Congress grapples with preventing the next Equifax-level hack

Congress is grappling with how to respond to the massive Equifax data breach after hackers gained access to the sensitive data of more than 145 million Americans.

As lawmakers grilled former Equifax CEO Richard Smith over four separate hearings this week, they proposed a number of possible ways to prevent such massive breaches in the future.

Their ideas included fining companies that fail to adequately protect consumer data, restructuring the credit reporting industry to allow for more competition and requiring data holders to notify consumers whose information has been compromised.

A slew of legislation aimed at instituting tougher regulation on credit reporting agencies has already been introduced since the breach was announced last month, including a bill that would give consumers greater control over the mass amounts of data about them that such organizations collect.

But in the midst of the week’s hearings, top Republicans are expressing caution, saying that a crackdown from Congress may not be the best way to address the problem. Instead, they’re laying the blame for the hack on Equifax.

“How does this happen when so much is at stake?” Rep. Greg Walden (R-Ore.), chairman of the House Energy and Commerce Committee, asked Smith in one hearing. “I don’t think we can pass a law, excuse me for saying this, but fixes stupid. I can’t fix stupid.”

Sen. Jeff Flake (R-Ariz.), who chairs a Senate Judiciary panel on privacy and technology, told The Hill that the problem lies in the fact that data brokers don’t value privacy. Still, Flake said that it’s on the industry to come up with best practices to safeguard consumers’ information.

“The problem is you have to have the right incentives and the incentives, when you’re not facing consumers directly, might not be there,” Flake said after hearing Smith testify. “I’m not ready to pile on regulation at this point. We want to find out more and that’s what this hearing was useful for. And we’ll see.”

“We obviously want a growing economy, and you’ve got to have a conducive tax and regulatory environment, but you also have to make sure that consumers’ data is protected,” he added.

Smith made a number of revelations about the breach during his four appearances. On Tuesday, he told a House Energy and Commerce subcommittee that a “combination of human error and technological error” made the company vulnerable to the hack.

According to Smith, an employee responsible for ensuring that a key software vulnerability was patched failed to do so, and later a detection program failed to find the weakness. While speaking to Flake’s subpanel on Wednesday afternoon, Smith revealed that the unidentified employee had left the company.

That person was one of four Equifax employees, including Smith, who have stepped down in the wake of the breach, which was revealed last month. The other two were Equifax’s chief information and security officers.

Lawmakers of both parties used the opportunity to pile on Smith and his former company. Despite hesitation from some of the committee heads, there were bipartisan calls to act to protect consumers from data breaches.

“Equifax won’t be losing any business as a result of its failures,” said Sen. Al Franken (D-Minn.). “American consumers are not able to walk away and take their business or their personal information elsewhere. And that’s because those consumers aren’t actually your customers. They’re your product.”

The scrutiny into Equifax and data protection is likely to continue. On Tuesday, Yahoo revealed that it now believes that a 2013 data breach affected all 3 billion of its user accounts, triple the amount that it had initially estimated when it first announced the hack in December 2016. Sen. John Thune (R-S.D.), the chairman of the Senate Commerce Committee, has already called on Yahoo and Equifax executives to testify before his panel.

For now, there’s bipartisan support for Congress to implement a nationwide requirement that companies notify consumers in the event that their data is compromised by hackers. Forty-eight states currently require companies to do so.

Rep. Joe Barton (R-Texas) suggested that companies should be fined if they jeopardize personal information.

“We could have this hearing every year from now on if we don’t do something to change the current system,” Barton said.