No company wants to be called out by a member of Congress for taking advantage of everyday Americans.
While Equifax didn't escape that particular fate in a report by Sen. Elizabeth Warren examining the events leading up to the credit-scoring firm's massive data breach last year, interim CEO Paulino Barros did avoid something potentially much worse: a push for Congress to enact laws allowing U.S. residents to wipe out their credit histories.
Instead, the Massachusetts Democrat said last week that Congress should set strict cybersecurity standards for companies like Equifax and rivals Experian and TransUnion and allow government regulators to fine them when they fail to protect consumer data.
"Equifax and other credit reporting agencies have taken advantage of consumers for years, collecting their data without permission and turning a huge profit while failing to adequately protect that data," Warren said in the report. "These practices won’t change without federal legislation."
Warren's proposals, coming from somebody in the liberal wing of the minority party, don't have much hope of going anywhere in the Republican-controlled Senate. However, Jaret Seiberg, an analyst with Cowen Washington Research Group, suggested that another hack at a credit bureau might alter that quickly. One more modest legislative change would be requiring the companies to provide unlimited credit freezes, a provision in a compromise Senate bill on banking deregulation.
Still, Warren's argument that only large penalties will convince credit bureaus to put more money toward cybersecurity might, in the meantime, prompt the firms to ramp up any investments they made in the wake of the Equifax attack, Seiberg said.
"This report could have been worse for Equifax and credit bureaus as Warren stops short of saying consumers should have more control over their credit data, including the right to bar its collection," Seiberg said. "The biggest policy threat to credit bureaus is legislation giving consumers the right to have their credit data forgotten."
The hack alone has already proved extremely costly, however. Atlanta-based Equifax lost more than half its market value after its autumn disclosure of the data theft, which ultimately spurred the resignation of then-CEO Richard Smith.
The shares, which eventually rallied to about $117 in early February, have yet to regain their September high of $142, though Smith's temporary successor has said the firm is making progress on improving its security and responding to numerous queries from lawmakers and regulators about what happened.
Data from birth dates to Social Security and driver's license numbers for 145 million people – information lenders routinely use to verify the identities of applicants for car loans, credit cards, and mortgages – were spirited away in the hack, which Equifax said it discovered in July 2017 but didn't reveal to consumers for over a month.
Such fundamental identification markers are tough, if not impossible, to alter, making the plight of people affected much worse than when credit cards or account numbers are stolen. Lenders can easily change those, and frequently do.
In sometimes-harsh hearings in October, lawmakers in both the House and the Senate berated Smith for the company's failures, suggesting that executives should have known the firm's data was a gold mine for hackers and installed the digital equivalent of security protections at Fort Knox, the U.S. gold depository in Kentucky.
Smith, who forfeited a yearly bonus valued at $3 million in the past, blamed the breach on staff mistakes and technological failures.
Equifax typically relied on its security team to notify the tech division of recommended software patches and updates, but an employee alerted to a vulnerability in Apache Struts failed to share the information – despite a warning from the U.S. Department of Homeland Security.
A follow-up digital scan didn't detect the issue either, ultimately leaving the company to contend with lawsuits, a U.S. Justice Department probe, and bills including one proposed by U.S. Rep. Jan Schakowsky, an Illinois Democrat, that would require prompt notification of consumers affected by a cybersecurity failure.
"We believe this is a turning point for anyone interested in protecting personal data," Barros, the interim CEO, told investors when the company reported quarterly earnings in November. "The time is right for an industry-wide solution that provides consumers with substantially improved visibility and control to personal credit data for free, for life."
While Equifax introduced an app in January that lets consumers using Apple and Android devices lock and unlock their credit reports on demand – a tactic that makes it tougher for fraudsters to open new accounts using stolen information but still allows consumers themselves to obtain loans – the tool doesn’t work for the company’s competitors, and it’s unlikely, by itself, to prevent tougher oversight.
Warren makes the case that such oversight should come from the Federal Trade Commission, led by a five-member panel, no more than three of whom can come from the same political party. At present, the commission has only two members, one a Democrat and one a Republican.
That recommendation may reflect the fact that the Consumer Financial Protection Bureau, which Warren championed, lost its aggressive leader, Richard Cordray, late last year. President Trump named Mick Mulvaney, a South Carolina Republican who had sought to kill the agency, as its interim director, and Reuters later reported that he had scaled back Cordray’s probe of Equifax and other credit bureaus.
The agency, however, demurred. Any reports that it’s not investigating the Equifax breach are incorrect, it said.
“Acting Director Mulvaney takes data security issues very seriously,” said his senior adviser, John Czwartacki. “Under his direction, the CFPB is working with our partners across government on Equifax’s data breach and response. We are committed to enforcing the law.”