Richard Smith, the Equifax CEO who left the company following a massive consumer data breach, apologized numerous times to the House Energy and Commerce Committee during a Tuesday hearing, but lawmakers and the general public are far from ready to accept the apology.
As more of the facts are revealed about the Equifax hack, many Americans are wondering what recourse they will have and whether the government will step in to help protect their personal data, especially when it's gathered without their explicit consent by companies like Equifax.
Despite receiving warnings from the federal government, Equifax failed to detect and patch a key cyber vulnerability. Smith attributed the mistake up to a combination of "human error and technological error."
Chairman of the Energy and Commerce Committee, Rep. Greg Walden (R-Ore.) attributed it to incompetence.
"I don't think we can pass a law that ... fixes stupid," Walden said during the hearing. "I can't fix stupid."
The ranking Democrat on the Consumer Protection Subcommittee Jan Schakowsky (D-Ill.) called the ex-CEO's testimony, "unconvincing."
Rep. Peter Welch (D-Vt.) denounced the company's actions as "outrageous" saying Equifax "failed grossly" to protect consumer information. But he gave them credit on one count.
"They've done the impossible. They've brought Democrats and Republicans together in mutual outrage about their total and complete disregard for the rights and privacy of consumers," Welch said.
One day before the hearing, Equifax announced a total of 145.5 million Americans had their personal data stolen, including Social Security numbers, drivers licenses, addresses, birthdates and other highly sensitive information.
On top of that already staggering number, more than 200,000 people had their credit card information stolen and more than 180,000 people had credit dispute documentation stolen.
Lawmakers pressed Smith to account for the almost inconceivable series of errors that led a multi-billion dollar company in possession of more than 800 million individuals' private data worldwide to fail to safeguard the information.
"It's like the guard at Fort Knox failed to lock the doors," Walden said, posing the question, "With so much at risk, how does this happen?"
That was the question that Smith began answering on Tuesday, beginning with the series of the events that led up to the massive data breach.
THE TIMELINE IN BRIEF
The Equifax security breach was finally revealed to the American public on September 7, but the series of errors began back in March.
At that time, the Department of Homeland Security's Computer Emergency Readiness Team (CERT) alerted Equifax and other companies of an "Apache Struts" software vulnerability that had to be patched.
According to Richard Smith's testimony, that notice was passed on, yet the security and technology teams at Equifax were unable to identify the software or apply the patch. Smith said they deployed a technology scanner to search for the vulnerability, but that too failed.
Then, beginning in May and continuing through July, hackers were able to access and siphon off consumer data undetected until July 29 and July 30 when the company took note of "suspicious activity."
Throughout August, the company researched the breach, enlisted the help of federal law enforcement and cyber forensics experts, and by September 4 came up with a list 143 million consumers whose data had been jeopardized. Again, the public announcement followed three days after on September 7.
One crucial event the former CEO left out of his timeline of events was the August 1 and August 2 sale of approximately $1.8 million worth of Equifax stock by three executives, just after the chief executive was made aware of the "suspicious activity." When the data breach was made public in September, the company's stock tumbled, losing more than 30 percent of its value.
While Smith told members of Congress that the executives did not know about the breach at the time of the sale, lawmakers remain deeply skeptical.
The legality of the trades is currently being investigated on a bipartisan basis by the Senate Finance Committee, according to ranking member Ron Wyden (D-Ore.).
By focusing that investigation on top executives, Wyden hopes to send a powerful message to others. "If you're serious about deterrence, those are the things you investigate," he said.
EQUIFAX NOW FACING A RAFT OF INQUIRIES, PROBES, LAWSUITS
For Equifax, the inquisition is far from over.
After a bruising first round in the House, Richard Smith will appear before the Senate Banking Committee on Wednesday. Lawmakers will continue probing the company's activities, its apparent lack of concern for consumer privacy while considering legislative remedies and possibly new regulations to prevent such data breaches in the future.
Rep. Walden noted that the House hearing is just the beginning. "There has to be accountability here," he stressed. "And once we get past this hearing we'll have a chance to figure out, based on the record, where do we go from there."
In addition to Congressional inquiries, the FBI is also looking into the data breach and has reportedly opened a criminal investigation. The Consumer Financial Protection Bureau has launched its own investigation to determine whether the company engaged in unfair, deceptive, or abusive acts or practices and the country's top consumer watchdog, the Federal Trade Commission announced that it began its own Equifax investigation back in September.
State attorneys general in Massachusetts and New York have gotten in on the action, the city of Chicago is suing Equifax and as many as 70 private class-action lawsuits have reportedly filed against the company.
For Rep. Joe Barton (R-Texas), taking a company to court for such privacy breaches is "cumbersome ... expensive and it's after the fact."
That is why Barton is planning to introduce a bill that will impose fines on companies who fail to safeguard consumer information, a proposal that already has supporters on both sides of the aisle.
"You either force them to start paying some per-customer account breached fine to the consumer, or you give more power to the customer about what [data] is collected," he said. "And I would do both."
The way Barton sees it, if his bill were to become law, anyone whose information was compromised in a data breach would be eligible for "automatic compensation."
While he hasn't worked out the specifics, he estimated the consumers could be compensated in the order of $5,000 to $10,000.
The key is making the fine large enough so the companies that are collecting the data decide it's worthwhile to protect it, he said. "My bet is if we made it automatic ... My God, they'd protect that data."
There is also some talk about imposing stricter regulations on companies who hold massive amounts of sensitive consumer data.
WHAT CAN CONSUMERS EXPECT?
During the hearing, Smith said "Equifax is committed to make it whole" for consumers impacted by the cyber attack.
However, for the 145.5 million Americans whose information was stolen, who could be subject to identity theft and fraud at any time, what Equifax is offering amounts to a band-aid.
After initial widespread outrage over the company's plan to charge consumers a $10 fee to lock and unlock their credit, Equifax announced it had put together a no-cost "relief package."
The package includes free monitoring of consumer credit across all three bureaus, access to Equifax credit files, a free insurance policy to cover out-of-pocket costs associated with identity theft, and a dark web scans for consumers' Social Security numbers.
As of January 2018, the company will also provide a lifetime service allowing consumers to lock and unlock their credit files to prevent new or unauthorized activity in their name.
The company also made clear that, despite earlier reports, an individual does not waive their right to sue Equifax if they use the company's Am I Impacted? 'tool.
Rep. Schakowsky, who recently reintroduced a consumer data protection bill, was unimpressed with Equifax's gestures. "Understand, we didn't sign up to give [Equifax] this information. There is no opt-in and there's not opt-out. You're stuck with these people."
In the future, consumers could have greater control over their credit file and who gets to access it. In the meantime, 145 million horses have been let out of the barn and the trouble may just be beginning for the agency responsible for protecting them.