Committee will come to order. A recess at the committee of any time and all will have five days for inclusion in the record. Entitled examining the equifax data breach. On september 7th equifax announced a Cyber Security incident. It effected 145 million u. S. Consumers, nearly half of all americans. In other words if your hearing my voice youre either the victim or you know someone who is. Thats how massive this brief was. Criminals got basically everything they need to steal your identity, open credit card accounts in your name it may with b the most harmful the world has ever seen the companys response has left much to be desired. For weeks equifax about whether people were victims of the breach or not. And beyond brief they sold their equifax before the company disclosed the breach. I trust the Justice Department will get to the bottom of this. Clearly action by the federal trade commission and potentially other regulators is required. Congress must ensure federal regulators do their jobs so justice can be served and victims are made whole. We must examine are up to the job. Large scale Security Breaches are becoming all too common. By the increasing frequency of Cyber Attacks it demands inhansed efforts to safeguard consumers. It rekwiers effective measures to data breaches in the first place. Given the federal government track record when it comes to protecting personal information witnessed the tax as two recent examples. We must be cautious about attempts to never let a good crisis go to waste and impose a washington forced Technology Solution that may be antiquated as soon as it is imposed. Bipartisan Data Security act, the need to revisit that legislation and where necessary improve upon it should be obvious to all. It is clearly facing consumers and leaving them extremely vulnerable. I look forward with working with members of both sides of the aisle and working with the administration to ensure that americans across the country will be protected and no longer have to lose sleep over the kind of breaches that we are discussing today. I yield back the balance of my time and recognize the Ranking Member and gentle lady from california for three minutes. Thank you. Subsequent failures are elapsed on a scale we have never seen before. It is all the more outrageous because the impact to customers never chose to do business with equifax. They are literally stuck with this company. Im interested in what equifax will do moving forward fwr all of those who have been harmd. I am interested in why they have sent this witness today without the authority to commit equifax to future actions. They need to hear what happened and what equifax plans to do moving forward. I already know this hearing wont answer all of the questions and i and other members would like to know more. This is why democrats requesting a minority day hearing to get more questions surrounding not only this breach but also impact on consumers and for moving forward. Now is the time to fix what has been broken. It is just the tip of iceberg. The whole Credit Reporting system needs an overhaul. This would shift the burden to Credit Reporting agencies and away from consumers. It would also shrink the importance of Credit Reports in our lives. Employment checks and limiting when cras can collect information on consumers. It is time to end the strangle hold that equifax have on our consumers lives. I yield back. We have the chairman for one and a half minutes. Thank you. Right here. There we go. Theres a lot to try to keep track of. I trust you heard the anger from congress and the American People. It is disregard for the law and consumers. A failure on part of you, your board and Senior Management and your failures impacted onethird of the American People. The American Peoples data has been compromised had to wait more than a nont find out about it. The American Public deserves better. They deserve profit notification, a system that effectively notifies them, not one that is slowed down because of turf wars or fear or litigation. I believe its now time move forward and we need to find solutions to this problem. I hope if one good thing comes from this its that the American Consumers can get a system that works for them. I share that its going to have oversight over this data breach and that security type of bill and i ensure you well try to look at it about ways to protect the American Consumers. The chair recognizes mr. Clay, the Ranking Member of the institutions Sub Committee for one minute. Apparently he is not here. Well then go to the gentleman from michigan who also appears not to be here. Gentleman from minnesota recognized for one minute. I would like to thank the chairman and Ranking Member for this important hearing. A lot has been said about the Equifax Breach. Theres a few things i think we have to bear in mind. One is that equi fax and two other players in this industry of Credit Reporting dominates in the whole field. As members of this committee know i believe equifax is too big. We need to increase competition and if equifax had to worry about a real competitor i believe they would be wettbette safeguarding the data of consumers. It is the fact markets have concentrated this so high equifax doesnt have to worry about any other competition that they can be lax with the data of people. I look forward to the gentlemen talking about issues that are very important. I know there has been movement in the area of well, ill leave that to the rest of the questions. Time has expired. We recognize the gent le lady from new york. Mr. Smith, equifax was not just a breach of security. It was not just a massive huge database breach, it was a breach in the trust of the American People in your company. We have the best markets in the world and i believe that our markets run more on trust than it does on capital. So a breach of trust is something our markets cannot tolerate. I join my colleagues in being committed to finding procedures Going Forward that this does not happen again and that the law is enforced against those who breach and break the law. Time of the gent it lady has expired. Today well advise vooiz sore. Prior to september 26th of this year mr. Smith had been the chief executive officer since 2005. For joining equifax he held various positions where he worked for 22 years. The written statement will be recognized. Thank you for allowing me to testify before you today. I am rick smith. I have had the honor of serving as chairman and ceo of equifax. I have had the opportunity to read their letters of those impacted and not impacted alike and understand the anger and frustration we have caused at eq equifax. This criminal attack occurred on my watch. I take full responsibility as the ceo. I want everyone here to understand that i am deeply apologetic and sorry that this breach occurred i want to American Public to know equifax is dedicated to making things right. Americans have a right to know how this happened. Im prepared to know what i did about this incident while ceo of the company and also what i know about the incident as a result of being breached by the ongoing investigation. We now know this criminal attack was made possible by a combination of a human error. The human error a dispute portal in march of 2017. A technological involved july ner blt that had not been patched. Both have since been addressed. On july 29th and 30th suspicious activity was detected. We followed our response protocol at that time. The Team Immediately shut down the portal and began their internal security investigation. On august 2nd we hired top Cyber Security forensic and legal experts. We also notified the fbi. At that time we did not know the nature or the scope of the incident. It was not until late august we experience add major data breach. Over the weeks leading up to december 7th our team continued working around the clock to prepare to make things right. We took four steps to protect consumers. First telling me whel when and how relying on the advice of our experts that we needed to have a plan in place as soon as we announced. Number two developing a web site and Offering Free Services not only to those impacted but to all americans. Number three, preparing for increased Cyber Attacks which were advised or common after a Company Announces a breach. Finally, continuing to coordinate with the fbi and criminal investigation of the hackers while notifying federal and state agencies. In the role of our Remediation Program mistakes were made, which i am again deeply apologetic. I regret the frustration that Many Americans felt when our web sites and our call centers were overwhelmed in the early weeks. It is no excuse and it certainly did not help that two were shut down due to hurricane irma. Since then the company has increased the capacity. I can report to you today we have had over 420 million u. S. Consumers visit our web site and that our call times and wait times at the call centers have been reduced substantially. The Company Offered a broad package of services to all americans. All of them free aimed to protecting the consumers. In addition we developed a new Service Available on january 31st, 2018 that will give all consumers the power to control access to their credit data by allowing them to lock and unlock access to their data for free for life. As we all learned it is a National Security problem putting consumers in control of their credit problem. No Single Company can solve a larnger problem on its own. I believe we need a Public Partnership and i look forward to being part of that dialogue. Thank you again for inviting me to speak today. Ill close again by saying how sorry i am that this breach occurred on my watch. On a personal note i want to thank the many hard working and dedicated employees that i wo worked with over the past 12 years. Equifax is a good company with thousands of great people trying to do whats right every day. Thank you. Gentleman from california. I would request that the witness be sworn. It has not been the practice of the committee to swear in witnesses. As you know the witness has to find before coming here that the testimony will be truthful. I know this is your fourth appearance before congress but i think you know it is thanks to the gravity of the situation, the number of our constituents which are impacted and frankly the number of Committee Jurisdiction lines that this crosses. I will attempt to plow a little new ground. So there is a lot of focus when the nature is realized. It took approximately a month before people were notified of the breach. Did someone in Law Enforcement ask equifax to delay notification to the public . As i mentioned, we were in communication routinely with the fbi. We worked very closely. In our outside council and yes, they both managed the flow of communication. Did they advise you to delay it for approximately four weeks . They got it on the 7th it wasnt until around the 24th that we really realized the size of the breach and even that may continue from the 24th of august and that you may have seen it would continue evidence on 2. 5 million more. Im lead to believe the was first publicized and at which point it was immediately categorized by numerous Cyber Security authorities. What do you believe is a reasonable amount of time for a critical vulnerability patch to be pushed out and implemented on all effective applications . It was within 48 hours. We did that. Im sorry, you did do that . Yes. It is responsibility and did not ensure there was communication for a person that needed to apply. That wass error number one. On the 15th of march we used scanning technology which looks around the systems for vulnerability. That scanner did not detect the vulnerability. We had a human error once equifax chose to notify the public there are notification laws that you are well aware. I know we have patch work but under what breach notification we regime did you notify the public . We were mindful of the state laws and trying to abide by all state laws. At the same time following the recommendation, making sure we had clear and accurate of the breach. It took weeks, very difficult to retrace the footprints of these criminals, where they had been, what they had done. We had to recreate inquiries and the Security Team and our outside legal adviser. Youre located in georgia, correct . Was that a georgia regime notification that you followed . You didnt follow the 47 odd state regimes, did you . Yes. We were headquartered in atlanta, georgia. Also making sure we have accurate and clear understanding. It was not until late in august. My time has expired. We recognize the Ranking Member for five minutes. Thank you very much. I appreciate you being here today. I want to understand what capacity are you in today . Are you a volunteer, a paid adviser . Do you play any role in the company . Would you please make that clear to me . Yes. I am the former chairman and ceo and today i am sitting here as the former ceo and also someone who agreed to work with the are you a volunteer . Yes. Im unpaid. Unpaid. And you came today to try to explain what has taken place. Do you have the ability to talk about what happens Going Forward and how we can correct the mishaps, the problems of equifax, are you empowered to do that today . We have the ability looking forward from my perspective who was a ceo. If you make a commitment here today are you bound by any commitment you make for the company today . No. Commitments are made by the company themselves. So your capacity is to simply try to explain and take responsibility rather than how we go forward for the future, is that right . Thats largely correct, congresswoman. I do have views on fast forward. Commitments have toub made by the company themselves. We have such limited time to deal with so many problems. While i appreciate you taking responsibility your being here today doesnt do much in terms of how we are going to move forward and correct the problems of equifax. Our consumers are at great risk. Are you close enough to know exactly what has been done to be available to consumers . Congresswoman, yes. I have an understanding that what has been done, i mentioned my comments, they staffed up dramatically. I am told that the backlog of consumers trying to get through and security their Free Services has now been empty and the flee im not sure about that. I worry about that. In addition i tell you what else i worry about. How long will consumers be able to get free service . Is there a time where they will be charged trying to straighten out whatever problems have been created because of this serious hacking that has been done . The Company Offered five services to every american, not just those impalkted. How many . Five Different Services. It is for how long . One year for the time they sign up and until january the 2018. It is the ability to control access to their data for life. They will have the able to lock or unlock when they choose versus us being able to do that. It will be free for life starting in january 2018. It will be enabled as an application on ones cell phone. Very easy far consumer to use. I might have use missed part of that. If ones identity has been stolen, and usually it takes a long time to unravel that, are you going to provide service and assistance to the consumer until that is taken care of . Yes, congresswoman. Again, one of the five services we offered today is the ability to lock access to your trial. It is the most security way. You determine who accesses it, who does not and when. But im leer, i think what you have said is when one finds ones selfin that position you will provide them with the Service Service and assistance. For life. Thank you. Jebt l lady yie gentle lad yields back mr. Smith, im still over here. Thank you. You know, we have i had a long meeting this past week with some experts in Data Security and how they can be protected. One of the comments that was made was that when it come ts from Information Technology budgets the average company only spends 6 on security. Do you know roughly what your company spent for the Information Technology budget . I do. I think theres a bench mark on the i. T. The average aba, we are in the 12 range. Okay. Are you aware of new protocols . Place . Yes. We have implemented multiple protoco protocols. We have also engaged a world Class Consultant to come out and rethink everything we have done far longterm plan. As a result of this breach the exposure is ginormous here. Do you have an insurance policy to cover this kind of a breach . Yes. I have dised it in the past. We do have a tower of Insurance Coverage. It is kmn in our world. Okay. So basically the company is well, they are limited to any coverage you have. I have not disclosed tho