[Congressional Record Volume 163, Number 149 (Thursday, September 14, 2017)]
[Senate]
[Page S5711]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                          EQUIFAX DATA BREACH

  Mr. SCHUMER. Mr. President, on the Equifax data breach, what has 
transpired over the past several months is one of the most egregious 
examples of corporate malfeasance since Enron. Equifax has exposed the 
most sensitive personal information of over half of the citizens of the 
United States--names, addresses, Social Security numbers, driver's 
licenses, and, in some cases, even their credit histories. Clearly, 
there were inadequate data security standards at Equifax, which is 
deeply troubling on a number of levels.
  When you are a credit agency like Equifax, you have two principal 
jobs: calculating and reporting accurate credit scores and protecting 
the sensitive information of individuals that is funneled through that 
process. Stunningly and epically, Equifax failed to perform one of its 
two essential duties as a company--protecting the sensitive information 
of the people in its files. That is unacceptable, and there is no other 
word for it.
  Even following the failure by Equifax--this huge, massive failure--
the company and its leadership failed to effectively communicate this 
breach to the public and, in the aftermath of the announcement, failed 
to address public concern. The company knew about the breach and did 
not notify consumers that their information had been compromised for 
far too long a period. Because Equifax waited so long to report the 
breach, consumers were put behind the eight ball. Their information was 
potentially compromised without their knowledge, and they had no 
ability to protect themselves. Meanwhile, hackers could attempt to take 
out loans in their names and potentially use the information for 
identity fraud or they could perpetrate a number of fraudulent schemes 
with the sensitive information that these horrible hackers had 
obtained.
  Once the breach was eventually announced, consumers found themselves 
being forced to provide sensitive information to Equifax in order to 
verify whether they were impacted by the breach. In order to sign up 
for the company's credit monitoring services, customers were forced to 
agree to terms prohibiting their ability to bring a legal claim against 
Equifax. Isn't that disgusting?
  Equifax creates the problem and then says: Customer, if you want to 
solve it, you have to give up your rights.
  That is outrageous.
  Equifax is saying: We royally screwed up, but trust us. We will not 
screw up again, but if we do screw up, you cannot sue us.
  To make matters worse, in the weeks leading up to the announcement of 
its breach, while customers were in the dark, several executives at 
Equifax sold off their stock in the company. They claim that they had 
no knowledge of the breach. If they did, it would be one of the most 
brazen and shameful attempts of insider trading that I can recall.
  We need to get to the bottom of this--the very bottom, the murky 
bottom, the dirty bottom. The Senate must hold hearings on the Equifax 
breach during which these executives will be called to account. There 
is no question about that. Beyond that, five things need to happen in 
the near future. I would like to see them in the next week.
  First, Equifax must commit proactively to reach out to all impacted 
individuals and notify them that their personal, identifiable 
information may have been compromised and, if known, inform them of 
exactly what information has been released.
  Second, provide credit monitoring and ID theft protection services to 
all impacted individuals for no less than 10 years. If an individual 
chooses not to use the credit monitoring service offered by Equifax 
because they naturally don't trust them, then Equifax should reimburse 
that individual for the costs of the alternative credit monitoring 
service they sign up for.
  Third, offer any impacted individual the ability to freeze their 
credit at any point for up to 10 years.
  Fourth, remove arbitration provisions from any agreement or terms of 
use for products, services, or disclosures offered by Equifax. This 
means that Equifax will proactively come into compliance with the 
CFPB's forced arbitration rule, and there will be no question that an 
individual will not have all legal rights at their disposal.
  Fifth, Equifax must agree to testify before the Senate, the FTC, and 
the SEC, cooperate with any investigation, and comply with any fines, 
penalties, or new standards that are recommended at the conclusion of 
these investigations.
  If Equifax does not agree to these five things in 1 week's time, the 
CEO of the company and the entire board should step down. These five 
steps are common sense. They are the baseline of decency. If Equifax 
can't commit to them, their leadership is not up to the job, and the 
entire leadership must be replaced.
  Let me tell my colleagues, if Joe Public--if the average citizen did 
anything close to what the corporate leaders of Equifax did that led to 
this data breach and the awful response to it, that average citizen 
would be fired immediately. To give Equifax a week to implement these 
things is overly generous to people who did horrible stuff and then, 
after it happened, did nothing--virtually nothing--that showed they had 
remorse.
  It is only right that the CEO and board step down if they can't reach 
this modicum of corporate decency by next week.

                          ____________________