Hacker News new | ask | show | jobs
by ARothfusz 2843 days ago
The correct response should have been for credit card holders to sue their credit card companies. We have a relationship with the card companies, and they chose to share data with a third party, so the credit card companies are responsible. This class action suit did not happen as far as I know. Why not?

If we're so outraged and thus there's a market for it, why didn't banks start offering their own credit cards with guarantees not to share your data with any third parties?

Also, why should it be risky for someone to know your name, address, and social security number? Yes, I agree it is risky, but it shouldn't be. Those things are not me. They're not even secrets. Knowing those things should not give you superpowers.
5 comments
maxsilver 2843 days ago
> The correct response should have been for credit card holders to sue their credit card companies

Why? Why should it be the victims job to find and prosecute criminals?

Should victims also be responsible for breaking up monopolies? Or cleaning up oil spills? Or to keep hospital patient records private? How much time and money should victims be required to invest in lawsuits, to bring justice against illegal mistakes made by entities with thousands of people and million/billions of dollars?

Wouldn't it be better if we had government agencies draft and strictly enforce regulations to prevent this. Like say, an EPA for environment, or HIPAA for healthcare, or GDPR for consumer/business data?

link
wpietri 2843 days ago
Whether it would be better is a really interesting question.

For this specific case, I think energetically enforced regulation would be clearly better. But in general, I'm not so sure. The American system of "let people do what they want; if there's harm, they can sue" allows a lot more room for innovation than a system of up-front regulation.

I think the difference for me lies in the extent to which an issue is a) in a stable context, b) causes significant harm, and c) is unlikely to be fixed through market mechanisms or self regulation.

Here, since consumer privacy is basically an externality to these companies and the market is an oligopoly, I think stronger regulation is a pretty good bet. But in general I think private right of action is underappreciated. Especially class action suits, which aren't burdensome for most plaintiffs.

link
Aeolun 2842 days ago
I think the problem with that strategy is that harm is generally done on a large scale until someone prevents it from continuing.
link
wpietri 2842 days ago
Well, generally it isn't. Most businesses go along doing good things for their customers and getting paid in return. Really, given the way that the Internet has changed everything, we've had surprisingly few major problems.

As a tiny example, look at phone calls. They used to be absurdly expensive. In college I remember having phone bills costing ~30 hours of (minimum-wage) labor. Now it would be hard to explain to an 18-year-old what a long-distance call even was. These days I have effectively unlimited calling from anywhere to anywhere via a handheld device that costs ~7 hours of (minimum-wage) labor/month, and I see lower-cost vendors that provide it for ~4 hours/month.

If we had taken a regulation-first approach, where each new service had to get regulatory approval, I could imagine us still being stuck in the old paradigm, where each phone call had to go through a monopoly operator, and things like Skype were illegal. Or maybe we'd be part-way along the curve, but with incumbents pushing to increase regulatory burden and hobble startups.

So I agree the problem with a default-permit model is that you have more problems to fix, and some can be big. But the problem with a default-deny model is that you miss out a lot of gains. And those, being hypothetical, are easy to underweight against the benefits of the status quo.

link
johannes1234321 2843 days ago
> Wouldn't it be better if we had government agencies draft and strictly enforce regulations to prevent this. Like say, an EPA for environment, or HIPAA for healthcare, or GDPR for consumer/business data?

Yes! Since the state enforcing this creates a legal threat. If the individual has to prosecute there is a good chance that nobody comes after them, making it viable from the companies position to be a bit too relaxed. If the state strictly goes after it the risk calculation is different.

link
cityzen 2842 days ago
Yes, it would, but our government agencies and officials are paid by Equifax to NOT draft and strictly enforce regulations to prevent this.
link
twblalock 2843 days ago
> We have a relationship with the card companies, and they chose to share data with a third party, so the credit card companies are responsible.

When people sign up for credit cards they agree to the terms and conditions, and sharing data with credit scoring agencies is one of them.

Equifax is the one to sue -- they are the ones who let the data become public.

And frankly there are a good reasons we have credit scoring agencies. Getting rid of them would make it more difficult for creditworthy people to prove they are creditworthy in order to obtain credit. If there were not credit scoring agencies, lenders would need to rely on methods of determining creditworthiness that are more invasive of privacy than credit histories. Getting a credit card would be like getting a mortgage, and lenders would demand bank statements, pay stubs, proof of past payments, etc.

link
bob_roboto 2841 days ago
That's simply not true. Many European countries have privacy laws that render credit scoring agencies effectively useless. And yet it's not at all hard to get a credit card.
link
Aeolun 2842 days ago
I think those ‘invasive’ methods of determining credit worthiness are a lot more accurate and safe. Mainly to protect people against themselves.
link
mixmastamyk 2841 days ago
And the burden would fall on those who use credit, not on those who largely don't.
link
iamdave 2843 days ago
That class action suit did not happen as far as I know

Yes it did. The complaint can be found below.

https://images.law.com/contrib/content/uploads/documents/398...

link
ianai 2842 days ago
Any idea whether it’s going anywhere?
link
p49k 2843 days ago
The correct response should have been for credit card holders to sue their credit card companies.

Which we won't be able to do at all in a few years thanks to the ubiquitousness of forced arbitration clauses?

link
dd36 2842 days ago
Every credit card has a forced arbitration agreement that prohibits class actions.
link
jameskegel 2842 days ago
Forced arbitration needs to go, as a concept. I can’t imagine any situations where it makes sense.
link
r00fus 2842 days ago
Didn't this USSC recently rule that forced arbitration was ok?
link
dd36 2842 days ago
Agreed.
link