Skip to main content

tv   Senate Homeland Subcommittee Hearing on Data Breaches  CSPAN  March 11, 2019 3:23am-5:59am EDT

3:23 am
for the creation of a national news media and a national financial system. >> watch "the communicators," tonight on c-span two. now, the ceos of equifax and marriott international testify before the senate homeland security subcommittee about recent data breaches at their companies. this runs to add a half hours. -- two and a half hours. >> the hearing will come to order. it seems no industry is immune to data breaches. some of the biggest breaches we have seen recently include google, uber, facebook. government agencies have not been immune from this. they have also suffered
3:24 am
significant breaches including over 20 million security clearance files, background files held by the office of personnel management, locating network vulnerabilities that hackers can exploit to gain access to sensitive information is a key issue. actually, senator hassan and i have worked on this with some specific legislation. she's here this morning. earlier this year, the president signed our hack dhs act, as an example, into law, which will strengthen dhs's cyber security, using whitehat hackers to locate previously unknown vulnerabilities in the department's systems. last night, senator carper and i released a report on how the equifax data breach occurred and how hackers were able to steal personal and financial data from over 145 million americans. that report documents how equifax failed to follow basic cyber security practices and protocols which prevented the company from identifying and
3:25 am
patching an exploitable vulnerability on its system. during the course fof our investigation, the company failed to preserve important documents related to the breach. equifax employees told us they frequently used a chat application called microsoft link. when equifax discovered the breach on july 29, 2017, the security team used the chat plat the system ins the company's response. our report uncovered equifax did not issue a notice not to destroy documents related to the breach until august 22, 2017, and failed to set the chat platform to archive any of these chats until september, a month and a half after the breach was discovered, again, back on july 29th. prior to september 15, equifax was not archiving any link chats based on its own document retention policy. counsel for equifax told the subcommittee they could not find any of the chats equifax employees told us about documenting the discovery of the breach.
3:26 am
as a result, the subcommittee is left with an uncomplete record. so are the american people. after discovering the breach, equifax waited six weeks to disclose to the public on september 7th, 2017, that hackers had compromised its collection of personal and financial information, again, on over 145 million americans. adding to this delay, the hackers had access to the information since may 13, 2017, 3 months before they were discovered. equifax chief executive officer, mark begor, is here today to discuss the report's finding. we're going to hear from arne sorensen, marriott's chief executive officer on the data breach his company occurred in july 2014. this was not the first time starwood suffered a data breach. in november 2015, starwood announced it had discovered malware on some systems at
3:27 am
hotels designed to steal credit card information at the point of sale. at the time, starwood stated that it did not affect the guest registration database. in november 2018, marriott announced it had discovered a hacker that had accessed the starwood guest reservation database. marriott's investigation determined that the hacker had access to guest information related to 383 million guest records since 2014. as part of that database, the hackers also gained access to over 23 million passport numbers and credit card numbers, most of 9.1 million which were expired. marriott learned of the breach on september 8, 2018, but waited almost 12 weeks to notify the public on november 30, 2018. the goal of today's hearing and the subcommittee's report is to fully understand these breaches, but also to focus on the future. to focus on solutions. companies and government agencies alike must take steps to better protect the data con sumers in trust to them. that is clear.
3:28 am
and when that data is compromised, we need to know as soon as possible so we can do everything we can to ensure criminals are no longer taking advantage of us as consumers. that seems clear. so i look forward to working with my ranking member, senator carper, and others on this committee, including the chairman, senator hassan, and ensuring that we can move forward with legislation that ensures both the protection of consumer data and prompt notification when data is compromised. i also want to thank senator carper and his staff for their dedication to these issues, and to him and his staff for leading this investigation. with that, i turn to senator carper for his opening statement. senator carper: thanks, mr. chairman. thanks to both of our witnesses this morning for joining us. i want to take a moment to say a special thanks to members of the minority staff, the majority staff, who worked hard for months to prepare us for this day. according to a 2017 study by the pew research center, the vast majority of americans have personally experienced a major data breach.
3:29 am
my guess is most of us in this room on this side of the panel are among them. about half of our country believe their personal information is less secure than it was five years ago. our subcommittee initiated investigation into the causes of private sector data breaches shortly after equifax announced its breach in the fall of 2017. as we conducted our work, a seemingly endless stream of new, high-profile incidents were announced. one after the other, well-known companies including google, facebook, t-mobile, orbitz, sachs fifth avenue, under armour, eventually marriott, announced that they too had suffered breaches. we thank you for your appearance today and for your help in better understanding how these private sector data breaches occur and what can be done to prevent them including steps that we can take. while my colleagues and i will
3:30 am
have some tough questions for you, our goal is to, our goal here is to ensure the mistakes in the oversights that contributed to the attacks your company suffered are well understood, so that other american businesses are less likely to fall victim to hackers. when hackers are able to obtain someone's personal information, the consequences are real. 2017 pew study i referred to found that more than 40% of the individuals polled had discovered fraudulent charges on their credit cards. others reported that someone had attempted to take out loans in their name, file tax returns in their name, or steal their identity. several of those things had happened to my own family, and i suspect to the families of many of us in this room. even when a breach victim is fortunate enough to avoid becoming a victim of crimes like these, they often deal with months or even years of hassle and worry as they swap out
3:31 am
compromised credit and debit cards, change their online passwords, and monitor their bank accounts and credit reports for suspicious activities. given the vast amount of information collected on consumers these days, and the skill and relentlessness of the hackers seeking to steal that information, it is critical that businesses make cyber security a priority. at the very top level of a company. the board, the ceos, as well, the constant stream of data breach notifications we see year in and year out is a sign to me that we could and should be doing a lot better. as my colleagues have heard me say many times, everything i do, i know i can do better. the same is true of all of us. in this one particular area, we need as a country to do a whole lot better and it's a shared responsibility. equifax and its two main competitors, transunion and experian, have built their
3:32 am
business models around the collection and dissemination of consumers' most sensitive financial information. that includes names, nicknames, dates of birth, social security numbers, telephone numbers, current and former address, account balances and payment histories. this data collection is not something consumers can opt out of. credit reporting agencies collect personal information without our knowledge or our explicit authorization. someone shops regularly at a retail chain that gets hacked, that person could opt not to shop there any longer if doing so makes them uncomfortable. they cannot, however, keep their information away from equifax. knowing this, you'd think that
3:33 am
protecting the sensitive information its entire business relies on would be equifax's top priority. yet, information obtained by this subcommittee and including in a bipartisan report released last night, illustrates a years-long neglect of basic cyber security practices and a decision by company officials to prioritize the case of doing business over security. in 2015, equifax officials learned through internal audit that the company's i.t. systems were riddled with thousands of unpatched vulnerabilityies, hundreds of them deemed critical or high risks. they also learned that the company lacked mature inventory of its i.t. assets, making it more difficult to address problems as they arose. by the time the department of homeland security announced in march of 2017 that versions of the widely used web application software, apachestruts, included a serious security flaw. equifax has still not properly responded to its 2015 audit findings or brought its cyber security practices in line with industry standards. despite being informed that the
3:34 am
announced flaw in apache was extremely dangerous and easy to exploit, equifax officials appear to have approached the challenge it presented with no sense of urgency whatsoever. scans at the company's networks failed to find the vulnerable version of apachestruts it was using and key staff were in position to make the necessary security enhancements were left off internal communications. vulnerability was discussed at regular security meetings held in march and april of 2017, but it's not clear who attended those meetings. senior managers interviewed by the subcommittee were nominally in charge of i.t. management and cyber security of equifax. they told subcommittee staff that they did not regularly attend the meetings, themselves. former top equifax officials were interviewed were very frank about the priority they place on cyber security.
3:35 am
one key former security official told our subcommittee staff that, security wasn't first at equifax and that is an understatement. the company's former chief information officer was extremely dismissive of the importance of key security processes during his interview saying that he considered the patching of security plays to be a, lower-level responsibility that was six levels down from him. there's no evidence that these two individuals or any other top executives at equifax directed
3:36 am
staff to take steps to update the company's i.t. asset inventory and conduct a more thorough search for the vulnerable apachestruts software. this lack of initiative would be bad enough on its own, but equifax also left itself blind to incoming attacks by allowing the tools it needed to monitor for malicious web traffic to expire. so when hackers moved in may of 2017 to attack equifax through a version of apachestruts, still in use on the company's websites, nobody saw them coming. what's more, nobody discovered them until july, 78 days after the hackers first gained entry. during the 78 days the hackers had been inside of equifax's i.t. network, they accused, they accessed, rather, multiple data repositories containing information on more than 145 million people and probably half the people in this room are among them. there are tools available that could have been sent alerts to equifax staff as the hackers manipulated the information in the databases, but equifax had not installed them.
3:37 am
once equifax found the hackers at the end of july 2017, equifax executives waited an additional six weeks before letting the public know what had happened. six weeks. so because equifax was unaware of all the assets it owned, unable to patch the apachestruts vulnerability, and unable to detect attacks on key portions of its network, consumers were left unaware for months that criminals had obtained their most sensitive personal and financial information. consumers were also unaware that they should take steps to protect themselves from fraud. and importantly, these failures stand in stark contrast to the experiences of transunion and experian, which both quickly identified and addressed the
3:38 am
same apachestruts vulnerability and have not announced data breaches. i have a friend, you ask him how he's doing, he says, compared to what? and i think the obvious question here is, for equifax, compared to transunion and experian. the data breach announced by marriott this past november doesn't appear to have been caused by the kind of cultural indifference to cyber security the record indicates has existed at equifax. rather, it looks like marriott inherited this attack through its acquisition of starwood. with the sides of this breach up to 500 million people were reported to have been affected at one point, requires that we take a close look and learn what happened and why. i have questions about marriott's data retention policies. for example, i understand why a hotel chain might collect
3:39 am
passport information in some cases, but i don't know why it would need to maintain records of millions of guests' passport numbers as appears to have occurred in this case. this incident also raises questions about the degree to which cyber security concerns do and should play a role in merger and acquisition decisions. and starwood, marriott acquired a company that it knew had serious cyber security challenges, and it had actually been attacked before. despite this, marriott chose to initially leave starwood's security system in place after acquiring the company. we need to learn more about the priority that marriott executives chose to place on addressing security flaws at starwood as it worked to integrate its system into its own. what we do know today is that large-scale data breaches are not gong to stop. we can't afford to shrug our shoulders and write them off as a cost of doing business. approaching cyber security challenges with this frame of mind, and real harm that can occur both to consumers' pocketbooks and to the companies' bottom lines. here in congress, i think it's long past time for us to come to agreement on a federal data security law that lays out for private industry what we expect from them both in data protection, in data breach notification. we also need to ensure that the system we established for
3:40 am
sharing information and cyber threats and cyber security best practices is as effective as it can be. and is updated over time. if a company is as large and sophisticated as equifax can fail so badly at implementing basic cyber security practices, we can certainly do a better job making clear what will and won't work when it comes to blocking hackers and preventing data
3:41 am
breaches. my thanks again, mr. chairman, for the work that you and your staff, my staff, putting this complex and important issue, we look forward to hearing from our witnesses today. again, thank you for joining us. >> thank you, senator carper. i'd like to call the first panel of witnesses. first, we have mark begor who is the chief executive officer of equifax. he served in that capacity since april 2018.
3:42 am
again, as we just heard, the equifax breach occurred was discovered in july of 2017. second, arne sorenson is here, president and chief executive officer of marriott international inc. he's held that position since 2012. again, as we just heard, marriott acquired starwood in 2016. the breach occurred at starwood in 2014 and was discovered in 2018. we're also going to swear in someone else this morning, the current chief information security officer at equifax. it was requested should mr. begor need some special expertise, technical assistance. so i'm going to ask you to raise your hand as well. it's a custom of the subcommittee to swear in all of our witnesses. so at this time, i'd ask you all to please stand and raise your right hand. please repeat after me. do you swear the testimony you will give, i'm sorry, just respond to this. do you swear the testimony you will give before the subcommittee will be the truth, the whole truth, and nothing but the truth so help you god?
3:43 am
let the report reflect the witnesses all 3 answered in the affirmative. gentlemen gentlemen, all your written testimony will be written in the record. i ask you try to limit your oral testimony to five minutes. mr. begor, we'll hear from you first. >> chairman portman, ranking member carper, and distinguished members of the subcommittee, thank you for the opportunity to be here today. i'm mark begor, chief executive officer of equifax. with me today is jamil farsey, our chief information security officer. let me begin by expressing my personal regret for the disruption that our 2017 cyber attack had on millions of americans. cyber crime is one of the greatest threats facing our country today. u.s. corporations are continual continually fighting criminals that operate outside the rule of law and attempt to steal data for their own gain. these attacks are no longer a hacker in the basement attempting to penetrate a company's security perimeter, but instead, are carried out by increasingly sophisticated criminal rings and even more challenging nation states that are well funded or the military arms of nation states. these attacks on u.s. businesses are attacks on u.s. consumers and are attacks on america. this war is getting more challenging and more
3:44 am
sophisticated and there's no end in sight. fighting these attackers will require cooperation between government, law enforcement, and the private sector. we appreciate that members of this subcommittee have introduced legislation that promotes this type of partnership and we support these efforts. the fact that equifax suffered a data breach does not mean the company did not have appropriate data security program or that the company fail to takeed to take cyber security seriously. i understand that before the attack, the company's security program was well funded and staffed and leveraged strong administrative and technical safeguards. in april 2018, when i joined equifax, i made a personal commitment. internally and externally, to building a culture within equifax where security is part of or dna and committed that equifax would be an industry leader around data security. i'm proud of the leadership, cultural enhancements, and investments that equifax has made over the past 18 months. we've added experienced senior leaders and board members to enhance our security and
3:45 am
technology skill sets. and in 2018, alone, we added close to 1,000 incremental security and i.t. professionals to our team. between 2018 and 2020, we are increasing our technology and security spending by 50%. totaling an incremental $1.25 billion. we recognize that being an industry leader means actively sharing our security learnings and best practices. we have been openly sharing all of our cyber learnings with our customers, our competitors, entheen the the u.s. government and the rest of the private sector. last year, we established a number of meaningful security partnerships that will help raise the entire security community by leveraging our joint learnings. in addition to the goal of being a leader in data security, equifax has been working diligently to support u.s. consumers. when equifax announced the cyber attack, its response was guided by a desire to focus on helping and supporting consumers first. since the 2017 incident, equifax has invested more than $80 million to assist impacted consumers. when we announced the incident, we offered an identity theft and credit monitoring service free for all americans regardless if they were impacted by the cyber
3:46 am
incident. last november when that service was nearing its end, equifax voluntarily extended that protection for another year. going forward, we are investing over $50 million to make it easier for consumers to interact with us. both over the internet and in our call centers.
3:47 am
we want to make sure we are a consumer-friendly credit bureau at every step of the way. to close, i'd like to thank chairman portman for holding this hearing. equifax is committed to our commission to become an industry leader in data security, and we are investing unprecedented resources in technology, security, and people. thank you, again, for the opportunity to testify and for your focus on protecting american businesses and consumers from cyber attacks. >> thank you, mr. begor. mr. sorenson, i want to hear from you. chairman portman, ranking member carper and members of the subcommittee, thank you for the opportunity to testify today.
3:48 am
the subject of the subcommittee is tackling private sector cyber attacks is an increasingly urgent one. one that has hit marriott directly with the data security incident we announced on november 30, 2018. we deeply regret this incident and are committed to determining how it occurred, supporting our affected guests, and enhancing security measures to protect against future attacks. for 91 years, marriott has been in the business of serving people. we began as a small family business in washington, d.c., serving hamburgers and root beer at hotshops. today we're a global hospitality company conducting operations in all 50 of the united states and
3:49 am
130 countries and territories. throughout that time, we have built our reputation by putting people first and focusing on the care of our guests. as a company that prides itself on taking care of people, we recognize the gravity of this criminal attack on the starwood guest reservation database and our responsibility for protecting data concerning our guests. to all of our guests, i sincerely apologize. we are working hard every day to rebuild your confidence in us. because this incident involved a starwood dabts, tabase, let me provide background on the merger of marriott with starwood. signed a merger agreement with starwood in november 2015 and quloez closed the transaction in between september 2016. we conducted an assessment on integrating the two systems although this inquiry was legally and practically limited by the fact that until the merger closed, starwood remained a direct competitor. we made the decision to retain marriott's reservations system as the central system for the combined group of hotels and to retire starwood's system. migrating all of starwood's 1, 1,270 hotels onto marriott's system, while avoiding disruption of the reservation process, was a significant undertaking that took us about two years. we made additional investments to enhance security of the system while it was operating.
3:50 am
following discovery of the incident, we accelerated retirement of starwood's reservation system and as of december 18, 2018, are no longer using the starwood guest reservation database to conduct business or operations. until our investigation of the incident announced on november 30, we were unaware that thestarwood guest reservation database had been infiltrated by an attacker. our investigation was initiated following an alert on september 7, 2018, from a cyber security tool. in response, our i.t. team swiftly implemented containment measures. we retained industry experts to conduct a forensic investigation and deploy additional defenses. unraveling the scope of the attack required extensive forensic work by experts. we also contacted the fbi, which continues its investigation. as our investigation unfolded, we learned the intruder had been in the starwood system since 2014. on november 19 of 2018, wedetermined that the intruder had accessed files containing personal information of guests who had made reservations at starwood properties.
3:51 am
we believe that the upper limit for the total number of guest recordeds involved in this incident is approximately 383 million. what do we mean by guest records? take my name for an example, which is in the database multiple times with variations such as arne sorenson. arne m. sorenson. arne morris sorenson. other times with my home address, other times with my business address, and again without any address. each entry represents a separate record even though they all relate to one person. we cannot confidently determine whether records with similar names or even identical names represent one person or multiple
3:52 am
people, but we know that the information for fewer than 383 million unique people was involved. in the days immediately after november 19, we worked quickly to make sure that we could share useful information with our guests. on november 30, we provided broad public notice of the incident via press release and notification banners across marriott and starwood websites and apps. we stood up a website with consumer information in multiple languages as well as call centers to answer questions and offered guests free web monitoring services among other steps. in assessing the impact of this event, you should know that starwood did not keep guests' social security numbers and the overwhelming majority of payment card information was encrypted. to date, we have not found data removeded from the starwood database on the internet or dark web which we continue to monitor. finally, we know this is a race that has no finish line. cyber attacks are a pervasive threat. we are committed to responding to these evolving threats with a layered defense approach and continuous improvement. our founder, jay willard marriott, was fond of saying success is never final. we're applying the critical review process to learn from the incident as we work diligently to regain the level of trusts that our guests have come to expect from us over the years. thank you, and i welcome your questions.
3:53 am
>> i thank both the witnesses for their statements and i think they make a good point that this is a matter that requires cooperation between government and the private sector at every level. i'm going to delay my questioning until we have a chance to be sure that our two colleagues who i know have other commitments have a chance to ask theirs. so for this first record, i will be coming back and asking some questions. i want to give them a chance first before they have to leave. and i now turn to my ranking member, senator carper. senator hassan, if you have other obligations, go ahead, ask your questions. all right. thanks. again, thank you. as, again, used to say, people may not remember what you say, but they may not remember what you do, but they'll remember how you made them feel. maya angelou.
3:54 am
i say to my kids who are now grown, the 3 post important words are please and thank you , and the others that mean a lot are "i'm sorry. " especially when we screw up, and especially with respect to equifax. the amount of screw-up is just almost unbelievable. equifax has known since 2015 its approach to cyber security was lacking, and among other issues , equifax learned that during an internal audit that was conducted that year, that the company had left a number of critical and high-risk security flaws unpatched. the company also learned it lacked a comprehensive i.t.
3:55 am
asset inventory meaning it would be difficult to address new security issues as they were brought to the company's attention. when the department of homeland security informed the public about a major security risk, in certain versions of apaches truts, apparently very commonly used piece of software, it also told the public that the vulnerability was easy to exploit. knowing all of that, equifax relied on the same flawed policies and procedures which ultimately failed to identify the presence of the vulnerable versions of apachestruts. equifax circulated a notice about the vulnerable to an
3:56 am
e-mail list that did not include application owners. the issues on the agenda of two meetings that seennior leaders that senior leaders -- senior leaders failed to attend regularly and conducted repeated scans that failed to identify the vulnerability which allowed hackers to access the online dispute portal. mr. begor, if equifax knew that it lacked a mature inventory of its i.t. assets, why didn't senior i.t. and security officials staff, do more to , improve the inventory before the 2017 data breach? specifically, why did equifax fail to conduct a follow-up audit after the 2015 review to determine whether the company had made progress in addressing its patch management issues? >> ranking member, i think as you know, i joined in april 2018 in the first few weeks of joining equifax. i went into great detail about, you know, the forensics on what caused the breach, what our routines and processes were in place at the time, and as i stated in my testimony, you know, there were controls in place that clearly weren't strong enough. you know, we've taken great steps since then. we've doubled the size of our security team. i talked in my testimony a few minutes ago about our increased spending on data and security and our approach to making security central to the dna of the company.
3:57 am
we also changed the incentives in the company. we're very unique, i think, in corporate america, in our bonus system, which of the top 3,900 out of 11,000 employees participate in an annual bonus, 25% of that bonus is tied to cyber security. and that went in place in 2018. it's continuing in 2019. it will continue going forward. ranking member, that incentive is only punitive. meaning if we don't make progress on our security improvements, if we don't take our security forward, you can only reduce the individuals' bonus including mine. so there is real buying in and making security part of our dna , it is quite critical. i'll also say, i think mr. sorenson said the same thing, this won't end. meaning you can never be good enough in the the investments and spending will continue. as i pointed out, we've
3:58 am
increased our technology and security spending in '18, '19 and '20 by 50%. so security is a top priority at equifax, it's a top priority of mine and the board and the leadership team and the whole organization going forward. >> i spent a lot of years in my life in the navy. retired navy captain and vietnam veteran. we have a standard in the navy and a process in the navy that says if the captain of the ship is asleep in his or her ward room in the middle of the night and the ship runs aground, the captain of the ship is held responsible. has that happened in this case? >> in my view, senator, it has. you know, i think you know the prior ceo is no longer with the company. the prior cto is no longer with the company. the prior cisso is no longer with the company. if you look at our technology and security organization, we've
3:59 am
upgraded really strong talent in probably two-thirds of both of those organizations. and as i talked about, you know, we've added significant resources. a thousand incremental people. we have 10,000 people globally at the beginning of last year. at the end of last year, 1100, and those were all in security and technology. so there was a lot of accountability. again, i wasn't there, but there is a new team at equifax that takes security intensely seriously. >> equifax's competitors which have the same extremely sensitive data on american consumers as equifax, operated with a stronger sense of urgency. once they learned about the apache struts vulnerability. and as you assume the leadership of this organization, you must have wondered why, if they're doing this, why didn't we at equifax? we have asked about what you have done. i explained a bit about what you've done to change the culture of our company around cybersecurity.
4:00 am
if you are advising other companies, whether they happen to be companies that deal in the business you have your business model, what advice would you have for those other companies today? >> first is, it's a war. and i think the, mr. sorenson said the same thing. i think this committee understands that. that these criminals, other actors attacking u.s. companies are increasingly sophisticated. we get attacked multiple times per day. actually, the system i have now, i get an alert on my phone from my chief security officer and his team when there's an attempted attack on equifax. point one is, it's not going to go away. point two is, we really applaud the committee's focus on sharing best practices. and i think as the senator may know, that's challenging sometimes for a company that goes through a data security breach to be open about actually having it. and these forms i think are critically important. when i joined equifax in april,
4:01 am
my first call was to my two competitors. and what i told both of them was there's no trade secrets around data security. this is a war we face as an industry. it's a war we face for american companies as you pointed out, for the government. and it's one that's not going to end, and we applaud the idea of sharing actively what we're learning from each other. what are those ip address that are known bad actors? if one company knows it, let's make sure the next company knows it and share those so we can build our defenses up because it is increasingly sophisticated and challenging. >> i'll close this round with this thought. the constitution of our country was first ratified in delaware, december 7 1787. we ratified before anyone else had. the very beginning of the constitution starts with these words in the preamble. " we the people of the united states, in order to form a more union."
4:02 am
it doesn't say "to afford a perfect union." "a more perfect union." our goal in this realm has to be perfection. knowing we'll never get there, but we need to strive for that, thank you. chairman senator hassan. :sen. hassan: on thank you, mr. chair, and thank you ranking member carper for your bipartisan leadership of this committee. and thank you to both of our witnesses for being here today. let me start with a couple of questions, mr. begor, to you. you said in your testimony that you believe despite some errors, equifax took cybersecurity very seriously even before the 2017 breach. i know that the 2017 breach occurred before your time at the helm of the company, but the facts presented in the subcommittee's report make clear that the company's pre-breach security practices were really not in keep with serious cybersecurity practice.
4:03 am
the report shows that equifax had forgotten to update a security certificate known as an ssl certificate, that encrypted data transfers between equifax's customers and website. when equifax developers attempted to install new certificates, they realized that some of the old ones had expired as much as eight months earlier. that failure led to the exploitation, as you've acknowledged, of millions of americans' data by what appears to be chinese hackers. equifax should have routinely audited its ssl certificates to make sure they hadn't expired since these certificates can only protect user data when they're current. so let me just ask you a few questions. when equifax sought to upgrade its ssl certificates on july 29, 2017, how many expired
4:04 am
certificates did your team come across, and how many of the certificates had been expired by more than a day? begor: senator, i don't have that information of economy. if you'd like me to, i could ask my chief security officer if he could help with that question. hassan: that would be terrific. >> good morning. sen. hassan: good morning. >> unfortunately, i also was not at equifax during the time of this incident, and so i don't have that information with me right at this moment, but i'm theep go back to the team and, sen. hassan: does the company have that information? >> i believe we do, us. sen. hassan: and do you know if any of these certificates had been expired for more than 8 months? >> unfortunately, because i wasn't there, i don't have the specifics on the certificates exactly. sen. hassan: i would expect that even though you weren't there that you would know this or have access to it because it seems to
4:05 am
me that is the type of investigation and understanding that you would want to develop moving forward. >> senator, if i could just add. as you might imagine, we have a much different process today, much more robust. we know exactly which certificates are expired, which ones are critical. they're risk rated. we also do automatic scanning. it's a protocol that would be quite normal in today's environment. and we're always, we're continually investing in new technologies to make sure we stay in front of that and are very rapid around addressing those. sen. hassan: so you are routinely auditing your ssl certificates now? .> yes sen. hassan: i'm seeing nodding, too. ok. and you are making sure that they are current and they're not in danger of imminently expiring? >> that's correct. sen. hassan: ok. would you support a law that would require companies like equifax that deal with millions of americans' personal identifiable information to adhere to clear cybersecurity standards and practices such as auditing your security certificates on a continuous
4:06 am
basis, established and enforced through your regulator? >> first, senator, i agree that equifax is in a unique situation with the data we hold versus most companies. we understand that and take that quite seriously. with regards to all of the elements you talked about, those are standard protocols for us today and things we're following as a company. really the highest standards of data security. with regards to legislation, you know, we'd be happy to work with your office and understand what's the right legislation to move forward, but we're doing things you talked about. sen. hassan: i understand you're doing things but you're doing things after a major breach and what i want to make sure is that americans whose information is in custody of an entity they may not know anything about don't have to wait for there to be a breach before companies start doing what they should responsibly do. we are, we have all discussed this is an ongoing threat. it's been an ongoing threat for a while. and we need to make sure that there are standards in place just the way we have safety standards in many other industries. let me move on just to another aspect to this.
4:07 am
it appears in the psi report that one of equifax's biggest weaknesses was that the company's policy made individual developers responsible for identifying and patching vulnerabilities in the software they used, rather than relying on a full company effort to address any vulnerabilities. and as senator carper mentioned, unfortunately when dhs alerted equifax to an urgent and critical vulnerability in a piece of software called apache struts, the single developer who was using the software was not notified by his superiors about dhs' urgent message about those vulnerabilities. as a result, that developer was unaware of a critical vulnerability that eventually was exploited by hackers. you mentioned in your testimony that human error was certainly part of the problems that led to the breach. we've all acknowledged that up here, too. however, human error happens at every level of government and every level at the private
4:08 am
sector. so it's incumbent upon security professionals and leaders of any security system, government or private sector, to build in extensive redundancies to mitigate against inevitable human errors. so it appears that prior to the breach, equifax had not build in -- had not built in those redundancies and as a result, human error became a single point of failure in a critical cyberattack. what redundancies has equifax built in to its system to ensure human errors never lead to this kind of breach? >> senator, we agree that a single point of failure is one too many, which is where we have a number of redundancies. i'd ask my chief security officer to talk in more detail? >> i'd be happy to. yes, one of the key tenets of our program is assurance. we want to make sure we have as many layers of security as absolutely possible because we
4:09 am
know that any given control may fail or may be bypassed from a sophisticated attacker. as it relates to patching, we have updated all of our processes. we've implemented automated tools to be able to help reduce the reliance on human error. we've established patch champions, individuals specifically accountable for the implementation of these patches across the entire enterprise. and then an automated tracking system as well to be able to continue to track and manage these. i would mention one other one on the back end. we continuously scan our environment. so we, again, don't just rely on one system, one process, one individual. we have a belt and suspenders approach across the entire program. sen. hassan: thank you. that's helpful. and i appreciate your indulgence, mr. chair. mr. sorenson, i had a question for marriott. i'll submit it for the record. i want us to think about what standards companies should have when they merge that might help us make sure that we're getting to problems before they are breached. thank you.
4:10 am
>> thank you, senator hassan, we will continue to work with you on these issues you raised today and others. i'm going to reclaim some of my time now. i'll be back with more to follow up on the points that senator hassan made. she talked about updating certificates on the website. she talked about building in redundancies. again, mr. begor, you, in your testimony, were pretty confident that they were doing the right things by saying that the program also leveraged strong administrative and technical safeguards, and subject to regular ongoing review through external and internal assessments. and there is a third concern that i have that i think we need to raise this morning and be sure that we're aware of a lack of follow-up, really, to an audit that was done. there was a 2015 audit of the security of your system. it found over 8500 known critical, high or medium vulnerabilities on equifax
4:11 am
systems. so here's an audit discovered these vulnerabilities. these vulnerabilities had not been patched when the breach occurred. and many were over 90 days old. a copy of that audit is there with you on the witness table. i've had it for you all to look at this morning. i'm going to ask that that 2015 audit be made part of the record , without objection. so my question for you is, how does a company that at that time as you indicated placed a high priority on cybersecurity allow 8500 vulnerabilities to exist unpatched on its systems in and, of course, my follow up, since you've become ceo, and you've stepped in and aggressively tried to address these issues, have you addressed these patching vulnerabilities on equifax's systems? how could that have happened, and then what has been done?
4:12 am
mr. begor: thank you, senator. as you point out, i was in there. -- i wasn't there. i spent quite a bit of time looking at the past. i'm a big believer that we want to learn from mistakes and learn from things that weren't going as well as they could be. and i've tried to be quite clear and i will be clear right now that there's no question what we did in the past we can do a lot better today and tomorrow and we already have. we've made massive changes in our security protocols, our infrastructure, the involvement of the organization. as i mentioned earlier, we brought in really top talent. it starts with people leading these organizations. i think the senator may know that the cso reports directly to me and has a line into the board to our technology committee, which is a best practice in many companies. and we've, you know, added, doubled the size of his team.
4:13 am
with regards to your specific question around audits and patch management, we've doubled the size of our audit team and as a new element, we've added i.t. or cyberexperts as a part of our internal audit team. historically, those were just financial resources. now we have experienced technologyists or security people in our independent audit team doing some of that work. and with regards to follow-up of audits, sen. portman: hold there for a second. so when you look back at the 8500 vulnerabilities that were reported through that audit, what happened? why were those vulnerabilities not patched? what was the issue? mr. begor: senator, you know as , you may imagine, there's a large organization like equifax has many patches that are under way at all times. they are coming in weekly and daily and, sen. portman: the race is never won as was said earlier by mr. sorenson. >> yeah. sen. portman: but the question
4:14 am
is, what did you learn from it. as you look back, i understand that you have beefed up your cybersecurity presence and you have the cso reporting, you put a bonus system in place that incent vises all your executives to look at it. but what happened? how could those 8500 vulnerabilities not have been addressed at that time? what did you learn from that? mr. begor: i learned from that, senator, that that's not how you want to operate. we don't operate that way today. there's a real focus on, you know, both risk prioritizeing donepatching bennies to be for the most critical areas are done first. follow-up and tracking. plp, farsi talked about how we follow up on those. we have automated systems now to track those. there's a real rigor, as there should be, around ensuring that that work is completed and those vulnerabilities are closed down. sen. portman: so that 2015 audit, if it had been followed up on would have made a difference, it appears to ubased -- it appears to us, based on our analysis of what happened. where are you now? have you done a recent audit?
4:15 am
are you continuing to audit? mr. begor: we audit routinely. i don't know the, the last audit was done in the 4th quarter. we also have third parties coming in and doing work around our cybersecurity efforts. we do our own perimeter testing by our own internal team. we also bring in third parties that the team doesn't know is trying to penetrate the exterior of our system. so there's all levels of rigor around getting external inputs like audit around our systems and processes. sen. portman: so you have done a follow-up audit comparable to the 2015 audit, and you have responded to what has been discovered, because i assume that it also discovered that there were certain vulnerabilities? mr. begor: correct. you want your audit to identify things that will make the system better. that's the way i think about audit teams. i don't know how many audits have been done since the cyberbreach in 2017, i can follow up on the number of audits around this area but there have been numerous. and as you might know, there's
4:16 am
also regulatory organizations, cfpb, the attorney generals and others that are involved in discussions about audits and our customers. sen. portman: our interest is to figure out what the heck happened. how can you have an audit that, again, uncovers these vulnerabilities and not act on it? with regard to legislation we're looking at, what role should audits play if you could provide that to the subcommittee, that would be helpful. when your last audit was. any results of the audit. how you react to it today. that would be much appreciated. senator rosen? sen. rosen: thank you. i want to thank you for bringing this very important issue, privacy and security. it is issue number one, not just for all of us as individuals but for all the companies and businesses that serve us that we expect to protect us and our communities every single day. i want to address, i do have some things to talk about acquisition and data migration as a former software developer. i've actually done that in my
4:17 am
prior life. so i have some comments on that. but first, i want to talk about the global nature, mr. sorenson , about marriott hotels. of course, you are worldwide. you operate in all 50 u.s. states and in 130 countries and territories. americans stay at marriott hotels all over the world so it is crucial that our data collected is secure. of course you've noted 23 million passports approximately have possibly been compromised no matter where the hotel has been physically located. so my question to you is, last year, secretary of state mike pompeo stated publicly that china was responsible for the cyberattack on your marriott system and theft of consumer data. do you believe that to be the case? >> first, good morning, senator rosen. sen. rosen: thank you. >> nice to be here and to be
4:18 am
able to answer your questions. the short answer is we don't know. and i feel quite inadequate about even drawing inferences from the information that we've obtained. we have, when we first discovered information had been extracted from the system which was november 19 it has been all hands on deck basically to make sure that the -- sen. rosen: so no preliminary data has come out as to where the isps may be locatedor any -- located, or any commonalities and other hacks, other hacking attempts with other companies across the world? en: we have shared everything we have with the fbi, including the addresses used and the malware tools used in the system so that they can do that kind of investigation. we simply have been focused on making sure the door is closed and communicate with our customers. sen. rosen: so do you have policies in the u.s. that apply abroad taking into account, obviously, foreign laws and regulations? mr. sorenson: we do. we have policies certainly about data collection and retention. we also have an obligation to comply with local law.
4:19 am
i think one of the things that's unusual about the marriott cyberattack is this passport information. sen. rosen: how long do you retain the passport information? mr. sorenson: well, the passport information that was accessed was in the starwood reservation system, and it had been there for a number of years. sen. rosen: do you have a responsibility when you buy a company to do an audit of the company you're either buying or , i guess it is like buying a home. do you get an inspection? what does the seller disclose? what is the buyer's responsibility? did you buy it as is, and so you just took no method of auditing the data coming across? mr. sorenson well, we, in the : bottom line is we do buy it as is. when you're acquiring a public company, and buying those shares, there's nobody left. we are starwood today as well as marriott. we did diligence. sen. rosen: so i want to tell you as a former computer programmer, i have worked for
4:20 am
companies where i've done this acquisition and data migration. and while the other system is still up, i had a team of people working with me to maintain that system, auditing that system, making sure it had integrity while we were training and moving that data over. so where was your responsibility in maintaining and as you migrated, protecting that data? mr. sorenson: we were very much taking the same approach. really three periods we could look at separately. one is the 3 1/2-week due diligence period before we signed documents to acquire starwood. very abbreviated public company to public company. that was a, you know, tell us about your i.t. system. our i.t. team was involved in that and asking questions. but it was quite brief and we didn't learn about any of this. second period is between the fall of 2015 and fall of 2016, between signing and closing the transaction. and while we had not closed, our team, our i.t. team was deeply engaged in understanding starwood system, understanding the data,
4:21 am
understanding the vulnerabilities and being ready essentially for the moment that transaction closed to say, ok, now what are we going to do with this system from a cybersecurity perspective, data retention, but also an operating perspective, obviously. and then immediately after closing, it was bringing in, not just our internal expertise but external expertise and saying , help us identify the risks in this system. let's make sure we are doing things to address those risks and enhance them. in retrospect, we wish we had done even more, obviously, something happened. but even while that system is running independently before the data migration and before it's turned off, we are very much trying to make sure that we are addressing the security flaws that we think are there. sen. rosen: so as we think about those 23 million passports and other data that may have been breached worldwide, do you have, of course, i just want to be sure, a consistent policy, of course, taking into consideration certain other
4:22 am
governments, laws or regulations for how you keep the data, how you retain the data and your responsibility towards the data? mr. sorenson: that may give you a couple of data points, if i could. my number is just a little different than the committee's. about 19 million total, sen. rosen: 19, 23, it's an awful lot of passports. about 5 million of those were unencrypted. sen. rosen: and that makes it better? [laughter] mr. sorenson: no, no, those are the ones that, obviously, would have been most -- sen. rosen: so we know that hackers can beat the encryption , so that isn't really a factor here. i don't believe. well, i actually do think mr. sorenson: part of our strategy going forward is to rely on encryption and tokenization and whatever data we keep in this space it should all be encrypted.
4:23 am
that by itself is not necessarily a totally adequate defense, but it is one of the tools we should use. i think one of the other things that is clear, there are dozens of countries around the world that require us to collect passport data. sometimes they require us to make physical copies of passports for guests in those hotels. in the marriott system, legacy, that was at the hotel level and not centralized in the data platform, if you will. in the starwood system it was done locally and essentially centralized into the data system. there are pros and cons of allowing it to be entirely at property level. one of the pros is it's a smaller target, if you will. one of the cons -- sen. rosen: more diffuse. harder to get centralized. much harder to break into. mr. sorenson: one of the cons on the other hand is then if each hotel needs the same elaborate system of cyberdefenses, can you make sure that you are delivering that. and those are issues that we're working through right now.
4:24 am
i think in all likelihood, everything, passports will be encrypted. secondly, i think we'll look hard at not centralizing any of it, but making sure that we've got appropriate tools at property level to protect against cyberattacks. sen. rosen: and perhaps, how ho long you store customer information, sensitive information like their credit card numbers and those extra security codes. mr. sorenson: we are looking at that, too. sen. rosen: thank you. i think my time is up. sen. portman: thank you, senator rosen. senator hawley. sen. hawley: thank you for having this important hearing. thank you witnesses for being here. mr. begor, let me start with you. you may know that as attorney general of missouri, i and 43 other attorneys general sent, launched a multistate action after the announcement of the equifax breach in 2017 and among other things we sent a letter to equifax in which we expressed particular concern with equifax's post breach activities, including the offering of a fee-based service to guard against data breach at the same time that you are offering a free service.
4:25 am
here is the letter -- we object to equifax using its own data breach as an opportunity to sell services to breach victims. selling a fee-based product that competes with equifax's own free offer of credit monitoring services to victims of equifax if's own data breach is unfair if consumers aren't sure if their information was compromised. can you give us the update on the status of this product? are you still doing that? begor: senator, thinking for the question. as i mentioned this morning, we offered a free product for all americans, whether they were impacted or not at the time of the data breach. and i don't know the exact timing of when we stopped marketing to consumers, but soon after the data breach, it may have been when we received the letter from you and the other attorneys general.
4:26 am
we stopped marketing to u.s. consumers as a result of that. we recently started again marketing in october on a very limited basis. the other thing that we offered in january of 20, sen. hawley: this is a free product, though, that you were marketing a free product? mr. begor: no, senator, when the breach happened, we offered free credit monitoring product to any american, and it was opened up to any american could get that. whether they were impacted by the data breach or not. that happened in september of 2017. in january of 2018, we added another free product for any american that's free for life that's a lock and alert product where on your mobile device you can lock your credit file or unlock it. equifax is the only credit bureau offering that. and last you talked about marketing to consumers. we stopped marketing in the, i don't know the exact date, but in the 4th quarter of 2017, to u.s. consumers. sen. hawley: what about the fee-based product that you were offering after the announcement
4:27 am
of the breach? mr. begor: that's what i was referring to. we stopped that in the 4th quarter of 2000 -- sen. hawley: you stopped marketing it in the 4th quarter? mr. begor: that's correct. sen. hawley: we raised other concerns in that same letter and same multistate action including the terms of service that required customers to waive their rights, charges customers pay for a security freeze, with other credit monitoring companies. and overly long wait times for the equifax customer support call center. can you give us an update on how you've addressed these concerns? mr. begor: yes, senator. on the freezing your credit file, i referred to what equifax proactively did in january of 2018, offering a free freeze or lock product to any american, and that's still offered today. you can get that today. i have it on my own. it allows you to lock or unlock your credit file at no charge and free for life. the senator also knows last september, the senate passed
4:28 am
senate bill 2155 that offers consumers free freezes for life. that was passed and that's in place. we've implemented that along with the other three credit bureaus. with regards to our customer service center, there was clearly some challenges there as i look back on what happened in the 4th quarter. staffing up for something like this is quite challenging. in my testimony this morning, i talked about the incremental $50 million of investment we're making now in our customer service capabilities to enhance our abilities to manage our day-to-day interactions with consumers, as well as investing to make it easier for consumers to interact with us when they have a question. whether it's around a dispute or question on their file. sen. hawley: thank you. mr. sorenson, in the testimony you provided, the written testimony you provided this committee, you noted, i'm going to make sure i get this right. you noted you did not receive any substantiated claims of loss from fraud attributed to the incident and none of the security firms you engaged to
4:29 am
monitor the dark web have found evidence that evidence contained in the affected tables has been or is being offered for sale and that you had not been notified by any banks or credit card networks that starwood had been identified as a common point of purchase in any fraudulent transactions. do you take this to be a thorough accounting of which sources might know about your customers' data used by third parties, and is it sufficient for you to just wait for them to report to you? mr. sorenson: i think the answer to the first question is no. it's hard to feel like anything is thorough in this space. you pick up signals from a number of different places. we use a number of different example, to try and go after the same thing. we take some comfort in this, but it's only some comfort. and i think we are grateful for the partnerships we have with the financial institutions so we can have a little bit of that dialogue about what they may be seeing, but we are, one of the reasons we put the web watcher
4:30 am
out and made it available to our customers, that is another tool to look regularly at the so-called dark web to see whether a particular customer's information is showing up on that dark web. sen. hawley: if i could just press a little deeper here, does this, in your written testimony, does this reflect an ad hoc list of sources that could report this information about personal information of users, or does this reflect some sort of cybersecurity methodology that you have in place in order to protect your consumers' data? mr. sorenson: no, i don't think this is really in the first instance about protecting consumers' data. i think it is about assessing what we can assess about the cyberbreach that occurred. and so if you will, the attack happened. successful, i suppose, if you take it from the attackers' perspective. information was obtained. we've been wrestling with the consequences of that. one of the tools that we're
4:31 am
using is to try and figure out what can we tell about where that data has ended up. the tools that we use to protect the data in the first place, i think, are different. in many respects, obviously, much more fundamentally important because we want to avoid that data from getting out in the first instance at all. and you do have some sen. hawley: -- sen. hawley: and you do have some cybersecurity methodology you've put in place to systematically protect your consumer data. that's what you're telling me? mr. sorenson: a whole range of tools. sen. hawley: my final question here, mr. chairman, are you complying with gdpr? am i to understand that gdpr in europe requires reporting within 72 hours if one marriott customer resides in the eu. is that your understanding as well? mr. sorenson: yes, and i believe we are. sen. portman: thank you, senator
4:32 am
hawley. senator harris. sen. harris: thank you. thank you, mr. chairman, for bringing this subject up as california's ag, i'm supported expanded california's laws as it relates to the requirement of the report of data breaches. and have met with many folks over the years who have suffered greatly because of the breach of their personal information and data. and so the risks are, obviously, many. mr. begor, exquifax is facing lawsuits from consumers whose information was affected by the breach. in response your lawyers have argued that even though their information was stolen, consumers cannot prove they were harmed. it was recently reported that none of the data stolen from equifax in 2017 has been used in identity theft or other fraudulent activity and that the stolen data has not been offered for sale on the dark web. do those assertions remain true? mr. sorenson: they do, senator harris. to date, we use a variety of
4:33 am
outside experts, as well as our own, like marriott, really trying to understand where the data went, what it was used for, and our analysis is there's been no evidence that the data has been sold or no evidence of increased identity theft as a result of equifax data that was stolen in 2017. sen. harris: so a former senior intelligence official recently told cnbc that the hack was more likely the work of a foreign intelligence agency than a garden variety criminal. which would explain why the stolen information has not been used for garden variety crimes. if a foreign power is an especially hostile foreign power, is using the data it stole from equifax to target u.s. officials or american operatives, does it remain your position that there has been no injury or harm caused by this breach? mr. sorenson: senator, we don't know who took the data, and we still don't. we're working closely with the f.b.i. days after identifying the cyberbreach in 2017, we started collaboratively working with the
4:34 am
f.b.i. and other authorities. we have the same goal. we've been completely transparent about who took the data. we just don't know who it is at this stage. we continue to work with authorities. sen. harris: it would be important for us to know that you appreciate the fact that if the data were breached for purposes of gaining information about u.s. officials or american operatives, that there would most certainly be harm and damage and injury that would result from that. do you appreciate that concern? mr. sorenson: of course, senator. in my testimony this morning, i started out by expressing regret for what happened. talked about what we're doing for consumers, which is really our initial focus and continues to be our focus around supporting consumers. the free credit monitoring that we offer. the other free products we've rolled out subsequent to the data breach around supporting consumers. sen. harris: and do you understand that there have been targeted violations of privacy
4:35 am
as it relates to employees of the united states government and that there is a concern among the intelligence community and all of us, that there is a focus focused concern, and actually triangulation around , a officials, american officials, and in particular those who may be involved in our military or intelligence work. and the attempt being to get their personal information for the purposes of attempt to compromise those individuals. are you aware of that concern? mr. sorenson: i've read about it and listened to the experts we work with about that threat on american companies and on american consumers and as well as government employees. sen. harris: and will you commit to this committee that you will have that as a priority among your priorities in understanding and thinking about potential harm that's resulted from these breaches? mr. sorenson: senator, i testified a couple times this morning that security is a very, is a top priority at equifax today. we've doubled our security team. sen. harris: so is that yes? mr. sorenson: the answer is, everything we're doing is around yes. sen. harris: ok, great.
4:36 am
and mr. sorenson, as senator rosen referenced in november of 2018, hackers exposed the personal information of up to 383 million marriott customers, including millions of passport numbers. shortly after cybersecurity firms and recently our government hired, was hired to assess the damage attributed to the hack and attributed it to chinese intelligence. in addition to passport numbers, could hackers have accessed guest itineraries and the names of their traveling companions? mr. sorenson: yes. well, traveling companions, i'm not certain about, but reservation data was obtained in, i think most recently as far as we can tell in 2016. so that would have been my upcoming reservation or perhaps a past reservations that i had at one of the starwood hotels.
4:37 am
we do not think, based on what we've been able to tell so far that any reservation data post-2016 was obtained by the cyberattacker. so in the 2018 instance, which was the first one after we acquired starwood, we do not think individual reservation data was there. this is not 100% provable, but we believe that that means there's no longer any upcoming reservation data which was obtained because if 2016, two years ago, we tend not to take reservations more than a year out. so probably nothing that is still, if you will, a future reservation. sen. harris: and then as it relates to the names of traveling companions, it is the custom of marriott hotels to collect the information of whoever is occupying the room, whoever has the credit card plus whatever guest they may have, isn't that correct? mr. sorenson: well, again, this is the starwood reservation database. and certainly in many instances, a hotel would note somebody else
4:38 am
who might be sharing a room. but not necessarily in every instance. if the person who made the reservation is showing up and checking in and getting the key, the front desk may or may not take the time to make the effort to figure out whether a spouse or child or somebody else was traveling with them. but certainly it would have happened in some circumstances. sen. harris: so for those folks whose names may have been exposed, but they're not actually the individual who was contracted with the hotel to pay for the room, have those people been notified of this breach? mr. sorenson: well, we tried very hard to notify everybody that we could. the first tool we used was a broad press release with broad public dissemination and then the carrying on the banner, the top line of the, apps, all the rest of it. in addition, we sent out in excess of 50 million e-mails to
4:39 am
folks that we had e-mail addresses on to also make sure that we were notifying them in that way. is it possible that somebody has slipped through the cracks? of course. i think more likely that they were repeat customers of ours, the more likely they are travelers. the more likely that they would have been either notified by us directly or seen the news. sen. harris: mr. chairman, just one last question, and it's a brief question. is it correct that marriott is the top hospitality provider for the american government and the united states military? mr. sorenson: i don't know that we have the data which would tell us that. we're the largest hotel company by rooms. sen. harris: can you follow up with the committee and see if you may have the answer to that question? mr. sorenson: i will ask whether we can find out, yes. sen. harris: thank you. sen. portman: thank you, senator harris. senator peters. sen. peters: thank you, mr. chairman. thank you to our witnesses
4:40 am
today. mr. begor, if a consumer is delinquent on a payment but later makes the necessary payment to bring the account current, it's my understanding that that delinquency stays on the credit report for 7 years. is that correct? mr. begor: yes, it is, senator. sen. peters: so if a consumer misses a single credit card payment and then follows, you will continue to follow them for basically seven years, and then they'll have an opportunity to in that seven years basically demonstrate that they are good credit risk, a good credit score and as a result of that, then get additional credit as a result of that after that seven year period. is that correct? if there isn't any other activity? sen. peters: there isn't, senator, but as you may know in the credit scoring models that we use, other credit bureaus use, the banks use themselves as a delinquent payment using your example if there was one delinquent payment as that ages out, it becomes less predictive, has less impact on an individual's credit score or ability to obtain credit. sen. peters: but, still, it's an expectation it takes, you want to watch it for 7 years
4:41 am
basically, just to see how it acts. there's a slope there. and i bring that up because i think that most people, certainly everybody that i talked to, believes that equifax was beyond being just delinquent on one payment when it came to the securing of this critical data and the cybersecurity hack. and that the information that has now been put out or has been taken, will likely be there forever. and, in fact, that you haven't seen some of these activities in the short run may make sense because, if you are a bad actor, you may wait awhile before you use this data to use it for a nefarious purpose. and so i just find it interesting in that delinquent payments for a consumer, you follow for 7 years. although you have offered the credit freeze for a lifetime. when it comes to credit monitoring, it's only two years.
4:42 am
credit monitoring is certainly much more preferable to consumer convenience than it is to freeze and unfreeze, go back and forth. and i know you want to build consumer trust, but if you are telling your consumers, we'll watch you for 7 years because you've missed one payment, but we have this massive breach and we gave all your personal information, somebody got all your personal information to millions of people and it's going to be out there for the rest of your life, we'll help you for two years. seems to me that it would make sense that, at a minimum, that you would offer credit monitoring for the 7 years just as you monitor your customers for 7 years. so my question to you, mr. begor, would you support mandating free credit reporting for 7 years for all consumers whose personally identifying information was the subject of a breach of a credit reporting agency? mr. begor: senator, we think that's really situational and what the consumer should be offered. we offered 12 months starting in
4:43 am
the 4th quarter of 2017. we voluntarily extended it for another 12 months late last year. we'll continue to look at that as we go forward and, again, it's my view that legislation is not required for that. that we're doing the right thing for consumers and i would just remind the senator that while the credit monitoring is a valuable product, what the senate passed last september in senate bill 2155 offering a free freeze for consumers really is the most important way to protect your data. and then equifax has a supplement product that's available on your phone or mobile device that's free for life to do the same thing with some more functionality. so if you are at a car dealership and getting an auto loan, you can unlock your credit file. when you finish getting that financial transaction, you can lock it again. no one can see that data once it is either frozen by senate l 2155 or locked in our "free for
4:44 am
life" product. sen. peters: would you still see the value of monitoring because you're offering it to your customers for up to two years. that that's a better product than just the freeze and unfreeze, which is more cumbersome. i think you mentioned that. so you said you'll re-evaluate this on a situational basis. what is that situational basis? what's the criteria you'll be usings too whether or not to -- you will be using to whether or not extend this beyond two years? mr. begor: it really depends on how the data, how we can see the data had been used and what it's being used for. and i would make the point where credit monitoring is quite valuable, you know, we believe that giving consumers control about who has access to the data, when it's frozen, no one can see it. and no one has access to it. sen. peters: i would like to in the remaining time touch briefly on another important subject. that's the collecting of data on minors. how many minors had their personally identified information compromised in the 2017 breach?
4:45 am
mr. begor: senator, i don't have that information in front of me. i'd be happy to get back to your office with that. sen. peters: is it greater than zero? mr. begor: i don't know the answer to that, senator. sen. peters: so you'll provide that for me? mr. begor: yes. sen. peters: that would be great. do you have any policies regarding the collection of information on minors? mr. begor: the policy is that, you know, we don't. and as you know, you may know senate bill 2155 allows a parent to put a freeze on their children's credit file, if, in fact, they have one. we're quite diligent about managing that because it's an area of focus by imposters or fraudulent individuals that try to create a credit file for identity theft purposes, not only on minors but other americans. sen. peters: is there an instance where a young child would need a nonfrozen account? mr. begor: not to my knowledge, senator. sen. peters: but a parent has to
4:46 am
opt out, even though there's no reason to have a non, or to have a frozen account but the parent has to be active in doing that? ok. so last year i worked to pass legislation that protects children from synthetic i.d. fraud. it's a form of identity theft you know very well, where stolen security numbers of children are paired with fake names and birth dates to apply for loans, credit cards and other accounts. could any minors' information that was exposed in the 2017 breach be used as part of identity theft or synthetic i.d. fraud operation? mr. begor: senator, i will have to get back to you on what minors were included, if any. i don't know the answer to it in the theft that took place in 2017. sen. peters: great. i appreciate working with you on that. thank you. sen. portman: we have a short second round here. senator carper, do you have additional questions? sen. carper: i do. both equifax and marriott publicly announced their data breaches within weeks of learning them. and while this is better than some companies have done in recent years, it's a lot longer than, for example, target waited when it suffered a breach in 2013.
4:47 am
in fact, target learned about a cyberattack, you may recall, affecting its customers in the middle of the holiday shopping center. i was one of them. and that year informed the justice department and public literally within days. this allowed target customers to take precautions against fraud and identity theft and to monitor the bank and credit card statements. mr. begor, the hackers who attacked equifax were in the company for 78 days before equifax discovered their presence. i think that's correct. and by the time equifax informed the public, consumers' information had been in the hands of hackers for close to four months. given the damage that can be done with the type of information equifax collects, why do you suppose the folks who were in positions of responsibility prior to your arrival, why wait six weeks to step forward? why not follow the target example so that people could
4:48 am
take swift action to protect themselves as soon as possible? and if i had been you coming into a new situation as the new ceo, i would have said to the people who were there before we, what were you thinking? how could you have allowed this to happen? did you ever have those kind of conversations? mr. begor: i had a lot of conversations when i joined last april. and i hope you get a sense for the pace of change, the breadth of change, the priority around security. there's a whole new team here. we've added extensive resources, and we're very serious about security. with regards to the time frame, you know, with the data breach, my strategy and i believe it was
4:49 am
the team's strategy at the time, was to be accurate and quick in completing the work. as the senator probably knows, it's a very complex process. once you find out that you have a data breach to really determine which elements of your database was affected. we brought in the very best forensic experts within days of the data breach. i think it was a day or two contacted the fbi and got their involvement in it. and from my look back at what the team did, they moved as quickly as they could to ensure that we were going to be complete and accurate. from my perspective, making an announcement that there was a data breach but not knowing which americans were impacted, and is it 50 million, 2 million, 150 million? it took time to really do the forensics to figure that out. my approach is to be accurate and complete with the real focus around the consumer first. really making sure that those consumers that are impacted we can identify who they are and then communicate with them
4:50 am
quickly. sen. carper: mr. sorenson, really the same question. i'd like to hear about the factors that went into marriott's decision on the timing of its public notice. mr. sorenson: so we had an alert which, on september 7, 2018, was triggered. that alert went to a third party who was operating the reservation system for us with in effect a company to the i.t. group at marriott. we heard from that third party operator the next day on september 8 that that alert had been received and immediately started to mobilize resources to contain and to ascertain why that alert went off. it wasn't until november 19,2018, that we learned that data about our customers had been ex exfiltrated from our system. and we announced on november 30.we, of course, had lawyers and security experts and all sorts of other folks who were engaged in the conversation about timing, how quickly could we go? we also wanted to make sure that we had set up call centers and
4:51 am
websites so that the moment we released this information publicly the customers had a place to go and find out more and sign up for the web watcher services and do the other things that were necessary. and so that 11-day time, of course, was, met the legal requirements but it also was practically about as fast as we could move it and be able to communicate something which was concrete and useful to customers and then be able to deliver something of what we anticipated they would need and want. sen. carper: thank you. let me ask both of you, any idea, any sense for how many state data breach notification laws your companies are, i guess, subject to? would it be fair to say that maybe even 50 such state laws that you are subject to at this time? if it's ok, senator, i'll go first.or:
4:52 am
q are correct on that, and it is quite a challenge. sen. carper: i was going to ask, what kind of challenge does that present, if it's true? mr. begor: there's, i don't know if the exact number is 50, but they're all different and it creates challenges in a situation like ecquifaxequifax, as perhaps marriott's, in -- situation like equifax, as perhaps marriott's, in complying with the requirements. different notification documents required. different ways you communicate with the consumer. different ways you're allowed to communicate with the consumer. and we've been longstanding supporters of a unified federal legislation that would unify that and allow, you know, actually that's one of the elements that makes it, there's a time limit there once you figure out which consumers are impacted and what states are they in, and requirements and how you communicate with them. we're very supportive of a federal unified legislation on that. sen. carper: thank you. same question, mr. sorenson. what kind of challenges do you have with respect to who to notify, when to notify, what to disclose about a data breach. not amongon: it was
4:53 am
the biggest challenges we faced, i would put it that way. although if memory serves, we found some place between 20 and 30 states had specific notification requirements with a deadline. now we, of course, met those deadlines and then ultimately communicated to all 50 states. outside the united states, there were probably, i don't know, 20 or 30 countries that had various kinds of notification deadlines. obviously, that's nothing that the federal government can do with that. sadly, i suppose, in some respects, this ground is too well trod and so there are folks that can help us figure out where those requirements are and how to meet them.
4:54 am
would be simpler, of course, to have one sort of u.s. standard, but that's something that we'd be happy to work with your office and give whatever input we could from the experience we've had. mr. chairman, i am sitting here thinking, believe it or not, if something richard nixon, of all people, once said. and richard nixon once said the only people who don't make mistakes are people who don't do anything. we all make mistakes. and i said to our sons now, 29 and 30-years-old, i've said to them, nothing wrong with making a mistake. the key is we don't want to continue making the same mistake. in this case, mistakes, not only harm your companies but we talk about the harm, 150 really innocent people across this country. so the question is, what do we do about it? and you've talked to us today about a number of things that each of you have done. and i am pleased to hear the statements of apology, of contrition. acknowledging the harm and
4:55 am
damage that's been done. and god knows i wish and i'm sure 148 million people wish that the kind of thinking of the actions you've displayed in the last year or so that you've been in your position, mr. begor, that that kind of thinking had existed in the previous administration, if you will. you talked about what i think is really important. leadership is most important in leading the success of any organization i've ever been a part of. in business, government, military, always the key. if the leader doesn't say cybersecurity is important or the board doesn't say cybersecurity is important, nobody else down the line is going to make it important in the end. and it appears to us that you have done that, both of you. and have made it clear from the top, this is important. you've aligned incentives, financial incentives for the folks helping to run your company so that their incentives are all lined up with that in mind. sounds like you've done a lot
4:56 am
with respect to hiring your kind of workforce that you need to enable the desires and wishes, the directives from on top to make sure that they are carried out. one of the things i think a lot about, mr. chairman, is workforce. i know you do, too. and we have focused in delaware for a number of years, the delaware university, the community college, to make sure we're turning out a better workforce to help take on these jobs that are available out here to be done. with the federal government, what our responsibilities are, i was privileged to chair this homeland security committee for a while and with tom coburn from oklahoma, and we focused, senator portman knows, he's part of this, on what we needed to do within the federal government. on what we needed to do within the federal government as legislators. and frankly in those couple of years, we did a lot. and we've continued to do a number of things. i really think, mr. chairman, this is the right time for us as a committee.
4:57 am
we have new talent on either end of us here, democrat, republican, bright people with real world experience that can bring a lot to this. i think it's really an ideal time for us to do our job of oversight. we've done all this legislating. and it's being implemented. and we have, let's find out to what effect, to what good. that's a big part of our job. last thing i'll say is i'd ask to enter for the record some newspaper articles i read on the train coming down this morning from the last several weeks , about the dramatic increases in attacks from china and from iran. and i remember when barack obama met with the president xi in washington state. you may remember this, 2015. i think september of 2015. and jeh johnson, director of homeland security, gave me his eyewitness account. in that meeting, president obama said tosecurity gave me his eyewitness account.
4:58 am
in that meeting president obama said we know you are attacking us and coming after our trade secrets, business. practice and are military secrets pick we want you to stop the president said we don't do that that's not the policy of our country and that's that were about. president obama basically said this is who's doing it, this is where they are located, and we want you to stop. president she said we are not willing to do that. i'm told president obama said if you don't stop, you will wish you had in so many words. as you may recall dramatic drop in attacks by china. about two months before that, the congress of the united states, the president had essentially signed off on a five -nation deal with iran, for gradually lifting sanctions. at the time the iranians were unrelentingly attacking your financial services companies. especially. in july, i was a strong supporter of lifting sanctions for the opening of inspections ongoing.
4:59 am
and you know what happened? literally within a month, the frequency of iranian attacks greatly dropped. almost like china a couple of months later. there's another element here, we don't think much about. there so much they can do and other companies need to do. more work to do in terms of training the workforce and making sure they are available. the jobs involved before the administration in working or reaching out to other countries and getting them to work with us instead of being or undermining what we are trying to do. plenty of for today.
5:00 am
a multilayered approach and we appreciate your being here today and helping put a spotlight on this. you have cleaned up the messes that you inherited especially equifax. it's given us an opportunity to think about what we can do, to better do our own jobs. thank you. everything we do, everything i do i know we can do better and and that includes this. thank you. sen. portman: i can't believe government to do anything better than the spec thank you. to the witnesses i have two follow-up questions we want to get into the record. but let me reiterate what i said earlier which is, we appreciate your being here. we're trying to learn. and the lessons that you have learned within your company's are really important for what we are trying to do legislatively. understanding what happened, what could be done differently, this is frightening, scary for hundreds of millions of families.
5:01 am
whose personal and financial data was compromised through the two companies you now lead. i appreciate the fact you acknowledge that, understand that you know, this is about hackers. it's about technology but it's also about people. and the frustration that many americans have right now that nothing is sacred or safe. you know, and it is, is good to know that as mr. sorensen has said and mr. begor said, some of the data has not been used yet by criminals in ways that one may have thought it could've been. that doesn't mean it didn't happen or isn't happening right now. also gets raised earlier some of this may be being used by foreign actors in ways counter to our national interest. by targeting individuals. so it's growing or importance get to the bottom of what happened and what's being done and what can be done in the future legislatively. we go back if i could to the
5:02 am
cyber security protocols that mr. begor talked about earlier. in your testimony seemed to lean heavily i thought on the fact the program at the time as i said leveraged technical safeguards and was subject to regular ongoing review. external and in total as we talked about the audit that was not respected just by some really troubling data it uncovered. the other part that i think we need to talk about this morning and i was waiting to hear what my colleagues would address and they addressed a lot of this. it is the i.t. inventory. the investigation, as you know, found that equifax at the time failed to follow this basic practice of maintaining an it -- maintaining an i.t. inventory of applications and assets on its systems. without having this list. equifax was unable to find the application that was exploited by the hackers park that's when that has been talked about previously called apache strut. you didn't even have it in your
5:03 am
inventory, so you can find it. i guess a few questions, one since the breach has equifax generated a list of applications on its systems? mr. begor: we have, chairman, in great detail. not only that i think my colleague mr. farsi talked about some of the automated systems we put in place to really track all of the systems and make sure we understand not only the systems and all the assets we have, but also when there's a patch that needs to be completed, those are all automated and we are watching those. there's multi layers of defense picked you know, it's more than just one later. i think the chairman knows that. that all of these elements have to be done very well and then with the latest technology which is what we put in place and we
5:04 am
are continuing to put in place. >> the national institute of science and technology list has issued a recommendation that there be an it inventory and every company that could be affected. by these breaches. let me ask you this, if equifax had kept an up-to-date it inventory come up with have been helpful to have identified the viability? mr. begor: you know it my analysis what happened in 2017, there was an inventory. it wasn't as complete as it should be put certainly, the protocols and the procedures the resources we have in place are at the highest standards. like most companies, we follow the protocols. as i mentioned early this morning, we have third parties actually auditing us against those nis standards is a part of our many layers of how we are managing our security program going forward. sen. portman: we have a difference of opinion. our investigation identified there was not a complete inventory. mr. farsi, maybe you can respond to this book was there inventory or not? did that affect the ability to
5:05 am
find availability? juan certainly. so inventory is an important control across any organization to defend against threats. i wasn't here at the time. but looking back, we did have an inventory, it just wasn't, it just wasn't a complete inventory. since that time what we've done, we have built-in the controls that mr. begor was saying is so we do have a complete inventory of our assets. and note,, sen. portman: it sounds like if i might, you did not have a complete inventory and apache struts was not something that was able to be identified. is not accurate? mr. farsi: what i would say is this. the inventory for us apache struts is typically not in the inventory that you highlight in the report. so it's a tactical nuance. the specifics of that particular airborne mobility typically are not included in the asset inventory park because it's a source cords been ability, it's those it is a source code
5:06 am
vulnerability, so it is typically in the code repository instead. sen. portman: again, we have a difference of opinion on this one we will follow-up with you . again, it's about the future going forward. are you telling me something of the nature of apache struts would not be in her current inventory and therefore you would not be able to find the vulnerability today? mr. farsi: it is absolutely in the inventory. it should be in the inventory. it's a different type of inventory, senator. sen. portman: well, if it had in the inventory they are reviewing, clearly would've made a difference. do you believe that statement? mr. farsi: made a difference with respect to watch, senator? sen. portman: the ability to find the vulnerability? mr. farsi: it would have helped. thank you. ok mr. soreson thank you for being here too and again i want to follow-up on one of the points we found in our
5:07 am
investigation, it's true the big breach happens it started in 2014. you acquired starwood in 2016 is that correct? in 2018 you were able to identify something happened in you said the alert was issued in 2018. however, we have not mentioned today there was a 2015 breach at starwood that was acknowledged. and so when you bought starwood, you knew about i see me know about the breach. is that correct? mr. sorenson: yes we did. sen. portman: that reach was a credit card breach numbers were taken points of sale at 54 different properties. and in 2016, january 22, 2016 to be exact the president of starwood sent a letter, a public letter out, saying the guest reservation database was not impacted by that breach. i have a copy of that letter on the witness table for you. again, i would like to enter that 2016 letter into the record without objection. of course in reality the
5:08 am
reservation system had been breached considerably. in 2014. so the letter said don't worry, reservation system has not been breached. so my question to you is just a simple one, when you did your due diligence, which you talked about having an, did you look at the letter and examine the issue and could you have determined therefore earlier, what happened? mr. sorenson: yeah that's a very fair question. the short answer is, we knew about the point of sale breach that starwood had suffered. we worked with the starwood team and we worked independently to try and make sure we understood the scope of that breach. as far as we know today, it was totally unrelated to the reservation system breach that we had been talking about and announced in november. different tools, the sprint system in a sense the point-of sale is obviously distributed at the properties and the restaurants and at the front desk. the reservation system by comparison which was the larger
5:09 am
breach we disclosed in november, is a centralized system. again the team has said they don't relate to each other. although certainly from a colloquial perspective it feels similar. it feels like a warning and somehow it's related to the starwood's customers which it is. we did try and understand the point of sale thing and we were satisfied starwood had taken the steps necessary in order to deal with that breach. separately, we did some things on the reservations platform side. it was in retrospect, clearly not enough. sen. portman: again lessons learned. and we appreciate the testimony given us and we appreciate the opportunity to stay in touch with you and your experts to help to be sure we are putting together the kind of legislation that can help avoid these problems in the future.
5:10 am
you made a statement earlier, this is a race that has no finish line. i think that factor and is accurate this is a marathon that has to be run at a sprinters pace. because there will be continual innovative hacking. i noticed this morning to senator carper's point, while the president was in hanoi negotiations with chairman kim, there was an increase apparently this is report, take it as such, in north korean hacking commercial hacking of u.s. targets. so it's something we will have to continually assess and government is not often good at that. we put a law in place and senator carper said we don't do the proper oversight and follow up. we sometimes get behind the curve. we want your ongoing cooperation with this panel. to be able to put together what makes sense and then to update it as necessary because you're going to both the in your companies engaged in this for a long time in the future. thank you.
5:11 am
just a request, if i could enter for the record an article from the new york times, chinese hackers renew attacks on u.s. companies. the wall street journal recently as yesterday -- hackers have hit hundreds of companies in the past two years. i asked that that be included in the record. thank you. thank you for your testimony. >> we thank you for your service. >> thank you.
5:12 am
>> ok, we will now call our second panel of witnesses for the hearing. please come forward and take a seat. this is the expert panel that's going to give us information about how to solve some of these problems. we just talked about. we welcome you. we will start by introducing the panel. alisha cackle he is director of financial markets and community investment at the government accountability office. we appreciate your work on this issue and report. secondly andrew smith director of the bureau of consumer protection at the federal trade commission. and third, we have john gilligan with us. mr. gilligan's death ceo at the center for internet security.
5:13 am
it's the custom of the subcommittee to swear and witnesses so at this time of would ask you to stand up and reach a right-hand. you swear the testimony will get before the subcommittee will be the truth, the whole truth and nothing but the truth so help you god? please be seated. let the record reflect all the witnesses answered in the affirmative. your written testimony will be part of the record. if you could keep your oral presentation to five minutes, that would be great. and mr. smith i think we told you would go first so we will calling you first. >> thank you. chairman fort men and members of the subcommittee, i am andrew smith the director of the bureau of consumer protection at the federal trade commission.
5:14 am
i appreciate the opportunity to present the commission's views on how congress can help the ftc further its efforts to prevent data breaches in the private sector. my written statement represents the views of the commission. the opening statement represents my views alone and not necessarily the views of the commission or any individual commissioner. let me begin by summarizing the f.t.c. chassis current efforts to protect consumers by promoting data security and preventing data breaches. our work has 3 primary areas of focus. the first, is enforcement. for nearly 2 decades the ftc has been the nation's leading data security enforcement agency. we are charged with enforcing data security requirements contained in specific laws such as children's online privacy protection act, fair credit reporting act and the grant but by reactive reinforce section 5 of the ftc act which prohibits unfair or deceptive practices including unfair and deceptive practices with respect to the data security. in this law enforcement role the commission has settled old letter dated -- settled or litigated more than 60 actions against businesses that allegedly failed to take reasonable precautions to protect their customers personal information.
5:15 am
for example we brought cases against manufacturers of consumer products like smartphones, routers. we brought cases against data brokers that connect consumers ' personal information. our secondary focus is policymaking. f.t.c. has conducted workshops, issued reports and minerals to promote data security. for example, just this week, we announced a notice of proposed rulemaking to update our safeguards rule under the gramm leach bliley act. the safeguards rule was issued in 2002 and requires financial institutions within the ftc's jurisdiction to implement reasonable process based safeguards to protect personal information in their control.
5:16 am
the proposed revisions to the safeguards rule based on nearly 20 years of enforcement experience. these revisions are intended to retain the process based approach of the original rule. providing financial institutions with more certainty with respect f.t.c.'s data security expectations. our third area focuses business education. the commission has issued numerous guidance materials for business including a guide called start with security, in 2015. the series of columns and 27 called stick with security last year a conference of small business cyber education campaign which includes written guidance, how-to videos and training materials for businesses. these materials instill the lesson to learn from our enforcement actions in assessing to and accessible manner. we have vigorously used our existing authority to protect consumers. but this authority is limited in some important respects. the commission has called on congress to enact comprehensive data security legislation that includes rulemaking, civil penalty authority and enhanced c. isdiction for the f.t. first, the legislation should the authority to
5:17 am
issue data certain security rules under the administrative procedures act so we can keep up with business and technological changes. we currently have rulemaking authority, we've used it as demonstrated by this week's proposed revisions to the safeguard role, which i just described. second, legislation should allow the fdc to obtain civil penalties for data security by violations. currently we have authority to seek civil penalties for data security violation under the children's online privacy protection act and the fair credit reporting act. we also can get civil penalties for violations of an existing administrative order. as a general matter, we cannot obtain civil penalties in de no vo cases. to help assure effective deterrence, congress to enact legislation to allow the ftc to seek civil penalties for data security violations in appropriate circumstances. finally, the legislation should extend the fdc's jurisdiction over data security to nonprofits and common carriers. entities in the sectors often collect sensitive consumer information. and significant breaches have been reported particularly in the educational and non-profit hospital sector.
5:18 am
thank you for the opportunity or before you enable i look forward to answering your questions. portman: thank you, mr. smith. >> i'm the director in the financial market and community investment team at the government accountability office. i am pleased to be here to testify about internet privacy and data security issues. my statement will discuss the commissions authorities for overseeing internet privacy and the stakeholders views on potential actions to enhance that federal oversight. my testimony is based on our january 2019 report on internet privacy as well as prior reports g.a.o. on various privacy issues. as you are aware, the united states does not have a comprehensive internet privacy
5:19 am
law governing the collection, use and sale or other disclosure of personal information. in prior work, we found gaps exist in the federal privacy framework which does not fully address changes in technology in the marketplace. at the federal level, ftc currently has the lead in overseeing internet privacy using its statutory authority under section 5d of the ftc act to protect consumers from unfair and deceptive practices. however, to date ftc has not issued regulations for internet privacy other than those protecting financial privacy and the internet privacy of children , which were required by law. for f.t.c. act violations transient ftc may promulgate regulations that is required to use procedures that differ from traditional notice and comment processes and ftc staff said at time and complexity. stakeholders that the gal interviewed had very views on
5:20 am
f.t.c.'s oversight of internet privacy. most industry stakeholders said they favored f.t.c.'s current approach directed enforcement of its unfair and deceptive practice in statutory authority. which allows for all flexibility. other stakeholders including consumer advocates and most former f.t.c. and s.e.c. commissioners gal interviewed -- f.t.c. and f.c.c. commissioners that gal interviewed favored legislation in which internet privacy had oversight and could be enhanced. some stakeholders told gao an overarching internet privacy statute could enhance consumer protection but clearly it leading to consumers, and agencies what behaviors are prohibited. second, through rulemaking. some stakeholders said regulation can provide clarity, fairness and flexibility. and third, through civil penalty . stakeholders said f.t.c.'s
5:21 am
internet privacy can be enforced and the more receptive to civil penalties for first-time violations. recent data breaches that federal agencies, retailers, hospitals and insurance companies, consumer reporting agencies and other large organizations, highlight the importance of ensuring the security and privacy of personally identifiable information collected and maintained by those entities. such breaches have resulted in the potential compromise of millions of americans personal identifiable information, which could lead to identity theft another serious consequences. -- and other serious consequences. these recent developments regarding internet privacy and data security suggest that this is an appropriate time for congress to consider comprehensive internet privacy legislation. although f.t.c. has been addressing internet privacy through its unfair and deceptive practices authority and ftc f.t.c. and other agencies have been addressing the issue using statutes that target specific industries or consumer segments,
5:22 am
the statute with specific standards leaves consumer privacy at risk. in our january 2019 report, we recommended congress consider developing a comprehensive legislation on internet privacy that would enhance consumer protections and provide flexibility to address the rapidly evolving internet environment. issues that should be considered include, which agency should oversee internet privacy, what authorities and agencies should have for that oversight, including notice and comment rulemaking authority and first-time violation civil penalty authority. and how to balance consumers' need for internet privacy with the industry's ability to provide services and innovate. mr. chairman and ranking member, this concludes my prepared statement. i am pleased to respond to any questions you may have. chairman portman: thank you for your testimony. mr. gilligan. gilligan: chairman portman, members of the
5:23 am
subcommittee, my name is john gilligan. i serve as the chief executive officer of the center for cis, at security, or nonprofits of her security organization. in my oral statement this morning i would like to share my perspectives on the logical question that may be asked after this morning's testimony, which is, what can be done to prevent major cybersecurity breaches? i asked myself a similar question in the early 2000's as the chief information officer of the united states air force. after the national security agency's annual penetration analysis found are far -- found our cyber security posture inadequate despite spending literally over $1 billion a year on cyber security. i went to the n.s.a. and asked them, where should i start? n.s.a. came back with a prioritized list of the system weaknesses most commonly exploited by attackers. by a large margin, the most common weakness exploited with -- was misconfigured software. software that did not have
5:24 am
appropriate security settings enabled or software that was not properly patched. as a result of your guidance, i launched an initiative in the air force to ensure security-enabled configurations with up to-date patches for all of our operating systems. based on the positive experience with the air force in identifying the most frequent cyberattack patterns and the associated mitigating security controls, the n.s.a. effort was subsequently adopted by the private sector in 2009 and became known as the sands truck top20. it was transitioned to the center of internet security, and became named as the critical security controls or just the cis controls. the critical security controls represent a set of internationally recognized prior trades actions that form the foundation for basic cyberhygiene, or cyber defense. the controls are readily up dated by global network of cyber experts put the critical security controls have been
5:25 am
assessed as preventing up to 90% of pervasive and dangerous cyber attacks. the controls act is a clear, actionable and free blueprint for system and network operators to improve cyber defense identifying specific actions to be done in a priority order. cis has analyzed data breaches over the past two years and found in each one the root cause of the breach relates to the failure to properly implement one or more of the critical security controls. the equifax breach is no exception. we found there were 5 of the 20 critical security controls that were not properly implemented by equifax. many organizations are seeing the value of the critical security controls. california, ohio, the republic of paraguay, the european standards technical standards organization, adopted the controls of a standard for cybersecurity. airspace industries and the atlantic council have also
5:26 am
endorsed the article security controls. as congress considers ways to improve cyber security in the u.s., i offer the following recommendation. i start with the recognition the best of cyber security points to more detailed documents and best practices for implementation guidance including the critical security controls. while a logical construct, this has unintended consequences, in particular government and private sector organizations who wish to implement the nist cybersecurity framework must then select for implementation from among the very comprehensive list of standards, guidelines and best practices that are referenced in the nist framework. the same problem is magnified for organizations required to comply with multiple high-level frameworks that are similar to the nist cybersecurity framework. for example, financial organizations are required to certify against the payment card industry or pci, security framework.
5:27 am
organizations with international presence often required to follow the international standards organization were iso cybersecurity framework and so on. while the individual policies and regulations are fell well intended, they contribute too much confusion and inefficiency in achieving the common goal of effective cyber defense picked recognizing that are multiple cybersecurity frameworks and duplicate of policies have contributed to great confusion, i would recommend that nist be chartered to develop a single cybersecurity implementation guideline that can be used to satisfy the requirements of the nist cybersecurity framework, pci, ico ieee and similar general security frameworks. this implementation guideline should provide clear guidance on what constitutes basic cyber hygiene, and specify a prioritization for implementation of appropriate controls. i note the united kingdom and australia have done exactly that with the australian signals direct route essential 8 in the
5:28 am
united kingdom's national cybersecurity centers cyber essentials. i offer this center for internet securities critical security controls to the point of departure or model for such an effort. this concludes my remarks and i look forward to your questions. chairman portman thank you. and thank you to all three of the witnesses. as we heard this morning, these data breaches have become a fact of doing business. every day. it's a matter of constantly keeping up. it never ends. the best effort we had with the most recent data we have, come from the second or the first half of 2018. and that is there were 291 data records compromised every second.
5:29 am
291 records compromised every i second. think that has slowed down. it is probably increased. so it's an ever present danger to consumers, businesses, government our national security. mr. smith i find your testimony interesting. as has been alluded to today, 50 states have different standards on this. most states have passed their own breach notification laws. in fact i think every state has some sort of breach notification law, don't they, mr. gilligan? mr. gilligan: i believe that is the case. chairman portman but they vary significantly from state to state. mr. smith, what benefit would there be for having a single standard at the federal level for breach notification legislation given this climate of increased technological interconnectedness and the number of breaches we are seeing? mr. smith: it seems like there would be some benefit to uniformity. say, our though, current commission is composed of five commissioners. all of them are new within the last year or so.
5:30 am
they have not had an opportunity to testify on whether or not they would support a uniform data breach notification standard. past commissions have supported such a uniform notification standard. chairman portman: in your personal capacity this afternoon, now what is your opinion? mr. smith: i was interested, actually, about what he said, that california had passed its first data breach standard. at they started looking whether we should have a uniform standard. bills were introduced in 2005 meeting a national standard. every state has enacted their
5:31 am
own standard and the sky hasn't fallen. so i feel as though companies , have probably figured out how to comply. i do have to say that i do think there's always a benefit to uniformity in terms of ease of compliance. but from what i can tell in the market, companies seem to be able to comply with this multiplicity of standards pics from use of compliance is one issue. >> that something we will hear about from the private sector they would prefer to know with the standards are and not to perhaps inadvertently not follow standard that's different state to state. but beyond that you know, it's about protection. it's about the consumer and the government security and so on. so do you think there's some benefit to that? in other words, having a high standard we can therefore ensure we have better security? >> of the critical aspects of one any kind of a breach notification standard, is the trigger for notification. i think that one on the earlier panel mentioned there's a 72 hour notice requirement ntv pr. i think there is from the perspective of someone who
5:32 am
focuses on consumer protection, i want to get notices that are useful. that are actually and actionable information. the worst thing we have seen in the breaches is piecemeal modification. one notice goes out and we thought this was breached and you should do this in response. and then another notice goes on. >> it adds to the frustration. >> this at to the frustration. you need to give the company time to investigate. in of they have to investigate quickly picked up in time to to -- picked up in time to investigate and figure out who was affected and what information was compromised and what consumers can do to protect themselves work as well as develop systems to respond. the 800 lines, credit monitoring and things like that. so you know, 30 days, 45 days something like that. we have a rule, the ftc has a rule that applies to breaches of certain healthcare information where the standard is as quickly as possible.
5:33 am
but in no event longer than 60 days. i don't know if that's the right cut or not? but you need to give people a little bit of time to conduct a thorough investigation. >> i don't disagree with that, but i think 60 days is excessive. could well be given them have nature and the potential for people's information to be compromised. on the administrative procedures act, i know you talked about that in your oral remarks. i think the administrative procedure act rulemaking does give us more flexibility. in other words, as i said earlier, with the previous panel want to respond quickly to her -- respond quickly to a changing threat because it is always evolving. unless it was specifically related to rulemaking authority for cybersecurity legislation, it could get out of hand. can you speak to that for moment, one do think rules under the apa are necessary and you think that will add flexibility?
5:34 am
how do you make sure it is responsive to the congressional actions we take on this issue? >> the commission has testified in favor of apa dual writ rulemaking for security only. i think what folks imagine would be of bill like several we've seen introduced where congress is companies you shall assess risk and develop a plan to keep data safe, and maybe provide some of the boundaries for what the program ought to look like. and ftc you shall have , rulemaking authority under the administrative procedure act. only for that, to execute that, that law. right? not apa-rulemaking authority for everything in the world. what we have right now, referred to by ms. cackly, rulemaking authority under the magnuson moss act, which requires us not only to do notices of proposed rulemaking and taking of comments, we have to do advance notices, whipped of hearings, issue interim reports, allow for interim appeals, what that
5:35 am
means, if not impossible to do. but what it means is that from from soup to nuts, a magma's rule takes us 10 years. >> the process is considerable. one final point. on the nonprofits you mentioned, and you said private carriers and nonprofits should be under the ftc rubric for this purpose. can you give us a couple of examples about this. -- examples about this? i think about hospitals for the have been breaches, as an example for sensitive medical information can be released inadvertently sometimes to hackers. >> right. so, hospitals, the issue of its medical information, healthcare information and at the hospital, then that will be covered by hipaa. and we work closely with hhs and the office of civil rights to enforce and administer hipaa standards. what we have seen with nonprofit hospitals are breaches of employee data. not covered by hipaa.
5:36 am
that's a real challenge. we've also seen breaches at educational institutions. and we have seen breaches at common carriers and there is, i think a bit of an open question about the federal communication commissions' authority. jurisdiction to address those issues. >> thank you senator harper? >> thank you for that eliminating testimony. i was sitting on the audience and i don't know what you're thinking about that you came to the table prepared. it's very much appreciated. one of the things is helpful to me is when we have a panel of well-informed, thoughtful witnesses. is to see where do you think you agree? where do you think you agree as a panel with respect to what congress should do next? a few can start us off ms. , cackly?
5:37 am
>> senator, i think where certainly my testimony and mr. smith's testimony were in agreement was around the need for a legislation, and what some of the elements of that legislation could include. which is to say, notice and comment rulemaking authority, civil penalty authorities. those were the things that would best help the ftc or whichever agency congress chooses, to invest with, with this issue, oversight over this issue, the necessary tools to be able to get the job done. >> all right, thank you. mr. smith, would you think of three of you agree on what we should be doing next? our to do list if you will? >> well, i mean particularly with respect to be statutory authority for the federal trade commission to make rules in the area of data security, and
5:38 am
enforce using civil penalties. and also the expenditure or the expanded jurisdiction. we agree on that book i agree with mr. gilligan from cis about the importance of these useful rubrics, like the cis critical security controls to educate businesses, and focus attention on things that really matter. for a lot of businesses, i believe or i think that data security is just sort of an insurmountable obstacle. it's beyond anyone's comprehension. these types of rubrics, i think him help businesses to focus of rubrics, i think help businesses to focus their attention the right place. we been the same thing this week with our glba safeguards rule. were we have the rule began life in 2002 and at the time was quite influential. but it is very basic. requires companies to have good data security, appoint people to be responsible and the new rule
5:39 am
-- which isomething somewhat longer. they offer more specifics about encryption and penetration testing. and some of the other best practices. which one, provides businesses with an audible standard, provides them with clear information about expectations, and also candidly, provides us more ability to enforce. >> mr. logan, would you agree? mr. logan i think there's : fundamental agreement it's a complex issue. of regulatorymber bodies, federal trade commission the one who have jurisdictions over part of our economy. one of the, the functions that the center for internet security provides is what we call, the multistate information sharing and analysis center. we provide underfunding from congress and dhs sponsorship, we provide security support for state, local, tribal and territorial governments. included in state, local, tribal and territorial the most every different domain you might
5:40 am
imagine. and they are all struggling dealing with cybersecurity. while i am personally not an expert in data breach reporting, i can say, the states and local governments are struggling trying to deal with all of the well-intended regulations that i mentioned in my testimony. and so, i think some consolidation of that and this, as iion in suggested, perhaps using something like critical security controls, really the technical foundation. that is where most organizations , and that needs to be continuously updated, that's what most organizations need to help focus. and as i said, the breaches that have been discovered, invariably are the result of failure to implement very simple controls in a conference of way. >> i asked myself together a handful of tips for consumers for regular folks, to follow if
5:41 am
they fought if they become a data breach victim. , not a short list comprehensive list, but one of those is change your password another would be to contact your bank or your credit card company. third would be to contact a credit reporting bureau. the fourth would be to sign up for credit monitoring, and that's for folks who have become a breach victim. mr. gilligan, what would you suggest consumers can do to protect themselves after they become a victim? any tips? mr. gilligan: well, i think it would be largely parallel to the list you just mentioned. one of the things i would recommend is that all consumers freeze their credit reporting. which is often a vehicle through
5:42 am
which the -- of their particular information is compromised. i think having good hygiene with regard to passwords, with regards to updates and security software, are also things that all consumers should do on a regular basis in order to protect themselves. mr. smith and ms. cackly? anything you would want to add to that list? mr. smith: i would direct consumers to our website for we have a tremendous amount of information about how to protect yourself. in the event of a data breach both the general information, as well as specific information. so for example, we have pages that are dedicated to tax identity theft. we have a page dealing with connected toys. just a couple of months ago in december of 2018, there was a phishing scam, where consumers , but weam from netflix
5:43 am
don't that specifically because it was important threat to consumers. we also build pages for the marriott breach, and the equifax reach that gave specific information for consumers who had received those notices about what they could do to protect themselves, including some of the measures that your staff mentioned. and finally, where consumers believe that they may be a victim of identity theft, they need to go to, which is operated by the ftc. their we have tools, such as the identity theft affidavit you can use, with the credit bureaus to have fraudulent information removed from your credit report. as well as, as well as receive other rights under the fair credit reporting act. >> thank you. ms. cackly, one last word. mrs. cackly i would say : consumers need to educate themselves. they need to understand what
5:44 am
data is potentially available to other, other people. what companies are collecting their data? and how they can set privacy controls potentially, or do whatever else they can to keep themselves safe. >> terrific. thank you. you had to wait here for a while to share your thoughts with us. but for us, it was well worth the wait and we thank you very much. >> i cannot tell you how much we appreciate the testimony, and also the ongoing work with us on this because we have some real expertise here. with regard to the ftc, i think i speak for senator carver, we want you to feel responsible. in other words, one of the concerns i've had is, there's so much of this going on, breaches some of which relates to private companies and some as you mentioned earlier, nonprofits. so many people are concerned about whether information is going, even if it's not a
5:45 am
business per se, you would normally think of as what we saw in the earlier panel. even any of these. these websites where you know, you are giving information and that information is given out to other people. folks want to know about it. and so i hope and maybe maybe we can do work on this going forward. that you all feel empowered to be that one-stop for the consumer. if they have a concern, they can go to your website in figure outcome and look what is going on with the specific issue as we talked about earlier. there's been a breach of the big company and they can find out what information is about how they can protect themselves. but also just general information. i assume you feel you have that responsibility already. but we want to be sure whatever legislation we do, squarely puts that responsibility frankly and accountability on the ftc. any thoughts on that? are -- the country's
5:46 am
only general jurisdiction consumer protection agency. so of course we have a lot of , consumer protection agencies. that fda or the securities and exchange commission or the banking agencies. we're the only ones who take a general view to the whole marketplace. and we believe that we are the best equipped to address, should congress pass legislation with respect to data security or privacy, we believe we are the enforceipped agency to and administer that statute. not only because of our more than 20 years experience with privacy and data security, in fact, if you look at the fair credit reporting act, that statute has been around since 1970. and we had been in charge of enforcing and administering it. but also just our general know -how with respect to how to protect consumers. and our focus on consumer harm. whether it's deceptive practices or unfair practices.
5:47 am
and we have the goods to show for it. right? we brought 60 cases plus in the data security area. and the same in the privacy area. and finally, i would say, i that we, unlike an agency has specific jurisdiction, i think we are less susceptible to capture. if you look at the more than 100-year history of the ftc, we have proven remarkably them into that. and i would worry about a special agency to deal with privacy in terms of the potential for regulatory capture. maxwell again, i think -- >> well, again, i think that is consistent with where we would like to go with legislation. just to affirm that and make sure there's a clear line of responsibility. my final question is about ohio , of course. and it's to mr. gilligan because he mentioned ohio in his list of states and countries that have it in place some kind of a internet security control system. we have recently in ohio,
5:48 am
--ablished are due established our center for internet security controls, as a standard for cyber defense after passing the ohio data protection act. could you discuss briefly the role of the cis roles within the ohio data protection act and how legislation of this kind can incentivize companies to implement some of these baseline cyber controls we talked about today? >> thank you, senator. is one ofegislation the groundbreaking legislations, and that, for the first time, it provides specific guidance with regard to expectations for cyber security. as you mentioned, it does reference a couple of the federal guidelines. missedreferences several documents. critical security controls is really one that provides specific implementation guidance. so, we believe that's the type
5:49 am
of guidance that is required. as you know, the ohio legislation is voluntary. and the intent of it is really to provide positive incentives to those doing business within ohio, to improve their status of cyber security. and we think that sort of the right way to go. to provide a clear definition of what are the expectations, encourage through positive organizations to comply with those best practices. and to serve as an example for industry as well. --thank you, mr. gilliam gilligan. mr. carper? >> i just want to thank a couple of members of staff by name. and serve for the records, names of other folks who worked on the spec we've been at this for a while and some people have come and gone. i want to add those names for the record. majority staff andy gottman,
5:50 am
patrick warren for their hard work, and the others i know as well. minority staff, i want to thank john holdridge. our law clerks, kaelin burnett helps prepare for this hearing. and we have a number of folks former staff, former law clerks , who have gone into other pursuits, but we are grateful, and i want to enter those names for the record. as well as the people and the folks who help us. >> thank you, senator carper. and again, thank the witnesses for their further testimony this morning. we are very informative. and i also want to thank the staff senator carper for leading on this important issue of protecting consumer information. that is how we work here. it is a nonpartisan approach. my staff also is deserves recognition for doing a great job and working, i think with
5:51 am
, the witnesses and others to make sure this is a thorough investigation. as with other investigations we are looking into other investigations. i look forward to hearing from senator harper park the hearing record will remain open for additional comments or questions by subcommittee members. with that, this hearing is adjourned. [captions copyright national cable satellite corp. 2019] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit]
5:52 am
5:53 am
5:54 am
>> there's no apparent loss to the commercial use it appears to me at least this is a government and does not some crime significant of criminals. >> is it china? >> i think there is pretty good evidence suggesting that is where it is coming from. >> there's work for all of us today. themselves, the
5:55 am
private sector, they have financial incentives. the customer protection has worked for commerce city. we've passed a lot of legislation. we need to do comprehensive oversight hearings to find out what is working and what is not. the responsibility of the federal trade commission, the fbi, department of homeland security. are we working together? one of the reasons why i decided three years ago, there was a drop in hacks by the chinese and iranians was because we started working with them in a more collaborative way. and that has gone up in smoke in the last couple of years. we are seeing a simultaneous rise in the attacks going on. and from china. >> i introduced my first bill on notification basically three things, companies have a responsibility to protect sensitive information.
5:56 am
number two, when there is a breach and needs to be -- it best, ande in the number folks have to be three, notified. and they are risk for we had another piece of legislation essentially said they have 50 states passing their own and we need a national standard international direction. my hope is one of the things that will flow from this hearing is that we will actually do now that common ground. we have a lot of different jurisdictions and federal agencies. we got to get on the same page. >> making sure they are on the same page. from you and senator porter, is anybody tells working on this? workedave folks who have for me for a number of years. you have senator boone, on the commerce committee. now we have the senior democrat on the commerce committee maria
5:57 am
cantwell who knows a thing or two. was in the senate her more knowledgeable about these issues than some of them have been here for a long time. this is a good time. -- this is a good time to take stock. for senator portman, to provide as much as we can to get the job done from the data privacy bill? >> there's a bunch of bills that a been introduce. a number of things have been interacted over the last six or seven years. we need to find out what's right and what's not. and in terms of notification, breach notification, the focus on prevention, focus on employment, people from they have been breached have been notified. we need to do that and do it right. we need a common sense federal standard to get the job done. >> thank you. >> thank you.
5:58 am
♪ >> c-span's "washington journal," live every day. we will preview the week in washington. a discussion about paid family leave. be sure to watch c-span's "washington journal," live at 7:00 a.m. this morning. join the discussion. >> the house rules committee meets to work on a resolution calling for special counsel robert mueller's report to be made available to congress and the public or it that is live monday at 5:00 p.m. eastern on


info Stream Only

Uploaded by TV Archive on