Richard E. Smith, the former Equifax (EFX) CEO who stepped down in the wake of a massive data hack, kicks off three days of congressional testimony today to explain how the breach was able to take place.
Smith appears before the House Energy and Commerce Committee starting at 10 a.m. He will apologize, according to prepared testimony shared Monday. Smith retired just weeks after the company disclosed a data breach that exposed the personal data of 145.5 million consumers.
Even though Smith is visiting with more visible committees later in the week, today's hearing will be closely watched because it is expected to set the tone for the rest of the hearings, according to Wall Street analysts. Smith will appear on Wednesday before the Senate Banking Committee, on which Massachusetts Democrat Sen. Elizabeth Warren sits, followed by the House Financial Services Committee Thursday.
If Smith doesn't perform well, it increases the probability that lawmakers will advance legislation over how consumers' data is both collected and protected. Credit bureaus are currently subject to rules about how they can sell consumers' financial data, but some lawmakers are calling for stricter oversight aimed at preventing credit fraud and correcting errors on credit reports. Any regulations limiting credit agencies' ability to collect data would threaten their business model, analysts say.
What happened so far
9:55 a.m. -- Equifax's CEO has already taken the standard steps required of a leader when a massive breach happens on their watch: apologized, taken responsibility for the attack and left the company.
To people affected by the breach, Equifax is offering free credit monitoring across all three credit bureaus, credit locks and insurance for costs linked to identity theft.
It's taken the company a while to get to this point. Its initial response, for which it was heavily criticized, was to offer one year's worth of credit monitoring and require customers who signed up for the service to waive their right to sue the company.
Richard Smith is expected to lay out in detail how the breach happened. In his prepared testimony, he blamed the breach on a combination of human error and technological failures. On March 8, Smith said, the Department of Homeland Security warned the company it needed to patch a particular vulnerability in software used by Equifax and other businesses. The company emailed out that warning the following day and requested that applicable personnel install the upgrade. But even though Equifax's policy required the upgrade to occur within 48 hours, Smith said that did not happen.
10:06 a.m. -- Rep. Bob Latta (R-Ohio), who chairs the subcommittee on digital commerce and consumer protection, set out the basic lines of the committee's questioning in his opening statement Tuesday: how did the breach happen, what policies were in place to prevent it, and were they followed?
Ranking member Janice Schakowsky (D-Ill.) was more fiery, calling the breach "predictable but not inevitable."
"We have these under-regulated private data collecting detailed information about American consumers. Consumers don't have a choice of what information Equifax, or for that matter, TransUnion or Experian, collects," she said. "Because consumers don't have a choice, we can't expect credit reporting agencies to self-regulate," she said. She called out a bill she introduced that would require prompt notification of a breach, among other things.
Committee Chair Greg Walden (R-Ore.) described the incident this way:
"It's like the guards at Fort Knox forgot to lock the doors and failed to notice that thieves had broken in."
Rep. Frank Pallone (D-N.J.), the ranking member, brings up a point several made: consumers don't have a choice in whether credit bureaus collect their data. In other data breaches, like those at Target or Michaels, consumers could choose not to shop at a store that was affected. This isn't the case with credit reporting.
Under current law, it's unlikely that Equifax would face criminal liability, tech experts say.
"The problem is that there aren't any laws and regulations forcing companies to provide a certain level of cybersecurity," Jeff Williams, CTO and co-founder of Contrast Security, told CBS MoneyWatch in an email.
The timeline of the hack
10:15 a.m. -- Former CEO Rick Smith, who stepped down last week but is still an adviser to Equifax, began by summarizing his written testimony.
"As CEO I was ultimately responsible for what happened on my watch," he said. "To each and every person affected by this breach, I am deeply, deeply sorry that this occurred."
The hack occurred around May 13, Smith said. According to the timeline he laid out, the company noticed "suspicious activity" July 29 in a consumer dispute portal. Smith was notified on July 31, and called in a cybersecurity law team on Aug. 2. But it wasn't until late August that Equifax concluded they had experienced a major breach, Smith said.
Smith concluded by saying, "I believe we need a public-private partnership to evaluate how best to protect Americans' data going forward." His written testimony mentioned replacing Social Security numbers, which currently function as Americans' primary form of identification for financial and other sensitive transactions.
Rep. Latta pushed Smith on when he found out that personal data had been compromised, but Smith declined to give a timeline. Smith said it was a "cumbersome, cumbersome process" to figure out how a breach occurred or where it came from.
Latta countered, "Your company is built on data--did you think to ask if any personal data had been stolen?"
Smith said it was not until Aug. 17 that "the picture developed" and the company realized what they'd been calling an "incident" was actually a hack.
10:50 a.m. -- In response to questioning from Rep. Greg Walden (R-Ore.), Smith explains that there was a protocol in place to fix the software flaw that led to Equifax being breached. It wasn't followed, he said.
"I don't think we can pass a law that, excuse me for saying this, fixes stupid," said Walden. He pressed Smith on the issue of human error and double-checking of systems and software.
"The human error was, the individual who was responsible for communicating the patch, in the organization, did not," Smith said. A few days later, there was a scan of the system, which also didn't reveal the vulnerability.
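The testimony above describes two controls that both failed: a 48-hour patch policy that depended on one person forwarding the advisory, and a follow-up scan that did not detect the still-unpatched system. The script below is an added example (not Equifax's code or anything from the hearing) of how a defender can reconcile an advisory against an asset inventory so that the SLA check does not rest on a single email, and so that a scanner reporting "clean" on a host the inventory says is unpatched is surfaced as a discrepancy rather than taken at face value. All host names, versions, timestamps, and the advisory identifier are constructed for illustration.

```python
"""Reconcile a patch advisory with an asset inventory and a scan report.

Added example (not from the original article or from Equifax). Flags hosts
that missed the 48-hour patch window described in testimony, and hosts
where the vulnerability scanner disagrees with the inventory. All data
below is constructed sample input.
"""
from datetime import datetime, timedelta

PATCH_SLA = timedelta(hours=48)  # policy window from the testimony

# Constructed advisory: identifier and component are placeholders.
ADVISORY = {
    "id": "ADV-PLACEHOLDER-001",
    "component": "webframework",
    "fixed_version": "2.3.32",
    "notified_at": datetime(2017, 3, 8, 9, 0),  # day the warning arrived
}

# Constructed inventory: one host patched on time, one late, one never,
# one running an unrelated component.
INVENTORY = [
    {"host": "portal-web-01", "component": "webframework",
     "version": "2.3.32", "patched_at": datetime(2017, 3, 9, 15, 0)},
    {"host": "portal-web-02", "component": "webframework",
     "version": "2.3.20", "patched_at": None},
    {"host": "dispute-api-01", "component": "webframework",
     "version": "2.3.32", "patched_at": datetime(2017, 3, 14, 10, 0)},
    {"host": "batch-01", "component": "otherlib",
     "version": "1.0.0", "patched_at": None},
]

# Constructed scan output: the scanner wrongly reports portal-web-02 clean.
SCAN_RESULTS = {
    "portal-web-01": "clean",
    "portal-web-02": "clean",
    "dispute-api-01": "clean",
}


def version_tuple(version):
    """'2.3.32' -> (2, 3, 32) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_fixed(installed, fixed_version):
    """True when the installed version is at or above the fixed version."""
    return version_tuple(installed) >= version_tuple(fixed_version)


def assess(advisory, inventory, scan_results, now):
    """Return per-host findings for every asset the advisory applies to.

    status is one of 'within_sla', 'late', 'unpatched'. overdue_by is how far
    past the deadline the patch landed (or, if unpatched, how far past it we
    are now). scanner_miss is True when the scanner reported the host clean
    but the inventory shows the vulnerable version is still installed.
    """
    deadline = advisory["notified_at"] + PATCH_SLA
    findings = {}
    for asset in inventory:
        if asset["component"] != advisory["component"]:
            continue  # advisory does not apply to this asset
        host = asset["host"]
        fixed = is_fixed(asset["version"], advisory["fixed_version"])
        if not fixed:
            status, overdue_by = "unpatched", max(now - deadline, timedelta(0))
        elif asset["patched_at"] is not None and asset["patched_at"] <= deadline:
            status, overdue_by = "within_sla", timedelta(0)
        else:
            # Fixed version present but applied after the deadline (or with
            # no recorded time, which is itself worth a look).
            applied = asset["patched_at"] or now
            status, overdue_by = "late", max(applied - deadline, timedelta(0))
        findings[host] = {
            "status": status,
            "overdue_by": overdue_by,
            "scanner_miss": (not fixed) and scan_results.get(host) == "clean",
        }
    return findings


def summarize(findings):
    """Count hosts per status and count scanner/inventory disagreements."""
    summary = {"within_sla": 0, "late": 0, "unpatched": 0, "scanner_miss": 0}
    for finding in findings.values():
        summary[finding["status"]] += 1
        if finding["scanner_miss"]:
            summary["scanner_miss"] += 1
    return summary


if __name__ == "__main__":
    report = assess(ADVISORY, INVENTORY, SCAN_RESULTS,
                    now=datetime(2017, 3, 15, 12, 0))
    for host, finding in report.items():
        print(f"{host}: {finding['status']}, overdue by {finding['overdue_by']},"
              f" scanner_miss={finding['scanner_miss']}")
    print(summarize(report))
```

The point of keeping the inventory as the source of truth is that an SLA breach shows up even if nobody read the advisory email, and a host the scanner calls clean is still reported when its installed version says otherwise.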
Rep. Frank Pallone (D-N.J.), the ranking member, brings up a speech Smith gave on Aug. 11 pitching Equifax's fraud protection services.
"Fraud is a huge opportunity--it's a massive, growing business for us," Pallone quoted Smith as saying. Smith maintained that he did not know then that Equifax's own consumers had been affected, and that he did not know its extent until Aug. 17.
Pallone then moved to language Equifax included in its credit-lock service that said consumers' information might be shared with affiliate marketers. Smith answered categorically.
"There will be no cross-selling, upselling, of services to the consumer" who signs up for credit protection with Equifax, he said.
11:02 a.m. -- Rep. Joe Barton (R-Texas) wants a law that would fine Equifax for every consumer who's been affected in the breach.
"You're really just required to notify everybody and say, so sorry, so sad," Barton said to Smith. "It seems to me you might pay a little more attention to security if Equifax were required to pay every consumer who was affected several thousand dollars."
"We could have this hearing every year, from now on, if we don't do something to change the current system."
One of Barton's staffers was affected by the breach, he tells Smith. Barton takes issue with the amount of information Equifax keeps, including where someone went to school--information that's not necessary to decide if someone is creditworthy, he said. (Equifax has data on about 800 million people worldwide.)
Equifax is offering a free credit lock for customers who were affected by the breach. Consumer advocate groups say a credit lock is not as good as a credit freeze, but Smith maintained at the hearing that they offer the same level of protection.
A credit freeze is legally binding, according to Consumer Reports, whereas a lock is simply an agreement between a consumer and a company.
Rep. Ben Ray Luján (D-N.M.) asked if Equifax would pay for affected customers to freeze their credit file with the other two credit reporting bureaus, and if it would compensate people whose identity was stolen in the hack. Smith didn't give direct answers to those questions.
"You can't change your social security number"
11:21 a.m. -- Rep. Fred Upton (R-Mich.) asked if criminals who stole consumers' data are able to manipulate what shows up in a consumer's credit report. They couldn't, Smith said.
Smith also said that the breach was limited to one part of the site, a consumer dispute portal, which was shut down at the end of July after the company discovered the so-called suspicious activity.
"You can't change your social security number, and I can't change my mother's maiden name," said Rep. Debbie Dingell (D-Mich.). There ought to be a law that better protects consumers, she said, reiterating what some Democratic members have brought up. (Dingell is a co-sponsor of Jan Schakowsky's bill on this issue.)
Dingell also asked whether Equifax's hackers were backed by state actors; Smith demurred, saying Equifax involved the FBI. He later conceded that it was "possible."
"I think we need a broader debate about who owns this data," Dingell closed.
Rep. Doris Matsui (D-Calif.) returned to this issue later, with a question that seemed to stump Smith.
"In the context of this breach, if Equifax has data about me, do I own it?" she asked.
Smith answered that Equifax was part of a federally regulated industry, and consumers could allow others to access data about them, but did not directly answer the ownership question.
11:32 a.m. -- Three Equifax executives sold company stock on Aug. 1 and 2, shortly after the company found out about "suspicious activity" but before the company realized it was a full-fledged hack, according to Smith's timeline. Some reports have raised the question of whether this qualifies as insider trading.
The sale would have been approved by John Kelly, Equifax's CEO and top lawyer. Smith painted it as a routine matter, saying it was typical for stock sales to happen at the end of a quarter, and that the company encouraged people to sell stock early.
Responding to probing questions from Rep. Michael Burgess (R-Texas), Smith reiterated that he and the Equifax board did not know about the breach in the early days of August.
11:43 a.m. -- Equifax's initial demand that people signing up for credit protection agree to arbitration was "a mistake," Smith told Rep. Adam Kinzinger (R-Ill.).
"That clause was never intended to be in there," Smith said, explaining that it was a "standard boilerplate clause" in other agreements. He couldn't answer a follow-up question about why Equifax required binding arbitration for some of its other products, saying only that it was "standard."
11:48 a.m. -- The consumer data that was revealed in the hack was "not encrypted at rest," Smith told Rep. Adam Kinzinger (R-Ill.). Smith reiterated that the data was inside a portal that people used to dispute credit decisions, and was not part of what Equifax considers a "core data" file.
Kinzinger followed up with the obvious question--were there 145.5 million people who had disputes with Equifax? People use the portal for a variety of reasons, Smith explained, adding that the company was required to keep some types of data for up to seven years.
How many meetings?
12:06 p.m. -- Several Congress members have pressed Smith on how many times he met with the security team between May and August -- the period between when the hack took place and when Equifax leadership knew about it.
Smith has said a meeting each with security and with IT took place every quarter, but can't recall exactly how many meetings he had in that time.
12:40 p.m. -- Rep. Tim Murphy (R-Penn.) hammered Smith on why Equifax set up a separate site for consumers to check if their information was compromised. Several lawmakers brought up the site, equifaxsecurity2017.com, in the context of a spoof website created by a critic. Smith said that Equifax's own site wouldn't have been able to handle 400 million consumer visits.
Equifax previously came under fire when it turned out that its Twitter account sent customers looking for breach information to the wrong website.