Protections for US Citizen's Identity (PII) - #equifax

Shouldn't we, as citizens, have better ownership of and rights to our Personal Identity Information (PII)? At the very least, can we establish an expectation of easy access, control, and accountability with those who collect and use this information? If mishandled, it can destroy lives and have decades of impact, yet increasingly it seems the precedent is being set that a breach like Equifax's can be resolved with credit monitoring for a year.
The Equifax problem highlights a gaping hole we have in the USA around PII protection. The free market will not fix this situation because the people the data is collected on are unwilling customers (even more so for the credit reporting agencies). We have no choice to opt out, let alone easily manage our data. Those who buy the credit scores (lenders) treat the simple presence of identity information as authorization and authentication, and they don't care because they are not affected when there is a data breach. If there is identity fraud, the burden of proof is backwards: the victim has to prove they didn't commit the crime!
Regulation can be dangerous, but this seems to be a situation where it is called for: a citizen's liberty is being trampled, and the Equifax breach will trample on people's liberty for decades to come. Yet they are offering a pittance of one year's credit monitoring, as if this will help with a lifetime of damage. Perhaps the EU's GDPR takes things a bit too far for the USA, but it can be used as a reference point, and we need something in our citizens' rights covering their own identity in this modern world.
Some identity information is already protected at the state and some federal levels, but we need to take it further, including acceptable recourse when there is a breach of key identity information.
Options to consider:
- Fixing the missing link: authentication.
- Companies using our PII data should be culpable for mishandling this data, including strong penalties along the lines of GDPR. If negligence is found, it should be possible to pierce the corporate umbrella and target individuals at the executive level as well with criminal charges. Corporations need to take this seriously.
- Classification of our PII data (Name, Phone, Address, SSN, DL#, and other bank/credit account information) that comes with requirements for people collecting and handling it, giving us rights to our own identity.
- It has to be easy for identity owners (each of us) to correct misinformation, as easy as it was for the entity to collect it in the first place. This would be used for cleaning up identity fraud.
- It should be free and easy for us to lock our credit information and restrict it from being used without our consent. Currently, this can be done, but a fee is charged. Why are we charged to control our own information?
- Companies using PII data should have to make a report easily available, without fee, to the individuals whose data they have, showing what they are reporting and who they reported it to (this can be done online).
- Change finance identification law so that the victim is presumed innocent until proven guilty (such as in the case of identity theft). The lender who fails to perform acceptable due diligence loses; the mere presence of PII, which is what is accepted now, is not sufficient. This would be a powerful motivation for the finance industry to adopt new techniques that minimize their risk, and it would help reduce the impact of data loss in a PII breach. Right now lenders accept the presence of identity as authentication, and this is wrong.