The committee will come to order. Without objection, the chair is authorized to declare a recess of the committee at any time, and all members will have five days to submit materials for inclusion in the record. The hearing is entitled Examining the Equifax Data Breach. On September 7th, Equifax announced a cybersecurity incident that affected 145 million U.S. consumers, nearly half of all Americans. In other words, if you are hearing my voice, you are either the victim or you know someone who is. That's how massive this breach was. Criminals got basically everything they need to steal your identity and open credit card accounts in your name. This may be the most harmful failure to protect private consumer information the world has ever seen. The company's response has left much to be desired. For weeks Equifax provided confusing information about whether people were victims of the breach or not. And beyond the breach itself, senior executives sold their Equifax shares before the company disclosed the breach. I trust the Justice Department will get to the bottom of this. Clearly, action by the Federal Trade Commission and potentially other regulators is required. Congress must ensure federal regulators do their jobs so justice can be served and victims are made whole. We must examine whether our agencies and statutes are up to the job. Large-scale security breaches are becoming all too common. The increasing frequency of cyberattacks demands enhanced efforts to safeguard consumers. It requires effective measures to prevent data breaches in the first place. Given the federal government's track record when it comes to protecting personal information, witness the SEC and OPM attacks as two recent examples, we must be cautious about attempts to never let a good crisis go to waste and impose a Washington-forced technology solution that may be antiquated as soon as it is imposed. Our committee passed the bipartisan Data Security Act; the need to revisit that legislation and, where necessary, improve upon it should be obvious to all. The status quo is clearly failing consumers and leaving them extremely vulnerable.
I look forward to working with members of both sides of the aisle and with the administration to ensure that Americans across the country will be protected and no longer have to lose sleep over the kind of breaches we are discussing today. I yield back the balance of my time and recognize the ranking member, the gentlelady from California, for three minutes. Thank you. The massive breach at Equifax and the company's subsequent failures are a lapse on a scale we have never seen before. It is all the more outrageous because the impacted customers never chose to do business with Equifax. They are literally stuck with this company. I'm interested in what Equifax will do moving forward for all of those who have been harmed. I am interested in why they have sent this witness today without the authority to commit Equifax to future actions. The members need to hear what happened and what Equifax plans to do moving forward. I already know this hearing won't answer all of the questions, and I and other members would like to know more. This is why Democrats are requesting a minority day hearing to get more answers to the questions surrounding not only this breach but also its impact on consumers and solutions moving forward. Now is the time to fix what has been broken. This is just the tip of the iceberg. The whole credit reporting system needs an overhaul. My bill would shift the burden to credit reporting agencies and away from consumers. It would also shrink the importance of credit reports in our lives by limiting their use in employment checks and limiting when CRAs can collect information on consumers. It is time to end the stranglehold that Equifax, TransUnion and Experian have on our consumers' lives. I yield back. The chair recognizes the gentleman from Missouri, Mr. Luetkemeyer, for one and a half minutes. Thank you. Right here. There we go. There's a lot of us to try to keep track of. I trust you heard the anger from Congress and the American people. It is negligence and disregard for the law and consumers. A failure on the part of you, your board and senior management, and your failures impacted one-third of the American people.
The American people whose data has been compromised had to wait more than a month to find out about it. The American public deserves better. They deserve prompt notification, a system that effectively notifies them, not one that is slowed down because of turf wars or fear of litigation. I believe it's now time to move forward, and we need to find solutions to this problem. I hope that if one good thing comes from this, it's that the American consumers can get a system that works for them. I chair the subcommittee that is going to have oversight over this data breach and that security type of bill, and I assure you we'll try to look at it and at ways to protect the American consumers. The chair recognizes Mr. Clay, the ranking member of the Financial Institutions Subcommittee, for one minute. Apparently he is not here. We'll then go to the gentleman from Michigan, who also appears not to be here. The gentleman from Minnesota is recognized for one minute. I would like to thank the chairman and ranking member for this important hearing. A lot has been said about the Equifax breach. There are a few things I think we have to bear in mind. One is that Equifax and two other players in this industry of credit reporting dominate the whole field. As members of this committee know, I believe Equifax is too big. We need to increase competition, and if Equifax had to worry about a real competitor, I believe they would be better at safeguarding the data of consumers. It is the fact that markets have concentrated so high that Equifax doesn't have to worry about any other competition, that they can be lax with the data of people. I look forward to the gentleman talking about issues that are very important. I know there has been movement in the area of, well, I'll leave that to the rest of the questioners. Time has expired. We recognize the gentlelady from New York. Mr. Smith, Equifax was not just a breach of security. It was not just a massive, huge database breach; it was a breach in the trust of the American people in your company.
We have the best markets in the world, and I believe that our markets run more on trust than they do on capital. So a breach of trust is something our markets cannot tolerate. I join my colleagues in being committed to finding procedures going forward so that this does not happen again and that the law is enforced against those who breach and break the law. The time of the gentlelady has expired. Today we'll receive the testimony of Mr. Richard Smith, former CEO and chairman of Equifax and adviser to the interim CEO. Prior to September 26th of this year, Mr. Smith had been the chief executive officer since 2005. Before joining Equifax he held various positions at General Electric, where he worked for 22 years. The written statement will be made part of the record. Mr. Smith, you are recognized. Thank you for allowing me to testify before you today. I am Rick Smith. I have had the honor of serving as chairman and CEO of Equifax. I have had the opportunity to read the letters of those impacted and not impacted alike, and I understand the anger and frustration we have caused at Equifax. This criminal attack occurred on my watch. I take full responsibility as the CEO. I want everyone here to understand that I am deeply apologetic and sorry that this breach occurred. I want the American public to know Equifax is dedicated to making things right. Americans have a right to know how this happened. I'm prepared to tell you what I did about this incident while CEO of the company and also what I know about the incident as a result of being briefed by the ongoing investigation. We now know this criminal attack was made possible by a combination of a human error and a technological error. The human error involved a dispute portal in March of 2017. The technological error involved a vulnerability that had not been patched. Both have since been addressed. On July 29th and 30th, suspicious activity was detected. We followed our response protocol at that time. The team immediately shut down the portal and began their internal security investigation. On August 2nd we hired top cybersecurity forensic and legal experts. We also notified the FBI.
At that time we did not know the nature or the scope of the incident. It was not until late August that we realized we had experienced a major data breach. Over the weeks leading up to September 7th, our team continued working around the clock to prepare to make things right. We took four steps to protect consumers. First, determining when and how to notify the public, relying on the advice of our experts that we needed to have a plan in place as soon as we announced. Number two, developing a website and offering free services not only to those impacted but to all Americans. Number three, preparing for increased cyberattacks, which we were advised are common after a company announces a breach. Finally, continuing to coordinate with the FBI in its criminal investigation of the hackers while notifying federal and state agencies. In the rollout of our remediation program mistakes were made, for which I am again deeply apologetic. I regret the frustration that many Americans felt when our websites and our call centers were overwhelmed in the early weeks. It is no excuse, and it certainly did not help, that two call centers were shut down due to Hurricane Irma. Since then the company has increased the capacity. I can report to you today that we have had over 420 million U.S. consumers visit our website and that our call times and wait times at the call centers have been reduced substantially. The company offered a broad package of services to all Americans, all of them free, aimed at protecting the consumers. In addition, we developed a new service, available on January 31st, 2018, that will give all consumers the power to control access to their credit data by allowing them to lock and unlock access to their data for free for life. As we have all learned, this is a national security problem, and putting consumers in control of their credit data is one part of the answer. No single company can solve a larger problem on its own. I believe we need a public-private partnership, and I look forward to being part of that dialogue. Thank you again for inviting me to speak today.
I'll close again by saying how sorry I am that this breach occurred on my watch. On a personal note, I want to thank the many hardworking and dedicated employees that I worked with over the past 12 years. Equifax is a good company with thousands of great people trying to do what's right every day. Thank you. The gentleman from California. I would request that the witness be sworn. It has not been the practice of the committee to swear in witnesses. As you know, the witness has to sign before coming here that the testimony will be truthful. I know this is your fourth appearance before Congress, but I think you know it is thanks to the gravity of the situation, the number of our constituents who are impacted and, frankly, the number of committee jurisdiction lines that this crosses. I will attempt to plow a little new ground. So there is a lot of focus on when the nature of the breach was realized. It took approximately a month before people were notified of the breach. Did someone in law enforcement ask Equifax to delay notification to the public? As I mentioned, we were in communication routinely with the FBI. We worked very closely with them and our outside counsel, and yes, they both managed the flow of communication. Did they advise you to delay it for approximately four weeks? They got it on the 7th; it wasn't until around the 24th that we really realized the size of the breach, and even that continued to evolve from the 24th of August, as you may have seen with the evidence this week on 2.5 million more. I'm led to believe the vulnerability was first publicized, at which point it was immediately categorized as critical by numerous cybersecurity authorities. What do you believe is a reasonable amount of time for a critical vulnerability patch to be pushed out and implemented on all affected applications? It was within 48 hours. We did that. I'm sorry, you did do that? Yes. It is our responsibility, and we did not ensure there was communication to the person that needed to apply it. That was error number one.
On the 15th of March we used scanning technology, which looks around the systems for vulnerabilities. That scanner did not detect the vulnerability. We had a human error and a technology error. Once Equifax chose to notify the public, there are notification laws that you are well aware of. I know we have a patchwork, but under what breach notification regime did you notify the public? We were mindful of the state laws and trying to abide by all state laws. At the same time we were following the recommendation to make sure we had a clear and accurate understanding of the breach. It took weeks; it was very difficult to retrace the footprints of these criminals, where they had been, what they had done. We had to recreate the inquiries with the security team and our outside legal adviser. You're located in Georgia, correct? Was that a Georgia notification regime that you followed? You didn't follow the 47-odd state regimes, did you? Yes, we are headquartered in Atlanta, Georgia, and we were also making sure we had an accurate and clear understanding. It was not until late in August. My time has expired. We recognize the ranking member for five minutes. Thank you very much. I appreciate you being here today. I want to understand in what capacity you are here today. Are you a volunteer, a paid adviser? Do you play any role in the company? Would you please make that clear to me? Yes. I am the former chairman and CEO, and today I am sitting here as the former CEO and also as someone who agreed to work with the interim CEO. Are you a volunteer? Yes, I'm unpaid. Unpaid. And you came today to try to explain what has taken place. Do you have the ability to talk about what happens going forward and how we can correct the mishaps, the problems of Equifax? Are you empowered to do that today? I have the ability, looking forward, from my perspective as someone who was CEO. If you make a commitment here today, is the company bound by any commitment you make? No. Commitments are made by the company themselves.
So your capacity is to simply try to explain and take responsibility rather than how we go forward for the future, is that right? That's largely correct, Congresswoman. I do have views on the path forward. Commitments have to be made by the company themselves. We have such limited time to deal with so many problems. While I appreciate you taking responsibility, your being here today doesn't do much in terms of how we are going to move forward and correct the problems of Equifax. Our consumers are at great risk. Are you close enough to know exactly what has been done to be available to consumers? Congresswoman, yes. I have an understanding of what has been done. As I mentioned in my comments, they staffed up dramatically. I am told that the backlog of consumers trying to get through and secure their free services has now been emptied. I'm not sure about that. I worry about that. In addition, I'll tell you what else I worry about. How long will consumers be able to get free service? Is there a time when they will be charged while trying to straighten out whatever problems have been created because of this serious hacking that has been done? The company offered five services to every American, not just those impacted. How many? Five different services. And for how long? One year from the time they sign up, and then, starting in January 2018, the ability to control access to their data for life. They will have the ability to lock or unlock when they choose, versus us being able to do that. It will be free for life starting in January 2018. It will be enabled as an application on one's cell phone, very easy for a consumer to use. I might have missed part of that. If one's identity has been stolen, and usually it takes a long time to unravel that, are you going to provide service and assistance to the consumer until that is taken care of? Yes, Congresswoman. Again, one of the five services we offer today is the ability to lock access to your file. It is the most secure way.
You determine who accesses it, who does not and when. But I'm clear, I think what you have said is that when one finds oneself in that position you will provide them with the service and assistance. For life. Thank you. The gentlelady yields back. Mr. Smith, I'm still over here. Thank you. You know, I had a long meeting this past week with some experts in data security and how data can be protected. One of the comments that was made was that when it comes to information technology budgets, the average company only spends 6 percent on security. Do you know roughly what your company spent of the information technology budget? I do. I think there's a benchmark on the IT spend; the average is about 6 percent, and we are in the 12 percent range. Okay. Are you aware of new protocols that have been put in place? Yes. We have implemented multiple protocols. We have also engaged a world-class consultant to come in and rethink everything we have done for a long-term plan. As a result of this breach the exposure is ginormous here. Do you have an insurance policy to cover this kind of a breach? Yes. I have discussed it in the past. We do have a tower of insurance coverage. It is common in our world. Okay. So basically the company is, well, they are limited to any coverage you have. I have not disclosed those limits. All right. In your testimony, both your written testimony and your verbal testimony a minute ago, you talked about new security processes and creating a public-private partnership. Can you explain what you believe is a public-private partnership with regard to this? Yes. There are two thoughts. One is that the rise and intensity of cyberattacks around the country and the world is running at a pace that's never been seen before. The goal is to get ahead of the curve and not just react to it.
Number two is, the more I reflect, think and talk to experts in the area of cybersecurity, I'm convinced there's an opportunity to rethink the concept of a Social Security number and name as being the most secure way to identify consumers in the U.S., something that was introduced, as you all know better than I, in the '30s. I think it's time we think about a new way to identify consumers. The chairman did a good job of discussing the notification problems with regard to the situation. Can you tell me what you believe is perhaps a better way to notify the individuals? I mean, basically a minute ago you said you basically knew on the 24th that individual data had been breached, and it wasn't until the 7th, which is two weeks later, that you made a notification to the individuals. Even if you can't get your systems up and running to take phone calls, don't you think it would have been better to have notified the individuals, if not by a public declaration, by saying, we've been breached; millions of people's information could have been breached; therefore, all of you who are in our systems need to take precautions, and let them on their own take better precautions, rather than wait to find out if they've been hacked or if their information has been breached? Don't you think that would have been a better way to go about it? Congressman, I assure you we took a lot of time to think about the notification process. One point of clarification: on the 24th, the knowledge we had surrounding the breach was still fluid. It was fluid through the 7th; in fact, it was fluid until Monday this week, as far as I understand. The other thing I will say is that the cybersecurity forensic experts recommended that we really prepare ourselves for significantly increased cyberattacks when we went live with the announcement.
So between the 24th and the 7th much energy was spent securing, wherever we could secure, our facilities to give us the best protection against cyberattacks, and, as you mentioned, Congressman, we had to stand up the environment: call centers, train and staff people, pull together the product of the service offering. The time of the congressman has expired. There is clearly a vote taking place on the floor, with over ten minutes left in the vote. We'll clear one more member and then declare a recess pending the end of votes. The chair now recognizes the gentlelady from New York, Mrs. Maloney. Mr. Smith, as you well know, Americans rely on the three credit bureaus, a group of companies, to safeguard some of our most sensitive information. And it is because these credit bureaus hold this key personal information that we subject your companies to very rigorous data security standards. The credit bureaus are subject to the Federal Trade Commission's Safeguards Rule, which is intended to ensure the security and confidentiality of the information. So we have a law in place that protects, supposedly, against exactly what happened here. And now we'll see if the FTC is willing to enforce it. And if they're not, then we'll know that Equifax is clearly above the law. The Safeguards Rule requires, among other things, that Equifax have an information security program in place to identify reasonably foreseeable risks to the security of your data and to protect against these risks. This risk was obviously reasonably foreseeable, because the Department of Homeland Security literally sent you and the other credit bureaus notice warning you about the exact vulnerability that the hackers exploited. And yet your security program did not protect against this obviously foreseeable, announced risk. So, in my mind, this is the most open-and-shut violation of the Safeguards Rule that I have ever seen in the history of this country. So my question to you, Mr.
Smith, is, do you believe that Equifax violated the FTC's Safeguards Rule? Congresswoman, I understand your point. It's my understanding we were in compliance with the Safeguards Rule, and that the Safeguards Rule does not protect 100 percent against data breaches. How in the world could you let this happen when you were warned by the Homeland Security Department? My second question: the Safeguards Rule also requires you to have a patch management system, essentially a system in place to patch security flaws as soon as the fix for the flaw is released, but you have testified that your patch management system failed in this case. Even though there was a patch released almost immediately, Equifax did not implement the patch like it was supposed to. I wrote the other two credit bureaus a letter about their information security programs to make sure that their systems were fully protected. And one of them, Experian, wrote me back a detailed response, which I'd like to submit with my letter. Without objection. And they explained that their patch management system functioned correctly, and that when they got the notice from Homeland Security they immediately implemented the security patch. They also stated that their patch management system will literally shut down; it won't even work. It shuts down automatically if a patch isn't implemented immediately. So my question is, why didn't your patch management system automatically shut down your systems when the security patch wasn't implemented? Why was this flaw allowed to go unpatched for months before you noticed it? Congresswoman, a patch has got to be identified. We routinely... It was identified by the Homeland Security Department when they notified you. You already testified that your person failed to implement it. Yeah. I was referring to: it's got to be identified by us, not by the outside, either the software manufacturer or, in this case, the Department of Homeland Security. As I said in my oral testimony...
My time is almost up, and I have one more question, and I think it's important. You may not know this, Mr. Smith, but it is actually considered best practice in a company with lots of sensitive personal information to have their chief information security officer have independent business lines that report directly to the CEO and to the board of directors. But at Equifax, you were using an outdated corporate governance model and had your chief information security officer reporting to the general counsel, not directly to the CEO. My question is, why was your chief information security officer not reporting directly to you and the board? And why were you using an old model? Was it because you don't think that information security was important enough to be reported directly to you? Congresswoman, I don't believe it matters where the chief information security officer reports. It was a priority for me. It was a priority for the board. It was a priority for the company. But it wasn't reported to you or the board. It went to the counsel, and it violated best practices for security companies. The time of the gentlelady has expired. There is one vote pending on the floor. The committee stands in recess pending conclusion of that vote. A brief break in the hearing on the Equifax data breach. We'll return to live coverage here on C-SPAN3 after members attend a series of votes in the House. We'll also let you know that the four opportunities for testimony on Capitol Hill on the Equifax data breach will be available online at c-span.org. While the break continues, we'll show you some of the opening remarks from today's testimony. The committee will come to order. Without objection, the chair is authorized to declare a recess of the committee at any time. The hearing is entitled Examining the Equifax Data Breach. I now recognize myself for three and a half minutes to give an opening statement.
On September 7th, Equifax announced what it called a, quote, cybersecurity incident at its business that potentially affects 145 million U.S. consumers, nearly half of all Americans. In other words, if you are hearing my voice, you are either the victim of the breach or you know someone who is. That's how massive this breach was. Criminals got basically everything they need to steal your identity, open credit card accounts in your name and cause you untold frustration and financial calamity. This may be the most harmful failure to protect private consumer information the world has ever seen. The company's response to this breach has left much to be desired. For weeks Equifax failed to disclose the breach to consumers and its shareholders. It provided confusing information about whether people were victims of the breach or not. And senior executives sold their Equifax shares after the company knew of the breach and before the company disclosed the breach. I trust the Justice Department and the Securities and Exchange Commission will get to the bottom of this. Clearly, action by the Federal Trade Commission, the Consumer Financial Protection Bureau and potentially other regulators is required. Congress must ensure that federal law enforcement and federal regulators do their jobs so justice can be served and victims are made whole. We must thoroughly examine if our agencies and statutes like the Fair Credit Reporting Act and UDAP are up to the job. In this era of big data, large-scale security breaches, unfortunately, are becoming all too common. The increasing frequency and sophistication of cyberattacks clearly demands heightened vigilance and enhanced efforts to safeguard consumers. Protecting consumers obviously starts with requiring effective measures to prevent data breaches in the first place.
Given the federal government's own poor track record when it comes to protecting personal information, witness the SEC and the OPM attacks as two recent examples, we must be cautious about attempts to never let a good crisis go to waste and impose a Washington-forced technology solution that may be antiquated as soon as it is imposed. However, I do believe that we need to ensure we have a consistent national standard for both data security and breach notification in order to better protect our consumers, hold companies accountable and assure that this affair does not repeat itself. Our committee passed such legislation nearly two years ago, the bipartisan Data Security Act; the need to revisit that legislation and, where necessary, improve upon it should be obvious to all. The status quo is clearly failing consumers and leaving them extremely vulnerable. So I look forward to working with members of both sides of the aisle and working with the administration to ensure that Americans across the country will be protected and will no longer have to lose sleep over the kind of breaches that we are discussing today. I yield back the balance of my time. I now recognize the ranking member of the committee, the gentlelady from California, for three minutes. Thank you, Mr. Chairman. The massive breach at Equifax and the company's subsequent failures are a lapse on a scale we have never seen before. Equifax's failure to safeguard consumer data is even more egregious because the customers never chose to do business with Equifax, and because of the broken business model of our country's credit reporting agencies these consumers can't end their relationship with Equifax. They can't shop around for a better deal. They are literally stuck with this company. I am very interested in what Equifax will do moving forward to provide full redress for all of those who have been harmed.
I am also interested in why Equifax has sent this committee a witness today without the authority to commit Equifax to future actions. The members of this committee need to hear not just about what has happened but also about what Equifax plans to do moving forward. So I already know that this hearing won't answer all of the questions, and I and other members would like to know more. This is why committee Democrats are requesting a minority day hearing to get more answers to the questions surrounding not only this breach but also its impact on consumers and solutions for consumers moving forward. For example, I for one would like to make sure that credit reporting agencies do not inappropriately profit off this incident by exploiting consumers' legitimate fears. Now is not the time to focus on how to sell consumers more products. Now is the time to fix what has been broken. But this breach and Equifax's woeful response are just the tip of the iceberg. The whole credit reporting system needs a complete overhaul. That's why I introduced the Comprehensive Consumer Credit Reporting Act, which would shift the burden of removing credit reporting mistakes to credit reporting agencies and away from consumers. My bill would also shrink the importance of credit reports in our lives by limiting the use of credit reports in employment checks and limiting when CRAs can collect information on consumers. It's time to end the stranglehold that Equifax, TransUnion and Experian have on our consumers' lives. Mr. Chairman, I yield back. The chair recognizes the gentleman from Missouri, Mr. Luetkemeyer, for one and a half minutes. I am right here. A lot of us to keep track of. You have sat before several committees, and I trust you've heard the anger from Congress and the American people. It's not just incompetence on the part of you and your company but also negligence and disregard for the law and consumers.
There is a failure on the part of you, your board and your senior management, and your failures have impacted more than one-third of the American people. What's most egregious to me is that the American people whose data had potentially been compromised had to wait more than a month to find out about it. The American public deserves prompt notification. They deserve a system that effectively and efficiently notifies them, not one that is slowed down because of turf wars, regulatory conflicts or fear of litigation. I believe it's now time to move forward, and we need to find solutions to this problem. I hope that if one good thing comes from this, yet another major data breach, it's that the American consumers can finally get a system that works for them. I chair the subcommittee that will have oversight over the data breach, and I can assure you we'll look thoroughly at this incident as well as others and look at ways to protect the American consumers. Mr. Chairman, I yield back. The gentleman yields back. The chair recognizes the gentleman from Missouri, Mr. Clay, ranking member of the Financial Institutions Subcommittee, for one minute. Apparently he is not here. We then will go to the gentleman from Michigan. He also appears not to be here. The gentleman from Minnesota, Mr. Ellison, is recognized for one minute. I would like to thank the chair and ranking member for this important hearing. A lot has been said about the Equifax breach, and a lot of the same things will be repeated today. But there are a few things that I think we have to bear in mind. One is that Equifax and two other big players in this industry of credit reporting dominate basically the whole field. As members of this committee know, I have been quite concerned about market concentration. I believe Equifax is too big; it needs to be reduced in size. We need to increase competition. And if Equifax had to worry about a real competitor, I believe they would be better at safeguarding the data of consumers.
It is the fact that markets have concentrated so highly that, basically, other than TransUnion and Experian, Equifax doesn't have to worry about much of any other kind of competition, that they can be lax with the data of people. I look forward to the gentleman talking about some issues that I think are very important. I know there has been some movement in the area of, well, I will leave that to the rest of the questioners.

The time of the gentleman has expired. The Chair recognizes the gentlelady from New York, Mrs. Maloney, Ranking Member of the subcommittee, for one minute.

Mr. Smith, Equifax was not just a breach of security; it was not just a massive, huge database breach. It was a breach in the trust of the American people in your company. We have the best markets in the world, and I believe that our markets run more on trust than they do on capital. So a breach of trust is something our markets cannot tolerate. And I join my colleagues in being committed to finding procedures going forward so that this does not happen again and that the law is enforced against those who breach and break the law.

The time of the gentlelady has expired. Today we'll receive the testimony of Mr. Richard Smith, former CEO and chairman of Equifax and adviser to the interim CEO. Prior to September 26th of this year, Mr. Smith had been the chairman and chief executive officer at Equifax since 2005. Before joining Equifax, Mr. Smith held various management positions at General Electric, where he worked for 22 years. Without objection, the witness's written statement will be made part of the record. Mr. Smith, you are recognized for five minutes to give an oral presentation of your testimony.

Thank you. Thank you. Thank you, Chairman Hensarling, Ranking Member Waters and other members of the committee. Thank you for allowing me to come before you today to testify. I am Rick Smith. For the past 12 years I have had the honor of serving as chairman and CEO of Equifax.
Over the past month or so, I have had the opportunity to talk to many American consumers and read their letters, those impacted and not impacted.

The meeting will come to order. The Chair recognizes the gentleman from New Mexico, Mr. Pearce, chairman of our Terrorism and Illicit Finance Subcommittee, for five minutes.

Thank you, Mr. Chairman, and thank you to Mr. Smith for being here today. Just to try to get the playing field underneath us, you would describe the processes at Equifax with regard to outside hacks to be very engaged and pretty professional. We had a human mistake, more or less. Is that, is that kind of correct? Congressman, I would say obviously we committed two very unfortunate errors, the one you mentioned. I am asking about the overall culture in the approach to security, understanding that you've got a lot of critical data here. Yes, I would describe the culture and the focus as one that put a top priority on security, yes. How much of your time in your 12 years did you spend each day, say, on cybersecurity? Congressman, when I first came here we had no cybersecurity organization. I made it a priority 12 years ago to engage consultants to help us scope it out. We went from basically no people, how much, to 225. How knowledgeable are you on the subject? We had routine reviews. You personally. That's what I'm saying. You had routine reviews. How many times had the Apache Struts been fixed, and how many times had it been patched under your watch? We have vulnerabilities in general terms across software. The Apache Struts, to the best of my knowledge, this particular open-source software, there was one notification on March 8th. The, so is the firm still using that software? It was deployed in two locations and has been patched. They're still using it? Let me, I am not that savvy on all the cyber crimes and stuff.
When I hear the Secretary of the Treasury say that 50 percent of his time every day is spent on cyber threats, I was trying to get some sense from you how much of your time every day, because this is probably one of the more critical things. And when I didn't get a very solid answer, I tend to fall on the side that says that there is a little bit of a lax culture here. I just googled Apache Struts to just open the first website. It talks about something that came out open source. It was, it was pretty good. But they have kind of lost their way back three or four years ago. I mean, to be using a piece of software that, that even just the first Google says three out of five stars, we probably ought to be looking at better alternatives out there. And then, then you just have these patches that come out, and no one actually responds to them. I don't know exactly who made that decision. Where in the hierarchical scheme did the decision not to implement the patch that was suggested, where did that decision come in? Again, on the 8th of March the notification came out from the Department of Homeland Security, as you alluded to. A security team sends out a communication to the organization. The patching process, to be clear, to your question, was owned by the Chief Information Officer, was under his, in his organization. Where, where in the, surely somebody more than just an agent at the field level is tasked with being sure that we don't have any vulnerabilities. Surely it was not that low. So is that, has that decision-making stream been made public? The owner of the process for patching was a direct report to, no. I am talking about internally in Equifax. Don't worry about who out there outside, because you are the one responsible. So is that decision scheme, the decision process, made public, and can we know who, can we get that information? Congressman, let me clarify, if I may.
The owner of the process internal to Equifax for the patching, in this case of Apache Struts or any software that needs to be patched, was an individual who was a direct report to the Chief Information Officer. Okay. I am about out of time. Now, your assertion that this is just human error overlooks the fact that you had unencrypted information. Anybody that gets in can just read it; it's not encrypted. Is that industry standard, that we don't encrypt PII? That's not correct. We use tokenization, encryption, masking. Your testimony a couple of days ago was that you had a lot of information that was just in plain text. Those indicate the fact that we have identified a process and indicate a culture internally that was very lax. I yield back.

The time of the gentleman has expired. The Chair recognizes the gentlelady from New York.

Thank you, Mr. Chairman. Mr. Smith, in your testimony you stated that you are deeply sorry that this event occurred and that you and the Equifax leadership team have worked tirelessly over the last two months to make things right. However, according to an article in Fortune magazine published on September 26th, you are retiring with a paycheck worth as much as $90 million. So my question to you, sir: do you believe it is right for you to walk away with a payday worth $90 million when the lives of more than 145 million hardworking Americans have been potentially compromised? Congresswoman, I deeply apologize for the breach of those American consumers. I have heard of this article. I can't reconcile that number. Let me be very clear. How much are you getting in your retirement? When I retired, I did announce my retirement, and at a time, so I also told the board back in early, mid September that I would not take a bonus going forward. I also told the board that I would be an adviser, unpaid, helping the board, helping the management team for as long, and I asked for nothing beyond what was disclosed in the proxy.
That is a pension that I have accumulated over my career. And that is some equity that I have earned in the past. So you told the Ranking Member that you are here in your capacity as an adviser to Equifax now. Unpaid. Okay. And so are you advising Equifax to set up a compensation fund for impacted consumers to help them rebuild their lives? Congresswoman, the advice I gave to the board and the management has been followed, and that was to offer five free services for one year followed by the ability to lock and prevent identity theft. That's not a compensation fund. Correct. Mr. Smith, as Ranking Member of the House Small Business Committee, I am concerned about the impact this historic breach will have on our country's 29 million small businesses. As you know, the availability of business credit is often inextricably tied to owners' personal credit scores. Last week Senator Shaheen and I wrote a letter requesting information about Equifax's efforts to help small business clients, but we haven't received any response. So, what steps is Equifax taking to educate small businesses on what it means for their businesses? Congresswoman, I understand the question. If we have not responded to your letter, I will make sure that the company does respond in writing to your request. Specifically to your question, however, if a small business man or woman was also the proprietor of that company, as an individual, they would be covered by what we're doing for them going forward, offering this free lock product for life. Number two, to clarify if I may, small businesses in America are very important customers of ours. I know that. And we have told them and others through different functions that they have not been compromised. The data we have on small businesses was not compromised. They were not compromised. If you are an individual, again, as I said, a proprietor, you are covered by the services we are offering for free.
The small business database that we manage was not compromised. So let me ask you: how is Equifax working with lenders to establish a safe way to check a credit score for a borrower seeking a small business loan? If you are a proprietor of that small business, you have the ability to access all the free services that we just discussed. So this past Monday it was announced that approximately 2.5 million additional U.S. consumers had been potentially impacted by the breach. Can you assure us that there will be no more discovery of even more consumers who have been potentially impacted as a result of this breach? It's my understanding that the press release that came out from the company on Monday not only said 2.5 million consumers were impacted additionally, but also that the forensic review mandate was now complete.

The time of the gentlelady has expired. The Chair recognizes the gentleman from Michigan, Mr. Huizenga, chairman of the Capital Markets Subcommittee.

Up here, sir. As the chairman indicated, I chair the Capital Markets, Securities and Investments Subcommittee, where the Securities and Exchange Commission falls under that purview. You obviously know that under Sarbanes-Oxley you have certain duties and responsibilities as a CEO, not just in the running of the company but in the paperwork filing that has to go on and be filed with organizations like the SEC. Was data security ever an area you listed as a deficiency in regards to any of these Sarbanes-Oxley requirements? Congressman, I don't recall it ever being described as a deficiency or filed as a deficiency. It is routinely communicated in Ks and Qs and other means. You had internal controls. Yes. And presumably you do your analysis on that. Yes. So data security was never a part of that? Not that I, as far as, as a control issue? As a control issue or as an area of concern. It's always viewed as an area of risk for the company.
I don't ever recall it being communicated as an area of concern where there was a lack of controls. Under SEC rules, when you have a material change in the condition of your company, you have to file a form commonly known as an 8-K. That 8-K form is there regarding financial condition or prospects, and when significant events have occurred. When did you file that 8-K? I don't recall. According to my information it was September 7th. That makes sense. That's the way we went public with the release on the breach itself. Okay. I had heard in earlier testimony that you had not been directed by the FBI to withhold information from the public or to slow-walk or to do anything, right? This was not a directive from either the federal government through the FBI or any other law enforcement agency or any of your consultants. Two different questions there. The FBI specifically, involved from the second in a very fluid series of communications through, in fact, today even. But no, they did not. You said the consultants. The consultants did guide us on the communication. Did they tell you you'd better file that 8-K? The 8-K, as you mentioned, was filed on the 7th. On the 7th. You discovered this in July. Congressman, with all due respect, we did not discover it in July. In July, the 29th and 30th, someone on the security team noticed what they described as suspicious activity, and to put it in perspective, we as a company see millions of suspicious activities against our data from outside. So you had an indicator. Let's call it an indicator, July 29. You hired a consultant, based on your previous testimony, August 2, correct? That is correct. Okay. So why did it take a month plus, five weeks, to file a form with the SEC, and, I guess, coupled with that, when did you let your board know about this? I'll answer both those, if I may.
As I talked about in the written testimony and the oral, from the 2nd of August, when the cybersecurity forensic firm was hired and King & Spalding was hired, a global law firm, very fluid, they had to rebuild the footsteps of the criminals, where they had been. They had to rebuild the inquiries. It wasn't until late August that there became an indication of a significant, so let's even take that. It still, then, took two weeks for you to file an 8-K, and in the meantime you had executives who sold shares. You had the public that was thinking nothing was wrong, was buying and selling shares of Equifax. You know, would a reasonable shareholder have gotten some of this information and said, wait a minute, something is going on at Equifax, maybe I'm not going to purchase that stock? Seems like that would be a reasonable step for an investor. Congressman, let me address the point you made on the sale. The sale by the three individuals, individuals back on August 1st. I know it was prefiled. I am not saying there was something nefarious. But even your own executives, and they didn't know it was going on and there wasn't an 8-K filed, you have the public coming and going. You falsely put your stock out there at a particular price. Mr. Chairman, my time has expired.

The time of the gentleman has expired. The Chair recognizes the gentleman from California, Mr. Sherman.

Mr. Chairman, I renew my request that the witness be sworn. When John Stumpf was here, his company had adversely affected only three or four million consumers; we swore in that witness. That is the precedent of this committee in situations like this. The Chair has already spoken to the matter. Mr. Smith, you have made a point that you are an unpaid volunteer for your company. I want to thank you for that service. Aside from the $90 million, you're uncompensated.
I know you have disputed the $90 million figure, so I would ask you to respond for the record in detail how much you have made, pensions, stock options, and salary from Equifax during your term there, and we'll see whether the reports of $90 million are accurate. Timeline. There is the period March to July when you should have noticed, or your company should have noticed, the problem, should have paid attention to the Homeland Security advisory, et cetera. But so that's one part of the timeline. Another part starts on July 1, when your Chief Information Officer told you about the attack and that the website was shut down. Now, there are those in this committee room who have said that the company didn't act immediately on that on July 31. That's not entirely true. In just one day, August 1, three of your executives sold $3 million of their stock. That shows an immediate action right after the CIO report. Does your company have any policies on allowing executives to sell stock, getting legal advice before they do so, or is it up to each executive how to obey the securities laws? There was never a report issued on the 31st, to be clear. It was a verbal communication. Right. But you were told, and the website was shut down. The website, something pretty significant happened, because the next day three executives sold $2 million worth of stock. Answer the question whether your company has a policy of getting approval and legal review before your employees sell. Yes, there is a clearing process. And how would you pass that clearing process, selling the stock just a day after the Chief Information Officer tells the CEO that there has been this data breach? There is a clearing process required for any Section 16 officer. These were Section 16 officers. They all followed the process.
You don't think the process is broken when it approves the sale of $2 million in stock within 24 hours of when the, of when the CEO gets a report of the most enormous data breach, what turned out to be the most important data breach we've had in your industry? Congressman, I have no indication that the process was broken. These three individuals who sold had, to the best of my knowledge, had no knowledge. Just your luck. The initial response of Equifax was to have a website advertised as your way to help consumers. And then, in the website, you tricked consumers, this was the plan, tricked consumers into forgoing their right to sue. Whose idea at the company was it to do that? The arbitration clause is what you are referring to. Exactly. That was never intended. When we found out that clause was in there, within one day it was down. You just found out? Somehow it popped in and you didn't know it was there? It is a standard clause in products where consumers have options to buy a product. It was never intended to be in there for the free service. It was removed within 24 hours. After a huge outcry, including many members of this committee. Now, you have put out press releases telling people that they may be among the 143 million people. Is it the intention of Equifax to send a notice to those whose data were compromised, or is it up to them to go to your difficult-to-use, overburdened website to find out? We followed what we thought was due process. We sent out press releases. Set up a website. How about notices? Are you going to give notice to the 143 million people? Are you going to send them a letter? No, sir. Going to send them an email? No, sir. So, everybody out there figures there is a two-thirds chance they weren't affected and they may do nothing, and you, you've, you have exposed their data and you won't give them a notice. Not even an email. 420 million U.S. consumers have come to our website. 420 million. U.S. consumers.
That's more than the number of people in the country. They've come multiple times. Which means that many haven't come at all. You won't notify people. I yield back.

The time of the gentleman has expired. The Chair recognizes the gentlelady from Missouri, Mrs. Wagner, chairman of the Oversight and Investigations Subcommittee.

Thank you, Mr. Chairman. Right here. Mr. Smith, forgive me if I appear a little bit more disturbed or harsh than some of my colleagues, but this issue is very, very close to home for me. This past year my tax identity was stolen. And to be frank with you, it has been a complete and utter nightmare. For me, this isn't just another data breach; it is a breach of trust. When we learned that our tax identity was stolen, guess to whom we turned for help? That's right, the credit reporting agencies. So although getting a free year of credit monitoring is a good step, first step, I should say, I don't have much confidence, to be perfectly honest, in the product, sir. In addition, as the chairman of the Oversight and Investigations Subcommittee, I will be closely monitoring the additional facts that come out regarding this case, especially those concerning the sale of stocks by executives at Equifax. Although none of us should, I should say, prejudge before knowing the facts, and I am sure the SEC and DOJ will get to the bottom of this. Briefly, Mr. Smith, what would you tell people like me, people who have previously experienced identity theft of some kind and turned to Equifax for help? What do you say to these people who feel completely at a loss for what to do next? How can anyone possibly ever trust, and we've talked about trust here at the committee, this company again, and be confident that they can be protected in the future? Please. Thank you, Congresswoman. We are a 118-year-old company. Protecting and being a good steward of our data is paramount to our ability to gain trust, have trust with consumers and companies around the world.
What I would tell consumers is, first, please go to our website, take advantage of the five offerings that we've offered for a year for free. Secondly, January 31st, when the new lifetime lock product becomes available for free for life, I would strongly recommend that every American get that product as well. I recently read comments from CFPB Director Richard Cordray where he stated his intention to provide accountability concerning the data breach. As you know, it began supervising credit reporting agencies on behalf of consumers, I believe, in 2012. But not its cybersecurity systems, which has been left to the SEC. What interactions did you have with the CFPB prior to the breach on cybersecurity? Obviously we've been in communication with them since they've been our regulator, and I have personally been involved. Prior to the breach, sir? I can't recall. I was not personally involved with the CFPB regarding cybersecurity myself. What interactions have you had with them since the breach, then? I have not had interactions with them since the breach. Wow. Mr. Smith, I did want to take an opportunity to ask you some questions that I have been hearing from my constituents back home. Can you detail what categories of consumer information were accessed during the months-long breach? Yes. I will give it a shot. We tried to be very clear in the series of press releases we have had in the past that the consumer's core credit file, which is their credit history with us, was not compromised. We talked about a database we have, where someone asked over here on small businesses. We have a database on small business. That was not compromised. What kind of personal identification information specifically? So, as we have disclosed in press releases, date of birth, name, Social Security number. I think there were 200,000, 209,000 credit cards that were compromised.
There was a document, Congresswoman, called a dispute document, where a consumer could dispute that they paid an obligation, take a picture of that, for example, upload that to the system. That was another example that was compromised. Let me ask you this, Mr. Smith. What sort of financial products, for instance, could be opened in my constituents' names if those pieces of data that you just named, for instance, were part of the breach? Congresswoman, if the consumer takes advantage of the free service and locks their file, no one has access to that file. I thought my file was locked before, after my, my tax returns were breached, when I reached all of you. So again, my trust in the product is at an all-time low. I have several more questions. I will submit them for the record. I thank the Chairman and I yield back.

The lady yields back. The Chair recognizes the gentleman from New York, Mr. Meeks.

Thank you, Mr. Chairman. I agree with the Ranking Member when she said, I am here, I'm going to ask you questions. But you're unpaid. You're no longer with the company. You are an unpaid adviser. I don't know what we're going to do with reference to the future. So I am here. I am going to ask you questions. I don't know whether you're going to, how long you're going to be advising them for free or whatever that deal is. But I know that when a consumer has a problem, they can't just get out of it in the way that, you know, some kind of easy explanation or something of that nature and it's all over with. And you have, Equifax, your former employer, because of the nature of the business which they're in, they have a special responsibility in regards to cyber incidents. I think it's probably a problem, definitely, clearly a problem with Equifax, but probably a bigger problem across the board with all public companies.
There was a PricewaterhouseCoopers survey that found 23 percent of corporate directors did not discuss crisis planning with management and that 38 percent of directors did not discuss their management's testing of these crises. And consistent with this data, it seems that Equifax's board and management failed to plan for this crisis, given the company's numerous gaffes, as you have admitted to. Equifax's failure to quickly respond to the Homeland Security Department's warning, the company's delayed notification to the public and the company's arbitration clause misstep, which you acknowledged today and yesterday at the hearing, are just a few examples of Equifax's lack of preparation. So, I am trying to find out, then: prior to this breach, did Equifax ever adopt a written breach response plan that included a formal process for notifying the public and regulators, or did Equifax merely formulate a cyber crisis plan post the breach? Secondly, prior to the breach, did Equifax ever test a crisis plan in anticipation of a cyber breach, because you knew the significance of the data that you were there to protect? And finally, if you say that there is, can you share with this committee the documents of Equifax's formal cyber response crisis plan? I understand your question, Congressman. Yes, we did and do have written documentation on crisis management, including cyber as obviously being one of the top crises we could face as a company and have faced, so we can reach out to management, have them provide you that crisis management documentation. We'll do that. Now, was there any, my other two questions. Was there a written breach response? What you would do, and did you test it? A crisis plan, in anticipation of a breach so that, if you, you know, like a fire drill. If something should happen, this is what we're going to do. Have a plan. Have you done that? Was that done? Yes, Congressman, it has been done.
The real-life challenge is, when you look at the size of this breach and the fact that we offered it to every American, that was a victim or not a victim, the sheer scale of trying to stand up the environment from a technology perspective, hire thousands of people that take weeks to train, you can't just hire 2,000 people, 3,000 people and expect them to be trained and impactful day one. As I mentioned in my oral testimony, the team has gotten better each and every day from a technological perspective in the web environment and from the call centers. But again, I do apologize. You mentioned a few of the things where we made mistakes early on. But yes, we do have practice. Let me disagree with you. For example, the kind of information that you were to protect, you've got to make sure that each and every individual that you hire is prepared. I mean, it's like, you know, information that we have at the CIA or other places, protected documents, they can't hire somebody and say, well, we can take a chance and maybe they'll learn while they're on the job, and if something happens it will be okay and we'll excuse it. You have got to be sure that you are putting the individuals in and have a plan that's going to protect folks because of the nature of the information of which you're given, and because of the numbers of people that are depending upon you to protect their information. I understand your point.

The gentleman's time has expired. The Chair recognizes the gentleman from Wisconsin, Mr. Duffy. I would recognize the gentleman from Kentucky.

Mr. Smith, a representative from your company, I think, put it well. He said, Americans expect their mortgages to be approved on time, their auto loan applications to be accepted while they are at the dealership and retail credit approved while they are at the counter; disrupting the miracle of instant credit would hurt the economy.
Can you assess for us the extent to which this breach, and this painful experience for the American people, may very well disrupt that miracle of instant credit? Congressman, if we were to get to the point where we allowed consumers, for example, to opt out of the credit system, that would be devastating to the economy. If we don't allow consumers that ability to instantly lock and unlock at the point of underwriting, to your example, that could be devastating for the flow of credit in our economy. The intent of the lifetime product that we're going to roll out January 31st gives that consumer the ability to give them the security level that he or she deserves with the ability to instantly turn on and turn off access to the credit so the flow is uninterrupted. Can you tell me about credit freezes as a solution, or maybe not the best solution, to problems like this? What we're talking about here is a consumer telling a credit bureau to not release a credit report unless the consumer contacts the bureau in advance to say otherwise. The credit freeze itself, Congressman, was something that was born out of regulation in 2003, put into law in 2004. And it's oftentimes confused with a credit lock. If I may just spend a second and talk about both. A credit freeze, from a consumer's perspective, largely provides the same amount of protection as a credit lock would. However, they dictate different means of communicating between the consumer and the credit reporting agency that can oftentimes be cumbersome, require phone calls into call centers, mailing things back and forth, so that the flow of credit you talked about can be disrupted. The idea of a lock is to make it far more user friendly, where you can be on your smartphone and toggle on to unlock and toggle off to lock. Far less cumbersome than the freeze. As we look at data security, you talked about the many different state laws that you have to navigate.
Tell us your view, after this painful experience, what you think would be a solution. Would a national uniform breach notification rule be better for the American consumer? That's what a lot of us are thinking, in the aftermath of this breach. I had not given that much thought, Congressman, but I will. What about fraud alerts under the Fair Credit Reporting Act? Are they sufficient? I think the, I think the most, they do add value. Clearly, the monitoring of the alerts gives consumers peace of mind. I think the most significant step forward, Congressman, is the concept where consumers can control who accesses their credit data with a lock. And I think the next step forward there would be to not only have Equifax offer that solution but imagine a consumer being able to lock and unlock, for free, for life, access to all three credit reports, and that gives them the ultimate protection. You went over this a little bit, about the steps you took after learning of the breach and why it took a while for you to notify the American people about the breach. But why did it take so long? I mean, I think the average American would expect a more expeditious notification of the compromise of their personally identifiable information. Congressman, we were driven by a couple of thoughts. One was making sure we were as accurate as possible on who was impacted and who was not. That just took time, as I alluded to in the oral testimony. That developed over the weeks of mid to late August. Number two, as I had mentioned, the cyber forensic examiner, who is viewed as world-class in what they do, had advised us to expect an increased frequency of cyberattacks. And we had to develop plans to make sure we were

a number of years ago. Perk did the study and found that if you defined an error as a negative influence on a consumer's ability to get a loan, interest rate goes up, over 99 percent. I used 95 because that's what I read. You have 200 million records. And you had 500 service reps.
That's 20,000 customers with a problem that your company created per service rep. Now you get 145 million. You're ramping up. You're going to hire, give or take, 3,000 service reps. We have an online electronic... Let's talk about that for a minute. I'm sure, since you were the CEO in 2014, you're familiar with the case of Miller versus Equifax? You've heard of that case, I'm sure. Vaguely, yes. That's a case where the judge found, as a matter of fact... Congratulations on that case, because in that case it was determined that you didn't have to pay an $18 million penalty. You only had to pay a $1.5 million penalty, because that's the most the Constitution allowed. The judge found that your actions were reprehensible. That's her words, not mine. Your own expert testified that it's Equifax's policy to investigate and correct files only after a lawsuit is filed. Which is why I wanted to talk to somebody in the company, to see if they're willing to change that. But since there's nobody here, I guess not. You think that's okay? Apparently you thought that was a good policy in 2014? If a consumer has a dispute on something on his or her credit file, we take that seriously. We work with the banks to correct... You didn't do anything about it. The only reason there was a lawsuit is because two people with the same name of Miller, their records got combined, and you refused, after you had proven repeatedly for years, to do anything about it. It happens all the time. Every one of us gets complaints from our constituents that your industry treats them like dirt. They can't get student loans. They can't get auto loans. They can't get ATM cards, because you won't do anything, by your own policies, admitted by your own people who used to work for the company, that say we don't do anything until you file a lawsuit. Here in my last 13 seconds I'm going to speak to America, and I'm going to say, for the 145 million people: file a lawsuit and maybe you'll get some equity.
Otherwise, they're going to keep doing to you what they've been doing to you forever. The time of the gentleman has expired. Votes are pending on the floor. The committee stands in recess. Nearly 146 million people. All the hearings are available on our website at cspan.org. While we wait for members to return and the hearing to continue... The committee will come to order. Without objection, the chair is authorized to declare a recess of the committee at any time. All members will have five legislative days to submit extraneous materials for inclusion in the record. The hearing is entitled Examining the Equifax Data Breach. On September 7th, Equifax announced what it called a, quote, cyber security incident at its business that potentially affects 145 million U.S. consumers, nearly half of all Americans. If you are hearing my voice, you are either the victim of a breach or you know someone who is. That's how massive this breach was. The company's response to this breach has left much to be desired. For weeks Equifax failed to disclose the breach to consumers and shareholders. It provided confusing information about whether people were victims of the breach or not. And beyond belief, senior executives sold their Equifax shares after the company knew of the breach and before the company disclosed the breach. I trust the Justice Department is curious. Congress must ensure that federal law enforcement and regulators do their jobs so justice can be served and victims are made whole. Protecting consumers obviously starts with requiring effective measures to prevent data breaches in the first place. Given the federal government's own poor track record when it comes to protecting personal information, witness the SEC and the OPM hacks as two recent examples. We must be cautious about attempts to never let a good crisis go to waste and impose a Washington-forced technology solution that may be antiquated as soon as it is imposed.
However, I do believe that we need to ensure we have a consistent national standard for both data security and breach notification in order to better protect our consumers, hold companies accountable and assure that this does not repeat itself. Our committee passed such legislation nearly two years ago, the bipartisan Data Security Act. The need to revisit that legislation and improve upon it should be obvious to all. The status quo is clearly failing consumers and leaving them extremely vulnerable. I look forward to working with members of both sides of the aisle and working with the administration to ensure that Americans across the country will be protected and will no longer have to lose sleep over the kind of breaches that we are discussing today. I yield back the balance of my time. I now recognize the ranking member of the committee for three minutes. Thank you, Mr. Chairman. The massive breach at Equifax and the company's subsequent failures are a lapse on a scale we've never seen before. Equifax's failure to safeguard consumer data is all the more egregious because the impacted customers never chose to do business with Equifax. Because of the broken business model of our country's credit reporting agencies, these consumers can't end their relationship with Equifax. They can't shop around for a better deal. They're literally stuck with this company. I'm very interested in what Equifax will do moving forward to provide full redress for all of those who have been harmed. I'm also interested in why Equifax has sent this committee a witness today without the authority to commit Equifax to future actions. The members of this committee need to hear not just about what has happened but also about what Equifax plans to do moving forward. I already know this hearing won't answer all of the questions; I and other members would like to know more.
This is why committee Democrats are requesting a minority day hearing to get more answers to the questions surrounding not only this breach, but also its impact on consumers and solutions for consumers moving forward. For example, I for one would like to make sure that credit reporting agencies do not inappropriately profit off of this incident by exploiting consumers' legitimate fears. Now is not the time to focus on selling consumers more products. Now is the time to fix what is broken. This breach and Equifax's woeful response is just the tip of the iceberg. That's why I introduced the Comprehensive Consumer Credit Reporting Reform Act. This legislation would, among other things, shift the burden of removing credit report mistakes to credit reporting agencies and away from consumers. My bill would also shrink the importance of credit reports in our lives by limiting the use of credit reports in employment checks and limiting when CRAs can collect information on consumers. It's time to end the stranglehold that Equifax, TransUnion and Experian have on our consumers' lives. I yield back. The chair now recognizes the gentleman from Missouri, the chairman of our Financial Institutions Subcommittee, for one and a half minutes. Thank you, Mr. Chairman. Mr. Smith, I know you... I'm right here. There we go. There's a lot of us to try and keep track of. I know you've sat before several committees this week and I trust you've heard the anger from Congress and the American people. This is not just incompetence on the part of you and your company but also negligence and disregard for law and consumers. There's a failure on the part of you, your board and your senior management, and your failures have impacted more than one-third of the American people. What's most egregious to me is that the American people whose data has potentially been compromised had to wait more than a month to find out about it. The American public deserves better.
I believe it's now time to move forward, and we need to find solutions to this problem. I hope that if one good thing comes from this, yet another major data breach, it's that American consumers can finally get a system that works for them. I can assure you we're going to look thoroughly at this incident, as well as others, to find out some ways to protect American consumers. The chair now recognizes the gentleman from Missouri, Mr. Clay, the ranking member on the Financial Institutions Subcommittee, for one minute. Apparently he is not here. We then go to the gentleman from Michigan, who also appears not to be here. The gentleman from Minnesota, Mr. Ellison, is recognized for one minute. I'd like to thank the chair and ranking member for this important hearing. A lot has been said about the Equifax breach, and a lot of the same things will be repeated today. But there's a few things I think we've got to bear in mind. One is that Equifax and two other big players in this industry of credit reporting dominate basically the whole field. As members of this committee know, I've been quite concerned about market concentration. I believe Equifax is too big. It needs to be reduced in size. We need to increase competition. If Equifax had to worry about a real competitor, I believe they'd be better at safeguarding the data of consumers. It is the fact that the market is concentrated so highly that Equifax doesn't have to worry about much of any other competition, that they can be lax with the data of people. I look forward to the gentleman talking about some issues that I think are very important. I know there's been some movement in the area of... well, I'll leave that to the rest of the questions. The chair now recognizes the gentlelady from New York, Ms. Maloney, for one minute. Mr. Smith, Equifax was not just a breach of security. It was not just a massive, huge database breach. It was a breach in the trust of the American people in your company.
We have the best markets in the world, and I believe that our markets run more on trust than they do on capital. So a breach of trust is something our markets cannot tolerate. And I join my colleagues in being committed to finding procedures going forward so that this does not happen again and that the law is enforced against those who breach and break the law. I am Rick Smith. For the past 12 years I have had the honor of serving as chairman and CEO of Equifax. Over the past month or so, I've had the opportunity to talk to many American consumers and read their letters and understand their anger and frustration that we have caused at Equifax. This criminal attack on our data occurred on my watch, and I take full responsibility for that attack as the CEO. I want every American and everyone here to understand that I am deeply apologetic and sorry that this breach occurred. I also want the American public to know that Equifax is committed to dedicating their energy and time going forward to making things right. Americans have a right to know how this happened, and today I'm prepared to testify about what I learned and what I did about the incident while CEO of the company, and also what I know about the incident as a result of being briefed by the company's ongoing investigation. We now know this criminal attack was made possible by a combination of a human error and a technological error. The human error involved the failure to apply a patch to a dispute portal in March of 2017. The technological error involved a scanner that failed to detect a vulnerability on this particular portal that had not been patched. Both errors have since been addressed. On July 29th and 30th, suspicious activity was detected. We followed our security incident response protocol at that time. The team immediately shut down the portal and began the internal investigation. On August 2nd we hired top cyber security forensic and legal experts. We also notified the FBI.
At that time, we did not know the nature or the scope of the incident. It was not until late August that we concluded that we had experienced a major data breach. Over the weeks leading up to September 7th, our team continued working around the clock to prepare to make things right. We took four steps to protect consumers. First, determining when and how to notify the public, relying on the advice of our experts that we needed to have a plan in place as soon as we announced. Number two, helping consumers by developing a website, staffing up massive call centers and offering free services, not only to those impacted but to all Americans. Number three, preparing for increased cyber attacks, which we were advised are common after a company announces a breach. Fourth, coordinating with the FBI in their criminal investigation of the hackers while at the same time notifying federal and state agencies. In the rollout of the remediation program, mistakes were made. I regret the frustration that many Americans felt when our websites and call centers were overwhelmed in the early weeks. It is no excuse, but it certainly did not help that two of our larger call centers were shut down due to Hurricane Irma. Since then, however, the company has dramatically increased its capacity. I can report to you today we've had over 420 million U.S. consumers visit our websites and that wait times at the call centers have been reduced substantially. At my direction the company offered a broad package of services to all Americans, all of them free, aimed at protecting the consumers. In addition, we developed a new service, available January 31st of 2018, that will give all consumers the power to control access to their credit data by allowing them to lock and unlock access to their data for free, for life. We put access to the credit data in the hands of the American consumer. I'm looking forward to offering as much detail as you like about that service offering. This is a national security problem.
Putting consumers in control of their credit data is the first step. No single company can solve this problem on their own. Chairman, ranking member and honorable members of the committee, thank you again for inviting me to speak today. I'll close again by saying how sorry I am this breach occurred on my watch. On a personal note, I want to thank the many hardworking and dedicated employees I've worked with. Equifax is a great company with thousands of great people trying to do what's right every day. I know they will continue to work tirelessly, as we have over the past few months, to right the wrong. Thank you. The gentleman from California will state his point of order. I would request that the witness be sworn. It has not been the practice of the committee to swear in witnesses. As you know, the witness has to sign, before coming here, that the testimony will be truthful. That should be sufficient. The chair yields himself five minutes for questions. Mr. Smith, I know this is your fourth appearance before Congress, but I think you know it speaks to the gravity of the situation, the number of our constituents which are impacted and, frankly, the number of committee jurisdiction lines that this crosses. So since you've testified three other times, I will attempt to plow a little new ground. As you know, there's a lot of focus on, I guess, to use your phrase, once the nature and the scope of the breach was realized, it still took approximately a month before people were notified of the breach. Did someone in law enforcement ask Equifax to delay notification to the public? Mr. Chairman, as I mentioned in my oral comments, we were in communication routinely throughout the process with the FBI, but they did not necessarily dictate the flow of communication to the public. Okay. Were there outside data security consultants that advised the company to delay notification for a month? Mr. Chairman, we worked very closely with Mandiant.
It is one of the leading cyber forensic firms in our country. And our outside counsel, the global law firm King & Spalding. And yes, they both in tandem managed the flow of communication externally. I would say one thing... I'm sorry. Did they advise you to delay it for approximately four weeks? They guided us in our announcement on the 7th. It was four weeks. It wasn't until around the 24th that we really realized the size of the breach. And even that continued to develop from the 24th of August to the time it went public on the 7th. As you may have seen, the company came out, I think it was this Monday, with continued evidence on 2.5 million more consumers. So it was a very fluid process of understanding the scope, size and nature of the breach. I'm led to believe the Apache Struts CVE 2658 vulnerability was first publicized in early March, at which point it was immediately categorized as a critical vulnerability by numerous cyber security authorities. What do you believe is a reasonable amount of time for a critical vulnerability patch to be pushed out and implemented on all affected applications? Our policy at the time was within 48 hours. We did that. I'm sorry, you did do that? Yes. So what happened? On the 8th of March we were notified, as you mentioned. On the 9th of March, following the standard protocol, communication was disseminated to those who needed to know about the patch. Two things happened, Mr. Chairman. One was a human error. An individual who was responsible for what we call the patching process did not ensure that there was communication, and closed-loop communication, to the person who needed to apply the patch. That was error number one. Error number two was on the 15th of March we used a technology called a scanning technology, which looks around the systems for vulnerabilities. That scanner, for some reason, did not detect the Apache vulnerability.
So we had a human error, as I alluded to in my oral testimony, and a technological error, both resulting in the fact that it was not patched. Once Equifax chose to notify the public, there are currently roughly 47-odd state breach notification laws, as you are well aware. So I know we have a patchwork. But under which breach notification regime did you notify the public? Mr. Chairman, we were mindful of the state laws and trying to abide by all the state laws, while at the same time following the recommendation of Mandiant, making sure we had a clear and accurate understanding of the breach. As I mentioned earlier, that took weeks. Very difficult to retrace the footprints of these criminals, where they had been, what they had done. We had to recreate inquiries, being Mandiant and the security team and our outside legal advisor. You're located in Georgia, correct? Was that a Georgia regime notification that you followed? I mean, you didn't follow the 47-odd state notification regimes, did you? Yes, sir. We're headquartered and domiciled in Atlanta, Georgia. My point was we were aware and mindful of all state laws for breach notification. Also accurate and clear understanding of what data had been compromised. That was not until late in August. My time has expired. The chair now recognizes the ranking member for five minutes. Mr. Smith, I appreciate your being here today. I want to understand in what capacity you are here today. Are you a volunteer, a paid advisor? Do you play any role in the company? Would you please make that clear to me. Yes. I am the former chairman and CEO, 12 years in that role. I am sitting here as the former CEO, but also as someone who has agreed... Are you a volunteer? Yes. I'm not paid. So you came today to try and perhaps explain what has taken place. But do you have the ability to talk about what happens going forward and how we can correct the mishaps, the errors, the problems of Equifax? Are you empowered to do that today?
Congresswoman, I have the ability to talk, looking forward, from my perspective as an individual who was the CEO for 12 years. If you make a commitment here today, are you bound by any commitment you make for the company today? No. Commitments have to be made by the company themselves. So your capacity today is simply to try and explain and take responsibility rather than how we go forward for the future, is that right? That's largely correct, Congresswoman. I do have views on paths forward and I'm prepared to discuss those. Commitments have to be made by the company themselves. That creates a little bit of a problem for us today. We have such limited time to deal with so many problems. While I appreciate your taking responsibility and apologizing, your being here today doesn't do much for us in terms of how we're going to move forward and correct the problems of Equifax. Our consumers are at great risk. As a matter of fact, I've not been able to freeze my credit with Equifax. I can't get through. And you're talking about the improvements that you have made. Are you close enough with the company to know exactly what has been done to be available to consumers? Congresswoman, yes. I have an understanding of what has been done to make the service level to consumers better. I mentioned in my comments we've staffed up dramatically in the call centers. I am told that the backlog of consumers trying to get through and secure the free services has now been emptied and that the flow is now almost... I'm not sure about that. And I worry about that. In addition, I'll tell you what else I worry about. How long will consumers be able to get what you describe as free service from Equifax? Is there a time that's going to kick in where they're going to be charged for trying to straighten out whatever problems have been created because of this serious hacking that has been done? The company has offered five services to every American, not just those impacted. How many? Five different services.
I can walk through those if you're interested, which give protection to the consumer, and again not just those impacted but any U.S. consumers. For how long? One year from when they sign up. Followed by, in January 2018, we developed this product which is the ability for a consumer to control access to their credit data for life. They'll have the ability to lock access and unlock when he or she chooses, versus us being able to do that on their behalf, and that will be free for life starting in January 2018. It will be enabled as an application on one's cell phone, for example. So very easy for a consumer to use. I might have missed that part of that. But if one's identity has been stolen, and usually it takes a long time to unravel that, are you going to provide service and protection and assistance to the consumer until that is taken care of? Yes, Congresswoman. Again, the product we have today, one of the five services we offer today, is the ability to lock access to your file. It will be enhanced in January with an easier user interface. That is the most secure way we have to prevent someone from accessing your credit file. You as the consumer determine who accesses it, who does not and when. But I'm clear. I think what you've said is, when one finds one's self in that position, Equifax will provide them with the assistance in perpetuity. For life. The committee will come to order. The chair now recognizes the gentleman from New Mexico, Mr. Pearce, chairman of our Terrorism and Illicit Finance Subcommittee, for five minutes. Thank you, Mr. Chairman. Thank you, Mr. Smith, for being here today. So just to try to get the playing field underneath us, you would describe the processes at Equifax with regard to outside hacks to be very engaged and pretty professional. We had a human mistake, more or less. Is that kind of correct? Congressman, I'd say obviously we committed two very unfortunate errors.
I'm asking about the overall culture and approach to security, understanding you've got a lot of critical data here. Yes. I would describe the culture and the focus as one to put the top priority on security, yes. How much of your time in your 12 years did you spend each day, say, on cyber security? When I first came here, we had no cyber security organization. I made it a priority 12 years ago to engage consultants to help us scope it out. How much time... how knowledgeable are you on the subject? We had routine reviews. No. You personally. That's what I'm saying. So you had routine reviews. How many times had Apache Struts been patched under your watch? We have vulnerabilities in general terms across software. This particular open source software, there was one notification on March 8th. So is the firm still using that software? It was deployed in two locations and has been patched. But it's still using it? I mean, I'm not that savvy on all the cyber crimes and stuff, but when I hear the Secretary of the Treasury say that 50 percent of his time every day is spent on cyber threats, I was trying to get some sense from you how much of your time every day, because this is probably one of the more critical things, and when I didn't get a very solid answer, then I tend to fall on the side that says there's a little bit of a lax culture here. I just googled Apache Struts. Just opened the first website. It talks about something that came out open source. It was pretty good, but they kind of lost their way back three or four years ago. I mean, to be using a piece of software that even just the first Google says three out of five stars, we probably ought to be looking at better alternatives out there. And then you just have these patches that come out and no one actually responds to them, or I don't know exactly. So who made that decision? Where in the hierarchical scheme did that come in? The security team sent out a communication to the organization.
The patching process, to be clear to your question, was owned by the chief information officer. It was under his... in his organization. Where in the survey is somebody, more than just an agent at the field level, tasked with being sure that we don't have any vulnerabilities? Surely it was not that low. Has that decision-making stream been made public? The owner of the process for patching was a direct report to... No. I'm talking about internally in Equifax. Don't worry about who outside, because you're the one responsible. So is that decision scheme, the decision process, made public, and can we know who... can we get that information? Let me clarify now, if I may. The owner of the process internal to Equifax in the patching of Apache Struts, or any software that needs to be patched, was an individual who was a direct report to the chief information officer. Okay. I'm about out of time. Now, your assertion this is just human error overlooks the fact that you had unencrypted information. Anybody that gets in can just read it. It's not encrypted. Is that industry standard, that we don't encrypt? That's not correct. We use tokenization. We use encryption. We use masking. Your testimony a couple days ago answered that you had a lot of information that was just in plain text. I think those all indicate, and the fact that we haven't identified the process indicates, a culture internally that was very lax, in my opinion. The chair now recognizes the gentlelady from New York, Ms. Velázquez. Mr. Smith, in your testimony you stated that you are deeply sorry that this event occurred and that you and the Equifax leadership team have worked tirelessly over the last two months to make things right. However, according to an article in Fortune magazine published on September 26th, you're retiring with a payday worth as much as $90 million.
So my question to you, sir: do you believe it is right for you to walk away with a payday worth $90 million when the lives of more than 145 million hardworking Americans have been potentially compromised? Congresswoman, once again I deeply apologize for the breach of those American consumers. I've heard of this article. I can't reconcile that number. Let me be very clear... How much are you getting? When I retired, I did announce my retirement, and at that time... so I also told the board back in early September, mid September, that I would not take a bonus going forward. I also told the board that I would be an advisor, unpaid, helping the board and the management team for as long... and I asked for nothing. That was disclosed in the proxy. That is a pension that I've accumulated over my career. And that is some equity that I've earned in the past. So you told the ranking member that you are here in your capacity as an advisor to Equifax now. Unpaid. Okay. So are you advising Equifax to set up a compensation fund for impacted consumers to help them rebuild their lives? Congresswoman, the advice I gave to the board and the management has been followed, and that was to offer five free services for one year followed by the ability to lock and prevent identity theft. That's not a compensation fund. Correct. As ranking member of the House Small Business Committee, I am concerned about the impact this historic breach will have on our country's 29 million small businesses. As you know, the availability of business credit is often inexplicably tied to owners' personal credit score. Last week the senator and I wrote a letter requesting information about Equifax's efforts to help small business clients, but we haven't received any response. So what steps is Equifax taking to educate small businesses on what it means for their businesses? Congresswoman, I understand the question.
If we have not responded to your letter, I'll make sure that the company does respond in writing to your request. Specifically to your question, however, if a small businessman or woman was also the proprietor of that company as an individual, they would be covered by what we're doing for them going forward, offering this free lock product for life. Number two, to clarify if I may, small businesses in America are very important customers of ours. I know that. And we have told them and others, through different functions, that they have not been compromised. The data we have on small businesses was not compromised. They were not compromised. If you are an individual, again, as a proprietor, you're covered by the services offering for free. The small business data was not compromised. How is Equifax working with lenders to establish a safe way to check the credit score for someone seeking a small business loan? If you are a proprietor of that small business, you have the ability to access all the free services that we just discussed. So this past Monday, it was announced that approximately 2.5 million additional U.S. consumers have been potentially impacted by the breach. Can you assure us that there will be no more discovery of even more consumers who have been potentially impacted as a result of this breach? To my understanding, the press release that came out from the company on Monday not only said 2.5 million consumers were impacted additionally but also that the forensic review was now complete. The chair now recognizes the gentleman from Michigan, Mr. Huizenga. You obviously know that you have certain duties and responsibilities as a CEO, not just in the running of the company but in the paperwork filing that has to go on with that and be filed with organizations like the SEC. Was data security ever an area you listed as a deficiency in regards to any of these Sarbanes-Oxley requirements? It is routinely communicated in Ks and Qs and other means.
But you had internal controls? Yes. And presumably you do your analysis on that. Yes. So data security was never a part of that? As far as a control issue? As a control issue or as an area of concern. It's always viewed as an area of risk for the company. I don't ever recall it being communicated as a concern under SOX controls. Under SEC rules, when you have a material change in the condition of your company, you have to file a form commonly known as an 8-K. That 8-K form is there regarding financial condition or prospects, and when they have occurred. When did you file that 8-K? I don't remember. My information says it was September 7th. That makes sense. That was the day we went public with the breach itself. My understanding is you have not been directed by the FBI to withhold information from the public or to slow-walk or do anything, right? This was not a directive from the federal government, through the FBI or any other law enforcement agencies, or any of your consultants? The FBI, specifically involved from the 2nd, and a very fluid series of communications, but no, they did not... the FBI did not. The consultants did guide us on the communication. Did the same consultants tell you you'd better file that 8-K? It was filed on the 7th. On the 7th. But you discovered this in July. With all due respect, we did not discover it in July. July the 29th and 30th, someone on the security team noticed what they described as suspicious activity. To put it into perspective, we as a company see millions of suspicious activities against our data from outside... So you had an indicator. Let's call it an indicator, July 29th. You hired a consultant, based on your previous testimony, August 2nd, correct? That is correct. Okay. So why did it take a month plus, five weeks, to file a form with the SEC, and, I guess, coupled with that, when did you let your board know about this? I'll answer both of those, if I may.
As i talked about in written testimony and the oral, from the 2nd of august when mandiant, the Cyber Security firm, was hired and king and spalding were hired, they had to rebuild the footsteps of the criminals, where they had been. They had to rebuild the inquiries. It wasn't until late august that there became indication of a significant let's take that. It still then took two weeks for you to file an 8-K, which in the meantime you had executives that sold shares. You had the public that was thinking nothing was wrong, was buying and selling shares of equifax. Would a reasonable shareholder have gotten some of this information and said, hey, wait a minute, there's something going on at equifax, maybe i'm not going to purchase that stock. That seems like that would be a reasonable step for an investor. If i may, let me address the point you made on the sale. The sale by the three individuals was back on august 1st and 2nd. Got it. I know it was prefiled. I'm not saying there was Insider Information or something as nefarious as that. What i'm pointing out to you even if your own executives didn't know this was going on and an 8-K has not been filed, it seems to me that you've got the public both coming and going. Not only the data but also the fact that you falsely put your stock out there at a particular price. Mr. Chairman, my time is expired. The chair now recognizes the gentleman from california, mr. Sherman. I'll renew my request that the witness be sworn. When john stumpf was here, his company had adversely affected only 3 or 4 Million Consumers. We swore in that witness. That is the precedent of this committee in situations like this. The chair has already spoken to the matter. Mr. Smith, you've made a point that you're an unpaid volunteer for your company. 
I want to thank you for that service aside from the $90 million you're uncompensated i know you disputed the $90 million figure, so i'd ask you to respond how much you have made, pension, Stock Options and salary from equifax during your term there. And we'll see whether the reports of $90 million are accurate. Timeline. There is the period march to july when you should have noticed or your company should have noticed the problem, should have paid attention to the Homeland Security advisory, et cetera. So that's one part of the timeline. Another part starts on july 1 when your chief Information Officer told you about the attack and that the website was shut down. Now there are those in this Committee Room who have said that the company didn't act immediately on that on july 31. That's not entirely true. In just one day, august 1st, three of your executives sold $2 million of their stock. That shows an immediate action right after the cio report. Does your company have any policies on allowing executives to sell stock, getting legal advice before they do so, et cetera? Or is it up to each executive to decide how to obey security laws? There was never a report issued on the 31st, just to be clear. There was a verbal communication. Right. But you were told and the website was shut down. And the website was shut down. The next day three of your executives sold $2 million worth of stock. Please answer the question whether your company has a policy of getting approval and legal review before your employees sell yes. There was a clearing process. How would you pass that clearing process selling the stock just a day after the chief Information Officer tells the ceo that there's been this data breach. There's a clearing process required for any section 16 officer. These three were section 16 officers. They all followed the process. 
And you don't think the process is broken when it approves the sale of $2 million in stock within 24 hours of when the ceo gets a report of the most enormous what turned out to be the most important data breach we've had in your industry? Congressman, i have no indication the process was broken. These three individuals who sold to the best of my knowledge had no knowledge just your luck. The initial response of equifax was to have a website advertised as your way to help consumers. And then in the website you tricked consumers this was the plan, tricked consumers into foregoing their right to sue. Whose idea was it at the company to do that? The arbitration clause is what you're referring to. Exactly. When we found out the arbitration clause was in there, we took it down one day it is a standard clause in products of consumers with options to buy products. This was never intended to be in there for the free service. It was removed after 24 hours. After a huge outcry, including members of this committee. You've put out press releases telling people they may be among the 143 Million People. Is it the intention of equifax to send a notice to those whose data was compromised or is it up to them to go to your overburdened difficult to use website to find out? Are you going to give notice to the 143 Million People? Are you going to send them a letter? No, sir. Email? No, sir. So everybody out there figures there's a two-thirds chance they weren't affected and they may do nothing and you've exposed their data and you won't give them a notice, not even an email. 420 million U.S. consumers have come to our website. 420 million U.S. consumers. That's more than the number of people in the country. They come multiple times. Which means many haven't come at all. You won't notify people. The chair recognizes the gentle lady from missouri, ms. Wagner, chairman of our oversight and investigation subcommittee. Mr. 
Smith, forgive me if i appear a little bit more disturbed or harsh than some of my colleagues but this issue hits very, very close to home for me. This past year my tax identity was stolen. And to be frank with you, it has been a complete and utter nightmare. For me, this isn't just another data breach. It is a breach of trust. When we learned that our tax identity was stolen, guess who we turned to for help? That's right, the Credit Reporting agencies. So although giving a free year of credit monitoring is a good step, i don't have much confidence to be perfectly honest in the product, sir. In addition as the chairman of the oversight and Investigations Committee i will be closely monitoring the additional facts that come out regarding this case, especially those concerning the sale of stocks by executives at equifax. Although none of us should, i should say, prejudge before knowing all of the facts and i'm sure that the sec and doj will get to the bottom of this. Briefly, mr. Smith, what would you tell people like me, people who have previously experienced Identity Theft of some kind and turned to equifax for help. What do you say to these people who feel completely at a loss for what to do next? How can anyone possibly trust this company again and be confident they can be protected in the future? Thank you, congresswoman. We're a 118-year-old company, and protecting and being a trusted steward of data is paramount to our ability to gain trust, have trust with consumers and companies around the world. What i would tell consumers is first please go to our website, take advantage of the five offerings that we've offered for a year for free. 
And secondly, january 31st when the new lifetime lock product becomes available for free for life, i would strongly recommend that every american go get that product, as well. I recently read comments from cfpb director Richard Cordray where he stated his intention to provide accountability concerning the data breach. As you know, the cfpb began supervising Credit Reporting agencies on behalf of consumers i believe in 2012 but not its Cyber Security systems which has been led to the ftc. What interaction did you have prior to the breach regarding cybersecurity? Congresswoman, i can't recall. Obviously, we've been in communication since they've been our regulator. I've been involved in those communications. Prior to the breach, sir? I was not personally involved with cfpb regarding Cyber Security myself. Wow. What interactions have you had with them since the breach then? I have not had interaction since the breach. Wow. Mr. Smith, i did want to take an opportunity to ask you some questions that i've been hearing from my constituents back home. Can you detail what categories of Consumer Information were accessed during the months long breach? Yes, i'll give that a shot. We tried to be very clear in the series of press releases in the past that the consumers core credit file which is a credit history with us was not compromised. We talked about a database where someone asked on Small Businesses. We have a database on Small Business that was not compromised. What kind of personal identification information specifically? As we've disclosed in press releases, date of birth, name, Social Security number, i think there were 200,000, 209,000 credit cards that were compromised. There was a document called a dispute document where a consumer could dispute that they've paid an obligation, take a picture of that, for example, upload that into the system. That was another example that was compromised. Let me ask this. 
What sort of Financial Products for instance could be opened in my students' names if those pieces of data you just named were part of the breach? If the consumer takes advantage of the free service Committee will come to order. Without objection, i recognize the Ranking Member for one minute. Thank you very much, mr. Chairman. Pursuant to clause 2j16 rule 11 and cause d5 of rule 3 of the rules of this committee, i'm submitting for your consideration a letter signed by all of the democrats of the financial Service Committee notifying you of our intent to hold a democratic hearing on the equifax data breach. I look forward to working with you to determine the location and date of such a hearing. The additional hearing day will be scheduled with the concurrence of the Ranking Member and members will receive notice once the new hearing day is scheduled. I now recognize the gentleman from california, mr. Royce. Chairman of our Foreign Affairs committee. Mr. Chairman, thank you. And i thank mr. Smith for being here today. Since september 7th, my office, i'm sure all of these offices, have received a lot of angry and anxious phone calls and emails by our constituents. And i think one of the things that really stands out is how could a company that deals in data not protect that data? I think the answer lies in what your company did not do. You did not protect their personal information. You did not encrypt that data. You did not patch a vulnerability that you were alerted to on march 8th. You did not disclose the breach to the public until 117 days after it occurred. And then on top of it, the Insider Trading allegations i think only add fuel to that fire. So let me turn to my questions. 
Before september 7th, who else outside the company and your hired Legal Counsel and the fbi, who else was made aware of the breach? Was the ftc notified? Congressman, all at the appropriate time, all outside constituents were notified including the ftc. Let me ask you this, mr. Smith. According to media reports, life lock executive fran roche was notified before the hack actually became public according to that individual, he got a call while vacationing in maine and i just ask, are you aware of this? Do you know who called mr. Roche to give him the heads-up? No, sir, i'm not aware of that. Well, according to bloomberg, armed with information only a handful of people had at the time, mr. Roche mobilized the Rapid Response team. He knew the company would receive an onslaught of calls and signups in the coming days, and i'll quote from bloomberg, he was right. In fact, the phones were ringing off the hook. He bragged that it was bigger than the anthem breach, bigger than anything they'd ever seen for, a tenfold increase in life lock customers. And here's the kicker. From him most are paying the full price rather than discounts. I think that means most were paying $30 instead of $10. It's a really incredible response from the market. I'll tell you what's incredible here. That actually, your company profited off the relationship with life lock which is a company to which you provide credit Monitoring Services. So that here's the point i'd like to make. So life lock gets this heads-up. Did credit karma or intersections or the other competitors, did they get similar notice? Again, congressman, i'm unaware of the life lock discussion let alone anyone else. Well, it's fair to say, i think, that life lock benefited from both the breach and the foreknowledge of it. Life lock's parent company, symantec, has seen its stock rise by more than 10% since the breach was made public. Mr. Smith, do you or any current executives at equifax own stock in symantec? I do not, sir. 
Well, what i'd like to know is if you could provide a list of any executives who do. Because someone notified them in advance. Someone in the company gave them a heads-up so that they had an opportunity to get the phone banks ready and in advance of anybody else, start calling about their service and at a price, $29.99 instead of the $9.99 discount that obviously was of great benefit to that company. Somebody tipped them off on the inside. And i think it would behoove equifax to find out who that is. And if you could start by finding out which executives own stock, that might help us get to that answer. Congressman, your source was bloomberg, is that correct? That is correct. We'll look into that. Very good. I appreciate it. Yesterday in the senate the question was asked if we had seen any evidence too. Time of the gentleman has expired. The chair now recognizes the gentleman from georgia, mr. Scott. Thank you very much, mr. Chairman. Good to have you, chairman. First of all, i want to make a couple of points very clear. I represent the great state of georgia. I love georgia. And when this news first came to me, my staff reported it, i immediately wanted to do all i could to make sure that we would be able to make sure that out of in that after this, that equifax would be standing tall. That they would be clean. That is my objective as the congressman from georgia. Because as you said, you represent a legacy of our great state. You are a 128-year-old company. You employ 20,000, 30,000 people. Many of whom are my constituents. Many of whom who work and toil in the vineyards at your company and they are great people doing a great job. It is important for the American People to know that we have before us is a despicable, a shameful situation for 145 million american citizens to lose the privacy of their Social Security number and all of that. But let it be known that it is the top management. It is you who's responsible for this. 
Now, what i want to do is to be at the front of this sphere, to make sure that equifax regains the confidence and trust of the American People. So my comments here to you, mr. Ceo, are going to be geared to that. First of all, i want to call mr. Chairman and be the first one to call for an investigation by the Justice Department, by the cfpb and certainly by the sec. Now, mr. Smith, you're leaving this company but there are others who are going to be there. And we have to make sure that equifax comes out clean and standing tall. Now, what disturbs me perhaps more than anything was the timeline. You said that you came knowledgeable about this breach on july 31st. But here's what happened. On august the 1st, your executives sold $2 million worth of stock and not only that, mr. Ceo, former ceo, it was your chief Financial Officer who led that charge to sell that stock. Now nobody's going to tell me you're getting information on july 31st and here they go dumping their stock less than 24 hours later. That has to be investigated. And cleared. If we are going to get the confidence of the American People back. So that's Insider Trading, anybody can see that. And i'm sure and i hope that your predecessor, the guy who is going to be taking your place, i hope he's listening. That will be the first thing. And then the second thing, we need to make sure that these guys who sold that stock who made $653,000 in savings from that stock with that inside information, that they pay that money back and that they are fired. 143 Million People losing this is no justification. We have got to make sure, and you have got to make sure that we clean this mess up. Now, i want to talk about the other way in which we can do this. You mentioned numerous times that it wasn't the intent of equifax to include the arbitration piece. Well, now some have it, some don't. That's the next thing that needs to be done. No more of this arbitration clause. 
When you do things like that, the public will take notice. Our job is to clean this mess up and make sure we bring equifax standing tall. We owe that to the American People. Now, the other thing that i would like finally is my staff informed me that most mortgage lenders pull all three reports from the big three Credit Reporting agencies. Equifax, transunion, and experian. So when you talk about this new free lifetime lock product, it's not going to be effective unless everybody does it. I wish i had more time but we're going to clean this mess up. Time. And we're going to restore the integrity and the trust of the American People. Time of the gentleman has expired. The chair now recognizes the gentleman from illinois, mr. Hultgren. Thank you. I know many of us have been hearing from constituents. I certainly have, marty from illinois said equifax has jeopardized my private information which i never gave them. Why should i have to do all the work to monitor my credit. They should have done it for me or pay me of signing up and freezing my Credit Reports. They should pay me for my time. Should someone go to jail for this? Do you agree? James from spring grove says this company's careless actions have caused the loss of personal information on a scale never seen before not due to a new or sophisticated hacking technique but because they failed to patch their servers. Criminal sales of stocks prior to reporting the breach, their action went far beyond carelessness to negligence. Legislation should be put forward to accretion. Equifax must be held liable for all damage caused by their breach and all Credit Reporting firms must be held to much Higher Standards of Information Security. John said in the last six months, my personal information has been lost twice, once by my Mortgage Company and equifax. Both are offering a limited subscription to credit Monitoring Companies to protect my id, one owned by experian. 
Equifax is offering a one-year membership to an equifax subsidiary. Seems like a twisted Marketing Campaign to me he said. Home Point Financial claims to have lost Social Security numbers, birth dates, driver's license numbers. Many cannot be changed. What good is a one-year membership? This data is lost and available till i pass away. Is it ethical that a company that loses my personal data also conveniently owns a service to help me protect it from its eventual use? It's time all these companies are forced to offer lifetime memberships. Please help all of us. This is out of control. Many other constituents again concerned talked with parents of young people whose information has been compromised. Mr. Smith, when this Committee Sends questions for the record of which there will be many, will the response to our questions come from you or from equifax? They'll come from the company, congressman. And how should we respond in getting those answers from equifax? I'll make sure someone from the company reaches out to your staff. That would be great equifax has been investigating the breach for over two months. Has the identity of the hackers been determined? No, it has not. As you know, we're engaged with the fbi and fbi's running that investigation for us. Do you have an opinion of whether it will eventually be determined of who did it? I do not. Did outside Data Security consultants tell equifax it should delay notifying the public and if so why, when and for how long? And what change allowed them to go public in september. It was a team effort relied upon the input from our outside forensic examiner. Global law firm that we talked about and our team trying to balance accuracy, clarity, transparency with the urgency of contacting the consumers. Was an event like this in the scope and scale contemplated by your security staff in a preventable staff? Did a playbook exist for responding to material breach of your pii database? 
Yes, there was a Crisis Management plan we've had in place for quite some time and data breach is one of the crisis examples we practice routinely. It doesn't appear like you were ready for it. And that's our question of the incredible delays. You heard from my constituents. This is a small sampling of incredible frustration, fear that their information has been compromised and they don't know if it's ever going to change echoing what one said, this is information you can't go back and change, you can't go back and get a new birthday or Social Security number. If equifax had wished to notify the company within one week of the breach, could it have had both the resources and plan in place to do so? Why or why not? We moved with haste as i mentioned in my oral testimony and the written testimony. It wasn't till late august that we got a sense for the size and scope of the breach and even that was continuing to move. We moved as quickly as possible thereafter. Has there been any uptick in identity theft or fraud since the breach? Would you expect something like that to occur and why might there not be an uptick yet. If consumers take advantage of the services to lock their file, that will give them great protection. Obviously, there's a concern when it still is kind of same entities. I yield back. The chair now recognizes the gentleman from illinois, mr. Foster. Thank you, mr. Chairman. I'd like to talk about things that congress maybe should have done or can do that would have prevented this. And what that means is that you would have needed a team of really smart highly motivated people looking every day for any security problem which you obviously did not have in place. And so that one way to make that happen is by making a requirement that you actually carry enough insurance to make customers whole when this thing happens. 
It's my understanding that statutory damages for a breach like this are roughly $1,000 per person which means the total potential liability for 140 million is $140 billion more than ten times the market capitalization of equifax. So you clearly can never self-insure or a company with your Business Model could never self-insure. On the other hand, some of these settled for a lot more, a lot less, just a few dollars per person. It's not clear what it should be. My first question is, what would you personally for yourself or one of your family want as remuneration for having your private information up for sale on the dark web? Congressman, the suite of services we're providing for free in some cases. No, i'm saying if i came up to you and said i want to publish your private information on the dark web, would you do it for $1,000, just personally or on behalf of members of your family? No, sir. No you would not. $10,000, $100,000? Everyone has that number but it's well north of a few dollars per person. But that's sort of what's happening to without even having a negotiation, you know, we're having this pain inflicted on people. So now so let's just stick with $1,000 a person the statutory number plus punitive damages. So now if congress were to require that any company like yours that held information for people without asking them necessarily to opt in, that you had a requirement that you would hold enough insurance to make them whole if there was a massive data breach. That would be a very expensive insurance policy, correct? Right. You indicated earlier that you had not disclosed how much insurance against data breach, you're actually carrying, is that correct? And you don't intend to tell us that. That is correct. Is it fair to say that it is not enough to cover $140 billion, $1,000 per customer type liability? Is it less than that? Are you comfortable saying that? Yes, it's less than that. Okay. 
So it's likely that many customers will end up getting less than they think their actual damages are. You know, have you thought through say how much per hour the average customer would charge someone to just sit on hold waiting to try to get attention to getting their credit unfrozen? Remember, congressman, one of the offers we have to consumers is an insurance policy. Are you aware of that? No. For five Different Services for free. One is if a consumer has loss, lost expenses in trying to get their credit repaired, trying to take time off of work, up to $1 million. Okay. But i'm trying to understand under what conditions you would have assembled a team, either yourself or an insurance carrier that would have assembled a team that would have prevented this. If you would have tens of they'd say oh, boy, let's try to figure out if you applied that patch and they would be looking at your source code for everything that Insurance Company that was offering that kind of coverage would depend. I was wondering if you think that's a possible way that we can actually prevent this in the future. Congressman, we have notifications routinely every year for patches. This is a very unfortunate mistake. I mentioned the mistake. I apologized for it. The insurance approach is not the solution. It is preventing human error and technological error that occurred. There will always be human errors and the best what you need is a red team who sits there and looks for human errors and flags them immediately and this has to be a very expert team. Nothing short of that is going to rapidly catch the kind of human errors that will naturally happen. So anyway, this is one of the things i'm looking at because it's the only free Market Solution that i think that has a chance of preventing this in the future. Thank you. Time has expired. The chair now recognizes the gentleman from colorado, mr. Tipton. Thank you, mr. Chairman. And mr. Smith, appreciate you being here. 
I want to follow up on some previous questions i heard. The question was around whether or not you had protocols in place to be able to actually address whether or not the information was being recorded proper reported properly internally but then also to the Government Entities that are responsible for oversight. And i did not hear you respond to the answer whether or not you have written protocols in place to be able to have a timeline to be able to make sure that the governing bodies overseeing you are notified in a timely manner. Would you address that. Yes, thank you for that question. Yes, there were protocols in place. They started with when the security individual saw suspicious activity, protocol number one, he or she shut down the particular portal, started the internal investigation followed by the traditional protocol that they followed which is to notify and engage outside cyber Forensic Auditor mandiant, engage outside counsel to help us with the investigation and then protocols followed all the way to the time of notifying the regulators, ags, and the consumers. Looking forward to try and be a little more solutions oriented, understand and appreciate the comments that you've made regretting what took place. Are there protocols, are there actions that this Congress Might be taking in terms of some of the regulatory bodies to be able to incentivize earlier action, earlier notification, not only to the governing bodies but also to the consumers, as well that we ought to be looking at? Congressman, the one thing i mentioned before, i'd love to see both congress and companies tackle is the concept of is there a better way to identify consumers in america other than ssn. It's unfortunate the number of breaches that have occurred over years has exposed so many ssns that we're all vulnerable to that. So i'd love to see us engage in that discussion. 
In terms of internally, there are some independent i believe the wall street journal noted independent groups that analyze vulnerability of you, of equifax in terms of what you're going to be dealing with. Do you look at that sort of analysis and who is responsible for identifying that and taking it seriously to see that patches aren't needed but we're being proactive to make sure that the breaches do not take place? Yes, we routinely bring in outside consultants, advisers to help us check double-check, rethink tactically steps we can take as we've taken since the breach. As well as long-term strategically steps we can take to make sure we're more secure. Thank you. Mr. Chairman, those are the questions i had. Yield back. Gentleman yields back. The chair now recognizes the gentleman from maryland, mr. Delaney. Thank you, mr. Chairman, and thank you, mr. Smith, for being with us here today. I have a couple questions about how you interacted or how your board interacted around this matter generally. It says in your testimony that you became aware of the information on august 11th but that you notified the lead member of the board of directors, mark fiedler on august 22nd. Did you have any conversations with other Board Members before that? Let me clarify. The first debriefing i had of any significance was on the 17th of august that included mandiant. Got it, sorry. Between the 17th and 22nd, did you speak to any other Board Members. On the 22nd of august was the first discussion with the lead director. What about other Board Members? The 24th and 25th we had two Board Meetings where entire board was updated. Is it the norm to wait this long to convene your board when a matter of this scale has occurred. The data was fluid, moving and developing each day. I felt that was an appropriate timeline. 
Under the sarbanes-oxley requirements for Public Companies as it relates to their internal controls, was Cyber Security or data breaches ever considered as part of the board of directors and the Audit Committee? In what way? Well, i ran two Public Companies and used to have to sit down with my Management Team and get certificates where they would assure me that things were being done in accordance with our procedures and then the Audit Committee would review these things. So that they could do their job under the requirements of the law. So in that the process, i assume you engaged in a similar process at your company. Yeah, we had two ways to engage as relates to security with the board of directors. One was at the entire board level through a device we call erm, enterprise risk management. At the top of that list was Cyber Security. Also go through deep dives with the directors on Security Risks. The second means of communicating with the board was through a committee called the technology committee. Technology committee is comprised of individuals some of which have a deep understanding of security. They would go into details of our security efforts, as well. If you were to kind of put the board's time in a pie chart representing 100% of the time they spent on matters related to the company, what percentage of their time would you say was spent on thinking about Cyber Security risk and data breaches? I would be guessing if i were to make that take a stab at that. Did you regularly have full discussions around the board table about this potential risk? You identify it as a risk factor in your Financial Statements i mean in your 10-K. Absolutely. So would you say 5%, 10%, 15%, 1%? Congressman. You chaired the board so you have a sense what occurred in the Board Meeting. I assume you set the agenda. On the agenda, was there a regular item about Cyber Security or data breaches in every Board Meeting. 
Routinely throughout the year, through committee and board meetings, the board is apprised. Which committees had responsibility? The audit committee. The technology committee. The technology. So the audit committee didn't? The audit committee would have purview as well, as would the entire board. The technology committee. We're a technology company; it was responsible for oversight of security and technology at the board level. So the technology committee made a presentation to every board meeting? Yes. Got it. Were there discussions about the technology budget at the board level about whether it was adequate in the area of cyber security? The technology committee, Congressman, would approve the technology budget every year. Got it. And they would bring it to the board for approval, or the committee level? Yeah. Got it. In your opinion, how mindful was the board before this event occurred as to the likelihood of a risk like this? Very mindful. You would say that your board spent considerable time trying to get to the bottom of the risk? We're a data company, to your point. That data security is the number one risk we have, and took that very seriously. Uh-huh. And as part of your, the disclosure statements that you received as a CEO where your direct reports would certify that things were being done correctly, did one of those certificates include some mention of the cyber risk and the potential for data breach and assurances that the systems were in place? We disclosed in every K and Q that security is the number one risk we face. Got it. Have you had other significant events in the company where you notified your board of these problems the day they happened? Have we ever notified the board of a security risk in the past? Let's say you had analyst expectations for earnings and realized during the quarter you were going to miss them. Would you call your lead director that day and notify them, or would you wait four or five days?
If there were risks to our financials in a particular quarter, we would notify the board. Sooner than five days? We've never had to do that in my time there. Time has expired. The chair now recognizes Mr. Pittenger. Thank you, Mr. Chairman. Mr. Smith, we are addressing a very egregious concern in our country. Obviously we have major threats, national security threats, affecting our financial systems, our infrastructure, our government. The private sector spends hundreds of millions of dollars every year regarding cyber security measures, as well as energy companies and other institutions. To date, we're aware that not just the 143 million consumers' personal information was exploited but additionally there's now another 2.5 million people affected by this initial account. Can you assure us that the 2.5 million are the last Americans whose data has been compromised? Congressman, can you repeat that last part of your question? Can you assure that the 2.5 million additional people who it's been reported that their data has been compromised, is that the last? I'm sorry, I missed that. Yes, it's my understanding from Mandiant, the experts, that, one, movement from the time you announced till the final conclusion is not unusual, and number two is, while I've not had a chance to read the press release myself, it's my understanding on Monday when it came out from the company, it said the forensic review is in fact complete. Yes, sir. Prior to this security breach, did Equifax, in your opinion, have preventive measures in place to combat a data breach of this magnitude? Well, obviously, a breach of this magnitude would not have occurred if everything was in place. Elaborate with us on additional measures that you believe could be put in place at this time. Congressman, many have, from the time of the announcement, actually before the announcement, we engaged experts to help us increase monitoring, penetration techniques, what they call white labeling.
IP addresses, a variety of things were put in place before the announcement on September 7th, but it's continued with 30-day plans, 60-day plans, 90-day plans. As I was getting ready to step aside, we engaged a top-notch consulting firm to help us rethink our entire strategy for security. Have you actively engaged in testing these databases for vulnerability? Yes, we do. Do you use third party or do this in-house? We do both. Can you please explain the process or standards by which Equifax has stored consumers' personal information? Say that again, please. Explain the process or the standards by which Equifax has stored consumers' personal information. Standards. I would say there are a variety of techniques used from a security perspective. There's layers of security techniques we use. There's, I think it was mentioned or asked earlier, is there an encryption procedure in place? Encryption, masking, layers in different ways to secure that data. Do you feel like there was adequate encryption in place? Could you have done more to prevent what occurred? If we could have prevented human error and the scanner from not finding this, that would have stopped this issue, yes. So there was a thorough encryption process in place, in your opinion? There's different techniques used in different areas. Encryption is only one of them. How do you and the rest of the leadership of Equifax plan to regain the trust of the consumers? By making it right for consumers. I thank you for coming. This is probably the hardest time in your life, but it's a much harder time for the American people whose data was exploited. We're here on their behalf. I agree, thank you. I yield my time. The gentleman yields back. The chair now recognizes the gentleman from Missouri, Mr. Clay, for five minutes. Thank you, Mr. Chairman, and Mr. Smith, thank you for being here. More than 2.5 million Missourians had their information exposed in the Equifax breach, and they will likely be impacted by it for years to come. Can you share with this committee and the American public what types of activity these people can expect, whose identity has been compromised, and tell them what kind of activity they can expect from the thieves that took their personal information? Because most Americans have never had identity theft occur to them. Can you give us some examples of what they can expect over the next year? Congressman, I'd answer that in two ways. One, we have offered a comprehensive suite of services free to all Americans to protect their identity, to your point. Five different things we talked about earlier, and the important point there is I've offered that to every American. So regardless of them being impacted by our breach or not, they could have been impacted by the OPM breach, Anthem, Home Depot. We're covering all Americans with the suite of products. But describe for this committee and the American public the hellish nightmare they're about to go through when they find out that the IRS, that someone has filed taxes in their name and gotten a refund by the IRS, or that someone has gotten a credit card in their name. So Congressman, one of the products we're offering, as we talked about, is the lock. If the consumer takes the lock, locks access to their file, no one can open up a credit card in his or her name, as an example. You know, Equifax has offered consumers a year of free credit monitoring services, free credit freezes now, and a promise to provide a better product in several months described as a lock on consumers' credit reports. And at an Energy and Commerce Committee hearing held earlier this week, you stated that credit freezes and credit locks are virtually if not exactly the same. If the protections these products afford to consumers are the same, what is the need for the new term?
Congressman, lock was introduced through regulation in 2003 and 2004. What it was referring to in the quote you mentioned is the protection of the consumer is largely the same. The difference is the ability to freeze and unfreeze can be very cumbersome and is dictated at the state level. The lock product coming out in January of 2018 will be very user friendly; the consumer can lock and unlock from their iPhone. That's the difference. So because security freezes are covered by state law, if something goes wrong, for example if credit accounts are fraudulently accessed, will consumers be protected from financial liability? Congressman, again, locking or freezing protects the consumer from someone accessing their credit file to access credit, to rent an apartment. It's a secure way to protect their credit file. Okay. Yeah, but I'm talking about the activity that occurs when they are compromised, when their identity is compromised. What kind of comfort can you give these people? Can you tell them anything, that your company will work with them to resolve this, or what? Yes, again. We're working with consumers, impacted, not impacted, by offering five different products today for free, followed by the lifetime ability to lock and unlock your file for free. That should give them comfort, and the ability to stop people from opening and accessing their credit file. Do you agree that steering consumers into a product that is covered by a contractual agreement with your company, when a product you say is the same is already covered by many state laws, raises some concerns? No, sir, I do not. The freeze is still our product. The way a consumer gets access to freezing and unfreezing is set by state law. The time of the gentleman has expired. The chair now recognizes the gentlelady from Utah, Ms. Love. Thank you. Estimates are that about 60% of the adult U.S. population is affected by the breach. If you extrapolate the information to Utah, that's about 1.43 million Utahns that are potentially affected.
So my question is, what sort of financial products could be opened in my constituents' names if their data was part of the breach? Congresswoman, two things. One, if you're interested, we have the data of those that were a victim of the criminal hack by state level. If that would be interesting to you, we can get that to your staff. I'd love that. That would be great. But I'm still asking, what type, if they were affected, what type of products could be opened in their names? Well, if they signed up, as many have since the breach, for a lock product, the ability to lock their file so no one can access it or open a credit card, get a car loan, get a home equity loan, get a mortgage, the lock prevents that from happening. If they didn't get a lock, and they're still, if they didn't get a lock, that means credit cards could be opened up in their name. I want to get a list of things they need to look out for. We're offering a monitoring service as well. If you're a victim of the criminal attack, we'll send you notifications if there is suspicious activity on your file. Have there been any upticks in identity fraud or theft since the breach? Not that I'm aware of, no. You mean since the breach? Yeah. Not that I'm aware of. How do you know? We have fraudulent flags on files. Would you expect, when would you expect to see an uptick? Usually some of these things take time. If there were to be some upticks, when would you expect to see some of those? It depends. Some say the Social Security numbers, which is the piece of the PII we focus the most on here, have been out in the public domain, hacked in the past, for quite some time. So for my constituents that were impacted, how long should they expect to remain concerned about the potential impact on their credit files or identity? They should always be vigilant in looking at their monitoring products that we offer. And again, I go back, the first thing they should do is lock their file.
If they lock their file, they're going to rest better. So in terms of, I'm trying to, what I'm trying to do is to give a clear vision to people who are watching what they need to do. I understand locking their file. And some of, some people who are watching that today can do that, but in the meantime I need to give them things to look out for, what to look out for either before they do that or over the years, what they need to be aware of. Maybe I'll try to answer it this way. If the consumer is in Utah or anywhere in America, take advantage of the free service, whether you're a victim or not, of the five offerings we have. One is monitoring of all three credit bureaus' files. That's the first thing we should do. We do that for them for free. The second thing is access your credit file through us to look at it for suspicious activity. Three, we offer a dark web scanning service. We go out there for you and scan the dark web for activity. Four is we have the ability to lock the product for free. And there's a fifth one; I forget what the fifth one is. Those five products should give the U.S. consumer, the Utah consumer, far more comfort, followed by, January of next year, the lifetime lock. Can you explain, and I may have missed this, can you explain the difference between a credit lock and a freeze? Yes, the freeze was enacted in 2003, passed into law at the state level. Each individual state passed it into law in '05, 2004. The difference is the ability and the means by which a consumer communicates to us, TransUnion and Experian, versus the lock, which will be an application enabled on and off, much more user friendly, much quicker for the consumer. And I just want to reiterate one more thing that was brought up by the ranking members, that you are committing to work with people who may have been or have been affected, or may have had their identity taken and used, for their lifetime? Yes, we're offering every citizen, American citizen, a lifetime lock, the ability to lock and unlock for life.
Thank you. I yield back. The chair now recognizes the gentleman from New Jersey, Mr. Gottheimer. Thank you, Mr. Chairman and Mr. Smith. Thank you for being here today. As a former Microsoft executive, I have appreciation for corporate integrity and where the buck stops. Issues come up all the time. It's how you handle them when they do come up. It seems your response has been more of an Equiscam than an Equifix. If you're going to take four to five weeks to tell consumers what happened, I don't understand where the gap was in terms of putting information together so that you can respond well. If you could help me here, out of the 145 million consumers impacted, only 7.5 million signed up for monitoring services, is my understanding. Have you, why, do you think only 10% have, and why not auto opt everyone in since you have their information? It's illegal. Requires consent of the consumer. Since you know their addresses and information and many of their emails, why not send them a letter and say, would you be interested in this? I may have mentioned in my oral testimony that the awareness is at record highs for breaches. Over 400 million consumers have come to visit. They know. Would you be against sending a letter to them to give them information so they will know, so hopefully you can get more signed up? Again, I think they do know. Is that a no? You're not willing to do that? I was going to answer. Please. So we sent the press release out to notify. We set up a website. We gave phone numbers. We followed state law where that was required for local advertisement to create the awareness. The 2.5 million that was mentioned earlier that the company released of additional victims of this crime on Monday, those individuals, because of the fear of false positives, were notified via email or will be notified via email. The rest, 143 or 144 million plus, you would not be willing to reach out to? We followed the process that is legal and acceptable for this.
What is being done to resolve the problems with your website, I'm sure you've heard about them, to make them more stable, eliminate dead and confusing links, and make information more accessible? People got emails saying we can't get to this for a few weeks. What do you do about the website crashing? The volume was overwhelming, as I noted early on. They've taken the right steps to fix that experience. It's my understanding that the experience at the call centers and the website are far, far better today than they were September 7th. Yes, and I think we should bring them to your attention. When we crash, people get even more anxiety. There are a lot of resources to take that can help you with that. Can you verify for me the arbitration clauses or legal liability limitations are not being included in your offerings of credit monitoring, credit freezes and locks, and identity theft insurance? The arbitration clause is a standard clause in products we sell to consumers. They have the right not to buy products from us but go somewhere else to get that product. The intent was never to have the clause apply to the free offerings. We were made aware of that within 24 hours, took that arbitration clause off. Equifax is claiming to provide $1 million in insurance for identity theft to affected consumers, but the coverage has numerous exceptions, and the time frame for covered loss can be unclear to some people. Do you believe this insurance is in lieu of reimbursing customers for actual losses? No, it doesn't cover everything. That is correct. Expenses incurred. I think the five services we're offering up front, combined with the lifetime ability to lock your file, are the right steps for the company to take for consumers. I think this is a big issue, because you see a lot of insurance companies and they provide this coverage, but it doesn't do what people think. As the liability occurs, there are holes. Have you, I'm sure you've heard about the phone call wait times.
I know one of my constituents wrote they were on the phone for an hour the other day, and others have called in about it being 45 minutes. What's the improvement been? Been dramatic. We've gone from 500 call center people to over 2,700, was the last number I've heard, of trained people to handle those phone calls. Wait time now? It's come down significantly. I don't have the exact number. I saw the data earlier in the week. Is that information you can get to us, a sense of where you are now? Yes. It shouldn't be more than a couple minutes. Obviously there's huge capacity to add bodies, given how people have huge anxiety over this issue. People can't feel like this is a scam. They have to feel like you're fixing things for them. Thank you so much for your time. The time of the gentleman has expired. The chair now recognizes the gentleman from Arkansas, Mr. Hill. I thank the chairman. Thank you, Mr. Smith, for coming in today. I appreciate the chance to visit with the committees on Capitol Hill about this issue. It's something my family understands. We've had the pleasure of being in the OPM breach, the IRS breach, and couldn't file our returns on time a year ago, and now we received, we're gratified to receive, your email about also being in the Equifax breach. I can feel the frustration for a lot of Americans, and in our Arkansas, according to our attorney general, 1.2 million people in Arkansas, some 40% of the population of the state, are covered by the announced breach by Equifax. So we do appreciate our chance to sit down and ask the hard questions that were being asked by our constituents. I want to follow up on some of the line of questioning and start out just talking about the management practices at Equifax, if I could. Did you have a weekly executive management meeting with your top officers, your direct reports? Are you referring to post-breach?
No, just generally, as a general practice at Equifax, did you have an executive management meeting with your direct reports on a regular basis? Maybe I shouldn't have said weekly. Yes, Congressman. We had routine operating mechanics to run the company. Some might be weekly, some might be every other week, some monthly, some might be quarterly. I'm sure a mix of levels of people in the company came depending on the topic. In your sort of direct report meetings, so would Mr. Gamble be in those meetings of that smaller group, whatever frequency it was? Largely, yes. He would be involved in many of the meetings as the CFO. And Mr. Loughran, the president of information systems, would he have been in that meeting? Again, I've got 12 to 13 direct reports. Is he one of them? Is he a direct report? The three you're probably going to, Rudy would probably be the third. All three are direct reports to me, and all three would be in most of the meetings we would have. Mr. Kelley as well, the chief legal officer. There's 13 or 14 individuals, yeah. So I'm just curious, in that meeting of sort of your trusted advisers of the top echelon of the company, between March 8th and the end of July, did this topic come up among that group? No, sir, it did not. And in that period between March 8th and the end of July, when did you really feel, or you were told, that it was a serious business challenge? It wasn't till the detailed review we had, as noted I think in written testimony, on the 17th of August with the cyber security forensic team Mandiant, the outside legal team of King and Spalding, my team. That, the 17th of August, was the first deep dive. Let me talk about the section 16 officers in the company. I'm sure the people we just talked about are all section 16 officers. Chief legal officer, the CFO, yourself, Mr., the president of the information system, Mr. Loughran, all section 16 officers? That's correct.
In your 12b5-1 plan, I assume that's all holdings and then any in-the-money options would be covered by somebody's pre-plan to sell stock? The 10b5-1 plan? Yeah. Yes. Both your personal holdings and then any in-the-money options that were in the money at the time of filing of an open period. You're referring to me? No, just your plan as a corporate officer in the plan. Some officers may have had a 10b5-1 plan, others may not have. It wasn't a requirement by the general counsel that everybody have one. No, the requirement was that the general counsel has a clearing process that he has to approve before an officer can sell stock. How many days a quarter do you think you had available? We wait a day or two. 30-day window. General indication is the sooner in the opening versus later. Can you think of a time when your general counsel canceled that window due to a material nonpublic information effect while you were CEO? In other words, you couldn't use the window because people in the group had material nonpublic information. There were a few times, yes. When did you, did you have a lead director, since you were the chairman, in your public company board? Did you have a lead director? Similar. We called it a presiding director. Right. And when did that person find out about this? The 22nd of August. Okay. Thank you, my time's expired. The chair now recognizes the gentleman from Minnesota, Mr. Emmer. Thank you, Mr. Chairman, and thank you, Mr. Smith, for sitting through this again today. Obviously you've heard this over and over today and in your prior three congressional hearings. I, like most people, am very concerned about the timeline of events. I appreciate what I take is a sincere apology of yourself on behalf of Equifax and the acknowledgement of both the human error that you point out from last March and the error in technology, the scanning process that didn't work.
But the timeline of the discovery of the issue, the sale of the company stock by three top executives, and the disclosure of the breach to the impacted American consumer, which in Minnesota's case I believe we have a little over 2 million that have been identified at this point, raise serious potential ethical and legal questions. So I guess I'm echoing what our chairman said at the outset of this hearing, and that is that the company, and I would say current and former executives like yourself, I would hope are going to continue to cooperate to the fullest extent with the FBI, the S.E.C., any agency that is investigating this, so the truth can actually get out into the light and people can know exactly what happened. I know you can't commit on behalf of the company, but I'm sure you would commit on your own behalf, even in your current capacity, that you'll continue to cooperate to the fullest extent. Absolutely. I wanted to talk a little about the area. Today it's about Equifax. Even though we all know it, it seems to be unspoken that this is such a fast-changing environment. I was in a business that will go unnamed in Minnesota, and they have this huge investment in technology. They take you into the back room and they have these screens, flat screens, around the room, and they are showing you in real time all of the attacks that are coming in by the second and the minute. And I don't think it's just about Equifax. This is a huge issue. In 2014, the U.S. Postal Service had a breach that exposed personal data on almost a million employees, and they had to shut it down. The IRS in 2015 had almost three-quarters of a million people affected by a breach. The Office of Personnel Management had one in June of 2015, and even the SEC just last year had the breach of the EDGAR online filing system. So this isn't just about Equifax. This is a much bigger issue. In the short time I have left, there are two areas I would like to talk to you about.
One is, I get worried in this place that the snap reaction of elected officials is more regulation, more stuff that you have to comply with, which I suspect takes resources away from the stuff you're trying to do to keep up with the ever-changing technology and the way the bad guys are trying to breach these systems. I'd like to talk about that for a second before we talk about rethinking Social Security numbers and dates of birth for identification. Congressman, I share your views there. It's amazing. A recent publication came out, I think last week, that talked about, in 2016 alone, over 4 billion pieces of consumer information was hacked in one year alone. It's a rate I have not seen in my career, accelerating if nothing else. Something public and private organizations can work on. If regulation can prevent a breach like this from occurring again, I'm all for it. This was not an issue, in my humble opinion, that more regulation would have addressed. As you go forward into the next stage of your career with this experience that you now have, I mean, would you give a word of caution because of the compliance costs and how that could negatively impact your ability or others' to keep up with the technology? Yes. Oftentimes we're all in a reactionary environment, and the first thing we think about sometimes is regulation is the issue. I think there's a lot of things that the public and private together can do. You mentioned one of them, to think about the identifier we use for the American public and is there a solution beyond SSN. Thank you very much. The chair recognizes the gentlelady from Arizona. Thank you, Mr. Chairman. I am deeply troubled by the Equifax data breach that compromised the personal information of over 145 million Americans. Every American should take precautionary measures to ensure his or her financial security. Arizona seniors are particularly at risk, and especially now. We must make sure safeguards are in place to protect them from financial fraud.
I've been working with the congressman from Maine to pass H.R. 3758, the Senior Safe Act. This legislation ensures financial institutions have the regulatory flexibility needed to report suspected instances of financial abuse of seniors. Every Arizonan deserves to have confidence that his or her data will be kept safe when applying for a credit card, accessing a small business loan, or buying a home. And today's hearing is an important step in finding out what went wrong and what must be done to protect consumers. Mr. Smith, thank you for being here today. By your account, it took Equifax 40 days to let the American people know, via a press release, about a data breach that had lasted for 77 days. Additionally, hackers exploited the failure of Equifax I.T. staff to patch software for the 65 days leading up to the breach. That adds up to 182 days of Equifax failing to put Arizona families first. Your testimony before this committee seeks to detail the internal deliberations and legal consultation leading up to the press release on September 7th. But it does not excuse the end result. An Arizonan whose name, address, and Social Security number was taken on day one of the breach under your watch was left vulnerable and in the dark about the data breach for 117 days. That is disgraceful and unacceptable. More than most, Arizonans value their privacy. Instead of taking every precaution to secure our personal data, Equifax jeopardized our privacy and made millions of Arizonans significantly more vulnerable to identity theft and financial fraud, and now we must take every step possible to minimize the damage and better address future data breaches. It's believed for the vast majority of Americans this data breach was limited to their credit header data, things like name, address, date of birth, as well as addresses, alias, and Social Security numbers. So my first question to you, Mr. Smith, is, while this information alone is highly compromising, it does not include Americans' most private financial information. Are you aware of attempts by these intruders to broaden the scope of the data breach to capture private financial information? If so, were any of those attempts successful? And if not, why do you think hackers opted to forgo the more private financial data? Congresswoman, there are millions of attempted or suspicious attacks each and every year across a wide array of our data assets. We have no knowledge from the forensic audit done that any of the core credit, as you refer to it, data was compromised. As to why, that goes back to the written and oral testimony I gave, which is the Apache Struts software that sat in a different environment, completely outside of the core credit file, that was not patched. That's why they were able to penetrate that environment. Mr. Smith, your testimony stated that it took the Equifax I.T. staff 76 days to notice suspicious activity after the breach began. Can you tell me how the intruders were blending in with normal network traffic while simultaneously stealing this data from Americans, and what do you think took the I.T. staff so long to notice the breach? They were fairly sophisticated, the criminal hackers. They moved about the system without redefining large files, so files themselves in size were not suspicious. They were also clever enough not to move at speeds. We have velocity indicators looking for things moving at very high speeds. They were sophisticated enough to do neither. Thank you. While the Equifax breach was significant, it was still only the fifth largest data breach in the U.S., and all five of the largest data breaches have happened within the last five years in our country. And we as a community here in Congress must recognize these data breaches are increasingly frequent and undermine the trust that Americans place in the marketplace and their government.
Whether it's Equifax or the Office of Personnel Management, Americans deserve to have institutions, both public and private, that work in good faith to safeguard their data from those who would harm them. I would urge that Congress should recognize cyber security is not a niche issue to be left to the next generation. We must find real bipartisan solutions that give Americans the opportunity to succeed. Thank you, Mr. Chairman. I yield back my time. The gentlelady's time has expired. The chair recognizes the gentleman from Ohio, Mr. Davidson. Thank you, Mr. Chairman. Thank you for your testimony. Thank you for your sincere apology. We recognize that all these companies are staffed by humans, and humans fail, as does technology. However, we also recognize a high duty of care responsibility for fiduciaries, and I was a little concerned as I was tracking your structure and the attention given to governance. Does I.T. report through your CFO, or is it a direct report to you as the CEO? It's a direct report to me. Within I.T., you've emphasized you're a technology company. What's the structure like within I.T.? Is there an information security officer in the I.T. channel, or is that broken out separately? The chief global security officer is a direct report to the general counsel of the company, and the general counsel reports directly to me. Okay. So do you feel that your governance structure was adequate? I'm not sure I understand the question. So given that this error happened, you mentioned you had some closed-loop system failure, where you had things that are supposed to happen but didn't have a closed-loop system to make sure they did happen. Do you feel there was any failure in governance? Was the structure part of the issue at all? I believe so. I don't think structure determines success or failure of a process or of a business. It is people and technologies doing the right thing.
So having the chief security officer report and technology reporting to me, to the CFO, I'm not sure would change the outcome of what we just experienced. Okay. That's a little concerning, but that's your philosophy. On trading, so when you look at, aside from the cybersecurity concerns which have been covered extensively, I was planning to go down a similar path of my colleague Mr. Hill who talked about how trades for board members, executives within the company are approved, what's the timing like for that, and also noted that you said there were times where, because shareholders of record inside the company had information that was nonpublic and material, those trades were suspended. And I can't think of a more public time where it would probably have been appropriate to suspend a trade than while you had a breach of this. Was that an error, an omission, or do you feel the governance worked correctly in that instance as well? Congressman, let me be very clear if I may there. There is a process to clear trades. It goes through the general counsel. I'm not involved in that process. These three individuals that traded, it is my understanding they had no knowledge of the breach. Remember back to the timeline we talked about earlier? It was the 31st was when the portal was shut down. We hired the forensic auditors and the law firm on the 2nd. It wasn't until later in mid-August that we had indication that something was going on that involved large amounts of data and PII. These three traded the 1st and 2nd of August. They followed the process, the protocol we had in place at that time. Okay. 
So based on the knowledge your counsel had that reviews these sorts of things, would it have been part of the procedure to say, hey, we've just had some very substantial material information that is nonpublic, isn't there a clear concern, four days of testimony here, I'm sure you're going to keep talking about this for a long time, that given the amount of material information that was nonpublic that executives and board members should not be trading in these shares? Congressman, again, clarification. The 31st of July, the only indication we had there was a suspicious incident. No knowledge of a breach till weeks and weeks later. Number two, it should be noted this is a topic that's of priority for the board of directors and there's an investigation currently going on by the independent board of directors. Do you think it was a mistake to not cancel pending trades even if they had been ordered before the discovery of this nonpublic information given that they were actually going to occur in that period? Congressman, on the 1st and 2nd of August we had no idea other than a suspicious incident and a dispute portal. Chairman, my time has expired. I yield back. The gentleman yields back. The chair recognizes the gentleman from Colorado, Mr. Perlmutter. The gentleman passes at the moment. The gentleman from Tennessee, Mr. Kustoff, is recognized for five minutes. Thank you, Mr. Chairman, thank you, Mr. Smith, for being here today. If I could, Mr. Smith, I think from my standpoint and listening to others question you today, really the most glaring problem is the length of time between when this breach occurred and when the public was notified. I've heard your explanations this morning. 
To that end, on September 7 when Equifax reported they recently discovered, quote unquote, information, of course you knew back in July, so if I can back it up for just a moment, from a governance standpoint, did Equifax have a preexisting plan in place for a contingency such as this, for a breach such as this? If I may before I answer the question, point of clarification, I was not aware in July there was a breach. I was not aware till mid-August as I've said before. And then not till late August that there was a breach, and even that date continued to evolve until September 7th and again till Monday of this week. To answer your question specifically, Congressman, yes, there was a crisis management written protocol in place and it applied to many crises including a data breach. Did it anticipate a breach as big as this breach? No. The crisis management protocol that we have in place is a breach in general. It doesn't specify you react differently if it's 145 million versus 5 million. Did Equifax in fact use that protocol for this breach? Yes. Was it executed properly? Not with that issue, as we've talked about, but that's because the system, the people were overwhelmed on the sheer volume. I understand that the website that you've set up for consumers about the breach, which is equifaxsecurity2017.com, that domain name was secured on or about August 22nd. Does that sound about right? Sounds about right. So that website in some form or fashion was ready to go some two weeks prior to the announcement. Is that right? Yes, Congressman. That's approximately right. Remember, we talked about the one, data was still moving, was fluid, one wanted to be as accurate and transparent as possible on the data. Two, we talked about the cybersecurity forensic team that recommended we prepare for increased cyberattacks post announcement, and third was we had to stand up the environment you're referring to so consumers could get access to free services. 
At the beginning of this morning you were asked about law enforcement. I understand that the FBI is involved. They're leading the investigation. Is that correct? That is correct. Is the Secret Service also involved? Not to my knowledge. Are there any other law enforcement agencies involved in the investigation? There may be. I've been so focused on the FBI. I know that law enforcement, whether including the FBI, there possibly be other law enforcement, other agencies that are involved in the investigation. Is there any law enforcement agency or any agency whatsoever that recommended to you or to Equifax that you not disclose this breach until when you disclosed it in September? To the best of my knowledge, no. They were involved starting August 2nd. We communicated with them routinely throughout the process. We made them aware in September we planned on going live on September 7th. You mentioned earlier you hired Mandiant on or around August 2nd. Right? King & Spalding you've hired for legal purposes. Have you also hired a PR crisis team? Yes, Congressman, we did. Who is that? In fact, we hired two. A company called Edelman, a well-known crisis management team at the tactical level to help us understand, track a variety of input from different sources, social media, broadcast media, regulators, state AGs, so on and so forth, and a crisis management kind of strategic consultant as well. You mentioned King & Spalding. Have you inquired of King & Spalding or any other law firm concerning bankruptcy protection for Equifax? No, sir. No bankruptcy protection whatsoever? Have I consulted a law firm or anyone else concerning bankruptcy protection for Equifax? No, sir. Let me ask it another way. Has anybody at Equifax sought advice for bankruptcy protection for Equifax? Not that I'm aware of. That's all that I have. I yield back. The time for the gentleman has expired. The chair recognizes the gentleman from Maine. Thank you, Mr. Chairman. Thank you, Mr. 
Smith, for being here. I know you've been on the Hill quite some time and a lot of these questions have been asked before, but this is so important because it goes central to our economy. It really does. Here we are on a new pro-growth agenda for this country, lower taxes and fewer regulations and trade that is fair and energy prices that are lower and stable. And then something like this happens. I know you folks got hacked. And I know you're doing the best you can with it. But, you know, the results of this might not be felt for quite some time. Think about this. About a third of our country, 40% of our country, 60% of our adults, 145 million people, Mr. Smith, 145 million, and criminals now have the Social Security numbers, their addresses, their birth dates, and, you know, when my mom was 89 had to, you know, I had to go in and sign up for Medicare. What do you need? Your Social Security number. And this is really, really serious stuff. I accept your apology. I hope the American people do. I don't know if they will. But we have a population in Maine of about 1.3 million people. I'm guessing half a million got affected by this. Now, I am also very concerned about the perception at least of wrongdoing when it comes to our securities laws. You know, you're a publicly traded company, or Equifax is. That means folks in Maine, rural Maine that I represent, are saving for college or for their retirement, little savers, small investors, the little guy, they can buy some of your shares in the open market and take a bet that your growth is going to reward them and take a bet on the U.S. economy. Then all of a sudden we've got material here, if you believe it, I don't know, there's an investigation I'm sure that's going on, that says that in late July you folks knew about a breach, and a breach which is central to our business, my gosh. 
You folks collect all this sensitive information and you sell it to banks and automobile dealers and what have you to make sure they get accurate credit reports and money can flow through the economy and families can get mortgages and buy cars and businesses can grow. This is really serious stuff. So any breach of that information, your business plan is central to your success as a company and therefore it affects the stock price. So now we see information, if it's true, I don't know, that you had folks on the inside, and it's really hard, Mr. Smith, for me to accept the fact that you had about a dozen people reporting to you and they didn't know what the heck was going on when something is so central to your business plan. I mean, it looks like some of these folks acted, three in particular mentioned today, acted to sell their stock before the breach was announced, about a month before, to escape loss in the stocks they owned, which is stock in your company. If that's the case, the little guy gets screwed. Because guys on the inside who know this information avoid the loss, but the little folks that I represent up in Maine, and they are hardworking, and they save every penny and they are worthy of all the income they have, they've invested in your company, in America, invested in our economy, and they get screwed. I've got a question for you. Now, I may be wrong about this, Mr. Smith, but the information I have that's public says that you own about 285,000 shares of Equifax. Is that true? Yeah, I believe that's right. Okay. Fine. And given roughly the market value of that, its, your outstanding price per share, it's about 28 million bucks or something. Do you or did you sell any of your stock between the time when the breach was learned on the inside and when you announced it to the public, when everybody else in America had that information? No, sir. Okay. Here's one of the other things that drives me crazy: confidence. 
We have business at a 15-year business confidence, a 15-year high. We have consumers who are confident about the new direction for a growing economy with more jobs and fatter paychecks. And then something like this happens which shakes our confidence. Now, I know that Congresswoman Sinema mentioned this, and I want to ask everybody in our conference, Republicans and Democrats, to support a way for Congress to help, the Senior Safety Act. We think it's a good idea if seniors who are very vulnerable to this sort of identity theft and fraud are able to go to their bank, materials and their insurance agents and plan for their retirement and say we suspect fraud here of all types. We want to speak up to the authorities and not be liable for doing so. That's a great bill. Thank you, Mr. Smith, for being here. Appreciate your time. Time for the gentleman has expired. The chair recognizes the gentleman from Pennsylvania. Thank you, Mr. Chairman. Mr. Smith, when I first heard about the breach I was obviously very concerned like all Americans were. Equifax, which is tasked with guarding millions of Americans' sensitive and personal data, has violated the trust of the American people. It's not acceptable and I commend the chairman for convening today's hearing so we can understand what went wrong and how we can prevent it from happening in the near future. My constituents in western Pennsylvania sent me here to hear their voice. I would like to share their thoughts. David from Allegheny County, Pennsylvania, wrote: I am more than a bit angry about the Equifax data breach. While I understand that crime will always be a part of life, I am outraged by Equifax's response to the situation. They have allowed my personal information to be compromised and made available. This has the potential to impact my wife and I for the rest of our lives. 
Rob from Cambria County, Pennsylvania, wrote: Equifax must be held severely accountable for the massive data breach affecting nearly every adult American including my entire family. They must answer for their weak and seemingly disingenuous initial response and notification regarding the breach. And Alan, also from Allegheny County, described it as an endless circular conversation and added, quote, frankly, I am rather tired of this ongoing fiasco. These are real people whose concerns need to be addressed; hardworking Americans are scared and they deserve answers and they need to be made whole. I understand that, you know, we talk about a little bit of the timeline here. Equifax discovered the breach on July 29 and notified the FBI two days later. The team was brought in a few days later to investigate. But Equifax did not notify the public for over a month. I understand from your testimony this delay was partly due to concern that public notification would invite more bad actors to compromise your systems. With that said, it's still concerning that more than a month lapsed between the discovery and public notification. I'm curious if there was a specific event or fact that finally led Equifax to make the disclosure. For example, September 7 was the date it was disclosed. Did you know something on September 7th that you did not know on September 6th? Congressman, a point of clarification. We did not, were not aware of a breach of any sort back in the July time frame you mentioned. You noticed activity on July 29th that was suspicious. We noticed suspicious activity on our databases around the world to the tune of millions per year, so what we saw, thought we saw in late July was nothing we haven't seen before, suspicious activities, unfortunately, in this environment very common. A couple days later you're already engaging outside vendors. And that in itself is not unusual. What did you know on September 7th that you did not know on September 6th? 
I don't have a specific answer. I can tell you this, the time frame between mid and late August and September 7th as I mentioned before was very fluid. We saw on Monday's announcement this week that picture continued to develop. As we found 2.5 million more consumers were impacted, announced on this Monday. It was an ever-evolving set of facts. You testified that data was not encrypted on your database. Is there a reason for that? Again, there are different levels of security and different environments, and encryption is one, masking is one, firewalls are one, encryption at rest is one, encryption in motion is another technique. So there's no one single technique that protects consumers' data. A lot of people are watching at home wondering if their data was compromised in the breach. Many Americans are still wondering whether their personal information that is currently being housed at Equifax is safe. Is their information currently safe today? We have no knowledge that any other information we have in our database in the U.S. or around the world was compromised. It was limited to this one dispute portal we've talked about now for a number of days. Is there a reason that you're choosing not to disclose the scope of insurance coverage? Yes, there is. Could you share that with us? I prefer not to. And the reason being, Congressman, is when you disclose a number, it puts a target out there for others, for lawsuits and so on and so forth. That's going to be disclosed in discovery. And you already have lawsuits out there. Yes. But you're choosing not to. Correct. I yield back, Mr. Chairman. The gentleman yields back. The chair recognizes the gentleman from North Carolina, Mr. Budd. Thank you, Mr. Chairman, and Mr. Smith. I think what's infuriated the people I serve in North Carolina is they really didn't volunteer to have their data stored at your company. They didn't say, Equifax, here, take my data. So there's an element, and it's a major one, a trust element. 
And that's really been shattered. Let me shift over to a personnel topic. Why were the chief security officer and the chief information officer allowed to retire instead of resigning and being fired? I believe you yourself resigned. It's semantics. They're out of the job now. The day we announced their stepping down, they were no longer effective. They are individuals who can add an advisory capacity for a smooth transition between themselves and the two announced interim individuals we have at the CIO level and the chief security officer level. And then those individuals were placed with full-time people, which they will be at some point in time, they can add value there. So nothing more than having them assist in a smooth transition. Beyond semantics, what was the cash value of their retirement packages? I don't know specifically, but we can get that information to you. If you would, please. Did those officers undergo any financial repercussions as a result of their retirement other than foregone future salary? They lost their jobs and there's no bonus. So just foregone future salary and no bonus. Correct? That's correct. And no severance for either one. Did the decision to allow them to retire instead of terminating their employment increase or decrease the size of their severance package with the company? You said there was no severance package. Right. In general, does an employee of Equifax Corporation who retires have more access to benefits, receive a better separation agreement than someone who resigns or is fired? Not to my knowledge. So it's more likely than not that not only did Equifax not punish the individuals responsible but actually rewarded them through this decision by not firing anybody? No, sir. They're both out of a job. Chairman, I yield back. The gentleman yields back. The chairman recognizes the gentleman from Indiana, Mr. Messer. Mr. Smith, thank you for being here. 
I admire your stamina sitting through this, but I've got to tell you, the more I hear about this, the madder I get. Excuse my tone. Have you had an opportunity to log on to the Equifax page and do this process of determining whether you were part of the breach? Absolutely. I did it, and so I, I had to give my birth date multiple times, had to give parts or all of my Social Security number four or five times. I answered a question or two wrong, so I had to call into the webpage, I mean call into your calling service, and I had to give my Social Security another time. Has it crossed your mind that given the recent breach and the fact you guys have disclosed personal information for 140 million Americans that people might be a little uncomfortable giving you their Social Security number again seven or eight times to find out whether they were impacted? Congressman, I've talked to a number of people myself and I share your frustration and their frustration. We've tried to improve that process as much as we can. We have to validate you are who you are before we can offer you a product. You haven't built a great organization on trust. Will Equifax profit from the new data now being provided by tens of millions of Americans to your website? Will Equifax be able to take that information now that I've entered it again and use it commercially for itself or partners? The intent of this is a service, it's to offer the service for free, not sell, cross-sell, upsell you as a consumer. So this is the privacy notice you have to click on when you sign onto the webpage. It says here, I think in these two columns here, that this information can be used for joint marketing with other financial companies, for affiliates' everyday business purposes, for marketing purposes by, looks to me like, Equifax and the company that's doing this for you. If you're a consumer that gets a free service from us, our intent is to have that in an environment. We don't cross-sell or upsell you. The form says you will. 
So do I believe you or the form? Excuse me? The form says you will. What form are you referring to? This is the privacy notice. Again, will Equifax have the opportunity to use the information provided by consumers in their operations of commerce and therefore make a profit on it? Say it one more time, the intent is when you come to us to get a free service, with all due respect, we won't cross-sell or upsell you. There's a phrase, the road to hell was paved with good intentions. Your intentions were probably fine as 140 million people lost their information. It looks to me based on this form that you guys have the ability to do that. I want to ask you this question. Have you ever met anybody who had their identity stolen, Mr. Smith? Yes. It's a pretty miserable experience. Yes. It sort of destroys their lives. So when we talk about 140 million people, almost 4 million people in Indiana, it's important to realize these people are real people that have had their life put at risk. I've talked with people at my church, workforce, Equifax employees, my three daughters, my wife, my family. I understand the anger and frustration they're going through. I'm glad you appreciate that frustration. We'll return to that in a second. You said you have these five services you'll provide. When it comes to real compensation for people who have their identity stolen, the reality is they're not going to get much from you. Is that fair? What they're going to get, Congressman, is these five free services plus the sixth service, lock and unlock for life. If their identity is stolen, the compensation won't be much. I can give you a number. Total assets of our company are about 6.6 billion based on your annual report. Is that right? Approximately. Roughly that. If you take 147 million people, that's about 47 per person if you liquidate. If 1% of those people have some kind of damage, you've got about 4700 that you would have to compensate them anyway. 
I want to ask you this, though, because you mentioned how frustrated you were, and I believe you on this. This is where I think a lot of American people struggle. You would consider this a pretty major screwup, right? It's a breach, obviously. 147 million people. And you mentioned, let me use your phrase, the folks you found most directly responsible for that, they lost their job, no bonus, no severance. Right? Is that what happened to the people you held responsible for this? That's your words. My words are I'm ultimately responsible and I stepped down. So does it seem fair to you that you would get a 40 million to a 90 million bonus as you exit after you presided over potentially the biggest business screwup in modern history where 140 million Americans had their personal information stolen? Congressman, the only thing I walked away with was, I'll disclose the proxy, my pension and prior compensation. The American people are frustrated. Listen, again, I appreciate you being here, but they have a right to be frustrated. Doesn't seem fair. Time of the gentleman has expired. The chair recognizes the gentleman from Georgia. Thank you, Mr. Chairman. Mr. Smith, thank you for being here. I am impressed that you are here considering you're no longer in your previous position. I appreciate your attendance because this is difficult, it's a difficult time for 147 million Americans as well. A couple questions regarding some things you said earlier. What I want to be focused on is how do we prevent something like this from happening years down the road. Security is at the forefront of things we were working on. Very interested in what transpired to cause the problem, how can we avoid this in the future. First of all, you mentioned in a couple of instances as you were addressing some of the members' questions here, that you complied with all the state laws regarding notification. Is it state laws that govern our cybersecurity policy? Is there not a federal law that governs that? 
And if there are, why is that? Point of clarification. The size and scope and nature of the breach is making sure we balanced our desire for accuracy of the picture with the state laws of communication. That's what I was referring to. Okay. I understand. But are there federal laws that are applicable in this instance? Or is cybersecurity pretty much governed by state law? The state law was just the communication I was referring to. Okay. To the actual act of applying a patch, from what I understood in your previous testimony answering questions was you were notified of the vulnerability, a patch was provided. It was communicated that that patch should be applied but somewhere that did not happen. I guess the human error was the individual who was to apply the patch to that portal did not follow through. Is that correct? It's a little bit more than that. It was an individual in the I.T. organization from security, that individual is responsible for the patching process and never ensured that the proper person was communicated to and did not close that loop. And then, is there a level of oversight that should be there? In any given year it is not unusual to have millions of suspicious or potential attacks. Specific to patches, patches and the requirement for patches are very common. And they're stratified in different categories from critical to high, medium, to low risk, and the protocol internally, the amount of time required or allowed to apply the patch, depends on the criticality of the issue itself. So what would you rate this patch? It was critical. Critical. And when was the actual date you discovered that patch? Again, March 8th. We were notified by CERT of the need to patch. On the 9th the email went out to the teams to apply the patch and as we talked about before, there was a human error, the individuals did not close the process. On the 15th of March the scanning device did not find the vulnerability. But that's in March. 
Did you notify the credit bureaus or the other customers? Like how many customers do you have, how much confidential data is actually on your site you have in control, how many people would you say? Actual individuals that are on the site that would be vulnerable. Not just the total credit population in the United States, which is roughly 230 million, 240 million people. So that many people were affected by this? No, Congresswoman. The number we disclosed is 145.5 million. The services we're offering are to all Americans, but at this point 145.5 million were impacted. I decided to look on your site as my colleague pointed out. Ironically called trustedidpremier.com. I went to this and put in my own information, and it said I may have been breached and it does send me to another, I had to go through some protocols, reenter more digits on my Social Security, my name, then it reveals to me that nonetheless please enter more personal information. If people listening to this, my constituents, go on to make sure, find out if they've had their data breached, will they be vulnerable if they reenter this on your website? We've taken many steps since the breach to make sure it's secure. So this is secure. They can reenter their data and it will be secure. Yes. Thank you. The gentleman from Colorado. Mr. Smith, thank you for your testimony today. Thanks for lasting so long. Just a few questions for you. And I do have some sympathy for, you know, the attack, the breach, I mean, whether it's Anthem Blue Cross or Lowe's or Home Depot or JPMorgan Chase or the personnel department, the Democratic National Committee, lots of hacks have occurred. And everybody needs to stay vigilant to that. My questions to you, sir, are going to be more, you know, credit reporting agencies are not everybody's best friends. You know, they have a job where you try to actually say this guy's a good credit risk, this gal's not a good credit risk, whatever. 
And we had, and it may have been you and executives from Experian and TransUnion a few years ago, and there was a question about whether or not the algorithms that are the basis for people's credit reports were going to be disclosed to us as members of the Congress or whatever, and I think the testimony was that those were proprietary and patentable and were key pieces of information for the different organizations. Were you one of the ones that testified for us? Congressman, I was not. You're referring to the most common credit score in the industry, a score called the FICO score. Right. That may be what you're referring to. So if we wanted to get information at that point about how a FICO score was calculated, just, you know, is it fair to whoever's getting their credit score or credit report, we were told no, that's proprietary information. Do you know whether this hack, how you guys developed a FICO score, was stolen? Congressman, we're a reseller, if you will, in some cases of that FICO score. And there's no indication that we housed FICO scores that were hacked anyway. So the algorithm or whatever, that proprietary information, to your knowledge wasn't part of this theft? The algorithm is developed and controlled and owned by another company called Fair Isaac. And you don't have, your company doesn't have how that algorithm is created or developed? That is correct. Okay. I was asked by somebody from the Energy Committee, and I know you may have testified earlier today, do you know whether there was a foreign actor who was the perpetrator of this hack? We engaged the FBI and the FBI is continuing their investigation. There were some statements you made that there was a clever kind of ability to get some of, get around some of the safeguards you all had in terms of the speed or the volume, or is there a concern on your part or anybody at the company's part that this was an inside job? No indication of that at all. 
I mean, when somebody comes in and hacks, it's like they're trying to break into the bank. And your bank housed a lot of information, if you will. And you had some safeguards, you got the patch, so there's a vulnerability that they were able to get inside the bank, but then they were able to avoid a number of the different kinds of defenses you had within the bank. Did I mishear your testimony? Correct. So in this investigation, are you doing an internal investigation on top of the FBI investigation? How is that perceived? Yes. If I understand your question, there's the forensic investigation, which was done on the data that was compromised, was done by an independent firm. There is an internal investigation being done by outside counsel to look at all processes internally and individuals involved internally, if that answers your question. And then there's the FBI investigation as well. All right. Last question. Just when I was looking at, there's like 100 lawsuits, class action suits, a variety of suits. You were asked whether you had insurance for this, are you self-insured, you didn't want to give us an amount. Do you have insurance for this? We have cyber insurance, yes. Okay. And is there a self-insurance? Do you have self-insurance? Do you have a sort of money in reserve for something like this? There's retention that we have and then on top of that is a stack of participants up to a limit. And my last question, do you still retain shares in the company? Absolutely. Thank you. Time has expired. There are no more members in the queue. I'd like to thank the witness for his testimony today. Without objection, all members will have five legislative days within which to submit additional questions for the witness to the chair, which will be forwarded to the witness for his response. I'd ask Mr. Smith that you please respond as promptly as you are able. This hearing stands adjourned. 
The former CEO of Equifax, Richard Smith, wrapping up his fourth appearance before the committee this week. You can watch all the hearings at c-span.org.