Capitol Hill comes for Equifax, demanding answers for massive breach

U.S. lawmakers are demanding answers from consumer credit reporting firm Equifax after the company publicly disclosed a data breach last week where the sensitive personal information, including social security numbers, of upwards of 143 million Americans was stolen.

Sens. Orrin Hatch, R-Utah, and Ron Wyden, D-Ore., called Monday upon Equifax to publicly determine when the company originally contacted law enforcement in relation to the breach, Reuters first reported.

The two lawmakers, who are the leaders of the Senate Finance Committee, sent a letter to Equifax CEO Rick Smith requesting additional information about the incident, including details about a trio of Equifax executives who sold company stock before the original breach announcement was made on Thursday.

The letter is the latest in a series of strong public statements made by lawmakers calling for greater transparency from Equifax as it handles what some cybersecurity experts are already calling “one of the largest data breaches in history.”

Rep. Will Hurd, R-Texas, is among those who have spoken out.

“Consumer confidence in a credit rating agency, like Equifax, is based on that company’s ability to do one job well: store data securely,” Hurd, who chairs the House IT Subcommittee, told CyberScoop. “Data is not just a byproduct of doing business, it is their business. And when a breach occurs, it shouldn’t take six weeks to alert consumers. When it comes to consumer protection, companies must adopt a ‘need-to-share’ mentality.”

At least three different congressional committees in the House, including Financial Services, Energy and Commerce and Judiciary, plan to hold hearings about the Equifax breach later this fall. In addition, the Senate Finance Committee may hold a hearing after having sent a letter to Equifax’s leadership. Staffers say these types of hearings may spur new laws, regulations and policies related to breach disclosure standards and cyber insurance; two underdeveloped legal areas.

Sen. Mark Warner, D-Va., is one of the lawmakers hinting at the creation of a national breach disclosure standard following the Equifax incident. Existing breach disclosure laws are largely decided at the state level, where they differ depending on the affected business sector and quality of data.

“While many have perhaps become accustomed to hearing of a new data breach every few weeks, the scope of this breach – involving Social Security Numbers, birth dates, addresses, and credit card numbers of nearly half the U.S. population – raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans,” Warner said in statement about the breach last week.

On Tuesday, Rep. Lou Correa, D-Calif., announced plans to introduce legislation “to protect consumers from cyberattacks and data breaches,” according to a statement provided to CyberScoop.

Dubbed the “Cyber Breach Notification Act,” Correa’s law requires that firms immediately disclose whenever “personal information has been potentially compromised allowing consumers to take necessary actions to protect themselves from identity fraud and commit other crimes.” The bill is likely just the first among several upcoming bills this fall that hopes to regulate and therefore responsibly manage future incidents like the Equifax breach.

In the immediate future, however, before legislation is written or voted on, Equifax should simply be more transparent with the public, according to Rep. Jim Langevin, D-R.I.

“There is still little concrete information about the Equifax breach, which speaks to the company’s need to be much more transparent,” Langevin, a senior member of the House Committee on Homeland Security, told CyberScoop. “Many people have legitimate questions about whether their data were affected, whether their data are still at risk, and whether Equifax’s remediation efforts will actually protect them.”

Credit reporting agencies store extremely sensitive information and as such, their digital security should reflect the value of that data, he said.

Last Congress, Langevin was one of few lawmakers to push for the creation of a national data breach notification standard. The bill previously introduced by Langevin would have mandated how and when a company affected by a data breach must disclose that information to its customers. The bill, however, never passed the House. In the aftermath of the Equifax breach, Langevin’s idea may have renewed interest from his peers.

“The swirling uncertainty surrounding the Equifax incident highlights the need for regulatory clarity,” Langevin told CyberScoop. “Reports that the breach may have been due to a vulnerability in Apache, open source software that underpins much of the web, also puts in stark relief the need to invest in the security of our critical Internet infrastructure.”

It’s unclear at the moment who is responsible for the breach or exactly why it happened. Some analysts believe the leak came from a vulnerable web server application, although this has yet to be confirmed.