
Earlier this week, the Senate Banking Committee held a hearing on potential legislative responses to the Equifax data breach, which made vulnerable the personal and financial information of more than 143 million consumers. We heard testimony from representatives of the credit reporting industry and consumer protection groups. This is almost two hours.

As a follow-up to our hearing on the Equifax data breach, we hear testimony on protection of consumer data. Members expressed interest in better understanding how credit bureaus are regulated, how they protect consumer data, and whether there are gaps that Congress needs to fill. I've long been concerned about the ever-increasing amounts of big data collected by companies and by the government. It is critical that personal data is protected, consumer impact in the event of a breach is minimized, and consumers' ability to access credit is not harmed. Credit bureaus play a valuable role in our financial system by helping financial institutions assess a consumer's ability to meet financial obligations, and also by facilitating access to beneficial financial products and services. The inherent nature of the credit bureaus' business, as with most businesses in this digital age, requires utmost data security to ensure that sensitive consumer information is safeguarded. Two weeks ago, Equifax testified about the methods it uses to protect its consumer databases, such as encryption at rest and tokenization. Former Equifax CEO Richard Smith noted that while some of Equifax's databases are encrypted at rest, the dispute portal that was compromised was not. Questions remain about the best ways to protect sensitive data, including: Are there data security industry standards and best practices at credit bureaus? Should tools like encryption at rest be employed to protect all data containing sensitive consumer information? What role do financial institutions and federal agencies play in data security at credit bureaus? Given that the credit bureaus are financial institutions under the Gramm-Leach-Bliley Act, how does data security testing and oversight by regulators compare to that of traditional financial institutions? I look forward to hearing from our witnesses about what credit bureaus do to ensure security for the data they collect, who oversees credit bureaus to ensure they have adequate security measures in place, and what improvements could be made to the oversight of data security at the credit bureaus. There are also many concerns regarding company response to data breaches. The Equifax breach has left more than 145 million consumers a little confused as to what can be done to mitigate damage to their identities and credit.
We do know that starting in January, Equifax will offer all customers the ability to lock or unlock their credit files for free. Additional products have also been offered from Equifax and the other credit bureaus for consumers to monitor or freeze their credit reports. Many consumers remain confused about which options are best for them, but this hearing will hopefully provide some additional clarity. We have a shared interest on this committee in ensuring that credit bureaus take the necessary measures to safeguard personal data and minimize the risk of another massive data breach. Senator Brown.

Thank you, Chairman Crapo. Under current law, whether we like it or not, companies like Equifax can collect vast troves of personal information. That includes personal information plucked from our work histories, our social media profiles, from reward cards that track our purchases at the grocery store, even information from our smartphones tracking our daily commutes. Generally these companies are free to sell that information to all sorts of financial institutions and other data mining firms who use it to make decisions about us, like what kind of car or job we might get. Corporations like Equifax rarely have to tell us exactly why or how these decisions are made. They get to hide behind proprietary models and trade secrets. It seems our laws protect big corporations' use of people's data a lot better than they actually protect people. As a recent breach demonstrates, enhanced cybersecurity measures at companies like Equifax may work perfectly yet still do little to protect consumers' data. 145 million people have had their private data exposed. It doesn't appear that any sensitive corporate data was accessed. Because these businesses are not accountable to consumers, and because consumers have no choice over what is, over who is collecting their information, consumer protection is pretty much an afterthought.
As we talk about the clearly inadequate protections for consumer data at Equifax and those in place at the other consumer reporting agencies today, we cannot forget that the real victims of this hack are the 145 million people, 5 million in my state alone, who, through no fault of their own, have had their personal information compromised. I hope at today's hearing we don't just talk about how we strengthen cybersecurity. We need to do that, of course. But we also need to explore how to restore people's control over their own information. We need to examine whether the credit bureau model makes sense for American consumers. We know the credit bureaus have a long history of consumer complaints and inaccurate reporting that has long-term effects on people's ability to get a job or get a house. Rather than addressing these problems, the credit bureaus have spent millions acquiring other data collection companies and branching out into new lines of business. Despite their continued failure, there's no other word to use, their continued failure to provide accurate credit reporting services, or to protect all of the data that they collect, these CEOs have been rewarded with enormous salaries and bonuses. Sometimes they come in before us and say they're going to give up their bonus, as if that's a major concession. Now in an era of nonstop cyber threats, it seems like they've made consumers even more vulnerable. Equifax made astounding amounts of money off of the consumer data it collected. It will hardly, unless things change, it looks like it will hardly pay a price for its recklessness. It's still collecting and storing our data. In some cases we're giving, in some cases we're giving even tax dollars to do it. I look forward to today's witnesses' views on these matters. Thank you.

Thank you, Senator Brown. We'll now turn to our witnesses. First we will receive testimony from Mr. Andrew Smith, partner at Covington & Burling, on behalf of the Consumer Data Industry Association.
Then we will hear from Mr. Marc Rotenberg, president of the Electronic Privacy Information Center. And finally, we will hear from Mr. Chris Jaikaran. Did I pronounce that right? Mr. Chris Jaikaran, analyst in cybersecurity policy at the Congressional Research Service. Each witness is recognized for five minutes of oral remarks and then we will proceed to questions. Mr. Smith, you may proceed.

Thank you. Chairman Crapo, Ranking Member Brown and members of the committee, thank you for the opportunity to appear before you. My name is Andrew Smith, and I'm a partner in the law firm of Covington & Burling. I'm appearing today on behalf of the Consumer Data Industry Association, which is a trade association of companies that provide businesses with the information and analytical tools necessary to manage risk and to protect consumers. CDIA's members include the three national credit bureaus: Equifax, Experian and TransUnion. You've asked us to discuss how credit bureaus protect consumer data. First, I wanted to mention the important role played by the national credit reporting system in our economy. More than two-thirds of our GDP comes from consumer spending, fueled by consumer credit. It's the national credit reporting system that allows consumers to quickly and effortlessly open a bank account or purchase a cell phone. More than 40 percent of consumers move every year, and the national credit reporting system facilitates this mobility, in addition to providing fast, fair and impartial access to well-priced credit, insurance, apartment rental and other essential services. Nearly 50 years ago, Congress enacted the Fair Credit Reporting Act to ensure the fairness and impartiality of credit reports, to protect consumer privacy and to foster the continued development and vitality of the national credit reporting system. The most recent revision to this comprehensive regulatory scheme was the addition of the CFPB as a supervisory agency.
This is the first agency to directly supervise the national credit reporting system, not just examining credit bureaus, but also examining the users of credit reports and the companies that contribute information into the credit bureaus. The CFPB's virtually continuous supervision of the credit reporting system began in earnest in early 2012, and, according to the CFPB, has produced, and I quote, "a proactive approach to compliance management that will reap benefits for consumers and for lenders for many years to come." With respect to data security, credit bureaus are subject to federal and state laws requiring them to safeguard consumer data, and because of the key role they play in the banking system, they also are subject to very specific private data security requirements, such as the Payment Card Industry Data Security Standard. To begin, credit bureaus are required by the FCRA to maintain procedures to ensure that they only provide credit reports to legitimate people for legitimate purposes. These credentialing requirements go beyond contractual certifications and include comprehensive due diligence of prospective customers, as well as continuous monitoring of existing customers. The FCRA also requires secure disposal of credit report information. In addition, the FTC's Safeguards Rule, as referred to by Chairman Crapo, under the Gramm-Leach-Bliley Act, requires financial institutions, including credit bureaus, to develop and implement comprehensive information security programs. The laws of at least 13 states similarly require companies to implement and maintain reasonable procedures to safeguard sensitive personal information. Furthermore, almost every state requires that companies notify consumers when there is unauthorized access to or acquisition of sensitive personal information. Because of their important role in the banking system, credit bureaus are also subject to private contractual data security requirements.
For example, because the credit bureaus handle credit card information, the card networks, Visa, Mastercard, et cetera, require that they comply with the Payment Card Industry Data Security Standard, and validate such compliance by obtaining an independent, third-party audit of their security procedures. In addition, because banks provide a great deal of sensitive customer information to the national credit bureaus, they're required by their prudential regulators to conduct regular information security audits of the credit bureaus. These audits can include on-site inspections, which might last for several days. Each of the three national credit bureaus is subject to dozens of these bank reviews each year. CDIA shares with you the goal of ensuring that consumers and businesses have confidence in the ability of the national credit reporting system to keep consumer data safe. Thank you for the opportunity to testify, and we look forward to today's dialogue.

Thank you. Mr. Rotenberg.

Members of the Senate Banking Committee, thank you for the opportunity to speak with you today. My name is Marc Rotenberg, president of the Electronic Privacy Information Center. We are an independent, nonprofit research organization founded in 1994 to focus public attention on emerging privacy issues. I would like to begin by saying that the Equifax data breach is one of the most serious in our nation's history, on par with the 2015 data breach at the Office of Personnel Management that impacted more than 22.5 million federal employees, their families and friends. The Equifax breach poses enormous challenges to the security of American families, and even to our nation's security. There is no simple solution, but in my testimony today I will outline the steps I believe that Congress can take to mitigate the risks that follow from the breach and reduce the danger and likelihood of future data breaches.
I should also say that the Equifax breach is remarkable because of its scope, the sensitivity of the data, and the delay to fix a well-documented security flaw. More than four months passed from the time Equifax failed to install critical software updates. And the data that was disclosed is precisely the information that individuals rely upon to open bank accounts, get car loans, seek employment and buy cell phones. The data included names, Social Security numbers, birth dates, home addresses, and driver's license information. This is also the data that criminals use to commit identity theft and financial fraud. Equifax is clearly responsible for this breach. The company was notified in March by both the Apache Software Foundation and US-CERT of the need to make critical software changes. But it's also worth emphasizing that Equifax chose to collect this personal data on American consumers. Consumers did not provide this information to Equifax. And the lax security strategy that they followed meant that a single breach resulted in the release of 145 million credit reports on American consumers. The breach will cause unprecedented harm. When hackers get access to credit card numbers, consumers can cancel accounts and change the credit card numbers. But it's not so easy to change a Social Security number, and I don't think it's possible to change your date of birth. Equifax's victims will be exposed to the ongoing risk of identity theft and financial fraud, which is already an enormous problem for American consumers. The FTC reported almost 400,000 cases of identity theft in the United States in 2016. 29 percent of those cases involved tax fraud. And the Department of Justice estimates the cost to the U.S. economy at over $15 billion per year. Credit reporting agencies are in urgent need of reform. In my testimony, I've outlined a number of steps that I believe should be taken to establish accountability and transparency.
Most simply, consumers need to be given greater control over the information about them that impacts their financial future. This means, for example, that we should have a nationwide credit freeze, or, to say it a little bit more precisely, the disclosure of credit reports should be on an opt-in basis. We recognize the value of credit in the American economy. But it is the consumer who should decide when it is in their interest to disclose the information to a third party to obtain the car loan. They should not have to jump through hoops to put in blocks and freezes to restrict access by others. They should make the affirmative decision. Credit monitoring should also be freely available. You should not have to pay to be told that there is fraudulent activity on your account. But that is the current problem with credit monitoring services that either require a fee or limit the access to credit monitoring for 90 days. This makes no sense whatsoever. If there's a problem in the account, the consumer should be notified. We also think consumers should have more ready access to the contents of the credit report, so they know who is receiving the information and the impact that the data might have. I have several other suggestions in my testimony which I would be pleased to provide for the committee. Thank you.

Thank you. Mr. Jaikaran.

Chairman Crapo, Ranking Member Brown and members of the committee, thank you for the opportunity to testify on consumer data security and credit bureaus. My name is Chris Jaikaran, and I'm an analyst in cybersecurity policy at the Congressional Research Service. In this role, I research and analyze cybersecurity issues and their policy implications, including issues of data security, protection and management. My written statement for the record goes into further detail, but my testimony today will address data security as an element of cybersecurity and risk management, cyber incident response, and options for Congress to address data security. An increasingly used catchphrase amongst industry analysts is that today all companies are technology companies, or all companies are data companies. This concept reflects that information technology and data play an important role in enabling the modern business practices which allow companies to compete and thrive in the marketplace. However, this reliance on IT and data also creates risks for corporate leadership to manage. Adequately controlling that risk is an objective of cybersecurity. Data security is an element of cybersecurity that involves risk management. Absolute security is not obtainable, so managing the risks which would impair security is the goal. In order to evaluate risk, managers need to understand the threats their enterprise may face, the vulnerabilities they have, and the consequences of an incident. Cybersecurity incident response describes activities to confirm an attack, discover information about it and mitigate against it. For incident response, staff is not limited to just IT personnel. Communications staff that are able to draft messages to both internal and external stakeholders, legal teams who can help with reporting and compliance requirements, and management and corporate boards who are accountable for the operations of a corporation should all be included in response planning, among others, depending on the entity. There will be a delay between the discovery of an attack and the public notification of that attack, because analysis of what transpired will need to be conducted. This analysis will inform the entity of how they were breached and what data or systems were compromised. This type of analysis may be conducted by the entity itself, a business partner of the entity, government response teams and law enforcement.
With a variety of potential forensic investigators, determining how they will coordinate in their response, and how they will share information among one another, is a factor which should be determined during the planning and training phase. With information on how the breach happened and the extent of the breach, the entity can proceed to mitigate its effects. These phases need not occur in succession, but may be able to occur concurrently. I will now briefly present three options Congress could consider to address data security. Congress could explicitly authorize a federal regulator to examine credit reporting agencies for their adherence to the Safeguards Rule, as promulgated by the Federal Trade Commission. Dialogue created between the federal government and credit reporting agencies could lead to greater understanding of the cybersecurity risk faced by credit reporting agencies and allow for deficiencies in their security posture to be corrected prior to referral for enforcement action. Congress could regulate the collection, use and retention of data, regardless of the type of entity that houses that data. The European Union and Canada have such data laws. Congress can establish requirements on what data may be collected, how data must be stored, and the consumer's rights to collection and data about them. Congress could require credit reporting agencies, or any entity that profits from consumer data, to identify and disclose their data model for consumers. Elements such as where data is acquired, how it is used, and what other data the entity generates about the consumer will provide consumers with additional information that may affect their decisions in the marketplace. Thank you for the opportunity to testify today, and I look forward to your questions.

Thank you very much. Before I begin my questions, just to inform the senators, we have a vote at 10:30. Senator Brown and I have discussed it, and we intend to keep the hearing running.
So we will adjust our attendance at the vote, and you can make your plans accordingly. But the hearing will continue to proceed during the vote. The first question I have is for the whole panel. I'm going to ask you to be concise. I only have five minutes in my questioning, as does each of the other senators. But this is for each of the members of the panel, if you have an opinion on this. There has been a lot of discussion surrounding the social, the security of the Social Security number, and whether it should be used as an identifier going forward. Do you think we need to get rid of the Social Security number as a personal identifier? And if so, what viable alternatives do we have? How would we ensure that such an alternative doesn't suffer from the same drawbacks as the Social Security number? Mr. Smith, do you want to start?

I think that if we eliminate the Social Security number as a personal identifier, we're going to have to have something, some other unique identifier that will allow businesses, credit bureaus, others to know who precisely they're dealing with. So my name is Andrew Smith. There are thousands of me, perhaps tens of thousands of me. When you're looking at a bankruptcy court record, if there's no identifier on there, how do you know which Andrew Smith it is? So socials right now, and other identifiers, play a critical role in the economy, just simple identification, right? Not authentication, not verification. Not that I truly am who I say I am. But as identifiers, socials have had a role to play. Whether we need another identifier, I think that we're willing to work with you on that to try to come, to try to get to the right result for consumers.

Mr. Rotenberg.

Thank you for the question. I've spent many years before many congressional committees urging that limits be established on the use of the Social Security number. But we have never argued for replacing the Social Security number.
The key point is that the SSN serves an important purpose in the management of certain government record systems. That's what it was established for, and that's where the legal authority exists. The problem is that the SSN was adopted in the private sector and used as an identifier for general purposes. This has actually contributed to identity theft and financial fraud. It's an imperfect identifier. It's used both as a password and as an authenticator. It was intended for neither. So when we talk about the Social Security number, we would not say replace the SSN. As I describe in my testimony, we would say limit the use of the SSN. It should only be available in the private sector for lawful purposes. Thank you.

Mr. Jaikaran.

The Social Security number is a piece of personally identifiable information. So limiting its use in the private sector may lead to reduced consequences that impact, if there is a data breach. However, whatever replaces it would likely still remain personally identifiable information that would constitute some level of increased security posture around that data, in case there were a breach.

Thank you. And this question is also for you, just for you, Mr. Jaikaran. Your testimony discusses encryption and other tools that can be used in providing data security. Equifax's former CEO mentioned that some of their data is encrypted at rest, while some of it is not. Are there certain minimum data security tools or standards that should be employed across the board for data sets containing personally identifiable information? Are there measures that, if in place, may have been able to prevent the Equifax breach or detect it sooner?

So in my testimony, I discussed cybersecurity as an element of risk management, understanding the entire risk that an enterprise or corporation may face in the conduct of their business.
There is federal guidance that is created for the implementation of encryption, and there are industry best practices on the use of encryption for data at rest, data in motion, or data in process. While these may exist, a lot depends on how it is implemented and the use cases of each individual company: where they apply that encryption, how strictly they apply it, and how the keys are managed within that enterprise to allow those with legitimate access to continue to be able to conduct the business while still restricting access to those that don't.

All right. Thank you very much. And I just have about 45 seconds left. So Mr. Smith and Mr. Rotenberg, very briefly: under the current legal framework, the FTC has enforcement authority over its Safeguards Rule for data security, but no regulatory agency currently examines or supervises data security, as is the case with banks. Do you think there is a gap in this framework, and do we need an agency to be set up or authorized to examine for data security?

So as you noted, the FTC has law enforcement authority, and we feel as though we are not unsupervised with respect to data security. We do, as I said earlier, have our bank customers who are regularly auditing us. I would say, however, that if there are gaps in supervision, we would be happy to talk with you about that, and to come up with the most sensible result for consumers.

All right. Thank you. Mr. Rotenberg, very quickly.

The Safeguards Rule is an important data security standard. But it only applies right now after the fact. The FTC can only act against a credit reporting agency once the breach occurs. We think they should have the ability before the breach to inspect and determine compliance with standards.

Thank you. Senator Brown.

Thank you, Mr. Chairman. Mr. Smith, in your testimony you stated the credit reporting system, quote, "provides critically important benefits," and you went on to say it's indispensable to the economy. I think we all agree with that. So my questions are this. And I'll start with you, Mr. Jaikaran. And please give a yes or no on this, if possible. Do you think that the breach or failure of a nationwide credit reporting agency, whether it's Equifax or TransUnion or Experian, do you think that a breach or failure of one of those agencies could have a systematic, or I'm sorry, could have a systemic impact on the U.S. financial system?

A breach of any agency is difficult to judge, depending on the categorization of the agency itself. But it is a possibility that it could have impacts on the financial system.

Mr. Rotenberg, could it?

I think the answer is clearly yes.

Mr. Smith?

I think that with respect to the Equifax incident, one of the things that we need to keep in mind is that according to the news reports, the credit reporting database was not, in fact, compromised. A compromise of a credit reporting database, I would have to think about whether it would present

But you're the one that started off by saying it provides critically important benefits that are indispensable to the economy, and a breach of 145 million, you don't think does have a systemic impact on the U.S. financial system?

I think that the risk would be able to be managed by banks. But I do think that it's going to be something that would need to be actively managed, because what it would, what it would

Is that a yes or no to systemic impact?

Could be managed.

A lot of things could be managed. Does that have a systemic impact on the financial system?

As the, I'm not prepared to say it would have a systemic impact. But I would like to think that through.

Okay. Could you in the next week let me know if that's a yes or no?

Sure. How would you define systemic impact?

Well, I'm asking you to.

Okay.

145 million sounds systemic to me.
A number one-fifth of that does.

Mr. Rotenberg, most of us, or our family members, have faced challenges for decades trying to fix inaccuracies in their credit rating, their credit reports. These inaccuracies result in Equifax, TransUnion and Experian being three of the most complained-about companies to the CFPB. Do you think it would make sense to prevent these consumer reporting agencies from collecting new personal data or providing other services until they have met an accuracy metric in their consumer credit reporting? And should consumers, second question, related, should consumers be allowed access to all data held by these three companies?

Senator, I think both suggestions are very good. I think credit reporting agencies which provide personal data to others should be held to an accuracy standard, because, of course, when they provide information that's inaccurate, incomplete or out of date, people are wrongfully denied credit. They're wrongfully denied jobs. And that's certainly a problem. But also to your second point, whatever information the credit reporting agencies know about us, I think we should have the right to know, particularly now when this information is being made available for sale to data brokers and oftentimes falls outside the protections of the Fair Credit Reporting Act. I think we need to do much more to give consumers information and control about their personal information held by others.

Thank you. And Mr. Smith, consumer advocates have called for free security freezes to be provided by Equifax, TransUnion and Experian. Instead they have what they call credit lock products, which appear to give consumers fewer rights and less security than credit freezes. Are CRAs offering credit locks so consumers have to sign forced arbitration agreements, just like they had to on Equifax's first offer of credit monitoring products?

So can I respond really quickly to the issue of access?
I wanted to remind the members of the committee that consumers do have access to all of the information on file about them with consumer reporting agencies, and they have free access to that through annualcreditreport.com, as well as through other mechanisms.

To access and correcting are two different phenomena, but go ahead.

Yeah. And with respect to the credit locks, I'm not so familiar with the different features of the credit locks, nor do I know whether they have an arbitration clause.

You do know they did, though, on the first round of credit monitoring products that they, let's say, quote, unquote, "generously" offered. They included that, as you know.

Yes.

They backed off under public pressure, as you know.

That I know. I don't think that the impetus for offering credit locks would be to provide, would be to obtain a mandatory arbitration clause from consumers. I do think that these credit locks may be useful to consumers. I think that freezes more generally serve a specific need for a specific type of consumer. There are a lot of other tools that consumers have that can protect themselves in these situations, including obtaining a free credit report, placing a fraud alert on their credit report, obtaining credit monitoring. There's a lot of free credit monitoring available. So I think consumers should understand and appreciate that before they place a credit freeze on their file. But credit freezes do have their place.

I don't want to debate that. But I'll close with, on the forced arbitration agreement, you were their lawyer. You represent them. They also rely on you for advice. Are you willing to go back to them and say that there is strong sentiment among the public and this Congress that forced arbitration agreements should not be part of this credit, this credit lock offer, products?

Yes. I'll convey that message.
I do think that there is a special, there's sort of an exigent circumstance when talking about credit monitoring and other credit report related products. And there is a statute called the Credit Repair Organizations Act which imposes particularly stringent penalties on companies, any company that is found to be a credit repair organization. And so because of that, and I think some members of the committee are probably familiar with this, because of that, arbitration clauses have a special role to play with these products. But I will certainly convey the message.

Would you share with the committee exactly what message you conveyed to them on forced arbitration?

I will share that.

Thank you. Senator Rounds.

Thank you. Gentlemen, regardless of what we put into law, regardless of what rules are put in place, if they're not followed, the possibilities of an additional breach continue. I'm just curious, with regard to Equifax, would it be fair to say that the data that we have so far, the information that we have so far, does it point to basically human error having been the cause of the data breach? Like, just a quick response from each.

Senator, I think human error understates the problem. We're talking about a breach that impacted 145 million records. A circumstance where the company was twice notified by two leading authorities and left the breach exposed over a four-month period. I didn't discuss it in my testimony this morning, but even the response to the breach was not helpful to consumers. So at almost every step, they did the wrong thing by consumers.

I believe that Equifax has said publicly that it was the result of human error, with respect to the question about human error. I would add, though, that the FTC and CFPB are investigating the breach, and I would want to see what their conclusions are before we draw any broader, before we make any policy choices based on the facts of this breach.

Mr. Jaikaran?
Based on the amount of information that we have regarding this particular breach, it is difficult to judge as to whether the breach came down to human error or some other reason within the company. So it's difficult to judge at this point based on the information we have.

Even if, let's assume that there was human error involved in this. And recognizing the significant damage that's been caused. If we have within our abilities the opportunity to lay out a plan in which there is not just an audit, but a review process could be put in place with assurances of the follow-through, we're still talking about the protections that we put in place for a legal entity that has been breached by thieves. What more can we do, or what more should we be doing to prevent this break-in in the first place with regard to protections, and also the consequences for entities throughout the world that actually caused these breaches, that are actually overtly out trying to get their hands on the data? Do we need to look at additional federal authorizations or institutions that would be literally for the cyber community the same as the FBI was when it came to stopping the bank robberies of the 1920s and 1930s? Do we need to be looking at something like that on a worldwide basis?

Senator, I think this is a very important point. When the Fair Credit Reporting Act was passed in 1970, the primary concern was about the possible misuse of consumer data by the credit reporting agencies. And that was the problem that Congress sought to address. But here we are almost 50 years later, living in a world of constant cyberattack. And in my testimony this morning, I tried to explain that the Equifax breach needs to be understood not just in terms of the misuse of personal data, but actually the exploitation by foreign adversaries.
And that is also the reason, sir, why I think we need to update our privacy laws, put more incentives on companies to protect this data, not just from misuse, but also from exploitation by foreign governments.

Mr. Smith?

We think that to the extent that there are gaps in supervision of data security, that we are, that we want to talk with you about that. We want to get to the right result. With respect to Professor Rotenberg's point, there's no doubt that this was a criminal hack, that it was from an unknown source, that it may have been from a foreign actor. And that's something that I think, hopefully, the FTC and CFPB and the other continued investigations will reveal. And if there are policy implications from that, hopefully we can have that discussion then.

Mr. Jaikaran?

So when we think about the government relationship with these agencies, there are kind of three buckets that we can put them in. First is rulemaking, which the Federal Trade Commission did with the Safeguards Rule. Next is examination, and the third is enforcement, which the FTC maintains. In this space, we can see that the examination space was the one where we had the least government involvement. So I think there presents an opportunity for Congress to create further guidance on how they want agencies to act with regard to that. Concerning the consequences side, to the best of my knowledge, that has not been placed for this breach, and that would be a conversation to have with law enforcement agencies and officials on what authorities they think they need in order to go after the criminals here.

See, I think it's important that we recognize that there is a standard of security which has to be imposed, and we've got to be able to audit it, follow through, and with consequences. But also with a continued surveillance.
But until we get down to the point where there are actually consequences for the bad guys involved, we're not going to make the major dent that we have to in terms of cyber theft elsewhere. And I think we miss that sometimes. We're focusing on the people who are trying to provide services. We're not focusing on going after the guys who are actually causing the problems for everybody else. Not just in the United States, but elsewhere around the world as well. Thank you, Mr. Chairman.

Senator Reed.

Thank you, Mr. Chairman. Mr. Rotenberg, my sense from your testimony is that, and you can confirm this, there are two points where consumers should have legal rights. And one is that they should have the legal right to withhold or divulge their credit score. Or they should know the credit information that an agency has. And that should be by law, not by deference of the agency. Is that your view?

Yes, that's correct, Senator. When the information is being provided in the credit report, presumably it's for the consumer's benefit. They're seeking a loan, they want to buy the car. They need the mortgage. They should know when that's happening, and they should know the information that's contained in the report.

And that should be by statute, not by deference.

Yes. A part of this is about changing the default. Right now your credit report is freely available to others within the structure of the Fair Credit Reporting Act. But you have very little control over that. We would say give the consumer opt-in control.

And Mr. Smith indicated that consumers once a year have access to all information that a credit bureau has. Is that...

Well, it's true. Once a year they can get a free copy of their credit report. It's not all the information they have. They don't know who has received the information. And as I said, this is also a rapidly evolving industry. There are a lot of related practices that are not covered by the FCRA and, as a consequence, consumers don't have the full picture.
So essentially they could get the number, whatever it is, 400 or 800...

Yes.

And supplement all the information to that number. But if, as Senator Brown suggested, the agency was also buying cell phone information or something like that, that's not, that would fall outside of the credit report. So that in order to give a customer the full benefit, a citizen the full benefits, all information the agency has on them that is identifiable information should be disclosable. Is that correct?

Yes, Senator. That's why we recommended a comprehensive approach based on a federal baseline. It would give consumers more information about them that's being transferred to third parties.

And I would also presume that you would suggest that they have the right to deny access to certain information.

Absolutely. Or, in fact, even to require that information be deleted from the credit bureaus' files. I think many American consumers would actually be surprised to know how many people, how many businesses get access to their credit reports without their knowledge. Those reports move very freely with very little information being provided to consumers. And I think that should change.

In the description of what took place, it appears that there was negligence on behalf of Equifax. Being told by the federal regulator to make a patch and not making a patch for several months. Who, does anyone have the right to sue or to enforce criminally or administratively?

Well, I'm sure there will be lawsuits brought. And there are a variety of different theories. But as others have already pointed out, almost immediately Equifax's response was to try to deny consumers the opportunity to pursue their legal remedies. And that can't be the right response.

But with respect to regulatory agencies, the impression that I have from the discussion is that it's all sort of retrospective, after the fact. That they can go in and make a judgment. Could the FTC levy a fine based upon failure to solve?

Actually, no.
Under the Safeguards Rule, they can inspect and they can, I think, sanction, but I think a fine would require subsequent violation of the settlement or order with the company.

And the FTC under the Safeguards Rule currently would not have the ability to inspect or prevent prior to the breach occurring. So is there any, under existing law, is there any way for an appropriate federal agency to levy a fine or some type of significant penalty on the company to deter or to...

I think for the FTC to levy a fine, they would have to find a breach under the Fair Credit Reporting Act. Under Section 5 of the FTC Act, they have to have a consent order and then a subsequent violation. It's not a very effective enforcement regime.

I concur. Thank you very much.

Senator Scott.

Thank you, sir. Good morning to the panel. Thank you all for being here this morning. The Equifax breach is still catastrophic for so many in South Carolina. If you think about the numbers of individuals impacted by the breach in my home state of South Carolina, 2.4 million South Carolinians had their personal information exposed, stolen through the Equifax breach. We only have about 5 million folks living in the state. That's about 48.76% of the state. That's the sixth-highest number in the country. When you account for the fact that there are about 500,000 South Carolinians under the age of 14, that means that the number surges over 50%. So over half of the adult population at least in the state had their information exposed. Equifax's negligence has been devastating for my constituents. But when you look at the geographic location of that impact, the Southeast region seems to have been impacted aggressively, at high levels. Georgia, around 51.6%. Virginia, around 48.8%. Florida, around 53.5%. I asked Equifax why South Carolina and the southeastern region was so hard hit. I hope they find an answer soon. My suspicion is that perhaps the location, the physical location of Equifax, may have played a role in that.
Mr. Jaikaran, why are the numbers so high, so close to the physical headquarters of Equifax?

So that would be difficult to judge based on publicly available information. But there might be some business reasons why Equifax would have additional information on people in the Southeast region of the nation. They may have more business partners with businesses near their headquarters. So there is greater opportunity for sharing of information. It may be that the population of those states are prime targets for credit. So just the population of the states, the sample pool, may be more amenable to a credit reporting agency.

Thank you. Things get complicated when a company is headquartered in New Jersey, does business in South Carolina, and is breached in Arkansas. These states have very different laws on the books governing when and how companies must notify the public of a data breach. Back to you, Mr. Jaikaran. Is our current state-by-state patchwork of regulatory approaches effective in protecting the public?

I believe my colleagues at the Government Accountability Office, or GAO, would be in a better position to evaluate the state-by-state regulatory regime we have today. However, as a broader data breach notification policy, that does provide a level of certainty for both businesses and consumers if there was a federal rule or federal law on the data breach notification that is expected, both for businesses to provide, as well as what consumers can expect to receive. Something that must be considered when developing a data breach notification rule or law, however, is what will consumers be expected to do with that information? Do they just get a letter in the mail saying that their data was compromised and they're on their own, or is there some recourse that the corporation that had the data and then had it breached must provide to the consumer because the data was compromised?
So not simply a uniformity across the nation, but also some teeth as it relates to what happens next, once the consumer is informed. We see that across state laws now. Some are just a simple notification, and some of them have a similar relationship that the corporation must have with the breached consumer.

Thank you. Mr. Smith. Despite the federal government also being breached pretty frequently, unfortunately, some have suggested that we nationalize the credit reporting agencies. Such a move would kill innovation. The same innovation that is opening up the market of 26 million credit invisible Americans. I think Fannie and Freddie should consider new credit reporting models that take into account things like rent payment and utilities. Who would benefit the most from such a change, Mr. Smith?

So use of information about rent and utility payments by Fannie and Freddie could expand access to mortgage credit for younger consumers, recent immigrants, consumers who are new to credit and others without a traditional credit file. So the national credit bureaus are already able to collect this information from landlords and utilities and have built the systems necessary to do that. And as you know, the credit bureaus over the last 50 years have been successful in expanding access to credit to folks who previously may not have had that access. But I think ultimately it's going to be Fannie's and Freddie's decision whether or not these utility and rent payments are actually predictive of the risk of default that they're trying to manage.

We certainly understand that Freddie and Fannie will have to make their own decisions. But the question was, who benefits from it? It sounds to me that the population who benefits the most is those folks who are disproportionately represented today in home ownership.

Yeah, folks who are creditworthy, but we can't tell, because they don't have extra, additional credit report information. Specifically people who are new to credit, I think.
Senator Brown, I know, I think, thinking about in South Carolina, the number is about 16% of South Carolinians ... creditworthy enough to allow them to own a home. My state is 5 million out of 11.6.

Senator Cortez?

Thank you. Gentlemen, thank you so much for the conversation. Mr. Smith, I wanted to start with you. As you note in your testimony, the CFPB's supervision of credit bureaus relates primarily to the accurate reporting of credit data, and it does not provide for... Director Cordray has been assigned at the big three credit reporting bureaus to monitor data security and credit protection practices. Would you agree this is an important development?

When you look at the director's comments, I think you're talking about his CNBC or something, comments on television. He said initially that the CFPB doesn't have authority over data security. And it seems as if the folks on the panel agree with that. Whether there is an appropriate role for a supervisor in the data security of the bureaus, it may be that if there is such a role to be played that the CFPB isn't the best person for the role, or it could very well be that they are.

Let me put this in context, because prior to my role here, I spent the last eight years as attorney general of Nevada. Nevada had one of the highest identity theft rates in the country. And let me tell you, the breach that happened at Equifax is not the same as what happened at a Target store. What happened at Equifax, what happens now is there is a chance for millions of Americans' identities to be stolen. And the rest of your life, you're trying to get back your identity. It's somebody that has purchased a house in your name, purchased a boat in your name, or when you show up in court and find out that a person who committed a crime has stolen your identity.
This is lifelong, and it's going to have a major impact on millions of Americans, and that's why this is so egregious. So we have to do a better job of protecting people's data and information, because you're collecting it without their approval, then they have to succumb to years of trying to clear up all of that data. So my concern now is how do we address it? How do we put limits on what, the data we collect? I know we're talking about more cybersecurity protection, and making sure there's oversight over the companies, but if there's human error, whatever occurred, it's going to happen again. So is there some limit to the data we should be collecting, in addition to all the things we talked about today?

I think it would be a step in the right direction to have supervisory authority by the CFPB. But the question is what to do now for American consumers who confront the reality that others are in possession. We call these the authenticators. This is the information that is used to establish your identity in commercial transactions, and this is the reason that we need to change the default on credit freezes. People should know at this point, going forward, any time anyone wants access to their credit report, and people should know from this time going forward any time there's suspicious activity on their credit reporting account. They shouldn't have to select a service or pay for the service.

I absolutely agree. It should be built in the industry. I'm going to cut you off because I only have so much time. I absolutely agree. Because there's been talk about limiting the use of a Social Security number. I don't know about you, but when you go to set up your house and set up your utilities, they ask for your Social Security number. When you go to your doctor's office, they ask for your Social Security number. This number has been so prevalent in society that I don't know how you protect against anybody having access to it.
Because I can tell you a bad guy is going to be able to go online, and if it's already been used and out there, they're going to find it. So more importantly, for my purpose, and I think for all of our purposes, shouldn't it be now giving the consumer the absolute right to control their information and how it's being used?

Absolutely, Senator, I think that's key. But if I could say briefly on the Social Security number, we have actually made some progress limiting its use. In fact, with credit to Senator Collins and Senator McCaskill, the number is now coming off the medical benefits ID card, because its use there was contributing to identity theft among American consumers. We helped to get the Social Security number off the state driver's license. The Social Security number is no longer published in voter registration logs.

I appreciate the comments, and my time is up. Thank you.

Senator Kennedy?

Thank you, Mr. Chairman. Gentlemen, I'm sorry I missed your presentations. Why should we not pass legislation that would establish that the bureaus have a fiduciary obligation to the people whose data they collect and earn a profit off of?

I think you should, Senator. I think some of that legislation is already in place with the Act. But I think more needs to be done, and I think your description of the fiduciary relationship is absolutely correct.

Do you think there's a fiduciary relationship now?

No, I don't. I don't think the companies feel they have an obligation to American consumers.

And do you gentlemen agree with that?

No, I disagree with that.

I'm sorry, you disagree or agree?

I disagree. And I represent the industry. We're subject to a pervasive regulatory scheme in this statute here, the Fair Credit Reporting Act, that requires us to ensure the accuracy of information in credit reports, that requires us to do...

When the Equifax breach was made public, weren't you...
That would introduce a cap on potential liability for private actions. That cap would have been... Do you think that was a good idea?

The FCRA is unique among consumer credit protection statutes in that it doesn't have a cap on fair credit reporting. All of these have caps. FCRA does not.

Do you believe your clients should have caps, counselor?

As a trade association, we would continue to argue for caps.

Is that a yes?

That's a yes.

Here's my problem. Here's my problem. If the bureaus do their jobs right, they facilitate commerce. Because when lenders loan money to people, the lenders want to get paid back. And what your clients offer is one assessment of the risk that the lenders are taking. It's just one assessment. There are others who don't use, many online lenders don't use your data anymore. I'm not saying they are right or wrong. I'm saying that your clients basically take my data, personal information about me, without my permission, and as a business model, they sell it to businesses. I'm not compensated. Now if they lose my data, as Equifax did, or if someone submits to them data that is in error that undermines my credit score, the bureaus have no obligation or interest right now to work with me to try to get the credit score correct. Have you ever had one of the bureaus get your credit score wrong and you called and tried to get it fixed? Have any of you?

No, I have not, Senator.

No, Senator.

Well, it's not an easy process. Well, so, and it would seem to me, I'm not trying to undermine the bureaus, but it seems to me, first of all, that you could develop technology very easily that would allow people to go to an app on their phone to put a credit freeze on and off, free of charge. That ought to be a minimum. Number two, you need to explain to the American people how you're protecting their data, on which your clients are making... Most of the clients in Louisiana had their data stolen by Equifax.
And they had to go to a lot of trouble to go freeze credit. Some of them are going to have their identities stolen. And it's just not right. It's just not right. And we're looking to you gentlemen to tell us what to do about it. And counselor, I don't mean to pick on you, and I understand you're representing your clients, but your clients need to step up to the plate here and suggest some meaningful reforms, or some reforms are going to be suggested to them. Okay? And my advice to you would be to step up to the plate and offer specific things that you and your clients are going to do to improve this situation. Not platitudes, not bromides, specific suggestions. Because a lot of Americans didn't know what a credit bureau was. They know now. I went over, I'm sorry, Mr. Chairman.

Thank you. Senator Warren?

Thank you, Mr. Chairman. So at the hearing two weeks ago with Equifax, there was a lot of agreement between Democrats and Republicans that consumers should be able to control their own data. And without consumer control, credit reporting companies really have no reason to treat us well. We are not their customers, we are just their products. And it shows. A 2012 study by the Federal Trade Commission found that one out of every five people had an error in their credit reports. Meanwhile, over the last year, the Consumer Financial Protection Bureau has fielded hundreds of thousands of consumer complaints. And the big three credit reporting agencies are now the three most complained about companies in the entire financial services industry. You know, if you ran a restaurant and got your customers' orders wrong 20% of the time, and had the worst customer service in town, you would be out of business in a week. But credit reporting companies, not them. They're getting bigger, they're getting richer and they're getting more powerful. This market is clearly broken. And fixing it starts with giving customers more control over their own data. So Mr.
Rotenberg, I have introduced the FREE Act with Senator Schatz and more than a dozen other senators. Our bill would let every consumer freeze and unfreeze access to their credit files for free. So I want to ask, do you think that would be a good idea, to give consumers more control over their data?

Senator Warren, I think it's an excellent proposal. And as you say, I think the key to this industry is giving consumers greater control over their personal data. It begins by moving to an opt-in model, giving consumers the ability to decide if the information in their credit report should be released to someone else.

Companies like Equifax do more than issue credit reports. They also sell your information to businesses that want to sell something in turn back to the customer. Our bill also makes clear that no credit reporting agency can sell your data if your credit file is frozen. Other legislative proposals, and the new lock that Equifax is rolling out right now, don't give customers that right. So let me ask this, part two: do you think that consumers should have the right to freeze the data so that it stops a credit reporting agency from selling access to the consumer's data?

Absolutely, Senator. The model doesn't work unless consumers maintain control, and so many problems of the industry result from the industry pushing the burdens back onto the consumers: to choose the freeze, to choose the monitoring service, to inspect their credit reports. It's entirely upside down, and it's the reason that we have record levels of identity theft today in the U.S.

Thank you. I think that's a powerful point. You know, if companies like Equifax don't pay us to sell information to other people, we shouldn't have to pay them to stop selling it. According to your testimony, you're saying, and I think you mentioned this earlier, Mr.
Rotenberg, you would go even further. You would make the default position that a consumer's account is frozen until the credit reporting agency gets the consumer's explicit permission to unfreeze the account to share the data. In other words, consumers would have to opt in to sharing their data, rather than opt out. And what's the reason for that?

Senator, I think it's just common sense. No one is objecting to the provision of credit to American consumers. It's obviously critical for our economy and makes it possible for people to purchase homes and cars and even cell phones. But it's the consumer who's initiating the transaction. It's the consumer who's seeking the mortgage or the loan. The consumer should decide when to release that credit record to others. And they should know what's contained in that credit report. They may be denied credit but for the fact that the credit reporting agency has reported accurate information.

So powerfully important that we be able to protect our own privacy, that we be able to make sure that it's accurate. In your testimony, though, you raised one more point. You said we need to fix the credit reporting industry in order to protect our national security. I'm about out of time, but could you just say a word about that?

I mentioned that when the Fair Credit Reporting Act was passed in 1970, the concern was the misuse of personal data by the credit reporting agency. That concern remains, but what has changed almost 50 years later is that data is now the target of foreign adversaries, and we need to realistically consider that the people that get access to our personal data held by these companies are adverse to our nation. That's an additional reason to strengthen these privacy laws.

You know, the credit reporting agency is a threat to each of us personally, but it is also a threat to our national security. We need to give consumers more control over their data and reform this industry, and that's what we're trying to do with the FREE Act.
Thank you. Senator Tillis.

Thank you, Mr. Chairman. Gentlemen, thank you for being here. One question. When you have something like the breach at Equifax, Congress has never seen a legitimate problem that needs to be dealt with, an opportunity to overreact. And so one of the things that I'm concerned with is, when we have this discussion, I want to start with something simple and then maybe I can build on things to the extent time allows. When we had the Equifax CEO in here, I tried to ask him the question of the lock, they're calling it lock for life, versus delete. Mr. Rotenberg, where are you on the option of the consumer being able to delete any presence for their existence in any of the big three credit reporting agencies? Do you think that's something they should be entitled to do?

I do, Senator. In fact, this country has a long history of expungement of financial records to give consumers the opportunity to start over even after bankruptcy. So we recognize that people should be given the opportunity to reapply for credit even after they have had those types of experiences.

If they delete it and then later they were seeking credit and they had no reliable sources for showing creditworthiness, who is it on to provide all the information that may be needed to underwrite a loan or get a credit card or other financial instrument?

Under those circumstances, of course, the absence of the background information could well be a factor in the credit determination, but that's not a reason not to give the consumer the opportunity to delete the data if the consumer chooses to do so.

But at the end of the day, the consumer needs to be aware that the absence of information would likely result in no credit being extended.

Here's another concern, Senator. What happens if the consumer selectively deletes information? So I have three credit cards, and I decide I'm not going to pay one of them. How will a bank... if I'm able to delete accurate information.
The FCRA already allows for that. Any information that's derogatory in your credit record comes off after seven years.

One thing that we discussed with the breach, I think one thing that the credit reporting agencies need to demonstrate is that they don't make their problem the consumer's problem. In other words, if you have a breach, then you should be treating that consumer like you'll move heaven and earth to clean up the problem. I'm concerned with the idea of just, the efficacy of data that's used to predict how cohorts may, you know, behave in terms of creditworthiness. That if we continue to reduce the base, do you think there's any threat to the fact that we have less reliable information to move capital or to provide resources to people who need it?

I think it's important for businesses to have access to relevant and accurate consumer data. I think they should be accountable and transparent about how that data is being used.

Would you consider the selective deletion of credit data as being accurate and relevant data for the financial services industry?

It may or may not be. The credit decision is based on a wide variety of factors, many of which, by the way, are not even known to consumers. So we don't know how they're making determinations about us, yet their concern is if they don't know everything about us when they make their decisions, and that just seems a little unfair.

I wasn't here, I think someone else answered the question, but what do you think is the, what technologies or maybe what processes out there are we using to get away from Social Security numbers as authentication methods and moving more to, say, what the card industry is using, trying to come up with some sort of an identity that will actually eliminate or substantially reduce what is a relatively easy thing to do, that is to get somebody's relevant information in committing fraud? What in terms of public policy should we be promoting?
I'm not aware of any token products that could be used. One interesting thing to note is there may be people, citizens, consumers that don't have access to things like a cell phone, so they would be barred from participating in the widespread use of technology, and that's one thing to consider in establishing public policy.

Today we're at the other end of the spectrum. I think if we didn't have the Social, we would need to come up with another unique identifier. With a name like Andrew Smith, it's critical that people would be able to distinguish between the thousands of people named Andrew Smith, not necessarily to authenticate that I am who I say I am, but which one are you? If not the Social, then we need something else to fill that role.

Thank you, Senator.

Mr. Smith, after the Equifax breach, consumers learned that the best way to protect themselves from identity theft and fraud was to freeze their credit record. But when they went to do that, they found a complicated process that required contacting each of the credit bureaus, which meant remembering separate information for each, and paying 10 bucks, not to mention the fees that they have to incur if they want to lift the freeze later. Equifax's lapse in data security will be worth hundreds of... My question is very simple. Explain to me why Equifax, Experian and TransUnion have to pay to freeze the credit report. For certain consumers, freezes are the right choice. In those instances, why is it not free?

If the consumer... Right now we have a patchwork of laws, and if we are to have a single national standard, I think that, you know, we would be happy to talk with you about how to get that right.

A patchwork of laws, what does that have to do with anything? I'm asking you, when a mistake occurs and 144 million people are told to do a certain thing, that certain thing should be free, shouldn't it?
I don't know that everyone was told to freeze their credit report. Personally, I don't think it's the right choice for everyone.

But it's the right choice for some number of millions of Americans, is it not?

I believe all three of the national credit bureaus make freezes available for free for those who are... As for a national freeze requirement, I think that...

I'm not asking you about a requirement. I'm asking you why you generate revenue off of the mistakes of the organizations that you represent?

Well, the why is because freezes cost money. And also the state laws...

But the locks are free, right?

Locks, I don't know, I'm afraid.

You're the counsel for this organization?

These are new products. I'm the counsel for the trade association, but I know that there are all kinds of new products that credit bureaus and others are rolling out that can take advantage of, for example, apps on a mobile device and lock and unlock. But I don't know that any of those products are necessarily in the market now.

I don't understand what you're saying, and I don't think it's because I don't understand this area. I think it's because I don't understand what you're saying, because at a common sense level, I want you to try to explain to somebody you went to high school with, right? Who says, you got a gig with the CRAs, how is that going? Let me ask you a question, why do I have to pay for a freeze? And the answer is because freezes cost money.

Freezes have to be implemented by the credit bureau.

Why did the company who made a mistake make a profit off the consumer? Even if the freezes cost money, fine, you should eat it.

Because that would create an incentive... I think Equifax is providing freezes for free.

That only occurred after the CEO quit, and I thought the freezes were offered right up front. Nope.
Do you think it's a good idea for credit bureaus to use tighter matching requirements so that the trade lines on someone's credit report are more likely to be their own information?

I think matching algorithms are their own issue.

I'm sure you've done some thinking about it, and it's really a question about statistics.

Matching is critically important for accuracy.

What is your error rate, roughly?

We believe that our error rate... The FTC did a study in 2012, and we did a similar study. We believe that the error rate from our study is less than 1%. Looking at the FTC's study, and this is an appendix of the FTC's study, we believe that the error rate is about 2%. Error is an important concept here, though. It has to be an error that moves the needle, that would have an effect on the consumer. So if they get my date of birth wrong, that's not necessarily an error.

So you're talking about, even at the low end of the error estimate, you're talking about a million, 2 million individuals. And that's not acceptable. Whose responsibility is that?

Well, it is a lot of people's responsibility, but it is to some extent the credit bureaus' responsibility, as far as accuracy is concerned. Professor Rottenberg wrote in his report there's always going to be security breaches, the best we can do is try to control them up front. Accuracy is the same way, it's a process.

I understand that you're going to make mistakes. The basic question is who should incur the costs of those mistakes, you guys or the rest of the country? Thank you.

Senator Perdue.

Thank you, Chair. It's a very complicated conversation. Let me start with something we are working on to codify something across 47 states. Right now if you want to, you have to opt out, basically. In other words, I never gave permission to anybody to get that data. Although it does provide a service, so I don't have to aggregate all my credit information when I go borrow something. So I get that.
At the Equifax breach hearing just a few weeks ago, we asked questions about a national standard on credit freezes, and I think Representative McHenry already has a PROTECT Act. It creates a national standard for credit freezes harmonizing the 47 state laws on the issue. Do you agree that that would help and allow the development of technology such as apps that could freeze and unfreeze without having to go through the process, so someone could actually open up, get the credit information they need and then opt out easily, without having to have a lot of instruction? Is that something that might benefit us here?

So as I have said earlier, freezes aren't the right choice for everybody, necessarily, but they are the right choice for some people, and the development of a national standard is something that we would welcome. With respect to this lock and unlock functionality, I would ask you to consider, whenever we legislate something like this, the question would come up, what about the people who don't have smartphones? What are we going to do about them?

We're going to have a lock and unlock functionality. But they would not be, just so I'm clear, they would not be in any system. I couldn't access their data unless they were to come back and do something like this. So an 800 number or whatever, when they needed it.

So you think, let's do an 800 number, that's going to create a security risk that someone else unlocks my credit when they're applying for an unlock on a Saturday afternoon. I don't know what my... Before you know it, you're not going to get that new cell phone at a Verizon store on a Saturday afternoon. You're going to have to go back to the Verizon store the next weekend, and hopefully it will work out. These freezes and locks are difficult to administer, and that's why they're not necessarily the right choice for everything. But they are for some people who are not buying things.

I'm frankly a little confused by Mr. Smith's excellent comment. Most of what he's describing are things that the industry has created in giving the consumer the ability to access the freeze, and what legislation would accomplish is to simplify the process, precisely so they can have the credit information available when they need it to be made available. Regarding any congressional action in this space, it's an interesting public policy question, because there are these groups of data brokers who have this information, and they have their business relationships with those that they acquire information from and those that they sell the information to. However, the information is the consumer's. And the relationship between the data broker and the consumer is a little bit different in terms of who they are selling the data to and who they are acquiring from. There's a link in that space where federal policy may be able to bridge the gap between the consumer and the credit bureau.

Let's talk about Social Security numbers for a minute. Since the adoption of Social Security in the last half century, our technology has moved fairly rapidly forward. Is there a better way? Isn't there a better, more secure way to match people with accounts? Touches tokenization, or should all these cyber attacks be the impetus to planning out credit futures? Social Security numbers seem to be the holy grail here beyond what the average person would want. Is that a reasonable direction?

I think the key is to limit the use of the SSN, but not replace it. In other words, it is the weak link in the information industry. It is the target of identity thieves, and if you're trying to make your industry more resilient against those attacks, you have to reduce your dependency on the SSN. But if you replace the SSN with another general purpose identifier, that becomes the target. So we need a more distributed approach to identification, not a single point of failure. That's what the SSN has become.
We have to engage on this, but we don't have a common answer yet to this security issue. Thank you, I'm out of time.

Mr. Chairman, just to, not to extend the discussion on when you can put a credit freeze on or put a lock on. It's interesting, Mr. Smith, you said you can put a lock on after you've been a victim of identity theft. That's kind of like saying, lock the door after the thief went in your house. It's just not responsive to what we're trying to get at here, which is, we understand the benefit of an aggregator of data that gives us easier access to credit. I think no one's disagreeing with that. The question is, and you were asked about fiduciary obligations, and the question really is, what responsibility does that aggregator have when something like this happens? Now when Mr. Smith was here, the previous Mr. Smith, that Equifax...

No relation.

I figured that. He said this happens all the time. We're hit all the time. And I asked, well, in light of that, then why did you seem so ill prepared when you were actually breached? Why did it take you so long to come up with a response to the breach? So I've got a series of questions on how often does this happen, and what is the general response that the industry has? So as a general matter, how many times per year on average would a company like Equifax, TransUnion or Experian... before a breach would be reported to the FBI?

I would say from my personal knowledge, none of the credit bureaus themselves have been breached. Now the companies... in Equifax's case, it was information that was outside of the consumer reporting agency database. We also know of a breach at Experian involving T-Mobile. So there are breaches that occur, and we'll come up with a number as to how frequently they occur, but to the best of my knowledge, there's never been a breach of a consumer reporting agency database.

And that's splitting hairs for the consumers, I don't think there's any doubt about it.
It's an important policy point, after the investigations conclude that the consumer reporting agency wasn't breached, after Equifax was subjected to this announcement of attack. Let's say that you reported to the FBI. What are the typical guidelines or strategies that any of these credit agencies, any of them, would basically go to? Do you have, like, a fire drill, in other words? Do you have a system in place that will lock down and protect data?

Right, so now of course I can't speak for any particular company, but the companies with which I'm familiar have incident response plans, and they have a tabletop exercise where all the stakeholders are at the table and we run through what's the public statement going to be, how do we inform law enforcement, how are we going to do the consumer notifications. That kind of stuff.

But you have to agree that Equifax was pretty ill prepared?

I don't know. I think this was an unprecedented breach.

Even if it's ten people, the response should be the same as if it were 140 million people.

Except, think about your call center, for example. So rather than ten calls, ten calls you can handle, 140 million in one day?

Doesn't that beg the question of why people here are upset? I mean, you had Senator Kennedy basically say, look, this is not data that you own. You do not have a relationship with the consumer other than as an aggregator that provides that service. If I say I don't want your service, I'll aggregate my own data, I'll take responsibility, I have to pay you so that you're not collecting my data, correct?

Not collecting... this is a freeze, right? The data is still there, but you've frozen it, and you have the right to unfreeze it.

In Europe, all across the EU, there's a whole lot of privacy initiatives, the right to be forgotten. We have been a much more open economy when it relates to this kind of aggregation. The potential that you guys are going to be out of business because every American is going to say we don't want your service...
No, absolutely, we need to ensure that consumers and businesses trust the national credit reporting system.

And I think you have a serious trust problem today. And I think the lack of coming forth with solutions and the adversarial kind of approach that we have seen to this is not helping to solve the problem.

So we look forward to ongoing discussions.

[inaudible] Thank you, Mr. Smith. Thank you.

Senator Donnelly.

Mr. Smith, this is actually to all of you. In 2014, the Department of Veterans Affairs created the Choice Program to allow vets to receive medical care in non-VA facilities. It's been helpful in increasing access. However, issues with the implementation of the program led to delayed payments and billing problems, which in turn resulted in some vets receiving adverse actions on their credit reports from debt collection efforts. Adverse credit actions make it more difficult and expensive for them to get a mortgage, to buy a car, and it's really troubling that our veterans have had their credit harmed through no fault of their own. We have to make it easier for this erroneous debt to be removed from credit reports. Medical debt can... what damage can it do to the vet's credit when this is reported as unpaid?

We agree with you 100% that veterans shouldn't have their credit records tarnished by backlogs and inefficiencies in VA's payment system, and we understand that's what's happening, and we're committed to working with you to solve that issue through the national credit reporting system. I think institutionally, we believe that the folks who are best able to solve that issue are the private... are the VA and the private medical service providers and the debt collectors who are furnishing this erroneous... We're committed to working with your office.
I have your commitment on behalf of the trade association and on behalf of the industry that you will work together with us to address these problems and to address the reporting of VA-related medical debt so our vets won't get dinged on their credit reports. What we're talking about, because of VA's processing inefficiencies, they just haven't paid the bill. It's not erroneous that my knee was worked on. It's erroneous to me that the VA doesn't pay it.

Yeah, we need to fix that. We're committed to working with you to fix that.

Congress enacted the Fair Credit Reporting Act in 1970 to set the rules of the road. Despite the original act and the many consistent amendments, we still don't control our information contained in the files of the credit bureaus. It's reported without any consumer permission, and as has been noted by many, it's also sold to third parties with prescreened credit and insurance offers, and the personal information may now be available to thieves on the dark web after Equifax. Mr. Smith, you're the representative for the association. Should consumers have more control over their information?

Well, so we have talked a little bit about that today. The ability to remove yourself from the system, the ability to selectively delete information. I think both of those present issues for the national credit reporting system. The selective deletion would allow a consumer to game the system, to hide unpaid debts from potential creditors, presenting a real concern for the safety and soundness...

That comes out if they apply for something. If they want to get a mortgage, then the mortgage company...

I'm talking about the selective deletion, but the removal from the system. The removal from the system is great until you need to rent an apartment or buy a cell phone, or get a mortgage or buy a car.

Then you can opt in, right?

Not if your information is removed. What you're talking about is perhaps a freeze.
And I think we... we think that a freeze is the right choice for some consumers, not for all consumers.

Isn't it appropriate that the consumer ought to be able to make that decision, even if it makes it a little bit harder to get an apartment? That's a decision that they have made.

I think it's important for the consumer to understand, if the consumer is making a major decision...

Have them have the right to decide who's going to get access to that information. That would be common sense. Thank you, Mr. Chairman.

Thank you. Senator Van Hollen.

Thank you, Mr. Chairman, and thank all of you for being here today. It does seem, as reflected in a number of comments today and in the earlier hearings we had, the credit reporting agency model is one that is in some ways uniquely stacked against consumers when there's been your data breached or bad data put in. And my question is a little... goes beyond the issue of the data breach to lots of complaints we have heard over the years about credit reporting agencies collecting bad data that then goes to lead to a denial of a loan or a mortgage payment. And there's been a lot of discussion about how to sort of allow that consumer to be made whole. My question is, on the front end, in terms of creating penalties or deterrents, and having the burden be on the consumer. My question to all of you is, is there some kind of deterrent that we put in place so that the burden and the penalty for collecting and disseminating that data, whether it's through a breach or whether it's through denial of a credit card, can actually address this problem on the front end, so there's more of a premium for a credit reporting agency to prevent that from happening in the first place?

I would like to start in responding to that. So with respect to data accuracy,
credit bureaus have substantial duties with respect to data accuracy, and those are up front, to ensure that they have procedures in place to ensure the maximum possible accuracy of the data. The companies that furnish data into the credit bureaus are now required to have written policies and procedures to ensure the accuracy of data. So I think that... So we do have, we're not unregulated, we do have the statute, and it gets longer every year, and there are more and more duties added to the credit bureaus.

Lastly, the penalty in the event that bad data gets in, despite all the systems that are put in place, is there a penalty that has to be paid by the credit reporting agency? I'm not talking about after the fact, in addition to just making the consumer whole. Let's say you're a consumer, right?

Right.

You get denied a loan, then you've got to go through the incredible hassle of getting all this straightened out. At the end of the day, maybe you get your loan, but what can we do to put a deterrent up front so that we never get to the point that thousands of people are wrongfully denied a loan and, after a whole lot of work and costs, maybe they get the loan? So I'm interested in your thoughts.

Let me say, Senator, right now I think it's upside down. In other words, right now when there's a problem, the companies turn around and charge the consumers to take advantage of the tools they need to correct the problem. So that can't be right. I think what we do need to do is increase the incentives for the companies to do a better job on data security and on privacy protection. To make one more historical point, there is a deal at the heart of the Fair Credit Reporting Act. When the FCRA was passed by Congress in 1970, the ability for consumers to bring an action in state tort... this information inaccurate and incomplete.
Before passage of the FCRA, people could bring lawsuits for that harm, and they can't now under the FCRA, which means that Congress has to... incentives.

Do you think they should be able to have recourse through the courts?

And they do have recourse, and remember, this law provides for statutory penalties in private actions where the credit bureau behaved willfully.

Let me ask you, because my time is running out here. Your association has been lobbying against the Consumer Protection Bureau's provision that would allow people to bring lawsuits. In other words, you've been lobbying towards keeping mandatory arbitration?

Yes, sir.

You mentioned 143 million people. If everybody's got to go to arbitration instead of being able to come together and bring a case, that definitely stacks the deck in favor of the big guys instead of those who have been harmed.

You have no contract with Equifax, so you have no mandatory arbitration clause with Equifax, correct?

But this is a separate issue that was just raised by another witness. In other words, if there is information in there that causes me damage...

Information in the credit report?

Yes, that causes me damage.

You can sue, and you can be a member of a class, because there is no mandatory arbitration clause in that context. What we're talking about in arbitration is where the consumer is purchasing a product from one of the credit bureaus, like a credit monitoring service, for example.

We did see in Equifax initially, in the event that Equifax breaches, a clause that people were relinquishing their rights to go to arbitration. And there are other Equifax products where there is a contractual relationship where they are insisting on mandatory arbitration, isn't that the case? They testified here they have lots of products where they insist, the products sold to consumers. If a consumer is wronged in that context, isn't the deck stacked against them that they have to go through mandatory arbitration?
We think that arbitration can be effective. We also think that, given the statute called the Credit Repair Organizations Act, there are special risks for credit monitoring products that have stacked the deck against the company.

I understand why Equifax would want to deny that particular kind of recourse, because it can be more successful in recovering people's damages.

Hold on one second. I'm going to wrap it up. I'm going to have to be very fast, because there is a second vote that I'm going to have to get to. So thank you very much for attending here today. I just have one question, and I know that you're here as experts on credit bureaus. I just want to know if you know whether there is data that is required to be submitted by the credit bureaus to the federal government. Does any federal government agency require credit bureaus to submit data to them?

I don't believe that... I know that data is provided to the Federal Reserve Board and to the CFPB by credit bureaus. I believe that that data is purchased by those agencies and that is provided within the strictures of the Fair Credit Reporting Act. And it's identified in an aggregated format.

That does it then. Can I have some more questions?

Thank you. Oh, okay, and then I will wrap up.

If Americans could make CRAs delete their credit files upon demand, like the law requires for medical records, and I know you have some thoughts there, but don't go into medical records, if they could delete their credit files, could that create a risk for credit reporting agencies?

I don't know if it would create a risk for consumer reporting agencies. It would give consumers more control over their credit reports.

Would you say that consumer reporting agencies would not want Americans to demand that their credit files be deleted?

I'm certain, or expect, that would be their position. They try to get as much information about consumers as they can.
And of course consumers have very little information about what is being gathered.

So if CRAs allow consumers to delete their data, and they have unsuccessfully tried to do that following the Equifax breach, as we all know, would that create an incentive for these agencies to pay more attention to cyber security in the first place?

I'm sure it would, and consumer reporting agencies have no legal right to obtain the information of American consumers. As business has evolved over time, they have selected data, but I don't think credit reporting agencies can claim they have any right to access our personal data. So ultimately it would be the consumer's decision whether any company has a right to collect our data.

So consumers could game the system, is that right?

Right now, the credit reporting agencies largely game the system, because consumers don't know the factors that are used to make decisions about them, for employment and even for cell phone purposes. So it's very asymmetric, this industry, who has information about whom and how that information is used.

Speaking of asymmetric, currently my understanding is that rules for privacy are much stricter for government agencies than they are in the private sector. If that is the case, should we consider a separate set of privacy standards for both public and private?

I think that's the unfinished business for credit reporting agencies in the United States. We had a moment to establish a comprehensive law for private agencies. Europe took a different approach. They established comprehensive law for private...

Tell me more about Europe. My understanding is European countries have stricter data privacy laws, and I assume they still have functioning credit markets? The agencies, these three agencies you represent, do they do business in those countries?

I don't know about those specific firms. I do know there's a vibrant credit market across the European economy. The key is they're held to a higher standard.
For instance, in the area of breach notification, Equifax took more than six weeks after they learned about the breach to tell Americans what happened. Under the new European privacy laws, they have 72 hours to confront a problem like that. You can still operate the bureaus, you're just held to a higher standard.

Are they profitable in Europe with a different model, one with stricter privacy laws?

I know that some operate in the UK. We have a different group of credit reporting agencies in Europe, and it's not necessarily the three that we're familiar with here. We know that Equifax is in the UK, not sure about continental Europe.

Could you give to the committee, from those three clients specifically, what they do in Europe and their profitability, how big a presence they have, market share, like, you know, in the U.S., and how they're doing in Europe in terms of profitability and any public plans they have about continuing?

One thing I would say about Europe, though, and Professor Rottenberg may disagree with this. I don't believe there's a right to be forgotten with respect to credit reporting information. There's a balance for collecting such information and a balancing with this right to be forgotten. So there's guidance in the EU that I believe would not permit consumers to just delete wholesale information from credit reporting agencies, because of the vital role that they play in managing safety and soundness.

Actually, if I may disagree, that's not correct. The General Data Protection Regulation, the new European law, speaks specifically about the right... They're subject to controls of public data. Also under the European laws, consumers have a right to an explanation about the basis of the decision. If the company has an automated process, under the European law, consumers get to know the factors that were used to make the determination. I think we need to move to that approach in the United States.
That would make the companies more accountable and make the decisions about American consumers fairer and more transparent.

We do have requirements that when you take adverse action based on consumer report information, you notify the consumer, and in the case where a credit score is used, you have to have the key factors that affected that score.

Thank you, and I have one last question. I apologize, and I know I committed to the chair to keep it as close to five minutes. Let me ask Mr. Smith, if the... how much would the 145 million Americans, 5 million in my state, how much would those victims of the Equifax, the Equifax problem, be entitled to?

First, you're assuming there would be a cause of action under the Fair Credit Reporting Act. There would be no action under the Fair Credit Reporting Act, because it was not the credit reporting database that was compromised. Were there to be a breach of the credit reporting database, I believe the figure was a million? The cap was either 500,000 or a million, but it was consistent with all of the other consumer protection statutes.

Sounds like they have a loophole to close. Thank you all.

Members may have a question for you. We encourage them to get them in writing to each of you, and please, within the next seven days, answer as quickly as you can. I think the meeting is adjourned.
