If you’ve paid any attention to American news this week, you’ve probably seen Congress repeatedly taking Equifax’s former CEO out to the woodshed. It’s been quite the shellacking. And it almost seemed as if we’d finally reached a breaking point. America wasn’t going to put up with companies recklessly handling people’s private data, losing control over it, saying “sorry”, and moving on like it’s business as usual any longer.
Former Equifax CEO Richard Smith testifies before the House Digital Commerce and Consumer Protection Subcommittee (Photo: Getty)
But then came the gut punch: Almost a month after Equifax fessed up to a data breach affecting up to 143 million people (145 million we know now), news broke that the company had been handed a no-bid federal contract with the IRS. Sure, it was only worth $US7.25 million ($9.3 million), chump change in the long run, but those aren’t just regular dollars — they’re freakin’ US taxpayer dollars. It’s enough to make you spit.
But one Texas lawmaker has an idea about how to rectify the situation: Instigate a Department of Homeland Security (DHS) investigation into whether Equifax represents a cybersecurity risk to the US federal government. In a statement, Republican Representative John Ratcliffe, a member of the House Committee on Homeland Security, called the Equifax breach a “cybersecurity negligence of epic proportions”, and he’s asking DHS to use its authority to “address this troubling development”.
[referenced url=”https://gizmodo.com.au/2017/10/irs-awards-equifax-725-million-no-bid-contract-to-help-verify-taxpayer-identities/” thumb=”https://i.kinja-img.com/gawker-media/image/upload/t_ku-large/vaogf5rul44w5kiepoaa.jpg” title=”IRS Awards Equifax $9.25 Million No-Bid Contract To Help ‘Verify Taxpayer Identities’” excerpt=”EFF co-founder John Perry Barlow once said that asking the government to protect your privacy is like asking a peeping tom to install your window blinds. The United States’ Internal Revenue Service, it seems, has taken this warning as a recommendation.”]
The news that the Internal Revenue Service (IRS) awarded a multi-million dollar contract to Equifax to assist in “ongoing identity verification and validations” left several lawmakers stunned, particularly those whose legislative duties include dealing with credit-reporting agencies and consumer data breaches. In a letter to IRS chief John Koskinen, Representative Earl Blumenauer wrote that he thought the news was something out of The Onion.
Representative Debbie Dingell, the cosponsor of a House bill that would require prompt notifications in the event of a breach, told Gizmodo that until Equifax truly answers for what happened, the company should not be “rewarded for reckless data protection with a $7.25 million IRS contract”.
“Americans place their faith in federal agencies — the IRS most certainly included — to safeguard vast amounts of their highly sensitive personal information,” Ratcliffe said. “As the lead civilian cybersecurity agency, DHS should play an important role in ensuring federal agencies engage in responsible cybersecurity behaviour, so we can maintain the confidence of the American people.”
Ratcliffe’s spokesperson told NextGov on Thursday that the congressman wasn’t ready to say Equifax should be banned throughout the US federal government, only that DHS should issue “binding operational directives” forcing federal agencies to improve their cybersecurity. Presumably, that would include not using services with a track record of negligently handling customers’ data. It could mean forcing the IRS to reconsider Equifax’s contract.
Banning Equifax entirely is an interesting idea, if not a risky precedent. If the federal government instituted a ban on every company affected by a data breach, it might run out of services to rely on. It’s widely accepted, after all, that it’s a question of “not if, but when” a given corporation will experience a data breach.
But that’s why culpability must be weighed against the company’s own conduct in the aftermath of a breach: Did it needlessly put consumers in harm’s way by disregarding its obligations to security? Did the company respond swiftly, doing everything in its power to protect those affected, notifying them promptly of any lingering risk? Equifax’s response, which included waiting over a month to notify the public and repeatedly failing to detect easily patched security vulnerabilities, does not the mustard cut.
We reached out to the Democrats on Representative Ratcliffe’s committee to see if his idea has earned any bipartisan support. (So far, taking it to Equifax has been spectacularly bipartisan affair!) And we asked DHS if they’re considering Ratcliffe’s investigation. We had not received a reply at time of writing.