House Democrats and Republicans have found common ground in their joint effort to uncover precisely what Equifax knew prior to revealing its data breach last month. That effort continued on Wednesday as lawmakers sought to learn more about what the embattled credit agency is doing to aid the roughly 145 million victims of this self-imposed calamity.
In a bipartisan letter obtained by Gizmodo, members of a House Energy Subcommittee on Oversight and Investigations demanded of Equifax additional details about the remedies being offered consumers in the wake of the breach — including whether the company's expenses were at all a contributing factor.
The letter was signed by Colorado Rep. Diana DeGette, the panel's ranking Democrat, and Rep. Joe Barton, Republican of Texas. It was important to understand, they wrote, Equifax's decision-making process given the historic size of the breach and the "potential decades-long effects of stolen personal information on the privacy and financial security of breach victims."
Equifax has offered to lock and monitor the credit of impacted consumers, as well as provide credit reports and identity theft insurance; however, the process by which Equifax determined the efficacy of these solutions remains unknown. A long-time proponent of post-breach consumer protection, Rep. DeGette raised questions last month over whether credit monitoring solutions are effective, or merely an effort by companies to "avoid liability" and give consumers "peace of mind."
In Wednesday's letter, addressed to Equifax interim CEO Paulino do Rego Barros, the lawmakers ask Equifax to respond to the following questions "no later" than November 3rd:
1. How did Equifax come to determine which remedies would be offered to consumers? Specifically, did Equifax consult any outside groups on the efficacy of consumer remedies or were all decisions made internally?
2. In addition to the aforementioned remedies, what other options did Equifax consider for consumer remedies?
3. When deciding what to offer consumers, did Equifax assess the costs associated with each remedy considered? If yes, were any remedies ultimately decided against, or offered for a limited period of time, due to cost?
4. Will Equifax periodically review its offerings should new information on the efficacy of existing and future remedies become available? If not, why?
5. Testimony before the Oversight and Investigations Subcommittee of the Energy and Commerce Committee in March 2015 has outlined the limited effectiveness of services such as credit monitoring. Were you aware of these shortcomings? If yes, to what degree did that information inform your decision-making in what remedies to offer?
New details about the breach — considered one of the largest, in terms of potential impact, in US history — continue to trickle in: It was revealed this week that 15.2 million UK customers' records were exposed, in addition to 10.9 million US drivers licenses. Security researcher Brian Krebs further uncovered that among the data stolen was detailed salary and employment history on a significant number of American citizens.