
tv   Senate Homeland Subcommittee Hearing on Data Breaches  CSPAN  March 7, 2019 4:15pm-6:53pm EST

4:15 pm
ladies and gentlemen, while he was president for eight years was 65%. average. the next president who comes closest to that is bill clinton. and after that, ronald reagan at 53%. they're way in the rearview mirror. >> watch "american history tv" this weekend on c-span3. the ceos of equifax and marriott international testified before lawmakers today on recent data breaches. arne sorensen of marriott apologized for information having been stolen from approximately 383 million guests. this hearing of the senate homeland security permanent subcommittee on investigations ran about 2 1/2 hours. >> permanent subcommittee investigations will come to order. it seems no industry is immune
4:16 pm
from data breaches that expose sensitive consumer information. some of the biggest breaches we've seen recently include google, uber, facebook, the department store saks fifth avenue. government agencies have not been immune from this, suffered significant breaches including over 20 million security clearance files, background files that were held by the office of personnel management. locating network vulnerabilities that hackers can exploit to gain access to sensitive information is a key issue. actually, senator hassan and i have worked on this with some specific legislation. she's here this morning. earlier this year, the president signed our hack dhs act, as an example, into law, which will strengthen dhs' cyber security, using whitehat hackers to locate previously unknown vulnerabilities in the departments' systems. last night, senator carper and i released a report on how the equifax data breach occurred and how hackers were able to steal
4:17 pm
personal and financial data from over 145 million americans. that report documents how equifax failed to follow basic cyber security practices and protocols which prevented the company from identifying and patching an exploitable vulnerability on its system. during the course of our investigation, the company failed to preserve important documents related to the breach. equifax employees told us they frequently used a chat application called microsoft lync. when equifax discovered the breach on july 29th, 2017, the security team used the chat platform to discuss. our report uncovered equifax did not issue a notice not to destroy documents related to the breach. and failed to set the chat platform to archive the chats until a month and a half after the breach was discovered, again, back on july
4:18 pm
29th. prior to september is ath, equifax was not archiving any lync chats based on its own document retention policy. counsel for equifax told the subcommittee they could not find any of the chats the equifax employees told us about documenting the discovery of the breach. as a result, the subcommittee is left with an incomplete record. so are the american people. after discovering the breach, equifax waited six weeks to disclose to the public on september 7th, 2017, that hackers had compromised its collection of personal and financial, again, on over 145 million americans. adding to this delay, the hackers had access to the information since may 13th, 2017, 3 months before they were discovered. equifax chief executive officer, mark begor, is here today to discuss the report's finding. we're going to hear from arne sorenson on the kate data breac
4:19 pm
company occurred in july 2014. this was not the first time starwood suffered a data breach. in november 2015, starwood announced it has discovered malware on some systems at hotels designed to steal credit card information at the point of sale. in november 2018, marriott announced it had discovered a hacker. it had accessed the starwood guest reservation database. marriott's investigation determined that the hacker had access to guest information related to 383 million guest records since 2014. as part of that database, the hackers also gained access to over 23 million passport numbers and credit card numbers most of which were expired. marriott learned of the breach on september 8th, 2018, but waited almost 12 weeks to notify the public on november 30th, 2018. the goal of today's hearing and the subcommittee's report is to
4:20 pm
fully understand these breaches, but also to focus on the future. to focus on solutions. companies and government agencies alike must take steps to better protect the data consumers entrusted them. that is clear. and when that data is compromised, we need to know as soon as so we can do everything we can to ensure criminals are no longer taking advantage of us as consumers. that seems clear. so i look forward to working with my ranking member, senator carper, and others on this committee, including the chairman, senator hassan, and ensuring that we can move forward with legislation that ensures both the protection of consumer data and prompt notification when data is compromised. i also want to thank senator carper and his staff for their dedication to these issues, and to him and his staff for leading this investigation. with that, i turn to senator carper for his opening statement. >> thanks, mr. chairman. thanks to both of our witnesses this morning for joining us.
4:21 pm
i want to take a moment to say a special thanks to members of the minority staff, members of the majority staff, who worked hard for months to prepare us for this day. according to a 2017 study by the pew research center the vast majority of americans have personally experienced a major data breach. i guess most of us in this room on this side of the panel are among them. about half of our country believe their personal information is less secure than it was five years ago. our subcommittee initiated investigation into the causes of private sector data breaches shortly after equifax announced its breach in the fall of 2017. as we conducted our work, a seemingly endless stream of new, high-profile incidents were announced. one after the other, well-known companies including google, facebook, t-mobile, orbitz, saks fifth avenue, under armour,
4:22 pm
eventually marriott, announced they, too, suffered breaches. we thank you for your appearance today and for you helping better understanding how these private sector data breaches occur and what can be done to prevent them including steps that we can take. while my colleagues and i will have some tough questions for you, our goal is to -- our goal here is to ensure the mistakes in the oversights that contributed to the attacks your company suffered are well understood, so that other american businesses are less likely to fall victim to hackers. when hackers are able to obtain someone's personal information, the consequences are real. 2017 pew study i referred to found that more than 40% of the individuals polled had discovered fraudulent charges on their credit cards. others reported that someone had attempted to take out loans in their name, file tax returns in their name, or steal their
4:23 pm
identity. several of those things had happened to my own family, and i suspect to the families of many of us in this room. even when a breach victim is fortunate enough to avoid becoming a victim of crimes like these, they often deal with months or even years of hassle and worry as they swap out compromised credit and debit cards, change their online passwords, and monitor their bank accounts and credit reports for suspicious activities. given the vast amount of information collected on consumers these days, and the skill and relentlessness of the hackers seeking to steal that information, it is critical that businesses make cyber security a priority. at the very top level of a company. the board, the ceos, as well, the constant stream of data breach notifications we see year in and year out is a sign to me that we could and should be doing a lot better. as my colleagues have heard me
4:24 pm
say many times, everything i do, i know i can do better. the same is true of all of us. in this one particular area, we need as a country to do a whole lot better and it's a shared responsibility. equifax and its two main competitors, transunion and experian, have built their business models around the collection and dissemination of consumers' most sensitive financial information. that includes names, nicknames, dates of birth, social security numbers, telephone numbers, current and former address, account balances and payment histories. this data collection is not something consumers can opt out of. credit reporting agencies collect personal information without our knowledge or our explicit authorization. someone shops regularly at a retail chain that gets hacked, that person could opt not to shop there any longer if doing so makes them uncomfortable. they cannot, however, keep their information away from equifax. knowing this, you'd think that
4:25 pm
protecting the sensitive information its entire business relies on would be equifax's top priority. yet, information obtained by this subcommittee and including in a bipartisan report released last night, illustrates a years-long neglect of basic cyber security practices and a decision by company officials to prioritize the ease of doing business over security. in 2015, equifax officials learned through internal audit that the company's i.t. systems were riddled with thousands of unpatched vulnerabilities, hundreds of them deemed critical or high risks. they also learned that the company lacked mature inventory of its i.t. assets, making it more difficult to address problems as they arose. by the time the department of homeland security announced in march of 2017 that versions of the widely used web application
4:26 pm
software, apache struts, included a serious security flaw. equifax has still not properly responded to its 2015 audit findings or brought its cyber security practices in line with industry standards. despite being informed that the announced flaw in apache was extremely dangerous and easy to exploit, equifax officials appear to have approached the challenge it presented with no sense of urgency whatsoever. scans at the company's networks failed to find the vulnerable version of apache struts it was using and key staff were in position to make the necessary security enhancements were left off internal communications. vulnerability was discussed at regular security meetings held in march and april of 2017, but it's not clear who attended those meetings. senior managers interviewed by the subcommittee were nominally
4:27 pm
in charge of i.t. management and cyber security of equifax. they told subcommittee staff that they did not regularly attend the meetings, themselves. former top equifax officials were interviewed were very frank about the priority they place on cyber security. one key former security official told our subcommittee staff that, "security wasn't first" at equifax and that is an understatement. the company's former chief information officer was extremely dismissive of the importance of key security processes during his interview saying that he considered the patching of security flaws to be a, "lower-level responsibility that was six levels down from him." there's no evidence that these two individuals or any other top executives at equifax directed staff to take steps to update
4:28 pm
the company's i.t. asset inventory and conduct a more thorough search for the vulnerable apache struts software. this lack of initiative would be bad enough on its own, but equifax also left itself blind to incoming attacks by allowing the tools it needed to monitor for malicious web traffic to expire. so when hackers moved in may of 2017 to attack equifax through a version of apache struts, still in use on the company's websites, nobody saw them coming. what's more, nobody discovered them until july, 78 days after the hackers first gained entry. during the 78 days the hackers had been inside of equifax's i.t. network, they accused -- they accessed, rather, multiple data repositories containing
4:29 pm
information on more than 145 million people and probably half the people in this room are among them. there are tools available that could have been sent alerts to equifax staff as the hackers manipulated the information in the databases, but equifax had not installed them. once equifax found the hackers at the end of july 2017, equifax executives waited an additional six weeks before letting the public know what had happened. six weeks. so because equifax was unaware of all the assets it owned, unable to patch the apache struts vulnerability, and unable to detect attacks on key portions of its network, consumers were left unaware for months that criminals had obtained their most sensitive personal and financial information. consumers were also unaware that they should take steps to protect themselves from fraud. and importantly, these failures stand in stark contrast to the
4:30 pm
experiences of transunion and experian, which both quickly identified and addressed the same apache struts vulnerability and have not announced data breaches. i have a friend, you ask him how he's doing, he says, compared to what? and i think the obvious question here is, for equifax, compared to transunion and experian. the data breach announced by marriott this past november doesn't appear to have been caused by the kind of cultural indifference to cyber security the record indicates has existed at equifax. rather, it looks like marriott inherited this attack through its acquisition of starwood. with the size of this breach up to 500 million people were reported to have been affected at one point, requires that we take a close look and learn what happened and why. i have questions about marriott's data retention policies. for example, i understand why a hotel chain might collect
4:31 pm
passport information in some cases, but i don't know why it would need to maintain records of millions of guests' passport numbers as appears to have occurred in this case. this incident also raises questions about the degree to which cyber security concerns do and should play a role in merger and acquisition decisions. and starwood, marriott acquired a company that it knew had serious cyber security challenges, and it had actually been attacked before. despite this, marriott chose to initially leave starwood's security system in place after acquiring the company. we need to learn more about the priority that marriott executives chose to place on addressing security flaws at starwood as it worked to integrate its system into its own. what we do know today is that large-scale data breaches are not going to stop. we can't afford to shrug our shoulders and write them off as a cost of doing business. approaching cyber security challenges with this frame of mind, and real harm that can occur both to consumers'
4:32 pm
pocketbooks and to the companies' bottom lines. here in congress, i think it's long past time for us to come to agreement on a federal data security law that lays out for private industry what we expect from them both in data protection, in data breach notification. we also need to ensure that the system we established for sharing information and cyber threats and cyber security best practices is as effective as it can be. and is updated over time. if a company is as large and sophisticated as equifax can fail so badly at implementing basic cyber security practices, we can certainly do a better job making clear what will and won't work when it comes to blocking hackers and preventing data breaches. my thanks again, mr. chairman, for the work that you and your staff, my staff, putting this complex and important issue, we look forward to hearing from our witnesses today. again, thank you for joining us. >> thank you, senator carper.
4:33 pm
i'd like to call the first panel of witnesses. first, we have mark begor who is the chief executive officer of equifax. he served in that capacity since april 2018. again, as we just heard, the equifax breach occurred was discovered in july of 2017. second, arne sorenson is here, president and chief executive officer of marriott international inc. he's held that position since 2012. again, as we just heard, marriott acquired starwood in 2016. the breach occurred at starwood in 2014 and was discovered in 2018. we're also going to swear in someone else this morning, the current chief information security officer at equifax. it was requested should mr. begor need some special expertise, technical assistance. so i'm going to ask you to raise your hand as well. it's a custom of the subcommittee to swear in all of our witnesses. so at this time, i'd ask you all to please stand and raise your
4:34 pm
right hand. please repeat after me. do you swear the testimony you will give -- i'm sorry, just respond to this. do you swear the testimony you will give before the subcommittee will be the truth, the whole truth, and nothing but the truth so help you god? let the record reflect the witnesses all three answered in the affirmative. gentlemen, all your written testimony will be written in the record. i ask you try to limit your oral testimony to five minutes. mr. begor, we'll hear from you first. >> chairman portman, ranking member carper, and distinguished members of the subcommittee, thank you for the opportunity to be here today. i'm mark begor, chief executive officer of equifax. with me today is jamil farshchi, our chief information security officer. let me begin by expressing my personal regret for the disruption that our 2017 cyber attack had on millions of americans. cyber crime is one of the
4:35 pm
greatest threats facing our country today. u.s. corporations are continually fighting criminals that operate outside the rule of law and attempt to steal data for their own gain. these attacks are no longer a hacker in the basement attempting to penetrate a company's security perimeter, but instead, are carried out by increasingly sophisticated criminal rings and even more challenging nation states that are well funded or the military arms of nation states. these attacks on u.s. businesses are attacks on u.s. consumers and are attacks on america. this war is getting more challenging and more sophisticated and there's no end in sight. fighting these attackers will require cooperation between government, law enforcement, and the private sector. we appreciate that members of
4:36 pm
this subcommittee have introduced legislation that promotes this type of partnership and we support these efforts. the fact that equifax suffered a data breach does not mean the company did not have appropriate data security program or that the company failed to take security seriously. i understand that before the attack, the company's security program was well funded and staffed and leveraged strong administrative and technical safeguards. in april 2018, when i joined equifax, i made a personal commitment. internally and externally, to building a culture within equifax where security is part of our dna and committed that equifax would be an industry leader around data security. i'm proud of the leadership, cultural enhancements, and investments that equifax has
4:37 pm
made over the past 18 months. we've added experienced senior leaders and board members to enhance our security and technology skill sets. and in 2018, alone, we added close to 1,000 incremental security and i.t. professionals to our team. between 2018 and 2020, we are increasing our technology and security spending by 50%. totaling an incremental $1.25 billion. we recognize that being an industry leader means actively sharing our security learnings and best practices. we have been openly sharing all of our cyber learnings with our customers, our competitors, the u.s. government and the rest of the private sector. last year, we established a
4:38 pm
number of meaningful security partnerships that will help raise the entire security community by leveraging our joint learnings. in addition to the goal of being a leader in data security, equifax has been working diligently to support u.s. consumers. when equifax announced the cyber attack, its response was guided by a desire to focus on helping and supporting consumers first. since the 2017 incident, equifax has invested more than $80 million to assist impacted consumers. when we announced the incident, we offered an identity theft and credit monitoring service free for all americans regardless if they were impacted by the cyber incident. last november when that service was nearing its end, equifax voluntarily extended that protection for another year.
4:39 pm
going forward, we are investing over $50 million to make it easier for consumers to interact with us. both over the internet and in our call centers. we want to make sure we are a consumer-friendly credit bureau at every step of the way. to close, i'd like to thank chairman portman for holding this hearing. equifax is committed to our commission to become an industry leader in data security, and we are investing unprecedented resources in technology, security, and people. thank you, again, for the opportunity to testify and for your focus on protecting american businesses and consumers from cyber attacks. >> thank you, mr. begor. mr. sorenson, i want to hear from you. >> chairman portman, ranking member carper and members of the subcommittee, thank you for the opportunity to testify today. the subject of the subcommittee is tackling private sector cyber attacks is an increasingly
4:40 pm
urgent one. one that has hit marriott directly with the data security incident we announced on november 30th, 2018. we deeply regret this incident and are committed to determining how it occurred, supporting our affected guests, and enhancing security measures to protect against future attacks. for 91 years, marriott has been in the business of serving people. we began as a small family business in washington, d.c., serving hamburgers and root beer at hot shoppes. today we're a global hospitality company conducting operations in all 50 of the united states and 130 countries and territories. throughout that time, we have built our reputation by putting people first and focusing on the care of our guests. as a company that prides itself on taking care of people, we recognize the gravity of this criminal attack on the starwood guest reservation database and our responsibility for protecting data concerning our guests. to all of our guests, i sincerely apologize.
4:41 pm
we are working hard every day to rebuild your confidence in us. because this incident involved a starwood database, let me provide background on the merger of marriott with starwood. signed a merger agreement with starwood in november 2015 and closed the transaction in september 2016. we conducted an assessment on integrating the two systems although this inquiry was legally and practically limited by the fact that until the merger closed, starwood remained a direct competitor. we made the decision to retain marriott's reservations system as the central system for the combined group of hotels and to retire starwood's system. migrating all of starwood's 1,270 hotels onto marriott's system, while avoiding disruption of the reservation process, was a significant undertaking that took us about two years. we made additional investments to enhance security of the system while it was operating. following discovery of the
4:42 pm
incident, we accelerated retirement of starwood's reservation system and as of december 18th, 2018, are no longer using the starwood guest reservation database to conduct business or operations. until our investigation of the incident announced on november 30th, we were unaware that the starwood guest reservation database had been infiltrated by an attacker. our investigation was initiated following an alert on september 7th, 2018, from a cyber security tool. in response, our i.t. team swiftly implemented containment measures. we retained industry experts to conduct a forensic investigation and deploy additional defenses. unraveling the scope of the attack required extensive forensic work by experts. we also contacted the fbi, which continues its investigation. as our investigation unfolded, we learned the intruder had been in the starwood system since 2014. on november 19th of 2018, we
4:43 pm
determined that the intruder had accessed files containing personal information of guests who had made reservations at starwood properties. we believe that the upper limit for the total number of guest records involved in this incident is approximately 383 million. what do we mean by guest records? take my name for an example, which is in the database multiple times with variations such as arne sorenson. arne m. sorenson. arne morris sorenson. other times with my home address, other times with my business address, and again without any address. each entry represents a separate record even though they all relate to one person. we cannot confidently determine whether records with similar names or even identical names represent one person or multiple people, but we know that the information for fewer than 383 million unique people was involved. in the days immediately after november 19th, we worked quickly to make sure that we could share
4:44 pm
useful information with our guests. on november 30th, we provided broad public notice of the incident via press release and notification banners across marriott and starwood websites and apps. we stood up a website with consumer information in multiple languages as well as call centers to answer questions and offered guests free web monitoring services among other steps. in assessing the impact of this event, you should know that starwood did not keep guests' social security numbers and the overwhelming majority of payment card information was encrypted. to date, we have not found data removed from the starwood database on the internet or dark web which we continue to monitor. finally, we know this is a race that has no finish line. cyber attacks are a pervasive threat. we are committed to responding to these evolving threats with a layered defense approach and continuous improvement. our founder, j. willard marriott, was fond of saying
4:45 pm
success is never final. we're applying the critical review process to learn from the incident as we work diligently to regain the level of trust that our guests have come to expect from us over the years. thank you, and i welcome your questions. >> i thank both the witnesses for their statements and i think they make a good point that this is a matter that requires cooperation between government and the private sector at every level. i'm going to delay my questioning until we have a chance to be sure that our two colleagues who i know have other commitments have a chance to ask theirs. so for this first record, i will be coming back and asking some questions. i want to give them a chance first before they have to leave. and i now turn to my ranking member, senator carper. >> senator hassan, if you have other obligations, go ahead, ask your questions. all right. thanks. again, thank you.
4:46 pm
as, again, used to say, people may not remember what you say, but they may not remember what you do, but they'll remember how you made them feel. maya angelou. people may not remember who you said, may not remember what you do, they'll remember how you made them feel. and first i'm going to say i was glad to hear both of you apologize. i say to my kids who are now grown, the three most important words are please and thank you and the couple others that mean a lot are i'm sorry, especially when we screw up, and especially with respect to equifax. the amount of screw-up is just almost unbelievable. equifax has known since 2015 its approach to cyber security was lacking, and among other issues equifax learned that during an internal audit that was conducted that year, that the company had left a number of critical and high-risk security
4:47 pm
flaws unpatched. the company also learned it lacked a comprehensive i.t. asset inventory meaning it would be difficult to address new security issues as they were brought to the company's attention. when the department of homeland security informed the public about a major security risk, in certain versions of apache struts, apparently very commonly used piece of software, it also told the public that the vulnerability was easy to exploit. knowing all of that, equifax relied on the same flawed policies and procedures which ultimately failed to identify the presence of the vulnerable versions of apache struts. equifax circulated a notice about the vulnerability to an e-mail list that did not include application owners. the issues on the agenda of two
4:48 pm
meetings that senior leaders failed to attend regularly and conducted repeated scans that failed to identify the vulnerability which allowed hackers to access the online dispute portal. mr. begor, if equifax knew that it lacked a mature inventory of its i.t. assets, why didn't senior i.t. and security officials, staff, do more to improve the inventory before the 2017 data breach? specifically, why did equifax fail to conduct a follow-up audit after the 2015 review to determine whether the company had made progress in addressing its patch management issues? >> ranking member, you know, i joined in april 2018 in the first few weeks of joining equifax, i went into great detail about, you know, the forensics on what caused the breach, what our routines and processes were in place at the time, and as i stated in my
4:49 pm
testimony, you know, there were controls in place that clearly weren't strong enough and, you know, we've taken great steps since then. we've doubled the size of our security team. i talked in my testimony a few minutes ago about our increased spending on data and security and our approach to making security central to the dna of the company. we also changed the incentives in the company. we're very unique, i think, in corporate america, in our bonus system which the top 3,900 out of 11,000 employees participate in an annual bonus, 25% of that bonus is tied to cyber security. and that went in place in 2018. it's continuing in 2019. will continue going forward. and, ranking member, that incentive is only punitive. meaning if we don't make progress on our security improvements, if we don't take our security forward, you can only reduce the individuals' bonus including mine. there's real making
4:50 pm
security part of our dna is quite critical. i'll also say, i think mr. sorenson said the same thing, this won't end. meaning you can never be good enough in the the investments ag will continue, and as i pointed out, we've increased our technology and security spending in '18, '19 and '20 by 50%. so security is a top priority at equifax, it's a top priority of mine and the board and the leadership team and the whole organization going forward. >> i spent a lot of years in my life in the navy. retired navy captain. and vietnam veteran. and we have a standard in the navy and a process in the navy that says if the captain of the ship is asleep in his or her ward room in the middle of the night and the ship runs aground, the captain of the ship is held responsible. has that happened in this case? >> in my view, senator, it has.
4:51 pm
you know, i think you know the prior ceo is no longer with the company. the prior cto is no longer with the company. if you look at our technology and security organization, we've upgraded really strong talent in probably two-thirds of both of those organizations. and as i talked about, you know, we've added significant resources. a thousand incremental people. we have 10,000 people globally at the beginning of last year. at the end of last year, 1100, and those were all in security and technology. so there was a lot of accountability. i wasn't there, but there's a new team at equifax that takes security intensely seriously. >> equifax's competitors which have the same extremely sensitive data on american consumers as equifax operated with a stronger sense of urgency. once they learned about the apache struts vulnerability.
4:52 pm
and as you assume the leadership of this organization, you must have wondered why, if they're doing this, why didn't we at equifax? and we've asked what you've done. i explained a bit about what you've done to change the culture of our company around cybersecurity. if you are advising other companies, whether they happen to be companies that deal in the business you have your business model, what advice would you have for those other companies today? >> first is, it's a war. and i think the -- mr. sorenson said the same thing. i think this committee understands that. that these criminals, other actors that are attacking u.s. companies are increasingly sophisticated. we get attacked multiple times per day and the system we have now, i get an alert on my phone from my chief security officer and his team when there's an attempted attack on equifax. and point one is, it's not going to go away. and point two is, we really
4:53 pm
applaud the committee's focus on sharing best practices. and i think as the senator may know, that's challenging sometimes for a company that goes through a data security breach to be open about actually having it. and these forums i think are critically important. when i joined equifax in april, my first call was to my two competitors. and what i told both of them was there's no trade secrets around data security. this is a war we face as an industry. it's a war we face for american companies as you pointed out, for the government. and it's one that's not going to end, and we applaud the idea of sharing actively what we're learning from each other. what are those ip addresses that are known bad actors. if one company knows it, let's make sure the next company knows it and share those so we can build our defenses up because it is increasingly sophisticated and challenging. >> i'll close this round with this thought. the constitution of our country was first ratified in delaware.
4:54 pm
december 7th, 1787. we ratified before anyone else had. the very beginning of the constitution starts with these words in the preamble. we the people of the united states, in order to form a more perfect union. doesn't say to form a perfect union. a more perfect union. our goal in this realm has to be perfection. knowing we'll never get there, but we need to strive for that, thank you. >> senator hassan. >> thank you, mr. chair, and thank you ranking member carper for your bipartisan leadership of this committee. and thank you to both of our witnesses for being here today. let me start with a couple of questions, mr. begor, to you. you said in your testimony that you believe despite some errors, equifax took cybersecurity very seriously even before the 2017
4:55 pm
breach. i know that the 2017 breach occurred before your time at the helm of the company, but the facts presented in the subcommittee's report make clear that the company's pre-breach security practices were really not in keeping with serious cybersecurity practice. the report shows that equifax had forgotten to update a security certificate known as an ssl certificate that encrypted data transfers between equifax's customers and website. when equifax developers attempted to install new certificates, they realized that some of the old ones had expired as much as eight months earlier. that failure led to the exploitation, as you've acknowledged, of millions of americans' data by what appears to be chinese hackers. equifax should have routinely audited its ssl certificates to make sure they hadn't expired since these certificates can only protect user data when they're current. so let me just ask you a few
4:56 pm
questions. when equifax sought to upgrade its ssl certificates on july 29th, 2017, how many expired certificates did your team come across, and how many of the certificates had been expired by more than a day? >> senator, i don't have that information in front of me. if you'd like me to, i could ask my chief security officer if he could help with that question. >> that would be terrific. thank you. >> good morning. >> good morning. unfortunately, i also was not at equifax during the time of this incident, and so i don't have that information with me right at this moment, but i'm happy to go back to the team and -- >> does the company have that information? >> i believe we do, yes. >> and do you know if any of these certificates had been expired for more than eight months? >> unfortunately, because i wasn't there, i don't have the specifics on the certificates exactly. >> i would expect that even
4:57 pm
though you weren't there that you would know this or have access to it because it seems to me that is the type of investigation and understanding that you would want to develop moving forward. >> senator, if i could just add. as you might imagine, we have a much different process today, much more robust. we know exactly which certificates are expired, which ones are critical. they're risk rated. we also do automatic scanning. >> right. >> it's a protocol that would be quite normal in today's environment. and we're always -- we're continually investing in new technologies to make sure we stay in front of that and are very rapid around addressing those. >> so you are routinely auditing your ssl certificates now? >> yes. >> i'm seeing nodding, too. okay. and you are making sure that they are current and they're not in danger of imminently expiring? >> that's correct. >> okay. would you support a law that would require companies like equifax that deal with millions
4:58 pm
of americans' personal identifiable information to adhere to clear cybersecurity standards and practices such as auditing your security certificates on a continuous basis, establish standards established and enforced through your regulator? >> first, senator, i agree that equifax is in a unique situation with the data we hold versus most companies. we understand that and take that quite seriously. with regards to all of the elements you talked about, those are standard protocols for us today and things we're following as a company. and really the highest standards of data security. with regards to legislation, you know, we'd be happy to work with your office and understand what's the right legislation to move forward, but we're doing things you talked about. >> i understand you're doing things but you're doing things after a major breach and what i want to make sure is that americans whose information is in custody of an entity they may not know anything about don't have to wait for there to be a breach before companies start
4:59 pm
doing what they should responsibly do. we are -- we have all discussed this is an ongoing threat. it's been an ongoing threat for a while. and we need to make sure that there are standards in place just the way we have safety standards in many other industries. let me move on just to another aspect to this. it appears in the psi report that one of equifax's biggest weaknesses was that the company's policy made individual developers responsible for identifying and patching vulnerabilities in the software they used, rather than relying on a full company effort to address any vulnerabilities. and as senator carper mentioned, unfortunately when dhs alerted equifax to an urgent and critical vulnerability in a piece of software called apache struts, the single developer who was using the software was not notified by his superiors about dhs' urgent message about those vulnerabilities. as a result, that developer was
5:00 pm
unaware of a critical vulnerability that eventually was exploited by hackers. you mentioned in your testimony that human error was certainly part of the problems that led to the breach. we've all acknowledged that up here, too. however, human error happens at every level of government and every level at the private sector. so it's incumbent upon security professionals and leaders of any security system -- government or private sector -- to build in extensive redundancies to mitigate against inevitable human errors. so it appears that prior to the breach, equifax had not built in those redundancies and as a result, human error became a single point of failure in a critical cyberattack. what redundancies has equifax built in to its system to ensure human errors never lead to this kind of breach? >> we agree that a single point of failure is one too many which
5:01 pm
is why we have a number of redundancies. i'd ask my chief security officer to talk in more detail? >> i'd be happy to. yes, one of the key tenets of our program is assurance. we want to make sure we have as many layers of security as possible because we know that any given control may fail or may be bypassed from a sophisticated attacker. as it relates to patching, we have updated all of our processes. we've implemented automated tools to be able to help reduce the reliance on human error. we've established patch champions, individuals specifically accountable for the implementation of these patches across the entire enterprise. and then an automated tracking system as well to be able to continue to track and manage these. i would mention one other one on the back end. we continuously scan our environment. so we, again, don't just rely on one system, one process, one individual. we have a belt and suspenders
5:02 pm
approach across the entire program. >> thank you. that's helpful. and i appreciate your indulgence, mr. chair. mr. sorenson, i had a question for marriott. i'll submit it for the record. i want us to think about what standards companies should have when they merge that might help us make sure that we're getting to problems before they are breached. thank you. >> we look forward to continuing to work with you on these issues you raised today and others. i'm going to reclaim some of my time now. i'll be back with more to follow up on the points that senator hassan made. she talked about updating certificates on the website. she talked about building in redundancies. again, mr. begor, you, in your testimony, were pretty confident that they were doing the right things by saying that the program also leveraged strong administrative and technical safeguards and subject to regular ongoing review through external and internal assessments. and there is a third concern
5:03 pm
that i have that i think we need to raise this morning and be sure that we're aware of a lack of follow-up, really, to an audit that was done. there was a 2015 audit of the security of your system. it found over 8500 known critical, high or medium vulnerabilities on equifax systems. so here's an audit discovered these vulnerabilities. these vulnerabilities had not been patched when the breach occurred. and many were over 90 days old. a copy of that audit is there with you on the witness table. i've had it for you all to look at this morning. i'm going to ask that that 2015 audit be made part of the record without objection. so my question for you is, how does a company that at that time as you indicated placed a high priority on cybersecurity allow 8500 vulnerabilities to exist
5:04 pm
unpatched on its systems? and, of course, my follow up, since you've become ceo, and you've stepped in and aggressively tried to address these issues, have you addressed these patching vulnerabilities on equifax's systems? how could that have happened, and then what has been done? >> thank you, senator. i wasn't there. i spent quite a bit of time looking at the past. i'm a big believer that we want to learn from mistakes and learn from things that weren't going as well as they could be. and i've tried to be quite clear and i will be clear right now that there's no question what we did in the past we can do a lot better today and tomorrow and we already have. we've made massive changes in our security protocols, our infrastructure, the involvement of the organization. as i mentioned earlier, we brought in really top talent. it starts with people leading these organizations. i think the senator may know that the cso reports directly to me and has a line into the board
5:05 pm
to our technology committee, which is a best practice in many companies. and we've, you know, added -- doubled the size of his team. with regards to your specific question around audits and patch management, we've doubled the size of our audit team and as a new element, we've added i.t. or cyberexperts as a part of our internal audit team. historically, those were just financial resources. now we have experienced technologists or security people in our independent audit team doing some of that work. and with regards to follow-up of audits -- >> hold there for a second. so when you look back at the 8500 vulnerabilities that were reported through that audit, what happened? why were those vulnerabilities not patched? what was the issue? >> you know, as you may imagine, there's a large organization like equifax has many patches that are under way at all times. they are coming in weekly and
5:06 pm
daily and -- >> the race is never won as was said earlier by mr. sorenson. >> yeah. >> but the question is, what did you learn from it. as you look back, i understand that you have beefed up your cybersecurity presence and you have the cso reporting, you put a bonus system in place that incentivizes all your executives to look at it. but what happened? how could those 8500 vulnerabilities not have been addressed at that time? what did you learn from that? >> i learned from that, senator, that that's not how you want to operate. we don't operate that way today. there's a real focus on, you know, both risk prioritizing the patching that needs to be done. the most critical areas are done first. next ones happen after that. there's real follow-up. tracking. mr. farshchi talked about how we follow up on those. we have automated systems now to track those. there's a real rigor, as there should be, around ensuring that that work is completed and those vulnerabilities are closed down. >> so that 2015 audit, if it had
5:07 pm
been followed up on would have made a difference, it appears to us based on our analysis of what happened. where are you now? have you done a recent audit? are you continuing to audit? >> we audit routinely. i don't know the -- the last audit was done in the fourth quarter. we also have third parties coming in and doing work around our cybersecurity efforts. we do our own perimeter testing by our own internal team. we also bring in third parties that the team doesn't know is trying to penetrate the exterior of our system. so there's all levels of rigor around getting external inputs like audit around our systems and processes. >> so you have done a follow-up audit comparable to the 2015 audit, and you have responded to what has been discovered, because i assume that it also discovered that there were certain vulnerabilities? >> correct. you know, you want your audit to
5:08 pm
identify things that will make the system better. that's the way i think about audit teams and the -- i don't know how many audits have been done since the cyberbreach in 2017, i can follow up on the number of audits around this area but there have been numerous. and as you might know, there's also regulatory organizations, cfpb, the attorney generals and others that are involved in discussions about audits and our customers. >> our interest is to figure out what the heck happened. how can you have an audit that, again, uncovers these vulnerabilities and not act on it. with regard to legislation we're looking at, what role should audits play if you could provide that to the subcommittee, that would be helpful. when your last audit was. any results of the audit. how you react to it today. that would be much appreciated. senator rosen? >> thank you. i want to thank you for bringing this very important issue, privacy and security. it is issue number one, not just
5:09 pm
for all of us as individuals but for all the companies and businesses that serve us that we expect to protect us and our communities every single day. but i want to address -- i do have some things to talk about acquisition and data migration as a former software developer. i've actually done that in my prior life. so i have some comments on that. first, i want to talk about the global nature, mr. sorenson about marriott hotels. of course you're worldwide. you operate in all 50 u.s. states and in 130 countries and territories. americans stay at marriott hotels all over the world so it is crucial that our data collected is secure. of course you've noted 23 million passports have possibly been compromised no matter where the hotel has been physically located. so my question to you is, last year, secretary of state mike pompeo stated publicly that china was responsible for the
5:10 pm
cyberattack on your marriott system and theft of consumer data. do you believe that to be the case? >> first, good morning, senator rosen. nice to be here and to be able to answer your questions. the short answer is we don't know. and i feel quite inadequate about even drawing inferences from the information that we've obtained. we have -- when we first discovered information had been extracted from the system which was november 19th it has been all hands on deck basically to make sure that -- noerchlths preliminary data has come out as to where the isps may be located or any commonalities and other hacks -- other hacking attempts with other companies across the world? >> we have shared everything we have with the fbi, including the addresses used and the malware tools used in the system so that they can do that kind of investigation. we simply have been focused on making sure the door is closed and communicate with our
5:11 pm
customers. so do you have policies in the u.s. that apply abroad taking into account, obviously, foreign laws and regulations. >> we do. we have policies certainly about data collection and retention. we also have an obligation to comply with local law. i think one of the things that's unusual about the marriott cyberattack is this passport information. and the number -- >> how long do you retain the passport information? >> well, the passport information that was accessed was in the starwood reservation system, and it had been there for a number of years. >> do you have a responsibility when you buy a company to do an audit of the company you're either buying or i guess it's like buying a home. do you get an inspection? what does the seller disclose? what is the buyer's responsibility? did you buy it as is, and so you just took no method of auditing the data coming across? >> well, we -- in the bottom line is we do buy it as is.
5:12 pm
when you're acquiring a public company, and buying those shares, there's nobody left. we are starwood today as well as marriott. we did diligence. >> so i want to tell you as a former computer programmer. i've worked for companies where i've done this acquisition and data migration. and while the other system is still up, i had a team of people working with me to maintain that system, auditing that system, making sure it had integrity while we were training and moving that data over. so where was your responsibility in maintaining and as you migrated, protecting that data? >> we were very much taking the same approach. really three periods we could look at separately. one is the 3 1/2-week due diligence period before we signed documents to acquire starwood. very abbreviated public company to public company. that was a, you know, tell us about your i.t. system. our i.t. team was involved in that and asking questions. but it was quite brief and we
5:13 pm
didn't learn about any of this. second period is between the fall of 2015 and fall of 2016, between signing and closing the transaction. and while we had not closed, our team, our i.t. team was deeply engaged in understanding starwood system, understanding the data, understanding the vulnerabilities and being ready essentially for the moment that transaction closed to say, okay, now what are we going to do with this system from a cybersecurity perspective, data retention, but also an operating perspective, obviously. and then immediately after closing, it was bringing in, not just our internal expertise but external expertise and saying help us identify the risks in this system. let's make sure we are doing things to address those risks and enhance them. in retrospect we wish we had done even more. obviously, something happened. but even -- while that system is running independently before the data migration and before it's turned off, we are very much
5:14 pm
trying to make sure that we are addressing the security flaws that we think are there. >> so as we think about those 23 million passports and other data that may have been breached worldwide, do you have, of course, i just want to be sure, a consistent policy, of course, taking into consideration certain other governments, laws or regulations for how you keep the data, how you retain the data and your responsibility towards the data? >> so let me give you just a couple of data points here, if i could. my number is just a little different than the committee's. about 19 million total -- >> 19, 23, it's an awful lot of passports. >> about 5 million of those were unencrypted. >> and that makes it better? >> no, no, those are the ones that, obviously, would have been most -- >> so we know that hackers can beat the encryption so that isn't really a factor here, i don't believe. >> well, i actually do think
5:15 pm
part of our strategy going forward is to rely on encryption and tokenization and whatever data we keep in this space it should all be encrypted. that by itself is not necessarily a totally adequate defense but it's one of the tools we should use. i think one of the other things that is clear -- there are dozens of countries around the world that require us to collect passport data. sometimes they require us to make physical copies of passports for guests in those hotels. in the marriott system, legacy, that was at the hotel level and not centralized in the data platform, if you will. in the starwood system it was done locally and essentially centralized into the data system. there are pros and cons of allowing it to be entirely at property level. one of the pros is it's a smaller target, if you will. one of the cons -- >> more diffuse.
5:16 pm
harder to get centralized. much harder to break into. >> one of the cons on the other hand is then if each hotel needs the same elaborate system of cyberdefenses, can you make sure that you are delivering that. and those are issues that we're working through right now. i think in all likelihood, everything -- passports will be encrypted. secondly, i think we'll look hard at not centralizing any of it, but making sure that we've got appropriate tools at property level to protect against cyberattacks. >> and perhaps how long you store customer information, sensitive information like their credit card numbers and those extra security codes. >> we are looking at that, too. >> thank you. i think my time is up. >> thank you, senator rosen. senator hawley. >> thank you for having this important hearing. thank you witnesses for being here. mr. begor, let me start with you. you may know that as attorney general of missouri, i and 43
5:17 pm
other attorneys general sent -- launched a multistate action after the announcement of the equifax breach in 2017 and among other things we sent a letter to equifax in which we expressed particular concern with equifax's post breach activities, including the offering of a fee-based service to guard against data breach at the same time that you are offering a free service. we object to equifax using its own data breach as an opportunity to sell services to breach victims. selling a fee-based product that competes with equifax's own free offer of credit monitoring services to victims of equifax's own data breach is unfair if consumers aren't sure if their information was compromised. can you give us the update on the status of this product? are you still doing that? >> thank you for the question. as i mentioned this morning, we offered a free product for all
5:18 pm
americans, whether they were impacted or not at the time of the data breach. and i don't know the exact timing of when we stopped marketing to consumers, but soon after the data breach, it may have been when we received the letter from you and the other attorneys general. we stopped marketing to u.s. consumers as a result of that. we recently started again marketing in october on a very limited basis. the other thing that we offered in january of 20 -- >> this is a free product, though, that you were marketing a free product? >> no, senator, when the breach happened, we offered free credit monitoring product to any american, and it was opened up to any american could get that. whether they were impacted by the data breach or not. that happened in september of 2017. in january of 2018, we added another free product for any american that's free for life that's a lock and alert product where on your mobile device you can lock your credit file or unlock it. and equifax is the only credit
5:19 pm
bureau offering that. and last you talked about marketing to consumers. we stopped marketing in the -- i don't know the exact date, but in the fourth quarter of 2017, to u.s. consumers. >> what about the fee-based product that you were offering after the announcement of the breach? >> that's what i was referring to. we stopped that in the fourth quarter of -- >> you stopped marketing it in the fourth quarter? >> that's correct. >> we raised other concerns in that same letter and same multistate action including the terms of service that required customers to waive their rights, charges customers pay for a security freeze, with other credit monitoring companies. and overly long wait times for the equifax customer support call center. can you give us an update on how you've addressed these concerns? >> yes, senator. on the freezing your credit file, i referred to what equifax proactively did in january of 2018 offering a free freeze or
5:20 pm
lock product to any american, and that's still offered today. you can get that today. i have it on my own. it allows you to lock or unlock your credit file at no charge and free for life. the senator also knows last september the senate passed senate bill 2155 that offers consumers free freezes for life. that was passed and that's in place. and we've implemented that along with the other three credit bureaus. with regards to our customer service center, there was clearly some challenges there as i look back on what happened in the fourth quarter. staffing up for something like this is quite challenging. in my testimony this morning, i talked about the incremental $50 million of investment we're making now in our customer service capabilities to enhance our abilities to manage our day-to-day interactions with consumers, as well as investing to make it easier for consumers to interact with us when they have a question. whether it's around a dispute or
5:21 pm
question on their file. >> thank you. >> mr. sorenson, in the testimony you provided, the written testimony you provided this committee, you noted, i'm going to make sure i get this right. you noted you did not receive any substantiated claims of loss from fraud attributed to the incident and none of the security firms you engaged to monitor the dark web have found evidence that evidence contained in the affected tables has been or is being offered for sale and that you had not been notified by any banks or credit card networks that starwood had been identified as a common point of purchase in any fraudulent transactions. do you take this to be a thorough accounting of which sources might know about your customers' data used by third parties, and is it sufficient for them to just wait for them to report to you? >> i think the answer to the first question is no. it's hard to feel like anything is thorough in this space. you pick signals from a number of different places. we use a number of different tools to try and go after the
5:22 pm
same thing. we take some comfort in this, but it's only some comfort. and i think we are grateful for the partnerships we have with the financial institutions so we can have a little bit of that dialogue about what they may be seeing, but we are -- one of the reasons we put the web watcher out and made it available to our customers is that's another tool to look regularly at the so-called dark web to see whether a particular customer's information is showing up on that dark web. >> if i could just press a little deeper here, does this, in your written testimony, does this reflect an ad hoc list of sources that could report this information about personal information of users, or does this reflect some sort of cybersecurity methodology that you have in place in order to protect your consumers' data? >> no, i don't think this is really in the first instance about protecting consumers' data. i think it is about assessing
5:23 pm
what we can assess about the cyberbreach that occurred. and so if you will, the attack happened. successful, i suppose, if you take it from the attackers' perspective. information was obtained. we've been wrestling with the consequences of that. one of the tools that we're using is to try and figure out what can we tell about where that data has ended up. the tools that we use to protect the data in the first place, i think, are different. in many respects, obviously, much more fundamentally important because we want to avoid that data from getting out in the first instance at all. >> and you do have some cybersecurity methodology you've put in place to systematically protect your consumer data. that's what you're telling me? >> a whole range of tools. >> my final question here, mr. chairman, are you complying with gdpr? am i to understand that gdpr in europe requires reporting within
5:24 pm
72 hours if one marriott customer resides in the eu. is that your understanding as well? >> yes, and we believe we are. >> thank you, mr. chairman. >> thank you, senator hawley. senator harris. >> thank you. thank you, mr. chairman, for bringing this subject up as california's ag, i'm supported expanded california's laws as it relates to the requirement of the report of data breaches. and have met with many folks over the years who have suffered greatly because of the breach of their personal information and data. and so the risks are, obviously, many. mr. begor, equifax is facing lawsuits. in response your lawyers have argued that even though their information was stolen, consumers cannot prove they were harmed. it was recently reported that none of the data stolen from equifax in 2017 has been used in
5:25 pm
identity theft or other fraudulent activity and that the stolen data has not been offered for sale on the dark web. do those assertions remain true? >> they do, senator harris. to date, we use a variety of outside experts, as well as our own, like marriott, really trying to understand where the data went, what it was used for, and our analysis is there's been no evidence that the data has been sold or no evidence of increased identity theft as a result of equifax data that was stolen in 2017. >> so a former senior intelligence official recently told cnbc that the hack was more likely the work of a foreign intelligence agency than a garden variety criminal. which would explain why the stolen information has not been used for garden variety crimes. if a foreign power is an especially hostile foreign power, is using the data it stole from equifax to target u.s. officials or american operatives, does it remain your position that there has been no
5:26 pm
injury or harm caused by this breach? >> senator, we don't know who took the data, and we still don't and we're working closely with the fbi. days after identifying the cyberbreach in 2017, we started collaboratively working with the fbi and other authorities. we have the same goal. we've been completely transparent about who took the data. we just don't know who it is at this stage and we continue to work with those authorities. >> it would be important for us to know that you appreciate the fact that if the data were breached for purposes of gaining information about u.s. officials or american operatives that there would most certainly be harm and damage and injury that would result from that. do you appreciate that concern? >> of course, senator. in my testimony this morning, i started out by expressing regret for what happened. talked about what we're doing for consumers, which is really our initial focus and continues to be our focus around supporting consumers.
5:27 pm
the free credit monitoring that we offer. the other free products we've rolled out subsequent to the data breach around supporting consumers. >> and do you understand that there have been targeted violations of privacy as it relates to employees of the united states government and that there is a concern among intelligence community and all of us that there is a focused concern actually, a triangulation around officials, american officials, and in particular those who may be involved in our military or intelligence work. and the attempt being to get their personal information for the purposes of attempt to compromise those individuals. are you aware of that concern? >> i've read about it and listened to the experts we work with about that threat on american companies and on american consumers and as well as government employees. >> and will you commit to this committee that you will have that as a priority among your priorities in understanding and thinking about potential harm
5:28 pm
that's resulted from these breaches? >> senator, i testified a couple times this morning that security is a very -- is a top priority at equifax today. we've doubled our security team. >> so is that yes? >> the answer is, everything we're doing is around yes. >> okay, great. and mr. sorensen, as senator rosen referenced in november of 2018, hackers exposed the personal information of up to 383 million marriott customers, including millions of passport numbers. shortly after cybersecurity firms and recently our government hired -- was hired to assess the damage attributed to the hack and attributed it to chinese intelligence. in addition to passport numbers, could hackers have accessed guest itineraries and the names of their traveling companions? >> yes. well, traveling companions, i'm not certain about, but reservation data was obtained in -- i think most recently as
5:29 pm
far as we can tell in 2016. so that would have been my upcoming reservation or perhaps a past reservations that i had at one of the starwood hotels. we do not think, based on what we've been able to tell so far that any reservation data post-2016 was obtained by the cyberattacker. so in the 2018 instance, which was the first one after we acquired starwood, we do not think individual reservation data was there. this is not 100% provable, but we believe that that means there's no longer any upcoming reservation data which was obtained because if 2016, two years ago, we tend not to take reservations more than a year out. so probably nothing that is still -- if you will, a future reservation. >> and then as it relates to the names of traveling companions, it is the custom of marriott
5:30 pm
hotels to collect the information of whoever is occupying the room, whoever has the credit card plus whatever guest they may have, isn't that correct? >> well, again, this is the starwood reservation database. and certainly in many instances, a hotel would note somebody else who might be sharing a room. but not necessarily in every instance. if the person who made the reservation is showing up and checking in and getting the key, the front desk may or may not take the time to make the effort to figure out whether a spouse or child or somebody else was traveling with them. but certainly it would have happened in some circumstances. >> so for those folks whose names may have been exposed, but they're not actually the individual who was contracted with the hotel to pay for the room, have those people been notified of this breach? >> well, we tried very hard to notify everybody that we could. the first tool we used was a
5:31 pm
broad press release with broad public dissemination and then the carrying on the banner, the top line of the, apps, all the rest of it. in addition, we sent out in excess of 50 million e-mails to folks that we had e-mail addresses on to also make sure that we were notifying them in that way. is it possible that somebody has slipped through the cracks? of course. i think more likely that they were repeat customers of ours, the more likely they are travelers. the more likely that they would have been either notified by us directly or seen the news. >> mr. chairman, just one last question, and it's a brief question. is it correct that marriott is the top hospitality provider for the american government and the united states military? >> i don't know that we have the data which would tell us that. we're the largest hotel company by rooms. >> can you follow up with the committee and see if you may have the answer to that question? >> i'll ask andee whether we can find out, yes.
5:32 pm
>> thank you. >> thank you, senator harris. senator peters. >> thank you, mr. chairman. thank you to our witnesses today. mr. begor, if a consumer is delinquent on a payment but later makes the necessary payment to bring the account current, it's my understanding that that delinquency stays on the credit report for seven years. is that correct? >> yes, it is, senator. >> so if a consumer misses a single credit card payment and then follows -- you will continue to follow them for basically seven years, and then they'll have an opportunity to in that seven years basically demonstrate that they are good credit risk, a good credit score and as a result of that, then get additional credit as a result of that after that seven-year period. is that correct? if there isn't any other activity? >> there isn't, senator, but as you may know in the credit scoring models that we use, other credit bureaus use, the banks use themselves as a
5:33 pm
delinquent payment using your example if there was one delinquent payment as that ages out, it becomes less predictive, has less impact on an individual's credit score or ability to obtain credit. >> but, still, it's an expectation it takes -- you want to watch it for seven years basically to see how it acts. there's a slope there. and i bring that up because i think that most people, certainly everybody that i talked to, believes that equifax was beyond being just delinquent on one payment when it came to the securing of this critical data and the cybersecurity hack. and that the information that has now been put out or has been taken, will likely be there forever. and, in fact, that you haven't seen some of these activities in the short run may make sense because, if you are a bad actor, you may wait awhile before you use this data to use it for a nefarious purpose.
5:34 pm
and so i just find it interesting in that delinquent payments for a consumer, you follow for seven years. although you have offered the credit freeze for a lifetime. when it comes to credit monitoring, it's only two years. credit monitoring is certainly much more preferable to consumer convenience than it is to freeze and unfreeze, go back and forth. and i know you want to build consumer trust, but if you are telling your consumers, we'll watch you for seven years because you've missed one payment, but we have this massive breach and we gave all your personal information -- somebody got all your personal information to millions of people and it's going to be out there for the rest of your life, we'll help you for two years. seems to me that it would make sense that, at a minimum, that you would offer credit monitoring for the seven years just as you monitor your customers for seven years. so my question to you, mr. begor, would you support mandating free credit reporting for seven years for all
5:35 pm
consumers whose personally identifying information was the subject of a breach of a credit reporting agency? >> senator, we think that's really situational and what the consumer should be offered. we offered 12 months starting in the fourth quarter of 2017. we voluntarily extended it for another 12 months late last year. we'll continue to look at that as we go forward and, again, it's my view that legislation is not required for that. that we're doing the right thing for consumers and i would just remind the senator that while the credit monitoring is a valuable product, what the senate passed last september in senate bill 2155 offering a free freeze for consumers really is the most important way to protect your data. and then equifax has a supplement product that's available on your phone or mobile device that's free for life to do the same thing with some more functionality. so if you are at a car
5:36 pm
dealership and getting an auto loan, you can unlock your credit file. when you finish getting that financial transaction, you can lock it again. >> would you still see the value of monitoring because you're offering it to your customers for up to two years. that that's a better product than just the freeze and unfreeze, which is more cumbersome. i think you mentioned that. so you said you'll re-evaluate this on a situational basis. what is that situational basis? what's the criteria you'll be using as to whether or not to extend this beyond the two years? >> it really depends on how the data -- how we can see the data had been used and what it's being used for. and i would make the point where credit monitoring is quite valuable, you know, we believe that giving consumers control about who has access to the data, when it's frozen, no one can see it. and no one has access to it.
5:37 pm
>> i would like to in the remaining time touch briefly on another important subject. that's the collecting of data on minors. how many minors had their personally identified information compromised in the 2017 breach? >> senator, i don't have that information in front of me. i'd be happy to get back to your office with that. >> is it greater than zero? >> i don't know the answer to that, senator. >> so you'll provide that for me? >> yes. >> that would be great. do you have any policies regarding the collection of information on minors? >> the policy is that, you know, we don't. and as you know, you may know senate bill 2155 allows a parent to put a freeze on their children's credit file, if, in fact, they have one. we're quite diligent about managing that because it's an area of focus by imposters or fraudulent individuals that try to create a credit file for identity theft purposes, not only on minors but other
5:38 pm
americans. >> is there an instance where a young child would need a nonfrozen account? >> not to my knowledge, senator. >> but a parent has to opt out, even though there's no reason to have a non -- or to have a frozen account but the parent has to be active in doing that? okay. so last year i worked to pass legislation that protects children from synthetic i.d. fraud. it's a form of identity theft you know very well, where stolen security numbers of children are paired with fake names and birth dates to apply for loans, credit cards and other accounts. could any minors' information that was exposed in the 2017 breach be used as part of identity theft or synthetic i.d. fraud operation? >> i'll have to get back to you on what minors were included, if any. i don't know the answer to it in the theft that took place in 2017. >> i appreciate working with you on that. thank you. >> we have a short second round here.
5:39 pm
senator carper, do you have additional questions? >> i do. both equifax and marriott publicly announced their data breaches within weeks of learning them. and while this is better than some companies have done in recent years, it's a lot longer than, for example, target waited when it suffered a breach in 2013. in fact, target learned about a cyberattack, you may recall, affecting its customers in the middle of the holiday shopping center. i was one of them. and that year informed the justice department and public literally within days. and this allowed target customers to take precautions against fraud and identity theft and to monitor the bank and credit card statements. mr. begor, the hackers who attacked equifax were in the company for 78 days before equifax discovered their presence. i think that's correct. and by the time equifax informed the public, consumers' information had been in the hands of hackers for close to four months. given the damage that can be
5:40 pm
done with the type of information equifax collects, why do you suppose the folks who were in positions of responsibility prior to your arrival, why wait six weeks to step forward? why not follow the target example so that people could take swift action to protect themselves as soon as possible? and if i had been you coming into a new situation as the new ceo, i would have said to the people who were there before we, what were you thinking? how could you have allowed this to happen? did you ever have those kind of conversations? >> i had a lot of conversations when i joined last april. and i hope you get a sense for the pace of change, the breadth of change, the priority around security. there's a whole new team here. we've added extensive resources, and we're very serious about security. with regards to the time frame, you know, with the data breach, my strategy and i believe it was the team's strategy at the time,
5:41 pm
was to be accurate and quick in completing the work. as the senator probably knows, it's a very complex process. once you find out that you have a data breach to really determine which elements of your database was affected. we brought in the very best forensic experts within days of the data breach. i think it was a day or two contacted the fbi and got their involvement in it. and from my look back at what the team did, they moved as quickly as they could to ensure that we were going to be complete and accurate. from my perspective, making an announcement that there was a data breach but not knowing which americans were impacted, and is it 50 million, 2 million, 150 million? it took time to really do the forensics to figure that out. my approach is to be accurate and complete with the real focus around the consumer first. really making sure that those consumers that are impacted we can identify who they are and
5:42 pm
then communicate with them quickly. >> mr. sorensen, really the same question. i'd like to hear about the factors that went into marriott's decision on the timing of its public notice. >> so we had an alert which -- on september 7, 2018, was triggered. that alert went to a third party who was operating the reservation system for us with in effect a company to the i.t. group at marriott. we heard from that third party operator the next day on september 8th that that alert had been received and immediately started to mobilize resources to contain and to ascertain why that alert went off. it wasn't until november 19th, 2018, that we learned that data about our customers had been exfiltrated from our system. and we announced on november 30th. we, of course, had lawyers and
5:43 pm
security experts and all sorts of other folks who were engaged in the conversation about timing, how quickly could we go? we also wanted to make sure that we had set up call centers and websites so that the moment we released this information publicly the customers had a place to go and find out more and sign up for the web watcher services and do the other things that were necessary. and so that 11-day time, of course, was -- met the legal requirements but it also was practically about as fast as we could move it and be able to communicate something which was concrete and useful to customers and then be able to deliver something of what we anticipated they would need and want. >> thank you. let me ask both of you, any idea -- any sense for how many state data breach notification laws your companies are, i guess, subject to?
5:44 pm
would it be fair to say that maybe even 50 such state laws that you are subject to at this time? >> if it's okay, senator, i'll go first. you are correct on that. and it's quite a challenge. >> i was going to ask, what kind of challenge does that present, if it's true? >> there's -- i don't know if the exact number is 50, but they're all different and it creates challenges in a situation like equifax, and perhaps marriott's, in complying with the requirements. different notification documents required. different ways you communicate with the consumer. different ways you're allowed to communicate with the consumer. and we've been longstanding supporters of a unified federal legislation that would unify that and allow, you know, actually that's one of the elements that makes it -- there's a time limit there once you figure out which consumers are impacted and what states are they in and requirements on how you communicate with them. we're very supportive of a
5:45 pm
federal unified legislation on that. >> thank you. same question, mr. sorensen. what kind of challenges do you have with respect to who to notify, when to notify, what to disclose about a data breach. >> it was not among the biggest challenges we faced. i would put it that way. although if memory serves, we found some place between 20 and 30 states had specific notification requirements with a deadline. now we, of course, met those deadlines and then ultimately communicated to all 50 states. outside the united states, there were probably, i don't know, 20 or 30 countries that had various kinds of notification deadlines. obviously, that's nothing that the federal government can do with that. sadly, i suppose, in some respects, this ground is too well trod and so there are folks that can help us figure out where those requirements are and
5:46 pm
how to meet them. would be simpler, of course, to have one sort of u.s. standard, but that's something that we'd be happy to work with your office and give whatever input we could from the experience we've had. >> mr. chairman, i am sitting here thinking, believe it or not, of something richard nixon, of all people, once said. and richard nixon once said the only people who don't make mistakes are people who don't do anything. we all make mistakes. and i said to our sons now, 29 and 30 years old, i've said to them, nothing wrong with making a mistake. the key is we don't want to continue making the same mistake. in this case, mistakes, not only harm your companies but we talk about the harm, 150 really innocent people across this country. so the question is, what do we do about it? and you've talked to us today about a number of things that each of you have done.
5:47 pm
and i am pleased to hear the statements of apology, of contrition. acknowledging the harm and damage that's been done. and god knows i wish and i'm sure 148 million people wish that the kind of thinking of the actions you've displayed in the last year or so that you've been in your position, mr. begor, that that kind of thinking had existed in the previous administration, if you will. you talked about what i think is really important. leadership is most important in leading the success of any organization i've ever been a part of. in business, government, military, always the key. if the leader doesn't say cybersecurity is important or the board doesn't say cybersecurity is important, nobody else down the line is going to make it important in the end. and it appears to us that you have done that, both of you. and have made it clear from the top, this is important.
5:48 pm
you've aligned incentives, financial incentives for the folks helping to run your company so that their incentives are all lined up with that in mind. sounds like you've done a lot with respect to hiring your kind of workforce that you need to enable the desires and wishes, the directives from on top to make sure that they are carried out. one of the things i think a lot about, mr. chairman, is workforce. i know you do, too. and we have focused in delaware for a number of years, the delaware university, the community college, to make sure we're turning out a better workforce to help take on these jobs that are available out here to be done. with the federal government, what our responsibilities are, i was privileged to chair this homeland security committee for a while and with tom coburn from oklahoma, and we focused, senator portman knows, he's part
5:49 pm
of this, on what we needed to do within the federal government. what we needed to do as legislators. we did a lot, and we've continued to do a number of things. i really think, mr. chairman, this is the right time for us as a committee. we have new talent on either end of us here, democrat, republican, bright people with real world experience that can bring a lot to this. i think it's really an ideal time for us to do our job of oversight. we've done all this legislating. and it's being implemented. and we have -- let's find out to what effect, to what good. that's a big part of our job. last thing i'll say is i'd ask to enter for the record some newspaper articles i read on the train coming down this morning from the last several weeks about the dramatic increases in attacks from china and from iran. and i remember when barack obama met with the president xi in washington state.
5:50 pm
you may remember this, 2015. i think september of 2015. and jeh johnson, director of homeland security, gave me his eyewitness account. in that meeting, president obama said we know you are attacking us and coming after our trade secrets, business practices and our military secrets. we want you to stop. the president said we don't do that, that's not the policy of our country and that's not what we're about. president obama basically said this is who's doing it, this is where they are located, and we want you to stop. president xi said we are not willing to do that. i'm told president obama said if you don't stop, you will wish you had in so many words. as you may recall dramatic drop in attacks by china. about two months before that, the congress of the united states, the president had essentially signed off on a five nation deal with iran, for
5:51 pm
gradually lifting sanctions. at the time the iranians were unrelentingly attacking your financial services companies. in july, i was a strong supporter of lifting sanctions for the opening of inspections ongoing. and you know what happened? literally within a month, the frequency of iranian attacks greatly dropped. almost like china a couple of months later. there's another element here, we don't think much about. there's so much they can do and other companies need to do. more work to do in terms of training the workforce and making sure they are available. the jobs involved before the administration in working or
5:52 pm
reaching out to other countries and getting them to work with us instead of being or undermining what we are trying to do. plenty of for today. a multilayered approach and we appreciate your being here today and helping put a spotlight on this. you have cleaned up the messes that you inherited especially equifax. it's given us an opportunity to think about what we can do, to better do our own jobs. thank you. everything we do, everything i do i know we can do better and that includes this. thank you. >> i can't believe government to do anything better than the spec thank you. to the witnesses i have two follow-up questions we want to get into the record. but let me reiterate what i said earlier which is, we appreciate your being here. we're trying to learn. and the lessons that you have learned within your companies are really important for what we are trying to do legislatively.
5:53 pm
understanding what happened, what could be done differently, this is frightening, scary for hundreds of millions of families. whose personal and financial data was compromised through the two companies you now lead. i appreciate the fact you acknowledge that, understand that you know, this is about hackers. it's about technology but it's also about people. and the frustration that many americans have right now that nothing is sacred or safe. you know, and it is, is good to know that as mr. sorensen has said and mr. begor said, some of the data has not been used yet by criminals in ways that one may have thought it could've been. that doesn't mean it didn't happen or isn't happening right now. also gets raised earlier some of this may be being used by foreign actors in ways counter to our national interest. by targeting individuals. so it's growing or importance
5:54 pm
get to the bottom of what happened and what's being done and what can be done in the future legislatively. we go back if i could to the cyber security protocols that mr. begor talked about earlier. in your testimony seemed to lean heavily i thought on the fact the program at the time as i said leveraged technical safeguards and was subject to regular ongoing review. external and in total as we talked about the audit that was not respected just by some really troubling data it uncovered. the other part that i think we need to talk about this morning and i was waiting to hear what my colleagues would address and they addressed a lot of this. is the it inventory. the investigation, as you know, found that equifax at the time failed to follow this basic practice of maintaining an it inventory of applications and assets on its systems. without having this list,
5:55 pm
equifax was unable to find the application that was exploited by the hackers. that's one that has been talked about previously, called apache struts. you guys didn't even have it on your inventory. so you couldn't find it. i guess a few questions, one, since the breach has equifax generated a list of applications on its systems? >> we have, chairman, in great detail. not only that, i think my colleague mr. farsi talked about some of the automated systems we put in place to really track all of the systems and make sure we understand not only the systems and all the assets we have, but also when there's a patch that needs to be completed, those are all automated and we are watching those. there's multi layers of defense. you know, it's more than just one layer. i think the chairman knows that. that all of these elements have to be done very well and then
5:56 pm
with the latest technology which is what we put in place and we are continuing to put in place. >> the national institute of science and technology, nist, has issued a recommendation that there be an it inventory and every company that could be affected. by these breaches. let me ask you this, if equifax had kept an up-to-date it inventory, would it have been helpful to have identified the vulnerability? >> you know, in my analysis of what happened in 2017, there was an inventory. it wasn't as complete as it should be. but certainly, the protocols and the procedures, the resources we have in place are at the highest standards. like most companies, we follow the protocols. as i mentioned early this morning, we have third parties actually auditing us against those nist standards as a part of our many layers of how we are managing our security program going forward.
5:57 pm
>> we have a difference of opinion. our investigation identified there was not a complete inventory. mr. farsi, maybe you can respond to this. was there an inventory or not? did that affect the ability to find the vulnerability? >> certainly. so inventory is an important control across any organization to defend against threats. i wasn't here at the time. but looking back, we did have an inventory, it just wasn't, it just wasn't a complete inventory. since that time what we've done, we have built in the controls that mr. begor was saying so we do have a complete inventory of our assets. and note, -- >> it sounds like if i might, you did not have a complete inventory and apache struts was not something that was able to be identified. is that not accurate? >> what i would say is this,
5:58 pm
the inventory for us apache struts is typically not in the inventory that you highlight in the report. so it's a tactical nuance. the specifics of that particular vulnerability typically are not included in the asset inventory. because it's a source code vulnerability, it's typically in the code repository instead. >> well again we have a difference of opinion on this one we will follow-up with you and again, it's about the future going forward. are you telling me something of the nature of apache struts would not be in your current inventory and therefore you would not be able to find the vulnerability today? >> no took it absolutely is not inventory. >> it should be an inventory. >> it's a different type of inventory, senator. >> well, if it had been in the inventory they are reviewing, clearly would've made a difference. do you believe that statement? >> made a difference, with respect to what, senator? >> the ability to find the vulnerability? >> it would have helped. >> thank you. okay mr. sorensen thank you for
5:59 pm
being here too and again i want to follow-up on one of the points we found in our investigation, it's true the big breach happens it started in 2014. you acquired starwood in 2016 is that correct? in 2018 you were able to identify something happened in you said the alert was issued in 2018. however, we have not mentioned today there was a 2015 breach at starwood that was acknowledged. and so when you bought starwood, you knew about, i assume, knew about the breach. is that correct? >> yes we did. >> that breach was a credit card breach. numbers were taken at points of sale at 54 different properties. and in 2016, january 22, 2016 to be exact the president of starwood sent a letter, a
6:00 pm
public letter out, saying the guest reservation database was not impacted by that breach. i have a copy of that letter on the witness table for you. again, i would like to enter that 2016 letter into the record without objection. of course in reality the reservation system had been breached considerably. in 2014. so the letter said don't worry, reservation system has not been breached. so my question to you is just a simple one, when you did your due diligence -- which you talked about having an -- did you look at the letter and examine the issue and could you have determined therefore earlier, what happened? >> yeah that's a very fair question. the short answer is, we knew about the point-of-sale breach that starwood had suffered. we worked with the starwood team and we worked independently to try and make sure we understood the scope of that breach. as far as we know today, it was
6:01 pm
totally unrelated to the reservation system breach that we had been talking about and announced in november. different tools, different system in a sense the point-of-sale is obviously distributed at the properties and the restaurants and at the front desk. the reservation system by comparison which was the larger breach we disclosed in november, is a centralized system. again the team has said they don't relate to each other. although certainly from a colloquial perspective it feels similar. it feels like a warning and somehow it's related to the starwood's customers which it is. we did try and understand the point-of-sale thing and we were satisfied starwood had taken the steps necessary in order to deal with that breach. separately, we did some things on the reservations platform side. it was in retrospect, clearly not enough. >> again lessons learned. and we appreciate the testimony given us and we appreciate the opportunity to stay in touch
6:02 pm
with you and your experts to help to be sure we are putting together the kind of legislation that can help avoid these problems in the future. you made a statement earlier, this is a race that has no finish line. i think that in fact is accurate. this is a marathon that has to be run at a sprinter's pace. because there will be continual innovative hacking. i noticed this morning to senator carper's point, while the president was in hanoi negotiations with chairman kim, there was an increase apparently this is report -- take it as such -- in north korean hacking commercial hacking of u.s. targets. so it's something we will have to continually assess and government is not often good at that. we put a law in place and
6:03 pm
senator carper said we don't do the proper oversight and follow-up. we sometimes get behind the curve. we want your ongoing cooperation with this panel. to be able to put together what makes sense and then to update it as necessary because you're both going to be in your companies engaged in this for a long time in the future. thank you. >> if i could enter for the record, an article from paris 16th new york times chinese hackers renew attacks on u.s. companies. the wall street journal recently as yesterday hackers have hit hundreds of companies in the past two years. i ask that that be included in the record. thank you. >> thank you for your testimony. >> we thank you for your service. >> thank you. >>
6:04 pm
we will now call our second panel witnesses for the hearing. please come forward and take a seat. this is the expert panel that's going to give us information about how to solve some of these problems we just talked about. we welcome you. we will start by introducing the panel. alicia cackley is director of financial markets and community investment at the government accountability office. we appreciate your work on this issue and report.
6:05 pm
secondly andrew smith director of the bureau of consumer protection at the federal trade commission. and third, we have john gilligan with us. mr. gilligan is the ceo at the center for internet security. it's the custom of the subcommittee to swear in witnesses so at this time i would ask you to stand up and raise your right hand. do you swear the testimony you will give before the subcommittee will be the truth, the whole truth and nothing but the truth so help you god? please be seated. let the record reflect all the witnesses answered in the affirmative. your written testimony will be part of the record. if you could keep your oral presentation to five minutes, that would be great. and mr. smith i think we told you you would go first so we will call on you first. >> thank you.
6:06 pm
chairman portman and members of the subcommittee, i am andrew smith the director of the bureau of consumer protection at the federal trade commission. i appreciate the opportunity to present the commission's views on how congress can help the ftc further its efforts to prevent data breaches in the private sector. my written statement represents the views of the commission. the opening statement represents my views alone and not necessarily the views of the commission or any individual commissioner. let me begin by summarizing the ftc's current efforts to protect consumers by promoting data security and preventing data breaches. our work has three primary areas of focus. the first is enforcement. for nearly 2 decades the ftc has been the nation's leading data security enforcement agency. we are charged with enforcing data security requirements contained in specific laws such as the children's online privacy protection act, the fair credit reporting act and the gramm leach bliley act. we also enforce section 5 of the ftc act which prohibits unfair or deceptive practices including unfair and deceptive practices with respect to the
6:07 pm
data security. in this law enforcement role the commission has settled or litigated more than 60 actions against businesses that allegedly failed to take reasonable precautions to protect their customers' personal information. for example we brought cases against manufacturers of consumer products like smart phones, routers and connected toys. we brought cases against data brokers that collect consumers' personal information. our second area of focus is policymaking. the ftc's conducted workshops, issued reports and minerals to promote data security. for example, just this week, we announced a notice of proposed rulemaking to update our safeguards rule under the gramm leach bliley act. the safeguards rule was issued in 2002 and requires financial institutions within the ftc's jurisdiction to implement reasonable process based safeguards to protect personal information in their control.
6:08 pm
the proposed revisions to the safeguards rule are based on nearly 20 years of enforcement experience. these revisions are intended to retain the process based approach of the original rule, providing financial institutions with more certainty with respect to the ftc's data security expectations. our third area of focus is business education. the commission has issued numerous guidance materials for business including a guide called start with security, in 2015, a series of columns in 2017 called stick with security, and last year a comprehensive small-business cyber education campaign which includes written guidance, how-to videos and training materials for businesses. these materials instill the lesson to learn from our enforcement actions in assessing to and accessible manner. we have vigorously used our existing authority to protect consumers. but this authority is limited in important respects and the commission has called on congress to enact comprehensive data security legislation.
6:09 pm
that includes rulemaking, civil penalty authority and enhanced jurisdiction for the ftc. first, the legislation should give the ftc the authority to issue data security rules under the administrative procedures act so we can keep up with business and technological changes. we currently have rulemaking authority, we've used it as demonstrated by this week's proposed revisions to the safeguards rule i described. second, legislation should allow the ftc to obtain civil penalties for data security violations. currently we have authority to seek civil penalties for data security violations under the children's online privacy protection act and the fair credit reporting act. we also can get civil penalties for violations of an existing administrative order. as a general matter, we cannot obtain civil penalties into noble cases. to help assure effective deterrence, congress to enact legislation to allow the ftc to
6:10 pm
seek civil penalties for data security violations in appropriate circumstances. finally, the legislation should extend the ftc's jurisdiction over data security to nonprofits and common carriers. entities in these sectors often collect sensitive consumer information. and significant breaches have been reported particularly in the educational and non-profit hospital sector. thank you for the opportunity to appear before you and i look forward to answering your questions. >> thank you mr. smith. ms. cackley? >> i'm the director in the financial market and community investment team at the government accountability office. pleased to be here to testify about internet privacy and data collection issues. i will discuss the ruling authorities for overseeing internet privacy and the stakeholders' views on potential actions to enhance that federal oversight.
6:11 pm
my testimony is primarily based on our january 2019 report on internet privacy as well as prior reports on various privacy issues. as you are aware, the united states does not have a comprehensive internet privacy law governing the collection, use and sale or other disclosure of personal information. in prior work, we found gaps exist in the federal privacy framework which does not fully address changes in technology in the marketplace. at the federal level, ftc currently has the lead in overseeing internet privacy using its statutory authority under section 5d of the ftc act to protect consumers from unfair and deceptive practices. however, to date ftc has not issued regulations for internet privacy other than those protecting financial privacy and the internet privacy of children which were required by law. for ftc act violations, ftc may promulgate regulations
6:12 pm
but is required to use procedures that differ from traditional notice and comment processes and that ftc staff said add time and complexity. stakeholders gao interviewed had varied views on ftc's oversight of internet privacy. most industry stakeholders said they favored ftc's current approach, direct enforcement of its unfair and deceptive practices statutory authority, which they said allows for flexibility. other stakeholders including consumer advocates and most former ftc and fcc commissioners gao interviewed favored having ftc issue regulations. stakeholders identified three areas in which internet privacy oversight can be enhanced. first, through statute. some stakeholders told gao an overarching internet privacy statute could enhance consumer protection by clearly articulating to consumers, and agencies what behaviors are prohibited. second, through rulemaking.
6:13 pm
some stakeholders said regulation can provide clarity, fairness and flexibility. and third, through civil penalty authority. stakeholders said ftc's internet privacy enforcement could be more effective with authority to levy civil penalties for first-time violations. recent data breaches at federal agencies, retailers, hospitals and insurance companies, consumer reporting agencies and other large organizations, highlight the importance of ensuring the security and privacy of personally identifiable information collected and maintained by those entities. such breaches have resulted in the potential compromise of millions of americans' personally identifiable information, which could lead to identity theft and other serious consequences. these recent developments regarding internet privacy and data security suggest that this is an appropriate time for congress to consider comprehensive internet privacy
6:14 pm
legislation. although ftc has been addressing internet privacy through its unfair and deceptive practices authority and ftc and other agencies have been addressing the issue using statutes that target specific industries or consumer segments, the lack of a comprehensive federal privacy statute with specific standards leaves consumers' privacy at risk. in our january 2019 report, we recommended congress consider developing comprehensive legislation on internet privacy that would enhance consumer protections and provide flexibility to address the rapidly evolving internet environment. issues that should be considered include, which agency should oversee internet privacy, what authorities an agency should have for that oversight, including notice and comment rulemaking authority and first-time violation civil penalty authority. and how to balance consumers' need for internet privacy with the industry's ability to provide services and innovate.
6:15 pm
mr. chairman and ranking member, this concludes my prepared statement. i am pleased to respond to any questions you may have. >> thank you for your testimony. mr. gilligan. >> members of the subcommittee, my name is john gilligan and i serve as the chief executive officer of the center for internet security or cis, a nonprofit cyber security organization. in my oral statement this morning i would like to share my perspectives on the logical question that may be asked after this morning's testimony, which is, what can be done to prevent major cybersecurity breaches? i asked myself a similar question in the early 2000s as the chief information officer of the united states air force. after the national security agency's annual penetration analysis found our air force cybersecurity posture inadequate despite the air force spending literally over $1 billion a year on cybersecurity. i went to nsa and asked them where should i start? after consulting the offense
6:16 pm
and defensive experts nsa came back with a prioritized list of the system weaknesses most commonly exploited by attackers. by a large margin, the most common weakness exploited was misconfigured software. that is software that did not have appropriate security settings enabled or software that was not properly patched. as a result of your guidance, i launched an initiative in the air force tweets your security enabled configurations with up-to-date patches for all of our operating systems. based on the positive experience with the air force in identifying less frequent cyber attack patterns and the associated mitigating security controls, the nsa effort was subsequently adopted by the private sector in 2009 and became known as the sans top 20. in 2015 it was transitioned to the center for internet security and became named the critical security controls or just the cis controls. the critical security controls
6:17 pm
represent a set of internationally recognized prioritized actions that form the foundation for basic cyber hygiene and effective cyber defense. the controls are readily updated by a global network of cyber experts. the critical security controls have been assessed as preventing up to 90% of pervasive and dangerous cyber attacks. the controls act as a clear, actionable and free blueprint for system and network operators to improve cyber defense identifying specific actions to be done in a priority order. cis has analyzed data breaches over the past two years and found in each one the root cause of the breach relates to the failure to properly implement one or more of the critical security controls. the equifax breach is no exception. we found there were five of the 20 critical security controls that were not properly implemented by equifax. many organizations are seeing the value of the critical security controls. california, ohio, the republic
6:18 pm
of paraguay, the european standards technical standards organization, adopted the controls as a standard for cybersecurity. airspace industries and the alanna council have also endorsed the critical security controls. as congress considers ways to improve cyber security in the u.s., i offer the following recommendation. i start with the recognition the nist cybersecurity framework points to more detailed documents and best practices for implementation guidance including the critical security controls. while a logical construct, this has unintended consequences. in particular government and private sector organizations who wish to implement the nist cybersecurity framework must select for implementation from among the very comprehensive list of standards, guidelines and best practices that are referenced in the nist
6:19 pm
framework. the same problem is magnified for organizations required to comply with multiple high-level frameworks that are similar to the nist cybersecurity framework. for example, financial organizations are required to certify against the payment card industry or pci, security framework. organizations with international presence are often required to follow the international standards organization or iso cybersecurity framework and so on. while the individual policies and regulations are well intended, they contribute to much confusion and inefficiency in achieving the common goal of effective cyber defense. recognizing that multiple cybersecurity frameworks and duplicative policies have contributed to great confusion, i would recommend that nist be chartered to develop a single cybersecurity implementation guideline that can be used to satisfy the requirements of the nist cybersecurity framework, pci, iso, ieee and similar
6:20 pm
security frameworks. this implementation guideline should provide clear guidance on what constitutes basic cyber hygiene and specify a prioritization for implementation of appropriate controls. i note the united kingdom and australia have done exactly that with the australian signals directorate's essential 8 and the united kingdom's national cybersecurity center's cyber essentials. i offer the center for internet security's critical security controls as a point of departure or model for such an effort. this concludes my remarks and i look forward to your questions. >> thank you and thank you to all three of the witnesses. as we heard this morning, these data breaches have become a fact of doing business. every day. it's a matter of constantly keeping up. it never ends. the best effort we had with the most recent data we have, come from the second or the first
6:21 pm
half of 2018. and that is there were 291 data records compromised every second. 290 records compromised every second. i think that has slowed down. it is probably increased. so it's an ever present danger to consumers, businesses, government, our national security. mr. smith i find your testimony interesting. as has been alluded to today, 50 states have different standards on this. most states have passed their own breach notification laws. in fact i think every state has some sort of breach notification law dumping mr. gilligan? >> i believe that is the case. >> yeah so you know that's good but they vary significantly. from state to state. so let me ask you this mr. smith, what benefit would there be from having a single standard for at the federal level -- for breach notification legislation given this climate of increased technological interconnectedness
6:22 pm
and the number of breaches we are seeing? >> it seems like there would be some benefit to uniformity. i should say though our current commission, the commission as you know is composed of five commissioners. all of them are new within the last year or so. and they have not had an opportunity to testify on whether or not they would support a uniform data breach notification standard. past commissions have supported such a uniform notification standard. >> in your personal capacity this afternoon, now what is your opinion? >> i was injured actually about what cis said was a challenge but it was not necessarily their primary challenge. i worked at the ftc in the early 2000s. at that time california had passed its first in the nation data breach notification standard. we dealt with it during the choicepoint breach, a huge breach at the time. and we started looking at
6:23 pm
whether we should have a uniform standard and in fact the commission i believe testified in favor at that time. those were introduced. 2005 say we need a national standard. every state will enact their own standard. well, every state has. and the sky hasn't fallen. so i feel as though companies have probably figured out how to comply. i do have to say that i do think there's always a benefit to uniformity in terms of ease of compliance. but from what i can tell in the market, companies seem to be able to comply with this multiplicity of standards. >> ease of compliance is one issue. that's something we will hear about from the private sector. they would prefer to know what the standards are and not to perhaps inadvertently not follow a standard that's different state to state. but beyond that you know, it's about protection. it's about the consumer and the government security and so on. so do you think there's some benefit to that? in other words, having a high standard we can therefore ensure we have better security?
6:24 pm
>> one of the critical aspects of any kind of a breach notification standard, is the trigger for notification. i think that one on the earlier panel mentioned there's a 72 hour notice requirement in gdpr. i think there is from the perspective of someone who focuses on consumer protection, i want to get notices that are useful. that are actually and actionable information. the worst thing we have seen in the breaches is piecemeal notification, where a notice goes out and we thought this was breached and you should do this in response. and then another notice goes out. we discovered another as it was breach. >> this adds to the frustration. >> you need to give the company time to investigate. in of they have to investigate quickly picked up in time to investigate and figure out who was affected and what information was compromised and what consumers can do to protect themselves work as
6:25 pm
well as develop systems to respond. the 800 lines, credit monitoring and things like that. so you know, 30 days, 45 days something like that. we have a rule, the ftc has a rule that applies to breaches of certain healthcare information where the standard is as quickly as possible. but in no event longer than 60 days. i don't know if that's the right cat or not. you need to give people a little bit of time to conduct a thorough investigation. >> i don't disagree. i think 60 days is excessive >> could well be per >> given the past nature and the potential for people's information to be compromised. on the administrative procedures act, i know you talked about that in your oral remarks. i think the administrative procedure act rulemaking does give us more flexibility. in other words, as i said earlier, with the previous panel want to respond quickly to her changing threat because evolving.
6:26 pm
unless it was specifically related to rulemaking authority for cybersecurity legislation, it could get out of hand. can you speak to that for a moment. one, do you think rules under the apa are necessary and do you think that will add to flexibility. second, how do you narrow it to make sure it's responsive to the congressional actions we take on this issue? >> the commission has testified in favor of apa dual writ rulemaking for security only. i think what folks imagine would be a bill like several we've seen introduced where congress says, companies, you shall assess risk and develop a plan to keep data safe and maybe provide some of the boundaries for what the program ought to look like. and ftc you shall have rulemaking authority under the administrative procedure act. only for that, to execute that, that law. right? not apa rulemaking authority for everything in the world. what we have right now -- referred to by ms. cackley,
6:27 pm
rulemaking authority under the magnuson moss act which requires us not only to do notices of proposed rulemaking and taking of comments, we have to do advance notices, whipped of hearings, issue interim reports, allow for interim appeals, what that means, if not impossible to do. what it means is that, you know from soup to nuts, a mag-moss rule takes us 10 years. >> the process is considerable. one final point. on the nonprofits, you mentioned and you said private carriers and nonprofits should be under the ftc rubric for this purpose. and you give us a couple of examples about. i think about hospitals where there have been breaches, as an example, where sensitive medical information can be released inadvertently sometimes to hackers. >> so hospitals the issue of
6:28 pm
its medical information, healthcare information and at the hospital, then that will be covered by hipaa. and we work closely with hhs and the office of civil rights to enforce and administer hipaa standards. what we have seen with nonprofit hospitals are breaches of employee data. not covered by hipaa. that's a real challenge. we've also seen breaches at educational institutions. and we have seen breaches at common carriers and there is -- i think a bit of an open question about the federal communications commission's authority, jurisdiction to address those issues. >> thank you. senator carper? >> thank you for that illuminating testimony. i was sitting on the audience and i don't know what you're thinking about that you came to the table prepared. it's very much appreciated. one of the things that is helpful to me is when we have a panel of well-informed, thoughtful witnesses.
6:29 pm
is to see where do you think you agree? where do you think you agree as a panel with respect to what congress should do next? if you get to start us off ms. cackley? >> senator i think where certainly my testimony and mr. smith's testimony were in agreement, was around the need for a legislation and what some of the elements of that legislation could include. which is to say, notice and comment rulemaking authority, civil penalty authorities. those were the things that would best help the ftc or whichever agency congress chooses, to invest with, with this issue -- oversight over this issue -- the necessary tools to be able to get the job done. >> all right thank you.
6:30 pm
mr. smith would you think the three of you agree on what we should be doing next? our to do list if you will? >> well, i mean particularly with respect to the statutory authority for the federal trade commission to make rules in the area of data security, and enforce using civil penalties. and also the expenditure or the expanded jurisdiction. we agree on that. i agree with mr. gilligan from cis about the importance of these useful rubrics like the cis critical security controls to educate businesses and focus attention on things that really matter. for a lot of businesses, i believe or i think that data security is just sort of an insurmountable obstacle. it's beyond anyone's comprehension. these types of rubrics i think help businesses to focus their
6:31 pm
attention the right place. we been the same thing this week with our glba safeguards rule. were we have the rule began life in 2002 and at the time was quite influential. but is very basic. requires companies to have good data security, appoint people to be responsible and the new rule which is somewhat longer, they offer more specifics about encryption and penetration testing. and some of the other best practices. which one provides businesses with an audible standard, provides them with clear information about expectations and also candidly provides us more ability to enforce. >> mr. gilligan would you agree? >> i think there's fundamental agreement it's a complex issue. there are a number of regulatory bodies, federal trade commission the one who have jurisdictions over part of our economy. one of the, the functions that the center for internet
6:32 pm
security provides is what we call, the multistate information sharing and analysis center. we provide under funding from congress and dhs sponsorship, we provide security support for state, local, tribal and territorial governments. included in state, local, tribal and territorial is almost every different domain you might imagine. and they are all struggling dealing with cybersecurity. while i am personally not an expert in data breach reporting, i can say the states and local governments are struggling trying to deal with all of the well intended regulations that i mentioned in my testimony. and so i think some consolidation of that and simplification. and as i suggested, perhaps using something like critical security controls, really the technical foundation. that's where most organization -- that needs to be continuously updated -- that's
6:33 pm
what most organizations need to help focus. and as i said, the breaches that have been discovered, invariably are the result of failure to implement very simple controls in a comprehensive way. >> i asked my staff to put together a handful of tips for consumers, for regular folks, to follow if they become a data breach victim. the short list, not a comprehensive list, one of those is change your password. another would be to contact your bank or your credit card company. third would be to contact a credit reporting bureau. the fourth would be to sign up for credit monitoring. and that's for folks who have become a breach victim. mr. gilligan what would you suggest consumers can do to protect themselves after they become a victim? any tips?
6:34 pm
>> well i think it would be largely parallel to the list you just mentioned. one of the things i would recommend is that all consumers freeze their credit reporting. which is often a vehicle through which the, of their particular information is compromised. i think having good hygiene with regard to passwords, with regard to updates and security software, are also things that all consumers should do on a regular basis. in order to protect themselves. >> mr. smith and ms. cackley? >> i would direct consumers to our website where we have a tremendous amount of information about how to protect yourself. in the event of a data breach both the general information, as well as specific information. for example, we have pages dedicated to identity theft.
6:35 pm
we have a page dealing with connected toys. just a couple of months ago in december 2018, there was a phishing scam where consumers saw a scam from netflix but we don't that specifically because it was an important threat to consumers. we built pages for the marriott breach and the equifax breach that gave specific information for consumers who receive those notices about what they could do to protect themselves. including some of the measures that your staff mentioned. and finally, where consumers believe they may be a victim of identity theft, they need to go to identity which is operated by the ftc. there we have tools, such as the identity theft affidavit you can use, with the credit bureaus to have fraudulent information removed from your credit report.
6:36 pm
as well as, as well as receive other rights under the fair credit reporting act. >> thank you. ms. cackley? >> i would say consumers need to educate themselves. they need to understand what data is potentially available to other, other people. what companies are collecting their data. and how they can set privacy controls potentially or do whatever else they can to keep themselves safe. >> terrific. thank you. you had to wait here for a while to share your thoughts with us. but for us, it was well worth the read. we thank you very much. >> i can't tell you how much we appreciate the testimony and also the ongoing work with us. we have some real expertise here. with regard to the ftc, i think i speak for senator carper, we
6:37 pm
want you to feel responsible. in other words, one of the concerns i've had is, there's so much of this going on, breaches some of which relates to private companies and some as you mentioned earlier, nonprofits. so many people are concerned about whether information is going, even if it's not a business per se he would normally think of as we saw in the earlier panel. even any of these. these websites where you know, you are giving information and that information is given out to other people. folks want to know about it. and so i hope and maybe maybe we can do work on this going forward. that you will feel empowered. to be that one-stop for a consumer. to have a concern, they can go to your website and figure out, look what's going on with the specific issue as we talked about earlier. there's been a breach of the big company and they can find out what information is about
6:38 pm
how they can protect themselves. but also just general information. i assume you feel you have that responsibility already. but we want to be sure whatever legislation we do squarely puts that responsibility frankly and accountability on the ftc. any thoughts on that? >> well we are the country's only general jurisdiction consumer protection agency. so of course we have a lot of consumer protection agencies. that fda or the securities and exchange commission or the banking agencies. we are the only one who take a general view to the whole marketplace. and we believe that we are the best equipped to address -- should congress pass legislation with respect to data security, we believe we are the agency best equipped to enforce and administer that statute. not only because of our more than 20 years experience with privacy and data security, in
6:39 pm
fact if you look at the fair credit reporting act, that statute has been around since 1970. we've been in charge of enforcing and administering it. but also just our general know-how with respect to how to protect consumers. and our focus on consumer harm. whether it's deceptive practices or unfair practices. and we have the goods to show for it. right? we brought 60 cases plus in the data security area. and the same in the privacy area. and finally i would say, i think we unlike an agency that has specific jurisdiction, i think we are less susceptible to capture. you look at the more than 100 year history of the ftc we have proven remarkably immune to that. and i would worry about a special agency to deal with privacy in terms of the potential for regulatory capture. >> well again, i think that is consistent with where we would like to go with legislation. just to affirm that and make sure there's a clear line of
6:40 pm
responsibility. my final question is about ohio of course. and it's to mr. gilligan because he mentioned ohio in his list of states and countries that have in place some kind of an internet security control system. we have recently in ohio, established are center for internet security controls, as a standard for cyber defense after passing the ohio data protection act. could you discuss briefly the role of the cis controls within the ohio data protection act and how legislation of this kind can incentivize companies to implement some of these baseline cyber controls we talked about today? >> thank you senator. the ohio legislation, is, is one of the groundbreaking legislations in that it for the first time provides specific guidance with regard to expectations for cyber security. as you mentioned, it does
6:41 pm
reference a couple of the federal guidelines. sort references several nist documents. critical security controls is really one that provides specific implementation guidance. so we believe that's the type of guidance that is required, as you know, the ohio legislation is voluntary. the intent of it is really to provide positive incentives. to those doing business within ohio, to improve their status of cyber security. and we think that's sort of the right way to go. to provide a clear definition of what are the expectations. encourage through positive rewards. organizations to comply with those, those best practices. and to serve as an example for industry as well. >> thank you mr. gaul mr. carper? >> i just want to thank a
6:42 pm
couple of members of staff by name. and surf for the records names of other folks who worked on the spec we've been at this for a while and some people have come and gone. i want to add those names for the record. majority staff andy gottman, patrick warrant for their hard work and the others i know as well. minority staff i want to thank a rotor bareness and john holdridge. the law clerks, kaelin burnett helps prepare for this hearing. and we have a number of folks former staff, former law clerks who have gone into other pursuits. we are grateful and i want to enter those names for the record. as well as the people and the folks who help us. >> thank you senator carper. thank the witnesses for their testimony this morning panels.
6:43 pm
we are very informative. and i also want to thank the staff senator carper for leading on this important issue of protecting consumer information. that's a rework >> reporter: it's a nonpartisan approach. my staff also deserves recognition for doing a great job and working a think with the witnesses and others. to make sure this is a thorough investigation. as with other investigations we will look at investigation. i look forward to hearing from senator carper. the hearing record will remain open for additional comments or questions by subcommittee members. with that, this hearing is adjourned.
6:44 pm
6:45 pm
6:46 pm
>> there's no apparent loss to the commercial use it appears to me at least this is a government and does not some
6:47 pm
crime significant of criminals. >> is it china? >> evidence suggested that's where it's coming from. >> there's work for all of us today. the companies themselves, the private sector, they have financial incentives. the customer protection has worked for commerce city. we've passed a lot of legislation. we need to do comprehensive oversight hearings to find out what is working and what is not the responsibility of the federal trade commission, the fbi, department of homeland security. are we working together? and so forth one of the reasons why i decided three years ago father was a drop in hacks by the chinese and iranians was because we started working with them in a more collaborative way. and that has gone up in smoke
6:48 pm
in the last couple of years. we are seeing a simultaneous rise in the attacks going on. and from china. >> the develop >> i introduced my first bill on notification basically three things, companies have a responsibility to protect sensitive information. number two when there's a breach, and needs to be in be the best. and three folks have to be notified. and they are risk for we had another piece of legislation essentially said they have 50 states passing their own and we need a national standard international direction. my hope is one of the things that will flow from this hearing is that we will actually do now that common ground. we have a lot of different jurisdictions and federal agencies. making sure they are on the same page perks from you in senator porter and anybody else is working on this? >> i think bellows has worked
6:49 pm
for me for a number of years. you have senator boone, on the commerce committee. now we have the senior democrat on the commerce committee maria cantwell who knows a thing or two. was in the senate her more knowledgeable about these issues than some of them have been here for a long time. this is a good time. to take stock for senator portman to provide as much as we can to get the job done.'s from the data privacy bill? >> there's a bunch of bills that have been introduced. a number of things have been interacted over the last six or seven years. we need to find out what's right and what's not. and in terms of notification, breach certification, the focus on prevention. focus on employment. people from they have been breached have been notified. we need to do that and do it
6:50 pm
right. legis 50 states doing their own thing. we need a common sense federal standard to get the job done. thank you. >> thank you.