Smith confirmed at the hearing that intruders accessed the company's network by exploiting a known vulnerability that Equifax had failed to patch. But Smith said the employee responsible for assigning a correction to that vulnerability failed to do so, even though that person knew the patch was needed.
Smith also fielded questions concerning reports that his former colleagues sold an unusual amount of stock after the breach was discovered but before it was disclosed to the public. Smith said that at the time, Equifax knew only that suspicious activity had been detected and not that personal information had been stolen from the company. “To the best of my knowledge they did not know,” Smith said.
When asked several times about whether Equifax suspects a nation state was involved in the breach, Smith did not give a direct answer. “I have no opinion,” he said. Smith emphasized that the FBI is involved.
Later in the hearing, Rep. Joe Barton (R-Tex.) told Smith that Equifax appears to collect far more data than is needed to determine creditworthiness, and questioned why companies should not be obligated to pay consumers for failing to protect their information. “I think it's time at the federal level that we put some teeth into this,” he said, referring to data security legislation.
Since the hack was disclosed last month, several members of Congress have seized on Equifax's missteps, and the widespread public outrage, to advance bills designed to protect consumers from data breaches and identity theft. Rep. Jan Schakowsky (D-Ill.) and Rep. Frank Pallone Jr. (D-N.J). recently reintroduced the Secure and Protect Americans’ Data Act, which would create enforceable data security standards and require companies to notify consumers in the event of a breach. Sen. Elizabeth Warren (D-Mass.), along with a dozen other lawmakers, introduced the Freedom from Equifax Exploitation Act, which would force credit reporting agencies, such as Equifax, Experian and TransUnion, to allow consumers to freeze and unfreeze their credit free of charge.
Perhaps to preempt such legislation from gaining momentum, Equifax said last week it would offer a new service starting next year that would let consumers lock and unlock their credit information for life. During the hearing, Smith described this move as part of a “new paradigm” at Equifax, of giving consumers control over their information. But according to Warren, who will question Smith at a hearing Wednesday, Equifax's remedy falls short. It's unclear, she said, if Equifax will continue to sell a consumer's information even if their credit information is locked, and if the company would be liable for mistakes during a “lock.” Warren added that Equifax's service wouldn't apply to the other credit agencies, which would still leave consumers vulnerable, and that Equifax's commitment could change in the future.
Under the proposed legislation, “Once a customer submits a freeze the credit reporting company cannot pull a credit report, cannot sell customer data, and will be liable for data if it fails to follow through,” she said. “This law makes sure that it has all the right elements, that the protection will last forever, and that it applies to all credit reporting agencies.”
Also at Tuesday's hearing, several representatives took issue with not having a current Equifax executive testifying. Smith is retired, after announcing last week that he would step down as chief executive. Lawmakers said they would like to hold another hearing with Equifax's current chief legal officer, John Kelley, and the chief information officer, Mark Rohrwasser, who is serving in an interim role.
Smith will go before the Senate Banking Committee, a Senate Judiciary subcommittee and the House Financial Services Committee Wednesday and Thursday.