Several U.S. lawmakers have called for further action in the wake of a $700 million settlement reached by state prosecutors with the credit bureau Equifax over its disastrous 2017 data breach.
The settlement, announced on Monday, is the largest thus far involving a security breach at a U.S. company. Up to $425 million will be used to compensate victims of the breach. Equifax also agreed to provide free credit monitoring services to all consumers impacted for the next decade. The company further agreed to study new, secure methods for identifying consumers other than by using their Social Security numbers, which are frequently stolen.
While the settlement was lauded by the negotiators—the Federal Trade Commission, the Consumer Financial Protection Bureau, and attorneys general from 48 states, Puerto Rico, and the District of Columbia—as “historic,” many federal lawmakers were less enthused. Congress has yet to pass any legislation that would force companies to vigorously secure consumer data, despite the fact that major data breaches have been a common occurrence for years.
“In a just world, these executives would be going to jail,” Senator Ron Wyden, a leading privacy hawk in Washington, said in response to the settlement. “No one should be able to collect deeply sensitive information on 200 million people without their consent, treat it with reckless disregard and then just pay a fine when a predictable, easily avoidable hack takes place.”
Wyden added that unlike Target and Home Depot, businesses that consumers could choose not to patronize after major data breaches of their systems, credit-reporting agencies like Equifax “play a role in consumers’ financial lives no matter how much they are disliked and no matter how shady their practices or how awful their cybersecurity.”
Rep. Frank Pallone, Jr., who chairs the Energy and Commerce Committee, said the settlement “does not come close to making consumers whole” and further underscores the limitations of the FTC’s enforcement abilities. “It also shows that we need a comprehensive data privacy and security law to ensure companies are designing their systems to protect consumer privacy from the start, minimizing the personal information they keep, and are held appropriately accountable if they fail.”
Rep. Greg Walden, the committee’s ranking member, called the settlement a “step forward” toward ensuring Americans affected by the breach could “recover and protect themselves.” His remarks stopped short of pressing for additional legislative action, calling instead on companies to “reexamine their security practices to make sure this type of avoidable event does not happen again.”
Rep. Anna Eshoo said the settlement “barely scratches the surface” with regard to compensating those impacted. “Data privacy will be the defining consumer protection issue of the 21st Century,” she said, adding that Congress should immediately pass “new laws backed with strong enforcement to safeguard every American’s information online.”
Sen. Edward Markey, who sits on the Commerce, Science and Transportation Committee, called the settlement “far from an adequate solution.” For years, he said, Equifax played “fast and loose” with the enormous amount of data it collected on Americans. “[W]e have to do much more to stop the next breach before it happens,” he said.
Markey added that he intends to reintroduce legislation announced in the aftermath of the Equifax breach, the Data Broker Accountability and Transparency Act, which would compel data brokers to develop rigorous data security procedures and allow consumers to prevent them from using, sharing, or selling their personal information.
Sen. Mark Warner, a leading sponsor of another bill, the Data Breach Prevention and Security Act—a proposed law that would impose mandatory penalties on credit bureaus that negligently handle consumer data—said that while he was pleased Equifax’s victims now have a recourse to get compensation, “we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”
“Americans don’t choose to have companies like Equifax collecting their data,” he said. “By the nature of their business models, credit bureaus collect your personal information whether you want them to or not.”