Bloomberg
Wells Fargo & Co. is wrapping up one of its worst years ever by passing a baton to Washington’s new favourite financial-industry villain: Equifax Inc.
Executives from both companies will travel to Capitol Hill this week to testify in overlapping hearings about efforts to aid customers stung by lapses at their firms. Lawmakers on both sides of the aisle are eager to use Wells Fargo’s retail bank scandals and Equifax’s massive data breach to push their political agendas on everything from computer security to financial regulation.
For Wells Fargo, the congressional flogging can’t get much worse than it was last year for then-CEO John Stumpf, who was berated and insulted and then ousted. This time around, analysts, lawmakers and their staffers expect Tim Sloan, who succeeded Stumpf, to be better prepared and that his biggest challenge will be to explain why more revelations about fake accounts and other lapses keep dribbling out. But time in the hot seat is just starting for Richard Smith, who stepped down as CEO last week. He will testify before four separate congressional panels, including the House Energy and Commerce Committee, which has jurisdiction over the Federal Trade Commission and a wide range of consumer-protection issues.
In prepared remarks for the session, Smith said the credit-reporting company didn’t meet its responsibility to protect sensitive consumer information, which led to the theft of personal data for almost half of all Americans. The company said that an outside cybersecurity firm has completed its review of the breach and boosted its estimate of impacted US consumers to 145.5 million, an increase of 2.5 million.
The company has said hackers exploited a vulnerability in open source Apache software it was using. But a patch for the flaw was available in March, about two months before hackers began accessing sensitive information on Equifax’s servers. Smith said in his testimony that the firm asked personnel to fix the vulnerabilities on March 9, noting that company policy requires patching to occur within 48 hours.
“We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched,” Smith said. “Equifax was entrusted with Americans’ private data and we let them down. To each and every person affected by this breach, I am deeply sorry that this occurred.”
Smith will urge lawmakers to consider creating a public-private partnership that will examine replacing Social Security numbers as the standard for identity verification in the U.S., according to the testimony. He also will propose that all three national credit-reporting firms adopt programs that give consumers free lifetime credit locks. Lawmakers have warned that this week will be just the beginning of additional hearings, investigations and legislation that could have implications for the entire finance industry.
“What has transpired over the past several months is one of the most egregious examples of corporate malfeasance since Enron,” Senate Minority Leader Chuck Schumer, a New York Democrat, said in a speech on the chamber’s floor last month. “We need to get to the bottom of this, the very bottom. The murky bottom. The dirty bottom.”
Future Hearings
Smith will later appear before Senate and House committees that oversee law enforcement, cybersecurity and regulation of financial companies. Lawmakers are expected to grill him on the timeline of the breach, including when top executives learned about the incident and how they responded. In the short term, lawmakers want to ensure the company helps protect consumers against fraud.
Leading up to the hearings, Equifax executives have been briefing congressional staffers on what they’ve done to remedy the fallout, such as replacing senior company leaders and launching internal reviews. But so far, the staffers have left unimpressed. Some attendees said the company couldn’t answer basic questions about the breach and deferred queries to data-security experts or other executives who’ve stepped down.
One particular area of focus is whether Equifax had appropriate standards in place to protect sensitive data, or whether it failed to follow them.
“You can’t stop stupidity, you can’t even legislate against it,” Representative Greg Walden, an Oregon Republican and chairman of the House Energy and Commerce Committee, told CNBC last month. “But you sure can hold people accountable for it.”
Stock Sales
Lawmakers also will probably examine stock sales by senior executives after the company first learned of the breach. Three of them unloaded shares worth almost $1.8 million within days of the discovery.
Equifax has said the managers didn’t know of the intrusion at the time. The company’s board is reviewing the sales, and federal law-enforcement agencies also are investigating.
The company’s legal department, led by Chief Legal Officer John Kelley, might draw scrutiny from lawmakers. Officers in that department are typically notified of security incidents to help with the company’s response, according to a Sept. 28 letter Equifax’s outside lawyers submitted to Walden’s committee. That same unit also signed off on the three executives’ stock sales, regulatory filings show.
Lawmakers may use the data breach to try to advance legislation, potentially setting rules for companies to report incidents or subjecting credit-reporting firms to more regulation. Despite the furor, any action might take a while — or never happen.
“This is more politics than policy, it’s all about the Senatorial sound bite,” said Isaac Boltansky, an analyst at Compass Point Research & Trading. “I don’t know that we’re going to have that much substance that follows.”