We knew it wouldn’t be long before Congress demanded action in response to the Equifax data breach—particularly since several of its members are among the 143 million Americans who are pissed about having their Social Security numbers and other personal data exposed.
Equifax announced the breach yesterday, and so far the company’s behavior has been an example of how not to respond to a data breach. The tool for consumers to check if their data was stolen doesn’t really work, Equifax is supposedly offering free credit monitoring but no one can sign up yet, and several of its executives mysteriously sold off stock before the breach was announced.
In short, it’s a disaster—and lawmakers aren’t happy.
Among those taking action, three Democrats on the House Energy and Commerce Committee didn’t waste any time on Friday digging into the company’s questionable response.
In a letter Friday, US Representatives Frank Pallone, Jr., Diana DeGette, and Jan Schakowsky tasked the Government Accountability Office (GAO) with evaluating whether Equifax’s reaction to the breach will in any way benefit the millions of Americans now at risk of financial fraud. After all, Equifax is itself a credit reporting agency; there’s plenty of irony to go around.
Specifically, the lawmakers say they’re alarmed by GAO reports that suggest simply offering to monitor a breach victim’s credit is not the way to go. The entire purpose of offering this service, according to GAO’s findings, is to “avoid liability” while offering consumers “peace of mind.”
After the Office of Personnel Management (OPM) was breached in 2015, the federal government offered millions of its employees access to credit monitoring services. However, the GAO later found that this decision was not based on any actual analysis of whether or not the services were truly effective, the lawmakers said.
While putting people’s minds at ease is certainly a service, it’s hardly a substitute for a genuine shield against identity theft.
“Questions remain about whether purchasing and providing credit monitoring for customers is the optimal way to respond to data breaches,” the lawmakers wrote. “In particular, we are concerned that the popular response may reflect factors unrelated to the actual protection of breach victims and reliance on these products after the breach may result in consumers being lulled into a false sense of security.”
The Democrats have asked the GAO to take another swing at determining precisely what “post-breach solutions” would benefit victims of data theft—and not just those impacted by Equifax.
The lawmakers would like to know, for instance, as do we all, “To what extent does the most effective solution vary by breach type, victim characteristics, demographics or other key factors?” They’ve also asked: “To what extent are the services offered determined by price?” and “To what extent are they determined by their level of protection?”
“This incident shows how urgent the need is to find better ways to protect personal data,” Rep. Diana DeGette, the ranking member on the House subcommittee on oversight and investigations, told Gizmodo. “Clearly, as a country we need to craft new means to keep thieves and hackers from obtaining and using personal information. Simply compensating consumers whose data has been hacked with a year of monitoring is not going to be enough.”
Should the GAO identify “effective post-breach solutions and obstacles that impede their use,” DeGette and her colleagues have also asked for new recommendations on how both the federal government and the private sector can more widely leverage these solutions to the benefit of data breach victims.
It’s difficult to assess whether Equifax’s offer will actually help anyone. Despite its lengthy press release, the company has revealed next to nothing about the breach and the types of data stolen—beyond saying as many as 143 million customers might be at risk. The company didn’t disclose the breach for more than a month after detecting it, a decision which has drawn significant criticism. And the nature of the “website application vulnerability” supposedly responsible for the breach itself also remains unclear.
The ambiguity with which the company has described the incident—they have referred to it as a “cybersecurity incident” and an “intrusion”—could indicate that a hacker, or hackers, went to painstaking lengths to steal its customer database. One would presume they intend to use it. But for all we know now, the company might’ve simply left the door wide open, its databases made accessible through some serious lapse in security to virtually anyone with a web browser and the right IP address.
What can be weighed, however, is Equifax’s response after learning about the breach: Is the company doing everything it can to do right by its customers? Or is it acting solely in its own self-interest, taking only the steps necessary to reduce its own liability? So far, the outlook is not great. Offering to monitor the victims’ credit is the very definition of the least Equifax could do.
But now there are other concerns: Troubling language has been discovered on the website Equifax set up to allow its customers to check to see if their personal information was exposed. Few who’ve signed up likely noticed the “arbitration clause” in the terms of service that restricts them from participating in any class-action lawsuits arising from the incident. (Seriously, this is a thing.)
The GAO evaluation is only one of several investigative measures being pushed by members of Congress.
“It is a threat to our economic security,” Sen. Mark Warner tweeted. He floated several ideas for legislation to address cybersecurity nightmares like the Equifax breach, including notification standards for companies to tell consumers about hacks.
It doesn’t look like Energy and Commerce is going to be the only committee trying to get answers from Equifax, either. Rep. Ted Lieu is calling for the House Judiciary Committee to hold a hearing on the breach. Lieu wants Equifax to testify, of course, but he wants their major competitors—Experian and TransUnion—to come to the table, too. Each company, he said, should be required to explain how it is “taking proactive, defensive steps to prevent such breaches in the future.”
On top of the investigative hearings, some members of Congress are already pushing for legislation that would create stricter regulation of credit reporting agencies. Sen. Brian Schatz announced that he plans to reintroduce legislation he drafted in 2015 that would give consumers more control over their credit reports.
Gizmodo reached out to Equifax with a list of questions about the data breach Thursday afternoon. No one from the company has responded so far, but we’ll update when and if they do.
Update, 8:00pm: As a helpful reader pointed out below, Equifax has added language to a Q&A section on its website addressing the arbitration clause issue: