Pallone: Equifax’s Response to this Data Breach Is Unacceptable & It’s Time for Congress to Act
Energy and Commerce Ranking Member Frank Pallone, Jr. (D-NJ) delivered the following opening remarks at a Digital Commerce and Consumer Protection Subcommittee hearing on “Oversight of the Equifax Data Breach: Answers for Consumers:”
Thank you, Mr. Chairman, for holding this timely hearing. While I understand that law enforcement and internal investigations into this incident are still ongoing, I expect to get more information today on what happened and why it took so long to inform the public.
Most importantly, we want answers for consumers because Equifax’s response to this breach has been unacceptable. So too has been Equifax’s ongoing lax attitude when it comes to protecting consumer data.
It has been four weeks since the breach was made public and at least ten weeks since it was discovered by Equifax employees. Yet, Equifax’s customer service has been confusing and unhelpful. Equifax even tweeted a link to a fake website.
Many of the remedies Equifax is now offering to consumers were not offered up front, or in good faith. They were forced out of the company only after public outcry, and they are still inadequate.
It is hard to imagine that anyone at Equifax thought it was a good idea to offer only one year of credit monitoring, with an arbitration clause at first to boot. Free and comprehensive credit monitoring and identity theft protection should be offered for far longer than a year.
Most recently, Equifax added lifetime credit locks to its offering, which consumer advocates suggest are weaker than credit freezes. Regardless, a lock or a freeze at only one credit bureau is almost useless. Equifax should work with the other credit bureaus to immediately create a free, quick, and easy-to-use freeze and unfreeze one-stop shop.
And because credit freezes or locks may not work for everyone, going forward, Equifax should do more than credit locks, it should give consumers more control over how their data is used and stored. In addition, if Equifax wants to stay in business, its entire corporate culture needs to change to one that values security and transparency. After all, this is not Equifax’s first data breach in the past year.
Consumers do not have any say in whether or not Equifax collects and shares their data, and that’s what makes this breach so concerning. This is unlike other breaches at stores such as Target and Michaels where consumers could make a choice and change their shopping habits if they were upset with how the companies protected data. That’s simply not the case with Equifax.
While data breaches have unfortunately become commonplace, it is long past time for Congress, beginning with this Committee, to act. Since at least 2005, this Subcommittee has been considering data breach legislation, but it has never become law.
It’s time we change that. Yesterday, Ranking Member Schakowsky and I re-introduced the Secure and Protect Americans’ Data Act. This bill would require enforceable robust data security practices and meaningful notice to consumers. It would also give additional protections to consumers after a breach.
Of course, breaches will continue to occur, but they occur more often when there is no accountability and when no preventative measures are in place. Our bill will not stop mistakes and cybercrimes from happening but we need to start somewhere.
Mr. Smith, I read your op-ed in USA Today last month and the new CEO’s op-ed in The Wall Street Journal last week. I appreciate that you’re both sorry. My question is: What now?