WASHINGTON – Georgia lawmakers in Congress are seeking answers from the Atlanta-based credit firm Equifax in the wake of its massive security breach, but many say they want to hear from top executives before considering any next steps.
Many of the state’s representatives have tread carefully after the hack, which the company announced on Thursday. Most have said it’s too early to pursue some of the prescriptions advocated by some Democratic of Congress, including potentially jailing some top executives who traded stocks before the breach was made public.
Instead, many of the lawmakers said congressional committees should first move forward with their announced investigations before making any decisions about new cybersecurity laws, regulations or disciplinary actions.
“If you make those decisions before you investigate, you’re going to do the wrong thing,” said U.S. Sen. Johnny Isakson, R-Ga. “You don’t rush to judgment on Equifax. Equifax has got a lot of explaining to do, but you’ve got to give them the chance to explain before you rush to judgment.”
“Let’s get down to as much of the facts as we can and then let that guide our next actions,” said U.S. Rep. Buddy Carter, R-Pooler.
At least two House committees have announced plans to hold hearings on the company’s handling of data and security, and more congressional inquiries are likely to be announced.
In the Senate, the top Republican and Democrat on the Finance Committee penned a letter to Equifax Chairman and CEO Rick Smith seeking information about the company’s digital security infrastructure, a detailed timeline of the events surrounding the breach and more details about the personal information that was hacked. They also asked for details about the stocks sold by three Equifax executives days after the company learned of the incident but before the cyber theft had been made public.
Other Democrats were more definitive about what they want to see next.
U.S. Sen. Heidi Heitkamp of North Dakota called for an investigation into the stock sales and said if a crime occurred, “somebody needs to go to jail.”
Equifax previously said the executives had not been aware of the hack when they sold their stock.
“These are very complicated issues, and we expect to be engaging with regulators and legislators in the future,” Equifax spokeswoman Meredith Griffanti said in a statement about the Senate Finance Committee letter. She said the company plans to respond to the committee’s request for information and Equifax is “listening to issues that consumers are experiencing, and their suggestions are helping to further inform our actions.”
One of the most critical Georgia lawmakers was Democrat Hank Johnson of Lithonia, who said the hack proved the need for Congress to pass two bills he sponsored earlier this year related to data privacy and forced arbitration.
“I will continue introducing these critical bills — fighting to ensure all consumers have the tools they need to protect themselves from identity theft and have their day in court,” he said.
Many Georgia lawmakers have been boosters of the homestate credit bureau in the past. The firm has donated thousands to local lawmakers in recent years. (Isakson was by far its biggest recipient in 2016 as he ran for reelection.)
Equifax is “a longstanding Georgia company and we want to make sure that they come out of this standing as tall as possible,” said Atlanta Democrat David Scott. “And the way to do that is to … find out what happened and who’s responsible so that (it has) the confidence of the people.”
Scott and Isakson are members of informal House and Senate groups aimed at “explor(ing) new and innovative technologies in the payments industry and address issues concerning data security, consumer protection and electronic payments.”
Scott said he’s worried that “our lack of cybersecurity is becoming a very serious national security issue” and that some new rules may be needed to beef up enforcement.
“There’s no question about the fact that Congress needs to act here and learn from all of this,” he said.
Other Georgia lawmakers said the investigations needed to play out first.
“I want to find out more about just what happened before I make any definite statements on that, so I really don’t want to go there,” said Monroe Republican Jody Hice. “As a general rule, companies like that have got to police themselves or they’re going to lose business. If information is not secure, people will go somewhere else.”
Isakson said “failure is not an option” given that the hack compromised the personal information of more than 140 million Americans.
“We’ve got to make sure that the credit is protected, that the information is protected and the consumers are protected,” he said, “and Equifax has got to pay for the mistake if in fact they made it.”