Bring Back the Guillotine: Thoughts on the Nelnet Breach

No news is good news when it comes to correspondence from student loan servicers. They never mailed me to announce pandemic forbearance. I have received no letter explaining the upcoming loan forgiveness program. But I did receive one regarding the Nelnet breach that has my personal info floating out there somewhere. “It's not as bad as it could have been,” the letter reads, “your financial information wasn't compromised!”

And of course, as always happens after these major breaches, the letter includes an offer for 24 months of complimentary identity monitoring.

To be honest, it was this last part that really got under my skin. I'm nowhere near as pissed at the thieves as I am at Nelnet. For one thing, unless they're completely incompetent, the thieves should know better than to use or sell this data right now. Since most of the stolen information won't change during those two years, it will generally retain its value over that time. Second, these monitoring offers typically come with a waiver of legal liability. Coupled with the previous point, this provision hands those companies solid protection for zero cost.

Most egregious, however, is the implication that these companies are going above and beyond by offering limited credit monitoring. Again and again they fail to keep our data secure—data that we didn't voluntarily give them!—and we're supposed to accept their limp offer as high generosity. Monitoring should be considered the bare minimum from credit bureaus, not extra. Imagine how ridiculous it would be for your bank to charge you a subscription fee to notify you if your money was stolen. That's a strained analogy, of course; you've willingly handed your money to the bank. But it still highlights the absurdity of consumer credit reporting.

You may have taken issue with my characterization of the stolen information as involuntarily given. After all, I did choose to accept the loan. Does that not amount to a voluntary transaction? No, it doesn't. While I may have chosen to accept the loan, I had no say in the key details. I did not select my first loan servicer, nor did I agree to have the current servicer take over my loan. I certainly didn't authorize Nelnet to handle my personal information—or for that matter Equifax, Experian, or TransUnion. Given the ways our lives can be impacted—financially, occupationally, and so on—by opaque credit scores, we should demand more than empty apologies from these careless stewards of our data.