Skip to main content

tv   Senate Homeland Subcommittee Hearing on Data Breaches  CSPAN  March 18, 2019 10:18pm-12:56am EDT

10:18 pm
p.m. eastern,:45 president trump holds a joint news conference with the c-span.n president on on c-span2 at 9:00 a.m., inter-american dialogue hosts a discussion on corruption in venezuela. at. 2:30 p.m., outgoing fda administrator on his tenure. on c-span3 at 9:30 a.m., the u.s. institute of peace hosts a panel on crimea five years after russian occupation. next, the ceos of equifax and marriott international testify on recent data breaches at their companies. the senate homeland security subcommittee on investigations, whether these companies neglected cyber security, putting customer data at risk. breach effort
10:19 pm
than with hundred million guests. the equifax breach affecting with an 145 million consumers. this hearing is just over two and half hours. >> the hearing will come to order. it seems no industry is immune to data breaches. some of the biggest breaches we have seen recently include google, uber, facebook. government agencies have not been immune from this. they have also suffered significant breaches including over 20 million security clearance files, background files held by the office of personnel management. locating network vulnerabilities that hackers can exploit to gain access to sensitive information is a key issue. actually, senator hassan and i have worked on this with some specific legislation.
10:20 pm
she's here this morning. earlier this year, the president signed our hack d.h.s. act as an example, into law, which will strengthen d.h.s.'s cyber security, using whitehat hackers to locate previously unknown vulnerabilities in the department's systems. last night, senator carper and i released a report on how the equifax data breach occurred and how hackers were able to steal personal and financial data from over 145 million americans. that report documents how equifax failed to follow basic cyber security practices and protocols which prevented the company from identifying and patching an exploitable vulnerability on its system. during the course fof our investigation, the company failed to preserve important documents related to the breach. equifax employees told us they frequently used a chat application called microsoft link. when equifax discovered the breach on july 29, 2017, the security team used the chat platform to discuss the system and even the company's response.
10:21 pm
our report uncovered the equifax did not issue a notice not to destroy documents related to the breach until august 22, 2017, and failed to set the chat platform to archive any of these chats until september, a month and a half after the breach was discovered, again, back on july 29th. prior to september 15, equifax was not archiving any link chats based on its own document retention policy. counsel for equifax told the subcommittee they could not find any of the chats equifax employees told us about documenting the discovery of the breach. as a result, the subcommittee is left with an incomplete record. and so are the american people. after discovering the breach, equifax waited six weeks to disclose to the public on september 7th, 2017, that hackers had compromised its collection of personal and financial information, again, on
10:22 pm
over 145 million americans. adding to this delay, the hackers had access to the information since may 13, 2017, three months before they were discovered. equifax's chief executive officer, mark begor, is here today to discuss the report's finding. we're going to hear from arne sorensen, marriott's chief executive officer on the data breach his company occurred in -- his company disclosed in november, 2018. that breach of the starwood database occurred two years before starwood acquired marriott in november of 2015. but it wasn't the first time starwood had suffered a data breach. in november 2018, marriott announced it had discovered a hacker that had accessed the starwood guest reservation database. at the time, starwood stated that it had discovered malware on some systems at hotels designed to steal credit card information at the point of sale. starwood stated that it did not affect the guest registration database. in november 2018, marriott announced it had discovered a hacker that had accessed the starwood guest reservation database. marriott's investigation
10:23 pm
determined that the hacker had access to guest information related to 383 million guest records since 2014. as part of that database, the hackers also gained access to over 23 million passport numbers and 9.1 million credit card numbers, most of which were expired. marriott learned of the breach on september 8, 2018, but waited almost 12 weeks to notify the public on november 30, 2018. the goal of today's hearing and the subcommittee's report is to fully understand these breaches, but also to focus on the future. to focus on solutions. companies and government agencies alike must take steps to better protect the data consumers and trust to them. t to them.rs entrus that is clear. and when that data is compromised, we need to know as soon as possible so we can do everything we can to ensure criminals are no longer taking advantage of us as consumers. that seems clear. so i look forward to working with my ranking member, senator carper, and others on this committee, including the chairman, senator hassan, and ensuring that we can move forward with legislation that ensures both the protection of consumer data and prompt notification when data is compromised.
10:24 pm
i also want to thank senator for their his staff dedication to these issues, and to him and his staff for leading this investigation. with that, i turn to senator carper for his opening statement. senator carper: thanks, mr. chairman. thanks to both of our witnesses this morning for joining us. i want to take a moment to say a special thanks to members of the minority staff, the majority staff, who worked hard for months to prepare us for this day. according to a 2017 study by the pew research center, the vast majority of americans have personally experienced a major data breach. my guess is most of us in this room on this side of the panel are among them. about half of our country believe their personal information is less secure than it was five years ago. our subcommittee initiated investigation into the causes of private sector data breaches shortly after equifax announced its breach in the fall of 2017.
10:25 pm
as we conducted our work, a seemingly endless stream of new, high-profile incidents were announced. one after the other, well-known companies including google, facebook, t-mobile, orbitz, saks fifth avenue, lord and taylor under armour, eventually , marriott, announced that they too had suffered breaches. we thank you for your appearance today and for your help in better understanding how these private sector data breaches occur, and walking be done to prevent them -- what can be done to prevent them, including the steps we can take. while my colleagues and i will have some tough questions for you, our goal here is to ensure the mistakes in the oversights that contributed to the attacks your company suffered are well understood so that other american businesses are less likely to fall victim to hackers. will tokers were it
10:26 pm
obtain someone's personal information, the consequences are real. in 2017, if you study found that more than 40% of individuals pulled had discovered 41 charges -- a pew study discovered that d0% of individuals polle had discovered fraudulent charges on their credit cards. several of those things have happened to my own family, as i suspect to the families of many of us in this room. victim isa breach fortunate enough to avoid becoming a victim of crimes like these, they often deal with years of hassle and laurie as they swap out compromise credit and debit cards, change their online passwords, and monitor the bank accounts and credit reports for suspicious activities. ofen the vast amount information collected on consumers these days and the skill and relentlessness of the hackers seeking to steal that information, it is critical that
10:27 pm
businesses make cyber security a priority. at the very top level of a company. welloard, the ceos, as some of constant stream of data breach notifications we see your in and year out means we could and should be doing better. my colleagues have heard me say many times that anything i do, i believe i can do better. in this particular area, we need as a country to do a lot better. equifax and is two main competitors will have built their business models around a collection and dissemination of consumers' most sensitive financial information, including names, nicknames, dates of earth, social security numbers, telephone numbers, current and former addresses and account numbers. this data collection is not something that consumers can opt out of.
10:28 pm
get it reporting agencies collect personal information without our knowledge or even our explicit authorization. the retail chain gets hacked, a first and can opt not to shop there any longer. because doing so makes them uncomfortable to read they cannot however keep their information away from equifax. knowing this, you would think protecting sensitive information that its entire business relies on would be equifax's top priority. the information obtained by this subcommittee and included in a reportsan illustrates a years-long neglect of basic cyber security practices and decisions by officials to prioritize doing business over security. in 2015, equifax officials learned through internal audits that the company's i.t. system was riddled with thousands of unpatched vulnerabilities, hundreds of them deemed critical
10:29 pm
high risks. they also learned that the company lacked immature inventory of its i.t. assets, difficult toe address problems as they arose. by the time the department of homeland security announced in march of 2017 that versions of the web application software apache struts included serious security flaws, equifax had still not properly responded to or many 15 audit findings brought its cyber security practices in line with industry standards. despite being informed that the announced flaw in apache struts was dangerous and easy to exploit, equifax officials appear to reproach of a challenge it presented with no sense of urgency whatsoever. scans of the company's networks failed to find a version of apache struts it was using, and
10:30 pm
key staff in position to make the enhancement to cyber security were left off internal communications. the vulnerability was discussed in a regular security meeting held in march and april of 2017, but it is not clear who attended the meetings. senior managers interviewed by the subcommittee were normally in charge and they told subcommittee staff they did not directly attend the meetings themselves. former top equifax officials were interviewed and were very frank about the priority be placed on cyber security. security official told is subcommittee staff met "security was in first." ," at equifax. that is an understatement.
10:31 pm
the officer was extremely dismissive of the importance of key security processes during his interview, saying he considered the patching of security flaws to be a quote "lower-level responsibility, that was six levels down from him." there is no evidence that these two individuals are in a other top executives at equifax directed staff to take steps to date the company's i.t. asset inventory and conduct a thorough search for vulnerable apache struts software. lackh -- this lack of initiative would be better enough o on its own. but equifax failed to monitor malicious web tracking and allowed its tools created to monitor malicious web tracking to expire. nobody saw them coming. what's more, nobody discovered
10:32 pm
, 78 days after the hackers first gained entry. during the 78 days the hackers spent inside of equifax's i.t. network, they accessed multiple data repositories of 145 million people, and probably half the people in this room are among them. there were tools available that could have sent alerts to equifax staff as hackers informationthat in the database, but equifax had not install them. hackersifax found the at the end of july of 2017, equifax executives waited an additional six weeks before letting the public know what had happened. six weeks. because equifax was unaware of all the assets it owned, unable to patch the apache struts vulnerability and unable to
10:33 pm
detect attacks on key portions of its network, consumers were left unaware for months that terminals had obtained their most sensitive, personal and financial information. consumers are also a number that they should take steps to protect themselves from fraud. importantly, these failures stand in stark contrast to the appearances of trans union and experience, which was quickly identified and addressed the same apache struts vulnerability and have not announced data breaches. i have a friend and if you ask him how he is doing, he says, compared to what? i think the obvious question here is, for equifax compared to trans union and e xperian. the data breach announced by marriott doesn't appear to have been caused by the same kind of indifference to cyber security. data indicates that marriott
10:34 pm
inherited this attack through starwood.ition of but besides the breach, up to 500 million people are reported to have been affected at one point. it requires that we take a closer look at what happened and why. i have questions about marriott's data retention policies for example. i understand why hotel chain might collect passport information in some cases, but i don't know what it would need to maintain records of millions of guests, passport numbers, as appear to have occurred in this case. this also raises questions about the way security concerns should play a role in acquisitions. marriott had actually been attacked
10:35 pm
before. despite this, marriott chose to initially leave starwood's security system in place after acquiring the company. we need to learn more about the priority that marriott executives chose to place on addressing security flaws at starwood as it worked to integrate its system into its own. what we do know today is that large-scale data breaches are not gong to stop. we can't afford to shrug our shoulders and write them off as a cost of doing business. approaching cyber security challenges with this frame of mind, and real harm that can occur both to consumers' pocketbooks and to the companies' bottom lines. here in congress, i think it's long past time for us to come to agreement on a federal data security law that lays out for private industry what we expect from them both in data protection, in data breach notification. we also need to ensure that the system we established for
10:36 pm
sharing information and cyber threats and cyber security best practices is as effective as it can be. and is updated over time. if a company is as large and sophisticated as equifax can fail so badly at implementing basic cyber security practices, we can certainly do a better job making clear what will and won't work when it comes to blocking hackers and preventing data breaches. my thanks again, mr. chairman, for the work that you and your staff, my staff, putting this complex and important issue, we look forward to hearing from our witnesses today. again, thank you for joining us. >> thank you, senator carper. i'd like to call the first panel of witnesses. first, we have mark begor who is the chief executive officer of equifax. he served in that capacity since april 2018. again, as we just heard, the equifax breach occurred was discovered in july of 2017. >> second, arne sorenson is here, president and chief executive officer of marriott international inc. he's held that position since 2012. again, as we just heard, marriott acquired starwood in
10:37 pm
2016. the breach occurred at starwood in 2014 and was discovered in 2018. we're also going to swear in someone else this morning, the current chief information security officer at equifax. it was requested should mr. begor need some special expertise, technical assistance. so i'm going to ask you to raise your hand as well. it's a custom of the subcommittee to swear in all of our witnesses. so at this time, i'd ask you all to please stand and raise your right hand. please repeat after me. do you swear the testimony you will give -- i'm sorry, just respond to this. do you swear the testimony you will give before the subcommittee will be the truth, the whole truth, and nothing but the truth so help you god? let the reportcord reflect the witnesses all three answered in the affirmative. gentlemen gentlemen, all your written testimony will be written in the record. i ask you try to limit your oral testimony to five minutes. mr. begor, we'll hear from you first.
10:38 pm
>> chairman portman, ranking member carper, and distinguished members of the subcommittee, thank you for the opportunity to be here today. i'm mark begor, chief executive officer of equifax. with me today is jamil farsey, our chief information security officer. let me begin by expressing my personal regret for the disruption that our 2017 cyber attack had on millions of americans. cyber crime is one of the greatest threats facing our country today. u.s. corporations are continual continually fighting criminals
10:39 pm
that operate outside the rule of law and attempt to steal data for their own gain. these attacks are no longer a hacker in the basement attempting to penetrate a company's security perimeter, but instead, are carried out by increasingly sophisticated criminal rings and even more challenging nation states that are well funded or the military arms of nation states. these attacks on u.s. businesses are attacks on u.s. consumers and are attacks on america. this war is getting more challenging and more sophisticated and there's no end in sight. fighting these attackers will require cooperation between government, law enforcement, and the private sector. we appreciate that members of this subcommittee have
10:40 pm
introduced legislation that promotes this type of partnership and we support these efforts. the fact that equifax suffered a data breach does not mean the company did not have appropriate data security program or that the company fail to takeed to take cyber security seriously. i understand that before the attack, the company's security program was well funded and staffed and leveraged strong administrative and technical safeguards. in april 2018, when i joined equifax, i made a personal commitment. internally and externally, to building a culture within equifax where security is part of or dna and committed that equifax would be an industry leader around data security. i'm proud of the leadership, cultural enhancements, and investments that equifax has made over the past 18 months. we've added experienced senior leaders and board members to enhance our security and technology skill sets and in 2018, alone, we added close to 1,000 incremental security and i.t. professionals to our team. between 2018 and 2020, we are increasing our technology and
10:41 pm
security spending by 50%, totaling an incremental $1.25 billion. we recognize that being an industry leader means actively sharing our security learnings and best practices. we have been openly sharing all of our cyber learnings with our customers, our competitors, entheen the the u.s. government and the rest of the private sector. last year, we established a number of meaningful security partnerships that will help raise the entire security community by leveraging our joint learnings. in addition to the goal of being a leader in data security, equifax has been working diligently to support u.s. consumers. when equifax announced the cyber attack, its response was guided by a desire to focus on helping and supporting consumers first. since the 2017 incident, equifax has invested more than $80
10:42 pm
million to assist impacted consumers. when we announced the incident, we offered an identity theft and credit monitoring service free for all americans regardless if they were impacted by the cyber incident. last november when that service was nearing its end, equifax voluntarily extended that protection for another year. going forward, we are investing over $50 million to make it easier for consumers to interact with us. both over the internet and in our call centers. we want to make sure we are a consumer-friendly credit bureau at every step of the way.
10:43 pm
to close, i'd like to thank chairman portman for holding this hearing. equifax is committed to our commission to become an industry leader in data security, and we are investing unprecedented resources in technology, security, and people. thank you, again, for the opportunity to testify and for your focus on protecting american businesses and consumers from arne m. sorenson cyber attacks. >> thank you, mr. begor. mr. sorenson, i want to hear from you. >> chairman portman, ranking member carper and members of the subcommittee, thank you for the opportunity to testify today. the subject of the subcommittee is tackling private sector cyber attacks is an increasingly urgent one. one that has hit marriott directly with the data security incident we announced on november 30th, 2018. we deeply regret this incident and are committed to determining how it occurred, supporting our affected guests, and enhancing security measures to protect
10:44 pm
against future attacks. for 91 years, marriott has been in the business of serving people. we began as a small family business in washington, d.c., serving hamburgers and root beer at hotshops. today we're a global hospitality company conducting operations in all 50 of the united states and 130 countries and territories. throughout that time, we have built our reputation by putting people first and focusing on the care of our guests. as a company that prides itself on taking care of people, we recognize the gravity of this criminal attack on the starwood guest reservation database and our responsibility for protecting data concerning our guests. to all of our guests, i sincerely apologize. we are working hard every day to rebuild your confidence in us. because this incident involved a starwood dabts,tabase, let me provide background on the merger of marriott with starwood. signed a merger agreement with starwood in november 2015 and quloez closed the transaction in
10:45 pm
between september 2016. we conducted an assessment on integrating the two systems although this inquiry was legally and practically limited by the fact that until the merger closed, starwood remained a direct competitor. we made the decision to retain marriott's reservations system as the central system for the combined group of hotels and to retire starwood's system. migrating all of starwood's 1, 1,270 hotels onto marriott's system, while avoiding disruption of the reservation process, was a significant undertaking that took us about two years. we made additional investments
10:46 pm
to enhance security of the system while it was operating. following discovery of the incident, we accelerated retirement of starwood's reservation system and as of december 18th, 2018, are no longer using the starwood guest reservation database to conduct business or operations. until our investigation of the incident announced on november 30th, we were unaware that the starwood guest reservation database had been infiltrated by an attacker. our investigation was initiated following an alert on september 7th, 2018, from a cyber security tool.
10:47 pm
in response, our i.t. team swiftly implemented containment measures. we retained industry experts to conduct a forensic investigation and deploy additional defenses. unraveling the scope of the attack required extensive forensic work by experts. we also contacted the fbi, which continues its investigation. as our investigation unfolded, we learned the intruder had been in the starwood system since 2014. on november 19th of 2018, we determined that the intruder had accessed files containing personal information of guests who had made reservations at starwood properties. we believe that the upper limit for the total number of guest recordeds involved in this incident is approximately 383 million. what do we mean by guest records? take my name for an example, which is in the database multiple times with variations such as arne sorenson. other times with my home address, other times with my business address, and again without any address. each entry represents a separate
10:48 pm
record even though they all relate to one person. we cannot confidently determine whether records with similar names or even identical names represent one person or multiple people, but we know that the information for fewer than 383 million unique people was involved. in the days immediately after november 19th, we worked quickly to make sure that we could share useful information with our guests. on november 30th, we provided broad public notice of the incident via press release and notification banners across marriott and starwood websites and apps. we stood up a website with consumer information in multiple languages as well as call centers to answer questions and offered guests free web monitoring services among other steps. in assessing the impact of this event, you should know that starwood did not keep guests' social security numbers and the overwhelming majority of payment card information was encrypted. to date, we have not found data removeded from the starwood database on the internet or dark web which we continue to monitor. finally, we know this is a race that has no finish line. cyber attacks are a pervasive threat. we are committed to responding to these evolving threats with a layered defense approach and continuous improvement. our founder, jay willard marriott, was fond of saying success is never final. we're applying the critical review process to learn from the incident as we work diligently to regain the level of trusts that our guests have come to expect from us over the years. thank you, and i welcome your
10:49 pm
questions. >> i thank both the witnesses for their statements and i think they make a good point that this is a matter that requires cooperation between government and the private sector at every level. i'm going to delay my questioning until we have a chance to be sure that our two colleagues who i know have other commitments have a chance to ask theirs. so for this first record, i will be coming back and asking some questions. i want to give them a chance first before they have to leave. and i now turn to my ranking member, senator carper. >> senator hassan, if you have other obligations, go ahead, ask your questions. all right. thanks. again, thank you. as, again, used to say, people may not remember what you say, but they may not remember what you do, but they'll remember how you made them feel. maya angelo. people may not remember who you said, may not remember what you do, they'll remember how you made them feel and first i'm going to say i was glad to hear both of you apologize. i say to my kids who are now grown, the three post important words are please and thank you and the couple others that mean a lot are i'm sorry, especially when we screw up, and especially
10:50 pm
with respect to equifax. the amount of screw-up is just almost unbelievable. equifax has known since 2015 its approach to cyber security was lacking, and among other issues equifax learned that during an internal audit that was conducted that year, that the company had left a number of critical and high-risk security flaws unpatched. the company also learned it lacked a comprehensive i.t. asset inventory meaning it would be difficult to address new security issues as they were brought to the company's attention. when the department of homeland security informed the public about a major security risk, in
10:51 pm
certain versions of apachestruts, apparently very commonly used piece of software, it also told the public that the vulnerability was easy to exploit. knowing all of that, equifax relied on the same flawed policies and procedures which ultimately failed to identify the presence of the vulnerable versions of apachestruts. equifax circulated a notice about the vulnerable to an e-mail list that did not include application owners. the issues on the agenda of two meetings that seennior leaders failed to attend regularly and conducted repeated scans that failed to identify the vulnerability which allowed hackers to access the online dispute portal. mr. begor, if equifax knew that it lacked a mature inventory of its i.t. assets, why didn't senior i.t. and security officials, staff, do more to improve the inventory before the 2017 data breach? specifically, why did equifax fail to conduct a follow-up
10:52 pm
audit after the 2015 review to determine whether the company had made progress in addressing its patch management issues? >> ranking kmeb, inging member, i think as you know, r i joined in april 2018 in the first few weeks of joining equifax, i went into great detail about, you know, the forensics on what caused the breach, what our routines and processes were in place at the time, and as i stated in my testimony, you know, there were controls in place that clearly weren't strong enough and, you know, we've taken great steps since then. we've doubled the size of our security team. i talked in my testimony a few minutes ago about our increased spending on data and security and our approach to making security central to the dna of the company. we also changed the incentives in the company. we're very unique, i think, in corporate america, in our bonus system which the top 3,900 out of 11,000 employees participate in an annual bonus, 25% of that bonus is tied to cyber security.
10:53 pm
that went in place in 2018. it's continuing in 2019, will continue going forward. and, rarngnking member, that incentive is only punitive. meaning, if we don't make progress on our security improvements, if we don't take our security forward, you can only reduce the individuals' bonus, including mine. there's real making security part of our dna is quite critical. i'll also say, i think mr. sorenson said the same thing, this won't end. meaning you can never be good enough in the the investments and spending will continue, and as i pointed out, we've increased our technology and security spending in '18, '19 and '20 by 50%. so, security is a top priority at equifax, it's a top priority of mine and the board and the leadership team and the whole organization going forward. >> i spent a lot of years in my life in the navy.
10:54 pm
retired navy captain. and vietnam veteran. and we have a standard in the navy and a process in the navy that says if the mark begor captain of the ship is asleep in his or her ward room in the middle of the night and the ship runs aground, the captain of the ship is held responsible. has that happened in this case? >> in my view, senator, it has. you know, i think you know the prior ceo is no longer with the company. the prior cto is no longer with the company. if you look at our technology and security organization, we've upgraded really strong talent in probably two-thirds of both of those organizations. and as i talked about, you know, we've added significant resources. a thousand incremental people. we have 10,000 people globally at the beginning of last year. at the end of last year, 1100, and those were all in security and technology. so, there was a lot of accountability. i wasn't there, but there's a
10:55 pm
new team at equifax that takes security intensely seriously. >> equifax's competitors which have the same extremely sensitive date on american consumers as equifax operated with a stronger sense of urgency. once they learned about the apachestruts vulnerability. and as you assume the leadership of this organization, you must have wondered why, if they're doing this, why didn't we at equifax? and we've asked what you've done. i explained a bit about what you've done to change the culture of our company around cybersecurity. if you are advising other companies, mark begor whether they happen to be companies that deal in the business you have your business model, what advice would you have for those other companies today? >> first is, it's a war.
10:56 pm
and i think the -- mr. sorenson said the same thing. i think this committee understands that. that these criminals, other actors that are attacking u.s. companies are increasingly sophisticated. we get attacked multiple times per day and the system we have now, i get an alert on my phone from my chief security officer and his team when there's an attempted attack on equifax. and point one is, it's not going to go away. and point two is, we really applaud the committee's focus on sharing best practices. and i think as the senator may know, that's challenging sometimes for a company that goes through a data security breach to be open about actually having it. and these forms i think are critically important. when i joined equifax in april, my first call was to my two competitors and what i told both of them was there's no trade secrets around data security. this is a war we face as an industry. it's a war we face for american
10:57 pm
companies as you pointed out, for the government. and it's one that's not going to end, and we applaud the idea of sharing actively what we're learning from each other. what are those ip address that are known bad actors. if one company knows it, let's make sure the next company knows it and share those so we can build our defenses up because it is increasingly sophisticated and challenging. i'll close this round with this thought. the constitution of our country country was first ratified in delaware december 7th, 1787. we ratified before anyone else had. the very beginning of the constitution starts with these words in the preamble. we the people of the united states, in order to form a more perfect union. doesn't say to afford a perfect union -- a more perfect union. our goal in this realm has to be perfection. knowing we'll never get there, but we need to strive for that. thank you. >> senator hassan. >> thank you, mr. chair, and thank you ranking member carper for your bipartisan leadership
10:58 pm
of this committee. and thank you to both of our witnesses for being here today. let me start with a couple of questions, mr. begor, to you. you said in your testimony that you believe despite some errors, equifax took cybersecurity very seriously even before the 2017 breach. i know that the 2017 breach occurred before your time at the helm of the company, but the facts presented in the subcommittee's report make clear that the company's pre-breach security practices were really not in keep with serious cybersecurity practice. the report shows that equifax had forgotten to update a security certificate known as an ssl certificate that encrypted data transfers between equifax's customers and website. when equifax developers attempted to install new certificates, they realized that some of the old ones had expired as much as eight months earlier. that failure led to the
10:59 pm
exploitation, as you've acknowledged, of millions of americans' data by what appears to be chinese hackers. equifax should have routinely audited its ssl certificates to make sure they hadn't expired since these certificates can only protect user data when they're current. so, let me just ask you a few questions. when equifax sought to upgrade its ssl certificates on july 29th, 2017, how many expired certificates did your team come across, and how many of the certificates had been expired by more than a day? >> senator, i don't have that information in front of me. if you'd like me to, i could ask my chief security officer if he could help with that question. >> that would be terrific. thank you. >> good morning. >> good morning. unfortunately, i also was not at equifax during the time of this
11:00 pm
incident, and so i don't have that information with me right at this moment, but i'm theep go back to the team and -- sen. hassan: does the company have that information? >> i believe we do, us. sen. hassan: and do you know if any of these certificates had been expired for more than 8 months? >> unfortunately, because i wasn't there, i don't have the specifics on the certificates exactly. sen. hassan: i would expect that even though you weren't there that you would know this or have access to it because it seems to me that is the type of investigation and understanding that you would want to develop moving forward. >> senator, if i could just add. as you might imagine, we have a much different process today, much more robust. we know exactly which certificates are expired, which ones are critical. they're risk rated.
11:01 pm
we also do automatic scanning. it's a protocol that would be quite normal in today's environment. and we're always, we're continually investing in new technologies to make sure we stay in front of that and are very rapid around addressing those. sen. hassan: so you are routinely auditing your ssl certificates now? >> yes. sen. hassan: i'm seeing nodding, too. ok. and you are making sure that they are current and they're not in danger of imminently expiring? >> that's correct. sen. hassan: ok. would you support a law that would require companies like equifax that deal with millions of americans' personal identifiable information to adhere to clear cybersecurity standards and practices such as auditing your security certificates on a continuous basis, established and enforced through your regulator? >> first, senator, i agree that equifax is in a unique situation with the data we hold versus most companies. we understand that and take that quite seriously. with regards to all of the elements you talked about, those are standard protocols for us today and things we're following as a company. really the highest standards of data security. with regards to legislation, you know, we'd be happy to work with your office and understand what's the right legislation to move forward, but we're doing
11:02 pm
things you talked about. sen. hassan: i understand you're doing things but you're doing things after a major breach and what i want to make sure is that americans whose information is in custody of an entity they may not know anything about don't have to wait for there to be a breach before companies start doing what they should responsibly do. we are, we have all discussed this is an ongoing threat. it's been an ongoing threat for a while. and we need to make sure that there are standards in place just the way we have safety standards in many other industries. let me move on just to another aspect to this. it appears in the psi report that one of equifax's biggest weaknesses was that the company's policy made individual developers responsible for identifying and patching vulnerabilities in the software they used, rather than relying on a full company effort to address any vulnerabilities. and as senator carper mentioned, unfortunately when dhs alerted equifax to an urgent and
11:03 pm
critical vulnerability in a piece of software called apache struts, the single developer who was using the software was not notified by his superiors about dhs' urgent message about those vulnerabilities. as a result, that developer was unaware of a critical vulnerability that eventually was exploited by hackers. you mentioned in your testimony that human error was certainly part of the problems that led to the breach. we've all acknowledged that up here, too. however, human error happens at every level of government and every level at the private sector. so it's incumbent upon security professionals and leaders of any security system, government or private sector, to build in extensive redundancies to mitigate against inevitable human errors. so it appears that prior to the breach, equifax had not build in
11:04 pm
-- had not built in those redundancies and as a result, human error became a single point of failure in a critical cyberattack. what redundancies has equifax built in to its system to ensure human errors never lead to this kind of breach? >> senator, we agree that a single point of failure is one too many, which is where we have a number of redundancies. i'd ask my chief security officer to talk in more detail? >> i'd be happy to. yes, one of the key tenets of our program is assurance. we want to make sure we have as many layers of security as absolutely possible because we know that any given control may fail or may be bypassed from a sophisticated attacker. as it relates to patching, we have updated all of our processes. we've implemented automated tools to be able to help reduce the reliance on human error. we've established patch champions, individuals
11:05 pm
specifically accountable for the implementation of these patches across the entire enterprise. and then an automated tracking system as well to be able to continue to track and manage these. i would mention one other one on the back end. we continuously scan our environment. so we, again, don't just rely on one system, one process, one individual. we have a belt and suspenders approach across the entire program. sen. hassan: thank you. that's helpful. and i appreciate your indulgence, mr. chair. mr. sorenson, i had a question for marriott. i'll submit it for the record. i want us to think about what standards companies should have when they merge that might help us make sure that we're getting to problems before they are breached. thank you. >> thank you, senator hassan, we will continue to work with you on these issues you raised today and others. i'm going to reclaim some of my
11:06 pm
time now. i'll be back with more to follow up on the points that senator hassan made. she talked about updating certificates on the website. she talked about building in redundancies. again, mr. begor, you, in your testimony, were pretty confident that they were doing the right things by saying that the program also leveraged strong administrative and technical safeguards, and subject to regular ongoing review through external and internal assessments. and there is a third concern that i have that i think we need to raise this morning and be sure that we're aware of a lack of follow-up, really, to an audit that was done. there was a 2015 audit of the security of your system. it found over 8500 known critical, high or medium vulnerabilities on equifax systems. so here's an audit discovered these vulnerabilities. these vulnerabilities had not been patched when the breach
11:07 pm
occurred. and many were over 90 days old. a copy of that audit is there with you on the witness table. i've had it for you all to look at this morning. i'm going to ask that that 2015 audit be made part of the record, without objection. so my question for you is, how does a company that at that time as you indicated placed a high priority on cybersecurity allow 8500 vulnerabilities to exist unpatched on its systems in and, of course, my follow up, since you've become ceo, and you've stepped in and aggressively tried to address these issues, have you addressed these patching vulnerabilities on equifax's systems? how could that have happened, and then what has been done? mr. begor: thank you, senator. as you point out, i was in there. -- i wasn't there. i spent quite a bit of time looking at the past. i'm a big believer that we want to learn from mistakes and learn from things that weren't going as well as they could be. and i've tried to be quite clear and i will be clear right now that there's no question what we did in the past we can do a lot better today and tomorrow and we already have.
11:08 pm
we've made massive changes in our security protocols, our infrastructure, the involvement of the organization. as i mentioned earlier, we brought in really top talent. it starts with people leading these organizations. i think the senator may know that the cso reports directly to me and has a line into the board to our technology committee, which is a best practice in many companies. and we've, you know, added, doubled the size of his team. with regards to your specific question around audits and patch management, we've doubled the size of our audit team and as a new element, we've added i.t. or cyberexperts as a part of our internal audit team. historically, those were just financial resources. now we have experienced technologyists or security people in our independent audit team doing some of that work. and with regards to follow-up of audits,
11:09 pm
sen. portman: hold there for a second. so when you look back at the 8500 vulnerabilities that were reported through that audit, what happened? why were those vulnerabilities not patched? what was the issue? mr. begor: senator, you know, as you may imagine, there's a large organization like equifax has many patches that are under way at all times. they are coming in weekly and daily and, sen. portman: the race is never won as was said earlier by mr. sorenson. >> yeah. sen. portman: but the question is, what did you learn from it. as you look back, i understand that you have beefed up your
11:10 pm
cybersecurity presence and you have the cso reporting, you put a bonus system in place that incent vises all your executives to look at it. but what happened? how could those 8500 vulnerabilities not have been addressed at that time? what did you learn from that? mr. begor: i learned from that, senator, that that's not how you want to operate. we don't operate that way today. there's a real focus on, you know, both risk prioritizeing, to patching bennies to be done for the most critical areas are done first. follow-up and tracking. tracking plp, farsi talked about how we follow up on those. we have automated systems now to track those. there's a real rigor, as there should be, around ensuring that that work is completed and those vulnerabilities are closed down. sen. portman: so that 2015 audit, if it had been followed up on would have made a difference, it appears to ubased -- it appears to us, based on our analysis of what happened. where are you now? have you done a recent audit? are you continuing to audit? mr. begor: we audit routinely. i don't know the, the last audit was done in the 4th quarter. we also have third parties coming in and doing work around our cybersecurity efforts. we do our own perimeter testing by our own internal team. we also bring in third parties that the team doesn't know is trying to penetrate the exterior of our system. so there's all levels of rigor
11:11 pm
around getting external inputs like audit around our systems and processes. sen. portman: so you have done a follow-up audit comparable to the 2015 audit, and you have responded to what has been discovered, because i assume that it also discovered that there were certain vulnerabilities? mr. begor: correct. you want your audit to identify things that will make the system better. that's the way i think about audit teams. i don't know how many audits have been done since the cyberbreach in 2017, i can follow up on the number of audits around this area but there have been numerous. and as you might know, there's also regulatory organizations, cfpb, the attorney generals and others that are involved in discussions about audits and our customers. sen. portman: our interest is to figure out what the heck happened. how can you have an audit that, again, uncovers these vulnerabilities and not act on
11:12 pm
it? with regard to legislation we're looking at, what role should audits play if you could provide that to the subcommittee, that would be helpful. when your last audit was. any results of the audit. how you react to it today. that would be much appreciated. senator rosen? sen. rosen: thank you. i want to thank you for bringing this very important issue, privacy and security. it is issue number one, not just for all of us as individuals but for all the companies and businesses that serve us that we expect to protect us and our communities every single day. i want to address, i do have some things to talk about acquisition and data migration as a former software developer. i've actually done that in my prior life. so i have some comments on that. but first, i want to talk about the global nature, mr. sorenson, about marriott hotels. of course, you are worldwide. you operate in all 50 u.s. states and in 130 countries and territories.
11:13 pm
americans stay at marriott hotels all over the world so it is crucial that our data collected is secure. of course you've noted 23 million passports approximately have possibly been compromised no matter where the hotel has been physically located. so my question to you is, last year, secretary of state mike pompeo stated publicly that china was responsible for the cyberattack on your marriott system and theft of consumer data. do you believe that to be the case? >> first, good morning, senator rosen. sen. rosen: thank you. >> nice to be here and to be able to answer your questions. the short answer is we don't know. and i feel quite inadequate about even drawing inferences from the information that we've obtained. we have, when we first discovered information had been extracted from the system which was november 19 it has been all hands on deck basically to make sure that the -- sen. rosen: so no preliminary
11:14 pm
data has come out as to where the isps may be locatedor any -- located, or any commonalities and other hacks, other hacking attempts with other companies across the world? mr. sorensen: we have shared everything we have with the fbi, including the addresses used and the malware tools used in the system so that they can do that kind of investigation. we simply have been focused on making sure the door is closed and communicate with our customers. sen. rosen: so do you have policies in the u.s. that apply abroad taking into account, obviously, foreign laws and regulations? mr. sorenson: we do. we have policies certainly about data collection and retention. we also have an obligation to comply with local law. i think one of the things that's unusual about the marriott
11:15 pm
cyberattack is this passport information. sen. rosen: how long do you retain the passport information? mr. sorenson: well, the passport information that was accessed was in the starwood reservation system, and it had been there for a number of years. sen. rosen: do you have a responsibility when you buy a company to do an audit of the company you're either buying or, i guess it is like buying a home. do you get an inspection? what does the seller disclose? what is the buyer's responsibility? did you buy it as is, and so you just took no method of auditing the data coming across? mr. sorenson: well, we, in the bottom line is we do buy it as is. when you're acquiring a public company, and buying those shares, there's nobody left. we are starwood today as well as marriott. we did diligence. sen. rosen: so i want to tell you as a former computer programmer, i have worked for companies where i've done this acquisition and data migration. and while the other system is still up, i had a team of people working with me to maintain that system, auditing that system, making sure it had integrity while we were training and moving that data over. so where was your responsibility in maintaining and as you
11:16 pm
migrated, protecting that data? mr. sorenson: we were very much taking the same approach. really three periods we could look at separately. one is the 3 1/2-week due diligence period before we signed documents to acquire starwood. and very abbreviated public company to public company. that was a, you know, tell us about your i.t. system. our i.t. team was involved in that and asking questions. but it was quite brief and we didn't learn about any of this. second period is between the fall of 2015 and fall of 2016, between signing and closing the transaction. and while we had not closed, our team, our i.t. team was deeply engaged in understanding starwood system, understanding the data, understanding the vulnerabilities and being ready essentially for the moment that transaction closed to say, ok, now what are we going to do with this system from a cybersecurity perspective, data retention, but also an operating perspective, obviously. and then immediately after closing, it was bringing in, not just our internal expertise but
11:17 pm
external expertise and saying, help us identify the risks in this system. let's make sure we are doing things to address those risks and enhance them. in retrospect, we wish we had done even more, obviously, something happened. but even while that system is running independently before the data migration and before it's turned off, we are very much trying to make sure that we are addressing the security flaws that we think are there. sen. rosen: so as we think about those 23 million passports and other data that may have been breached worldwide, do you have, of course, i just want to be sure, a consistent policy, of course, taking into consideration certain other governments, laws or regulations for how you keep the data, how you retain the data and your responsibility towards the data? mr. sorenson: that may give you a couple of data points, if i could. my number is just a little different than the committee's.
11:18 pm
about 19 million total, sen. rosen: 19, 23, it's an awful lot of passports. about 5 million of those were unencrypted. sen. rosen: and that makes it better? [laughter] mr. sorenson: no, no, those are the ones that, obviously, would have been most -- sen. rosen: so we know that hackers can beat the encryption, so that isn't really a factor here. i don't believe. well, i actually do think mr. sorenson: part of our strategy going forward is to rely on encryption and tokenization and whatever data we keep in this space it should all be encrypted. that by itself is not necessarily a totally adequate defense, but it is one of the tools we should use. i think one of the other things that is clear, there are dozens of countries around the world that require us to collect passport data. sometimes they require us to make physical copies of passports for guests in those hotels. in the marriott system, legacy,
11:19 pm
that was at the hotel level and not centralized in the data platform, if you will. in the starwood system it was done locally and essentially centralized into the data system. there are pros and cons of allowing it to be entirely at property level. one of the pros is it's a smaller target, if you will. one of the cons -- sen. rosen: more diffuse. harder to get centralized. much harder to break into. mr. sorenson: one of the cons on the other hand is then if each hotel needs the same elaborate system of cyberdefenses, can you make sure that you are delivering that. and those are issues that we're working through right now. i think in all likelihood, everything, passports will be encrypted. secondly, i think we'll look
11:20 pm
hard at not centralizing any of it, but making sure that we've got appropriate tools at property level to protect against cyberattacks. sen. rosen: and perhaps, how long you store customer information, sensitive information like their credit card numbers and those extra security codes. mr. sorenson: we are looking at that, too. sen. rosen: thank you. i think my time is up. sen. portman: thank you, senator rosen. senator hawley. sen. hawley: thank you for having this important hearing. thank you witnesses for being here. mr. begor, let me start with you. you may know that as attorney general of missouri, i and 43 other attorneys general sent, launched a multistate action after the announcement of the equifax breach in 2017 and among other things we sent a letter to equifax in which we expressed particular concern with equifax's post breach activities, including the offering of a fee-based service to guard against data breach at the same time that you are offering a free service.
11:21 pm
here is the letter -- we object to equifax using its own data breach as an opportunity to sell services to breach victims. selling a fee-based product that competes with equifax's own free offer of credit monitoring services to victims of equifax if's own data breach is unfair if consumers aren't sure if their information was compromised. can you give us the update on the status of this product? are you still doing that? mr. begor: senator, thinking for the question. as i mentioned this morning, we offered a free product for all americans, whether they were impacted or not at the time of the data breach. and i don't know the exact timing of when we stopped marketing to consumers, but soon after the data breach, it may have been when we received the letter from you and the other attorneys general.
11:22 pm
we stopped marketing to u.s. consumers as a result of that. we recently started again marketing in october on a very limited basis. the other thing that we offered in january of 20, sen. hawley: this is a free product, though, that you were marketing a free product? mr. begor: no, senator, when the breach happened, we offered free credit monitoring product to any american, and it was opened up to any american could get that. whether they were impacted by the data breach or not. that happened in september of 2017. in january of 2018, we added another free product for any american that's free for life that's a lock and alert product where on your mobile device you can lock your credit file or unlock it. equifax is the only credit bureau offering that. and last you talked about marketing to consumers. we stopped marketing in the, i don't know the exact date, but in the 4th quarter of 2017, to u.s. consumers. sen. hawley: what about the fee-based product that you were offering after the announcement of the breach? mr. begor: that's what i was referring to. we stopped that in the 4th quarter of 2000 -- sen. hawley: you stopped marketing it in the 4th quarter?
11:23 pm
mr. begor: that's correct. sen. hawley: we raised other concerns in that same letter and same multistate action including the terms of service that required customers to waive their rights, charges customers pay for a security freeze, with other credit monitoring companies. and overly long wait times for the equifax customer support call center. can you give us an update on how you've addressed these concerns? mr. begor: yes, senator. on the freezing your credit file, i referred to what equifax proactively did in january of 2018, offering a free freeze or lock product to any american, and that's still offered today. you can get that today. i have it on my own. it allows you to lock or unlock your credit file at no charge and free for life. the senator also knows last september, the senate passed
11:24 pm
senate bill 2155 that offers consumers free freezes for life. that was passed and that's in place. we've implemented that along with the other three credit bureaus. with regards to our customer service center, there was clearly some challenges there as i look back on what happened in the 4th quarter. staffing up for something like this is quite challenging. in my testimony this morning, i talked about the incremental $50 million of investment we're making now in our customer service capabilities to enhance our abilities to manage our day-to-day interactions with consumers, as well as investing to make it easier for consumers to interact with us when they have a question. whether it's around a dispute or question on their file. sen. hawley: thank you. mr. sorenson, in the testimony you provided, the written testimony you provided this committee, you noted, i'm going to make sure i get this right. you noted you did not receive
11:25 pm
any substantiated claims of loss from fraud attributed to the incident and none of the security firms you engaged to monitor the dark web have found evidence that evidence contained in the affected tables has been or is being offered for sale and that you had not been notified by any banks or credit card networks that starwood had been identified as a common point of purchase in any fraudulent transactions. do you take this to be a thorough accounting of which sources might know about your customers' data used by third parties, and is it sufficient for you to just wait for them to report to you? mr. sorenson: i think the answer to the first question is no. it's hard to feel like anything is thorough in this space. you pick up signals from a number of different places. we use a number of different tools, for example, to try and go after the same thing. we take some comfort in this, but it's only some comfort. and i think we are grateful for the partnerships we have with the financial institutions so we can have a little bit of that dialogue about what they may be seeing, but we are, one of the reasons we put the web watcher out and made it available to our customers, that is another tool to look regularly at the so-called dark web to see whether a particular customer's information is showing up on that dark web. sen. hawley: if i could just press a little deeper here, does this, in your written testimony, does this reflect an ad hoc list of sources that could report this information about personal
11:26 pm
information of users, or does this reflect some sort of cybersecurity methodology that you have in place in order to protect your consumers' data? mr. sorenson: no, i don't think this is really in the first instance about protecting consumers' data. i think it is about assessing what we can assess about the cyberbreach that occurred. and so if you will, the attack happened. successful, i suppose, if you take it from the attackers' perspective. information was obtained. we've been wrestling with the consequences of that. one of the tools that we're using is to try and figure out what can we tell about where that data has ended up. the tools that we use to protect the data in the first place, i think, are different. in many respects, obviously, much more fundamentally important because we want to
11:27 pm
avoid that data from getting out in the first instance at all. and you do have some sen. hawley: -- sen. hawley: and you do have some cybersecurity methodology you've put in place to systematically protect your consumer data. that's what you're telling me? mr. sorenson: a whole range of tools. sen. hawley: my final question here, mr. chairman, are you complying with gdpr? am i to understand that gdpr in europe requires reporting within 72 hours if one marriott customer resides in the eu. is that your understanding as well? mr. sorenson: yes, and i believe we are. sen. portman: thank you, senator hawley. senator harris. sen. harris: thank you. thank you, mr. chairman, for bringing this subject up as california's ag, i'm supported expanded california's laws as it relates to the requirement of the report of data breaches.
11:28 pm
and have met with many folks over the years who have suffered greatly because of the breach of their personal information and data. and so the risks are, obviously, many. mr. begor, exquifax is facing lawsuits from consumers whose information was affected by the breach. in response your lawyers have argued that even though their information was stolen, consumers cannot prove they were harmed. it was recently reported that none of the data stolen from equifax in 2017 has been used in identity theft or other fraudulent activity and that the
11:29 pm
stolen data has not been offered for sale on the dark web. do those assertions remain true? mr. sorenson: they do, senator harris. to date, we use a variety of outside experts, as well as our own, like marriott, really trying to understand where the data went, what it was used for, and our analysis is there's been no evidence that the data has been sold or no evidence of increased identity theft as a result of equifax data that was stolen in 2017. sen. harris: so a former senior intelligence official recently told cnbc that the hack was more likely the work of a foreign intelligence agency than a garden variety criminal. which would explain why the stolen information has not been used for garden variety crimes. if a foreign power is an especially hostile foreign power, is using the data it stole from equifax to target u.s. officials or american operatives, does it remain your position that there has been no injury or harm caused by this breach? mr. sorenson: senator, we don't know who took the data, and we still don't. we're working closely with the f.b.i. days after identifying the cyberbreach in 2017, we started collaboratively working with the f.b.i. and other authorities. we have the same goal. we've been completely transparent about who took the data.
11:30 pm
we just don't know who it is at this stage. we continue to work with authorities. sen. harris: it would be important for us to know that you appreciate the fact that if the data were breached for purposes of gaining information about u.s. officials or american operatives, that there would most certainly be harm and damage and injury that would result from that. do you appreciate that concern? mr. sorenson: of course, senator. in my testimony this morning, i started out by expressing regret for what happened. talked about what we're doing for consumers, which is really our initial focus and continues to be our focus around supporting consumers. the free credit monitoring that we offer. the other free products we've rolled out subsequent to the data breach around supporting consumers. sen. harris: and do you understand that there have been targeted violations of privacy as it relates to employees of the united states government and
11:31 pm
that there is a concern among the intelligence community and all of us, that there is a focused concern, and actually, a triangulation around officials, american officials, and in particular those who may be involved in our military or intelligence work. and the attempt being to get their personal information for the purposes of attempt to compromise those individuals. are you aware of that concern? mr. sorenson: i've read about it and listened to the experts we work with about that threat on american companies and on american consumers and as well as government employees. sen. harris: and will you commit to this committee that you will have that as a priority among your priorities in understanding and thinking about potential
11:32 pm
harm that's resulted from these breaches? mr. sorenson: senator, i testified a couple times this morning that security is a very, is a top priority at equifax today. we've doubled our security team. sen. harris: so is that yes? mr. sorenson: the answer is, everything we're doing is around yes. sen. harris: ok, great. and mr. sorenson, as senator rosen referenced in november of 2018, hackers exposed the personal information of up to 383 million marriott customers, including millions of passport numbers. shortly after cybersecurity firms and recently our government hired, was hired to assess the damage attributed to the hack and attributed it to chinese intelligence. in addition to passport numbers, could hackers have accessed guest itineraries and the names of their traveling companions? mr. sorenson: yes. well, traveling companions, i'm not certain about, but reservation data was obtained in, i think most recently as far as we can tell in 2016. so that would have been my upcoming reservation or perhaps a past reservations that i had at one of the starwood hotels. we do not think, based on what we've been able to tell so far that any reservation data post-2016 was obtained by the cyberattacker. so in the 2018 instance, which was the first one after we acquired starwood, we do not think individual reservation data was there.
11:33 pm
this is not 100% provable, but we believe that that means there's no longer any upcoming reservation data which was obtained because if 2016, two years ago, we tend not to take reservations more than a year out. so probably nothing that is still, if you will, a future reservation. sen. harris: and then as it relates to the names of traveling companions, it is the custom of marriott hotels to collect the information of an whoever is occupying the room, whoever has the credit card plus whatever guest they may have, isn't that correct? mr. sorenson: well, again, this is the starwood reservation database. and certainly in many instances, a hotel would note somebody else who might be sharing a room. but not necessarily in every instance. if the person who made the reservation is showing up and checking in and getting the key, the front desk may or may not take the time to make the effort to figure out whether a spouse or child or somebody else was traveling with them. but certainly it would have happened in some circumstances.
11:34 pm
sen. harris: so for those folks whose names may have been exposed, but they're not actually the individual who was contracted with the hotel to pay for the room, have those people been notified of this breach? mr. sorenson: well, we tried very hard to notify everybody that we could. the first tool we used was a broad press release with broad public dissemination and then the carrying on the banner, the top line of the marriott.com, starwood.com apps, all the rest of it. in addition, we sent out in excess of 50 million e-mails to folks that we had e-mail addresses on to also make sure that we were notifying them in that way. is it possible that somebody has slipped through the cracks? of course. i think more likely that they were repeat customers of ours, the more likely they are travelers. the more likely that they would have been either notified by us directly or seen the news. sen. harris: mr. chairman, just one last question, and it's a brief question. is it correct that marriott is the top hospitality provider for the american government and the united states military? mr. sorenson: i don't know that we have the data which would tell us that. we're the largest hotel company by rooms. sen. harris: can you follow up with the committee and see if you may have the answer to that
11:35 pm
question? mr. sorenson: i will ask whether we can find out, yes. sen. harris: thank you. sen. portman: thank you, senator harris. senator peters. sen. peters: thank you, mr. chairman. thank you to our witnesses today. mr. begor, if a consumer is delinquent on a payment but later makes the necessary payment to bring the account current, it's my understanding that that delinquency stays on the credit report for 7 years. is that correct? mr. begor: yes, it is, senator. sen. peters: so if a consumer misses a single credit card payment and then follows, you will continue to follow them for basically seven years, and then they'll have an opportunity to in that seven years basically demonstrate that they are good credit risk, a good credit score
11:36 pm
and as a result of that, then get additional credit as a result of that after that seven year period. is that correct? if there isn't any other activity? sen. peters: there isn't, senator, but as you may know in the credit scoring models that we use, other credit bureaus use, the banks use themselves as a delinquent payment using your example if there was one delinquent payment as that ages out, it becomes less predictive, has less impact on an individual's credit score or ability to obtain credit. sen. peters: but, still, it's an expectation it takes, you want to watch it for 7 years basically, just to see how it acts. there's a slope there. and i bring that up because i think that most people, certainly everybody that i talked to, believes that equifax was beyond being just delinquent on one payment when it came to the securing of this critical data and the cybersecurity hack. and that the information that has now been put out or has been taken, will likely be there forever. and, in fact, that you haven't seen some of these activities in the short run may make sense because, if you are a bad actor, you may wait awhile before you use this data to use it for a nefarious purpose. and so i just find it interesting in that delinquent
11:37 pm
payments for a consumer, you follow for 7 years. although you have offered the credit freeze for a lifetime. when it comes to credit monitoring, it's only two years. credit monitoring is certainly much more preferable to consumer convenience than it is to freeze and unfreeze, go back and forth. and i know you want to build consumer trust, but if you are telling your consumers, we'll watch you for 7 years because you've missed one payment, but we have this massive breach and we gave all your personal information, somebody got all your personal information to millions of people and it's going to be out there for the rest of your life, we'll help you for two years. seems to me that it would make
11:38 pm
sense that, at a minimum, that you would offer credit monitoring for the 7 years just as you monitor your customers for 7 years. so my question to you, mr. begor, would you support mandating free credit reporting for 7 years for all consumers whose personally identifying information was the subject of a breach of a credit reporting agency? mr. begor: senator, we think that's really situational and what the consumer should be offered. we offered 12 months starting in the 4th quarter of 2017. we voluntarily extended it for another 12 months late last year. we'll continue to look at that as we go forward and, again, it's my view that legislation is not required for that. that we're doing the right thing for consumers and i would just remind the senator that while the credit monitoring is a valuable product, what the senate passed last september in senate bill 2155 offering a free freeze for consumers really is the most important way to protect your data. and then equifax has a
11:39 pm
supplement product that's available on your phone or mobile device that's free for life to do the same thing with some more functionality. so if you are at a car dealership and getting an auto loan, you can unlock your credit file. when you finish getting that financial transaction, you can lock it again. no one can see that data once it is either frozen by senate l 2155 or locked in our "free for life" product. sen. peters: would you still see the value of monitoring because you're offering it to your customers for up to two years. that that's a better product than just the freeze and unfreeze, which is more cumbersome. i think you mentioned that. so you said you'll re-evaluate this on a situational basis. what is that situational basis? what's the criteria you'll be usings too whether or not to -- you will be using to whether or not extend this beyond two years?
11:40 pm
mr. begor: it really depends on how the data, how we can see the data had been used and what it's being used for. and i would make the point where credit monitoring is quite valuable, you know, we believe that giving consumers control about who has access to the data, when it's frozen, no one can see it. and no one has access to it. sen. peters: i would like to in the remaining time touch briefly on another important subject. that's the collecting of data on minors. how many minors had their personally identified information compromised in the 2017 breach? mr. begor: senator, i don't have that information in front of me. i'd be happy to get back to your office with that. sen. peters: is it greater than zero? mr. begor: i don't know the answer to that, senator. sen. peters: so you'll provide that for me? mr. begor: yes. sen. peters: that would be great. do you have any policies regarding the collection of information on minors? mr. begor: the policy is that, you know, we don't. and as you know, you may know senate bill 2155 allows a parent to put a freeze on their children's credit file, if, in fact, they have one.
11:41 pm
we're quite diligent about managing that because it's an area of focus by imposters or fraudulent individuals that try to create a credit file for identity theft purposes, not only on minors but other americans. sen. peters: is there an instance where a young child would need a nonfrozen account? mr. begor: not to my knowledge, senator. sen. peters: but a parent has to opt out, even though there's no reason to have a non, or to have a frozen account but the parent has to be active in doing that? ok. so last year i worked to pass legislation that protects children from synthetic i.d. fraud. it's a form of identity theft you know very well, where stolen security numbers of children are paired with fake names and birth dates to apply for loans, credit cards and other accounts. could any minors' information that was exposed in the 2017 breach be used as part of identity theft or synthetic i.d. fraud operation? mr. begor: senator, i will have to get back to you on what minors were included, if any. i don't know the answer to it in
11:42 pm
the theft that took place in 2017. sen. peters: great. i appreciate working with you on that. thank you. sen. portman: we have a short second round here. senator carper, do you have additional questions? sen. carper: i do. both equifax and marriott publicly announced their data breaches within weeks of learning them. and while this is better than some companies have done in recent years, it's a lot longer than, for example, target waited when it suffered a breach in 2013. in fact, target learned about a cyberattack, you may recall, affecting its customers in the middle of the holiday shopping center. i was one of them. and that year informed the him justice department and public literally within days. this allowed target customers to take precautions against fraud
11:43 pm
and identity theft and to monitor the bank and credit card statements. mr. begor, the hackers who attacked equifax were in the company for 78 days before equifax discovered their presence. i think that's correct. and by the time equifax informed the public, consumers' information had been in the hands of hackers for close to four months. given the damage that can be done with the type of information equifax collects, why do you suppose the folks who were in positions of responsibility prior to your arrival, why wait six weeks to step forward? why not follow the target example so that people could take swift action to protect themselves as soon as possible? and if i had been you coming into a new situation as the new ceo, i would have said to the people who were there before we, what were you thinking? how could you have allowed this to happen? did you ever have those kind of
11:44 pm
conversations? mr. begor: i had a lot of conversations when i joined last april. and i hope you get a sense for the pace of change, the breadth of change, the priority around security. there's a whole new team here. we've added extensive resources, and we're very serious about security. with regards to the time frame, you know, with the data breach, my strategy and i believe it was the team's strategy at the time, was to be accurate and quick in completing the work. as the senator probably knows, it's a very complex process. once you find out that you have a data breach to really determine which elements of your database was affected. we brought in the very best forensic experts within days of the data breach. i think it was a day or two contacted the fbi and got their involvement in it. and from my look back at what the team did, they moved as quickly as they could to ensure that we were going to be complete and accurate. from my perspective, making an announcement that there was a data breach but not knowing which americans were impacted,
11:45 pm
and is it 50 million, 2 million, 150 million? it took time to really do the forensics to figure that out. my approach is to be accurate and complete with the real focus around the consumer first. really making sure that those consumers that are impacted we can identify who they are and then communicate with them quickly. sen. carper: mr. sorenson, really the same question. i'd like to hear about the factors that went into marriott's decision on the timing of its public notice. mr. sorenson: so we had an alert which, on september 7, 2018, was triggered. that alert went to a third party who was operating the reservation system for us with , in effect a company to the i.t. group at marriott. we heard from that third party operator the next day on september 8 that that alert had been received and immediately started to mobilize resources to contain and to ascertain why that alert went off.
11:46 pm
it wasn't until november 19,2018, that we learned that data about our customers had been ex exfiltrated from our system. and we announced on november 30.we, of course, had lawyers and security experts and all sorts of other folks who were engaged in the conversation about timing, how quickly could we go? we also wanted to make sure that we had set up call centers and websites so that the moment we released this information publicly the customers had a place to go and find out more and sign up for the web watcher services and do the other things that were necessary. and so that 11-day time, of course, was, met the legal requirements but it also was practically about as fast as we could move it and be able to communicate something which was concrete and useful to customers and then be able to deliver something of what we anticipated they would need and want. sen. carper: thank you.
11:47 pm
let me ask both of you, any idea, any sense for how many state data breach notification laws your companies are, i guess, subject to? would it be fair to say that maybe even 50 such state laws that you are subject to at this time? if it's ok, senator, i'll go mr. begor: first. q are correct on that, and it is quite a challenge. sen. carper: i was going to ask, what kind of challenge does that present, if it's true? mr. begor: there's, i don't know if the exact number is 50, but they're all different and it creates challenges in a situation like ecquifaxequifax, as perhaps marriott's, in -- situation like equifax, as perhaps marriott's, in complying with the requirements. different notification documents required. different ways you communicate with the consumer. different ways you're allowed to
11:48 pm
communicate with the consumer. and we've been longstanding supporters of a unified federal legislation that would unify that and allow, you know, actually that's one of the elements that makes it, there's a time limit there once you figure out which consumers are impacted and what states are they in, and requirements and how you communicate with them. we're very supportive of a federal unified legislation on that. sen. carper: thank you. same question, mr. sorenson. what kind of challenges do you have with respect to who to notify, when to notify, what to disclose about a data breach. mr. sorenson: it was not among the biggest challenges we faced, i would put it that way. although if memory serves, we found some place between 20 and 30 states had specific notification requirements with a deadline. now we, of course, met those deadlines and then ultimately communicated to all 50 states. outside the united states, there were probably, i don't know, 20 or 30 countries that had various kinds of notification deadlines.
11:49 pm
obviously, that's nothing that the federal government can do with that. sadly, i suppose, in some respects, this ground is too well trod and so there are folks that can help us figure out where those requirements are and how to meet them. would be simpler, of course, to have one sort of u.s. standard, but that's something that we'd be happy to work with your office and give whatever input we could from the experience we've had. mr. chairman, i am sitting here thinking, believe it or not, if something richard nixon, of all people, once said. and richard nixon once said the only people who don't make mistakes are people who don't do anything. we all make mistakes. and i said to our sons now, 29 and 30-years-old, i've said to them, nothing wrong with making a mistake. the key is we don't want to continue making the same mistake.
11:50 pm
in this case, mistakes, not only harm your companies but we talk about the harm, 150 really innocent people across this country. so the question is, what do we do about it? and you've talked to us today about a number of things that each of you have done. and i am pleased to hear the statements of apology, of contrition. acknowledging the harm and damage that's been done. and god knows i wish and i'm sure 148 million people wish that the kind of thinking of the actions you've displayed in the last year or so that you've been in your position, mr. begor, that that kind of thinking had existed in the previous administration, if you will. you talked about what i think is really important. leadership is most important in leading the success of any organization i've ever been a part of. in business, government, military, always the key.
11:51 pm
if the leader doesn't say cybersecurity is important or the board doesn't say cybersecurity is important, nobody else down the line is going to make it important in the end. and it appears to us that you have done that, both of you. and have made it clear from the top, this is important. you've aligned incentives, financial incentives for the folks helping to run your company so that their incentives are all lined up with that in mind. sounds like you've done a lot with respect to hiring your kind of workforce that you need to enable the desires and wishes, the directives from on top to make sure that they are carried out. one of the things i think a lot about, mr. chairman, is workforce. i know you do, too. and we have focused in delaware for a number of years, the delaware university, the community college, to make sure we're turning out a better workforce to help take on these jobs that are available out here
11:52 pm
to be done. with the federal government, what our responsibilities are, i was privileged to chair this homeland security committee for a while and with tom coburn from oklahoma, and we focused, senator portman knows, he's part of this, on what we needed to do within the federal government. on what we needed to do within the federal government as legislators. and frankly in those couple of years, we did a lot. and we've continued to do a number of things. i really think, mr. chairman, this is the right time for us as a committee. we have new talent on either end of us here, democrat, republican, bright people with real world experience that can bring a lot to this. i think it's really an ideal time for us to do our job of oversight. we've done all this legislating. and it's being implemented. and we have, let's find out to what effect, to what good. that's a big part of our job. last thing i'll say is i'd ask to enter for the record some newspaper articles i read on the train coming down this morning
11:53 pm
from the last several weeks, about the dramatic increases in attacks from china and from iran. and i remember when barack obama met with the president xi in washington state. you may remember this, 2015. i think september of 2015. and jeh johnson, director of homeland security, gave me his eyewitness account. in that meeting, president obama said tosecurity gave me his eyewitness account. in that meeting president obama said we know you are attacking us and coming after our trade secrets, business. practice and are military secrets pick we want you to stop the president said we don't do that that's not the policy of our country and that's that were about. president obama basically said this is who's doing it, this is where they are located, and we want you to stop. president she said we are not willing to do that. i'm told president obama said if you don't stop, you will wish
11:54 pm
you had in so many words. as you may recall dramatic drop in attacks by china. about two months before that, the congress of the united states, the president had essentially signed off on a five-nation deal with iran, for gradually lifting sanctions. at the time the iranians were unrelentingly attacking your financial services companies. especially. in july, i was a strong supporter of lifting sanctions for the opening of inspections ongoing. and you know what happened? literally within a month, the frequency of iranian attacks greatly dropped. almost like china a couple of months later. there's another element here, we don't think much about. there so much they can do and other companies need to do.
11:55 pm
more work to do in terms of training the workforce and making sure they are available. the jobs involved before the administration in working or reaching out to other countries and getting them to work with us instead of being or undermining what we are trying to do. plenty of for today. a multilayered approach and we appreciate your being here today and helping put a spotlight on this. you have cleaned up the messes that you inherited especially equifax. it's given us an opportunity to think about what we can do, to better do our own jobs. thank you. everything we do, everything i do i know we can do better and and that includes this. thank you. sen. portman: i can't believe government to do anything better than the spec thank you. to the witnesses i have two
11:56 pm
follow-up questions we want to get into the record. but let me reiterate what i said earlier which is, we appreciate your being here. we're trying to learn. and the lessons that you have learned within your company's are really important for what we are trying to do legislatively. understanding what happened, what could be done differently, this is frightening, scary for hundreds of millions of families. whose personal and financial data was compromised through the two companies you now lead. i appreciate the fact you acknowledge that, understand that you know, this is about hackers. it's about technology but it's also about people. and the frustration that many americans have right now that nothing is sacred or safe. you know, and it is, is good to know that as mr. sorensen has said and mr. begor said, some of the data has not been used yet by criminals in ways that one may have thought it could've
11:57 pm
been. that doesn't mean it didn't happen or isn't happening right now. also gets raised earlier some of this may be being used by foreign actors in ways counter to our national interest. by targeting individuals. so it's growing or importance get to the bottom of what happened and what's being done and what can be done in the future legislatively. we go back if i could to the cyber security protocols that mr. begor talked about earlier. in your testimony seemed to lean heavily i thought on the fact the program at the time as i said leveraged technical safeguards and was subject to regular ongoing review. external and in total as we talked about the audit that was not respected just by some really troubling data it uncovered. the other part that i think we need to talk about this morning and i was waiting to hear what
11:58 pm
my colleagues would address and they addressed a lot of this. it is the i.t. inventory. the investigation, as you know, found that equifax at the time failed to follow this basic practice of maintaining an it -- maintaining an i.t. inventory of applications and assets on its systems. without having this list. equifax was unable to find the application that was exploited by the hackers park that's when that has been talked about previously called apache strut. you didn't even have it in your inventory, so you can find it. i guess a few questions, one since the breach has equifax generated a list of applications on its systems? mr. begor: we have, chairman, in great detail. not only that i think my colleague mr. farsi talked about some of the automated systems we put in place to really track all of the systems and make sure we understand not only the systems and all the assets we have, but also when there's a patch that needs to be completed, those are all automated and we are watching those. there's multi layers of defense
11:59 pm
picked you know, it's more than just one later. i think the chairman knows that. that all of these elements have to be done very well and then with the latest technology which is what we put in place and we are continuing to put in place. >> the national institute of science and technology list has issued a recommendation that there be an it inventory and >> the national institute of science and technology has issued a recommendation that there be an i.t. inventory in every company that could be affected by these breaches. let me ask you this. if equifax had kept an up-to-date inventory, with that have been helpful to have identified the vulnerability? >> my analysis, what happened in inventory,ere was an it was not as complete as it should be. the protocols, procedures in
12:00 am
place are not at the highest standards. like most companies, we standard the protocols -- we follow the protocols. i mentioned that we have third parties actually auditing us against those standards as a part of our many layers of how we are managing our security program going forward. >> we have a difference of opinion on that. our investigation identified that there was not a complete inventory. maybe you can respond to this. inventory or not, and did that affect the ability to find a vulnerability? importantry is an control across any organization to defend against threats. i was not here at the time, but, looking back, we did have an inventory, it just not was not a complete inventory. since that time we have built in those controls, so we do have a
12:01 am
complete inventory of our assets. note that -- >> it sounds like you did not have a complete inventory and apache struts was not something able to be identified. is that accra for -- is that accurate? >> i would have to say that the inventory for apache struts is typically not in the inventory that you highlight in the report. it is typically not included in the asset inventory because it is a source code vulnerability it is any code repository instead. >> we have a difference of opinion on this one. we will follow up with you. it is about the future going forward. something ofng me the nature of apache struts would not be in a current inventory so you would not find the vulnerability today. it should be in the inventory. >> it is a different type of
12:02 am
inventory, senator. inventory they were reviewing, it would have made a difference. you wrote that statement? >> made a difference in respect to what? >> the ability to find the vulnerability. >> it would have helped. >> thank you. ok, thank you for being here. again, i want to follow up on one of the points we found in our investigation. as true the big breach happened in 2014. you acquired starwood in 2016. able to you were identify that something happened. you said the alert was issued in 2018. mentionede have not today there was a 2015 breach that starwood acknowledged. when you bought starwood, you knew about, i assume you knew about that breach. is that correct? >> yes, we did.
12:03 am
that breach was a credit card breach. numbers were taken at points that 54 different properties. the president of starwood sent a public letter out saying that the guest reservation database was not impacted by that breach. i have a copy of that letter on the witness table. i would like to enter that 2016 letter into the record without objection. in reality, the reservation system had been breached considerably in 2014. the letter said, don't worry, reservation system has not been breached. my question to you is a simple one. when you did your due diligence, what you talked about having done, did you look at that letter and did you examine this issue, and could you have determined earlier what would happen -- what happened?
12:04 am
>> it is a fair question. the short answer is, we knew about the point of sale breach that starwood had suffered. with the starwood team, and we worked independently to make sure we understood the scope of that breach. as far as we know today, it was totally unrelated to the reservation system breach that we have been talking about and and announced in november. different tools, different system in a sense that the point of sale is distributed at the properties, restaurants, and front desks. the reservation system by comparison, which is the larger breach we disclosed in november is a centralized system. again, the team has said they don't relate to each other. colloquialrom a perspective it feels similar, it feels like a warning. it feels like it is related to starwood's customers, which it
12:05 am
is. we try to understand that point of sale. we are satisfied that they took the steps necessary to deal with that breach. separately we did things on the reservation platforms. in retrospect, clearly not enough. >> again, lessons learned. we appreciate the testimony you have already given us. we appreciate the opportunity to stay in touch with you and your experts to try to help to be sure that we are putting together a kind of legislation that can help avoid these problems in the future. you made a statement earlier, this is a race that has no finish line. i think that is accurate. it is also accurate that this is a marathon that has to be run at a sprinters pace. there will be continual innovative hacking. i noticed this morning that, while the president was in hanoi, in negotiations with chairman kim, that there was an
12:06 am
increase -- apparently this was a report, take it as such, in north korean commercial hacking of u.s. targets. it is something that we are going to have to continuously assess. the government is not often good at that. they said we do not do the proper follow-up. we sometimes get behind the curve. we want your ongoing cooperation with this panel to be able to put together what makes sense, and then to update it as necessary. you will both be having your companies engaged in this for a long time in the future. records interfere article if every 16th, new york times, chinese and a rainy and hackers knew there were attacks on u.s. companies, and the wall street journal's yesterday. hackers have hit hundreds of companies in the past two years.
12:07 am
i would ask them to be included in the record. >> thank you all for your testimony. >> thank you both for your service. we will call our second panel. this is the expert panel that will help us solve the issues we have talked about. we welcome you.
12:08 am
we are going to start by introducing the panel. kegley is with us, the director of financial markets and community investment at the government of accountability office. we appreciate you working with us on this issue and this report. we have andrew smith with us, the director of the bureau of consumer protection at the federal trade commission. third is john gilligan. the is the president chief executive officer at the center for internet security. at this time i would ask you to stand up again and raise your right hand. do you swear the testimony you will give before the subcommittee will be the truth, the whole truth, and nothing but the truth so help you god? please be seated. let the record reflect that all the witnesses answered in the affirmative. r written testimony will be
12:09 am
made part of the record. if you can keep your oral presentation to five minutes, that would be great. think we told you you would go first. we will call on you first. chairman, ranking members of the subcommittee, i am the director of the bureau of consumer protection at the federal trade commission. i appreciate the opportunity to present the commission's view on how congress can help the ftc further its efforts to prevent data breaches in the private sector. my written statement represents the views of the commission. this opening statement represents my views alone, and not necessarily the views of the commission or of any individual commissioner. let me begin by summarizing the ftc's current efforts to protect consumers by promoting data security and prevent a data breaches. our reach -- our has three areas of focus. for nearly two decades the ftc has been the nation's leading data security enforcement agency.
12:10 am
charged with enforcing data security requirements contained in specific laws as children's online tribe is -- privacy acts. we also enforce section five of the ftc act, which prohibits unfair or pursuit -- or deceptive practices. including unfair or deceptive act as is with respect to data security. in this law enforcement role, the commission has litigated more than 60 actions against diseases that allegedly failed to take reasonable precautions to protect their customers personal information. for example, we have brought cases against manufacturers of consumer products like smart phones, computers, connected toys. we brought cases against companies like data brokers that personalata sensitive information. our second focus is policymaking. the ftc has conducted workshops, issued reports and made rules to promote data security. just this week we announced a notice of proposed rulemaking to
12:11 am
update our safeguards rule under the -- act. it was originally issued in 2002 and requires financial institutions within the ftc's jurisdiction to implement reasonable practice-based safeguards to protect personal information in their control. basedoposed revisions are on our nearly 20 years of enforcement experience. these revisions are intended to retain the process-based approach of the original rollout providing just role while providing -- with respect to the data security expectations. our third area of focus is business education. the commission has issued numerous guidance commissions for business, including a guy called start with security in 2015. a series of columns and 2017. last year, a comprehensive small business cyber education campaign, which includes written
12:12 am
guidance, how to videos, and training videos for businesses. these materials distill the lessons learned from our actions manner.cessible we have vigorously used our existing authority to protect consumers. this authority is limited in some important respects. the commission has called on congress to enact comprehensive data security legislation that includes rulemaking, civil penalty authority, and enhanced jurisdiction for the ftc. the legislation should give the ftc be authority to issue data security rules under the administrative procedures act so that we can keep up with this and technological changes. have we currently rulemaking authority, we have used it. as demonstrated by this week's proposed revision to the safeguard rule. second, legislation should allow the ftc to obtain civil penalties for data security violations. thatntly we have authority seeks civil penalties for data security violations under the
12:13 am
children's online privacy protection act and the fair credit reporting act. we also can get civil penalties for violations of an existing administrative order. penalties andin did novo cases. to help ensure effective deterrence, we urge congress to enact legislation to an out -- to allow the ftc to seek civil penalties in appropriate circumstances. the legislation's should extend the ftc's jurisdiction over data security to nonprofits and common carriers. entities in the sectors often collect sensitive consumer information. significant breaches have been reported, particularly in the educational and nonprofit hospital sector. opportunity tohe appear before you. i look forward to answering your questions. >> thank you, mr. smith. i am a director in the
12:14 am
financial markets and community investment team at the government accountability office. i am pleased to be here today to testify about internet privacy and data security issues. my statement will discuss the federal trade commission's role for overseeing internet privacy and stakeholders use on potential actions to enhance that federal oversight. my testimony is primarily based on our january, 20 night -- january to the 19 report on --ernet piracy and various internet privacy. as you are aware, the united states does not have a comprehensive internet privacy law. , use,ing the collection and sale of other disclosure of personal information. gaps exist in the framework, which is not fully address technology on the market place. at the federal level, ftc currently has the lead in overseeing internet privacy using statutory authority under section five of the ftc act to
12:15 am
protect consumers from deceptive practices. ftc has not issued regulations for internet privacy other than those protecting financial privacy and the internet privacy of children, which were required by law. ftc may propagate regulations, but is required to use procedures that differ from comma processes. ftc staff said at time, at complexity. stakeholders interviewed had varied views on ftc's oversight of internet privacy. most industry stakeholders said they favored ftc's current approach. direct enforcement of its unfair and deceptive processes statutory authority. which they set about flexibility. other stakeholders, including consumer advocates and former ftc and fcc commissioners ftcrviewed favored having issued and enforce regulations.
12:16 am
stakeholders identified three main areas in which internet privacy oversight could be enhanced. first through statute. some stakeholders said an overarching internet privacy statute could enhance consumer by articulating to consumers, industry and agencies what the haters obligated. -- what behavior is obligated. some stakeholder said regulations can provide clarity, fairness and flexibility. third, through civil penalty authority. stakeholders that ftc's internet privacy enforcement could be civilccepting of with penalties levied for first-time violators. recent data breaches at federal agencies, retailers, hospitals, insurance companies, consumer reporting agencies, and other large organizations highlight the importance of ensuring the security and privacy of personal identifiable information collected and maintained by those entities.
12:17 am
such breaches have resulted in the compromise of millions of americans personal information, which could lead to identity theft and other serious consequences. these recent developments regarded internet privacy and data security suggest that this is an appropriate time for congress to consider comprehensive internet privacy legislation. ftc has been addressing internet privacy through its unfair and deceptive practices and authority, and ftc and other agencies have been addressing issues using statutes that target specific industries or consumer segments, the lack of a comprehensive federal statute leaves consumers privacy at risk. in our january 2019 report, we recommended that congress considered developing comprehensive legislation on internet privacy that would enhance consumer protections, and provide flexibility to rapidly evolving internet and firemen. issues that should be considered
12:18 am
include, which agency should oversee internet privacy. what authorities at agency should have for that oversight, including notice and comment rulemaking authority, and first-time violation civil penalty authority. and how to balance consumer need for internet privacy with industry's ability to provide services and innovate. member,rman and linking this concludes my prepared statement. i am prepared to respond to any questions you may have. >> thank you for your testimony and your help on this issue. chairman portman, and members of the subcommittee. my name is john gilligan. i serve as the chief executive officer at the senator for -- senate for internet security. this oral statement morning i would like to share my perspectives on the logical question that may be asked after this morning's testimony, which is, what can be done to prevent major cyber security breaches?
12:19 am
i asked myself a similar question in the early 2000 us the chief information officer at the united states air force after the national security agency's annual penetration analysis found our cyber security posture to be willfully inadequate, despite the air force spending over a billion dollars a year on cyber security. i went to nsa and ask them where should i start? ofer consulting their office defense of experts, nsa came back with a prioritized list of the system weaknesses that were most commonly exploited by attackers. by a large margin, the most common weakness exploited was misconfigured software. software that did not have appropriate security settings enabled, or software that was not properly patched. as a result, i launched an initiative in the air force to ensure security enabled configurations with up-to-date patches for all of our operating systems. based on the positive experience with the air force and identifying the frequent cyber attack patterns, and the associated security controls,
12:20 am
the nsa effort was subsequently adopted by the private sector in 2009 and became known as the sans top 20. in 2015 it was transitioned to my current organization, the center for internet security and became named, the critical security controls, or just the cis controls. it represents a set of prioritized actions that form the foundations for basic cyber hygiene or effective cyber defense. the controls are regularly updated by a global network of siebel -- cyber experts. the controls have been assessed for up to 90% of dangerous cyber attacks are at the controls act as a clear, actionable and free blueprint the system and network operators to approve cyber defense by identifying specific actions to be done in a priority order. has analyzed major data breaches in the past two years. was cause of the breach
12:21 am
related to the failure to properly implement one or more of the critical security controls. the equifax breaches no exception. we found that there were five of the 20 critical security controls that were not properly implemented by equifax. many organizations are seeing the value of the critical security controls. california, ohio, the republic of paraguay, the european technical standards organization have adopted the controls at the standard for cyber security. associationdustries and the atlantic council have also endorsed the critical security controls. as congress considers to improve cyber security in the u.s., i offer the following recommendation. i start with the recognition that the cyber security framework is an excellent top-level guidance that were the points to other documents and best practices for implementation guidance, including the critical security controls.
12:22 am
while a logical construct, this approach has unintended consequences. in particular, government and private sector organizations who wish to implement in the cyber security framework, must select for implementation from among the very comprehensive list of standards, guidelines and best practices that are referenced in the framework. is magnifiedlem for organizations that are required to comply with multiple high-level frameworks that are cyber security framework. for example, financial organizations are required to certify against the payment card security or pci framework. organizations with international presence are required to follow the international standards organization or the cyber security framework and so on. while the individual policies and regulations are will intended, there are contributing to much confusion and inefficiency in achieving the common goal of effective cyber defense.
12:23 am
recognizing that our multiple cyber security frameworks, and policies have contributed to great confusion, i would recommend that nest be chartered to develop a single cyber security implementation guideline that can be used to satisfy the requirements of the cyber security framework, pci, iso and similar frameworks. this implementation guideline should provide their guidance of what constitutes basic cyber hygiene and specify a prioritization for implementation of appropriate controls. i note that the united kingdom and australia have done exactly that with the australian signal directorates essential eight, and the united kingdom's national cyber security centers cyber essentials. i offer the center for internet security's critical security controls is the point of departure or model for such an effort. this concludes my remarks, i look forward to your questions.
12:24 am
>> thanks to all three of the witnesses. these data breaches have become a fact of doing business. it is a matter of constantly keeping up. it never ends. the most recent data we have the first half of 2018. that is, there were 291 data records compromised every second. 291 data records compromised every second. i do not think that has slowed down, it has probably increased. present danger to consumers, our government, our national security. your testimonynd interesting, as has been alluded to today. 50 states have different standards on this. most states have passed their own breach notification laws. i think every state has some sort of breach notification law. don't they? >> i believe that is the case.
12:25 am
>> that is good, but they vary significantly from state to state. let me ask you this, mr. smith. what benefit would there be from having a single standard for -- standard at the federal level given the climate we have of increased technological interconnectedness and the number of breaches we are seeing? mr. smith: it seems like there would be some benefit to uniformity. our currenthat commission, so our commission as you know is composed of five commissioners. all of them are new within the last year or so. they have not had an opportunity to testify on whether or not they would support uniform data breach notification standard. past commissions have supported such a uniformed notification standard. >> what is your opinion? mr. smith: i was interested i said.r. sorenson
12:26 am
he said it was a challenge, but not a primary challenge. i worked at the ftc in the early 2000's. at that time california had passed its first in the nation data breach notification standard. we dealt with it under the choice point breach, which is a huge breach at the time -- which was a huge breach up a time. we started looking at whether we should have a uniform standard. the commission testified in favor of it that time. bills were introduced in 2005 saying we need a national standard. well, every state has enacted a standard and the sky has fallen. i feel as though companies are probably figured out how to comply. i do think there is always a benefit to uniformity in terms of ease of compliance. from what i can tell and the market, companies seem to be able to comply with this multiplicity of standards. of compliance is one issue. that is something we will cure
12:27 am
about from the private sector that they would prefer to know what the standards are, instead of not following the standard that is different from state to state. it is about protection, it is about the government security and so on. do you think there is some that there is a high standard that we can ensure we have better security? mr. smith: one of the critical aspects is the trigger for notification. i think that in the earlier panel it was mentioned that there is a 72 hour notice requirement in gdpr. from the perspective of someone who focuses on consumer protection, i want to get notices to consumers that are useful. that give that actionable, accurate, actionable information. the worst thing is piecemeal notification. one notice goes out, we thought it was breached, you should do
12:28 am
this, then another notice goes out. >> this adds to the frustration? mr. smith: you need to give company time to investigate. they have to investigate quickly. give them time to figure out who was affected and what information was compromised and what consumers can do to protect themselves, as well as develop the systems to respond. the 800 lines, the credit monitoring things. things like that. days, something like that. the ftc has a rule that applies to breaches of certain health care information with the standard is as quickly as possible, but in no event longer than 60 days. you need to give people a little bit of time to conduct a thorough -- i disagree. i think 60 days is excessive, given the fast-moving nature of this and the potential for people's information to be compromised.
12:29 am
administrative procedures act, you talked about that in your oral remarks. i think the administrative procedure act rulemaking probably does give us more flexibility. in other words, the previous panel would not be able to respond quickly to a changing threat because it will be revolving. there is concern that, unless it was specifically related to rulemaking authority for cyber security legislation, that it could get out of hand. can you speak to that for a moment? the you think rules under the apa are necessary? second, how do you narrow it to being sure that it is responsive to the congressional actions it might take on this one issue? mr. smith: the commission has testified on data security rulemaking only. i think what folks imagine would be a bill like several that we have seen introduced. congress says, company show
12:30 am
and ftc you shall have rulemaking authority under the administrative procedure act. only for that, to execute that, that law. right? not apa rulemaking authority for everything in the world. what we have right now -- referred to by ms. cackly, rulemaking authority under the magnuson moss act which requires us not only to do notices of proposed rulemaking and taking of comments, we have to do advance notices, we have to have hearings, issue interim reports, allow for interim appeals, what that means, it is not impossible to do, but what it means is that you know from soup to nuts, a magnus rule takes us 10 years. >> the process is considerable. one final point. on the nonprofits, you mentioned and you said private carriers and nonprofits should be under the ftc rubric for this purpose.
12:31 am
can you give us a couple examples? i think about hospitals for the -- where there have been breaches, as an example for sensitive medical information can be released inadvertently sometimes to hackers. >> so hospitals the issue of its medical information, healthcare information and it is a hospital, that will be covered by hipaa. we work closely with hhs and the office of civil rights to enforce and administer hipaa standards. what we have seen with nonprofit hospitals are breaches of employee data. not covered by hipaa. that's a real challenge. we've also seen breaches at educational institutions. and we have seen breaches at common carriers and there is -- i think a bit of an open question about the federal communication commissions authority. jurisdiction to address those issues. -- those breaches.
12:32 am
>> thank you. senator harper? >> thank you for that illuminating testimony. i was sitting on the audience and i don't know what you're thinking about, but you came to the table prepared. it's very much appreciated. one of the things is helpful to me is when we have a panel of well-informed, thoughtful witnesses. is to see where do you think you agree? where do you think you agree as a panel with respect to what congress should do next? if you could start us off, ms. cackly? >> senator, i think where certainly my testimony and mr. smith's testimony were in agreement was around the need for a legislation and what some of the elements of that legislation could include. which is to say, notice and comment rulemaking authority, civil penalty authorities.
12:33 am
those were the things that would best help the ftc or whichever agency congress chooses, to invest with, with this issue -- oversight over this issue. the necessary tools to be able to get the job done. >> all right thank you. mr. smith, what do you think you would agree on what we should be doing next? our to do list if you will? >> well, i mean particularly with respect to be statutory authority for the federal trade commission to make rules in the area of data security and enforce using civil penalties and also the expenditure -- the expanded jurisdiction, we agree on that. i agree with mr. gilligan from cis about the importance of these useful rubrics like the cis critical security controls to educate businesses and focus their attention on things that
12:34 am
really matter. for a lot of businesses, i think that data security is just sort of an insurmountable obstacle. it's beyond anyone's comprehension. these types of rubrics i think help businesses to focus their attention in the right place. we have done the same thing this week with our glba safeguards rule. were we have the rule began life in 2002 and at the time was quite influential. but it is very basic. it requires companies to have good data security, appoint people to be responsible and the new rule which is somewhat longer, we offer more specifics about encryption and penetration testing. and some of the other best practices, which one provides businesses with an audible standard, provides them with clear information about our expectations, and also candidly provides us more ability to enforce. >> mr. logan would you agree?
12:35 am
>> i think there is fundamental agreement that it's a complex issue. there are a number of regulatory bodies, the federal trade commission being one, who have jurisdictions over part of our economy. one of the functions that the center for internet security provides is what we call the multistate information sharing and analysis center. we provide under funding from congress and dhs sponsorship, we provide security support for state, local, tribal and territorial governments. included in state, local, tribal , and territorial is almost every different domain you might imagine. they are all struggling dealing with cybersecurity. while i am personally not an expert in data breach reporting. i can say the states and local governments are struggling trying to deal with all of the well intended regulations that i
12:36 am
mentioned in my testimony. and so i think some consolidation of that and simplification and as i suggested, perhaps using something like the critical security controls is really the technical implementation foundation. that is where most organizations -- and that needs to be continuously updated -- that's what most organizations need to help focus. and as i said, the breaches that have been discovered, invariably are the result of failure to implement very simple controls in a comprehensive way. asked my staff together a handful of tips for consumers for regular folks, to follow if they become a data breach victim. the shortlist, not a comprehensive list, one of those would be to change your password , another would be to contact your bank, contact your credit card company. third would be to contact a
12:37 am
credit reporting bureau. the fourth would be to sign up for credit monitoring. and that's for folks who have become a breach victim. mr. gilligan what would you suggest consumers can do to protect themselves after they become a victim? any tips? >> well i think it would be largely parallel to the list you just mentioned. one of the things i would recommend is that all consumers freeze their credit reporting. which is often a vehicle through -- their particular information is compromised. i think having good hygiene with regard to passwords. with regard to updates and security software are also things that all consumers should do on a regular basis in order to protect themselves. >> mr. smith and ms. cackly? anything you want to add to that?
12:38 am
>> i would direct consumers to our website, ftc.gov, for we -- where we have a tremendous amount of information about how to protect yourself. in the event of a data breach both general information as well as specific information. for example, we have pages dedicated to tax identity theft. we have a page dealing with connected toys. just a couple of months ago in december 2018, there was a phishing scam where consumers received what appeared to be authentic emails from netflix saying we need to give us your payment information again. to deal witha plan that specifically because it was an important threat to consumers. we also built pages for the marriott breach and the equifax reach that gave specific information for consumers who had received those notices about what they could do to protect themselves. including some of the measures that your staff mentioned. and finally, where consumers believe they may be a victim of
12:39 am
identity theft, they need to go to identitytheft.gov. which is operated by the ftc. we have tools, such as the identity theft affidavit you can use, with the credit bureaus to have fraudulent information removed from your credit report. as well as receive other rights under the fair credit reporting act. >> thank you. ms. cackly? >> i would say consumers need to educate themselves. thinking prospectively, they need to understand what data is potentially available to other, other people. what companies are collecting their data. and how they can set privacy controls potentially or do whatever else they can to keep themselves safe. >> terrific. thank you. you had to wait here for a while to share your thoughts with us.
12:40 am
but it was well worth the read. -- the wait. thank you very much. >> i can't tell you how much we appreciate the testimony and also the ongoing work with us. we have some real expertise here. with regard to the ftc, i think i speak for senator carver, we want you to feel responsible. in other words, one of the concerns i've had is, there's so much of this going on, breaches , some of which relates to private companies and some as you mentioned earlier, nonprofits. so many people are concerned their information is going, even if it's not a business per se he would normally think of as we saw in the earlier panel. these websites where you know, you are giving information and that information is given out to other people. folks want to know about it. and so i hope and maybe we can do work on this going forward. that you all feel empowered to
12:41 am
be that one-stop for a consumer. if they have a concern, they can go to your website and figure out, look what's going on with a specific issue as we talked about earlier. there's been a breach of the big company and they can find out what information is about how they can protect themselves. but also just general information. i assume you feel you have that responsibility already. we want to be sure whatever legislation we do squarely puts that responsibility frankly and accountability on the ftc. any thoughts on that? >> well we are. the country's only general jurisdiction consumer protection agency. so of course we have a lot of consumer protection agencies. that fda or the securities and exchange commission or the banking agencies. we are the only one who take a general view to the whole marketplace. and we believe that we are the
12:42 am
best equipped to address -- should congress pass legislation with respect to data security, believe we are the agency best equipped to enforce and administer that statute. not only because of our more than 20 years experience with privacy and data security, in fact if you look at the fair credit reporting act, that statute has been around since 1970. we've been in charge of enforcing and administering it. but also just our general know-how with how to protect consumers and our focus on consumer harm. whether it's deceptive practices or unfair practices. and we have the goods to show for it. we brought 60 cases plus in data security in the same in the privacy area. anally, i think unlike agency that has specific jurisdiction, we are less susceptible to capture.
12:43 am
if you look at the more than 100 year history of the ftc we have proven remarkably immune to that. i would worry about a special agency to deal with privacy in terms of the potential for dilatory capture. >> well again, i think that is consistent with where we would like to go with legislation. just to affirm that and make sure there's a clear line of responsibility. my final question is about ohio , of course. and it's to mr. gilligan because he mentioned ohio in his list of states and countries that have put in place some kind of a internet security control system. we have recently in ohio established our center for internet security controls, as a standard for cyber defense after passing the ohio data protection act. could you discuss briefly the role of the cis roles within the -- cis controls within the ohio data protection act and how legislation of this kind can incentivize companies to implement some of these baseline cyber controls we talked about today?
12:44 am
>> thank you senator. the ohio legislation is one of the groundbreaking legislations in that it for the first time provides specific guidance with regard to expectations for cyber security. as you mentioned, it does reference a couple of the federal guidelines. so it references several nist documents. but the critical security controls is really one that -- the only one of those that provides specific implementation guidance. so we believe that's the type of guidance that is required, as you know, the ohio legislation is voluntary. the intent of it is really to tovide positive incentives those doing business within ohio to improve their status of cyber security. and we think that sort of the right way to go.
12:45 am
to provide a clear definition of what are the expectations. encourage through positive rewards organizations to comply practices and to serve as an example for industry as well. >> thank you mr. gilligan. mr. carper? >> i just want to thank a couple of members of staff by name. and say for the record names of other folks who worked on the -- we've been at this for a while and some people have come and gone. majority staff andy gottman, patrick warrant for their hard work and the others i know as well. minority staff, i want to thank the law clerks, kaelin burnett helps prepare for this hearing. and we have a number of folks
12:46 am
who are former staff, former law clerks who have gone on to other pursuits. we are grateful and i went to enter those names for the record. >> thank you senator carper. again, thank the witnesses for their testimony this morning. the panels were very informative. and i also want to thank the staff senator carper for leading on this important issue of protecting consumer information. that is how we work here. it's a nonpartisan approach. my staff also is deserves recognition for doing a great job in working with the witnesses and others to make sure this is a thorough investigation. as with other investigations we will look at investigation. i look forward to hearing from senator carper. the hearing record will remain open for additional comments or questions by subcommittee members. with that, this hearing is adjourned. >> good job.
12:47 am
12:48 am
12:49 am
[captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org]
12:50 am
>> there's no apparent loss to the commercial use. it would suggest to me at least this is not some crime syndicate. >> china? >> i think there is good evidence that suggests that's where it is coming from. >> there is work for all of us. the companies themselves, the private sector, they have financial incentives. the customer protection has worked for congress to do. we've passed a lot of legislation. we need to do comprehensive oversight hearings to find out what is working and what is not , the responsibility of the federal trade commission, the fbi, department of homeland
12:51 am
security, are we working together? the other thing is, one of the reasons why i decided three years ago there was a dramatic -- a drop in attacks by the chinese and iranians was because we started working with them in a more collaborative way. and that has gone up in smoke in the last couple of years. we are seeing a simultaneous rise in attacks coming from iran and from china. >> the bill you are developing -- i introduced my first bill on notification basically three things, companies have a responsibility to protect sensitive information. number two, when there is a be properlyeeds to investigated. three, folks need to be notified. you had another piece of legislation that essentially said, we need a national standard. my hope is one of the things
12:52 am
that will flow from this hearing is that we actually do now find that common ground. we have a lot of different jurisdictions and federal agencies. making sure they are on the same page. >> anybody else is working on this? i think bellows has worked for me for a number of years. you have in the senate, you have senator boone, on the commerce committee. now we have the senior democrat on the commerce committee maria cantwell who knows a thing or two. we have new members in the senate who are knowledgeable about these issues. some have been here for a long time. time to taked stock, to get this done, for senator portman to provide as much as we can to get the job done. >> the data privacy bill? >> there's a bunch of bills that
12:53 am
have been introduced. a number of things have been enacted over the last six or seven years. we need to find out what's right and what's not. and in terms of notification, breach notification, the focus on prevention, focus on notifying folks who have been breached. we need to do that and do it right. not just 50 states doing their own thing. we need a common sense federal standard to get the job done. thank you. >> thank you. >> once, tv was three networks and a government supported service called pbs.
12:54 am
in 1979, a small network with an unusual name rolled out a big idea. let viewers decide on their own what was important to them. c-span opened the doors to washington policymaking for all to see, bringing you unfiltered content from congress and beyond. in the age of power to the people, this was true people power. the landscape has clearly changed. there is no monolithic media. broadway has given way to narrowcasting. c-span's big idea is more relevant today than ever. no government money supports c-span. it's nonpartisan coverage of washington is funded by your cable or satellite provider. on television and online, c-span is your unfiltered view of government so you can make your -- make up your own mind. >> on the next washington journal, daily beast columnist eleanor cliff on campaign 2020
12:55 am
and the democratic field. then, the washington examiner's senior columnist discusses president trump's reelection prospects and the 2020 democratic candidates. live tuesday on the c-span 1:45 a.m. eastern, a joint press conference with brazilian president jair bolsonaro. a discussion on corruption in venezuela. at 2:30 p.m., scott gottlieb on his tenure. on c-span3 at 9:30 a.m., the u.s. institute east hosts a panel on crimea five years after russian occupation. next, homeland security kiersten nielsen

8 Views

info Stream Only

Uploaded by TV Archive on