We turn to the issue of data breaches. This is not a new issue. The committee has been focused on the consumer impact since before I was elected to the Senate. The September 2004 ChoicePoint breach, considered to be the first high-profile data breach in the modern era, prompted investigations from this committee and state authorities. ChoicePoint was a data aggregation company originally created by Equifax, who, as fate would have it, is represented here today. In terms of the inquiry into major data breaches, we have come full circle. Congress and this committee have paid close attention to data breaches big and small. The committee has entertained proposals to strengthen requirements for companies across the board and to impose federal requirements for companies to notify consumers following discovery of a breach. We are in the era of major data breaches, including the Equifax and Yahoo breaches that we are examining. The Yahoo breaches are larger; the Equifax breach is more severe given the nature of the data compromised. I have heard from many constituents who were concerned about the lasting effects of the Equifax breach. I have heard complaints that it is difficult to set up a credit freeze, and questions about whether credit monitoring is an effective tool to prevent identity theft. The Equifax breach exposed the sensitive personal data of 145.5 million U.S. consumers, including names, Social Security numbers, birthdates, addresses and driver's license numbers. 200,000 were affected. Equifax will have an opportunity to provide an update regarding the breach as well as its much-criticized efforts to mitigate harm and prevent anything like this from happening. The Yahoo breach compromised over 3 billion user accounts and followed a prior breach in which hackers stole similar information from 500 million users. The data included names, dates of birth, partial passwords, unencrypted security questions and answers, and employment information.
The figure constitutes the entirety of Yahoo Mail and other Yahoo-owned accounts at the time of the breach. Yahoo representatives will have an opportunity to provide an update regarding the breaches as well as efforts to mitigate harm and ensure the security of consumer data going forward. The data breaches illustrate dramatically that our nation continues to face constantly evolving cyber threats to their personal data. Companies that collect and store personal data on American citizens must step up to provide adequate cyber security, and there should be consequences if they fail to do so. The committee has made cyber security a priority, and I am hopeful today's hearing will help the committee understand: when there is a risk of real harm stemming from a breach, we must make sure that consumers have the information they need to protect themselves. That is why I support a uniform federal breach notification standard to replace the patchwork of laws in 48 states, in addition to the District of Columbia and three other territories. A single federal standard would ensure all consumers are treated the same with regard to notification of data breaches that might cause them harm. Such a standard would provide consistency and certainty regarding timely notification practices, benefiting consumers and businesses. To ensure that businesses secure information appropriately, I have advocated for uniform reasonable security requirements to protect consumer data, based on the size and scope of the company and the sensitivity of the information. However, in this regard, the facts of the Equifax breach are troubling. As a credit bureau, Equifax was subject to the Safeguards Rule under the act, which is considered to be a stringent regulation. The Equifax breach occurred and its implications appear dire. Enhancing security and protecting the personal data of consumers will be a priority for this committee.
I want to thank our witnesses for appearing here today, and I look forward to hearing your testimony. I will turn to Senator Nelson for his opening remarks.

Senator Nelson: Thank you, Mr. Chairman. As you stated, this is the latest edition in a long history of hearings that we have held on this committee to discuss data security and breaches. I want to thank several senators on this committee who have asked for this hearing. Senator Baldwin in particular, Senator Cortez, thank you for bringing this to the forefront. If you start with the massive ChoicePoint breach in 2005, and then continue with Target, Neiman Marcus, shape hat, Sony, Citigroup, CVS, South Shore Hospital, Heartland Payment Systems, and many others, the parade of high-profile data breaches seems to have no end, and billions of consumers have had their sensitive personally identifiable information compromised, including Social Security numbers, driver's licenses, addresses, dates of birth. For years going forward, criminals can use this data to steal the identity of innocent consumers, create fake accounts in their names and commit other types of fraud, and I might point out that right now we estimate 5 billion a year is being stolen from the U.S. Treasury just on fake federal income tax returns on which they get a refund. And on top of that, we also recently found out the 2013 Yahoo breach compromised the personal data of, it is hard to believe, 3 billion users. That is the biggest data breach in history. Yet today here we are once again dealing with the aftermath of the recent Equifax breach involving the personal identification information of nearly 145 million Americans. This most recent breach raises an even more troubling question. If credit reporting agencies that offer identity theft protection and credit monitoring services cannot even safeguard their own data from hackers, then how can consumers trust any company to protect their information?
And let me say also, when you get up against the sophistication of state actors such as Russia and China, it is going to be hard to protect against them. So, sadly, the question that millions of Americans are now asking, as they struggle to figure out how to protect themselves in the wake of these massive breaches, is: what in the world do we do? This committee, Mr. Chairman, is going to again consider what it would do to make sure that consumers are protected, but if we are going to do anything meaningful, we must have the political will to hold these companies accountable. Over the years, the Federal Trade Commission has brought numerous enforcement actions against companies for lax data security practices. But industry has recently challenged the FTC's well-established legal authority to bring such actions. This piecemeal, after-the-fact approach would be better served if the FTC were able to prescribe rules that require companies to adopt reasonable security practices in the first place. Rules have already been put forward to agencies like Equifax. The agency should have a similar authority for the rest of the commercial sector. And so, Mr. Chairman, I think in the end it is only stiffer enforcement and stringent penalties that are going to be able to help incentivize companies to properly safeguard their consumer information, and to notify their consumers when they have been compromised. I strongly believe that without rigorous data security rules in place, it is not a question of if we will have another one, but when. We can either take action with common-sense rules or we can start planning for our next hearing on this issue. Thank you, Mr. Chairman.

Chair: Thank you. I hope it can inform our future actions. It needs to be addressed. Congress needs to be heard from. Glad to have our panel with us this morning. On my left and your right is Mr. Barros from Equifax, and Richard Smith, the former CEO at Equifax. Ms. Marissa Mayer, former CEO of Yahoo Incorporated.
And Karen Zacharia for Verizon, a parent company of Yahoo since 2017. And Todd Wilkinson, president and CEO of Entrust Datacard. I will start with you, Mr. Barros, and ask you to confine your oral remarks as close to five minutes as possible. Anything extra can be on the record.

Mr. Barros: Good morning. Chairman Thune, Ranking Member Nelson, members of the committee. Thank you for letting me be here today. Six weeks ago I was named interim chief executive officer of Equifax. I never expected to become CEO under the circumstances. But I am honored to be in this position. Speaking for everyone at Equifax, I am determined to address all the issues from the breach so we can regain the confidence of the American people. Equifax is based in Atlanta; you can tell from my accent, I did not grow up in Georgia. I am a native of Brazil. I have had the privilege of working most of my adult life in the U.S. My children were born here. I'm an engineer by training and I have spent a lifetime confronting and fixing complex business problems. This is the mindset I bring to my new position. My first act as CEO was to address the consumer response, the call centers and the website. We are working hard to fix the problem. I apologized to the American people and I do so again here today. I promise each of you and the American people that Equifax will be focused every day on assessing security and providing better support for consumers. We will be an industry leader in giving consumers more control over personal private data. In answer to your questions, I would like to review briefly the actions we have taken in the past six weeks. First, my highest priority has been to improve service for consumers. I have visited call centers, have spoken with call center representatives, and have personally taken calls from consumers and helped to resolve their issues. On social media, we have expanded communication. We have improved the website, have staffed the call centers and made it more consumer-friendly.
The result is a substantial reduction in backlogs and delays. Second, we have revised our corporate structure. The chief security officer now reports directly to me. I have also appointed an officer to oversee the response to this incident. Third, we are rapidly improving our security infrastructure. We're changing our networks and our vetting procedures, introducing new tools, and strengthening our accountability mechanisms. Fourth, we have committed to working with the entire industry to develop solutions to the growing cyber security and data protection challenges we all face. Finally, we promise to launch a new, easy-to-use app in January that will give consumers access to their data free for life. We are on schedule with the development of the app and we are confident consumers will find it extremely valuable. We have done a lot in a short period of time. But this is just the beginning. I remind my team every day that there are no shortcuts. Serving consumers is a long-term commitment. Equifax is made up of 10,000 talented and dedicated people. Our business is not well understood. But it is essential for the economy and for helping consumers obtain the credit they need. Our top job must be to protect the data entrusted to us. We did not meet the public's expectations and now it is up to us to prove we can regain the trust. We are committed to working with consumers, customers, Congress, and regulators to restore public trust. This has been my focus during my first six weeks as CEO. It will continue to be my focus every day at my new job. Thank you for your attention and I welcome your questions.

Sen. Thune: Mr. Smith.

Mr. Smith: Thank you. Thank you for the opportunity to testify before you today. I submitted my written testimony to the committee and other committees in the Senate and House. I testified over the last three or four weeks. The written testimony is a record of the events of the breach at Equifax that occurred. I am here today to answer any questions you may have.
Thank you.

Sen. Thune: Thank you. Ms. Mayer.

Ms. Mayer: Thank you for the opportunity to appear before you today. I had the honor and privilege of serving as Yahoo's chief executive officer from July 2012 through the sale of the business in June of this year. As you know, Yahoo was a victim of criminal, state-sponsored attacks on its systems, resulting in the theft of certain user information. We worked hard over the years to earn our users' trust. I want to sincerely apologize to each and every one of our users. When Yahoo learned of this in late 2014, Yahoo promptly reported it to law enforcement and notified the users at that time who had been directly impacted. Yahoo worked closely with law enforcement, including the FBI, and we were able to identify and expose the hackers responsible. We now know that Russian intelligence officers and state-sponsored hackers were responsible for highly complex and sophisticated attacks on Yahoo systems. The Department of Justice and FBI issued a 47-count indictment charging criminals with these crimes. The DOJ and FBI praised Yahoo for our cooperation and early proactive engagement with law enforcement. In November 2016, Yahoo determined the user data was most likely stolen from the company in August of 2013. Although Yahoo and its outside forensic experts were not able to identify it, the company disclosed the incident, notified the users believed to have been affected, and took steps to secure all user accounts. I want to stress how seriously I view the threat of cyber attacks. After growing up in Wisconsin, I remember buying my first computer in college, developing a passion for computer science and writing code, and seeing the potential to change the world. After college I was hired by a small start-up named Google as their 20th employee and first female engineer. I worked my way up from software engineer to part of the executive operating committee. In July 2012, I became CEO of Yahoo.
I will always be grateful for and humbled by the opportunity to have led Yahoo and its employees for the last five years. My experiences from Yahoo and Google have shown me the potential of the internet to change our world for the better. However, they have also reinforced the dangers of cybercrime. Our efforts to confront the challenges of cyber security, including security measures and defenses Yahoo has in place, in hopes of further advancing protection and security. We worked hard to protect our systems and users. We devoted substantial resources to security with a shared goal of staying ahead of the evolving threat. After I joined Yahoo we roughly doubled our internal security staff and made significant investment. In addition to improving our talent, we improved our security processes and system defenses. Yahoo had in place multiple layers of sophisticated protection. We were extremely committed to security. I want to thank all of our team members for their tireless efforts in addressing Yahoo's security needs. Russian agents intruded on our system. The threat from state-sponsored attacks has changed the playing field so dramatically that today, I believe all companies are probably vulnerable to these crimes. Cyber security is a global challenge. No company, individual or government agency is immune from these threats. The attacks on Yahoo demonstrate that strong collaboration between the public and private sectors is essential in the fight against cybercrime. Aggressive pursuit of cyber criminals, as the DOJ and FBI exhibited in the Yahoo case, could be a meaningful deterrent in preventing future crimes like these. In the words of the investigator, a nation-state attack is not a fair fight and not one you will win alone. We can work together to level the cyber playing field. Thank you for the opportunity to address the committee today.

Sen. Thune: Ms. Zacharia.

Ms. Zacharia: Thank you for the opportunity to testify here today.
My name is Karen Zacharia and I am Verizon's chief security officer. Verizon has a longstanding commitment to protecting and safeguarding consumer data and building trust online. In an increasingly connected world, Verizon recognizes that strong security and consumer trust are prerequisites to compete in the 21st century's digital economy. The nature of our business requires that Verizon make cyber security a top priority. In 2016 Verizon announced it had entered into an agreement to acquire Yahoo's operating business. That acquisition closed in 2017. Yahoo is now part of a new company from Verizon called Oath. Oath consists of 50 digital brands globally, including Yahoo News, Yahoo Sports, Tumblr and AOL. In September and December of 2016, Yahoo announced its user data was stolen in two separate incidents in 2013 and 2014. These incidents happened well before the acquisition of Yahoo. At the time of the December 2016 announcement, Yahoo disclosed that one billion of the 3 billion accounts existing in 2013 had likely been impacted. After Verizon acquired Yahoo, we obtained new information from a third party and reviewed it with the same forensic experts Yahoo had used previously. Based on that review, we concluded all accounts, not just a subset, were impacted by the 2013 security incident. Yahoo provided further notices to the impacted users beginning October 3, 2017, less than a week after we determined the impacted user accounts. In addition, the review confirmed the stolen information did not include Social Security numbers or passwords in clear text, and did not include sensitive financial information like payment card data or bank account information. Although Verizon did not own Yahoo's operating business at the time of the 2013 data theft, we understood Yahoo took action around the time of this announcement to protect its users' accounts. Yahoo required password changes for user accounts whose passwords had not been changed since 2014.
Yahoo invalidated unencrypted security questions and answers so they could not be used to access an account. Yahoo took these actions on user accounts beyond those in the security incident. This means that Yahoo took steps in 2016 to protect all users, including the additional accounts individually notified in October of 2017. Proactively enhancing our security is a top priority at Oath. At Oath we gather intelligence, leverage technology advances to make improvements to our systems, and apply more advanced protection to our user accounts. We are combining two strong existing security teams. We are examining the practices of each team and applying the best across Oath. We are creating an advisory board with experts. The board will provide input on all of its security. Security has always been in Verizon's DNA and we will make improvements to meet the security challenges of the future. At Verizon and Oath, we are laser-focused on the needs of our customers. We know that they expect their information will be secure. As a result, we go to great lengths to implement security. We are committing substantial resources to defend our assets, networks and customers, including those acquired with the closing of the Yahoo transaction. With the benefit of Verizon's resources and accountability, Verizon and Oath will continue to strive to stay ahead of an ever-evolving threat landscape. Thank you again for the opportunity to testify today. I look forward to answering your questions.

Sen. Thune: Mr. Wilkinson.

Mr. Wilkinson: Chairman Thune, members of the committee, thank you for allowing me to discuss the urgent actions needed to protect personal information. For almost 50 years, Entrust Datacard has secured digital identities that are used around the world in banking, government and private applications. Identity is the way Americans build financial lives. The value of identity is the primary reason this information was targeted.
And it is why we see more sophisticated attacks. We live in an incredibly complex world. The challenge of protecting data is an evolving and sophisticated task that starts with a secure identity. This will only become more critical as we drive toward connectivity linking virtually every aspect of our lives. According to the 2017 Verizon data breach report, 43 percent of all data breaches can be traced to a phishing tactic. Once compromised, the primary target is consumer identities. The information stolen in the most recent breach contained a significant amount of personally identifiable information. The focus of this hearing is to examine the recent data breach events, focus on the events and the steps that could have been taken, and determine if there are options to further safeguard consumer identities in the future. Regarding the issue of steps we have taken to better ensure safety, organizations are challenged by increasingly complex systems and a rise in attacks from nation-states. This committee can bring forward a number of experts. No system is free from vulnerabilities and all have the potential to be breached. There are documented best practices and tools available to mitigate common attacks. The vast majority are the result of common security mistakes and poor cyber hygiene. A substantial amount of PII, the basis of our identities for secure transactions, could potentially be used to defraud consumers. It is essential to find a balance in providing an answer to the underlying security of consumer identities. To address consumer identity, it will be critical to recover quickly and ensure consumer data is no longer at risk. Today, the federal government provides a nine-digit number issued on a paper card, our Social Security card. This static number is issued at birth and is difficult to change without significant inconvenience. While we have made substantial advances in technology, consumers are still vulnerable to compromise.
Our recommendation is that the time is upon us to create a new identity. It would be a modern, secure identity built with the collaboration of government and industry. There are several examples delivering stronger identity frameworks as a foundation for commerce. A new identity framework will allow citizens to use a more secure method to transact and reduce the potential for breach or compromise. This new framework would minimize risk, be used in case of breach, and allow the consumer to more easily recover their identity with minimal impact. Our identity system is broken, not secure. It is time to leverage technologies to provide Americans with new technologies to protect their identities. The best path forward rests upon the public-private ecosystem and constant self-assessment of vulnerabilities. Whether it is through incentive or directive, we need to proceed now. I urge you to focus on near-term actions to address the information compromised while working toward longer-term solutions to create a more resilient identity for American consumers. Thank you for your time today.

Sen. Thune: Thank you, Mr. Wilkinson. I will start with the questions. Ms. Mayer, you describe the significant investments Yahoo made under your leadership with regard to security. Nevertheless, the company failed to detect the 2013 breach, the largest in the history of the internet, for more than three years. Even after the 2013 breach became apparent, Yahoo significantly underestimated the number of accounts implicated, by billions. I will give you an opportunity to answer the obvious question. That is, with such a strong security team in place, how did Yahoo fail to recognize that all 3 billion of its user accounts had been compromised, and why did it take more than three years to discover and disclose the breach?

Ms. Mayer: At Yahoo we deeply valued our user security and invested heavily in that security.
As is frequently the case in these types of cyber attacks, they are complex, they are persistent, and in many cases the understanding of the facts evolves over time. To this day, as I understand it, we have not been able to identify the intrusion that led to that theft. We received files from law enforcement that contained Yahoo data. We verified the data came from Yahoo, but we do not understand how the act was perpetrated. That led to some of the areas where we had doubts, where we had gaps in information.

Sen. Thune: Why the delay in disclosing it? It took from 2013, three years. And how is it possible to underestimate by billions, literally, the number of consumers impacted by it?

Ms. Mayer: Yahoo did not know of the intrusion in 2013. We learned of the intrusion by files presented to us in November of 2016. We identified that the data was taken from Yahoo, likely from August of 2013, notified law enforcement and users, and took effective actions on accounts. We estimated it affected more than one billion users. There have been recent announcements from Verizon that I am not privy to, as I am no longer with the company.

Sen. Thune: The 500 million originally disclosed, and it jumped up to 3 billion; there is no real explanation, to your knowledge, for how you miscalculated the number of people?

Ms. Mayer: The 500 million number was related to the fall of 2014 breach by the Russian hackers for which the indictments were issued by the DOJ and FBI.

Sen. Thune: In prior testimony you said the failure to patch a known vulnerability in your system boiled down to a single employee's failure to act, compounded by an IT scan that should have detected the failure, but did not. And then the vulnerability was allowed to persist for several months without corrective actions being taken. For a company that holds the most sensitive information on millions of American consumers, I hope you can understand why this revelation is so hard to understand.
Can you explain why there were not more tripwires and redundancies to prevent things like this from happening? You testified these weaknesses have now been addressed. Perhaps you could elaborate on how.

Yes, you're right. In prior testimonies I referred to the fact that we were notified March 8 of this year. I communicated protocol on the ninth, the vulnerability in the source software. The email did go out per our protocol; on the 15th of March we did a scan and the scan did not find the vulnerability. Human error, as well as a technology error, both led to the ability for criminals to access what we call a web portal dispute environment.

Sen. Thune: But why wouldn't you have had more redundancies built into your system? Why did it basically come down to one employee? It seems really hard to fathom, for a company that specializes in what you do.

Mr. Smith: The redundancy was a scanner, and it did not work as well as it could. A standard process of identifying a patch, and going back a week later with a technology scanner.

Sen. Thune: You said you fixed that? Can you elaborate on that?

Mr. Barros: I can elaborate on further steps Equifax has taken since the breach.

Mr. Smith: I will start and Mr. Barros can continue. We installed a new scanning technology, a new-generation scanner. It seems to be a better scanner than the prior scanner.

Mr. Barros: As you can imagine, it is my top priority: strengthening security systems in our company. We have done a comprehensive, top-down review of the process. We are strengthening all aspects of our operations, including our patching capabilities, enhancing and updating our tools, to make sure we have an effective detection system in place. We have put stronger policies in place to make sure we have more redundancy and closed loops, in order to make sure our actions have accuracy.

Sen. Thune: Have you disposed of the data you no longer need? Has Equifax disposed of it?

Mr.
Barros: It is part of the process we're going through right now.

Sen. Thune: How about encryption?

Mr. Barros: Whatever is necessary to do it, including encryption and all new technologies available, to make sure we protect the data.

Sen. Thune: Senator Nelson.

Sen. Nelson: We have had these hearings before. If we do not do something, we will be having a lot of these hearings again. At this point, I am wondering whether there is any such thing as data security. When you think of a sophisticated state actor, such as China or Russia, your companies cannot stand up against them. The only person or institution that can stand up against them is the National Security Agency. And what we are going to see in the future is not only personally identifiable information, but the state secrets of our country, many of which are critical infrastructure, as represented by companies such as yours. There is going to be cooperation between the most sophisticated player in the United States, which is the NSA, and you all. Otherwise we, Americans, will not have any more privacy. If we do not do something, and if you all do not do something to change this, we are going to be right back here in additional hearings coming up on this same topic. Ms. Mayer, what do you think? You had a sophisticated state actor coming after you. How do you really think you could have protected yourself?

Ms. Mayer: Even robust defenses and processes are not sufficient to protect against a state-sponsored attack, especially one that is sophisticated and persistent. We at Yahoo cooperated with law enforcement and brought these breaches and intrusions to the attention of law enforcement each time they were detected. And the DOJ and FBI were of great assistance to the company in identifying the perpetrators and bringing them to justice.

Sen. Nelson: But that is an admission you are not protected against a state actor. You all own Yahoo. What are you going to do about it?
A couple of different things. Your point that we need to work together is absolutely right. We need to work with industry and government to tackle this problem. That is true in a number of different areas. Verizon has long believed there should be national data security and data breach legislation, and we would be happy to work with any of the senators here on what that legislation should look like. In addition, all of our security teams need to understand that security is not static. It is always changing. Attackers are getting better. Tools are getting better. The intelligence we are gathering is changing. As that is happening, we need to make sure we are changing our security systems to improve and keep up.

Sen. Nelson: That is a good intention, but it is going to take more. It is going to take an attitude change among companies such as yours, that we have to go to extreme limits to protect our customers' privacy. Mr. Smith, you hold a financial guillotine over customers by virtue of what their credit rating is. If that data is not protected, a poor little fellow goes to buy a house, he has it ready, he has the down payment, and then he cannot get a mortgage because now he has a black mark on his credit rating that is not real, but has been placed there because of a data breach. And the poor little fellow cannot close on his house. This has huge consequences. What are you and Mr. Barros going to do about it?

No doubt securing data is the core value of our company. We apologize deeply to the American public for the breach that we had. We let the public down. I do agree with the other panelists here. A combination of cooperation between public and private to address this issue is needed. In my 12 years of running the company, and tracking the velocity and increase of cyber attacks, it is remarkable to see, as in prior testimonies.

Sen. Nelson: Didn't you describe Equifax as the victim when the company failed to fix the security vulnerability that led to the breach? Is Equifax really the victim?
I believe we described ourselves as a victim of a criminal attack.

Sen. Nelson: You consider Equifax to be a victim?

Senator, I think they are a victim. There have been many victims in the case of these breaches. The criminal impact from hackers makes them a victim, in my opinion.

Sen. Nelson: You believe they had adequate security measures in place?

Based on my understanding of the breach at Equifax, and we are talking about security vulnerabilities, we have heard some discussion of the increase in security they have had since the breach. These are the types of things I would say are understood as best practices.

Sen. Nelson: You consider them to have had appropriate security protocols?

For not having patched as long as they did, I would not say that that was adequate security protocol.

Sen. Nelson: So the answer is no. The victim, it is the poor customers of Equifax. Is that correct?

I believe they are both victims, in my opinion.

Does your suggestion also apply to rethinking the use of passwords and user ID numbers? And I'm going to ask Mr. Wilkinson to address this question also. In your testimony, Mr. Wilkinson, you talk about dynamic identities as a way to replace the Social Security number in the modern age. You cite a Brazil example where the government owns core identity technology and issues some sort of identity that might last for three years. Go to Mr. Wilkinson first, and then back to Mr. Smith. Is that system working better for the consumer in Brazil, or is it just a helpful aspect, but does not get the job done against this onslaught which Senator Nelson described in his question?

You asked about the use of passwords and identifiers as well as Social Security numbers. With static information like passwords or a Social Security number, you have a generally weakened framework, which is why we talk about the need for additional security. There are tools companies are using to help overcome the vulnerabilities we see, like username passwords.
Some of those tools need to be employed where we use Social Security numbers as a primary identification. In my written testimony I provided examples of what we see other countries doing. It would be important for this committee to look at. In some cases these countries have moved to visible identity systems. Our recommendation is moving from a system that has worked in the United States for 50 years that is no longer secure. The example you cited from Brazil is a digital identity issued by the government for the purpose of providing a citizen with a digital identity they can use for certain transactions, high-security needs, digital signing requirements, and it has a limited life, three to five years. The way they avoid that, the identity framework is more secure, and provides the ability to be more resilient than what we see today, so that we are able to recover from a breach like the one at Equifax. In your view the Brazilian is better protected? They can be. We have outlived the concept of the SSN. Some form of digital identification is the right path. On legislation, all five members of the panel are advocating legislation. We only have a minute left. In general, what would this legislation look like? I think the two key things that should be in data breach legislation are, number one, that it be a national framework so that we have one standard to comply with as we are responding to a data breach. Number two, it is really important that we get the standard right for when we notify customers. It is important to notify customers about information they really need, to make sure we are not notifying them so often and about so many things that they stop paying attention. Would anyone like to take issue with Senator Nelson's conclusion that against a state actor, like we have seen, a mere company is able to withstand that without going to the NSA? No takers. Senator Blumenthal. Thank you, Mr. Chairman. Thank you to the witnesses for being here today.
I think almost every American consumer at this point is aware that unacceptable risks are entailed in many of our business practices, risks to the privacy that they expect, and reasonably anticipate, will be safeguarded by companies that do business with them, and where they are customers. The Equifax breach in particular, the vulnerability [indiscernible] Trade Commission, and impose civil penalties on companies that treat our data with negligence and recklessness. Under current law, even some of the most egregious examples of lax security can be met only with apologies, and promises to do better next time. Not fines or other penalties or real deterrence that provide incentives to business executives to actually do better. The real deterrence will come when penalties are imposed on executives like the ones before us today. If the entities that hold our data cannot be trusted to protect it, then the government needs to have the tools to not only go after hackers and thieves, but also hold companies accountable. In commonsense legislation, I have introduced the Enforcement Act of 2017, so that the FTC can investigate any data breach by a company or organization that holds consumer data, including nonprofits, and can impose civil penalties that are sufficiently strong to motivate companies to implement strong security at the onset. In this area, truly, an ounce of prevention is worth a pound of cure. In many instances, for many consumers, there is no real cure. The last time, I think, at least on the Senate side, you came before the Judiciary Committee, and I asked whether you could commit that none of your consumers would ever be required to go to arbitration. You said, understandably, that you were no longer with the company, and therefore you could not guarantee. Mr. Barros, I appreciate you being here today. I have the same question. Can you guarantee that no consumer will be required to go to arbitration if they decide to use one of your services or products?
Senator, I understand, relative to the arbitration, it is a tool used by the industry. We use that tool in light of the law. We will continue to evolve in this process and examine the use of this arbitration process. I apologize for interrupting you, but my time is limited. This is one of those yes or no answers. Can you guarantee you will not use arbitration? All of the "on the one hand, on the other hand" comments could be made. Consumers expect they will have the right to go to court and have their rights vindicated there. Can you guarantee you will not force them to use arbitration? I believe the consumers have a choice to use the product. If they use your product they will not be forced into arbitration, you are guaranteeing that? [indiscernible] Do you know the difference between a credit freeze and a credit lock? Credit locks, if you use them, will they be subject to consumer protection under the state laws where consumers live? I understand the way we use freezes and locks. Our approach for the consumer, it provides the same result. The difference is credit freezes are regulated by states, credit locks are not. You are resorting to credit locks. Is it to avoid state scrutiny? No, not at all. We did it because it is more simple to use. It is easy to understand for the consumer. My time has expired, thank you, Mr. Chairman. I hope we will have a second round. Thank you, Mr. Chairman. Mr. Barros, thank you for being here. Should consumers see the same information banks use to make a credit decision? We have as an industry not done a good job representing the consumer in this process. The information is provided by the consumer when they are in the process of buying a car or opening a credit card. When a bank evaluates my creditworthiness, they get a bunch of data. I do not get to see what they are looking at. Should I be able to see what they are looking at when evaluating my creditworthiness? This is probably a yes or no answer.
You have access to your credit report. You have access to your score. This is the information they used to make a decision. Is it the same information? It is the same information. You're telling me the same information the customer has is all that a bank is provided by Equifax? I don't know. I don't know what is provided to the bank. Mr. Smith, you sounded like you might want to correct that. When a consumer is going to a bank to apply for a loan, typically the underwriter of the bank will pull a credit file. The consumer has the right to get that for free. They also have access to the scores. The banks do not just use a standard score. They may have their own score. That score is not disclosed to the consumer. Who are your customers? Are the people whose data was breached your customers, or are your lenders the customers? We have customers and consumers. It seems to me there is a line on that side of the desk, which is to say, not to excuse what happened with Yahoo, it is different. The incentives are different between the credit agencies, which have zero financial incentive to get it right. You can be informed by the Department of Homeland Security that there is a vulnerability. You don't download the patch. Your scanner does not work. Your executives cash out their stock. You charge people to lock their credit, or freeze their credit. You then start to promote through LifeLock; you have commercials with LifeLock saying there has been a breach, you might want to use this product, which Equifax subcontracts to. You guys continue to be profitable. On the other side, for Verizon, Google, other companies, if you screw up with your customers, there is a customer relationship that is frayed. But in the case of the credit reporting agencies, there is no volition on the side of the customers. That is the foundational problem here. There is no incentive on your side to do anything other than charge us to solve the problem that you caused.
There is no incentive on your side to spend the money it would take to transform the company to actually treat us like customers. Your customers are lenders. Your customers are not the people who got harmed by the breach. Do you want to respond to that? The biggest incentive we have is the obligation to get the consumer their data. That is not a fiduciary [indiscernible]. You have an earnings call tomorrow. You are going to report, presumably, that everything is fine, or things are starting to pick up, or maybe even that you make more profit than usual in the wake of this problem. I would be remiss if I did not mention it, because people back home, and I don't mean just where I live, but back where we live, cannot understand how the CEO of Equifax and the CEO [indiscernible] walked away with 90 million and 27 million, and possibly a quarter billion dollars in stocks. This is unfathomable to the average person. Mr. Smith, you and I had an exchange in the Banking Committee; you said this is set by the board, not under your control. I understand that. Regular people do not understand that. And they shouldn't understand how you harm consumers, and then walk away with the amount of money that a small city or county uses for their annual operating budget. It is not fair, and that is why this body has an obligation to make a law, and not just drag you back and forth and wave our fingers at you. Thank you, Mr. Chairman. Let me start by asking this question. Perhaps to Mr. Smith and Mr. Barros. My question is, before the breach occurred at Equifax, with both companies, before these breaches occurred, what did you expect? What did you say to your executive committee or board of directors: what is the probability of a breach occurring at our company? And the follow-up question, what is the probability today? You calculated what the probabilities were; is it any different today for a breach at either one of your companies than it was prior to the original breaches? [indiscernible] framework like this.
We do not calculate the percentage probability. We have a comprehensive framework called enterprise risk management. Data security is the most high-probability risk we have as a company. If we had a security event, it would be detrimental to the company. We don't calculate it at 50, 60. Does that statement mean you would expect a breach? The probability of a breach is high. Yes. Is it still the same probability of a breach occurring today or tomorrow as it was prior to the earlier breaches? We believe today we are better than we were at the time of the breach. We made significant investments to make sure we are better today. How much more money are you spending today to prevent a breach than you were prior to the breach? As a natural response we are spending a significant amount of money. What percentage of an increase as a result of what you learned from the breach? We are expecting a specific spike in the cost. Do you spend 50 percent more than you did before? Four times more. As a result, is it less likely that a breach occurs than the probability of it occurring before? Yes. What is the reduction of the vulnerability? We have a series of actions taking place today. We believe we are better today than we were before. Would it be better to spend six times more? Is the technology out there to prevent this? We are buying new tools. We are being advised by specialists. Yahoo, enter into this question and its circumstances? At Yahoo we had one of the most valuable databases in the world because of the sheer number of users. We describe this as an arms race. Hackers become more sophisticated, and we have to become more sophisticated in turn. Would you have predicted a breach before it occurred? Would you expect a breach? I expect the answer is no or you would have done more. We did not calculate percentages or predict the breach. We increased the size of the team by a factor of two. We rolled out our users' Account Key. We increased our encryption.
We added a bug bounty where outside developers, if they discover a vulnerability, can report it, and we would reward them. We hired an outside team to attack us and show our vulnerabilities. We took extensive actions. Is the probability of a breach less today at Yahoo than it was prior to your acquisition of the company? We do not calculate the probability of a breach. What we do is... Let me ask the question differently. Are your customers more secure than they were before the breach? Would a customer expect to have less expectation that their data is at risk than before the earlier breach? What I can tell you is that Verizon has always taken privacy and security seriously, and we are bringing the best team, focus, and intensity to protect our customers and our network to any new acquisition, including Yahoo. It seems to me, what is missing as a customer, however we define customer, is there should be a sense that they are safer today than they were before. I do not have assurance from any response to my questions that that is the case. We ought to be as concerned today about a breach as prior to it. What I hear is we are taking all the steps. Let me ask this question. Do you believe other companies in a similar business, companies that have a lot of data that affect consumers, are as vulnerable to breaches as your companies are and have been? This is not limited to Yahoo or Equifax. Is every other company in the data business just as vulnerable as you have been? I would print out the list of efforts of our ongoing defenses. In addition to the breach, we took additional steps for customers, changing the passwords, changing [indiscernible], so by all means we did respond and change the level of [indiscernible]. As a customer of Yahoo I should feel much better that my data is safe? I don't think it can be qualified, but there is no doubt in my mind users are protected today because these breaches were detected. Are you spending all the money necessary to increase the protection? Would they be safer if you did more?
Are you doing everything you can do? I am no longer with the company, but during my tenure that was the case. I agree. The security teams at Verizon would tell you that their job is to defend against any and all attackers. That is what we are trying to do. And the company provides them with the resources to accomplish that goal? Absolutely. Do all of you agree the Federal Trade Commission has jurisdiction over your data breaches, and has the ability to regulate and penalize for falsehoods, to penalize if there are breaches? You all agree that the FTC is your regulator and has little authority? Certainly for the Yahoo incident. On the telecom side of Verizon that is a complicated question. The Yahoo incident, absolutely. Thank you very much. Thank you. I want to start with a question to the panel, Mr. Barros, Mr. Smith, and Mr. Wilkinson in particular, to identify if you have any information today about who hacked Equifax. Who possesses the personal identifying information of 145 million Americans, and what do you believe they intend to do with it? Can you identify to me if you have that information today? No, we have no evidence. [indiscernible] the FBI on August 2. In my experience, the vast majority of these breaches [indiscernible]. We all know the Equifax breach compromised the personal and financial information of more than 145 million Americans. We can't begin to know what ramifications this failure will have for the families and individuals that are impacted. I think it is clear Equifax needs to do a lot more to help respond to this breach. Will you make a commitment here and now that Equifax will notify every person who was impacted in this breach? Yes or no? We have been notifying, we have been working with consumers, we have improved our web page and made sure social media is active. We have been working with the consumers that have reached out to us. We have another team working every day. I know you have acted in areas where state law demands you do so.
Where it does not, are you going to reach out to each and every individual that you believe was impacted by this breach to let them know? We will execute the requirements of the law. And if there is an absence of a law in the state, you will not do anything? We are actively engaged with consumers to make sure they use the product we have. You set up a poorly functioning process where people would have to dig up [indiscernible], would have to go to the Equifax website, if they were impacted. How many people have gone through this process? We had close to 400 million hits. Do you know how many individuals? 30 million individuals. Out of 145 million. You mentioned call centers in your testimony. Where are Equifax's call centers located? We have one in Florida, one in Nevada. Florida, and one in Las Vegas. Are there any outside of the United States? We use call centers in Costa Rica, and other parts of the world. What other parts of the world? Malaysia, India, it depends on how the demand goes. Most of them are here in the U.S. Equifax is now offering free credit report locking for life, but only offering credit report monitoring through January 31, 2018. As a service, it was available for a year. If you enroll until January, you have a couple of months to use the product. The new product we put in place, where consumers can lock and unlock their credit file, will be available for free and for life at the end of January. And monitoring? We don't have the scope for monitoring at this stage. Victims of this breach will need to be able to control access to the reports from all three credit agencies to fully protect themselves. The other agencies charge between five dollars and 10 for each and every freeze. Are you offering rebates to the victims to cover their freezing costs with the other reporting agencies? The resolution has to be one that protects the consumer. It has to be sustainable. It has to be industry driven.
And work with the government. We offered a service that consumers can use to lock and unlock their credit data for free and for life. We want to work with industry to make sure we have a similar capacity to do it. Your firm recently completed an internal review of the stock trades executed by four senior Equifax executives prior to the public disclosure of the breach. The special committee report found that none of the four executives engaged in insider trading. The report failed to mention that Equifax's chief legal officer, Mr. Kelly, approved some of the stock sales on the same day that he called the FBI to alert it that the company had a problem. It took Mr. Kelly two more weeks to inform the executives that they were no longer allowed to sell stocks. This is totally inappropriate, and yet the report does not even mention Mr. Kelly, and he still works for Equifax. I would like to ask both Mr. Barros and Mr. Smith, do you believe Mr. Kelly's failure to act was appropriate? I think it is not my perspective to provide whether it was appropriate or not. The four executives were defined in a direct form. The special committee continues to investigate, to review the process as related to the cybersecurity incident, including procedures. There is a full investigation by the independent directors of the board. You saw the report published earlier this week. It is not unusual for us to engage outside counsel, outside forensic experts, or the FBI. We have three to 4 million suspicious activities, suspicious attempts. Unusual. Thank you. Thank you, Chair, and the Ranking Member for holding this hearing. I appreciate it. Let me start with Equifax and the concerns I have. I'm from Nevada and there are 3 million people there. 1.3 million were impacted by this breach. Let me give you an example of letters. One woman said no citizen has a say in the practice of reporting to credit bureaus. I do not choose Equifax.
Equifax did not do enough to protect our information. A couple of questions. I want to drill down into the data collected, because I think part of this is the data collection, and we should be looking at that. In a breach of 145 million consumers, the data collected was names of those consumers, Social Security numbers, addresses, birth dates, driver's license numbers, and credit card information. Is that true, yes or no? In some cases yes, in some cases no. What other data do you collect on consumers other than what I identified? Most of the data included Social Security numbers. I'm going to ask for the record, if Equifax could provide me the answer to that question, it would be helpful. Does Yahoo collect driver's license numbers? Not to my knowledge. That is helpful in this discussion. To me the data breach that happened at Equifax is egregious. It happens all the time. We've heard it, I think from what I heard from Ms. Mayer, [indiscernible] is a global challenge. To not only have top line security, sophisticated security. When you fail to do that, you should be held accountable and customers should be notified. We haven't had the discussion on the data. Even those individuals that you work with now and those customers that had credit locks and credit freezes, their data was still breached? It could be that's what they will go after. Social Security numbers. Shouldn't customers be the ones to say I want to opt in and opt out when it comes to data that I'm sharing with you? This is the way the economy works. The customer does not have a choice on the data that you're collecting. I know it. The credit reports do not tell me all the data that you're checking. Isn't that true? I was Attorney General for eight years. Every day I dealt with somebody whose identity was stolen. For the rest of their lives they are going to have to clear their records. That means that somebody will buy a boat and a house in their name. People will commit crime in their name.
They are spending the rest of their lives on it. That's why this is so egregious. You have an obligation to not only look at the data, but make sure you're protecting it. If there is a breach, you're doing everything you can to bring restitution to individuals. Mr. Wilkinson. You talked about the data and Social Security numbers and that we have to look at a different way of identifying. I'm curious if you have anything specific on what we should be looking at when looking at that data, PII. First thing to note. In the case of the breaches, 2,145,000,000 items were leaked. When you combine this with other breaches that occurred, we're getting close to all the personal information in the United States. I think it's a good point to compare and contrast what happened with some of those breaches. That means the financial payment system is reasonably resilient. It was a burden for customers, but the ability for consumers to have a new issue as a fraud is remediated and the ability to do commerce is relatively well known. In addition, the liability largely fell to the financial institutions. I think looking to some examples like what we see in the financial payments ecosystem is a more [indiscernible] example of a system than what we have in this form of identity today. Our identity is out there. I continue to reinforce that our position is that we believe a more resilient identity needs to be brought forward. I agree with you. Identities are out there. For some of us it's too late. For our kids it's not too late. We've got to look to the future and protect their information as well. It is something that, to me, is not static. We've got to continue to figure out how we address this issue. I do agree there should be that public-private partnership; we've got to figure this out for the benefit of those people whose data was taken and who have no choice. They have no choice that companies are taking their personal information; they're monetizing it. They get stuck for the rest of their lives dealing with the results of a breach. So thank you.
Good morning to all of our panelists. This is a question to the panel. Although the most relevant example that we can call on is the response from Equifax to the data breach, there are state-by-state laws to notify individuals when there are security breaches of their personal information. These laws represent the lowest amount of communication required. I'm interested in what companies are deciding to proactively do to help notify and help the consumers affected by these breaches. We could start with Mr. Smith and Mr. Barros. You both stated that Equifax has taken big steps. Many of those steps seem to have come only after public outcry to your initial response. My question more broadly: can you elaborate what considerations you and your companies take into account when determining steps to notify and remediate the damage done? One of the [indiscernible] the notification process. We took it very seriously. The state requirements, first time [indiscernible]. I'm asking beyond that. Those are minimal. What are you deciding to do beyond that, and what considerations are you making? This is one of my top priorities. Consumer response. On the consumer side we made our call centers more scalable. You can get in and out. I'm also talking about your proactive efforts to notify customers beyond the requirements. We've been working with the customers, making sure they use the service that we have provided for free, for the transitional period. We will continue to introduce our new lock and unlock for free for life. The process we did use was an acceptable one. It seemed like it worked. We can pursue this on the record. That isn't my question. I'm asking for now. State laws are minimal; you have to follow them. What are the factors you are considering when you decide when to notify a consumer? At Yahoo we took a proactive stand. Our view was frequently education is required; we did it everywhere. Accuracy and comprehensiveness are very important.
Analyses of how any new data may be misused or abused. At Verizon, what we do, we always obviously look at what the law requires. Then we look at what we think is the right thing to do for the customer. Thank you. Our company doesn't hold consumer information. I wanted to follow up with Mr. Barros about the difference between credit lock and credit freeze services. Placing a freeze on their credit is one of the best ways customers can protect themselves. Equifax stated it will waive the fee for customers to place a freeze on their credit in response to the major data breach. The company stated that it will offer customers the ability to lock their credit for free. Can you share the difference between credit lock and credit freeze in terms of consumer rights and protections? Who has access to a consumer credit record when it is frozen versus locked? Fundamentally, there's no difference between a lock and a freeze. When you freeze, it's a legal process and you make a phone call. You identify yourself. You get a PIN and you are ready to execute. When you do the lock, it's the simplicity of the process. They are trying to go to your file. I see that my time is up. I think there are [indiscernible] experts who would disagree with you in terms of [indiscernible]. One of the things I will follow up with you on is the fees Equifax gets for helping customers. I thank you. I want to start with a question to Mr. Barros. To your knowledge, has any of the data that was breached, driver's license, Social Security, addresses, credit card information, been misused? Do you have any indication that any of those customers, folks whose data was breached, has been misused? Did you have any indication that somebody was using this data to make other choices? What about in terms of Yahoo? Was that a red flag that was brought to your company? We saw no volume of reports.
We did roll out advanced protection against threats that notified users if we saw any indication that their account might be accessed by a state-sponsored attack. Let me roll that out in [indiscernible]. Mr. Wilkinson, you said all this information is in the public domain, but you [indiscernible] out there in general. We would have to assume that. [indiscernible] anybody can protect at this point? I would be surprised. Mr. Barros, you mentioned how individuals were contacted. Yahoo has direct communication. The data that's collected here does not seem to indicate any kind of email address or a way you can send out a warning signal. Will that change your profile in terms of being able to have quicker, more efficient [indiscernible] and disseminate? We would like to be more up front and secure. We have improved significantly the website. We have phone numbers available for the customer with questions. We're doing this through social media, inviting people to talk to us, making sure that we can respond and direct them to the right solution. I can tell you that one of the ways that people want to talk to you is when they get their credit report and they see there something they don't agree with. I think that your company [indiscernible] years and the credit [indiscernible] realized this [indiscernible] problem for the [indiscernible]. I know that happens frequently. You have worked to correct this problem and tried to reach the consumer. [indiscernible] to get a complaint and work through the process, very time consuming and difficult. I'm going to assume that those are tightening up in light of this security [indiscernible] we've seen. This is one of my top concerns I have. Improve the process. I'm interested in your proposal to lock your information as an individual. You said you would have it cost-free in January and the customer can opt in, opt out. How did that work in terms of your business framework? The objective that we have, when we designed this service, is to make sure the consumer will have the power in their hand to lock and unlock their file. When they have a locked file, is it locked from everyone? Yes, nobody can have access to that file. Thank you. Senator Gardner.
I have heard it said this is information, personal identification information. Who owns the information that you provide to your clients, customers? According to the existing regulatory framework, we know that information. Does the consumer have the ability to say I don't want you to have that information? They have the opportunity to lock and unlock the file. Do I have the ability to say I don't want Equifax to have information about me? In the framework that we have existing, the consumer cannot opt out of the file. So the answer is no. If I apply for a credit card, bank loan, that institution [indiscernible]; I have no ability to stop that from happening. You can lock your file. The answer is no, I can't stop that. Whose information is this? Is it your file or my file? From a regulatory perspective, I have the information. I get it. Do you think it's right, though? I think it's not my perspective to say it's right or wrong. It's the regulatory perspective that we work on. Who owns the credit card information that you have on me? Do you think the consumer should own the data? Should the customer own their information? Yes, I believe they should. Should we be able to control our own information, Mr. Barros? Yes. You're saying by putting lock controls in, it's consumer control? When you lock and unlock your file, nobody can have access to your file. What about the decision that was made to manage the data? There were multiple tools we used to encrypt data, including masking, and firewalls, with multiple layers of encryption. Was it made to leave it unencrypted at rest? Since you took over, have you directed the company to encrypt such data, or have you even recommended it? We have done a top-down review of our security situation. Yes or no question. Is the data unencrypted at rest? I don't know at this stage. You don't know? Isn't this the reason why it was breached? This data was unencrypted? Encryption is one form of defense, and we have several forms in place to prevent this from happening. So the data remains unencrypted at rest? We have deployed several different tools, and encryption is one tool. Senator, if I may.
This environment of attack is much more complex than before, with multiple layers of security. There are other experts, security and privacy experts here; is that a good system? I think we have spoken about the value of that, but from our company's perspective, [indiscernible] yes, it is highly [indiscernible] data. So the answer then is that to leave it unencrypted would be irresponsible? Information that's required to be encrypted, in this case it was not. If I could ask one question, when did you notify the other credit reporting agencies of the breach? We notified them when we notified the public. That was around August. Could you give me the actual dates? September 7. Suspicious activity on the 29th and 30th of July. [indiscernible] the FBI, and then we went public on the seventh of September. So that is when credit rating agencies also received that information? Is Equifax currently under investigation by the Department of Justice? Multiple investigations. Thank you. Thank you for the panel here today. Sir, you were the CEO of Yahoo during one of the largest breaches. You testified that the 2014 breach was state sponsored, but you did not conclude that the 2013 breach was; is that correct? We were not able to determine that. Thank you. You did not learn about any of the other breaches until 2016, is that correct? I learned about the breaches at the scale reported in December of 2014. A Russian intrusion in our network, and we saw 26 individuals with political interest in Russia with accounts compromised. We notified the FBI and we put in place a special notice to make sure that people were aware this was happening. Did you learn about the 2013 breach not until 2016? That is correct. What kind of information can you provide to support your claims? Our board formed an independent committee, and they reported on their findings. Is that publicly available? Yes. Mr. Smith, Mr. Barros, current and former CEOs of Equifax, I am grateful for your presence. 3.8 million Hoosiers.
68 percent of Indiana's population was affected by this breach. Can you see why they feel that the company does not have their back? Yes. One of the tragic things about this whole episode is that many of these Hoosiers, many Americans, will not discover until down the road that there was a breach. A mother in Gary, Indiana goes to buy a car and finds out that her credit has been ruined. What is Equifax going to do to remedy the situation for that single mother? That was the idea behind the lifetime ability to lock and unlock your file. If it is locked, you do not have the ability to go rent a house falsely. That is a prophylactic defense, and it seems like a good thing to do. I would say, we have had these massive data breaches, and it is an affront to the basic sense of fairness of most Americans that top executives leave with tens of millions of dollars. I'm not trying to start a class war, but when I am seeing the two top officers responsible for the deaths of sailors, they were fired because of a lack of confidence. Take free enterprise more seriously in the U.S., and I'm talking boards as well as executives; when things like this happen it offends the sensibility of most Americans. Can you understand why that is? Can you understand why they are offended to be on the receiving end of a breach months after the fact, where they may have lost tens to hundreds of millions of dollars? I understand your point, Senator. I only ask for pension. I have waived my bonus. I have worked for months off of generosity. You don't need to answer the question; I'm not trying to personalize it, I am talking culturally, big business in the country. I'd like to talk about one policy issue before you move forward. The idea that credit reporting agencies will give consumers the right to request a lock on access to credit files, at no cost to them: can you pledge that five years from now, Equifax will not be charging consumers to lock and unlock their credit files?
Would you be opposed to Congress providing a law? Thank you. We are expected to lean in that direction, where consumers can lock their files; we want to make that free for life. Thank you, Senator Young. Senator Cantwell. Thank you. We have had several long cybersecurity meetings. Homeland Security has had some; I think the Armed Services Committee has had some. Now is the time for us to be serious about passing legislation, as we did out of the Senate. Particularly, we want to strengthen our infrastructure against possible attacks. These are not the only things being attacked: our networks, our nuclear power plants, our pipelines, a whole slew of things as we continue to grow. We've heard about how more devices and more productivity means more data for people to attack. These are things I hope our committee will join in to discuss, and bring cybersecurity legislation over the line this year; I don't think it's too much to ask. I would like to speak on behalf of 3 million Washingtonians who were affected by the breach. It was my understanding that a patch was implemented that was not followed? That is correct. Why can Mr. Barros not answer that question? He was not in position at the time. My understanding is that what happened was a combination of human error and technology. I defer to him because he actually worked through this process. The reason I'm asking: you understand, I understand the dual role here, but we have to do both. The issue of cybersecurity is here. It is a national security issue, it is a consumer issue, it's a future issue on identity theft and the ability for individuals to protect what they hold dear. We need, at the federal level, to up our game, to address this issue on an international basis. What do we need to put in place to get people on the same page on fighting cybercrime?
At the same time, we have to make sure that everyone understands hygiene, and that the hygiene of your day-to-day business, even your home computer, is going to be a critical role of the world we live in. I want you to understand and speak on how one individual caused such a drastic issue. My first priority has been to harden our security systems. We have done a comprehensive review of process. It includes our patching capabilities, our tools, updating our tools, making sure that our detection process is much more up to speed and up to date. We changed policies to make sure that we have redundancies and closed loops in place, to improve accuracy and precision. Is it enough to have voluntary safeguards, or do you think that something more stringent is required for the industry? We have complied with this code before. The industry is ahead of that in many areas. We are using new tools. We definitely welcome the conversation. I would say that we need something more at this point in time. On that issue, if one employee was able to miss something as critical as this, and put a state at risk, we need something to make sure that this is implemented. Does anyone else on the panel want to answer that question? Mr. Wilkinson? The vulnerability that we are speaking about was called the Apache Struts vulnerability. We became aware of it in March, publicly. This is a zero-day vulnerability. They happen more often than we would like to speak about. When we become aware of the zero-day threats, our need to react is quick, and it has to be conclusive. This is something we are going to continue to see. What you continue to speak about, Senator, cybersecurity hygiene, is very important. I liken it to locks on doors. Whatever we do, there is still vulnerability in the ecosystem and the possibility to be breached. A lock on a door won't prevent you from all crime, but you still put one on your door.
The same idea applies to cybersecurity and zero-day threats. That is my point exactly; thank you so much for that. You just explained that you have to have it. We have national labs working day and night against the unbelievable amount of attacks happening every single day. We have all of these efforts that we're trying to do, from getting a workforce, which the committee had a hearing on, to doing everything we need with companies to follow hygiene with great religious fervor. If actors will continue to hack, we need to do something. But companies also need to follow hygiene. Thank you. Next up is Senator Peters. I know a lot of folks are angry about this incident. Over 4 million in my state. This question is to Mr. Wilkinson. I just want to be clear, this was a vulnerability that was discovered. A patch was created, the information went out, and my understanding is that when this goes out, bad guys find out as well. You are basically broadcasting vulnerability information that people can figure out easily. Experts I've spoken with have said that this was not a sophisticated hack. It was pretty simple because the roadmap was put out for folks to take. We've talked about national or state actors involved, but this was just basically a roadmap being put out for the bad guys. They just got in, is that correct? It is. When zero-day threats are publicized, they do create a roadmap for bad guys. That is why we need to respond quickly to close those threats. The best practice is hygiene. I want to paint a picture for the American public. A roadmap is put out for all the bad guys who want to do us harm. We have a company that has some of the most sensitive personal information about each and every one of us, and as we heard from testimony, we don't have a choice in the matter. Companies can collect this information. They don't even take the time to look at a roadmap that has been put out, and there is a breach?
I can't think of a clearer definition of gross negligence anywhere than a company that has been entrusted with the most trusted data, and customers don't have a choice for you to hold that. To hold my Equifax information, many don't, but you have that information. My other question, I guess, is that after a breach has occurred, a criminal may wait before using that data; is that correct? That is correct. So it will be a while before we even see it being used. In your professional opinion, is there ever an end after a breach? This type of data, being out exposed in the wild, is forever, and will never be credibly used for secure identity again. So we have to worry about this the rest of our lives? Yes. Mr. Barros, you mentioned there is free credit monitoring for one year. Is that correct? Yes. It started when we announced the breach on September 7. We extended to January, and you still have 12 months. Why only 12 months, when we heard that we have to worry about this for the rest of our lives? We believe that the action to come out of this is to protect consumers. For one year? Well, why not for the rest of their life? The consumer can lock and unlock information for the rest of their life. But that is only with your company. This information is in all sorts of avenues that can be used to create a false identity. You are saying that you can lock your credit with us, going forward, when you still have more abilities with all the other agencies? This is pretty simple if you are a bad guy. Don't go to Equifax. I've got the keys to the kingdom; I am going to go other places. We need to create incentives to stop this kind of behavior, and make sure people have the highest standards in place, and certainly gross negligence should never be acceptable. If you are giving out information of mine, and I did not have to have the information given, I understand you make money when you provide information to a financial institution.
You make money off of my information, which I have never asked for. At a minimum, you should let me know that you are making money off of that. I should be giving you permission to make money off of my information. I don't understand why I don't have the ability or tools for any agency right now to make sure that I have control, as we had talked about. I am out of time, but I think this raises a host of major issues related to privacy and control of data. Right now, we don't have any incentives to get companies to protect that information. You profit from it; you do not protect it. A simple, unsophisticated hack had access to 140 million people. There needs to be strong liability for companies that do not protect information and jeopardize Americans for the rest of their life. You need to be stripped of that liability, and stepping up to make sure that those consumers are protected for the rest of their lives. Hopefully we consider that moving forward. Thank you, Senator. Senator Markey. Thank you, Mr. Chairman. The public wants us to do more to protect privacy, but earlier this year Congress rescinded broadband privacy and security rules. These ensured that Verizon and other broadband companies adopt reasonable security protection. These protections ensured that broadband providers implement up-to-date data security practices, provide appropriate oversight of security practices, properly dispose of sensitive information, and notify affected consumers within 30 days of a breach. Still, Verizon opposed these and worked to ensure that they were repealed. It was argued that we need a light touch. The 3 billion Yahoo account users, and 145 million users in America, understand that light touch means hands off and free rein. Now, because of congressional action, free rein for broadband providers such as Verizon to collect and share data of consumers without their consent is now the law, to avoid security protections and not promptly notify consumers when they have been breached. This testimony states that security has always been in Verizon's DNA.
During today's hearing you stated that Verizon would support national data security legislation. But they have actively and vigorously lobbied to eliminate these notification protections. How are these two positions consistent? Verizon believes that there should be a single national framework when it comes to data security and processing. We support legislation in both of those areas, and we would be happy, as I said earlier, to work with your office or other members of this committee on what that should look like. We think that there should be one overarching framework, and this was not that. Well, here's where we are. We have nothing now. You repealed the law that actually requires that there be protection. Now we have nothing. From my perspective, you did not have to repeal one of the most comprehensive data security and privacy frameworks to develop a national security framework. You could've advocated for Congress to have the FCC or the FTC give security protections to websites as well. Instead, you opted to eliminate the rules altogether. That is the problem we have right now, that we had very strong data security and privacy protections on the books. They were removed as part of the CRA, a vote on the floor of the Senate and House earlier this year. Here, we hear concerns about the need to have legislation. We had it, and it was going to actually work, in terms of ensuring that the regulations would be put on the books. Instead, we have nothing. In retrospect, do you think it was in the public interest to eliminate these data security and breach notification protections? If you could go back in time to earlier this year, would you still remove those protections? Yes I would, Senator. Again, we think there should be national data breach legislation. I appreciate that; you advocated strongly to remove protections. Even today, you are not regretful at all. That's going to be the environment in which we are working right now. That is where Yahoo was, and these other companies.
We had a strong regime that was in place and was going to be stronger, and that is in fact what the American people want. They want to know that there is real security around the data that cuts to their very identity. I think ultimately we are going to see a big price as year after year goes by, because it is not talk but action that makes the difference. Those actions have been taken. They were on the books. Now that is gone. Thank you, Senator Markey. I think there are ways that we can address data breach that don't involve class-action lawyers. We ought to be looking at the tools we need to hold bad actors accountable. Next senator. Thank you, Mr. Chairman, and thank you for meeting at this important time. The impact is incredibly far-reaching. I want to take a moment to highlight how state and federal entities rely on these services, such as Equifax, for credit monitoring and other services. For example, Equifax lost over one million identities. A variety of methods are available to veterans. If they are not comfortable going online, they can access their information by fax. They can request changes to their facility, and the changes can be made if the Social Security number matches the person making the request. These methods were made in an era when valid Social Security numbers could be used as an effective tool for identity. That is no longer the case. My questions to you are simple. Following the loss of millions of Social Security numbers, what concrete steps did Equifax take to notify consumers and offer solutions to the governments to prevent information and identity from being stolen?
We have spoken with these different administrations in order to make sure we enhance the communication process and have solutions that will allow people to know how to protect themselves using our service. When you went public about the breach, when did you contact the DoD or the Department of Veterans Affairs to inform them and explain what they would have to do? Since I got here, I asked my people if they had done this, which they did a few weeks ago. Was anything done, Mr. Smith, if you know, when the breach was known and when it became public? Specific to the veterans? Specific to government agencies in particular, but specifically to the U.S. Department of Veterans Affairs and the Department of Defense. Not that I am aware of. I'd like to know, so please find out and provide me with that information. We will do that. I want to be clear that veterans need these funds to pay their rent, get groceries, to keep the lights on. When they notice that their disability benefit was not deposited and contact the VA, this is only the first step of a complex and arduous maze that a veteran needs to go through just to get disability benefits restored. When they notice that it does not go into the bank account it goes into, thinking back to when this breach occurred, you will see that veterans will still be suffering because you did not tell the VA. Hopefully you told them that there is no evidence that you had. The VA has to understand first that it received information, then has to process the information to return funds to the U.S. Treasury Department. Then they have to get a confirmation from the Treasury that the fraudulent payment was actually recouped, and then the Treasury returns the funds, before that money is returned to the veteran. Best case, a couple of weeks, but I wouldn't be surprised if it took a couple of months.
Given your company's role in failing to safeguard their data, I would like Equifax to make commitments to work with the VA, veterans organizations, and individual veterans to provide valuable support and services such as unlimited free credit services and monitoring for life. Would you make that commitment to the men and women who laid down their lives to protect you, your family, and your business? We have engaged with the Department of Defense and the Veterans Administration. The products we have will be offered. You will not offer credit monitoring to veterans affected, for life? They have been locked in. Again, that doesn't help. The bad guys are going to go somewhere else. You are saying that you will not make this commitment to our nation's veterans? The people who protect your ability to make money, your freedoms? You are not going to support our disabled veterans, who were wounded in the service of the country? You will not provide credit monitoring to them for life? We believe that the lock product is a safer product than the monitoring we had. The answer is no. Well, I am over time. I yield the chair. Thank you for holding this important hearing. The testimony I have heard is pretty discouraging. 846,100 New Mexicans had their creditworthiness endangered by the carelessness of Equifax employees. When you previously testified, Mr. Smith, you said that data was stolen and stored in plain text and had not been encrypted. This is an unacceptable practice for an organization with such power over consumers' lives, and it is painfully clear that Americans cannot rely on large companies to protect their data. As a possible solution: Congress banning the use of unverified Social Security numbers in commerce. There is strong bipartisan support for this. These numbers were never supposed to be used as a universal online identification number.
I'm glad to hear that this is going forward with interest, and that Congress is into it as well. With interest, we should look at technology and trust online, look into security, and ban the use of online Social Security numbers. I look forward to the work that has already been undertaken. The following are yes or no questions for the entire panel. Is it necessary for online commerce to rely on a Social Security number, Mr. Barros? Please give me a yes or no; it is a simple question. The Social Security number is a security process that was developed in 1936. I think we need to have a different perspective when dealing with e-commerce. So your answer is yes, it is necessary to rely on it? Today, some sites do rely on it. Mr. Smith? I would love to see it replaced; until then it is the standard. We do not collect or store Social Security numbers for the conduct of our business. Verizon would be happy to work on an alternative for Social Security numbers. The Social Security number is a static identity, and a static identity is not secure, will never be secure, and will not be secure in the future. Do your businesses require a Social Security number before you will do business with a consumer? Most of our business is done business to business, so we deal mostly with entities. A small portion of our business requires information that varies on the consumer side. I concur. Ms. Mayer? No. Not a typical one, but it is something that is required for a credit check. We are focused in an area that does not collect Social Security numbers for consumer information. Thank you. Do you think that the development of a secure digital identity number could break the cycle of identity theft? Yes. Yes. I think it is necessary, but not necessarily sufficient. So, yes. Yes. The final question: do you think that Congress should ban the use of these Social Security numbers while promoting the use of secure digital identification? I need to understand the proposition, but anything that can move us forward from a static number, we would support it. I agree.
I don't know that my opinion matters, but I agree. Mr. Wilkinson says yes. The Trusted Identities Group is comprised of a public and private partnership that is looking into an easy-to-use digital identity. I will ask the final question here. Will you commit to working with my office on ways to improve the current working group and expand its efforts? Definitely. Thank you. Mr. Smith? Yes. Absolutely. Thank you very much, Mr. Chairman. I really appreciate you holding this hearing; I know there was great interest on both sides of the aisle. Hopefully we can find a bipartisan way to deal with this situation. Senator Udall? Given that I am the last one to ask questions, I thought I would use this opportunity to welcome Mr. Wilkinson. I hope things are going well in my home state. A hundred of your employees are from our state, so thank you for being here. I know much of this ground has been covered. In your testimony, you mentioned Brazil's model of identity solutions, and in this model the government works to provide digital certificates of identification. How did they ensure that the government's private partners can keep citizen information safe? Brazil is a great example, but there are some models that we can share with you, Senator, that are being used around the world. Certainly, the framework they built for security is close to what we are proposing going forward. But the comment that the Senator made was accurate. They're doing really good work that we would love to spend more time with the committee to discuss, about what security could look like in the future. Mr. Smith appeared before. Thank you. I believe I have shared my frustrations before. Equifax has announced that it is launching an app in January to allow consumers to lock and unlock credit data while giving consumers more control over their credit information. We do not want to have new avenues for hackers.
Are there additional cybersecurity challenges that come with the global technology, and how will these products be tested? The products are being developed as we speak; we are on time to deliver in January. One of the things is simplicity, for how consumers can understand and use the application. We just started our development test now, and this is a connection to our main files, so all security needs and requirements will be done in compliance with security. I have been working on election issues since I am on Rules, and I have a bill to upgrade our election equipment. We had an attempt to hack 21 state equipment manufacturers or software companies. It goes hand in hand with some of the attacks I've seen in companies. Ms. Mayer, we had attacks similar to what we think occurred in the 2016 election. In your experience with Yahoo, how do state-sponsored hacks differ from individual hacks? In many ways, the motivation is different. I would say they tend to be much more sophisticated, the state-sponsored? Yes, the state-sponsored are more sophisticated. They spanned over several companies, trying to put together a picture of what they are actually seeking. They are very good at hiding their tracks. Of the four people indicted in the case with Yahoo, one of them is considered one of the most dangerous hackers in the world today, a central figure in many cases around the world today. With people that motivated who work such a sophisticated network, it is definitely an issue. What do you think we can do differently with state-sponsored attacks? I think that a really aggressive pursuit of hacking is important, and I was pleased with the FBI and the Department of Justice's work with Yahoo to bring the people who perpetrated the crimes against us to justice. I think we need to empower them legislatively and financially. There is not enough of a disincentive now to hack, on a criminal or public level. You are talking about a much more aggressive pursuit in addition to everything we are doing to prevent this?
Yes, one of the individuals in the case was from Canada and was extradited to the U.S. A good example. On the election side, we have to get back to paper ballots. It is an issue that businesses face as well, though, so thank you very much. Thank you, Senator. You guys made it through. We'll keep the record open, and we will allow members to submit questions for the record for a couple of weeks, but we will want to close it out. If you could respond as quickly as you can in writing to the questions submitted by committee members, we will get that taken care of. I appreciate you being here today to shed light on this issue. The committee has an interest in moving forward on the legislative front in a way that will hopefully be effective, so that we can prevent these types of cyber attacks in the future. Thank you again, and with that, this hearing is adjourned. We will be back on Capitol Hill this morning for the Ways and Means Committee markup. They are working on the House Republican proposal to overhaul the tax code, and they are hoping to finish the bill by the end of the day. Live coverage when they return at 9:00 a.m. Eastern time on C-SPAN3. Here on C-SPAN, Washington Journal is live with issues that impact you. We will be joined by Republican Tom Garrett to discuss policy issues following the recent violent attacks in Texas and New York City. Then Dan Rather discusses his new book, What Unites Us. It all starts with your phone calls, live at 7:00 a.m. Eastern. Now we return to Capitol Hill, where Kirstjen Nielsen took questions at her confirmation hearing yesterday. Nielsen previously served under former Homeland Security Secretary John Kelly. This runs for two and a half hours. Good morning. We are here to consider the nomination of Kirstjen M. Nielsen to be the Secretary of Homeland Security. We will be making introductions later on. Karens