Senators on Wednesday slammed Equifax Inc. for making money off its massive data breach and said Americans should have more control over the vast amount of sensitive personal information that credit reporting companies have about them.
"Equifax and this whole industry should be completely transformed," Sen. Elizabeth Warren (D-Mass.) told the company's former chief executive, Richard Smith, at a hearing. "Consumers — not you — should decide who gets access to their own data."
Warren and other members of the Senate Banking Committee questioned a business model that allows Equifax and the other credit reporting companies to collect consumers' data and then charge them to monitor for misuse of that information by identity thieves.
"I don't pay extra in a restaurant to prevent the waiter from spitting in my food," said Sen. John Kennedy (R-La.). "I think this is a very clever business model you've come up with."
Smith, who stepped down last week in the wake of the breach, faced a second straight day of sharp bipartisan criticism on Capitol Hill for the hack that exposed the Social Security numbers and birthdates of as many as 145.5 million U.S. customers. On Tuesday, he appeared before a House Energy and Commerce subcommittee.
On Wednesday, in addition to facing the Senate Banking Committee in the morning, Smith appeared before a Senate Judiciary Committee panel later in the day. He is scheduled to testify at a House Financial Services Committee hearing on Thursday.
Senators also were outraged about the revelation that Equifax last week was awarded a $7.3-million no-bid contract by the Internal Revenue Service to verify taxpayer identities and prevent fraudulent access to the data.
"I won't ask for a show of hands in the room, but I don't know who would want to say we should buy fraud protection from the people who were just hacked and dumped 145 million American records," said Sen. Ben Sasse (R-Neb.).
Kennedy was more blunt.
"You realize, to many Americans right now, that looks like we're giving Lindsay Lohan the keys to the minibar," he said.
The IRS said in a statement that Equifax was awarded a short-term contract to prevent a lapse in services and it was told by the company that no IRS data was involved in the breach.
"Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems," the statement said. "At this time, we have seen no indications of tax fraud related to the Equifax breach, but we will continue to closely monitor the situation."
But the chairman and top Democrat on the Senate Finance Committee, which oversees the IRS, wrote to the agency's commissioner on Wednesday saying they were "taken aback" by the contract and asking for more details.
Sen. Mike Crapo (R-Idaho), the committee's chairman, said that he believed there was bipartisan interest in legislation strengthening data security laws.
"The amount of data that the private industry and the government collect and store is very concerning," Crapo told Smith.
As he did at the House hearing Tuesday, Smith apologized for human and technical errors that led to the data breach. But senators hammered him for Equifax's failure to protect its data and then taking almost six weeks to notify the public of the breach.
"A gold mine for hackers should be a digital Ft. Knox when it comes to security. But security doesn't generate short-term profits," said Sen. Sherrod Brown (D-Ohio). "Protecting consumers apparently isn't important to your business model, so you just gathered more and more information and peddled it to more and more buyers."
Warren quoted a speech Smith gave in August in which he said that fraud was a "huge opportunity" for Equifax because it could sell credit monitoring services.
"So the breach of your system has created more business opportunities for you," she said.
Equifax has offered a year of free credit monitoring to customers. So far 7.5 million people have signed up for it, Warren said. If just 1 million of those decided to buy another year's protection at $17 a month, that would generate more than $200 million for Equifax, Warren said.
The company also sells credit monitoring services to businesses and the government, she said. And Equifax is compensated for providing credit monitoring to LifeLock, an identity theft protection company that has seen a surge in business since the hack, Warren said.
"You've got three different ways Equifax is making money — millions of dollars — off its own screw-up," Warren said.
"Equifax did a terrible job of protecting our data because they didn't have a reason to care to protect our data," she said. "The incentives in this industry are completely out of whack."
Warren called for "mandatory and severe financial penalties for every consumer record stolen." That echoed a call from Rep. Joe Barton (R-Texas) at Tuesday's House hearing.
Smith said the best solution was to allow consumers to easily lock access to their credit data for free whenever they want via an app that the company is rolling out in January.
But some senators want consumers to have even more control. Brown noted that Americans must give permission before their medical records are shared and pressed Smith on whether consumers should be allowed to request credit rating companies delete their data.
Smith said that would prevent consumers from getting credit cards and other financial products.
"If you're not in the credit ecosystem, you don't get a loan," Smith said.
Last month, Warren introduced the Freedom from Equifax Exploitation Act. The legislation would require that credit reporting companies allow consumers to freeze access to their credit files at no cost. Equifax also would be required to refund any fees it has charged for credit freezes after the company's data breach. The bill has 17 co-sponsors, but no Republicans have signed on.
Rep. Jan Schakowsky (D-Ill.) this week introduced legislation in the House that would require credit rating companies and other firms that collect and store personal information to enact tough data security practices and require prompt notification of breaches.
12:40 p.m.: This article was updated to note other appearances by Richard Smith before congressional committees.
10:45 a.m.: This article was updated with comment from the IRS and details about a letter from the chairman and top Democrat on the Senate Finance Committee.