We will receive testimony on the protection of consumer data at credit bureaus. At the Equifax hearing, members expressed interest in better understanding how credit bureaus are regulated, how they protect consumer data, and whether there are gaps that Congress needs to fill. I've long been concerned about the ever-increasing amounts of big data collected by companies and by the government. It is critical that personal data is protected, consumer impact in the event of a breach is minimized, and consumers' ability to access credit is not harmed. Credit bureaus play a valuable role in our financial institution by assessing a person's ability to meet financial obligations and also facilitating access to beneficial financial products and services. The inherent nature of the credit bureaus' business, as with most businesses in this digital age, requires utmost data security to ensure that sensitive consumer information is safeguarded. Two weeks ago Equifax testified about the methods it uses to protect its consumer databases, such as encryption at rest and tokenization. Richard Smith noted that while some of Equifax's databases are encrypted at rest, the dispute portal that was compromised was not. Questions remain about the best ways to protect sensitive data, including: Are there data security industry standards and best practices at credit bureaus? Should tools like encryption at rest be employed to protect all data containing sensitive consumer information? What role do financial rules and federal agencies play in data security at credit bureaus? Given that credit bureaus are financial institutions under the Gramm-Leach-Bliley Act, how does data security, testing and oversight by regulators compare to that of traditional financial institutions? I look forward to hearing from our witnesses about what credit bureaus do to ensure security for the data they collect.
Who oversees credit bureaus to ensure they have adequate security measures in place, and what improvements could be made to the oversight of data security at credit bureaus. There are many things regarding company response to data breaches. The Equifax breach has left more than 145 million consumers a little confused as to what can be done to mitigate damage to their identities and credit. We do know that starting in January Equifax will offer all customers the ability to lock or unlock their credit files for free. Additional products have also been offered from Equifax and the other credit bureaus for consumers to monitor or freeze their credit reports. Many consumers remain confused about which options are best for them, but this hearing will hopefully provide some additional clarity. We have a shared interest on this committee in ensuring that credit bureaus take the necessary measures to safeguard personal data and minimize risk of another massive data breach. Senator Brown.
Under current law, whether we like it or not, companies like Equifax can collect vast troves of information, that means information plucked from our work histories, our social media profiles, from reward cards to track our purchases at the grocery store, even information from our cell phones tracking our daily commutes. Ninly 3 these companies are free to combine and sell that information to all sorts of financial institutions and other data mining firms who use it to make decisions about us, like what kind of car or job that we might get. Corporations like Equifax rarely have to tell us how, why these decisions are made. They get to hide behind proprietary models and trade secrets. It seems our laws protect big corporations using people's data a lot better than they actually protect people.
As a recent breach demonstrates, enhanced cybersecurity measures at companies like Equifax might work perfectly yet still do little to protect consumers' data. While 145 million people have had their private data exposed, it doesn't appear that any sensitive corporate data was accessed. Because the businesses are not accountable to consumers and consumers have no choice over who is collecting their information, consumer protection is pretty much an afterthought. As we talk about the clearly inadequate protections for consumer data at Equifax and those in place at the other consumer reporting agencies today, we cannot forget that the real victims of this hack are the 145 million people, 5 million in my state alone, that through no fault of their own have had their personal information. We need to talk about how we're going to strengthen cybersecurity but how to restore people's control over their own information. We need to examine whether the current credit bureau model makes sense for consumers. We know there's a long history of consumer complaints in inaccurate reporting that has long-term effects on people's ability to get a job or a house. Rather than addressing these problems they have spent millions acquiring other data collection companies and branching out into new lines of business. Despite their continued failure, there's no other word to use, their continued failure to provide accurate credit reporting services or to protect all of the data that they collect, these CEOs have been rewarded with enormous salaries and bonuses. Sometimes they come in front of us and say they're going to give up their bonus as if that's a major concession. Now in an era of nonstop cyber threats it seems they've made consumers more vulnerable. Equifax made astounding amounts of money off the consumer data it collected. It will hardly, unless things change, it looks like it will hardly pay a price for its recklessness.
It's still collecting and storing our data, in some case we're giving, some cases we're giving it tax dollars to do it. I look forward to today's witnesses' views on these matters.
Thank you, Senator Brown. We'll now turn to our witnesses. First we'll receive testimony from Mr. Andrew Smith, on behalf of the Consumer Data Industry Association. Then we will hear from Mr. Marc Rotenberg, president of the Electronic Privacy Information Center. And finally we will hear from Mr. Chris Jaikaran, did I pronounce that right? Jaikaran, thank you. Mr. Chris Jaikaran, analyst in cybersecurity policy at the Congressional Research Service. Each witness is recognized for five minutes of oral remarks and then we'll proceed to questions. Mr. Smith, you may proceed.
Thank you. Chairman Crapo, Ranking Member Brown and members of the committee, thank you for the opportunity to appear before you. My name is Andrew Smith and I'm a partner in the law firm of Covington & Burling. I'm appearing today on behalf of the Consumer Data Industry Association, which is a trade association of companies that provide businesses with the information and analytical tools necessary to manage risk and to protect consumers. CDIA's members include the three national credit bureaus: Equifax, Experian and TransUnion. You've asked us to discuss how credit bureaus protect consumer data, but first I wanted to mention the important role played by the national reporting system and our economy. More than two-thirds of our GDP comes from consumer spending fueled by consumer credit. It's the national credit reporting system that allows consumers to quickly and effortlessly open a bank account or purchase a cell phone. More than 40 of consumers move every year. And the national credit reporting system facilitates this mobility. In addition to providing fast, fair, impartial access to well priced car, amt apartment rental and other services.
Nearly 15 years ago Congress enacted the fair employment acts to protect consumer privacy and to foster the continued development and vitality of the national credit reporting system. The most recent revision to this comprehensive regulatory scheme was the CFPB as a supervisory agency. This was not just examining credit bureaus but examining the users of credit reports and the companies that contribute information into the credit bureaus. The virtual continuous supervision of the credit reporting system began in earnest in early 2012 and according to CFPB has a proactive approach that will reach benefits for consumers and lenders for many years to come. With respect to data security, credit bureaus are subject to federal and state laws requiring them to safeguard consumer data, and because of the key role they play in the banking system, they also are subject to very specific private data security requirements such as the Payment Card Industry Data Security Standards. To begin, credit bureaus are required by the FCRA to maintain procedures to ensure that they only provide credit reports to legitimate people for legitimate purposes. These credentialing requirements go beyond contractual certifications and include comprehensive due diligence of customers as well as continuous monitoring of existing customers. FCRA requires secure disposal of credit report information. In addition, the FTC's safeguards rule referred to by Chairman Crapo requires financial institutions, including credit bureaus, to develop and implement comprehensive information security programs. The laws of at least 13 states similarly require companies to implement and maintain reasonable procedures to safeguard sensitive personal information. Furthermore, almost every state requires that companies notify consumers when there is unauthorized access to or acquisition of sensitive personal information.
Because of their important role in the banking system, credit bureaus are also subject to private contractual data security requirements. For example, because the credit bureaus handle credit card information, the card networks, Visa, Mastercard, et cetera, require that they comply with the Payment Card Industry Data Security Standards and validate such compliance by obtaining an independent third-party audit of their security procedures. In addition, because banks provide a great deal of sensitive customer information to the national credit bureaus, they're required by their prudential regulators to conduct regular information security audits of the credit bureaus. These audits can include onsite inspections which might last for several days. Each of the three national credit bureaus is subject to dozens of these bank reviews each year. CDIA shares with you the goal of ensuring that consumers and businesses have confidence in the ability of the national credit reporting system to keep consumer data safe. Thank you for the opportunity to testify and we look forward to today's dialogue.
Thank you. Mr. Rotenberg.
Chairman Crapo, Ranking Member Brown, thank you for the opportunity to speak with you today. I'm Marc Rotenberg, I'm president of the Electronic Privacy Information Center. We are an independent, nonprofit research organization founded in 1994 to focus public attention on emerging privacy issues. I would like to begin by saying that the Equifax data breach is one of the most serious in our nation's history. On par with a 2015 data breach at the Office of Personnel Management that impacted more than 22.5 million federal employees, their families, and friends. The Equifax breach poses enormous challenges to the security of American families and even to our nation's security.
There is no simple solution, but in my testimony today I will outline the steps I believe that Congress can take to mitigate the risks that follow from the breach and reduce the danger and likelihood of future data breaches. I should also say that the Equifax breach is remarkable because of its scope, the sensitivity of the data, and the delay to fix a well-documented security flaw. More than four months passed from the time Equifax failed to install critical software updates. And the data that was disclosed is precisely the information that individuals rely upon to open bank accounts, get car loans, seek employment, and buy cell phones. The data included names, Social Security numbers, birth dates, home addresses, and driver's license information. This is also the data that criminals use to commit identity theft and financial fraud. Equifax is clearly responsible for this breach. The company was notified in March by both the Apache Software Foundation and US-CERT to make critical software changes. But it's worth emphasizing that Equifax chose to collect this personal data on American consumers. Consumers did not provide this information to Equifax. And the lax security strategy that they followed meant that a single breach resulted in the release of 145 million credit reports on American consumers. The breach will cause unprecedented harm. When hackers get access to credit card numbers, consumers can cancel accounts and change the credit card numbers. But it's not so easy to change a Social Security number. And I don't think it's possible to change your date of birth. Equifax's victims will be exposed to the ongoing risk of identity theft and financial fraud, which is already an enormous problem for American consumers. The FTC reported almost 400,000 cases of identity theft in 2016, 29 of those cases involve tax fraud, and the Department of Justice estimates the cost to the U.S. economy at over 15 billion per year.
The credit reporting agencies are in urgent need of reform. In my testimony I've outlined a number of steps that I believe should be taken to establish accountability and transparency. Most simply, consumers need to be given greater control about the information about them that impacts their financial future. This means, for example, that we should have a nationwide credit freeze or, to say a little bit more precisely, the disclosure of credit reports should be on an opt-in basis. We recognize the value of credit in the American economy. But it is the consumer who should decide when it is in their interest to disclose their information to a third party to obtain the car loan. They should not have to jump through hoops to put in blocks and freezes to restrict access by others. They should make the affirmative decision. Credit monitoring should also be freely available. You should not have to pay to be told that there's fraudulent activity on your account. But that is the current problem with credit monitoring services that require either a fee or limit the access to credit monitoring for 90 days. This makes no sense whatsoever. If there's a problem in the account, the consumer should be notified. We also think consumers should have more ready access to the contents of the credit report so they know who's receiving the information and the impact that the data might have. I have several other issues in my testimony which I'd be pleased to provide for the committee. Thank you.
Mr. Jaikaran.
Chairman Crapo, Ranking Member Brown and members of the committee, thank you for the opportunity to testify on consumer data security and the credit bureaus. I'm Chris Jaikaran and I'm an analyst in cybersecurity policy at the Congressional Research Service. In this role I research and analyze cybersecurity issues and their policy implications, including issues of data security, protection, and management. My written statement for the record goes into further detail.
But my testimony today will address data security as an element of cybersecurity and risk management, cyber incident response, and options for Congress to address data security. An increasingly used catchphrase is that today all companies are technology companies or, all companies are data companies. This concept reflects that information technology and data play an important role in enabling the modern business practices which allow companies to compete and thrive in the marketplace. However, this reliance on IT and data also creates risks for corporate leadership to manage. Adequately controlling that risk is an objective of cybersecurity. Data security is an element of cybersecurity that involves risk management. Absolute security is not obtainable, so managing the risks which would impair security is the goal. In order to evaluate risk, managers need to understand the threats their enterprise may face, the vulnerabilities they have and the consequences of an incident. Cybersecurity incident response describes an attack, derive information about it and mitigate against it. For incident response, staff is not limited to just IT personnel. Communication staff that are able to craft messages to both internal and external stakeholders, legal teams who can help with reporting and compliance requirements, and management and corporate boards who are accountable for the corporation should all be included in response planning, among others depending on the entity. There will be a delay between the discovery of an attack and the public notification of that attack because analysis of what transpired will need to be conducted. This analysis will inform the entity of how they were breached and what data or systems were compromised. This type of analysis may be conducted by the entity itself, a business partner of the entity, government response teams, and law enforcement.
With a variety of potential forensic investigators, determining how they will coordinate in their response and how they will share information among one another is a factor which should be determined during the planning and training phase. With information on how the breach happened and the extent of the breach, the entity can proceed to mitigate its effects. These phases need not occur in succession but may be able to occur concurrently. I will now briefly present three options Congress could consider. They could explicitly authorize a federal regulator to the agencies for adherence to the rules. The dialogue created by the federal government and credit reporting agencies could lead to greater understanding of the cybersecurity risk faced by credit reporting agencies and allow for those with deficiencies to correct their security posture prior to referral for enforcement action. Congress could regulate the collection, use, and retention of data regardless of the type of entity that houses that data. The European Union and Canada have such data laws. Congress can establish requirements on what data may be collected, how data must be stored, and the consumers' rights to collection and use of data about them. Congress could require credit reporting agencies or any entity that frosts consumer data to identify and disclose their model for consumers. How it is used and what other data the entity generates about the consumer will provide consumers with additional information that may affect their decision in the marketplace. Thank you for the opportunity to testify today. And I look forward to your questions.
Thank you very much. Before I begin my questions, to just inform the senators, we have a vote at 10:30. Senator Brown and I have discussed today and we intend to keep the hearing running, so we'll adjust our attendance at the vote and you can make your plans accordingly. But the hearing will continue to proceed during the vote.
First question I had is for the whole panel. And I ask you to be concise, I only have five minutes in my questioning, as does each of the other senators. And but this is for each of the members of the panel if you have an opinion on this. There's been a lot of discussions surrounding the social, the security of the Social Security number. And whether it should be used as an identifier going forward. Do you think we need to get rid of the Social Security number as a personal identifier and, if so, what viable alternatives do we have? How would we ensure such an alternative doesn't suffer from the same drawbacks as the Social Security number. Mr. Smith, you want to start?
I think that if we eliminate the Social Security number as a personal identifier, we're going to have to have some other unique identifier that will allow businesses, credit bureaus, others to know who precisely they're dealing with. So my name is Andrew Smith. There are thousands of me, perhaps tens of thousands of me. When you're looking at a bankruptcy court record, if there's no identifier on there, how do you know which Andrew Smith it is? So socials right now, and other identifiers, play a critical role in the economy, just simple identification, right? Not authentication, not verification, not that I truly am who I say I am. From that perspective socials are terrible. But as identifiers, socials do have a role to play. Whether we need another identifier, I think that we're willing to work with you on that to try to come, to try to get to the right result for consumers.
Thank you for the question. I've spent many years before many congressional committees urging that limits be established on the use of the Social Security number. But we have never argued for replacing the Social Security number. The key point is that the SSN serves an important purpose in the management of certain government record systems, that's what it was established for and that's where the legal authority exists.
The problem is that the SSN was adopted in the private sector and used as an identifier for general purposes. This has actually contributed to identity theft and financial fraud. It's an imperfect identifier. It's used both as a password and as an authenticator, it was intended for neither. When we talk about the Social Security number, we would not say replace the SSN. As I describe in my testimony, we would say limit the use of the SSN. It should only be available in the private sector for lawful purposes.
Thank you. Mr. Jaikaran.
The Social Security number is a piece of personally identifiable information. So limiting its use in the private sector may lead to reduced consequences that impact if there's a data breach. However, whatever replaces it would likely still remain personal identifiable information that would constitute some level of increased security posture around that data in case there were a breach.
Thank you. And this question is also for you, just for Mr. Jaikaran. Your testimony discusses encryption and other tools that can be used in providing data security. Equifax's former CEO mentioned that some of their data is encrypted at rest while some of it is not. Are there certain minimum security data tools or standards that should be employed across the board? Are there measures that, if in place, may have been able to prevent the Equifax breach or detected it sooner?
So in my testimony I discussed cybersecurity as an element of risk management. Understanding the entire risk that an enterprise or corporation may face in the conduct of their business. There is federal guidance that is created for the implementation of encryption and there are industry best practices on the use of encryption for data at rest, data in motion, or data in process. While these may exist, a lot depends on how it is implemented and the use cases of each individual company.
For where they apply that, where they apply that encryption, how strictly they apply it, and how the keys are managed within that enterprise to allow those with legitimate access to be able to continue to conduct the business while still restricting access to those that don't.
Thank you very much. I just have about 45 seconds left, so Mr. Smith and Mr. Rotenberg, very briefly, under the current legal framework the FTC has authority over its safeguard rule for data security, but no regulatory agency currently examines or supervises credit bureaus for data security as is the case with banks. Do you think there's a gap in this framework and do we need a credit bureau, an agency to be set up or authorized to examine for data security?
So as you noted, the FTC has law enforcement authority and we feel as though we are not unsupervised with respect to data security. We do, as I said earlier, have our bank customers who are regularly auditing us. I would say, however, that if there are gaps in supervision that we'd be happy to talk with you about that and come up with the most sensible result for consumers.
Thank you. Mr. Rotenberg, very quickly.
The safeguards rule is an important data standard but it only applies right now after the fact. The FTC can only act against a credit reporting agency once the breach occurs. We think they should have the ability before the breach to inspect and determine compliance with standards.
Thank you. Senator Brown.
Thank you, Mr. Chairman. Mr. Smith, in your testimony you stated that the credit reporting system, quote, provides critically important benefits and you went on to say it's indispensable to the economy. I think we all agree with that, so my questions are this, and I'll start with you, Mr. Jaikaran, and please give a yes or no. Do you think that the breach or failure of a credit reporting agency, do you think that a breach or failure of one of the agencies could have a systemic or could have a systemic impact on the U.S.
financial system?
A breach of any agency is difficult to judge depending on the categorization of the agency itself. But it is a possibility that it could have impacts on the financial system.
Mr. Rotenberg?
I think the answer is clearly yes.
Mr. Smith.
I think that with respect to the Equifax, with respect to the Equifax incident, one of the things that we need to keep in mind is that according to news reports the credit reporting database was not, in fact, compromised. A compromise of a credit reporting database, I'd have to think about whether it would, whether it would present
So you're the one that started off by saying it provides critically important benefits, it's indispensable, the breach of 145 million you don't think has a systemic impact on the U.S. financial system?
I think that the risk would be able to be managed by banks but I do think that it's going to be something that would need to be actively managed because what it would present
Is that a yes or no so to systemic impact? Could be managed, a lot of things could be managed. Does that have a systemic impact on the financial system.
I'm not prepared to say it would have a systemic impact but I'd like to think that through.
Okay. Could you in the next week let me know if that's a yes or no.
Sure. How would you define systemic impact.
I'm asking you to. 145 million sounds systemic to me, number of one fifth that does. Mr. Rotenberg, most of us or our family members have faced challenges for decades trying to fix inaccuracies in their credit reports, these inaccuracies result in Equifax, TransUnion or Experian being three of the most complained about companies.
Do you think it would make sense to prevent these consumer reporting agencies from collecting new personal data or providing other services until they have met an accuracy metric in their consumer credit reporting and should consumers, second question, related, should consumers be allowed access to all the data held by these three companies?
Senator, I think both suggestions are very good. I think credit reporting agencies which provide personal data to others should be held to an accuracy standard because, of course, when they provide information that's inaccurate, incomplete, or out of date, people are wrongfully denied credit, they're wrongfully denied jobs and that's certainly a problem. But also to your second point, whatever information the credit reporting agencies know about us, I think we should have the right to know. Particularly now when this information is being made available for sale for data brokers and often times falls outside the protections of the Fair Credit Reporting Act. I think we need to do much more to give consumers information and control about their personal information held by others.
Thank you. And Mr. Smith, consumer advocates have called for free security freezes to be provided by Equifax and TransUnion and Experian, and instead the companies have announced they're rolling out what are called credit lock products which appear to give consumers fewer rights and less security than credit freezes. Are CRAs offering credit locks so consumers have to sign forced arbitration agreements just like they had to on Equifax's first offer of credit monitoring products?
So I can respond really quickly to the issue of access? I wanted to remind the members of the committee that consumers do have access to all of the information on file with, about them with consumer reporting agencies and they have, they have free access to that through annualcreditreport.com as well as other mechanisms.
Access and correcting are two different phenomena, but go ahead.
And with respect to the credit locks, I'm not so familiar with the different features of the credit locks nor do I know whether they have an arbitration clause.
You do know they did on the first round of credit monitoring products that they, let's say, quote unquote generously offered, that they included that, as you know.
Yes.
They backed off it under public pressure, as you know.
That I know. I don't think that the impetus for offering credit locks could be to obtain a mandatory arbitration clause from consumers. I do think that these credit locks may be useful to consumers. I think that freezes more generally serve a specific need for a type of consumer. There are a lot of other tools that consumers have that can protect themselves in these situations including obtaining a free credit report, placing a fraud alert on their credit report, obtaining credit monitoring. There's a lot of free credit monitoring available. So I think consumers should understand and appreciate that before they place a credit freeze on their file, but credit freezes do have their place.
I don't want to debate that but I'll just close with, on the forced arbitration agreement, you were their lawyer, you represent them, they also rely on you for advice. Are you willing to go back to them and say that there is strong sentiment among the public and this Congress that forced arbitration agreements should not be part of this credit, this credit lock offer products?
Yes, I'll convey that message. I do think that there is a special, there's a sort of an eggs generality circumstance in that there's a statute called the Credit Repair Organizations Act which imposes particularly stringent penalties on companies, any company that's found to be a credit repair organization.
And so because of that, and I think some members of the committee are probably familiar with this, because of that arbitration clauses have a special role to play with these products. But I will certainly convey the message that
Would you share with the committee exactly what message you conveyed to them on forced arbitration?
I will share that.
Thank you. Thank you.
Gentlemen, regardless of what we've put into law, regardless of what rules are put in place, if they're not followed, the possibilities of an additional breach continue. I'm just curious, with regard to Equifax would it be fair to say that the, that the data that we have so far, the information that we have so far, does it point to basically human error? Having been the cause of the data breach? Like just quick response from each.
Senator, I think human error understates the problem. We're talking about a breach that impacted 145 million records. A circumstance where the company was twice notified by two leading authorities and left the breach exposed over a four-month period. I didn't discuss in my testimony this morning, but even the response to the breach was not level to consumers. So at almost every step they did the wrong thing by consumers.
I believe that Equifax has said publicly that it was the result of human error. With respect to the question about human error, I would add, though, that the FTC and CFPB are investigating the breach and I would want to see what their conclusions are before we, before we draw any broader, before we make any policy choices based on the facts of this breach.
Mr. Jaikaran.
Based on the amount of information that we have regarding this particular breach, it is difficult to judge as to whether the breach came down to human error or some other reason within the company. So it's difficult to judge at this point based on the information we have.
Even if, let's assume that there was human error involved in this, recognizing the significant damage that's been caused, if we have within our abilities the opportunity to lay out a plan in which there is not just an auditable review process to be placed in place with assurance of the follow through, we're still talking about the protections that we put in place for a legal entity that has been breached by thieves. What more can we do or what more should we be doing to prevent this break-in in the first place with regard to protections and also the consequences for entities throughout the world that actually cause these breaches, that are actually overtly out trying to get their hands on the data? Do we need to look at additional federal authorizations or institutions that would be literally for the cyber community the same as the FBI was when it came to stopping the bank robberies of the 1920s and 1930s, do we need to be looking at something like that on a worldwide basis?
Senator, I think that is a very important point. When the Fair Credit Reporting Act was passed in 1970, the primary concern was about the possible misuse of consumer data by the credit reporting agencies. And that was the problem that Congress sought to address. But here we are almost 50 years later living in a world of constant cyberattack. And in my testimony this morning I tried to explain that the Equifax breach needs to be understood, not just in terms of the misuse of personal data, but actually the exploitation by foreign adversaries. And that's also the reason, sir, why I think we need to update our privacy laws, put more incentives on companies to protect this data, not just from misuse, but also from exploitation by foreign governments.
Mr. Smith.
We think that to the extent that there are gaps in supervision of data security that we're, that we want to talk with you about that. We want to get to the right result.
With respect to Professor Rotenberg's point, there's no doubt that this was a criminal hack, that it was from an unknown source, that it may have been from a foreign actor, and that's something that I think is, hopefully the FTC and CFPB and other continued investigation dollars will reveal, and if there are policy implications from that hopefully we can have that discussion then.
Mr. Jaikaran.
When we think about the government relationship with these agencies there are three buckets we could put them in. First is rule making, next is examination, and the third is enforcement, which the FTC maintains. In this space we can see that the agency space was the one that we had the least government involvement. So I think there presents an opportunity for Congress to create further guidance on how they want agencies to act with regard to that. Concerning the consequences side, to the best of my knowledge attribution has not been placed for this breach and that would be a conversation to have with law enforcement agencies and officials on what authorities they think they'd need in order to go after the criminals here