Equifax shares have tumbled 22% to $110.35 since its Sept. 7 disclosure of the hack, which exposed the data of more than 145 million U.S. residents -- nearly half the country.
The firm's initial response, rather than alerting affected consumers individually, was to request that people log onto its website, where many were told only that their data might have been involved and offered a free year of the company's credit-monitoring service.
Opting for the service, initially, required giving up the right to sue the company and agreeing to an automatic renewal of the service at its regular price.
Although Equifax later removed those conditions, the fallout led to Smith's departure and his agreement to give up an annual bonus payment this year that had totaled more than $3 million each of the past two years.
"I'm truly and deeply sorry for what happened," Smith said on Tuesday. "I've talked to many consumers, I've read your letters and Equifax is committed to making it whole for you."
He blamed the hack on a combination of technological and human error. Equifax typically relied on members of its security team to notify their technology counterparts of patches and updates recommended by the company's software providers, then followed up with digital scanning software designed to detect vulnerabilities, Smith said.
The breach scrutinized in Tuesday's hearing occurred after an employee responsible for notifying the company that a patch had been issued for a vulnerability in open-source Apache Struts software failed to do so, despite a warning from the U.S. Department of Homeland Security, Smith said.
A subsequent digital scan failed to detect the problem, and an outside firm is investigating why it didn't, he added.
Because of those failures, the company is now grappling with both lawsuits and a U.S. Department of Justice investigation while lawmakers have proposed a variety of bills that would tighten regulations on Equifax as well as its rivals.
"Consumers don't have a choice over what information Equifax, or for that matter, TransUnion (TRU - Get Report) or Experian (EXPGF) , have collected, stored and sold," said Rep. Jan Schakowsky of Illinois, the ranking Democrat on the subcommittee.
The day before the hearing, Schakowsky reintroduced the Secure and Protect Americans' Data Act, which she said would enhance information security and require prompt notification of, and assistance to, consumers.
In the Senate, meanwhile, Elizabeth Warren, a Massachusetts Democrat, joined Brian Schatz of Hawaii earlier in introducing a bill that would require Equifax and its two biggest rivals to freeze credit files whenever consumers make a request -- for free.
But legislative proposals, even those to institute or increase fines on companies that fail to protect the consumer data they have stored, may not address a chain of events like those that led to the Equifax hack, Walden noted.
"I don't think we can pass a law that, excuse me for saying this, fixes stupid," he said.
Watch the full testimony below.
More of What's Trending on TheStreet: