Pressure builds as Congress seeks answers on Equifax breach

Members of Congress continue to put pressure on Atlanta-based Equifax, joining a chorus of consumer groups that have criticized the credit bureau in the wake of a massive security breach.

On Tuesday, 24 Democratic members of the House Energy & Commerce Committee demanded answers about the breach, which compromised the personal information of more than 140 million U.S. consumers. A day earlier, the leaders of the Senate Finance Committee made similar demands in a letter to Equifax Chairman and CEO Rick Smith.

So far, the House Financial Services and the Energy & Commerce committees have called for hearings on the matter. More than two dozen lawsuits seeking class-action status also have reportedly been filed against Equifax.

Jeffrey Meuler, an analyst with Robert W. Baird & Co. who follows Equifax, said the company faces risks of regulatory and legislative changes that could affect its business. A finding of severe negligence in the company’s data handling or ballooning fraud costs are also possible threats, he said.

“The fact there’s going to be a congressional inquiry is not surprising,” Meuler said. Under the circumstances, he said, “it is warranted.”

The demands by the House and Senate committee members underscore the seriousness of the breach that’s rocked the Fortune 500 company, which plays a crucial role in the American financial system.

“Your company profits from collecting highly sensitive personal information from American consumers — it should take seriously its responsibility to keep data safe and to inform consumers when its protections fail,” the letter from the House committee Democrats said.

On Monday, after public pressure, Equifax said on Twitter it would waive fees for all applications for credit freezes for the next 30 days. The company also reversed itself and removed language in a suite of credit and identity theft protection services it is offering breach victims that consumer groups said would force users into binding arbitration and ban them from joining a class-action lawsuit.

Equifax, which traces its roots to the 1890s, helps banks decide whether to lend people money for homes and cars and whether to issue credit cards.

Equifax and fellow credit bureaus Experian and TransUnion also weigh in when you’re seeking a job, rental housing or insurance, helping companies verify whether you are who you say you are.

The company counts the federal government as a key customer, including the Internal Revenue Service, Centers for Medicare & Medicaid Services, the Social Security Administration and other federal agencies.

Letters from Congress

In a Monday letter to Smith, U.S. Sens. Orrin Hatch, R-Utah, and Ron Wyden, D-Ore., sought information about Equifax’s digital security infrastructure and further details about the personal information that was lost, and whether any government data also was exposed by criminal hackers. The senators also requested a detailed timeline of events about the breach and the company’s response.

The senators want answers about Equifax’s business, when it learned of the breach and about sales of stock by three Equifax executives days after the company learned of the incident but before the cyber theft had been made public.

The first question seeks a timeline of the breach, including “when it began, its discovery, the investigation of its scope and source, notification of authorities, efforts to notify customers and consumers, notification to the Equifax board of directors, and notification of Equifax senior executives — including, but not limited to, John Gamble Jr., Rodolfo Ploder, and Joseph Loughran.”

Gamble, Ploder and Loughran are the three executives who sold stock in the days after the July 29 discovery of the breach.

On Tuesday, U.S. Senator Heidi Heitkamp, D-N.D., called for an investigation into the stock sales, calling it "disturbing" that the sale appeared to happen before the incident was public, and stating that if a crime happened "somebody needs to go to jail," according to Reuters.

Equifax has said the executives were not aware of the breach when they sold their shares.

“These are very complicated issues, and we expect to be engaging with regulators and legislators in the future,” Equifax spokeswoman Meredith Griffanti said in a statement about the Senate Finance Committee letter. She said the company plans to respond to the committee’s request for information and Equifax is “listening to issues that consumers are experiencing, and their suggestions are helping to further inform our actions.”

The House Democrats’ letter, which wants answers by Sept. 22, seeks information about steps the company is taking to protect consumers, as well as answers about the stock sales. Hatch and Wyden want answers by Sept. 28.

The matter could come before one or more House committees in the coming weeks.

‘Fumbled out of the gate’

Equifax announced the breach last Thursday after business hours with a YouTube video, news release and a website for consumers.

Equifax gave few details about how the data was accessed and whether it was its own operations that were breached or those of an outside vendor. The company said only that “criminals exploited a U.S. website application vulnerability to gain access to certain files.”

Unauthorized access to the information occurred from mid-May to July, the company said, and was discovered by the company on July 29. Equifax engaged an outside cybersecurity firm for a forensic review.

Consumer groups called Equifax’s response inadequate. Others complained that the website set up to guide potential victims gave conflicting information about whether consumers’ personal information was exposed. Call centers also weren’t adequately prepared, critics said.

The company also took flak for its offer of a package of credit and identity theft protection services because of a clause watchdogs said meant victims of the hack couldn’t sue or join a class-action case against Equifax for the cyber breach.

Equifax later said the terms of use applied only to issues that might arise during the use of the credit protection service, not from the hack. Bowing to pressure, the company removed the arbitration and class-action clauses from the terms of use.

Conroy Boxhill, an expert in crisis public relations, said Equifax had six weeks from the time it learned of the breach until informing the public, and should have been better prepared.

“They fumbled out of the gate and there’s an erosion of confidence,” Boxhill said. “People think they’re not trustworthy.”

Boxhill said the company needs to address the public directly, inform consumers how the problem will be fixed and stop relying on canned statements. Equifax, he said, needs a public face to help allay people’s fears.

“This is a major, major event. You can’t hide from a situation like this,” he said.

Meuler, the analyst, said missteps are amplified in such situations, though he credited Equifax with waiving fees and taking other steps in response to consumers’ fears.

“But I do think the company could probably benefit from taking a more proactive approach to engaging with the public, with the consumer,” he said.