With a consumer activist dressed as Rich Uncle Pennybags (aka the Monopoly Man) behind his left shoulder, Richard Smith, the former chief executive officer of the credit bureau Equifax, faced another withering round of questions from lawmakers about the hack that exposed the personal information of up to 145.5 million Americans.
The Senate Banking Committee covered similar ground to their House colleagues who examined Smith on Tuesday. They pressed him on the stock sales by a group of high-level Equifax executives in the days following the hack, and on the company's lackluster and unclear communications with consumers following the hack's announcement.
Smith resigned from Equifax late last month, as outrage grew over the data breach and the way the company handled it.
Several senators noted that Equifax had made no commitments to help consumers whose credit will be affected by their seizure of their personal information, and they brought up a new topic: the company's newly won $7 million fraud prevention contract with the Internal Revenue Service, which was revealed by Politico Tuesday.
Nebraska Republican Sen. Ben Sasse asked Smith, "Why should anyone hire Equifax for fraud protection right now after this exposure?" to which Smith could only respond, that for "most" of the 118 years Equifax has been in business, "we've done good things."
North Dakota Democrat Sen. Heidi Heitkamp suggested that Equifax not take the IRS contract and that the three Equifax executives who sold their stock in the days following the breach forfeit their profits. "It's the symbolic things," she said.
Giving Equifax an IRS contract, Louisiana Republican Sen. John Kennedy told Smith, was like "giving Lindsay Lohan the keys to the mini bar."
Smith said repeatedly that, to his knowledge, the three Equifax executives had not been aware of the possibility of a breach when they sold almost $2 million worth of stock in early August.
But the senators were dubious. "This really stinks — it really smells really bad," Sen. Jon Tester, a Montana Democrat, told Smith, adding, "I guess smelling bad isn't a crime."
Sen. Tim Scott, a South Carolina Republican, also cast doubt on Smith's account. "The stock sales seem to suggest more information than we are getting here," he said. "This was pure luck and nothing else?"
Virginia Democrat Sen. Mark Warner scolded Smith for how the company handled the consumer-facing response to the hack, with a new website that was not connected to Equifax's domain, as well as what Smith has said were not enough call-center employees, and Equifax's social media channels directing consumers to incorrect URLs.
Warner also excoriated Smith and, by extension, Equifax's security and information teams for "cyber-hygiene practices that are sloppy in the extreme," referring specifically to Equifax's failure to install a software patch in March that would have secured a vulnerability in a portal on its website that hackers used to steal personal information.
"What in heaven's name were you thinking?" an exasperated Warner asked at the end of his long litany of Equifax's failures.
"I apologize," Smith responded.
"Why should any of us have any faith that you’re putting anything in place that appropriate when the immediate actions you took after the knowledge that the hack took place was so sloppy and so inadequate?" Warner said.
Hawaii Democrat Sen. Brian Schatz, picking up a thread from Tuesday's hearing, asked Smith about his compensation from Equifax, both during his time at the company and in the future. Smith will receive an $18 million pension and could be eligible for tens of millions of stock awards depending on the performance of Equifax shares in the coming years.
"You leave with your base salary, unvested options, and a pension [all] roughly valued at $90 million, help me understand why that's fair?" Schatz asked.
"Those numbers don't resonate with me," Smith told the dumbfounded senator, adding that his final compensation is yet to be determined.
Massachusetts Democrat Sen. Elizabeth Warren had one of the more aggressive lines of questioning for Smith — as she typically does during Senate Banking Committee hearings that feature apologetic and scandal-ridden executives from the financial services industry.
Warren pressed Smith on how Equifax will be able to profit from the breach. She pointed out that, while the company's credit lock service will be free for life, the credit-monitoring service it is offering now is only available free for a year.
Warren also said that LifeLock buys data from Equifax in order to sell its own identity theft protection services. LifeLock's standard service costs $9.99 per month and its highest-level service costs $29.99. The company has said that it got over 100,000 new sign-ups in the week following the hack and told CNN that it's "enrolling 10 times as many customers every hour."
"From the second Equifax announced this breach, they’ve been making money off consumers who purchased monitoring through LifeLock," Warren said.
Warren said that 7.5 million people had signed up for Equifax's own free credit monitoring for one year. She calculated that if only 1 million people continued to use the service after the free year, Equifax could have almost $200 million in revenue per year thanks to selling its own services to deal with the hack.
Equifax, the senator continued, "did a terrible job to protect our data. They didn’t have a reason to care to protect our data. The incentives in the industry are completely out of whack.
"Consumers will spend the rest of their lives worrying about this and Equifax will be just fine — it could come out ahead," Warren said, picking up a head of steam.
But she was not finished yet. "Consumers should decide who gets access to their own data," Warren said. "Senior executives should be held personally accountable. The company should pay mandatory and severe financial penalties for every record that’s stolen. We've got to change this industry before more people are injured."
