U.S. Sen. Mazie Hirono, D-Hawaii, was among several senators who grilled former Equifax CEO Richard Smith on a massive data breach that affected 145 million Americans.
Smith is testifying at four congressional hearings this week in which lawmakers are demanding to know how the breach happened and what the company was doing to make things right for consumers. Hackers stole Social Security numbers, birth dates and addresses, and in some instances driver’s license numbers.
Hirono says 462,195 Hawaii residents were affected by the breach, and Equifax’s response was “completely inadequate.”
“Mr. Smith’s refusal to recognize that these consumers have a right to know the totality of the information Equifax and other credit reporting agencies have on them is beyond the pale,” she said in a statement. “We will continue to hold Equifax accountable, and must explore legislative solutions to ensure that consumers’ data is protected.”
Hirono and other Senate Judiciary Committee members questioned Smith and experts on data breaches in a hearing Wednesday afternoon.
Hirono: You have a lot of other information on everybody besides just their credit information, do you not?
Smith: Yes, we do.
Hirono: My understanding is that you get all this information free. You don’t pay anybody for the information you gather on 145 million people, which is more than one out of three people in our entire country.
Smith: It’s largely free. There are exceptions, obviously. But this business, as you know, we’re 118 years old. We’re part of a federally regulated ecosystem that enables consumers to get access to credit, so that data’s there and it’s used at their consent by the way. Regardless of the type of data we have, if it’s your employment data, or your income data, or your credit data, that data can only be accessed if you as a consumer give the consent for someone to access that.
Hirono: How does one give consent if you’re selling the information that you have on them?
Smith: If you as a consumer go to your bank and want to get a credit card for example, when you sign a contract with the bank for the credit card, you’re allowing the bank the access to approve your credit in this particular case to give you the best rate and the best line.
Hirono: So it’s not really a free choice is it? If all of us have the option of not having specific information about us and pretty specific information, if we could all just do that and say no we don’t want our information to be sold, that would be an easy matter. But if it’s tied to the ability for that person to get credit or to do that, then that’s not what I would call an arms-length kind of a free choice.
Sen. Elizabeth Warren, D-Mass., said Equifax didn’t have enough incentive to ensure consumer data was secure. She said the breach means consumers will spend the rest of their lives worrying about identity theft and businesses will lose money to thieves, but the company itself will come out of the crisis just fine.
Warren has called for changes in how credit reporting agencies operate. She said consumers should decide who gets their financial data, not companies such as Equifax. She is also calling for stiffer penalties when breaches do occur.
“When companies like Equifax mess up, senior executives like you should be held personally accountable and the company should pay mandatory and severe financial penalties for every consumer record that’s stolen,” Warren said.
“We’ve got to change this industry before more consumers get hurt,” she said.
Members of Congress also expressed bewilderment Wednesday that Equifax received a $7.25 million contract with the IRS to validate the identity of taxpayers communicating with the agency on the telephone or through its website.
“Why in the world should you get a no-bid contract right now?” Sen. Ben Sasse, R-Neb., asked former Equifax CEO Richard Smith at a Senate Banking, Housing and Urban Affairs Committee hearing.
Sasse’s indignation was soon topped by Sen. John Kennedy, R-La., who said, “You realize, to many Americans right now, that looks like we’re giving Lindsay Lohan the keys to the mini-bar.”
“I understand your point,” Smith said.
Smith said he didn’t know many details about the contract, but he explained that it was for work Equifax has done in the past for the IRS, and he thought the contract was being renewed. He also said he believed the contract was “to prevent fraudulent access to the IRS.”
Sen. Heidi Heitkamp, D-N.D., said Equifax forced the IRS to renew the contract because it issued a protest contesting the awarding of the work to another bidder. She called on Smith to tell the IRS that it’s fine to take the contract somewhere else.
The IRS issued a statement seeking to allay concerns about the security of taxpayer information. It said Equifax advised the agency that no IRS data was involved in the breach. The statement confirmed that the renewal was awarded to Equifax to prevent a lapse in service.
“Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems,” the statement read.
An IRS document justifying the award said that the verification information is necessary to prevent tax fraud. Also, taxpayers would have more difficulties obtaining the information they need to file their taxes in a timely fashion if the verification services were allowed to lapse.
The document also said the contract only covers the timeframe needed to resolve Equifax’s protest.