Maloney Says Equifax Violated Law at House Financial Services Hearing
WASHINGTON, DC—Congresswoman Carolyn B. Maloney (NY-12), senior member of the House Committee on Financial Services, today questioned former Equifax CEO Richard Smith at a hearing on the company’s data breach and charged that the company violated the Federal Trade Commission’s Safeguards Rule by failing to act on the security threat pointed out in a DHS notice. Maloney also questioned Mr. Smith on Equifax’s patch management system and on its outdated corporate governance model.
“Equifax, and Mr. Smith, owe the American people answers, and I am very frustrated with how many questions have remained unanswered since the security breach. Americans rely on the three credit bureaus — a select group of companies — to safeguard some of our most sensitive personal information, and Equifax clearly did not meet its obligations. We have a law in place that protects against exactly what happened here, and now we’ll see if the FTC is willing to enforce it; if they’re not, then we’ll know that Equifax is truly above the law.
“Equifax failed to implement a security patch and allowed the flaw to go unpatched for months. This is simply negligence and unacceptable. To make matters worse, Equifax was using an outdated corporate governance model that kept the Chief Information Security Officer out of direct contact with the CEO and Board of Directors. I asked Mr. Smith if he employed this model because he didn’t think that information security information was important enough to be reported directly to him as CEO. So much went wrong here, even though we have rules in place to prevent just this type of breach. Equifax needs to let the American people know how they plan to fix this broken system and protect our most sensitive personal information.”
The Federal Trade Commission’s Safeguards Rule, among other things, requires that credit bureaus have an information security program in place that identifies reasonably foreseeable risks to the security of customer data and protects against those risks. In Maloney’s reading of the Rule, that obligation extends to operating a patch management process that applies fixes for known security flaws as soon as a fix is released; the months-long gap between the DHS notice and Equifax’s patching of the flaw is the basis of her charge that the company violated the Rule.