If you’ve spent any time in front of C-SPAN this week, you’ve probably seen Congress repeatedly taking Equifax’s former CEO out to the woodshed. It’s been quite the shellacking. And it almost seemed as if we’d finally reached a breaking point. America wasn’t going to put up with companies recklessly handling our private data, losing control over it, saying “sorry” and moving on like it’s business as usual any longer.
But then came the gut punch: Almost a month after Equifax fessed up to a data breach affecting up to 143 million people (145 million we know now), news broke that the company had been handed a no-bid federal contract with the IRS. Sure, it was only worth $7.25 million, chump change in the long run, but those aren’t just regular dollars—they’re freakin’ taxpayer dollars. It’s enough to make you spit.
But one Texas lawmaker has an idea about how to rectify the situation: instigate a Department of Homeland Security (DHS) investigation into whether Equifax represents a cybersecurity risk to the federal government. In a statement, Republican Representative John Ratcliffe, a member of the House Committee on Homeland Security, called the Equifax breach a “cybersecurity negligence of epic proportions,” and he’s asking DHS to use its authority to “address this troubling development.”
The news that the Internal Revenue Service (IRS) awarded a multi-million dollar contract to Equifax to assist in “ongoing identity verification and validations” left several lawmakers stunned, particularly those whose legislative duties include dealing with credit-reporting agencies and consumer data breaches. In a letter to IRS chief John Koskinen, Representative Earl Blumenauer wrote that he thought the news was something out of “The Onion.”
Representative Debbie Dingell, the cosponsor of a House bill that would require prompt notifications in the event of a breach, told Gizmodo that until Equifax truly answers for what happened, the company should not be “rewarded for reckless data protection with a $7.25 million IRS contract.”
“Americans place their faith in federal agencies—the IRS most certainly included—to safeguard vast amounts of their highly sensitive personal information,” Ratcliffe said. “As the lead civilian cybersecurity agency, DHS should play an important role in ensuring federal agencies engage in responsible cybersecurity behavior, so we can maintain the confidence of the American people.”
Ratcliffe’s spokesperson told NextGov on Thursday that the congressman wasn’t ready to say Equifax should be banned throughout the federal government, only that DHS should issue “binding operational directives” forcing federal agencies to improve their cybersecurity. Presumably, that would include not using services with a track record of negligently handling customers’ data. It could mean forcing the IRS to reconsider Equifax’s contract.
Banning Equifax entirely is an interesting idea, if not a risky precedent. If the federal government instituted a ban on every company affected by a data breach, it might run out of services to rely on. It’s widely accepted, after all, that it’s a question of “not if, but when” a given corporation will experience a data breach.
But that’s why culpability must be weighed against the company’s own conduct in the aftermath of a breach: Did it needlessly put consumers in harm’s way by disregarding its obligations to security? Did the company respond swiftly, doing everything in its power to protect those affected, notifying them promptly of any lingering risk? Equifax’s response, which included waiting over a month to notify the public and repeatedly failing to detect easily patched security vulnerabilities, does not cut the mustard.
We’ve reached out to the Democrats on Representative Ratcliffe’s committee to see if his idea has earned any bipartisan support. (So far, taking it to Equifax has been a spectacularly bipartisan affair!) And we’ve asked DHS if they’re considering Ratcliffe’s investigation. We’ll update when we get a response.