
CSPAN Data Breaches November 9, 2017

Complete we turn to the issue of data breaches. This is not a new issue. The committee has been focused on the consumer impact since before I was elected to the Senate. The September 2004 ChoicePoint breach was considered to be the first high-profile data breach in the modern era and prompted investigations from this committee and state authorities. ChoicePoint was a data aggregation company originally created by Equifax, who as fate would have it is represented here today. In terms of the inquiry into major data breaches, we have come full circle. Congress and this committee paid close attention to data breaches big and small. The committee has entertained proposals to strengthen requirements for companies across the board and impose federal requirements for companies to notify consumers following discovery of the breach. We are in the era of major data breaches, including Equifax and Yahoo that we are examining. The Yahoo breaches are larger; the Equifax breach is more severe given the nature of the data compromised. I have heard from many constituents who were concerned about the lasting effects of the Equifax breach. I have heard complaints it is difficult to set up a credit freeze and questions about whether credit monitoring is an effective tool to prevent identity theft. The Equifax breach exposed the sensitive personal data of 145.5 million U.S. consumers, including the names, Social Security numbers, birthdates, addresses, and driver's license numbers. 200,000 were affected. Equifax will have an opportunity to provide an update regarding the breach as well as its much criticized efforts to mitigate harm and prevent anything like this from happening. The Yahoo breach compromised over 3 billion user accounts and followed a prior breach in which hackers stole similar information from 500 million users. The data included names, dates of birth, partial passwords, unencrypted security questions and answers, and employment information.
The figure constitutes the entirety of Yahoo Mail and other Yahoo-owned accounts at the time of the breach. Yahoo representatives will have an opportunity to provide an update regarding the breaches as well as efforts to mitigate harm and ensure security and consumer data going forward. The data breaches illustrate dramatically that our nation continues to face constantly evolving cyber threats to our personal data. Companies that collect and store personal data on American citizens must step up to provide adequate cyber security, and there should be consequences if they fail to do so. The committee made cyber security a priority and I am hopeful today's hearing will help the committee understand. And when there is a risk of real harm stemming from a breach, we must make sure that consumers have the information they need to protect themselves. That is why I support a uniform federal breach notification standard to replace the patchwork of laws in 48 states in addition to the District of Columbia and three other territories. A single federal standard would ensure all consumers are treated the same with regard to notification of data breaches that might cause them harm. Such a standard would provide consistency and certainty regarding timely notification practices benefiting consumers and businesses. To ensure that businesses secure information appropriately, I have advocated for uniform reasonable security requirements to protect consumer data, based on the size and scope of the company and the sensitivity of the information. However, in this regard, the facts of the Equifax breach are troubling. As a credit bureau, Equifax was subject to the Safeguards Rule under the act, which is considered to be a stringent regulation. The Equifax breach occurred and its implications appear dire. Enhancing security, protecting the personal data of consumers will be a priority for this committee.
I want to thank our witnesses for appearing here today and I look forward to hearing your testimony. I will turn to Senator Nelson for his opening remarks.

Senator Nelson: Thank you, Mr. Chairman. As you stated, this is the latest edition in a long history of hearings that we have held on this committee to discuss data security and breaches. I want to thank several senators on this committee who have asked for this hearing. Senator Baldwin in particular, Senator Cortez, thank you for all the more bringing this to the forefront. If you start with the massive ChoicePoint breach in 2005, and then continuing with Target, Neiman Marcus, shape hat, Sony, Citigroup, CVS, South Shore Hospital, Heartland Payment Systems, and many others, the parade of high-profile data breaches seems to have no end, and billions of consumers have had their sensitive personal, personally identifiable information compromised, including Social Security numbers, driver's licenses, addresses, dates of birth. For years going forward, criminals can use this data to steal the identity of innocent consumers and create fake accounts in their names and commit other types of fraud, and I might point out that right now, we estimate 5 billion a year is being stolen from the U.S. Treasury just on fake federal income tax returns of which they get a refund. And on top of that, we also recently found out the 2013 Yahoo breach compromised the personal data of, it is hard to believe, 3 billion users. That is the biggest data breach in history. Yet today here we are once again dealing with the aftermath of the recent Equifax breach involving the personal identification information of nearly 145 million Americans. This most recent breach raises an even more troubling question. If credit reporting agencies that offer identity theft protection and credit monitoring services cannot even safeguard their own data from hackers, then how can consumers trust any company to protect their information?
And let me say also, when you get up against the sophistication of state actors such as Russia and China, it is going to be hard to protect against them. So, sadly, the question that millions of Americans are now asking is, as they struggle to figure out how to protect themselves in the wake of these massive breaches, what in the world do we do? This committee, Mr. Chairman, is going to again consider what it would do to make sure that consumers are protected, but if we are going to do anything meaningful, we must have the political will to hold these companies accountable. Over the years, the Federal Trade Commission has brought numerous enforcement actions against companies for lax data security practices. But industry has recently challenged the FTC's well-established legal authority to bring such actions. This piecemeal, after-the-fact approach would be better served if the FTC were able to prescribe rules that require companies to adopt reasonable security practices in the first case. Rules have already been put forward to agencies like Equifax. The agency should have a similar authority for the rest of the commercial sector. And so, Mr. Chairman, I think at the end, it is only stiffer enforcement and stringent penalties that are going to be able to help incentivize companies to properly safeguard their consumer information, and to notify their consumers when they have been compromised. I strongly believe that without rigorous data security rules in place, it is not a question of if that we will have another one, but when. We can either take action with common sense rules or we can start planning for our next hearing on this issue. Thank you, Mr. Chairman.

Chair: Thank you. I hope it can inform our future actions. It needs to be addressed. Congress needs to be heard from. Glad to have our panel with us this morning. On my left and your right is Mr. Barros from Equifax, and Richard Smith, the former CEO at Equifax. Ms. Marissa Mayer, former CEO of Yahoo Incorporated.
And Karen Zacharia for Verizon, a parent company of Yahoo since 2017. And Todd Wilkinson, president and CEO of Entrust Datacard. I will start with you, Mr. Barros, and ask you to confine your oral remarks as close to five minutes as possible. Anything extra can be on the record.

Mr. Barros: Good morning. Chairman Thune, Ranking Member Nelson, members of the committee. Thank you for letting me be here today. Six weeks ago I was named interim chief executive officer of Equifax. I never expected to become CEO under the circumstances. But I am honored to be in this position. Speaking for everyone at Equifax, I am determined to address all the issues from the breach so we can regain the confidence of the American people. Equifax is based in Atlanta. You can tell from my accent, I did not grow up in Georgia. I am a native of Brazil. I have had the privilege of working most of my adult life in the U.S. My children were born here. I'm an engineer by training and I have spent a lifetime confronting and fixing complex business problems. This is the mindset I bring to my new position. My first act as CEO was the consumer response and call centers and the website. We are working hard to fix the problem. I apologized to the American people and I do so again here today. I promise each of you and the American people, Equifax will be focused every day on assessing security and providing better support for consumers. We will be an industry leader in giving consumers more control over personal private data. In answer to your questions, I would like to review briefly the actions we have taken in the past six weeks. First, my highest priority has been to improve service for consumers. I visit call centers, have spoken with call center representatives, personally have taken calls from consumers and helped to resolve their issues. Social media, we have expanded communication. We have improved the website, have staffed the call centers and made it more consumer friendly.
The result is a substantial reduction in backlogs and delays. We have revised our corporate structure. The chief security officer now reports directly to me. I have also appointed an officer to oversee the response to this incident. Third, we are rapidly improving our security infrastructure. We're changing our networks, our vetting procedures, introducing new tools, and strengthening our accountability mechanisms. Fourth, we have committed to working with the entire industry to develop solutions to the growing cyber security and data protection challenges we all face. Finally, we promise to launch a new, easy-to-use app in January that will give consumers access to data free for life. We are on schedule with the development of the app and we are confident consumers will find it extremely valuable. We have done a lot in a short period of time. But this is just beginning. I remind my team every day that there are no shortcuts. Serving consumers is a long-term commitment. Equifax is made up of 10,000 talented and dedicated people. Our business is not well understood. But it is essential for the economy and for helping consumers obtain credit they need. Our top job must be to protect the data entrusted to us. We did not meet the public's expectations and now it is up to us to prove we can regain the trust. We are committed to working with consumers, customers, Congress, and regulators to restore public trust. This has been my focus during my first six weeks as CEO. It will continue to be my focus every day at my new job. Thank you for your attention and I welcome your questions.

Sen. Thune: Mr. Smith.

Mr. Smith: Thank you. Thank you for the opportunity to testify before you today. I submitted my written testimony to the committee and other committees in the Senate and House. I testified over the last three or four weeks. The written testimony is a record of the events of the breach at Equifax that occurred. I am here today to answer any questions you may have.
Thank you.

Sen. Thune: Thank you. Ms. Mayer.

Ms. Mayer: Thank you for the opportunity to appear before you today. I had the honor and privilege of serving as Yahoo's chief executive officer from July 2012 through the sale of the business in June of this year. As you know, Yahoo was a victim of criminal, state-sponsored attacks on its systems, resulting in the theft of certain user information. We worked hard over the years to earn our users' trust. I want to sincerely apologize to each and every one of our users. When Yahoo learned of this in late 2014, Yahoo promptly reported it to law enforcement and notified the users at that time who had been directly impacted. Yahoo worked closely with law enforcement, including the FBI, and were able to identify and expose the hackers responsible. We now know that Russian intelligence officers and state-sponsored hackers were responsible for highly complex and sophisticated attacks on Yahoo systems. The Department of Justice and FBI had a 47-count indictment charging criminals with these crimes. The DOJ and FBI praised Yahoo for our cooperation and early proactive engagement with law enforcement. In November 2016, Yahoo determined the user data was most likely stolen from the company in August of 2013. Although Yahoo and its outside forensic experts were not able to identify it, the company disclosed the incident, notified the users believed to have been affected, and took steps to secure all user accounts. I want to stress how seriously I view the threat of cyber attacks. After growing up in Wisconsin, I remember buying my first computer in college, developing a passion for computer science and writing code and seeing the potential to change the world. After college I was hired by a small start-up named Google as their 20th employee and first female engineer. I worked my way up from software engineer to part of the executive operating committee. In July 2012, I became CEO of Yahoo.
I will always be grateful for and humbled by the opportunity to have led Yahoo and its employees for the last five years. My experiences from Yahoo and Google have shown me the potential of the internet to change our world for the better. However, they have reinforced the dangers of cybercrime. Our efforts to confront the challenges of cyber security, including security measures and defenses Yahoo has in place, in hopes of further advancing protection and security. We worked hard to protect our systems and users. We devoted substantial resources to security with a shared goal of staying ahead of the evolving threat. After I joined Yahoo we roughly doubled our internal security staff and made significant investment. In addition to improving our talent, we improved our security processes and system defenses. Yahoo had in place multiple layers of sophisticated protection. We were extremely committed to security. I want to thank all of our team members for their tireless efforts in addressing Yahoo's security needs. Russian agents intruded on our system. The threat from state-sponsored attacks has changed the playing field so dramatically that today, I believe all companies, it probably be vulnerable to these crimes. Cyber security is a global challenge. No company, individual or government agency is immune from these threats. The attacks on Yahoo demonstrate the strong collaboration between the public and private sectors is essential in the fight against cyber crime. Aggressive pursuit of cyber criminals, as the DOJ and FBI exhibited in the Yahoo case, could be a meaningful deterrent in preventing future crimes like these. The words of the investigator, a nation state attack is not a fair fight and not one you will win alone. We can work together to level the cyber playing field. Thank you for the opportunity to address the committee today.

Sen. Thune: Ms. Zacharia.

Ms. Zacharia: Thank you for the opportunity to testify here today.
My name is Karen Zacharia and I am Verizon's chief security officer. Verizon has a longstanding commitment to protecting and safeguarding consumer data and building trust online. In an increasingly connected world, Verizon recognizes strong security and consumer trust are prerequisites to compete in the 21st century's digital economy. The nature of our business requires Verizon make cyber security a top priority. In 2016 Verizon announced it entered into an agreement to acquire Yahoo's operating business. That acquisition closed in 2017. Yahoo is now part of a new company from Verizon called Oath. Oath consists of 50 digital brands globally, including Yahoo News, Yahoo Sports, Tumblr and AOL. In September and December of 2016, Yahoo announced its user data was stolen in two separate incidents in 201
