This is one of several appearances he made. This is two hours. The committee will come to order as we hear testimony from the CEO from Equifax that held those positions until last week. I understand you are now an unpaid advisor to the company. We appreciate your willingness to testify here about the events surrounding the breach and Equifax response what you were leading the company. Given the severity, Congress will continue to examine the facts and what can be done to prevent similar situations. Cyber securities one of the most pressing issues facing companies, consumers and governments alike, is one of the biggest threats to the financial system. The amount of data us the industry collective stores very concerning intrinsic vulnerability collecting and storing personal information when you have the Banking Committee takes the oversight seriously and financial institutions credit bureau serves the critical function to be a daily part of every Americans intersect and get credit cards and car loans and mortgages and other items such as when they directly request day could report like as a background check to determine their eligibility. To easily access credit is one of the things that makes the economy and country the envy of the world. It is also why is preaching is so shocking and concerning. Here is what we know based on information from Equifax.
If it impacted more than what hundred million consumers, the data taken included the names, Social Security numbers for updates addresses and in some cases driver's license numbers and credit card numbers to moderate 9,000 consumers for proxy 182,000, and according to Equifax that unauthorized access to a committee made through July 2017 with Equifax discovering on July 29 then finally taking care of the intruders. Why did take him six weeks from the time it learned of the breach to how strong are their practices after the breach, what interactions of the company have with other credit bureaus and government agencies to understand what could be improved in terms of information sharing. Additionally pouted important questions about the steps he has taken to alleviate customers and if more needs to be done for that potential harm. In the op-ed last week your successor they answers to keep consumer questions were delayed and incomplete were both. That same op-ed asserted to protect and control access to personal credit data. Senator Brown. This data breach executives walk away with billions of dollars tens of billions of American that upholding the bag. Unfortunately Americans have come to expect that Equifax scandal will play out the same way as Wells Fargo as executives retire or lose their bonuses, only later we find out it goes much deeper. And that since 2005 it has been rapidly transforming itself but then never asking people if they want to be tracked. Was 145 million, over half of those adults in the United States, the data that you allowed to be stolen and had a vague idea if they hurt you a little bit while they may not know the name chief at Equifax dado they should about the company that gathers the most information about them should have state of the art, it should be a digital Fort Knox when it comes to security.
That is not important your business model. You bought one company to get access to payroll information and even where they lived. 7,000 businesses and that one in Ohio company with an unknown number of information of those criminals. Into states that instituted additional security measures to psyche claim you are doing now it at the same time taking advantage to get into their system. It has been 10 weeks since you discover this but I still don't think we of a complete answer what happened or why. We do know it could have been avoided of a simple step resembles that to a Ministry Security patch by your response was negligent. Use say they knew some people have been exposed on August 15th, rather than give them a chance to protect you withheld the information for weeks and then see you could get the appropriate consumer response put together. But when you finally did the website and call center were overwhelmed to try to take a vintage of the situation by a stick eight victims of the forced arbitration clause buried in the of credit you even tried to take it period fitch further when the public was so upset because you betrayed their trust you give them a forced arbitration clause in the credit monitoring product. To at least to back down under pressure id like Wells Fargo continued to resist. We sent you a letter requesting disinformation is their company policy on stock tips. The best we got it will work with committee staff to provide a copy of the policy. Were not talking about trade secrets just the obs vacation. All of at action up to this point demonstrates this is not a company that deserves to be trusted with America's personal data. You exposed over half the country to financial harm, they have forfeited its right to corporate secrets. Settle make the same mistake that Wells Fargo did. Now was the time to give this committee the whole story. Now we will proceed to the testimony from Mr. Smith, former chairman and CEO of Equifax.
Your written statement will be made a part of the record in its entirety and you may proceed to hear oral remarks. Good morning. Honorable members of the committee, thank you for the opportunity to testify. For the last 12 years and had the honor of serving as chairman and CEO of Equifax. I submitted written testimony which addresses the details of my testimony in far more detail. Many consumers have read their letter says understand how frustrated and fearful Americans are. This criminal attack took place on my watch and I take full responsibility as CEO of the time and I am truly and deeply sorry for what happened. Americans have a right to know how this happened the what I did about by incident and what they know what I have learned to as a result of being briefed from the company's investigation which is ongoing. As we now know the criminal attack was made possible from human error and technological error involving a failure to apply a patch in March 2017. Technological was a scanner that failed to detect the vulnerability of the portal. Both have since been addressed. On July 29 and July 30th suspicious activity was detected. We followed security protocol at that time, they shut down the portal to begin the internal investigation in August 2nd with the top securities experts and notified the FBI, and at that time we did not know the nature or the scope of the incident. Not until late August we concluded we had experienced a major data breach. The weeks leading up through September 7 the second team continue to work from the clock to prepare to make things right. We took four steps: first to determine when and how to notify the public flying on the advice of our experts to have a plan in place as soon as we announced. Hoping consumers to develop a web site with two staff massive call center to offer free services to every American. Preparing for increase cyber attacks which reword rise were common after a breach, and corning with the FBI to notify a theres.
In the rollout the mistakes were made which again I am deeply apologetic air regret that frustration many Americans felt with the web sites and call centers for overwhelmed. It is no excuse but it did not help the to of a larger call centers were shut down for days over Hurricane Irma. It has increased the capacity, we have handled more than 420 million visits to her and the web site. And to offer this to all Americans to help protect consumers and in addition there will be available, January 31st and with access to that credit data to locked and unlocked their credit files whenever they want putting access to data of the American consumer and mesurol learned it is a first approach longterm solution at the kennedy laughed and then to solve that larger problem pleaded public-private partnership to give personal data ongoing aisle afford to being a part of that dialogue. Chairman and Ranking Member, thank you for inviting me to speak for you today. In a row close by saying how sorry I am about this region of a personal note thanks to the hard and dedicated people working so tirelessly over the last 12 years per boat put Equifax is a great company with thousands of people trying to do the right thing every day. They will continue as we have months to right this wrong. Thank you. Mr. Smith, you recently discussed the need to give consumers a control. Yesterday said it is time we change the of paradigm, give them control who accesses their data is the right twelve and then accesses the data. It will be a simple tool, web enabled on an application to consumer can dictate who gets access and who does not, and if he or she wants to go to the bank to get a credit card or car loan, open access to the underwriter to look at the file, total and secure. If the solution works and it is a part of the solution with regard to other private sector actors or illegal actors, what about the government? Does the Federal Reserve csp be have access to the data?
If the consumer, at the consumer level? If the consumer locks their file they lock out anyone's access to that data. So you are not in the position of being acquired by any federal agency to provide us personally identifiable data to the agency? Mr. Chairman, I'm not sure that I understand the question. If a consumer locks their file, prevents access for any other bank or telecommunication company, they would be the only one to unlock the file. I couldn't unlock that on the behalf. Even if asked by a government agency as opposed to an inquiring bank? I would have to check on that. Thank you. I would appreciate that. In the hearing yesterday, he mentioned that we may need to think about how secure the Social Security numbers are and if they are the best identifier going forward. Can you give your thoughts on that? Social Security numbers have been out there since 1936. You talk to many cyber security experts and they say the vast majority of all have already been compromised. I am in no way scurrying the issue of the horrific breach that we had. It was horrific, and I apologize to the committee and all Americans. I would encourage a dialogue to talk about what is a better way to identify individuals, something beyond the SSN. Do you have any idea what could effectively transfer to? I would love to be part of that dialogue of public partnership. There's a lot of thinking going on right now. I'm sure with the right thought and priority, we could correct that. There've been some issues and confusion related to the products discussed and services that Equifax has offered. Some are having trouble with the offers. Why do they need to do to be able to obtain these products and services? We offer five different services for free, not just to the victims of the criminal attack. Number one coming it is a free bureau monitoring where you can monitor activities against your credit file. The results, Equifax and TransUnion. Then to lock the file.
Number three is the ability to scan the dark web on behalf of the consumer, looking for Social Security activity that might occur. Number four is access to the file for free. Number five is an insurance product that helps recoup the cost of 2 million if a consumer has costs trying to fight for the fair credit. So those are the five services we offer today to all Americans and the other is the one we talked about available in 2018, January 31st, 2018, which is the next generation of lock. Thank you very much. Senator Brown. According to your testimony in the house over the last three years coming to spend 250 million on cybersecurity. Yes, that was an estimate, over the last three years it is approaching a quarter billion dollars. So in 2016 you've made up of 69 million, is that correct? I'm not sure to be honest. In hindsight, do you think Equifax should have spent more money protecting people's data rather than compensating you so ill? It's not a matter of the dollars spent or a financial constraints by any means. It's obviously when you look at the issue in hindsight could you spend money differently, not the total dollars spent. There is a benchmark that the financial services company in their totals security spent talks about the range of ten to 14 and our range is in the range of 12 so we are spending money in the range. I know there were not nearly as many questions coming in. I understand the complex via this but you are an IT company and that is not acceptable. At the university they get the database cost free and ask how you approach the data as a huge opportunity for us. The filings back that up and stay to the significant portion of the revenue from credit monitoring and fraud protection services to consumers.
So do you think it is fair that Equifax gets to take its consumer data and almost no cost weeks millions by selling it to the data mining companies and marketers in charge of those consumers for the credit monitoring products after they become identity theft victims? It allows them to get access to credit. We take the data and analytics and allow underwriters and banks and credit card lenders, automotive lenders to make loans to consumers. We make very little money as a percentage of the total revenue selling products to consumers. It doesn't get the data directly from the consumers and has several pointed out Congress long ago as I think you know decided the companies could not traffic in people's medical records for obvious and good reason. And if they needed the consent to a transfer. Why shouldn't we do the same with financial records, that is how important it is to people, why not do the same to the financial records to change the consumer reporting industry in this country to give Americans the ownership and the data? For example, should they be allowed to request that you delete the data from your systems? We are a vital part to the global economy. We provide a great service to the consumer and they learn to get access to credit. We also enable beyond the bank because of the data to have the opportunity to get into the credit markets. If there is a vital and very important role that we play for many years. Yes, there are things we could do better as an industry working with government and the one thing I would like to see us talk about it as an industry is the concept of giving the consumer the power to control the data and it's the concept of the lock for life. I'm trying to read between the lines. Is that a yes or no to the question of should consumers be allowed to request you delete the data from the system, that the data you've gathered without their knowledge? A better way to get at that is a smart concept. So that means no.
Even though we deal with medical data and fundamentally if you don't think consumers should be able to control their own data in question is why should the company that has had so many security failures be allowed to control their data. That is the question that this company hasn't apparently has not asked or certainly hasn't answered the public. Thank you and I would note that the senators that we both stayed within our five minutes. I would encourage all of you to follow that pattern. It's kind of impressive. Mr. Smith, let's take a minute to talk about why we are here. A big picture. There is a small group of credit bureaus in America and by small I mean three. If you buy a home or car you typically have to be cleared by one of the three and if you don't have a relationship with one of the three, if you are a consumer who didn't choose this, people were at least choosing to apply for the security clearance and work for the federal government. It is not uncommon from one of the credit bureaus to obtain when something goes wrong and when one of the big three is hacked if you are one of the 145 million Americans that have their information stolen and if an American has their identity information stolen what happens when there is a reasonable suspicion that folks at your organization may have engaged in the insider trading. There is a lot of anxiety that Americans feel into those that don't have the benefit and the powerful lobbyists and for them this is one of the only shots at getting the full account of what went wrong and who is to blame and what is going to happen in the future. So I would like to discuss a question about those that were in tactic by the breach and how the exposure lasts. You don't have the ability to change your name, your mother's maiden name, birthdate, Social Security number commands your organization is committed to providing monitoring services for the next year. But I am curious about whether or not Equifax and the board deliberated.
Do you think the responsibility ends in one year, two years, five years and if you think it ends at some point, you try to think about the goodwill and balance sheet impact, how can you explain to an American whose identity is the sole and later because the breach why the responsibility whatever it extends well beyond a year. The first step we took is the services mentioned to the chairman of minutes ago which gets the consumer through one year. The ultimate control for the security for a consumer is going to a lifetime, the ability for a consumer to lock down his or her file to determine who they want to have access for life. Isn't that about people who might be breached in the future? I'm talking about the 145 million whose data has been stolen. What do you think your obligations are? It is a good combination of services. I think the innovation of some of the stuff proposed for the big three going forward is quite interesting but why is any of the five doing much for the data that has already been struggling? Venus plus the lifetime lock we think is the best offer for the consumer. I don't think you answered the question about whether or not the exposure and is at 145 million. Do you know the number breakdown by state across the top of her head with the data that we could have by tomorrow ask, can you parse it by state so we understand how many constituents we have? Highinterest hesitating by tomorrow but let me take that back. Thank you. It is being reported in the media that he received a no-bid contract from the IRS for fraud prevention. Can you explain to the American people not just consumers have been exposed but as taxpayers why you should get a no-bid contract? I do not profess to have the details. It is with the IRS and the concept in the past that is being renewed. We are going to follow up as well if you can clarify back.
I have less than a minute left but I want to open the allegations that the executives engaged in insider trading with knowledge of the cyber breach. One of the definitions of trading occurs when a business executive trades their company stock because of confidential knowledge that they've gained from the job. I'm sure you can imagine why they are very mad about the possibility of this occurred or insider trading is going to be discussed more. I wish you could give us a timeline of the first steps, when did Equifax learn of the breach and when did m them of that? I will answer as quickly as I can. We notified cybersecurity forensics team and outside global law firm on August 2. August second. At that time all we saw was suspicious activity with no indication as I said my testimony of the breach. At that time you might recall the individuals sold stock August 1 and 2nd and we didn't have an indication until mid or late August. So those executives have no knowledge of the breach on August 1 or 2nd? They also followed the protocol for the proper channels which is the general counsel. Thank you for being here today Mr. Smith. I apologize for not being here in the presentation, I had a business meeting at another committee that I didn't hear your timeline so I will give you mine and start with the first notification in March of this year. Did you do anything in that notification? We notified on March 8 and March 9 among the traditional patch critical to communication was sent out. Did you do anything to fix the potential vulnerability? There were two steps that was a walkthrough for patching the organization. The message didn't get to the right person. Automatically in the end, there was nothing done with that notification to fix the vulnerability. The scan was applied looking for it, we didn't find one. Let's fast-forward to the 29th of July. You learned for the first time your company has been hacked and it was preceded by the notification from the U.S.
After the senator pointed out, you had three high-level executives sell 2 million in stock. You notified the FBI of the breach. Can you tell me if the general counsel was held accountable for allowing the stock sale to go forward or did he not know about the breach? On the 29th and 30th a security person saw suspicious activities and shut up or go down. There was the vindication at the time. The forensics began at the 30th. They brought in an outside cyber expert, forensics auditors, law firm and FBI. It took place on the first and second, that's time general counsel who clears up the sales have no indication of the company. I have to tell you something, this is a fact and it may have been done with the best of intentions with no intent for insider trading but this really stinks. I mean, it really styles daddy and I guess this isn't a crime. But the bottom line is if you found out on the 29th you didn't know how severe it was coming you told the FBI about the breach in on the same day they sell 2 million worth of stock and then you do some investigation evidently and find out at the end of the month that at least by the first part of September you finally notify the public and as it was pointed out already in the committee these were people that did not ask for your service. You gathered it and now it is totally breach and then as the senator said, what is the length of exposure and you said we do these five things. The credit rate goes up a little bit and they buy a house for 250 on a 30 year note and it costs 25,000. Are you liable for that? I understand your anger and frustration and apologize for the breach. We think the services offered are a first step. I think Equifax must be the company at that point in time.
On a breach this vague in this day and age we have folks that are good at this stuff especially the Department of Homeland Security says you have a problem and it wasn't really dealt with in a way that was like a problem. You could say you sent out the directives, in the end you end up with a series of very severe breaches. The problem we've got and I will tell you this time of the impact and the numbers are important for the 600,000 adults. I think it's about two thirds the adults in Montana which is about four or 500,000 people. And in a state of the million, that is a lot. So, consequently those people are going to be impacted negatively for a long time. Because this happened and you can say I'm sorry that it happened but the notification for six weeks in this century that we live in is absolutely unacceptable. I will just tell you that. It is unbeatable. I appreciate you coming before the committee. Thank you Mr. Chairman and Mr. Smith. Certainly, we are all a tad confused about the knowledge that you had in your executives have at least two seem to suggest more information than we are getting. So I want to walk through the numbers as well as the timeline to better understand and appreciate what happened. You said that they did not know about the breach, but there was suspicious activity that was reported. Did you know about the suspicious activity on July 29? You were not notified about the suspicious activity. I was, but on the 29th, on the 21st you were notified? Correct. So, the very next thing after you were notified, your senior executives including your CFO sold 1.8 million, nearly 2 million of stock for a profit of, speaking to the September 7 devalued stock, for about 655,000. So, as the price of the executives sold their stock, comparatively speaking to the stock price that would have been had they sold it on September 7, there were 655,000 during the same window that the average person who learned about the breach lost
6.4 billion or 36 of the stock value. Is that accurate? I haven't done the math but I would trust that it is. So, Equifax tells the public about the breach on September 7 which is six weeks later and walking through the math the stock dropped to 92.98 per share and dropped from 146.2 per share for 36 loss. The executives sold about 1.8 million benefit of about 655,000. If you average the 36 difference. There are roughly 120 million outstanding shares of Equifax. That means folks that have Equifax stock in their retirement accounts, some of the mom and pop businesses that are saving for the future for the march purchase and they decide to invest in the Equifax, all those folks had the burden of the drop in the valuation. At the same time, the general counsel who didn't know, the CEO who didn't know, so all the folks had no clue they were the luckiest investors on August 1 to sell the stock at the best price to net the 655,000. This was pure luck and nothing else. A few thoughts back to July 9 and 30th. We experience millions of suspicious potential attacks each year. It's not like the suspicious attack that occurred on the 29th and 30th was the first of the year of that month, suspicious attacks occur all the time. That's number one. Let me ask you a question about this. If you were to look back at the executive stock sales on the other millions of suspicious activity, was there ever a suspicious activity that led to within a 48 hour window the sale of stock? The window was open and not call and it's only open a short period with time, as you might guess we encourage them to sell at the first part of the windows opening. As you get into the opening you know more about the quarter so you tend to discourage the sales later on in the months of the behavior you saw was normal behavior. Number two they did follow the protocol and got the clearance. The window wasn't closed b was e general counsel until mid August.
The last point I will make, these are the men that I've known for a long time. Two of them for 11 or 12 years and one has been my CFO for three, three and a half years. These are honorable men who follow the protocol as outlined by the organization. I will close with this Mr. Ranking Member. I believe in the rule of law for everyone. I believe that you are innocent until proven guilty. I will say what you want us to believe as the committee, the U.S. Senate, the cone investors in Equifax and the entire nation, what you want us to believe is the three wealthiest investors who sold their stock did so without any knowledge that suspicious activity may be bigger and more powerful than any other suspicious activity perhaps in the history of the company. I find that hard to believe. Senator Warner. I appreciate being here, but we have seen a history of other companies like Yahoo announcing today the breach was actually 3 billion, not the 1 billion they initially acknowledged. For a company like yours, where American citizens have no right to opt in, we enter into no customer-based relation with you, I think it raises a whole host of policy questions we cannot get into today. But I think this committee needs to look at it. We need to ask honest questions. Who owns this data? How do you get the right to this day as it is our personal information and yet your company's practices of cyber hygiene are sloppy in the extreme. The fact that there was no known vulnerability and you didn't have the appropriate internal control in place to easily patch this is inexcusable and the fact that it took so long for the senior leadership to get its act together is inexcusable. And what I find, to echo what my colleagues said on how long it took, once the breach was known to, but complete sloppy haphazard approach you took on remediation is again inexcusable.
The fact that the site you put up rather than directed customers to go to did not use your existing domain, that you created a whole new domain site and there were known software glitches. You initially offered to people what I believe was a bait and switch scam to say we are going to give you a year of preproduction but by the way, we are going to give up all of your legal rights by agreeing to some small print arbitration agreement. It was so faulty and sloppily put together that even entities like the Architect of the Capitol would allow them to access the site because you thought that it was so vulnerable. The fact that you then also required individuals after their information had been hacked into abuse for who knows how long, entering your last name and last six digits of your Social Security number, what I was in hs name are you all thinking? Are you the current CEO? No. I thought it was best for the company if I leave in san resurrect this great company. And has done a lot of great things in the world and to assist any way I can for free. Today there are two issues before this committee and what will be done to rectify this for those individuals that have been harmed so it is the entire cyber security so now to say with the antitrust laws there are limitations to talk to each other when threatened by a cyber attack. Correct? And to leave those agencies with those issues san twins of several securities. And the situation could talk to your two biggest competitors in March and then July? Like to do not warn them? So later with that consideration could you talk to those big competitors? I am not aware. The SEC chairman is aware of that. Working on the Data Security Act to provide a national standard to make it clear for people within an industry in the federal government so would that be hopeful for your predecessor or successor? It seems to me when my grandson can get unlimited access that a person U.S.
Data stored and how to manage their Credit Scores what keeps you from giving that ability to freeze the accounts . With 22 biggest competitors get a bin at then to unfreeze the you have to activate that entire process is scenes like most americans cannot do that so what keeps that industry moving toward a simple type of app spirit that is what we were happened to be headed toward said jerry 31st product an application on the smart phone and i would encourage to other competitors to come together to offer the service so the things you to do if they had the power at their fingertips to lock in dunlop anytime they wanted all three companies would be a paradigm shift. What do you tell your successor . What advice would you give to rectify the situation . We pride ourselves to be the in trustors steward of data and now to regain the trust of the consumer. How do we do that . To be no lifetime walk. Lifted you have the size of that criminal attack. Equifax has been hacked several times in the past few years consistently noted to have the worst day this security practices in the industry through this system that was identified months before. The whole thing is staggering so they should have the best Data Security in the industry but instead they have a the worst and i want to understand why. Are a look at this and in august day couple of weeks prior you said the fraud is a huge opportunity for us a growing business for us so information 145 million americans has been stolen is that more likely now . Yes. Sova breach of your system has created more Business Opportunities . For example, millions have signed up for Credit Monitoring Service after the breach offering one year of free credit monitoring but consumers that want to continue that have to pay for it . The best thing they can do is get the lifetime lock. You are offering free credit monitoring but then they have to pay for it . That is a lot products. But that is a lot of money. 7. 
5 million have signed up through Equifax if what million by just one more year of monitoring that the standard rate negative 17 per month that is more than 200 million in revenue for Equifax because of the breach but there is more. Wife what to another company has now seen a tenfold increase in according to filings with the SEC LifeLock purchases credit Monitoring Services from Equifax that means of a buyback through LifeLock then they pass that revenue. Is that right? That is correct. From the second breach making money off of consumers to purchase credits maturing through LifeLock to be in businesses in the Government Agency to stop fraud to the potential identity beef . With one clarification but at the same time with direct to consumer reaction at that down. I'm sorry but my question is making a 10 fold increase of the of breach you make money. So you're making money off of this. Equifax sells products to businesses and Government Agencies through potential indemnity believes . Yes we sell to business but that is not the primary focus. You don't have any products. I am saying the vast majority we do for business is not broad. Equifax is making millions of dollars but meanwhile the potential cost is shockingly low. It turns out the average recovery for the data breach is 2 per consumer so looking at the big picture Equifax disclosed at least four separate attacks in those four years has the cost on up . Yes. Has more than 80 percent over that time.
Equifax did a terrible job because they didnt have a reason the incentives are complete the spotify because of the reach consumers will spend the rest of their lives worrying about Identity Theft and will have to pay to issue new credit cards but equifax will be just fine actually coming out ahead there is no competition and with nowhere for them to go we dont take are dated to someone else equifax with this whole industry should be completely transformed and should decide iran as access to their whole data Senior Executives should be held accountable to pay severe financial penalties for every consumer record that is stolen. The q mr. Chair i have one question now want to get to so can you explain the strategy vs. Belloc purses the delete option . To provide a very valuable source to get access to credit if they are not in the system. If you have that delete option for a consumer to have that Information Available to people who are underwriting and all three of those providers had is that affect. Is that more pronounced of those changes of those regulations . I do the point i am trying to make is i associate myself with the concerns the three individuals then question the of known for several years would be helpful to see that process that they had gone through but there is that the individual should step up and address. The other thing we could be missing you sound like you have remediation in place on the longterm obligation there is a difference between the breach andy expect exploitation we have not seen any yet. 
So over time to mediate any exploitation on the of pathway but when engen yesterday the problem that resulted so you needed to make it very easy and no cost to the consumer to fix a problem they became a part of it would be hopeful to get some assurances that is the case that inappropriate parking ticket parking ticket i got and said i have received they said you can file it may be your license tag was mixed up so they should of been able to figure out they made their problem my problem but to be absolutely certain that they can convince us you are addressing this not making the consumers problem. It is important to understand that affect to erase the financial history from the series from the system. Said justin day comment but this committee in every committee for Cyber Security needs to understand that exposure as the aggregate your of data i would think your system should be more impervious to attack the those who are the ad creators of Data Congress needs to think big picture getting the economy to be a point it is more difficult to penetrate with organizations that are far less sophisticated if they think the of big banks are the only ones i have a book called packing for dummies. For the industry and congress to understand they need to be held accountable for getting beyond that shiny object and protect the consumers to recognize to protect this economy otherwise it is the ceo of the week that is not the way we should leave from capitol hill. I do think it is in your best interest to give us more information on the stock disposition pattern of those executives in question. North dakota is a status 740,000 per car our attorney general estimates 248,000 families have been affected. And i just want to tell you i am deeply concerned of those remedial efforts. 
First if you have this level of information that they did not give you and you dont have a system in place for a fire drill and looking for potential breaches to create this that is what you told us so why the of rollout why that went so poorly and why it was like 0k . We will charge you a fee . Now why do i have to spend money to protect myself . I think it isnt enough to say my goodness look at the magnitude the same way you should anticipate a few of a fire in a building you should be ready when it happens we know it will happen again but i say this because i want all ceos to answer what theyre doing to prepare. Getting back to the fbi we didnt realize it was this serious what date did you notified the fbi . August 2nd, ahead of security at that time was notified. Win with the head of security notified the chief officer . From the same time. When did he approve the stock trades . On the first and the second that was suspicious activity with no indication. How many times to notify notify . I dont have that data but that is not unusual. I get that but how many times when notified you turnaround. I dont have that. That is a problem because that is suspicious when your chief legal officer has explaining to do because after knowing about this level of breach did not try to undo those transactions what appears to be a beneficial situation for your employees. Talk about remedial measures that were in this very big discussion of mandatory forced arbitration. If i sign a contract may be i can protect myself maybe i can the we can argue that point why should you ever make that choice of forced arbitration . The intent was never to have the arbitration clause there was the part of a boiler plate. Lets just ignore a the breach why should they not make that choice . Especially if the consumer is not your customer . That is the path for us to take we have some real challenges to take a look at how we provide a real remedy to consumers in that situation. 
This will be the first time we have a hearing like this we had one yesterday but my warning is a person has a responsibility for consumer data to do the right thing right now thinking if this happens those who lost their personal data . Opt in as opposed to opt out . I wanna walk to and tell i am locket why cant i have that option . Wiedmaier have to pay . It is free. For the lifetime. Mr. Chairman you are retired as of last week. You leave with your base salary and and vested options and a pension value of roughly 90 million. Help me to understand why thats fair . Clarification i told the board it is time to step down i will not take a bonus or severance i will work as long as they need for free i walk away with a pension and invested equity given to me. I have burned. Is the tens of millions . That is how we got at 90 million if it is 23 your 45 or 38 my question stands out is that fair . That is something i have learned through my career. Is that fair . Senator, i grew up in the midwest and never envisioned to have his career i have been fortunate i have worked hard. The board is elected every year. Your investor presentation. Even though by a july 29 to be compromised by August August 2nd to retain outside counsel and i understand you periodically inform the fbi but not consistently retain outside counsel so what some point you do something more significant than usual was up . Not true. Not until later in august the size and scope of the complexity of the breach. August 16 your message to investors was in during support longterm growth is ryutaro what your role for consumer data. Should equifax disclosed the data reached to investors . We talk to them routinely been to fight to every day. 
That you retain outside counsel and i guess i am wondering if that pattern indicate somebody knew something significant was up they made the judgment not to disclose that not just 143 americans also investors and whether or not you throw him the love letter of the what they should know of that will impact the company in you had to have some clue it was percolating in a negative way. There is always the risk they are well aware of that. Referring to those Investor Relations we have not gone public. We cannot disclose that. You know the total scope and size of the breach. See you decide not to disclose all . Yes. At that time we were not even certain it was real. Why would you inform the public . To late august to have the indication. What happened july 29 . When they security individual saw suspicious activity saw that again on the 30th then shut down the portal to make it tricky six weeks to figure that out . Yes bringing in those Cyber Security experts in the complexity and the size. To the extent you make massive profits by a understand you do this for a living but not to have that coalition to enter into a contract except youre making a nice living have it ready to what to do a . Clarification the senator asked about a statebystate information you seem to of insurer not sure but the chairman and i sent a letter requesting that state level data so why was that not provided to west the statebystate data . Tavis just informed that it was given earlier of another 2. 5 Million Consumers that has not been distributed. We do a lot of things and it looks like two full weeks ago it was not provided the you can get back to was quickly the. I found out about the equifax contract with the virus in an interview this morning how good is that contract . I saw that this morning as well. The seven plan 5 million contract. You have others with the irs . We may but i am not aware king you do that with the various governments . 
With a 7 million and change with the taxpayer information you have access to . It is my and a standing might understanding of that fraudulent but if you want more information we can get the at. You are asked why giving windshield hand the keys to the menu bar. I a understand your point. What me ask about a credit breach. I have frozen my credit of four bureaus. I like a commitment from you today and to put the free app to just go there access to your credit file. I agree. We like it. For every American Consumer. Anbar working on the four months. So this whole unfortunate experience has raised larger issues and one of them because recurring company because you still work there to whom do they have an obligation . You get my information without my permission and so at is that correct . Buyback largely. Also were Premium Service to monitor the information you collect about me . So if there is Bad Information menu sold me the service to correct that . Roughly 90 is to help banks and others make informed decisions that is a very small piece. This seems in congruent you have my information you make money collecting information and selling it to businesses and then you also cannot run your business without me my a dated ensure product but then offer a Premium Service to make sure the data you collect about me is accurate . I dont pay extra in a restaurant for the waiter to spit in my food. Ion negative standard point but that monitoring part in the future is far less required and then to unlock your file. Is in just the freeze part what if you have Bad Information about me . As a bad and from agency ever had Bad Information about you and you have to correct it . You have my data but my data lifted is wrong that you have i would think youd want to make it as easy as possible. Not as hard as possible. Committed an important point for the inter at entire industry. 
Can you commit they would set up a system that if equifax has a life pyrimidine they live person what do you need for me to print this by a understand your point. Team we express concerns of 1. Three activeduty military personnel to what did thousand currently stationed overseas for backing the ability to put a freeze on their files are take measures to protect personal information. We request your immediate need detail the specific actions that theyre not victimized any further such as Social Security numbers and home address. And in response received a general response 90 been managing the Service Members so what specific actions will equifax take to ensure Service Members are not victimized any further . We apologize if we did not get back to you i will look into that quickly. Service Members Around the world have the same ability to freeze lock products cargoes that could have the other wise occupied but those to serve in remote or hot conflict areas what can you do to make sure the attendees were Financial Information is safe . They should have the power of attorney and they should act on their behalf. That is a weak answer to have their hands full of mothers bad experience and trans union as well . At what people to rally around or how to navigate the internet what about those 45 millions of americans and get the free credit freeze . I would invite the trans union. But that does not include a free credit freeze at the others. Correct. Equifax cannot do anything to provide that . That answers the question i was asking which is what is the equifax obligation to consumers in the future and how do they plan to address that financial harm . Into minimize the downstream. But what if someone is harmed . That is the extent of the offer. Sova because of your failure if damaged financially there is no Compensation Provided . That does not touch on that question. Mr. 
Smith i would like to go into a different question thousands of ceos for publicly traded companies that that theft of a the end custody in to do happen to us with the chief Information Officers called in to the front officers that they did not have the same folder abilities vulnerability how uc conveyed to command and control and feedback to you have lost sleep wondering what it was you could have done differently. What the people will get hurt the lot of people you have data if you could go back one year to locate your operation what you would do differently to demand that things be changed what would you . As you might guess since early august or why that occurred and to have no time to reflect. And to take that responsibility to reflect that time will come. As the chairman would do to provide them with assurances so with the board doing their Due Diligence to you feel that was expected of you as a board and chief executive officer of the you think youve got those opinions that they were doing their own Due Diligence . You were the victim as well and you had to protect that information i fake fat organizations assume somebody else is doing their job. I was waiting for you to say dont just wait ask for the assistance i notice early but they said if i could do this again i would fix this. I am looking for that you did make a point of those Social Security numbers we have to go to a different system but you have thought about that what would you recommend to identify and maintain data belonging to the individuals . I dont have that answer i spent time talking to people in the cyber world and what is never intended clinton convinced with that partnership. So consumers stall authorize equifax to collect their personal information . Not to collect. So you vacuum up disinformation and provided to people who say theyre interested in the credit of somebody if they apply for a car or of home . 
You have an incredible amount of power collecting their personal information and that the pins and what you say to a bank or another lender . Okay. Is it a fact if you tell a lender they are a bad risk theyre less likely to lend . We dont make that delineation we have the data. You provide this gore . There is an individual score from an individual firm. Provided on your information. So when the Consumer Protection bureau found that you were the three most complained about companies in america. Yes that is misleading. Unfortunately the chair will give me more time but this is from 2016 even before the incredible intrusions people pay many other companies billions of dollars if you make that mistake that needs to be corrected. Consumers that have the information correctly included under reports have to pay a lot of money to get that corrected . No. There is a process they can use. Now and they are making money from the information that you put. They are making billions of dollars but they just have to come to you . And so here is the peas saying the real problem is the astounding number of bears. End by have errors of their credit report. Without objection because the whole model of this industry is you collecting information without permission but yet their lives their Economic Life depends on decisions that you make. Of going back to forced arbitration against one individual Credit Rating report but in the aftermath and this incredible breach you said you provide credit protection but only if consumers gave up their right for their day of court the testimony today was a mistake you did not mean in this case. Correct bet you do in forced arbitration in many others . And consumer products. If you look out for the rights of consumers wider you give them the choice . The arbitration clauses a legal provision. Q paid lobbyist on capitol hill to fight for the rule put forward from the Consumer FinancialProtection Bureau . 
I am referring to the legislation and overturned by this CFPB rule. I am not aware. Mower un favor . He said it is part of the law somebody who has experience would you agree they should have the right of best to protect themselves in legal matters. If it does become the law. Where we stand on them to you choose to seek recourse . And stan the question today arbitration is part of the law. Even though im fairly treating consumers . You could have been forced to that. It was never the intent. But the law would have allowed you to do that. Yes. You thought in that circumstance consumers would be better protected benefit is good in that circumstance why not all the time? Back includes questioning we do have request for a second round. Fall lineup following up by your curious statement of following though law in the one case. In those terms and conditions included the arbitration clause was never intended to do apply is this about your customers because they don't know these forced arbitration clauses. But to essentially cut and paste to lead different offer. But for this error could have prevented and pushed back 145 million victims to pursue their legal rights so to send out a piece or restitution and backed off of forced arbitration is that fair that they could have been taking that away by cut and paste this and that show how unfair forced arbitration is? That is an error that you noted within 24 hours to remove that clause that was never intended. But there really wasn't a question they guess i believe that's but it doesn't that show how unfair forced arbitration is? With this cut and paste with forced arbitration doesn't that show how unfair that is? I have no opinion. You use that with other cases so it is unfair to those 145 million in that circumstance that you oppose forced arbitration . That was never the intent of that arbitration clause.
Digest cannot understand that you think that is unfair but other uses you seem to think it is fair. That a waste manage and secure data. Who would welcome a dialogue. He will at the leftward privet we will do a three minute rounds. Thank you, Mr. Chairman. I would like to associate with your comments about the digital revolution moment we are at and the speed and pace of the data aggregation and collection should push the Congress to have some real hard discussions about data ownership and transmission whereplicit contracts individuals are not credited with the bureaus and their data is still being managed and shipped. I agree we should have debate about this topic. Mr. Smith, I want to be clear about where I think we stand nearly two hours into this hearing. Your company, which has only two competitors, really only two competitors, has lost the data of 145 million Americans and this is not the spreadsheet problem, this is a real human fourem where two, three, years from now, millions of Americans will have issues with their credit in the future. They will have a rotten credit score. In response, your company could potentially make a profit from selling LifeLock products. I agree that the forward-looking innovation that may come from this could incrementally improve things, but we are most interested in the retrospective moment for these 145 million. It will have a product that could be sold to potential victims. It feels like a broken windows is this model or you didn't actively chuck the bricks come up at your company allowed the bricks to be tossed through windows and you might be able to sell new windows for some of the people whose windows were broken. I think the way you explain your LifeLock product in your some sense for what you plan to roll out in January of 2018, but it is still hard to understand it as a Fraud Protection product when you think about the victims historically rooted I want to go back to this contract with the IRS.
We checked and it appears to be a no bid even if it is a revolving contract. The purpose of the contract with the IRS looks like it is fraud prevention. You are trying to prevent fraudulent access. I don't know who would want to say which it by Fraud Protection from the people who are just hacked. American, and I appreciate the fact you have resigned from the company, but as an American, why should fraudy hired Equifax for section right now after the exposure. Your point. And the company has been around for 118 years and for most of those years, it has been good things. One of the things we have done proudly is prevent fraud for many entities including the government. It was horrific breach and I apologize. Right as best we can, but it doesn't wipe out 118 years of good work we have done. Thank you. And askollow up the IRS why the contract should go forward, but thank you for your willingness to appear before the committee today. That you that concludes the questioning. We appreciate you coming before the committee today. For all senators, all follow-up questions need to be suited next Wednesday and Mr. Smith, we ask you respond properly to the questions. We like to see responses within the week if possible. The hearing is adjourned. [indiscernible] ds and concerns itself about where the data is going? That and there is some legislation being created by individuals, so I expect her before discussion of the no I'm not going to predict any specific outcome. That is the type of incident that could generate a legislative proposal. Have you thought about worn shots bill? Warren Schatz bill? A I'm interested in having much more robust system in place allows individuals to protect their privately and persuaded if final information. I'm pulling you with a cane off the stage. Thanks.