
Good morning. The Subcommittee on Digital Commerce and Consumer Protection will come to order. Chair now recognizes himself for five minutes for an opening statement. Good morning. Today we are here to get the facts, to learn what happened at Equifax that led to the personal information of over 143 million Americans' information being stolen. Americans deserve to know what Equifax is doing to fix the problem and help individuals that are impacted. We must find out what happened. The public deserves to know what happened and what steps are being taken to protect their sensitive data going forward. Today's hearing needs to shed much-needed information and light on this breach. We've received assurances from Equifax that Mr. Smith can speak for the company on concrete remediation steps that the company took in the aftermath to secure its computer systems and to protect the affected U.S. customers, as well as what happened when he was chief executive. As chairman of the Digital Commerce and Consumer subcommittee I speak about the fact that we live in a digitally connected world. That fact of life can have many positive implications far and wide ranging for commerce, trade, communications, and entertainment. This breach is a massive reminder of the bad actors that are out there and the security challenges confronting our digitally integrated and data-powered economy. In this case sensitive personal information that's used to build credit histories and allow individuals to engage in commerce, open credit cards, buy cell phones, and apply on security mortgages has been compromised. Reasonable security measures must be implemented, practiced, and continually improved by companies that collect and store data in order to guard against unauthorized access to sensitive, personal information. Otherwise, consumers will face considerable financial harm. This risk is deeply concerning to me and I know that other members of the subcommittee share this view.
Priority number one, we must protect Americans and work to safeguard their personal information online. The recent Equifax data breach is unprecedented and it is also unique because of the sensitivity of the information stolen, including full nine-digit Social Security numbers. Over 143 million Americans are potentially impacted. This represents approximately 44 percent of the total U.S. population. In my home state of Ohio approximately 5.2 million customers are likely affected. Based on information released by Equifax, we are informed that the massive amounts of personal and financial information was accessed from mid-May through July 2017, including names, birth dates, addresses, and in some cases driver's license information. In addition, over 200,000 people had their credit card information stolen and over 180,000 people had credit dispute documentation stolen. This is a staggering amount of sensitive personal information and impacts an extraordinary number of credit-viable Americans that is in the hands of criminals that could result in fraud or identity theft. We need these numbers confirmed. Today, we must understand the following. First, how did the hackers get into Equifax's system for so many weeks and pull so much information out of the system without being detected? Second, what processes and procedures were in place in the event of such a breach and were those processes followed? There are many questions as to who knew what and when this information was known. This will have implications in other ongoing investigations. Further, the chief information officer and chief security officer made retirement announcements shortly after the public notice of the breach and have been available for questions about their role. Again, despite months of delay, why was Equifax's notification and consumer protection processes still met with misinformation, glitches, and overall confusion?
For example, there are numerous reports of difficulties accessing Equifax's dedicated website or call centers. And there were dismaying reports that the official Equifax Twitter account directed consumers to a fake website. I believe the American public deserves to know the facts about how the board of directors were made aware, its systems were vulnerable to hackers and how over 143 million sensitive data records were stolen. To that end, what were the steps taken and in what time frame to notify and help individuals that were impacted? I look forward to getting these answers today and many more questions for the American people answered this morning. And at this time, I will ask the gentle lady from Illinois, the ranking minority member, for five minutes for her opening statement. Thank you, Mr. Chairman, for holding this hearing. The Equifax data breach was massive in scale. 145.5 million American victims as of yesterday. I would call it shocking, but is it really? We have these underregulated private for-profit credit reporting agencies collecting detailed, personal and financial information about American consumers. It's a treasure trove for hackers. Consumers don't have a choice over what Equifax or TransUnion or Experian have collected, stored, and sold. If you want to participate in today's modern economy, if you want to get a credit card, rent an apartment, or even get a job often, then a credit reporting agency may hold the key. Because consumers don't have a choice. We can't trust credit reporting agencies to self-regulate. It's not like when you get sick at a restaurant and decide not to go there anymore. Equifax collects your data whether you want to have it collected or not. If it has incorrect information about you, it's really an arduous process, I've tried it, to get corrected. When it comes to information security, you are at the mercy of whatever Equifax decides is right and once your information is compromised, the damage is ongoing.
Given vast quantities of information and lack of accountability, a major breach at Equifax I would say would be predictable if not inevitable. I should really say breaches. This is the third major breach Equifax has had in the past two years. From media reports and the subcommittee's meeting with Equifax officials after the breach, it's clear to me that the company lacked appropriate policies and practices around data security. This particular breach occurred when hackers exploited a known vulnerability that was not yet patched. It was months later before Equifax first discovered the breach and it was another several weeks before Equifax shared news with the consumers, this committee, the Federal Trade Commission, and the Consumer Financial Protection Bureau. Senior officials at the company are saying they weren't immediately aware that the breach occurred and, yet, by the way, there were executives who sold over a million dollars in stock just days after the breach was discovered but yet not reported. And for a lot of Americans, that just doesn't pass the smell test. The response to the breach was its own debacle. They offered credit monitoring services that initially came with a mandatory arbitration clause which fortunately has been corrected. Equifax tweeted links to the wrong URL directing victims to a fake website. The call center was understaffed and in the end Equifax has had to apologize for its post-breach response almost as much as it had to apologize for the breach itself. Equifax deserves to be shamed in this hearing, but we should also ask what Congress has done or failed to do to stop data breaches from occurring and what Equifax plans to do. The same day that the Equifax breach went public, the House Financial Services Committee held a hearing on liability, harmony act, a bill to protect credit reporting agencies like Equifax from class action suits. Imagine.
In fact, Equifax was lobbying for this bill after the breach was discovered in July, still not reported, and the 14 Republicans sponsoring this bill should ask themselves whether this is really the industry they want to be in bed with. Companies like Equifax need more accountability, not less. I agree with the CFPB director Richard Cordray that the credit reporting agencies need embedded regulators to protect consumers' sensitive information. And then we need to go further. Last night I reintroduced the Secure and Protect Americans' Data Act along with Ranking Member Pallone and several other members of the Energy and Commerce Committee and our bill would establish, one, strong data security standards. Two, prompt breach notification, which we didn't get. And, three, provide appropriate relief for breached victims. Chairman Latta, American consumers don't just need answers, they need action. I hope that our bill can be a starting point for discussion on strengthening protections for Americans' data. Consumers deserve a whole lot better than they got from Equifax. And I yield back. Thank you very much. Gentle lady yields back. The chair now recognizes the gentleman from Oregon, the chairman of the full committee, for five minutes. I thank the chairman. We're here to do today what it appears Equifax failed to do over the last several months, and that's put consumers first. Our job is to get answers for the more than 145 million Americans who have had their personal information compromised and now fear they could be victims of fraud at any time. How could a major U.S. company like Equifax, which holds the most sensitive and personal data on Americans, so let them down? It's like the guards at Fort Knox forgot to lock the doors and failed to notice the thieves were emptying the vaults. The American people deserve to know what went wrong. We want a clear timeline of events and to understand what to expect moving forward.
As chairman of the Energy and Commerce Committee I've tried to put our consumers first at everything we do on public policy. So today we'll begin to get the answers for the public, hold Equifax accountable and make clear that businesses holding America's most sensitive data have a responsibility under existing laws to protect those data. Today gives whole new meaning to Mr. Smith goes to Washington. It's not a run on the bank that's at issue, it's a run on financial records of 145 million Americans. And the consequences and the inconveniences for our fellow citizens is every bit as important to discuss today as the reasons behind why this breach occurred in the first place. Mr. Smith, as former chairman and CEO of Equifax at the helm during and immediately after the breach, we appreciate your being here and we expect your candor and full cooperation as we march toward getting the facts in this case. While there's no such thing as perfect security, companies do have a legal obligation to protect sensitive consumer data. This diligence is necessary to both comply with existing laws and, maybe more importantly, earn and keep the public's trust in a data-driven economy. Given the size of the breach and the sensitivity of the data, we expect to learn more about how Equifax failed to secure its systems and what contingency plans were in place. Further, we need to understand how information flowed through the organization and when you and other senior executives were notified about the breach. In other words, how important was cybersecurity to you as a CEO and to the rest of your executive team? Did your employees have a way to report to you if they had concerns about how the security team was functioning? While there are still many questions that need answers, a few details have emerged. First, the vulnerability that the hackers used to get into the Equifax system was discovered in early March.
From the beginning, the vulnerability was described as critical and easily exploitable. That information was pushed out through multiple security information sharing channels, including by the U.S. Computer Emergency Readiness Team to Equifax's chief security officer. For some period of time between March and August of 2017, the hackers were able to sit on Equifax's system and siphon out 145 million records without being detected. How did this go unnoticed? Further, is there a process in place to raise flags or alarms when massive amounts of data are pulled out of the Equifax system? Then there are questions about Equifax's response for consumers that we need answers to. Why was the consumer-facing website created on a separate domain from the main Equifax website? Did anyone raise concerns about creating more consumer confusion with a separate website? Are consumers able to sign up for the products offered by Equifax today? How many consumers have placed a fraud alert on their account or frozen their credit? And on top of all the other issues, multiple times Equifax tweeted the wrong URL directing consumers to the wrong website to check if they were part of a breach. Talk about ham-handed response. This is simply unacceptable and it makes me wonder whether there was a breach response plan in place at all and if anyone who was in charge of overseeing and executing that plan. I have to agree with the interim CEO when he said there's insufficient support for consumers. It's important that as Congress does its work on public policy issues that the Federal Trade Commission and other agencies, including law enforcement agencies, continue their work, especially in light of recent reports that indicate there are markers of nation-state activity involved with that hack. But today, Mr. Smith, I and the rest of the committee and Congress and the country expect the answers.
After all, the buck does stop with you as CEO and I thank you for being here and I return the balance of my time. Thank you very much. The gentleman yields back and the chair now recognizes the gentleman from New Jersey, the chairman or the ranking member of the full committee. Thank you, Mr. Chairman. While I understand that law enforcement and internal investigations into this incident are still ongoing, I expect to get more information today on what happened and why it took so long to inform the public. Most importantly, we want answers for consumers because Equifax's response to this breach has been unacceptable. So too has been Equifax's ongoing lax attitude when it comes to consumer data. has been ten weeks since was discovered by Equifax's employees yet Equifax's customer service has been confusing and unhelpful. Equifax even tweeted a link to a fake website. Many of the remedies Equifax is now offering to consumers were not offered up front or in good faith. They were forced out of the company only after a public outcry and they are still inadequate. It's hard to imagine that anyone at Equifax thought it was a good idea to offer only one year of credit monitoring with an arbitration clause at first to boot. Free and comprehensive monitoring and identity theft protection should be offered for far longer than a year. Most recently, Equifax added lifetime credit locks to its offering which consumer advocates are weaker than credit freezes. Regardless, a lock or a freeze at only one credit bureau is almost useless. Equifax should work with the other credit bureaus to immediately create a free, quick, and easy to use freeze and unfreeze one-stop shop. And because credit freezes or locks may not work for everyone, going forward Equifax should do more than credit locks, it should give consumers more control over how their data is used and stored.
In addition, if Equifax wants to stay in business, its entire corporate culture needs to change to one that values security and transparency. This is not Equifax's first data breach in the past year. Consumers did not have any say in whether or not Equifax collects and shares their data and that's what makes this breach so concerning. This is unlike other breaches at stores such as Target and Michaels where consumers could make a choice and change their shopping habits if they were upset with how the companies protected data. That's simply not the case with Equifax. While data breaches unfortunately become commonplace, it's long past time for Congress, beginning with this committee, to act. Since at least 2005 this subcommittee has been considering data breach legislation but it's never become law and it's time we change that. Yesterday Ranking Member Schakowsky and I reintroduced the Secure and Protect Americans' Data Act. This bill would, i enforceable, robust data security practices and meaningful notice to consumers. It would also give additional protections to consumers after a breach. Of course breaches will continue to occur but they occur more often where there's no accountability and no preventative measures are in place. And our bill will not stop mistakes and cyber crimes from happening, but we need to start somewhere. So, Mr. Smith, I read your op-ed in USA Today last month and I appreciate that you're both sorry, but my question is, what now? I'd like to yield now the remainder of my time to my colleague from New Mexico. Thank you, Mr. Pallone, and I thank the committee's leadership for organizing this important hearing. 145,500,000 Americans, 145.5 million people at risk because of Equifax's failure. Now, Mr. Smith, the American people deserve answers and I hope you are prepared to provide them. Not just about what caused the breach, but what Equifax is doing to prevent this from happening again.
And to ensure that those who were harmed are made whole. I worry that your job today is about damage control. To put a happy face on your firm's disgraceful actions and then depart with a golden parachute. Unfortunately, if fraudsters destroy my constituents' savings and financial futures, there's no golden parachute awaiting them. We have questions and it's our expectation you have concrete answers, and I hope this hearing is just the start of our committee's work. I recently took a step in that direction by introducing the freeze credit, the Free Credit Freeze Act, to allow consumers to protect themselves by freezing and unfreezing their credit at no charge. It is unconscionable that Equifax failed so spectacularly to protect people's most sensitive, personal data. It's even more reprehensible that the same company profits from the pain that they have caused. And I certainly hope that we can get some assurances from the committee's leadership that he will have a markup and hearing on legislation to address this mess, and I hope that that assurance can be given before the holidays of 2017. I yield back the balance of my time. Thank you very much. The gentleman yields back. And this concludes our member opening statements. The chair would remind members that pursuant to the committee rules all members' opening statements will be made part of the record. Today we have Mr. Richard Smith, the former chairman and CEO of Equifax Inc., who is here to testify. Mr. Smith, you are recognized for five minutes to give an opening statement. Thank you. Thank you. Chairman Walden, Ranking Member Pallone, Chairman Latta, Ranking Member Schakowsky, the honorable members of the subcommittee, it's an honor to be here before you today. My name is Rick Smith and for the last 12 years I've had the honor of being the CEO and the chairman of Equifax.
Earlier this week I submitted a written testimony which at this time I don't plan on going through any detail on that but rather I'm here today to explain to you and the American people how criminal hackers were able to steal personal information on over 145 million Americans from our servers and as importantly to discuss with you today what the company's response was to that criminal hack. The criminal hack happened on my watch. And as CEO, I am ultimately responsible and I take full responsibility. I'm here today to say to each and every person affected by this breach I'm truly and deeply sorry for what happened. I've talked to many consumers, I've read your letters, and Equifax is committed to make it whole for you. Americans have a right to know how this happened. I've prepared to testify today about what I've learned and what I did about this incident in my role as CEO and as chairman of the board. And also what I know about the incident as a result of being briefed by the company's investigation, which is ongoing. We know now that this criminal attack was made possible because of a combination of human error and technological error. The human error involved a failure to apply a software patch to our dispute portal in March of 2017. Technological error involved a scanner which failed to detect that vulnerability on that particular portal. Both errors have since been addressed. On July 29th and July 30th, suspicious activity was detected and the team followed our security incident protocol. Team immediately shut down the portal and began our internal security investigation. On August 2nd, we hired top cybersecurity forensic and legal experts. And at that time we notified the FBI. At that time, to be clear, we did not know the nature or the scope of the incident. It was not until late August that we concluded that we had experienced a major breach. Over the weeks leading up to September 7th, our team continued working around the clock to prepare.
We took four steps to protect consumers. Step number one, determining when and how to notify the public. Relying on the advice of our experts that we needed to have a plan in place as soon as we announced. Step two, helping consumers by developing a website, staffing up massive call centers, and offering services free to every American. Three, preparing for increased cyber attacks which were advised by the cybersecurity experts that we should expect. And finally, continuing to coordinate with the FBI and the criminal investigation of the hackers. And also to notify other federal and state agencies. In the rollout of our remediation program, mistakes were made which, again, I deeply apologize. I regret the frustration that many Americans felt when our websites and call centers were overwhelmed in the early days. It's no excuse, but it certainly did not help that Hurricane Irma took down two of our larger call centers in the first few days after the breach. Since then, however, the company has dramatically increased its capacity and I can report to you today that we've handled over 420 million consumer visits to our website in just over three weeks. And the wait times at the call centers have been substantially reduced. At my direction, the company offered a broad package of services to all Americans. In addition, we developed a new service available on January 31st, 2018, that will give all consumers the power to control access to their credit data by allowing them to lock and unlock their credit files when they want. And they can do that for free for life. Putting the power to control access to credit data in the hands of the American consumer is a step forward. I look forward to discussing this new tool with you during my testimony. As we've all painfully learned, data security is a national security problem. Putting the consumer in control of their credit data is a first step towards a long-term solution to the industry, the problem of identity theft.
But no single company can solve a larger problem on its own. I believe we need a public-private partnership to best protecting data going forward and I look forward to being a part of that dialogue. Members of the committee, thank you again for inviting me here today to speak to you. I will close by saying, again, how sorry I am for this breach. On a personal note, I want to thank the many hardworking and dedicated employees who have worked with me so tirelessly over the past 12 years at Equifax. Equifax is a very good company with thousands of great people waking up every day trying to do what is right. I know they'll continue to work tirelessly as we have over the past two months to right the wrong. I'm looking forward to answering your questions. Thank you. Thank you very much. This concludes our witness testimony. We'll move into the question and answer portion of our hearing. I'll begin with the question, recognize myself for five minutes, and I would remind members, because we do have quite a few members that want to ask questions today, I'm going to try to keep the five-minute rule on questions in place so you'll hear the tapping. But I will begin with the questioning. Mr. Smith, the timeline of events is raising red flags I would like to ask you about. According to your statement, the first time you heard about the breach of security was on July the 31st of 2017, is that correct? Yes, Congressman, that is correct. And you first asked for a briefing about the breach on August the 15th, is that correct? Yes, that is correct. Okay. And the first time the board of directors was notified about the breach was August the 24th, is that correct, the full board? Congressman, on the 22nd of August I notified our lead director, presiding director at that time, the full board was briefed went to 14th, again on the 25th and subsequent meetings after that. All right. But notified the public about the breach on September the 7th, correct? That is correct.
You state in your testimony that you began developing the remediation for consumers on August the 24th or the 25th. Why was there a ten-day delay between you finding out that personal information had likely been stolen and goung deputy the reimmediating a plan and do you think that ten-day window was responsible for having learned about that personal information being stolen to start talking about how to talk to the consumers? Congressman, I understand the question. If I may go back to the time frame of the 31st. So the 29th and 30th, someone in security had detected what they deemed as suspicious activity. That is something that happens routinely around our business. On the 30th, to bring down this particular portal and they start their own internal investigation. As I had mentioned in my opening comments and my written testimony, on the 2nd of August they had engaged leading forensic experts, cyber experts and leading case following a leading law firm and their cybersecurity team. We talked to the forensics experts, they will tell you the complication where these criminals were, the inquiries they had made is a cumbersome process, that's why it took weeks before we had an indication for the breadth and the depth of the issue which brought us to the August 24th date that you had mentioned. Let's back up to July the 31st when you learned, again, you're talking with the experts at that time. You learned about the breach and you testified that you did not know the personal information had been stolen at that point. Did you ask anyone if personal information had been stolen when you found out about that breach? Congressman, on the 31st all I was told at that time was that security had noticed a suspicious movement of data out of an environment we call a dispute portal. It wasn't until later that they understood that was an actual dispute document. We had no indication on the 31st of July that there was any PII information that was normal.
So I guess, again, but not knowing if that information, that personal information had been stolen at that time, you know, your company's built on data and at any point did you think it was important or somebody in the company to start looking at personal data had been stolen at that point? Congressman, I can tell you we're working with the best forensic auditors in the business. We had a great cyber team with us. It took them time. At that time they did not know if data had been compromised, exfiltrated or what the data was. If we could go back, when did you find out about the breach in that conversation with your chief information officer, Mr. Webb, how did he exactly tell you that there had been a breach? It was a phone call? An email? In person? How did he notify you of the breach? It was a face-to-face brief meeting on the 31st. At that time he had just learned as well, so the data was very, very fresh to him. And the incident was described as an incident, not as a breach. Is that the normal way for that information, if there had been a breach at the company, to notify someone, for the CIO to come and just give a face-to-face or what is that the standard operating procedure, then? Congressman, at that time we had no indication it was a breach. It was a suspicious activity. Did you tell anyone else in senior management or any other members of the board of directors about the breach at that time or was it just not until you told the on August the 22nd when you had the one call and then the 24th before the rest of the board of directors, did anyone else know about the breach? Again, it's important to say on July 31st it was not, we did not know it was a breach at that time. Suspicious activity only. The first notification to the board was a lead director on the 22nd of August, which followed the chronology of events, a meeting I had with our cybersecurity experts and our outside counsel that occurred on the 17th of August.
That's when the picture was starting to develop. Okay. Thank you. My time's expired and I will recognize the gentle lady from Illinois, the ranking member, for five minutes. Thank you, Mr. Chairman. I'm going to get right to it. I wanted to ask some questions about John Kelly, the chief legal officer who I understand is responsible for security at Equifax or was at least at the time of the breach and its discovery, is that right? That is correct, Congresswoman. And Mr. Kelly in turn reports directly to you, the CEO, correct? Correct. Okay. So we were told that Mr. Kelly was informed by the chief security officer the week of July 30th, we've just been talking about that, that a cybersecurity incident, you mentioned that, had occurred, is that correct? He was notified, it's my understanding, on the 31st of July. 31st. That there was suspicious activity in a particular environment called a web portal that was a dispute environment. We were told that Mr. Kelly, this is our staff, was informed at the same time that the incident might have compromised personal, personally identifiable information. Is that correct? The only knowledge I have is he was notified on the 31st that there was suspicious activity in a consumer dispute portal. We were told that Mr. Kelly then wrote a short memo to you regarding the incident. Is that correct? Correct, Congresswoman. In his email it said some suspicious activity. Okay. Around that same time, three Equifax executives sold over $1 million of Equifax stock. That's on August 1st and August 2nd, and it's reported that Mr. Kelly was ultimately responsible for approving those sales. Is it true that Mr. Kelly or one of his direct reports would have been required to sign off on these stock sales? Yes. Mr. Kelly, who's our general counsel, owns the clearance process and he... I have a lot of questions so the answer is yes, he had to, he was supposed to sign off? Yes.
Did any one of these three executives have knowledge that a cybersecurity incident had occurred? To the best of my knowledge, Congresswoman, no. When were they informed that the incident had occurred? I don't know exactly the date that they were informed but they were not, best of my knowledge, they had no knowledge at the time they cleared their trades through the general counsel. Do you know for sure that they didn't know? To the best of my knowledge, they did not know. And Mr. Kelly, who we were told knew of the breach and that it contained personal information and yet still approved the stock sale, is he still chief legal officer for Equifax? Congresswoman, I would come back to it again. He did not know it was a breach when he approved. But it could have been a breach. All he knew at the time, it's my understanding, is suspicious activity when he approved the sales. What the heck does suspicious, it could be a breach, right? It was deemed suspicious activity. We had no indication that PII was compromised. He had no idea that information was compromised. I understand you agreed to forgo your 2017 bonus which has been about $3 million for the past few years, correct? That's correct. But it's been reported that you will still retain $18 million in pension benefits from Equifax, is that correct? That is correct. Retiring, which is the category right now, although the company maintains the right to change that designation, also means you'll be free to sell your Equifax stock which is worth about $24 million, is that correct? Congresswoman, that calculation is, it's hard to say. It's a complicated calculation. It depends on the total shareholder return of the company at the time, the stocks vest, there's multiple variables. That may be an estimate. I've seen different estimates but it's hard to say what that number is. We won't know until the end of the year.
That's in addition to Equifax stock you sold earlier this year for 19 million, is that correct? That sounds correct. And according to one report, you could be eligible for 22 million in performance-based compensation depending how Equifax stock performs in the next three years, is that right? Let me be very clear, if I may, Congresswoman. When I announced my retirement, I thought it was best for the company to move forward with a new leader. I agreed to step down at that time with no further compensation. I agreed I should not get a bonus. I agreed it would be no severance. I asked for nothing beyond what I had already earned. I was just informed by staff that the chief security officer told the chief legal officer verbally that there was P.I.I. That, according to a call with staff yesterday, that actually there was a mention of the breach of personally identifiable information. The CSO told that, yeah, told us in a call yesterday is what I just heard from staff. Congresswoman, I have no documentation, no insight, no knowledge that anyone in the company had informed me or the, in that case, the chief security officer or the chief general counsel that there was a breach on July 31st. Is that what you said? Yes. We didn't say a date, I'm told, that our staff didn't say a date. Okay. Let me just say I'm glad the FBI is looking into it, many state attorneys general, the city of Chicago has sued, so we'll probably get more information that way as well. Thank you. Thank you very much. The gentlelady's time has expired. The chairman now recognizes the chairman of the full committee, the gentleman from Oregon, for five minutes. Thank you, Mr. Chairman. Mr. Smith, thanks again for being here today. As you know, this is a sample of a copy of an Equifax credit report in my hand. It lists Social Security numbers, address, credit history, debts, all the sort of personal financial information. It's the lifeblood of Equifax, right?
I mean these data points are really important to what you do as a company? Congressman, that's correct. It's a three billion dollars company, data on 820 million customers worldwide, and yet it appears this breach happened because the company didn't know it was running certain software on its system, right, the Apache Struts software that had the patch requirement? Congressman, as I alluded to in my opening comments and the written testimony, it was a human error and technology error that did not allow us to identify. I think that's what we're trying to get to here. If I understand it right, your own information technology system did not tell the Equifax security division that the Apache Struts software which contained the vulnerability was running on the system. How did that happen? The day after the notification came out from CERT, the security team notified a wide range of people in the technology team who were responsible for then finding a patch, finding the vulnerability, applying the patch, and then days later, as is typical protocol, to deploy a technology scanner to then go look for the vulnerability, find the vulnerability. If they found the vulnerability, they knew it was not patched. Both human deployment of the patch and the scanning deployment did not work. The protocol was followed. So then people ask us, how does that happen? If, as sophisticated a company as you headed is, with so much at risk, how did this happen? And, you know, we have colleagues that say we're going to, you know, double the fines, triple the fines, put fines in, do all these things, but how does this happen when so much is at stake? I don't think we can pass a law that, excuse me for saying this, but fixes stupid. I can't fix stupid, as a colleague of mine used to say. With so much at risk, I've talked to other software companies and people in this space who say some companies have an automated system that when a patch comes out it automatically gets installed.
That's not what had necessarily, right? I'm unaware of an automatic patch. System we have in place is security gets notification, and it's not uncommon to get notification from software providers routinely. Right. About vulnerabilities that are discovered. Right. They follow the protocol, which was to notify the appropriate people within the time frame that the protocol called for. Unfortunately the human error was they did not find the patch, did not. If I could, the human error piece you reference, is that that they didn't know that that particular software was running on your system, that Apache Struts was running, because that's what needed patching, right? Congressman, great question, if I may clarify? Please. Human error was the individual who's responsible for communicating in the organization to apply the patch did not. So does that mean that that individual knew that the software was there, and it needed to be patched, and did not communicate that to the team that does the patching, is that the heart of the issue here? That's my understanding, sir. And there's no. I was on a bank board for a while and you know we always had sort of double checks on everybody, right? Do you not have a double check of some sort, an audit of some sort? Is there. It seems like that was a single point. The double check was the scanning device that was deployed a few days later. But the scanning device, I don't know how that process works. Does it know you have that software or do you have to tell it that's what you're scanning for? It's the latter. You have to tell it what it's looking for. So the individual who didn't tell the I.T. team, I'll call it I.T. team, whatever, the security team, that's where the individual failed. Was that the same person telling them what to look for? No. The scanner is deployed by the security team.
And I should clarify there that the rationale or the reason why the scanner, the technology piece, did not locate the vulnerability is still under investigation by outside counsel. One final question. You've referenced the suspicious movements of data, you've referenced incident, American people think all of that is breach. How regularly did you have incidents or suspicious movement of data? Is this a routine thing that people call, hey, we got another incident, we got another suspicious movement of data, or was this sort of outside normal operations? Thank you for that question. As you alluded to in your comments, we do have a lot of data and our primary goal is to protect that data. And we have experienced millions of suspicious activity against our database any given year. But to the point that the head of your security team comes to you and says, hey, we've got another one. That is not uncommon. It's not uncommon. How often would that happen in the course of a week that they would come to the CEO and say heads up? I don't have a number for you, Congressman, but it's not uncommon. It's not uncommon for us to engage forensic audit firms. It's not uncommon for us to engage outside counsel for us to think things through when there's suspicious activity. It's the part of doing business in a data business that you alluded to. Thank you for the indulgence of the committee. I yield the balance of my time. The gentleman yields back and the chair recognizes the ranking member of the full committee, the gentleman from New Jersey, for five minutes. Thank you. Mr. Smith, you testified that on August 11th you were informed that hackers had stolen, quote, a large amount of consumers' personally identifiable information, unquote, in this incident and that August 17th, I guess a week later, you said in a speech, and I quote, afforded us a huge opportunity for Equifax, it's a massive growing business for us, unquote. So I'm just looking for a number, Mr. Smith.
At the time you gave that speech, roughly how many consumers did you believe had been compromised by the breach? If you could? Congressman, if I may clarify, I think you alluded to an August 11th date. August 11th initially. August 11th I had no indication, I was not informed at that time. My notification was before the August 17th meeting. And you apleated. On the 17th you said in the speech, fraud is a huge opportunity for Equifax. It's a massive growing business for us. I'm looking for a number. At the time, how many consumers did you believe had been compromised by the breach? On August 17th, which is on or around the date that you talked about that I gave a speech, we did not know how much data was compromised, what data was compromised, that story was still developing. That speech that you're alluding to is a very common speech we have in communities. This happened to be at a university that we talked to them and at that time when I gave that speech, I did not know the size, the scope of the breach. All right. During your tenure at Equifax you expanded the company's business into packaging and selling other people's data and in that August 17th speech you explained that having free data with the gross margin of profit of about 90 is, I quote, a pretty unique model. I get that this unique model is a good deal for Equifax, but can you explain how it's a good deal for consumers? Thank you, Congressman. I think I understand the question. Our industry has been around for a number of years, as you know. In fact, Equifax is a 118-year-old company. We're part of a federally regulated ecosystem that enables consumers to get access to credit when they want access to credit and hopefully the best rates available to them at that time. So we're very vital to the flow of economy, not just in the U.S. but around the world.
I want to turn to what Equifax is offering consumers in the wake of this breach, specifically the free credit lock service that's supposed to be introduced next year. We've been told that this free credit lock service could require consumers to consent to Equifax sharing or selling information it collects from the service to third parties with whom the individual already has a business relationship for marketing or other purposes. Is that true? This product will be a web-enabled, mobile-enabled application that will allow a consumer at the time he or she, if they decide they want access to credit, can simply toggle on and toggle off that application to give the bank, credit card issuer, auto lender access to their credit file to approve their loan. Well, by agreeing to use Equifax's lock service, will consumers also be opting into any additional marketing arrangements either via Equifax or any of its partners? Congressman, we're trying to change the paradigm. What I mean by that is this will be an environment viewed as a service, a utility, not a product. There will be no cross selling, upselling, or any products available to the consumer when they go to get and sign up for the lock product, it's a service to them and that's the only product and service they'll be able to get. Will Equifax give consumers an equal and easy way to choose not to share their information in this way even if the consumer has a relationship with the third party? I envision as this evolves over time the consumer will have the ability to invite into their world who they want to have access and who they do not. It will be their choice, their power, not ours to make that decision. Last week the interim CEO announced by January 31st of 2018 Equifax would make lock and unlocking of a person's Equifax credit report free forever. A credit report lock is already included in TrustedID Premier and other service like credit monitoring and identity theft insurance. Will that still end after one year?
Congressman, a couple of differences. Number one, the product we offer today for consumers protects the consumer at the same level of protection they get January 31st. Difference is today's a browser-enabled product or service. The 31st of January it will be an application, much simpler and easier for the consumer to use. The protection is largely the same. They get this free service for one year. At the end of one year, effective January 31, 2018, it goes into the new lock product. I guess the difference, other than not expiring, between the credit report lock that's part of TrustedID Premier and the credit locking tool that will be available in January, why not just extend the freeze program? There's a difference between the freeze product, which came to pass with FACTA back in 2003, passed into law in 2004, that's now governed by state laws in all states and it's a cumbersome process for a consumer. In many cases, some states, you have to mail in your requests for freeze and then we must mail you a PIN. So your ability to get access to credit when you want credit is encumbered. Consumer could go to a car dealer or a bank to get a credit card, forget his or her PIN, be able to anyone. It's a cumbersome process. The lock product we're offering today is a big step forward, the lock product for the 31st of January is an even bigger step forward. My time has run out. Thank you very much. The gentleman's time has expired. The chair now recognizes the chairman of the full committee, the gentleman from Texas, for five minutes. Thank you, Mr. Chairman, and since I'm not a member of this subcommittee, thank you for your courtesy in allowing me to ask questions. Mr. Smith, what's the market value of Equifax? What's your company worth? Congressman, last time I checked it's somewhere close to 13 billion. 13 billion. I'm told by my staff that this latest data breach was about 143 million people, is that right?
We were informed yesterday from the company that is testimony in a forensic audit there was some slight movement and the number has adjusted. Press release came out from the company last night, it's 145.5. Well, okay. I appreciate your accuracy there. But under current law, you're basically required to alert each of those that their account has been hacked, but there's really no penalty unless there is some sort of a lawsuit filed and Federal Trade Commission or a state attorney general files a class action lawsuit against your company. So you're really only notified, you're just required to notify everybody and say so sorry, so sad. I understand that your company has to stay in business, has to make money, but it would seem to me that you might pay a little bit more attention to security if you had to pay everybody whose account got hacked a couple thousand bucks or something. What would the industry reaction be to that if we passed a law that did that? I understand your question. I think the path we were on when I was there and the company's continued is the right path. And that's the path of allowing the consumers to control the power of who and when access is credit file going forward. The consumer can't control the security of your system. That is true, sir, but they can control. And your security people knew there was a problem and, according to staff briefings that I've been a part of, they didn't act in a very expeditious fashion until the system had already been hacked. And, I mean, you're to be commended for being here, I don't think we subpoenaed here, I think you appeared voluntarily, which shows a commendable amount of integrity on your part. But I'm tired of almost every month there's another security breach and it's, okay, we have to alert you. I checked my file to see if I was one of the ones that got breached and apparently I wasn't. I don't know how I escaped, but I didn't get breached. But my staff person did.
And we looked at her reports last night and the amount of information that's collected is way beyond what you need to determine if she's creditworthy for a consumer loan. Basically her entire adult history going back ten years, everywhere she's lived, her name, her date of birth, her Social Security number, phone numbers, her addresses, her credit card, student loans, security clearance applications for federal employment, car insurance, even employment history of jobs that she worked when she was in high school. That's not needed to determine whether she's worthy of getting a 5,000 credit card loan or something. And now it's all out in the netherworld of whoever hacked it. You know, I can't speak for anybody but myself, but I think it's time at the federal level to put some teeth into this and some sort of a per account payment and, again, I don't want to drive credit bureaus out of business and all of that, but we're going to, we could have this hearing every year from now on if we don't do something to change the current system. So I would hope that you'd go back to your peers and work with the committee, the chairman and the subcommittee chairman, ranking member, and let's figure out something to do that actually gives an incentive to the industry to protect ourselves. And the only way I know to do it is some fine per account hacked that's large enough that even the company that's worth 13 billion would rather protect their data and probably not collect as much data than just come up here and have to appear and say we're sorry. With that, Mr. Chairman, thank you for your courtesy and I yield back. The gentleman yields back and the chair now recognizes the gentleman from New Mexico for five minutes. Thank you, Mr. Chairman. Mr. Smith, there is a difference between a lock product and a freeze, correct? Those were two different things?
Congressman, there's a process that's a little different, but as far as the consumer and the protection that he or she would get from doing one versus the other is virtually, if not exactly, the same. It's virtually, almost exactly, is not the same. It's the same. Are they different? It's the same. So your lock product is the same as a freeze? As far as the protection. Well, we'll get into that later. I appreciate that clarification. Will Equifax be willing to pay for this freeze at Experian and TransUnion whose information was stolen? You're referring to the freeze or the lock? You said they're the same. Right now we offer a free lock product, as you know, for one year. And then a free lifetime lock product for life starting January 31, 2018. And that also extends to Experian and TransUnion? No, sir, it does not. Would Equifax be willing to pay for that freeze, for that lock at Experian and TransUnion whose information was stolen through Equifax? Congressman, the company's come out with what they feel is a comprehensive five different services today and a lifetime lock. I would encourage, to be clear, I would encourage TransUnion and Experian to do the same. It's time we changed the paradigm, give the power back to the consumer to control who accesses his or her credit data. It's the right thing to do. I have limited time, Mr. Smith. I apologize. I'll take that as a no, that Equifax will not pay for that. Do you think consumers should have to pay a penalty for your mistake, including potential identity theft, false credit card accounts or do you consume any harm as a result of your breach? We take this seriously. I'll apologize again to the American consumer. We've offered a comprehensive set of products for free. Will those sets of products make consumers whole? It will protect them going forward. Will it make them whole, yes or no? It's hard for me to tell if someone's been harmed so I can't answer the question.
If someone's credit has been stolen and someone went and opened up a bunch of their accounts, bought furniture and cell phones and fuel and now this consumer can't fix their history, they've been harmed, and in that case will Equifax make that person whole? Congressman, as I said, I apologize, we've offered them a comprehensive. Thank you very much, sir. I want to go back to the line of questioning from Mr. Pallone. On August 11th, in your prepared testimony it says that you were aware of a large amount of consumer P.I.I. On August 15th it says in your prepared testimony P.I.I. had been stolen, it appeared likely, and that you requested a detailed briefing to determine how the company should proceed. On August 17th it says you, I held the senior leadership meeting to receive the detailed briefing on the investigation. You gave a speech also on the 17th about profiting off of fraud with these new markets. You shared with Mr. Pallone that you were not aware of P.I.I. being stole pent what is compro. Rep. Lujan: I appreciate that clarification. You are aware it was stolen, you were not aware of how much. It says in your prepared testimony you asked for a detailed briefing to determine how the company should proceed. You are aware that PII was stolen on the 15th. Is that true or not? Mr. Smith: The 15th with a detailed review of when I learned about PII. Which PII was stolen, was it stolen? Those details came to light over the course of August. Rep. Lujan: On August 15, were you aware there was PII that was stolen or not? Regardless of the amount, were you aware of that? Mr. Smith: I was made aware criminal hackers had gotten into our system with PII information. Rep. Lujan: The other question is, chief legal officer John Kelly still employed by you or Equifax? Mr. Smith: Yes, he is. Rep. Lujan: You were the CEO that approved the terms of the retirement for David Webb and Susan Mauldin. Firedpotentially turn to for cause like yours? Mr.
Smith: There is investigation going on by the board at this time. Rep. Lujan: I know my time has collapsed, if you will. There is an article on WGN-TV that talks about Equifax doing their own investigation into the three executives that sold their stock and profited. I guess they must have a pretty good investigative team, because the press release that happened on Friday and the story on Sunday, and today we have a revelation that those folks did not know this breach took place. I just hope we get to the bottom of this. I hope we can be given assurance to the committee and American people that this committee will have a markup with a bill we can take to the floor before the holidays to give the consumers confidence again, because this is a mess. Rep. Latta: The gentleman's time has expired. The chair recognizes the gentleman from Mississippi, the vice chairman of the subcommittee, for five minutes. Thank you for being here to testify today. In your written testimony and response to some of the chairman's questions, you stated you were informed of suspicious activity on July 31 by your chief information officer. You said, I certainly did not know that personal identifying information had been stolen, or have any indication of the scope of the attack. Did you ask him if there had been any personally identifying information that had been obtained? Mr. Smith: At that time I was informed it was a dispute portal document. A dispute portal document is something that typically houses, if the consumer is disputing with us that they paid off the utility bill, you may take a picture of the utility bill. That was the conversation. Rep. Harper: Not to interrupt, but my question was, did you ask if any PII had been accessed? Mr. Smith: No, I did not. Rep. Harper: Were you made aware of the Apache Struts patch? Mr. Smith: No, I was not. Rep. Harper: Had you had any meetings with your security department about this issue prior to July 31? Mr. Smith: No, I did not. Rep.
Harper: Did you have any meetings with them about any other security information from that time, March until July 31? Mr. Smith: Yes, we would have routine meetings. Security reviews. Rep. Harper: How often do you have this? Mr. Smith: At least quarterly. Rep. Harper: Why did you not have this discussion come up? How many meetings did you have between that time of March the eighth until July the 31st with your security team? Mr. Smith: Make sure I understand your question. Rep. Harper: How many meetings did you have from March the eighth until July the 31st? Mr. Smith: I don't have that information with me. If that is important. Rep. Harper: Do you remember any of those? Mr. Smith: Normally we would have I.T. reviews at least quarterly, and security reviews at least quarterly. We would augment that on an as-needed basis. Rep. Harper: With those timelines of March 8 to July 31, we are covering into three quarters. But a total of nine months, you touch into three quarters of that year. During any of did you have any information about this going on? Mr. Smith: No, I did not. Rep. Harper: Did you testify that the security department ran scans for March, but failed to identify it? Can you explain how this is possible, and why was there no confirmation of anyone checking this? Okay, we have identifiable information, it was a failure of someone on the team to identify the software was being used. Did you have any outside person prior to the ones you hired to look at this? Mr. Smith: We get notifications routinely. The I.T. team and security team to apply applications. This individual did not communicate to the right level to apply the patch. Rep. Harper: You said this individual? So you had one person responsible for this? Mr. Smith: There is an owner of the patch process. There is a communication that comes out from security, a broad-based communication. Once they receive notification from a security company, they notify the appropriate people.
The individual who owns the patch process cascades that information. Rep. Harper: For everyone on your Equifax team, is there anything more important than protecting the PII of the consumers? Mr. Smith: No sir. Rep. Harper: Would you identify that as the number one responsibility of everyone in your company? Mr. Smith: We have for years, yes. Rep. Harper: It appears obviously the job wasn't done. We know it was an Equifax spokeswoman that said we took short-term remediation steps and accelerate long-term improvements to prevent this type of incident from happening again. We have 145.5 million people whose PII has been compromised. How many files do you have in the system? Mr. Smith: Worldwide? Rep. Harper: Yes sir. Mr. Smith: There is a public number, 800 some odd million consumers, hundred million companies roughly. Rep. Harper: We know this breach includes some from Canada, some from the U.K. Mr. Smith: Point of clarification, there was some data we had on the 7000 Canadians in the U.S. So the data was in the U.S. Same environment. We had data on U.K. citizens. That piece is also under investigation. Rep. Harper: My home state of Mississippi has 3 million people. Almost 1.4 million files have been breached. If you take away people that are minors that don't have a file yet, almost my entire state will be impacted. This is a travesty, and something we know was preventable. Saying we want to protect what goes forward doesn't bring us a lot of comfort tonight. Rep. Latta: The gentleman yields back. Chair recognizes the gentleman from California for five minutes. Thank you very much. I thought I prepared for this committee, but I have more chicken scratch notes. I don't know where to start. Mr. Smith, welcome to Washington. Are you currently employed by Equifax? No sir.
When you decided to come before this committee, were you specifically requested by name to come to this committee by this committee, or were you offered up by Equifax to come before this committee? Mr. Smith: My understanding is by the committee. Rep. Cardenas: Okay. Apparently the committee asked for the CEO at the time, and at that time you are still the CEO. But you are no longer the CEO. Did you inquire as to why the current CEO did not come before this committee? Mr. Smith: I did not, but I felt it was personally my obligation. The breach occurred under my watch. As I said in my written and oral testimony, I ultimately take the responsibility, so I think it is important that I be here. Rep. Cardenas: I get the picture. On July 31, you were notified of the suspicious activity that eventually is 145 million person breach. July 31, was it? Mr. Smith: Yes, it was a brief interaction. Rep. Cardenas: You just referenced on August 31 you received some kind of email referring to the breach? Mr. Smith: I was notified on the 31st of July by the chief information officer in a very brief interaction that this portal seemed to have a suspicious incident. It was a communication internally. It also referenced that I was aware of this incident through my interaction with Dave. That written trail was not directed to you. You were just mentioned in that trail, that you were verbally notified. Mr. Smith: That is my recollection. Rep. Cardenas: Is this appropriate for this committee to ask for that trail of documents? Rep. Latta: I would have to ask our counsel. Rep. Cardenas: If it is appropriate. I would like my office and that committee to receive documents of that trail which has been referenced more than once on this congressional committee. That's come to my attention several people are no longer with the corporation. You are not officially with the corporation anymore. The CIO at that time is no longer the CIO of Equifax?
Mr. Smith: That is correct. Rep. Cardenas: There is another higher-up that is no longer. Mr. Smith: The chief security officer. Rep. Cardenas: However the then John Kelly, chief legal officer, was legal officer at the time, but is still legal officer, is that correct? Mr. Smith: That is correct. Rep. Cardenas: Apparently the chief legal officer, on or about hired9 or August 1, outside counsel, correct? Mr. Smith: No, Congressman, what occurred on August 2 is that the officer reached out to a forensic cyber expert and outside counsel, and engaged them at that time. Rep. Cardenas: Thank you. When executives at Equifax want to sell stock, they need to get the chief legal officer to sign off? Mr. Smith: Correct. It is a protocol that requires the general counsel of Equifax to approve the sale. They are all high-ups with Equifax. They sold stock in the amount of 1.8 million. They had to get an OK from John Kelly before they did that, is that correct? And apparently they did get the OK? Mr. Smith: Yes, that is my understanding. Rep. Cardenas: And you are CEO at the time they sold that stock? Mr. Smith: I have no. Rep. Cardenas: I get it, but you were CEO at the time. What I would like to request of you, Mr. Chairman, and ranking member, that we ask for a specific hearing where we get then andy, who was is still currently legal officer. Hopefully he will still have that title when we get him here. I am disturbed that Congress is holding a hearing and that Equifax has before us someone who no longer works for them. I hope we can have that hearing where we have chief legal officer John Kelly before us. Rep. Latta: The chair recognizes the gentleman from Michigan for five minutes. Thank you, Mr. Chairman. Every family watches over their financial data with great concern. It impacts their daily life. Whether it is going to get a loan, a car, they have to have that credit score, even often a job.
They view that data as it relates to them as very private. They want it to be secure. Equifax credit report for someone that I know. It is 131 pages long. Unbelievable in terms of the data that has been collected on this particular individual. I would guess that most individuals have no clue that there is that much data that has been assembled on their own personal family account. You said earlier that the data was compromised. The question I have to ask is, does that word compromised mean manipulated? Are those folks who broke into that account, are they able to actually change the accurate data that might be reflective of their own personal story? Can that be changed? Mr. Smith: The database was attacked by criminals that we know. Forensic experts that we engaged have led us to believe that there is no indication that the data left behind has been manipulated. Now, one of the things that is in this report, any Credit Report, is you verify individual tothat make sure it isagain from perso, when one goes to get a individuo make sure it is accurate. As i understand it, and going loan, permission to look at that tax return of the individual, is that not correct . Loan, whether it is a mortgage or a car, often one of those boxes that you check is that you are allowingregardless of selfempld income, regardless of automated underwriting findings, when income is used the following documentation is required, two years of federal tax reform returns with all schedules and two and k1s, most recent years business returns, in which the buyer has ownership interest 35 or more, and a complete and signed irs form 4506t is required for every borrower on the loan application. Transcripts validated from the irs are required for each year documented in the loan file. The question is, that is collected, is someone, a bad actor, able to use the personal information stolen from this report to then perhaps file a false tax return come the first of the year? Mr.
Smith: A couple points of clarification. The report does not contain employment and income information. There are many lenders who will consumer in going to get a loan, validate your income. In the many means as you alluded to how to do that. Two, the unfortunate criminal hack we refer to, this morning a written press release in the past month or so, it is clear to say it did not two, ine that credit report information you just picked up. It was limited to an environment we call a consumer dispute portal, not the credit file itself.

Rep. Upton: Last question I have is, how did you know? Hearings, a lot of number of them classified. Breaches made into the Department of Energy, utilities, a whole number of different major players where hackers are coming in, trying to break and penetrate daily. What tripped these guys up? You identify, in fact, a breach had been made? What was their mistake?

Mr. Smith: Congressman, there is a piece of technology called a decryptor. A decryptor allowed us to see some of the data. Once we saw the data, that is when we saw this suspicious data, and we were able to shut off the portal at the end of July.

Rep. Upton: My time has expired.

Rep. Latta: Thank you very much. The gentleman yields back. The chair recognizes the gentlelady from Michigan for five minutes.

Thank you, Mr. Chairman. Mr. Smith, I first want to say we appreciate your coming to testify today. We spent a lot of time talking today about the what, when, and why of this breach. I agree with all of my colleagues that we need to be expressing extreme displeasure. I want to ask a few questions about where we go from here, because I hope this has awoken American consciousness about privacy and credit that they need to be paying far more attention to. This breach is different than most. Not only the scale, but the type of information taken. In the past, folks usually maybe your password, got a new credit card, and that was it.
It had no real impact on your life. That is not so simple when it is your Social Security number or other personal information. You can't change your Social Security number, and I can't change my mother's maiden name. This data is out there forever. Clearly something needs to be done. We can all sit here and talk about what went wrong, but we are doing the public a disservice to not begin the discussion on how to improve data security. That is why I am a proud cosponsor of Representative Schakowsky and Ranking Member Pallone's bill. It needs to be given consideration. I am endorsing the Data Protection Act of 2017. Whatever path we choose going forward, it is important we take action on the topic, and that all American consumers pay attention. I would like to ask a few questions. No one has asked this question yet. Just a quick yes or no, have you worked anyone on your you om see that the attackers were backed by a nation-state?

Mr. Smith: We have engaged the FBI. At this point that is all I am saying.

Well, after your security team blocked suspicious traffic in your testimony, did anyone from your team or outside companies venture beyond your network to attempt to locate where they came from?

Yes, we have the ability to track the IP address of the criminals, but as you know, finding a location where the IP address does not necessarily tell you where they are from. It is easy to set up IP addresses anywhere in the world.

Rep. Dingell: I think we all care about this. I want to move to this other topic. I share your belief that accessing credit data should be placed in the hands of the consumer. Many did not know that Equifax was holding their data. I unfortunately learned a long time ago, because this is not the first data theft. We were part of something where they got our Social Security and mother's maiden names. Going forward, we must give consumers the chance to protect themselves before a breach happens.
Do you believe that consumers can take reasonable steps to secure the identity and information if they don't even know who has it?

Mr. Smith: Congresswoman, I think we can help. I think we can help by the announcement of this offering to all Americans the ability to lock and unlock your credit file for life, for free. There needs to be greater awareness. I think by making this available to all Americans is one step in doing that.

Rep. Dingell: I was educating my colleagues about Credit Karma. They were stunned by how easy it was, with two little factoids, to suddenly unleash the amount of money they had in all of their credit card companies, with data inquiries and all of the different factors. I think most people don't understand Experian and TransUnion, who are also collecting this data. Why do consumers have to pay you to access their credit report? Why shouldn't they be free?

Mr. Smith: The consumer has the ability to access the credit report for free from each of the three credit reporting agencies once a year. You combine that with the ability to lock your credit file for life for free, again is a step forward.

Rep. Dingell: I am running out of time. When you find mistakes, which a number of us have, and we are luckier than others, it is difficult to fix. We need a longer debate about who owns this data and how we educate the American people.

Rep. Latta: The chair now recognizes the gentleman from New Jersey for five minutes.

Good morning to you, Mr. Smith. Criminals perpetrated this fraud. Is it possible these criminals are from another country?

Mr. Smith: Congressman, it is possible, but at this time it is possible.

Is it possible it is the government of another country?

Mr. Smith: As I mentioned, we have engaged the FBI. They will make that conclusion.

Do you have any suspicions? Either persons or a government from another country?

Mr. Smith: At this time I will defer, that we have the FBI involved.

Yes, I know.
Do you have an opinion to the two questions I just asked?

Mr. Smith: I have no opinion.

The stock that was sold by, as I understand it, was sold on August 2. Is it usual that executives of a mature company, not a company that has just come onto an exchange, is it usual that significant amounts of stock are sold?

Mr. Smith: The stock was sold on the first and second.

Rep. Lance: I said the second.

Mr. Smith: The first was the first it was sold. Not unusual for stock to be sold quarter, as wehe call. Our earnings windows open up. We encourage those who are going to sell to sell as early in the window as possible. That is what occurred here.

Rep. Lance: You believe this stock was sold as a matter of course, as it would be true in any other quarter?

Mr. Smith: Yes.

Rep. Lance: You do not believe it was based upon knowledge of these gentlemen related to the breach?

Mr. Smith: I have known these men for up to 12 years. They are honorable men, men with integrity. They followed due process. They went through the clearance process of the general counsel.

Rep. Lance: Did you have knowledge of the breach at that time?

Mr. Smith: I did not.

Rep. Lance: Weren't you warned well in advance that there was suspicious activity?

Mr. Smith: I was notified on July 31 in a conversation with the chief information officer that there was suspicious activity detected in an environment called the web portal. There was no indication of a breach.

Rep. Lance: That was prior to the sale of the stock, is that accurate?

Mr. Smith: On the 31st of July, there was no indication of a breach.

Rep. Lance: From my perspective as a layman, the difference between a breach and suspicious activity is not one I believe is particularly relevant. A breach might have technical connotations to it, but certainly you were aware of untoward activity prior to that date, is that accurate?

No it is not.
On the 31st we had no indication the documents were taken out of the system, what information was included. It was very early days. It took the forensic experts from the 24th to develop a clear picture. From the 24th, as we heard just last night, with the additional punishment.

Rep. Lance: Many calls have been received by Equifax at your call center since September 7. Do you know how many calls have been dropped or missed due to staffing shortages or other issues?

Mr. Smith: I don't have the exact number. I apologized for that startup. It was overwhelming in volume, overwhelming. I think I mentioned over 400 million U.S. consumers going to a website in three weeks. We went live in a short period of time. Call centers were taken down by Hurricane Irma. We want to make the experience better for the consumer. I am told each day process is getting better.

Rep. Lance: On August 22, you notified a lead director of the data breach, and the full board was notified two days later. Why was there nearly a week between August 17 and August 22, before members of the board were alerted?

Mr. Smith: The picture was very fluid.

Rep. Lance: What does that mean?

Mr. Smith: We are learning new pieces of information every day. As soon as we had information we thought was of value to the board, I reached out to the lead director on the 22nd. We had subsequent board meetings routinely, if not daily, through as recently as last week.

Rep. Lance: Thank you.

Rep. Latta: The gentleman's time has expired. The chair recognizes the gentlelady from California for five minutes.

Thank you for appearing here today. As many of my colleagues have highlighted, the actions that Equifax took after the fact are upsetting. Many Americans are in a place of breach fatigue. This potentially impacts nearly half of all Americans should light a fire here. Not follow the same script after the next inevitable data breach.
That is why I am also supporting the Secure and Protect Americans' Data Act. It is not as if this type of legislation is unprecedented. 48 states have implemented laws that require consumers to be notified of security breaches. I am pleased my home state of California was the first to pass this kind of notification law in 2002. California residents' personal data is hacked, state law requires they are notified expediently and without delay. We must act to ensure all Americans are protected by the federal level. Mr. Smith, because Equifax without doubt has personal information of many California residents, it is subject to the data breach notification law. Can you please describe to me how Equifax complied with the state law? Were California residents notified of the breach?

Mr. Smith: I don't have the specific knowledge of the California law. I can tell you that we work as a team, including with our counsel, to help us assure we are doing what was right for the consumer in the most expedient manner as possible. We are aware of the requirements of the different state laws. I don't have the specific knowledge as it relates to California.

Rep. Matsui: The law requires Equifax to submit a copy of the breach notification to the California Attorney General. You do not know if this was done?

Mr. Smith: We can follow up with your staff if that would be helpful.

Rep. Matsui: In the context of this breach, if data that you hold is about me, do I own it? Do I own my data?

Mr. Smith: Could you please repeat the question?

Rep. Matsui: In the context of this breach, if the data that you hold is about me, do I own it?

Mr. Smith: Congresswoman, we are part of a federally regulated ecosystem that has been going on for a long time. Is there to help consumers get access with their consent to credit when they want access to credit.

Rep. Matsui: Can you explain what makes data about me mine, compared to someone else's?

Mr.
Smith: The solution we recommend we implement, and are going live with in January of 2018, is to give you as a consumer a product for life, free, to control who accesses your personal information and who does not.

Rep. Matsui: So at that point you believe I can say that I own my data?

Mr. Smith: You will have the ability to control who accesses and when they access your data.

Could I ask you further questions following what others have asked about locks and credit freezes? Limiting access to credit, even cant amount of time, can have real financial consequences, especially for low income populations. How quickly will I be able to be locked and unlocked, and how can you ensure that speed?

Mr. Smith: That is the great advantage of the product we are offering for free, versus the freeze, which came about in 2004. Their states dictate how quickly you can get access to freezing and unfreezing your file. That can take days if not weeks because we are mailing data back and forth to the consumer. In this case the intent is in January of 2018, on your iPhone, you can freeze and unfreeze your file instantly at the point you want it locked and unlocked.

Rep. Matsui: I recall that one of my colleagues asked whether a credit lock is the same as a credit freeze, and you said that it was.

Mr. Smith: As far as protection to the consumer, it is. As far as ability to lock or block is far more user-friendly.

Rep. Matsui: You currently offer a credit lock product now. You plan to offer this other one for free starting in January. Why you describe for me besider that would a lock ornomical for you, or would a freeze be? I think there is a difference here.

Mr. Smith: To try to clarify, as far as same. The lock we are offering to consumers on September 7 gives you the same level of security you would get from a freeze, or from the product going out in January. The difference is today's lock is browser enabled.
App ons lock will be an an iPhone. It will be instant on and instant off instead of a freeze.

Rep. Matsui: I have more questions, but I have run out of time.

Rep. Latta: The gentleman from Illinois is recognized for five minutes.

Thank you for being here today. This is officially a huge issue. 45.5 million people affected by the state average. That is nearly half of all Americans. The failure to appropriately respond to a breach, and failure to notify the public and much more. My constituents and the American people need not just answers, but want assurances they will not be financially ruined by this. I want to ask if the people harmed by this would be made whole. I realize there are technical or legal reasons for this, but you said, I don't know if consumers were harmed. I will make the point that the idea that people were not harmed is ludicrous. Of course they are going to be harmed, even if there is no financial harm. Just having this information exposed is a massive deal. I fear we will see bigger repercussions from that. I was surprised to find out Equifax initially included a requirement that consumers consent to a mandatory arbitration clause. Why was that at the beginning of the rollout?

Mr. Smith: Thank you for the question. I want to clarify. The product went live on the seventh. It was never intended to have that arbitration clause apply to this breach. It was a standard boilerplate clause. As soon as we learned the boilerplate was applied to the surface, we removed that and tried to clarify that. That was a mistake. One of the mistakes that I alluded to in my oral testimony about the remediation product.

Rep. Kinzinger: If not, is that information prominently disclosed to the consumer?

Mr. Smith: Not as it relates to the breach.

Rep. Kinzinger: What about any other products that you require and send to arbitration?

Mr. Smith: Some of the products we have there is an arbitration clause in the standard clause.

Rep.
Kinzinger: What is the reason for that?

Mr. Smith: I don't have the answer other than that is a standard clause.

Rep. Kinzinger: Hopefully you can get that to me. No found unauthorized activity andhe core consumer commercial credit reporting databases. What are those databases, and how are they distinct from the database that was subject to the unauthorized theft?

Mr. Smith: The area impacted here was a consumer dispute where the consumers would dispute activity with us. That is separate than the credit file, that is separate from the core credit data that consumers have in our database.

Rep. Kinzinger: In essence, were there 145.5 million people who had disputed credit issues, then?

Mr. Smith: It is a portal they used. They could have been in the portal for many reasons. We have to keep that data for an extended period of time, in some cases seven plus years. It is outside of the core credit file itself.

Rep. Kinzinger: Which company databases were accessed? Why wouldn't you consider that to be part of the core consumer reporting databases?

Mr. Smith: It is the way we define it. The credit report itself is housed in a completely separate environment from a database that consumers go into directly. The core credit file is accessed by corporations versus consumers.

Rep. Kinzinger: You will have to forgive me, I am not an IT expert. Peoples5 million records in only the dispute database, you didn't really answer the question, were there 145 million people that disputed at one time, half of Americans, or was there another entry?

Mr. Smith: The only entry was through the consumer dispute portal. That is a completely separate environment from the credit file itself. We also, as you might recall how of data forood businesses. That data was not compromised either.

Rep. Kinzinger: Are your core commercial databases encrypted?

Mr. Smith: We use many techniques to protect data. Encryption, masking, encryption. This data was not encrypted at rest.

Rep.
Kinzinger: But your core is?

Mr. Smith: Some is tokenized, some is masked. There are varying levels of techniques that the team deploys around the business.

Rep. Kinzinger: Thank you, sir.

Rep. Latta: The chair now recognizes the gentleman from California for five minutes.

I thank the chair for having this hearing. Mr. Smith, it is my understanding that the compromised information was due to an unpatched vulnerability in the web application framework, Struts? Does Equifax have any other portals that use Apache Struts?

Mr. Smith: No sir. This was the environment that deployed Struts.

Rep. Kinzinger: That was a simple answer. You may need to restart my time. In addition to Equifax credit monitoring and reporting services, the company had Equifax for business offerings. In this custody operates as a data broker. As a part of this service the company collects data on without consumers having knowledge of this happening. Was this information compromised in the breach?

Mr. Smith: I think I understand your question, but could you repeat that so I get it right?

Rep. McNerney: You are familiar with Equifax for business offerings?

Yes, we have solutions for small businesses, medium-sized businesses and large businesses across the country.

Rep. McNerney: Was Equifax information for business also compromised in the breach?

Mr. Smith: No it was not. It was not part of our core credit data.

Rep. McNerney: You testified you took security extremely seriously and devoted substantial resources to it. Did you tell us what investments in cyber security during your tenure?

Mr. Smith: Yes. When I came to the company 12 years ago, we had virtually no on cyber security at that time. Cyber security was not as sophisticated as it was today. We have gone from that environment to a team of over 225 professionals focusing each and every day on security around the world.

Rep. McNerney: What time frame is that?

Mr.
Smith: From the time I started 12 years ago.

Rep. McNerney: You say you hired up to 250 personnel.

Mr. Smith: I did not, the team, we have a staff of 225 cyber security experts around the world. We have made substantial investments over that time frame. In the last three years alone we have invested approaching a quarter billion dollars. There is a benchmark that says financial services companies tend to be best in class. 10 to 14 of the budget of IT security.

Rep. McNerney: The company was notified about the vulnerability in the Apache Struts system days before the attack occurred.

Mr. Smith: Yes. We were notified by the Department of Homeland Security in March of 2017.

Rep. McNerney: And the attack occurred after the notification?

Mr. Smith: Yes.

Rep. McNerney: Was there a human failure? 250 professionals, hired and designed for that purpose, they let a breach like that happen after they were notified?

Mr. Smith: It was in my oral testimony, the notification comes out. We had a communications process in place. I described it as a human error, where an individual did not ensure communication got to the person to manually patch the application. That was subsequently followed by a logical error, where a piece of equipment was used which scans the environment looking for that vulnerability.

That seems like a lack of confidence, or professional error of some kind.

Mr. Smith: I described it as a human error and technology error. That is what happened.

Rep. McNerney: Moving on, do you believe the FTC has an important role protecting consumers from future data breaches? What kind of role should the FTC have at this point given what happened?

Mr. Smith: There is a role for the industry to do more. We talked about this concept of offering the consumer the ability to control their data, and lock and unlock when he/she so chooses.
If there is particular legislation that arises out of this horrific breach, I am sure you will find management at Equifax and the industry willing to cooperate.

Rep. McNerney: The Federal Trade Commission is an enforcement body, but does not have any rulemaking authority. Do you think the FTC should have rulemaking authority? Do you think it would make a difference in the future?

Mr. Smith: I have no opinion.

Rep. McNerney: My final question is, how long will individuals be vulnerable to identity theft problems due to this breach?

Mr. Smith: We have offered five different individual services. One is the ability to monitor your credit files from all three of us for free. Another is to lock your file, another is a dark web scanning file

Rep. McNerney: That does not answer my question. Our Social Security numbers are out there. This is forever, right?

Mr. Smith: Unfortunately the breaches of a Social Security number has been on the rise. There have been many this year. There is another thought, and that is, how secure are we with an SSN, and is that best for consumers going forward?

Rep. Latta: The gentleman's time has expired and the chair recognizes the gentleman from Kentucky for five minutes.

We appreciate you being here to testify. There is a medical hearing going on upstairs, so I have been back and forth. I will try not to double question. A lot of us wondered, July 31 was suspicious activity, then notice to the board was three weeks later. I heard that before you say it was suspicious activity, therefore did not realize it was a breach, then took action three weeks later when you did. Looking at how big it is, would you have done different? From July 31 to August 24, what would you do different that Equifax didn't do?

Mr. Smith: That is an appropriate question. To be honest, time for reflection will come. There has been no time for reflection.
This has been a team of people, including myself, working around the clock for the past six weeks, trying to understand the forensics, trying as best we could to offer consumers services to protect themselves. There will be an opportunity where I have time to catch my breath and reflect.

Rep. Guthrie: 1.9 million Kentuckians were exposed by this hack. One of the questions we have about the process Equifax went help people determine that one was setting up a new website for consumers to visit. Was that an appropriate response? I know there are issues getting to the website. Were you part of the deliberation? Why did you set up a new website that seemed to cause issues, as opposed to setting up a portal on your current website?

Mr. Smith: It was strictly due to the sheer volume of incoming visitors that we had expected. A traditional website we have used to interact with consumers services a total of 700,000 to 800,000 consumers at any one given point of time. I mentioned in my opening comments earlier this new micro site that we set up has a capacity for much higher levels. I believe we had 20 million consumers come to visit us in the first three weeks on that website. Our traditional Equifax website could not have handled that from day one.

Rep. Guthrie: According to reports many consumers were not able to determine with certainty if their information was breached. Why was Equifax not able to provide clarity?

Mr. Smith: When you went to the website, you typed in six of your nine digits of your Social Security number, if it was breached, it will say something along the lines of, it looks like you may have been compromised, as opposed to, it's definite that you have been breached. The point is, we offer this service, the five different services, to every American. Does not matter if you were compromised or not, every American was offered the same services.
Rep. Guthrie: Just going forward, we also have to do an analysis. What your business does and people in your business do are important. A is one you can sit down at car dealer and walk away with a car that afternoon because someone can check your credit with the check you are credit worthy. What steps is Equifax doing to rebuild the confidence? The ability to be able to access credit on almost immediately if you have the proper credit is something your services provide. The risk is having all the information in one place, plus the convenience of your business. How can people be confident this can go forward?

Mr. Smith: That is a good question. An 118-year-old company. We have done a lot for consumers. We take being a trusted steward seriously. We need to think more holistically, broadly. Steps we have and can take to make sure we are more secure today than at the time of the breach. We can offer services to consumers to make sure they are protected. The third is to launch this paradigm shift effective January next year, which is put the power of the control of consumer credit in the consumer's hands, not our hands.

Rep. Guthrie: Thank you, that would be helpful. My time has expired and I yield back.

Rep. Latta: The gentleman's time has expired. Pursuant to committee rules, we will go with members on the subcommittee by order of appearance, and after that the non-subcommittee members. The chair recognizes the member from Florida for five minutes.

Thank you, Mr. Chairman, I appreciate it. Mr. Smith, one of my constituents accessed Equifax's website Security 2017.com to determine if they were affected. Me that whether you submit your own identifying or whether you submit a random name and Social Security number, you get the same message, that he may be affected.
What course of action should consumers who haven't received correspondence yet as to what they are affected or not, what is the course of action, and if they were affected, what are the next steps?

Mr. Smith: It is my understanding those have gone online to register, and that were not notified immediately if you were trying to sign up for the service, you have now been notified.

Rep. Bilirakis: I understand Equifax is waiving fees to freeze and unfreeze your credit. How long is that exemption going to stay in place?

Mr. Smith: We have announced on September 7 the ability to lock and unlock your file at Equifax for free one year from the time you signed up. We announced a product we have been working on for quite some time, effective in January 2018, the ability to lock and unlock your file with Equifax for life for free. That will be the next generation of the lock that we offer in September.

Rep. Bilirakis: As CEO, what level of involvement did you have with regards to the data security and data protection? Obviously the buck stops with you, I understand that, but what level of involvement did you have?

Mr. Smith: Data security directly reported to my general counsel. I would have active involvement with my general counsel, with the head of security routinely throughout the year.

Rep. Bilirakis: What responsibilities did Ms. Mauldin, the chief security officer at Equifax at the time of the breach, have in respect to data protection and data breach notification? What were her responsibilities?

Mr. Smith: Those were core to her responsibilities. She was the head of cyber security and physical security in all 2400 countries we operate.

How many meetings did you have?

Mr. Smith: There were routine meetings we would go through. Those required for security, but the actual numbers sometimes in that timeframe I don't recall.

Half a dozen, a dozen?

That would be a guess.

More than three?
Would that information, I appreciate that. What responsibilities did Mr. Webb, the chief information officer at the time of the breach, have with respect to data security, data breach notification?

And none, sir. Expected to work closely with the head of security but the security function is a separate function, you can do security without IT, you can't do IT without security.

How many meetings did you have between March 8 and July 18?

Was not even notified of an incident. I did not know what the incident was until July 31. It would not have been related to this incident.

Thank you. I yield back.

Is it possible that people who never signed up or used Equifax could've been affected by the breach?

Yes. Information from banks, telecommunication companies, credit card issuers, so on.

So just like we go to apply for a loan, they send information because they want the information on my credit rating, for example.

Exactly. We are part of the federally regulated ecosystem that allows banks to lend money to consumers.

Ranks so can you tell which credit agencies they are using to assess their risk or is it up to the agency?

The banks would give their data to all three. You get a holistic view of an individual's credit risk.

A lot of people I spoke with in Indiana have no idea who Equifax is, right? Many have applied for home loans and other things. Probably at some point you have that information, they may or may not have been notified, probably the bank or other agencies. That is just something I think it is also may issue. The people do not understand or have not been told who is being used to assess their credit risk and when something like this happens they have no idea whether or not their information has been compromised. I have a lot of constituents in rural or lower income agencies that may not have access to the internet or wifi. It is interesting depending on where you are, people who actually have wifi or internet high she might think.
Some people's information might yourbeen acquired right company. How are you notifying all of those people other than saying that you have a website? This is important because people having access to the internet might not be as high as you think coming from Indiana and other rural areas.

We have set up the website you mentioned in a press release across the country. We have also set up internet call centers. We went from some 500 agents to over 2700 agents.

I understand the call centers. I guess that is again making the assumption people have watched the news and knew there has been a breach. They are proactive in knowing whether they have been involved or not. There anything other than a passive way for them to find out. Is there anything proactive to let them know their data may have been compromised?

Inthey get advertising newspapers and so on. Indication may or may not help those in rural Indiana, the visibility this has gotten is high. Some 400 million customers have come to our website. People willay more know.

Thank you for answering questions. My main concern is that my constituents understand whether or not their data has been compromised and what other options going forward. I do think it is important to recognize that although they are important passive ways to people become aware of the data breach, that is one approach, actively informing people might very well be important in certain areas of the country.

The chair recognizes the gentleman from Texas for five minutes.

Thank you. I apologize, we had a committee meeting upstairs. I appreciate it. That does not take away the importance of this hearing. I thank you for setting it. We have here one of the most impactful hacks we have seen. It was entirely preventable. It may be considered criminal. The credit reporting industry is itously unforgiving and helps perpetuate the cycle of poverty.
Paying more money for loans and mortgages, less than perfect credit scores can result in higher rates for things like auto insurance premiums. These people have a harder time paying back higher interest rates and make it likely they won't be able to pay back their debt on time. Yet the credit reporting forgiveness for breach after breach, lobbying Congress for even less liability. Routinely shut down for violations even if problems have not yet occurred as a consequence of violations. Is it clear that Equifax, that is beyond that point, should be allowed to continue operating when they have endangered the public? In the next part couple months, thus allowing company like Equifax to put clauses in forcing individuals into arbitration agreements instead of class-action agreements where they stand a chance to recover losses. It should be clear that now is not the time to roll back consumer safeguards. Securert my colleague and protect American data act. I look forward to her and the witness has to say. Protection companies have seen a big jump in business and share price since the breach of your company including LifeLock, who has reported a increase. LifeLock has a contract to purchase services from Equifax meaning every time someone signs up for LifeLock protection from impact of Equifax data breach, Equifax makes money on that breach. What is the value of night contracted LifeLock has with Equifax? Congressman, do not recall but at the same time, the ability to come to us directly and get free product is available. OK. If it is available I have your share that with the committee. Marketing materials that is leading database offers segments of response covering every conceivable aspect on how consumers live, what they spend the money on, and what interest they have. Can you tell us at a granular level what the sources are for that data for every conceivable aspect of a consumer's life? Congressman, I'm not quite sure where you are referring to.
We are not a data provider in the area of behavioral analytics and data. So I'm not quite sure what you are referring to. I have a lot of constituents concerned about for example you say, I don't need to worry about this breach I haven't applied for credit for 10 years, but that is not always the case because these hundreds of millions released, maybe they bought a car 20 years ago and that data goes forward I assume. Others whotomers or purchased credit, the American public is essentially Equifax's product. On average does Equifax sell access to a given individual's credit file to a potential creditor and how much do they make when they sell it? We take the dating him into a spy the credit ecosystem of the analytics to an end when a consumer wants credit through credit cards, home loans, car, the bank comes to us analyticsay to and and we charge some for that. The question was, how many times does Equifax receive payment for that individual credit file? Every time? If my local car dealer contacts, they pay a fee to Equifax for that information? Yes, congressman. If you as an individual want to get a car and go to a car dealership for a loan, they come to us or to our competitors and when they get the data, access your data, we do get paid for it. Correct. Wasn't started. You have about 15 seconds. I have one more question. The products at Equifax are so far providing Equifax victims of the breach, to not include anything they won't need if it wasn't for Equifax's lapses on their data. You and I have made more than 69 million in 2016, so that's a committee has. E and I know we have for all of our constituents. I thank you for your time. Thank you very much. I appreciate the gentleman's questions. The chair now recognizes the gentleman from Oklahoma. Mr. Smith, what is your current job? I'm retired. You're retired? Are you still getting paid by the company? No, sir.
So you are fully retired, is it you have no affiliation at all with the company? I was meant. I agreed to do this because I love this company. It has been 12 years with 10,000 people trying to do the right thing. As I told the board, it was right for me to step down. They had new leadership take this company in a new direction. When I retired, I agreed to work for them as long as the board required for free. To help make it right for the consumers. So the affiliation is to do free work with the board of directors, the interim CEO. So you are not getting paid in any manner, no shares, stocks, anything? Nothing. The day I announce my retirement. Do you still own stock in the company? I'm sorry? Do still have stock in the company? Yes. Have you sold an event? I have been there for 12 years. Yes, sir. Recently this has become aware to the public. During this breach? Yes. Are three individuals who reported to me what why was there and CEO. That sold stock? Yes. All three of them are men I have known, I mentioned earlier, for a number of years. 12 years and one for three or four years. They are men of high integrity. Did they sell it before this went public? Yes. As I said before, the knowledge, we went public with this on September seven. When did they sell their stock? August 1 and 2. So, after the breach? No. The timeline of the end of July 29 and 30. The notification on the 31st of suspicious activity, at that time, one in two days prior to selling. There was no indication. Ask what would cause them to sell it? There is what we call Section 16 officers. Mmhmm. There's a limited window in which they can sell. OK. Tends to be right after the earnings call for no more than 30 days. This is a natural process. The window opened after the second quarter window. In your opening statement, you made mention there's an error in the portal. And it was three weeks before you were notified of a breach. If I can clarify. Yes.
There was a software called an open source software that was deployed in this environment, this consumer portal. Right. We never found a vulnerability to patch that vulnerability. That was the issue. Who was in charge of overseeing that? Who was supposed to watch the portals for you? Ultimately me. I get that. But who did you have hired that was supposed to watch that? It was the vulnerability side, there was you have department that's dedicated to this? A chief information officer was ultimately responsibility. Is that person still over that department? No, sir. He's gone. He's gone. You said you put in, once you were made aware of the breach, you put in four plans of action, right? The first one was, do you remember? Notification. The second one was a call center. The third one was increase cyber attacks, preparing for that. Fourth was coordinating with law enforcement. Not on ther was CEO, company side but from the company's my wife and I had. Place ofotocols put in what could happen. We know cyber attacks happen. You hear it happen every day on the news. Four things you named were common sense. Things that should've been put in place to begin with. It should've been the fire alarm. You are in that world. This should be on the side of the wall where you put that handle and immediately goes and ice. How was it that you just now thought of that they need to principlesnd sense put into place on how to react to something in a world where we knew you were vulnerable to be hacked? We have protocol. The team followed from the call. This is well known what to do from hiring a cyber forensic expert. We knew what to do. We had done up before, engaging a world leading cyber arm of a law firm. We knew what to do. There are protocols. The one thing, congressman, there is not a switch on the wall. The ability to stand up. Took a long time to stand up. That is the issue we have here. Guide you were on the leading front of this.
The four things you identified, I don't need to simplify it I sang a switch on the wall. These protocols should've already been in place. With that I'm sorry, I don't mean to cut you off but the chairman has indulged me longer than he should. The gentleman's time has expired. The chair now recognizes the gentlelady from California, Ms. Waters, for five minutes. Thank you, Mr. Chairman. Before I get to my question I want to say that on behalf of the 50 million Californians whose information was exposed, we expect better. Was based on model collecting and maintaining the most sensitive information on folks, and you let us all down. That happened on your watch. From my briefings, and appears as could've been and frankly should have been prevented. As Equifax's business model consumern gathering information, repackaging it, selling it. Equifax a simple website which consumers can enter information to determine if they are at risk and sign up for credit monitoring and credit lock. Then you ensure me that Equifax plug this information back into its core information and sell it to its lenders? Equifax should not benefit from this situation, and I want to know that Equifax is going to well up this information and guarantee that the company will not profit from the situation. Ask congresswoman, thank you for your comments. As I mentioned in my written and oral testimony and I said throughout the morning and will say again today, as a CEO it was under my watch. I am responsible. I am accountable. I apologize to all of your consumers and California. Giving toing we are your constituents in California and across the country is an environment where we are not going to sell other products. To come there and be serviced, protection of the five offerings you mentioned. Not to sell your data and monetize that. It is to take and protect you with these five services. OK. Equifax's breach notification website uses a stock installation of WordPress.
This causes me concern because it seems to have insufficient security for a site asking people to provide part of their Social Security number. Can you and care as sherman this website is secure and will not further endanger the personal information of my constituents? Racks congresswoman, we took what we believe is the red man of time looking hastily. Late August, looking at one of the four work streams the congressman mentioned is to prepare ensuring we were prepared for what we knew were increased cyber attacks as told to us by examiners. One of the first things we did was ensure the website would bring consumers to these free services and was as secure as possible. That was one of our top priorities. OK. My last question, how many U.S. consumers have enrolled in the credit monitoring services TrustedID? I know multiple people enrolled, including my immediate family, and they were told they would receive an email to complete the process. After days of waiting, they have not received any email. I wanted to know what the delay in processing this protection and will they be able to complete the process to protect their information? I understand. I mentioned earlier there were over 400 million consumers have come to the website. Have 400, we do not might consumers in the countries on number of them came back multiple times. I was told in the last two days the backlog waiting for those he has now been fulfilled. As you come into the system there is a more immediate response. The teams have made great progress. Thank you. I yield back the balance of my time. Thank you. Recognizes the gentleman from Pennsylvania for five minutes. Thank you, Mr. Chairman. I have heard from hundreds of constituents in my congressional district. There are approximately 5.5 million in Pennsylvania.
I have reviewed each and every one of the constituents' stories I have received, and amongst my growing concerns, your baseline security practices leading up to the breach, the company's awareness of the breach developments and relevant timing, how consumers can get assistance in securing their how reliable the recovery efforts are in the wake of the breach, and the path forward, long-term, for consumers' personal information and making sure they're safe despite the breach. It is this last one that is so particularly angering because it's going to potentially be so destructive to hundreds of millions of Americans about what might happen to them in the years to come. And as the head of the company, of the company has to know how predictably damaging this can be. I ask you, is it not predictable how bad it might get for the individuals who have been optimized? In terms of how much damage could be wrought on them individually in the years to come? Let me start with saying that like you, I have talked to constituents, consumers across this country. Who have been impacted. I personally read letters from consumers complaining. Voicing anger and frustration. So I know what you are saying and seeing back home in Pennsylvania. I think it is going to be multiplied thousands of times when something actually happens. So when you talk about how predictable some of this is, the rollout of the call centers and the second rollout and the third rollout, it has to be predictable how massive this is and what would need to be put into place from a protocol perspective in order to address what is coming. The slow rollout and how poorly it was done to me is inexcusable. You have to have departments dedicated to dealing with this potential. It does not seem to me that was planned. If it was planned, it was planned extremely poorly. I understand your point. We went from 500 call center agents to almost 3000. Properly handled call center lip agents to handle the calls.
We did the best we could in a short time. We open to larger call centers. It was Hurricane Irma. We were not prepared for that kind of all. How could you not be? How could you not be? That is not our traditional business model. Our traditional business model is companies, not 400 million customers. But your business model has a couple hundred million customers. So on this scale, obviously you are going to have at least that number are probably twice that inquiringling in and as to whether or not they are subject to the breach and that was not done. The differences, the primary business model is dealing with companies, not with hundreds of millions of consumers. Acted the best we could, as quickly as we could. We mentioned it is getting better each day. We listen to feedback, changed the website, call center. Familiar with the Safeguards Rule that you operate under? How would you say a forensic consultant issued the certification based on your protocol is in compliance? Compliance. As you are saying how are you in compliance? You arese if you said following protocol and protocol led to this, it is difficult. That calls into question whether the Safeguards Rule is sufficient because if you said you are in compliance and this still happen that unearths a whole other set of questions. The scale of the reaction was unprecedented. I am not making excuses. Guess but there is a governance issue here. Your board of director gets together, your CEO, chief officers, at least once a year. Probably quarterly. You have I presume outside firms, consultants, doing this stuff everything obey for you on retainer. The speed at which you have to do this just to run your company operationally, you do not ever stop. Ongoing. Iously income a persistent.
And, it just seems to me that through insurance policies, through reporting to your board, through your board wanting to make sure they are doing their job that you are going to be looking for certifications from your outside friends at consultants doing audits and say, you're doing good. Here's a new threat. Here's how we are updating. I just don't see, that's the kind of information I think would be extremely helpful that we have not received any information from today. But I would ask you, since I'm well over my time, that I would like to know how often your board asks you to certify whether or not you're in compliance, and what is that protocol, and when was the last time you updated the protocol? You said you complied with protocol. When was the last time that was updated? I understand your question. We'll get you that information. Do you yield back after you're already well over? I yield back. The time has expired. The chair now recognizes the gentleman from New York. Five minutes. Thank you, Mr. Chair. Americans should know their sensitive personal information is safe. Their security is exposed when private companies, including Equifax, can collect their private information without their direct knowledge or consent, and it's why I'm cosponsoring Representative Schakowsky's measure, H.R. 3896, the Secure and Protect American Data Act. Mr. Smith, we are here today because months after the breach actually took place, your company, Equifax, revealed that its for-profit business practices have exposed the highly sensitive personal information of some 145.5 million Americans and counting. Your data breach exposed a critical vulnerability in the American economy and the information security of the American people. The victims of this breach span every age group, every race, class, and other demographic. They now face a lifetime at risk of fraud, identity theft, and other crimes as a result of the private data that you exposed. I have many, many questions.
Allow me to be the conduit through which my constituents ask you, Mr. Smith, their questions. I'll go first to a constituents pointed out to me, it would be wrong to call the victims of this breach Equifax customers. Most of them never asked to be tracked and judged by a private company with little public oversight or accountability. This is unacceptable. And he asks why he's been impacted in this manner. Any comments to the question? Again, congressman, I have read many similar letters and talked to people back home in Atlanta who voiced that same concern. I can tell you this. We're a company that's been around for 118 years. 10,000 employees trying to do what's right each and every day. I apologize to the individual who wrote you that letter. I apologize to America for what happened, and we're going to try to make it right. My constituent Jason from Albany asked, Mr. Smith, to the best of your knowledge employ the best and most effective defense available to you to prevent this breach? A crisis never occurs if everything has gone right. In this case, we had a human error and a technology error. It wasn't because we were unwilling or unable to make the financial investments in people, process, or technology, though. My constituent Tanya asks, how do I get Equifax to fix this without signing over my rights? And what related costs will I, Tanya, be expected to pay over my lifetime? The five products we launched, services we offered in September are all free. They're all spelled out in the press release. They give that individual significant protection. The most comprehensive change is coming in January of next year when is the ability for consumers to lock and unlock their data when they want and only when they want. And any related costs she should expect to pay? Services are all free.
Number of my constituents would like to know given that the sole purpose of credit agencies secure handling of consumers' confidential information, which they spectacularly failed to do, why is this company allowed to continue to exist? We have a rich history of helping those who want to get access to credit, to get access to credit. The company has done many great things to help those in the unbanked world who would never otherwise have access to credit, because what we do, bring them into the credit world. Constituent Lee from Albany asks why are you using this gross misconduct to turn your victims into customers for a paid monitoring service that you will profit from? This is not our intent. Our intent is to offer the five services for free, followed by a sixth lifetime lock for free. My constituent Karen says why haven't you notified each person whose data was compromised, folks who never asked you to score their information. So where are the representatives and why should they be responsible for your malpractice? Following the recommendation of those who advised us, we did notify through the press release, notifying the entire population not just those who were the victim of the criminal hack, but all Americans to get access to these products and services for free. And my constituent James from New York asked why did it take so long to announce the data breach and why shouldn't you be held responsible for every day of failing to report? I think hopefully my written testimony, my oral testimony, and the dialogue we have had today has talked about the timeline in enough granularity to help that person understand what occurred from March through 7th. And a constituent Stephanie asked, do they know if the people were targeted or randomly picked? Why some but not others? At this point, all indications are it was at random. It was targeting of individuals specifically. I have exhausted my time, but let me assure you, Mr.
Smith, I have many, many, many constituents' questions that continue to pour forth and we're going to provide those after the hearing here. And would expect that they would all be answered, and again, thank you for your response. I yield back. Thank you very much. The gentleman yields back. The chair now recognizes the gentleman from Pennsylvania for five minutes. Thank you. Thank you, Mr. Chairman, for allowing me to sit on this hearing. My fellow members have already asked a lot of questions, very important high-level questions, but I want to take a moment to dig more deeply into a few specific issues. We now know that Equifax information security department ran scans that should have detected systems that were exploitable, but that the scans didn't detect any. I foresee at least one system was vulnerable. If the scan was improperly configured to catch this vulnerability, in other words, you missed a major breach, is it possible that it has also been improperly configured to detect similar vulnerabilities? I no knowledge of that. I have no knowledge of that being the case. You have to feed the information in these scans and it has to be complete and accurate information. And this information apparently wasn't fed in was fed in an incomplete way, is that true? Can you repeat the question please? In order to scan something, a human has to feed it information, right? I am not a scanning expert, congressman. My understanding is that you have to configure the scanner in certain ways to look for certain vulnerabilities. A lot of what is going on is you're saying no humans are involved, but configuring is done from a human being, right? And inaccurate information got in there, too. If it was improperly configured to catch the vulnerability, is it possible it is improperly configured to detect similar vulnerabilities? I have no information that is the case. Scammers were using it for phishing.
Someone switched two words and made it into a phishing website that looked identical. Luckily, this person was just trying to make a point, but the point is well taken. You said today you set up this external website because Equifax wouldn't be able to handle the sheer amount of traffic. It doesn't make sense. A company of your size and knowledge doesn't understand how to handle traffic for over 100 million people. Don't you use an elastic cloud computing service that would have accounted for that. A point of clarification, the phishing site you refer to was mentioned a few times today, was an error by an individual in the call center. Let me ask the question, we have that established, but I want to ask this question, though. You wouldn't be able to handle the sheer amount of traffic. The environment microsite is in a cloud environment. It's very, very scalable. The traditional environment we operate in could not handle 400 million consumer visits in three weeks. I want to come back to some of this stuff, too. I want to come back to the issue of patching the vulnerability. I know this has come up a few times but I want to make sure to highlight this point. Our understanding is that vulnerability required more effort than simply installing a patch. We also understand when Equifax patched the vulnerability, it took less than three days to do so. The patch only took a few days to apply, why did Equifax fail to install it immediately after it was announced as critical? Patching takes a variety of time. I'm not sure where you got the note that it's three days. Patching can take days to up to a week or more. Did you notify everybody it was going to take some time. I'm sorry? Did you notify your customers it was going to take some time? Did you notify people there was a risk that you were trying to apply the patch. No standard protocol? I didn't ask about standard protocol. I asked if you notified people. No knowledge that we notified consumers of a patching process.
You didn't notify people a patch was going to take place and the risk existed. Did other executives of your company, were you aware of it? As I said before, I was not. You were not aware that there was a problem with vulnerability? You just told me it takes a few days to a few weeks. You weren't aware it existed? That's correct. Let me wrap with one final thought. You state the breach occurred because of human error and technology failures. Looking at the three issues I highlighted, these are not failures of technology. Human misconfigured the scan, a human selected the website name, a human failed to apply the patch. While I understand cybersecurity complicated field, we have dealt with this many times on the committee, and I also think it's important to be up front about the cause of breaches like this. If we continue to blame human technology, I think we'll have a very difficult time improving our capabilities and preventing future cyber threats. We'll see you again in my subcommittee. Thank you very much. The gentleman's time has expired. And the chair now recognizes the gentleman from Maryland for five minutes. Thank you, Mr. Chairman. Thank you for being here. You have been the president of the company for, CEO for 12 years, is that right? That is correct. There's three things I think that the public is angry about, certainly as my colleague was indicating, we're getting a lot of messages and contacts, inquiries from our constituents across the country. First of all, they want to understand, and you have tried to explain it today, but I'm not sure it's going to be satisfactory why there wasn't sufficient protections in place on the front end so that this kind of breach wouldn't happen in the first place, given the sensitivity of the information that you're keeping in the company. The second thing is how quickly once a breach was discovered you came clean to the public and provided information on what was happening.
There seems to have been a delay there that concerns people. The third is whether the services that you're now providing to people, you have enumerated five or six free services that you're providing to people. Whether that's going to be a sufficient assurance to folks going forward that their identity can be protected, that their information is safe and so forth. So you're trying to fix things now, but there's going to continue to be, I think, serious questions about all three of those things that I just mentioned. I wanted to ask you about the kind of remedies you have out there because there's some confusion. I got a question from a constituent who had purchased a monitoring service that would cover his family, including a child under the age of 18. So first of all, can you tell me, it is possible for someone under the age of 18 to have their identity stolen, is that correct? As far as you understand? Is it possible? Yes? As it relates to this breach? Just generally. Identity, if certain information about a minor is divulged to some unscrupulous actor, that can be used to steal the identity of if someone has a Social Security number at any age, can that be compromised, yes. It cannot be compromised in this case because this database they got into, from my understanding, was only for people who have credit active or inactive. They have been in the credit environment. But my understanding is when you provide a family service, you're collecting information and holding information that includes the Social Security number of people who may be under the age of 18. Have no knowledge that under 18, not credit active, was compromised here. I can look into that. I have no knowledge. If that is the case, is the free service that you are providing going to cover any exposure or information that's related to a minor as opposed to somebody who's over the age of 18, if you had information on that minor? I can look into that, congressman.
The intent of the coverage was to cover anyone in America who is in the credit system. So if you're under 18 and not in the credit system, I'll check your one point which is on this concept called family plan that you're alluding to where you lock down consumers. I don't believe their security numbers were in the system but we can verify that. If I can interrupt. We had a clock issue. You have about 30 seconds left. Thank you. I think it's important because it may be that with respect to credit reporting, implications of this breach are only attached to people who are 18 or older. But if you're holding information about minors like a Social Security number, that's part of the portfolio of information you're getting from a family, for example, particularly when the family has paid for this service. You're holding their Social Security number. So any breach that makes that information available outside of the arena in which it's supposed to be kept close, creates vulnerability for that person. It's not like we get a new Social Security number when we turn 18. So that's going to follow them all the way through and create some real risk for them. So I think that's a piece of this that we need to understand much better. And I want to thank my constituents for bringing this to our attention. I understand your point. To my knowledge, that data is not included in the breach. I will look into it. Thank you. I yield back. Thank you very much. The chair now recognizes the gentleman from Georgia for five minutes. Thank you. I want to thank you for allowing me to sit on this today. Mr. Smith, thank you for being here. It has been a tough day. It has been a temp as couple weeks. I appreciate you being here. I am not going to apologize for my colleagues and their questions and their aggressiveness, if you will be because as you know, people are upset. They are mad. You get it, I get it. Well understand it. But nor am I going to pile on. I want to go to a different route if you will.
One of the things I've learned in two and half years I've been up is to be very careful about my Southern phrases which have always not been you know, fool me once, shame on you. Fool me twice, shame on you. I want to know what we can learn from this. This is not the first time a data breach has happened. Perhaps it is the biggest that has ever happened, but it has happened to other companies before. To the extent you are not prepared for this or what happened to you, and I hope it was not due to complacency, I hope all is not due to you not doing everything you could to have prevented this. My question is this and you share with us any information about the attackers? What do you know about them at this point? Congressman, thank you for that. As I mentioned in my opening comments in my written testimony earlier this week, we engage the FBI and they currently have the investigation in their hands. At this juncture, we are not disclosing what we know about the hackers. How has your cooperation with the FBI been? Has your experience with them thus far been good? This is important. This is important for everyone. Everyone is upset and rightfully so. They should be upset. When your personal data is out there, obviously it is upsetting. I am trying to go a different direction. I am trying to figure out how we can prevent this from happening. With the FBI, as this is I know has been good. It is ongoing. We have lines of communication into the f ei will but. Just about the breach routinely throughout the are. So I would say it has been very good cooperation, congressman. Let me ask you this. Done anything differently, what would you have done? Congressman, I was asked that question earlier and my answer will be the same now. There will be time for reflection personally and as an organization. Coupled with the investigation we continue to undertake to look at processes in-house. At this juncture, since I was notified mid August through this morning it has been all about forensics.
It has been about trying to protect and do what is right for the consumer with no time to reflect on what we would do differently. When the time comes, we need to know. We don't need to let this happen again. Other companies need to learn from this. There is one thing I would love to see this country think about: the concept of a Social Security number in this environment being private and secure. I think it is time as a country to think beyond that. What is a better way to identify consumers in our country in a very secure way? I think that way is something different than a Social Security number, date of birth, and name. You are exactly right. I remember my time in the Georgia State legislature when we changed. You know, you used to have your Social Security number on your driver's license. There used to be a driver's license number. We changed it. That is something that tells me this is something that is changing dramatically and quickly and we need to be prepared for it. I know you are putting out fires right now. But at some point, we need to learn from this. We need to know we should not have done this, we should have done that. What could we have done differently? What will benefit another company to allow that this does not happen? And I hope, and thus far you appear to have been honest about this. I hope that if a part of what the problem was was complacency, that you admit that and say, don't ever let your guard down. Thank you, congressman. I would love to be part of that dialogue about what lies ahead to protect individuals' identities. Again, I want to thank you for being here. It says a lot about you and your company. Thank you, chairman. The gentleman yields back. The chair now recognizes the gentlelady from California for five minutes. Thank you, Mr. Chairman. First I would like to recognize a former colleague here in the chamber with us. Who served in the House and Senate. Good to see you. Very nice to see you. Mr.
Smith, it seems to me that you have accomplished something that no one else has been able to accomplish, and that is you've brought Republicans and Democrats together in outrage and distress and frustration over what has happened. This is huge. This is almost half of the country into their information. You know, the American people are, I think they have privacy in their DNA. We do not like big brother. We do not like people having information on us. And now in the information digital age that is impossible breached, when the privacy goes out the window, it really puts a dent in people's lives. Because with they don't feel they can do anything about. They feel helpless. I come from earthquake country. And, when that rattle first starts, you really do feel helpless. You feel absolutely helpless. Now, it has been, the question has kind of been posed rhetorically by some members because I have been sitting in for a while at this hearing. Be done? I have the privilege of representing most of Silicon Valley. I have asked this question about the protection in terms of privacy, breaches in our country, to just about every CEO I have met. And they have responded like a chorus and said that there are two main reasons for breaches in our country. A lack of hygiene in systems. And, very poor security management. That is why I have legislation. Senator Hatch is the lead sponsor in the Senate. I have the bill in the House. So, it is distressing to me knowing this information, that Homeland Security notified Equifax, this is almost seven months ago. This has to do with a patch, so I know there is a lot of questions that have probed this. At the time, when Homeland Security informed your company that there was a breach, what did you say to your CIO officer? Did you understand what the breach was? Did you understand what the patch meant? Did you understand the need for timeliness to have this fixed? And, did anything change in that department?
Was there a new policy put in place by you? Congresswoman, to clarify, when the CERT came out in March, there was no notification of a breach. There was notification. What did it mean? Did it mean, if I got a notice from Homeland Security, that is like the FBI knocking on the door. Menacing. What it meant was an open source software commonly used, deployed around the world, called Apache Struts. The notification was the vulnerability should be patched. All right. Did you ask if it was patched? We get notifications. No, you got the notification from Homeland Security, all right? What did you do about it the day you found out? Notified on, I believe, the ninth of March. When did you know? The team, security team, instantly, protocol and within a day, sent notification out to many people in the organization that a patch needed to be applied to Apache Struts. Did you ask your team when it was applied? Asked, the security team did, and I spoke with the IT team as well. When did they take care of it? When it occurred. The testimony we talked about, when was it, actually the following day, communication was out to those who needed to be notified. You already said that. I want to know when they did it. When they took care of it. They took care of it in July because we never found it. It was not until your call. We have the human error, we did the scan, the technology never found it. In July, we saw suspicious activity, took the portal down, found the vulnerability, applied the patch. Well, I thank the chairman. We have in the rules of the full committee, which are approved at the beginning of every Congress, that members of the full committee can participate in subcommittees when they are not members. I appreciate the legislative courtesy and I think there is a lot more to be done on this issue, Mr. Chairman.
If I might make the recommendation, I think we should have the CIO, the chief information officer, come in because I do not think that this is resolved. Thank you. Thank you very much. The gentlelady's time has expired. We're going to ask one quick a lot. I yield to the ranking member first. First of all, Mr. Chairman, I would like to insert for the record a letter from Consumers Group Credit Union National Association and an article from WGN TV. Without objection, so ordered. All right, so in closing, Mr. Smith, I want to quote again from you, from your testimony. You mentioned the five fixes, so-called, and you put, this puts the control of consumers' credit information where it belongs, with the consumer. So, I want to ask you a question. What if I want to opt out of Equifax? I do not want to drive my information anymore. I want to be in control of my information. I never opted in. I never said it was OK to have all my information. Now I want out. I want to lock out Equifax. Can I do that? Congresswoman, that requires a much broader discussion of the role of credit reporting agencies. The data, as you know, today, does not come from the consumer. It comes from the furnishers. And the furnishers provide that data to the entire industry. No, I understand that. That is exactly where we need to go, to a much larger discussion because most Americans really do not know how much information, what it is, that you have. OK. Never said so, I am hoping this will lead to a wider discussion. Thank you. Thank you very much. The gentlelady yields back. If I may just go back to a discussion earlier, again, going back to your testimony from August 15 when you reported it was likely consumer information had been stolen. There again, a 10-day delay between finding out about the personal information that could have likely been stolen to developing that remediation plan? That 10-day window. Why did it take 10 days to start that remediation?
Congressman, there was continuous work going on around the clock from that time through yesterday trying to develop the product, develop the communication plan, stand up websites, inform those that needed to be informed. It was not like on a certain date something occurred. It was a continual motion by many people for many weeks. Let me ask a follow-up on that then. It was within a 10-day period of time, when was the appropriate time to start talking to consumers? Waiting until September? There was that line time, information had been stolen on individuals. The whole goal was to make sure the data we had was accurate, secure for the U.S. consumer. To make sure the forensic cybersecurity specialists in our environment work as secure as possible. To stand up the call centers and websites for hundreds of millions of consumers and that took time, as I alluded to earlier. Thank you very much. Members too other ask questions, we want to thank you for testifying today. Pursuant to committee rules, I want to remind members you days to submit questions for the record. I ask that the witness submit his response to the questions submitted within 10 days. The committee is adjourned. [gavel pound]
