October 04, 2017

Brown Opening Statement at Banking Committee Hearing on Equifax

WASHINGTON, D.C. — U.S. Sen. Sherrod Brown (D-OH) – ranking member of the U.S. Senate Committee on Banking, Housing, and Urban Affairs – released the following opening statement at today’s hearing entitled, “An Examination of the Equifax Cybersecurity Breach.”


Brown’s remarks, as prepared for delivery, follow.

The story of this data breach is a familiar one. A big financial institution screws up. Executives walk away with millions of dollars. Tens of millions of Americans end up holding the bag.

Americans expect that the Equifax scandal will play out the same way as Wells Fargo’s. A couple executives retire and lose some bonuses, a couple fines are issued, and only later do we find out the problems go much deeper.

Most Americans never chose to have their data scooped up by Equifax. You have said that since 2005, Equifax has been rapidly transforming itself into a “global analytics company” by collecting huge troves of information on people that you can sell to marketers and employers. But you almost never ask people if they want to be tracked.

Most of the 145 million people – well over half of all adults in the U.S. – whose data you allowed to be stolen probably only had a vague idea of what Equifax was, if they’d heard of you at all – that was until they read in the paper that their personal information had been compromised.

But while they might not have known the name “Equifax,” they should have been able to expect that a company that gathers the most private information about them would have state-of-the-art protections for that information. A gold mine for hackers should be a digital Fort Knox when it comes to security.

But security doesn’t generate short-term profits. Protecting consumers apparently isn’t important to your business model, so you just gathered more and more information and peddled it to more and more buyers.

For example, you bought a company called TALX so you could get access to detailed payroll information – the hours people worked, how much they were paid, where they lived – at more than 7,000 businesses.

You were hacked there, too, exposing the workers at Kroger’s and an unknown number of people’s information to criminals who used it to commit tax fraud.

In May of this year, your outside law firm stated that Equifax had instituted additional security measures in order to prevent a recurrence of the TALX incident, just like you’re claiming you’re doing now. Yet at that same time, hackers had already taken advantage of another security flaw to get into Equifax systems.

It has been ten weeks since you discovered this latest breach, but I still don’t think we have a complete answer to the question: what happened and why?

We do know that this breach could have been avoided if you had taken the simple step of administering security patches.

But your response after the fact may be just as negligent.

You told the House yesterday that Equifax knew at least some people’s data had been exposed on August 15th. Rather than give victims a chance to protect themselves, you withheld this information from the public for weeks.

You claim that you delayed telling the public about this hack so you could get an appropriate consumer response put together, but when you finally did tell people what happened, Equifax’s website and call centers were immediately overwhelmed.

You even tried to take advantage of the situation by sticking victims with a forced arbitration clause buried in the credit monitoring product you were shopping to victims. At least in this instance you backed down under public pressure, unlike Wells Fargo.

Chairman Crapo and I sent a letter to you on September 22nd requesting some very basic information. 

For example, is there a company policy on stock sales? I’d guess so, but the best we got from the company was: “Equifax will work with committee staff to provide a copy of the policy.” 

We’re not talking about trade secrets here. I just don’t get the obfuscation.

Despite your promise to deliver a free “credit-lock” product next year, all of Equifax’s actions up to this point demonstrate that this is not a company that deserves to be trusted with Americans’ personal data.

Your actions have exposed over half the country’s adults to financial harm. Equifax has forfeited its right to corporate secrets. So please do not make the same mistake Wells Fargo did – now is the time to give this committee the whole story.

Thank you Mr. Chairman.