(Bloomberg) -- Lawmakers grilled former Equifax Inc. Chief Executive Officer Richard Smith on Tuesday after hackers attacked the company’s systems and got access to sensitive information for 145.5 million Americans. Smith’s trip to Capitol Hill continues Wednesday with appearances before the Senate Banking and Judiciary committees.
A possible topic on Day Two: The Internal Revenue Service’s decision to pay Equifax $7.25 million to help it verify taxpayer identities. The agreement was reached last month, after the scope of the breach became public, according to a contract award dated Sept. 30.
U.S. companies and government agencies have disclosed 1,022 breaches this year, data from the Identity Theft Resource Center show. Yahoo, the Internet company acquired by Verizon Communications Inc. this year, said Tuesday it now believes 3 billion accounts were affected by a 2013 hack, instead of the 1 billion initially thought.
Lawmakers from both parties said it’s time to enact tougher rules for data security. Here are five ideas floated during Tuesday’s hearing:
1) Replacing Social Security numbers
Smith said that the U.S. should transition away from using Social Security numbers as the standard for identity verification. “The concept of a Social Security number in this environment being private and secure -- I think it’s time as a country to think beyond that,” Smith said. The Trump administration also is exploring ways to replace the use of the federally issued numbers as the main method of confirming identities.
2) Bigger fines
Representative Joe Barton wondered if companies like Equifax might do a better job protecting customers’ data if there were federal fines for breaches. “You might pay a little bit more attention to security if you had to pay everybody whose account got hacked a couple thousand bucks,” said Barton, a Texas Republican. Equifax could theoretically be fined as much as $143 billion under a federal law that would charge as much as $1,000 per customer.
3) Creating a federal breach notification law
While most states require companies to inform consumers affected by cyberattacks, there’s no federal notification law. Representative Doris Matsui, a Democrat from California, said that should change. “Forty eight states have implemented laws that require consumers to be notified of security breaches,” Matsui said. “We must act to ensure that all Americans are subject to protections like this at the federal level.”
4) Embedding regulators
Consumer Financial Protection Bureau officials have said the agency should embed more regulators at the three largest U.S. credit-rating firms to monitor cybersecurity -- a plan endorsed Tuesday by Representative Jan Schakowsky. “Companies like Equifax need more accountability, not less,” said Schakowsky, an Illinois Democrat. “Credit reporting agencies need embedded regulators to protect consumers sensitive information.”
5) Giving consumers control
Schakowsky also said she’d like lawmakers to start a broader discussion about the role of credit-reporting firms. Consumers don’t have the ability to remove their information from Equifax’s databases because it’s furnished by banks and telecommunications companies. “Most Americans really don’t know how much information” the companies have, Schakowsky said. “I don’t want you to have my information anymore. I want to be in control of my information.”