Georgia lawmakers want Equifax probe before sanctions

The headquarters of Atlanta-based Equifax in Midtown Atlanta. (AP Photo/Mike Stewart, File)

The headquarters of Atlanta-based Equifax in Midtown Atlanta. (AP Photo/Mike Stewart, File)

The Senate’s top Democrat compared Atlanta-based credit bureau Equifax to the beleaguered company Enron on Thursday and called on Equifax’s board and CEO to step aside if they can’t commit to protecting the 143 million Americans whose personal information was compromised in a whopping data breach.

Senate Minority Leader Chuck Schumer, D-NY, called for hearings to look into the matter, demanding that Equifax officials agree to testify before his chamber, as well as the Federal Trade Commission and the Securities and Exchange Commission. He demanded that the company comply with any recommendations arising from the government probes.

Schumer said the company also needed to notify their customers who were hacked, provide credit monitoring for 10 years and remove forced arbitration provisions from their terms of use of credit products. If executives do not agree to those terms, Schumer said, CEO Rick Smith and Equifax’s board of directors should be fired.

Schumer gave Equifax until next week to comply, and compared the credit bureau to Enron, the gigantic energy company that declared bankruptcy in 2001, leaving thousands of employees with no savings because their retirement plans were based on Enron shares.

“To give Equifax a week to implement these things is overly generous to the people who did horrible stuff and then, after it happened, did nothing, virtually nothing that showed that they had remorse,” he said.

Georgia’s congressional delegation also called for answers, but tread cautiously on the matter. Most said it’s too early to pursue some of the prescriptions advocated by Democrats, and said congressional probes should move forward first before lawmakers make any decisions on new cybersecurity laws, regulations or other disciplinary actions.

“If you make those decisions before you investigate, you’re going to do the wrong thing,” said U.S. Sen. Johnny Isakson, R-Ga. “You don’t rush to judgment on Equifax. Equifax has got a lot of explaining to do, but you’ve got to give them the chance to explain before you rush to judgment.”

Representatives for Equifax did not respond to requests for comment.

Rhetoric on Capitol Hill has only grown more heated in the week since Equifax disclosed criminals hacked in to their network and exposed sensitive data, such as Social Security numbers. More than half of the nation's adult population could be affected.

U.S. Sen. Ron Wyden, D-Ore., introduced a bill he said would guarantee all Americans the use of personal identification numbers to freeze and unfreeze their credit for free to help prevent financial fraud in the wake of the cyberattack.

One senator has called for the jailing of some top executives who traded stock before the breach was made public. Equifax has said it learned of the breach July 29, but representatives said the executives were not aware of the incident when they sold a combined $1.8 million worth of stock in early August.

Consumer lawsuits against Equifax are mounting and federal authorities are also investigating the breach and its culprits.

“Let’s get down to as much of the facts as we can and then let that guide our next actions,” said U.S. Rep. Buddy Carter, R-Pooler.

‘Equifax has got to pay’

Congress and consumer watchdogs have trashed Equifax not only for security lapses that led to the breach but for the bungled response that followed. There have been complaints that the company's call centers are inadequate, and a website for consumers hit by the breach dispensed conflicting information.

Equifax also took heat for language in the terms of use of credit protection products it offered free for one year to victims. It appeared to force consumers to give up their rights to sue or join class actions. Equifax rescinded that language under pressure.

One of the most critical Georgia lawmakers was Democrat Hank Johnson of Lithonia, who said the hack proved the need for Congress to pass two bills he sponsored earlier this year related to data privacy and forced arbitration.

“I will continue introducing these critical bills — fighting to ensure all consumers have the tools they need to protect themselves from identity theft and have their day in court,” he said.

Many Georgia lawmakers have been boosters of the home state credit bureau in the past. The firm has donated thousands to local lawmakers in recent years. Isakson was by far its biggest recipient in 2016 as he ran for reelection.

Equifax is “a longstanding Georgia company, and we want to make sure that they come out of this standing as tall as possible,” said Atlanta Democrat David Scott. “And the way to do that is to … find out what happened and who’s responsible so that (it has) the confidence of the people.”

Scott and Isakson are members of informal House and Senate financial innovation caucuses or groups of lawmakers who say their purpose is to explore "new and innovative technologies in the payments industry and address issues concerning data security, consumer protection and electronic payments."

Scott said he’s worried that “our lack of cybersecurity is becoming a very serious national security issue” and that some new rules may be needed to beef up enforcement.

“There’s no question about the fact that Congress needs to act here and learn from all of this,” he said.

Isakson said “failure is not an option” given that tremendous number of people affected.

“We’ve got to make sure that the credit is protected, that the information is protected and the consumers are protected,” he said, “and Equifax has got to pay for the mistake, if in fact they made it.”

Pointing fingers

Equifax and a software company have blamed each other for a glitch that allowed hackers to steal the sensitive data.

Late Wednesday, Equifax said that hackers breached a vulnerable spot in a U.S. website application called Apache Struts.

But Apache Software Foundation said in a statement Thursday that it provided and announced a patch for the software fault on March 7, well before Equifax said the security breach began in mid-May.

“In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner,” the foundation said.

The 18-year-old foundation said it is an all-volunteer organization that produced open-source Java applications for government and business users, including Fortune 100 companies.

Analysts had suspected the breach was related to the Apache Struts issue.

“At the end of the day, there’s humans building the software core … and at the end of the day there is always vulnerability,” said Dimitri Sirota, CEO of BigID, a data security firm.

MYAJC.COM: REAL JOURNALISM. REAL LOCAL IMPACT.

AJC Business reporter Russell Grantham keeps you updated on the latest news about major companies, CEOs and public utilities in metro Atlanta and beyond. You'll find more on myAJC.com, including these stories:

Never miss a minute of what's happening in local business news. Subscribe to myAJC.com.