
Lawmakers Push Broad Review of Equifax Security

Democrats cite precedent of reaction to OPM data breach

Ohio Sen. Sherrod Brown wants Equifax to offer 10 years of free credit monitoring to those affected by the breach. (Tom Williams/CQ Roll Call file photo)

Lawmakers are responding to credit-reporting company Equifax’s loss of data on up to 143 million customers with a flurry of proposed legislation, demands for explanations, hearings and calls for regulators to investigate.

Democrats are leading the charge on legislation and investigations while Republicans join in with demands for an explanation from the company and with plans to hold hearings. Members of both parties are seeking details of Equifax’s work for government agencies. Democrats are also trying to pressure Republicans to be at least as tough on Equifax as they were with a government agency that suffered its own breach.

Ohio Democratic Sen. Sherrod Brown said he’ll introduce legislation requiring Equifax to provide 10 years of free credit monitoring to those affected by the breach as opposed to the one year of free monitoring the company is offering. It’s a reminder to Republicans that they enacted legislation with such a requirement when the Office of Personnel Management failed to protect personnel data on 4.2 million current and former federal employees in 2015.

“We cannot accept any less for the people we serve,” said Brown, the ranking member on the Senate Banking Committee.

Meanwhile, Massachusetts Democratic Sen. Elizabeth Warren offered a bill that would allow consumers to impose, for free, a credit freeze, preventing identity thieves from opening accounts in their names. The bill, which has 11 co-sponsors, none of them Republicans, would require the reimbursement of any credit freeze fees imposed since the Equifax breach was announced.

Oregon Democrat Ron Wyden introduced a similar free credit freeze bill in the Senate.

Connecticut Rep. Jim Himes has introduced a House bill that would have similar provisions.

Hawaii Democratic Sen. Brian Schatz introduced a measure that would expand consumers’ rights in disputes with credit-reporting companies.

Equifax announced Sept. 7 that thieves gained unauthorized access to information on up to 143 million consumers from mid-May through July because of a vulnerability at one of its websites. The information included primarily names, Social Security numbers, birth dates and addresses, and, in some instances, driver’s license numbers. The breach also gave them access to credit card numbers for about 209,000 people and dispute documents identifying about 182,000 people.

Equifax said it had discovered the breach July 29, leading to repeated questions from Capitol Hill as to why it took the company more than 40 days to make the incident public. As of Monday, the company’s stock price had dropped 34 percent since news of the data breach broke. 

FTC investigation

Last week, in a letter, 37 senators asked the Justice Department, the Securities and Exchange Commission and the Federal Trade Commission to investigate the breach.

Warren said her office is conducting an investigation of the breach. She also said she asked the FTC to investigate, echoing a call made last week by Michigan Democratic Sen. Gary Peters.

“The FTC typically does not comment on ongoing investigations,” agency spokesman Peter Kaplan said in a statement. “However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”

Warren also asked the Consumer Financial Protection Bureau and the Government Accountability Office to investigate the breach.

The FTC is charged with policing violations of the Fair Credit Reporting Act and the CFPB has jurisdiction as well.

An agency spokesman said the CFPB was looking into the breach and Equifax’s response. “The CFPB is authorized to take enforcement action against institutions engaged in unfair, deceptive, or abusive acts or practices, or that otherwise violate federal consumer financial laws,” the spokesman said.

A GAO spokesman said in an email that the agency was reviewing the request for an investigation, a review that could take weeks.

Equifax CEO Richard Smith is scheduled to make an appearance on Capitol Hill on Oct. 3 before the House Energy and Commerce Digital Commerce and Consumer Protection Subcommittee. The House Financial Services Committee has also said it will hold a hearing on the data breach, but hasn’t set a date.

In one of many letters from members of Congress to Smith, Senate Finance Chairman Orrin G. Hatch of Utah and Wyden, the panel’s ranking member, asked the “who knew what and when” question. They requested information on the timeline of the breach along with when senior Equifax executives were notified.

The senators also asked when Chief Financial Officer John Gamble; Rodolfo Ploder, who is president of Workforce Solutions, one of Equifax’s four business units; and Joseph Loughran, president of U.S. Information Solutions, one of the other major business units, knew of the breach.

Hatch and Wyden noted that Equifax is a partner with a number of U.S. agencies and asked the company for information on whether records of the IRS, the Centers for Medicare & Medicaid Services and the Social Security Administration were breached as well. Sens. Brown and Bill Cassidy, R-La., have asked for similar information from the SSA.

Brown pointed to a February 2016 company press release indicating that Equifax was contracted to help the SSA secure its online services and to mitigate fraud for the “my Social Security” electronic service.

“Given Equifax’s recent security breach, this partnership raises serious questions as to whether the personal data SSA maintains on behalf of all Americans may be at risk of identity theft or other cybersecurity threats,” Brown and Cassidy wrote in a letter Friday to SSA acting Commissioner Nancy Berryhill. “In addition to an immediate threat assessment, we request information regarding the steps you will take to remedy any potential breach of SSA’s online systems and what resources are necessary for SSA to ensure that the data of every single American is safe.”

The company’s 2016 annual report says its Workforce Solutions unit also provides verified consumer income and employment information to mortgage giant Fannie Mae, currently operating under the conservatorship of the Treasury Department.

Senate Banking Chairman Michael D. Crapo of Idaho hasn’t decided whether to heed Democrats’ calls for a hearing. He told reporters last week he isn’t concerned just about private companies collecting personal information, but also government agencies.

Crapo said he was particularly concerned about data collection at the CFPB. A 2014 GAO report said the CFPB has access to account balances for about 87 percent of credit cards, loan level data on 173 million mortgages, and account and loan data on millions of student loans, bank overdraft fees and payday loans.

“I think their data collections should be a concern to everybody,” Crapo said. “Every time you swipe your credit card, they collect the data. I think that’s as big a risk as any of the other kinds of collections going on.”
