As might be expected from the Democrat’s consumer protection Pitbull, Sen. Elizabeth Warren (D-Mass.) has expanded her investigation into the causes of the recent Equifax breach, the company's response, and possible next steps to address problems at credit reporting agencies.
Warren’s latest efforts included letters to the chairman of the Securities and Exchange Commission, Equifax's Board of Directors, and the Department of Homeland Security (DHS), to request additional information.
Warren urged SEC Chairman Jay Clayton to investigate whether Equifax violated federal securities laws that prohibit public companies from misleading investors. She noted that despite discovering the breach on July 29 and retaining a cybersecurity firm to investigate it four days later, Equifax failed to disclose those material facts during an investor presentation on Aug. 16th.
“Investors who believed Equifax's Aug. 16th presentation was complete and accurate would have suffered enormous losses if they decided to invest in the company on the basis of the presentation,” Warren wrote. Equifax's share price has dropped more than 30 percent since its investor presentation and subsequent announcement of the breach on Sept. 7.
In a letter to Mr. Robert Marcus, chairman of the Compensation Committee of the Equifax Board of Directors, Warren and Senator Catherine Cortez Masto (D-Nev.) requested details on the rationale and financial consequences of the retirement, roughly a week after the Equifax data breach was reported, of two executives who had direct responsibility over data security. The senators also requested information about Equifax's clawback policy, and whether the company would invoke it to recover incentive compensation from the two executives.
In a third letter, Senator Warren wrote to DHS Acting Secretary Elaine Duke, and the Department's Acting Deputy Undersecretary of Cybersecurity, about reports that the United States Computer Emergency Readiness Team (US-CERT) warned Equifax, months before it occurred, about the exact vulnerabilities exploited during the breach.
Equifax appears to have failed to address the vulnerabilities despite US-CERT's notification, Warren says.
“I am deeply concerned about Equifax's failure to address the vulnerability US-CERT identified,” she wrote. “Companies like Equifax that collect massive amounts of data on millions of Americans should have the most robust data security practices. At a minimum, that means addressing clearly identified cybersecurity threats as quickly as possible.”
Warren asked DHS to provide additional information about US-CERT's warnings to Equifax and the company's response.
These letters are the second phase of an investigation launched last week by Senator Warren and other Senate Democrats. Following the breach and Equifax's “delayed and lackluster response,” she initially sent letters to Equifax; to the other two large credit reporting agencies (TransUnion and Experian); to the Federal Trade Commission, and Consumer Financial Protection Bureau, on oversight actions prior to and following the breach; and to the Government Accountability Office to request a thorough investigation into consumer data security of credit reporting agencies.
Warren has also introduced the Freedom from Equifax Exploitation (FREE) Act to give control over credit and personal information back to consumers. The legislation would allow consumers to freeze and unfreeze access to their credit file for free. It would also prevent credit reporting agencies from profiting from consumers' information during a freeze, enhance fraud alert protections, and provide the opportunity for consumers to receive an additional free credit report following the Equifax data breach.
The bill would force Equifax and the other credit reporting agencies to refund any fees they charged for credit freezes in the wake of the Equifax data breach.