But many, including members of Vermontโs delegation, were left unsatisfied by the companyโs answers and the countryโs current laws concerning protection of customersโ data.
Addressing the Senate Judiciary Committee on Wednesday, former Equifax CEO Richard Smith apologized to the committee and the American public.
โThere is no doubt that this criminal attack happened on my watch,โ Smith said at his final testimony of the week before the committee. โI take full responsibility for letting that breach occur.โ
The hearing was the third in two days as Smith made the rounds on Capitol Hill after the news last month of a data breach that, according to Equifax, exposed the personal information of 145.5 million people.
Speaking to lawmakers, Smith attributed the security breach to a combination of human error and technological error.
Officials estimate that the hack may have exposed the personal information of approximately 240,000 Vermonters โ more than a third of the stateโs population. The Vermont attorney generalโs office is considering suing the company for violating a state statute that requires companies to notify the public of a breach within two weeks.
Lawmakers on both sides of the aisle grilled Smith over details of how the hack occurred, who was responsible, and what steps came next.
Sen. Patrick Leahy, D-Vt., a longtime member of the committee, told Smith the situation is โextremely troublesome.โ
Leahy charged Equifax was more concerned with protecting its profits and employees than the public. He was one of many lawmakers to raise concerns over the sale of stock in the company by Equifax executives after the breach was discovered, but before it was public.
โCorporations I understand can profit immensely from our personal info, often without even our knowledge, but they should be obligated to keep it safe,โ Leahy said.
He announced at the hearing that he will reintroduce the Consumer Privacy Protection Act, legislation he initially introduced in 2015.
โBefore it didnโt advance, but I think it may now,โ Leahy said.
It would standardize what personal information companies are obligated to protect, as well as require companies to inform consumers within 30 days if thereโs been a breach.
โI think we all feel an individual consumer looks at a giant company like your former company, and they feel theyโre powerless, even though theyโre expected to give over all kinds of information about themselves,โ Leahy said.
The Vermont senator questioned Smith about previous lobbying efforts by Equifax against consumer protection legislation and pressed him about whether the company would continue to take the same position.
โIs Equifax going to continue to fight consumersโ right to know?โ Leahy asked.
Smith responded he was not aware of the companyโs lobbying efforts on that issue.
Through the week, there was a bipartisan call for improving laws to protect customers from breaches.
Sen. Chuck Grassley, R-Iowa, said at the hearing that itโs โlong past timeโ for national standards for data security notification.
โThis breach should be a wake-up call to the new identity theft threat landscape that we now face,โ he said.
While there have been major breaches in the past with companies such as Target or Neiman Marcus, he said, the personal information hackers were able to access from Equifax is very sensitive and will potentially affect the public long into the future.
โThey can become you, and you wonโt even know what happened before itโs too late,โ Grassley said.
The previous day, Smith testified before the House Energy and Commerce Committee, of which Rep. Peter Welch, D-Vt., is a member.
โWhat Equifax did is something I havenโt seen anybody else be able to accomplish, and that is create a sense of bipartisan outrage,โ Welch said in an interview after the hearing.
โHe went to charm school and had a sober demeanor, but bottom line, how did this happen โ that question was not really answered,โ Welch said.
Equifax, Welch said, has โapparently a very cavalierโ attitude to safeguarding customersโ personal information.
โWe donโt need an apology,โ he said. โWe need an explanation.โ
Welch, too, has supported legislation to protect consumers from issues that compromise the security of their data, but it has not advanced so far, he said. Now, following the Equifax breach, there is a need to change federal laws to better protect personal information and to give people a course for relief when breaches do happen.
Mike Litt, a consumer advocate with U.S. Public Interest Research Group, went to all four hearings where Smith testified. He was disappointed Smith did not make more recommendations to the public for protecting themselves.
Litt said consumers should freeze their credit with all three major credit reporting agencies. Freezing oneโs credit at all three agencies, rather than just at Equifax, decreases the likelihood a thief would be able to open fraudulent bank accounts.
โHaving it just at one is basically just like locking your front door and leaving your garage and back doors open,โ Litt said.
Litt said there are several steps lawmakers could take to better protect consumers from situations like the Equifax breach, including passing laws to streamline the process of getting a free credit report and making stricter laws for reporting on breaches.
