This morning, in a hearing of the Senate Banking Committee with Securities and Exchange Commission (SEC) Chairman Jay Clayton, Sen. Mark R. Warner (D-VA) slammed the credit bureau Equifax for its cybersecurity failures and weak response in the wake of a data breach affecting the personal information of 143 million Americans.
Said Warner of the Equifax breach, “We have no ability to opt-in to these systems. We are part of these systems whether we like it or not. I’m often asked in my job on the Intelligence Committee what I think the single greatest vulnerability our country faces is, and I believe it’s cybersecurity.”
Added the Senator, “I think Equifax is a travesty. I think the resignation of the CEO is by no means enough… Number one, in terms of the sloppiness of their defenses. Two, in terms of the fact that this was clearly a knowable vulnerability – they had known for months, and if they had simply put a patch in place we might have precluded this. And to add insult to injury, Equifax, when it put up the site to direct consumers after the breach, that site was not properly domain-registered and was known to have vulnerabilities in the site itself. So if we don’t send a very, very strong message – now the market has already taken, I think, 25 percent off its market value – but I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity.”
Noting that a number of significant data breaches in both the public and private sectors have affected hundreds of millions of people in recent years, Warner pressed the SEC Chairman on whether he believes the publicly traded companies regulated by the agency are being sufficiently forthcoming with shareholders and the public when their systems are breached by hackers.
The SEC Chairman told Sen. Warner, “I agree with you generally. I don’t think there’s been enough disclosure around the risk profile of companies with respect to cybersecurity. Where are the risks, what are the vulnerabilities, what do we know, not know. And then, if there are breaches, the disclosure of those specific breaches. I don’t think there’s been adequate disclosure in that regard.”
Warner urged Chairman Clayton to work with the Banking Committee to strengthen those reporting standards through the SEC rulemaking process or by working with Senators to craft appropriate legislation that would improve disclosure and transparency for companies that suffer a data breach. A full transcript of their exchange is below.
In a September 13 letter, Sen. Warner also asked the Federal Trade Commission (FTC) to examine whether credit reporting agencies such as Equifax have adequate cybersecurity safeguards in place for “the enormous amounts of sensitive data they gather and commercialize.” In a response to Sen. Warner’s questions, dated September 21 and newly released today, the FTC disclosed that the agency is considering whether an existing FTC consent decree with Equifax for violations of the Fair Credit Reporting Act could allow the FTC to assess additional sanctions and civil penalties on Equifax for its failure to maintain acceptable data security practices. The FTC also agreed with Sen. Warner’s assessment that Equifax has not adopted sufficient security practices for consumers wishing to place a credit freeze on their accounts following the theft of their personal information.
The FTC also recommended that Congress take up comprehensive data security legislation that would provide timely notification to consumers when there is a data breach – a cause Sen. Warner has championed for more than three years.
The FTC’s full response to Sen. Warner is available here.