WASHINGTON — It takes a lot to unite Congress in outrage these days, given how divided along party lines it’s become. Equifax this week managed that feat.
Firebrand consumer watchdog Elizabeth Warren was joined Wednesday by a number of Republicans on the Senate Banking Committee in roasting the company over its enormous data breach this year in which the personal information — including Social Security numbers — of as many as 145.5 million Americans was compromised.
It turns out letting hackers steal personal, sensitive information of nearly half the US population riles up lawmakers on both sides of the aisle.
“Equifax did a terrible job of protecting our data because they didn’t have a reason to care to protect our data. The incentives in this industry are completely out of whack,” Warren, the Massachusetts Democratic senator, told Equifax’s former chairman and CEO, Richard F. Smith, during a hearing, his second of four congressional appearances scheduled this week.
“Consumers — not you — consumers should decide who gets access to their own data, and when companies like Equifax mess up, senior executives like you should be held personally accountable, and the company should pay mandatory and severe financial penalties for every consumer record that’s stolen,” she continued.
Warren’s words echoed the sentiment of Texas Republican Representative Joe Barton, who during a Tuesday House hearing said he wants new legislation “to put some teeth” behind penalties by forcing companies to pay each consumer whose account is hacked. If the fines are large enough, even a company as big as Equifax — which Smith said was worth $13 billion — would probably be motivated to do more to protect consumers’ sensitive data, Barton said.
Barton is in the early stages of drafting such a bill, a spokesman told the Globe, and expects to have it out in the next couple of weeks.
“You’re just required to notify everybody and say, ‘So sorry, so sad,’ ” he said. “It would seem to me that you might pay a little more attention if you had to pay everybody whose account got hacked a couple thousand bucks or something.”
Whether threats like these turn into a crackdown on the credit-rating industry remains to be seen.
Many financial industry analysts are skeptical that the Republican-controlled Congress will ultimately pass anything. Efforts to do so in the past have run into dead ends. Equifax alone spent more than $1 million last year lobbying lawmakers and regulators to relax rules on credit-reporting companies, according to congressional lobbying disclosure forms. This year, the company has already spent $500,000 on similar issues, including in favor of legislation that would cap its legal liability if sued by consumers.
Republicans on the Senate banking panel didn’t go as far calling for specific legislation, but they heaped plenty of outrage on Smith.
They, along with Democrats, criticized the company’s lax data security procedures. They expressed skepticism about the business model on which Equifax and the two other big credit-rating agencies rely — basically, collecting information on US consumers, without their permission, and making money by selling it to other businesses. Then they charge consumers to monitor for misuse of that information, if and when it is stolen by criminals.
“I mean, I don’t pay extra in a restaurant to prevent the waiter from spitting in my food,” observed Louisiana GOP Senator John Kennedy.
Equifax and its competitors are required by law to offer consumers a free credit check once a year, which helps borrowers measure their own creditworthiness. They also charge more to consumers for a premium credit check. Their main business is selling financial data on millions of people to banks and other lenders.
In addition to the departure of its chief executive, Equifax is facing an investigation by the Federal Trade Commission as a result of its security breach, which occurred between May and July.
Under Warren’s questioning, Smith acknowledged that after the year of free credit monitoring Equifax is offering to those affected by the breach, consumers will have to pay to continue the service. If even a small portion of the 7.5 million consumers who’ve signed up for that free monitoring stick around after the year mark, it will mean millions in annual revenue for the company, Warren said.
Warren quoted remarks Smith made at an August conference where he said, “Fraud is a huge opportunity for us. It is a massive growing business for us.”
Senators of both parties pressed Smith on why in late July top Equifax executives sold large amounts of stock, worth close to $1.8 million, in the period after evidence of a breach surfaced but before it was publicly disclosed, depressing the stock price. Smith called the executives “honorable men” who did not know the scope of the breach at the time.
Lawmakers were not convinced.
“What y’all want us to believe is that the three luckiest investors who sold their stock did so without any knowledge that that suspicious activity may be bigger and more powerful than any other suspicious activity perhaps in the history of this company. I find that hard to believe,” said Senator Tim Scott, a Republican from South Carolina.
Democrats are pushing hard for legislation that would hit credit-reporting companies like Equifax with tougher sanctions when breaches happen and give consumers more control over their personal data. So far, no Republicans have signed onto the bills Democrats introduced.
Warren is backing several bills in response to the breach, including one she wrote that would make it free for consumers to freeze their credit reports, which can prevent criminals from opening new credit cards or other lines of credit with stolen information.
While Equifax recently said it will next year offer consumers a free product to “lock and unlock” access to the credit files, via the Internet, Warren said that the company still hasn’t explained key details of what protections are involved.
“Equifax is trying another sleight of hand to avoid responsibility,” Warren said.
There’s been decades-long history of problems with the credit-reporting agencies, which for most of their existence have been practically unregulated, said Chi Chi Wu, a Boston-based staff attorney with the National Consumer Law Center.
“They own our information . . . we have no control. We’re the product not the customer. There’s some fundamental problems with this system that need to be fixed,” Wu said, pointing to the long-running problems of errors in credit reports and how difficult it is for consumers to get the companies to correct those errors.
A 2012 Federal Trade Commission study found that one in five people have some sort of error in their credit reports, which for one in 20 people is so serious it would cause them to be denied credit or have to pay more to obtain it, she said.