Brown: Equifax Should Spend More on Security, Less on CEO Pay

Senator Calls for Consumers to Have More Control over Their Own Data


WASHINGTON, D.C. — U.S. Sen. Sherrod Brown (D-OH) – ranking member of the U.S. Senate Committee on Banking, Housing, and Urban Affairs – questioned former Equifax CEO Richard F. Smith today in the wake of a massive data breach that exposed the data of 145 million Americans. According to Equifax, more than 5.2 million Ohioans were impacted by the breach.

Brown called for Equifax to invest more in security and less in huge salaries for CEOs. He pointed out that Equifax spent nearly as much on Smith’s multi-million-dollar salary as the company spent on cybersecurity: since last year, Smith has earned about $69 million, while Equifax spends just $85 million a year on cybersecurity.

“In hindsight, do you think Equifax should have spent more money protecting people’s data rather than compensating you so well?” Brown asked. “You’re an IT company. That’s just not acceptable.”

Brown also pointed out how unfair Equifax’s business model is for American consumers. Equifax makes money collecting and selling consumers’ data to other big companies. Those consumers are not compensated for the use of their data; in fact, most of the time they don’t even know it’s being sold. Then Equifax makes even more money by forcing those same consumers to pay Equifax to protect their data after a breach occurs.

“Do you think it’s fair that Equifax gets to take consumers’ data at almost no cost, make millions by selling it to data mining companies and marketers, then charge fees to those consumers for credit monitoring products after they’ve become identity theft victims?” Brown pressed the CEO.

Brown called for consumers to have more control of their own data, similar to how Americans have ownership of their medical records. It is illegal for companies to buy and sell medical records, and patients must consent before their information is transferred. However, companies like Equifax are free to buy and sell sensitive data without people’s consent or knowledge. Brown suggested Americans should have the right to request their data be deleted from Equifax’s system or at the other consumer reporting agencies.

“If you don’t think consumers should be allowed to control their own data, why should a company that has had so many security failures be allowed to control their data? That’s the fundamental question this company hasn’t answered to the public,” Brown said.


Brown’s complete opening remarks, as prepared for delivery, follow.


The story of this data breach is a familiar one. A big financial institution screws up. Executives walk away with millions of dollars. Tens of millions of Americans end up holding the bag.

Americans expect that the Equifax scandal will play out the same way as Wells Fargo’s. A couple executives retire and lose some bonuses, a couple fines are issued, and only later do we find out the problems go much deeper.

Most Americans never chose to have their data scooped up by Equifax. You have said that since 2005, Equifax has been rapidly transforming itself into a “global analytics company” by collecting huge troves of information on people that you can sell to marketers and employers. But you almost never ask people if they want to be tracked.

Most of the 145 million people – well over half of all adults in the U.S. – whose data you allowed to be stolen probably only had a vague idea of what Equifax was, if they’d heard of you at all – that was until they read in the paper that their personal information had been compromised.

But while they might not have known the name “Equifax,” they should have been able to expect that a company that gathers the most private information about them would have state-of-the-art protections for that information. A gold mine for hackers should be a digital Fort Knox when it comes to security.

But security doesn’t generate short-term profits. Protecting consumers apparently isn’t important to your business model, so you just gathered more and more information and peddled it to more and more buyers.

For example, you bought a company called TALX so you could get access to detailed payroll information – the hours people worked, how much they were paid, where they lived – at more than 7,000 businesses.

You were hacked there, too, exposing the workers at Kroger’s and an unknown number of people’s information to criminals who used it to commit tax fraud.

In May of this year, your outside law firm stated that Equifax had instituted additional security measures in order to prevent a recurrence of the TALX incident, just like you’re claiming you’re doing now. Yet at that same time, hackers had already taken advantage of another security flaw to get into Equifax systems.

It has been ten weeks since you discovered this latest breach, but I still don’t think we have a complete answer to the question: what happened and why?

We do know that this breach could have been avoided if you had taken the simple step of administering security patches.

But your response after the fact may be just as negligent.

You told the House yesterday that Equifax knew at least some people’s data had been exposed on August 15th. Rather than give victims a chance to protect themselves, you withheld this information from the public for weeks.

You claim that you delayed telling the public about this hack so you could get an appropriate consumer response put together, but when you finally did tell people what happened, Equifax’s website and call centers were immediately overwhelmed.

You even tried to take advantage of the situation by sticking victims with a forced arbitration clause buried in the credit monitoring product you were shopping to victims. At least in this instance you backed down under public pressure, unlike Wells Fargo.

Chairman Crapo and I sent a letter to you on September 22nd requesting some very basic information.

For example, is there a company policy on stock sales? I’d guess so, but the best we got from the company was: “Equifax will work with committee staff to provide a copy of the policy.”

We’re not talking about trade secrets here. I just don’t get the obfuscation.

Despite your promise to deliver a free “credit-lock” product next year, all of Equifax’s actions up to this point demonstrate that this is not a company that deserves to be trusted with Americans’ personal data.

Your actions have exposed over half the country’s adults to financial harm. Equifax has forfeited its right to corporate secrets. So please do not make the same mistake Wells Fargo did – now is the time to give this committee the whole story.

Thank you, Mr. Chairman.