E&C Dems Question Equifax on Massive Data Breach

Washington, D.C. – Energy and Commerce Democrats today sent a letter to Equifax Chairman and CEO Richard Smith seeking more information about the massive data breach that has compromised the sensitive personal information of approximately 143 million Americans. The members asked what Equifax is doing to make consumers whole, how the breach occurred, and what the company is doing to safeguard against security breaches in the future. The members also expressed concern that it took Equifax more than a month to disclose the data breach to the public and that consumers continue to report difficulties they face in merely getting information about whether their personal information was compromised.

The letter was signed by all of the Democrats on the Energy and Commerce Committee – Ranking Member Frank Pallone, Jr. (D-NJ), Bobby Rush (D-IL), Anna Eshoo (D-CA), Eliot Engel (D-NY), Gene Green (D-TX), Diana DeGette (D-CO), Mike Doyle (D-PA), Jan Schakowsky (D-IL), G.K. Butterfield (D-NC), Doris Matsui (D-CA), Kathy Castor (D-FL), John Sarbanes (D-MD), Jerry McNerney (D-CA), Peter Welch (D-VT), Ben Ray Lujan (D-NM), Paul Tonko (D-NY), Yvette Clarke (D-NY), David Loebsack (D-IA), Kurt Schrader (D-OR), Joe Kennedy, III (D-MA), Tony Cárdenas (D-CA), Raul Ruiz (D-CA), Scott Peters (D-CA), and Debbie Dingell (D-MI).

"Your company profits from collecting highly sensitive personal information from American consumers—it should take seriously its responsibility to keep data safe and to inform consumers when its protections fail," the members wrote to Equifax CEO Richard Smith.

"We are writing with serious concerns about the immense scale of this data breach, and we have a number of questions about whether Equifax took appropriate steps to safeguard the personal information of consumers," the Democratic Committee members continued in their letter. "We also have concerns about the amount of time it took for Equifax to notify the public of the breach and about the way Equifax is providing information to consumers."

Almost immediately after Equifax announced the breach, consumers reported a number of problems with the website where people were directed to go to determine if their information was compromised. People who checked the website on both their mobile device and a computer received different results. False information entered into the fields also provided the same result as real information.

With an Energy and Commerce hearing expected for either later this month or in October, the members have requested answers to a series of questions prior to the hearing, including:

• Why did it take Equifax more than a month to announce this massive data breach?
• How did Equifax determine that offering credit monitoring services for one year – provided by Equifax itself – would be adequate to make consumers whole?
• How much money per year would an affected customer pay Equifax to extend the "complimentary" credit monitoring services beyond one year? How much money would Equifax make after one year on credit monitoring services that would be unnecessary but for Equifax's failure to safeguard consumer data?
• What measures is Equifax implementing after the event to improve the protection of consumer information residing on its network?
• What measures is the company taking to investigate the sale of stock in the aftermath of the company's discovery of the data breach, including whether these or other executives sought to delay the announcement of the data breach?
• What measures, other than offering credit monitoring services and identity theft protection, is Equifax taking to mitigate harm to consumers?

A copy of the letter is available here.