Sen. Thune: Good morning. Now that our executive session is complete, we turn to the issue of data breaches. This is not a new issue. The committee has been focused on the consumer impact since before I was elected to the Senate. The September 2004 ChoicePoint breach, considered to be the first high-profile data breach in the modern era, prompted investigations from this committee and state authorities. ChoicePoint was a data aggregation company ultimately acquired by Equifax, which, as fate would have it, is represented here today. In terms of the inquiry into major data breaches, we have come full circle. Congress and this committee have paid close attention to data breaches big and small. The committee has entertained proposals to strengthen requirements for companies across the board and to impose federal requirements for companies to notify consumers following discovery of a breach. We are in the era of major data breaches, including the Equifax and Yahoo breaches that we are examining today. While the Yahoo breaches are larger, the Equifax breach is more severe given the nature of the data compromised. I have heard from many constituents who are concerned about the lasting effects of the Equifax breach. I have heard complaints that it is difficult to set up a credit freeze, and questions about whether credit monitoring is an effective tool to prevent identity theft. The Equifax breach exposed sensitive personal data of 145.5 million U.S. consumers, including names, Social Security numbers, birthdates, addresses and driver's license numbers. Equifax will have an opportunity to provide an update regarding the breach as well as its much-criticized efforts to mitigate harm and prevent anything like this from happening again. The Yahoo breach compromised over 3 billion user accounts and followed a prior breach in which hackers stole information from 500 million users. The data included names, dates of birth, partial passwords, unencrypted security questions and answers, and employment information.
That figure constitutes the entirety of Yahoo Mail and other Yahoo-owned accounts at the time of the breach. Yahoo's representatives will have an opportunity to provide an update regarding the breaches as well as efforts to mitigate harm and ensure the security of consumer data going forward. These data breaches illustrate dramatically that our nation continues to face constantly evolving cyber threats to our personal data. Companies that collect and store personal data on American citizens must step up to provide adequate cybersecurity, and there should be consequences if they fail to do so. The committee has made cybersecurity a priority, and I am hopeful today's hearing will help the committee. When there is a risk of real harm stemming from a breach, we must make sure that consumers have the information to protect themselves. That is why I support a uniform federal breach notification standard to replace the patchwork of laws in 48 states, the District of Columbia and three territories. A single federal standard would ensure all consumers are treated the same with regard to notification of data breaches that might cause them harm. Such a standard would provide consistency and certainty regarding timely notification practices that benefit consumers and businesses. To ensure that businesses secure information appropriately, I have advocated for uniform, reasonable security requirements to protect consumer data, based on the size and scope of the company and the sensitivity of the information. However, in this regard, the facts of the Equifax breach are troubling. As a credit bureau, Equifax was subject to the Safeguards Rule under the act, which is considered to be a stringent regulation. The Equifax breach occurred anyway, and its implications appear dire. Enhancing security and protecting the personal data of consumers will be a priority for this committee. I want to thank our witnesses for appearing here today, and I look forward to hearing your testimony.
I will turn to Senator Nelson for his opening remarks.

Sen. Nelson: Thank you, Mr. Chairman. This is the latest edition in a long history of hearings that we have held on this committee to discuss data security and breaches. Several senators on this committee have asked for this hearing, Senator Baldwin in particular, and Senator Cortez; thank you for bringing this to the forefront. If you start with the massive ChoicePoint breach in 2005, and then continue with Target, Neiman Marcus, Snapchat, Sony, Citigroup, CVS, South Shore Hospital, Heartland Payment Systems, and many others, the parade of high-profile data breaches seems to have no end, and billions of consumers have had their personally identifiable information compromised, including Social Security numbers, driver's licenses, addresses, dates of birth. For years going forward, criminals can use this data to steal the identity of innocent consumers, create fake accounts in their names and commit other types of fraud. And I might point out that right now, we estimate $5 billion a year is being stolen from the U.S. Treasury just on fake federal income tax returns on which they get a refund. And on top of that, we also recently found out the 2013 Yahoo breach compromised the personal data of, it is hard to believe, 3 billion users. That is the biggest data breach in history. Yet today here we are once again dealing with the aftermath of the Equifax breach involving the personal identification information of nearly 145 million Americans. This most recent breach raises an even more troubling question. If agencies that offer identity theft protection and credit monitoring services cannot even safeguard their own data from hackers, then how can consumers trust any company to protect their information? And let me say also, when you get up against the sophistication of state actors such as Russia and China, it is going to be hard to protect against them.
Sadly, the question that millions of Americans are now asking, as they struggle to figure out how to protect themselves in the wake of these massive breaches, is: what in the world do we do? Mr. Chairman, this committee is going to again consider what it can do to make sure that consumers are protected, but if we are going to do anything meaningful, we must have the political will to hold these companies accountable. Over the years the Federal Trade Commission has brought numerous enforcement actions against companies for lax data security practices. But industry has recently challenged the FTC's well-established legal authority to bring such actions. This piecemeal, after-the-fact approach would be better served if the FTC were able to prescribe rules that require companies to adopt reasonable security practices in the first place. Such rules have already been put forward for agencies like Equifax. The agency should have similar authority for the rest of the commercial sector. And so, Mr. Chairman, I think in the end, it is only stiffer enforcement and stringent penalties that are going to help incentivize companies to properly safeguard their consumer information, and to notify their consumers when they have been compromised. I strongly believe that without rigorous data security rules in place, it is not a question of whether we will have another breach, but when. I hope this hearing can inform our future actions. It needs to be addressed. Congress needs to be heard from.

Sen. Thune: I am glad to have our panel with us this morning. On my left and your right is Mr. Barros from Equifax, and Richard Smith, the former CEO of Equifax. Ms. Marissa Mayer, former CEO of Yahoo Incorporated. Karen Zacharia of Verizon, parent company of Yahoo since 2017. Mr. Wilkinson, president and CEO of Entrust Datacard. I will start with you, Mr. Barros, and ask you to confine your oral remarks as close to five minutes as possible. Anything extra can be on the record.
Mr. Barros: Good morning, Chairman Thune, Ranking Member Nelson, members of the committee. Thank you for letting me be here today. Six weeks ago I was named interim chief executive officer of Equifax. I never expected to become CEO under these circumstances, but I am honored to be in this position. Speaking for everyone at Equifax, I am determined to address all the issues from the breach so we can regain the confidence of the American people. Equifax is based in Atlanta; as you can tell from my accent, I did not grow up in Georgia. I am a native of Brazil. I have had the privilege of working most of my adult life in the U.S. My children were born here. I'm an engineer by training, and I have spent a lifetime confronting and fixing complex business problems. This is the mindset I bring to my new position. My first act as CEO was to look at our consumer response, our call centers and the website. We are working hard to fix the problem. I apologized to the American people, and I do so again here today. To you and to each of the American people: Equifax will be focused every day on assessing security and providing better support for consumers. We will be a leader in an industry giving consumers more control over their personal private data. In answer to your questions, I would like to review briefly the actions we have taken in the past six weeks. First, my highest priority has been to improve service for consumers. I have visited call centers, have spoken with call center representatives, and have personally taken calls from consumers and helped to resolve their issues. We have expanded communication. We have improved the website, have staffed the call centers and made it more consumer friendly. The result is a substantial reduction in backlogs and delays. Second, we have revised our corporate structure. The chief security officer now reports directly to me. We have also appointed an officer to oversee the response to this incident. Third, we are rapidly improving our security infrastructure.
We're changing our networks and our vetting procedures, introducing new tools, and strengthening our accountability mechanisms. Fourth, we have committed to working with the entire industry to develop solutions to the growing cybersecurity and data protection challenges we all face. We promise to launch a new, easy-to-use app in January that will give consumers access to their data free for life. We are confident consumers will find it extremely valuable. We have done a lot in a short period of time, but this is just the beginning. I remind my team every day that there are no shortcuts. It is a long-term commitment to consumers. Equifax is made up of 10,000 talented and dedicated people. Our business is not well understood, but it is essential for the economy and for helping consumers obtain the credit they need. Our top job must be to protect the data entrusted to us. We did not meet the public's expectations, and now it is up to us to prove we can regain the trust. We are committed to working with consumers, customers, Congress, and regulators to restore public trust. This has been my focus during my first six weeks as CEO. It will continue to be my focus every day at my new job. Thank you for your attention, and I welcome your questions.

Sen. Thune: Mr. Smith.

Mr. Smith: Thank you. Thank you for the opportunity to testify before you today. I submitted my written testimony to the committee and to other committees in the Senate and House, before which I testified over the last three or four weeks. The written testimony is a record of the events of the breach at Equifax as they occurred. I am here today to answer any questions you may have. Thank you.

Sen. Thune: Thank you. Ms. Mayer.

Ms. Mayer: Thank you for the opportunity to appear before you today. I had the honor and privilege of serving as Yahoo's chief executive officer from July 2012 through the sale of the business in June of this year.
As you know, Yahoo was a victim of criminal state-sponsored attacks on its systems, resulting in the theft of certain user information. We worked hard over the years to earn our users' trust. I want to sincerely apologize to each and every one of our users. When we learned of this in late 2014, Yahoo promptly reported it to law enforcement and notified the users at that time who had been directly impacted. Yahoo worked closely with law enforcement, including the FBI, and we were able to identify and expose the hackers responsible. We now know that Russian intelligence officers and state-sponsored hackers were responsible for highly complex and sophisticated attacks on Yahoo's systems. The Department of Justice and FBI brought a 27-count indictment charging criminals with these attacks. The DOJ and FBI praised Yahoo for our cooperation and early, proactive engagement with law enforcement. In 2016, Yahoo determined that user data was most likely stolen from the company in August of 2013. Although Yahoo and its outside forensic experts were not able to identify the intrusion, the company disclosed the incident, notified the users believed to have been affected, and took steps to secure all user accounts. I want to stress how seriously I take the threat of cyberattacks. After growing up in Wisconsin, I remember buying my first computer in college, developing a passion for computer science and writing code, and seeing the potential to change the world. After college I was hired by a small startup named Google as their 20th employee and first female engineer. I worked my way up from software engineer to part of the executive operating committee. In July 2012 I became CEO of Yahoo. I will always be grateful for and humbled by the opportunity to have led Yahoo and its employees for the last five years. My friends from Yahoo and Google have shown me the potential of the internet to change our world for the better. However, they have also reinforced the dangers of cybercrime.
I will describe our efforts to confront the challenges of cybersecurity, including the security measures and defenses Yahoo has in place, in hopes of further advancing protection and security. We protected our systems and users. We devoted substantial resources to security with a shared goal of staying ahead of the evolving threat. After I joined Yahoo, we roughly doubled our internal security staff and made significant investments. In addition to improving our talent, we improved our security processes and system defenses. Yahoo had in place multiple layers of sophisticated protection. We were extremely committed to security. I want to thank all of our team members for their tireless efforts in addressing Yahoo's security needs. Russian agents intruded on our systems. The threat from state-sponsored attacks has changed the playing field so dramatically that today, I believe all companies are vulnerable to these crimes. Cybersecurity is a global challenge. No company, individual or government agency is immune from these threats. The attacks on Yahoo demonstrate that strong collaboration between the public and private sectors is essential in the fight against cybercrime. Aggressive pursuit of cybercriminals, as the DOJ and FBI exhibited in the Yahoo case, could be a meaningful deterrent in preventing future crimes like these. In the words of the investigator, a nation-state attack is not a fair fight and not one you will win alone. We can work together to level the cyber playing field.

Sen. Thune: Ms. Zacharia.

Ms. Zacharia: Thank you for the opportunity to testify here today. My name is Karen Zacharia, and I am Verizon's chief security officer. Verizon has a longstanding commitment to protecting and safeguarding consumer data and building trust online. In an increasingly connected world, Verizon recognizes that strong security and consumer trust are prerequisites to compete in the 21st century's digital economy. The nature of our business requires that Verizon make cybersecurity a top priority.
In 2016 Verizon announced it had entered into an agreement to acquire Yahoo's operating business. That closed in 2017. Yahoo is now part of a new company from Verizon called Oath, which includes Yahoo News, Yahoo Sports, Tumblr and AOL. In September and December of 2016, Yahoo announced its user data had been stolen in two separate incidents, in 2013 and 2014. This happened well before the acquisition of Yahoo. At the time of the December 2016 announcement, Yahoo disclosed that one billion of the 3 billion accounts existing in 2013 had likely been impacted. After Verizon acquired Yahoo, we obtained new information from a third party and reviewed it with the same forensic experts Yahoo had used previously. We concluded that all accounts, not just a subset, were impacted by the 2013 security incident. Yahoo provided further notices to the impacted users beginning October 3, 2017, within a week of when we determined which user accounts were impacted. The review confirmed the stolen information did not include Social Security numbers or passwords in clear text, and did not include sensitive financial information like payment card data or bank account information. Although Verizon did not own Yahoo's operating business at the time of the 2013 data theft, we understand Yahoo took action around the time of its announcement to protect its users' accounts. Yahoo required password changes for user accounts whose passwords had not been changed since 2014. Yahoo invalidated unencrypted security questions and answers so they could not be used to access an account. Yahoo took these actions on user accounts beyond those of the security incident. They took steps in 2016 to protect all users, including the additional accounts individually notified in October of 2017. We leverage intelligence and technology advances to make improvements to our systems, and apply more advanced protection to our user accounts. We are combining two strong existing security teams.
We are examining the practices of each team and applying the best across Oath. We are creating an advisory board with experts. Security has always been in Verizon's DNA, and we will make improvements to meet the security challenges of the future. At Verizon and Oath, we are laser focused on the needs of our customers. We know that they expect their information will be secure. We go to great lengths to implement security, committing substantial resources to defend our assets, networks and customers, including those acquired with the closing of the Yahoo transaction. With the benefit of Verizon's resources and accountability, Verizon and Oath will continue to strive to stay ahead of an ever-evolving threat landscape. I look forward to answering your questions.

Sen. Thune: Mr. Wilkinson.

Mr. Wilkinson: Chairman Thune, members of the committee, thank you for allowing me to discuss the urgent actions needed to protect personal information. For almost 50 years, Entrust Datacard has secured digital identities that are used around the world in banking, government and private applications. Identity is the way Americans build their financial lives. It is the primary reason this information was targeted, and it is why we see more sophisticated attacks. The challenge of protecting data is an evolving and sophisticated task that starts with a secure identity. It is more critical as we drive toward connectivity linking virtually every aspect of our lives. According to the 2017 Verizon data breach report, 43% of all data breaches can be traced to a phishing tactic. Once compromised, the primary target is consumer identities. The information stolen in the most recent breach contained a significant amount of personally identifiable information. The focus of this hearing is to examine the events and the steps that could have been taken, and to determine if there are options to further safeguard consumer identities in the future.
Regarding the steps we have taken to better ensure safety: organizations are challenged by increasingly complex systems and a rise in attacks from nation-states. No system is free from vulnerabilities, and all have the potential to be breached. There are documented best practices and tools available to mitigate common attacks. The vast majority of breaches are the result of security mistakes and poor cyber hygiene. PII is the basis of our identities for secure transactions and could potentially be used to defraud consumers. It is essential to find a balance in providing an answer to the underlying security of consumer identities. It is critical to recover quickly and ensure consumer data is no longer at risk. Today, the federal government provides a nine-digit number issued on a paper card, our Social Security card. This static number is issued at birth and is difficult to change without significant inconvenience. While we have made substantial steps in technology, consumers are still vulnerable to compromise. Our recommendation is that the time is upon us to create a new identity. It would be a modern, secure identity created with the collaboration of government and industry. There are several examples of delivering stronger identity frameworks as a foundation for commerce. An identity framework would allow citizens to use a more secure method to transact and reduce the potential for breach or compromise. This new framework would minimize risk and, in case of breach, allow the consumer to more easily recover their identity with minimal impact. Our identity system is broken, not secure. It is time to leverage technologies to provide Americans with new ways to protect their identities. The best path forward rests upon a public-private ecosystem and constant self-assessment of vulnerabilities. Whether it is through incentive or directive, we need to proceed now. We need to address the information compromised while working toward longer-term solutions for a greater, more resilient identity for American consumers.
Thank you for your time today.

Sen. Thune: Thank you, Mr. Wilkinson. I will start with the questions. Ms. Mayer, you described the significant investments Yahoo made under your leadership with regard to security. Nevertheless, the company failed to detect the 2013 breach, the largest in the history of the internet, for more than three years. Even after the 2013 breach became apparent, Yahoo significantly underestimated the number of accounts implicated, by billions. I will give you an opportunity to answer the obvious question. That is, with such a strong security team in place, how did Yahoo fail to recognize that all 3 billion of its user accounts had been compromised, and why did it take more than three years to discover and disclose the breach?

Ms. Mayer: At Yahoo we deeply valued our users' security and invested heavily in that security. As is frequently the case in these types of cyberattacks, they are complex, they are persistent, and in many cases the understanding of the facts evolves over time. To this day, as I understand it, we have not been able to identify the intrusion that led to the theft. We verified the data came from Yahoo, but we do not understand how the act was perpetrated. That led to some of the areas where we had doubts about the information.

Sen. Thune: Why the delay in disclosing it? It took from 2013, three years. And how is it possible to underestimate, by billions, literally, the number of consumers impacted by it?

Ms. Mayer: Yahoo did not know of the intrusion in 2013. We knew in November of 2016. We identified that the data was taken from Yahoo, likely from August of 2016, notified law enforcement and users, and took effective actions on accounts. We estimated it affected more than one billion users. There have been recent announcements from Verizon that I am not privy to, as I am no longer with the company.
Sen. Thune: The 500 million originally disclosed jumped up to 3 billion; there is no real explanation, to your knowledge, for how you miscalculated the number of people?

Ms. Mayer: The 500 million related to the fall 2014 breach by the Russian hackers for whom the indictments were issued by the DOJ and FBI.

Sen. Thune: In prior testimony you said the failure to patch a known vulnerability in your system boiled down to a single employee's failure to act, compounded by an IT scan that should have detected the failure but did not. And then the vulnerability was allowed to persist for several months without corrective action being taken. For a company that holds the most sensitive information on American consumers, I hope you can understand why this revelation is so hard to understand. Can you explain why there were not more tripwires and redundancies to prevent things like this from happening? You testified these weaknesses have now been addressed. Perhaps you could elaborate on how.

Mr. Smith: Yes, you're right. I referred to the fact that we were notified on March 8 of this year. I communicated, per protocol, on the ninth, the vulnerability in the source software. The email did go out per our protocol. On the 15th of March, we did a scan, and the scan did not find the vulnerability. A human error, as well as a technology error, both led to the ability for criminals to access what we call a web portal dispute environment.

Sen. Thune: Why wouldn't you have had more redundancies built into your system? Why did it basically come down to one employee? It seems really hard to fathom for a company that specializes in what you do.

Mr. Smith: The redundancy was a scanner, and it did not work as well as it could. It was a standard process of identifying a patch, and going back a week later with a technology scanner.

Sen. Thune: You said you fixed that? Can you elaborate on that? Can you elaborate on further steps Equifax has taken since the breach?

Mr. Smith: I will start and Mr. Barros can continue.
We installed a new scanning technology, a new generation scanner. It seems to be a better scanner than the prior scanner.

Mr. Barros: As you can imagine, it is my top priority, strengthening the security systems in our company. We have done a comprehensive, top-down review of the process. We are strengthening all aspects of our operations, including our patching capabilities, enhancing and securing our tools, to make sure we have an effective detection system in place. We have put stronger policies in place to make sure we have more redundancies and closed loops.

Sen. Thune: Have you disposed of the data you no longer need? Has Equifax disposed of it?

Mr. Barros: It is part of the process we're going through right now.

Sen. Thune: How about encrypting it?

Mr. Barros: Whatever is necessary to do it, including encryption and all new technologies available, to make sure we protect the data.

Sen. Thune: Senator Nelson.

Sen. Nelson: We have had these hearings before. If we do not do something, we will be having a lot of these hearings again. At this point, I am wondering whether there is any such thing as data security. When you think of a sophisticated state actor, such as China or Russia, your companies cannot stand up against them. The only institution that can stand up against them is the National Security Agency. And what we are going to see in the future is not only personally identifiable information, but the state secrets of our country, our critical infrastructure, as represented by companies such as yours. There is going to have to be cooperation with a sophisticated player in the United States, which is the NSA. Otherwise we Americans will not have any more privacy. If we do not do something, and if you all do not do something to change this, we are going to be right back here at additional hearings on this same topic. Ms. Mayer, what do you think? You had a sophisticated state actor coming after you. Do you really think you could have protected yourself?
Ms. Mayer: Robust defenses and processes are not sufficient to protect against a state-sponsored attack, especially one that is sophisticated and persistent. We at Yahoo cooperated with law enforcement and brought these breaches and intrusions to the attention of law enforcement each time they were detected. And the DOJ and FBI were of great assistance to the company in identifying the perpetrators and bringing them to justice.

Sen. Nelson: But that is an admission you are not protected against a state actor.

We have to make sure we're changing our security systems to keep up.

Sen. Nelson: That's a good intention. It's going to take more. It's going to take an attitude change among companies such as yours, that we've got to go to extreme limits to protect our privacy. You all hold a lot of financial guillotine over a lot of your customers by what their credit rating is. If the data is not protected, the poor little fella goes to buy a house, and he's got it ready and he's got the down payment, and then he can't get a loan because now he's got some black mark on his credit rating that is not real, that has been placed there because of a data breach. The poor fella can't close on his house. Consequences. What are you going to do about it?

Mr. Barros: There's no doubt that securing data is the core value of our company. We apologize deeply to the American public for the breach that we had. We let the public down. I'll tell you this, I do agree with the other panelists here and with your point earlier: a combination of cooperation between public and private to address this issue is needed.

Mr. Smith: In my 12 years running the company, we tracked the increase of cyberattacks. I talked about it. It is not unusual in any one given year to see suspicious activity and unwanted attempted attacks in the millions per year.

Sen. Nelson: Mr. Smith, didn't you describe Equifax as the victim when the company failed to secure the vulnerability that led to the breach? Is Equifax really the victim?

Mr. Smith: I described us as a victim of a criminal attack.

Sen. Nelson: Mr. Wilkinson, do you consider Equifax to be a victim?

Mr. Wilkinson: Senator, I think a victim.
There have been many victims in the case of these breaches. The criminal impact from hackers on those enterprises causes them to be a victim, in my opinion.

Sen. Nelson: Well, do you believe that they had adequate security measures in place?

Mr. Wilkinson: Based on my understanding of the breach that occurred at Equifax, we're talking about the fact of patching security vulnerabilities in a timely way. We've heard some discussion of the increase in security stance they've had since the breach. These are the types of things I would suggest to you are basically understood best practices. I understand your question.

Sen. Nelson: Do you consider them to have had appropriate security protocols?

Mr. Wilkinson: Having not patched, I would not be suggesting that that was adequate security protocol. No.

Sen. Nelson: So the answer is Equifax is not the victim. The customers of Equifax? Is that correct?

Mr. Wilkinson: I believe both are victims, in my opinion.

Sen. Nelson: Thank you.

Thank you, Senator Nelson.

In your written testimony, one of your points was a public-private partnership on Social Security numbers. Would that also apply to rethinking the use of passwords and user IDs? I will ask Mr. Wilkinson to address this question also. Mr. Wilkinson, you talked about dynamic identities as a way to replace the Social Security number in the modern age. You pointed to Brazil as an example where the government is issuing identity technology and issues some sort of identity that lasts for three years. I'll go to Mr. Wilkinson first and then Mr. Smith. Is that system working better for the consumer in Brazil, or is it just a helpful aspect that doesn't get the job done against this onslaught which Senator Nelson described in his question?

Mr. Wilkinson: There are two questions. To your first question, on the use of passwords and identifiers as well as Social Security numbers: with static information like a password or a Social Security number, you have a weak framework, which is why we talk about the need for additional security. Some of those tools need to be deployed as we talk about where we use Social Security numbers as the primary form of identification. In my testimony, I had additional examples of what we see other countries doing.
I suggest to you these are best practices. I suggest it will be important for the committee to look at. These countries moved to digital systems because they didn't have anything in place. What our recommendation is, is to move from a system that has worked in the United States but is not secure. The example that you cite from Brazil is a digital form of identity that is issued by the federal government for the purpose of providing a citizen with a digital identity that they can use for certain transactions, with a limited life. In that way the identity framework is more secure and provides the ability to be more resilient than what we see today.

In your view, the consumer is better protected under this Brazilian system?

Mr. Wilkinson: They can be, yes.

Mr. Smith, what are you saying?

Mr. Smith: I agree. Using a 1936 concept like the SSN has run its course. I think some combination of digital is the right path.

Ms. Zacharia, you suggest legislation. We only have a minute, 23 left. What would this legislation look like?

Ms. Zacharia: Two key things that should be in data breach legislation are, number one, that it be a national framework so there is one standard to comply with as we're responding to a data breach. Number two, it's really important that it gets the standard right for when we notify customers. It's important to notify customers about information that they really need, but to make sure we're not notifying them so often about so many things that they stop paying attention.

Does anyone want to take issue with Senator Nelson's conclusion that, really, against a state actor like we've seen, a mere company is just unable to defend itself without going to the NSA? Anybody want to disagree with that? No takers. Thank you, Mr. Chairman.

Sen. Thune: Senator Blumenthal.

Sen. Blumenthal: Thank you, Mr. Chairman. Thank you for having this hearing. Thank you to the witnesses for being here today. I think almost every American consumer at this point is aware of the unacceptable risks that are entailed in many of our practices, the risk to their privacy and information that they expect and reasonably anticipate will be safeguarded by the companies with whom they do business, where they are customers.
The Equifax breach in particular shows the limits of the Federal Trade Commission's ability to protect customers and impose penalties on companies that treat data with negligence and recklessness. Many of these examples of security failures can be met only with promises to do better next time. The real deterrence will come when penalties are imposed on executives like the ones here today. If our data cannot be trusted, then the government needs the tools to go after hackers and thieves and hold them accountable. The common sense legislation I have introduced, the Data Breach Accountability and Enforcement Act of 2017, would ensure that the FTC can act on any data breach by any company or organization that holds sensitive consumer data, including nonprofits, and would impose penalties that are actually sufficiently strong to motivate companies to implement security at the onset, because after a breach there is no real cure. When you were here last, I think the last time you were on the Senate side, you came for the Judiciary Committee, Mr. Smith. I asked whether you could commit that none of your consumers would ever be required to go through arbitration. You said, understandably, that you were no longer with the company and you could not guarantee it. So let me ask Mr. Barros. Can you guarantee that no consumer will be required to go through arbitration if they decide to use one of your services? Senator, I understand that the first product, when it came out, had that clause, and it has been removed. This tool is used by the industry, especially the consumer industry. It is a tool used within the limits of the law. We will continue to evolve in this process and examine the use of this arbitration process. I apologize for interrupting, but my time is limited, as you understand. These are yes or no answers, I think. Can you guarantee that you will not? I understand all of the on-the-one-hand and on-the-other-hand comments that can be made. Consumers expect that they will have a right to go to court and have their rights vindicated there. Can you guarantee that you will not force them to use arbitration? I believe the customers have a choice to choose the product. If they choose your product, they will not be forced into arbitration? Are you guaranteeing that?
According to the law and the tools used in the industry, they will have arbitration in place. Do you know the difference between a credit freeze and a credit lock? Yes and no. Can you guarantee that the credit lock, if consumers use it, is subject to the consumer protection laws of the state where the consumer lives? I understand that we use freeze and lock; at the end of the day, it provides the same result. The freeze requires a different, regulated process where you will be paying for the freeze. Credit freezes are regulated by the states. You are resorting to the credit lock to avoid state scrutiny? No. We did it because it is simple to use, easy to access, easy to understand for the consumer. My time has expired. Thank you, Mr. Chairman. We will have a second round. Senator Schatz. Do you think consumers should be able to see the information a bank uses when the bank makes a credit decision? We as an industry have not done a good job, as represented by the consumer. The information is provided by the consumer in acquiring a new credit card. This information usually comes from the financial institution. That is how it works. I understand that when the bank evaluates my creditworthiness, they get a bunch of data. I do not get to see what they are looking at. I think I should be able to see what they are looking at when they evaluate my creditworthiness. This is also probably a yes or no answer. You have access to your credit report. You have access to your score. This is the information that is used to make a decision. It is the same information? The credit report is the same, as I testified; it is the same as they have, the same information used to make the decision. They are allowed to see that information. You are telling me that the information that a so-called customer has is all that a bank is provided by Equifax? I do not know. Mr. Smith, you sounded like you wanted to correct him. No, I may add something to it. If a consumer is going to a bank to apply for a loan of some sort, typically the underwriter at the bank will pull a credit file. The consumer has a right to get that free every year. They have access to the score. The score you are referring to, banks do not just use a standard FICO score; they have their own score for customers?
Are the people whose data was breached your customers, or are the lenders your customers? We have customers and consumers. The customers [indiscernible]. It seems that there is a line on that side. Not to excuse what happened with Yahoo, but it is different. The incentives are different for the credit reporting agencies, who had zero financial incentive to get it right. You guys get informed by the Department of Homeland Security that there is a vulnerability. You get provided the patch. You do not download the patch. It does not work. Executives cash out their stock. Then people start getting charged to lock their credit or freeze their credit. You then start to promote through LifeLock. You have commercials with LifeLock saying there has been a breach, you might want to use this product. LifeLock subcontracts to Equifax. On the Verizon side, for Yahoo and other companies, if you screw up with your customers there is a customer relationship that is frayed. For the credit reporting agencies, there is no vision on the side of the person in commerce. There is no incentive on your side to do anything other than to charge us to solve the problem that you caused. There is no incentive on your side to spend the money that it takes to transform the company to actually treat us like customers. Your customers are lenders; your customers are not the people who got harmed through the breach. Mr. Barros, do you want to respond to that? The biggest incentive that we have is stewardship, the obligation we have to keep their data accurate and safe. That is not a fiduciary duty. You have an earnings call tomorrow. You are going to report, presumably, that everything is fine and things are starting to pick up. You made more profit than usual in the wake of this problem. I would be remiss if I did not mention that people back home, and I do not mean back home where I live, back home where all of us live, cannot understand how the CEOs of Yahoo and Equifax walked away with 90 million and possibly a quarter billion dollars in stock. It is unfathomable to the average person. I understand, Mr. Smith, you and I had an exchange about this; it is in the proxy, it is set by the board, it is out of your control.
It is not under my control. Ultimately, what I am saying is, regular people do not understand that. They should not have to understand how you harmed customers and walked away with the amount of money that a small city or county uses for its annual operating budget. It is not fair, and it is why this dais has an obligation to make a law, and to drag you back and forth and wave our fingers at you. Thank you. Thank you, Senator Schatz. Senator Moran. Thank you, Ranking Member. Let me start by asking this question. The premise: first Mr. Smith and Mr. Barros, then Ms. Mayer. Every business makes a calculation, a decision about how to invest, and how it invests in data security. The question is, before the breach occurred, initially at Equifax and then at both companies, before they occurred, what did you expect? What did you say to your committee, to your board of directors? What is the probability of a breach at our company? And then the follow-up question to that: what is the probability today? You calculated what the probabilities were and made investment decisions about how to invest in security. Is the probability any different today for an additional breach at either of your companies than it was prior to the original breaches? Mr. Smith. We do not calculate the actual percentage probability. We have a very comprehensive framework called enterprise risk management, ERM. For ten years, we have ranked data security as the highest-risk, highest-probability risk we have as a company. If we had a security event, it would be detrimental to the company. We do not calculate it. Does that statement mean you expect a breach, a probability of a breach? Is that calculation any different today, Mr. Barros, based on the changes that you have made at the company? Is it still the same probability of a breach occurring today as it was prior to the earlier breaches? Today, I believe that we have abandoned that in our company, essentially. We have to make significant investment to do so. How much more money are you spending today to prevent a breach from happening than you were spending as a company? It is a natural response. We are spending significantly more money in that process.
What percentage increase has your company seen as a lesson learned from the breaches that occurred in the past? We are expecting to have a specific spike in the cost. Today we spend 50 percent more, going up to four times more. As a result of spending four times more, would you say it is less likely today that your company will be breached? What is your understanding of what the reduction will be? What is the reduction in probability? I do not have a specific number. We have a series of actions taking place today. I would say today that we believe it is better today than it was before. Would it be better if you spent four times more, or simply six times more? We have been advised on what we have to make sure we have installed in the technology. Would Yahoo answer this question? We have at Yahoo one of the largest databases in the world, with the users that it contains. We described this as an arms race. Hackers are becoming more sophisticated. Had you predicted a breach before it occurred? Would you expect a breach? I am assuming that is no. We did not calculate percentages and predict a breach. We took significant efforts in investment to increase our security, which included increasing the size of the team by a factor of two. We did things like empowering users to move from passwords to Yahoo Account Key, increasing our encryption, a bug bounty, and teams to attack us and tell us where the vulnerabilities were. We took extensive actions. Let me turn to Ms. Zaccariah. Is the probability of a breach less today? Again, we do not calculate the probability of a breach. What we do do is... Let me ask the question differently. Are customers more secure today than they were prior to the breach? Can a customer expect that there is less of a chance than before the earlier breach? Verizon has taken security very seriously. We are bringing that same focus and intensity that we have brought to protecting our customers and our network to any acquisition, including Yahoo. What seems to be missing to me is the assurance that, as a customer, I should have a sense that I am safer today than I was before. I do not have that assurance from any of the responses to my question, if that is the case.
That is why we ought to be concerned today about a breach. We are taking all these steps. Let me say, do you believe companies in a similar business, companies that hold lots of data that affects customers, are they as vulnerable to breaches as your companies have been? It is not limited to Yahoo; it is not limited to Equifax. Every other company that is in the data business is just as vulnerable as you have been and are today. I listed our efforts in my written testimony. In addition to the steps taken in response, such as causing users to reset passwords, we reduced the attack surface area of our systems. We did respond and change. Therefore, today, as a customer of Yahoo, how much better should I feel that my data is safe? It is difficult to quantify. There is no question that users are better protected today because the breaches were detected and remediated. Are you spending all the money that is necessary to increase protection? Could they be safer if you did more? Are you doing everything you can do? I am no longer with the company. That is the case. As the Verizon security team will tell you, their job is to defend against any and all attacks. That is exactly what we are trying to do. The company provides them with the resources to accomplish that goal? Absolutely. Mr. Barros, a question for you. Do you disagree that the Federal Trade Commission has jurisdiction over your data breaches and has the ability to regulate and to penalize for breaches? Do you agree that the FTC is your regulator and has legal authority? Did you say unfortunately? They make sure the regulatory perspective is in place. Thank you. Certainly, because of the Yahoo incident, on the telecom side. I understand. Thank you very much. Senator Baldwin. I will start with a question for Mr. Barros and Mr. Smith. Can you identify if you have any information today about who hacked Equifax and possesses the personal identifying information? Can you identify to me if any of you have that information today? We have no evidence. We engaged the FBI on August 2nd. They have been working with the FBI since August 2nd.
In our experience, when these breaches occur, everyone owns this data, because it is out in public. Thank you. We all know that the Equifax breach compromised the personal and financial information of 145 million Americans. We really cannot even begin to comprehend the ramifications this failure will have for the families and individuals that are impacted. It is clear that Equifax needs to do a lot more than it has to help victims respond to this breach. Mr. Barros, will you make a commitment right here and now that you will proactively notify every person who was impacted in this breach? Senator, we have been notifying. We have improved our web page to make sure social media is active in that moment. We have been working with those who have reached out to us. We have a team working every day. I know you have acted in the areas where state law demands that you do so. Where it does not, are you going to reach out to each and every individual that you believe was impacted by this breach? We will execute according to the requirements under the law. If there is an absence of law in the state, you will not do anything? We are actively engaging customers to make sure they use the product that we have today. Equifax set up a poorly designed process where people would have to go to the Equifax website to find out if they were impacted. How many people have gone through this process? Mr. Smith mentioned 400 million hits. Do you know how many individuals? 30 million individuals out of 145 million. You mentioned call centers in your testimony. Equifax's call centers are located in Florida, Nevada and Las Vegas, in north Florida and in Las Vegas. Are there any outside the United States? Centers in Costa Rica. That is correct. What other parts of the world? Malaysia, India. It depends on how the demand goes; with the surge, we use that flexibility. You are now offering free credit report locking for life, and offering credit monitoring through January 31, 2018? Is that a commitment to offer free credit report monitoring for life? If you enroll before January, you have another 12 months to use the product.
In the new product that we put out, customers can lock and unlock their credit file. Monitoring? We do not keep that open. Victims of this breach need to be able to control access to the reports from all three credit agencies to protect themselves. The other agencies charge $10 for each and every freeze. Will you be offering rebates to victims to cover their freezing costs with the other agencies? The resolution has to be one that affects the customer. It has to be sustainable, scalable and industry driven, with government to make sure we reach out. The first step forward is to offer a service where customers can check and lock and unlock their credit data for free and for life. We want to work with the industry to make sure that we have similar capacities. Mr. Barros, your company completed an internal review of the stock trades by senior Equifax executives after the exposure. The special committee report found that none of the four engaged in insider trading. It failed to mention that the chief legal officer approved some of the stock sales the same day that he called the FBI to alert it. It took Mr. Kelley two more [indiscernible] to inform the executives that they were no longer allowed to sell stock. That is totally inappropriate. The report does not mention Mr. Kelley, and he still works for Equifax. I would like to ask Mr. Barros and Mr. Smith, do you believe Mr. Kelley's failure to act was appropriate? It is not my perspective to provide who was appropriate or not. The board has actively defined the need for executives to go out in a direct form. The special committee continues to review the actions and process as it relates to cybersecurity. There is a full investigation and a public report. It is not unusual for us to include outside counsel and outside experts. As I mentioned earlier, one of the databases had three to four million suspicious activities, attempts on our database from around the world. We did not engage the FBI. Thank you. Let me say thank you, Chair and Ranking Member, for holding this hearing. Let me start with Equifax. I am from Nevada. There are about three million people there. I have received four dozen letters from people who have written.
A woman in Caroline wrote that citizens have no say in the practices of businesses or bureaus, and that Equifax did not do enough to protect information. A couple of questions to start with, on the data that is collected. Part of this is the data collection, and we should be looking at that. In the breach of the 145 million customers, the data collected was names, Social Security numbers, addresses, birth dates, driver's license numbers and credit card information. Is that true? In some cases yes and in some no. What other data do you collect on this? We have a piece that was affected. Most of the data included Social Security numbers, names and dates of birth. I will submit that for the record. That would be very helpful. I think that is helpful in this discussion. To me, the data breach at Equifax is egregious. It happens all the time. We have heard it, I think, from what we heard from Ms. Mayer, that cybersecurity is a global challenge. You have to have top-line, sophisticated security. When you fail to do that, you should be held accountable and customers should be notified. On the discussion of the data: those individuals that you work with now and those customers that had credit locks and credit freezes, was their data breached? It could be. That is what they will go after, the Social Security numbers. Should customers not be the ones to opt in and opt out when it comes to the data that I am sharing with you? That is the way the economy works. The customer does not have a say in the data that you are collecting. I know it. The credit reports do not tell the data that you are checking. That is true. I was an attorney for eight years. Every day I dealt with somebody whose identity was stolen. For the rest of their lives, they are going to have to clear their records. That means that somebody will get a boat and a house in their name. People will commit crimes in their name. They will spend the rest of their lives dealing with it. This is so egregious. You have an obligation not only to look at the data, but to make sure you are protecting it. And if there is a breach, you are doing everything you can to make restitution to individuals. Mr. Wilkinson.
You talked about the data and Social Security numbers and that we need to look at a different way of identifying. I am curious if you have anything specific on what we should be looking at when looking at that PII. The first thing to note: in this breach, a number of items were leaked. Combined with other breaches that have occurred, we are getting close to all of the personal information in the United States being exposed. It is a good point to compare and contrast what happened with some of those breaches. Financial payment systems are reasonably resilient. It was a burden for customers, but the ability for consumers to report fraud, get a new card issued as a remediation, and the ability to have recourse is relatively well known. In addition, the liability largely fell to the financial institutions. Looking to some examples like what we see in financial payments, that ecosystem is a more resilient example than the system we have for identity today. Our identity is out there. I continue to reinforce that our position is that a more resilient approach needs to be brought forward. I agree with you. Identities are out there. For some of us it is too late. For our kids it is not too late. We have got to look to the future and protect their information as well. It is something that, to me, is not static. We have got to continue to figure out how we address this issue. I agree there should be a public-private partnership; we have got to figure this out for the benefit of those people whose data we are taking, and they have no choice. They have no choice that companies are taking their information and monetizing it. They get stuck for the rest of their lives dealing with the results of a breach. So thank you. Good morning to all of our panelists. This is a question to the panel. Although the most relevant example that we can call on is the response from Equifax to the breach, there are state-by-state laws on notifying individuals when there are security breaches of their personal information. Those laws represent the lowest amount of communication required.
I am interested in what companies are deciding to proactively do to help notify and help the consumers affected by these breaches. Mr. Barros, Mr. Smith and Equifax stated that they have taken big steps. Some of those steps seem to have come only after public outcry over your initial response. More broadly, can you elaborate on what considerations you and your companies take into account when notifying and taking steps to remediate the damage done? One of them is the notification process, which we took very seriously. The state requirements came first, then innovation. I am asking beyond that. That is minimal. What are you deciding to do beyond that, and what considerations are you making? One of my top priorities is consumer response. On the consumer side, we made our call centers scalable, so you can get in and out. I am also talking about your efforts to notify customers beyond the requirements. We have been working with the customers, making sure they use the service that we have provided for free during the transitional period. We will continue to introduce lock and unlock for free for life. The approach we used was one that was acceptable. It worked. We can pursue this on the record. My question, which I am asking for now: state laws are minimal, you have to follow them. What factors are you considering when you decide when to notify a consumer? We took a proactive stand. Where frequent education was required, we did it. Everywhere, accuracy and comprehensiveness are very important. We analyze how any new data may be used or abused. At Verizon, what we do, we always obviously look at what the law requires. Then we look at what we think is the right thing to do for the customer. Thank you. Our company does not hold consumer information. I wanted to follow up with Mr. Barros about the difference between credit lock and credit freeze services. Placing a freeze on their credit is one of the best ways that customers can protect themselves. Equifax stated it would waive the fee for customers to place a freeze on their credit in response to the major data breach. It also stated that it will give customers the ability to lock their credit for free.
Can you share the difference between a credit lock and a credit freeze in terms of consumer rights and protections? Who has access to a consumer's file when it is frozen versus locked? Fundamentally, there is no difference between a lock and a freeze. When you freeze, it is a legal process: you make a phone call, you identify yourself, you get ready and execute. When you do the lock, it is the simplicity of the process. They are trying to get to your file. I see that my time is up. I think there are experts who would disagree with you in terms of safety. One of the things I will intentionally follow up on is the freeze for Equifax customers. I thank you for your help. Thank you. I want to start with a question to Mr. Barros. To your knowledge, has any of the information that was breached, driver's licenses, Social Security numbers, addresses, credit card information, have you any indication that any of your customers' data that was breached has been misused? Do you have any indication of this data being used? And in the case of Yahoo, how often, was that a red flag that was brought to your company? We saw no volume of reports. We did roll out advanced protection against threats that notified users if we saw any indication that their account was accessed by a state-sponsored attack. We rolled that out. Mr. Wilkinson, you said all the information is out there in the public domain, in general. We would have to assume that. Assuming that, does it surprise you that none of this information has been used, if it is out there and anybody can get at it at this point? I would not be surprised. Mr. Barros, you mentioned earlier how individuals were contacted. Yahoo has direct communication. The data that is collected here does not seem to indicate any kind of email address or a way you can send out a warning signal. Will that change your profile in terms of being able to have quicker, more efficient dissemination? We would like to be more up front and secure. We have improved the website significantly.
We have phone numbers available for the customer to ask questions. We are doing this on social media, inviting people to talk to us, making sure that we can respond and direct them to the right solution. I can tell you that one of the ways that people want to talk to you is when they get their credit report and they see something there they do not agree with. I think that your company and the credit bureaus have realized over the years that this is an enormous problem for the consumer. I know that happens frequently. You have worked to correct this problem and to try to reach the consumer. To get a complaint filed and work through the process is very time consuming and difficult. I am going to assume that those processes are tightening up in light of this security breach we have seen. That is one of the top concerns I have: improve the process. I am interested in your proposal to lock your information as an individual. You said you would have that at no cost through January, and the customer can opt in and opt out. How did that work in terms of your business framework? The objective that we have in designing this service is to make sure the consumer will have the power in their hands to lock and unlock their file. When they have a locked file, it is locked from everyone? Yes, nobody can have access to that file. Thank you. Senator Gardner. I have heard it said this is personal information, personal identification information. Who owns the information that you provide to your clients and customers? According to the existing regulatory framework, we own that information. Does the consumer have the ability to say, I do not want you to have that information? They have the opportunity to lock and unlock the file. Do I have the ability to say I do not want Equifax to have information about me? In the framework that we have today, the consumer cannot opt out of the file. So the answer is no. If I get a credit card or a bank loan, that institution has the ability to report to you, and I have no ability to stop that from happening. You can lock your file. The answer is no, I cannot stop that. Whose information is this? Is it your file or my file? According to the regulatory perspective, I have the information. I get it. Do you think it is right, though?
I think it is not my perspective to say it is right or wrong. It is the regulatory perspective that we work on. Who owns the credit card information that you have on me? Do you think the consumer should own the data? Should the customer own their information? Yes, I believe they should. Should we be able to control our own information, Mr. Barros? Yes. You are saying that by putting the lock in place, it is consumer control? When you lock and unlock your file, nobody can have access to your file. What decision was made to manage the data? There were multiple tools we used to encrypt data, including masking and firewalls, with multiple layers of encryption. Was a decision made to leave it unencrypted at rest? Since you took over, have you directed the company to encrypt such data, or have you even recommended it? We have done a top-down review of our security situation. Yes or no question: is the data unencrypted at rest? I do not know at this stage. You do not know? Is this not the reason why it was breached, that this data was unencrypted? Encryption is one form of defense, and we have several forms in place to prevent this from happening. So the data remains unencrypted at rest? We have deployed several different tools, and encryption is one tool. Senator, if I may. This environment of attack is much more complex than before, with multiple layers of security. Since there are other experts here, privacy experts, is that a good system? I think we have spoken about the value of that, but from our company's perspective, yes, it is highly sensitive data. So the answer then is that leaving it unencrypted would be irresponsible? Information that is required to be encrypted, in this case it was not. I would ask one more question: when did you notify the other credit reporting agencies of the breach? We notified them when we notified the public. That was around August. Could you give me the actual dates? September 7. We saw suspicious activity on the 29th and 30th of July, engaged the FBI, and then we went public on the seventh of September.
So that is when the credit rating agencies also received that information? Is Equifax currently under investigation by the Department of Justice? There are multiple investigations. Thank you. Thank you to the panel here today. You were the CEO of Yahoo during one of the largest breaches. You testified that the 2014 breach was state sponsored, but you did not conclude that the 2013 breach was. Is that correct? We were not able to determine that. Thank you. You did not learn about any of the other breaches until 2016, is that correct? I learned about the breaches at the scale reported in December of 2014. We saw a Russian intrusion in our network, and we saw 26 individuals with political interest in Russia with accounts compromised. We notified the FBI, and we put in place a special notice to make sure that people were aware this was happening. Did you learn about the 2013 breach not until 2016? That is correct. What kind of information can you provide to support your claims? Our board formed an independent committee, and they reported on their findings. Is that publicly available? Yes. Mr. Smith, Mr. Barros, current and former CEOs of Equifax, I am grateful for your presence. 3.8 million Hoosiers, 68 percent of Indiana's population, were affected by this breach. Can you see why they feel that the company does not have their back? Yes. One of the tragic things about this whole episode is that many of these Hoosiers, many Americans, will not discover until down the road that there was a breach. A mother in Gary, Indiana goes to buy a car and finds out that her credit has been ruined. What is Equifax going to do to remedy the situation for that single mother? That was the idea behind the lifetime ability to lock and unlock your file. If it is locked, you do not have the ability to go rent a house falsely. That is a prophylactic defense, and it seems like a good thing to do.
Let me say, we have had these massive data breaches, and it is an affront to the basic sense of fairness that most Americans have that top executives leave with tens of millions of dollars. I am not trying to start a class war, but when I see the two top officers of those ships, after the deaths of sailors, they were summarily fired because of a lack of confidence. We need to take free enterprise more seriously in the U.S., and I am talking about boards as well as executives; when things like this happen, it offends the sensibility of most Americans. Can you understand why that is? Can you understand why they are offended to be on the receiving end of a breach, notified months after the fact, where they may have lost tens to hundreds of millions of dollars? I understand your point, Senator. I only ask for my pension. I have waived my bonus. I have worked for months out of generosity. You do not need to answer the question; I am not trying to personalize it, I am talking culturally about big business in the country. I would like to talk about one policy issue before we move forward. The idea that credit reporting agencies will give consumers the right to request a lock on access to their credit files at no cost to them: can you pledge that five years from now, Equifax will not be charging consumers to lock and unlock their credit files? Would you be opposed to Congress providing such a law? Thank you. We expect to lean in that direction, where consumers can lock their files; we want to make that free for life. Thank you, Senator Young. Senator Cantwell. Thank you. We have had several long cybersecurity meetings. Homeland Security has had some, and I think the Armed Services Committee has had them. Now is the time for us to be serious about passing legislation, as we did out of the Senate. Particularly, we want to strengthen our infrastructure against possible attacks. These are not the only things being attacked: our networks, our nuclear power plants, our pipelines, a whole slew of things as we continue to grow.
We have heard about how more devices and more productivity means more data for people to attack. These are all things I hope our committee will join in to discuss, and bring cybersecurity legislation over the line this year; I do not think it is too much to ask. I would like to speak on behalf of the 3 million Washingtonians who were affected by the breach. It was my understanding that a patch was implemented that was not followed? That is correct. Why can Mr. Barros not answer that question? He was not in the position at the time. My understanding is that what happened was a combination of human error and technology. I defer to him because he actually worked through this process. The reason I am asking, and I understand the dual role here, is that we have to do both. The issue of cybersecurity is here. It is a national security issue, it is a consumer issue, it is a future issue on identity theft and the ability for individuals to protect what they hold dear. We, at the federal level, need to up our game, to address this issue on an international basis. What do we need to put in place to get people on the same page on fighting cybercrime? At the same time, we have to make sure that everyone understands hygiene, and that the hygiene of your day-to-day business, even your home computer, is going to be a critical role in the world we live in. I want you to understand and speak on how one individual caused such a drastic issue. My first priority has been to harden our security systems. We have done a comprehensive review of the process. That includes our patching capabilities, our tools, updating our tools, making sure that our detection process is much more up to speed and up to date. We have changed policies to make sure that we have redundancies and closed loops in place, to improve accuracy and precision.
Is it enough to have voluntary safeguards, or do you think that something more stringent is required for the industry?

We have complied with this code before, and the industry is ahead of that in many areas. We are using new tools. We definitely welcome the conversation.

I would say that we need something more at this point in time. If one employee was able to miss something as critical as this, and put so much at risk, we need something to make sure that this is implemented. Does anyone else on the panel want to answer that question? Mr. Wilkinson?

The vulnerability that we are speaking about was called the Apache Struts vulnerability. We became aware of it in March, publicly. This is a zero-day vulnerability. They happen more often than we would like to speak about. When we become aware of the zero-day threats, our need to react is quick, and it has to be conclusive. This is something we are going to continue to see. What you continue to speak about, Senator, cybersecurity hygiene, is very important. I liken it to locks on doors. Whatever we do, there is still vulnerability in the ecosystem and the possibility to be breached. A lock on a door won't prevent all crime, but you still put one on your door. The same idea applies to cybersecurity and zero-day threats.

That is my point exactly, thank you so much for that. You just explained that you have to have... we have national labs working day and night against the unbelievable amount of attacks happening every single day. We have all of these efforts that we're trying to do, from getting a workforce, which the committee had a hearing on, to doing everything we need with companies to follow hygiene with great religious fervor. If actors will continue to hack, we need to do something. But companies also need to follow hygiene. Thank you.

Next up is Senator Peters.

I know a lot of folks are angry about this incident. Over 4 million in my state. This question is to Mr. Wilkinson.
I just want to be clear: this was a vulnerability that was discovered. A patch was created, the information went out, and my understanding is that when this goes out, the bad guys find out as well. You are basically broadcasting vulnerability information that people can figure out easily. Experts I've spoken with have said that this was not a sophisticated hack. It was pretty simple, because the roadmap was put out for folks to take. We've talked about national or state actors being involved, but this was just basically a roadmap being put out for the bad guys. They just got in; is that correct?

It is. When zero-day threats are publicized, they do create a roadmap for the bad guys. That is why we need to respond quickly to close those threats. That is best-practice hygiene.

I want to paint a picture for the American public. A roadmap was put out for all the bad guys who want to do us harm. We have a company that has some of the most sensitive personal information about each and every one of us, and, as we heard from testimony, we don't have a choice in the matter. Companies can collect this information. And they don't even take the time to look at a roadmap that has been put out there, and there is a breach? I can't think of a clearer definition of gross negligence anywhere than a company that has been entrusted with the most trusted data, where customers don't have a choice for you to hold that. I didn't ask for you to hold my Equifax information; many didn't, but you have that information. My other question, I guess, is that after a breach has occurred, a criminal may wait before using that data; is that correct?

That is correct.

So it will be a while before we even see it being used. In your professional opinion, is there ever a point after a breach?

This type of data, being out exposed in the wild, is forever, and will never be credibly used for secure identity again.

So we have to worry about this the rest of our lives?

Yes.

Mr. Barros, you mentioned there is free credit monitoring for one year. Is that correct?

Yes.
It started when we announced the breach on September 7. We extended to January, and you still have 12 months.

Why only 12 months, when we heard that we have to worry about this for the rest of our lives?

We believe that the action to come out of this is to protect consumers.

For one year? Well, why not for the rest of their life?

Consumers can lock and unlock information for the rest of their life.

But that is only with your company. This information is in all sorts of avenues that can be used to create a false identity. You are saying that you can lock your credit with us, going forward, when you still have vulnerabilities with all other agencies? This is pretty simple if you are a bad guy: don't go to Equifax. I've got the keys to the kingdom, I am going to go other places. We need to create incentives to stop this kind of behavior, and make sure people have the highest standards in place, and certainly gross negligence should never be acceptable. If you are giving out information of mine, and I did not have to have the information given, I understand you make money when you provide information to a financial institution. You make money off of my information, which I have never asked for. At a minimum, you should let me know that you are making money off of that. I should be giving you permission to make money off of my information. I don't understand why I don't have the ability or tools, for any agency right now, to make sure that I have control, as we had talked about. I am out of time, but this raises a host of major issues related to privacy and control of data. Right now, we don't have any incentives to get companies to protect that information. You profit from it, you do not protect it. A simple, unsophisticated hack had access to 140 million people. There needs to be strong liability for companies that do not protect information and jeopardize Americans for the rest of their life.
There needs to be that liability, and stepping up to make sure that those consumers are protected for the rest of their lives. Hopefully we consider that moving forward.

Thank you, Senator. Senator Markey.

Thank you, Mr. Chairman. The public wants us to do more to protect privacy, but earlier this year Congress rescinded broadband privacy and security rules. These ensured that Verizon and other broadband companies adopt reasonable security protections. These protections ensured broadband providers implement up-to-date data security practices, provide appropriate oversight of security practices, properly dispose of sensitive information, and notify affected consumers within 30 days of a breach. Still, Verizon opposed these rules and worked to ensure that they were repealed. It was argued that we need a light touch. Three billion Yahoo account users, and 145 million users in America, understand that light touch means hands off and free rein. Now, because of congressional action, free rein for broadband providers such as Verizon to collect and share data of consumers without their consent is now the law, to avoid security protections and not promptly notify consumers when they have been breached. This testimony states that security has always been in Verizon's DNA. During today's hearing you stated that Verizon would support national data security legislation. But they have actively and vigorously lobbied to eliminate these notification protections. How are these two positions consistent?

Verizon believes that there should be a single national framework when it comes to data security and processing. We support legislation in both of those areas, and we would be happy, as I said earlier, to work with your office or other members of this committee on what that should look like. We think that there should be one overarching framework, and this was not that.

Well, here's where we are. We have nothing now. You repealed the law that actually requires that there be protection. Now we have nothing.
From my perspective, you did not have to repeal one of the most comprehensive data security and privacy frameworks to develop a national security framework. You could've advocated for Congress to give the FCC and the FTC the ability to give security protections to websites as well. Instead, you opted to eliminate the rules altogether. That is the problem we have right now: we had very strong data security and privacy protections on the books, and they were removed as part of the CRA, a vote on the floor of the Senate and House earlier this year. Here, we hear concerns about the need to have legislation. We had it, and it was going to actually work, in terms of ensuring that the regulations would be put on the books. Instead, we have nothing. In retrospect, do you think it was in the public interest to eliminate these data security and breach notification protections? If you could go back in time to earlier this year, would you still remove those protections?

Yes, I would, Senator. Again, we think there should be a national data breach...

I appreciate that. You advocated strongly to remove protections. Even today, you are not regretful at all. That's going to be the environment in which we are working right now. That is where Yahoo was, and these other companies. We had a strong regime that was in place and was going to be made stronger, and that is in fact what the American people want. They want to know that there is real security around the data that cuts to their very identity. I think ultimately we are going to see a big price as year after year goes by, because it is not talk but action that makes the difference. Those actions have been taken. They were on the books. Now that is gone.

Thank you, Senator Markey. I think there are ways that we can address data breach that don't involve class-action lawyers.
We ought to be looking at the tools we need to hold bad actors accountable. Next senator.

Thank you, Mr. Chairman, and thank you for meeting at this important time. The impact is incredibly far-reaching. I want to take a moment to highlight how state and federal entities rely on services such as Equifax for credit monitoring and other services. For example, Equifax lost over one million identities. A variety of methods are available to veterans. If they are not comfortable going online, they can access their information by fax. They can request changes to their facility, and the changes can be made if the Social Security number matches the person making the request. That was made in an era when valid Social Security numbers could be used as an effective tool for identity. That is no longer the case. My questions to you are simple. Following the loss of millions of Social Security numbers, what concrete steps did Equifax take to notify consumers and offer solutions to the governments to prevent information and identity from being stolen?

We have spoken with these different administrations in order to make sure we enhance the communication process and have solutions that will allow people to know how to protect themselves using our service.

You went public about the breach; when did you contact the DoD or the Department of Veterans Affairs to inform them and explain what they would have to do?

Since I got here, I asked my people if they have done this, which they have done a few weeks ago.

Was anything done, Mr. Smith, if you know, when the breach was known and when it became public?

Specific to the veterans?

Specific to government agencies in particular, but specifically to the U.S. Department of Veterans Affairs and the Department of Defense.

Not that I am aware of.

I would like to know, so please find out and provide me with that information.

We will do that.
I want to be clear that veterans need these funds to pay their rent, get groceries, to keep the lights on. When they notice that their disability benefit was not deposited and contact the VA, this is only the first step of a complex and arduous maze that a veteran needs to go through just to get disability benefits restored. When they notice that it does not go into the bank account it goes into, thinking back to when this breach occurred, you will see that veterans will still be suffering because you did not tell the VA. Hopefully you told them that there is no evidence that you had. The VA has to understand first that it received the information, then has to process the information to return funds to the U.S. Treasury Department. Then they have to get a confirmation from the Treasury that the fraudulent payment was actually recouped, and then the Treasury returns the funds, before that money is returned to the veteran. Best case, a couple of weeks, but I wouldn't be surprised if it took a couple of months. Given your company's role in failing to safeguard this data, I would like Equifax to make commitments to work with the VA, veterans organizations, and individual veterans to provide valuable support and services such as unlimited free credit services and monitoring for life. Would you make that commitment to the men and women who laid down their lives to protect you, your family, and your business?

We have engaged with the Department of Defense and the Veterans Administration. The products we have will be offered...

You will not offer credit monitoring to veterans affected for life?

They have been locked in...

Again, that doesn't help. The bad guys are going to go somewhere else. You are saying that you will not make this commitment to our nation's veterans? The people who protect your ability to make money, your freedoms? You are not going to support our disabled veterans, who are wounded in the service of the country?
You will not provide credit monitoring to them for life?

We believe that the lock product is a safer product than the monitoring we had.

The answer is no. Well, I am over time. I yield to the chair.

Thank you for holding this important hearing. The testimony I have heard is pretty discouraging. 846,100 New Mexicans had their creditworthiness endangered by the carelessness of Equifax employees. When you previously testified, Mr. Smith, you said that data was stolen and stored in plain text and had not been encrypted. This is an unacceptable practice for an organization with such power over consumers' lives, and it makes painfully clear that Americans cannot rely on large companies to protect their data. As a possible solution, Congress could ban the use of unverified Social Security numbers in commerce. There is strong bipartisan support for this. These numbers were never supposed to be used as a universal online identification number. I'm glad to hear that this is going forward with interest, and that Congress is into it as well. We should look at technology and trusted online identity, to look into security and ban the use of Social Security numbers online. I look forward to the work that has already been undertaken. The following are yes or no questions for the entire panel. Is it necessary for online commerce to rely on a Social Security number, Mr. Barros? Please give me a yes or no, it is a simple question.

The Social Security number is a process that was developed in 1936. I think we need to have a different perspective when dealing with e-commerce.

So your answer is yes, it is necessary to rely on it?

Today, some sites do rely on it.

Mr. Smith?

I would love to see it replaced. Until then, it is the standard.

We do not collect or store Social Security numbers for the conduct of our business. Verizon would be happy to work on an alternative for Social Security numbers.
The Social Security number is a static identity, and a static identity is not secure, will never be secure, and will not be secure in the future.

Do your businesses require a Social Security number before you will do business with a consumer?

Most of our business is done business to business, so we deal mostly with entities. A small portion of our business, which varies, requires information on the consumer side.

I concur.

Ms. Mayer?

No.

Not a typical one, but it is something that is required for a credit check.

We are focused in an area that does not collect Social Security numbers for consumer information.

Thank you. Do you think that the development of a secure digital identity number could break the cycle of identity theft?

Yes.

Yes.

I think it is necessary, but not necessarily sufficient. So, yes.

Yes.

The final question: do you think that Congress should replace these Social Security numbers while promoting the use of secure digital identification?

I need to understand the proposition, but anything that can move us forward from a static number, we would support it.

I agree.

I don't know that my opinion matters, but I agree.

Mr. Wilkinson says yes. The Trusted Identities Group is comprised of a public and private partnership that is looking into an easy-to-use digital identity. I will ask the final question here. Will you commit to working with my office on ways to improve the current working group and expand its efforts?

Definitely.

Thank you. Mr. Smith?

Yes.

Absolutely.

Thank you very much, Mr. Chairman. I really appreciate you holding this hearing; I know there was great interest on both sides of the aisle. Hopefully we can find a bipartisan way to deal with this situation.

Senator Udall?

Udall: Given that I am the last one to ask questions, I thought I would use this opportunity to welcome Mr. Wilkinson. I hope things are going well in my home state.
A hundred of your employees are from our state, so thank you for being here. I know much of this ground has been covered. In your testimony, you mentioned Brazil's model of identity solutions, and in this model the government works to provide digital certificates of identification. How did they ensure that the government's private partners can keep citizen information safe?

Brazil is a great example, but there are some models that we can share with you, Senator, that are being used around the world. Certainly, the framework they built for security is close to what we are proposing going forward. But the comment that the Senator made was accurate. They're doing really good work, and we would love to spend more time with the committee to discuss what security could look like in the future.

Mr. Smith, you have appeared before us. Thank you. I believe I have shared my frustrations before. Equifax has announced that it is launching an app in January to allow consumers to lock and unlock credit data while giving consumers more control over their credit information. We do not want to have new avenues for hackers. Are there additional cybersecurity challenges that come with the global technology, and how will these products be tested?

The products are being developed as we speak; we are on time to deliver in January. One of the things is simplicity, for how consumers can understand and use the application. We just started our development test now, and this is a connection to our main files, so all security needs and requirements will be done in compliance with security.

I have been working on election issues; I am on the Rules Committee and have a bill to upgrade our election equipment. We had an attempt to hack 21 states' equipment, manufacturers or software companies. That goes hand in hand with some of the attacks I've seen in companies. Ms. Mayer, we had attacks similar to what we think occurred in the 2016 election.
In your experience with Yahoo, how do state-sponsored hacks differ from individual hacks?

In many ways, the motivation is different. I would say they tend to be much more sophisticated.

The state-sponsored?

Yes, the state-sponsored are more sophisticated. They span over several companies, trying to put together a picture of what they are actually seeking. They are very good at hiding their tracks. Of the four people indicted in the case with Yahoo, one of them is considered one of the most dangerous hackers in the world today, a central figure in many cases around the world today. Being motivated to work through such a sophisticated network, it is definitely an issue.

What do you think we can do differently with state-sponsored attacks?

I think that a really aggressive pursuit of hacking is important, and I was pleased with the FBI's and the Department of Justice's work with Yahoo to bring the people who perpetrated the crimes against us to justice. I think we need to empower them legislatively and financially. There is not enough of a disincentive right now to hack, on a criminal or public level.

You are talking about a much more aggressive pursuit, in addition to everything we are doing to prevent this?

Yes. One of the individuals in the case was from Canada and was extradited to the U.S., a good example.

On the election side, we have to get back to paper ballots. It is an issue that businesses face as well, though, so thank you very much.

Thank you, Senator. You guys made it through. We'll keep the record open, and we will allow members to submit questions for the record for a couple of weeks, but we will want to close it out. If you could respond as quickly as you can in writing to the questions submitted by committee members, we will get that taken care of. I appreciate you being here today to shed light on this issue. The committee has an interest in moving forward on the legislative front in a way that will hopefully be effective, so that we can prevent these types of cyber attacks in the future.
Thank you again, and with that, this hearing is adjourned.

We will be back on Capitol Hill in the morning for the Ways and Means Committee markup. They are working on the House Republican bill and are hoping to finish it by the end of the day. Live coverage will return at 9 a.m. Eastern time on C-SPAN3. We are now joined by Virginia Republican Tom Garrett to talk about homeland