Equifax Inc.'s former chief executive trekked to Capitol Hill on Tuesday to offer contrition and explanation for the credit reporting company's massive data breach. He was met with bipartisan incredulity and calls for tougher cybersecurity laws to protect Americans' sensitive information.
"It's like the guards at Fort Knox forgot to lock the doors and failed to notice the thieves were emptying the vaults," Rep. Greg Walden (R-Ore.) told Richard Smith, who stepped down last week in the wake of the hack that exposed the Social Security numbers and birthdates of as many as 145.5 million Americans.
"How does this happen when so much is at stake?" Walden asked. "I don't think we can pass a law that fixes stupid."
For three hours, Republicans and Democrats on a House Energy and Commerce subcommittee blasted Equifax for allowing its trove of consumer data to be hacked and then bungling the rollout of measures to help consumers deal with the breach.
"It seems to me that you've accomplished something that no one else has been able to accomplish … you have brought Republicans and Democrats together in outrage, distress and frustration over what's happened," said California Rep. Anna Eshoo (D-Atherton).
There's more to come for Smith, who is scheduled to testify at congressional hearings on the breach again on Wednesday and Thursday.
On Tuesday, he was contrite in his testimony, which lessened the hostility in lawmakers' pointed questioning.
"I'm here today to say to each and every person affected by this breach: I am truly and deeply sorry for what happened," Smith said. "Equifax is committed to make it whole for you."
He blamed the breach on "human error and technology errors."
Equifax failed to apply a software patch for a consumer dispute website in March, and the company's systems did not detect the vulnerability until July 29, Smith said.
Lawmakers were dumbfounded by the company's failure to patch the software and then, once the problem was discovered, to delay notifying the public for nearly six weeks.
Smith said Equifax employees worked "around the clock" to prepare for an onslaught of consumer inquiries. The company had to set up a new website and ramp up staffing at call centers.
Rep. Markwayne Mullin (R-Okla.) told Smith that the company's response should have been like a fire alarm on the wall, ready at a moment's notice to be pulled.
Smith acknowledged that "a crisis never occurs if everything has gone right."
Throughout the hearing, Smith was lectured on the ramifications of the breach.
"You can't change your Social Security number and I can't change my mother's maiden name," said Rep. Debbie Dingell (D-Mich.). "This data is out there forever."
Rep. Ryan Costello (R-Pa.) warned that the hack "is going to be potentially so destructive to hundreds of millions of Americans."
"The anger is going to be multiplied thousands of times when something actually happens," he said.
Some members of Congress do want to strengthen cybersecurity laws in the aftermath of the Equifax data breach and there appears to be growing bipartisan support for action.
On Monday, Rep. Jan Schakowsky (D-Ill.) reintroduced legislation that failed to pass in 2015 and that would require tough data security practices and additional consumer protections in the event of breaches.
"Equifax deserves to be shamed in this hearing, but we should also ask what Congress has done or has failed to do to stop data breaches from occurring and what Equifax plans to do," Schakowsky said. Several lawmakers at Tuesday's hearing said they backed her bill.
Rep. Joe Barton (R-Texas) said he thought financial penalties were needed to force companies to take security of sensitive consumer information more seriously.
"You're really only required to notify people and say, 'So sorry, so sad,'" Barton said. "It seems to me you might pay more attention to security if you had to pay everybody who got hacked a couple thousand bucks or something."
Equifax has been criticized for the delay in notifying the public and then initially making consumers give up their right to sue if they wanted free credit monitoring and identity theft protection.
Equifax later backtracked on that requirement. Smith said a mandatory arbitration clause was mistakenly cut-and-pasted into the terms of the tools offered to customers to deal with the breach.
In response to criticism, Equifax said last week that it would stop charging customers to freeze access to their credit records so that no data would be released to scammers. Smith called for such free credit freezes to be the industry standard and said the nation should consider replacing Social Security numbers "as the touchstone for identity verification."
But when asked at the hearing, Smith said Equifax would not pay for credit freezes for affected consumers at the other two leading credit rating companies, Experian and TransUnion.
Smith also was pressed on the sale of stock by three Equifax executives.
On Aug. 1, the executives sold thousands of shares of Equifax stock for about $146 a share. The company's stock sharply declined after Equifax announced the data breach Sept. 7.
Smith said he was notified of "suspicious activity" in Equifax's network on July 31. But such activity is common and it wasn't until Aug. 11 that an investigation indicated hackers might have been able to access Social Security numbers and other sensitive personal information.
Lawmakers pressed Smith on whether the executives who sold the stock knew of the scope of the breach when they made the sales.
"They're honorable men. They're men of integrity," Smith said. "I have no indication they had any knowledge of the breach at the time of the sale."
Equifax's board of directors has formed a special committee and is "conducting a thorough review of the trading at issue," Theodore M. Hester, an attorney retained by Equifax, said in a letter Friday to Democrats on the House Energy and Commerce Committee.
11:35 a.m.: This article was updated with additional comments from the hearing.
8:55 a.m.: This article was updated with additional comments from the hearing and background information about three executives' sale of Equifax stock.
7:55 a.m.: This article was updated with additional comments from the hearing.
7:25 a.m.: This article was updated with remarks by Rep. Frank Pallone.