Chair: ... to hold a minority hearing on the Equifax data breach, a demand properly supported by the majority of minority members. The chair now recognizes the gentleman from California, chairman of our Foreign Affairs Committee.

Rep. (California): Mr. Chairman, thank you. I thank Mr. Smith for being here today. Since September 7, my office, all of these offices, have received a lot of angry and anxious calls and emails from our constituents, and I think one of the things that really stands out is: how can a company that deals in data not protect that data? And the answer lies in what your company did not do. You did not protect their personal information. You did not encrypt that data. You did not catch a vulnerability, patch a vulnerability you were alerted to on March 8. You did not disclose the breach to the public until 120 days after it occurred, and the insider-trading allegations only add fuel to the fire. Before September 7, who else outside the company, your hired legal counsel and the FBI, was notified of the breach? According to media reports, the LifeLock executive Fran Roche was notified before the attack went public. Do you know who called Mr. Roche to give him the heads-up? According to Bloomberg, armed with information only a handful of people had at the time, Mr. Roche mobilized the rapid response team. He knew the company would receive an onslaught of calls and sign-ups in the coming days, and he was right. The phones were ringing off the hook; he bragged it was bigger than the Anthem breach. A tenfold increase in LifeLock customers and, here is the quote, "Most of them are paying the full price rather than discounts. Most were paying $30 instead of $10. It is a really incredible response from the market," unquote. What is incredible is that your company actually profited off the relationship with LifeLock, which is a company to which you provide credit monitoring services.
Rep. (California): Here's the point I would like to make: LifeLock gets this heads-up. Did Credit Karma or Intersections or the other competitors get similar notice?

Mr. Smith: Again, Congressman, I am unaware of the LifeLock discussion, let alone anyone else.

Rep. (California): It is fair to say that LifeLock benefited from both the breach and the foreknowledge of it. LifeLock's parent company's value has since risen by 10%. Do officials at Equifax own stock in Symantec?

Mr. Smith: I do not, sir.

Rep. (California): Could you provide a list of executives that do? Someone in the company gave them a heads-up so they had the opportunity to get the phone banks ready and, in advance of everyone else, start calling about their service, and at $9.99 instead of the $9.91 discount. Someone tipped them off from the inside, and I want to find out which Equifax executives owned stock.

Mr. Smith: Your source was Bloomberg? I will look into that.

Chair: The time for the gentleman has expired. Mr. Scott from Georgia.

Rep. Scott: I represent the great state of Georgia. I love Georgia. When this news first came to me and my staff reported it, I immediately wanted to do everything I could to make sure that out of this, after this, Equifax would be standing tall. That they would be clean. That is my objective as a congressman from Georgia. Because, as you said, you represent a legacy for our great state. You are a 128-year-old company. You employ 20,000 to 30,000 people, many of whom are my constituents. Many of whom work and toil at your company, and they are great people doing a great job. It is important for the American people to know that what we have before us is a shameful situation for 145 million American citizens who lost the privacy of their Social Security number. Let it be known it is the management, it is you, who is responsible for this. What I want to do is to be at the front of this. To make sure that Equifax regains the confidence and trust of the American people.
Rep. Scott: My comments to you are going to be geared to that. Mr. Chairman, I call for an investigation by the Justice Department and certainly by the SEC. You are leaving this company, but there are others who are going to be there, and we have to make sure Equifax comes out clean and standing tall. This means more than that. You said you were knowledgeable about this breach on July 31. Here is what happened. Executives sold $2 million worth of stock. And not only that, Mr. CEO, former CEO, it was your chief financial officer who led that charge to sell that stock. Now nobody's going to tell me you're getting information on July 31st and here they go dumping their stock less than 24 hours later. That has to be investigated and cleared if we're going to get the confidence of the American people back. So it's this insider trading, anybody can see that, and I'm sure, and I hope that your predecessor, your, the guy who's going to be taking your place, I hope he's listening. That would be the first thing, and then the second thing, we need to make sure that these guys who sold that stock, who made $653,000 in savings from that stock with that inside information, that they pay that money back, and that they are fired. 143 million people losing this, there is no justification. We have got to make sure, and you have got to make sure, that we clean this mess up. Now I want to talk about the other way in which we can do this. You mentioned numerous times that it wasn't the intent of Equifax to include the arbitration piece. Well, now some have it, some don't; that's the next thing that needs to be done. No more of this arbitration clause. When you do things like that, the public will take notice, and our job is to clean that mess up and make sure we bring Equifax back standing tall, back to the American people. Now the other thing, finally, is that my staff informed me that most mortgage lenders pull all three reports from the big three credit reporting agencies.
Rep. Scott: Equifax, TransUnion and Experian. So when you talk about this new lifetime lock product, it's not going to be effective unless everybody does it. I wish I had more time, but we're going to clean this mess up and we're going to restore the integrity and the trust of the American people.

Chair: The time for the gentleman has expired. The chair now recognizes the gentleman from Illinois.

Rep. Hultgren: Thank you, Mr. Chairman. I know many of us have been hearing from our constituents; I certainly have. Marty says Equifax has given away my private information. They should have done it for me or pay me to do all this signing up and paying for these credit reports. Someone should go to jail for this. Another constituent said these careless actions caused the loss of personal information on a scale never seen before, because they failed to patch their servers for a known problem. Combined with the careless handling of highly sensitive personal information, their action went far beyond carelessness to negligence. Legislation should be put forward to increase regulation on these entities, not decrease regulation. Equifax must be held accountable and liable for all damage that the breach caused, and all credit reporting firms must be held to higher standards of security. And another said my personal information has been lost twice. Both companies are offering a limited subscription to identity protection companies. HPF is offering a free year subscription to ProtectMyID, owned by Experian. Equifax is offering a one-year membership to a trusted subsidiary. It seems like a twisted marketing campaign to me, he said. Home Point Financial claims to have lost those Social Security numbers, birth dates, driver's license numbers, and many of these numbers cannot be changed. What good is a one-year membership? This data is lost and valuable until I pass away.
Rep. Hultgren: Is it ethical that a company that loses all my personal data conveniently owns the service or the product it wants me to pay for to help protect me from its eventual use? It's time that all these companies are held liable and forced to offer lifetime memberships. Please help us, all of us; this is out of control. Many other constituents are concerned. I talked with parents of young people whose information has been compromised. When this committee sends questions for the record, of which there will be many, will the response come from you or Equifax?

Mr. Smith: They will come from the company, Congressman.

Rep. Hultgren: How should we respond in getting those answers from Equifax? Equifax has been investigating the breach for over two months. Has the identity of the hackers been determined?

Mr. Smith: No, Congressman. We are engaged with the FBI.

Rep. Hultgren: Do you have an opinion of whether it will be determined?

Mr. Smith: I do not.

Rep. Hultgren: Did outside data security consultants tell Equifax to delay notifying the public? What change allowed Equifax to notify the public in September?

Mr. Smith: It was a team effort of the forensic examiner and the law firm, trying to balance security with notifying the consumers.

Rep. Hultgren: Did a playbook exist?

Mr. Smith: There was a crisis management process we have had in place for some time.

Rep. Hultgren: It does not appear like you were ready for it. That is our question: the incredible delays. You have heard from my constituents. This is a small sampling of incredible frustration and fear. Their information has been compromised, and this is information you cannot go back and change. You cannot get a new birthday or a Social Security number. If Equifax had notified consumers within one week, did Equifax have the ability to do so?

Mr. Smith: We moved with haste, as I mentioned in my oral testimony and my written testimony. It wasn't until August that it was continuing to move; we moved as quickly as possible thereafter.
Rep. Hultgren: Has there been any uptick in identity fraud or theft since the breach?

Mr. Smith: Not that I am aware of.

Rep. Hultgren: Would you expect something like that to occur?

Mr. Smith: If consumers take the services we offer, that will give them great protection.

Rep. Hultgren: There is a concern when the same entities are...

Chair: The chair now recognizes the gentleman from Illinois.

Rep. Foster: What I would like to talk about are things that Congress could have done before this that could have prevented this. You would have needed a team that's looking every day for security breaches, which you obviously didn't have in place, so one way to make that happen is by making a requirement that you actually carry enough insurance to make customers whole when this thing happens. It's my understanding that statutory damages for a breach like this are roughly $1,000 per person, which means that the total potential liability for 140 million people is $140 million, more than ten times the market capitalization of Equifax, so you clearly can never self-insure, or at least a company with your business model could never self-insure. On the other hand, some of these have settled for a lot less, just a few dollars per person for a data breach incident, so it's not clear what it should be. What would you personally, for yourself or one of your family, want as remuneration for having your private information up for sale on the dark web?

Mr. Smith: Congressman, the suite of services we are providing for free, in some cases...

Rep. Foster: If I came up to you and said I want to publish your information on the dark web, would you do it for $1,000?

Mr. Smith: No, sir.

Rep. Foster: $10,000? $100,000? Everyone has that number, but it's well north of a few dollars per person. Without even having a negotiation, we're having this pain inflicted on people.
Rep. Foster: So now, let's just stick with the $1,000 a person, that's statutory, plus punitive damages. So now if Congress were to require that any company like yours that held information for people, without asking them necessarily to opt in, had a requirement that you would hold enough insurance to make them whole if there was a massive data breach, that would be a very expensive insurance policy, correct?

Mr. Smith: [inaudible]

Rep. Foster: So you can say a $140 million liability. Most customers are going to end up getting less than what their actual damages are. Do you know how much, for the average customer, you would charge someone who waited to get their credit unfrozen?

Mr. Smith: One of the offers we have for consumers is an insurance policy. Over five different services for free. If the consumer has expenses in trying to get their credit repaired, that is $1 million.

Rep. Foster: Okay, but I'm trying to understand under what conditions you would have assembled a team, either yourself or an insurance carrier, a team that would have prevented this. If you have tens of billions of dollars of coverage on this, I imagine that would have funded a very aggressive team of people who, every time a patch came out, would say, "Oh boy, let's go and figure out if you have applied that patch," and they would be looking at your source code for anything a company offering that kind of coverage would demand. Do you think that's a possible way that we could actually prevent this in the future?

Mr. Smith: Congressman, we have notifications routinely every year for patches. This is a very unfortunate mistake; I mentioned the mistake, I apologized for it. The insurance approach is not the solution. It is preventing the human error and the technological error that occurred.
Rep. Foster: But there will always be human errors. What you need is a red team who sits there and looks for human errors and flags that immediately, and this has to be a very expert team; nothing short of that is going to rapidly catch the kind of human errors that will naturally happen. So anyway, this is one of the things I'm looking at, because it's the only free market solution that I think has a chance of preventing this in the future. Thank you.

Chair: The time for the gentleman has expired. The chair now recognizes the gentleman from Colorado, Mr. Tipton.

Rep. Tipton: The question was around whether or not you had protocols in place to be able to address whether or not the information was being reported properly internally, but also to the government entities that are responsible for oversight. And I didn't hear you respond to the answer, whether you have written protocols in place to make sure that the governing bodies overseeing you are notified in a timely manner. Would you address that?

Mr. Smith: Yes, there were protocols in place, the protocols starting when the security individual saw suspicious activity. Protocol number one, he or she shut down the particular portal, started the internal investigation, followed by the additional protocol they followed, which was to notify and engage an outside cyber forensic auditor and engage outside counsel to help us with the investigation, and protocols followed all the way throughout the time of notifying the regulators, AGs and the consumers.

Rep. Tipton: Looking forward, to try and be a little more solutions-oriented. I understand and appreciate the comments that you have made regretting what took place. Are there protocols, are there actions that this Congress might be taking, in terms of some of the regulatory bodies, to incentivize earlier action, earlier notification, not only to the governing bodies but also to the consumers as well, that we ought to be looking at?
Mr. Smith: Congressman, what I would love to see both Congress and companies tackle is the concept of: is there a better way to identify consumers in America, other than SSN? Unfortunately, the number of breaches that have occurred over the years have exposed so many SSNs that they are vulnerable. So I would love to see us engage in that discussion.

Rep. Tipton: In terms of internally, the Wall Street Journal noted that independent groups analyze vulnerabilities of Equifax. Do you look at that sort of analysis, and who is responsible for identifying that and taking it seriously, to see not just that patches are needed but that we're being proactive to make sure that the breaches do not take place?

Mr. Smith: Yes, we routinely bring in outside consultants and advisors to help us check and double-check steps we have taken since the breach, as well as long-term, to make sure we are more secure.

Rep. Tipton: I yield back.

Chair: The chair now recognizes the gentleman from Maryland, Mr. Delaney.

Rep. Delaney: I have questions about how your board interacted around this matter generally. It says in your testimony that you became aware of the information on August 11, but that you notified the lead member of the board of directors, Mark Fiedler, on August 22nd. Did you have any conversations with other board members before that?

Mr. Smith: Let me clarify, if I may. The first debriefing I had of any significance was on the 17th of August.

Rep. Delaney: Between the 17th and the 22nd, did you have any conversations with other board members?

Mr. Smith: On the 24th and 25th, we had two board meetings.

Rep. Delaney: Is it normal to wait so long to update your board?

Mr. Smith: The data was developing every day, all day. I thought that was an appropriate timeline.

Rep. Delaney: For public companies, as it relates to requirements for controls, was cyber security considered by the directors of the audit committee?
Rep. Delaney: I used to have to sit down with my management team and get certificates where they would assure me things were being done in accordance with our procedures, and the audit committee would review these things so they could do their jobs under the requirements of the law. I'm sure you engaged in a similar process in your company.

Mr. Smith: We had two ways to engage with the board. The top of the list was cyber security. We also went through deep dives with the board of directors on security risks. The main communication we had was with the technology committee. It is comprised of individuals most of whom have a deep understanding of security. They would go into details of our security standing as well.

Rep. Delaney: If you could put it in a pie chart, what percentage of time was spent thinking about cyber security risk?

Mr. Smith: I would be guessing if I were to make that guess.

Rep. Delaney: Did you regularly have full discussions around the board table about this specific risk? You identified it as a risk factor in your financial statements. Would you say 5%, 10%, 1%? You chaired the board, so you have a sense as to what occurred. On the agenda, was there a regular item about cyber security or data breaches at every board meeting?

Mr. Smith: Not every board meeting.

Rep. Delaney: Which committee is responsible for that?

Mr. Smith: The technology committee.

Rep. Delaney: The audit committee did not?

Mr. Smith: The entire board had a view. The technology committee, we are a technology company, it was responsible for oversight.

Rep. Delaney: Would the technology committee make a presentation every board meeting?

Mr. Smith: Yes.

Rep. Delaney: Were there discussions about the technology budget at the board level?

Mr. Smith: The technology committee would approve the technology budget every year.

Rep. Delaney: And would they bring it to the board for approval, or was it at committee level? How mindful was the board of the likelihood of a risk like that?

Mr. Smith: Very likely.
Rep. Delaney: Your board spent time on that?

Mr. Smith: We took that very seriously.

Rep. Delaney: As part of the disclosure statement you received as CEO, your report certified things are being done correctly. Was there some mention of the cyber risk and the potential for data breach, and assurances the system was in place?

Mr. Smith: That is a risk we face.

Rep. Delaney: Have you had any other significant events in the company where you notified your board with these problems?

Mr. Smith: Have we ever notified the board of a security risk?

Rep. Delaney: If you realize you are not going to make your earnings, would you call the board and notify them?

Mr. Smith: If there were a risk to our financials, we would notify the board.

Rep. Delaney: Sooner than five days?

Mr. Smith: We have never had to do that during my time there.

Chair: The gentleman's time has expired. We now recognize the gentleman from North Carolina.

Rep. Pittenger: We are addressing an egregious concern in our country. We have national security threats. Financial systems, our government, the private sector spend hundreds of millions of dollars every year regarding cyber security measures. We are aware that 143 million consumers' information was exploited, and another 2.5 million people have been affected beyond this initial count. Are you sure that the 2.5 million additional people whose data has been reported compromised, is that the last?

Mr. Smith: It is my understanding from the forensic review that it is not unusual. My understanding is that the forensic review is...

Rep. Pittenger: Prior to this security breach, did Equifax have preventive measures in place to combat a data breach of this magnitude?

Mr. Smith: A breach of this magnitude would not have occurred if everything was in place.

Rep. Pittenger: Elaborate on additional measures you believe could have taken place at this time.

Mr. Smith: From the time of the announcement and before the announcement, we engaged experts to help us increase monitoring techniques; they call it white labeling.
Mr. Smith: A variety of things were put in place before the announcement on September 7. Plans: 90-day plans, 60-day plans and other plans. We have a consulting firm to help us rethink our strategy.

Rep. Pittenger: Do you engage in testing your databases for vulnerabilities?

Mr. Smith: We do.

Rep. Pittenger: Can you please explain the process? I would like you to explain the process, the standard by which Equifax stores consumers' personal information.

Mr. Smith: There are a variety of techniques used from a security perspective.

Rep. Pittenger: Is there an encryption procedure in place?

Mr. Smith: There is encryption, masking; there are layers and different ways to secure the data.

Rep. Pittenger: Do you feel like there was adequate encryption in place? Could you have done more to prevent what occurred?

Mr. Smith: If we could have prevented the human error and the scanner not finding this, that would have prevented the issue. There are different techniques used in different areas.

Rep. Pittenger: How do you and the rest of the leadership of Equifax plan to restore the trust of consumers? Thank you for coming. This is a hard time in your life, but it is a much harder time for the Americans whose data was exploited.

Chair: The chair now recognizes the gentleman from Missouri.

Rep. (Missouri): Thank you for being here. More than 2.5 million Missourians had their information exposed in the Equifax breach and will likely be impacted by it for years to come. Can you share with this committee and the American public what types of activity these people whose identity has been compromised can expect? Tell them what kind of activity they can expect from the thieves that took their personal information, because most Americans have never had an identity theft occur to them. Can you give them, give us, some examples of what they can expect over the next year?

Mr. Smith: Congressman, I would answer that two ways.
Mr. Smith: One, we have offered a comprehensive suite of services free to all Americans; these are the five different things we talked about earlier. We have offered that to everyone who could have been impacted by the different breaches.

Rep. (Missouri): But describe for this committee and the American public the hellish nightmare they are about to go through when they go to the IRS and someone has filed taxes in their name and gotten a refund from the IRS, or someone has gotten a credit card in their name.

Mr. Smith: Congressman, one of the things we talked about is the lock. If the consumer takes that lock and locks access to the file, no one can open a credit card in his or her name, as an example.

Rep. (Missouri): Equifax has offered consumers a year of free credit monitoring service, free credit freezes, and they promised to provide a better product that has been described as a lock on the consumer credit report. At an Energy and Commerce meeting, you stated that credit freezes and credit locks, quote, "truly are virtually the same." If they are the same, what is the need for the new term?

Mr. Smith: Congressman, the protection to the consumer is largely the same. The ability to freeze and unfreeze is cumbersome and dictated at state levels. The locks coming out in January 2018 will be useful. Consumers can lock and unlock from their iPhone.

Rep. (Missouri): Because security freezes are covered by state law, will consumers be protected from financial liability?

Mr. Smith: Locking or freezing protects the consumer from creditors accessing their file, to rent an apartment. It is a secure way to protect their credit file.

Rep. (Missouri): I am talking about the activity that occurs when they are compromised, when their identity is compromised. What kind of comfort can you give these people? Can you tell them anything, that your company will work with them to resolve this, or what?

Mr. Smith: We are working with consumers. We have five or ten products; they can lock for free, and they can lock and unlock their credit file for free.
Rep. (Missouri): Do you agree that scaring consumers into a product that is covered by a contractual agreement with your company, when this is already covered by many state laws, raises concern?

Mr. Smith: The freeze is still our product. The way a consumer gets access to freezing is state law.

Chair: The time for the gentleman has expired. The chair now recognizes the gentlelady from Utah.

Rep. Love: ... are affected by the breach. If you extrapolate that to Utah, that is 4.3 million Utahns affected. What sort of financial products could be opened in my constituents' names if their data was part of the breach?

Mr. Smith: We have the data of those who were victims of the criminal hack by state level. If that would be interesting to you, we can get that to your staff.

Rep. Love: If they were affected, what kind of products could be opened in their name?

Mr. Smith: They can lock their file so no one can access it. The lock prevents that from happening.

Rep. Love: If they did not get a lock, that means credit cards can be opened in their name. I just want to get a list of things they want to look out for.

Mr. Smith: If you are a victim of the criminal attack, we will send you notifications of suspicious activity on your file.

Rep. Love: Has there been any uptick of theft or identity fraud since the breach?

Mr. Smith: Not that I am aware of.

Rep. Love: How do you know?

Mr. Smith: We have it on file.

Rep. Love: If there were to be some upticks, when do you expect to see those? For my constituents that were impacted, how long should they expect to remain concerned about the potential risk to their credit file?

Mr. Smith: The first thing they should do is lock their file. If they lock their file, they will rest better.

Rep. Love: What I'm trying to do is give a clear vision to people who are watching of what you need to do. I understand locking their file. Some people watching can do that.
Rep. Love: But in the meantime, I need to give them an idea of what to look out for, what they need to be aware of.

Mr. Smith: If the consumers in Utah, or anyone in America, take advantage of the free service, whether you are a victim or not, they get monitoring of all credit files. It allows your credit file for us to look at for suspicious activity. A dark web scanning service: we scan the dark web for activity. We have the ability to lock the product for them. Those five products should give the U.S. consumer far more comfort.

Rep. Love: Can you explain the difference between a credit lock and a credit freeze?

Mr. Smith: The credit lock was passed at the state level. It is the ability and means by which a consumer ... versus the lock, which will be application-enabled, on and off, much more user-friendly.

Rep. Love: I want to reiterate one more thing: you are committing to work with people who may have been affected, or may have had their identity taken and used, for their lifetime?

Mr. Smith: We are offering every American citizen a lifetime lock. They can lock and unlock for life.

Chair: The chair now recognizes the gentleman from New Jersey.

Rep. Gottheimer: As a former Microsoft executive, I have an appreciation for corporate integrity and where the buck stops. I've had these issues come up all the time. It is how you handle them. Your response has been more of an "Equifix" than [inaudible]. Out of the 145 million consumers impacted, only 7.5 million have signed up for monitoring services. Why do you think only 10% have, and why not auto-opt everyone in?

Mr. Smith: It requires the consent of the consumer.

Rep. Gottheimer: Why not send them a letter? Can we get more people signed up? Are you not willing to do that?

Mr. Smith: The 2.5 million released earlier, the victims of the crime, on Monday they were notified by mail. As for the rest, they were notified by email. We followed the process that was legal.

Rep. Gottheimer: What is being done to resolve the problems of your website?
Rep. Gottheimer: To make them more stable and to make essential information more accessible. What do you do about the websites crashing?

Mr. Smith: We have come a long way. We have taken the right steps to fix that experience. The experience with the call centers and the website is far better than on September 2.

Rep. Gottheimer: When they crash, people get even more anxiety. [inaudible] the credit lock, credit freezing and identity theft insurance?

Mr. Smith: The arbitration clause is on a product we sell the consumer. The intent was never to have the arbitration clause apply. We were made aware of that within 24 hours and took the arbitration clause off.

Rep. Gottheimer: Equifax is claiming to provide $1 million in identity theft coverage for consumers, but the timeframe can be unclear. Does Equifax believe this insurance is in lieu of reimbursing customers for their actual losses? I know this does not cover everything.

Mr. Smith: It is expenses incurred. The five services we are offering up front, including the ability to lock for life, is the right step for consumers.

Rep. Gottheimer: I think this is a big issue. You see these insurance companies providing these coverages, but it does not cover what people think. When liability occurs there are holes. I'm sure you heard about the phone call wait times. One of my constituents wrote they were on the phone for an hour. What has the improvement been?

Mr. Smith: We have gone from 500 call center people to over 2,500.

Rep. Gottheimer: The wait time now?

Mr. Smith: It has come down significantly.

Rep. Gottheimer: Can you get us those numbers?

Mr. Smith: It should be more than a couple...

Rep. Gottheimer: It should be more than a couple of minutes. People have huge anxiety over this issue. People cannot feel like this is a scam. They have to feel like you are making their lives better. Thank you for your time.

Chair: The time for the gentleman has expired. The chair now recognizes the gentleman from Arkansas, Mr. Hill.
Rep. Hill: My family has had the pleasure of being in the OPM breach, and we are so gratified seeing your email about being in the Equifax breach. In Arkansas, 1.2 million people, some 40% of the population of the state, are covered by the breach by Equifax. We appreciate our chance to ask the hard questions. I want to follow up on some of the line of questioning and start out talking about the management practice at Equifax. Did you have a weekly executive management meeting?

Mr. Smith: Are you referring to post-breach?

Rep. Hill: As a general practice at Equifax, did you have an executive management meeting on a regular basis?

Mr. Smith: Yes, we had routine operating mechanics to run the company.

Rep. Hill: It is a mix, and I'm sure a mix of levels of people in the company came depending on the topic. In your direct report meeting, was Mr. Gamble in those meetings?

Mr. Smith: It would depend on the meeting itself. He would be involved with many of the meetings.

Rep. Hill: The president of information systems, would he have been in that meeting?

Mr. Smith: I have 12 to 13 direct reports. They would be in most of the meetings we have.

Rep. Hill: Mr. Kelly, the chief legal officer?

Mr. Smith: Yes.

Rep. Hill: I am curious, in that meeting of your trusted advisers, between March 8 and the end of July, did this topic come up among that group?

Mr. Smith: No, sir.

Rep. Hill: In that time between March 8 and the end of July, when were you told it was a serious business?

Mr. Smith: It was not until the detailed review we had on the 17th of August with the cyber security forensics team and a legal team, my team. The 17th of August was the first deep dive.

Rep. Hill: Let me turn and talk about Section 16 officers in the company. The people we talked about are Section 16 officers?

Mr. Smith: That is correct.

Rep. Hill: Assume your holdings, that would be covered by someone's pre-planned plan to sell stock?

Mr. Smith: Yes.
Rep. Hill: Both your personal holdings and any options that were in the money at the time of filing. Your plan as a corporate officer? Mr. Smith: Some officers may have had a 10b5-1 plan. The general counsel has a clearing process he has to approve. Rep. Hill: How many days a quarter do you think you have available for trading under those plans? Mr. Smith: A 30-day window; we wait a day or two, the general indication is sooner in the opening. Rep. Hill: Can you think of a time when your general counsel canceled that window due to material nonpublic information when you were CEO? You could not use the window because people had material, nonpublic information? Mr. Smith: A few times, yes. Rep. Hill: Did you have a lead director on your public company board? Mr. Smith: Someone we call the presiding director. Rep. Hill: When did that person find out about this? Mr. Smith: The 22nd of August. Rep. Hill: Thank you, my time has expired. The chair now recognizes the gentleman from Minnesota. Rep. Emmer: You have heard this over and over today and in your prior three congressional hearings. I, like most people, am very concerned about the timeline of events. I appreciate what I take is a sincere apology from yourself on behalf of Equifax and the acknowledgment of both the human error and the process that did not work. The timeline of the discovery of the issue, the sale of company stock by top executives: in Minnesota we have over 2 million people identified at this point. It raises significant ethical and legal questions. I want to start by echoing what our chairman said at the outset of this hearing, and that is the company, and I would say current and former executives like yourself, I would hope, will continue to cooperate to the fullest extent so that the truth can actually get out into the light and people can know exactly what happened.
Now, you cannot commit on behalf of the company, but I'm sure you can commit on your own behalf that even in your current capacity you're going to continue to cooperate to the fullest extent. Mr. Smith: Absolutely. Rep. Emmer: I wanted to talk about the area. It is about Equifax, but I don't know if people are talking about it, even if we all know it; it seems to be unspoken. This is a fast-changing environment. I was in a business in Minnesota and they have this huge investment in technology. They take you into the back room and they have these flat screens and they are showing you all the impacts in real time of what is coming in at the minute. This is a huge issue. In 2014, the U.S. Postal Service had a breach that exposed personal data on almost one million employees. In 2015 it had almost three quarters of a million people affected by a breach. The Office of Personnel had one in 2015, and the SEC had the breach of the EDGAR online system. This is not just about Equifax. This is a much bigger issue. There are two areas I would like to talk to you about. I get worried in this place that the snap reaction of elected officials is more regulation, more stuff that you have to comply with, which I suspect takes resources away from the stuff you are trying to do to keep up with the ever-changing technology and the way the bad guys are trying to breach the systems. Talk about that before we talk about rethinking Social Security numbers and dates of birth for identification. Mr. Smith: Congressman, I share your views. A recent publication came out that in 2016 alone there were 4 billion pieces of consumer information hacked in one year alone. It is a rate I have not seen in my career, accelerating into a real issue that public and private partnerships can work on. If that can prevent a breach like this from occurring, I am all for it.
Rep. Emmer: As you go forward into the next stage of your career with the experience you have, would you give a word of caution to those of us looking at this to be very careful about whether there is a magic regulation, because of the compliance cost that comes with it and how that could negatively impact your ability or others' ability to keep up with the technology? Mr. Smith: Yes. Oftentimes, we are all in a rational environment. The first thing we think is regulation is the issue. I think there are a lot of things the public can do. You mentioned one of them: think about the identifier that we use for the American public and the position beyond that. Rep. Emmer: Thank you very much. The time of the gentleman has expired. The chair recognizes the gentlelady from Arizona. Thank you. I am troubled by the data breach that compromised the personal information of 145 million Americans. Every American should take precautionary measures to ensure his or her financial security. Arizona seniors are particularly at risk, especially now. We must make safeguards to protect them from financial fraud. I have been working with the congressman of Maine to pass a Senior Safe Act. This ensures financial institutions have the regulatory flexibility to report instances of abuse of seniors. Everyone needs to know his or her data is safe when applying for a credit card, accessing a small business loan or buying a home. Today's hearing is an important step in finding out what went wrong and what must be done to protect consumers. Thank you for being here today. By your account, it took Equifax 40 days to let the American people know, via press release, about a data breach that lasted 77 days. The exposure of the I.T. staff for the 65 days leading up to the breach. That adds up to 182 days of Equifax failing to put Arizona families first. Your testimony before this seeks to explain your activities before the press release, but does not excuse the end result.
An Arizona person whose name was taken was left vulnerable and in the dark about the data breach for 117 days. That is disgraceful and unacceptable. More than most, people in Arizona value privacy. We value the independence to make financial decisions for families and economic future. Instead of taking precaution to secure our data, Equifax made millions of people vulnerable to identity theft and financial fraud. Now we must take every step possible to minimize the damage and better address the breaches. It is believed for the vast majority of Americans, this was limited to their credit header data. That includes name, address, date of birth as well as addresses, alias and Social Security numbers. My first question is, while this information is highly compromising, it does not include their most private financial information. Are you aware of attempts to broaden the scope of the breach to capture private financial information? If so, were any of those attempts successful? If not, why do you think hackers opted to forego it? Mr. Smith: Congresswoman, there are millions of attempted or suspicious attacks each and every year across a wide array of our data assets. We have no knowledge, from the forensic audit done, that any of the core credit data that you referred to was compromised. As to why, that goes back to the written and oral testimony I gave, which is the software that sat in a different environment completely outside the credit file that was not patched. That's why they were able to penetrate that environment. Your testimony stated it took the I.T. staff 76 days to notice suspicious activity after the breach began. Could you tell me exactly how the intruders were blending in with normal network traffic, and what do you think took the I.T. staff so long to notice the breach? Mr. Smith: They were fairly sophisticated, the criminal hackers. They moved about the system without moving large files, but the files themselves in size were not suspicious.
They were clever enough not to move at speed. We have velocity indicators to look for things moving at very high speeds. They were sophisticated enough to do neither. While the Equifax breach was significant, it was only one of the five largest data breaches in the U.S. All five have happened within the last five years in our country. We, as a community here in Congress, must recognize they are increasingly frequent and undermine the trust Americans put in the marketplace and their government. Whether it is Equifax or not, Americans deserve to have institutions, public and private, that work in good faith to safeguard data. I would urge that Congress should recognize that cyber security is not a niche issue. We must find real, bipartisan solutions that give Americans the opportunity to succeed. I yield back my time. We recognize the gentleman of Ohio. Thank you for your testimony and sincere apology. We recognize all these companies are staffed by humans, and humans fail, as does technology. However, we also recognize the high duty of care that fiduciaries are responsible for. I am concerned about the reporting structure on the board and the attention given to governance. Does the I.T. report through the CFO or direct report to you as CEO? Mr. Smith: Direct report to me. Within the I.T., you said you are a technology company. What is the structure like within I.T.? Is there an information security officer that stays in the I.T. channel or is broken out separately? Mr. Smith: The chief security officer, global security officer, is a direct report into the company. The general counsel reports directly to me. Ok. So, you feel that your governance structure was adequate? Mr. Smith: I'm not sure I understand the question. Given that this error happened, you mentioned you had some closed-loop system failures where you had things that are supposed to happen, but didn't have a closed-loop system. Do you feel there was failure in governance? Was structure part of the issue at all? Mr. Smith: I don't believe so.
I don't think structure determines the success or failure of a process or the business. It is people and technologies doing the right thing. So, having the security officer report to me and the CFO, I'm not sure that would change the outcome we experienced. Ok. That's concerning, but that's your philosophy. On trading, so, when you look at, aside from the cyber security concerns, which have been covered extensively, I was planning to go down the similar path of my colleague, Mr. Hill. He talked about how trades by board members, executives within the company are approved. What is the timing like for that? And I noted that you said there were times where, because shareholders of record inside the company had information that was nonpublic and material, those trades were suspended. I can't think of a more public time where it would be appropriate to suspend a trade than while you had a breach of this. Was that an error, an omission, or do you feel the governance worked correctly in that instance as well? Mr. Smith: Let me be clear, if I may. There is a process to clear trades; it goes to the general counsel. These three individuals that traded, it is my understanding they had no knowledge of the breach. Remember back to the time we talked about earlier? It was the 31st when the portal was shut down. We hired the forensic auditors and law firm on the second. It wasn't until later in mid-August that we had indication something was going on that involved large amounts of data. They traded the first and second of August. They followed the process we had in place at that time. Ok. So, based on the knowledge that your counsel had, who reviews these sorts of things, would it have been part of the procedure to say, hey, we have just had some very substantial material information that is nonpublic?
Isn't there a clear concern, four days of testimony here, I'm sure you are going to keep talking about this for a long time, that given the amount of material information that was nonpublic, executives and board members should not be trading in these shares? Mr. Smith: Congressman, again, clarification. On the 31st of July, the only indication we had there was a suspicious incident. No knowledge of a breach until weeks and weeks later. Number two, it should be noted, this is the topic that is a priority for the board of directors, and there's an investigation currently going on by the independent board of directors. Do you think it was a mistake to not cancel pending trades, even if they were ordered before the discovery of this nonpublic information, given they were actually going to occur? Mr. Smith: Congressman, on the first and second of August, we had no idea other than a suspicious incident on a dispute portal. My time is expired. I yield back. The gentleman yields back. The chair recognizes the gentleman from Colorado. The gentleman passes at the moment. The gentleman from Tennessee is recognized for five minutes. Thank you, Mr. Chairman. Thank you, Mr. Smith, for being here today. If I could, I think, from my standpoint in listening to others question you today, really the most glaring problem is the length of time between when this breach occurred and when the public was notified. I have heard your explanation this morning. On September 7, when Equifax claimed they recently discovered a cyber security incident involving consumer information, of course you knew in July. If I could back it up, from a governance standpoint, did Equifax have a preexisting plan in place for a contingency such as this? Mr. Smith: Before I answer the question, a point of clarification. I was not aware in July there was a breach. I was not aware until mid-August, as I said before, not until late August, there was a breach. That continued to evolve to September 7, and that continued to Monday of this week.
To answer your question specifically, yes, there was a crisis management written protocol in place applied to many crises, including a data breach. Did it anticipate a breach as big as this breach? Mr. Smith: No, the crisis management protocol we have in place is for a breach in general. It doesn't specify you react differently for 145 million versus 5 million. Did Equifax, in fact, use that protocol for this breach? Mr. Smith: Yes. Was it executed properly? Mr. Smith: Not without issue, as we talked about. That's because the system, the people, were overwhelmed by the sheer volume. I understand the website that you set up that provides consumers information about the breach, which is equifaxsecurity2017.com, that domain name was secured about August 22, does that sound about right? Mr. Smith: Sounds about right. Or that website in some form or fashion was ready to go some two weeks prior to the announcement, is that right? Mr. Smith: Yes, congressman. That's approximately right. The thing we talked about is the data was still moving. It was fluid. We wanted to be as accurate and transparent as possible on the data. Number two, we talked about the cyber security forensic team, and they recommended we prepare for increased cyber attacks post-announcement, and third, we had to stand up the environment you referred to to get access to free services. This morning, the chairman asked you about law enforcement. I understand the FBI is involved; they are leading the investigation, is that correct? Mr. Smith: That's correct. Is the Secret Service also involved? Mr. Smith: Not to my knowledge. Are there other law enforcement agencies involved in the investigation? Mr. Smith: There may be. I have been focused on the FBI. Law enforcement, including the FBI, and possibly other law enforcement. There are other agencies involved in the investigation. Is there any law enforcement agency or agency whatsoever that made a recommendation to you or Equifax that you not disclose this breach until you disclosed it in September? Mr. Smith: To the best of my knowledge, no.
They were involved starting August 2. We communicated with them routinely throughout the process, and we made them aware in September that we planned on going live on September 7. As you mentioned earlier, you hired the cyber forensics team on or around August 2. You mentioned you hired for legal purposes. You also hired a PR crisis team. Mr. Smith: Yes, congressman, we did. Who is that? Mr. Smith: In fact, we hired two. A company called Everland, a well-known crisis team at the tactical level, to help us understand and track a variety of input from different sources: social media, the broadcast media, regulators, state AGs, and crisis management, a strategic consultant as well. You mentioned King and Spalding. Have you contacted any other law firm regarding the bankruptcy of Equifax? Mr. Smith: No, sir. No bankruptcy protection whatsoever? A law firm or anyone else? Mr. Smith: No, sir. Has Equifax sought information on bankruptcy protection for Equifax? Mr. Smith: Not that I'm aware of. The chair recognizes the gentleman from Maine. Thank you for being here. I know you have been on the Hill quite some time. A lot of these questions have been asked before. But you know, this is so important because it goes central to our economy. It really does. Here we are on a pro-growth agenda; we want to have lower taxes and regulations and trade and energy prices that are stable. Then this happens. I know you folks got hacked. And I know you are doing the best you can with it. But, you know, the result of this might not be felt for quite some time. Think about this: a third of our country, 40% of our country, I don't know, 60% of adults. 145 million people. 145 million. Criminals now have the Social Security numbers, addresses, birth dates. When my mom was 89, I had to sign her up for Medicare. You need her Social Security number. This is serious stuff. I accept your apology; I hope the American people do, I don't know if they will. We have 1.3 million people, a half million got affected by this.
Now, I am also very concerned about the perception, at least, of wrongdoing when it comes to our securities law. You are a publicly traded company, or Equifax is. In rural Maine, people saving for college or retirement, little savers, small investors, the little guy, they can buy some of your shares in the open market and take a bet your growth is going to reward them. Take a bet on the economy. All of a sudden, we have material here, if you believe it. I don't know, this investigation that is going on, that says in late July you folks knew about a breach, and a breach which is central to your business. My gosh. You folks collect all this sensitive information and sell it to banks and automobile dealers and what have you to make sure they get accurate credit reports and money flows to the economy and families can buy homes and cars and businesses can grow. This is really serious stuff. So, any breach of that information, your business plan, is central to your success as a company and therefore affects your stock price. Now, we see information, if it's true, I don't know. You had folks on the inside, and it's really hard, Mr. Smith, for me to accept the fact that you have a dozen people reporting to you and they didn't know what the heck was going on when something is so central to your business plan. It looks like some of these folks acted, three in particular that I mentioned, acted to sell their stock before the breach was announced, a month before, to escape loss in the stocks they own, which is stock in your company. If that's the case, the little guy gets screwed. Because guys on the inside who know this information avoid the loss. The little folks that I represent in Maine are hard working. They save every penny and they are worthy of all the income they have. They invested in your company, in America, and they get screwed. I have a question for you. Now, I may be wrong about this, Mr. Smith, but the information I have is public.
It says you own 285,000 shares of Equifax. Is that true? Mr. Smith: I believe that's right. Ok, fine. Given the rough market value of that, its outstanding price per share, it is 28 million bucks or something. Did you sell any of your stock between the time when the breach was learned on the inside and when you announced it to the public, when anybody else in America had that information? Mr. Smith: No, sir. Ok. Here is one of the things that drives me crazy. Confidence. Business confidence is at a 15-year high. We have consumers confident about the direction for a growing economy. Then something like this happens, which shakes our confidence. Now, I know they mentioned this and I want to support it also, and ask everybody in our conference, Republicans and Democrats, to support a way for Congress to help. That is called the Senior Safe Act. We think it's a good idea if seniors who are vulnerable to this identity theft and fraud are able to go to bank tellers and insurance agents and say we suspect fraud of all kinds. We want to speak up to the authorities and not be liable for doing so. That's a great bill. Thank you for being here. Appreciate your time. The time has expired. The chair recognizes the gentleman from Pennsylvania. Thank you, Mr. Chairman. Mr. Smith, when I heard about the breach, I was very concerned, like all Americans were. Equifax, which is tasked with guarding millions of Americans' sensitive and personal data, has violated the trust of the American people. It's not acceptable. I commend the chairman for having these meetings to determine how we can prevent this from happening in the future. My people sent me here to share their voice. I would like to say their comments. One man wrote, "I am more than angry about the Equifax data breach. I understand crime will always be part of life, but I am outraged at the response to the situation. They have allowed my personal information to be compromised. This has the potential to impact us for the rest of our lives."
Robert in Pennsylvania wrote, quote, "Equifax must be held severely accountable for the massive data breach affecting every American adult, including all of my family. They must be held responsible, including for the disingenuous response." He described Equifax's directions as an endless circular conversation and added, "I am tired of this ongoing fiasco." These are real people whose concerns need to be addressed; hard-working Americans are scared and deserve answers, and they need to be made whole. I understand we are talking about the timeline here. Equifax discovered the breach on July 29 and notified the FBI two days later. The investigative team was brought in two days later. Equifax did not notify the public for a month. I understand it was partly due to public notification possibly allowing more bad actors to compromise the system. More than a month elapsed from the breach to public notification. I'm curious if there was an event or fact that led you to make the disclosure. For example, September 7 was the date it was disclosed. Did you know something on September 7 that you did not know on September 6? Mr. Smith: Clarification, we were not aware of a breach of any sort in the July time frame. Again, at that time you noticed activity July 29 that was suspicious. Mr. Smith: We notice suspicious activity on our databases around the world to the tune of millions per year. What we saw in late July was nothing we haven't seen before, suspicious activities. Unfortunately, in this environment it is very common. A couple of days later, you were engaging outside vendors. Mr. Smith: That is not unusual. What did you know September 7 that you did not know on September 6? Mr. Smith: I don't have a specific answer. I can tell you the time frame between mid-to-late August and September was very fluid. It continued to develop. We found 5 million more impacted. It was an ever-evolving set of facts. You testified data was not encrypted on your database. Is there a reason for that? Mr. Smith: There are different levels of security in different environments.
Encryption is one, masking is one, firewalls. Encryption at rest and encryption in motion is another technique. There's no one single technique that protects the consumer's data. A lot of people are watching at home, wondering if their data was compromised in the breach. Many Americans are wondering if their information that is currently held at Equifax is safe. Is their information currently safe today? Mr. Smith: We have no knowledge that any other information we have in our database in the U.S., around the world, was compromised. It was limited to this one portal. Is there a reason you are choosing not to disclose the scope of insurance coverage? Mr. Smith: Yes, there is. Can you share that with us? Mr. Smith: I prefer not to. The reason being, congressman, when you disclose a number, it puts a target out there for others, for lawsuits, so on and so forth. That's going to be disclosed in discovery. You already have lawsuits out there. Mr. Smith: Yes. You are choosing not to... Mr. Smith: Yes. I yield back. The chair recognizes the chairman from North Carolina. Thank you, Mr. Chairman and Mr. Smith. I think what's infuriated those I serve in North Carolina is they didn't volunteer to have their information stored at your company. They did not say, Equifax, take my data. There is a major element, it's a trust element, that's really been shattered. Let me shift to a personnel topic. Why were the security officer and information officer allowed to retire instead of resigning and being fired? I believe you, yourself, resigned. Mr. Smith: It is semantics; they are out of a job now. The day we announced their stepping down, they are no longer effective. They are individuals who can add advisory value to smooth the transition between themselves and the two announced interim individuals we have at the CIO level and the chief security officer level. Then, if those individuals were replaced with full-time people, which they will be, they can add value. Nothing more than having them assist in a smooth transition.
What was the total cash value of their retirement packages, if you don't mind? Mr. Smith: I don't know specifically. We can get that information to you. If you would, please. Did the chief security officer and chief information officer undergo financial repercussions as a result of their retirement other than foregone future salary? Mr. Smith: They lost their jobs and there's no bonus. Just foregone future salary and no bonus. Correct? Mr. Smith: That's correct. And no severance. Did the decision to allow them to retire instead of terminating, did it increase the scope of the severance? You said there was no severance. Mr. Smith: Right. In general, if an employee at the Equifax Corporation retires, do they have more access to benefits, receive a better separation agreement than someone that resigns or is fired? Mr. Smith: Not to my knowledge. Did Equifax not punish the individuals responsible but reward them for this decision by not firing anybody? Mr. Smith: No, sir, they are both out of a job. Chairman, I yield back. The gentleman yields back. The chair recognizes the gentleman from Indiana, Mr. Messer. Thank you for being here. I admire your stamina sitting here. The more I hear, the madder I get. Excuse my tone as I go into this. Have you had an opportunity to log on to the Equifax page and do this process of determining whether you were part of the breach? Mr. Smith: Absolutely. I did it. I had to give my birthday multiple times; I had to give parts or all of my Social Security number four or five times. I answered a question or two wrong, so I had to call into the web page, call into the calling service, and give my Social Security number another time. Has it crossed your mind, given the recent breach and the fact you have disclosed personal information for 140 million Americans, that people might be a little uncomfortable giving you their Social Security number seven or eight times to know whether they are impacted? Mr. Smith: I talked to people myself. I share your frustration. I share their frustration.
We tried to improve that process as much as we can. We have to validate you are who you are before we offer the product. It's frustrating to a lot of people and obviously, you haven't built a great record on trust. Will Equifax profit from the new data provided by Americans to your website? Will you take that information, now that I have entered it again, and use it commercially? Mr. Smith: The intent of this service is to offer the service for free, not cross-sell or upsell you as a consumer. This is the privacy notice you have to click on. It says here, I think in two columns, that this information can be used for joint marketing with other financial companies, for affiliates for everyday purposes, marketing purposes by, it looks to me like, Equifax and the company doing it for you. Mr. Smith: If you are a consumer that gets a free service from us, we don't cross-sell or upsell you. The form says you will. Do I believe you or the form? Mr. Smith: Excuse me? The form says you will. Do I believe you or the form? This is the privacy notice. Again, will Equifax have the opportunity to use the information provided by consumers in their operations of commerce, and therefore make a profit on it? Mr. Smith: I'll say one more time, when you come to us to get a free service, we are not going to cross-sell on the website. There is a phrase, the road to hell is paved with good intentions. I think your intentions were probably fine as 140 million people lost their information. It looks to me, based on this form, that you have the ability to do that. I want to ask you this question: have you ever met anybody who had their identity stolen? Mr. Smith: Yes. A pretty miserable experience. Mr. Smith: Yes. It destroys their life. Almost 4 million people in Indiana; it's important to remember these people are real people that have had their lives put at risk. Mr. Smith: Congressman, I couldn't agree more. I talked to people at my church, that work for us, my daughters, my wife, my family. I understand the anger and frustration.
I'm glad you appreciate that frustration. We'll turn to that in a minute. As you have these five services you will provide, when it comes to real compensation for people who had their identity stolen, the reality is they are not going to get much from you, is that fair? They are going to get five services, plus the sixth service. The total assets of your company are about 6.6 billion according to your annual report. Mr. Smith: Approximately. 147 million people, that is about 4,700 per person if you liquidate. If 1% of those people have damage, you get 4,700 that you would have to compensate them anyway. I want to ask you this, you mentioned how frustrated you were. A lot of American people struggle; you consider this a major business screw-up, right? Mr. Smith: It's a breach, obviously, 147 million people. And you mentioned, let me use your phrase, the folks you found most directly responsible for that, they lost their job, no bonus, no severance. Is that what happened? That's your words. Mr. Smith: My words are, I'm responsible and I stepped down. Does it seem fair to you that you would get a 40 million to 90 million bonus as you exit after you presided potentially over the biggest business screw-up in modern history, where 140 million Americans had their personal information stolen? Mr. Smith: Congressman, the only thing I walked away with, it's all disclosed in the proxy, was my pension and prior compensation. The American people are frustrated. And listen, again, I appreciate you being here, but they have a right to be frustrated. It doesn't seem fair. The time of the gentleman has expired. The chair now recognizes the gentleman from Georgia. Thank you. Thank you for being here, Mr. Smith. I am impressed that you're here considering that you are no longer in your previous position. I don't know that you would have had to have been here, but I appreciate your attendance here because I know this is difficult. It's a difficult time for 147 million Americans as well.
A couple of questions regarding some of the things you said earlier. Where I want to be focused is, how do we prevent something like this from happening again? I spent 30 years in the I.T. business, and security was always at the forefront of things we were working on. And so I am very interested in what transpired to cause the problem, how can we avoid this in the future? First of all, you mentioned in a couple of instances, as you were addressing some of the members asking questions here, that you complied with all the state laws regarding notification. And you mentioned state laws earlier regarding cybersecurity. Is it state laws that govern our cybersecurity policy? Is there not a federal law that governs that? And if there are, why is that not applicable? Mr. Smith: Congressman, the only point of clarification, the only thing we were trying to be mindful of there was, as we learned and gained more insight on the size and scope and nature of the breach, making sure we balance our desire for accuracy, completeness of the picture, with the state laws of communication. That's what I was referring to. Ok. I understand. But are there federal laws that are applicable in this instance? Is cybersecurity pretty much governed by state law? Mr. Smith: I'm not sure what you're saying. It's not governed by state law. The state law was just the communication that I was referring to. Ok. The actual applying of the patch, from what I understood in your previous testimony and you answering questions, was you were notified of the vulnerability. A patch was provided. It was communicated that that patch should be applied, but somewhere that did not happen. I guess the human error was the individual who was to apply the patch to that portal did not follow through. Is that correct? Mr. Smith: It's a little bit more than that. It was an individual in the I.T. organization who received notification from security.
That individual is responsible for the patching process and never ensured that the proper person was communicated to and then did not close that loop. Is there a level of oversight that should be there? I mean, quite often when I was in the military and worked in communications and intelligence, we always had two-person integrity. There was always somebody looking over the shoulder to make sure that a process was completed. Same thing when I was working with many governments in their I.T., there was always a security patch. That there was always someone else to come back through and make sure that it was applied. Was that process not in place? Yes. Yesterday, to clarify, this individual owned the communication and the patching process to ensure it was not closed. He did neither. Secondly, the closed loop process was also the scanner we talked about. The scanner, which was applied, I believe it was March 15, to look across the environment for this vulnerability did not find this vulnerability. And that is currently under investigation as to why. Ok. That kind of hit my next question, that being under investigation as to why that did not happen, and is there some liability on some individuals that, you know, potentially were nefarious in this process? The individual who I just discussed that was responsible for the patching process is no longer with the company. All right. Thank you, Mr. Chairman. I yield back.

Gentleman yields back. Chair recognizes the gentlelady from New York.

Thank you, Mr. Chairman. And thank you for having this very important meeting as we have over 145 million U.S. consumers who have been affected by this. And I thank you, Mr. Smith, for being here and being willing to answer these questions. You know, everybody is really angry. Our constituents are calling us. People are concerned about the security breach.
Social Security numbers, birth dates, addresses, driver's license numbers, credit card numbers for up to 200,000 consumers and all kinds of data has been breached. And it took, I know you've discussed this over and over, but six weeks to notify regulators. My first question on this is, did you or your firm notify the credit bureaus before you announced this breach so they could prepare for what our consumers are trying to find answers to, and many state laws also require this. Did your company actually do that? Did you notify those credit bureaus that were your customers? Let me make sure I understand the question, Congresswoman. Did we notify specifically TransUnion and Experian? Right. Prior to the date that it took six weeks before the actual patch was discovered and released. That's when you got your, I can't remember the dates on my, my colleagues asked you when you got your crisis management team, when you lawyered up, when you got everybody ready before you actually disclosed that. But when did you actually notify your customers, the credit bureau customers who relied on your information? Again, I think I understand the question. So it was in late August, not late July, that the picture started to come together that we had a data security issue. We went live on September 7. To your question specifically, we did not go to TransUnion or Experian before the release went out on September 7. So they didn't have any knowledge of this happening, so they weren't able to prepare when this was to come later on, as your company. Yeah. It was not public at that time. Right. Let me ask you, so you described the suspicious activity and the patches, and millions of patches occur. Is there like a priority or a way that your team identifies what patches are more important, more valuable, more vulnerable than others? Is there some protocol in place for that? Yes, there is. Let me clarify, though, if I may. It's not millions and millions of patches per year.
What I was referencing is in any given year it is not unusual to have millions of suspicious or potential attacks. Specific to patches, patches and the requirement for patches are very common. And they're stratified in different categories, from critical to high to medium to low risk. And the protocol internally for the amount of time required or allowed to apply the patch depends on the criticality of the issue itself. So what would you rate this patch that did not get, it was critical. It was critical. When was the actual date that you discovered that patch? March 8, we were notified by CERT of the need to patch. On the ninth, the email went out to the teams to apply the patch. And as we talked about before, there was a human error. The individual did not communicate and close the process. On the 15th of March the scanning device did not find the vulnerability. But that's in March. Did you notify the credit bureaus or other customers, how many customers do you have, this confidential data is actually on your site, do you have in control of? How many people would you say, actual individuals have their, are on the site that would be vulnerable, not just the total credit population in the United States is roughly 230, 240 million people. So that many people were affected by this? No, Congresswoman. The number we've disclosed was 145.5 million. The services we're offering are to all Americans, but at this point, 145.5 were impacted. Let me just go quickly because I decided to go look on to your site as my colleague pointed out. It's ironically called trustedidpremier.com. And I went to this and put my own information and said I may have been breached, and it does send me to another, I have to go through some protocols, reenter more digits on my Social Security, my name, and then it reveals to me that nonetheless, please enter more personal information.
If people listening to this and my constituents go on to find out if they've had their data breached, will they be vulnerable if they reenter this on this website? We've taken many steps since the breach to make sure that's secure. So this is secure. They can go reenter their data and it will be secure. Yes. Thank you.

Time has expired. The chair recognizes the gentleman from Colorado.

Mr. Smith, thank you for your testimony today. Thanks for lasting so long. Just a few questions for you. And I do have some sympathy for, you know, the attack, the breach, whether it's Anthem Blue Cross or Lowe's, Home Depot, J.P. Morgan Chase, the Democratic National Committee, lots of hacks have occurred and everybody needs to stay vigilant to that. My questions to you, sir, are going to be more, credit reporting agencies are not everybody's best friends, you know. You have a job where you try to actually say this guy is a good credit risk, this gal is not a good credit risk, whatever. And we had, and it may have been you and executives from TransUnion a few years ago, and there was a question about whether or not the algorithms that are the basis for people's credit reports were going to be disclosed to us as members of Congress or whatever, and I think the testimony was that those were proprietary and patentable and were key pieces of information for the different organizations. Did you, were you one of the ones that testified for us? Congressman, I was not. You may be referring to the most common credit score in the industry is a score called the FICO score. Right. That may be what you're referring to. So we wanted to get information at that point about how a FICO score was calculated. Just, you know, is it fair to whoever is getting their credit score or credit report, and we were told no, that's proprietary information. Do you know whether in this hack how you guys develop the FICO score was stolen?
Congressman, we're a reseller, if you will, in some cases of that FICO score, and there's no indication that we housed FICO scores that were hacked in any way. Ok. So the algorithm or whatever is that proprietary information, to your knowledge, wasn't part of this theft. Yeah. The algorithm is developed and controlled and owned by another company called Fair Isaac, and your company doesn't have how that algorithm is created or developed? That is correct. Ok. I was asked by somebody from the Energy Committee and I know you may have testified earlier today. Do you know whether there was a foreign actor who was the perpetrator of this hack? We've engaged the FBI and the FBI is continuing in their investigation. There were some statements you made that there was a clever kind of ability to get around some of the safeguards you all had in terms of the speed or the volume. Is there a concern on your part or anybody at the company's part that this was an inside job? No indication of that at all. So, I mean, when somebody comes in and hacks, it's like they're trying to break into the bank, and your bank housed a lot of information, if you will. And you had some safeguards, you got the patch, so there's a vulnerability that they were able to get inside the bank, but then they were able to avoid a number of the different kinds of defenses you had within the bank. Did I mishear your testimony? That's correct. So in this investigation, are you doing an internal investigation on top of the FBI investigation, how is that proceeding? Yes. If I understand your question, there's the forensic investigation, which is done on the data that was compromised. It was done by an independent firm. There is an internal investigation being done by outside counsel to look at all the processes internally and individuals involved internally, if that answers your question. And then there's the FBI investigation as well. All right. Last question.
Just what I was looking at, there's like a hundred lawsuits, class action suits, variety of suits. You are asked by Mr. Rothfus whether you had insurance for this. Are you self insured? You didn't want to give us an amount. Do you have insurance for this? We have cyber insurance, yes. And is there a self insurance, do you have self insurance? Do you have sort of money in reserve for something like this? There's a retention that we have and then on top of that is a stack of participants up to a limit. And my last question, do you still retain shares in the company? Absolutely. Thank you.

Time of the gentleman has expired. There are no more members in the queue. I'd like to thank the witness for his testimony today. Without objection, all members will have five legislative days within which to submit additional questions for the witness to the chair, which will be forwarded to the witness for his response. I would ask, Mr. Smith, that you please respond as promptly as you are able. This hearing stands adjourned. [gavel]

[captions Copyright National Cable Satellite Corp. 2017] [captioning performed by the National Captioning Institute, which is responsible for its caption content and accuracy. Visit ncicap.org]