
tv   Equifax Data Breach  CSPAN  October 17, 2017 10:03am-11:57am EDT

10:03 am
we take you live to the senate banking, housing, and urban affairs committee on consumer data security. a follow-up to the equifax data breach hearing which affected more than 145 million americans. we are talking about that. we will take you there for live coverage. >> this committee will come to order. as a follow-up to our hearing on the equifax data breach, we will hear testimony on the protection of consumer data at the credit bureaus. members expressed interest in how credit bureaus are in -- protected, how they protect consumer data and whether there are gaps congress needs to fill. i've been concerned about the ever-increasing amounts of the data collected by companies in
10:04 am
the government. it is critical that personal data is protected. consumer impact in the breach is minimized and consumers' ability to access credit is not harmed. credit bureaus play a valuable role in our financial system by helping institutions assess a consumer's ability to meet financial obligations. and also facilitating access to beneficial financial products and services. the inherent nature of the business as with most businesses in the digital age, requires utmost data security to ensure that sensitive consumer information is safeguarded. two weeks ago, equifax testified about the methods it used to protect consumer bases such as encryption. former equifax ceo richard smith noted that while some of equifax's databases are encrypted at rest, the dispute portal that
10:05 am
was compromised was not. questions remain about the best ways to protect sensitive data, including are there data security industry standards and best practices that credit bureaus? encryptions like addressed the employed to protect all data. what role do financial institutions and federal agencies play in data security at credit bureaus? given that credit bureaus are financial institutions, how does data security, testing, and oversight by regulators compare to that of traditional financial institutions? i look forward to hearing from our witnesses about what credit bureaus do to ensure security for the data they collect. who oversees credit bureaus to see they have adequate security measures in place? what improvements could be made to the oversight of data security of the credit bureaus? there are many concerns regarding company response to
10:06 am
data breaches. the equifax breach has left more than 145 million consumers confused as to what can be done to mitigate damage to their identities and credit. we know that starting in january, equifax will offer all customers the ability to lock or unlock their credit files for free. additional products have also been offered from equifax and the other bureaus for consumers to monitor or freeze their credit reports. many consumers are main about which options are best for them. this hearing will hopefully provide some additional clarity. we have a shared interest on this committee in ensuring that credit bureaus take the necessary measures to safeguard personal data and minimize risk of another massive data breach. senator brown. senator brown: under current law, whether we like it or not, companies like equifax can collect vast troves of personal information.
10:07 am
that includes information plucked from our work histories, social media profiles, reward cards, track our purchases at the grocery store and information from cell phones tracking commutes. these companies are free to combine and sell the information to all sorts of financial institutions and other data mining firms who use it to make decisions about us, like what kind of car or job we might get. corporations like equifax rarely have to tell us exactly why or how these decisions are made. they get to hide behind proprietary models and trade secrets. it seems our laws to protect big corporations use of people's data a lot better than they actually protect people. as the recent breach demonstrates and cyber security measures at companies like equifax might work perfectly yet still do little to protect consumer data. 145 million people had their private data exposed.
10:08 am
it does not appear any sensitive corporate data was accessed because these businesses are not accountable to consumers and because consumers have no choice over who is collecting their information. consumer protection is the much an afterthought. as we talk about the clearly inadequate protection for consumer data at equifax and those in place of the other reporting agencies, we cannot forget the real victims of this hack are the 145 million people, 5 million in my state alone, who through no fault of their own have had their personal information compromised. i hope we don't just talk about how we strengthen cyber security . we need to do that of course, we need to explore how to restore people's control over their own information. we need to examine whether the current model makes sense for american consumers. we know the bureaus have a long history of consumer complaints and inaccurate reporting that
10:09 am
has long-term effect on people's ability to get a job or house. rather than addressing these problems, the credit bureaus have spent millions acquiring other data collection companies and branching out into new lines of business. despite their continued failure to provide accurate credit reporting services or to protect all of the data they collect. these ceos have been rewarded with enormous salaries and bonuses. sometimes they say they will give up their bonus as if that's a major concession. now in an era of nonstop cyber threats, it seems like they made consumers even more vulnerable. equifax made astounding amounts of money off the consumer data collected. it will hardly, unless things change, it looks like it will hardly pay a price for its recklessness. it is still collecting and storing data and in some cases we are giving tax dollars to do it. i look forward to the days we
10:10 am
can talk on these matters. >> we will now turn to our witnesses. first we receive testimony from andrew smith, partner at covington on behalf of the consumer data industry association. then we will hear from mark rotenberg, president of the electronic privacy information center. finally we will hear from mr. chris jaikaran, analyst in cyber security policy at the congressional research service. each witness is recognized for five minutes of oral remarks and questions. mr. smith, you may proceed. thank you for the opportunity to appear before you. my name is andrew smith and a partner at the law firm of covington burling. behalf of the
10:11 am
trade association of companies that provide businesses with the information and analytical tools necessary to manage risk and protect consumers. ctia's members include the three national credit bureaus. you've asked us to discuss how credit bureaus protect consumer data. first and wanted to mention the important role played by the national debt credit reporting. more than two thirds of our gdp comes from consumer spending, fueled by consumer credit. credit reporting system that allows them to quickly and effortlessly open a bank account or purchase a cell phone. more than 40% of consumers move every year and the national credit reporting system facilitates this mobility in addition to providing fast, fair, and impartial access to well priced insurance, apartment rental and other services. congress years ago, enacted the fair credit reporting act to ensure that
10:12 am
ensure fairness and impartiality to protect consumer privacy and fight for the continued development and vitality of the national credit reporting system. the most recent revision to the comprehensive regulatory scheme was the addition of the cfpb as the supervisory agency. this is the first agency to directly supervise a national credit reporting system, not just examine credit bureaus, but the user credit reports and the companies that contribute information. supervision of the credit reporting system began in earnest in early 2012 and according to the cfpb has produced a proactive approach for many years to come. bureaus are subject to federal and state laws requiring them to safeguard consumer data and because of the key role they play in the banking system, they are subject to very specific
10:13 am
private data security requirements such as the payment card industry data security standards. credit bureaus are required by the -- required to maintain procedures that they only provide credit reports to legitimate people for legitimate purposes. these credential requirements go beyond contractual certification and include comprehensive due diligence of prospective customers as well as continuous monitoring of existing customers. they also require secure disposal of credit information. the ftc safeguards rule referred to by the chairman requires financial institutions including credit bureaus to develop and implement comprehensive information security programs. the laws of at least 13 states similarly require companies to implement and maintain reasonable procedures to safeguard sensitive personal information. almost every state requires that companies notify consumers when
10:14 am
there is unauthorized access to or acquisition of sensitive personal information. because of their important role in the banking system, credit bureaus are also subject to private contractual data security requirements. the credit bureaus handle credit card information, the card networks require that they comply with the payment card industry data security standards and validate such compliance by obtaining independent third-party audit of their security procedures. in addition because banks provide a great deal of sensitive customer information to the national credit bureaus, they are required by their regulators to conduct regular information security audits of the credit bureaus. these can include on-site inspections which might last for several days. each of the three national credit bureaus is subject to these reviews each year. cdia shares with you the goal of ensuring businesses and
10:15 am
consumers have confidence in the national credit reporting system to keep data safe. thank you for the opportunity to testify and we look forward to the dialogue. >> thank you for the opportunity to speak with you today. my name is mark rotenberg. independent nonprofit research organization founded in 1994 to focus public attention on emerging privacy issues. i would like to begin by saying that the equifax data breach is one of the most serious in our nation's history. with a 2015 data breach at the office of personnel management that impacted more than 22.5 million federal employees, their families, and friends. comes debt breach
10:16 am
poses enormous challenges to the security of american families and even to our nation's security. there is no simple solution, but in my testimony i will outline the steps that i believe congress can take to mitigate the risks that follow from the breach and reduce the danger and likelihood of future data breaches. the equifax breach is remarkable because of its scope, the sensitivity of the data and the delay to fix a well-documented security flaw. more than four months passed in the time equifax failed to install critical software updates. the data that was disclosed is precisely the information that individuals rely upon to open bank accounts, get car loans, seek employment and buy cell phones. it includes names, home addresses, birth date and drivers license information.
10:17 am
this is also the data that criminals use to commit identity theft and financial fraud. equifax is clearly responsible for this breach. the company was notified in march by both the apache software foundation and u.s. cert of the need to make critical software changes. but it is also worth emphasizing that equifax chose to collect this personal data on american consumers. consumers did not provide this information to equifax. and the lax security strategy they followed meant that a single breach resulted in the release of 145 million credit reports of american consumers. this caused unprecedented harm. when hackers get access to credit card numbers, consumers can cancel accounts and change the credit card numbers, but it is not so easy to change a
10:18 am
social security number and i don't think it's possible to change your date of birth. equifax's victims will be exposed to the ongoing risk of identity theft and financial fraud which is already a problem for american consumers. the ftc reported a most hundred thousand cases of identity theft in the u.s. in 2016. 29% of those involved tax fraud and the department of justice estimates the cost to the u.s. economy at over $15 billion per year. reporting agencies are in urgent need of reform. in my testimony i've outlined a number of steps that i believe should be taken to establish accountability and transparency. most simply, consumers need to be given greater control of the information about them that impacts their financial futures. this means for example that we should have the nationwide
10:19 am
credit freeze or to say little bit more precisely, the disclosure credit reports should be on an option basis. we recognize the value of credit in the american economy, but it is the consumer who should decide when it is in their interest to disclose the information to a third party to obtain the car loan. they should not have to jump through hoops to put in the blocks and freezes to restrict access by others. they should make the affirmative decision. credit monitoring should also be freely available. you should not have to pay to be told there is fraudulent activity on your account. that is the current problem of credit monitoring services that require either a fee or limit the access to credit monitoring for 90 days. this makes no sense whatsoever. if there is a problem in the account, the consumer should be notified. we also think consumer should have more ready access to the contents of the credit report so
10:20 am
that they know who is receiving the information and the impact the data might have. i have several other suggestions in my testimony which i will be pleased to provide to the committee. >> thank you. chairman crapo, ranking member brown and members of the committee. thank you for the opportunity to testify. inname -- i'm an analyst cyber security policy the congressional research service. in this role i research and issues issues and their of data security and management. my written statement goes in further detail. will -- ony cyber incident response and options for congress for security. increasingly used catchphrase is that today all companies are technology companies or all
10:21 am
companies are data companies. this concept reflects that data plays an important role in enabling the modern practices which allow companies to compete and thrive in the modern workplace. this also creates risk for corporate leadership to manage. adequately controlling that risk is an objective of cyber security. is an element of cyber security that involves risk management. absolute security is not attainable. managing the risk, which impair security. in order to evaluate risk, managers need to understand the threats are enterprise makes and the consequences of an incident. responseurity describes activity to confirm an attack and mitigate against this. it is nott response, limited to just i.t. personnel, to external and internal stakeholders, legal
10:22 am
team to help with requirements and management for those who are responsible for the corporation should all be included in it spots planning. among others. there is a delay between a discovery and public notification. analysis of what's transpired would be conducted. will inform the entity of how they were breach and what data or systems were compromised. this type of analysis may be conducted by the entity itself, a business partner, government response teams and law enforcement. with a variety of potential investigators, determining how they will work the response and how they share information is a factor which should be determined during the planning phase. with information on how the breach happened and the extent of the breach, the entity can mitigate its effects. these phases need not occur in succession and may be able to concur -- occur concurrently.
10:23 am
congress could explicitly authorize a federal regulator to monitor credit reporting agencies as promulgated by the federal trade commission. the dialogue created by the federal government and credit reporting agencies could lead to greater understanding of cyber security risks faced by credit reporting agencies and allow for those with deficiencies to bring up their security posture. this usecould regulate and retention of data regardless of who holds it. the european union and canada have such data laws. congress can establish unwed on what may be collected, how it can be stored and consumers rights. congress could require credit reporting agencies or any agency that profits from data to disclose their model for consumers. whatis how it is used and
10:24 am
other data the entity generates about the consumer will provide consumers with additional information that may affect their decision in the marketplace. thank you for the opportunity to testify and i look forward to your questions. >> thank you very much. before i begin my questions to inform the centers with a vote at 1030. senator brown i have discussed that. attendance of our the vote and you can make your plans accordingly. the hearing will continue to proceed during the vote. , i askuestion i've had you to be concise. as do it -- we only have five minutes each. this is for each of the members of the panel if you have an opinion on this. there's been a lot of discussion surrounding the security of the social security number and where it should be used as an identifier going forward.
10:25 am
do you think we need to get rid of the social security number as a personal identifier? if so, what viable alternatives do we have? how would we ensure that such an alternative doesn't suffer from the same drawbacks? mr. smith, do you want to start? mr. smith: if we limited the social security number as a personal identifier, we will have to have something -- some other unique identifier that will allow businesses and credit bureaus to know who precisely they're dealing with. my name is andrew smith, there are thousands of me, perhaps tens of thousands of me. when you look at a bankruptcy court record, if there is no identifier, how do you know which andrew smith it is? socials and other identifiers play a critical role in the economy, just simple identification. not authentication or verification not that i truly am who i say i am. perspective socials
10:26 am
are terrible. as identifiers, socials have had a role to play. whether we need another identifier, i think we are willing to work with you on that to try and get to the right result for consumers. i've spent many years before many congressional committees are that limits be established on the use of the social security number. we've never argued for replacing the number. the key point is that it serves a -- an important purpose in systems. that is what it was established for and that's what the legal authority exists. the problem is that the ssn was adopted in the private sector and used as an identifier for general purposes. this has contributed to identity theft and financial fraud. with an imperfect identifier using both a password and authenticator was intended for neither. when we talk about the social security number, we would not
10:27 am
see -- assay to replace the ssn as i describe in my testimony, we would say limit its use. it should only be available in the private sector for lawful purposes. mr. rotenberg: this also -- mr. security the social number is a piece of personally identifiable information so limiting its use may lead to reduce consequences that impact data breach. whatever replaces it would likely still remain personally identify limper make an that would constitute some level of increased security posture around that data in case the -- there were a breach. >> this question is just for you, your testimony discusses encryption and other tools. equifax's former ceo mentions some of their data is encrypted at rest. while some of it is not. are there certain memory and data security tools that should be employed across the board for data sets including information? are there measures that may have been
10:28 am
able to prevent the breach? mr. jaikaran: in my testimony i discuss cyber security is an element of risk management, understanding the entire risk that a corporation may face in their conduct of their business. there are federal guidance for the implication of encryption and are industry best practices on the use of encryption for data at rest, data at motion. while these may exist, it depends on how it's implemented and the use cases of each individual company. for where they apply that encryption, how strictly they apply that and how the keys are managed within that enterprise to allow those with legitimate access to continue to be able to conduct while still restricting access. >> thank you very much. i have 45 seconds left so mr. smith
10:29 am
erg, the ftc has no regulatory agency currently examining supervising security. as is the case with banks. do you think there is a gap in this framework and do we need a credit bureau agency to be set up or authorized to examine security? mr. smith: we feel as though we are not unsupervised with respect to data security. bank customers who are regularly auditing us. i would say however that if there are gaps in supervision that we would be happy to talk with you about that and you come up with most sensible result for consumers. the ftcnberg: safeguards rules and important standards, but it only applies right now after the fact. the ftc can only act against a
10:30 am
credit reporting agency once the breach occurs. we think they should have the ability before the breach to inspect and determine compliance of standards. senator brown: the system provides critical important benefits and indispensable to the economy. i think we all agree with that so my question is this. please give yes or no on this. you think the breach or failure of a nationwide credit reporting could have a systematic -- could have a systemic impact on the u.s. financial system? mr. jaikaran: a breach of any agency is difficult to judge, but it is a possibility that it could have impact on the financial system. mr. rotenberg: i think the answer is clearly yes.
10:31 am
mr. smith: with respect to the equifax incident, one of the things we need to keep in mind is that according to the news reports the credit reporting database was not in fact compromised. the compromise of a credit reporting database i would have to think about whether it would present. >> you are the one that started off by saying it provides important benefits and is indispensable to the economy. a breach of 145 million you don't think does have a systemic impact? mr. smith: i think the risk would be able to be managed by banks, but i think it will be something that needs to be actively managed because what it would -- >> is it a yes or no to systemic impact? a lot of things can be managed. does it have a systemic impact? >> i'm not prepared to say that it would have a systemic impact but i would like to think that through. senator brown: in the next week could you let me know. >> how would you define systemic impact?
10:32 am
senator brown: i'm asking you. 145 million sounds like a lot to me. , we have been trying to fix inaccuracies. these the most desperate through the most complained companies, do you think it would make sense to present -- prevent these reporting agencies from collecting new personal data or providing other services until they met and accuracy metric in the consumer credit reporting and should consumers second should they bed, allowed access to data by all these three companies? mr. rotenberg: i think both suggestions are very good very credit reporting agencies which provide personal data to others should be held to an accuracy standard because of course when they provide information that is inaccurate and incomplete or out
10:33 am
of date, people wrongfully denied credit and jobs. that is a problem. also to your second point, whatever information the credit reporting agencies know about us , i think we should have the right to know. particularly now when this information is being made available-for-sale for data fallss and oftentimes under the protections of the fair credit reporting act. to giveto do much more consumers information and control about their personal information held by others. senator brown: mr. smith, consumer advocates of called for free security to be provided by axis -- equifax comments instead the companies announced they are rolling out what are called credit lock products which appeared to give consumers fewer rights and less security than credit freezes. cra's offering these survey
10:34 am
of two sign forced arbitration agreements? mr. smith: can i respond to the issue of access? i want to remind members of the committee that consumers do have access to all of the information on file about them with consumer reporting agencies. free access to that through annual credit as well as other recompense mechanisms. with respect to the credit locks , i'm not so familiar with the different features of the credit locks, nor do i know if they have enough -- an arbitration clause. >> on the first round of credit monitoring products that they generously offered, they included that. they backed off under public pressure. >> that i know. i don't think the impetus for offering credit locks would be to obtain a mandatory arbitration clause from
10:35 am
consumers. i do think these credit lots may be useful for consumers. i think that freezes more generally serve a specific type of consumer. they can obtain a frequent report, prison a fraud alert on their credit report, obtaining credit monitoring. there is a lot of free credit monitoring available so i think consumers should understand and appreciate that before they place a credit freeze on a file. credit freezes do have their place. close withwn: i will forced arbitration agreements. you were their lawyer, you represent them, they also rely on you for advice. are you willing to go back to them and say that there is strong sentiment among the public in this -- and this congress that forced arbitration agreement should not be part of this credit lock offer? >> i will convey that message. an exit andhere is circumstance when we are talking
10:36 am
about credit monitoring and other credit report related products and there's a statute called the credit repair organizations act which imposes particularly stringent penalties on companies, any company found to be a credit report organization. because of that, i think some members of the committee are familiar with this, because of that arbitration clauses have a special role with these. but i will convey the message. senator brown: would you share the committee of what message you will convey? >> i will share that. >> thank you. gentleman, regardless of what we put into law, regardless of what rules are put in place, if they are not followed, the possibilities of an additional breach continue. i'm just curious, with regard to equifax, would it be fair to say that the data we have so far and the information we have so far,
10:37 am
does it point to basically human error having been the cause of the data breach? just a quick response from each. i think human error understates the problem. we are talking about a breach that impacted 145 million americans. a circumstance where the company was notified by two leading authorities and left the breach exposed over a four month period. even the response to the breach was not helpful to consumers. at almost every step, they did the wrong thing by consumers. i believe equifax has said publicly it was the result of human error. with respect to the question about human error, i would add the ftc and cfpb are investigating and i would want to see their conclusions before we draw any broader -- before you make any policy choices.
10:38 am
mr. jaikaran: based on the amount of information we have regarding these breaches, to judge as to whether the breach came down to human error or some other reason within the company. it's difficult to judge at this point based on the information we have. let's assume there was human error involved in this. recognizing the significant damage that's been caused. abilityve within our the opportunity to lay out a plan in which there is not just auditable, but a review process in place with assurances , we are stillugh talking about the protections that we put in place for a legal entity that has been breached by thieves. what more can we do or what more should we be doing to prevent
10:39 am
this break in in the first place with regards to protections and also the consequences for entities throughout the world that actually cause these breaches that are actually overtly out trying to get her hands on the data? do we need to look at additional authorizations for institutions that would be literally for the cyber community, the same that the fbi was when it came to stop in robberies of the 1920's and 1930's? do we need to be looking at something like that on a worldwide basis? mr. rotenberg: i think this is a very important point. when the fair credit reporting act was passed in 1970, the primary concern was about possible misuse of consumer data by the credit reporting agencies and that was the problem that congress sought to address. here we are most 50 years later
10:40 am
living in a world of constant cyber attack. in my testimony this morning i tried to explain that the equifax breach needs to be understood not just in terms of the misuse of personal data, but exploitation by foreign adversaries. that is also the reason why i think we need to update our privacy laws, put more incentives on companies to protect this data not just from misuse, but also from exploitation by foreign governments. we think that to the extent that there are gaps in supervision of data security that we are -- we want to talk with you about that. we want to get to the right result. with respect to the professor's point, there is no doubt this was a criminal act that was from an unknown source and may have been from a foreign actor. thinks something that i
10:41 am
is hopefully the ftc and other continued investigations will policyand if there are implications from that, hopefully we can have that discussion. mr. jaikaran: when we think about the government relationship with these agencies, there are three parts, first as rulemaking next is examination and the third is enforcement. in this space we can see the examination space was the one that we had the least government involvement. i think that present an opportunity for congress to create further dialogue on how they want agencies to act. concerning the consequences. to the best of my knowledge that would be a conversation drop of law enforcement agencies on what authorities they think they need in order to go after. >> i think it's important we recognize there is a standard of security which has to be imposed and we've got to be able to audit, follow through and with
10:42 am
consequences, but also with a continued surveillance. until we get down to the point where there are actually consequences for bad guys make ad, we will not major jensen that we have to in terms of cyber theft elsewhere. sometimes.miss that we are focusing on the people who are trying to provide services, not focusing on going after the guys causing problems around the world. senator reid. reid: my sense from your , you can is that confirm this, there are two points that consumers should have legal rights and one is they should have the legal right to with hold their credit score or they should know the credit information that an agency has
10:43 am
and that should be by law, not by deference of the agency. is that your view? mr. rotenberg: when the information is being provided in the credit report, presumably it is for the consumer's benefit, they are seeking the loan, they need the mortgage, they should know what is happening and should know the information contained in the report. senator reid: that should be by law not deference. mr. rotenberg: right now your credit report is freely available to others within the structure of the fair credit reporting act, but you have little control over that. we would say give the consumer all the control. senator reid: mr. smith said once they have access to the cure -- mr. rotenberg: once a year they can get a free copy of their credit reports. not all the information they have. they don't know who is receiving information. and is rapidly evolving there are a lot of related
10:44 am
practices that are not covered by the fcra and consumers don't have the full picture. >> they can get the number whatever it is. mr. rotenberg: yes. as senator brown suggested the agency was also buying cell phone information or something like that, that is not death mr. rotenberg: that would fall outside of the credit report. >> in order to give the customer the full -- that is in the full benefits of all information the agency has on them should be identical information should be disclosed is that correct? mr. rotenberg: that's why we recommended a comprehensive approach based on the federal baseline. it would give consumers more information about them that being transferred to third parties. >> i would also presume you would suggest they have the right to deny access to certain information. or even to require the
10:45 am
information be deleted from the credit bureau's file. mr. rotenberg: i think many american consumers would be how many to know people, how many businesses get access to the credit reports without their knowledge. those reports move very freely with very little information being provided to consumers. i think that should change. >> in the description of what took place, it appears that there was negligence on behalf of equifax being told by federal regulator to make a patch and not making it for several months. does anyone have the right to criminal enforce ordinance ratably? mr. rotenberg: i'm sure there will be lawsuits brought and there are a variety of different theories. as others have already pointed out, almost immediately, equifax's response was to try and deny consumers the opportunity to pursue these remedies and that can't be the right response. >> with respect to regulatory
10:46 am
agencies. the impression i have from the discussion is that it is all sort of retrospective after the fact that they can go in and make a judgment, could the ftc levy a fine based upon failure to follow? mr. rotenberg: no. under the safeguards rule, they can inspect and i think sanction, but a fine would require subsequent violation of the settlement or order with the company and the ftc under the safeguards rule currently would not have the ability to inspect or prevent prior to the breach occurring. >> so is there any way under existing law for appropriate federal agency to levy a fine or some type of significant penalty on the company to deter or two? mr. rotenberg: for the ftc to levy a fine they would have to find a breach under the fair credit reporting act.
10:47 am
under section five they will have to have a consent order and a subsequent violation. it's not a very effective enforcement machine. >> i concur. thank you very much. >> senator scott. scott: the equifax breach is still catastrophic for so many in south carolina. if you think about the numbers of individuals impacted by the breach in my home state, 2.4 million south carolinians have their personal information exposed, stolen through the equifax breach. we have about 5 million folks living in the state. that's about 48.76% of the state. that's the sixth highest number in the country. when you account for the fact there are about 500,000 south carolinians under the age of 14, that means that surges
10:48 am
over 50%. over half of the adult population at least in this state had their information exposed. equifax's negligence has been devastating for my constituents. but when you look at the geographic location of that impact, the southeast region seems to have been hit aggressively in high levels. around 51.6%, virginia around 48.8%. i asked equifax why the southeastern region was so hard hit. i hope they answer soon. my suspicion is that perhaps the location, the physical location of equifax may have played a role in that. why are the numbers so high so close to the physical headquarters of equifax? mr. jaikaran: that would be
10:49 am
difficult to judge based on publicly available information, but there might be some business reasons why equifax would have additional information on people in the southeast region. they may have more business partners with businesses near their headquarters, so there's a greater opportunity of sharing information. it may be that the population of those states are prime targets for credit so just the population of the states, the sample pool may be more amenable to a credit reporting agency. senator scott: things get complicated when a company is headquartered in new jersey, does business in south carolina and is breached in arkansas. these states have different laws on the books governing when and how companies must notify the public on a data breach. is our current state-by-state patchwork of regulatory approach effective in protecting the public? mr. jaikaran: i believe my
10:50 am
colleagues of the government accountability office would be in a better position to evaluate the state-by-state regulatory. as a broader data beach -- data breach notification policy, it provides a level of certainty for businesses and consumers if there was a federal rule or federal law of the data breach notification. as well as what consumers can expect to receive. something that must be considered when developing the rule is what will consumers be expected to do with that information. do they get a letter in the mail saying their data was compromised and they are on their own? or is there recourse the business that has the data and that it breached what it provides a consumer. scott: also as it relates to what happens next, what the consumer is informed. mr. jaikaran: some of them are
10:51 am
just a simple notification and some of them are some relationship the corporation must have to the breach consumer. senator scott: thank you. mr. smith, despite the federal government also being breached fairly frequently unfortunately, some suggested we nationalize the credit reporting agencies. such a move would kill innovation. the same innovation that is opening of the market of 26 million credit visible americans. i think fannie and freddie should consider new credit reporting models that take into account things like rent payment and utilities. who would benefit the most from such a change? use of information about rent and utility payment by fannie and freddie could expand access to mortgage credit for younger consumers, recent immigrants, consumers were new to credit and others without a traditional file. rrenational credit bureaus
10:52 am
able to collect this information from landlords and utilities and a systems necessary for that. as you know, the credit bureaus have been successful in expanding access to credit to folks who previously may not have had that access. i think ultimately it's going to be fannie and freddie's decisions whether the payments are actually predictive of the risk of default they're trying to manage. senator scott: we'll understand they will have to make your decisions. i'm asking who benefits from it. folks who are credit worthy but we cannot tell because they don't have traditional credit report information. specifically people who are new to credit. senator scott: i think the number you are thinking about south carolina when i was talking, the number is about 16% of south carolinians who are credit invisible would become credit visible. and would show the responsible pattern that would allow them to
10:53 am
own a home. thank you. senator brown: my state is 5 million out of 11.6, so it is also mid-high percent. for the you so much conversation. mr. smith, i want to start with you. your -- the supervision of credit bureaus relates primarily to the accurate reporting of credit data and it does not generally provide for in-house supervisors. in the wake of the equifax breach, the director has indicated the supervision teams will be assigned to reside in the big three nationwide consumer reporting bureaus and monitor cyber security and data protection practices. wouldn't you agree this is important development? mr. smith: when you look at his comments, i think you are talking about his cnbc or something comments on television. he said initially that they don't have authority over data
10:54 am
security. it seems as though folks on the panel agree with that. whether there is an appropriate role for supervisor for data security the credit bureaus, we want to talk about that and come up with the best results for consumers. if there is a role to be played that it is not the best person for the role or that it could well be that they are. >> do you think this would be helpful mr. rotenberg? my role here i spent the last eight years as attorney general of nevada. nevada had one of the highest identity theft rates in the country. i can tell you the breach that happened with equifax is not equal to the breach that happened at the target store somewhere else. what's happened with equifax is now there is a potential of millions of americans identities being stolen. if you been the victim, the rest of your life you are trying to reclaim your identity. it is not just clearing up your credit, it is addressing
10:55 am
somebody who's purchased a boat in your name, a house in your name. committed a crime in your name when you are showing up in court and trying to identify the person who committed a crime had stolen your identity. this is lifelong and it will have a major impact on millions of americans and that's why this is so egregious. we have to take a better job of protecting individual data and information because you are collecting it without their approval and then they have to succumb to years of trying to clear up all of that data. my concern now is how do we address it? how do we put limits on what the data we collect? i know we talk of a more cyber security protection and making sure there is oversight, but whatever occurred will happen again. is there some limit to the data that we should be collecting?
10:56 am
besides all of the other discussion we talked about today. mr. rotenberg, i'm curious on your thoughts. mr. rotenberg: to your first point i think it would be a step in the right direction to have a supervising authority at the credit reporting agencies and that makes a lot of sense. of course that is only to prevent against future data breaches. my question is what to do now from american consumers who confront the reality that others are in possession. we call these the authenticators. this is the information used to establish your identity in commercial transactions. this is the reason we think we need to change the default on credit freezes. people should know from this point going forward any time anyone wants access to the credit report and people should know from this point going forward anytime there is suspicious activity on their credit reporting account. they shouldn't have to select a service or pay for a service. >> i absolutely agree.
10:57 am
i'm going to cut you off and apologize because i don't have much time. there has been talk about use of the social security number and limiting it, but i don't know about you, but when you go to set up your house and you set up your utilities, they ask for your social security number. when you go to the doctor's office they ask for social security number. this number has become so prevalent as an identifier, i don't know how you pull it back from the private sector. honestly, i don't know how you protect against anybody having access to it because i can tell you a bad guy's going to be able to go online and if it's already been used and out there, they will find it. importantly, for my purposes and i think all of our purposes, shouldn't it be now giving the consumer the absolute right to control their information and how it's being used? mr. rotenberg: i think that is key. if i could say briefly him social security number.
10:58 am
we have made some progress on the use. with credit to senator collins and senator mccaskill, the social security number is coming off the medical benefits id card because its use there was determining to identity theft among american seniors. we help get the social security number off the state driver's license and it is no longer published on the state voter rolls. this is an issue that can be addressed. congress will have to get behind an initiative that says to the private sector we have to limit the use of it. >> i appreciate the comments and i know my time is up. >> senator kennedy. senator kennedy: i'm sorry i missed your presentation. should we not pass legislation that would establish that the bureaus have a fiduciary obligation to the people whose data they collect? mr. rotenberg: i think you
10:59 am
should. i think some of that legislation is already in place with the gramm-leach-bliley act. the description of the fiduciary relationship is absolutely correct. senator kennedy: do you think there is a relationship now? mr. rotenberg: i don't. i don't think the companies feel they have an obligation to american consumers. senator kennedy: would you agree with that? mr. smith: i would disagree. senator kennedy: you represent the industry. mr. smith: we are subject to a pervasive regulatory theme in the statute in the fair credit reporting act that requires us to ensure the accuracy of information and credit work. senator kennedy: you and your when the equifax breach was made public, weren't you trying to pass legislation that would lessen your clients' responsibility? mr. smith: there was legislation
11:00 am
that would introduce a cap on potential liability for private actions. senator kennedy: do you think that was a goodthe fcr is uniqur credit rejection statutes. it doesn't have a cap on class-action liability. it credit opportunity. all of these. fcr he does not. senator kennedy: should it have cap's? mr. smith: as a trade association, we would continue to argue for caps. senator kennedy: here's my problem. if the bureaus do their jobs right, they facilitate commerce. when lenders loan money to people, the lenders want to get paid back. offer is oneents assessment of the risk that the letters are taking. there's the lenders are taking.
11:01 am
-- that the lenders are taking. as one assessment. lenders don't use your clients' product. they think there are better ways to assess risk. i'm not saying they are right or wrong. i am saying that your clients basically take my data, personal information about me, without my permission, and as a business model, they sell it to businesses. i'm not compensated. if they lose my data, as equifax did, or if someone submits to them data that is in error, that undermines my credit scores, the bureaus have no obligation or interest right now to work with me to try to get the credit score correct.
11:02 am
have you ever had one of the bureaus get your credit score wrong, and you called and try to get it fixed? have any of you? mr. smith: no, senator. senator kennedy: it's not an easy process. -- i'm not to me trying to undermine the bureau. but it seems to me first of all that you could develop technology very easily that would allow people to go to a on their phone to on free offreeze charge. need to explain to the american people how you are protecting their data on which your clients are making a profit. most of the adults in louisiana have their data stolen by
11:03 am
equifax. go to a lot of trouble to go freeze credit. some of them were going to have their identity stolen. it's just not right. it's just not right. we are looking to you gentlemen to tell us what to do about it, and counselor, don't mean to pick on you, and i understand you are representing your clients, but your clients are going to step up to the plate here and suggests a meaningful reforms or some reforms are going to be suggested to them. and my advice to you would be to step up to the plate and offers specific things that you and your clients are going to do to improve the situation. bromides,udes, not specific suggestions. because a lot of americans didn't know what a credit bureau was. they know now.
11:04 am
i went over, i'm sorry, mr. chairman. >> senator warren. at the hearing two weeks ago with the former ceo of equifax, was a lot of andvance between democrats republicans that consumers should be able to control their own data. without consumer control, credit reporting companies have no reason to treat as well. we are not their customers, we're just their products. and it shows. a 2012 study by the federal trade commission found one out of every five people had an error in their credit report. meanwhile, over last year, the consumer financial protection bureau has fielded hundreds of thousands of consumer complaints. the big three credit reporting agencies are now the three most complained about companies in the entire financial
11:05 am
services industry. if you ran a restaurant and got your customers' orders wrong 20% of the time and had the worst customer service in town, you would be out of business in a week. but credit reporting companies -- not them. they are getting bigger, they are getting richer, they are getting more powerful. this market is clearly broken. and fixing it starts with giving customers more control over their own data. rosenbergerg -- mr. , and introduced a bill that would allow consumers to freeze and unfreeze credit accounts. do you think that would be a good idea to give people control over their data? mr. rotenberg: i think it's an excellent proposal. i think the key is giving consumers greater control over use of their personal data and
11:06 am
it begins by moving to an opt in model, allowing the consumer to decide in which circumstances it's in their interest for their credit report to be released to someone else. senator warren: thank you. companies like equifax do more than issue credit reports. they also sell your information to businesses that want to sell something in turn back to the customer. that no makes clear part reporting agency can sell your data if your credit file is frozen. proposals intive the but i ask rolling out right now don't give customers that right. let me ask this part. do you think that consumers should have the right to freeze the data so it stops a credit reporting agency from selling access to the consumer data? mr. rotenberg: absolutely, senator. the model doesn't work unless consumers maintain control, and
11:07 am
so many problems of the industry result from the industry pushing the burdens back onto the consumers to choose the freeze, to choose a monitoring service, to inspect their credit reports. it's entirely upside down and is the reason that we have record levels of identity theft today in the u.s. senator warren: thank you. i think it's a powerful point. if companies like equifax don't pay us to sell our information to other people, then we shouldn't have to pay them to stop selling it. according to your testimony, i think you mentioned this earlier. you would go even further. you would make the default position that consumers account is frozen until the credit reporting agency gets the consumer's explicit permission to unfreeze the account to share the data. in other words, consumers would have to opt in to sharing their data, rather than opt out. what's the reason for that?
11:08 am
mr. rotenberg: i think it's just common sense. no one is objecting to the condition of credit for american consumers, it's critical for our economy makes a false people purchase homes and cars and even cell phones. but it's the consumer who is initiating the transactions. the consumer to decide whether to release that credit record information to others and they should know what information is contained in the credit report. they may be wrongfully denied a loan from a bank that the bank would provide but for the fact that the credit reporting agency has provided inaccurate information. senator warren: so powerfully important that you be able to protect our own privacy, that we be able to make sure that it's accurate. in your testimony, you raise one more point. you say we need to fix credit reporting industry in order to protect our national security. could you just say word about that? mr. rotenberg: i mentioned that
11:09 am
when the fair credit reporting act was passed in 1970, the concern was the misuse of personal data by the credit reporting agencies. that concern remains. what has changed almost 50 years later is that data is now a target of foreign adversaries, and we have to realistically consider the people who get access to our personal data held by these companies have interest adverse to our nation. as an additional reason to strengthen these privacy laws. senator warren: thank you. the credit reporting agency is a threat to each of us personally, but it's also a threat to our national security. we need to give consumers more control over their data and we need to reform this industry, that's what we're trying to do. thank you, mr. chairman. >> senator tillis. senator tillis: congress has
11:10 am
never seen a legitimate problem and needs to be dealt with as an opportunity to overreact. one of the things i'm concerned with is we have this discussion, i was or wasn't things simple and then maybe i can build on things to the extent time allows. when we had the equifax ceo in here, i tried asking the question of the lock for life versus delete. where are you on the option of the consumer being able to delete any presence of their existence in any of the big three credit reporting agencies. do you think that is something they should be entitled to do? mr. rotenberg: they do. this company -- this country has a long history of expungement of financial records to give people the option to start over even after bankruptcy. we already recognize that people should be given the opportunity to reapply for credit, even after they've had this type of experiences. senator tillis: if they delete
11:11 am
it and later they were seeking credit and they had no reliable sources for showing credit worthiness, who is it on to provide all the information that may be needed to underwrite a loan or get a credit card or some other financial instrument? anyone on the panel is welcome to opine. mr. rotenberg: the absence of background permission could well be a factor in the credit determination, but that's not a reason not to give the consumer the opportunity to delete the data if the consumer chooses to do so. senator tillis: at the end of the day, the consumer needs to be aware it could be on them to produce information that could be used to underwrite. in the absence of information would likely result in no credit being extended. what happens if the consumer selectively deletes information. i have three credit cards i decided not want to pay one of them i delete that trade line from my file. how will a bank be able to manage that credit risk if consumers can delete accurate and relevant information?
11:12 am
mr. smith: we have cra already allows for that. information that's derogatory in your credit record comes off after seven years. senator tillis: i think one thing, one that we discussed, the credit reporting agencies need to demonstrate is that they will make their problems consumers problem. in other words, if you have a breach, you should be treating that consumer like you will move heaven and earth to clear up the problem. it shouldn't be something that requires months of paperwork and hours of their time to clean up if in fact, you can point back to the breach and that is something i will be interested in seeing how equifax handles it. rotenberg,ned, mr. with the idea that -- just the aggregation of data that is used to predict how cohorts may behave, in terms of credit
11:13 am
worthiness. if we continue to reduce the base, do have is a threat to the fact that we have less reliable information to move capital or to provide resources to people who need it? mr. rotenberg: i think it's important for businesses to have access to relevant and accurate consumer data. i think they should be accountable and transparent about how the data is being used. senator tillis: would you consider the select deletion of credit data for being accurate and relevant data for the financial services industry? mr. rotenberg: it may or may not be. credit is based on a wide variety of factors, many of which are not even known to consumers. we don't know how they are making determinations about us, yet they are concerned if they don't know everything about us when they make their decisions. and that just seems a little unfair. senator tillis: i wasn't here, i think someone else answered the
11:14 am
question, but what do you think -- what technologies or what processes out there are we using to get away from social security numbers as authentication methods, to move it more to what the card industry has done with tokenization, trying to come up with some sort of identity that will actually eliminates or substantially reduce what is a relatively easy thing to do, which is to get someone's information and commit fraud. what is out there that we should be looking at, as a matter of public policy, should be promoted? my times expired after this answer. mr. smith: i'm not aware of any particular token products that could be used. mr. jaikaran: there may be people in the sample size, citizens, consumers, that don't have access to something like a cell phone so they would be barred in participating in the widespread use of technology. that's one consideration to
11:15 am
make. mr. rotenberg: as a general matter, if we have distributed and detection lies identity, the company learns only when it needs to learn to make a decision, that's the best approach. today we are at the opposite end of the spectrum with open-ended identifier that makes it possible for companies to learn just about anything they want to run an individual. mr. smith: i think that if we didn't have the social, we would need to invent it. if we take away the social, we need to come up with another unique identifier. with a name like andrew smith, it's critically important that people are able to distinguish between the thousands or tens of thousands of individuals named andrew smith just to identify which one are you. not necessarily to authenticate i am indeed who i say i am, but which one are you? the social plays a critical role. if not the social, we need something else to fill that role. scotts: consumers
11:16 am
learn the best way to protect themselves from identity theft and fraud was to freeze their credit report. when they went to do that, they found a complicated process that required contacting each of the three credit bureaus, generating and remembering separate pins for each, and most infuriating, paying $10 each bureau to place the freeze, not to mention the fees they have to incur if they want to lift the freeze later. lapse in data security will be rewarded by hundreds of millions of dollars in revenue to the company that made the mistake. my question for you is simple. to me why equifax, experian, and transunion charge people to freeze their credit report when there is a mistake and it is their fault. mr. smith: there are a lot of ways for consumers to protect
11:17 am
themselves, and for certain consumers, freezes are the right choice. scott: why is it not free? mr. smith: we have a patchwork of laws, and if we had a single national standard, we would be happy to talk to you about how to get that and write. scott: when a mistake occurs and 144 million people are told to do a certain thing, that certain thing should be free, shouldn't it? mr. smith: i don't know that everyone was told to freeze their credit report. i believe all three make freezes available for free to individuals who say that they are identity theft victims. i believe they also make freezes available for free to senior citizens and to minors.
11:18 am
that -- a, i think -- senator scott: i'm not asking about the requirements, i'm asking why you generate revenue off of the mistakes of the organizations that you represent. mr. smith: freezes cost money. senator scott: but the locks are free? mr. smith: i don't know. i saw the testimony -- senator scott: you're counsel for this organization? mr. smith: these are new products. i'm a counsel for the trade association but there are new products that they are rolling out that they can take advantage of apps on a mobile device and lock and unlock. that any of those products are necessarily in the market now. senator scott: i don't understand what you are saying and i don't think it's because it understand this area, i think it's because i don't understand what you are saying because a commonsense level, i want you to try to explain some of you went to high school with his says you have a gig with the cra, how's
11:19 am
that going? why do i have to pay for a freeze? mr. smith: because freezes cost money. freezes have to be implemented -- senator scott: the question is why did the company that made the mistake make a profit off of that mistake? why are you charging consumers? freeze costs money, you should eat it as an incentive not to do it again. mr. smith: i thought equifax was providing freezes. senator scott: the one on all three and why offer after the ceo quit. mr. smith: i thought they offered for free. i want to ask you a couple of questions related to a bill introduced. do you think it's a good idea for credit bureaus to require tighter matching so it's more likely to be their own information?
11:20 am
mr. smith: matching algorithms are a tricky issue. a question of probability of statistics and i'm not sure necessarily want to legislate that. matching is greatly important for accuracy. senator scott: what is your rate -- your error rate? mr. smith: we did a similar study in 2012 and we believe that the error rate from our study is less than 1%. looking at the fcc study, this is independent of the fcc study. we believe that the error rate is about 2%. error is an important concept. it has to be an error that moves the needle, that would have an effect on the consumer. if you get my date of birth wrong, that's not necessarily an error. senator scott: even at the low end of the estimate, you are talking about one million, 2 million individuals. mr. smith: that's not
11:21 am
acceptable. senator scott: whose responsibility is that? mr. smith: it is to some extent the credit bureaus' responsibility. as far as accuracy is concerned, professor rotenberg said you are never going to have preventive security and there are always going to be breaches. the best we can do is try to control them. accuracy is the same way. it's a process. senator scott: i'm over time. i understand you are going to say who's going to incur the costs of those mistakes, you guys or the rest of the country. perdue: something we're working on to codify something across 47 states. you have to opt out basically. i never gave permission to anyone to get that data, although it does or might a service, so i don't have to aggregate all my credit
11:22 am
information when i want to borrow something. i get that. at the equifax breach hearing just two weeks ago, we asked questions regarding the need for national standard on credit freezes and i think representative mckinley has already got a protect action you may be familiar with that they are proposing. it creates a national standard for credit freezes, harmonizing the current 47 state laws on the issues. i would like to get all three beta comments on do you agree allow the help development of technology such as apps that could freeze and unfreeze about having to go through the process, so somebody could actually open up, get the credit information they need and then opt out easily, without having to have a lot of instructions. is that something that might benefit us? mr. smith: freezes are the right choice for everybody necessarily, but they are the right choice for some people. the development of a national standard is something that we would welcome.
11:23 am
with respect to this lock and unlock functionality, i would ask you to consider that whatever we legislate something like this, the questions will come to say what about people who don't have smartphones? what do we do about those? we will have a lock and unlock functionality where you dial a 1-800 number. what about people who don't have access to a cell phone? senator perdue: i couldn't access their data unless they were to come back and do something like this. it 1-800 number when they needed it. mr. smith: correct. you think to yourself let's do a 1-800 number. that's going to present a security risk that someone also locks in the credit when they are applying for an auto loan on a saturday afternoon. that means a pin. i don't know what my pin is. you have to reset it.
11:24 am
you're not going to get a cell phone, you're going to have to go back to the verizon store the next weekend and hopefully it will work out. there's a lot of friction in the system. these freezes and locks are difficult to administer, and that's why they are not necessarily the right choice for everybody. but for some people who aren't credit active, aren't buying cell phones or renting apartments. mr. rotenberg: i think it's a step in the right direction. i'm a little confused by mr. smith's comments, most of what he is describing are the difficulties that the industry has created in giving consumers the ability to select the freeze to limit the access by others, and what legislation i think would accomplish is to simplify that process and make it easier for people to make those decisions. precisely so they can have a credit record information available when they need it to be made available. regarding -- mr. jaikaran: it's an interesting public policy question.
11:25 am
there are these groups of data brokers who have this information, and they have their business relationships with those they acquire information from those they sell the information to. the relationship between the data broker and consumer is a little weaker compared to who they are selling data to and who they are acquiring it from. the weakness in that link is a space where federal policy may be able to bridge the gap between the rights of the consumer and the rights of the data broker or the rights of the data broker relative to the consumer. senator perdue: this talk about social security numbers. social security numbers as a method goes back to the 60's, but in the last half-century, technology has moved fairly rapidly forward. isn't there a better, more secure way to match people with accounts such as tokenization, or should all these cyber attacks be the impetus to start planning out what transition to
11:26 am
credit future without social security numbers? that seems to me the holy grail to access beyond what any reasonable person would want. is that a reasonable direction? mr. rotenberg: i think the key is to limit the use of the ssn, but not replace it. it's the weak link in the information industry, it is the target of identity thieves, and if you're trying to make your industry more resilient against those attacks, you have to reduce your dependency on the ssn. if you replace the ssn with another general-purpose identifier, that becomes the target. we need a more distributed approach to identification, not a single point of failure. that is what the ssn has become. senator perdue: it's pretty obvious we have to engage on this and we don't have a common answer to the security and -- security issue. i'm out of time. senator heitkamp: not to extend
11:27 am
the discussion on when you can put a credit freeze on or put a lock on. you said you can put a lock on after you've been a victim of identity theft. that's kind of like saying lock the door after the thief went in your house. it's not responsive to what we are trying to get at here, which is we understand the benefit of an aggregator of data that gives us easier access to credit. no one is disagreeing with that. the question is, when you were asked about fiduciary obligation -- the question really is, what responsibility does the aggregator have when something like this happens? when mr. smith was here, the previous mr. smith at equifax -- mr. smith: no relation. senator heitkamp: i figured that. he said this happens all the time. we are hit all the time.
11:28 am
in light of that, why did you seem so ill-prepared when you were actually breached? why did it take you so long to come up with a response to the breach? i have a series of questions on how often does this happen and the general response that the industry has. as a general matter, how many times per year on average with a company like equifax, transunion, or experian experience a breach that would be reported to the fbi? mr. smith: i don't have those figures. based on my personal knowledge, none of the credit bureaus themselves have been breached. the company's neck with axis information that was outside of the consumer reporting agencies database.
11:29 am
we also know of a reach at involving a breach at t-mobile. we will come up with a number for how frequently they occur, but to the best of my knowledge, there has never been a security breach of a consumer reporting agency database. senator heitkamp: that is splitting a hair for consumers. i don't think there's any doubt about it. mr. smith: it's an important policy point, i think. concludes that the consumer reporting agency database wasn't breached after equifax was subjected to this punishing attack, that might inform our policy choices. senator heitkamp: the next question i have is let's say you reported to the fbi. guidelines typical or strategies that any of these credit agencies -- any of them would basically go to? do you have a fire drill, in
11:30 am
other words? do you have a system in place that will lock down and protects data? mr. smith: i can't speak for any particular company, but the companies that i'm familiar with have incident response plans. they call it a tabletop exercise. how do we inform law enforcement? senator heitkamp: you have to say that equifax was ill prepared. mr. smith: that was an unprecedented breach. senator heitkamp: even if it was 10 people, the response should be the same as if it were 140 million people. mr. smith: ten calls you can handle. 140
11:31 am
million? senator heitkamp: this is not data you own. you do not have a relationship other than an aggregator that provides that serves. if i think i do not want my service, i will take responsibility, i have to pay you so you are not collecting my data, correct? mr. smith: not collecting. this is a freeze. the data is still there, but you have frozen it and you have a right to unfreeze it. senator heitkamp: in europe, across the eu there is a lot of privacy initiatives, the right to be forgotten. we are getting close to that here. we have been a much more open economy as it relates to this kind of data aggregation. the more we don't see a response, the closer we are to that senator tillis talked about, which is the potential that you guys are
11:32 am
going to be out of business because every american is going to say we do not want your service. mr. smith: absolutely. we need to ensure that consumers and businesses trust a national credit reporting system. senator heitkamp: you have a serious trust problem today. and the lack of coming forth with solutions and the adversarial approach we have seen with this is not helping to solve the problem. so we look forward to ongoing discussions. mr. smith: as do we. senator crapo: senator donnelly? senator donnelly: mr. smith, this is to all of you, the veterans affairs allowed vets to receive medical care in non- v.a. facilities. the implementation of the program led to billing problems which resulted in some vets receiving adverse actions on
11:33 am
their credit reports from debt collection efforts. adverse actions make it more expensive for them to get a mortgage, and it is troubling our veterans have had their credit harmed through no fault of their own. we have introduced a credit act -- to make it easier for this debt to be removed. mr. smith, medical debt can get expensive. what damage can it do to the credit when this is reported as unpaid? mr. smith: we agree with you that veterans are not have their records tarnished by backlog and , and weencies we understand that is what is happening here, and we are committed to working with you to solve that issue to the national system.
11:34 am
institutionally we believe the folks who are best able to solve the issue are the v.a. and the private medical service providers and the debt collectors who are furnishing this erroneous information into the system. we are committed to working with you. senator donnelly: i had your commitment on behalf of the trade association and the industry that you will work together with us to address these problems, to address the difficulty of the reporting of ed medical debt that they will not get things on their medical reports. mr. smith: what we're talking about -- senator donnelly: it is not my fault that my knee got worked on. serversh: private provider has not been paid. we need to fix that and we are committed to you to fix that. senator donnelly: congress enacted the act in 1970 to set
11:35 am
the rules of the road. despite the original act and the amendments, we do not control our information contained in the files of the credit bureaus. it is reported without any consumer permission. it is often sold to third parties. the personal information may now be available to thieves after equifax. , you are the representative for the association. should consumers have more control over their information? mr. smith: we have talked a little bit about that, the ability to remove yourself from the system, to delete information. i think both of those present information for the national system. selective deletion would allow a game the system, to hide that's, presenting a concern for the safety -- that comes outy:
11:36 am
if they want to apply for something. mr. smith: we are talking about the selective deletion. removal from the system is great until you need to rent an apartment or buy a cell phone or get a mortgage. if it is removed, it is removed. what you're talking about is a we thinkem and i think a freeze is the right choice for and consumers, not for all, we are willing to work -- senator donnelly: isn't it right for the consumer to make that decision, even it makes it harder for them to rent apartment? mr. rotenberg: that is correct, and it is important to understand if a consumer is applying for home mortgage or a car loan, it makes sense for them to have the ability to know
11:37 am
what is in the report and make the affirmative decision to decide who is going to get access to that information. that would be common sense. senator donnelly: thank you, mr. chairman. senator van hollen: i thank you for being here today. it seems reflective in the comments today that we have had that the credit reporting agency model is one that is in some ways uniquely stacked against consumers when there has been either a data breach or bad data put in. and my question goes beyond the issue of the data breach, to lots of complaints we have heard over the years about credit reporting agencies collecting to lead that then goes to a denial of a loan or a mortgage payment.
11:38 am
there has been discussion about how to allow that consumer to be made whole. my question is on the front end in terms of creating multisport for those were collecting all this data without people's permission, and then having the burden beyond the consumer on the other side. my question is, is there some kind of deterrent that we could put in place so that the burden and the penalty for collecting and disseminating that data, whether through a breach or through a denial of a credit reporting -- can address the problem on the front end so that there is more of a premium for credit reporting agencies to prevent that from happening in the first place? mr. smith: i would like to start and respond to that. with respect to data accuracy, bureaus have duties with respect to accuracy, and those are upfront
11:39 am
to ensure they have procedures in place to ensure the maximum possible accuracy of the data the companies that furnish data are not hard to have written policies and procedures to ensure the accuracy of that data. that is upfront. and the credit bureaus and the people furnishing the data into the bureaus are all supervised for church to those standards by the consumer financial protection bureau. so we do have -- we are not unregulated. we have the statute and it gets longer every year, and there are more duties added in. senator van hollen: my question is, what is the current penalty in the event that bad data gets in? is there a penalty that has to be paid by the credit reporting agency? i'm not talking about after the fact. in addition to just bringing the consumer whole -- let's say you are a consumer. you get denied a loan, then you
11:40 am
got to go to the incredible hassle of getting all this straightened out. at the end of the day, you get your loan, but what can we do to put more of a deterrent upfront so that we never get to that point where thousands of people are wrongfully denied a loan, and after a lot of work and cost, maybe they get a loan? i'm interested in your thoughts. >> right now it is upside down. right now when there is a problem, the companies charge the consumer to take advantage of the tools they need to correct the problem. that cannot be right. what we need to do is increase incentives for the companies to do a better job on privacy protection. to make one historical point, there is a deal at the heart of the fair credit reporting act. was passed, the ability for consumers to bring suit in state tort law was
11:41 am
preempted was because their information and some of this inaccurate and incomplete is discouraging and causes commercial loss. -- beforege of the passage, people could bring lawsuits. they cannot now, so congress has to generate. senator van hollen: would you agree they should have every recourse to the courts? mr. smith: they do, and the recourse is through the law. law provides for penalties for private actions where that credit bureau behaved willfully. senator van hollen: let me ask you, your association has been lobbying against the consumer bureau's provision. you have been lobbying in favor of keeping mandatory
11:42 am
arbitration. mr. smith: that is my understanding. senator van hollen: doesn't that stack the deck against the question mark if everybody has to go to mandatory arbitration, that stacks the deck in favor of the big guys and against the person who was harmed. mr. smith: with respect to the credit reporting system, you have no contract with equifax, so you have no mandatory arbitration laws. senator van hollen: this is a separate issue that was raised. if there is information that causes me damage -- that causes me damage -- you can sue and be a member of a class. what we are talking about with arbitration is where the -- is purchasing a product from one of the bureaus, like a credit monitoring
11:43 am
products, for example. senator van hollen: we saw in the case of equifax that as a condition of getting protection from damaging information that the equifax breach caused some people are hard to really push their rights. they are expected to sign something -- and there are other equifax products where there is a relationship where they are insisting on mandatory arbitration. isn't that the case? they justified they have lots of products -- mr. smith: product sold to consumers -- senator van hollen: isn't it right to say that they have to go to mandatory arbitration? given the we think statute called the credit repair organizations act that there are special risks for monitoring products that have stacked the
11:44 am
deck against the company. senator van hollen: i can understand what equifax would want to deny that report. thank you. senator crapo: thank you, senator. hold on one second. up.ll wrap it im going to have to be very fast because there is a second vote i am going to have to get to. thank you very much for attending here today. i have one question and you are here as experts on the credit bureaus. i want to know if you know whether there is data that is required to be submitted by the credit bureaus to the federal government? mr. smith: i do not believe -- i
11:45 am
know that data is provided to the federal reserve board and to bureausb by the credit and i believe it is purchased by those agencies and it is provided within the strictures of the fair credit reporting act. in instances in which i am familiar, it is provided in an aggregated format. senator crapo: all right, that does it. >> [indiscernible] i will wrap up. let me start with you. can delete their credit files on demand, like medical records, but do not go into the medical records. if they could delete their credit files on demand, would that create an additional business risk for credit reporting agencies? mr. rotenberg: i do not know.
11:46 am
it would give consumers more control of their personal information, and i think there is a way to manage that. certainly it is done with the credit reporting agencies. would you say agencies would not want americans demand that they want their files deleted? mr. rotenberg: i expect that would be their position. they want to get as much information about consumers as they can, and consumers have very little information about what is being gathered. new their data would be to lead after a breach like we just had, and they unsuccessfully tried to do that after the equifax breach, would that create an incentive for these agencies to pay attention to his hyper security in the first place? mr. rotenberg: i'm sure it would. consumer reporting agencies have no legal right to obtain information of american consumers.
11:47 am
the businesses have devolved over time, collected a lot of but i do not think the credit reporting agencies can claim they have any right to access our personal data. ultimately, it would be the consumer's decision whether or not any company has any right to possess our data. senator brown: some of the claims that the consumers would game the system, is that right? mr. rotenberg: it is possible, but now that agencies largely gamed the system because consumers do not know the factors that are used to make decisions about them for credit or for employment and even for cell phone purchases. it is very asymmetric this industry, who has information. senator brown: my understanding is rules for privacy are much stricter for government agencies than in the private sector.
11:48 am
if that is the case, and i think it is, should we consider a single set of privacy standards for public and private? mr. rotenberg: that is the unfinished business for privacy protection in the united states. we had a moment where there was opportunity to establish that in the private sector. congress chose not to. --re's a couple minutes of there is a comprehensive all for federal agencies. europe took a different approach, and there has been some benefit. you do not face the same levels of identity theft -- senator brown: tell me more about europe. they have stricter data privacy laws. i assume they still have functioning credit markets. does that mean these three agencies -- and mr. smith can respond -- do these three agencies do business in this country's? mr. rotenberg: i do not know about the specific firms. there is a vibrant market across
11:49 am
the european economy. they are held to a higher standard. in the area breach notification, equifax took more than six weeks once they learned of the breach to tell consumers what had happened. under the new european privacy law, they have 72 hours when they confront a problem like that. you can still operate your business. you're held to a higher standard. mr. smith, let's talk about these three agencies. are they profitable in europe with a different business model, one with stricter privacy models? mr. smith: i know some operate in the u.k. we have a different group of agencies in europe, and it is not necessarily the three we are familiar with here. we know equifax is in the u.k. not sure about continental europe. senator brown: could you get to the committee from those three
11:50 am
clients what they do in europe and how big a presence they have, market share, like you know in the u.s., and how they are doing in europe in terms of profitability and the public plans they cap for continuing? mr. smith: one thing i would say about europe, and professor rotenberg may disagree with this, they do not believe there is a right to be forgotten with respect to credit report information, that there is a balancing of legitimate interest for collecting such information and the balancing with this right to be forgotten. that guidance in the eu i believe would not permit consumers to delete wholesale information from credit reporting agencies because of the role they play in managing safety. mr. rotenberg: if i may disagree, that is not correct. the general data protection regulation, the new european law speaks specifically to the right of erasure.
11:51 am
subject to also under the european law, consumers have the right to an explanation of the basis of a decision. if a company has an automated process to decide whether someone get a loan or get a job, under the european law, consumers get to know what the factors were that were used to make that determination. we need to move toward that approach in the united states. it would make the companies capital. it would make decisions for consumers fairer and more transparent. mr. smith: we do that too. we notify the consumer from and where a credit score is used, you have to have a key factors that affected that score. senator brown: i have one last question. , if the bill had
11:52 am
passed, how much of the 145 million americans, how much would those victims of the equifax problem been entitled to? mr. smith: you assume there would be a cause of action under the fair credit reporting act, and now based on news reports, there would be no cause of action because it was not a credit report. were there to be a breach, figure was one million, the cap was either 500,000 or a million, but it was consistent with all of the other consumer credit protection statutes. sounds like they have a loophole to close. members of the banking committee may have questions for you. we encourage them to get them in
11:53 am
writing to you. within the next seven days, please answer them. chairman crapo. the meeting is adjourned. [captions copyright national cable satellite corp. 2017] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit]