“We could have this hearing every year from now on if we don’t do something to change the current system,” Mr. Barton said.
He said he would like to see companies fined for every account that gets breached — with penalties large enough “that even a company that’s worth $13 billion would rather protect the data, and probably not collect as much data, than have to come up here and appear and say ‘we’re sorry.’”
The Equifax hacking sparked widespread outrage, as well as bipartisan demands for more information from the company on how the security debacle happened and what steps the company is taking to handle the fallout. The outcry has increased the odds of new rules or laws governing the credit-reporting industry.
Representative Frank Pallone Jr., Democrat of New Jersey, called for Congress to pass legislation that would do more to protect consumers whose personal data is stolen in such breaches. “Of course, breaches will continue to occur but they occur more often when there is no accountability and when no preventative measures are in place,” Mr. Pallone said.
After Tuesday’s grilling, Mr. Smith is scheduled to testify at three additional congressional hearings this week.
On Monday, Equifax said the personal information of nearly 146 million Americans may have been stolen, an increase of more than two million from the company’s previous estimate.
Mr. Smith provided some new details about the breach.
In early March, the Department of Homeland Security sent Equifax and others an alert about a critical vulnerability in software that Equifax used in an online portal for recording customer disputes. The company sent out an internal email requesting that its technical staff fix the software, but that was not done, Mr. Smith said.
By mid-May, attackers had found the unpatched software and used the flaw to gain access to sensitive information. Their actions went undetected until late July, when Equifax finally registered suspicious traffic on its network.
Equifax cut off the attackers at that point and began an investigation, but it did not grasp the scale of the theft, or that consumers’ personal information had been exposed, until mid-August.
The company’s full board was not notified until the end of the month, nearly four weeks after Equifax discovered the breach.
“Mistakes were made,” Mr. Smith said, referring to extensive problems with Equifax’s call centers and with the website that it set up to provide information to those whose information may have been exposed.
Some lawmakers have called for new consumer protections such as stricter monitoring of the credit bureaus and a federal rule standardizing requirements to notify victims of data breaches.
Mr. Smith said he would be amenable to rethinking the role that Social Security numbers play in identity verification. Critics have long condemned the widespread reliance on the numbers as a verifier, calling the practice insecure.
Mr. Smith said he would like companies and government agencies to “begin a dialogue” about replacing Social Security numbers as a key verifier.
“It is time to have identity verification procedures that match the technological age in which we live,” he said.