Why Equifax Happened

As Zeynep Tufekci observes, it’s pretty simple: it’s more cost-effective for corporations to lobby the government to invest in security:

I don’t know about you, but I’ve lost count of the number of times in recent years that I’ve been informed by a corporation of such a breach. “We regret to inform you ….” I don’t doubt that companies regret these things, but I don’t think they care that much either. To them it means just a few days of bad press and at most a fine that amounts to a minuscule portion of their profits. With penalties like that, why would companies bother to make things better?

There are technical factors that explain why cybersecurity is so weak, but the underlying reason is political, and it’s pretty simple: Big corporations have poured large amounts of money into our political system, helping to create a regulatory environment in which consumers shoulder more and more of the risk, and companies less and less.

This is a general feature of our lopsided world, but software businesses (and the technology sides of other companies) have acquired perhaps the greatest degree of impunity. Information technology arrived on the scene only recently, so it has faced fewer of the kinds of regulations that consumers and citizens, in more progressive eras, managed to impose on other industries.

By all rights, given that it can’t do its only job Equifax should be going the way of Arthur Andersen, but we don’t do that anymore.