WASHINGTON — Richard Smith came to Capitol Hill this week to speak about the massive breach at Equifax, where he was until last week the CEO. But it was clear Tuesday that he will have to defend the entire credit bureau industry, not just his former company.

In his first of four hearings this week, Smith took bruising questions and criticism from members of the House Energy and Commerce Committee on security lapses leading up to the hack, the company’s response, suspicion about stock sales by Equifax managers and who may have perpetrated the breach.

But some lawmakers also appeared to cast the breach, now estimated to have affected over 145 million consumers, as a symptom of more systematic concerns: the credit bureaus’ hold on consumer data, the security risks inherent in that data collection and the agencies’ powerful influence in credit decisions.


“The Equifax data breach was massive in scale. I would call it shocking, but, is it really?” said Rep. Jan Schakowsky, D-Ill., in her opening remarks for the hearing. “We have these under-regulated, private, for-profit credit reporting agencies collecting detailed personal and financial information about American consumers. It’s a treasure trove for hackers. Consumers don’t have a choice.”

Smith, appearing contrite, sought to offer a detailed timeline of the company’s response to the breach while explaining steps Equifax was taking to give consumers the ability to defend themselves against fraud. This includes a new free lifetime service to let customers lock their credit file.

“It's time to change the paradigm and give the power to consumers to control who accesses their data,” said Smith. He added that he “would encourage” TransUnion and Experian to offer similar free services.

Such steps may become increasingly less voluntary as the Equifax breach highlights concerns that officials have about all of the credit bureaus and several lawmakers push legislative solutions.

Equifax has already come under fire from the credit union industry in the wake of the breach, with the Credit Union National Association announcing late last week it planned to file suit to protect the interests of credit union members.

"Equifax needs to be held accountable for this massive data breach that gave hackers access to the personally identifiable information of 143 million Americans and the credit card information of 209,000 people," CUNA President/CEO Jim Nussle said in a statement. "Equifax's disregard for protecting this highly sensitive data means credit unions are left bearing the brunt for damages in replacing members’ payment cards, covering fraudulent purchases and taking protective measures to reduce risk of identity theft and false loans."

Announcement of CUNA's suit follows that of Summit Credit Union in Madison, Wis. (which, coincidentally, earlier in its history served as CUNA's credit union). Summit is believed to have been the first financial institution to file suit against the credit bureau.

In advance of today's hearing -- and others this week -- the National Association of Federally-Insured Credit Unions weighed in with a letter to members of the House Energy and Commerce Subcommittee.

"Americans’ sensitive financial and personally identifiable information will only be as safe as the weakest link in the security chain," Berger wrote. "While financial institutions, including credit unions, have been subject to federal standards on data security, and examination by regulators on these standards … retailers and many other entities that handle sensitive personal financial data are not subject to these same standards. Consequently, they have become the vulnerable targets of choice for cybercriminals."

Before the hearing, held before the subcommittee on digital commerce and consumer protection, Schakowsky reintroduced a bill requiring better data security as well as notification measures following a breach. Sen. Elizabeth Warren, D-Mass., has also introduced two bills in the aftermath of the hack: one that would require credit bureaus to offer free credit freezes to customers, and another that would prohibit employers from using the credit reports of prospective employees.

At the hearing Tuesday, lawmakers laid into Smith not just for Equifax’s data security procedures, but also how the information collection process and administration of credit reports can generally harm consumers.

“The credit reporting industry is famously unforgiving, and it is an industry that helps perpetuate the cycle of poverty,” said Rep. Gene Green, D-Texas. “Agencies like Equifax force those with lower credit scores to pay more money for loans and mortgages. Less than perfect credit scores can even result in higher rates for products that don’t require credit, like auto insurance premiums.

“Those people will have a harder time paying back higher interest rates, making it more likely that they won’t be able to pay their debt back on time and will hurt their credit further. And yet, Equifax and the rest of the credit reporting industry expect forgiveness for breach after breach, lobbying Congress for even less liability.”

To be sure, Equifax has now become the biggest target in light of its breach. The company has been strongly criticized for flaws in the credit freeze it implemented right after the hack, as well as what was thought to be a forced-arbitration clause for consumers affected by the breach.

“It was a standard boilerplate clause,” said Smith, who added that it was a “mistake” that was rectified “within 24 hours” of being revealed.

Smith also faced tough questions on security oversights that are now being blamed for having made the company more vulnerable to hackers. He acknowledged that the company had failed, starting as early as March, to apply a patch to software called Apache Struts, which the company uses for its online disputes portal.

“The breach occurred because of both human error and technology failures,” said Smith. “It was not until late August that we concluded that we had experienced a major breach.”

But lawmakers asked repeated questions about why the breach, which Smith found out about on July 31, took weeks to be disclosed to the company’s board of directors and more than a month to be made public.

Initially, Smith said he learned of the hack in a face-to-face meeting with his chief information officer. “The incident was described as an incident, not a breach,” he said. “At that time I did not know if data had been compromised, exfiltrated or what the data was.”

But lawmakers were not satisfied by that explanation.

“The difference between a breach and a suspicious activity is not one that I find particularly relevant,” said Rep. Leonard Lance, R-N.J.

Asked if reports of suspicious activity were a routine occurrence, Smith said it was “not uncommon” for him to be notified of such incidents by his staff.

“We do have a lot of data, and our primary goal is to protect that data,” he said. “We have experienced millions of suspicious activity against our database.”

Smith was also put on the defensive over questions about Equifax's chief legal officer, John Kelley, who is still with the company and reportedly approved the sale of company stock by three top managers in August, just weeks before the breach was revealed.

“He did not know it was a breach,” said Smith, defending Kelley. “It was deemed suspicious activity with no indication that personally identifiable information was in fact compromised at that time.”

Smith was also asked multiple times about whether he had seen indications that the attack may have been carried out by a nation-state.

Asked by Rep. Debbie Dingell, D-Mich., if he had seen signs that “the attackers were backed by a nation-state,” Smith responded that the company was collaborating with the FBI. “At this point, it’s all I’ll say,” he said.

Yet lawmakers repeatedly came back to credit bureaus’ massive hold on consumers’ own financial data, pointing out how, for example, many Americans do not even realize how much of their information is included in their credit file.

“Most people had no idea that Equifax was even holding their data,” said Dingell. “Do you think that consumers can take steps to control their information, if they don’t even know who has it?”

Smith responded that offering “the ability to lock and unlock your credit file for life for free” would be “one step in doing that.”

Rep. Doris Matsui, D-Calif., asked Smith whether consumers affected by the hack actually own their financial data.

"In the context of this breach, if the data that you hold is about me, do I own it?" said Matsui. "Can you explain what makes data about me mine?"

Smith referred again to the company's free credit lock, which he said would give consumers "the ability to control who accesses [their] personal information and who does not."

But Dingell suggested those steps would not be sufficient. “I think we need a longer debate about who owns this data and how we educate the American people,” she said.

There were also questions raised about the level of regulatory oversight for credit bureaus. The primary regulator in charge of enforcing cybersecurity standards for the credit reporting agencies is the Federal Trade Commission.

“Do you believe that the FTC has an important role in protecting consumers from future data breaches?” said Jerry McNerney, D-N.M. “The Federal Trade Commission is an enforcement body, but it doesn’t have any rulemaking authority.”

In response, Smith said, “I think there’s a role for the ... industry to do more.”

“If there’s particular legislation that arises out of this horrific breach, I’m sure you would find … Equifax and the industry willing to work and cooperate with the regulators,” he said.

Even some Republicans appeared ready to implement sweeping reforms to protect consumer data from further theft.

“It would seem to me that you may pay a little bit more attention to security if you had to pay everybody whose account got hacked a couple hundred bucks or something,” said Rep. Joe Barton, R-Texas, who recounted how a member of his staff had been a victim of the breach. “We're going to have this meeting every year from now on if we don't do something to change the system.”

Others expressed exasperation at what they viewed as a preventable catastrophe.

“With so much at risk, how does this happen?” said Rep. Greg Walden, R-Ore., who is chairman of the full Energy and Commerce Committee. “I don't think we can pass a law that fixes stupid.”

Lalita Clozel

Lalita Clozel covers fintech regulation, anti-money-laundering, cybersecurity and the Federal Deposit Insurance Corp. in American Banker's Washington bureau.