U.S. Rep. Ryan Costello, R-6, grilled former Equifax CEO Richard Smith as he testified Tuesday before the Energy and Commerce Committee hearing on Capitol Hill in Washington.
As Smith testified, Costello questioned him about the company’s response regarding a massive security breach of the credit monitoring company’s systems, disclosed in September, that may have exposed the personal information of as many as 145 million individuals.
Below is the full transcript of Rep. Costello’s questioning:
Rep. Ryan Costello: I’ve heard from hundreds of constituents in my congressional district. There are approximately five and a half million in Pennsylvania. I’ve reviewed each and every one of the constituent stories that I’ve received and amongst my growing concerns: your baseline security practices leading up to the breach, the company’s awareness of the breach developments and relevant timing, how consumers can get assistance in securing their accounts, how reliable the recovery efforts are in the wake of the breach, and the path forward long-term for consumers’ personal information and making sure they are safe, despite the breach. And it’s this last one that is so particularly angering because it is going to potentially be so destructive to hundreds of millions of Americans – what might happen to them in the years to come. And as the head of the company, and throughout the company, the culture of the company has to know how predictable the damage can potentially be. So, I ask you, is it not predictable how bad it might get for the individuals who have been compromised? In terms of how much damage could be wrought upon them individually in the years to come?
Mr. Richard Smith, former Equifax CEO: Congressman, let me start by saying that like you, I’ve talked to constituents, consumers across this country who’ve been impacted. I personally read letters from consumers complaining, voicing their anger and frustrations, so I know what you are seeing back home in Pennsylvania.
Rep. Costello: But see I think the anger is going to be multiplied thousands of times when something actually happens. And so, when you talk about how predictable some of this is, the rollout of the call centers, and the second rollout, and the third rollout, it has to be predictable how massive this is and what would need to be put in place from a protocol perspective in order to address what’s coming. And the slow rollout and how poor it was done, to me is just inexcusable. I mean you have to have departments dedicated to dealing with this potential and it doesn’t appear to me as though that was planned – or if it was planned, it was planned extremely poorly.
Mr. Richard Smith: I understand your point, but it requires a little more color. Going from 500 call center agents to a need of almost 3,000 properly handled call center agents to handle consumer calls took time. We did the best we could in a short period of time. To ramp those up – I mentioned in my opening comments, two of our larger call centers in the first weekend –
Rep. Costello: I understand – the hurricane.
Mr. Richard Smith: Taken out by Hurricane Irma. We were not prepared for that kind of call volume.
Rep. Costello: How couldn’t you be? How couldn’t you be?
Mr. Richard Smith: It’s not our traditional business model. We – our traditional business model deals with companies – not four hundred million consumers.
Rep. Costello: But your business model has a couple hundred million customers, so on a breach of this scale, obviously, you’re going to have at least that number and probably twice that amount of people calling inquiring as to whether or not they’re subject to the breach. And that wasn’t done.
Mr. Richard Smith: Congressman, the difference is again, the primary business model we have is dealing with companies, not with hundreds of millions of consumers. We did the best we could, reacted as quickly as we could. I’d mentioned that the service is getting better each and every day. We’ve listened to consumers’ feedback, tried to make changes to the website, make changes in the call center.
Rep. Costello: You’re familiar with the Safeguards Rule? That’s essentially what you operate under?
Mr. Richard Smith: Yes.
Rep. Costello: How often does a forensic consultant issue a letter or a certification, or a law firm issue a certification that they feel your protocol is in compliance with the Safeguards Rule?
Mr. Richard Smith: We are in compliance. I’m not sure how often that is actually communicated to – is you’re saying communicated to us?
Rep. Costello: How would you know that you’re in compliance then? Because if you said you followed protocol and protocol led to this, then it’s very difficult for me – I mean that calls into question whether the Safeguards Rule is sufficient enough because if you’re saying that you’re in compliance with it, and you followed protocol, and this still happened – that unearths a whole other set of questions.
Mr. Richard Smith: Again, the speed of reaction and the scale of the reaction was unprecedented. I’m not taking excuses.
Rep. Costello: But there’s a corporate governance issue here as I see it. And that is your board of directors gets together, you’re the CEO, you have a chief information officer, you have a chief security officer, and at least once a year – and probably quarterly – you have, I presume, outside forensic consultants doing this stuff every single day for you on retainer. And the speed at which you have to do this just to run your company operationally, you don’t ever stop. It’s obviously ongoing and persistent. And it just seems to me that through insurance policies, through reporting to your board, through your board wanting to make sure that they’re doing their job, that you’re going to be looking for certifications from your outside forensic consultants doing audits to say yep, you’re doing good, you’re doing good. Here are the new threats, here’s how we’re updating. And I just don’t see – that’s the kind of information I think would be extremely helpful that we have not received any information on today, but I would ask you – since I’m well over my time – that I’d like to know how often your board asks you to certify whether or not you’re in compliance, and what is that protocol, and when was the last time you updated that protocol. You said you’ve complied with protocol. When was the last time that that was updated?
Mr. Richard Smith: I understand your question; we’ll get you the information.