Senator To Ex-CEO: Equifax Can't Be Trusted With Americans' Personal Data

Oct 4, 2017
Originally published on October 5, 2017 7:48 am

Former Equifax CEO Richard Smith, who stepped down just last week, faced a roomful of angry senators and some tough questions at a hearing Wednesday. It was the second of three congressional hearings he is testifying in front of this week.

Republicans and Democrats alike are upset about the massive hack of Social Security numbers and other sensitive information at the consumer credit reporting company.

"This simply is not a company that deserves to be trusted with Americans' personal data," said Sen. Sherrod Brown, D-Ohio, the Senate Banking Committee's ranking member. "Your actions have exposed over half the country's adults to financial harm."

The latest word from the embattled company is that the hack involved more than 145 million Americans.

Smith admits the breach occurred because Equifax failed to act on warnings to fix a software security problem. On top of that, senior executives sold millions of dollars in stock after the breach but before the company made it public. And the efforts to help consumers had a series of missteps.

"The whole thing is staggering," said Sen. Elizabeth Warren, D-Mass. "Equifax and this whole industry should be completely transformed."

Warren, who has already introduced legislation related to the Equifax breach, told Smith: "When companies like Equifax mess up, senior executives like you should be held personally accountable and the company should pay mandatory and severe financial penalties for every consumer record that is stolen."

One cybersecurity expert who spoke to NPR said he is getting calls from both Democrats and Republicans interested in creating new rules for the industry. And at the hearing Wednesday, Republicans were landing some verbal blows on Smith too.

Republican John Kennedy of Louisiana raised a series of questions about Equifax's basic business model and noted that the company also has a premium data monitoring service that it charges consumers for. "You can't run your business without me," he said. "My data is the product that you sell."

So Kennedy said it seems "incongruent" that Equifax charges people to make sure that the information it is collecting is accurate. "I mean I don't pay extra in a restaurant to prevent the waiter from spittin' in my food," the senator said.

Warren zeroed in on another way Equifax makes money. She said Equifax has some of the "worst" cybersecurity around because it actually has no incentive to protect people's data from being stolen and used for identity theft.

Warren said that while Equifax is offering free "credit monitoring" for a year, after that consumers will have to pay if they want to keep getting that protection. More than 7 million people have signed up for the free monitoring through Equifax since the breach, Warren said.

"If just 1 million of them buy just one more year of monitoring through Equifax at the standard rate of $17 a month, that's more than $200 million in revenue for Equifax because of this breach," she added.

Warren detailed other ways Equifax is already making more money as a result of the breach. For example, she said a company called LifeLock has seen a tenfold surge in enrollment since the breach. According to filings with the Securities and Exchange Commission, LifeLock purchases credit monitoring services from Equifax — so more money for LifeLock means more money for Equifax.

"You've got three different ways that Equifax is making millions of dollars off its own screw-up," Warren said. (LifeLock is among NPR's financial supporters.)

In the days after the breach, some Equifax executives made money another way — by selling millions of dollars' worth of the company's stock. Smith said "to the best of my knowledge" the executives didn't know of the breach at the time of the stock sales. "These are honorable men," he said.

But such explanations didn't seem to satisfy Sen. Jon Tester, D-Mont. "This really stinks," he said. "[T]he bottom line here is you had a hack that you found out about on [July] 29, you told the FBI about the breach and on that same day some high-level executives sell $2 million worth of stock."

Lawmakers also raised questions about the compensation Smith stands to get as he retires. "You leave with your base salary, unvested options and a pension, roughly valued at $90 million. Help me to understand why that's fair?" Sen. Brian Schatz, D-Hawaii, asked.

There was some disagreement on the exact amount of the pension and stock. But Smith said, "I've been fortunate; I've worked hard and I don't set those compensation levels, the board does, and the board is elected every year."

It's unclear whether the Equifax board will move to reduce or claw back any of that compensation.

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

DAVID GREENE, HOST:

Senators, pretty angry senators, had some tough questions for Equifax yesterday. The heat was really on the CEO who just resigned. As NPR's Chris Arnold reports, Republicans and Democrats alike are upset about the massive hack of Social Security numbers and other sensitive information, one of the worst data breaches in American history.

CHRIS ARNOLD, BYLINE: The hack affected more than 145 million Americans - that's nearly half the U.S. population - and it happened because the company failed to act on warnings from the Department of Homeland Security to fix a software problem leaving it vulnerable to a breach for more than two months. That's what allowed the hackers to break in. Democrat Sherrod Brown told former CEO Richard Smith...

(SOUNDBITE OF ARCHIVED RECORDING)

SHERROD BROWN: This simply is not a company that deserves to be trusted with Americans' personal data. Your actions have exposed over half the country's adults to financial harm.

ARNOLD: This catastrophic data breach has lawmakers taking a close look at the entire credit-monitoring industry. Both Republicans and Democrats are calling cybersecurity experts to discuss legislation, and in the hearing, Republicans were landing some verbal blows on Smith, too. Republican John Kennedy of Louisiana raised a series of questions about Equifax's basic business model.

(SOUNDBITE OF ARCHIVED RECORDING)

JOHN KENNEDY: You collect my information without my permission. You take it along with everyone else's information and you sell that information to businesses. Is that basically correct?

RICHARD SMITH: That's largely correct.

ARNOLD: Kennedy said he didn't have a problem with businesses making money, but he took issue with an Equifax data-monitoring service which he said basically charges people to make sure the data Equifax collects on them isn't full of mistakes.

(SOUNDBITE OF ARCHIVED RECORDING)

KENNEDY: I mean, I don't pay extra in a restaurant to prevent the waiter from spitting in my food.

ARNOLD: Democratic Senator Elizabeth Warren zeroed in on another way that Equifax makes money.

(SOUNDBITE OF ARCHIVED RECORDING)

ELIZABETH WARREN: In August, just a couple of weeks before you disclosed this massive hack, you said - and I want to quote you here - "fraud is a huge opportunity for us. It is a massive, growing business for us."

ARNOLD: In fact just a few days ago, the IRS agreed to pay Equifax for fraud prevention services. That struck Senator Kennedy as a little odd.

(SOUNDBITE OF ARCHIVED RECORDING)

KENNEDY: You realize to many Americans right now, that looks like we're giving Lindsay Lohan the keys to the mini bar.

SMITH: I understand your point.

ARNOLD: Elizabeth Warren said the incentives in the industry are out of whack. Equifax makes money selling credit-monitoring and fraud prevention services. It works through other businesses to do that, too, and has contracts with the government, and this massive hack means there'll be more demand for fraud prevention. So, she said, it's no wonder that the company didn't guard people's data more closely.

(SOUNDBITE OF ARCHIVED RECORDING)

WARREN: Look, you've got three different ways that Equifax is making money, millions of dollars, off its own screw-up.

ARNOLD: Equifax is offering free credit-monitoring for one year, but then people will have to pay to keep that service. Warren did some math and said that if just a small fraction of the people who already signed up for the free service stick with it and pay for just one year...

(SOUNDBITE OF ARCHIVED RECORDING)

WARREN: That's more than $200 million in revenue for Equifax because of this breach.

ARNOLD: Then there's the issue of Equifax executives who sold the company's stock before the hack was made public. Montana Democrat Jon Tester.

(SOUNDBITE OF ARCHIVED RECORDING)

JON TESTER: You had a hack. You told the F - the FBI about the breach. On that same day, high-level execs sell $2 million worth of stock.

ARNOLD: That didn't seem to be passing Tester's sniff test.

(SOUNDBITE OF ARCHIVED RECORDING)

TESTER: This really stinks. I mean, it really smells really bad.

ARNOLD: For his part, Smith defended the executives, saying to the best of his knowledge they did not know about the breach when they sold the stock.

(SOUNDBITE OF ARCHIVED RECORDING)

SMITH: These are honorable men who followed the protocol that was outlined by the organization.

ARNOLD: Lawmakers also raised questions about how much money Richard Smith stands to get as he retires. Democrat Brian Schatz.

(SOUNDBITE OF ARCHIVED RECORDING)

BRIAN SCHATZ: You leave with your base salary, unvested options and a pension roughly valued at $90 million. Do you think that's fair?

ARNOLD: Smith first said he wasn't sure that was the right amount, but then responded...

(SOUNDBITE OF ARCHIVED RECORDING)

SMITH: I've been fortunate. I've worked hard. And I don't set those compensation levels. The board does. The board's elected every year.

ARNOLD: It's unclear whether the board will move to reduce or claw back any of Smith's compensation. Chris Arnold, NPR News.