
You Can’t Fire Equifax, but Your Employer Can - tysone
https://www.nytimes.com/2018/01/26/your-money/equifax-breach.html
======
petilon
Here's an example of a report sold by The Work Number:
[https://www.theworknumber.com/samples/The-Work-Number-Employ...](https://www.theworknumber.com/samples/The-Work-Number-Employment-Data-Report-EFX-WS-0205-11-21-14.pdf)

Notice that one of the items they disclose about you is Workers' Comp. If you
are injured at work you can get treatment for your injury through Workers'
Compensation and this is usually much more generous than your regular health
insurance: there are no co-pays or deductibles, for example. But be careful -
when you interview for a new job, The Work Number may disclose this info to
your prospective employer and they may consider this a red flag.

This happened to me. When I interviewed at a large software company the
recruiter mentioned something about my using Workers Comp. Fortunately I had
only used it a little and that was many years ago. She also thanked me for my
honesty regarding my salary at my previous job. I found that appalling. Me
voluntarily disclosing my salary is one thing, but some data purveyor selling
my salary info to a prospective employer is a violation of my privacy, and it
may depress the salary offered by the new employer. Unfortunately there are no
laws preventing employers from disclosing your salary to such companies, and
they often do.

~~~
srtjstjsj
> Me voluntarily disclosing my salary is one thing, but some data purveyor
> selling my salary info to a prospective employer is a violation of my
> privacy,

You consented to this disclosure during your application, or else Equifax
violated its contracts.

~~~
philipov
Coerced consent isn't consent. A drunk person can't consent, and neither can
someone who is presented with an impenetrable contract without a lawyer
present.

~~~
colejohnson66
Except you’re not drunk when signing the papers at the beginning of the job...
So I fail to see the parallel.

~~~
lotsofpulp
Then consider not being able to get a job with a stable employer and pay off
your loans. Being pedantic about whether or not you're forced is not
constructive, when there obviously exists a power imbalance that is causing a
massive rift in society.

------
sxates
I'd really like there to be a law that allows you to opt-out of credit
reporting agencies. This would work similarly to the do-not-call list - I give
them my social and they are instructed to disregard any data they receive
that's associated with that number, and will destroy whatever information they
currently have about it.

Doing this potentially locks you out of getting credit, but if you can do it
on a per-agency basis, then it's a good way for individuals to punish bad
actors like Equifax. If even 10% of Americans opted out after the breach,
their business would be over, the remaining agencies would have proper
motivation to improve their security standards, and it would open a gap in the
market that a better run startup could move into.

~~~
mtremsal
I'm thinking EU residents/citizens should be able to do so under the GDPR. The
main concern is that the request would cascade to their 3rd parties (as data
processors) and it might be difficult to anticipate the total reach of the
request.

~~~
adamnemecek
EU doesn't have Equifax.

~~~
dreamfactored
Applies to any EU citizen data anywhere.

~~~
kingnothing
Applies to EU citizen data for companies that operate in the EU. You can't
enforce laws against a company outside of your realm of jurisdiction.

~~~
aussie1233
GDPR has what is called extra-territorial applicability.

~~~
laingc
If it’s outside their jurisdiction, they can claim whatever applicability they
like: the law is simply not enforceable outside that jurisdiction.

~~~
dragonwriter
The law can be enforced against people who are, or have assets, within the
jurisdiction, whether or not the alleged violation occurred there.

~~~
nraynaud
You can also have some very weird legal definition of a nexus, like this bank
that allegedly opened a nexus in the US because they used US dollars for a
transaction between two non-US countries.

And there is also the case that the US army just lands in your country and
arrests anyone they could not kill.

~~~
dragonwriter
> And there is also the case that the US army just lands in your country and
> arrests anyone they could not kill.

Unlikely; it's a lot easier to kill people than arrest them, especially if you
are the US army, which is optimized for the former over the latter.

------
rdtsc
Good to see. This is a great development; hopefully others follow suit. It was
telling in how Equifax announced their breach -- they stressed that "no
customer information was impacted" very strongly, right at the top:

[https://investor.equifax.com/news-and-events/news/2017/09-07...](https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628)

Most of the US population got exposed but hey our customers are safe, so no big
deal. We'll just give everyone credit monitoring and they'll shut up.

The thing is looking back, Equifax wasn't really that impacted. Their stock is
back to where it was last January. They'll have some lawsuits but it doesn't
seem like they'll be going out of business like everyone expected (hoped
even). The other terrible thing there is that it was a lesson for others in
the industry. They are watching and learning, if Equifax didn't suffer that
much why bother enhancing their security posture. Why spend money if even with
such a huge breach the consequences are not that bad.

People are always surprised how banks or other institutions have terrible
security practices, this is why.

~~~
maxxxxx
Yeah, it's surprising how little impact this had on Equifax so far.

~~~
FireBeyond
I wish I could say I agreed with you.

In truth, it’s eminently unsurprising to me how little impact there has been.

Any time we see one of these “should be devastating” data breaches,
people/politicians shake their fist for about a week, but there’s little
consequence. Sure, sometimes a company might be fined _five per cent_ of the
_profit_ they made from the behavior that led to the breach. Not sure that’s
so much a slap on the wrist as a “tsk, tsk”.

~~~
maxxxxx
That was a really big one at a company that has a lot of valuable start on
almost every citizen. I can't think of many worse possible breaches. Maybe the
IRS or Visa?

~~~
toomuchtodo
OPM.

[https://www.opm.gov/cybersecurity/cybersecurity-incidents/](https://www.opm.gov/cybersecurity/cybersecurity-incidents/)

------
tedivm
I would _never_ work for a company that used this service.

> Lots of employers use it. Equifax claims that more than 5,500 have signed
> up, including over 75 percent of Fortune 500 companies and many federal
> agencies. The service works by setting up a sort of central line to your
> employer’s payroll operation, uploading your paycheck information each
> period. It also records your job title and tenure.

~~~
fra
Are you sure yours does not? Most large tech firms use Equifax for The Work
Number.

~~~
abecedarius
How does this work? Does the employer have a clause in your contract, plus a
deal with this company to feed them this data, in exchange for what? It wasn't
clear to me from poking around their website. Does it buy the employer the
ability to query this database about their new candidates?

I don't remember anything like this when last I worked fulltime for a bigco,
in 2007.

~~~
rdtsc
> in exchange for what?

Guessing here but it could be in exchange for letting them use the data as
well. By feeding data back into it, they might get some benefit like a
discount for example.

People join and leave companies regularly and having access to the system
allows them to low-ball people in salary negotiations thus saving them a
considerable chunk of money.

Wonder how legal that is. It's obviously not completely illegal but it seems
like it would be a gray area. Should the company be allowed to share a
worker's salary information? Does that belong to the worker or the company? If
it belongs to the worker the company could still just claim if you work here
on page 95 of your contract you agreed to let us share this and it looks like
you signed and agreed, so tough luck.

You can almost see some executive there realizing "Hey, I read in <whatever
business journal> people are getting pretty good jumps in salaries just by
moving jobs. Regular workers shouldn't be able to do those kinda things. It
seems if we invent this new product we could fuck people over and make a good
chunk of money for ourselves" (followed by maniacal evil laughter).

------
rectang
Voluntary forbearance is not a solution. Most companies are not The New York
Times, and Equifax is providing powerful data for management to wield in
relations with their workforce. Unless it becomes illegal (as it has in
California), there will always be many, many companies who will not willingly
give up such an advantage in information asymmetry.

~~~
FireBeyond
Exactly. We are not their customers. Employers and lenders are, no more, no
less, simple as that.

Even “fraud protection” / “credit monitoring”, ostensibly the closest we come
to being customers, is in many senses “protect you from our customers and our
fuckups” (forgive the language).

------
s73ver_
I've said this in every thread about these scummy companies, but it is
entirely unconscionable that not only are we not allowed to constantly look at
and correct the data about us that they have, we are forced to pay for it if
we want to do it more than once a year. For them to profit off of us like that
is completely and utterly immoral, especially when they clearly do not give a
crap about keeping that sensitive data about us secure.

------
neil_s
This looks like a service we could recreate, and sell to employers who don't
want to be responsible for handing over their employees' data to a firm that
risks creating embarrassing PR for them. There are obviously network
advantages, but you could bootstrap it if you got even a single employer on
board. Is there some other complexity I'm missing?

~~~
cornholio
There are massive network effects, employers only sign up to learn information
from other companies, and give up their own information as a condition for the
former.

It's a business that bootstraps when you have an existing customer base of
related services, dealing with employee and payroll management, credit ratings
etc. and mine your existing data for a prototype product good enough until the
network effects kick in.

Maybe you could make it bootstrap by making it very cheap or free, so that,
even if employers don't usually get anything from you, they still remain
enrolled for the rare instance when you deliver something that others lack, so
that you can build up your database in time. But then highly secure, easy to
use and long term come at odds with free.

------
TrainedMonkey
Interesting question of what happens to the trove of data they have if Equifax
does go out of business. Sensible alternatives are either regulators will have
to step in or they are in the too-big-to-fail boat. Less sensible would be to do
nothing and hope data does not end up in bad hands.

~~~
maxxxxx
Somebody will buy the data. Equifax won't just disappear one day.

~~~
jessaustin
Actually it seems possible. The demand for their service won't disappear, but
with their unpopularity and poor security practices someone who can might just
decide to burn them to the ground. Their only assets are data. I'm sure they
have offline backups, but a patient enough attack would bork the backups too.
They'd probably try to continue doing business, because YOLO, but eventually
enough erstwhile 850s would get their Audi leases rejected that the lawsuits
would really pile up. About that time some pissed-off employees would start
talking to reporters, and that would end the whole thing.

------
Molaxx
What about the crazy idea of nationalizing this? If it's a cartel and very
hard to open to competition, and reap the benefits of centralization and not
only the disadvantages.

