Richard Smith, who was CEO and chairman at Equifax when the company experienced a data breach that resulted in the theft of comprehensive private identifying information on 145 million Americans last month, appeared before the House Energy and Commerce Committee today to answer questions. The queries included: “Why was there nearly a week before members of the board were alerted of the breach?” “Why was the consumer facing website created on a separate domain?” “Does Equifax require consumers to consent to arbitration?” “If the data that you hold is about me, do I own it?” and “I get that this model is a good deal for Equifax, but can you explain how it is a good deal for consumers?”
Some of Smith’s answers were more satisfying than others.
The hearing confirmed what we all basically knew: Equifax has made a business model out of collecting obscene amounts of data on Americans without their consent — far more data than is really needed to perform its ostensible function of assessing creditworthiness, as multiple members pointed out. The margin of profit on this business, Smith said in a speech at the University of Georgia last month, is approximately 90 percent. And while Smith and his interrogators repeatedly insisted that protecting consumer data was the company’s “primary goal,” it was not. Equifax’s primary goal was to continue its 118-year tradition of collecting metadata on every individual participating in the modern economy and selling it for ludicrous profits. From the International Directory of Company Histories, “Equifax was founded in 1898 by two brothers, Cator and Guy Woolford. Cator Woolford got his start in the credit bureau business as a grocer in Chattanooga, Tennessee. There he supervised the compilation of a list of customers, with indications of their creditworthiness, for the local Retail Grocer's Association.”
The Congressional panel made a show of grilling Smith, and multiple members got in some satisfying jabs. Rep. Ben Ray Luján of New Mexico pointed out that Equifax’s offerings to consumers affected by the breach are all pretty worthless (For one thing, a free credit freeze at Equifax — the lynchpin of the company’s attempt to make things right — is ineffective without a simultaneous freeze at the two other major credit bureaus, Experian and TransUnion). “Will those products make them whole, yes or no?” Luján asked. Smith tried to say he did not know if consumers had been “harmed,” and Luján went in. “If someone’s credit has been stolen and someone went and opened up a bunch of their accounts, bought furniture, bought cell phones, bought a bunch of fuel, and now this consumer can't fix their history, they’ve been harmed. In that case, will Equifax make them whole?” In another exchange, Rep. Joe Barton of Texas opened by asking how much Equifax is worth — roughly $13 billion — and then suggested that the company simply pay each consumer who was affected. “If you had to pay everybody whose account got hacked a couple thousand bucks or something,” he said, “what would the industry reaction be to that, if we passed a law that did that?”
Despite the bipartisan tough talk, the hearing was a sad reminder of the stunning riches that can be had by exploiting the powerlessness of the average American consumer. Smith, who announced his “retirement” with what will amount to a golden parachute on September 26 and has no impact on what the company will do to fix its sloppiness or reverse its moral depravity, is still positioned to earn many millions in the future from Equifax in addition to the many millions he has already made. (Fortune calculated that amount will shake out to $90 million.)
“That seems like a lack of competence.”
Smith said that the hack was a result of “human error” followed by “technological error” — there was a bug in their system that had been publicly disclosed and patched for more than two months that Equifax’s team of more than 225 security professionals neglected to fix.
The human error occurred when a single person — the “owner of the patch process,” in Smith’s words — failed to communicate the need to patch the system. “The human error was the individual who was responsible for communicating in the organization to apply the patch, did not. That individual knew the software was there and it needed to be patched and did not communicate it to the team that it needed to be patched,” Smith said. Then, he said, the technological error occurred when “a scanning device that was deployed a few days later” did not catch the problem. When pressed, Smith admitted that this “scanner” needs to be told what to look for, suggesting there was no way for it to catch the earlier human error.
A structure that allows for one person to commit an error of this magnitude without a check or balance is a deeply flawed structure. One security developer who works at Twitter chimed in via tweet, “There are no InfoSec failures that are the fault of one person. If you think you've found one, the fault really lies in the system that exposes such a single point of failure in the first place.” Rep. Jerry McNerney of California put it more plainly: “That seems like a lack of competence.”
The members of the committee seemed ready to pass legislation that would discourage future “lack of competence.” “Because consumers don't have a choice, we can't trust credit reporting agencies to self regulate,” said Rep. Jan Schakowsky, who reintroduced the Secure and Protect Americans’ Data Act, a piece of federal legislation similar to what 48 states have already put in place to protect sensitive data. “Equifax deserves to be shamed in this hearing, but we should also ask what Congress has done or failed to do.”
This would be a positive step. Consumers can't protest Equifax with their pocketbooks, since they aren't explicitly giving their information to the credit bureau in the first place; Equifax obtains that data from banks and companies. Unless the government compels them to, companies like Equifax have no accountability to consumers. The systems they use to rate customers are proprietary and secret. They collect far more data than they need, and that data is incredibly valuable. Equifax has been incompetent in responding to the breach, and its promise of an iPhone app to be released in January that will give consumers more control over access to their credit file is underwhelming. Meanwhile, just a week after the breach was revealed, Republican representatives introduced and argued for the Fair Credit Reporting Act Liability Harmonization Act, which would limit damages to credit reporting bureaus in class-action lawsuits.
The House Financial Services Committee will be holding a hearing on the Equifax breach next. Multiple members have expressed a desire to vote on legislation before the holidays. Meanwhile, New York Attorney General Eric Schneiderman has launched a formal investigation into the breach, and multiple class action lawsuits have been filed. But as for the basic structure of the credit reporting system — three companies locked in a robust triopoly, no way for consumers to control their own data — that seems unlikely to change.
Rep. Schakowsky asked Smith at the end of the hearing, “What if I want to opt out of Equifax? I don't want you to have my information anymore. I want to be in control of my information. I never opted in. I never said it was OK to have all my information, and now I want out. I want to lock out Equifax. Can I do that?” “That requires a much broader discussion about the role of the credit reporting agencies,” Smith said. “Because the data doesn't come from the consumer, it comes from the furnishers, and the furnishers provide that data to the entire industry.” “That’s exactly where we need to go,” Schakowsky said. “To a much larger discussion.” Later in the day, the IRS awarded Equifax a $7.5 million no-bid contract for its data services.