Compliance Week: Hearings, investigations lie ahead for post-breach Equifax

September 15, 2017

Don't expect the furor to die down soon regarding the massive data breach that hit consumer credit rating firm Equifax and potentially exposed the personal information of 143 million customers.

At the behest of Republicans serving on the House Energy and Commerce Committee, Equifax CEO Richard Smith was invited (or, better put, formally requested) to testify on Oct. 3.

Smith's presence was requested in a letter co-signed by Chairman Greg Walden (R-Ore.) and Digital Commerce and Consumer Protection Subcommittee Chairman Bob Latta (R-Ohio).

"We look forward to hearing directly from Mr. Smith on this unprecedented breach that has raised serious questions about the security of consumers' personal information," they wrote. "We know members on both sides of the aisle appreciate Mr. Smith's willingness to come before the committee and explain how our constituents might be impacted and what steps are being taken to rectify this situation."

The Energy and Commerce Committee has jurisdiction over the Federal Trade Commission and Consumer Financial Protection Bureau, the agencies responsible for regulating data security. The former agency has announced, with scant details, that it has opened an investigation into Equifax.

In recent years, the FTC has positioned itself as a go-to regulator for data breaches, especially if customer assurances of effective security were false, misleading, or unreasonable.

To bring clarity to the "reasonable" dilemma, the FTC boiled down 50 of its cyber-security enforcement actions into a slim guide for businesses, "Start with Security." Among the crucial steps outlined in the 2015 report: control access to data security; segment your network and monitor who's trying to get in and out; secure remote access; apply sound security practices when developing new products; make sure service providers implement reasonable security measures (there's that word again!); and secure paper, physical media, and devices. A theme: assessing a company's cyber-preparedness through the lens of reasonableness doesn't have to be an overly technical exercise.

Other activity in Washington includes a hearing before the House Financial Services Committee, as announced by Chairman Jeb Hensarling (R-Texas).

"This is obviously a very serious and very troubling situation and our committee has already begun preparations for a hearing. Large-scale security breaches are becoming all too common. Every breach leaves consumers exposed and vulnerable to identity theft, fraud and a host of other crimes, and they deserve answers," he said. A date for the hearing is not yet set.

Congressman Ted W. Lieu (D-Calif.) is also seeking a hearing on the matter at the House Judiciary Committee.

"According to reports, hackers penetrated a Web-based application for Equifax and subsequently obtained credit card numbers for 209,000 consumers and credit dispute documents for 182,000 users. It appears that Social Security numbers, birthdates, and home addresses may have been compromised as well," he wrote in a letter to Committee leadership. "In light of recent events, I request the Committee call upon representatives from the ‘Big Three’ credit reporting agencies [Experian, TransUnion, and Equifax] to testify not only on the breach that occurred in May 2017, but also to identify how each company is taking proactive, defensive steps to prevent such breaches in the future. Congress has a strong role to play in preventing such attacks on our financial and IT infrastructure, and must hold those entrusted with our most sensitive data to account."

As a reaction to the Equifax data breach, Senators Edward J. Markey (D-Mass.), Richard Blumenthal (D-Conn.), Sheldon Whitehouse (D-R.I.), and Al Franken (D-Minn.) have introduced legislation to require accountability and transparency for data brokers who are collecting and selling personal and sensitive information about consumers.

The Data Broker Accountability and Transparency Act allows consumers to access and correct their information to help ensure maximum accuracy. The legislation would also provide consumers with the right to stop data brokers from using, sharing, or selling their personal information for marketing purposes.

The proposed bill additionally requires data brokers to develop comprehensive privacy and data security programs and to provide reasonable notice in the case of breaches.

The legislation empowers the FTC to enforce the law and promulgate rules within one year, including rules necessary to establish a centralized website for consumers to view a list of covered data brokers and information regarding consumer rights.

"Equifax's business extends far beyond its role as one of the big three credit reporting agencies. Equifax also serves as a data broker, selling data profiles on consumers to various industries," the Senators point out in a statement.

"As we have recently witnessed with the Equifax breach, data brokers can play fast and loose with Americans' most sensitive personal information," Markey said. "The era of data keepers has given way to an era of data reapers. We need to shed light on this ‘shadow’ industry of surreptitious data collection that has amassed covert dossiers on hundreds of millions of Americans."

"Third party data brokers profiting off the sale of personal consumer information is a shameless violation of the privacy and security of millions of Americans," Blumenthal said. "In the face of ubiquitous online security threats, more pertinent than ever following the Equifax data breach, Congress must act to put the power back in the hands of consumers… The American people have a right to know if their personal data has been exploited or contains errors."

"This urgently needed bill will help protect consumers from the massive data gathering tactics of companies such as Equifax," said Jeff Chester, executive director of the Center for Digital Democracy, in a statement. "Americans need to know what information is being compiled and used about them and their families, including what they do online. Instead of operating as a stealth data broker that mines our information 24/7, they will now be held more accountable for what they do."

The bill "would give us the right to control who uses our personal information and for what purpose," added John Simpson, privacy project director for Consumer Watchdog.

On Sept. 11, New York Attorney General Eric Schneiderman sent a letter to Equifax seeking additional information about the breach.

"The Equifax breach has potentially exposed sensitive personal information of nearly everyone with a credit report, and my office intends to get to the bottom of how and why this massive hack occurred," he said in a statement.