Date: 2017-10-30

The disastrous Equifax breach that exposed over 145 million Americans’ personal information provides two important lessons for credit bureaus that hold large amounts of our personal information: avoid big databases where possible and give consumers more control over their personal information.

By and large, big credit bureau databases are no longer necessary. For decades, aggregating files on hundreds of millions of Americans into massive databases was the most efficient way for the big three credit bureaus to maintain our sensitive financial information. As banks, credit card companies and mortgage lenders reported new consumer financial activity to the bureaus, the size of these databases ballooned. According to the Consumer Financial Protection Bureau, each month furnishers provide information on over 1.3 billion accounts to credit bureaus, with the top 100 furnishers providing 76 percent of the updates. Yet, it has long been clear that collecting so much sensitive information in centralized locations would create attractive targets for cyber thieves. Despite this obvious risk, Equifax failed to take adequate measures to protect the information.

In a high-speed, networked 21st century world, we should be asking ourselves why we are still maintaining huge databases when the risks are so clear. It would be far better to decentralize personal information, keeping it in the hands of firms that use it on a regular basis to run their business, such as banks and credit card companies. To fulfill a request for someone’s credit report, a credit bureau could poll a network of financial institutions for that consumer’s credit history and compile it into a report, eliminating the need for the bureau to maintain its own database.

Almost exactly two decades ago, I testified before the House Banking Committee on behalf of the Federal Trade Commission that large databases would likely become obsolete. “Credit bureaus exist really because of the efficiency of sharing large amounts of data in one place,” I said. “With networked computers and the Internet, it is not clear that that is really going to be the way companies communicate in the future. They may communicate directly with each other and create electronic profiles through the network, essentially, and avoid the large databases.”

The “future” is here, but credit bureaus are still maintaining antiquated databases of sensitive personal information. As Equifax has proven, these databases are vulnerable to hacking and are now causing millions of Americans to suffer the uncertainty of whether they will become victims of identity theft and fraud.

The second lesson has to do with giving consumers more control over their data. Potential Equifax victims have been encouraged to freeze their credit files. Freezing prevents files from being accessed when a criminal attempts to obtain credit in a victim’s name. Unless the freeze is lifted using a secret PIN, creditors will be unable to access the credit report. Believe it or not, you may even have to pay the credit bureaus to freeze your file so they don’t give out your information without your consent. It’s time to put consumers in charge of who can access each item of their information.

India provides a lesson about how this can be done. The “India Stack” is a collection of tools that collectively are being used to bring more Indians into the financial system. A key component is the “digital locker,” which allows people to keep their records, such as birth certificates, driver’s licenses and bank statements, in a secure environment. Individuals can authorize access to their information using a biometric national identifier (a 12-digit number linked to their fingerprints and iris scans) when applying for a loan or opening a bank account, giving the lender electronic access to documents needed to consider their credit application. Access can be authorized at a granular level, permitting a lender to see pertinent documents in the locker, including bank statements and utility bills, but not others, such as medical records.

Financial institutions and other firms in the United States could report transaction information not to credit bureaus but to individuals’ digital lockers. These documents could be digitally signed by the reporting firms to ensure their legitimacy. This approach would address many of the concerns highlighted by the Equifax breach. First, while the possibility of a breach can never be completely eliminated, measures such as encrypting transmissions to the locker and meeting international data center security practices would make people’s data more secure. Second, instead of having to freeze access to their credit history, consumers’ information would only be released with their express consent. Third, digital lockers would give consumers the opportunity to review their credit history anytime at no cost and dispute it with furnishers so that more accurate, timely information would be available when they apply for credit.

Now is the time to start using network technology and digital lockers to better protect consumers’ privacy.