WASHINGTON — As the former chief executive of Equifax made the rounds on Capitol Hill last week, lawmakers grilled him over the data breach that exposed personal information of millions.
But many, including members of Vermont’s delegation, were left unsatisfied by the company’s answers and the country’s current laws concerning protection of customers’ data.
Addressing the Senate Judiciary Committee on Wednesday, former Equifax CEO Richard Smith apologized to the committee and the American public.
“There is no doubt that this criminal attack happened on my watch,” Smith said at his final testimony of the week before the committee. “I take full responsibility for letting that breach occur.”
The hearing was the third in two days as Smith made the rounds on Capitol Hill after the news last month of a data breach that, according to Equifax, exposed the personal information of 145.5 million people.
Speaking to lawmakers, Smith attributed the security breach to a combination of human error and technological error.
Equifax was aware of the vulnerability in the system that the hackers used, Smith confirmed. He said an employee failed to apply a software patch to a known vulnerability in March.
Officials estimate that the hack may have exposed the personal information of approximately 240,000 Vermonters — more than a third of the state’s population. The Vermont attorney general’s office is considering suing the company for violating a state statute that requires companies to notify the public of a breach within two weeks.
Lawmakers on both sides of the aisle grilled Smith over details of how the hack occurred, who was responsible, and what steps came next.
Sen. Patrick Leahy, D-Vt., a longtime member of the committee, told Smith the situation is “extremely troublesome.”
Leahy charged Equifax was more concerned with protecting its profits and employees than the public. He was one of many lawmakers to raise concerns over the sale of stock in the company by Equifax executives after the breach was discovered, but before it was public.
“Corporations I understand can profit immensely from our personal info, often without even our knowledge, but they should be obligated to keep it safe,” Leahy said.
He announced at the hearing that he will reintroduce the Consumer Privacy Protection Act, legislation he initially introduced in 2015.
“Before it didn’t advance, but I think it may now,” Leahy said.
The bill would standardize what personal information companies are obligated to protect, as well as require companies to inform consumers within 30 days if there’s been a breach.
“I think we all feel an individual consumer looks at a giant company like your former company, and they feel they’re powerless, even though they’re expected to give over all kinds of information about themselves,” Leahy said.
The Vermont senator questioned Smith about previous lobbying efforts by Equifax against consumer protection legislation and pressed him about whether the company would continue to take the same position.
“Is Equifax going to continue to fight consumers’ right to know?” Leahy asked.
Smith responded he was not aware of the company’s lobbying efforts on that issue.
Through the week, there was a bipartisan call for improving laws to protect customers from breaches.
Sen. Chuck Grassley, R-Iowa, said at the hearing that it’s “long past time” for national standards for data security notification.
“This breach should be a wake-up call to the new identity theft threat landscape that we now face,” he said.
While there have been major breaches in the past with companies such as Target or Neiman Marcus, he said, the personal information hackers were able to access from Equifax is very sensitive and will potentially affect the public long into the future.
“They can become you, and you won’t even know what happened before it’s too late,” Grassley said.
The previous day, Smith testified before the House Energy and Commerce Committee, of which Rep. Peter Welch, D-Vt., is a member.
“What Equifax did is something I haven’t seen anybody else be able to accomplish, and that is create a sense of bipartisan outrage,” Welch said in an interview after the hearing.
Smith began his testimony to the House panel with an apology for the breach as well, but Welch was not satisfied by the former CEO’s testimony.
“He went to charm school and had a sober demeanor, but bottom line, how did this happen — that question was not really answered,” Welch said.
Equifax, Welch said, has “apparently a very cavalier” attitude to safeguarding customers’ personal information.
“We don’t need an apology,” he said. “We need an explanation.”
Welch, too, has supported legislation to protect consumers from issues that compromise the security of their data, but it has not advanced so far, he said. Now, following the Equifax breach, there is a need to change federal laws to better protect personal information and to give people a course for relief when breaches do happen.
Mike Litt, a consumer advocate with U.S. Public Interest Research Group, went to all four hearings where Smith testified. He was disappointed Smith did not make more recommendations to the public for protecting themselves.
Litt said consumers should freeze their credit with all three major credit reporting agencies. Freezing one’s credit at all three agencies, rather than just at Equifax, decreases the likelihood a thief would be able to open fraudulent bank accounts.
“Having it just at one is basically just like locking your front door and leaving your garage and back doors open,” Litt said.
Litt said there are several steps lawmakers could take to better protect consumers from situations like the Equifax breach, including passing laws to streamline the process of getting a free credit report and making stricter laws for reporting on breaches.