Senator To Ex-CEO: Equifax Can't Be Trusted With Americans' Personal Data

Former Equifax CEO Richard Smith, who stepped down just last week, faced a roomful of angry senators and some tough questions at a hearing Wednesday. It was the second of three congressional hearings he is testifying in front of this week.

Republicans and Democrats alike are upset about the massive hack of Social Security numbers and other sensitive information at the consumer credit reporting company.

"This simply is not a company that deserves to be trusted with Americans' personal data," said Sen. Sherrod Brown, D-Ohio, the Senate Banking Committee's ranking member. "Your actions have exposed over half the country's adults to financial harm."

The latest word from the embattled company is that the hack involved more than 145 million Americans.

Smith admits the breach occurred because Equifax failed to act on warnings to fix a software security problem. On top of that, senior executives sold millions of dollars in stock after the breach but before the company made it public. And the efforts to help consumers had a series of missteps.

"The whole thing is staggering," said Sen. Elizabeth Warren, D-Mass. "Equifax and this whole industry should be completely transformed."

Warren, who has already introduced legislation related to the Equifax breach, told Smith: "When companies like Equifax mess up, senior executives like you should be held personally accountable and the company should pay mandatory and severe financial penalties for every consumer record that is stolen."

One cybersecurity expert who spoke to NPR said he is getting calls from both Democrats and Republicans interested in creating new rules for the industry. And at the hearing Wednesday, Republicans were landing some verbal blows on Smith too.

Republican John Kennedy of Louisiana raised a series of questions about Equifax's basic business model and noted that the company also has a premium data monitoring service that it charges consumers for. "You can't run your business without me," he said. "My data is the product that you sell."

So Kennedy said it seems "incongruent" that Equifax charges people to make sure that the information it is collecting is accurate. "I mean I don't pay extra in a restaurant to prevent the waiter from spittin' in my food," the senator said.

Warren zeroed in on another way Equifax makes money. She said Equifax has some of the "worst" cybersecurity around because it actually has no incentive to protect people's data from being stolen and used for identity theft.

Warren said that while Equifax is offering free "credit monitoring" for a year, after that consumers will have to pay if they want to keep getting that protection. More than 7 million people have signed up for the free monitoring through Equifax since the breach, Warren said.

"If just 1 million of them buy just one more year of monitoring through Equifax at the standard rate of $17 a month, that's more than $200 million in revenue for Equifax because of this breach," she added.

Warren detailed other ways Equifax is already making more money as a result of the breach. For example, she said a company called LifeLock has seen a tenfold surge in enrollment since the breach. According to filings with the Securities and Exchange Commission, LifeLock purchases credit monitoring services from Equifax — so more money for LifeLock means more money for Equifax.

"You've got three different ways that Equifax is making millions of dollars off its own screw-up," Warren said. (LifeLock is among NPR's financial supporters.)

In the days after the breach, some Equifax executives made money another way — by selling millions of dollars' worth of the company's stock. Smith said "to the best of my knowledge" the executives didn't know of the breach at the time of the stock sales. "These are honorable men," he said.

But such explanations didn't seem to satisfy Sen. Jon Tester, D-Mont. "This really stinks," he said. "[T]he bottom line here is you had a hack that you found out about on [July] 29, you told the FBI about the breach and on that same day some high-level executives sell $2 million worth of stock."

Lawmakers also raised questions about the compensation Smith stands to get as he retires. "You leave with your base salary, unvested options and a pension, roughly valued at $90 million. Help me to understand why that's fair?" Sen. Brian Schatz, D-Hawaii, asked.

There was some disagreement on the exact amount of the pension and stock. But Smith said, "I've been fortunate; I've worked hard and I don't set those compensation levels, the board does, and the board is elected every year."

It's unclear whether the Equifax board will move to reduce or claw back any of that compensation.