given to credit reporting data that shouldn’t be. Past performance is not entirely indicative of future performance. Several large commercial banks are moving away from FICO because of this, and cashflow underwriting is normalizing (with you being underwritten based on actual fiat flowing through your deposit account versus credit payment history). This is also beneficial to folks with a “thin file”, or not a lot of credit history.
I'm OK with banks requesting access from a database controlled by a regulated public institution; not with a random corporation (like Experian) collecting data from people and selling it to banks.
GDPR excludes some financial data. So I don’t know about Experian, but I don’t think you can opt out of your bank holding data even after you close your account. For example, Transferwise asked me to provide a copy of my passport or driving license. I asked why they keep it for 10 years after they identify me, and they pointed out to some extensive regulation (which I believe trumps the GDPR).
Isn't this the equivalent of "fining the company equal to its market cap"? If the fine is equal or greater to how much it's worth, it's effectively a death penalty. Given that regulators are having trouble even fining companies for 1% of their market cap, this seems like a goal that can't realistically be achieved. You'd be better off lobbying for stronger enforcement of existing laws and/or higher fines.
No need to do that. Just liquidate the company, and give nothing to the investors. The threat of corporate death penalty and a 0% yield on your investment (not a good track record) will help CEOs think twice before they do something stupid on behalf of their investors.
They should never be allowed to own or invest any business again, in part of full, for the rest of their lives (including as an indirect beneficiary via family or friends). On top of a hefty personal monetary penalty... bring them back down to the level of us filthy peasants so they can reap what they sow.
This would help dissuade people from using companies as proxies to do evil things for profit without consequence. Since it puts you at high personal risk of burning your one lifetime chance at entrepreneurship.
Or maybe fix capitalism somehow i duno (yes this is hard).
If the company is shut down, then they lose any investment that they've made in the company. Most investors have little knowledge of the day to day operations of a company.
Roll back the game. Identify when the crime took place. Every transaction after that point is invalid. All profits made must be paid back. The corporation may resume its operations under new leadership after the rollback is complete.
If that's too hard then just wipe out the company. They're not humans, they don't have rights, they don't feel pain.
If we’re going down this rabbit hole, Exxon or Philip Morris or DuPont or Chiquita is probably way higher up the list than Boeing, as Boeing has only killed a thousand or so people via mismanagement (this is not counting their warplanes which kill deliberately).
Exxon knew definitively in 1977, in writing, that we were going to incinerate the planet.
