At Equifax Hearings, Senators Complain of Deja Vu
It’s ‘long past time’ Congress set standards for data security, Grassley says
Senate Judiciary Committee members voiced exasperation about holding another hearing on whether consumers’ personal information is secure as Richard Smith, the former CEO of Equifax, made his third congressional appearance in two days to explain a security breach that allowed hackers to gain access to personal data — names, Social Security numbers, birth dates, addresses and some driver’s license information — on more than 145 million consumers.
Judiciary Chairman Charles E. Grassley of Iowa said Wednesday that it is “long past time” that Congress set standards for data security, adding that he was “committed to getting a good bill … over the finish line.”
“We’re trying to figure out how it happened, once again,” said Sen. Jeff Flake, chairman of the Privacy, Technology and Law Subcommittee. The panel held a similar hearing in November 2015 on the handling of consumer information after data breaches at Target, Home Depot and Anthem.
Equifax is one of three big credit reporting companies. It disclosed the breach on Sept. 7, more than a month after the company first learned of it in July.
Flake said the company failed months earlier to patch a web application, known as Apache Struts, even though it had been warned by the Department of Homeland Security that the software was vulnerable.
He described the credit-reporting industry as one that doesn’t prioritize consumer protection and has “very little incentive” to gain consumer trust. Equifax mainly sells consumer data, and only 10 percent of its revenue “is customer facing,” Flake said. “Frankly there’s just too little priority given to protecting consumer information when you don’t face the consumer that much.”
Ranking member Al Franken reminded Flake that at the 2015 hearing on data breaches “we also talked about the worst-case scenario. Well, unfortunately, we all know that we’re here today again because that worst case scenario is our new reality.”
In testimony to the Senate Banking Committee earlier Wednesday, Smith said the company would soon be offering consumers the option that many members of Congress have been clamoring for: the ability to opt out of the credit reporting system.
Smith, who remains an Equifax consultant, said the new online product will be available Jan. 31, giving consumers the power to “lock and unlock their credit files whenever they want, for free, and for life.”
Senate Banking members focused their wrath on the company’s long delay in announcing the breach and stock sales by Equifax executives before that disclosure. Lawmakers also said the company is profiting from the breach.
What next?
Smith will testify Thursday before the House Financial Services Committee. He appeared Tuesday before the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee.
The Equifax product to help consumers lock and unlock credit files will be available for smartphones and other computers and allow the consumer to tell Equifax who it can and can’t share information with in response to a credit inquiry, Smith said.
“I would encourage our two other competitors” to offer the same service, he said of credit reporting companies TransUnion and Experian.
Democrats have introduced bills in both chambers to require free credit freeze services, quicker notification of breaches and higher standards of data protection, but Republicans have largely taken a fact-finding approach to the hearings with Smith.
Senate Banking Chairman Michael D. Crapo said he expected discussions in his committee both on private data breaches and the vulnerability of government data.
“I think the interest that you saw on a bipartisan basis here will generate further discussion, and I would expect that legislation would be generated from that,” he said after the hearing.
Sen. Thom Tillis said that a broader look into cybersecurity and how firms in the same industry might share security information without running afoul of anti-trust laws was needed.
“Equifax needs to be held accountable,” he said. “We need to be held accountable . . . we have a role to play.”
Otherwise, Tillis said, “It’ll be the CEO of the week or the breach of the week.”
Lucrative stock sales
Smith’s testimony that Equifax had informed the FBI Aug. 2 that there had been “suspicious activity” on its site drew questions from several senators. The company’s counsel had approved proposed stock sales by three executives amounting to $1.8 million around the same time.
Three high-level employees — Chief Financial Officer John Gamble; Rodolfo Ploder, who is president of Workforce Solutions, one of Equifax’s four business units; and Joseph Loughran, president of U.S. Information Solutions, one of the other major business units — sold shares on Aug. 1 and Aug. 2.
By selling when they did, the three executives avoided the 36 percent stock drop Equifax suffered shortly after announcing the massive breach Sept. 7, a loss that would have amounted to $650,000, Sen. Tim Scott said.
Smith’s testimony “is that the three luckiest investors who sold their stock did so without any knowledge that that suspicious activity may be bigger and more powerful than in the history of the company,” Scott said. “I find that hard to believe.”
Smith said executives are encouraged to make stock sales shortly after the company announces financial results. Equifax announced its second quarter earnings July 26. Sales on Aug. 1 and Aug. 2 would be “normal behavior,” he said.
Sen. Elizabeth Warren estimated that of the 7.5 million people who had signed up for a year of free credit monitoring through Equifax, 1 million of them might subsequently sign up for ongoing credit monitoring at $17 a month. She also pointed out that a company that sells Equifax credit monitoring under its own name has reported a ten-fold increase in sales. Equifax also sells its services to businesses and government.
“You’ve got three different ways Equifax is making money, millions of dollars, off its own screw-ups,” Warren said. “The incentives in this industry are completely out of whack.”
Sen. Ben Sasse agreed. “It feels like a broken windows business model. Your company allowed bricks to be thrown through windows” and is now selling windows, he said.