Al Franken tears into former Equifax CEO over the data breach

Franken questioned the former CEO over the massive data breach.

Sen. Al Franken made a national splash earlier this year with his pointed questioning in committee hearings, attention that even led to 2020 buzz.

The latest target of Franken's ire? Former Equifax CEO Richard Smith.

Smith sat in front of Franken and the rest of a Senate privacy subcommittee Wednesday to talk about the enormous data breach (and yes, that was the Monopoly man in attendance). 

It was initially thought that 143 million Americans may have had their personal information compromised – that number has now gone even higher, with Franken calling the entire ordeal a "worst case scenario," but one that's become "our new reality." 


And then Franken went after Smith for something the former CEO said a day earlier.

Smith told a different committee Tuesday that "human error" and "technology failures" allowed the data breach to occur. He blamed the human error piece specifically on one unnamed person who did not tell the company a patch was available, according to The Verge.

“The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not,” he said. 

Fast forward to Wednesday.

"Why is the security of 145 million Americans' personal information all in the hands of one guy?" Franken asked Smith. "How did you – knowing the seriousness of this – put it in the hands of one guy to screw up?"

Smith countered by explaining there was a team underneath the individual, but that the individual did not communicate.

"That doesn't change that it's up to one guy, and that human error is up to one guy," Franken replied.

Smith said Equifax, back on March 15, had used a scanner to find vulnerabilities in its systems as well, but that it didn't turn up anything. 

You can watch the 12-minute exchange here:

Franken then shifted gears to Equifax's credit monitoring offer following the breach. The company offered affected consumers one year of its TrustedID service for free, but initially had language in the terms that required anyone who signed up to agree to forced arbitration. Meaning if something went wrong, a consumer couldn't join a class-action lawsuit.

Equifax removed the arbitration clauses after an uproar. But Franken wanted to know why the other services Equifax offered still included the clause.

Smith said it was standard for these types of products, and that if someone doesn't like the arbitration clause "they have the ability and right to go somewhere else."

But Franken was dubious about how easy that would be for someone to find.

"How long is that terms of service document, how many pages?" Franken asked.

"I don't know. We can get that for you," Smith responded.

Franken asked Smith if someone would be able to find and understand the ramifications of that clause "in, like, 5 minutes."

"I have not studied that document," said Smith.

"OK, I think that answers the question," Franken replied.

Smith stepped down in September

Smith stepped down as chairman and CEO of Equifax late last month, as the credit reporting agency continues to face public scrutiny for the massive breach.

The company has a page where you can check if you may have been affected, and sign up for the free monitoring service.

Franken has some big-picture questions, as he laid out Wednesday before questioning Smith.

"Can data brokers with massive troves of data ever fully guarantees the security of that data? And if not, should such entities even exist?" he asked.

And if they must exist, how can consumers be assured their data is safe and secure, and that those companies will be held accountable if something happens? Franken continued.

The senator also had this to say:

“Mr. Smith, I know you’re about to tell us how sorry you are, and I’m sure you’ve had a lot of sleepless nights in recent months. But as a business that has consistently operated with little to no regard for the well-being of American consumers, I’m wondering whether you – and the rest of Equifax’s leadership – foresaw the gravity of a breach and failed to take the proper precautions because you simply don’t care. And because you don’t have to care. Equifax won’t be losing any business as a result of its failures. American consumers are not able to walk away and take their business—or their personal information—elsewhere. And that’s because those consumers aren’t actually your customers; they are your product. And you’ve been treating them as such for years.”

A couple of cybersecurity experts also spoke at the hearing, and you can watch Franken's questions for them here.
