Former Equifax CEO Richard Smith testifying before the House Energy and Commerce subcommittee on Tuesday.
And it's unclear if Equifax will put in any stipulations like asking you to give up your right to sue the company over the data breach. At least one state, Massachusetts, and the cities of San Francisco and Chicago have sued Equifax as well.
On top of that, Smith failed to ask basic questions when he was notified of suspicious activity on July 31.
Some lawmakers have called for new consumer protections such as stricter monitoring of the credit bureaus and a federal rule standardizing requirements to notify victims of data breaches.
He said he would like to see companies fined for every account that gets breached - with penalties large enough "that even a company that's worth $13 billion would rather protect the data, and probably not collect as much data, than have to come up here and appear and say 'we're sorry'".
The company later says the hackers gained access through the vulnerability in Apache Struts, which supports Equifax's online dispute portal web application.
Equifax routinely touted its ability to shield the data from prying eyes.
Smith, who stepped down from the company last week, told Scott that the executives followed protocol.
After the Department of Homeland Security sent out a notification in March about the need to patch a particular Apache Struts software vulnerability, the individual within Equifax responsible for communicating that information to the Equifax patch team failed to do so, Smith testified. At this time, he said, he was unaware of the scope of the damage.
Equifax first notified the public of the security breach on September 7, though it said the unauthorized access is thought to have happened from May 13 to July 30, with Equifax's security team catching the hack on July 29.
The company is dealing a breach of its systems by hackers who accessed or stole the information of 145 million Americans. "As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices", said Barros.
As for Equifax's American customers, the turnout is considerably different. According to the firm biography, she counsels the corporate board, senior executives and other clients regarding data breach prevention, emergency response, remediation, compliance, regulatory enforcement, internal corporate investigations and addresses other critical privacy and data security concerns.
The IRS has suffered its own embarrassing breaches, with the agency announcing on 6 April that the personal data of up to 100,000 U.S. taxpayers could have been compromised.