Former Equifax CEO Richard F. Smith said that he is "deeply sorry" for the Equifax data breach and detailed the company's remediation efforts.
In testimony before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, Mr. Smith, who resigned from his position on September 25, 2017, acknowledged that the data of 140 million consumers had been stolen from Equifax servers. He also acknowledged that the compromised data included names, Social Security numbers, birthdates, addresses and credit card information. Mr. Smith conceded that the Department of Homeland Security warned about a vulnerability in software used by Equifax on March 8, 2017, but the vulnerability was never addressed. As a result, between May 15 and July 30, attackers continuously accessed customers' private, personally identifiable information.
Equifax announced that the breach occurred on September 7. Mr. Smith stated that the company instituted remedial measures, including (i) a website for customers to determine whether they were affected by the breach, (ii) a call center to address customers' questions, and (iii) the development of identity protection and monitoring tools for customers. Mr. Smith said that the rollout of the remedial measures included various missteps, such as the accidental inclusion of a mandatory arbitration clause and understaffed call centers.
Mr. Smith asserted that cybersecurity issues have plagued various other companies and government agencies, and encouraged policymakers and corporations to remain vigilant about emerging cybersecurity issues.
The State of Massachusetts brought charges against the credit reporting agency Equifax for failing to adequately protect consumer data and other related violations.
At the direction of Governor Andrew Cuomo, the New York Department of Financial Services proposed expanded cybersecurity regulations for credit reporting agencies.
In the wake of the recent Equifax cybersecurity breach, Cadwalader attorneys reviewed SEC policies, procedures and controls on cybersecurity-related disclosures.