A mishmash of lawmakers from different parties and committees are wading into the aftermath of Equifax’s megabreach, with some using it to advance their policy agendas while others are calling for possible criminal prosecution.
The House Financial Services Committee and Energy and Commerce Committee are planning hearings on the breach, which compromised the data of 143 million consumers, while the Senate Finance Committee has already demanded answers from Equifax’s CEO.
Senate Banking Committee Chairman Mike Crapo, R-Idaho, said Tuesday that he is still considering whether to hold a hearing, but is seeking more information about what happened.
“At this point, we are investigating at a staff level and in other ways to find … out what we need to do about it,” Crapo said. “We are gathering facts. We’ll get a better answer to that once we get more information.”
The number of lawmakers involved is only likely to grow in the coming days.
Sen. Heidi Heitkamp, D-N.D., told credit union executives at a National Association of Federally-Insured Credit Union conference that Congress needs a better central command to respond to such incidents.
“Almost the entire center of gravity on cybersecurity in Congress is in” the intelligence committee, said Heitkamp, who added that it focuses on nation-state attacks but not the “millions of everyday threats that we know exist.”
“We do not have a center of gravity to have that discussion in Washington, D.C., on cybersecurity," she said. "I personally believe” the “center of gravity needs to be at the Homeland Security Committee.”
Despite the jockeying for jurisdiction over the breach, what comes out of Congress is harder to gauge. Republicans were reluctant to promise a legislative solution, suggesting that regulators may be better positioned to handle the fallout.
“I’m not a big fan of government getting involved with private industry; perhaps some rules and regulations would work best,” Rep. Blaine Luetkemeyer, R-Mo., said at the National Association of Federally-Insured Credit Unions caucus meeting.
He added that “legislation takes too long” to craft and implement and that the industry is evolving so quickly, it is hard for laws to keep up.
Speaking on the sidelines of the conference, House Financial Services Committee Chairman Jeb Hensarling said it is “premature to come to conclusions.”
“We are gathering facts now,” he said. “We will have a hearing in fairly short order on the subject. This is one of the most serious data breaches that has occurred in our history.”
But it was clear that lawmakers wanted to punish Equifax in some way. Heitkamp declared that “somebody needs to go to jail” if reports are true that executives cashed in their stock before the breach became public.
Sen. Sherrod Brown, the top Democrat on the committee, expressed frustration at the credit reporting bureau’s breach and said there needs to be a bipartisan effort to hold the firm accountable.
“Equifax has let criminals get their hands on the most private and valuable pieces of Americans’ financial identities,” Brown said. “We need to work together to make sure companies that use our private data are held accountable for its protection.”
The discussion of how to punish Equifax comes as lawmakers use the breach to battle over another issue—the Consumer Financial Protection Bureau’s rule to ban mandatory arbitration clauses. Republicans are struggling to get the necessary 50 votes to overturn the rule, and at least one GOP senator voiced concern.
“We are going to have some additional discussion” about the CFPB rule, said Sen. Mike Rounds, R-S.D. “Let’s get the facts first and let this thing clear a little bit.”
Rounds said he personally wouldn’t use the credit monitoring service that Equifax is offering in response to the breach.
“The problem is once again you are signing up with the organization that lost your data in the first place,” he said. “It is actually surprising to me that the company that lost it is now suggesting to people that they should come back in and provide additional data back to that company and then that they will then provide protection to them. I personally would say let’s have a reliable third-party organization providing that security.”
Other Republicans, meanwhile, were arguing that they should probe the CFPB’s collection of anonymized mortgage and loan data, arguing it might also pose a threat.
“We’ve got concerns about the CFPB as well,” said Sen. David Perdue, R-Ga. “They’re collecting a lot of information about private consumers that nobody talks about.”
Crapo seemed to agree, saying that the CFPB’s data collection poses at least as big a risk to consumers as the Equifax breach, noting that all manner of transaction data that are recorded by the bureau without consumers’ knowledge.
“I’ve been pushing the CFPB since I’ve been chairman, in fact before I was chairman, on their data collection,” Crapo said. “That’s as big a risk as any of the other kinds of data collections going on.”