Skip to main content

tv   Data Breaches  CSPAN  November 9, 2017 5:29pm-8:02pm EST

5:29 pm
>> live coverage from arlington national cemetery begins at 1 1:00 a.m. eastern right here on c-span. >> i'm the program director of the miami book fair. miami book fair takes place in downtown miami this year, we ve a little over 525 authors representing a huge genre.
5:30 pm
>> join book tv for the miami book fair, live from miami-dade ook college on c-span 2. equifax hters that reported a drop. recently, lawmakers heard from current and former c.e.o.'s to talk about ways they are trying to protect consumers. this hearing is more than two hours. >> good morning. now that our executive session is complete, we turn to the issue of data breach. it is not a new issue to
5:31 pm
explore. usedommittee has been folk on this. september 2004 choice point breach what many consider to be the data breach prompted investigations from this committee. for those who don't remember, choice point was a company originally created by equifax. n terms of the trajectory of inquiry, we have come full circle. we have paid attention. the committee has entertained to strengthen requirmements and impose requirements to notify their companies. sadly, we are truly in the era of major data breaches and this is at equifax and yahoo!.
5:32 pm
the equifax is potentially much more severe given the nature of the information compromised. i heard about the lasting effects of the equifax breach. i heard complaints it is difficult to set up the credit freeze and whether it is an effective tool. the breach reportedly exposed the personal data of 145 million consumers including names, birth dates and drivers' license numbers. the credit card numbers of 200,000 u.s. consumers and dispute documents containing identifying information from consumers. today equifax will have an update regarding the breach and prevent anything like this from happening again. he breach compromised over
5:33 pm
three billion. he compromised data included personal information backed up email. the three billion figure constitutes the yahoo! mail at the time of the breach. today, yahoo! representatives will have an update regarding these breaches and ensure the security of the data going forward. the our nation continues to face constantly evolving cyberthreats to our personal data. companies that store and collect data must step to provide adequate cyber security. the committee makes this a priority and i'm hopeful this will help the committee to better understand these
5:34 pm
challenges to address data breach notification. when there is a risk of real harm stemming from a breach, we must make sure that consumers have the information they need to protect themselves. i support a federal standard to replace the patch work of laws n 48 states in addition to the district of columbia and three other territories. this would ensure all consumers are treated the same. such a standard would provide timely noiks practices benefiting consumers and businesses. in order to ensure that businesses secure information appropriately, i have advocated for reasonable security requirements based on the size and scope of the company and the sensitivity of the information. however, in this regard, the facts of the equifax breach are particularly troubling.
5:35 pm
equifax was already subject to the safeguard rule which is considered to be a stringent regulation. nevertheless, the equifax breach occurred. and in handling security and handling the consumers. so i want to thank all of our witnesses for appearing here today and i look forward to hearing your testimony. i turn to senator nelson for his opening remarks. senator nelson: this as you stated is the long history and tradition of hearings we held on this hearing to discuss data scurelt and breaches. i want to thank several senators on this committee that have asked for this hearing. .enator baldwin, senator cortez thank you for all the more
5:36 pm
bringing this to the forefront. so if you start with the massive each of the choice point breach in 2005 and then and nuing with target neem cti group, heartland payment systems and many, many others, the parade of high profile data breaches seems to have no end and billions of consumers have had their sensitive personal, personally identifiable information compromised, including social security numbers, drivers' licenses, addresses, dates of birth.
5:37 pm
5:38 pm
that offer identity theft protection and credit monitoring services can't safeguard their own data from hackers, than how can consumers trust any company to protect their information. and let me say also, when you get up against the sophistication of state actors, such as russia and china, it's going to be hard to protect against them. so sadly, the question that millions of americans are now king is, as they struggle to figure out how to protect themselves in the wake of these massive preaches, what in the world do we do? so this committee, mr. chairman,
5:39 pm
is going to again consider what it would do to make sure that consumers are protected. but if we're going to do anything meaningful, we must have the political will to hold these companies accountable. over the years, the federal trade commission has brought numerous enforcement actions against companies for lax data security practices. but industry has recently challenged the f.t.c.'s well challenged legal authority to bring such actions. this piecemeal after the fact approach would be better served if the f.t.c. would prescribe rules that companies adopted reasonable practices in the first place. the f.t.c. have brought rules that apply to financial
5:40 pm
institutions like equifax. the institution should have the authority for the rest of the commercial sector. i think at the end of the day, it is only stiffer enforcement and stringent penalties are going to be able to help incentivize to help safeguard their consumer information and notify their consumers when they have been compromised. i strongly believe that without rigorous data security rules in place, it is not a question of if, that we will have another one, but when. we can either take action with commonsense rules or start planning for our next hearing on this issue. senator thune: thank you, senator nelson and i hope the hearing can inform our future acks. it needs to be addressed. and congress need to be heard
5:41 pm
from. glad to have our panel with us this morning. interim chief executive information at equifax and former c.e.o. of equifax. former c.e.o. of yahoo! and the deputy general counsel for rizon communications, parent company. and and the chief and executive officer of entrust data. we'll ask you to proceed with your comments and start on my left with you and ask if you can to confine your oral remarks close to five minutes at possible. but anything you want to add will be included in the written record of the hearing. thank you for being here. >> good morning.
5:42 pm
chairman thune, ranking member nelson, members of the committee, thank you for the opportunity to be here today. six weeks ago i was named executive officer of equifax. i never to become c.e.o. under the circumstance, but i'm honored to be in this position. speaking for everyone at equifax, i'm determined to issue the issues so we can regain the confidence of the american people. equifax and you can tell from my accent that i did not grow up in georgia. i'm a native of brazil. i worked the most in my adult life and i'm an engineer by training and have spent a lifetime of confronting and fixing complex business
5:43 pm
problems. this is the mindset. my first act was to address our consumer response in the call centers and our website. our engagement was and we are working hard to fix the problem. i apologize to the american people and i do so here today. but i promise each of you and the american people that equifax will be focused on strengthening security and providing data support for consumers. and we will give consumers more control.
5:44 pm
reduction in delays and back logs. second, we have revised our corporate structure. the chief securities officer now reports directly to me. i have appointed a chief information officer who will respond to the cybersecurity incident. third, we are improving our infrastructure. we have further hardening our networks and changing our procedures and detection tools and strengthening our mechanisms. fourth, we have committed to working with the entire industry to develop solutions to the growing cybersecurity and data protection services we all face.
5:45 pm
and finally, we promise to launch a new easy to use app in january that will give consumers access to personal credit data for free and for life. we are only scheduled with the development of the app and we are confident that the consumers will find it extremely valuable. we have done a lot in a short period of time, but this is just the beginning. i remind my team every day that there are no short cuts. strengthening the company's security capabilities and ensuring the consumers requires both. i have a long-term commitment and i pledge this is how we continue to proceed. he can which fa fax has 10,000 talented people and it is essential for the economy and
5:46 pm
helping consumers with the credit they need. our top job must need be the entrusted data. and now it's up to us that we need to regain the trust. we are committed to working with consumers, customers, congress and regulators on these issues and restore public trust. this has been my focus as first six weeks as c.e.o. thank you for your attention and elcome your questions. senator thune: mr. smith. >> thank you mr. chairman, thank you for the opportunity to testify before you today. i submitted my written testimony as well as to other committees in both the senate and the house and i have testified before over
5:47 pm
the past three, four weeks. that written testimony is the record of the events of the breach at equifax that occurred and i'm here today tore answer any questions you may have. senator thune: thank you, mr. smith. >> chairman thune, ranking member nelson and distinguished members of the committee, thank you for the opportunity to appear before you today. i have the honor and privilege of serving as yahoo!'s executive office since 2012. yahoo! is a victim of criminal tate-sponsored attacks on user information. we earned our users' trust. these attacks happened during my tenure and i apologize. when yahoo! learned about the
5:48 pm
attacks, yahoo! prompted to law enforcement and notified users who were directly impacted. we worked closely with law enforcement and f.b.i. who were able to identify the hackers response i will for these attacks. we now know the russian intelligence officers were responsible for highly and sophisticated attacks. the department of justice and f.b.i. charged four individual with these crimes against yahoo!. and the d.o.j. and yahoo! thanked us for our early engagement. law enforcement provided yahoo! with data files with dueser data. it was most likely stolen from the company in august of 2013. although yahoo! and its forensic
5:49 pm
reports didn't i identify, the company notified the users to be affected and took steps. i want to stress how serious the threat of cyberattacks and how personally i feel about these potential rifpks. after growing up in wisconsin i remember buying my first computer in college and seeing the potential of how this technology could change the world. by college i was hired google and first woman engineer. there over the next 13 years, i worked from software engineer and becoming a member of the executive committee. i became a c.e.o. of yahoo!. i'm humbled by the opportunity to lead them. my expense from yahoo! and google we have changed our world
5:50 pm
for the better and reinforced the potential dangers by cyber crime. i will discuss with the committee our efforts to the security measures and defenses yahoo! has in place in advancing consumer protections community. we worked hard from the top down and bottom up to protect our systems and users. e devote the resources to go against these threats. we roughly doubled our internal security staff and made significant efforts. improved our security processes. yahoo! had in place multiple place layers of protection. we were extremely committed to security and invested tremendous resources. i thank our members for their
5:51 pm
effort in addressing yahoo!'s security. while all of our measures have designed against the attacks, russian agents intruded in our systems. the threat have changed the playing field that today i believe all companies even the most well defended ones could fall victim. i will close that cybersecurity is a global challenge. no company, individual or even government agency is immune from these threats. the attacks on yahoo! demonstrates that the collaboration is essential in the fight against cyber crime. adepress i have pursuit of cyber criminals as the d.o.j. and f.b.i. exhibited could be a meaningful deterrent in preventing future crimes. e acting assist ant general,
5:52 pm
our nation's state attack is not a fair fight by working together we can help level the cyber field. thank you for addressing the committee today. >> chairman thune and ranking member nelson and members of the committee. thank you for the opportunity to testify today. i'm verizon's chief's privacy officer. verizon has a significant and long standing commitment to safeguard consumer data. in an increasing connected world, verizon recognizes that this is prereck which sits to compete. the very nature of our business has required that verizon makes data security a top priority. n july 25, 2016, versong announced it acquired yahoo!'s
5:53 pm
operating business. that closed on june 13, 2017. yahoo! is part of a new company. it consists of 20 digital and mobile bands and yahoo! news and yeah who supports. in september and december of 2016. yahoo! announced data was stolen in 2013 and 2014. these incidents happened before the ack acquisition. yahoo! disclosed one billion of the three billion accounts had likely been impacted. after verizon acquired yahoo!, we acquired new information and reviewed it with the assistance of the same outside forensic experts. based on that review, we concluded that will those accounts were impacted by the
5:54 pm
2013 security incident. yahoo! provided individual notice beginning on october 3, 2017, less than a week we determined the scope of the impacted user accounts. the review confirmed that the tolen information did not have stolen security numbers or financial information like bank account information. although verizon did not own yahoo!'s operating business or during the incident response, we understood that yahoo! took action to protect its users' account. yahoo! required password changes where passwords had not been changed since 2014. they invalidated and answers so they could not be used to access
5:55 pm
accounts. yahoo! took those actions. this means that yahoo! took steps in 2016 to protect all users including the additional user accounts that were notified in october of 2017. provide actively enhancing our ecurity is a evolution and gather intelligence, leverage to make improvements to our systems and provide more protection. as part of integrating, we are combining two strong existing security teams. we are examining the tools of each team and examining the best tools and practices. we are in the process of creating an advisory board that will have experts. and it will have an overall approach to security. and we remain committed to
5:56 pm
continuous improvement. at verizon, we are laser focused on our customers and we know that their information will be secure. as a result, we go to great lengths to integrate security across our plaintiffs and products. we are defending our companies' assets and customers including those with the yahoo! transaction. with the benefit of verizon's benefit and resources and commitment of the accountability, we will continue strive ahead of an evolving landscape. thank you for testifying today. i look forward to answering your questions. >> chairman thune, ranking to er nelson, thank you discuss the major data breach and urge actions to protect
5:57 pm
national information. we have provided secure and digital identities that are used around the world in banking. identity is a foundational element of our commerce system and the ways they build their financial lives. this information is targeted and we see more sophisticated attacks. incredibly complex world. it starts with the secure identity. this will become more critical as we drive toward connectivity linking our lives to a connected system. according to the 2017 investigations report, 4 % of all breaches can betraysed and able to compromise and gain access to data.
5:58 pm
the primary target is consumer identities. the information stolen has contained personally identifiable information, and the focus of this hearing is to examine the events and identify steps that could have been taken and determine if there are options to further safeguard. regarding the issues of steps, today organizations are challenged by increasingly complex states and attacks from nation states. this could bring experts and no system is free of vulnerable systems. there are documented best practices and numerous security tools to mitigate common attacks and major breaches are from stolen credentials. and today, a substantial amount
5:59 pm
of p.i.i. that is the basis of secure transactions has been stolen and could be used to defraud consumers. we need to find a balance between responsible iffer behavior and underlying security identities. it will be critical to implement the system that can respond to compromise to ensure consumer data is no longer at risk. the federal government provides a nine-digit number, our social security card. this is issued at birth and difficult to change without significant inconvenience to the citizen. this form of identification has not changed leading consumers to compromise. time is upon us to create a new identity framework. this will have a new framework. there are several examples of public-private partnerships
6:00 pm
delivering stronger identity frame works. a new identity framework will allow you to use to in a substantial breach or compromise. this new identity and be used in case of breach and allow the consumer to more easily recover their this new framework would minimize risk and be used in case of breach and allow the consumer to more easily recover their identity with minimal amers to protect their identities. the best path forward rests upon andpublic-private ecosystem constant self-assessment of vulnerabilities. whether it is through incentive or directive, we need to proceed now. we need to address information compromised while working toward
6:01 pm
longer-term solutions to greater more resilient identity for american consumers. thank you for your time today. sen. thune: thank you, mr. wilkinson. i will start with the questions, you describe the significant investments yahoo! made under your leadership with regards to security. nevertheless, the company failed to -- detect the 2013 breach, the largest in the security of the internet, for more than three years. even after the 2013 breach became apparent, yahoo! significantly underestimated the number of accounts implicated, by billions. i will give you an opportunity to answer the obvious question. that is, with such a strong security team in place, how did yahoo! fail to recognize that all 3 billion of its user accounts had been compromised, and why did it take more than three years to discover and
6:02 pm
disclose the breach? at yahoo! we deeply valued our user security and invested heavily in that security. inis frequently the case these type of cyber attacks, they are complex, they are persistent, and in often cases, the understanding of the facts evolve over time. to this day, as i understand it, we have not been able to identify the intrusion that led theft. safed. -- to that we verified the data came from yahoo!, but we do not understand how the act was perpetrated. that led to some of the areas where we had doubts about the information. sen. thune: why the delay in disclosing it? it took from 2013, three years.
6:03 pm
and how is it possible to underestimate by billions, literally, the number of consumers impacted by it? yahoo! did not know of the intrusion in 2013. we knew in november of 2016. we identified at the data was taken from yahoo!, likely from august of 2016, notified law enforcement and users and took effective actions on accounts. we estimated it affected more than one billion users. there have been recent announcements from verizon that i am not privy to, as i am no longer with the company. sen. thune: the 500 million originally disclosed and it jumped up to 3 billion, there is no real explanation to your knowledge, for how you miscalculated the number of people? ms. mayer: the 500 million
6:04 pm
to the fallelated of 2014 breach by the russian hackers for the indictments were issued by the doj and fbi. sen. thune: in prior testimony you said the failure to patch a known vulnerability in your system boil down to a single employee's failure to act, compounded by an i.t. scan that should have detected the failure, but did not. and then the vulnerability was allowed to persist for several months without corrective actions being taken. for a company that holds the most sensitive information on american consumers, i hope you can understand why this revelation is so hard to understand. can you explain why there were not more tripwires and redundancies to prevent things like this from happening?
6:05 pm
you testified these weaknesses have now been addressed. perhaps you could elaborate on how. >> yes, you're right. i referred to the fact we were notified march 8 of this year. i communicated protocol on the ninth, the vulnerability in the source software. the emailed did go out for our protocol on the 15th of march, we did a scan and the scanned and not find the vulnerability. aman error, as well as technology error, both led to the ability for criminals to access what we call a web portal dispute environment. why wouldn't you have had more redundancies built into your system? why was it -- basically comes down to, one employee. it seems really hard to fathom.
6:06 pm
a company that specializes in what you do. mr. smith: the redundancy was a scanner ended -- and it did not work as well as it could. a standard process of identifying a patch, and going back a week later with a technology scanner. sen. thune: you said you fixed to that? can you elaborate on that? candelabra on further steps equifax has taken since the breach. mr. smith: i will start and mr. barros can continue. we installed a new scanning technology to a new generation scanner. it seems to be a better scanner than the prior scanner. mr. barros: as you can imagine, it is my top priority. strengthening security systems in our company.
6:07 pm
we have done a comprehensive, top-down review on the process. we are strengthening all aspects of our operations. including our patching capabilities, enhancing and sureing our tools, to make we have an effective detected -- detection system in place. we have put stronger policies in place to make sure we have more redundants and closed loops. sen. thune: have you disposed of the data you no longer need? has equifax disposed of it? mr. barros: it is part of the process we're going through right now. how about in cryptic? mr. barros: whatever is necessary to do it.
6:08 pm
including encryption and all new technologies available to make sure we protect the data. sen. nelson: -- senator nelson. sen. nelson: we have had these hearings before. if we do not do something, we will be having a lot of these hearings again. wonderingint, i am that there is no such thing as data security. when you think of a sophisticated state actor, such yourina or russia, companies cannot stand up against them. institutionson or that can stand up against them is the national security agency.
6:09 pm
and what we are going to see in the future, not only personally identifiable information, but the state secrets of our country . are critical infrastructure, as represented by companies such as ewers. there is -- such as yours. there is going to be cooperation with a sophisticated player in the united states, which is the u.s. -- which is the nsa. otherwise, we, americans, will not have any more privacy. we do not do something and if you all do not do something to change this, we are going to be right back here on additional coming up on this same topic.
6:10 pm
ms. mayer, what do you think? you had a sophisticated state actor coming after you. you really think you could have protected yourself? robust defenses and processes are not sufficient protect against a state-sponsored attack, especially one that is sophisticated and persistent. we at yahoo! cooperated with the law enforcement and brought these breaches and intrusions to the attention of law enforcement, each time they were detected. and the doj and fbi were of great assistance to the company in identifying the perpetrators and bringing them to justice. is anelson: but that admission you are not protected against a state actor.
6:11 pm
>> we have to make sure we're changing our security systems to and keep up.
6:12 pm
>> that's a good intention. take more.to it's going to take an attitude change among companies such as go tothat we've got to extreme limits to protect our privacy.s all -- you hold a lot of financial guillotine over a lot of your customers by what their credit rating is. protected,a is not the poor little fella goes it and he's got it ready and he's got the down payment and then he can't get a because now, he's got something black mark on his credit rating that is not real theres been placed
6:13 pm
because of a data breach. can't close onla his house. consequences. what are you going to do about it? >> there's no dugout that -- securing databt is the core value of our company. apologize deeply to the american public for the breach that we had. we let the public down. i'll tell you this, i do agree other panelist here and your point earlier, a combination cooperation between public private to address this issue is needing. any 12 years running company tracking the increase of cyberattacks. i talked about it. not unusual for any one given year to see suspicious
6:14 pm
activity unwanted attempted attacks of millions per year. mr. smith, didn't you describe equifax as the victim failed toompany secure the security theerability that led to breach? is equifax really the victim? i described victim of a're a criminal attack. >> mr. wilkinson do you consider equifax to be a victim? >> senator i think a victim. there's been many victims in the case of these breaches. the criminal impact from hackers those enterprises creates them to be a victim in my opinion. >> well, do you believe that they had adequate security
6:15 pm
measures in place? >> based on my understanding of at breach that occurred equifax, we're talking about the fact patching security timely way,ies in a we've heard some discussion some in securityase stance they've had since the breach. these are the types of things suggest to you basically understand best practices. understand your question. have hadnsider them to appropriate security protocols? >> having not patched i would suggesting that that was adequate security protocol. no.o the answer is equifax is not the victim. customers of equifax? is that correct? ifi believe both are victims
6:16 pm
my opinion. >> thank you. >> senator nelson. your writtenif testimony, one of your public private partnership on social securities. -- if your that also rethinkingapply to use of passwords and user i.d. askers and i will mr. wilkinson to address this question also. mr. wilkinson,ny you talked about dynamic identities as a way to replace the social security number in modern age. a better to brazil as example where the government issuinge identity technology and issues some sort
6:17 pm
identity a fight last for three years. go to mr. wilkinson first and mr. smith. is that system working better for the consumer in brazil or is it just a helpful aspect but the job done get against this onslaught which nelson described if his question. are two questions. youour first question, passports,ion use of identifiers as well as social security number. with static information like pass poured or social security number, you have frame work.ak which is why we talk about the for additional security.
6:18 pm
some of those tools need to be deployed as we talk about where we use social security numbers as primary form of identification. testimony, i had additional samples a we see other countries doing. suggest to you are best practices. i suggest will be important for at. committee to look these countries moved to digital systems because they didn't have anything in place. what our recommendation is, from system that worked in united states but no secure. example that you site from of digital form identity that is issue by federal government for the withse providing a citizen a digital identity that they can use for certain transactions and limited life. way they avoid moreidentity frame work is
6:19 pm
secure and provides ability to be more resilient than what we see today. >> in your view, the consumer is better protected under this brazilian system? >> they can be, yes. >> mr. smith, what are you saying? >> i agree. using 1936 like ssn, concept.lived that some combination of digital think it's rake path. suggestriah, you legislation. we only have a minute, 23 left. what would this legislation look like? two key things that should be in data breach thatlation are number one, it be a national frame work so
6:20 pm
standard to comply with as we're responding to a data beach. number two, it's really porn it gets the standard right for when we know notify customers. it's important to notify customers about information that they really need but to make notifyingwe're not them so often about so many stop payingthey attention. to take anyone like issue with senator nelson's that reallylusion against the state actor like seen. a mere company is just unable to without going to n.s.a. anybody want to disagree with that? no takers. you mr. chairman. blumenthal. >> thank you mr. chairman. thank you for having this hearing. thank you to the witnesses for today.ere
6:21 pm
i think almost every american consumer at this point is aware risks thatceptable are entailed in many of our risk to theirices privacy information that they expect and reasonably anticipate be safeguarded by companies with them.iness where they are customers. breach in particular federalhe limits of the trade commission ability to protect customers and impose companies that negligenceata with and recklessness. why of the examples security can be met only with and promises to do
6:22 pm
time. next the real deterrence will come imposedse penalties are on executives like one today. our data can'td be trusted, then the government the tools to go after hackers and thieves and accountable.s common sense legislation i've breachced the data accountability enforce amount of 2017 would ensure that the ftc any data breach by any company or organization that hold sensitive consumer data including nonprofit and
6:23 pm
penalties that are actually sufficiently strong to motivate companies to implement the onset.rity at o at -- there is no real cure. when you were here last, i think the last time you were on least.ate side at you came for the judiciary committee, mr. smith. commit ahether you can none of your consumers would ever be required to go through arbitration. you said understandably that you were no lorne with the -- longer and you company couldn't guarantee. to ask barros.
6:24 pm
you guarantee no consumer will be required to go through arbitration if they decide to use one of your services? >> senator, i understand the first product when it came out and means to being removed. used by theis tool industry. especially the consumer industry. used a tool in the life the law. we'll con to evolve in this ofcess and examine the use this arbitration process. >> i apologize for interrupting is limited as you understand. yes or noe of those answers i think. can you guarantee that you won't understandtion -- i all of the one hand and other hand comments that can be made. consumers expect that they will right to go to court and
6:25 pm
have their rights indicated there. can you guarantee that will you force them to use arbitration? believe the customers have a choice to choose product. your product,ose they will not be forced into arbitration? you guaranteeing that? >> according to the law and use are the tools in the industry they'll have arbitration in place. >> you know difference between credit freeze and credit lock? >> yes and no. guarantee that the credit lock, if you use them, subject to consumer protection? laws wheretate consumers live? understand we use freeze and lock. day, itnd of the provides the same result. requires different
6:26 pm
regulated process where you will paying the freeze. >> credit freezes is regulated by state. you're resorting to credit lock. scrutiny?void state >> no. we did it because it's simple to use. access to use. easy to understand for the consumer. expired.e is thank you mr. chairman. round we'll have a second schatz.ator >> do you think consumers should be able to see the information uses when thek bank makes a credit decision? >> we have as an industry not done good job represented by the
6:27 pm
consumer. the unless is provided by the consumer in acquiring new karsh card. credit this information is usually financial institution. it works.stand how when the bank evaluates my to get arthiness, bunch of data. i don't get to see what they're looking at. think i should be able to see what they're looking at when worthiness?y credit this is also probably a yes or to answer. >> you have access to your credit report. score.e access to your this is information that used to make a decision. >> it's same information? >> credit report is the same as testify. is the same as they have. a's information to make decision. tare allowed to see information. >> you're telling me that the calledtion that so customer has, is all that a bank is provided by equifax?
6:28 pm
know.on't >> mr. smith, you sounded like you wanted to correct -- >> no. i may add something to it. if a consumer going to a bank to apply for a loan of some sort, thecally the underwriter at bank will pull a credit file. consumer has a right to get every year.at free they have access to score. the you're referring to, bangs don't just use a standard -- fico score.e co have their own score customers?our the people who's datas breached, customers, or customers?r >> we have customers as
6:29 pm
consumers. the customers -- [indiscernible] >> it seems that there's line on that side not to excuse what happened with yahoo!. it is different. differentives are between the credit reporting agencies who had zero financial get it right. you guys get informed by the department of homeland security that there's a vulnerability. you get provided the patch. you don't download the patch. doesn't work. executive cash out their stock. peoplen start charging to lock their credit or freeze credit. you then start to promote through life lock. you have commercials with life lock saying, theres been a breach. you might want it use this product. life lock subcontracts to equifax.
6:30 pm
verizon,side for yahoo! angolan other companies, if you screw up with your customers there's a customer relationship that it frayed. of the credit noorting agencies, there's vision on side of the pers -- commerce. there's no incentive on your side to do anything other than to charge us to solve the caused.that you there's no incentive on your side to spend the money that it take to transform the company to actually treat us like customers. lenders.omers are your customers are not the throughho got harmed breach. mr. barros you want to respond to that? that biggest incentive that we have is stewardship, obligation with to keep their data. accurate and safe. >> that's not a fiduciary. you have an earnings call tomorrow.
6:31 pm
to reportng presumably everything is fine and things starting to pick up. made more profit than usual in the wake of this problem. i would be remised if i didn't mention, people back home, i don't mean back home where i live, back home where all of us cannot understand how the yahoo!equifax and ceo of walked away with $90 million and possibly a and quarter billion dollars in stocks. unfathomable to the average person. i understand mr. myth, you and i had an exchange, this in the proxy. it's set by the board. control.under my i up alta. i'm saying is, regular people done unthat. they shouldn't understand how you harmed customers and walk moneyith the amount of that a small city or county uses for their annual operating
6:32 pm
budget. not fair and it's why this dias has an obligation to make a law and drag you back and forth and wave our fingers at you. you. >> thank you senator schatz. senator moran. you ranking member. let me start by asking this question. the premise. first mr. smith and mr. barros then ms. mayer. makes thenesses calculation. invest. decision how it it's investing data security. theuestion is, before breach has occurred at initially equifax and -- with both companies. before they occurred, what did expect? what did you say to your to youre committee, board of directors. what's the probability of breach
6:33 pm
company. at our then follow up question to that, probability today? you calculated what the probabilities were. decisionsinvestment how to invest in security. is it anyprobability different today for additional breach at either watch your prior to than it was the original breaches. mr. smith. >> we don't calculate the actual percentage probability. get a very comprehensive frame work called enterprise risk management. erm. for ten years, we've ranked data security as the most high risk -- high probability risk we have as a company. if we had a security event, it detrimental to the company. it.on't calculate >> does that statement mean you
6:34 pm
breach?pect a >> probability of a breach? >> is that calculation any different today mr. barros based atn changes that you've made the company? is it still the same probability of a breach occurring today and was prior to the earlier breaches? today, weeve that abandoned it. to in our company essentially. we would have to make significant investment. cop to do so. >> how much more money are you aending today to prevent breach from happening than you were pending as a company? >> it's a natural response. we're spending significant more money in that process. >> what percentage increase that your company as occurred as a learned from the breaches that occurred in the past? expecting to have a specific spike on the cost.
6:35 pm
today.spend 50% more from four times more. >> as a result spending four more, would you say it's less likely today that a breach company? your >> it's my understanding >> what will be your reduction? what's the restructure in probability? >> i don't have specific number. we have a series of action taking place today. say today a we believe better today than it was before. >> would it be better if you four times more, simple six more. >> we've been advised to make that we have installment of the technology. >> would yahoo! answer this question? >> we have at yahoo! one of the databases in the world. contained.sers that
6:36 pm
we described this as an armed race. hackers becoming more sophisticated. a breachyou predicted before it occurred? would you expect a breach? i'm consuming that's no. >> we did not calculate percentages and predict a breach. we took significant efforts in investment to increase our security. which included increasing the side of the team by a factors of two. we did like to empower users to passwords to yahoo! account key. increases our encryption. a bug bounty. teams to attack us and tell us where where.bilities
6:37 pm
we took extensive actions. turn to ms. zaccariah. is probability of breach less today? >> again, we don't calculate the of a breach. what we do do is -- >> let me ask the question differently. are customers more secure today were prior to the breach? a customer expect that it less expectation than before the earlier breach? >> verizon has taken security very seriously. we're bringing that same focus intensity that we've brought to protecting our customers and our network to any acquisition including yahoo!. >> what seems to be missing to the assurance that as , should have a sense
6:38 pm
their safer today than they were before. i don't have. assurance from any of the responses to my the case.that's we ought to be concerned today about a breach. we're taking all these steps. let me say -- do you believe companies in a similar business, companies that wouldots of data that affect customers, are they as as yourle to breaches companies and have been? yahoo!.not limited to it's not limited to equifax. ifry other company that's the data business is just as been ande as you have are today. out listd print efforts. in addition to response to steps causingk users to reset passwords, attack surface area
6:39 pm
.f our systems we did respond and change the of -- >> therefore today as a customer of yahoo!, i should feel how better that my data is safe? >> it's difficult to quantify. thee's no question, that users are better protected today because the breaches were detected and deviated? >> are you spending all the that necessary to increase protection? could they be safer if you did more? are you doing everything you do? >> i'm no longer with the company. case.as the verizonecurity team at will tell that their job is to defend against any and all attack. that's exactly what we're trying to do. >> the company provides them with the resources to accomplish goal? >> absolutely. >> mr. barros. >> statement for us.
6:40 pm
question, do you any disagree that the federal trade overssion has jurisdiction your data breaches and has the tolity to regulate and penalize for false and to penalize that far breaches. you agree that ftc is your regulator and has legal authority? did you say unfortunately? >> they make sure regulatory perspective is in place you.ank >> certainly because of the yahoo! incident. come -- tel come side -- >> i understand. thank you very much. baldwin. the senator with questiontart mr. barros, mr. smith.
6:41 pm
identify if you have any who pack n today about hacked equifax. possesses personal identifying information. can you identify to me if any of you have that information today? no evidence.e >> we engaged fbi on august 2nd. they're working with the fbi august 2nd. >> in our experience, these ownshes occur, everyone this data because it's out in public. you.ank we all know that the equifax the personalmised and financial information of americans.45 million we really can't even begin to
6:42 pm
ramifications this failure will have to the and individuals that are impacted. it's clear that equifax needs to do a lot more than it help victims respond to this breach. make aros, will you commitment right here and now proactively will notify every person who was impacted in this breach? no.or >> we have been notifying. have improved our web page to make sure social media is active in that moment. we have been working with have reached to us. we have a team working everyday. know you've acted in area where state law demands that you do so. you goingoesn't, are to reach tout to each and every
6:43 pm
individual that you believe was impacted by this breach? will execute according to the requirements under the law. >> if there's an absence of law the state, you won't do anything? actively engaged customers to make sure they use product that we have today. >> equifax set up a poorly where peoplerocess would have to go to the equifax werete to find out if they impacted. how many people have gone process?his this. smith mentioned to 400 million hits. >> do you know how many individuals? >> 30 million individuals of 145 million. you mentioned call centers in
6:44 pm
your testimony. equifax's call center located >> florida, nevada and las veg vegas. city, in north florida and in las vegas. >> are there any ou outside the united states? centers in cost costa rica. that's correct >> what other parts of the world? >> malaysia, india. .epends how the demand goes thead surge, we use flexibility.
6:45 pm
offering free now credit report locking for life reporty offering credit january 31,hrough between 18 -- 2018. a commitment that offer a free credit report monitoring for life? you enroll until january, you have another 12 months to use the product. in new product that we put can lockere customers and unlock their credit file. >> monitoring? >> we don't this open. >> victims of this breach will
6:46 pm
able to control access from the reports from all three credit agencies to protect themselves. the other agencies charge for each and $10 every freeze. be offering rebates to victims to cover their freezing costs with the other agencies? >> resolution has to be one that affects the customer. andas to be sustainable scalable and industry driven and government to make sure we reach out. step forwardirst which is to offer a service that customers can check and lock and unlock their credit data for free and for life. we want to work with the industry to make sure that we have similar capacities.
6:47 pm
>> mr. barros, you're from an internalpleted review of the stock trade senior equifaxr exposure. the special committee reports founded, none of the four engaged in insider trading. failed to mention officerye legal approved some of the stock sales same day that he called fbi to alert it. it took mr. kelley two more to inform the customers that they are no longer allowed to sell stock. totally inappropriate. the report does not mention mr. kelley and he still works for equifax.
6:48 pm
i like to ask mr. boros and mr. smith, do you believe waskelly's failure to act appropriate? perspective to provide who was appropriate or not. has actively defined needthe board executives directuently go out in a form. the special committee continues to review the and process as it relates to cybersecurity. >> there's a full investigation. pub -- report.r unusual for us to council andde
6:49 pm
outside experts. i mentioned earlier, one of the had three to four million suspicious activities, attempts that are database around the world. fbi.dn't engage the >> thank you. me say thank you chair and thisng member for holding hearing. equifax.art with i'm from nevada. there's about three million people there. dozen letter.four whove a woman in caroline, wrote no citizens have practices businesses or
6:50 pm
bureaus. equifax did not do enough to information. couple of questions to start with into the data that is selective. part of this is the data collection and we should be at that. breach of the 145 million customers. names,a collected was social securities, addresses, birth dates driver's license numbers and credit card information. is that true? >> in some cases yes and some no. youhat other data do this?t on the >> we have a piece that was effective. most of the data included social and datanumbers, name of bit. i will it for the record
6:51 pm
very helpful.be i think that's helpful in this discussion. to me the data breach that equity is egregious. time.pens all the we've heard it i think from what heard from ms. mayer, cube ticket is a global challenge. have top line sophisticated security. when you fail to do that, you accountable and customers should be notify. the discussion on the data. you those individuals that work with now and those customers that had credit locks credit freezes their data
6:52 pm
breached? >> it could be >> that's what they will go after. social security numbers. shouldn't customers be the ones opt in and opto when it comes to data that i'm sharing with you? the way the economy works. --n customer >> customer does not have a data that you're collecting. i know it. the credit reports do not tell data that you're checking. true.that >> i was attorney years. for eight
6:53 pm
everyday dwelt somebody who's identity was stolen. their lives th the-in -- they are going to have to clear their records for the live.heir that means that somebody will theirgoat and house in name. people will clit crime in their name. spending rest of their lives. is so egregious. will have an obligation to not but make at the data, sure you're protecting it. if there is a breach, you're doing everything you can to restitution to individuals. mr. wilkinson. the data andout social security numbers and that it differentok at way of identifying. i'm secure if you have anything
6:54 pm
specific on what we should be looking when looking at that fii. >> first thing to note. of the broaches, of items were leaked. this with other breaches that curd, we're getting close to all the personal information in the states. it's a good point to compare and contrast what happened with some of those breaches. that means financial payment reasonably resilient. it was a burden for customers,
6:55 pm
the ability for consumers to fraud new issue as a remediated and ability to do wellrce is relatively known. in addition, the liability largely fell to the financial institutions. looking to some examples like what we see in financial payments, ecosystem is a more example of a system we have in of identity today. our identity is out there. i continue to reinforce that our position is that. we believe more resilient brought needs to be forward. >> i agree with you. identities are out there. some of us it's too late. our kids it's not too late. andot to look to the future protect their information as well. it is something that to me, it's
6:56 pm
not static. we've got to continue to figure issue. we address this thatagree there should be public-private partnership we've got to figure this out for the benefit of those people that we're taking their data and they have no choice. they have no choice that companies are taking their information, they're monetizing it. they get stuck for the rest of their lives dealing with results of breach. so thank you. morning to all of our panelist. this is a question to the panel. although the most relevant aample that we can call on is response from equifax to the beach -- breach. there are state by state laws to individuals when there are security breaches of their personal information.
6:57 pm
laws represent the lowest amount of communication required. companiessted in what are deciding to proactively done to help notify and help the consumers affect by these breaches. mr. barros.rt mr. smith and equifax stated that taken big steps. haveof those steps seem to come only after public outcry to your initial response. more broadly, can you elaborate what considerations and you and your companies take boo account when notify and steps to -- remediateage the damage done. >> one of the the notification process. we took very seriously. the state requirements first time a innovation. >> i'm asking beyond that. minimal.
6:58 pm
what are you deciding to do beyond that and how do you -- considerations are you making? is one more i top priorities. consumer response. the consumer side we made our scalable.rs for .ou can get in and out >> i'm also talking about your efforts to notify customers beyond the requirements. >> we've been working with the customers making sure they use the service that we have provided for free. transitional period. we will continue to introduce and unlock for free for life. did use, wass we one acceptable. worked.like it
6:59 pm
>> we can pursue this on the record. my question. i'm asking for now. state laws are minimal you have to follow it. factors you are considering when you decide when a consumer? proactiveo! we took a stand. frequentlys education is required, we did it .verywhere accuracy and comprehensiveness very important. analyses how any new data maybe or abused. >> verizon what we do, we always obviously look at what the law
7:00 pm
requires. then we look at what we think is do for thehing to customer. you.ank holdr company doesn't consumer information. >> i wanted to follow up with mr. barros about the difference between credit lock and credit services. placing a freeze on their credit best waysthe customers can protect themselves. thefax stated it with waive fee for customers to place a freeze on their credit in response of the major data beach. stated that it will customers the ability lock their credit for free. can you share difference between credit lock and credit freeze in terms of consumer rights and
7:01 pm
protections. who has access to a consumer when it was frozen versus lock? >> fundamentally, theres no difference between a lock and a freeze. when you freeze a your a leg process and you make a phone call. you identify yourself. you ready to and execute. -- win you doe the lock, it's the simplicity of the process. they trying to goat to your file. up. see that my time is i think drunk driver experts who would disagree with you in terms of safe partly sunny. -- of the tensionally follow one of the things i will follow
7:02 pm
freeze a equifax customers.lping i thank you for your -- >> thank you. i want to start with the question to mr. barros. to your knowledge has any of the unless that was pretty muched and driver's license, social security, forkeds addresses, credit card information. a any have any indication a youse customers folks have data was breached. has been misused. have any indication a this data tousing choices.er in they weres of yahoo!.
7:03 pm
offen you have -- was that a rd flag that was brought tour company? saw no volume of report. we did roll out advance thatction against threats notified user if we saw any indication that their account accessed by a spate sponsored attack. me roll that out in county. >> mr. wilkinson, you said all publicformation is if domain but you out there in general. we would have to assume that. assuming a. does it surprise you that none of this information is out there. been used if the farthest ay and anybody can protect this point? be surprised.
7:04 pm
>> mr. barroser you mentioned in were how individuals contactedded. has direct yahoo! communication. data that's collected here does not seem to indicate any kind of e-mail address or a you can send out s.map warning signal will that change your profile in of being able to have quicker, more efficient and disseminate. >> we like to be more up front the secure. we have improved significantly
7:05 pm
web fight. have my phone numbers available for the customer to questions. we're doing this for social media inviting people to talk to us. sure that we can respond and direct them to the right solution. >> i can tell you that one of ways that people want to talk to you when they get their credit report and they see there they don't agree with. i think that your company years and the credit is anad realized this northerns problem for the -- i know that happens frequentsly. worked to correct this problem and toy to reach consumer.
7:06 pm
this to get --do complaint andr a work through the process, very time consuming and difficult. i'm going to consume that those tightening up in light of this security pretty we've seen. concerns a of my top i have. improve the process. >> i'm interested in your proposal to lock your information as an individual. said you would have on cost freejanuary at and the customer can opt in opt out. how did that work in they weres
7:07 pm
of your piz frame work? for >> the objective that we have service,esigned this make sure consumer will have the power in their hand to lock and file. their >> when they have a locked file, you?locked from >> yes, nobody can have -- access to that file.ation on that >> thank you. senatorher -- gardner. economy heard it said this is
7:08 pm
information. personal identification information. who owns the information that you provide to your clients customers? >> according to existing we knowry framework, that information >> does consumer have ability to say i don't want you to have that information? >> they have opportunity unlock file.ck the >> do i have an ability to say i want equifax to have .nformation about me >> the framework that we have exit, the consumer cannot out the file. >> the answer is no. a credit card, bank loan, that institution ability ceo, i have no to stop that from happening. file. can up lock your >> answer is no i can stop that. who's information is this.
7:09 pm
is it your file or my file? regulatoryg to perspective, i have the information. >> i get it. think it's right though? >> i think it's not my perspective to say it's right or wrong. it's the regulatory perspective a we work on. owns the credit card me?rmation a you have on do you think consumer should own data?
7:10 pm
should customer own their information? >> yes, i believe they should. controld we be able to our own information mr. barros? >> yes. >> you're saying by putting lock control , it's consumer control? >> when you look and unlock your file nobody can have access to your file.
7:11 pm
decision that was made to manage the data? --there were multiple deals tools we used to encrypt data, including masking, and firewalls, with multiple layers of encryption. >> it was made to leave it on encrypt at rest? , have youtook over directed company to encrypt such data or have even recommended to? >> we have done a top-down review of our security situation. >> yes or no question. is the data unencrypted at rest? >> i don't know at this stage.
7:12 pm
>> you don't know? isn't this the reason why it was breached? this data was unencrypted? >> encryption is one form of defense, and we have several forms in place to prevent this from happening. so the data remains unencrypted at rest? we have deployed several different tools and encryption is one tool. >> senator, if i may. this environments of attack is much more complex than before, with multiple layers of security. sickere are other experts, -- privacy experts year, is that a good system?
7:13 pm
>> i think we have spoken about the value of that, but from our companies perspective -- benny's yes it is highly data. to leavenswer then is it unencrypted would be irresponsible? information that's required to be encrypted, in this case it was not. question,uld ask one when did you notify the other credit reporting agencies of the breach? , we notifiedd them the public. >> that was around august. could you give me the actual dates? >> september 7. suspicious activity on
7:14 pm
the 29th and 30th of july. , and then wehe fbi went public on the seventh of september. >> so that is when credit rating agencies also received that information? is equifax currently under investigation by the department of justice? >> multiple investigations. >> thank you for your -- thank you. >> thank you for the panel here today. sir, it you are the ceo of large it -- you were the ceo of yahoo! during one of the largest breaches. you testified that the 2014 breach was state sponsored, but you did not conclude that the 2013's breach was not is that correct? >> we were not able to determine that's. >> thank you.
7:15 pm
you did not learn about any of the other breaches until 2016, is that correct? >> i learned about the breaches at the scale reported in december of 2014. intrusion inian our network, and we saw 26 individuals with political interest in russia with accounts compromised. we notified the fbi and we put , tolace a special notice make sure that people were aware this is happening. >> did you learn about the 2013 breach not until 2016? >> that is correct. >> what kind of information can you provide to support your claims? our board formed an independent committee, and they
7:16 pm
reported on their findings. >> is that publicly available? >> yes. >> mr. smith, mr. barros, current and former ceos of equifax, i am grateful for your presence. million ho 3.8 osiers. 68 percent of indiana's population was affected by this breach. can you see why they feel that the company does not have their back? >> yes. >> one of the tragic things about this whole episode is that many of these hoosiers, many americans, will not discover down the road that there was a breach. a mother in gary, indiana goes to buy a car and finds out that her credit has been ruined.
7:17 pm
what is equifax going to do to remedy the situation for that single mother? >> that was the idea behind the lifetime ability to lock and unlock your file. if it is locked, you do not have the ability to go rent a house falsely, you don't -- >> that is a prophylactic defensive, and it seems like a good thing to do. say, we have had these massive data breaches, and it is an affront to the basic sense of fairness that most americans, that top executives leave with of-- tens of millions dollars. i'm not strike to start a class
7:18 pm
war, but when i am seeing the -- twore to top officers thosers for the deaths of sailors, they were survey fired because of a lack of confidence. take free enterprise more seriously in the u.s., and i'm talking boards as well as executives, when things like this happen it offends the sensibility of most americans. can you understand why that is? can you understand why they are offended to be on the receiving end of a breach months after the fact where they may have lost tens to hundreds of millions of dollars? >> i understand your point senator. i only ask for pension. i have waived my bonus.
7:19 pm
worked for-- i have months off of generosity. you don't need to answer the question i'm not trying to personalize it, i am talking culturally. big business in the country. i'd like to talk about one policy issue before you move forward. the idea that credit reporting agencies will give consumers the ofht to request a locking access to credit policies, ask no cost to them, can you pledge, years ofs, that five now, equifax will not be charging consumers to lock and unlock their credit files? would you be opposed to congress ?roviding a law
7:20 pm
>> thank you. expected to lean in that direction, where consumers can lock their files, we want to make that free for life. >> thank you senator young. senator cantwell. cantwell: thank you, we have had several long cyber security meeting. homeland security has had some, i think the armed services community has had been. now is the time for us to be serious about passing legislation as we did out of the senate. particularly, we want to strengthen our infrastructure against possible attacks.
7:21 pm
these are not the only things being attacked. our networks, or nuclear power plants, our pipelines, a whole slew of things as we continue to grow. we've heard about how more devices and more productivity means more data for people to attack. , and i hopethings our committee will join in to discuss and bring cyber security legislation over the line this year -- i don't think it's too much to ask. i would like to speak on behalf of 3 million washingtonians who were affected by the breach. it was my understanding that a patch was lamented. -- it was my understanding that a patch was implemented that was not followed? >> that is correct.
7:22 pm
>> why can mr. barros not answer that question? >> he was not in position at the time. understanding, what happened was a combination of human error and technology. i defer to him because he actually work through this process. >> the reason i'm asking you understandtonight, i the dual role here, but we have to do both. the issue of cyber security is here. it is a national security issue, it is a sick -- a consumer issue , it's a future issue on identity theft and the ability for individuals to protect what they hold here. , at the federal level, up our game.
7:23 pm
to address this issue on international basis. what do we need to put in place to get people on the same page on fighting cybercrime? at the same time, we have to make sure that everyone understands hygiene, and that the hygiene of your day-to-day business, even your home computer, is going to be a critical role of the world we live in. i want you to understands enviable to speak on how one individual -- i want you to understand and speak on how one individual caused such a drastic issue. >> my first priority has been too hard and hours security systems. we have done a comprehensive review of process. patchingudes our capabilities, our tools, updating our tools, make -- making sure that our detecting
7:24 pm
the process is much more up to speed and up-to-date. to makechanged policies sure that we have redundancies and closed loops in place, to improve accuracy and precision. it is enough to have voluntary safeguards, or do you think that something more stringent is required for the industry? but we haveand, complied with this code before. the industry is ahead of that in many areas. we are using new tools. we definitely welcome the conversation. i would say that we need something more at this point in time. issue, if one employee was able to miss something as critical as this, and put some estate at risk, we
7:25 pm
need something to make sure that this is implemented. does anyone else on the panel want to answer that question? mr. wilkinson? >> the vulnerability that we are speaking out -- about was called the apache stress. we became aware of it in march publicly. this is a zero day vulnerability. they happen more often than we would like to speak about. when we become aware of the zero day trends, our need to react is quick, and have to be conclusive. this is something we are going to continue to see. that you continue to speak about, senator, of cyber security hygiene is very important. i liken it to locks on doors. what we do, there is still vulnerability in the ecosystem and the possibility to be
7:26 pm
breached. a lot of door won't prevent you from all crime, but you still put one on your door. the same idea applies to cyber security and a zero day trends. >> that is my point exactly, thank you so much for that. you just explained that you have to have -- we have national labs working day and night against the unbelievable amount of attacks happening every single day. we have all of his efforts that we're trying to do both with getting a workforce that the committee had a hearing on, to doing everything -- we need withnies to follow hygiene great religious fervor in its. if actors will continue to hack, we need to do something. but companies also needs to follow hygiene. thank you. peters: --is sen.
7:27 pm
next up is senator peter's. i know a lot of folks are angry about this incident. over 4 million in my state. this question as to mr. wilkinson. thist want to be clear, was a vulnerability that was discovered. a patch was created, the information went out, and my understanding is when this goes out, bad guys find out as well. you are basically broadcasting vulnerable information that people can figure out easily. experts i've spoken with have said that this was not a sophisticated hack. it was pretty simple because the
7:28 pm
roadmap was put out for folks to take. we've talked about national or state actors involved, but this was just basically a roadmap being put out for the bad guys. they just got in, is that correct? >> it is. when zero day trends are publicized, they do create a roadmap for bad guys. that is why we need to respond quickly to his -- to close those threats. the best practices hygiene. >> i want to paint a picture for the american public. put out for all the bad guys who wants to do us harm. we have a company that has some of the most sensitive personal information about each and every one of us, and as we heard from
7:29 pm
testimony, we don't have choice in the matter. companies can collect his information. toy don't even take the time look at a roadmap that has been put out -- there is a breach? i can't think of a clearer definition of gross negligence anywhere then a company that has been entrusted with the most trusted data and customers don't have a choice for you to hold that. to hold my equifax information, many don't, but you have that information. my other question i guess, is that after a breach has occurred, a criminal may wait before using that data, is that correct? >> that is correct. >> so it will be a while before we even see it being used. in your professional opinion, is there and are -- is there ever a --?t after a breach
7:30 pm
>> this type of data, being out exposedild, is forever and will never be credibly used for secure identity again. >> so we have to worry about this the rest of our lives? >> yes. barros, you mentioned there is free credit monitoring for one year. is that correct? >> yes. it started since we announced the breach in september 7. we extended to january, and you still have 12 month. >> why only 12 months when we believe -- when we heard that we have to worry about this for the rest of our lives? >> we believe that the action to come out of this is to protect consumers. >> for one year?
7:31 pm
>> well -- >> why not for the rest of their life? consumer can lock and unlock information for the rest of their life. >> but that is only with your company. this information is in all sorts of avenues that can be created to create a false identity. you are saying that you can lock your credit with us, going forward, when you still have more abilities with all other agencies? this is pretty simple if you are bad guy. don't go to equifax. i've got the keys to the kingdom, i am going to go other places. incentiveso create to stop this kind of behavior, and make sure people with --hest standards in place and certainly gross negligence should never be acceptable.
7:32 pm
if you are giving out information of mine and i did not have to have the information given, i understand you make money when you provide information to financial institution. you make money off of my information, which i have never asked. should letmum, you me know that you are making money off of that. i should begin you permission to make money off of my information. i don't understand why i don't have the ability or tools for any agency right now to make sure that i have control, as i we had talked about. i thinkof time, but this raises a host of major issues related to privacy and control of data. right now, we don't have any incentives to get companies to protect that information. you profit from it, you do not protected. a simple, sophisticated hack had access to 140 million people. there needs to be strong
7:33 pm
liability for companies that do andprotect information jeopardize americans for the rest of their life. you need to be stripped of that liability, and stepping up to make sure that those consumers are protected for the rest of their lives. hopefully we consider that moving forward. >> thank you senator. senator markey. >> thank you mr. chairman. pop -- then, the public wants us to do more to protect privacy, but earlier this year congress rescinded broadband privacy and security rules. this ensures that verizon and other broadband companies adopt reasonable security protection. these protections insured broadband providers implement up-to-date data security practices, provide appropriate oversight of security practices,
7:34 pm
properly dispose of sensitive information, and notify affected consumers within 30 days of a breach. still, verizon oppose these ensure thaty to they were of -- repealed. it was argued that we need a light touch. billion yahoo! accounts users, and 145 million users in america, understand that light touch me hands off and the rain. now because of congressional broadbandee reign for providers such as verizon to collect and share data of consumers without their consent is now the law. avoid security
7:35 pm
preventions and not promptly notify consumers when they have this testimonyd, states that security has always been in verizon's dna. during today's hearing you stated that verizon would support national security data legislation. but they have actively and vigorously lobbied to eliminate these notification protections. -- how are these two positions consistent? leaves thatverizon there should be a single national framework when it comes to data security and processing. we support legislation in both of those areas, and we would be happy, as i said earlier, to work with your office or other members of this committee on what that's should look like. we think that there should be
7:36 pm
one overarching framework, and this was not that. >> well here's where we are. we have nothing now. repealed the law that actually requires that there be protection. now we have nothing. he did notspective, have to repeal one of the most comprehensive data security and aivacy frameworks to develop national security framework. you could've advocated for congress to give the fcc -- the ftc to give security protections to websites as well. instead, you opted to eliminate the rules altogether. that is the problem we have right now, that we had very strong data security and privacy protections on the books. of there removed as part cra, a vote on the floor of the
7:37 pm
senate and house earlier this year. here, we hear concerns about the need to have legislation. we had it, and it was going to actually work, in terms of ensuring that the regulations would be put on the books. instead, we have nothing. in retrospect, do you think it was in the public interest to eliminate these data security and breach notification protections? if you could go back in time earlier this year, would you still remove those protection? >> yes i would, senator. again, we think there should be national data breach -- i appreciate, you advocated strongly to remove protections. even today, you are not regretful at all.
7:38 pm
that's going to be the environments in which we are working right now. that is where yahoo! was, if these other companies. that wasstronger she in place and going to be made wen stronger, and that is -- had a strong regime that was in place and was going to be stronger, and that is in fact what the american people want. they want to know there is real security around the eta that cuts to the right -- they want to know that there is real security around the data that cuts to their very identity. i think ultimately, we are going to see a big price as year after year goes by, because it is not talk but action that makes the difference. those actions have been taken. they were on the books. now that is gone. >> thank you senator markey.
7:39 pm
i think there are ways that we can address data breach that don't involve class-action lawyers. -- ween be looking at ought to be looking at the tools we need to hold bad actors accountable. next senator. >> thank you mr. chairman, and thank you for meeting at this important time. the impact is incredibly far-reaching. i want to take a moment to highlight how state and federal entities rely on these services such as equifax, for credit monitoring and other services. for example, equifax lost over a
7:40 pm
million -- over one million identity. methods arety of available to veterans. if they are not comfortable going online, they can access their information by fax. they can request changes to their facility, and the changes can be made if the social security number matches the person making the request. made in an era when valid social security numbers could be used as an effective tool for identity. that is no longer the case. my questions to you are simple. following the loss of millions of social security numbers,
7:41 pm
what's concrete steps -- what concrete steps did equifax take to notify consumers and offer solutions to the governments to prevent information and identity from the stolen? >> we have spoken with these different administrations in order to make sure we enhance the communication process and have solutions that will allow people to know how to protect themselves using our service. you went public about the breach, when did you contact the dod or the department of public affairs to inform them and explain what they would have to do? since i got here, i asked my
7:42 pm
people if they have done this, which they have done a few weeks ago. >> was anything done, mr. smith if you know, when the breach was known and when it became public? >> specific to the veterans? >> specific to government agencies in particular, but specifically to the u.s. department of veterans affairs, and the department of defense. >> not i am aware of. know, sod like to please find out and provide me --h that information to provide me with that information. >> we will do that. >> i want to be clear, that veterans need these funds to pay their rent, get groceries, to keep the lights on.
7:43 pm
when they notice that their disability benefit was not v.a.,ed and contact the this is only the first step of a complex and odorous maze that a veteran needs to go through just to get disability benefits restored. when they noticed that it does not go into the bank account to goes into, thinking back to when this breach occurred, you will see that veterans still be suffering because you did not tell the a -- the va. hopefully you told them that there is no evidence that you had. to understand first that it received information, then has to process the information to return fund to the u.s. treasury department. then they have to get a confirmation from the treasury that the fraudulent payment was actually recoup, and then when the treasury returns the funds,
7:44 pm
before that money is returned to the veteran. best case, a couple of weeks, but i wouldn't we surprised if it took a couple of. surprised wouldn't be if it took a couple of months. given your company's role in failing to safeguard medical equifax told like make commitments to work with the v.a., veterans organizations, and individual veterans to provide valuable support and services such as unlimited free credit services, and monitoring for life. would you make that commitments to the men and women who laid down their lives to protect you, your family, and your business? >> we have engaged with the department of defense and the veterans administrations.
7:45 pm
the products we have will be offered -- >> you will not offer credits monitoring to veterans 11 affected for life? >> they have been locked in -- >> again, that doesn't help. the bad guys are going to go somewhere else. you are saying that you will not make his commitments to our nations veterans? the people who protect your ability to make money, your freedoms? you are not going to support our disabled veterans, who are wounded in the service of the country? you will not provide credits monitoring to them for life? >> we believe that the lock product is a safer products in the monitoring we had. >> the answer is no. well i am over time erie it ideal the chair. -- i yield the chair. >> thank you for holding this
7:46 pm
important hearing. the testimony i have heard is pretty discouraging. 846,100 new mexicans who had their creditworthiness endangered by the carelessness of equifax employees. when you previously testified, mr. smith, you said that data was stolen and stored in plain text and had not been encrypted. this is an unacceptable practice for an organization with such hour over consumers lives, and it is painfully aware that americans cannot rely on large companies to protect their data. as a possible solution, congress banning use of unverified social security numbers in commerce. there is strong bipartisan support for this.
7:47 pm
these numbers were never supposed to be used for universal online identification number. i'm glad to hear that this is going forward with interest, and that congress is into it as well , we shouldinterest look at technology and trust onlineto look into security and ban the use of online such security numbers. i look forward to the work that is already been undertaken. the following are yes or no questions for the entire panel. necessary for online commerce to rely on a social security number -- mr. boros? please give me a yes or no, it is a simple question. number is acurity
7:48 pm
process that was developed in 1936. i think we need to have a different perspective when dealing with e-commerce. >> so your answer is yes it is necessary to rely on? >> today, some sites do rely on. >> mr. smith? >> i would love to see it replacement until then it is the standard. readouts collect or stores of security numbers for the conduct of our business. >> verizon would be happy to work on an alternative for social security numbers. social security number is a static identity -- as a static identity is not secure, will never be secure, and will not be secure the future. do your businesses require a
7:49 pm
social security number before you will do business with a consumer? is doneof our business business to business, so we deal mostly with entities. a small portion of our business thatrequires information varies on the consumer side. >> i concur. man -- miss mayor? >> no. not a typicalis one, but it is something that is required for a credit check. in an areaocused that is not collect social security numbers for consumer information. >> thank you. do you think that the developments of a security digital identity number could break the cycle of identity theft? >> yes.
7:50 pm
>> yes. think it is necessary, but not necessarily efficient. so, yes. >> yes. >> the final question, do you think that congress should these social security numbers while promoting the use of secure digital identification? >> i need to understand the proposition, but anything that can move us forward from a static number, we would support it. >> i agree. i don't know that my opinion matters, but i agree. >> mr. wilkinson says yes. the trusted identities group is comprised of a public and private partnership that is looking into in easy to use digital identity.
7:51 pm
i will ask the final question here. will you commit to working with my office on ways to improve the current working group and expand its efforts? >> definitely. >> thank you. mr. smith? >> yes. >> absolutely. very much mr. chairman. really appreciate you holding the steering, i know there was great interest on -- really appreciate you holding this hearing, i know there was great interest on both sides of the aisle. hopefully we can find a bipartisan way to deal with this situation. >> senator udall? udall: given that i am the last one to ask questions, i thought i would use this
7:52 pm
opportunity to welcome mr. wilkinson. i hope things are going well from my home state. a hundred of your employees are from our state, said thank you for being here. i know much of this ground has been covered. in your testimony, you mentioned brazil's model of identity model,ions, and in this the government works to provide digital certificates of identification. how did they ensure that the governments's private partners can keep citizen information safe? brazil is a great example, but there are some models that we can share with you, senator, that are being used around the world.
7:53 pm
certainly, the framework they built for security is close to what we are proposing going forward. but, -- the comment that sen. made was accurate. they're doing really good work that we would love to spend more time with the committee speak about to discuss what security could look like in the future. mr. smith appeared before -- >> thank you. i believe i have shared my frustrations before. equifax has announced that it is launching an app in january to allow consumers to lock and unlock credit data while giving consumers more
7:54 pm
control over their credit information. we do not want to have new avenues for hackers. are there additional cyber security challenges that come with the global technology and how these products will be tested? >> the products that are being developed as we speak, we are on time to deliver in january. theof the things is simplicity for how consumers can understand and use the application. we just started our development test now, and this is a connection to our main files, so all secure needs and requirements will be done in compliance with security. >> i have been working on election issues since i am i have an rules, and bill to upgrade our election equipment we had an attempt to hack 21 state equipment
7:55 pm
manufacturers or software companies. hand-in-handing with some of the attacks i've seen in companies. mayor, we hadiss attacks similar to what we think occurred in the 2016 election. in your experience with yahoo!, how do state-sponsored hacks differ from individual hacks? >> in many ways, the motivation is different. i would say they tend to be much more sophisticated -- >> the state-sponsored? >> yes, the state-sponsored or more sophisticated. they spanned over several companies trying to get together a picture of what they are actually seeking.
7:56 pm
they are very good at hiding their tracks. the four people indicted in the case with yahoo! one of them is considered one of the most dangerous hackers in the world today, a central figure in many cases around the world today. motivated tothat work such a sophisticated network, it is deftly an issue. >> what do you think we can do differently with state-sponsored attacks? that a really aggressive pursuit of hacking is important, and i was pleased with the fbi and the department of justice's work with yahoo! to bring the purpose -- the people who perpetrated the crimes against us to justice.
7:57 pm
i think we need to empower them legislatively and financially. not enough of now a disincentive to hack on a criminal or public level. you are talking about a much more aggressive pursuit in addition to everything we are doing to prevent this? >> yes, one of the individuals in the case was from canada and was extradited to the u.s. >> a good example. on the election site, we have to get back to paper ballots. it is issue that businesses face as well though, so thank you very much. >> thank you senator. you guys made it through. open,l keep the record
7:58 pm
and we will allow members to submit questions for the record for a couple of weeks, but we will want to close it out. if you could respond as quickly as you can in writing to the questions submitted by committee members, we will get that taken care of. -- ireciate you to appreciate you being here today, the shed light on this issue. committee has an interest in moving forward on the legislative front that will hopefully be effective until we can prevent these types of cyber attacks in the future. thank you again, and with that, this hearing is adjourned.
7:59 pm
8:00 pm
>> tonight on c-span, house republicans unveil their tax reform plan. then representative mccarthy and representative steny hoyer debate of's the bill. senate republicans have released their blueprint for tax reform, and it has significant differences from the house version passed out of committee. has seven taxsion brackets as opposed to four in the house version. italy repeals the deduction for state and local income taxes. that deduction is only partially
8:01 pm
bil.led in the senate senate leaders and treasury secretary steven mnuchin introduced the tax reform plan at a photo op on capitol hill. >> this country is lagging behind a lot of other countries, and our economics are not as good as they can be, and we are about to change that. we hope we can get our democratic colleagues to come with us. we are going to go ahead and get this country moving again.

51 Views

info Stream Only

Uploaded by TV Archive on