
Former Equifax CEO Before Senate Judiciary Panel - Part 1  CSPAN  October 20, 2017 1:19pm-2:25pm EDT

1:19 pm
Now, former Equifax CEO Richard Smith testifies before a Senate Judiciary subcommittee about his former employer's response to a data breach that left more than 140 million consumers with their personal financial information at risk.
1:20 pm
It was Mr. Smith's third such questioning in a week's time, and most of the subcommittee's inquiries focused on the speed of the credit reporting agency's response to the knowledge its data servers had been infiltrated by nefarious forces. This is about an hour and 40 minutes. >> This hearing of the Subcommittee on Privacy, Technology, and the Law will come to order. We're here to examine persistent cybersecurity concerns in the data broker industry. This is not the first time our subcommittee has gathered to do
1:21 pm
so. After a cybersecurity breach last August, we held a hearing to ask the question: how secure is consumers' data in the hands of data brokers? The answer: not very secure. The industry immediately responded by committing to take security issues seriously and pledging to dedicate resources toward data protection measures. Yet here we are two years later, in the wake of what we now know as the largest breach of private consumer data, trying to figure out how it happened once again. It happened because data brokers have created an industry-wide culture that appears not to prioritize the security of consumers' information. Traditional brokers, who make a profit by buying and selling information to companies, have very little direct interaction with consumers, little
1:22 pm
assurance in seeking their trust, and security is apparently treated as an expenditure that ought to be minimized. This, of course, is unacceptable. Today we ask another question: how do data brokers prioritize the security of consumers' data? We have now seen over and over how easy it is for hackers to breach data brokers' systems due to a lack of proper security. Last week Equifax said they were breached. Hackers were able to access Equifax's database through a software vulnerability that Equifax failed to resolve despite having been alerted to the vulnerability and its potential for criminal exploitation by DHS. The hackers continuously accessed the system undetected for a
1:23 pm
period of over four months. By the time any steps were taken, 145.5 million Americans' personal identifying information had been stolen, including the data of nearly 3 million Americans -- I'm sorry -- 3 million Arizonans. We will now further ask: what did Equifax do to prioritize the security of consumer data? We'll hear from Rick Smith, former CEO of Equifax. I'll let him describe the details of the breach. These details are important. We must examine them if we're going to learn from this incident. I'm also pleased to welcome to the committee Jamie Winterton from Arizona State University and Tyler Moore from the University of Tulsa, who will be on the second panel. It's my hope that this hearing will finally provide answers to the subcommittee's questions regarding industry-wide security practices and identify ways in which data brokers can truly
1:24 pm
prioritize the security of sensitive consumer data. Now, Senator Franken, if you'll give your opening statement, we'll go from there. >> Thank you, Mr. Chairman, for holding today's very important hearing. You and I were here two years ago assessing the security risks of vast databases of consumer information like those compiled by data brokers like Equifax. We spoke of such companies as being targets for cyber criminals and discussed the lack of accountability that data brokers have to Americans, whose sensitive information they collect, analyze, and share on a massive scale. We also talked about the worst-case scenario: what happens when there's an unprecedented breach of a company that trades on the
1:25 pm
information of people with whom they have no direct relationship and no particular set of obligations. Unfortunately, we all know we're here today again because that worst-case scenario is our new reality. Because of the gross failures of Equifax, as well as a lack of safeguards protecting our privacy and security, 145 million Americans, including over 2 million Minnesotans, are facing the risk of identity theft for the rest of their lives. From tax fraud and medical identity theft to even driver's license theft, the threats to individuals' financial security and frankly their livelihoods are too numerous to count and will persist for decades. To make matters worse, the Americans who could be hit the hardest are the ones who may be least able to bear such a burden. According to a Department of Justice survey, the average
1:26 pm
victim of identity theft loses $1,343 in stolen assets and expenses. That's money out of Americans' pockets for Equifax's failures and a significant burden for most Americans. And let's not forget or downplay what this breach means for our national security. Whether or not there was a foreign government behind the breach of Equifax, no doubt a foreign government could use the information to target Americans for blackmail or to influence future elections. Mr. Smith, I know you're about to tell us how sorry you are, and I'm sure that you've had a lot of sleepless nights in recent months. But as a business that has consistently operated with little or no regard for the well-being of American consumers, I'm wondering whether you and the rest of Equifax's
1:27 pm
leadership foresaw the gravity of a breach and failed to take proper precautions because you simply don't care, and because you don't have to care. Equifax won't be losing any business as a result of its failures. American consumers are not able to walk away and take their business or their personal information elsewhere. And that's because those consumers aren't your customers. They're your product. And you've been treating them as such for years. Perhaps that's why in February of this year the CFPB reported that the three credit bureaus were ranked numbers two, three, and four in the agency's consumer complaint database, trailing only Wells Fargo. According to a 2012 FTC report, one in five credit reports contains an error,
1:28 pm
but for years consumers have struggled to meaningfully correct that information. And just this year, Equifax settled with the CFPB for ripping off consumers over its website, claiming to, quote, offer free credit scores, when in actuality they were signing up for a $16-a-month subscription service. Mr. Smith, your disregard for your customers was particularly evident in the first days following the disclosure of the breach, when Equifax attempted to force harmed individuals into arbitration and insisted on charging consumers to freeze their credit, practices that were changed only after massive public outcry. So today's hearing is an opportunity to get to the bottom of why Equifax didn't do what it
1:29 pm
should have done, but also to think carefully about the future of data brokers and the credit reporting industry more broadly. Can data brokers with massive troves of data ever fully guarantee the security of that data? And if not, should such entities even exist? And if they must, how do we secure both transparency and accountability from the companies that trade on the most intimate details of our lives? I look forward to the testimony of our three witnesses. Thank you, Mr. Chairman. >> Thank you, Mr. Franken. Senator Franken, before swearing in the witness, we'll turn to Chairman Grassley. >> Thank you. For the audience, I don't normally attend all the subcommittee meetings. I have great confidence in our chairman and ranking members. But this is such an important one I wanted to be here to say a few words, and then I have to go back to the Budget Committee meeting.
1:30 pm
Chairman Flake, I know this isn't an unfamiliar subject to you. In the last Congress you held a hearing in this subcommittee examining the data broker industry's security standards for protecting personal information. I appreciate your hard work and the bipartisan approach that you and Senator Franken have taken in examining this issue over a long period of time. Today's hearing continues this committee's long-standing history of involvement in data breach and data security. We've held hearings to examine past data breaches and spent years working on legislation to establish a uniform national data security and breach notification standard. Our progress in Congress has been slow. Criminal hackers continue to find ways to break into even the most secured systems, so it's hard for Congress to keep up with them. Unfortunately, data breaches and
1:31 pm
cyberattacks are going to happen. It's a matter of when, not if. Most Iowans I hear from recognize this fact, but recognizing reality doesn't mean that we must accept it and give up. We all must work to prevent future attacks and limit the harm from those that do occur. Additionally, we must appreciate the fact that not all data breaches are the same. The information and risk of harm can vary greatly from one breach to another. For example, the past breaches at Target and Neiman Marcus, which this committee held a hearing to examine, involved financial information such as credit and debit cards. Of course, this is information that absolutely must be protected and secured. If it falls into the wrong hands, it can create a lot of problems for individuals. But the Equifax data breach, I think, is different. It's important that consumers and policymakers recognize this
1:32 pm
distinction, because the threat landscape has changed. The information hackers obtained or gained access to in the Equifax breach is the most sensitive personal information used by thieves to commit identity theft. So we should let that sink in very definitely. A credit card number or bank account information can be changed with a phone call, but you can't change your Social Security number and your date of birth. Anyone who's ever applied for a loan, a credit card, or a job, or opened a bank account, knows you have to provide a Social Security number and date of birth to verify your identity. Thus, if someone has this information, they can do the same and take over your identity. They can become you, and you won't know what happened until it's too late. Granted, it may be months or even years before a consumer suffers identity theft, if at all,
1:33 pm
as a result of the Equifax breach. Yet no one will be able to prove their identity was stolen due to this particular breach. We live in a world of data breaches, so good luck locating your identity theft's source. The status quo has changed with respect to protecting individuals from identity theft. Most Americans are clearly now at risk of real harm and not mere nuisance. What can and should we do? It's long past time for a uniform national data security and breach notification standard. I've been working with Senator Feinstein and a bipartisan group of senators on this issue. I remain committed to getting a good bill put together and over the finish line, but that's just one step. This breach should be a wake-up call to the new identity theft threat landscape that we now
1:34 pm
face. All of us, policymakers, business, and consumers, must start thinking differently than we have in the past. We need to look at ways to empower consumers to limit or prevent identity theft from occurring in the first place. One tool that's been found to be effective is credit freezes. But credit freezes are costly and can be difficult for consumers to control. In the age of smartphones and other devices where consumers can turn things on and off with the tap of a button, this shouldn't be the case. I look forward to learning more about the tools available to help consumers and the security threats faced by industry and consumers in light of this breach. So, Mr. Chairman, thank you again for holding this hearing. I encourage all of us to figure out ways to work together to strengthen the ability of consumers to protect and control access to their credit information and identity.
1:35 pm
Thank you. >> Thank you, Mr. Chairman. Mr. Smith, will you stand to be sworn in? Do you affirm the testimony you are about to give before the committee will be the truth, the whole truth, and nothing but the truth? >> I do. >> Thank you. Mr. Rick Smith is the former chairman and CEO of Equifax. Before joining Equifax, Mr. Smith spent 2 years at General Electric in top positions in the company's insurance, leading, and asset management departments. Your testimony will be entered into the record in its entirety. I ask that you summarize your testimony in five minutes or less. Please proceed. >> Thank you. Thank you, Mr. Chairman, Chairman Flake, Ranking Member Franken, and the honorable members of the subcommittee. Thank you for the opportunity to testify before you today. As the chairman mentioned, my name is Rick Smith, and for the past 12 years I've had the honor to be the chairman and CEO of
1:36 pm
Equifax. I submitted written testimony earlier, which goes into much greater detail than I will today. I look forward to answering any questions that you may have. As you might guess, over the past month or so I've talked to many consumers and read their letters, and I understand how frustrated and fearful many Americans are about the breach that happened at Equifax. This is my third hearing in two days, and in each of these hearings I have said that there's no doubt that this criminal attack happened on my watch, and the responsibility as CEO of the company stops with me, and I take full responsibility for letting that breach occur. I want to say to every person in this room and every American that I am truly sorry for the breach that occurred at Equifax, and everyone at Equifax is
1:37 pm
deeply committed to making things right. Americans have the right to know how this happened. I'm prepared to testify today about what I learned and what I did about the incident in my role as CEO and chairman of the board, and also what I've learned about the incident since being briefed by the company's investigation, which is ongoing. We now know that this criminal attack was made possible by a combination of a human error and a technological error. The human error involved the failure to apply a software patch to our dispute portal in March of 2017. The technological error involved a scanner which failed to detect the vulnerability on this particular portal, which had not been patched. Both errors have since been addressed. On July 29th and July 30th,
1:38 pm
suspicious activity was detected. We followed our security incident response protocol at the time. The team shut down the portal and began our internal security investigation. On August 2nd we hired top cybersecurity, forensic, and legal experts, and we notified the FBI. At that time, we did not know the nature or the scope of the incident. It was not until late August that we concluded that we had experienced a major breach. Over the weeks leading up to September 7th, our team continued to work around the clock to make things right. We took four steps to protect the consumer. First was determining when and how we notify the public, relying on the advice of our experts that we needed to have a plan in place as soon as we announced. Number two, helping consumers by developing a website, staffing up massive call centers, and
1:39 pm
offering free services to all Americans. Number three, preparing for increased cyberattacks, which we were advised would occur shortly after the notification of a breach. And finally, number four, continuing to coordinate with the FBI in the criminal investigation of the hackers and notifying other federal agencies, federal and state agencies, at the same time. In the rollout of our program, mistakes were made, for which, again, I deeply apologize. I regret the frustration that many Americans felt when our websites and call centers were overwhelmed in the early weeks. It's no excuse, but it certainly did not help that two of our larger call centers were shut down for days by Hurricane Irma. Since then, however, the company has dramatically increased its
1:40 pm
capacity. I can report to you today that we've handled more than 420 million visits to our websites, and wait times at our call centers have been substantially reduced. At my direction, the company offered a broad package of services to all Americans, all of them free, to help protect consumers. In addition, we developed a new service, available on January 31st of 2018, that will give all consumers the power to control access to credit data by allowing them to lock and unlock their credit files when they want. This is free, and it's free for life. Putting the power to control access to credit data in the hands of the American consumer is a powerful first step. We've all painfully learned that data security is in fact a national security problem, and putting consumers in control of their credit data is just a
1:41 pm
first step towards a long-term solution of managing identity theft. But no single company can solve a larger problem on its own. I believe we need a public/private partnership to evaluate how to best protect Americans' personal data going forward, and I look forward to being a part of that dialogue. Chairman Flake, Ranking Member Franken, and the honorable members of the subcommittee, thank you again for inviting me to speak with you today. I'll close by saying once again how sorry I am about this breach. On a personal note, I want to thank the many thousands of hardworking and dedicated people who've worked with me so tirelessly over the last 12 years. Equifax is, in fact, a very good company with thousands of great people. I know they'll continue to work tirelessly, as we have over the past few months, to right the wrong. Thank you.
1:42 pm
>> Thank you, Mr. Smith. I'll start the questioning, and we'll go five-minute rounds. The term data broker comes from buying, selling, or storing consumer information. This is sold to other companies. As I mentioned earlier, traditional data brokers have very little interaction with the consumer directly. Its customer is usually another business seeking specific information about a consumer for product marketing or lending purposes. In your testimony before the House yesterday, you stated that Equifax's, quote, traditional business model is with companies, not with 400 million consumers. What portion of Equifax's business is, you know, consumer facing? >> Mr. Chairman, roughly 10% of our revenues around the world come from what we call B-to-C, business-to-consumer.
1:43 pm
>> That's 10%. What is the main source of Equifax's revenue stream? >> The vast majority, the remaining, is largely doing analytics, insights, and providing solutions to banks, telecommunications companies, credit card issuers, insurance companies, and the like around the world. >> So if only 10% of revenue is consumer facing, what is the company's incentive for keeping consumer data secure when it has no meaningful interaction, or limited meaningful interaction, with or accountability to consumers? >> We are clearly viewed as a trusted steward of that information, and losing that information violates the trust and confidence not only of the consumer but also of the companies we do business with as well. >> I'd like to note that my staff and Senator Franken's staff have asked for this
1:44 pm
information. The company's response was not very forthcoming with respect to revenue streams. I'd like Equifax to provide a description of its business model and identify all distinct sources of revenue. I intend to follow up with the company in writing for answers to these questions, and I would expect to receive a satisfactory response. Can we expect that? >> Absolutely, Mr. Chairman. I'll work -- reach out to the company and make sure we get you that information. >> Mr. Smith, does Equifax maintain a company culture that prioritizes the security of consumers' private information? >> Absolutely. >> Has that always been the case? >> I've been there for 12 years, Mr. Chairman, and we embarked upon a very aggressive ramp-up in people and tools to put security top of mind. There's not a day that goes by that we're not talking to investors, 10-Q, 10-K, consumers and customers, board of
1:45 pm
directors, and our people about being a trusted steward of data being vital to the mission of our company. >> What are some examples that demonstrate Equifax's commitment to security? >> Thank you. When I started 12 years ago we had virtually no staff, no program around security. We hired consultants to come in and do a strategic review and develop a roadmap for us. We've gone from that level in 2005 to roughly 225, 250 employees today dedicated towards security. We spend roughly 12% of our I.T. budget on security. It is -- we created an enterprise risk management program largely centered on all of our risks, including security. >> Equifax waited four months after being alerted to a software vulnerability with the potential for criminal exploitation before taking any steps to stop the attacks. How does that reflect a culture that prioritizes security? >> If I may walk through the
1:46 pm
timeline quickly, that might bring some clarity. It was on March 8th of 2017 that the Department of Homeland Security sent out notification that there was a vulnerability in open source software called Apache Struts. March 9th we sent out directions to the security team to look for, identify, and patch that vulnerability. Unfortunately, that's where a human error occurred. An individual who's responsible for the patching process did not get that request to the right person. March 15th we deployed scanning technology to look for the vulnerability. It did not find the vulnerability. On July 29th and July 30th, a security individual saw suspicious movement of data and shut the portal down shortly thereafter. On August 2nd, we brought in a cybersecurity forensic expert, a
1:47 pm
global law firm, their cybersecurity arm, and they started the investigation. To get to the heart of your question, Mr. Chairman, it wasn't until late August we had an indication that there was a breach of PII, and of some significance. It was between then and September 7th that we worked diligently to prepare to go live. >> Thank you. My time has expired. I have other questions; some may be asked by other members, and if not I'll follow up. Mr. Franken. >> Thank you, Mr. Chairman. You were talking about human error. I want to be crystal clear about something. In your written testimony you reference the, quote, sophisticated cyber criminals who have been behind the attacks on a long list of companies and agents -- agencies, including now yours. But I understand that numerous other entities were provided
1:48 pm
with the same US-CERT alert that Equifax was. For those entities, the vulnerability was assessed and patched, in some cases within hours and at very little cost. Mr. Smith, this was not a novel vulnerability with a novel solution. Would you agree with that? >> Yes, I would. >> Now, yesterday you told Representative Walden that the, quote, human error was the individual who was responsible for communicating to the organization to apply the patch did not, end quote. You just sort of said the same thing in your answer to Chairman Flake. Representative Walden asked, quote, so does that mean that the individual knew that the software was there and needed to
1:49 pm
be patched and did not communicate that to the team that does the patching? Is that the heart of the issue here? And you confirmed that that was the case. And you just said the same thing. Right? >> Clarification, if I may, Senator. I'm not certain that the individual who was responsible for communicating that the patch needed to be applied, that he knew the software was deployed. He was responsible for communicating to his team to look for the software and, if the software existed, patch the software. >> Okay. Well, still, it's an individual. I guess my question is then, why is the security of 145 million Americans' personal information all in the hands of one guy? Why is it all up to Gus?
1:50 pm
How did -- what did you -- knowing the seriousness, at least put it in the hands of one guy to screw up? >> If I may, clarification: this one guy was responsible for the patching process. He had a team underneath him. He did not communicate and ensure a closed-loop process was followed. Number two -- >> That doesn't change that it's up to one guy, and you said this is human error, and the human error was one guy. >> I think, as I mentioned in my oral comments and my written comments, that was followed up by technology, where we deployed a scanner on the 15th of March that from a technology perspective was looking for vulnerabilities, and it did not find it either. >> Okay. Mr. Smith, you told the House Energy and Commerce Committee and the Senate Banking Committee that it was a, quote, mistake,
1:51 pm
that the terms of use for your TrustedID Premier product included a forced arbitration clause. You said the, quote, boilerplate language was removed as soon as possible. This begs a number of other questions, but I'll stick to the one most obvious to me, and that the senator hit on this morning. If you recognize that it would be inappropriate to subject consumers who have been wronged as a result of the breach to forced arbitration, why is it that you think it is appropriate to subject anyone who claims to have been wronged by your company to forced arbitration? Are you suggesting that every other consumer who may have been cheated or mistreated by Equifax is not worthy of the same access to justice as those who have been harmed by this breach? >> Senator, if I may clarify, the arbitration clause is in a series of products that we offer
1:52 pm
to consumers where consumers have options. If they don't like the arbitration clause, they have the ability and right to go somewhere else. It was never our intent to have an arbitration clause -- >> This is the terms of service that you would click on? >> The standard terms for consumer products, yes. It was never intended -- >> How long is that terms of service document? How many pages? >> I don't know. >> You don't? >> We can get that for you. >> If I handed it to you right now, would you be able to find the -- what you have to opt out of? Or actually what you'd have to read in order to say, oh, I get it, I can't go to court? >> Senator, the point I was trying to make is -- >> Would a human being be able to do that? That's my question. If I gave you now the terms and conditions for signing on to the product that you sent to people, would they have been able to find it, like, in five minutes? >> I have not studied that
1:53 pm
document, but my point was -- >> Okay. I think that answers the question. This is a common practice, which is companies like you put in these clauses that no one's going to read. But you're sending these people, who are vulnerable because their information has been stolen, a thing that basically says, here, use this -- use this product that we'll give you for free for a year to check your credit and to check your -- whether you've been breached or not, and oh, by the way, not only can't you sue us if we screw this up, but you can't sue us for the original breach. >> The arbitration clause was removed within 24 hours.
1:54 pm
>> Okay. But it isn't in your other products? >> On the breach solution that was offered -- >> No. I asked you a question, and I just really would like you to answer the question. >> I said yes, it's in the products that we sell. >> Thank you. >> Senator Tillis. >> Good afternoon, Mr. Smith. I was on the Banking Committee this morning. I appreciate your questions. I did add, because we talked about the timeline, I just want to go back, because I have some personal experience in correction and transport and software management, so I need to ask a little technical question here to be clear on the timeline. So after you got the notice of a potential vulnerability with open source, you ordered the patch be applied, and through the miscommunication it didn't get applied. Did you ultimately find instances of that open source that required a patch, and how long was it before the patch was actually applied? I'm just trying to figure out how -- at what period of vulnerability there was. >> To the best of my recollection, it was when the
1:55 pm
security individual on the 29th and 30th of July saw suspicious activity, and they shut down the portal at that time; that is when they applied the patch. >> So that inaction on the part of somebody in your software management or infrastructure group that occurred back when the need for the patch was originally identified, it actually did not -- you didn't cover that vulnerability for a couple of months then. Is that right? >> That is correct. >> Okay. I want to get back to -- did you call it lock for life? >> Yes, that's what I referred to it as this morning. >> Well, I have a question. One thing you mentioned in your opening comment, or perhaps in response to one of the questions about public/private partnership, one thing that -- is it true that the three major providers in this field have roughly the same base of
1:56 pm
consumers? Is there a substantial difference in your base? Do they roughly have similar bases of data that they're working from? >> Roughly. >> And so while we're talking about one business that was exposed to a vulnerability, the fact of the matter is all three of them could be exposed to a vulnerability, some of which could come through the sort of attacks that we saw with Sony and other businesses they thought had secure infrastructures. What's being done to create a consortium, number one, even the lock for life strategy on an industry-wide basis? And two, what did you mean by a possible public/private partnership to try and harden access to this data? >> Senator, on the first, yeah, I think there is an opportunity. It benefits the consumer. For the three of us, in this case ourselves, TransUnion, and
1:57 pm
work together -- >> So it's a single app versus three lock for lives? >> Yes, that's the thought. >> What about the public/private partnership that you alluded to earlier that goes beyond the private players? >> I would love a dialogue that talks about how do you protect identity in the cyber age, the digital age we have today. Is the Social Security number, name, and date of birth in 2017 a secure way, a private way, to protect someone's ID, or is there a better solution? >> I think the techniques that they're using in the card and payment industry really need to get to this industry, or you're leaving us vulnerable, particularly when the remediation efforts require you to enter part of your Social Security number to figure out whether or not you've been exposed to a vulnerability. Let's say that we have that app. Does that simply prevent my
1:58 pm
information from being disseminated to anybody inquiring about my creditworthiness, or is it also opted out of the broader analytics you do to provide services to your B2B customers? >> If I can clarify, it's an interesting question. If you lock your file, it prevents identity fraud against you as an individual. If you go to get a job nowadays, you have to show -- have access to your credit report. If you want to rent an apartment, you have to have access to your credit report. Credit card, auto loan, mortgage, it prevents fraudulent activity against your credit from occurring. It is a secure way to prevent identity theft. >> I guess the final question. I'm glad that you held this committee meeting. I'm probably more glad than Mr. Sloan, but Mr. Sloan, thank you for being here. I want to say here what I said in the Banking Committee meeting that's incredibly important.
1:59 pm
we can spend a lot of time talking about this event and the punitive measures that should be imposed on equifax or anybody else who gets a breach. or we could spend more time recognizing the broader vulnerability that we have and the role that the government needs to play in securing these platforms and ensuring that the consumer protection measures are in place. i mentioned this to mr. sloan this morning. i hate that equifax had this problem. i hate it for the employees. but at the end of the day, we want to make sure that your problem, which is the cost of doing business, you have to secure the data to maintain your reputation, to be able to provide the products and services you do to your business customers and consumers. but at the end of the day, we have to continue to put pressure on businesses to not make the remediation that is required after a breach occurs to be the consumer's problem. we've got to figure out how to get that right.
2:00 pm
we need to have discussions about that. so that we're having a prospective discussion that's addressing the millions of people and the hundreds of thousands of businesses that are every bit as vulnerable as equifax -- up to and including i might add the office of personnel management and government institutions who arguably have access to some of the best technology available. thank you for holding this hearing. thank you, mr. sloan. >> thank you, senator tillis. senator leahy. >> thank you, mr. chairman. i'm glad the other committees are also looking at this. it's been extremely troublesome. it's almost your company, mr. smith, i want to state it as much in favor of you as i can. it showed gross negligence and total disregard of its customers
2:01 pm
and more regard for protecting its own people and its profits even having a couple of your executives cash in stock once the breach had been disclosed before it was disclosed to the public. it's hard to think of such an arrogant disregard to the people that put trust in you. and also -- but i think it may sound like a personal charge against you. i'll let you take it any way you want. but i think it shows something else. there's very little incentive for a company to protect their consumers unless something's gone wrong. and then it's as much -- you did
2:02 pm
one step forward, two steps back, two steps forward, one step back kind of reaction. it looked more like a pr effort than an effort to protect the customers. i've previously introduced legislation that would have required a comprehensive and enforceable approach to the security that requires companies to take preventative steps to protect data, but also quickly notify consumers when -- and customers if a breach occurs. before i did -- i think it may now. i think you may find republicans and democrats will support the bill i'm reintroducing for a new consumer privacy protection bill. it's certainly going to have strong support of leading consumer rights groups and privacy supporters. i hope it won't be considered
2:03 pm
political because republicans and democrats are being hurt by this ignoring of consumers. corporations, i understand can profit immensely from our personal information often without even our knowledge. but they should be obligated to keep it safe once they have. i listened to what my colleagues have said. i made notes as they're going on. senator franken had talked about the consumer privacy. i think we all feel an individual consumer looks at a giant company like your former company and they feel they're powerless even though they expect you to give overall kinds
2:04 pm
of information about themselves. you discover this. no matter how you describe it, it took you six weeks from the date it was discovered to finally disclose the breach to consumers. if we had that consumer privacy protection act you would have been required to notify us immediately. your lobbying report shows us you spent a quarter of a million dollars lobbying the congress against the consumer privacy protection act. you think that maybe after all this has happened consumers or companies like yours, like your former company might take steps to protect not only themselves but to protect their customers? i just want to give you a -- i'm trying to be as subtle as i can
2:05 pm
in letting you know how i feel. would you like to respond? feel free. >> thank you, senator. i would like to respond. one, as i've stated in the prior hearings today and yesterday, we do take protecting data for our consumers and customers very seriously. it is a reputational issue. and once we lose that trust, it takes a long time to regain it, not just for the consumer, but for the companies who trust us with their data as well. i'd like to touch on one thing, if i may. you mentioned the insider trading of the stock sales. and your comments. would you like me to talk about that now? >> no because you're going to be discussing it in other committees and i'll wait to hear that. what i would like to discuss is the possibility, you spent a lot of money lobbying against the consumer protection act that might require you to notify consumers immediately of such breaches. are you still going to fight and
2:06 pm
spend hundreds of thousands of dollars to stop that kind of a consumer protection bill from going through? >> senator, i can tell you as a company, we do have a government relations team. in the scheme of things, it's relatively small. we're a company with expenses of well over $2 billion. i think our entire lobbying budget which includes association fees is $1 million or less. >> i could care less what your budget is. the fact is you opposed legislation notifying consumers that might actually give consumers the ability to respond when they've been hurt. are you going to -- is equifax going to continue to fight consumers' right to know? >> i'm unaware of that particular lobbying effort you're referring to. i can talk to the company, but i'm unaware of that particular lobbying effort. >> it was in your report that you have to file on your
2:07 pm
lobbying expenses. but my time is up. mr. chairman, i just want to give fair notice i will try again to get through consumer protection legislation among other things to allow people a real choice and not be forced into arbitration where the companies determine who's going to make the decision. >> thank you, senator leahy. >> thank you, mr. chairman. mr. smith, do consumers have the right to find out what kind of information data brokers like equifax have on them? >> do they have the right? >> yeah. yes. can they call equifax up and say what do you have on me? >> every consumer has a right to a free credit report from us, from the industry, and that credit report would detail all the information that the credit file would have on them. >> that's just their credit.
2:08 pm
you have a lot of other information on everybody besides just their credit information, do you not? >> yes, we do. >> so my understanding is that you get all these -- this information free. you don't pay anybody for their information you gather on 145 million people which is more than one out of three people in our entire country. >> it's largely free. there are exceptions, obviously, but this business as you know, we're 118 years old. we're part of a federally regulated ecosystem that enables consumers to get access to credit. that data is there and used at their consent. regardless of the type of data we have, if it's your employment data or your income data or your credit data, that can only be accessed if you give the consent to access that. >> how does one give consent if you're selling the information that you have on them? >> if you as a consumer go to
2:09 pm
your bank and want to get a credit card, for example, when you sign a contract with the bank for the credit card, you're allowing the bank the access to approve your credit in this particular case to give you the best rate and the best line. >> so it's not really a free choice, is it? if all of us had the option of not having a specific information about us and pretty specific information, if we all could just do that and say no, we don't want our information to be sold, that would be an easy matter. but if it's tied to the ability for that person to get credit or to do that, then that's not what i would call an arm's length kind of a free choice decision being made. so there's that. is there a government agency or agencies who's investigating the breach of equifax? is it the nsa? >> there are a variety of investigations going on, yes. >> can you name the agencies that are conducting these investigations? >> state ags, example, ftc and
2:10 pm
others. >> do you know if the nsa is? >> not to my knowledge. >> and i realize that this committee had had a hearing in 2015 expressing concerns about the security measures that entities like you put in place. so after that hearing the very thing that was the subject of that hearing in 2015 has come to pass. so after that hearing, did equifax do something to secure its data? >> i'm unaware of a hearing in 2015. >> mr. chairman, did this committee have a hearing in 2015? that's what my -- >> specific to equifax? >> no. it had to do with data brokers. so being a company that has been in this business for over 115 years, i would think that you were aware. but what did the then equifax do to secure its data? >> as i mentioned earlier,
2:11 pm
we have invested heavily in people, processes, technologies. we've staffed up dramatically. we bring in consultants from time to time to look at our processes. always looking for new tools. >> yet this breach occurred. so does equifax face any fines or liability for the breach? >> there are a number of lawsuits going on right now. >> these lawsuits are brought by what? class actions? >> state ags, class actions, yes. >> so you are facing some liability issues. if we were to pass a bill that allowed individuals to opt out of a broker -- data broker from selling any information on them, there goes your business, right? >> more than that. there goes the economy. >> there goes the economy? >> if consumers don't -- >> this is different from the credit reporting portion of your
2:12 pm
business. >> what piece are you referring to? >> don't you have a lot of other information besides their credit scores? you have social security information. you have date of birth. you have all kinds of information. >> that is all largely a part of the credit ecosystem. so it's -- it's part of the picture of a consumer. there's the credit information, the pii center which you referred to is a part of that as well. employment data, income data. it's all -- the primary purpose of what we do is to aggregate data to give underwriters of risk the best insight to make a decision when the consumer wants access to credit. >> so that sounds all very benign and all of that, but since we don't know who breached your systems, we don't know what use they're going to make of all this information that they have on everybody. how will you know if this information is being used in
2:13 pm
ways that the people are not authorized to use the information? >> a couple things. one, we have offered five services to the consumers. one of those is a monitoring service so we can monitor activity against that consumer as it relates to their credit file. two, we're offering a lifetime ability for a consumer to lock his or -- access to his or her credit file for life for free. if you lock that file down, it secures your credit file for life. >> can i ask one more question? >> how many consumers of the 145 million have taken advantage of what you just described? >> i don't have that exact data. we can get that. i mentioned in my oral comments i think it was 420 million consumer visits to our website alone in the last whatever it's been, three weeks. the expectation is the take rate for these free services will be
2:14 pm
multiples higher than a typical take rate you get for a breach. as you know, there are breaches literally every week now in america. we've got good insight to that. this looks like it will be multiples that size. >> perhaps you can get back to us as to how many of the 145 million people have -- >> senator, point of clarification, we've offered this free service to all of america. not just the 145 million. >> thank you. thank you, mr. chairman. >> thank you. i know we have a vote called so i'm going to go four minutes and turn it over to senator blumenthal. the reality is that we will never prevent all data breaches, mr. smith. i know this from my state. but what we can do is to control how we react when it happens. we can also put things in place to make sure that we've done everything so that it doesn't happen. i'm just looking at the response here. you guys didn't report the breach for a month.
2:15 pm
after disclosing the breach you fell short with your response. customers spent hours on hold. the twitter account directed customers to the wrong website. the right website was not secure. the customers were initially charged. in your testimony you laid out the timeline of discovering the data breach. do you believe you dedicated enough time and resources preparing to respond given what happened later in the outcry from the customers? >> senator, if i may go through a few of those, you mentioned a month to respond. as i had in my written testimony and the oral testimony, it wasn't until late august we actually understood that there was a breach that occurred. significant breach that occurred. so it was a number of weeks. the response, you are correct, i mentioned in my oral testimony that the response to our call centers and our website was overwhelming in the early days, early weeks. the volume was far greater than anything we've ever handled in
2:16 pm
the history of our company. the team reacted as quickly as they could to increase resources and improve the service level. the twitter account that you mentioned, there was one customer service rep and i think the number was 14 to 17 consumers got the wrong -- it was responding to twitter and directing consumers to go to a particular website. 14 to 17 consumers got the wrong website from this individual who's no longer employed and they shut that down very quickly. the service was not optimal. we realize that. we apologize for that. it's getting better every day. >> what do you think other companies could learn from this, not only as we look into a world where hacks are happening and how you would better prepare for responding? i know you went over in your opening the two things that went wrong. but what do you think that you would learn from this as a company and what other companies should learn, and then the second question is from the response from what happened with
2:17 pm
the response? >> on the first -- >> preventing and then the response. >> on the first, the rate of change and sophistication of cyber attacks, the rate of increase of cyber attacks is unbelievable. i mentioned in one of the other hearings, it's not unusual for us to identify and block millions of attempted suspicious attacks every single year. that's doing nothing but going up. so continue to challenge yourself to think creatively with outside influence, never take security for granted. on the response, senator, it is -- i struggle with that one to be honest. the volume of response from consumers for business of our type and size, which is largely a b to b company, not a b to consumer company, to have 400 million consumer visits in a few weeks, i'm not sure there's much
2:18 pm
more we could have done. i mentioned in my comments, hurricane irma took out two call centers. there will be a time for reflection. i'm not trying to short the answer. there will be a time for reflection and say what could you have done better on both sides and i'll do that. >> thank you. >> thank you. >> senator blumenthal. >> thank you, chairman. thank you for being here, mr. smith. you weren't the only one responsible for the system protecting against this kind of breach, were you? >> no, sir, but i was ultimately responsible. >> you were ultimately responsible, but you had a team of people. this wasn't simply your failure. it was an institutional failure, correct? >> yeah. i described it in my comments as a human error and a technology failure. >> well, a human error and a technology failure, how many employees are there at equifax?
2:19 pm
approximately 10,000. >> who under you is responsible for security? >> that person reported in to the general counsel. that person is no longer with the company. >> has he been fired? or she? >> there's two individuals a few weeks ago stepped down from the company. one is the chief security officer. the other was the chief technology officer. the third was the individual responsible for the breach. >> how many people have resigned or been fired? >> so far it's -- i've stepped down as you know. chief technology officer, chief security officer, and the individual in the patching environment. four that i know of so far. >> and the investigation is still going on. >> four out of the total? wouldn't you agree with me that many more than four are responsible? >> there's a detailed investigation going on. >> you have been in effect --
2:20 pm
you have become the designated apologist or some would say the fall guy, but there are many more who should be held accountable, correct? >> i go back. it ultimately stops with me. and it has. there's an independent external investigation going on right now and if someone needs to be held accountable, i'm confident this board will make those people accountable. >> you would agree with me that people have been harmed here. >> if nothing else, they've been angered and frustrated. >> well, they've been angered and frustrated because their privacy has been invaded, their most private information has been in effect given to thieves. their security over years to come has been shattered.
2:21 pm
whether or not they ever become victims of identity theft, correct? >> i can't -- senator, i understand the question and the emotion of the question. i do believe the combination of the five services we've offered for a year combined most importantly with the ability of a consumer to lock down any access from any fraudulent activity for life for free -- >> but their sense of security has been shattered. the lock line program -- by the way, is there any arbitration requirement attached to any of these programs? >> we talked about the initial rollout had that early on, that first -- >> but don't the terms of use still require arbitration? is there any arbitration requirement? can you guarantee that committee that no consumer will ever be required to go to arbitration? >> i cannot, sir. >> why? >> one, i'm no longer with the company. i can talk to the management
2:22 pm
team. >> well, that's what i mean by the designated fall guy. you're here. you can't speak for the company. i'm interested in looking forward. how will consumers be protected? will arbitration be required of them? will they be compensated for the sense of security that has been lost? will there be a compensation fund? will there be insurance against that kind of loss? and i'm talking about a compensation fund that applies to them because of that loss of privacy. these kinds of questions, which you're unable to answer because you're no longer with the company, are as profound and important as any investigative effort looking back and i recognize you're here without the authority to make these decisions, but i think someone from the company has to make
2:23 pm
them. >> i understand your point. >> thank you, mr. chairman. we have a vote so i'm going to end my questions there. thanks for holding this hearing. >> thank you, senator blumenthal. unfortunately i have to go vote as well. just before ending this portion, though, i'll go ahead and recess for the next panel. so i can go vote. two votes we have to do right now. just to -- the hearing that we had two years ago and the thread that kind of goes between that one and this one kind of reflected in the questions that i asked with so little of the company's revenue, 10% in your view customer facing. it seems that part of the problem we have with the data broker industry is that frankly there's just too little priority given to protecting consumer information when you don't face the consumer that much. when you simply aggregate data, personal data and then store it
2:24 pm
or sell it or market it to other companies, then it seems that privacy of individuals is given the shaft. and that's just from my view and i think a lot of other people's view. can you dispute that? >> senator, mr. chairman, i'll go back to where i was earlier on. data privacy protection regardless of it being a consumer's data or a company's data, we take both equally seriously. the reputational impact is significant coming from a consumer breach as it would be a corporation breach. >> thank you. this concludes this panel. thank you for your testimony. we'll recess before calling the next panel. thank you.