Newsroom

Former Equifax CEO Richard Smith on Wednesday continued his tour on Capitol Hill to defend his previous employer's response to a data breach that disclosed the personal financial information of more than 145 million Americans.

Smith testified first in the morning before the Senate Banking Committee, followed by an afternoon hearing with the Senate Judiciary Subcommittee on Privacy Technology and the Law. Similar to Tuesday's experience, lawmakers quizzed Smith about the timeline of events, including who knew what details and when.

Senate Banking Member Elizabeth Warren, D-Mass., condemned Equifax's business model, noting the firm makes money from data breaches – including its own – because more Americans then sign up for identity theft protections. She also noted that small banks and credit unions will be hurt because they'll have to shoulder the costs of issuing new cards to members.

One positive outcome of the Equifax data breach is a renewed bipartisan interest in legislation to strengthen the country's data security laws, said Senate Banking Chairman Mike Crapo, R-Idaho. NAFCU, citing the cost to credit unions and their members of the unending stream of merchant data breaches, has been an active advocate for a strong national data security standard similar to the one credit unions follow under the Gramm-Leach-Bliley Act (GLBA).

Throughout Wednesday's hearings, senators noted various bills along this line, and Sen. Patrick Leahy, R-Vt., said he would reintroduce the Personal Data Privacy and Security Act. While NAFCU supports many provisions of the bill, any final legislation should apply to entities not currently under GLBA and require any non-depository institutions already covered by GLBA to be examined regularly.

Smith will testify in one more hearing today with the House Financial Services Committee at 9:15 a.m. Eastern. NAFCU President and CEO Dan Berger again sent a letter to the committee ahead of the hearing, calling for congressional action to ensure that credit unions do not bear the cost of negligent data practices by entities like Equifax.