Transcripts For CSPAN3 Former Equifax CEO Before House Financial Panel - Part 1 20171005

former equifax ceo, richard smith, testified today before the house financial services committee. it's the fourth time he's been before lawmakers this week. they're looking into the equifax data breach, which exposed private information from nearly 146 million people. all four hearings are available in our video library at c-span.org.

[ banging gavel ]

>> the committee will come to order. without objection, the chair is authorized to declare a recess of the committee at any time, and all members will have five legislative days within which to submit extraneous material to the chair for inclusion in the record. the hearing is entitled "examining the equifax data breach." i now recognize myself for three-and-a-half minutes to give an opening statement. on september 7th, equifax announced what it called a, quote, cyber security incident at its business that potentially affects 145 million u.s. consumers, nearly half of all americans. in other words, if you are hearing my voice, you are either a victim of the breach or you know someone who is. that's how massive this breach was. the criminals got basically everything they need to steal your identity, open credit card accounts in your name, and cause you untold frustration and financial calamity. this may be the most harmful failure to protect private consumer information the world has ever seen. the company's response to this breach has left much to be desired. for weeks, equifax failed to disclose the breach to consumers and its shareholders. it provided confusing information about whether people were victims of the breach or not. and, beyond belief, senior executives sold their equifax shares after the company knew of the breach and before the company disclosed the breach. i trust the justice department and the securities and exchange commission will get to the bottom of this.
clearly, action by the federal trade commission, the consumer financial protection bureau and potentially other regulators is required. congress must ensure that federal law enforcement and federal regulators do their jobs, so justice can be served and victims are made whole. we must, thirdly, examine if our agencies and statutes like gramm-leach-bliley, the fair credit reporting act and udap are up to the job. in this era of big data, large-scale security breaches, unfortunately, are becoming all too common. the increasing frequency and sophistication of cyberattacks clearly demand heightened vigilance and enhanced efforts to safeguard consumers. protecting consumers, obviously, starts with requiring effective measures to prevent data breaches in the first place. given the federal government's own poor track record when it comes to protecting personal information -- witness the s.e.c. and the opm hacks as two recent examples -- we must be cautious about attempts to never let a good crisis go to waste and impose a washington-forced technology solution that may be antiquated as soon as it is imposed. however, i do believe that we need to ensure we have a consistent national standard for both data security and breach notification in order to better protect our consumers, hold companies accountable and assure that this affair does not repeat itself. our committee passed such legislation nearly two years ago, the bipartisan data security act. the need to revisit that legislation and, where necessary, improve upon it should be obvious to all. the status quo is clearly failing consumers and leaving them extremely vulnerable. so i look forward to working with members of both sides of the aisle, and working with the administration, to ensure that americans across the country will be protected and will no longer have to lose sleep over the kind of breaches that we are discussing today. i yield back the balance of my time.
i now recognize the ranking member of the committee, the gentle lady from california, for three minutes.

>> thank you, mr. chairman. the massive breach at equifax and the company's subsequent failures are a lapse on a scale we have never seen before. equifax's failure to safeguard consumer data is all the more egregious because the impacted customers never chose to do business with equifax. and because of the broken business model of our country's credit reporting agencies, these consumers can't end their relationship with equifax. they can't shop around for a better deal. they're literally stuck with this company. so i'm very interested in what equifax will do moving forward to provide full redress for all of those who have been harmed. i am also interested in why equifax has sent this committee a witness today without the authority to commit equifax to future action. the members of this committee need to hear not just about what has happened, but also about what equifax plans to do moving forward. so i already know that this hearing won't answer all of the questions that i and other members would like to know more about. this is why committee democrats are requesting a minority day hearing to get more answers to the questions surrounding not only this breach, but also its impact on consumers and solutions for consumers moving forward. for example, i for one would like to make sure that credit reporting agencies do not inappropriately profit off of this incident by exploiting consumers' legitimate fears. now is not the time to focus on how to sell consumers more products. now is the time to fix what has been broken. but this breach at equifax and its woeful response are just the tip of the iceberg. the whole credit reporting system needs a complete overhaul. that's why i introduced h.r. 3755, the comprehensive consumer credit reporting reform act.
this legislation, among other things, shifts the burden of removing credit report mistakes to credit reporting agencies and away from consumers. and my bill would also shrink the importance of credit reports in our lives by limiting the use of credit reports in employment checks and limiting when cras can collect information on consumers. it's time to end the stranglehold that equifax, transunion and experian have on our consumers' lives. mr. chairman, i yield back.

>> the gentle lady yields back. the chair now recognizes the gentleman from missouri, mr. luetkemeyer, the chairman of our financial institutions subcommittee, for one-and-a-half minutes.

>> thank you, mr. chairman. mr. smith, i know you -- right here. there we go. there's a lot of us to try and keep track of, right? i know you sat before several committees this week, and i trust you heard the anger from congress and the american people. this is not just incompetence on the part of you and your company, but also for law and for consumers. there was a failure on the part of you, your board and your senior management. and your failures have impacted more than one-third of the american people. what's most egregious to me is that the american people whose data had potentially been compromised had to wait more than a month to find out about it. the public -- the american public deserves better. they deserve prompt notification so they can safeguard their identity. they deserve a system that effectively and efficiently notifies them, not one slowed down because of turf wars, regulatory complexity or fear of litigation. i believe it's now time to move forward, and we need to find solutions to this problem. i hope that the one good thing that comes from this, yet another major data breach, is that the american consumers can finally get a system that works for them. i chair the financial institutions subcommittee that is going to have oversight over this data breach, and any data security and notification type of bill.
and i can assure you, we're going to try and look very thoroughly at this incident, as others, to find ways to protect the american consumers. mr. chairman, with that, i yield back.

>> the gentleman yields back. the chair now recognizes the gentleman from missouri, mr. clay, the ranking member of the financial institutions subcommittee, for one minute. apparently he is not here. we then will go to the gentleman from michigan. he also appears not to be here. the gentleman from minnesota, mr. ellison, is recognized for one minute.

>> well, i'd like to thank the chair and ranking member for this important hearing. a lot has been said about the equifax breach, and a lot of the same things will be repeated today. but there are a few things that i think we've got to bear in mind. one is that equifax and two other big players in this industry of credit reporting dominate basically the whole field. as members of this committee know, i've been quite concerned about market concentration. i believe equifax is just too big. it needs to be reduced in size. we need to increase competition. and if equifax had to worry about a real competitor, i believe they would be better at safeguarding the data of consumers. it is the fact that markets have concentrated so highly that, basically, other than transunion and experian, you know, equifax doesn't have to worry about much of any other kind of competition, that they can be lax with the data of people. i will look forward to the gentleman talking about some issues that i think are very important. i know that there's been some movement in the area of -- well, i'll -- i'll leave that to the rest of the questions.

>> the time for the gentleman has expired. the chairman now recognizes the gentle lady from new york, ms. maloney, for one minute.

>> mr. smith, equifax was not just a breach of security. it was not just a massive, huge database breach. it was a breach in the trust of the american people in your company.
we have the best markets in the world. and i believe that our markets run more on trust than they do on capital. so a breach of trust is something our markets cannot tolerate. and i join my colleagues in being committed to finding procedures going forward so that this does not happen again, and that the law is enforced against those who breach and break the law.

>> the time of the gentle lady has expired. today we'll receive the testimony of mr. richard smith, who is former ceo and chairman of equifax and adviser to the interim ceo. prior to september 26th of this year, mr. smith had been the chairman and chief executive officer at equifax since 2005. before joining equifax, mr. smith held various management positions at general electric, where he worked for 22 years. without objection, the witness's written statement will be made part of the record. mr. smith, you are now recognized for five minutes to give an oral presentation of your testimony. thank you.

>> thank you. thank you, chairman hensarling, ranking member waters and the honorable members of the committee. thank you for allowing me to come before you today to testify. again, i am rick smith, and for the past 12 years, i have had the honor of serving as chairman and ceo of equifax. over the past month or so, i've had the opportunity to talk to many american consumers and read their letters, those impacted and not impacted alike, and understand their anger and frustration that we have caused at equifax. this criminal attack on our data occurred on my watch, and i take full responsibility for that attack as the ceo. i want every american and everyone here to understand that i am deeply apologetic and sorry that this breach occurred. and that -- i also want the american public to know that equifax is committed to dedicating their energy and time going forward to making things right.
americans have a right to know how this happened, and today i'm prepared to testify about what i learned and what i did about this incident while ceo of the company, and also what i know about the incident as a result of being briefed by the company's ongoing investigation. we now know that this criminal attack was made possible by a combination of a human error and a technological error. the human error involved a failure to apply a patch to a dispute portal in march of 2017. the technological error involved a scanner that failed to detect the vulnerability on this particular portal that had not been patched. both errors have since been addressed. on july 29th and 30th, suspicious activity was detected. we followed our security incident response protocol at that time. the team immediately shut down the portal, and they began their internal security investigation. on august 2nd, we hired top cyber security forensic and legal experts. we also notified the fbi. at that time, we did not know the nature or the scope of the incident. it was not until late august that we concluded that we had experienced a major data breach. over the weeks leading up to september 7th, our team continued working around the clock to prepare to make things right. we took four steps to protect consumers. first, determining when and how to notify the public, relying on the advice of our experts that we needed to have a plan in place as soon as we announced. number two, helping consumers by developing a website, staffing up massive call centers and offering free services not only to those impacted, but to all americans. number three, preparing for increased cyberattacks, which we were advised are common after a company announces a breach. and finally, number four, continuing to coordinate with the fbi and their criminal investigation of the hackers, and at the same time, notifying federal and state agencies.
in the rollout of our remediation program, mistakes were made, for which i am, again, deeply apologetic. i regret the frustration that many americans felt when our websites and our call centers were overwhelmed in the early weeks. it is no excuse, but it certainly did not help that two of our larger call centers were shut down due to hurricane irma. since then, however, the company has dramatically increased its capacity, and i can report to you today that we have had over 420 million u.s. consumers visit our websites and that our call times, or wait times, at the call centers have been reduced substantially. at my direction, the company offered a broad package of services to all americans, all of them free, aimed at protecting the consumers. in addition, we developed a new service, available on january 31st of 2018, that will give all consumers the power to control access to their credit data by allowing them to lock and unlock access to their data for free, for life, putting the power to control access to credit data in the hands of the american consumer. i'm looking forward to discussing in as much detail as you would like that service offering during my testimony. as we all painfully learned, data security is a national security problem. putting consumers in control of their credit data is a first step towards a long-term solution to the problem of identity theft. but no single company can solve the larger problem on its own. i believe we need a private/public partnership to evaluate how best to protect americans going forward. i look forward to being a part of that dialogue. chairman hensarling, ranking member waters, members of the committee, thank you for letting me speak today. i'll close by saying i am sorry again that this breach occurred on my watch. on a personal note, i want to thank the many hard-working and dedicated employees that i've worked with so tirelessly over the past 12 years. equifax is a very good company,
with thousands of great people trying to do what's right every day. i know they will continue to work tirelessly, as we have over the past few months, to right the wrong. thank you.

>> mr. chairman, point of order?

>> the gentleman from california will state his point of order.

>> i would request that the witness be sworn.

>> it has not been the practice of the committee to swear in witnesses. as you know, the witness has to sign, before coming here, that the testimony will be truthful. that should be sufficient. the chair yields himself five minutes for questions. mr. smith, i know this is your fourth appearance before congress. but i think you know it speaks to the gravity of the situation, the number of our constituents impacted and, frankly, the number of committee jurisdiction lines that this crosses. so since you've testified three other times, i will attempt to plow a little new ground. so as you know, there is a lot of focus on -- i guess to use your phrase, once the nature and the scope of the breach was realized, it still took approximately a month before people were notified of the breach. did someone in law enforcement ask equifax to delay notification to the public?

>> mr. chairman, as i mentioned in my written and oral comments, we were in communication routinely throughout the process with the fbi. but they did not necessarily dictate the flow of communication to the public.

>> okay. were there outside data security consultants that advised the company to delay notification for a month?

>> mr. chairman, we worked very closely with mandiant. that may ring a bell. they're viewed as, if not the leading, one of the leading cyber forensic firms in our country. and our outside counsel, a global law firm, came in. and, yes, they both, in tandem with our team, managed the flow of communication externally. i would say, mr. chairman --

>> i'm sorry. did they advise you to delay it for approximately four weeks?

>> they guided us in our announcement on the 7th.
four weeks, mr. chairman. it wasn't until around the 24th that we really realized the size of the breach. and even that continued to develop from the 24th of august to the time we went public on the 7th. and as you may have seen, the company came out -- i think it was this monday -- with continued evidence on 2.5 million more consumers. so it was a very fluid process of understanding the scope, the size and the nature of the breach.

>> mr. smith, i'm led to believe the apache struts cve-2017-5638 vulnerability was first publicized in early march, at which point it was immediately categorized as a critical vulnerability by numerous cyber security authorities. what do you believe is a reasonable amount of time for a critical vulnerability patch to be pushed out and implemented on all affected applications?

>> our policy or program at the time was within 48 hours. and we did that. we were notified --

>> i'm sorry. you did do that?

>> yes.

>> so what happened?

>> so on the 8th of march, we were notified, as you mentioned. on the 9th of march, following standard protocol, communication was disseminated to those who needed to know about the patch. two things happened, mr. chairman. one was human error. an individual who was responsible for what we call the patching process did not ensure that there was communication, in a closed loop communication, to the person who needed to apply the patch. that was error number one. error number two was on the 15th of march. we use a technology called a scanning technology, which looks around the systems for vulnerabilities. that scanner, for some reason, did not detect the apache vulnerability. so we had a human error, as i alluded to in my oral testimony, and a technological error, both resulting in the fact that it was not patched.

>> mr. smith, once equifax chose to notify the public -- there are currently roughly 47-odd state breach notification laws, as you are well aware. so i know we have a patchwork.
but under what breach notification regime did you notify the public?

>> well, mr. chairman, we were mindful of the state laws, and trying to abide by all state laws, while at the same time following the recommendation of mandiant, making sure we had a clear and accurate understanding of the breach. and as i mentioned earlier, that took weeks. it was very difficult to retrace the footprints of these criminals, where they had been, what they had done. we had to recreate their inquiries, weaving in mandiant, our security team and our outside legal adviser.

>> mr. smith, you're located in georgia, correct? was that a georgia regime notification that you followed? i mean, you didn't follow the 47-odd state notification regimes, did you?

>> yes, sir. we are headquartered and domiciled in atlanta, georgia. my point was, we were being aware of and mindful of all state laws for breach notification, while also making sure we had an accurate and clear understanding of what data had been compromised. and that was not until late in august.

>> my time has expired. the chair now recognizes the ranking member for five minutes.

>> thank you very much, mr. chairman. mr. smith, i appreciate your being here today. but i want to understand what capacity you are in today. are you a volunteer, a paid adviser? do you play any role in the company? would you please make that clear to me?

>> yes, congresswoman. i am the former chairman and ceo, 12 years in that role. today i am a -- sitting here as a former ceo, but also someone who has agreed to work with the --

>> are you a volunteer?

>> yes. i'm not paid.

>> you're not paid. and so you came today to try and perhaps explain what has taken place. but do you have the ability to talk about what happens going forward, and how we can correct the mishaps, the errors, the problems of equifax? are you empowered to do that today?

>> congresswoman, i have the ability to talk looking forward from my perspective as an individual who was the ceo for 12 years.
>> but if you make a commitment here today, are you bound by -- in a commitment, do you make it for the company today?

>> no. a commitment is made by the company itself.

>> and so your capacity today is simply to try and explain and take responsibility, rather than how we go forward for the future. is that right?

>> that's largely correct, congresswoman. i do have views, again, on paths forward, and i'm prepared to discuss those. the commitment is actually made by the company itself.

>> well, that creates a little bit of a problem for us today. we have such limited time to deal with so many problems. and while i appreciate your taking responsibility and apologizing, your being here today doesn't do much for us in terms of how we're going to move forward and correct the problems of equifax. our consumers are at great risk. as a matter of fact, i've not been able to freeze my credit with equifax. i can't get through. and you're talking about the improvements that you have made. are you close enough with the company to know exactly what has been done to be available to consumers?

>> congresswoman, yes. i have an understanding of what has been done to make the service level to consumers better. i mentioned in my comments, they have staffed up dramatically on the call centers. i am told -- it's a few days old now -- that the backlog of consumers trying to get through and secure their free services has now been emptied, and that the flow is now almost --

>> i'm not sure about that. and i worry about that. in addition, i'll tell you what else i worry about. how long will consumers be able to get what you describe as free service from equifax? is there a time that's going to kick in where they're going to be charged for trying to straighten out whatever problems have been created because of this serious hacking that has been done?

>> the company has offered five services to every american. not just those impacted.

>> how many?

>> five different services.
i can walk through those if you're interested, which give protection to the consumer and, again, not just those impacted, but any u.s. consumer.

>> for how long?

>> one year from the time they sign up, followed by, in january of 2018 -- under my watch, we started developing this product, which is the ability for a consumer to control access to their data for life. they'll have the ability to lock access and unlock when he or she chooses, versus us being able to do that on their behalf. and that will be free for life, starting in january 2018. it will be enabled as an application on one's cell phone, for example. so very easy for a consumer to use.

>> okay. i might have missed part of that. but if one's identity has been stolen, and usually it takes a long time to unravel that, are you going to provide service and protection and assistance to the consumer until that is taken care of?

>> yes, congresswoman. again, the product we have today -- one of the five services we offer today is the ability to lock access to your file. it will be enhanced in january with an easier user interface. that is the most secure way we have to prevent someone from committing identity fraud by accessing your credit file. you as a consumer determine who accesses it, who does not, and when.

>> okay. but i'm clear. i think what you've said is, when one finds one's self in that position, that equifax will provide them with the service and assistance in perpetuity.

>> for life.

>> thank you. i yield back the balance of my time.

>> the chair now recognizes the gentleman from missouri, mr. luetkemeyer, chairman of our financial institutions subcommittee.

>> mr. smith, i'm still over here. thank you. you know, we have -- i had a long meeting this past week with some experts in data security, and how they can be protected. and one of the comments that was made was that when it comes to information technology budgets, the average company only spends 6% on security.
do you know off the top of your head roughly what your company spent for security out of their information technology budget?

>> congressman, i do. i think what you're referring to is there's a benchmark on percent of the i.t. budget --

>> right.

>> directed towards security. and 6% is the average. ibm creates a benchmark that views 10% to 14% as being best in class. we are in the 12% range.

>> okay. have you put in place, or are you aware of, new protocols that you have got in place to make sure this never happens again at your company?

>> yes. we have implemented multiple protocols over the years, and at the time of the breach, step one was the forensic review. step two was remediation plans, for short-term, medium-term and long-term. we have implemented those. and we have also engaged a world-class consultant to come out and rethink everything we have done for a long-term plan.

>> okay. as a result of this breach, the exposure is ginormous here, quite frankly. i would imagine bankrupt your company if something -- if this was for a number of reasons here. do you have an insurance policy to cover this kind of a breach?

>> yes, i have discussed that in the past. we do have a tower of insurance coverage that is common in our world. it's cyber security general liability insurance.

>> okay. so basically the company is protected, is that right?

>> well, there are -- there are limits to any coverage you have. limits here, as well. i have not disclosed those limits.

>> okay. in your testimony, in both written testimony and your verbal testimony a minute ago, you talked about new security processes, and you were talking here about creating a public/private partnership to begin a dialogue on replacing social security numbers as a touchstone for identity verification in this country. can you explain what you believe is a public/private partnership with regard to this?

>> yes, congressman. there's two thoughts there.
one, the rise and the intensity and severity of cyber security incidents around the country and the world is running at a pace that's never been seen before. i'm convinced there's more we can do, and a public/private partnership, to get ahead of the curve on cyber security, not just reacting to it. number two is, the more i reflect, think and talk to experts in the area of cyber security, i'm convinced there is an opportunity between public and private to rethink the concept of a social security number, name and date of birth as being a -- the most secure way to identify consumers in the u.s. it was introduced, as you all know far better than i, back in the '30s. i think it's time we think of a new way to identify consumers.

>> the chairman did a good job of discussing the notification problems with regard to this situation. can you tell me, what do you believe is a perhaps better way to notify the individuals? i mean, basically, a minute ago you said you basically knew on the 24th that individual data had been breached. and it wasn't until the 7th, which is two weeks later, that you really made a notification to the individuals. even if you can't get your systems up and running so you can take phone calls, don't you think it would be better to have at least notified the individuals, if not by just a public declaration, saying, hey, we've been breached, millions of people's information could have been -- could have been breached, therefore all of you who have -- are in our system need to take precautions, and let them on their own -- take whatever precautions they can, rather than wait to find out if they have been hacked or their information has been breached? don't you think there would be a better way to go about it?

>> congressman, i can assure you, we took a lot of time to think about the notification process. i will make one point of clarification. on the 24th, the knowledge we had surrounding the breach was still fluid. it was fluid through the 7th.
in fact, it was fluid -- the forensics didn't conclude until monday this week. the other thing i'll say is that the cyber security forensic experts recommended that we really prepare ourselves for significantly increased cyberattacks when we went live with the announcement. so between the 24th and the 7th, a lot of energy was spent securing wherever we could secure our facilities to give us the best protection against cyberattacks. and also, as you mentioned, congressman, we had to stand up, in that environment, call centers, train people, staff people, put together the service offering. so a lot of work was being done over those two weeks.

>> the time of the gentleman has expired. there is currently a vote taking place on the floor, with over ten minutes left in the vote. we will clear one more member and then declare a recess pending the end of votes. the chair now recognizes the gentle lady from new york, ms. maloney, capital markets subcommittee ranking member.

>> thank you. mr. smith, as you well know, americans rely on the three credit bureaus, a select group of companies, to safeguard some of our most sensitive information. and it is because these credit bureaus hold this key personal information that we subject your companies to very rigorous data security standards. the credit bureaus are subject to the federal trade commission's safeguards rule, which is intended to ensure the security and confidentiality of the information. so we have a law in place that protects, supposedly, against exactly what happened here. and now we'll see if the ftc is willing to enforce it. and if they are not, then we'll know that equifax is clearly above the law. the safeguards rule requires, among other things, that equifax have an information security program in place that can identify reasonably foreseeable risks to the security of your data, and can protect against these risks.
this risk was obviously reasonably foreseeable, because the department of homeland security literally sent you and the other credit bureaus notice warning you about the exact vulnerability that the hackers exploited. and yet your security program did not protect against this obviously foreseeable, announced risk. so in my mind, this is the most open and shut violation of the safeguards rule that i have ever seen in the history of this country. so my question to you, mr. smith, is, do you believe that equifax violated the ftc's safeguards rule?

>> congresswoman, i understand your point. and it's my understanding we were in compliance with the safeguards rule, and that the safeguards rule does not prevent 100% against data breaches.

>> how in the world could you let this happen when you were warned by the homeland security department? my second question. the safeguards rule also requires you to have a patch management system, essentially a system in place to patch security flaws as soon as a fix for the flaw is released. but you have testified that your patch management system failed in this case. even though there was a patch released almost immediately, equifax did not implement the patch like it was supposed to. now, i wrote to the other two credit bureaus a letter about their information security programs to make sure that their systems were fully protected. and one of them wrote me back, experian. they wrote me a very detailed response, which i would like to submit to the record.

>> without objection.

>> and it explains their patch management system functioned correctly. and when they got the notice from homeland security, they immediately implemented the security patch. they also stated that their patch management system will literally shut down. it won't even work. it shuts down automatically if a patch isn't implemented immediately.
so my question is, why didn't your patch management system automatically shut down your systems when the security patch wasn't implemented? why was this flaw allowed to go unpatched for months before you noticed it? >> congresswoman, a patch has got to be identified. we are routinely notified -- >> it was identified by the homeland security department when they notified you. you already testified that your person failed to implement it. >> yeah. i was referring to it's got to be identified by us, not by the outside. either software manufacturer -- in this case, the department of homeland security. as i said, my oral testimony -- >> my time is almost up, and i have one more question, and i think it's important. you may not know this, mr. smith. but it is actually considered best practices in a company with lots of sensitive, personal information to have their chief information security officer have independent business lines that report directly to the ceo and to the board of directors. but at equifax, you were using an outdated corporate governance model, and had your chief information security officer reporting to the general counsel. not directly to the ceo. so my question is, why was your chief information security officer not reporting directly to you and the board? and why were you using an old model? was it because you don't think that information security was important enough to be reported directly to you? >> congresswoman, i don't believe it matters where the chief information security officer reports. it was a priority for me. it was a priority for the board. it was a priority for the company. having -- >> but it wasn't reported to you or the board. >> does not hinder -- did not hinder our ability -- >> and it violated best practices for security companies. >> time of the gentle lady has expired. there is one vote pending on the floor. the committee stands in recess pending conclusion of that vote. 
[ banging gavel ] [ banging gavel ] the committee will come to order. the chair now recognizes the gentleman from new mexico, mr. pearce, chairman of our terrorism and illicit finance subcommittee, for five minutes. >> thank you, mr. chairman. and thank you, mr. smith, for being here today. to just try to get the playing field underneath us, you had described the processes at equifax with regard to outside hacks to be very engaged and pretty professional. we had a human mistake, more or less. is that kind of correct? >> congressman, i would say obviously we committed two very unfortunate errors. the one you mentioned, which was -- >> no, i'm asking about the overall culture and the approach to security, understanding that you've got a lot of critical data here. >> yes, i would describe the culture and the focus as one that put a top priority on security, yes. >> yeah. how much of your time in your 12 years did you spend each day, say, on cyber security? >> congressman, when i first came here, we had no cyber security organization. i made it a priority 12 years ago to engage consultants to help us scope it out. we went from basically no people -- >> how much time -- >> to 225. >> how much on the subject? >> we had routine reviews. >> no, you personally. you had routine reviews. how many times had the apache been fixed? how many times had it been patched underneath your watch? >> we have vulnerabilities in general terms across software. the apache struts, to the best of my knowledge, this particular open source software that was one notification was march 8th. >> the -- so is the firm still using that software? >> it was deployed in two locations, and it's been patched. >> but it's still using it? because when i -- i mean, so i'm not that savvy on all of the cyber crimes and stuff. 
but when i hear the secretary of the treasury say that 50% of his time every day is spent on cyber threats, i was trying to get some sense from you how much of your time every day, because this is probably one of the more critical things. and when i didn't get a very solid answer, then i tend to fall on the side that says there's a little bit of a lax culture here. i just googled apache struts to just -- opened the first website. and it talks about something that came out open source, and it was pretty good. but they have kind of lost their way back three or four years ago. i mean, to be using a piece of software that even just the first google says three out of five stars, we probably ought to be looking at better alternatives out there. and then you install these patches that come out, and no one actually responds to them, and i don't know who exactly -- so who made that decision and where in the hierarchical system did that decision not to implement the patch that was suggested -- where does that decision come in? >> again, on the 8th of march, the notification came out, as you alluded to, from the department of homeland security. the security team sent out a communication to the organization. the patching process, to be clear to your question, was owned by the chief information officer who was under his -- in his organization. >> where in the -- surely somebody more than just an agent at the field level -- >> yes -- >> was tasked with being sure that we don't have any vulnerabilities. surely it was not that low. so is that -- has that decision-making stream been made public? >> the owner of the process for patching was a direct report to -- >> no, i'm talking about internally in equifax. don't worry about who out there offsite, because you're the one responsible. so is that decision scheme -- the decision process made public, and can we know who -- can we get that information? >> congressman, let me clarify now if i may. 
the owner of the process internal to equifax with the patching, in this case of apache struts, or any software that needs to be patched, was an individual who was a direct report to the chief information officer. >> okay. i'm about out of time. now, your assertion that this is just human error overlooks the fact that you have unencrypted information. anybody that gets in can just read it. it's not encrypted. is that industry standard, that we don't encrypt? >> congressman, that's not correct. we use tokenization. we use encryption. we use masking. >> your testimony a couple days ago answered that you had a lot of information that was just in plain text. i think those all indicate, and the fact that we haven't identified the process indicates, a culture internally that was very lax, in my opinion. thank you, mr. chairman. i yield back. >> the time of the gentleman has expired. the chair now recognizes the gentle lady from new york, miss velazquez. >> thank you, mr. chairman. mr. smith, in your testimony, you stated that you are deeply sorry that this event occurred. and that you and the equifax leadership team have worked tirelessly over the last two months to make things right. however, according to an article in "fortune" magazine published on september 26th, you're retiring with a payday worth as much as $90 million. so my question to you, sir. do you believe it is right for you to walk away with a payday worth $90 million when the lives of more than 145 million hard-working americans have been potentially compromised? >> congresswoman, again, i deeply apologize for the breach of those american consumers. i've heard of this article. i can't reconcile that number. let me be very clear. >> how much are you getting in your retirement? >> if i may. when i retired, i did announce my retirement at that time. and i also told the board back in early september, mid september, that i would not take a bonus going forward. 
i also told the board that i would be an adviser, unpaid, helping the board and helping the management team for as long -- and i asked for nothing. the amount was disclosed in a proxy and that was a pension that i've accumulated over my career. and that is some equity that i've earned in the past. >> so you told the ranking member that you are here in your capacity as an adviser to equifax now. >> unpaid. >> okay. and so are you advising equifax to set up a compensation fund for impacted consumers to help them rebuild their lives? >> congresswoman, the advice i gave the board and the management has been followed, and that was to offer five free services for one year followed by the ability to lock and prevent identity theft against their credit files. >> but that's not a compensation fund. >> correct. >> so, mr. smith, as ranking member of the house small business committee, i am concerned about the impact this historic breach will have on our country's 29 million small businesses. as you know, the availability of business credit is often inextricably tied to the owner's personal credit score. last week, senator shaheen and i wrote a letter requesting information about equifax's efforts to help small business clients. but we haven't received any response. so what steps is equifax taking to educate small businesses? and what it means for their businesses? >> congresswoman, i understand the question. if we have not responded to your letter, i'll make sure that the company does respond in writing to your request. specifically to your question, however, if a small businessman or woman was also the proprietor of that company as an individual, they would be covered by what we're doing for them going forward, offering this free lock product for life. number two, to clarify, if i may, small businesses in america are very important customers of ours. >> i know that. >> and we have told them and others through different functions they have not been compromised. 
the data we have on small businesses was not compromised. >> they were not compromised. >> if you are an individual, again, as i have said, as a proprietor, you're covered by the services we're offering for free. the small business database that we manage was not compromised. >> so let me ask you, how is equifax working with lenders to establish a safe way to check credit scores for borrowers seeking a small business loan? >> again, congresswoman, if you are a proprietor of that small business, you have the ability to access all the free services that we just discussed. >> so this past monday, it was announced that approximately 2.5 million additional u.s. consumers have been potentially impacted by the breach. can you assure us that there will not be more discovery of even more consumers who have been potentially impacted as a result of this breach? >> it's my understanding that the press release that came out from the company on monday not only said 2.5 million consumers were impacted additionally, but also that the forensic review by mandiant was now complete. >> the time of the gentle lady has expired. the chair now recognizes the gentleman from michigan, mr. huizenga, chair of our capital markets subcommittee. >> right here, sir. up. right up here. as the chairman had indicated, i chair the capital markets, securities and investment subcommittee, where the securities and exchange commission falls under that purview. you obviously know that under sarbanes-oxley, you have certain duties and responsibilities as a ceo. not just in the running of the company, but in the paperwork filing that has to go on and be filed with organizations like the s.e.c. was data security ever an area you listed as a deficiency in regards to any of these sarbanes-oxley requirements? >> congressman, i can't recall it ever being described as a deficiency or filed as a deficiency. it is routinely communicated in ks and qs and other means. >> but you had internal controls. >> yes. 
>> all right. and presumably you do your analysis on that. >> yes. >> so data security was never a part of that. >> not that i -- as far as a control issue? >> well, as a control issue or as an area of concern. >> it's always viewed as an area of risk for the company. i don't ever recall it being communicated as an area of concern with lack of controls. >> okay. under s.e.c. rules, when you have a material change in the condition of your company, you have to file a form commonly known as 8k. that 8k form is there -- regarding financial condition or prospects. and when significant events have occurred. when did you file that 8k? >> i don't recall. >> according to my information, it was september 7. >> that makes sense. that's the day we went public with the release on the breach itself. >> okay. and i had heard in earlier testimony that you had not been directed by the fbi to withhold information from the public or to slow walk or to do anything, right? this was not a directive from either federal government or fbi or any other law enforcement agency or any of your consultants. >> maybe two different questions there. the fbi specifically involved from the second. it was a very fluid series of communication through the -- in fact, today, even. the -- >> but, no, they did not -- >> not the fbi. you said the consultants. the consultants did guide us on the communication. >> okay. did those same consultants tell you you better file that 8k? >> the 8k, as you mentioned, was filed on the 7th. >> on the 7th. but you discovered this in july. >> congressman, all due respect, we did not discover it in july. in july, the 29th and 30th, someone on the security team noticed what they described as suspicious activity. and to put it in perspective, we as a company see millions of suspicious activities against our data from outside every year. >> so you had an indicator. let's call it an indicator. july 29th. you hired a consultant based on your previous testimony, august 2. 
correct? >> that is correct. >> okay. so why did it take a month-plus -- five weeks, to file a form with the s.e.c.? and coupled with that, when did you let your board know about this? >> i'll answer both those, if i may. so as i talked about in the written testimony and the oral, from the 2nd of august when mandiant, the cyber security firm, was hired, and king & spalding was hired, a global law firm, very fluid. they had to rebuild the footsteps of the criminals, where they had been. they had to rebuild the inquiries. it wasn't until late august that there became an indication of a significant -- >> okay. so let's even take that. it still then took two weeks for you to file an 8k, which in the meantime you had executives that sold shares. you had the public that was thinking nothing was wrong, was buying and selling shares of equifax. you know, would a reasonable shareholder have gotten some of this information, and said, hey, wait a minute, there's something going on at equifax. maybe i'm not going to purchase that stock. that seems like that would be a reasonable step for an investor. >> congressman, if i may, let me address the point you made on the sale. the sale by the three individuals -- individuals, two was back in august -- >> got it. regardless -- i know it was prefiled. i'm not saying that there was necessarily insider information or something nefarious with that. what i'm pointing out to you is that even though your own executives -- if they didn't know this was going on and an 8k has not been filed, it seems to me you've got the public both coming and going. that you've not only the data, but also the fact that you falsely put your stock out there at a particular price. mr. chairman, my time has expired. >> time of the gentleman has expired. the chair now recognizes the gentleman from california, mr. sherman. >> mr. chairman, i'll renew my request that the witness be sworn. 
when john stumpf was here, his company had adversely affected only 3 or 4 million consumers. we swore in that witness. that is the precedent of this committee in situations like this. >> the chair has already spoken to the matter. >> mr. smith, you made a point of -- that you're an unpaid volunteer for your company. i want to thank you for that service. aside from the $90 million, you're uncompensated. i know you've disputed the $90 million figure, so i would ask you to respond for the record in detail how much you have made, pensions, stock options and salary from equifax during your term there. and we'll see whether the reports of $90 million are accurate. time line. there is the period march to july when you should have noticed or your company should have noticed the problem, should have paid attention to the homeland security advisory, et cetera. but on -- so that's one part of the time line. another part starts on july 1 when your chief information officer told you about the attack and that the website was shut down. now, there are those in this committee room who have said that the company didn't act immediately on that on july 31. that's not entirely true. in just one day, august 1st, three of your executives sold $2 million of their stock. that shows an immediate action right after the cio report. did your company have any policies on allowing executives to sell stock, getting legal advice before they do so, et cetera, or is it up to each executive to decide how to obey the securities laws? >> congressman, let me address one, there was never a report on the 1st. it was a verbal communication. >> but you were told, and the website was shut down. something pretty significant happened because the next day, your executives sold $2 million worth of stock. answer the question, whether your company has a policy of getting approval and legal review before your executives sell stock? 
>> there is a clearing process. >> and how would you get approved through the clearing process, the day after the information officer is notified of a data breach? >> they all followed the process. >> you don't think the process is broken if it approves a sale of stock within 24 hours of when the ceo gets a report of what turned out to be the most important data breach we have had in your industry? >> congressman, i have no indication this process was broken. these three individuals who sold, to the best of my knowledge had no -- >> just your luck. now, the initial response of equifax was to have a website, advertised as your way to help consumers and then in the website you tricked consumers, this was the plan, tricked consumers into foregoing their right to sue. whose idea at the company was it to do that? >> the arbitration clause is what you were referring to. we never intended, when we found out the arbitration clause was in there -- >> you found out? it popped in and you didn't know it was there? >> it was never intended to be in there with the free service. it was removed within 24 hours. >> after a huge outcry, including many members of this committee. you have put out press releases telling people they may be among the 30 million or 40 million people. is it up to them to go to your difficult to use, overburdened website to find out? >> we followed what we thought was due process, we sent out press releases, instead of a website. >> how about notices? are you going to give notices to 140 million people? >> no, sir. >> you going to send them an email? >> no, sir. >> so everybody out there figures there's a 2/3 chance they weren't affected and you do nothing, and you've exposed their data and you won't give them a notice, not even an email? >> 420 million u.s. consumers have come to our website. >> 420 million u.s. consumers, that's more than the number of people in the country. >> several have come several times. >> so several have not come at all. 
>> the gentleman's time is up. >> mr. smith, forgive me if i appear a little bit more disturbed or harsh than some of my colleagues, but this issue hits very, very close to home for me. this past year my tax identity was stolen. and to be frank with you it has been a complete and utter nightmare. for me, this isn't just another data breach, it is a breach of trust. when we learned that our tax identity was stolen, guess who we turned to for help? that's right, the credit reporting agencies. so although giving a free year of credit monitoring is a good step, first step, i should say, i don't have much confidence, to be perfectly honest, in the product, sir. in addition, as chairman of the oversight and investigations subcommittee, i will be closely monitoring the additional facts that come out regarding this case, especially those concerning the sale of stocks by executives at equifax. although none of us should, i should say, prejudge before knowing all the facts, and i'm sure that the sec and doj will get to the bottom of this. let me start by asking you this, briefly, mr. smith, what would you tell people like me, people who have previously experienced identity theft of some kind and turned to equifax for help? what do you say to these people who feel completely at a loss for what to do next? how can anyone possibly ever trust, and we have talked about trust here at the committee, this company again and be confident that they can be protected in the future? >> we're a 118-year-old company. and protecting and being a trusted steward of our data is paramount to our ability to gain trust, have trust with consumers and companies around the world. what i would tell consumers is first, please go to our website, take advantage of the five offerings that we have offered for a year for free. and secondly, january 31st, when the new lifetime lock product becomes available for free for life, i would strongly recommend that every american go get that product as well. 
>> i recently read comments by richard cordray who -- as you know, the cfpb started providing credit monitoring, but not its cyber security systems, which has been left to the ftc. what interactions did you have with the cfpb prior to the breach of cyber security? >> obviously we have been in communication with the cfpb since they have been our regulator and i have personally been involved in -- >> prior to the breach? >> i was not personally involved with the cfpb regarding cyber security. >> what interaction have you had with them since? >> i have not had interaction with them. >> i want to take advantage of this opportunity to ask you some questions -- can you detail what categories of consumer information were accessed during the month-long breach? >> we tried to be clear in the series of press releases we have had in the past, that the consumer's core credit file, which is a credit history with us, was not compromised. we talked about a database we have where someone asked over here on small businesses, we have a database on small business, that was not compromised. >> what kind of personal identification information specifically? >> as we have disclosed in press releases, date of birth, name, social security number, i think there were 200,000, 209,000 credit cards that were compromised. there was a document, congresswoman, called a dispute document, where a consumer could dispute that they paid an obligation, take a picture of that, for example, upload that into the system, that was another example that was compromised. >> let me ask you this, mr. smith, what sort of financial products could be opened in my constituents' names if that information was part of the breach? >> if the consumer takes advantage of the free service and locks the file, no one has a way to open it. >> i thought my files were locked before. when my tax information was breached. again, my trust in the product is at an all time low. 
i have several more questions, i'll submit them for the record. >> i now recognize the gentleman from new york. >> i agree with the ranking member, i'm here, i'm going to ask you questions, you know, you're unpaid, you say you're no longer really with the company, you're an unpaid advisor, i don't know what we're going to do with reference to the -- i know that when a consumer has a problem, they can't just get out of it in the way that, you know, some kind of measly explanation or something of that nature, and it's all over with. and you have an extra -- or equifax, your former employer, has a -- because of the nature of the business in which they are in, they have a special responsibility in regards to cyber incidents and i think that, you know, it's probably a problem -- it's definitely clearly a problem with equifax, but probably a bigger problem across the board, with all public companies. there was a pricewaterhousecoopers survey that found 23% of corporate directors did not discuss crisis planning with management and that 38% of directors did not discuss their management testing of these crises. and consistent with this data it seems that equifax's board and management failed to plan for this crisis. equifax's failure to respond to a homeland security department warning, the delayed notification to the public and the company's arbitration clause misstep that you acknowledged today and yesterday at the hearing are just a few examples of equifax's lack of preparation. so what i'm trying to find out is, prior to this breach, did equifax ever adopt a written breach response that included a formal process for notifying the public and regulators, or did equifax merely formulate a cyber crisis plan post the breach? and secondly, prior to the breach, did equifax ever test a crisis plan in anticipation of a cyber breach, because you know the significance of the data that you were here to protect. 
and finally, if you say that there is, can you share with this committee the documents with evidence of equifax's former cyber crisis response plan? >> congressman, i understand your question and yes, we did have and do have written documentation on crisis management, including cyber, obviously being one of the top crises we could face as a company and have faced. we can reach out to management, have them provide you that crisis management documentation, we'll do that. >> and now was there any -- my other two questions, was there a written breach response? as opposed to planning what you would do, something that you would say, and did you test it, you know, a crisis plan in anticipation of a breach, so that if, like a fire drill, if something should happen, this is what we're going to do, have a plan? have you done that? was that done? >> yes, congressman, it has been done. the real life challenge is when you look at the size of this breach and the fact that we offered it to every american that was a victim or not a victim, the sheer scale of trying to stand up the environment from a technology perspective, hire thousands of people, that take weeks to train, you can't just hire 2,000 people, 3,000 people and expect them to be trained and impactful day one. as i mentioned in my oral testimony, the team has gotten better each and every day from a technological perspective in the web environment and from the call centers. but again, i do apologize, you mentioned a few of the things where we made mistakes early on. but yes, we do have and have practiced -- >> let me disagree with you, for example, you know, the kind of information that you were to protect, you've got to make sure that each and every individual you hire is prepared. 
it's like information that we have at the cia or some other places, protected documents, they can't hire somebody and say oh, well, we can take a chance and maybe they'll learn while they're on the job and if something happens it will be okay, we'll just excuse it. you got to be sure that you're putting individuals in and have a plan that's going to protect folks because of the nature of the information of which you're given and because of the numbers of people that are dependent upon you to protect that information. >> i understand your point. >> the chair now recognizes the gentleman from wisconsin, mr. duffy. i would recognize the gentleman from kentucky. >> mr. smith, a representative from your company, i think, put it well. he said americans expect their mortgages to be approved on time, their auto loan applications to be accepted while they're at the dealership and their retail credit approved while they're at the counter, disrupting american credit would hurt the economy. can you describe for us how this breach and this painful experience for the american people, how this may very well disrupt that miracle of instant credit? >> congressman, if we were to get to the point where we allowed consumers for example to opt out of the credit system, that would be devastating to the economy. if we don't allow consumers that ability to instantly lock and unlock at the point of underwriting, to your example, that could be devastating for the flow of credit in our economy. so the intent of the lifetime product that we're going to roll out january 31st is to give that consumer the security level that he or she deserves with the ability to instantly turn on and turn off access to the credit so that the flow is uninterrupted. 
>> can you tell me about credit freezes as a solution, or maybe not the best solution, to problems like this, and what we're talking about here is a consumer telling a credit bureau to not release a credit report unless the consumer contacts the bureau in advance to say otherwise? >> the credit freeze itself, congressman, was something that was born out of regulation in 2003, and put into law in 2004, and it often times is confused with a credit lock, so if i may take a second and talk about both. a credit freeze, from a consumer's perspective, largely provides the same protection as a credit lock would, however states mandate different means of reporting between the consumer and the credit reporting agency, that sometimes can be cumbersome, phone calls to the credit bureau, so that flow of credit can be disrupted. the idea of the lock is to make it far more user friendly, where you can be on your smart phone and toggle on to lock and toggle off to unlock. >> so as we look at data security, you talked about the many different state laws that you have to navigate, tell us your view after this painful experience of what you think would be a solution. would a national uniform breach notification rule be better for the american consumer? that's what a lot of us are thinking in the aftermath of this breach. >> i have not given that much thought, congressman, but i will. >> what about fraud alerts under the fair credit reporting act? are they sufficient? >> i think the most -- they do add value, fraud alerts do add value. the monitoring of those alerts gives people peace of mind. this concept where consumers can control who accesses their credit data, with a lock, and i think the next step forward there would be to not only have equifax offer that -- but imagine the consumer being able to lock and unlock for free for life, all three credit bureaus, to give them that protection. 
>> you talk about the steps you took after learning of the breach and why it took a while to notify the american people about the breach? why did it take so long, i would think the american people would expect more constant -- >> we were driven by a couple of thoughts, one was making sure we were as accurate as possible in who was impacted and who was not. and that just took time, as i alluded to, that took place in the late weeks of august. and the cyber forensic examiner, viewed as world class in what they do, had advised us to expect an increased frequency of cyber attacks and we had developed plans to make sure we're prepared for those attacks. >> my time is expiring. can i just ask you, if one of my constituents approaches me with a problem, will you commit to me to working with our office to help any person who comes to my office with a problem? >> i do. >> votes are currently taking place on the floor and the chair intends to recognize one more member and then go into recess. the chair now recognizes the gentleman from massachusetts for five minutes. >> mr. smith, i want to join my colleagues in saying i don't have a clue why somebody who doesn't work for the company is here. is there anybody in the audience that you know of that currently works for equifax and has the authority to change internal company policies? is there anyone in the audience that you know of that has that ability? >> no, congressman. >> oh, well this is great, thank you for coming. from this point forward, don't take it personal, because i know you can't do anything about it. but i will use you because i'm hoping that one or two people back in the company are watching, maybe not, probably not, because they don't care, but we'll find out. is it fair and accurate to say that at any given moment equifax has the credit information of roughly 2 million americans? >> there are 10,000 people back working at equifax that do care. 
>> fine, just answer my question. you can defend the company when they put you back on the payroll. since you don't represent them, how would you know?
>> i spent 12 years there, that's how i know.
>> yes, it's over 200 million u.s. consumers.
>> and your accuracy rate is about 95%.
>> how are you defining accuracy?
>> no errors of significant numbers?
>> you're referring to the credit file itself?
>> yes.
>> there was an independent study a number of years ago, and it found that if you defined an error as something that has a negative influence on the consumer's ability to get a loan, no goes to yes, yes goes to no, it's well over 99%.
>> i use 95%, because that's what i read, but the numbers will be close. you have 200 million records, you have a 95% accuracy rate, which means a 5% error rate, so that's 10 million americans who you have financial records on, and you have 500 service reps, that's 20,000 customers with a problem that your company created per service rep. now you get 145 million, you're ramping up, you're going to hire give or take 3,000 service reps, 145 million, at least 48,000 people with a problem you created, not you, your former company created, per service rep. 48,000, you think that's good?
>> two points of clarification. i disagree with your math. with all due respect, the math we have is 99%. and two is, most of the disputes, if you have an issue with your credit file, we have an online electronic --
>> let's talk about that for a minute. i'm sure, since you were the ceo in 2014, you're familiar with the case of miller versus equifax?
>> yes, sir.
>> you've heard of that case, i'm sure.
>> vaguely, yes.
>> that's the case where the judge found -- as a matter of fact, congratulations on that case, because in that case it was actually determined that you didn't have to pay an $18 million penalty, you only had to pay a $1.5 million penalty, because that's the most that the law allows, and the judge said that your actions were reprehensible.
those are her words, not mine, and it's stated very clearly here that your own expert testified that it was equifax's policy to correct files only after a lawsuit is filed, which is why i wanted to talk to somebody in the company and see if they're willing to change that, but since there's nobody here, i guess not. and i just wonder, you think that that's okay? you thought, apparently you thought that was a good policy in 2014?
>> congressman, if a consumer has a dispute on something on his or her credit file, we take that seriously. they have the ability to communicate with us electronically or over the phone, and we work with the furnisher.
>> but in this case you ignored it and didn't do anything about it, and the only reason there's a lawsuit is because two people with the same name of miller, their records got combined, and you refused, after you had been shown repeatedly for years, to do anything about it. it happens all the time. every one of us gets complaints from our constituents, and the other two, your company is no different, that treats them like dirt. they can't get student loans, they can't get credit cards, because you won't do anything, by your own policies, admitted by your own people who used to work for the company, that say we don't do anything until you file a lawsuit. so here in my last few seconds, i'm going to speak for america, to the 145 million people: file a lawsuit and maybe you'll get some equity, otherwise they're going to keep doing to you what they have been doing to you forever.
>> the time for the gentleman has expired. votes are pending on the floor. the committee stands in recess.
>> the committee will come to order. i recognize the ranking member.
>> pursuant to clause 2j11.
i'm submitting for your consideration a letter signed by all the democrats of the financial services committee notifying you of our intent to hold a democratic hearing, also known as a minority day hearing, on the equifax data breach. i look forward to working with you to determine the date, time and location of such a hearing.
>> the demand being properly -- will be held with the concurrence of the ranking member once the hearing day is scheduled. we now hear from the gentleman from california, mr. royce, chairman of our foreign affairs committee.
>> i thank you and i thank mr. smith for being here today. since september 7, my office, i'm sure all of these offices, have received a lot of angry and anxious phone calls and emails from our constituents, and i think one of the things that really stands out is how could a company that deals in data not protect that data. i think the answer lies in what your company did not do. you did not protect their personal information. you did not encrypt that data. you did not patch a vulnerability that you were alerted to on march 8. you did not disclose the breach to the public until 117 after it occurred. and then on top of it, the insider trading allegations i think only add fuel to that fire. so let me turn to my questions. before september 7th, who else, outside the company and your hired legal counsel and the fbi, who else was made aware of the breach? was the ftc notified?
>> at the appropriate time all appropriate outside constituents were notified, including the ftc.
>> let me ask you this, mr. smith. according to media reports, lifelock executive fran roesch was notified before the hack became public. according to that individual, he got a call while vacationing in maine. are you aware of this? do you know who called mr. roche to give them the heads up?
>> no, sir, i'm not aware of that.
>> according to bloomberg, armed with information only a handful of people had at the time, mr.
roche mobilized the rapid response team. he knew the company would receive an onslaught of calls and signups in the coming days, and i'll quote from bloomberg, he was right. in fact, the phones were ringing off the hook. he bragged that it was bigger than the anthem breach, bigger than anything they had ever seen before, a 10-fold increase in lifelock customers, and here's the kicker, quote, from him: most are paying the full price rather than discounts. i think that means most were paying $30 instead of $10. it's a really incredible response from the market, unquote. i'll tell you what's incredible here. that actually, your company profited off the relationship with lifelock, which is a company to which you provide credit monitoring services. so that, here's the point i would like to make, so lifelock gets this heads up. did credit karma or intersections or the other competitors, did they get similar notice?
>> again, congressman, i'm unaware of the lifelock discussion, let alone anyone else.
>> it's fair to say that lifelock benefitted from both the breach and the foreknowledge of it. lifelock's parent company had seen its stock rise by more than 10% since the breach was made public. mr. smith, do you or any current executives at equifax own stock in symantec?
>> i don't know, sir.
>> what i would like to know is if you could provide a list of any executives who do. because someone notified them in advance, someone in the company gave them a heads up so that they had an opportunity to get the phone bank ready and, in advance of anybody else, start calling about their service at a price of $29.99, instead of the $9.99 discount, and that obviously was a great benefit to that company. somebody tipped them off on the inside, and i think it would behoove equifax to find out who that is. and if you could start by finding out which executives own stock, that might help us get to that answer.
>> congressman, your source was bloomberg, is that correct?
>> that is correct.
>> we'll look into that.
>> very good, i appreciate it. yesterday in the senate, the question was asked if we had seen any evidence --
>> the time of the gentleman has expired. the chair now recognizes the gentleman from georgia, mr. scott.
>> thank you very much, mr. chairman. good to have you, chairman. first of all, i want to make a couple of points very clear. i represent the great state of georgia, i love georgia. and when this news first came to me, my staff reported it, i immediately wanted to do all i could to make sure that we could be able to make sure that out of this, that after this, equifax would be standing tall. that they would be clean. that is my objective, as the congressman from georgia, because as you said, you represent a legacy of our great state, you are a 128-year-old company, you employ 20,000, 30,000 people, many of whom are my constituents, many of whom work and toil in the vineyards at your company, and they are great people doing a great job. it is important for the american people to know that what we have before us is a despicable, a shameful situation, for 145 million american citizens to lose the privacy of their social security number and all of that, but let it be known that it is the top management, it is you, who is responsible for this. now, what i want to do is to be at the front of this spear, to make sure that equifax regains the confidence and trust of the american people. so my comments here to you, mr. ceo, are going to be geared to that. first of all, i want to call, mr. chairman, and be the first one to call for an investigation by the justice department, by the cfpb and certainly by the sec. now mr. smith, you're leaving this company. but there are others who are going to be there. and we have to make sure that equifax comes out clean and standing tall. now, what disturbs me, perhaps more than anything, was the timeline. you said that you became knowledgeable about this breach on july 31st.
but here's what happened. on august 1, your executives sold $2 million worth of stock. and not only that, mr. ceo, former ceo, it was your chief financial officer who led that charge to sell that stock. now nobody's going to tell me you're getting information on july 31st and here they go dumping their stock less than 24 hours later. that has to be investigated and cleared, if we're going to get the confidence of the american people back. so it's this insider trading, anybody can see that, and i'm sure, and i hope that your predecessor, your -- the guy who's going to be taking your place, i hope he's listening. that would be the first thing, and then the second thing, we need to make sure that these guys who sold that stock, who made $653,000 in savings from that stock with that inside information, that they pay that money back, and that they are fired. 143 million people losing this is no justification. we have got to make sure, and you have got to make sure, that we clean this mess up. now i want to talk about the other way in which we can do this. you mentioned numerous times that it wasn't the intent of equifax to include the arbitration piece. well now some have it, some don't. that's the next thing that needs to be done. no more of this arbitration clause. when you do things like that, the public will take notice. our job is to clean that mess up and make sure we bring equifax back standing tall. we owe that to the american people. now the other thing that i would like, finally, is my staff informed me that most mortgage lenders pull all three reports from the big three credit reporting agencies, equifax, transunion and experian, so when you talk about this new lifetime lock product, it's not going to be effective unless everybody does it. i wish i had more time, but we're going to clean this mess up and we're going to restore the integrity and the trust of the american people.
>> the time of the gentleman has expired.
the chair now recognizes the gentleman from illinois.
>> thank you, mr. chairman. i know many of us have been hearing from our constituents, i certainly have. marty says equifax has -- they should have done it for me or pay me to do all this of signing up and paying for these credit reports? someone should go to jail for this. another constituent said, this careless act caused the loss of personal information on a scale never seen before, because they failed to patch their servers for a known problem. combined with the careless handling of highly sensitive personal information, their action went far beyond carelessness to negligence. legislation should be put forward to increase regulation on these agencies. equifax must be held accountable and liable for all damage that caused the breach, and all credit reporting firms must be held to a higher sense of security. and my personal information has been -- both companies are offering a limited subscription to identity protection companies. hpf is offering a free year subscription to protect my id, owned by experian. it seems like a twisted marketing campaign to me, he said. home point claims to have lost those social numbers, birth dates, driver's license numbers. many of these numbers cannot be changed. what good is a one-year membership? this data is lost and valuable until i pass away. the one person who -- wants me to pay to help protect me from its eventual use. it's time that all these companies are held liable and forced to offer lifetime memberships. please help us, all of us, this is out of control. many other constituents glen concerned, talked with parents of young people whose information has been compromised. when this committee sends requests for records, of which there will be many, will the response come from you or equifax?
>> they'll come from the company, congressman.
>> and how should we respond in getting those answers from equifax?
>> i'll make sure someone from the company reaches out to your staff.
>> that would be great. equifax has been investigating the breach now for over two months. has the identity of the hackers been determined?
>> no, congressman, it has not. as you know, we're engaged with the fbi, and the fbi is running that investigation for us.
>> do you have an opinion of whether it would eventually be determined who did it?
>> i do not.
>> did outside security firms say there should be a delay in notifying the public? what --
>> it was a team effort, and relied upon the input from our outside forensic examiner, the global law firm that we talked about, and our team, trying to balance accuracy, clarity, transparency with the urgency of contacting the consumers.
>> was an event like this in the scope and scale contemplated by your security staff in a preventable sense?
>> yes, there was a crisis management process that we have had in place for quite some time, and the data breach is one of the crisis examples that we practice routinely.
>> it doesn't appear that you were ready for it. and, you know, that's our question, of the incredible delays. you have heard from my constituents, this is just a small sampling of the incredible frustration and fear that their information has been compromised and they don't know if it's ever going to change, echoing what one of them said, this is information that can't be changed, you can't go back and get a new birth date or a new social security number. if equifax had notified consumers within one week, did equifax have the ability to do so?
>> we moved with haste, as i mentioned in my oral testimony and my written testimony. it wasn't until august that that was continuing to move, and we moved as quickly as possible thereafter.
>> has there been any uptick in identity theft or fraud since the breach?
>> not that i'm aware of.
>> would you expect something like that to occur, and why might there not be an uptick yet?
>> if consumers take advantage of the services that we're offering, congressman, to lock their file, that will give them great protection.
>> obviously there's a concern when it is still the same entities that are involved. i yield.
>> time has expired. the chair now recognizes the gentleman from illinois, mr. foster.
>> what i would like to talk about are things that congress could have done before this that could have prevented it. you would have needed a team that's looking every day for security breaches, which you obviously didn't have in place, so one way to make that happen is by making a requirement that you actually carry enough insurance to make customers whole when this thing happens. it's my understanding that statutory damages for a breach like this are roughly $1,000 per person, which means that the total potential liability for 140 million people is $140 million, more than 10 times the market capitalization of equifax, so you clearly can never self insure, or at least a company with your business model could never self insure. on the other hand, some of these have settled for a lot more, a lot less, just a few dollars per person for a data breach incident, so it's not clear what it should be. so my question is, what would you personally, for yourself or one of your family, want as remuneration for having your private information up for sale on the dark web?
>> congressman, the suite of services we're providing for free in some cases --
>> no, i'm saying, if i came up and said i want to publish your information on the dark web, would you do it for $1,000, personally, or on behalf of members of your family?
>> no, sir.
>> $10,000, $100,000? everyone has that number, but it's well north of a few dollars per person. without even having a negotiation, we're having this pain inflicted on people. so now, so let's just stick with the $1,000 a person, just that's statutory on there, plus punitive damages.
so now if congress were to require that any company like yours that held information for people, you know, without asking them necessarily to opt in, that you had a requirement that you would hold enough insurance to make them whole if there was a massive data breach, that would be a very expensive insurance policy, correct?
>> right.
>> now you indicated earlier that you had not disclosed how much insurance against data breach you're actually carrying, and you don't intend to tell us that?
>> that is correct.
>> that is correct. is it fair to say it's not enough to cover $140 billion, is it less than that? are you comfortable saying this?
>> yes, it's less than that.
>> so it's likely that many customers may end up getting less than they think their actual damages are. have you thought through, say, how much per hour the average customer would charge someone to just sit on hold waiting to try to get attention to getting their credit unfrozen?
>> remember, congressman, one of the offers we have to consumers is an insurance policy. are you aware of that? we offer five different services for free. one is if a consumer has loss, lost expenses, in trying to get their credit repaired, trying to take time off of work, up to a million dollars.
>> okay, but i'm trying to understand under what conditions you would have assembled a team, either yourself or an insurance carrier, assembled a team that would have prevented this. if you have tens of billions of dollars of coverage on this, i imagine that would have funded a very aggressive team of people who would, every time a patch came out, they would say oh, boy, let's go and figure out if you have applied that patch, and they would be looking at your source code for anything a company offering that kind of coverage would demand. do you think that's a possible way that we could actually prevent this in the future?
>> congressman, we have notifications routinely every year for patches.
this is a very unfortunate mistake. i mentioned the mistake, i apologized for it. the insurance approach is not the solution. it is preventing the human error and the technological error that occurred.
>> but there will always be human errors. what you need is a red team who sits there and looks for human errors and flags them immediately, and this has to be a very expert team. nothing short of that is going to rapidly catch the kind of human errors that will naturally happen. so anyway, this is one of the things i'm looking at, because it's the only free market solution that i think has a chance of preventing this in the future. thank you.
>> the time of the gentleman has expired. i now recognize the gentleman from colorado, mr. tipton.
>> i want to follow up on a couple of questions, whether or not you had protocols in place to actually address whether or not the information was being reported properly internally and also to the governmental agencies who are responsible for oversight. and i didn't hear you respond to the answer, whether you have written protocols in place to make sure that the governing bodies overseeing you are notified in a timely manner?
>> yes, there were protocols in place. the protocols started when the security individual saw suspicious activity. protocol number one, he or she shut down the particular portal, started the internal investigation, followed by the additional protocol they followed, which was to notify and engage an outside cyber forensic auditor and engage outside counsel to help us with the investigation, and protocols followed all the way throughout the time of notifying the regulators, ags and the consumers.
>> looking forward, to try and be a little more solutions oriented. i understand and appreciate the comments that you have made, regretting what took place.
are there protocols, are there actions that this congress might be taking in terms of the regulatory bodies to incentivize earlier action, earlier notification, not only to the governing bodies but also to the consumers, that we ought to be looking at?
>> what i would love to see both congress and companies tackle is the concept of, is there a better way to identify consumers in america other than the ssn. unfortunately, the number of breaches that have occurred over the years have exposed so many ssns that were vulnerable. so i would love to see us engage in that discussion.
>> in terms of internally, there are some opinions, for example "the wall street journal" noted independent groups that analyze the vulnerability of you, of equifax, in terms of what you're going to be dealing with. do you look at that sort of analysis, and who is responsible for identifying that and taking it seriously, to see that patches aren't needed but we're being proactive to make sure that the breaches do not take place?
>> yes, we routinely bring in outside consultants, advisers, to help us check, double check, rethink, tactically, steps we can take, that we have taken since the breach, as well as long-term, strategically, steps we can take to make sure that we're more secure.
>> those are the questions that i have. i yield back.
>> the gentleman yields back. the chair now recognizes the gentleman from maryland, mr. delaney.
>> thank you for being with us here today, mr. smith. i have a couple of questions about how you interacted, or how your board interacted, around this matter generally. it says in your testimony that you became aware of the information on august 11th, but that you notified the lead member of the board of directors, mark fiedler, on august 22nd. did you have any conversations with other board members before that?
>> let me clarify, the first debriefing occurred on august 17th.
>> between the 17th and the 22nd, did you speak to any other board members?
>> on the 17th of august is the first time i spoke -- on the 24th and 25th, where we had two board meetings.
>> does it normally take this long to notify your board when a matter like this occurs?
>> i thought that was an appropriate timeline.
>> under the sarbanes-oxley act, for public companies under your control, were cyber or data breaches ever considered by the board of directors and the audit committee?
>> in what way?
>> well, i ran two public companies, and i used to have to sit down with my management team and get certificates where they would assure me things were getting done in accordance with our audit procedures, and the auditors would review things under the requirements of the law. in that process, i assume you engaged in a similar process at your company?
>> we have two ways to engage as it relates to the -- enterprise risk management, top of that list was cyber security, also go through deep dives with the board of directors on security risks. the second means of communicating with the board was through a committee we have called the technology committee.
>> if you were to put the board's time in a pie chart, representing 100% of the time they spent on matters related to the company, what percentage of the time would you say was spent on cyber security risks and data breaches?
>> i would be guessing if i were to take a stab at that.
>> did you regularly have full discussions around the board table about this potential risk? you identified it as a risk factor in your financial statements, i mean in your 10k?
>> absolutely.
>> so would you say 5%, 10%, 15%, 1%?
>> congressman --
>> you chaired the board, so you have a sense of what occurred at the board meeting. i assume you set the agenda. was there an agenda item for cyber security?
>> through committee meetings and board meetings, the board is apprised.
>> so the audit committee didn't --
>> the audit committee would have purview as well.
the entire board would have a view. the technology committee was, i was responsible for oversight for security and technology at the board level.
>> would the technology department make a presentation at every board meeting?
>> yes.
>> were there discussions about technology at the board level about whether there was adequate cyber security?
>> the technology board would approve that every year.
>> in your opinion, how mindful was the board before this event occurred as to the likelihood of an event like this?
>> very mindful.
>> so you would say your board spent considerable time --
>> data security is the number one risk we have, and we took that very seriously.
>> uh-huh.
>> and is part of your -- the disclosure statements that you received as a ceo, where your direct reports would certify that things were being done correctly, did one of those certificates include some mention of the cyber risk and the potential for data breach and assurances that the systems were in place?
>> we disclose in every k and every q that security is a risk we face.
>> have you had other significant events in your company where you notified your board of these problems the day they happened?
>> have we ever notified the board of a security risk in the past?
>> let's say you had analyst expectations for your earnings and you realized during the quarter you were going to miss them, would you call the board that day and notify them? or would you wait four or five days?
>> if there were risks to our familiars in a particular quarter, we would notify the board.
>> sooner than five days?
>> we have never had to do that in my time there.
>> time expired. the chair recognizes the gentleman from north carolina, mr. pittenger.
>> mr. chairman, mr.
smith, we are addressing a very egregious concern in our country, concerning our financial infrastructure. our government spends hundreds of millions of dollars every year regarding cyber security measures, as well as energy companies and other institutions. to date, we're aware that not just the 143 million consumers' personal information was exploited, but additionally, there's now another 2.5 million people that have been affected by this initial account. can you assure us that the 2.5 million are the last americans whose data has been compromised?
>> congressman, can you repeat the last part of your question?
>> can you assure that the additional 2.5 million people who have been reported that their data has been compromised, is that the last?
>> yes. it's my understanding from the forensic experts that, one, movement from the time you announce to the final conclusion is not unusual. and number two is, while i have not had a chance to read the press release myself, it's my understanding that on monday, when it came out in the company, it said that the forensic review is in fact complete.
>> yes, sir. prior to the security breach, did equifax, in your opinion, have systems in place to prevent a breach of this magnitude?
>> obviously a breach of this magnitude would not have occurred if everything was in place.
>> elaborate with us on additional measures that you believe could be put in place at this time?
>> congressman, many have, from the time of the announcement, actually before the announcement. we engaged experts to help us increase monitoring, penetration techniques, they call it white labeling, of ip addresses. a variety of things were put in place before the announcement on september 7. those continue with 30-day plans, 60-day plans, 90-day plans, and as i was getting ready to step aside, we engaged a top notch consulting firm to help us rethink our entire strategy.
>> have you actively engaged in testing these databases for vulnerabilities?
>> yes, we do.
>> do you use third parties or do you do this in house?
>> we do both.
>> can you explain the process in which equifax stores personal information?
>> can you say that again?
>> i would like you to explain the process or the standards by which equifax has stored consumers' personal information.
>> standards, i would say a variety of techniques are used from a security perspective. there's layers of security techniques we use.
>> is there an encryption procedure in place?
>> there's layers of ways to secure it --
>> if we could have prevented the human error, that would have stopped the issue, yes.
>> there was a fair encryption process in place, in your opinion?
>> again, there's different techniques used, and encryption is only one of them.
>> how do you plan to regain the trust of our consumers?
>> by making it right.
>> thank you for coming. this is probably, no doubt, the hardest time in your life. it's much harder for the american people whose data was exploited. we are here on their behalf.
>> i agree. thank you.
>> the chair recognizes the gentleman, mr. clay.
>> thank you for being here. more than 2.5 million missourians had their information exposed in the equifax breach and will likely be impacted by it for years to come. can you share with this committee and the american public what types of activity these people whose identity has been compromised can expect? tell them what kind of activity they can expect from the thieves that took their personal information, because most americans have never had an identity theft occur to them. can you give them, give us some examples of what they can expect over the next year?
>> thank you, congressman. i'd answer that two ways. one, we have offered a comprehensive suite of services to protect identity. there are five things we talked about.
i have offered that, we have offered that to every american. regardless of being impacted, they could have been impacted by the opm breach, home depot, we are covering all americans.
>> but describe for this committee and the american public the hellish nightmare they are about to go through when they go to the irs and someone has filed taxes in their name and gotten a refund from the irs, or that someone has gotten a credit card in their name.
>> congressman, one of the things we talked about is the lock. the consumer takes that lock, locks access to the file, no one can open a credit card in his or her name, as an example.
>> equifax offered consumers a year of free credit monitoring services, free credit freezes and a promise to provide a better product, described as, quote, lock, unquote, on consumers' credit reports. at an energy and commerce committee hearing held earlier this week, you stated that credit freezes and credit locks are, quote, virtually, if not exactly, the same, end quote. if the protection these products afford to consumers is the same, what is the need for the new term?
>> congressman, lock was introduced through regulation in 2003 and 2004, where it was referring to the quote?
>> yeah.
>> protection to the consumer is largely the same. the difference is the ability to freeze and unfreeze can be very cumbersome, and the lock product coming out in january 2018 will be very user friendly. the consumer can lock and unlock on their iphone.
>> so, because security freezes are covered by state law, if something goes wrong, for example if credit accounts are fraudulently accessed, will consumers be protected from financial liability?
>> congressman, again, locking or freezing protects the consumer from someone accessing their credit file to access credit, to rent an apartment, to secure the credit problem.
>> okay. yeah, but i'm talking about the activity that occurs when they are compromised, when their identity is compromised. what kind of comfort can you give these people?
can you tell them anything that your company will work with them to resolve this? what?
>> again, we are working with consumers impacted, not impacted. offering five different products today, for free, to lock and unlock the file for free. that should give them comfort and the ability to stop people from opening and accessing their credit file.
>> do you agree steering consumers covered by a contractual agreement and is covered by state law raises concern?
>> no, sir, i do not. the freeze is still our product. the way the consumer gets access to freezing, unfreezing is set by state law.
>> time of the gentleman has expired. the chair recognizes the gentlelady from utah, miss love.
>> thank you. estimates are that about 50% of adults, u.s. population is affected by the breach. if you extrapolate the information to utah, that's about 1.43 million utahns that are protected. my question is, what sort of financial product could be opened in my constituents' name if their data was part of the breach?
>> two things. we have the data of those who were a victim of the criminal hack by state level. if that would be interesting to you, we could get that to your staff.
>> i would love that, that would be great. but, i'm still asking, if they were affected, what type of products could be opened in their name?
>> if they signed up for, many, many have, the lock product, lock the file so no one can access it, open a credit card, get a loan, a home equity or mortgage.
>> if they didn't get a lock and they are still, if they didn't get a lock, that means credit cards can be opened in their name. i just want a list of things they need to watch out for.
>> we are offering a monitoring service as well. if you are a victim of the criminal attack, we will send you notifications if there's suspicious activity on your file.
>> have there been upticks of identity theft and fraud since the breach?
>> it was asked earlier, not that i'm aware of. you mean since the breach?
>> yeah.
>> no.
>> how would you know?
>> we have fraudulent flags on files.
>> when would you expect an uptick? if there were upticks, when would you see those?
>> it depends. some say the social security numbers, which we focus the most on here, have been out in the public domain, hacked in the past for quite some time.
>> for my constituents that were impacted, how long should they expect to remain concerned about the potential impact on their credit file?
>> they should be diligent and looking at the monitoring products we offer. the first thing they should do is lock their file. if they lock their file, they are going to rest better.
>> okay. so, in terms of -- i'm trying to, what i'm trying to do is to give a clear vision to people who are watching what they need to do. i understand locking their file. some of those, some people watching that today can do that. but, in the meantime, i need to give them something to look out for. what to look out for before they do that or over the years what they need to be aware of.
>> i'll try to answer it this way. if the consumers in utah or anyone in america takes advantage of the free service, whether you are a victim or not, of the five offers we have, one is monitoring of all three credit bureaus' files. that's the first thing. we do that for free. the second thing is access your credit file through us to look at it, for suspicious activity. we offer a dark web scanning service. we go out there and scan the dark web for activity. four is, we have the ability to lock the product for free and the fifth one, i forget what the fifth one is. those five products should give the u.s. consumer, the utah consumer, far more comfort, father or mother lowed by january of next year.
>> can you explain, i may have missed this, can you explain the difference between a credit lock and freeze?
>> the freeze was passed at the state level. each individual state passed a law in 2004.
the difference is the ability and means by which a consumer communicates with us versus the lock, which is application enabled on and off, much more user friendly for the consumer.
>> i want to reiterate one more thing that was brought up by the ranking member, that you are committing to work with people who may have been or have been affected or may have had their identity taken and used for their lifetime.
>> yes, we are offering every citizen, american citizen, a lifetime lock to lock and unlock the file.
>> thank you. i yield back.
>> the chair now recognizes the gentleman from new jersey.
>> thank you, mr. chairman, and mr. smith, thank you for being here today. as a former microsoft executive, i have an appreciation for corporate integrity and where the buck stops. issues come up all the time. it's how you handle them when they come up. your response has been more of an equiscam than a fix. if you are going to take four or five weeks to tell consumers, where is the gap in putting information together to respond well? one, if you could help me here, out of the 145 million consumers impacted, only 7.5 million have signed up for monitoring services, is my understanding. why do you think only 10% have, and why not auto-opt everything in since you have their information?
>> it's illegal. it requires the consent of the consumer.
>> can you reach out since you know their addresses and e-mail? why not send them a letter saying would you be interested in this?
>> i mentioned in my oral testimony, the awareness is at record highs for breaches. over 400 million consumers have come to visit. they know.
>> would you be against a letter to them to give them information so they know and get more people signed up?
>> again, i think they do know.
>> i'm sorry, is that a no? you're not willing?
>> sent a press release out to notify. we have the website, the phone numbers. we followed state law required for local advertisement.
the 2.5 million that was mentioned earlier, the company released additional victims of the crime, those individuals, because of the fear of false positives, were notified via e-mail.
>> the rest, the 143 or 144 million plus, you are not willing to reach out to?
>> we follow the process that is legal.
>> thank you for your answer. what is being done to resolve the problems of your website to make them more stable and eliminate confusing links and make information more accessible? i know people are saying we can't get it to for a few weeks. what do you do about the websites crashing?
>> we have come a long way. again, it was overwhelming. as i noted earlier on, we have taken steps to fix that experience. it's my understanding the experience of the call centers and website are far, far better than they were on september 7th.
>> when they crash, people get more anxiety. if you can please, there are a lot of resources out there to take it and can help you with that. can you verify the legal liability is not included in the credit freeze, lock and identity theft insurance?
>> congressman, the arbitration clause is a clause in products we sell as a consumer. the consumers have a right not to buy a product from us, but go somewhere else. the intent was never to have the arbitration apply to free offerings. we were made aware of that in 24 hours and took the clause off.
>> good. thank you. they will provide $1 million in insurance coverage to affected consumers. the coverage for loss can be unclear to some people. does equifax believe this is in lieu of reimbursing in actual losses and can you make clear the legal limitations?
>> that is correct. the expenses incurred. the five services we are offering up front for the lifetime ability to lock your file are the right steps for the consumers.
>> i think this is a big issue because insurance companies provide this coverage and it doesn't cover what people think. as liability occurs, there are holes.
i'm sure you have heard about the phone call wait times. i know one of my constituents was on the phone an hour the other day. others have called in in 45 minutes. how are we doing and what is the improvement?
>> it's been dramatic. we have gone from 500 call center people to over 2700 was the last number i heard of trained people to handle the phone calls. it comes down -- i don't have the exact number. i saw the data earlier in the week, congressman.
>> maybe you can get it to us, a sense of where you are. yeah.
>> there's huge capacity to add and bodies to add since people have huge anxiety over this. people can't feel like there's an equiscam. they have to think you are making it better for them. thank you so much for your time.
>> time for the gentleman has expired. we recognize the gentleman from arkansas, mr. hill.
>> thank you. thank you for coming in and i appreciate you coming in to testify on this important issue. it's something my family understands. we have had the pleasure of being in the opm breach, the irs breach and couldn't file our returns on time a year ago. now, we are gratified to receive your e-mail about being in the equifax breach. i can feel the frustration for a lot of americans and in arkansas, according to our attorney general, 1.2 million people in arkansas, some 40% of the population of the state, are covered by the announced breach by equifax. we appreciate our chance to sit down and ask the hard questions we are asked by our constituents. i want to follow up on some of the line of questioning and start out talking about the management practices of equifax if i could. did you have a weekly executive meeting with the top officers?
>> are you referring to post breach?
>> no, just general, as a general practice at equifax, did you have a management meeting on a regular basis? maybe i shouldn't have said weekly?
>> yes, we had routine mechanics to operate the business. it could be weekly, quarterly.
>> i'm sure it's a mix of people.
in your sort of direct report meeting, would mr. gamble be at the meeting on whatever frequency it was?
>> depends on the meeting, but largely, yes.
>> the president of information systems, as well, would he have been in that meeting?
>> again, i have 12-13 direct reports --
>> is he a direct report?
>> the three you are going to, rudy is the third.
>> right.
>> all three report to me and all three in most of the meetings we have.
>> mr. kelly, as well, the chief legal officer?
>> again, 13 or 14 individuals, yeah.
>> i'm curious, in that meeting, sort of your trusted advisers with the top echelon of the company, between march 8 and the end of july, did this topic come up among that group?
>> no, sir, it did not.
>> in that period between march 8 and end of july, when did you really feel or you were told it was a serious business --
>> it wasn't until -- the detailed review is noted in written testimony on the 17th of august with the cyber security forensic team, the outside legal team, my team, that was the 17th of august, the first deep dive.
>> so, let me turn and talk about the section 16 officers in the company. i'm sure the people we talked about are all section 16 officers, the chief legal officer, the cfo, yourself, the president of information systems?
>> that's correct.
>> in your 10b5-1 plan, i assume it's all holdings and the money covered by the preplan to sell stock?
>> the 10b5-1 plan?
>> yes.
>> yes.
>> both your personal holdings and money options that were in the money at the time of the filing. your plan as a corporate officer in the plan.
>> some officers may have had a 10b5-1.
>> it wasn't a requirement?
>> no, the requirement was if they have a clearing process they have to approve before selling stock.
>> how many days a quarter do you think you had available for trading under those plans?
>> the first 30 days after the earnings call. we wait a day or two, 30 day window, the general indication is sooner in the opening versus later.
>> can you think of a time the general counsel canceled that window due to a material nonpublication or you couldn't use the window because people in the group had material, nonpublic information?
>> a few times, yes.
>> when did you have a lead director since you were the chairman? did you have a lead director?
>> similar. we called it a presiding director.
>> when did that person find out about this?
>> the 22nd of august.
>> okay. my time is expired.
>> the time of the gentleman has expired. we recognize the gentleman from minnesota.
>> thank you, mr. chair. thank you, mr. smith, for sitting through this again today. obviously, you have heard this over and over today and in your prior three congressional hearings. i, like most people, am very concerned about the time line of events. i appreciate what i take as a sincere apology of yourself on behalf of equifax and the acknowledgement of both the human error you point out from last march and the error in technology, the scanning process that didn't work. but, the time line of the discovery of the issue, the sale of the company stock by three top executives in disclosure of the breach, the impacted american consumer, which in minnesota's case, i believe we have a little over 2 million that have been identified at this point. it raises serious potential ethical and legal questions. i guess i want to start by echoing what our chairman said at the outset of this hearing. that is that the company, and i would say current and former executives like yourself, i would hope are going to continue to cooperate to the fullest extent with the fbi, the sec, any agency that is investigating this so that the truth can actually get out into the light and people can know exactly what happened. i know you can't commit on behalf of the company, but i'm sure that you could commit on your own behalf that even in your current capacity you are going to cooperate to the fullest extent?
>> absolutely.
>> i wanted to talk a little about the area. you know, today it's about equifax. i don't know that people are talking about the -- even though we all know it, it is going unspoken, this is such a fast changing environment. you know, i was in a business that will go unnamed in minnesota and they have a huge investment in technology. they take you into the back room and they have tv screens, flat screens around the room and they are showing you in realtime all of the attacks that are coming in by the second and the minute. i don't think it's just about equifax. this is a huge issue. you look in 2014, the u.s. postal service had a breach that exposed personal data on almost 1 million employees and they had to shut it down. the irs in 2015 had almost three quarters of a million people affected by a breach. the office of personnel management had one in 2015 and even the sec last year had the breach of the edgar online filing system. so, this isn't just about equifax, this is a much bigger issue. in the short time that i have left, there's two areas that i would like to talk to you about. one is, i guess worried in this place that the snap reaction of elected officials is more regulation, more stuff that you have to comply with, which i suspect takes resources away from the stuff you are trying to do to keep up with the ever changing technology and the way the bad guys are trying to breach these systems. i would like you to talk about that for a second before talking about rethinking social security numbers and dates of birth for identification.
>> i share your views there. a recent publication came out last week that talked about in 2016 alone, over 4 billion pieces of consumer information was hacked in one year alone. it is at a rate that i have not seen in my career to accelerate, if nothing else into an issue that public partnerships can work. if regulation can prevent a breach like this occurring again, i'm all for it.
this was not an issue, in my humble opinion, that more regulation would have addressed.
>> as you go forward, into the next stage of your career with the experience you have, would you give a word of caution to those of us looking at this to be very careful about if there is a magic regulation, because of the compliance costs that come with it and how that could negatively impact your ability or others' ability to keep up with the technology?
>> yes. oftentimes, we are all in a reactionary environment. the first thing we think is regulation is the issue. i think there are a lot of things the public can do. you mentioned one of them, think about the identifier that we use for the american public and the position beyond that.
>> thank you very much.
>> time. the time of the gentleman has expired. the chair recognizes the gentlelady from arizona.
>> thank you. i am troubled by the data breach that compromised the personal information of 145 million americans. every american should take precautionary measures to ensure his or her financial security. arizona seniors are particularly at risk, especially now. we must make safeguards to protect them from financial fraud. i have been working with the congressman of maine to pass legislation. this ensures financial institutions have the regulatory flexibility to report instances of abuse of seniors. people need to know his or her data is safe when applying for a credit card, accessing a small business loan or buying a home. today is an important step in what went wrong and what must be done to protect consumers. thank you for being here today. by your account, it took equifax 40 days to let the american people know, via press release, about a data breach that lasted 77 days. the exposure of the i.t. staff for the 65 days leading up to the breach. that adds up to 182 days of equifax failing to put arizona families first. your testimony seeks to meet up the press release, but does not excuse the end result.
an arizona person whose name was taken was left vulnerable and in the dark about the data breach for 117 days. that is disgraceful and unacceptable. more than most, people in arizona value privacy. we value the independence to make financial decisions for families and the economic future. instead of taking precaution to secure the data, equifax made millions of people vulnerable to identity theft and financial fraud. now we must take every step possible to minimize the damage and better address the breaches. for the vast majority of americans this was limited to their credit data. that includes name, address, date of birth as well as addresses, aliases and social security numbers. the first question is, while this is highly compromising, it does not include their most private financial information. are you aware of attempts to broaden the scope of the breach to capture private financial information? if so, were any of those attempts successful? if not, why do you think hackers opted to forego it?
>> congresswoman, there are millions of attempted or suspicious attacks each and every year across a wide array of data assets. we have no knowledge from the forensics done that any of the core credit data that you referred to was compromised. as to why, that goes back to the written and oral testimony i gave, which is the software that sat in a different environment completely outside the credit file that was not patched. that's why they were able to penetrate that environment.
>> your testimony stated it took the i.t. staff 76 days to notice suspicious activity after the breach began. how were the intruders blending in with normal network traffic and what do you think took the i.t. staff so long to notice the breach?
>> they were fairly sophisticated, the criminal hackers. they moved about the system without moving large files, but files themselves in size were not suspicious. they were clever enough not to move at speeds.
we have velocity indicators to look for things moving at very high speeds. they were sophisticated to do beneathing.
>> while it was significant, it was only the fifth largest data breach in the u.s. all five have happened within the last five years in our country. we, as a community here in congress, must recognize they are increasingly frequent and undermine the trust americans put in the marketplace and their government. whether it's equifax or what, americans deserve to have institutions, public and private, that work in good faith to safeguard data. i would urge that congress should recognize that cyber security is not a niche issue. give americans the opportunity to succeed. thank you, mr. chairman, i yield back my time.
>> your time has expired. we recognize the gentleman from ohio.
>> thank you for your testimony and sincere apology. we recognize all these companies are staffed by humans and humans fail, as does technology. however, we also recognize the high duty of care, responsible by fiduciaries. i was concerned about the reporting structure on the board and the attention given to governance. does the i.t. report through the cfo or direct report to you as ceo?
>> direct report to me.
>> within the i.t., you said you are a technology company. what is the structure like within i.t.? is there an information security officer that stays in the i.t. channel or broken out separately?
>> the chief security officer, global security officer is a direct report into the company. the general counsel reports to me.
>> okay. so, you feel that your governance structure was adequate?
>> i'm not sure i understand the question.
>> given that this error happened, you mentioned you had some closed loop system failures where you have things that are supposed to happen, but didn't have a closed loop system. do you feel there was failure in governance? was structure part of the issue at all?
>> i don't think so. i don't think it determines the process or the business.
it is people and technologies doing the right thing. so, having the security officer report to me and cfo, i'm not sure would change the outcome we experienced.
>> okay. that's concerning, but that's your philosophy. on trading, so, when you look at the cyber security concerns, which have been covered extensively, i was planning to go down the similar path of my colleague, mr. hill. talked about how trades or board members, executives within the company are approved. what is the timing like for that and noted that you said there were times where because shareholders of record inside the company had information that was nonpublic and material, that those trades were suspended. i can't think of a more public time where it would be appropriate to suspend a trade than while you had a breach of this. was that an error, omission or do you feel the governance worked correctly in that instance as well?
>> let me be clear, if i may. there is a process to clear trades, goes to the general counsel. these three individuals that traded, it is my understanding they had no knowledge of the breach. remember back to the time we talked about earlier? it was the 31st was when the portal was shut down. we hired the forensic auditors and law firm on the second. it wasn't until later in mid august that we had indication something was going on that involved large amounts of data. they traded the first and second of august. they followed the process we had in place at that time.
>> okay. so, based on the knowledge that your counsel had, reviews the source of things, would it have been part of the procedure to say, hey, we have just had some very substantial material information that is nonpublic. isn't there a clear concern, four days of testimony here, i'm sure you are going to keep talking about this for a long time, that given the amount of material information that was nonpublic, that executives and board members should not be trading in these shares?
>> congressman, again, clarification. the 31st of july, the only indication we had there was a suspicious incident. no knowledge of a breach until weeks and weeks later. number two, it should be noted, this is the topic that is priority for the board of directors and there's investigation currently going on by the independent board directors.
>> do you think it was a mistake to not cancel pending trades even if they were ordered before the discovery of this non-public information?
>> congressman, on the first and second of august, we had no idea other than a suspicious incident and a dispute portal.
>> my time is expired. i yield back.
>> gentleman yields back. the gentleman from colorado. the gentleman passes at the moment. gentleman from tennessee is recognized for five minutes.
>> thank you, mr. chairman. thank you, mr. smith, for being here today. if i could, i think my standpoint in listening to others question you today, really the problem is the length of time between when this breach occurred and when the public was notified. i have heard your explanation this morning. on september 7th, when equifax claimed they recently discovered a cyber security incident involving security information. you knew in july. if i could back it up, from a governance standpoint, if they had a pre-existing plan in place for a contingency such as this --
>> before i answer the question, point of clarification. i was not aware in july there was a breach. i was not aware until mid-august as i said before, not until late august there was a breach. that continued to evolve to september 7th and monday of this week. to answer your question specifically, yes, there was a crisis management written protocol in place applied to many crises, including a data breach.
>> did it anticipate a breach as big as this breach?
>> no, the crisis management protocol we have in place is a breach in general. it doesn't specify 145 million versus 5 million.
>> did equifax, in fact, use that protocol for this breach?
>> yes.
>> was it executed properly?
>> not without issue, as we talked about. that's because the system, the people were overwhelmed on the sheer volume.
>> i understand the website that you set up that provides consumers information about the breach, which is equifaxsecurity2017.com, that domain name was secured on august 22nd, does that sound about right?
>> sounds about right.
>> that website, in some form or fashion, was ready to go some two weeks prior to the announcement, is that right?
>> yes, congressman. that's approximately right. the thing we talked about is the data still moving. we were going to be as accurate and transparent as possible on the data. number two, we talked about the cyber security forensic team and they recommended we prepare for increased cyber attacks post announcement, and third, we had to stand up the environment you referred to to get access to free services.
>> this morning, the chairman asked you about law enforcement. i understand the fbi is involved, they are leading the investigation, is that correct?
>> that's correct.
>> is the secret service also involved?
>> not to my knowledge.
>> are there other law enforcement agencies involved in the investigation?
>> there may be. i have been focused on the fbi.
>> law enforcement, including the fbi, may possibly be other law enforcement. there are other agencies involved in the investigation. is there any law enforcement agency or agency, whatsoever, that recommended to you or equifax that you not disclose this breach until you disclosed it in september?
>> to the best of my knowledge, no. they were involved starting august 2nd. we communicated with them routinely throughout the process and we made them aware in september.
>> as you mentioned earlier, you hired on or around august 2nd. you mentioned hired for legal purposes. you also hired a pr crisis team.
>> yes, congressman, we did.
>> who is that?
>> in fact, we hired two.
a company called everland, a well known crisis team at the tactical level to help us understand, track a variety of input from different sources, social media, broadcast, the regulators, state ags, and crisis management a strategic consultant as well.
>> you inquired in king & spalding or other law firm regarding the bankruptcy of equifax?
>> no, sir.
>> no bankruptcy whatsoever?
>> a law firm --
>> or anyone else?
>> no, sir.
>> anybody at equifax sought bankruptcy protection?
>> not that i'm aware of.
>> the chair recognizes the gentleman from maine.
>> thank you for being here. a lot of these questions have been asked before. you know, this is so important because it goes central to our economy. it really does. you know, here we are on a way to have lower taxes, fewer regulations and trade and energy prices that are stable. then this happens. i know you folks got hacked. and i know you are doing the best you can with it. but, you know, the result of this might not be felt for quite some time. think about this, a third of our country, 40% of our country, i don't know, 60% of health. 145 million people. 145 million. criminals now have the social security numbers, addresses, birth dates. when my mom was 89, had to sign her up for medicare. you need her social security number. this is serious stuff. we have 1.3 million people, a half million got affected by this. now, i am also very concerned about the perception, at least, of wrongdoing when it comes to our securities law. you know, you are a publicly traded company or equifax is. in rural maine, people saving for college or retirement, little savers, small investors, the little guy, they can buy some of your shares in the open market and take a bet your growth is going to reward them. take a bet on the economy. all of a sudden, we have material here, if you believe it. i don't know, this investigation that is going on, that says in late july, you folks knew about a breach and a breach which is central to your business.
my gosh. you folks collect all this sensitive information and sell it to banks and automobile dealers and what have you to make sure they get accurate credit reports and money flows and families get homes. this is really serious stuff. so, any breach of that information, your business plan is central. your success as a company and therefore affects your stock price. now, we see information, if it's true, i don't know. you had folks on the inside and it's really hard, mr. smith, for me to accept the fact that you have a dozen people reporting to you and they didn't know what the heck was going on when something is so central to your business plan. it looks like some of these folks acted, three, in particular, that i mentioned, acted to sell their stock before the breach was announced, a month before, to escape loss in the stocks they own, which is stock in your company. if that's the case, the little guy gets screwed. because guys on the inside who know this information avoid the loss. the little folks that i represent in maine are hard working. they save every penny and they are worthy of all the income they have. they invested in your company, in america, and they get screwed. i have a question for you, now, i may be wrong about this, mr. smith, but the information you have is public. says you own 285,000 shares of equifax. is that true?
>> i believe that's right.
>> okay, fine. given the roughly market value of that, its outstanding price per share is 28 million bucks or something. did you or did you sell any of your stock between the time when the breach was on the inside and when you announced it to the public when anybody else in america had that information?
>> no, sir.
>> here is one of the things that drives me crazy. confidence. a 15 year business confidence at a high. we have consumers confident about the direction for a growing economy. then something like this happens, which shakes our confidence.
now, i know they mentioned this and i want to support it also, and everybody in our conference, republicans and democrats, to support a way for congress to help. that's a senior safe act. we think it's a good idea if seniors who are vulnerable to this identity theft and fraud are able to go to bank tellers and insurance agents and say we expect fraud at all times. we want to speak up to the authorities and not be liable for doing so. that's a great bill. thank you for being here. appreciate your time.
>> the time has expired. now, the gentleman from pennsylvania.
>> thank you, mr. chairman. mr. smith, when i heard about the breach, i was very concerned like all americans were. equifax, which is tasked with guarding millions of americans' sensitive and personal data, has violated the trust of the american people. it's not acceptable. i commend the chairman for having these meetings to prevent what can happen in the future. my people sent me here to share their voice. i would like to say their comments. i am more than angry about the equifax data breach. i understand crime will always be a part of life, i am outraged at the response to the situation. they have allowed my personal information to be compromised. this has the potential to impact us for the rest of our lives. robert in pennsylvania wrote, quote, equifax must be held severely accountable for the massive data breach affecting nearly every american, including all of my family. the disingenuous response. allen described directions as an endless circular conversation and added i am tired of this ongoing fiasco. these are real people whose concerns need to be addressed, hard working americans are scared and deserve answers and they need to be made whole. i understand we are talking about the time line here. equifax discovered the breach on july 29 and notified the fbi two days later. others were brought in two days later to investigate. equifax did not notify the public for a month.
it was said that public notification would allow more bad actors to compromise the system. more than a month elapsed from the breach to public notification. i'm curious if there was an event or fact that led you to make the disclosure. september 7 was the date it was disclosed. did you know something on september 7th that you did not know on september 6th?
>> point of clarification, we did not -- we are not aware of a breach of any sort in the july time frame. again at that time --
>> you noticed activity july 29 that was suspicious.
>> we notice it on a daily basis around the world to the tune of millions per year. what we saw in late july was nothing we haven't seen before, suspicious activities. unfortunately, in this environment very common.
>> a couple days later, you are engaging outside vendors.
>> that is not unusual.
>> what did you know september 7 that you did not know on september 6?
>> i don't have a specific answer. i can tell you the time frame between mid august and september was very fluid. pressure continues to develop. we found more impacted. it was an ever evolving set of facts.
>> you testified data was not encrypted on your database. is there a reason for that?
>> there are different levels of security. encryption is one, masking is one, firewalls. encryption at rest and encryption in motion is another technique. there's no one single technique that protects the consumer's data.
>> a lot of people are watching at home, wondering if their data was compromised in the breach. many americans are wondering if their information that is currently held at equifax is safe. is their information currently safe today?
>> we have no knowledge that any other information we have in our database in the u.s., around the world, was compromised.
>> is there a reason you are choosing not to disclose the scope of insurance coverage?
>> yes, there is.
>> can you share that with us?
>> i prefer not to.
the reason being, congressman, when you disclose a number, it puts a target out there for others, for lawsuits, so on and so forth.
>> that's going to be disclosed in discovery. you already have losses out there.
>> yes.
>> you are choosing not to --
>> yes.
>> i yield back, mr. chairman.
>> the chair recognizes the chairman from north carolina.
>> thank you, mr. chairman and mr. smith. i think what's infuriated the people of north carolina, they didn't volunteer to have their information stored at your company. equifax, take my company. it's a trust element. that's really been shattered. let me shift to a personal topic. why were the security officer and information officer allowed to retire instead of resigning and being fired? i believe you, yourself, resigned.
>> the day we announced their stepping down, they are individuals who can add an advisory to smooth transition between themselves and the two announced interim individuals we have at the cio level and the chief security officer level. then, if those individuals were replaced with full-time people, which they will be, they can add value. nothing but the transition.
>> what was the total cash value of their retirement packages, if you don't mind?
>> i don't know specifically. we can get that information to you.
>> did the chief security officer and chief information officer undergo repercussions as a result of their retirement other than foregone future salary?
>> they lost their jobs and there's no bonus.
>> just foregone future salary and no bonus. correct?
>> that's correct. and no severance.
>> allowing them to retire instead of terminating, did it increase the scope of the severance? you said there was no severance.
>> right.
>> if they retire, do they have more access to benefits, receive a better separation agreement than someone that resigns or is fired?
>> not to my knowledge.
>> did equifax not punish the individuals responsible by not firing anybody?
>> no, sir, they are both out of a job.
>> chairman, i yield back.
>> gentleman yields back. the chair recognizes the gentleman from indiana, mr. messer.
>> mr. smith, thank you for being here. i admire your stamina sitting here. the more i hear, the madder i get. have you had an opportunity to log on to the equifax page and do this process of determining whether you were part of the breach?
>> absolutely.
>> i did it. i had to give my birthday multiple times, i had to give parts or all of my social security four or five times. i answered a question or two wrong, so i had to call into the web page, call into the calling service and give my social security number another time. has it crossed your mind, given the recent breach and the fact you have disclosed personal information for 140 million americans, that people might be uncomfortable giving their social security number seven or eight times to know whether they are impacted?
>> i share your frustration. we tried to improve that process as much as we can. we have to validate you are who you are before we offer the product.
>> it's frustrating to a lot of people and obviously, you haven't built a strong relationship. will equifax profit from the new data provided by americans to your website? use it commercially?
>> the intent of this service is a service to offer the service for free, not cross-sell, upsell, you as a consumer.
>> this is the privacy notice you have to click on. it says here, i think in two columns, that this information can be used for joint marketing with other financial companies, for affiliates for everyday purposes, marketing purposes by, it looks to me like, equifax and the company doing it for you.
>> if you get a free service from us, we don't cross sell or up sell you.
>> the form says you will. do i believe you or the form?
>> excuse me?
>> the form says you will. do i believe you or the form? this is the privacy notice.
again, will equifax have the opportunity to use the information provided by consumers in their operations and therefore make a profit on it?
>> i'll say one more time, when you come to us to get a free service, we are not going to cross the website.
>> there's a phrase, the road to hell is paved with good intentions. i think your intentions are good as 140 million people lost their information. looks to me, based on this form, that you have the ability to do that. i want to ask you this question, have you ever met anybody who had their identity stolen, mr. smith?
>> yes.
>> pretty miserable.
>> yes.
>> it destroys their life. almost 4 million people in indiana, it's important to remember these people are real people that have had their lives put at risk.
>> congressman, i couldn't agree more. i talked to people at my church, that work for us, my daughters, my family, i understand the frustration.
>> i'm glad you appreciate that frustration. we'll turn to that in a minute. when it comes to real compensation for people who had their identity stolen, the reality is they are not going to get much from you, is that fair?
>> they are going to get five services plus the sixth --
>> if 1% of those people have damage, you get $4700 that you would have to compensate them anyway. i want to ask you this, you mentioned how frustrated you were. a lot of american people struggle, you consider this a major business screw up, right?
>> it's a breach, obviously --
>> 147 million people. and you mentioned, let me use your phrase, the folks you found most directly responsible for that, they lost their job, no bonus, no severance. is that what happened? that's your words.
>> my words are, i'm responsible and i stepped down.
>> does it seem fair to you that you would get a $40 million to a $90 million bonus as you exit after you presided over potentially the biggest business screw up in modern history where 140 million americans had their personal information stolen?
>> congressman, the only thing i walked away with, it's all disclosed in the probation, this was my pension and prior compensation.
>> the american people are frustrated. and listen, again, i appreciate you being here, but they have a right to be frustrated. it doesn't seem fair.
>> time of the gentleman has expired. the chair now recognizes the gentleman from georgia.
>> thank you, mr. chairman. thank you for being here, mr. smith. i am impressed that you're here considering that you are no longer in your previous position. i don't know that you would have had to have been here, but i appreciate your attendance here because i know this is difficult. it's a difficult time for 147 million americans as well. a couple questions regarding some of the things you said earlier. what i want to be focused on is how do we prevent something like this from happening again. i spent 30 years in the i.t. business and security was always at the forefront of things we were working on. and so i'm very interested in how -- what transpired to cause the problem, how can we avoid this in the future. but first of all, you had mentioned in a couple of instances, as you were addressing some of the members asking questions here, that you complied with all the state laws regarding notification. and you mentioned state laws earlier regarding cybersecurity. is it state laws that govern our cybersecurity policy? is there not a federal law that governs that? and if there are, why is that not applicable?
>> congressman, the only point of clarification, the only thing we're trying to be mindful of there was, as we learned and gained more insight on the size and scope and nature of the breach, making sure we balance our desire for accuracy, completeness of the picture with the state laws of communication. that's what i was referring to.
>> okay. i understand. but are there federal laws that are applicable in this instance? is cybersecurity pretty much governed by state law?
>> i'm not sure what you're saying. it's not governed by state law. the state law was just the communication that i was referring to.
>> okay. the actual applying of the patch, from what i understood in your previous testimony and you answering questions, was you were notified of the vulnerability. a patch was provided. it was communicated that that patch should be applied, but somewhere that did not happen. i guess the human error was the individual who was to apply the patch to that portal did not follow through. is that correct?
>> it's a little bit more than that. it was an individual in the i.t. organization who received notification from security. that individual is responsible for the patching process and never ensured that the proper person was communicated to and then did not close that loop.
>> is there a level of oversight that should be there? i mean, quite often when i was in the military and worked in communications and intelligence, we always had two-person integrity. there was always somebody looking over the shoulder to make sure that a process was completed. same thing when i was working with many governments in their i.t. is that, especially with a security patch, there was always someone else to come back through and make sure that it was applied. was that process not in place?
>> yeah. to clarify, this individual owned the communication and the patching process to ensure it was not closed. he did neither.
secondly, the closed loop process was also the scanner we talked about. the scanner, which was applied, i believe it was march 15th, to look across the environment for this vulnerability did not find this vulnerability. and that is currently under investigation as to why.
>> okay. that kind of hit my next question, which is, is that being under investigation as to why that did not happen and is there some liability on some individuals that, you know, potentially were nefarious in this process?
>> the individual who i just discussed that was responsible for the patching process is no longer with the company.
>> all right. thank you, mr. chairman. i yield back.
>> gentleman yields back. the chair now recognizes the gentle lady from new york.
>> thank you, mr. chairman. and thank you for having this very important meeting as we have over 145 million u.s. consumers who have been affected by this. and i thank you, mr. smith, for being here and being willing to answer these questions. you know, everybody is really angry. our constituents are calling us. people are concerned about the security breach. social security numbers, birth dates, addresses, drivers license numbers, credit card numbers for up to 200,000 consumers and all kinds of data has been breached. and it took, i know you've discussed this over and over, but six weeks to notify regulators. my first question on this is did you or your firm notify the credit bureaus before you announced this breach so they could prepare for what our consumers are trying to find answers to, and many state laws also require this. did your company actually do that? did you notify those credit bureaus that were your customers?
>> let me make sure i understand the question, congresswoman. did we notify specifically transunion and experian?
>> right. prior to the date that -- it took six weeks before the actual patch was discovered and released.
that's when you got your -- i can't remember the dates. my colleagues asked you when you got your crisis management team, when you lawyered up, when you got everybody ready before you actually disclosed that. but when did you actually notify your customers, your -- the credit bureau customers who relied on you for your information?
>> again, i think i understand the question. so it was in late august, not late july, that the picture started to come together that we had a data security issue. we went live on september 7th. to answer your question specifically, we did not go to transunion or experian before the release went out on september 7th.
>> so they didn't have any knowledge of this happening, so they weren't able to prepare when this was to come later on, as your company.
>> yeah. it was not public at that time.
>> right. let me ask you, so you described the suspicious activity and the patches and millions of patches occur. is there like a priority or a way that your team identifies what patches are more important, more valuable, more vulnerable than others? is there some protocol in place for that?
>> yes, there is. let me clarify, though, if i may. it's not millions and millions of patches per year. what i was referencing is in any given year it is not unusual to have millions of suspicious or potential attacks. specific to patches, patches and the requirement for patches are very common. and they're stratified in different categories, from critical to high to medium to low risk. and the protocol internally for the amount of time required or allowed to apply the patch depends on the criticality of the issue itself.
>> so what would you rate this patch that did not get --
>> it was critical.
>> it was critical. when was the actual date that you discovered that patch?
>> again, march 8th the -- we were notified by cert of the need to patch. on the 9th the e-mail went out to the teams to apply the patch. and as we talked about before, there was a human error.
the individual did not communicate and close the process. on the 15th of march the scanning device did not find the vulnerability.
>> but that's in march. did you notify the credit bureaus or the other customers -- how many customers do you have on your -- this confidential data is actually on your site. how many do you have in control of? how many people would you say, actual individuals, have their -- are on the site that would be vulnerable, not just --
>> the total credit population in the united states is roughly 230, 240 million people.
>> so that many people were affected by this.
>> no, congresswoman. the number we've disclosed was 145.5 million. the services we're offering are for all americans, but at this point 145.5 were impacted.
>> let me just go quickly because i decided to go look on to your site as my colleague pointed out. it's ironically called trustedidpremier.com. and i went to this and put my own information and it said i may have been breached and it does send me to another -- i have to go through some protocols, reenter more digits on my social security, my name, and then it reveals to me that nonetheless, please enter more personal information. if people listening to this in my constituency go on to find out if they've had their data breached, will they be vulnerable if they reenter this on this website?
>> we've taken many steps since this breach to make sure that's secure.
>> so this is secure. they can go reenter their data and it will be secure.
>> thank you.
>> time of the gentle lady has expired. the chair now recognizes the gentleman from colorado.
>> mr. smith, thank you for your testimony today. thanks for lasting so long. just a few questions for you. and i do have some sympathy for, you know, the attack, the breach, whether it's anthem blue cross or lowes, home depot, jpmorgan chase, lots of attacks have occurred and everybody needs to stay vigilant to that.
my questions to you, sir, are going to be more about credit reporting agencies. they are not everybody's best friends, you know. you have a job where you try to actually say this guy is a good credit risk, this gal is not a good credit risk, whatever. and we had -- and it may have been you and executives from experian and transunion a few years ago, and there was a question about whether or not the algorithms that are the basis for people's credit reports were going to be disclosed to us as members of congress or whatever, and i think the testimony was that those were proprietary and patentable and were key pieces of information for the different organizations. did you -- were you one of the ones that testified for us?
>> congressman, i was not. you may be referring to the most common credit score in the industry, a score called the fico score.
>> right.
>> that may be what you're referring to.
>> so we wanted to get information at that point about how a fico score was calculated. just, you know, is it fair to whoever is getting their credit score or credit report, and we were told no, that's proprietary information. do you know whether in this hack how you guys develop the fico score was stolen?
>> congressman, we're a reseller, if you will, in some cases of that fico score, and there's no indication that we housed fico scores that were hacked in any way.
>> okay. so the algorithm or whatever is that proprietary information, to your knowledge, wasn't part of this theft.
>> yeah. the algorithm is developed and controlled and owned by another company called fair isaac.
>> and your company doesn't have how that algorithm is created or developed.
>> that is correct.
>> okay. i was asked by somebody from the energy committee and i know you may have testified earlier today. do you know whether there was a foreign actor who was the perpetrator of this hack?
>> we've engaged the fbi and the fbi is continuing in their investigation.
>> there were some statements you made that there was a clever kind of ability to get around some of the safeguards you all had in terms of the speed or the volume. is there a concern on your part or anybody at the company's part that this was an inside job?
>> no indication of that at all.
>> so, i mean, when somebody comes in and hacks, it's like they're trying to break into the bank, and your bank housed a lot of information, if you will. and you had some safeguards -- you got the patch, so there's a vulnerability that they were able to get inside the bank, but then they were able to avoid a number of the different kinds of defenses you had within the bank. am i -- did i mishear your testimony?
>> that's correct.
>> so in this investigation are you doing an internal investigation on top of the fbi investigation? how is that proceeding?
>> yes. if i understand your question, there's the forensic investigation, which is done on the data that was compromised. it was done by an independent firm. there is an internal investigation being done by outside counsel to look at all the processes internally and individuals involved internally, if that answers your question. and then there's the fbi investigation as well.
>> all right. last question. just what i was looking at, there's like a hundred lawsuits, class action suits, a variety of suits. you were asked by mr. rothfus whether you had insurance for this. are you self insured? you didn't want to give us an amount. do you have insurance for this?
>> we have cyber insurance, yes.
>> and is there a self insurance? do you have self insurance? do you have sort of money in reserve for something like this?
>> there's a retention that we have and then on top of that is a stack of participants up to a limit.
>> and my last question, do you still retain shares in the company?
>> absolutely.
>> thank you.
>> time of the gentleman has expired. there are no more members in the queue.
i'd like to thank the witness for his testimony today. without objection, all members will have five legislative days within which to submit additional questions for the witness to the chair, which will be forwarded to the witness for his response. i would ask, mr. smith, that you please respond as promptly as you are able. this hearing stands adjourned.
the supreme court heard a case dealing with legislative districts in wisconsin after a lower court concluded the state's republican drawn map constituted partisan gerrymandering. an interview with former first lady michelle obama. she's interviewed by tv creator and producer shonda rhimes. on c-span saturday at 8:00 p.m. eastern. congresswoman linda sanchez, vice chair of the house democratic caucus, is our guest on newsmakers this week. in this interview with reporters from the "washington post" and the los angeles times, she talks about her party's leadership.
>> i personally think that, you know, our leadership does a tremendous job, but i do think we have this real breadth and depth of talent within our caucus and i do think it's time to pass the torch to a new generation of leaders. and i want to be a part of that transition. i want to see that happen. you know, i think that we have too many really great members here that, you know, don't always get the opportunities that they should. and, you know, i would like to see that change.
>> would nancy pelosi win a caucus leadership fight right now if she were challenged?
>> i don't know. i mean, i don't know. there are a lot of members in our caucus and, again, everybody has their opinion. i just don't know what the answer to that is.
>> but by saying it's time for a generational change, what you're suggesting is win or lose after next year, it's time for her to go?
>> i don't want to single her out. i think that --
>> well, her and steny hoyer, jim clyburn, all three of them.
>> i think it's time to pass the torch to a new generation.
they are all of the same generation. and again, their contributions to the congress and to the caucus are substantial, but i think there comes a time when you need to pass that torch, and i think it's time.
>> the entire newsmakers interview airs on sunday at 10:00 a.m. and again at 6:00 p.m. on c-span. this weekend on american history tv on c-span3, starting at 8:00 p.m. eastern on lectures in history, a sonoma state university professor discusses the evolution of the national park system.
>> this was not just a case of setting aside an already natural landscape and leaving it alone, which is again what we tend to think of when we think of park protection. what he was doing was making nature out of what at the time was mostly old sheep meadows. there actually is a big area in central park called the sheep meadow, and that's why, because there were sheep on it.
>> sunday at 6:00 p.m. eastern on american artifacts, architect and historic preservationist jobie hill on saving slave houses.
>> it's important to do this because, well, one, documentation is a type of preservation. you know, slave houses are buildings that are disappearing from the landscape, and so by documenting them, that's one way of preserving them. documenting them and through my database is also a way to share information and get it out there and learn from them.
>> then at 7:00 p.m. on oral histories, we continue our series on photojournalists with an interview with lucian perkins.
>> i ended up following a woman who ended up on the front page of the post. in the photo is her yelling at these freshman plebes who are lined up against a wall with their chins tucked in like this, and that photograph ran everywhere in the world. and i'm convinced that that story helped me get a job at the post.
>> american history tv, all weekend, every weekend, only on c-span3. c-span's cities tour takes american history tv to pierre, south dakota.
we'll explore the rich history and literary life of the state's capital city. saturday at noon eastern on book tv, author nathan sanderson.
>> ed lemmon was involved in the expansion of that cattle ranching industry primarily in western south dakota, which was essential, along with mining and the expansion of the railroad, to the growth of our state in the early part of the 20th century.
>> and the director of the pioneer girl project explores the memoirs and inspiration of laura ingalls wilder.
>> the pioneer girl project is a research and publishing program of the south dakota state historical society that is designed to study and publish a comprehensive edition of laura ingalls wilder's pioneer girl, which is her autobiography.
>> we'll tour the south dakota state capitol.
>> if you look up, there are also four corner areas with flags. obviously the south dakota flag. there is a flag from dakota territory. there's a flag for the united states, of course. there are also flags for spain and france because they controlled this territory at different times. and then each corner has -- one corner has a white flag, one a red flag, one black and one yellow. and those are the native american colors that symbolize the four directions of the compass.
>> why that meeting was so important to the area. watch c-span's cities tour of pierre, south dakota, saturday at noon eastern and sunday at 2:00 p.m. on american history tv on c-span3. the c-span cities tour, working with our cable affiliates and visiting cities across the country. last month the second circuit court of appeals heard the oral argument for zarda v. altitude express. judges will decide whether sexual orientation discrimination is protected under title vii, which protects employees from discrimination by employers based on sex, race, color, national origin and religion.
in 2010 donald zarda, a skydiving instructor with altitude express, filed a lawsuit alleging he was fired because of his sexual orientation after he revealed to a client that he is gay. mr. zarda passed away in 2014. his estate is continuing on with the suit.
>> good afternoon. each side has been assigned 30 minutes divided ten minutes per person and that time may be exceeded depending on how things go during the argument. we'll hear from mr. antollino.
>> good afternoon, your honors. i forgot to introduce steve bergstein, my cocounsel, who worked with me on