Lawmakers on Capitol Hill are outraged it took Atlanta-based Equifax nearly six weeks to alert customers about its massive data breach. Now House and Senate members plan to prod Equifax’s former CEO this week about who knew what about the hacking — and when.
Whether their questioning leads to any substantive policy changes beyond a customary C-SPAN grilling is an open question.
What is known is former Equifax CEO Rick Smith will personally apologize for the hack and the company’s response to it during the first of four committee hearings this week in the House and Senate beginning on Tuesday.
He plans to tell members of Congress that a mixture of “human errors and technology failures” led to the breach, according to prepared testimony released Monday.
“Let me say clearly: As CEO, I was ultimately responsible for what happened on my watch. Equifax was entrusted with Americans’ private data and we let them down,” Smith’s prepared remarks state. “To each and every person affected by this breach, I am deeply sorry that this occurred.”
Smith’s prepared testimony ahead of today’s appearance before a House Energy and Commerce subcommittee marks the most detailed public account yet of what Equifax did between July 29 and Sept. 7, when the company claims to have discovered the breach and the date it made the hack public.
Many members of Congress have expressed outrage about the insufficiency of the safeguards the company put in place and how it went about alerting what Equifax now says is more than 145 million affected consumers. Opinions, however, have differed in what lawmakers would like to see from Washington next.
Senate Democrats have been among Equifax’s harshest critics. North Dakota Democrat Heidi Heitkamp raised the prospect of jailing three top Equifax executives who sold off stock before the breach went public. Elizabeth Warren of Massachusetts called the hack a “nightmare,” taking to the pages of Forbes magazine last week to call for passage of a bill that would let consumers freeze and unfreeze their credit file for free.
Both are members of the Senate Banking Committee, which will hear from Smith on Wednesday. Another member of that panel is Georgia Republican David Perdue, a former Fortune 500 CEO who broadly believes that government should not tell business what to do but appears open to safeguards to “level [the] playing field” for protecting user data.
“The question with Equifax is what people knew and when, and what’s the responsibility,” Perdue said last week. “Then we’ll begin to react to what needs to be done, if anything, from up here.”
Rebuild public trust
Georgia lawmakers overall have had friendly relations with Equifax in the past. Some of their campaigns have even been on the receiving end of thousands of dollars from the company over the years.
Many have kept their powder dry since the breach was announced, indicating they would like to hear more from company executives before drawing conclusions.
“Equifax has got a lot of explaining to do, but you’ve got to give them the chance to explain before you rush to judgment,” said Republican Sen. Johnny Isakson.
Others have indicated they would like to do what’s necessary to help Equifax rebuild public trust.
Equifax is “a longstanding Georgia company,” said Rep. David Scott, a Democrat from Atlanta. “We want to make sure that they come out of this standing as tall as possible. The way to do that is to … find out what happened and who’s responsible so that [Equifax has] the confidence of the people.”
Most lawmakers aren’t likely to be as kind to Smith, who retired last week, when he takes his turns in the Washington hot seat.
A General Electric alum, he’s known as a skilled CEO and one who has a sharp focus on making the business more efficient. Over the years, Smith purchased a number of smaller tech companies and merged them into Equifax to become a data powerhouse.
Smith is also known for being very proud of the company with a bit of chip on his shoulder about the broader public and media not doing enough to acknowledge how Equifax has evolved from a sleepy credit bureau to a more diversified business.
“If he’s being defensive I think [lawmakers] need to push his buttons to get answers from him,” said Paul Stephens, director of policy and advocacy at the California-based Privacy Rights Clearinghouse.
In his prepared remarks, Smith projects a more humble front, telling lawmakers that “accountability starts at the top.” He did not address the stock sales of two former executives who stepped down from the company under fire last month for selling their stock shares before the firm made news of the breach public.
Smith instead uses the majority of his prepared testimony breaking down how Equifax responded to various security warnings and threats going back to March, when the U.S. Department of Homeland Security initially tipped the company off about patching up a vulnerability in its security system.
Consumer groups critical
Consumer groups have indicated they already aren’t content with Smith’s explanation.
Smith’s initial testimony “shows how much he, his leadership team and his board acted to protect themselves in the weeks before they made the breach public,” said Liz Coyle, executive director of the consumer group Georgia Watch, on Monday. “The fact that he refers to Equifax as the victim shows where his greatest concern lies.”
Stephens said the damage has already been done by Equifax and that there is nothing Smith could say to fix that.
“The barn door has been left open,” he said. “The information is out there.”
MYAJC.COM: REAL JOURNALISM. REAL LOCAL IMPACT.
AJC Business reporter J. Scott Trubey keeps you updated on the latest news about economic development and commercial real estate in metro Atlanta and beyond. You'll find more on myAJC.com, including these stories:
- Atlanta-based Equifax hit with massive data breach
- Atlantic Station owners planning for next phase
- Will Falcons' new stadium drive more development to downtown Atlanta?
Never miss a minute of what's happening in local business news. Subscribe to myAJC.com.