Settlement invites criticism from lawmakers

Lawmakers and industry officials are criticizing the settlement between regulators and credit agency Equifax, claiming the potential $700 million penalty is not enough for the 2017 data breach that exposed the personal information of around 147 million Americans.

Critics also are turning their ire toward Congress, arguing the penalty could have been steeper if the U.S. had a comprehensive privacy law in place.

“[The settlement] shows that we need a comprehensive data privacy and security law to ensure companies are designing their systems to protect consumer privacy from the start, minimizing the personal information they keep, and are held appropriately accountable if they fail,” House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.) said in a statement on Monday.

“If we had the comprehensive privacy statute … the authorities would be clear, we’d have a clear way to proceed and then we wouldn’t have an extensive negotiation to try to figure out what sort of remedies the agencies could impose,” Harold Feld, senior vice president of consumer group Public Knowledge, told The Hill.

Pressure on Congress: Following the initial breach in 2017, Congress stepped in to investigate the incident, with multiple hearings from various committees. Multiple congressional reports concluded that Equifax ignored vulnerabilities in its system that led to the hack and failed to take adequate action in its aftermath.

But broader efforts to pass federal privacy legislation have stalled in both chambers.

A plea for more help: During a press conference Monday, FTC officials said they need greater civil penalty authority to respond to incidents such as the Equifax breach, with FTC Chairman Joseph Simons urging Congress to pass data privacy legislation.

“I think we could create a lot more deterrence if we got civil penalty authority, and that is what we are asking for,” Simons said.