Congress grapples with preventing the next Equifax-level hack

Congress is grappling with how to respond to the massive Equifax data breach after hackers gained access to the sensitive data of more than 145 million Americans.

As lawmakers grilled former Equifax CEO Richard Smith over four separate hearings this week, they proposed a number of possible ways to prevent such massive breaches in the future.

Their ideas included fining companies that fail to adequately protect consumer data, restructuring the credit reporting industry to allow for more competition and requiring data holders to notify consumers whose information has been compromised.

A slew of legislation aimed at instituting tougher regulation on credit reporting agencies has already been introduced since the breach was announced last month, including a bill that would give consumers greater control over the mass amounts of data about them that such organizations collect.

ADVERTISEMENT
But in the midst of the week’s hearings, top Republicans are expressing caution, saying that a crackdown from Congress may not be the best way to address the problem. Instead, they’re laying the blame for the hack on Equifax.

“How does this happen when so much is at stake?” Rep. Greg Walden (R-Ore.), chairman of the House Energy and Commerce Committee, asked Smith in one hearing. “I don’t think we can pass a law, excuse me for saying this, but fixes stupid. I can’t fix stupid."

Sen. Jeff FlakeJeffrey (Jeff) Lane FlakeGOP rushes to cut ties to Moore Flake on Moore defenders: 'This cannot be who we are' GOP senators raise concerns over tax plan MORE (R-Ariz.), who chairs a Senate Judiciary panel on privacy and technology, told The Hill that the problem lies in the fact that data brokers don’t value privacy. Still, Flake said that it’s on the industry to come up with best practices to safeguard consumers’ information.

“The problem is you have to have the right incentives and the incentives, when you’re not facing consumers directly, might not be there,” Flake said after hearing Smith testify. “I’m not ready to pile on regulation at this point. We want to find out more and that’s what this hearing was useful for. And we’ll see."

“We obviously want a growing economy, and you’ve got to have a conducive tax and regulatory environment, but you also have to make sure that consumers’ data is protected,” he added.

Smith made a number of revelations about the breach during his four appearances. On Tuesday, he told a House Energy and Commerce subcommittee that a “combination of human error and technological error” made the company vulnerable to the hack.

According to Smith, an employee responsible for ensuring that a key software vulnerability was patched failed to do so, and later a detection program failed to find the weakness. While speaking to Flake’s subpanel on Wednesday afternoon, Smith revealed that the unidentified employee had left the company.

That person was one of four Equifax employees, including Smith, who have stepped down in the wake of the breach, which was revealed last month. The other two were Equifax’s chief information and security officers.

Lawmakers of both parties used the opportunity to pile on Smith and his former company. Despite hesitation from some of the committee heads, there were bipartisan calls to act to protect consumers from data breaches.

“Equifax won’t be losing any business as a result of its failures,” said Sen. Al FrankenAlan (Al) Stuart FrankenOvernight Tech: Senate panel subpoenaed ex-Yahoo chief | Twitter gives all users 280 characters | FBI can't access Texas shooter's phone | EU wants tax answers from Apple Week ahead: DHS nominee heads before Senate | Ex-Yahoo chief to testify on hack | Senators dig into election security Feinstein: Sessions should re-testify on Russia meetings MORE (D-Minn.). “American consumers are not able to walk away and take their business or their personal information elsewhere. And that’s because those consumers aren’t actually your customers. They’re your product.”

The scrutiny into Equifax and data protection is likely to continue. On Tuesday, Yahoo revealed that it now believes that a 2013 data breach affected all 3 billion of its user accounts, triple the amount that it had initially estimated when it first announced the hack in December 2016. Sen. John ThuneJohn Randolph ThuneOvernight Tech: Senate panel subpoenaed ex-Yahoo chief | Twitter gives all users 280 characters | FBI can't access Texas shooter's phone | EU wants tax answers from Apple Overnight Cybersecurity: What we learned from Carter Page's House Intel testimony | House to mark up foreign intel reform law | FBI can't access Texas shooter's phone | Sessions to testify at hearing amid Russia scrutiny Former Yahoo CEO subpoenaed to appear before Congress MORE (R-S.D.), the chairman of the Senate Commerce Committee, has already called on Yahoo and Equifax executives to testify before his panel.

For now, there’s bipartisan support for Congress to implement a nationwide requirement that companies notify consumers in the event that their data is compromised by hackers. Forty-eight states currently require companies to do so.

Rep. Joe BartonJoe Linus BartonGOP lawmaker calls for vote on DREAM Act More than a dozen lawmakers put family on campaign payroll GOP chairman threatens to subpoena DEA over investigation into 'pill dumping' in West Virginia MORE (R-Texas) suggested that companies should be fined if they jeopardize personal information.

“We could have this hearing every year from now on if we don’t do something to change the current system,” Barton said.