This committee will come to order. This morning we will hear testimony from Richard Smith, former chairman and chief executive officer of Equifax, who held those positions until last week. I understand that you are now serving as an unpaid adviser to the company, and I appreciate your willingness to testify here and appear about the events surrounding the breach and Equifax's response while you were leading the company. Given the severity of the data breach, Congress will continue to examine the facts behind it and what can be done to prevent similar situations. Cyber security is one of the most pressing issues facing companies as well as consumers and governments alike, and is one of the biggest threats to our financial system. The amount of data that private industry and government collect and store is very concerning. There's intrinsic vulnerability in collecting information, and we need to have a meaningful discussion on how to protect and limit access to it. The Banking Committee takes oversight of credit bureaus seriously, as they are financial institutions under the act. Credit bureaus serve a critical function and have become a daily part of every American's life. Every day these institutions intersect in people's attempts to get credit cards, car loans, mortgages and other items. Consumers may know about their involvement in their lives, such as when they directly request a credit report, but sometimes they do not, like when a company requests a background check to determine their eligibility for a cell phone. The ability of Americans to easily access credit is one of the many things that make our economy and our country the envy of the world. It is also why this breach is so shocking and concerning. Here's what we know based on information from Equifax. Equifax experienced a cyber security breach that potentially impacted more than 145 million U.S. consumers.
The data that was taken included names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers. In addition, credit card numbers for approximately 209,000 consumers and dispute documents with personally identifiable information for approximately 182,000 consumers were accessed. According to Equifax, the unauthorized access took place from mid-May through July 2017, with Equifax discovering the situation on July 29th and then finally cutting off the intruders. Here is what we need to know. Why did it take Equifax six weeks from the time it learned of the breach to tell the public, regulators and victims about it? Why were Equifax executives trading during this time? How strong were, and are, Equifax's cyber security practices? After the breach, what interactions did the company have with other government agencies, in order to understand what, if anything, can be improved to mitigate harm? There are valid and important questions about the steps Equifax has taken and whether more needs to be done to minimize the potential harm. I look forward to having these questions answered and exploring different options on how companies can safeguard consumers' information. Senator Brown. Thank you. The story of this data breach is a familiar one. A big financial institution screwed up. Executives walk away with millions of dollars; tens of millions of Americans end up holding the bag. Unfortunately, Americans have come to expect that the Equifax story will play out the same way as the Wells Fargo scandal. A couple of executives retire, some lose bonuses, a couple of fines are issued, and we find out the problems go much deeper. Most Americans never chose to have their data scooped up by Equifax. You said that since 2005 Equifax has been rapidly transforming itself into, in your words, a global analytics company by collecting huge troves of information on people to sell to marketers and employers. You almost never ask people if they want to be tracked.
Most of the 145 million people, and that number seems to climb every week or so, while it is over half of all adults in the United States, most of the 145 million people whose data you allowed to be stolen probably only had a vague idea of what Equifax was, if they had heard of you at all. They read in the paper that their personal information has been compromised. While they may not have known the name Equifax, they should expect that the company that gathers the most private information about them would have state-of-the-art protections for that information. A gold mine for hackers should be a digital Fort Knox when it comes to security. Security doesn't generate short-term profits. Protecting consumers apparently isn't important to your business model, so you gather more and more information. You peddled it to more and more buyers. You bought a company called TALX to get access to detailed payroll information: the hours people worked, how much they were paid, even where they lived. 7,000 businesses. You were hacked there too, exposing the workers of one proud Ohio company, 400,000 workers at Kroger, and an unknown number of other people's information to criminals who used it to commit tax fraud. In May of this year your outside law firm stated that Equifax instituted additional security measures in order to prevent a recurrence of the TALX incident, just like you're claiming you're doing now. Yet at the same time hackers had already taken advantage of another security flaw to get into Equifax's system. It has been ten weeks since you discovered this latest breach, but I don't think we have a complete answer to the question of what happened and why. We do know this breach could have been avoided if you had taken the simple step of administering security patches, but your response after the fact may have been just as negligent. You told the House yesterday that Equifax knew at least some people's data had been exposed on August 15th.
Rather than giving victims a chance to protect themselves, you withheld this information from the public for weeks. You claim that you delayed telling the public about this hack so you could get an appropriate consumer response put together. But when you finally did tell people what happened, Equifax's website and call centers were immediately overwhelmed. You even tried to take advantage of the situation by sticking victims with a forced arbitration clause. Think about that. You tried to take advantage further, even with all this, when the public was so upset because you had betrayed their trust. You snuck in a forced arbitration clause. At least in this instance, you backed down under public pressure, unlike Wells Fargo, which yesterday continued to resist. We sent a letter requesting basic information. For example, is there a company policy on stock sales? The best we got from the company was, quote, Equifax will work with committee staff to provide a copy of the policy, unquote. We're not talking about trade secrets here. I just don't get it. Despite your promise to deliver a free credit product next year, all of Equifax's actions up to this point demonstrate that this simply is not a company that deserves to be trusted with Americans' personal data. Your actions have exposed over half the country's adults to financial harm. Equifax has forfeited its right to corporate secrets, so please don't make the same mistake that Wells Fargo did. Now is the time to give this committee the whole story. Thank you. We will proceed to the testimony. We will hear testimony from Richard Smith, former chairman and chief executive officer. Mr. Smith, your written statement will be made part of the record and you may proceed with your oral remarks. Thank you, good morning. Thank you, Chairman, thank you for the opportunity to testify before you this morning. For the last 12 years I have had the honor of serving as chairman and CEO of Equifax.
I have submitted written testimony that addresses the details of my testimony in far more detail than I will get into in my oral comments. I have talked to many consumers and read their letters. I understand how frustrated and fearful many Americans are about what happened at Equifax. This criminal attack took place on my watch. I take full responsibility as CEO at the time. I want to say to every American, I am truly and deeply sorry for what happened. Americans have the right to know how this happened, and I'm prepared to testify today about what I learned and what I did about the incident in my role as CEO and chairman of the board, and also what I know and what I have learned about the incident as a result of being briefed by the company's investigation, which is ongoing. As we now know, this attack was made possible because of a combination of a human error and a technological error. The human error involved the failure to apply a patch to a portal in March 2017. The technological error involved a scanner which failed to detect the vulnerability on this particular portal, which had not been patched. Both errors have since been addressed. On July 29th and 30th, suspicious activity was detected. We followed our security incident response protocol at that time. We began our internal security investigation. On August 2nd, we hired top cyber security and legal experts, and we notified the FBI. At that time, we did not know the nature or the scope of the incident. It was not until late August that we concluded that we had experienced a major data breach. Over the weeks leading up to September 7th, our team continued working around the clock to prepare to make things right. We took four steps to protect consumers. First, determining when and how to notify the public and, relying on the advice of our experts, needing to have a plan in place as soon as we announced.
Two, helping consumers by developing a website, staffing up a massive call center and offering free services to every American. Three, preparing for increased cyber attacks, which we were advised are common after the notice of a breach. And finally, number four, continuing to coordinate with the FBI in their criminal investigation of the hackers and notifying other federal and state agencies. In the rollout of our program, mistakes were made, for which, again, I am deeply apologetic. I regret the frustration that many Americans felt when our websites and call centers were overwhelmed in the early weeks. It's no excuse, but it did not help that two of our larger call centers were shut down for days by Hurricane Irma. Since then, however, the company has dramatically increased its capacity, and I can report to you we have handled more than 420 million consumer visits to our website, and the wait times at call centers have been dramatically reduced. At my direction, the company offered a broad package to all Americans, all of it free, to help protect consumers. In addition, we developed a new service that will be available January 31st, 2018, that will give all consumers the power to control access to their credit data, to lock and unlock their credit files whenever they want, for free and for life. Putting the power to control access to data in the hands of the American consumer is something I will discuss in detail during my testimony. As we have all learned, data security is a national security problem. Putting consumers in control of their credit data is a first step toward addressing the problem of identity theft. No single company can solve the larger problem on its own. We need a public-private partnership to evaluate how to best protect consumers' personal data. I look forward to being a part of that dialogue. Chairman, Ranking Member Brown, honorable members of the committee, thank you for inviting me to speak before you today. I will close by saying how sorry I am about this breach.
On a personal note, I want to thank the many hard-working and dedicated people who worked with me so tirelessly over the last 12 years. Equifax is a good company with thousands of great people trying to do the right thing each and every day. I know they will continue to work tirelessly, as we have over the past few months, to right this wrong. Thank you. Thank you, Mr. Smith. Mr. Smith, you discussed the need to give consumers control of their own data. Yesterday you said it's time we changed the paradigm: give the power back to the consumer to control who accesses his or her credit data. It's the right thing to do. But we are far from that reality today with credit bureaus. First, what needs to be changed to give consumers this power? The start is this lock that we're introducing, which will come out in January of next year. It gives the consumer the ability to control who accesses the credit data and when. It will be a simple tool: if he or she wants to go to a bank to get a credit card or a car loan, open the access for the underwriter to look at the credit file, toggle it off, and it's secure. If that solution works, that is a solution, or part of the solution, with regard to other actors or illegal actors. What about the government? Does the Federal Reserve have access to your data? At the consumer level? If the consumer locks their file, they lock out anyone's access. You are not in a position to be required to provide this personally identifiable data to that agency? If a consumer locks their file to prevent access to their file from any other bank or telecommunications company, they would be the only ones to unlock that file. We cannot unlock that file on their behalf. Even if asked by a government agency, as opposed to an inquiring bank? I'd have to check that. I would appreciate that. You mentioned we may need to think about how secure Social Security numbers really are and if they are the best identifier for consumers going forward.
I worry about the fact that Social Security numbers have been out there since 1936, and used to be on our driver's licenses and used for our employers. You talk to cyber security experts and they say the vast majority of all SSNs have been compromised. I'm in no way disregarding the issue of the breach that we had. It was horrific. Once again, I apologize to this committee and all Americans. But I would encourage a dialogue to talk about what is a better way to identify individuals, something beyond the SSN. Do you have any ideas as to what that might be? What could we transfer into? I do not, but I would love to be part of that dialogue, the combination of a public-private partnership to think about that. There's a lot of thinking going on right now. I'm sure with the right thought and priority, we could crack that code. Thank you. There have been some issues and confusion relating to the product you just discussed and the services that Equifax has offered in light of the breach. Some of my constituents have said they are having trouble gaining access to the products being offered. What exactly are customers being offered today, and what do they need to do to obtain these products and services? Thank you. We are offering five different services for free, and to repeat, this is for all Americans, not just the victims of the criminal attack. Number one, it is a three-bureau monitor to monitor activity against your credit file from TransUnion and ourselves. The ability to lock the file. Number three is the ability to scan the dark web on behalf of the consumer, looking for Social Security activity that might occur. Number four, access to our file for free. Number five, an insurance product that helps recoup costs up to a million dollars if a consumer has costs in trying to fight to repair their credit. Those are the services that are available, plus the lock for life, which is the next generation of lock. Thank you very much. Senator Brown. Mr.
Chairman, according to your testimony, over the last three years you spent 250 million on cyber security. That's about 85 million a year, correct? Yes, that was an estimate that is approaching a quarter billion. Since 2016 you have made personally about 69 million. Is that correct? I don't track that number, to be honest. In hindsight, do you think Equifax should have spent more money protecting people's data rather than compensating you so well? I look back at the money we have spent. It's not a matter of money spent. It's obviously, when you look at the issue in hindsight, could you have spent money differently. There's a benchmark out there that benchmarks financial services companies and their total security spend as a percent of I.T. It talks about a range of 10 to 14 percent. Ours is 12 percent. I know there weren't as many questions, because your answers were pretty long, and I understand the complexity. But you're an I.T. company and that's not acceptable. This past August at the University of Georgia, you bragged that Equifax gets its data cost free, and also how you approach data fraud, and responded that fraud is a huge opportunity for us. Your filings back that up. They state that a significant portion of your revenue comes from selling credit monitoring and fraud protection services to consumers. Do you think it's fair that Equifax gets to take consumers' data, makes millions by selling it to data mining companies, and charges fees to those consumers for credit monitoring products after they have become identity theft victims? We take their data and combine it with analytics and allow underwriters and banks. As a percent of total revenue from selling monitoring products to consumers. The point is you keep making money off sensitive data either way. Equifax doesn't get its data from consumers. It gets it from their banks and security companies without the consent of the borrowers and the employees.
Congress long ago, as I think you know, decided that companies would not traffic in people's medical records, for obvious and good reason, and that they needed consent for a transfer. Why shouldn't we do the same with financial records? You know how important that personal financial data is to people. Why not do the same with financial records? Do we need to change the consumer reporting industry in this country to give ownership of the data? Should they be allowed to request that you delete the data from your systems? We're a vital part of the global economy. We provide a great service to the consumer, and they limit access to credit. We also enable the unbanked because of our data. Yes, there are things we could do better as an industry, working with government. And the one thing I'd like to see us talk about as an industry is this concept of giving the consumer the power to control their data. One small step forward is the concept of this lock for life. I'd like to see the industry move in that direction. I'm trying to read between the lines. Is that a yes or no? A better way to get at that is this concept. So that means no. Correct. Even though we do it with medical data, and even though, fundamentally, if you don't think consumers should be allowed to control their own data, the question is why should a company that has had so many security failures be allowed to control their data. That's the fundamental question that this company hasn't asked, or certainly hasn't answered to the public. Thank you. I would note to the senators that Senator Brown and I stayed within our five minutes. I encourage all of you to follow that pattern. It's kind of impressive. Let's take a minute to talk about why we're here. Big picture, it's this. There's a really small group of credit bureaus in America, and by small I mean three. If you're an American who buys a home or a car, you typically have to be cleared by one of those three.
Even if you don't have a relationship with one of the three, if you're a consumer who didn't choose this. You think about the OPM hack; people were choosing to apply for a security clearance. We have people here who didn't have any relationship with you and didn't choose to engage with you. If you get a credit card from one of the countless offers that Americans get every day in their mailbox from department stores or gas stations or airlines, it's not uncommon for one of the three credit bureaus to obtain your information. So what happens when something goes wrong? What happens when one of the big three is hacked? What happens if you're one of the Americans who had their information stolen? What happens if five years from now an American has their identity information stolen? What happens when there's a reasonable suspicion that folks at your organization may have engaged in insider trading? There's a lot of anxiety that Americans feel, and they are Americans who don't have the benefit of powerful attorneys and lobbyists. This hearing is one of the only shots at a full account of what went wrong, who is to blame and what's going to happen about it in the future. I'd like to discuss this question about those impacted by the breach and how long you think Equifax's exposure and responsibility lasts. If you're an American, you don't have the ability to change your name, your mother's maiden name, your Social Security number. And your organization is committed to providing identity monitoring services for the next year. But I'm curious about whether or not Equifax and your board have deliberated. Do you think your responsibility ends in one year, two years, five years, ten years? And if you think it ends at some point, if you try to think about the goodwill and balance sheet impact of all this, how can you explain to an American whose identity might be stolen later why your responsibility would end? Does it end? I understand the question. And it extends well beyond a year, Senator.
The first step we took was the five services we mentioned. The control is going to the lifetime lock: the ability for the consumer to lock down his or her file and determine who they want to have access, for life. Isn't that about people who might be breached in the future? I'm talking about the 145 million whose data has been stolen. Does your responsibility end? What do you think your legal obligations are? The combination of the services we're offering is a good combination. I think the innovation for the big three is quite interesting. But why does any of that five really do much for the data that's already been stolen? Senator, the combination of the five offerings today plus the lifetime lock is the best offering for the consumer. I don't think you really answered the question about whether or not your exposure legally ends for the 145 million. Do you know the number broken down by state? Not off the top of your head, but do you have the data that we could have by tomorrow? Can you parse it by state, so each of us knows how many constituents we have? I believe so. We should have that capability. I'm hesitating on by tomorrow. Let me take... We do have it. Great. Thank you. It's being reported in the media this morning that you have just received a no-bid contract from the IRS for fraud prevention. Can you explain to the American people, not just as consumers who have been exposed and breached here but as taxpayers, why should you get a no-bid contract? My understanding is it's with the IRS. It's a contract we have had in the past that's being renewed. We're going to follow up with the IRS as well, if you could clarify. I want to open the allegations of the Equifax executives engaged in insider trading relating to knowledge of the breach. One of the clearest times and definitions occurs when a business executive trades their company's stock because of confidential knowledge that they have gained from their job.
I'm sure you can imagine why Americans are very mad about the possibility that this occurred here. While insider trading is going to be discussed a lot more later in this hearing, I wish you could just quickly give us a timeline of the first steps. When did Equifax first learn of the May 2017 breach, and when did you inform the FBI of that breach? Thank you. I'll answer as quickly as I can. We notified the FBI, a cyber security forensic team and an outside global law firm on August 2nd. At that time, all we saw was suspicious activity. We had no indication, as I said in my oral testimony, of a breach at that time. You might recall the individuals sold stock, and we did not have an indication until mid-to-late August. So you're saying those three executives had no knowledge of a breach on August 1st or 2nd? To the best of my knowledge, no knowledge. And they had sales cleared through the proper channels. We all have follow-ups on that. Senator Tester. Thank you, Mr. Chairman. I want to thank you for being here today, Mr. Smith. I apologize for not being here during your presentation. I had a business meeting on another committee. So I didn't hear your timeline. I will give you mine, and start with the first notification, in March of this year, that you had a vulnerability. Did you do anything? We were notified on March 8th, and on March 9th, in traditional patch protocol, communication was sent out. Did you do anything to fix the potential vulnerability? There were two steps I discussed in my oral testimony I'll walk through. There was a communication breakdown within I.T. The message did not get to the right person. So ultimately nothing happened. Two things happened. You did the notification. But in the end, there was nothing done with that notification to fix that vulnerability. The scan was applied, looking for the vulnerability. It did not find it, so the patch was applied. Let's fast forward to the 29th of July.
You learn for the first time that your company has been hacked. You don't know how big the hack is, but it was preceded by this notification. Three days after, you had three high-level executives sell 2 million in stock. That's when you notified the FBI of the breach. Can you tell me if your general counsel was held accountable for allowing this stock sale to go forward? Or did he not know about the breach? Clarification. On the 29th and 30th, a security person saw suspicious activity and shut the portal down on the 30th. There was no indication of a breach at that time. On the 2nd we brought in outside cyber experts, forensic auditors and the FBI. The trades took place on the 1st and 2nd. At that time, the general counsel who cleared the stock sales had no indication of a security breach. I'm going to tell you something. This is just a fact, and it may have been done with the best of intentions and no intent for insider trading, but this really stinks. It really smells really bad. And I guess smelling bad isn't a crime, but the bottom line here is that you had a hack that you found out about on the 29th. You didn't know how severe it was. You told the FBI about the breach, and on that same day high-level executives sell 2 million worth of stock, and then you find out at the end of the month, or at least by the first part of September, that this is a huge hack. You finally notify the public. As was pointed out in this committee, these are people that didn't ask for your service. You gathered it. Now it's totally breached. Then, as the senator said, what's the length of exposure here? You said we do these five things. That's proactive. I think we can all applaud those efforts. I'm going to tell you that doesn't do a damn thing for the people who had their identity stolen. So let me ask you this. Their credit rate goes up a little bit, and they go buy a house on a 30-year note and it costs them 25,000. Are you liable for that? I understand your anger and frustration. We apologize for the breach.
We have done everything in our power to make it right. We think the services we're offering are the right first step. I would just tell you this. And I think Equifax must be a benefit company. But this length of time on a breach this big, in this day and age, when we have folks that are pretty damn good at this stuff, when the Department of Homeland Security says you've got a problem, and it wasn't really dealt with in a way like it was really a problem. You can say you sent out the directives, but in the end, you end up with a very severe breach. The problem we have got here, and I will just tell you this, the impact and the numbers by states are important. It's about 600,000 adults. And I think it's about two-thirds of the adults in Montana, which is probably 500,000. In a state of a million, that's a lot. So consequently, those people are going to be impacted for a long time. Why? Because this happened, and you can say I'm sorry it happened, but the notification taking six weeks in the 21st century is unacceptable. I will just tell you that. It's unbelievable. I appreciate you coming in front of the committee. Senator Scott. Thank you for being here this morning. Certainly we all are a tad confused about the knowledge that you had and your execs had. It seemed to, at least the stock sale seems to suggest more information than we are getting here. So I want to walk through the numbers and the timeline to better understand and appreciate what happened. You said that they did not know about the breach, but there was suspicious activity that was reported. Did you know about the suspicious activity on July 29th? Not on the 29th. On the 31st you were notified? Correct. So the next day your senior executives sold nearly 2 million in stock, for a profit, comparatively speaking to your September 7th stock value, of about 655,000.
So at the price the execs sold their stock for, netted against the stock price that would have been on the 7th, they netted 655,000, during the same window that the average person who learned about the breach lost 6.4 billion, or 36 percent of the stock value. Is that accurate? I have not done the math. I trust it is. So Equifax tells the public about the breach on September 7th, which is six weeks later. The stock dropped to 92.98 a share, and dropped from 146.26 per share. The executives who sold the 1.8 million benefited about 655,000, if you average in that 36 percent difference. There are roughly 120 million outstanding shares of Equifax. That means that folks who have Equifax stock in their retirement accounts, the mom and pop businesses that are saving for the future for a large purchase and say that's in Equifax, all those folks bore the burden of a 6.4 billion drop in valuation. At the same time, the general counsel didn't know, the CEO didn't know, so all the folks in the executive suite had no clue, but they were the luckiest investors on August 1st, to sell the stock at the best price, to net 655,000. This was pure luck and nothing else. Was it? A few thoughts. Go back to the 29th and 30th. We experience millions of suspicious potential attacks each year. It's not like the suspicious attack that occurred on the 29th and 30th was the first of that year, of that month. Suspicious attacks occur all the time. That's number one. Let me ask you a question. If you were to look back at the executives' stock sales on the other millions of suspicious activity, was there ever a suspicious activity that led to, within a 48-hour window, a sale of stock? The window was open. Second quarter earnings call. Totally open for a short period of time. The first part of that window is open. As you get into the opening, you know more and more about the quarter and the financial performance of the company. So the behavior you saw is normal behavior.
Point number two is they did follow the protocol. They got the clearance. The window was not closed by the general counsel. I have known these men for a long time. One of them has been my CFO for three and a half years. These are honorable men that followed the protocol that was outlined by the organization. I believe that you are innocent until proven guilty. But I will say that what you guys want us to believe as a committee, the U.S. Senate, the Congress, the investors in Equifax and the entire nation, what y'all want us to believe is that the three luckiest investors who sold their stock did so without any knowledge that that suspicious activity may be bigger and more powerful than any other suspicious activity, perhaps in the history of the company. I find that hard to believe. Senator Warner. Thank you, Mr. Chairman. Mr. Smith, I appreciate you being here, but we have seen a history of other companies, of Yahoo announcing today their breach was 3 billion, not the billion they initially acknowledged. But for a company like yours, where American citizens have no right to opt in, no customer-based relationship with you, I think it raises a whole host of policy questions we can't get into today, but I think this committee needs to look at. I think we have to ask honest questions. Who owns this data? How do you get the right to this data, that's our personal information, and yet your company's practices of cyber hygiene are sloppy in the extreme? The fact that there was a known vulnerability, that you didn't have appropriate internal controls in place to easily patch this, is an issue. The fact that it took so long for the senior leadership to get its act together is inexcusable. And what I find, what I'm going to spend my time on, because I could echo what my colleagues have said about how long it took, but then once the breach was known, the complete sloppy, haphazard approach you took was inexcusable.
The site you put up that you directed customers to go to, to not use your existing domain. You created a whole new domain site. In that domain site, there were known software glitches. You initially offered people a bait and switch scam to say we're going to give you a year of free protection, but by the way, you're going to give up all of your legal rights by agreeing to some small print arbitration agreement. The fact that the site that you directed people to was so faulty and so sloppily put together that even entities like the Architect of the Capitol would not allow users to access the site because they thought it was so vulnerable. The fact that you then also required individuals, after their information had been hacked into, abused, potentially now vulnerable for who knows how long, to enter your last name and last six digits of your Social Security number. What in heaven's name were y'all thinking? The fact that your official Twitter account mistakenly tweeted a link four times instead of the company's actual breach response page. Even if I'm going to try to give you the benefit of the doubt of sloppy cyber hygiene and somebody made a mistake and didn't find until after the fact mistakes were made, when this was all known, you said you created a company that was an information-based company. You had this level of sloppy cyber response. What do you say to the Americans who had their private information violated? On every level would not make basic cyber standards.

Senator, I understand your... the American public. I apologized not only for the...

I'm not asking. I'm asking to say, how do we tell the American people, how should any American, say again, I've got no option of opting in that you're going to get my personal credit information. Why should anyone have any faith that you're putting anything into place that's appropriate when the immediate action was so sloppy and inadequate in terms of your remediation site?

The ramp-up was overwhelming.
We had to go from 500 call center people to almost 3,000 in two weeks. We went to the cloud computing Amazon site for scale. I think I mentioned in my oral testimony, we had over 400,000 consumers come to our website.

My time is up, but I would only say telling me how many more people you hired and scaled up, that's not what my question was. My question was, why was your site so technically flawed? Why did you send people to a new domain site that wasn't properly registered? Why was your Twitter account sending people to the wrong site? Why was this site so badly put together that institutions like the Architect of the Capitol wouldn't even allow consumers to touch it because it was too faulty? Even giving you the benefit of the doubt on everything that happened beforehand, your remediation efforts do not pass basic cyber 101 hygiene.

Senator Perdue.

Thank you, Mr. Smith, for being here today. Just for the record, are you the current CEO of Equifax today?

No, sir. I'm retired.

And you resigned your position?

Correct.

Would you tell the committee why you did that?

I thought it was best for the company to have a new leader come in and resurrect this great company. I have agreed, Senator, to work with the company for as long as needed. It's been a company I've loved working for for 12 years. The company has done a lot of great things around the world. I've agreed to assist any way I can for free for as long as they need.

Today there are two issues. What happened, how did it happen and what's going to be done to rectify that with the current individuals that were harmed by this? The second issue is this entire cyber security issue. When the now chairman Jay Clayton of the SEC was before this committee, we asked this same question. Under the antitrust laws there are... is that correct?

There are ways for us to talk to different entities when needed. The agency is an example. There's a network we belong to where we talk about issues and trends in cyber security.
We take advantage of that.

In this situation, were you able to talk to your two biggest competitors when you were warned earlier in March and when you discovered it in July?

No, Senator.

Why were you not able to talk to them and warn them of similar activity?

We didn't know enough at that time either to talk to them.

Later, when you did know enough internally, were you limited by antitrust law or were you able to fully talk to these competitors?

That, I'm not aware of.

Senator Carper and Senator Blunt are working on a Data Security Act that would provide a national standard and make it clear. If you look at the current law, it's not clear on these cyber breach notifications for people within an industry. A national standard like this, would that be helpful for your successors and other people in this industry?

I believe so.

Let's talk about credit record freezes. It seems to me in the day of the app, when my 6-year-old grandson knows how to get on and get unlimited access to apps, that a person who has data stored in one of these credit companies could go in an app to manage your credit scores. What keeps you from giving the ability to freeze an account? Today if you want to freeze your account, you have to go to your firm, each of your competitors and others, pay a fee, get a PIN, remember the PIN and freeze it. To unfreeze it, you have to go back and activate the entire process again. Most Americans are not going to be able to do that. What keeps the industry from moving toward a simple app that some individual can be informed about to preclude this sort of exposure?

That's where we're heading. Our service that we are offering, which will be an application on a smartphone, allows you to freeze or unlock instantly at the time you want. I would encourage two of our competitors to come together as an industry and offer that service to all consumers on one site.
The things you could do if you had the consumers, the power at their fingertips to lock and unlock any time they want, that for all three credit reporting agencies, would be powerful. What would you tell your successor? In most businesses the number one entity they worry about is the customers. The individuals you're talking about really weren't customers of Equifax. What advice would you give your successor to rectify this situation?

We're a 118-year-old company. We've always prided ourselves on being a trusted steward of data. We've got to regain the trust of the consumer in America.

How do you do that?

By doing what's right with the consumer. We're starting by offering these five services, offering the lifetime lock. It takes time. When you have the size of criminal attack that we allowed to occur, it takes time to regain that trust.

Thank you.

Senator Warren.

Mr. Smith, Equifax has been hacked several times in the past few years. It is consistently rated as having some of the worst data security practices in the financial services industry. And this latest hack happened through a hole in your system that had been identified months before and could have been fixed pretty easily. The whole thing is staggering. A company like Equifax that has sensitive personal information on most Americans should have the best data security in the industry. And instead it has the worst. I want to understand why. So I started to look into this. One thing jumped out at me. In August, just a couple of weeks before you disclosed this massive hack, you said, and I want to quote you here, "fraud is a huge opportunity for us. It is a massive growing business for us." Now, Mr. Smith, now that information for about 145 million Americans has been stolen, is fraud more likely now than before that hack?

Yes, Senator, it is.

Yeah. So the breach of your system has created more business opportunities for you.
For example, millions of people have signed up for the credit monitoring service that you announced after the breach. Equifax is offering one year of free credit monitoring. But consumers who want to continue that protection after the first year will have to pay for it?

The best thing a consumer could do is get the lifetime lock.

I'm asking you the question. You're offering free credit monitoring and you're offering it for only one year. If consumers want it for more than one year, they have to pay for it.

Yes.

They're going to have to pay after one year if they want your credit monitoring. And that could be a lot of money. So far 7.5 million people have signed up for free credit monitoring through Equifax since the breach. If just one million of them buy just one more year of monitoring through Equifax at the standard rate of $17 a month, that's more than $200 million in revenue for Equifax because of this breach. But there's more. LifeLock, another company that sells credit monitoring, has now seen a tenfold increase in enrollment since Equifax announced the breach. According to filings with the SEC, LifeLock purchases credit monitoring services from Equifax. And that means when someone buys credit monitoring through LifeLock, LifeLock turns around and passes some of that revenue directly along to Equifax. Is that right, Mr. Smith?

That is correct.

That is correct. Okay. So from the second Equifax announced this massive data breach, Equifax has been making money off consumers who purchase their credit monitoring through LifeLock. Equifax also sells products to businesses and government agencies to help them stop fraud by potential identity thieves. Is that right?

One clarification. You mentioned the LifeLock relationship, which is accurate. At the same time, the majority of that revenue... we're no longer selling consumer product directly.
My question is every time somebody buys through LifeLock, and they've seen a tenfold increase since the breach, you make a little more money. We actually called the LifeLock people to find this out. I asked you the question, but I already know the answer. It's true. You're making money off this. Equifax sells products to businesses and government agencies to help them stop fraud by potential identity thieves, right?

To the government, not business. We sell business, but not to prevent fraud.

To stop identity theft, you don't have any products you're touting for identity theft purposes?

The vast majority we do for businesses is not fraud.

You've got three different ways Equifax is making money, millions of dollars, off its own screwup. Meanwhile the potential costs to Equifax are shockingly low. Consumers can sue, but it turns out that the average recovery for data breaches is less than $2 per consumer. And Equifax has insurance that could cover some big chunk of any potential payment to consumers. I want to look at the big picture here. From 2013 until today, Equifax has disclosed at least four separate hacks in which it compromised sensitive personal data. In those four years, has Equifax's profit gone up? Mr. Smith?

Yes, Senator.

Yes, it has gone up, right? In fact it's gone up by more than 80% over that time. Here's how I see this, Mr. Chairman. Equifax did a terrible job of protecting our data because they didn't have a reason to care to protect our data. The incentives in this industry are completely out of whack. Because of this breach, consumers will spend the rest of their lives worrying about identity theft. Small banks and credit unions will have to pay to issue new credit cards. Businesses will lose money to thieves. But Equifax will be just fine. Heck, it could actually come out ahead. Consumers are trapped. There's no competition. Nowhere else for them to go. If we think Equifax does a lousy job protecting our data, we can't take our data to someone else.
Equifax and this whole industry should be completely transformed. Consumers should decide who gets access to their own data. When companies like Equifax mess up, senior executives like you should be held personally accountable and the company should pay mandatory and severe financial penalties for every consumer record that's stolen. We've got to change this industry before more people are injured.

Senator Tillis.

Thank you for being here. I have one question that I want to get to. First, can you explain to me why you believe as a strategy the lock versus the delete option is in the best interest of the consumer?

Yes. Senator, we, I think, provide a very valuable service to the consumer, allowing he or she to get access to credit when they want access to credit. If they are not in the system, they hinder their ability to get credit.

Let's say you had a delete option so there wasn't a transactional opportunity for a consumer to have that information available to people who are maybe underwriting a loan. Let's say that if you had all three information providers delete your financial record, how do you think that would affect somebody trying to apply for credit?

If you're not in the credit ecosystem, you don't get a loan.

Do you think that's more pronounced given some of the changes with financial regulations and underwriting practices and scrutiny from the federal government?

I do.

You all have a problem. I associate myself with a lot of the concerns. One thing I would ask you to do, you said that the three individuals in question for disposition are honorable people that have been employed by Equifax for several years. I think that would be helpful for this committee. Here's the other thing that we could be missing here. You all made a big mistake. You sound like you've got some remediation practices in place. I think you do have to get right on the long-term obligation you may have. There's a difference between a breach and exploitation.
At least the other day when I asked about any evidence of exploitation of the data breach, we haven't seen any yet. But it seems to me you've got to create some sort of a footprint on the data that was exploited so that over time you could make a decision about whose problem it is to remediate any exploitation beyond the year pathway. I mentioned yesterday the problem that resulted from maybe controls and processes at Equifax should be your problem, not the consumer's problem. In other words, you need to make it very easy and no cost to the consumer to fix a problem that they became a part of. Rather than you get into the details in this committee, it would be helpful for me to get some assurances that that's the case. I use an example of an inappropriate parking ticket that I got using a ParkMobile app in Charlotte. When I called the folks up and said I've got a receipt, they said you can appeal, you can file it, and we're sure it was because maybe your license tag got mixed up. I said my license tag at the time was a three. They were trying to make their problem my problem. You need to be absolutely certain at Equifax that they can convince us that you're addressing this and not making your problem the consumer's problem. I do think it's very important for people to understand the potential chilling effect you could have if you erase your financial history from the system. We expect you all to protect it and be good stewards of it. I had another comment to make. You're an aggregator of... Again, I would think that your system should be more impervious to attacks than mom and pop shops, than other people who are aggregators of data. Congress needs to start thinking big picture in how we can get the U.S. economy to a point where, if you become more difficult to penetrate, then I just go to the sources, and then I can pick it off and maybe do it in organizations that are far less sophisticated than you.
If people think that the credit reporting agencies and the big banks are the only ones that are vulnerable, I would suggest you get a book I have in my office called Hacking for Dummies. You need to be held accountable. Equifax needs to be held accountable. We need to be held accountable and recognize we have a role to play to protect this economy. Otherwise this is not going to end. Thank you for being here. We will potentially submit some other questions for the record. But I think it's in your best interest to give us more information on the stock disposition patterns for the executives in question. Thank you very much.

Thank you. I understand, Senator.

Thank you, Mr. Chairman. North Dakota is a state of about 740,000 people. Our attorney general estimates that 248,000 North Dakota families have been affected by this. And let me tell you, I've heard from a lot of them. And I want to just tell you that I am deeply concerned about the remedial efforts and how all of that rolled out to begin with. First off, if you have this level of information on consumers that they didn't give you, that's all part of this thing that Elizabeth was talking about, and you don't have a system in place for a fire drill on what you do if you're breached, after you told us that you get notifications all the time of potential breaches, and then you say, oh, we had to create all of this system. We had to create this thing out of whole cloth, right? That's what you've told us. Why the rollout after the breach was notified, why it went so poorly and why people were not protected and why in many cases it was like okay, but we're going to charge you a fee if you do this. My consumers are like, why do I have to now spend money to protect myself when it's their fault? And so I think it's not enough for you to say, my goodness, look at the magnitude of this, when you should have anticipated it, the same way you should anticipate whether you have a fire in a building. You should be ready when it happens.
We all know it's going to happen again. And I'm saying this because I want all CEOs who have access to this kind of information to know I'm going to ask a question on what they're doing to prepare for a breach. Now, I want to get back to the FBI. Look, we had a lot of these breaches. This happens all the time. We didn't realize it was as serious as what it was. What is the date you notified the FBI and who made that notification?

Senator, the date was August 2nd. The head of security at that time would have notified the FBI, the cyber security forensic team.

And when would the head of security have notified your chief legal counsel or chief legal officer?

On or around that same time.

When did he approve the stock trades?

On the 1st and 2nd for the three individuals.

It was suspicious activity. How many times do you notify the FBI?

I don't have that specific data, but it's not unusual.

I get that. I want to know how many times when you're notified you actually turn around and notify the FBI?

We can get the information. I don't have that.

That's a problem, because it looks pretty suspicious. And your chief legal officer has some explaining to do. Even after he knew there was a notification to the FBI about this level of breach, he did not claw back or try to undo those transactions and reverse what clearly appears to be a pretty beneficial situation for three of your employees. I want to talk about remedial measures and go back to consumers. You know, obviously we're in this very big discussion about what we're going to do with mandatory forced arbitration. You know, it's interesting because if I go out there and sign a contract with somebody, maybe I can protect myself, maybe I can't. I don't think that fine print in a contract is anything other than illusory. We can argue that point. Why should you ever make that choice and mandate forced arbitration in your business?

Point of clarification.
The intent was never to have an arbitration clause in the product, the services offered to the consumer at that time. It was part of a boilerplate product we were offering to consumers prior to the breach.

Let's just ignore for a minute the breach. Why should the consumer not be able to make that choice, especially in this situation when the consumer is not your customer?

To be clear, that was not the intent for the breach. An arbitration clause is a legally viable path for us to take at this time. That's why it was in the consumer offering.

I think we've got some real challenges in taking a look at how we provide a real remedy to consumers in this situation. This won't be the first time that we have a hearing like this. We had one yesterday. We're having one today. I guess my warning, Mr. Chairman, would be I'm going to ask every person out there who has responsibility as a CEO for consumer data to do the right thing. And that is, right now, start thinking about if this happens to me, how do I treat my consumers and the people who have lost their personal data. And maybe we ought to start thinking about opting in as opposed to opting out. So I want my credit locked until I unlock it. Why can't I have that option? Why do I have to pay to have my credit locked?

You don't. It's free. It's part of the offering we just made.

For the breach.

For lifetime.

Thank you, Mr. Chairman.

You're retired as of last week. You leave with your base salary, unvested options and a pension, roughly valued at $90 million. Help me to understand why that's fair.

Those numbers don't resonate with me, sir.

What's the number then? You should know.

Clarification, I stepped down last week. I told the board at the time I stepped down I will not take a bonus. There's no severance. I'll work for as long as the company needs for free. I've asked for nothing. What I walk away with is a pension that I've earned over my career and unvested equity.

Is it fair to say that's in the tens of millions of dollars?
It's in the proxy.

The proxy discloses the value of the... that's how we got to $90 million. But if it's $45 million or $23 million, my question stands. How is that fair?

The pension, Senator, is something I've earned for my career. And the other piece is the earned equity I've already been given.

Do you think that's fair?

Senator, I grew up as a young guy in the Midwest. I never envisioned having a career like I've had for the last 36 years. I've been fortunate. I've worked hard. I don't set those compensation levels. The board does, and the board is elected every year.

Your investor presentation from August 16th, 2017, mentions nothing about the data breach, even though by July 29th you knew your system had been compromised. By August 2nd you obtained outside counsel and informed the FBI. I assume at some point around August 2nd you knew something more significant than usual was up. Is that true?

No, that's not true. It wasn't until later in August that we had some indication of the size and scope and complexity of the breach. It was not on August 2nd.

So August 16th your message to investors was, quote, "enduring business fundamentals support long-term growth," and the first time data security is mentioned is at the end of your materials where you tout your role as a trusted steward of consumers' data. Do you think that Equifax should have disclosed the possibility of a major data breach to its investors?

We talk to investors routinely. We disclose that one of the greatest risks we pose each and every day and fight every day is cyber security.

Right. But you retained outside counsel, you informed the FBI, people are liquidating their stock. I guess I'm wondering whether that pattern seems to indicate that somebody knew something pretty significant was up, but somebody made a judgment to not disclose that, not just to 143 million Americans but also investors. It seems to me that's material, reportable.
And whether or not you follow the letter of the law, it seems to me that investors ought to know if something is going to impact the company. You had to have some clue this was percolating in a negative way.

We are very transparent with our investors that security is always a risk. They're well aware of that. They price that into their value of the company. Obviously on the 16th, I think, is when you referred to the investor relations team had a presentation around the 16th. We had not gone public with anything. We did not know the scope or size of the breach. So obviously we could not disclose that at the investor meeting.

You didn't know the scope and size of the breach, I get that. So you decided not to disclose it at all?

To the investors?

Yes.

We didn't know there was a breach at that time.

Why wouldn't you inform the public about it?

The timeline, as I walked through the 28th, 29th and 30th of July through September 7th, lays that out. It wasn't until late August we actually had an indication of the breach.

What happened on July 29th?

July 29th is when a security individual saw suspicious activity. On the 30th saw it again, shut down the portal to stop the incident.

And it took you six weeks to figure it all out?

Again, we bring in cyber security experts who do this for a living.

You don't do it very well for a living, to the extent that you make massive profits off the mistakes. None of us have the volition to enter into a contract with you. You are not doing it well for a living, except that you are all making a very nice living at it.

Before calling Senator Kennedy, I want to do a clarification. Senator Sasse asked about if you had state-by-state information. You seemed unsure. Your team informed you in real time that in fact you did have that.

I was just informed it was given to each of the state AGs earlier. Released by the company, I believe it was Monday.

That has not yet been distributed to the AGs.

I am told the state AGs have that record.
We're not the state AGs. We do a lot of things bipartisanly in this committee. That letter was sent two full weeks ago and was not provided. I hope you get that to us quickly. That's the way you should operate.

I found out about Equifax's contract with the Internal Revenue Service in an interview this morning with Stuart Varney. How big is that contract?

I saw it this morning as well. Maybe it was last night. It referenced a $7.5 million contract. I'm not sure if that's multiyear.

Do you have other contracts with the Internal Revenue Service?

We may, sir. I'm not aware of it.

Could you get me a list of all of Equifax's contracts with various governments?

Yes, Senator, we can do that.

The contract of $7 million and change, does that involve taxpayer information that you would have access to?

Senator, it's my understanding, and I do not profess to be deep in this particular contract, it is to prevent fraudulent access to the IRS. Beyond that, if you want more information, we can get that for you.

You realize to many Americans right now, that looks like we're giving Lindsay Lohan the keys to the minibar.

I understand your point.

Let me ask you about a credit freeze. I've frozen my credit at all four of the bureaus. I'd like a commitment from you today that you're going to ask your former company, I think you still own quite a few shares. I want you to make a commitment to putting a free app available to anybody so that you can just go to your app, toggle on and off access to your credit files.

Senator, I agree with you. We like that idea. That's going to go live for every American consumer the end of January 2018. It will be free for life.

So you're committing to do it.

Yes, Senator. We've been working on that for months.

This whole unfortunate experience, Mr. Smith, has raised larger issues. And one of the issues that is raised is to whom does your former company, I'll call it your current company because you're still working there...
To whom does your company have an obligation? My understanding of your business model is that you collect my information without my permission. You get the information. You take it along with everyone else's information and you sell that information to businesses. Is that basically correct?

That's largely correct.

And you also have a premium service to monitor the information that you collect about me. So if there's some bad information that you collect about me, you sell me a service to monitor it and correct it. Is that right?

Senator, just for clarification, roughly 90% of everything we do is helping banks and others make informed decisions about lending money to consumers. The monitoring you're referring to, to consumers, is a very small piece of what we do.

But it just seems incongruent to me that you have my information, you don't pay me for it, you don't have any permission. You make money collecting that information, selling it to businesses. And I think you provide a service there. Don't misunderstand me. And you also come to me, you can't run your business without me. My data is the product that you sell. And you also offer me a premium service to make sure that the data you're collecting about me is accurate. I mean, I don't pay extra in a restaurant to prevent the waiter from spitting in my food. You understand my concern?

I understand your point, I believe. Another way to think about that is the monitoring product that you're referring to, Senator, in the future is far less required if you as a consumer have the ability to freeze or lock and unlock your file. That is free for life.

But it's not just the freeze part. What if you have bad information about me? Has an agency ever had bad information about you and you had to go through the process of correcting it?

Yes, Senator.

It's a pain in the elbow, isn't it? I mean, the burden is kind of... you have my data, which you haven't paid me for. You're earning a good living, which I don't deny you. I believe in free enterprise.
But you're earning your money by selling my data, which you get from me and don't pay for, to other people. But if the data is wrong that you have about me, I would think you would want to make it as easy as possible to correct it, not as hard as possible.

I understand your point. It's an important point for the entire industry to make the process as consumer friendly as possible.

If there's an error on your utility bill, your bank bill, your credit card statement... can you commit to me today that Equifax is going to set up a system where a consumer who believes that Equifax has bad information about him can pick up the phone and call a live human being with a beating heart and say, here's this information you have about me that you're selling to other people, you're ruining my credit and it's not true and I want to get it corrected. How are you going to correct it? What information do you need from me to prove it's incorrect, and when are you going to get back to me, and give me your name and phone number so I can call you?

I understand your point. There is a process that exists today.

It's difficult, Mr. Smith.

I'd be more than happy to get our staff to reach out to you and point out what we're doing to improve the process.

Mr. Smith, on September 19th, myself, Senator Heller, Senator Tester, Senator Menendez sent you a letter. And the letter we sent expressed concerns about the impact on the roughly 1.3 million active duty U.S. military personnel, especially the 200,000 currently stationed overseas who may lack the access and resources required to place a credit freeze on their files or take other necessary measures to adequately protect their personal information. We requested you immediately detail the specific actions Equifax will take to ensure our service members are not victimized any further by thieves with access to personal information such as Social Security numbers, dates of birth and home addresses.
In response I received a generic letter from Equifax that never even mentioned service members, that basically said thank you for your interest. In your written testimony today, you also make no mention of our service members or the military. So I'll again ask the question that should have been answered. What specific actions will Equifax take to ensure our service members are not victimized any further?

We apologize if we did not get back to you. Someone dropped the ball, and I'll look into that quickly for you. The service members around the world have the same ability, if they have access to the internet, to freeze, lock, get access to the products. If not, they have the ability to have a power of attorney in the U.S. to act on their behalf.

Let me ask you about some of our young men and women at bases in Iraq or Afghanistan who may be somewhat otherwise occupied than having the chance to get on the computer and get their lock going on. Let me ask again and say, for those members who are serving in remote or high conflict areas, what is it that you can do to make sure their identities and financial information are safe?

Again, they have the ability to have a power of attorney, and that power of attorney can act on their behalf.

You know, that's pretty weak tea for someone who's in a location where they may be occupied keeping their country safe and having their hands full with others.

Let me take that on. I'll get back with the company and see if there's anything else we can do specifically for those overseas.

Due to the cyber attack, you know, roughly 145 million Americans have had their information compromised. Equifax has said you now offer free credit freezes, but there's also Experian and TransUnion. What I want to know is will Equifax also offer free credit freezes at Experian and TransUnion?

The lock we offer for life is a product I believe the entire industry should rally around. It's my understanding that TransUnion also offers a lock product for free.
Its my understanding its not for life at this time but they offer it for free. Well, this breach was caused by equifax. What will equifax do to ensure that there are free credit freezes for those 145 million americans at experian and transunion as well . You know, i dont want to see folks have to rally around this or that or try to figure out how to navigate the internet to get it done for themselves. What will you do for those 145 million americans, our friends and neighbors, millions in my state that will provide a free credit freeze at experian and transunion. Again, senator, the things we have done is the five services we offer for one year combined with a lock for life. And i would invite transunion and experian to follow suit. Those services you just described do not include a free credit freeze at experian and transunion. That is correct. So in other words equifax wont do anything to provide that. Again were offering our five Services Plus lock for life. I guess that answers the question that i was asking. Which then leads to my next question, which is what is equifaxs obligation to consumers who fall victim to Identity Fraud due to this breach . How does equifax plan to address the financial harm that can come to our families . The design was the thought to offer these five services, allow someone to lock their file for life to minimize the downstream harm. What happens if someone is harmed . That is the extent of our offering. If a family is damaged financially, there will be no compensation provided. The five services were offering is for free. The lifetime lock is for free. Which doesnt touch at all upon the question i just asked. Senator rounds. Thank you mr. Chairman. Id like to go back into a little bit different question for a little while.
I would suspect that there are probably thousands of ceos and Board Chairman for publicly traded companies as well as some Large Private Companies that when they heard about the theft of data that was in your care, custody and control that they looked back at your operations and said can that happen to us. I would suspect there were a number of chief Information Officers out there who were being called into the front offices to explain and to reassure that they did not have the same vulnerabilities found within your operation. I also suspect since youve got experience in working with multiple major organizations, that youve seen how boards work and youve seen how the bosses do their own type of a command and control and get feedback. I would imagine that youve lost a lot of sleep wondering what it was that you could have done differently and what message you would send to other individuals if given the opportunity. Were going to have a lot of people get hurt on this and there are people you had data from. If you could go back a year and look at your operation and tell us what you would do differently to demand things be changed if there was any inkling at all, what would you do . Senator, as you might guess, since early august myself and the entire team has been focusing on addressing this issue, has been working around the clock trying to first and foremost understand the forensics of what occurred and maybe why it occurred and then communicating to consumers and regulators and state ags alike. Ive had no time to reflect as a leader who is apologizing and takes full responsibility what i would do differently. Im sure when i have time to reflect, there will be things ill look back on and say if i only had done this. That time will come but to be honest i have not had that time to reflect. As many Board Members or chairman would do, they rely on a cio to provide them with assurances.
Did you as a member or with the boards doing their Due Diligence, do you feel that Due Diligence that was expected of you as a board and as the chief executive officer, do you feel like you did the Due Diligence necessary to assure yourselves and to get Second Opinion that is the cio was actually doing the job that they needed to do and they were doing their own sense of Due Diligence in this process . The cio i had has been there for eight years. He was a very seasoned cio. Ultimately the responsibility stops with me, not him. He is no longer with the company, nor is the chief security officer. Ultimately that responsibility stops with me. I read through your written statement and i caught time and again and sometimes we go for the fact you were the victim of theft as well. There were bad people that got into your system. The obligation that you had to protect that information that was in your care, custody and control is clear. And i think that sometimes organizations that have that data, they assume that somebody else is doing their job. They assume that there are reasonable expectations of Due Diligence being completed. I guess what i was hoping to hear was something along the lines of, yeah, if i could send a message to other ceos out there, is dont just listen, do the double checks, find out, ask for the outside assistance. And i guess im not hearing that. I know this is early in your process. But nonetheless, it seems like that would have been one of the first things that most ceos would have said is if i could do this over again, i would have fixed this. Im looking for that. I know that you did make a point in there of saying were using Social Security numbers out there and weve got to go to a different system. If nothing else, youve thought about that. What would you do or what would you recommend in terms of a different system for identifying and maintaining data belongs to individuals safe in a case like this . I dont have that answer. 
Ive spent a lot of time talking to people in the cyber world and they are convinced and theyve convinced me there has to be a better solution than an instrument introduced in 1936. It was never intended as an identifier for people. No real answer yet . Not yesterday. Thank you. Thank you, mr. Chairman and mr. Smith. Good to have you here. Consumers dont authorize equifax or any Credit Reporting Agency to collect their personal information, do they . Not to collect it. So you vacuum up lots of information and you provide it to people who say theyre interested in the credit of somebody who may be applying for a car loan or home loan or other loan, right . Yes. So you have an incredible amount of power over peoples lives. You collect all their personal information and yet their life decisions may in many cases depend on what you say to a bank or another lender, isnt that right . Okay. Isnt it a fact that when somebody goes for a loan, if you tell a lender that someones a bad risk, theyre a lot less likely to lend. We dont make that delineation for the bank. We have that data. Ultimately the banks but you provide the credit scoring, right . Theres an individual firm called fico that provides the score. And they do that based on the information you provide, correct . Correct. They found that equifax, experian and transunion are the three most complained about companies in america. Are you familiar with that finding . Yes. Its a little misleading. That is the complaint portal, if i may. If the chairman wants to give me more time, i will. But i will just submit something for the record if youre interested. The point i want to make is this was from september 8th, 2016. This is even before we had the incredible intrusions into the data and the exposure of data. People pay many other companies billions of dollars in the event that you make a mistake that needs to be corrected, isnt that the case . Im sorry. State that again.
Consumers who have information incorrectly included on one of your reports, they often have to pay a lot of money to other firms to get it corrected. Isnt that the case . No, thats not the case. If a consumer has a im talking about the Credit Repair Services. What do they do . The process im asking about these Credit Repair Service companies. They are making money now to try to help consumers correct mistakes that are often put in your reports or other Credit Rating agencies. There is an industry that does that. A consumer can come to us directly and dispute that issue. I guess those industries are making billions of dollars but they really dont need to exist in your testimony. Are you aware of the fact that id like to put in the record a Washington Post story from 2016, how the careless errors of credit reporting agencies are ruining peoples lives. Without objection. Id also like to include in the record something from cnbc titled the real problem with credit reports is the astounding number of errors. Without objection. Id also like to put in the report the ftc study from february 2013 that said 5 of consumers had errors on their credit reports that could result in less favorable terms for loans. Without objection. Because the whole model of this industry is you collect information without permission from consumers. And yet their lives depend their economic lives depend on decisions you make. So i want to go back to something with respect to forced arbitration. Clearly we have a powerful company thats often up against one individual whos trying to get something corrected on their Credit Rating report. And yet in the aftermath of this incredible breach, you said that you would provide credit protection, but only if consumers gave up their right to get their day in court. Now, your testimony today is that was a mistake, that you did not mean to apply it in this case, is that right. That is correct. 
But you do apply forced arbitration in many other instances, right . In the Consumer Products. If youre looking out for the rights of consumers, why dont you give them the choice of how they seek their remedy . I understand your issue today. That arbitration clause is a legal provision and we follow that. Youve paid lobbyists on capitol hill im asking you a question then. Have you paid lobbyists on capitol hill to fight the rule that was put forward by the Consumer Financial Protection Bureau . If youre referring to the harmonization bill im referring to the legislation that would overturn the Consumer Financial Protection Bureaus rule that prohibits forced arbitration clauses. If we spent time on that, i am not aware of that. You said its part of the law so youre just abiding by the law. Will you agree that consumers should have the right to decide how best to protect themselves in legal matters . If that becomes law, well follow the law. Thats not my question. I understand. My question is where do you stand on the issue of allowing consumers to choose how they seek recourse when they believe theyve been wronged . Senator, i understand the question. Today arbitration is a part of the law and were following the law. Yeah. And so youre following it even though it may be unfairly treating consumers, is that right . I understand your point. But you chose to suspend that law that you could have enforced that on these individuals, right . It was never the intent as it related to the law would have allowed you to do it. It was never thats not what im asking. The law would have allowed you to do that, right . Yes. And you chose not to because you thought consumers would be better protected by having choices. If its good in that circumstance, why isnt it good for consumers all the time. Weve had a couple of requests for a second round. I will go with a brief three-minute second round.
Following up on senator van hollens very good line of questioning about your curious statement that youre following the law, but youre not following the law in the one case but you are in the other. I dont entirely get that. In your written testimony you state that terms and conditions attached to the Free Solutions that equifax offered included an arbitration clause. You said this provision was never intended to apply in this case and you were informed the clause was included. Apparently it was sent out to your customers and you didnt know it was in there. I assume you are more sophisticated in these Financial Instruments and transactions than most of your customers. You were informed the clause was included because essentially it was cut and pasted from a different equifax offering. But this inadvertent error could have prevented, if not unearthed and then protested then pushed back and you dropped it. This inadvertent error could have prevented 145 million victims from pursuing their legal rights in court. Your company failed by allowing this breach of 145 victims. You sent out a restitution to them with forced arbitration. You backed off the forced arbitration. Dont you think fundamentally its unfair that the ability of 145 million americans to seek justice in court could have been taken away simply by a cut and paste job . Doesnt that show how unfair forced arbitration is to customers . To be specific to this particular issue, it was an error as you noted. We were made aware of the error. I believe we within 24 hours removed that clause. It was never intended to be a clause applied to the breach. But that wasnt really the question. First of all, you say it was an error. I guess i believe that, that it was an error, although your company has given us cause to not believe some other things. Doesnt that show how unfair forced arbitration is .
If this inadvertent error had taken away forced arbitration on 145 million americans, doesnt that show how unfair forced arbitration is . I have no opinion on that. But you used forced arbitration in other cases. Correct. So it was unfair to those 145 million in that circumstance, but its not unfair to customers in other circumstances on whom you imposed forced arbitration. It was never the intent for us to have ill close, mr. Chairman. I appreciate your indulgence. I just cant understand why you think for those 145 million in that case that forced arbitration is unfair but in other uses in your company, you seem to think its fair. It just puzzles me. Senator heitkamp. Thank you, mr. Chairman, and i just wanted to come back and offer a couple suggestions because were all struggling, and obviously, your company has had a huge hit to its reputation. We found out today that the irs has been forced to continue your contract by your protest. Thats why that contract was continued. And we in spite of some very interesting timelines, the belief that you have that there was no Insider Trading. So im just going to offer a couple suggestions for you. Number one, tell the irs its okay to migrate the contract someplace else and say were fixing, getting our house in order. We understand that we have ways to walk back our reputation, and were going to withdraw our protest on the loss of that contract. And the other thing i would suggest to the three individuals who may be completely innocent but the rest of the shareholders who took the hit, theyre more innocent than employees of that company, of your company. They should give the money back. They should give the money back. And so i think theres other things that, you know, i think theres an attitude that we come here, we do everything possible. You know, were trying to do our level best, but many, many times its the symbolic things. Its like forcing the irs to take this contract for another year.
Like a very suspicious timeline that has led us all to believe that there should at least at a minimum be an investigation. All of that could be undone with a gesture of goodwill. I understand youre not the ceo of the company. You said youre still in an advisory role. My advice to you is do some things that are very, very visible, and those are two things you could do that would give us some certainty that this is being taken as seriously as what it should be taken. Thank you, mr. Chairman. Thank you. And i will conclude with three minutes of questions as well. And mr. Smith, i wanted to get back to my original question. A lot of the questions youve gotten today, appropriately, have been very specific with regard to equifax and the equifax breach. I want to focus on the broader issue as we conclude. In my initial questioning to you, i talked to you about whether any experian data went to other entities. I was referring to governmental entities, the cfpb, the Federal Reserve, we had a discussion about the irs. And there are contractual relationships, i understand, with the use of this data. And let me just talk about the cfpb as an example. In september of 2014, the gao did a report which i requested on cfpb Data Collection. They found that cfpb at that time, thats three years ago now, had access to account level credit card data on between 546 to 596 million consumer accounts on a monthly basis. Representing 87 of the credit card market. Gao also found that at that time there was not adequate protection at the cfpb of this data that they were collecting. In this report, it indicated, again, this was in 2014, all of the sources of data that the cfpb was collecting, and experian shows up in that report, 700,000 vehicles per month, information procured from experian. Vehicle purchases and the data on those purchases. 10.7 million consumers, cosigners and borrowers with Consumer Credit information from experian.
And another 600,000 samples of Consumer Credit reports and Consumer Credit scores on those reports from experian. Now, experian is not the only entity that is providing data to the cfpb. There are in this same report, for example, nine unidentified large Financial Institutions using a commercial data aggregator who provided 25 million to 75 million total account sets of data involving individual consumers credit card account level data with linkages to their credit reporting data. What im getting into here is this. Experian is not the only company or entity in america collecting data. There is massive Data Collection being undertaken in this country. And its not just the three Credit Bureaus that are collecting this data. I believe that Congress Needs to address not only the issue with experian but the broader issue of the collection and use and protection of personally identifiable information that is being collected by the government, by the private sector, and others. With regard to this personally identifiable data. And i guess this is really more of a statement than a question. But i would like to know your opinion on that. Actually, there is a question first. And that is, does experian face requests from federal regulators that are mandatory to provide data to them . Senator, i assume you mean equifax . Excuse me, equifax. General reaction to your thoughts there, if there is a better way to ensure that those in aggregate significant amounts of data like we do, banks do, others in the industry, we would welcome that dialogue if theres a better path forward. To answer your question specifically, do we aggregate and provide data to different Government Entities . The answer is yes. All right, thank you. I apologize. In fact, i gave the experian examples and that was just a mistake. But your answer is that, yes, equifax also provides data to those regulators. Its not always voluntary, is it .
In other words, you must provide it on occasions when it is required from agencies . Yes. So let me ask you the general question then. As congress looks at this issue, seems to me that it should be obvious we should look much more broadly than even just one private sector company. And even then just the private sector. But to the Data Collection that is going on across our society, including the Data Collection that the government itself is collecting. Would you agree . The rate and pace of cyberattacks is increasing at a rate that is unbelievable. If theres a way for Public Private partnership to intelligently sit around a table and debate that and find better ways to manage and secure data, we would welcome that dialogue. Thank you. I note that senator sasse came in so hell get the last word. I would like to associate myself with your comments right there about the digital revolution moment were at and the speed and pace of data aggregation and collection should push the congress to have some real hard discussions about data ownership and transmission and implicit contracts where individuals are not contracting with one of the three Credit Bureaus and their data is still managed in ways they cant control. I agree we should have hearings and a lot of debate about this topic in the digital revolution. Mr. Smith, i want to see if i can be clear about where i think we stand nearly two hours into this hearing. Your company, which has only two competitors, right . Really, you only have two competitors, has lost the data of 145 million americans. And this isnt a spreadsheet problem.
This is a real human problem where two and three and four years from now, youre going to have real americans whose identity is going to be stolen and their credit is going to be abused in the future and theyre going to have difficulty qualifying for a home loan or a car loan or theyre going to pay a differential Interest Rate than they should be paying because of the rotten credit score that theyre going to have. And in response, your company could potentially make a profit from selling lifelock products. Again, i agree with you earlier that a lot of the forward looking innovation that may come from this could incrementally improve things but were interested now in the 145 million. Youre going to have a product that could potentially be sold to the very victims. It feels like a broken windows Business Model where you didnt actively chuck the bricks but your company allowed bricks to be tossed through windows and then you might potentially be able to sell new windows to some of the people whose windows were just broken. I think the way you explained your lifelock product in your testimony makes some sense for what you plan to roll out in january of 2018, but it still is really hard to understand it as a Fraud Protection product when you think about the victims historically. I want to go back for just a minute to this contract with the irs. So we checked and it appears to be a no-bid, even if its a revolving contract, its a no-bid, but the purpose of the contract with the irs looks like its fraud prevention, right . Youre trying to prevent fraudulent access. I wont ask for a show of hands in the room, but i dont know who would want to say we should buy Fraud Protection from the people who were just hacked and dumped 145 million american records. So just honestly, as an american, and i appreciate the fact that you have resigned from the company. But as an american, why should anybody hire equifax for Fraud Protection right now . After the exposure.
Senator, i understand your point. Were a company thats been around for 118 years. For most of those 118 years we have done good things for many stakeholders, including the government. One of those things we have done very proudly is prevent fraud for many entities including the government. I come back, it was a horrific breach, and i apologize on behalf of the company for that breach. Well make it right as best we can. But it doesnt wipe out 118 years of good work weve done. Thank you. Im going to be following up with the irs and asking them why this contract should go forward. But thank you for your willingness to appear before the committee today. Thank you. Thank you, senator. And that concludes the questioning. Mr. Smith, we do appreciate you coming before the committee and appearing today. For all senators, all follow-up questions need to be submitted by next wednesday, october 11th. And mr. Smith, we ask that you please respond promptly to those questions. We usually like to see the responses within a week if possible. With that, this hearing is adjourned. I was just out in the hallway, so my apologies. Just to piggyback on what senator warren said about transforming the industry, you seem to have concerns yourself about all the data being collected. Do you have any idea where that might go from here . I did just answer that question. I dont have a specific answer except i believe there is bipartisan interest here, and theres already some legislation being generated by different individuals. So i would expect that there will be a full discussion of that, though im not going to predict any specific outcome, but thats the type of thing that could generate a legislative proposal. Have you given thoughts on hes got to get to the capitol soon. Do you have thoughts on the Warren Schatz bill . I dont know it in enough detail to comment on that. What did you think about that product . What product . The product he mentioned . Might be interesting.
The lock, the credit lock . That idea is one, you can probably tell from my comments, im interested in having a much more robust system in place that allows individuals to yes, that allows individuals to protect their private personal identifiable information. Pulling you with a cane off the stage. Thanks. Former equifax ceo Richard Smith finishing up his second of four appearances before congressional committees. This afternoon, hell be testifying before a Senate Judiciary committee. Tomorrow morning, mr. Smith goes before the house Financial Services committee. That will get under way at 9:15 eastern tomorrow, and well have live coverage of that here on cspan3. These hearings, by the way, along with yesterdays testimony, are all Available Online at cspan.org. The hill has a story this morning, the European Union is ordering amazon to pay 294 million in back taxes saying that the company had been given improper tax breaks. Luxembourg gave illegal tax breaks to amazon, they said in a statement, and as a result, almost three quarters of amazons profits were not taxed. The european commission, the eus Enforcement Branch, concluded after a three-year investigation that luxembourg had allowed amazon in 2003 to shift assets from a subsidiary thats subject to taxation to another thats not. The eu prohibits states from offering tax breaks that are not available to others. Amazon denied it had received special treatment and insisted it had followed the law. That from the hill today. House democrats gathered on the u. S. Capitol steps this morning to call for legislation to prevent gun violence. Former arizona congresswoman Gabrielle Giffords was shot done a constituent