WASHINGTON, D.C. – U.S. Sen. Sherrod Brown (D-OH) today called on the federal government to initiate a review to bar Equifax from consideration for new or renewed government contracts, citing Equifax’s failure to protect the personal information of 145 million Americans and more than 5 million Ohioans.
The Department of the Treasury has the responsibility of protecting consumers and taxpayers from negligent behavior – like that exhibited by Equifax – by making sure federal agencies only contract with companies that act responsibly and in the best interest of consumers. Brown is calling on the agency to begin debarment procedures, which would prevent Equifax from soliciting, obtaining or renewing federal contracts. Because debarment by one agency has government-wide effect, a Treasury debarment would bar Equifax from doing business with every federal agency.
“This simply is not a company that deserves to be trusted with Americans’ personal data or taxpayer dollars,” said Brown of Equifax.
Shortly after news of Equifax’s data breach became public, it came to light that the Social Security Administration (SSA) contracted with Equifax for the online portal known as mySocialSecurity. Equifax’s own system was hacked in July, exposing 145 million Americans to identity theft. Brown and his colleague U.S. Sen. Bill Cassidy (R-LA) – leaders of the Senate’s Subcommittee on Social Security – called on the agency to provide answers as to whether it could confirm that its users’ information was secure.
Now, Brown wants to make sure the company cannot put more consumers and the government at risk by preventing it from getting any government contracts.
Full text of Brown’s letter to Treasury is below.
Iris B. Cooper
Department of the Treasury
1500 Pennsylvania Avenue, NW
Washington, D.C. 20220
Dear Ms. Cooper:
I write you today to urge you in the strongest possible terms to act in your capacity as debarment official for the Department of the Treasury to immediately take the steps necessary to review whether Equifax’s failure to protect the personal information of 145 million Americans warrants debarment.
Due to negligent security practices, Equifax allowed the personally identifiable information of 145 million Americans and more than 5 million Ohioans to be accessed illegally. By failing to install a security update available in March 2017, Equifax allowed intruders to maintain a presence on its technology from at least May 13th through July 29th of this year. While executives knew that this information had been accessed as early as mid-August, they neglected to inform banking and consumer regulators, as well as the general public, for weeks.
Equifax’s mismanagement puts taxpayers and the Federal Government at risk of a similar data breach.
Debarment is the remedy the Federal Government has to protect consumers and taxpayers from the reckless and negligent behavior of bad actors, such as Equifax, and ensure that Federal agencies only solicit offers from, award contracts to, and consent to subcontracts with responsible contractors. Debarment prevents a company from soliciting offers for, obtaining additional, and renewing federal contracts for a period of three years and debarment by one agency has government-wide, reciprocal effect.
Debarment grounds and procedures are described in the Federal Acquisition Regulations Subpart 9.4 in accordance with Public Law 102-355, Section 2455 (31 U.S.C. 6101) and Executive Order 12689. Federal Acquisition Regulation 9.406-2 lists the causes for debarment that include, “Commission of any other offense indicating a lack of business integrity or business honesty that seriously and directly affects the present responsibility of a Government Contractor or Subcontractor.” The regulations go on to clarify this behavior as, “a history of failure to perform, or of unsatisfactory performance of, one or more contracts.”
Before arriving at any debarment decision, the Federal Acquisition Regulation Section 9.406-1 states that “[i]t is the debarring official’s responsibility to determine whether debarment is in the Government’s interest. The debarring official may, in the public interest, debar a contractor for any of the causes in 9.406-2.” Section 9.406-2(c) provides that the debarring official may debar “[a] contractor or subcontractor based on any other cause of so serious or compelling a nature that it affects the present responsibility of the contractor or subcontractor.”
Yet before any decision is made, the debarring official, per Section 9.406-1, should consider a number of factors including: (1) Whether the contractor had effective standards of conduct and internal control systems in place at the time of the activity; (2) Whether the contractor brought the activity cited as a cause for debarment to the attention of the appropriate Government agency in a timely manner; (3) Whether the contractor has fully investigated the circumstances surrounding the cause for debarment; and (4) Whether the contractor’s management recognizes and understands the seriousness of the misconduct giving rise to the cause for debarment and has implemented programs to prevent recurrence.
Given the importance of cybersecurity practices to Equifax’s core business and the ease with which a breach could have been avoided, it is clear Equifax did not have effective standards of conduct or internal control systems. US-CERT notified Equifax of the vulnerability of the Apache Struts Web Application in March, but internal controls failed to identify that the patch had not been applied across their software environment, or even to identify all vulnerable systems.
After finding the intrusion, Equifax failed to timely notify government agencies about this breach. According to his congressional testimony, the Chief Executive Officer knew the scope and severity of the breach by August 17th, but did not inform government agencies or the public until September 7th.
Equifax has not fully investigated the circumstances surrounding the causes of the intrusion. In what may be an effort to avoid transparency in that investigation, Equifax hired an independent contractor through a law firm. Findings from the investigation may be protected by attorney-client privilege and only selectively disclosed to debarring officials.
Equifax’s response to consumers after the incident, including underinvestment in customer complaint intake, directing customers to phishing websites, and proffering a credit protection product for only one year and on the condition that consumers sign over basic rights to court, demonstrates a lack of recognition and understanding of the seriousness of this incident. And while its consumer response was wholly inadequate, it is unclear whether the company has even contemplated changes to its network and information security architecture and data protection standards.
The American people are looking to the Administration for leadership, clarity, and peace of mind. I believe that Equifax’s actions are “of so serious or compelling a nature that it affects” their responsibility to taxpayers. The Department of the Treasury has the cause and imperative to act. I urge you to promptly initiate a debarment review. Please provide my office with an update on the actions you have taken and intend to take as well as the rationale for those actions within five business days.