Washington, D.C. – U.S. Senator Chuck Schumer today delivered remarks on the Senate floor regarding Equifax’s handling of a recent data breach affecting more than a million Americans. Below are his remarks:
Now, on the Equifax data breach, Mr. President.
What has transpired over the past several months is one of the most egregious examples of corporate malfeasance since Enron.
Equifax has exposed the most sensitive personal information of over half of the United States citizens. Names, addresses, social security numbers, driver’s licenses, and in some cases, even their credit history. Clearly there were inadequate data security standards at Equifax, which is deeply troubling on a number of levels.
When you’re a credit agency like Equifax, you have two principal jobs: calculating and reporting accurate credit scores and protecting the sensitive information of individuals that are funneled through that process. Equifax stunningly and epically failed to perform one of its two essential duties as a company, to protect the sensitive information of the people in its files.
That is unacceptable and there’s no other word for it.
Even following this failure by Equifax, this huge, massive failure, the company and its leadership failed to communicate this breach to the public effectively and in the aftermath of the announcement, failed to address public concern.
The company knew about the breach and yet did not notify consumers that their information had been compromised for far too long a period. Because Equifax waited so long to report the breach, consumers were put behind the eight ball. Their information was potentially compromised without their knowledge and they had no ability to protect themselves. Meanwhile hackers could attempt to take out loans in their name, potentially use the information for identity fraud, or perpetrate a number of fraudulent schemes with the sensitive information these horrible hackers had obtained.
Once the breach was eventually announced, consumers found themselves forced to provide sensitive information to Equifax in order to verify whether they were impacted by the breach. In order to sign up for the company’s credit monitoring services, customers were forced to agree to terms prohibiting their ability to bring a legal claim against Equifax. Is that disgusting? Equifax creates the problem and then says, ‘customer, if you want to solve it you have to give up your rights.’ Outrageous. Equifax was saying ‘we royally screwed up, but trust us, we won’t screw up again, but if we do screw up, you can’t sue us.’
And to make matters worse, in the weeks leading up to the announcement of the breach, while consumers were in the dark, several executives at Equifax sold off their stock in the company. They claim they had no knowledge of the breach, but if they did, it would be one of the most brazen and shameful examples of insider trading that I can recall.
So, we need to get to the bottom of this, the very bottom, the murky bottom. The Senate must hold hearings on the Equifax breach where these executives are called to account. No question about that.
But beyond that, these five things need to happen in the very near future – I’d like to see them in the next week.
Equifax must, first, commit to proactively reach out to all impacted individuals to notify them that their personal, identifiable information may have been compromised, and if known, inform them of exactly what information has been released.
Second, provide credit monitoring and ID theft protection services to all impacted individuals for no less than 10 years. And if an individual chooses not to use the credit monitoring service offered by Equifax (because they naturally don't trust them) then Equifax should reimburse that individual for the costs of the alternative credit monitoring service they sign up for.
Third, offer to any impacted individual the ability to freeze their credit at any point for up to 10 years.
Fourth, remove forced arbitration provisions from any agreement or terms of use for products, services, or disclosures offered by Equifax. This means that Equifax will proactively come into compliance with the CFPB's forced arbitration rule and there will be no question that an individual will not have all legal rights at their disposal.
And fifth, Equifax must agree to testify before the Senate, the FTC and the SEC, cooperate with any investigation, and comply with any fines, penalties, or new standards that are recommended at the conclusion of the investigations.
And if Equifax does not agree to these five things in one week’s time, the CEO of the company and the entire Board should step down. These five steps are commonsense. They are the baseline of decency. If Equifax can’t commit to them, their leadership is not up to the job, and the entire leadership must be replaced.
Let me tell you folks, if Joe Public, if the average citizen did anything close to what the corporate leaders of Equifax did that led to this data breach and the awful response to it, that average citizen would be fired immediately.
To give Equifax a week to implement these things is overly generous to the people who did horrible stuff and then after it happened, did nothing, virtually nothing that showed that they had remorse.
It’s only right that the CEO and the board step down if they can’t reach this modicum of corporate decency by next week.