Members of the Senate Commerce Committee challenged Equifax's chief executive Wednesday about the credit reporting agency's sweeping data collection and its one-sided relationship with millions of Americans whose personal information it harvests for profit.
Equifax revealed in September that attackers may have compromised the sensitive information of as many as 145 million people. But for many Americans — and for Senators at Wednesday's hearing — it was unclear why Equifax was storing information about them in the first place.
The hearing into the data breaches -- the fifth so far -- featured testimony from current and former officials from Equifax, Yahoo and Verizon, and added to the uproar about the company's policies and its response to the breach.
In one notable exchange, Sen. Catherine Cortez Masto (D-Nev.) asked the interim chief executive officer of Equifax, Paulino do Rego Barros, why consumers do not have a say in opting in or out of the company's data collection.
“This is part of the way the economy works,” Barros said. But he was swiftly interrupted. “The consumer doesn't have a choice, sir. The consumer does not have a choice on the data that you’re collecting,” Masto said.
Her line of questioning echoed other lawmakers who have pushed back against fundamental aspects of Equifax's business, which have faced widespread scrutiny after the data breach came to light.
After confirming with Barros that it is Equifax, and not consumers, that owns all the granular data collected about them, and that consumers cannot request to exit the company's files, Sen. Cory Gardner (R-Col.) asked the current Equifax chief if it was right that the company maintains that arrangement. “I think it’s not my perspective to say it's right or wrong,” Barros said.
When Marissa Mayer, the former chief executive of Yahoo was asked if consumers should own their own data, however, she said, “Yes. I believe that they should.”
Even as Barros said it is up to Equifax to earn the public's trust, he did not commit to proactively notifying all the consumers who were potentially affected by the breach. “We are actively, actively engaged with consumers to make sure that they use the products that we have today,” Barros said when asked by Sen. Tammy Baldwin (D-Wis.), pointing to the company's Web page, social media and a team dedicated to engaging with consumers.
Barros told the committee that 30 million people have visited Equifax's website to learn if their information was stolen.
However, Baldwin suggested that was only a fraction of those who might have been affected by the breach. "30 million? Out of 145 million,” Baldwin said.
Several senators on the panel said new legislation is needed to prod companies like Equifax and Yahoo to better protect consumer data. Such measures would grant the Federal Trade Commission greater powers to enforce “reasonable” cybersecurity standards and for the agency to impose fines on negligent businesses.
“If we are going to do anything meaningful we must have the political will to hold these companies accountable,” said Sen. Bill Nelson (D-Fla.), the ranking member of the committee. “We can either take action with common sense rules or we can start planning for our next hearing on this issue.”
During the four previous congressional hearings about the Equifax data breach, lawmakers took issue with the extended period of time it took the company to disclose the intrusion, its cybersecurity practices, and the use of arbitration clauses.
Such clauses typically require customers to settle disputes they have with companies through a third party rather than going to court or joining a class-action lawsuit.
On Wednesday, Equifax again, defended its use of arbitration. "We work according to the law and use the tools that the industry uses to have arbitration in place,” said Barros.
Equifax is also facing multiple federal investigations over its handling of the hack and reports that executives sold an unusual amount of stock before the breach was publicly disclosed.