Lawmakers grilled former Equifax Inc. CEO Richard Smith on Tuesday after hackers attacked the company’s systems and got access to sensitive information for 145.5 million Americans.
U.S. companies and government agencies have disclosed 1,022 breaches this year, according to the Identity Theft Resource Center. Lawmakers from both parties said it’s time to enact tougher rules for data security.
Here are five ideas floated during the hearing:
Replacing Social Security numbers
Smith said that the U.S. should transition away from using Social Security numbers as the standard for identity verification.
“The concept of a Social Security number in this environment being private and secure—I think it’s time as a country to think beyond that,” Smith said.
The Trump administration also is exploring ways to replace the use of the federally issued numbers as the main method of confirming identities.
Representative Joe Barton wondered if companies like Equifax might do a better job protecting customers’ data if there were federal fines for breaches.
“You might pay a little bit more attention to security if you had to pay everybody whose account got hacked a couple thousand bucks,” said Barton, a Texas Republican.
Equifax could theoretically be fined as much as $143 billion under a federal law that charged as much as $1,000 per violation.
Creating a federal breach notification law
While most states require companies to inform consumers affected by cyberattacks, there’s no federal notification law.
Representative Doris Matsui, a Democrat from California, said that should change. “Forty-eight states have implemented laws that require consumers to be notified of security breaches,” Matsui said. “We must act to ensure that all Americans are subject to protections like this at the federal level.”
Consumer Financial Protection Bureau (CFPB) officials have said the agency should embed more regulators at the three largest U.S. credit-rating firms to monitor cybersecurity—a plan endorsed Tuesday by Representative Jan Schakowsky.
“Companies like Equifax need more accountability, not less,” said Schakowsky, an Illinois Democrat. “Credit reporting agencies need embedded regulators to protect consumers’ sensitive information.”
Giving consumers control
Schakowsky also said she’d like lawmakers to start a broader discussion about the role of credit-reporting firms.
Consumers don’t have the ability to remove their information from Equifax’s databases because it’s furnished by banks and telecommunications companies. “Most Americans really don’t know how much information” the companies have, Schakowsky said. “I don’t want you to have my information anymore. I want to be in control of my information.”