Monday, September 18, 2017

Congress looks for hearings, documents on Equifax data breach

By Colleen M. Svelnis, J.D.

Democrats and Republicans from both the House of Representatives and the Senate are calling for investigations into the massive data breach revealed by Equifax, and proposed legislation has been introduced in the Senate to address issues arising from the breach. According to Equifax, the breach lasted from mid-May through July and compromised the personal information of up to 143 million Americans. The information potentially accessed primarily included names, Social Security numbers, birth dates, addresses, and driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, may have been accessed. Equifax discovered the unauthorized access on July 29, 2017.

A bipartisan group of 37 senators is calling on key federal agency leaders to investigate reports that senior Equifax officials sold over $1.5 million in the company’s securities within days of its announcement of a cybersecurity breach. The letter was addressed to Securities and Exchange Commission Chairman Jay Clayton, U.S. Attorney General Jeff Sessions, and Acting FTC Chairman Maureen Ohlhausen. “We need answers, and I’m calling on leaders of the SEC, FTC, DOJ, and Senate Banking Committee to do just that. If there’s sufficient evidence to warrant criminal prosecution, it’s necessary to hold these executives accountable to the fullest extent of the law. Cybercrimes and identity theft are frightening and we also need to do everything we can to prevent such breaches to keep families safe,” stated Sen. Heidi Heitkamp (D-ND), one of the Senators who signed the letter.

Risk for further breaches?
Senator Elizabeth Warren (D-Mass) has launched a broad investigation into the causes of the breach, the response by Equifax, and possible next steps to address problems at credit reporting agencies and better protect consumers. Warren sent a letter expressing her concerns to Equifax, as well as the other major credit reporting agencies TransUnion and Experian. Warren wrote that Equifax failed to provide information describing exactly how the breach happened, and exactly how Equifax security systems failed. She lamented that Equifax’s “initial efforts to provide customers information did nothing to clarify the situation and actually appeared to be efforts to hoodwink them into waiving important legal rights.” In her letters to TransUnion and Experian, Warren asked for answers to questions to provide consumers “with clarity on the danger of identity theft in the aftermath of the Equifax breach,” and the public with information “about the risk of further data breaches, and to address concerns about the credit ratings industry as a whole.”

Warren has also sent a letter to the Federal Trade Commission and the Consumer Financial Protection Bureau on oversight actions prior to and following the breach, and a letter to the Government Accountability Office requesting a thorough investigation into consumer data security. In her letter to the FTC and CFPB, Warren requested details regarding when the agencies were informed of the breach, whether the credit reporting agencies were obligated “to report any information to your agencies, either prior to the public notice or after the public notice was sent,” what steps were taken to protect consumers, the number of inquiries or complaints the agencies received related to the breach, the investigative authority each agency has, and whether each agency has regulatory authority over credit reporting agencies.

Warren expressed concern in her letter to the GAO about the actions of credit reporting agencies, pointing out that Equifax obtains and uses “massive troves of data on millions of consumers, but consumers have little to no power over how this data is collected, how it is used, or how it is kept safe.” Warren requested that the GAO investigate the oversight of credit reporting agencies and provide an analysis of potential impact on major federal programs.

Wants hearing scheduled. Heitkamp and nine other Democratic senators on the Senate Banking, Housing and Urban Affairs Committee also sent a letter to Committee Chairman Mike Crapo (R-Idaho) requesting that the Banking Committee hold immediate hearings on the Equifax breach. The letter described the “additional issues” that have come to light that “further underscore the need for the committee’s attention,” including Equifax’s Chief Financial Officer selling nearly $2 million of stock five days after discovering the data breach, and the extreme delay between when Equifax discovered the breach, on July 29, and its public announcement of the breach, on September 7. The letter also mentioned the initial requirement, since rescinded, that possible victims of the breach waive their right to participate in class-action lawsuits in order to receive access to Equifax’s credit monitoring product.

According to the letter, the magnitude of the breach “merits a thorough investigation and comprehensive review” by the committee. “We should accept nothing less than a full and transparent explanation of what went wrong, who is responsible, how to fix it, and how to prevent such catastrophes in the future.”

Documents requested by committee members. House Oversight and Government Reform Committee Chairman Trey Gowdy (R-SC) and House Science, Space, and Technology Committee Chairman Lamar Smith (R-Texas) have sent a letter to Richard Smith, Chairman and Chief Executive Officer of Equifax Inc., requesting documents and a briefing related to the recent data breach, which the letter states likely affected nearly half of the American population. The letter also noted that the breach “potentially exposes federal employees’ personally identifiable information” because Equifax helps conduct background checks and security clearances for government workers. The committee chairs requested a briefing by Equifax by September 28 in order to “better understand the ramifications of the breach for consumers and the federal government, the delay by Equifax in publicizing the breach, and any mitigating steps being taken by Equifax.” 

The letter also requested the following documents:

1) All documents and communications referring or relating to the breach(s) of personally identifiable information announced on Sept. 7, 2017, including, but not limited to, documents and communications to and from members of Equifax's corporate leadership.

2) All documents and communications referring or relating to the NIST Framework or other cybersecurity standards used by Equifax.

3) All documents and communications regarding federal contracts for credit and identity verification services and information technology security plans related to these contracts for the last three fiscal years.

4) All documents and communications referring or relating to the website “equifaxsecurity2017.com.”

5) All documents and communications referring or relating to Equifax’s decision to publicize the data breach, the timing thereof, or any intervening actions the company took in response to or relating to the data breach between July 29, 2017, and Sept. 7, 2017.
