• Cullen and Dykman LLP Blogs


  • Congress Grills Former Equifax CEO about Data Breach

    Former Equifax CEO Richard Smith testified on Tuesday before the House Digital Commerce and Consumer Protection subcommittee to provide details about the massive data breach that put the personal information of millions of consumers at risk. Smith offered a few new details about the breach in a prepared statement before fielding questions from members of Congress. The new information included an announcement that an additional 2.5 million people were potentially affected by the breach. Smith refused to commit Equifax to fully reimbursing those who are financially harmed as a result of the breach. The part of Smith's testimony that troubled the lawmakers on the panel the most was his lack of an explanation for how such a large breach could have happened at all, let alone continued for over two months before being detected.

    Smith also described the sequence of events inside Equifax that led to the breach. He stated that in March the company received a notice that one of its software applications needed to be patched. He also stated that the company sent a warning to its security staff about the patch, and that Equifax's data security protocols require software to be patched within 48 hours of notice. However, the person responsible for installing the patch never did so. Further, the vulnerability scans that the company's information security department ran weeks later, which should have flagged the unpatched software, did not detect it. In other words, both controls that stood between the notice and the breach, the patch itself and the scan meant to verify it, each depended on a single step, and both steps failed. Smith also stated that the company delayed publicly disclosing the breach because it took Equifax over a month to determine the breach's scope.

    Members of the subcommittee were baffled that a company with a cyber-security team of 225 professionals could allow a breach like this to happen. There was also major concern that no penalty could be imposed on Equifax beyond lawsuits filed by affected consumers.

    The outrage over the lack of consequences for Equifax has led lawmakers on both sides of the aisle to call for legislation to help protect consumers from future breaches. Current law only requires companies to notify consumers that their data may be compromised after a breach is uncovered. The most cited potential bill is the Secure and Protect Americans' Data Act, which would set national data security standards, require prompt breach notification, and provide additional relief for consumers impacted by data breaches. Members of the subcommittee stated that while regulation would not stop data breaches entirely, unified security standards and statutory penalties would make companies much more careful in securing consumer data.

    With most critical information now stored digitally and data breaches rising in number, it is more critical than ever for institutions to have an effective cyber-security policy. Organizations should ensure that all software is kept current with the latest security patches, and should have multiple, independent safeguards in place so that a single missed step (an unapplied patch, or a scan that fails to detect a known vulnerability) does not go unnoticed. Organizations should also watch for upcoming changes to cyber-security laws that could impose new minimum cyber-security standards.
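    The advice above, that patching alone is not enough and that more than one safeguard is needed, is easy to state and harder to operationalize. The following Python script is an added example for this post; it is not code from the original post or from Equifax, and the software names, host names, version numbers and dates in it are constructed. It models the control chain described in the testimony: a patch notice with a 48-hour window, the version actually deployed on each host, and a scanner verdict, and it refuses to treat a host as resolved unless the deployed version and the scanner independently agree that the fix is in place.

```python
"""Patch-compliance check that requires two independent signals to agree.

Added example for this post; it is not code from the original post or from
Equifax. All software names, hosts, versions and dates are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# The 48-hour patch window cited in the testimony.
PATCH_SLA = timedelta(hours=48)

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '4.1.10' into (4, 1, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    software: str
    notice_time: datetime   # when the patch notice was received
    fixed_version: Version  # first version that carries the fix


@dataclass(frozen=True)
class Asset:
    host: str
    software: str
    version: Version        # version read from the deployed artifact itself
    scanner_clean: bool     # the vulnerability scanner's verdict for this host


@dataclass(frozen=True)
class Finding:
    host: str
    software: str
    status: str  # UNPATCHED, SLA_BREACH, SCANNER_MISS or SCANNER_CONFLICT


def check_patch_compliance(advisories: List[Advisory], assets: List[Asset],
                           now: datetime) -> List[Finding]:
    """Cross-check each asset against the advisory and against the scanner.

    A host is treated as resolved only when both independent signals agree it
    is patched. Every disagreement becomes a finding, so a single failed step
    (one person skipping the patch, one scanner missing it) cannot silently
    close the issue.
    """
    by_software: Dict[str, Advisory] = {a.software: a for a in advisories}
    findings: List[Finding] = []
    for asset in assets:
        advisory = by_software.get(asset.software)
        if advisory is None:
            continue  # no open advisory for this software
        actually_patched = asset.version >= advisory.fixed_version
        if actually_patched and asset.scanner_clean:
            continue  # both signals agree: nothing to do
        if not actually_patched:
            overdue = now - advisory.notice_time > PATCH_SLA
            findings.append(Finding(asset.host, asset.software,
                                    "SLA_BREACH" if overdue else "UNPATCHED"))
            if asset.scanner_clean:
                # The scanner reported clean on a host that is demonstrably
                # unpatched: the scanner itself needs attention.
                findings.append(Finding(asset.host, asset.software, "SCANNER_MISS"))
        else:
            # Version says patched, scanner says not: trust neither until someone
            # looks (stale inventory, wrong binary deployed, or scanner error).
            findings.append(Finding(asset.host, asset.software, "SCANNER_CONFLICT"))
    return findings


def run_example(hours_after_notice: float = 21 * 24) -> List[Finding]:
    """Constructed inventory: one notice, four hosts, checked three weeks later by default."""
    notice = datetime(2017, 3, 8, 9, 0)  # constructed date
    advisories = [Advisory("acme-web-framework", notice, parse_version("4.1.7"))]
    assets = [
        Asset("web-01", "acme-web-framework", parse_version("4.1.7"), True),   # patched, scanner agrees
        Asset("web-02", "acme-web-framework", parse_version("4.1.6"), True),   # unpatched, scanner missed it
        Asset("web-03", "acme-web-framework", parse_version("4.1.7"), False),  # patched, scanner disagrees
        Asset("db-01", "acme-db", parse_version("9.2.0"), True),               # no advisory applies
    ]
    now = notice + timedelta(hours=hours_after_notice)
    return check_patch_compliance(advisories, assets, now)


if __name__ == "__main__":
    for finding in run_example():
        print(f"{finding.host:<8} {finding.software:<20} {finding.status}")
```

    The design choice worth noting is that the scanner's "clean" verdict is never allowed to close a ticket on its own: a host whose deployed version is older than the fix is reported as unpatched regardless of what the scanner says, and the scanner's miss becomes its own finding. That is the "multiple safeguards" point in concrete form.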

    If you, or your organization, have any questions concerning cybersecurity, do not hesitate to contact Cynthia A. Augello at 516-357-3753 or via email at caugello@cullenanddykman.com.

    Thank you to Ryan Soebke, a law clerk with Cullen and Dykman LLP, for his assistance with this post.