The committee also made a number of recommendations that it said would need the cooperation of Congress, the White House and private companies. It called for greater transparency on data collection and security risks, "modernized" IT, reduced uses of Social Security numbers as identifiers. The government should also determine whether or not the FTC's oversight is enough, keep federal contractors more accountable for their security and verify the effectiveness of post-breach services like identity protection.
In response, Equifax argued there were "significant inaccuracies" in the report and that it didn't have much time to review the findings, although TechCrunch said the ostensible errors were "nit-picks" such as the duration of credit monitoring offers and a state settlement that hasn't taken place. There weren't fundamental disagreements with the report's conclusions. Equifax added that it had implemented "meaningful steps" to bolster security and was "generally supportive" of the recommendations.
The larger question is whether or not anything will change as a result. It's easy to make recommendations, but it's another to have multiple parties implement improvements. And as we've seen, Equifax leadership hasn't always been forthright about what's going on. On top of its attempted scapegoating, it has also faced investigation for suspicious stock trades and made questionable claims that executives were 'retiring' in the wake of the breach. Equifax will have to show that it really did learn its lessons if it's going to regain trust, while officials will have to update laws and regulations to reduce the chances of a repeat.