Senators Knock Former Equifax CEO for Response to Breach, Problems With Security
Former Equifax CEO Richard Smith was grilled by lawmakers the past two days and faces the House Financial Services Committee Thursday over theft of personal information of 145.5 million consumers. House and Senate lawmakers at three different committees (see 1710030034 and 1710020021) interrogated Smith, including at a Senate Judiciary Privacy Subcommittee hearing where ranking member Al Franken, D-Minn., said Smith and Equifax had "little regard" for consumers.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Judiciary Chairman Chuck Grassley, R-Iowa, sat in at the beginning, saying he doesn't normally attend subcommittee meetings but this is important. He said Equifax's data breach was different from high-profile incidents at Target and Nieman Marcus where credit and debit card information was stolen. He's working with full committee ranking member Dianne Feinstein, D-Calif., and other Democrats on legislation for a uniform data breach notification standard and is committed to a "good bill," he said.
Asked by subcommittee Chairman Jeff Flake, R-Ariz., how much of Equifax's business is consumer facing, Smith replied it's about 10 percent. He said the company is entrusted with protecting the data, and losing it would violate the trust it has with consumers and business customers. Later Flake said "just too little priority is given to protecting consumer information when you don’t face the consumer that much … it seems that privacy of individuals is given the shaft."
Sen. Pat Leahy, D-Vt., said an Equifax report showed it spent a "quarter of a million dollars to lobby the Congress among other things against the Consumer Privacy Protection Act," which the senator sponsored in 2015. The bill would have required the company to immediately notify lawmakers about the breach. Leahy asked whether the company plans to continue to lobby against similar legislation. Smith initially said the company takes data protection seriously because it's a reputational issue. When Leahy asked again, Smith said the lobbying budget is "relatively small," to which Leahy replied: "I could care less about what your budget is for lobbying. The fact is you opposed legislation that might require notifying consumers." Smith replied he's unaware of that particular lobbying effort but would look into it.
Senators knocked Smith, who provided the same testimony at a House subcommittee hearing, about Equifax initially including an arbitration clause for affected consumers, who would have had to waive rights to sue. The company removed the arbitration clause shortly after it was reported in early September and Smith said it was a mistake.
Sen. Richard Blumenthal, D-Conn., asked Smith if he could guarantee whether any affected consumer would ever be required to go to arbitration. The former CEO said he couldn't since he's no longer with the company. The senator called Smith the "designated fall guy" and needed to know whether arbitration will be required of consumers, will there be a compensation fund and insurance. “These kinds of questions, which you’re unable to answer because you’re no longer with the company, are as profound and important as any investigative effort,” said Blumenthal.
Another witness, Jamie Winterton, director-strategic research initiatives for Arizona State University's Global Security Initiative, said a foreign adversary could use that large dataset to take an in-depth look into the U.S. economy. Franken earlier said a foreign entity could use the data to blackmail people or influence elections.