[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

      OVERSIGHT OF THE EQUIFAX DATA BREACH: ANSWERS FOR CONSUMERS

=======================================================================

                                HEARING

                               BEFORE THE

        SUBCOMMITTEE ON DIGITAL COMMERCE AND CONSUMER PROTECTION

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 3, 2017

                               __________

                           Serial No. 115-59

      Printed for the use of the Committee on Energy and Commerce
                        energycommerce.house.gov
                                   ______
		 
                     U.S. GOVERNMENT PUBLISHING OFFICE 
		 
27-462                    WASHINGTON : 2019                 

                    COMMITTEE ON ENERGY AND COMMERCE

                          GREG WALDEN, Oregon
                                 Chairman
JOE BARTON, Texas                    FRANK PALLONE, Jr., New Jersey
  Vice Chairman                        Ranking Member
FRED UPTON, Michigan                 BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois               ANNA G. ESHOO, California
TIM MURPHY, Pennsylvania             ELIOT L. ENGEL, New York
MICHAEL C. BURGESS, Texas            GENE GREEN, Texas
MARSHA BLACKBURN, Tennessee          DIANA DeGETTE, Colorado
STEVE SCALISE, Louisiana             MICHAEL F. DOYLE, Pennsylvania
ROBERT E. LATTA, Ohio                JANICE D. SCHAKOWSKY, Illinois
CATHY McMORRIS RODGERS, Washington   G.K. BUTTERFIELD, North Carolina
GREGG HARPER, Mississippi            DORIS O. MATSUI, California
LEONARD LANCE, New Jersey            KATHY CASTOR, Florida
BRETT GUTHRIE, Kentucky              JOHN P. SARBANES, Maryland
PETE OLSON, Texas                    JERRY McNERNEY, California
DAVID B. McKINLEY, West Virginia     PETER WELCH, Vermont
ADAM KINZINGER, Illinois             BEN RAY LUJAN, New Mexico
H. MORGAN GRIFFITH, Virginia         PAUL TONKO, New York
GUS M. BILIRAKIS, Florida            YVETTE D. CLARKE, New York
BILL JOHNSON, Ohio                   DAVID LOEBSACK, Iowa
BILLY LONG, Missouri                 KURT SCHRADER, Oregon
LARRY BUCSHON, Indiana               JOSEPH P. KENNEDY, III, 
BILL FLORES, Texas                       Massachusetts
SUSAN W. BROOKS, Indiana             TONY CARDENAS, California
MARKWAYNE MULLIN, Oklahoma           RAUL RUIZ, California
RICHARD HUDSON, North Carolina       SCOTT H. PETERS, California
CHRIS COLLINS, New York              DEBBIE DINGELL, Michigan
KEVIN CRAMER, North Dakota
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. ``BUDDY'' CARTER, Georgia

        Subcommittee on Digital Commerce and Consumer Protection

                         ROBERT E. LATTA, Ohio
                                 Chairman
                                     JANICE D. SCHAKOWSKY, Illinois
                                       Ranking Member
GREGG HARPER, Mississippi            BEN RAY LUJAN, New Mexico
  Vice Chairman                      YVETTE D. CLARKE, New York
FRED UPTON, Michigan                 TONY CARDENAS, California
MICHAEL C. BURGESS, Texas            DEBBIE DINGELL, Michigan
LEONARD LANCE, New Jersey            DORIS O. MATSUI, California
BRETT GUTHRIE, Kentucky              PETER WELCH, Vermont
DAVID B. McKINLEY, West Virginia     JOSEPH P. KENNEDY, III, 
ADAM KINZINGER, Illinois                 Massachusetts
GUS M. BILIRAKIS, Florida            GENE GREEN, Texas
LARRY BUCSHON, Indiana               FRANK PALLONE, Jr., New Jersey (ex 
MARKWAYNE MULLIN, Oklahoma               officio)
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
GREG WALDEN, Oregon (ex officio) 

                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Robert E. Latta, a Representative in Congress from the State 
  of Ohio, opening statement.....................................     2
    Prepared statement...........................................     3
Hon. Janice D. Schakowsky, a Representative in Congress from the 
  State of Illinois, opening statement...........................     4
Hon. Greg Walden, a Representative in Congress from the State of 
  Oregon, opening statement......................................     5
    Prepared statement...........................................     7
Hon. Frank Pallone, Jr., a Representative in Congress from the 
  State of New Jersey, prepared statement........................     8
Hon. Michael C. Burgess, a Representative in Congress from the 
  State of Texas, prepared statement.............................    67

                               Witnesses

Richard Smith, Former Chairman and CEO of Equifax, Inc...........    10
    Prepared statement...........................................    12
    Answers to submitted questions \1\...........................    74

                           Submitted material

Statement of consumer groups.....................................    69
Statement of the Credit Union National Association...............    71
Article entitled, ``Equifax investigating stock sales made by 
  executives during data breach,'' CNN Wire, October 1, 2017.....    72

----------
\1\ The committee did not receive a response to Mr. Smith's 
  submitted questions for the record by the time of printing. 
 
      OVERSIGHT OF THE EQUIFAX DATA BREACH: ANSWERS FOR CONSUMERS

                              ----------                              


                        TUESDAY, OCTOBER 3, 2017

                  House of Representatives,
     Subcommittee on Digital Commerce and Consumer 
                                        Protection,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:00 a.m., in 
room 2123 Rayburn House Office Building, Hon. Robert Latta 
(chairman of the subcommittee) presiding.
    Members present: Representatives Latta, Harper, Burgess, 
Upton, Lance, Guthrie, McKinley, Kinzinger, Bilirakis, Bucshon, 
Mullin, Walters, Costello, Walden (ex officio), Schakowsky, 
Lujan, Clarke, Cardenas, Dingell, Matsui, Welch, Kennedy, 
Green, and Pallone (ex officio).
    Also present: Representatives Barton, Murphy, Carter, 
Degette, Tonko, and McNerney.
    Staff present: Jennifer Barblan, Chief Counsel, Oversight & 
Investigations; Ray Baum, Staff Director; Karen Christian, 
General Counsel; Kelly Collins, Staff Assistant; Zachary 
Dareshori, Staff Assistant; Jordan Davis, Director of Policy 
and External Affairs; Melissa Froelich, Chief Counsel, Digital 
Commerce and Consumer Protection; Adam Fromm, Director of 
Outreach and Coalitions; Ali Fulling, Legislative Clerk, 
Oversight & Investigations, Digital Commerce and Consumer 
Protection; Theresa Gambo, Human Resources/Office 
Administrator; Elena Hernandez, Press Secretary; Zach Hunter, 
Director of Communications; Bijan Koohmaraie, Counsel, Digital 
Commerce and Consumer Protection; Alex Miller, Video Production 
Aide and Press Assistant; Mark Ratner, Policy Coordinator; Dan 
Schneider, Press Secretary; Sam Spector, Policy Coordinator, 
Oversight & Investigations; Madeline Vey, Policy Coordinator, 
Digital Commerce and Consumer Protection; Hamlin Wade, Special 
Advisor, External Affairs; Jessica Wilkerson, Professional 
Staff, Oversight & Investigations; Everett Winnick, Director of 
Information Technology; Greg Zerzan, Counsel, Digital Commerce 
and Consumer Protection; Michelle Ash, Minority Chief Counsel, 
Digital Commerce and Consumer Protection; Priscilla Barbour, 
Minority Energy Fellow; Jean Fruci, Minority Energy and 
Environment Policy Advisor; Rick Kessler, Minority Senior 
Advisor and Staff Director, Energy and Environment; Alexander 
Ratner, Minority Policy Analyst; and Tuley Wright, Minority 
Energy and Environment Policy Advisor.

OPENING STATEMENT OF HON. ROBERT E. LATTA, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF OHIO

    Mr. Latta. Good morning. The subcommittee on Digital 
Commerce and Consumer Protection will come to order. The chair 
now recognizes himself for 5 minutes for an opening statement.
    Good morning. Today we are here to get the facts to learn 
what happened at Equifax that led to the personal information 
of over 143 million Americans being stolen. 
Americans need to know what Equifax is doing to fix the problem 
and help individuals that are impacted. We must find out what 
happened. The public deserves to know what happened and what 
steps are being taken to protect their sensitive data going 
forward.
    Today's hearing needs to shed some much needed information 
and light on this breach. We have received assurances from 
Equifax that Mr. Smith can speak for the company on concrete 
remediation steps that the company took in the aftermath to 
secure its computer systems to protect the affected U.S. 
customers as well as what happened when he was chief executive.
    As chairman of the Digital Commerce and Consumer Protection 
subcommittee, I often speak about the fact that we live in a 
digitally-connected world. That fact of life can have many 
positive implications, far and wide-ranging, for commerce, 
trade, communications, and entertainment. The breach is a 
massive reminder of the bad actors that are out there and the 
security challenges confronting our digitally integrated and 
data-powered economy.
    In this case, sensitive personal information that is used 
to build credit histories and allow individuals to engage in 
commerce, open credit cards, buy cell phones and appliances, 
and secure mortgages has been compromised. Reasonable security 
measures must be implemented, practiced, and continually 
improved by companies that collect and store data in order to 
guard against unauthorized access to sensitive personal 
information. Otherwise, consumers will face substantial 
financial harm.
    This risk is deeply concerning to me and I know that the 
other members of the subcommittee share this view. Priority 
number one: We must protect Americans and work to safeguard 
their personal information online. The recent Equifax data 
breach is unprecedented and is also unique because of the 
sensitivity of the information stolen, including full nine-
digit Social Security numbers.
    Over 143 million Americans are potentially impacted. This 
represents approximately 44 percent of the total U.S. 
population. In my home State of Ohio, approximately 5.2 million 
customers are likely affected. Based on the information 
released by Equifax, we are informed that the massive amounts 
of personal and financial information was accessed from mid-May 
through July 2017, including names, birthdates, addresses, and 
in some cases driver's license information. In addition, over 
200,000 people had their credit card information stolen and 
over 180,000 people had credit dispute documentation stolen.
    This is a staggering amount of sensitive personal 
information and impacts an extraordinary number of credit-
visible Americans that is in the hands of criminals that could 
result in fraud or identity theft. We need these numbers 
confirmed. Today, we must understand the following:
    First, how did the hackers get into Equifax's system for so 
many weeks and pull so much information out of the system 
without being detected?
    Second, what processes and procedures were in place in the 
event of such a breach and were those processes followed? There 
are many questions as to who knew what and when this 
information was known. This will have implications in other 
ongoing investigations. Further, the chief information officer 
and chief security officer made retirement announcements 
shortly after the public notice of the breach and have not been 
available for questions about their role.
    Again, despite months of delay, why was Equifax's 
notification and consumer protection process still met with 
misinformation, glitches, and overall confusion? For example, 
there were numerous reports of difficulties accessing Equifax's 
dedicated web site or call centers. And there were dismaying 
reports that the official Equifax Twitter account directed 
consumers to a fake web site.
    I believe the American public deserves to know the facts 
about when and how Mr. Smith, company management, and the board 
of directors were made aware its systems were vulnerable to 
hackers and how over 143 million sensitive personal data 
records were stolen. To that end, what were the steps taken and 
in what timeframe to notify and help individuals that were 
impacted? I look forward to getting these answers today and 
many more questions for the American people answered this 
morning.
    And at this time I will ask the gentlelady from Illinois, 
the ranking minority member, for 5 minutes for her opening 
statement.
    [The prepared statement of Mr. Latta follows:]

               Prepared statement of Hon. Robert E. Latta

    Good morning, today we are here to get the facts to learn 
what happened at Equifax that led to the personal information 
of over 143 million Americans being stolen. Americans deserve 
to know what Equifax is doing to fix the problems and help 
individuals that are impacted. We must find out what happened.
    The public deserves to know what happened and what steps 
are being taken to protect their sensitive data going forward.
    Today's hearing needs to shed some much needed light on 
this breach. We have received assurances from Equifax that Mr. 
Smith can speak for the company on concrete remediation steps 
the company took in the aftermath to secure its computer 
systems and to protect affected U.S. consumers, as well as what 
happened when he was the Chief Executive.
    As Chairman of the Digital Commerce and Consumer Protection 
Subcommittee, I often speak about the fact that we live in a 
digitally-connected world. That fact of life can have many 
positive implications, far and wide-ranging, for commerce, 
trade, communications and entertainment.
    This Equifax breach is a massive reminder of the bad actors 
that exist and of the security challenges confronting our 
digitally-integrated and data-powered economy. In this case, 
sensitive personal information that is used to build credit 
histories and allow individuals to engage in commerce--open 
credit cards, buy cell phones and appliances, and secure 
mortgages has been compromised.
    Reasonable security measures must be implemented, 
practiced, and continually improved by companies that collect 
and store data in order to guard against unauthorized access to 
sensitive personal information. Otherwise, consumers can face 
substantial financial harm. This risk is deeply concerning to 
me, and I know the other Members of this Subcommittee share 
that view.
    Priority number one: We must protect Americans and work to 
safeguard their personal information online.
    The recent Equifax data breach is unprecedented and it is 
also unique because of the sensitivity of information stolen--
including full nine-digit social security numbers. Over 143 
million Americans are potentially impacted. This represents 
approximately 44% of the total U.S. population. In my home 
State of Ohio, approximately 5.2 million consumers are likely 
affected.
    Based on the information released by Equifax, we are 
informed that the massive amounts of personal and financial 
information was accessed from mid-May through July 2017, 
including names, birthdates, addresses, and in some cases, 
driver's license information. In addition, over 200,000 people 
had their credit card information stolen, and over 180,000 
people had credit dispute documentation stolen.
    That is a staggering amount of sensitive personal 
information. It impacts an extraordinary number of credit-
visible Americans and, in the hands of bad actors, could result 
in fraud or identity theft. We need these numbers 
confirmed.
    Today, we must understand the following:
    First, how did the hackers get into Equifax's system for so 
many weeks and pull so much information out of the system 
without being detected?
    Second, what processes and procedures were in place in the 
event of such a breach and were those processes followed? There 
are many questions as to who knew what, and when this 
information was known. This will have implications in other 
ongoing investigations. Further, the Chief Information Officer 
and Chief Security Officer made retirement announcements 
shortly after the public notice of the breach and have not been 
available for questions about their role.
    And, despite months of delay, why was Equifax's 
notification and consumer protection process still met with 
misinformation, glitches, and overall confusion? For example, 
there were numerous reports of difficulties accessing Equifax's 
dedicated web site or call centers. And there were dismaying 
reports that the official Equifax Twitter account directed 
consumers to a fake web site.
    I think the American public deserves to know the facts 
about when and how Mr. Smith, company management, and the board 
of directors were made aware its systems were vulnerable to 
hackers and over 143 million sensitive personal data records 
were stolen. Then, what were the steps taken and in what 
timeframe to notify and help individuals that were impacted.
    I look forward to getting answers to these and many more 
questions for the American public this morning.

       OPENING STATEMENT OF HON. JANICE D. SCHAKOWSKY, A 
     REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS

    Ms. Schakowsky. Thank you, Mr. Chairman, for holding this 
hearing. The Equifax data breach was massive in scale: 145.5 
million American victims as of yesterday. I would call it 
shocking, but is it really? We have these underregulated, 
private, for-profit credit reporting agencies collecting 
detailed personal and financial information about American 
consumers. It is a treasure trove for hackers.
    Consumers don't have a choice over what information Equifax 
or, for example, TransUnion, or Experian have collected, 
stored, and sold. If you want to participate in today's modern 
economy, if you want to get a credit card, rent an apartment, 
or even get a job, often then a credit reporting agency may 
hold the key.
    Because consumers don't have a choice, we can't trust 
credit reporting agencies to self-regulate. It is not like when 
you get sick at a restaurant and decide not to go there 
anymore. Equifax collects your data whether you want to have it 
collected or not. If it has incorrect information it is really 
an arduous process--I have tried it--to get it corrected. When 
it comes to information security you are at the mercy of 
whatever Equifax decides is right and once your information is 
compromised the damage is ongoing.
    Given vast quantities of information and lack of 
accountability, a major breach at Equifax I would say would be 
predictable if not inevitable. I should really say breaches. 
This is the third major breach Equifax has had in the past 2 
years. From media reports and the subcommittee's meeting with 
Equifax officials after the breach, it is clear to me that the 
company lacked appropriate policies and practices around data 
security.
    This particular breach occurred when hackers exploited a 
known vulnerability that was not yet patched. It was months 
later before Equifax first discovered the breach, and it was 
another several weeks before Equifax shared news with the 
consumers, this committee, the Federal Trade Commission, and 
the Consumer Financial Protection Bureau.
    Senior officials at the company are saying they weren't 
immediately aware that the breach occurred, and yet by the way 
there were executives who sold over a million dollars in stock 
just before, days after the breach was discovered but yet not 
reported. And for a lot of Americans that just doesn't pass the 
smell test.
    The response to the breach was its own debacle. Equifax 
offered consumers credit monitoring services that initially 
came with a mandatory arbitration clause which fortunately has 
been corrected; Equifax tweeted links to the wrong URL 
directing victims to a fake web site; the call center was 
understaffed; and in the end Equifax has had to apologize for 
its supposed breach response almost as much as it has 
apologized for the breach itself.
    Equifax deserves to be shamed in this hearing, but we 
should also ask what Congress has done or failed to do to stop 
data breaches from occurring and what Equifax plans to do. The 
same day the Equifax breach went public the House Financial 
Services Committee held a hearing on FCRA Liability 
Harmonization Act, a bill to protect credit reporting agencies 
like Equifax from class action suits. Imagine.
    In fact, Equifax was lobbying for this bill after the 
breach was discovered in July, still not reported, and the 14 
Republicans sponsoring this bill should ask themselves whether 
this is really the industry they want to be in bed with. 
Companies like Equifax need more accountability, not less. I 
agree with the CFPB director Richard Cordray that the credit 
reporting agencies need embedded regulators to protect 
consumers' sensitive information.
    And then we need to go further. Last night, I reintroduced 
the Secure and Protect Americans' Data Act, along with Ranking 
Member Pallone and seven other members of the Energy and 
Commerce Committee. And our bill would establish, one, strong 
data security standards; two, require prompt breach 
notification, which we didn't get; and three, provide 
appropriate relief for breached victims.
    Chairman Latta, American consumers don't just need answers, 
they need action. I hope that our bill can be a starting point 
for discussion on strengthening protections for Americans' 
data. Consumers deserve a whole lot better than they got from 
Equifax. And I yield back.
    Mr. Latta. Thank you very much. The gentlelady yields back. 
The chair now recognizes the gentleman from Oregon, the 
chairman of the full committee, for 5 minutes.

  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF OREGON

    Mr. Walden. I thank the chairman. We are here to do today 
what it appears Equifax failed to do over the last several 
months and that is put consumers first. Our job is to get 
answers for the more than 145 million Americans who have had 
their personal information compromised and now fear they could 
be victims of fraud at any time.
    How could a major U.S. company like Equifax, which holds 
the most sensitive and personal data on Americans so let them 
down? It is like the guards at Fort Knox forgot to lock the 
doors and failed to notice the thieves were emptying the 
vaults. The American people deserve to know what went wrong. We 
want a clear timeline of events and to understand what to 
expect moving forward.
    Mr. Chairman, the Energy and Commerce Committee has always 
tried to put our consumers first in everything we do on public 
policy. So today we will begin to get the answers for the 
public, hold Equifax accountable, and make clear that 
businesses holding America's most sensitive data have a 
responsibility under existing laws to protect that data. Today 
gives whole new meaning to Mr. Smith Goes to Washington. It is 
not a run on the bank that is at issue, it is a run on 
financial records of 145 million Americans. And the 
consequences and the inconveniences for our fellow citizens are 
every bit as important to discuss today as the reasons behind 
why this breach occurred in the first place.
    Mr. Smith, as former chairman and CEO of Equifax at the 
helm during and immediately after the breach, we appreciate you 
being here and we expect your candor and full cooperation as we 
march toward getting the facts in this case. While there is no 
such thing as perfect security, companies do have a legal 
obligation to protect sensitive consumer data. This diligence 
is necessary to both comply with existing laws and maybe more 
importantly earn and keep the public's trust in a data-driven 
economy.
    Given the size of the breach and the sensitivity of the 
data, we expect to learn more about how Equifax failed to 
secure its systems and what contingency plans were in place. 
Further, we need to understand how information flowed through 
the organization and when you and other senior executives were 
notified about the breach. In other words, how important was 
cybersecurity to you as a CEO and to the rest of your executive 
team? Did your employees have a way to report to you if they 
had concerns about how the security team was functioning?
    While there are still many questions that need answers, a 
few details have emerged. First, the vulnerability that the 
hackers used to get into the Equifax system was discovered in 
early March. From the beginning, the vulnerability was 
described as critical and easily exploitable. That information 
was pushed out through multiple security information sharing 
channels including by the U.S. Computer Emergency Readiness 
Team to Equifax's chief security officer.
    For some period of time between March and August of 2017, 
the hackers were able to sit on Equifax's system and siphon out 
145 million records without being detected. How did this go 
unnoticed? Further, is there a process in place to raise flags 
or alarms when massive amounts of data are pulled out of the 
Equifax system?
    Then there are questions about Equifax's response for 
consumers that we need answers to. Why was the consumer-facing 
web site created on a separate domain from the main Equifax web 
site? Did anyone raise concerns about creating more consumer 
confusion with a separate web site? Are consumers able to sign 
up for the products offered by Equifax today? How many 
consumers have placed a fraud alert on their account or frozen 
their credit?
    And on top of all the other issues, multiple times Equifax 
tweeted the wrong URL directing consumers to the wrong web site 
to check if they were part of a breach. Talk about ham-handed 
responses, this is simply unacceptable and it makes me wonder 
whether there was a breach response plan in place at all and if 
anyone was in charge of overseeing and executing that plan. I 
have to agree with the interim CEO when he said there is 
insufficient support for consumers.
    It is important that as Congress does its work on public 
policy issues that the Federal Trade Commission and other 
agencies, including law enforcement agencies, continue their 
work especially in light of recent reports that indicated there 
are markers of nation state activity involved with this hack. 
But today, Mr. Smith, I and the rest of the committee and 
Congress and the country expect the answers. After all, the 
buck does stop with you as CEO and I thank you for being here. 
And I return the balance of my time.
    [The prepared statement of Mr. Walden follows:]

                 Prepared statement of Hon. Greg Walden

    We are here today to do what it appears Equifax failed to 
do over the last several months: put consumers first. Our job 
is to get answers for the more than 145 million Americans who 
have had their personal information compromised and now fear 
that they could be victims of fraud at any time.
    How could a major U.S. company like Equifax, which holds 
the most sensitive and personal data on Americans, so let them 
down? It's like the guards at Fort Knox forgot to lock the 
doors and failed to notice thieves emptying the vaults.
    The American people deserve to know what went wrong. We 
want a clear timeline of events, and to understand what to 
expect moving forward.
    As Chairman of the Energy and Commerce Committee, I've 
tried to put consumers at the forefront of everything we do. 
Today we will begin to get answers for the public, hold Equifax 
accountable, and make clear that businesses holding Americans' 
sensitive information have a responsibility under existing laws 
to protect those data.
    Today gives whole new meaning to Mr. Smith Goes to 
Washington. It's not a run on the bank at issue, it's a run on 
the financial records of 145 million Americans. The consequence 
and inconveniences for our fellow citizens are every bit as 
important to discuss today as the reasons behind why this 
breach occurred in the first place.
    Richard Smith, the former Chairman and CEO of Equifax at 
the helm during and immediately after the breach, is here to 
testify. Mr. Smith, we expect your candor and full cooperation 
as we follow the facts in this case.
    While there is no such thing as perfect security, companies 
do have a legal obligation to protect sensitive consumer data. 
This diligence is necessary to both comply with existing law 
and, maybe more importantly, earn and keep the public's trust 
in our data driven economy.
    Given the size of the breach and the sensitivity of the 
data, we expect to learn more about how Equifax failed to 
secure its systems and what contingency plans were in place.
    Further, we need to understand how information flowed 
through the organization and when you and other senior 
executives were notified about the breach. In other words, how 
important was cybersecurity to you as CEO and to the rest of 
your executive team? Did your employees have a way to report to 
you if they had concerns about how the security team was 
functioning?
    While there are still many questions that need answers, a 
few details have emerged. First, the vulnerability that the 
hackers used to get into the Equifax system was discovered in 
early March. From the beginning, the vulnerability was 
described as critical and easily exploitable. That information 
was pushed out through multiple security information sharing 
channels, including by the U.S. Computer Emergency Readiness 
Team, to Equifax's Chief Security Officer.
    For some period of time between March and August 2017, the 
hackers were able to sit on Equifax's system and siphon out 145 
million records without being detected. How did this go 
unnoticed? Further, is there a process in place to raise flags 
or alarms when massive amounts of data are pulled out of the 
Equifax system?
    Then there are the questions about Equifax's response for 
consumers.
      Why was the consumer-facing web site created on a 
separate domain from the main Equifax web site?
      Did anyone raise concerns about creating more 
consumer confusion with a separate web site?
      Are consumers able to sign up for the products 
offered by Equifax today?
      How many consumers have placed a fraud alert on 
their account or frozen their credit?
    On top of all of the other issues, multiple times Equifax 
tweeted the wrong URL directing consumers to the wrong web site 
to check if they were a part of the breach. Talk about ham-
handed responses. This is unacceptable. And it makes me wonder 
whether there was a breach response plan in place, and if 
anyone was in charge of overseeing and executing that plan.
    I have to agree with the interim CEO, there is 
``insufficient support for consumers.'' It's important that as 
Congress does its work on public policy issues, that the 
Federal Trade Commission and law enforcement agencies continue 
with their work, especially in light of recent reports that 
indicated there are markers of nation-state activity.
    But today, Mr. Smith, I, the rest of this committee, 
Congress, and the country expect answers. After all, the buck 
stops with you, as CEO.

    Mr. Latta. Thank you very much. The gentleman yields back 
and the chair now recognizes the gentleman from New Jersey, the 
ranking member of the full committee. Good morning.

OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE 
            IN CONGRESS FROM THE STATE OF NEW JERSEY

    Mr. Pallone. Thank you, Mr. Chairman. While I understand 
that law enforcement and internal investigations into this 
incident are still ongoing, I expect to get more information 
today on what happened and why it took so long to inform the 
public. Most importantly, we want answers for consumers because 
Equifax's response to this breach has been unacceptable. So too 
has been Equifax's ongoing lax attitude when it comes to 
protecting consumer data.
    It has been 4 weeks since the breach was made public and at 
least 10 weeks since it was discovered by Equifax's employees, 
yet Equifax's customer service has been confusing and 
unhelpful. Equifax even tweeted a link to a fake web site. Many 
of the remedies Equifax is now offering to consumers were not 
offered upfront or in good faith. They were forced out of the 
company only after a public outcry and they are still 
inadequate.
    It is hard to imagine that anyone at Equifax thought it was 
a good idea to offer only 1 year of credit monitoring, with an 
arbitration clause at first to boot. Free and comprehensive 
credit monitoring and identity theft protection should be 
offered for far longer than a year. Most recently, Equifax 
added lifetime credit locks to its offering which consumer 
advocates suggest are weaker than credit freezes. Regardless, a 
lock or a freeze at only one credit bureau is almost useless. 
Equifax should work with the other credit bureaus to 
immediately create a free, quick, and easy-to-use freeze and 
unfreeze one-stop shop.
    And because credit freezes or locks may not work for 
everyone, going forward Equifax should do more than credit 
locks. It should give consumers more control over how their 
data is used and stored. In addition, if Equifax wants to stay 
in business, its entire corporate culture needs to change to 
one that values security and transparency. After all, this is 
not Equifax's first data breach in the past year.
    Consumers do not have any say in whether or not Equifax 
collects and shares their data and that is what makes this 
breach so concerning. This is unlike other breaches at stores 
such as Target and Michael's where consumers could make a 
choice and change their shopping habits if they were upset with 
how the companies protected data. That is simply not the case 
with Equifax.
    While data breaches have unfortunately become commonplace, 
it is long past time for Congress, beginning with this 
committee, to act. Since at least 2005, this subcommittee has 
been considering data breach legislation but it has never 
become law and it is time we changed that. Yesterday, Ranking 
Member Schakowsky and I reintroduced the Secure and Protect 
Americans' Data Act. This bill would require enforceable, 
robust data security practices and meaningful notice to 
consumers. It would also give additional protections to 
consumers after a breach. Of course, breaches will continue to 
occur, but they occur more often when there is no 
accountability and no preventive measures are in place. And our 
bill will not stop mistakes and cyber crimes from happening, 
but we need to start somewhere.
    So Mr. Smith, I read your op-ed in USA Today last month and 
the new CEO's op-ed in the Wall Street Journal last week and I 
appreciate that you are both sorry, but my question is what 
now? I would like to yield now the remainder of my time to my 
colleague from New Mexico.
    Mr. Lujan. Thank you to our ranking member, Mr. Pallone, 
and I thank the committee's leadership for organizing this 
important hearing. 145,500 thousand million Americans, 145.5 
million people at risk because of Equifax's failure. Now Mr. 
Smith, the American people deserve answers and I hope you are 
prepared to provide them. Not just about what caused the 
breach, but what Equifax is doing to prevent this from 
happening again and to ensure that those who were harmed are 
made whole.
    I worry that your job today is about damage control, to put 
a happy face on your firm's disgraceful actions and then depart 
with a golden parachute. Unfortunately, if fraudsters destroy 
my constituents' savings and financial futures there is no 
golden parachute awaiting them. We have questions and it is our 
expectation that you have concrete answers.
    And I hope this hearing is just the start of our 
committee's work. We need to work together to hammer out real 
solutions. I recently took a step in that direction by 
introducing the Free Credit Freeze Act to allow consumers to 
protect themselves by freezing and unfreezing their credit at 
no charge. It is unconscionable that Equifax failed so 
spectacularly to protect people's most sensitive personal data. 
It is even more reprehensible that the same company profits 
from the pain that they have caused.
    And I certainly hope that we can get some assurances from 
the committee's leadership that we will have a markup and a 
hearing on legislation to address this mess, and I hope that 
assurance can be given before the holidays of 2017. I yield 
back the balance of my time.
    Mr. Latta. Thank you very much. The gentleman yields back 
and this concludes our member opening statements. The chair 
would remind members that pursuant to the committee rules, all 
members' opening statements will be made part of the record.
    Today we have Mr. Richard Smith, the former chairman and 
CEO of Equifax, Inc., who is here to testify before the 
subcommittee. Mr. Smith will have the opportunity to give an 
opening statement followed by a round of questions from our 
members. And Mr. Smith, you are recognized for 5 minutes. Thank 
you.

STATEMENT OF RICHARD SMITH, FORMER CHAIRMAN AND CEO OF EQUIFAX, 
                              INC.

    Mr. Smith. Thank you. Chairman Walden, Ranking Member 
Pallone, Chairman Latta, Ranking Member Schakowsky, and the 
honorable members of the subcommittee, it is an honor to be 
here before you today.
    My name is Rick Smith and for the last 12 years I have had 
the honor of being the CEO and chairman of Equifax. Earlier 
this week, I submitted a written testimony which at this time I 
don't plan on going through any detail on that but rather I am 
here today to explain to you and the American people how 
criminal hackers were able to steal personal information on 
over 145 million Americans from our servers, and as 
importantly, to discuss with you today what our company's 
response was to that criminal hack.
    The criminal hack happened on my watch and as CEO I am 
ultimately responsible and I take full responsibility. I am 
here today to say to each and every person affected by this 
breach I am truly and deeply sorry for what happened. I have 
talked to many consumers, I have read your letters, and Equifax 
is committed to making it whole for you. Americans have a right 
to know how this happened and I am prepared to testify today 
about what I have learned and what I did about this incident in 
my role as CEO and as chairman of the board, and also what I 
know about the incident as a result of being briefed by the 
company's investigation which is ongoing.
    We know now that this criminal attack was made possible 
because of a combination of human error and technological 
error. The human error involved the failure to apply a software 
patch to our dispute portal in March of 2017. The technological 
error involved a scanner which failed to detect that 
vulnerability on that particular portal. Both errors have since 
been addressed.
    On July 29th and July 30th, suspicious activity was 
detected and a team followed our security incident protocol. 
The team immediately shut down the portal and began our 
internal security investigation. On August 2nd, we hired top 
cybersecurity forensic and legal experts and at that time we 
notified the FBI. At that time, to be clear, we did not know 
the nature or the scope of the incident. It was not until late 
August that we concluded that we had experienced a major 
breach.
    Over the weeks leading up to September 7th, our team 
continued working around the clock to prepare. We took four 
steps to protect consumers. Step number one, determining when 
and how to notify the public, relying on the advice of our 
experts that we needed to have a plan in place as soon as we 
announced. Step two, helping consumers by developing a web 
site, staffing up massive call centers, and offering services 
free to every American. Three, preparing for increased cyber 
attacks which we were advised by the cybersecurity experts that 
we should expect. And finally, continue to coordinate with the 
FBI and their criminal investigation of the hackers and also to 
notify other federal and state agencies.
    In the rollout of our remediation program mistakes were 
made, for which again I deeply apologize. I regret the 
frustration that many Americans felt when our web sites and 
call centers were overwhelmed in the early days. It is no 
excuse, but it certainly did not help that Hurricane Irma took 
down two of our larger call centers in the first few days after 
the breach. Since then, however, the company has dramatically 
increased its capacity and I can report to you today that we 
have handled over 420 million consumer visits to our web site 
in just over 3 weeks and the wait times at the call centers 
have been substantially reduced.
    At my direction, the company offered a broad package of 
services to all Americans. In addition, we developed a new 
service available on January 31st, 2018 that will give all 
consumers the power to control access to their credit data by 
allowing them to lock and unlock their credit files when they 
want and they can do that for free for life.
    Putting the power to control access to credit data in the 
hands of the American consumer is a step forward. I look 
forward to discussing this new tool with you during my 
testimony. As we have all painfully learned, data security is a 
national security problem. Putting the consumer in control of 
their credit data is a first step towards a long-term solution 
to the industry and the problem of identity theft.
    But no single company can solve the larger problem on its 
own. I believe we need a public-private partnership to evaluate 
how to best protect Americans' personal data going forward and 
I look forward to being a part of that dialogue.
    Chairman Walden, Ranking Member Pallone, Chairman Latta, 
Ranking Member Schakowsky, and the honorable members of the 
subcommittee, thank you again for inviting me here today to 
speak to you. I will close by saying again how sorry I am for 
this breach. On a personal note, I want to thank the many 
hardworking and dedicated employees who have worked with me so 
tirelessly over the past 12 years at Equifax. Equifax is a very 
good company with thousands of great people waking up every day 
trying to do what is right. I know they will continue to work 
tirelessly as we have over the past 2 months to right the 
wrong. I am looking forward to answering your questions. Thank 
you.
    [The prepared statement of Mr. Smith follows:]
 
    Mr. Latta. Thank you very much. This concludes our witness 
testimony and we will move into the question and answer portion 
of our hearing. I will begin with the questioning and recognize 
myself for 5 minutes. And I would remind members because we do 
have quite a few members who want to ask questions today, I am 
going to try to keep the 5-minute rule on questions in place so 
you will hear the tapping. But I will begin with the 
questioning.
    Mr. Smith, the timeline of events is raising some red flags 
I would like to ask you about. According to your statement, the 
first time you heard about the breach of security was on July 
the 31st of 2017. Is that correct?
    Mr. Smith. Yes, Congressman. That is correct.
    Mr. Latta. And you first asked for a briefing about the 
breach on August the 15th. Is that correct?
    Mr. Smith. Yes. That is correct.
    Mr. Latta. And the first time the board of directors was 
notified about the breach was August the 24th. Is that correct, 
the full board?
    Mr. Smith. Congressman, on the 22nd of August I notified 
our lead director, presiding director at the time. The full 
board was briefed on the 24th and again on the 25th and 
subsequent meetings after that.
    Mr. Latta. All right. And you notified the public about the 
breach on September the 7th, correct?
    Mr. Smith. That is correct.
    Mr. Latta. OK. You state in your testimony that you began 
developing the remediation for consumers on August the 24th or 
the 25th. Why was there a 10-day delay between you finding out 
that personal information had likely been stolen and beginning 
to develop the remediation plan and do you think that 10-day 
window was responsible for having learned about that personal 
information being stolen to start talking about how to talk to 
the consumers?
    Mr. Smith. Congressman, I understand the question, if I may 
go back to the timeframe of the 31st. So if you go to the 29th 
and 30th, someone in security had detected what they deemed as 
suspicious activity. That is something that happens routinely 
around our business. On the 30th they bring down this 
particular portal and they start their own internal 
investigation.
    As I had mentioned in my opening comments and in my written 
testimony, on the 2nd of August they had engaged leading 
forensic experts, cyber experts, and King & Spalding, a leading 
law firm, and their cybersecurity team. When you talk to the 
forensics experts they will tell you the complications of 
trying to understand where these criminals were, the footprints 
they had left, the inquiries they had made, is a cumbersome, 
cumbersome process. That is why it took weeks before we had an 
indication for the breadth and the depth of the issue which 
brought us to the August 24th date that you had mentioned.
    Mr. Latta. Well, let me just back up to July the 31st when 
you learned, again you were talking with the experts at that 
time and you learned about the breach and you testified that 
you did not know that personal information had been stolen at 
that point. But did you ask anyone if personal information had 
been stolen when you found out about that breach?
    Mr. Smith. Congressman, on the 31st, all I was told at that 
time was that security had noticed a suspicious movement of 
data out of an environment we call a dispute portal. It wasn't 
until later that they understood that was an actual dispute 
document. We had no indication on the 31st of July there was 
any PII information that was vulnerable.
    Mr. Latta. OK, so I guess again, but again not knowing if 
that personal information had been stolen at that time, your 
company is built on data and at any point did you think it was 
important if somebody in the company started looking at if 
personal data had been stolen at that point?
    Mr. Smith. Congressman, I can tell you we are working with 
the best forensic auditors in the business. They do this for a 
living. We had a great cyber team from King & Spalding with us. 
It took them time. At that time they did not know if data had 
been compromised, exfiltrated, or what the data was.
    Mr. Latta. If we could go back to when you did find out 
about the breach and that conversation with your chief 
information officer, Mr. Webb, how did he exactly tell you that 
there had been a breach? Was it a phone call, an email, in 
person, or how did he notify you of the breach?
    Mr. Smith. It was a face-to-face brief meeting on the 31st. 
At that time he had just learned as well, so the data was very 
fresh to him. The incident was described as an incident not as 
a breach.
    Mr. Latta. Is that the normal way for that information if 
there had been a breach at the company to notify someone is for 
the CIO to come and just give a face-to-face, or is that the 
standard operating procedure then?
    Mr. Smith. Congressman, at that time we had no indication 
it was a breach. It was a suspicious activity.
    Mr. Latta. Did you tell anyone else in senior management or 
any other members of the board of directors about the breach at 
that time, or is it just not until on August the 22nd when you 
had the one call and then the 24th for the rest of the board of 
directors did anyone else know about the breach?
    Mr. Smith. Again, it is important to say on July 31st we 
did not know it was a breach at that time, suspicious activity 
only. The first notification to the board was the lead director 
on the 22nd of August, which followed in the chronology of 
events a meeting I had with our cybersecurity experts and our 
outside counsel had occurred on the 17th of August. That is 
when the picture was starting to develop.
    Mr. Latta. Thank you. My time is expired and I will 
recognize the gentlelady from Illinois, the ranking member, for 
5 minutes.
    Ms. Schakowsky. Thank you, Mr. Chairman. I am going to get 
right to it. I wanted to ask some questions about John Kelley, 
the chief legal officer, who I understand is responsible for 
security at Equifax or was at least at the time of the breach 
and its discovery. Is that right?
    Mr. Smith. That is correct, Congresswoman.
    Ms. Schakowsky. And Mr. Kelley in turn reports directly to 
you the CEO, correct?
    Mr. Smith. Correct.
    Ms. Schakowsky. OK. So we were told that Mr. Kelley was 
informed by the chief security officer the week of July 30th--
we have just been talking about that--that a cybersecurity 
incident you mentioned that had occurred. Is that correct?
    Mr. Smith. He was notified, it is my understanding, on the 
31st of July.
    Ms. Schakowsky. Thirty-first, OK.
    Mr. Smith. That there was suspicious activity in a 
particular environment called a web portal that was a dispute 
environment.
    Ms. Schakowsky. We were told that Mr. Kelley--this is our 
staff--was informed at the same time that the incident might 
have compromised personally identifiable information. Is that 
correct?
    Mr. Smith. The only knowledge I have is he was notified on 
the 31st that there was suspicious activity in a consumer 
dispute portal.
    Ms. Schakowsky. Well, we were told that Mr. Kelley then 
wrote a short memo to you regarding the incident. Is that 
correct?
    Mr. Smith. Correct, Congresswoman. And in his email it said 
some suspicious activity.
    Ms. Schakowsky. OK. Around that same time, three Equifax 
executives sold over $1 million of Equifax stock. That is on 
August 1st and August 2nd, and it is reported that Mr. Kelley 
was ultimately responsible for approving those sales. Is it 
true that Mr. Kelley or one of his direct reports would have 
been required to sign off on these stock sales?
    Mr. Smith. Yes. Mr. Kelley who is our general counsel owns 
the clearance process and he would----
    Ms. Schakowsky. I have a lot of questions. So the answer is 
yes, he was supposed to sign off?
    Mr. Smith. Yes.
    Ms. Schakowsky. Did any one of these three executives have 
knowledge the cybersecurity incident had occurred?
    Mr. Smith. To the best of my knowledge, Congresswoman, no.
    Ms. Schakowsky. When were they informed that the incident 
had occurred?
    Mr. Smith. I don't know exactly the date that they were 
informed, but to the best of my knowledge they had no knowledge 
at the time they cleared their trades with the general counsel.
    Ms. Schakowsky. Do you know for sure that they didn't know?
    Mr. Smith. To the best of my knowledge they did not know.
    Ms. Schakowsky. And Mr. Kelley, who we were told knew of 
the breach and that it contained personal information and yet 
still approved the stock sale, is he still chief legal officer 
for Equifax?
    Mr. Smith. Congresswoman, I would come back to it again, he 
did not know it was a breach when he approved----
    Ms. Schakowsky. That it could have been a breach.
    Mr. Smith. All he knew at the time, it is my understanding, 
is suspicious activity when he approved the sales.
    Ms. Schakowsky. What the heck does suspicious--it could be 
a breach, right?
    Mr. Smith. It was deemed suspicious activity. We had no 
indication that PII was in fact compromised at that time. We 
had no idea if data was exfiltrated at that time.
    Ms. Schakowsky. So now I understand that you agreed to 
forego your 2017 bonus which has been about $3 million for the 
past 2 years, correct?
    Mr. Smith. That is correct.
    Ms. Schakowsky. But it has been reported that you will 
still retain $18 million in pension benefits from Equifax; is 
that accurate?
    Mr. Smith. That is correct.
    Ms. Schakowsky. Retiring, which is the category right now 
although the company maintains the right to change that 
designation, also means you will be free to sell your Equifax 
stock which is worth about $24 million. Is that correct?
    Mr. Smith. Congresswoman, that calculation, it is hard to 
say. It is a complicated calculation. It depends on the total 
shareholder return of the company at the time the stocks vest. 
There are multiple variables. That may be an estimate, I have 
seen different estimates, but it is hard to say what that 
number is and we won't know until the end of the year.
    Ms. Schakowsky. And that is in addition to Equifax stock 
you sold earlier in this year for $19 million. Is that correct?
    Mr. Smith. That sounds correct.
    Ms. Schakowsky. And according to one report, you could be 
eligible for $22 million in performance-based compensation 
depending how Equifax stock performs in the next 3 years. Is 
that right?
    Mr. Smith. Let me be very clear, if I may, Congresswoman. 
When I announced my retirement and thought it was best for the 
company to move forward with a new leader, I agreed to step 
down at that time with no further compensation. I agreed I 
should not get a bonus. I agreed there would be no severance. I 
asked for nothing beyond what I had already earned.
    Ms. Schakowsky. I was just informed by staff that the chief 
security officer told the chief legal officer verbally that 
there was PII that according to a call with staff yesterday 
that actually there was a mention of the breach of personally 
identifiable information. The CSO told us in a call yesterday 
is what I just heard from staff.
    Mr. Smith. Congresswoman, I have no documentation, no 
insight, no knowledge that anyone in the company had informed 
me or in that case the chief general counsel that there was a 
breach on July 31st. Is that what you said?
    Ms. Schakowsky. Yes. No, we didn't say a date. I am told 
that our staff didn't say a date. OK, let me just say I am glad 
the FBI is looking into it and many state attorneys general. 
The City of Chicago has sued, so we will probably get more 
information that way as well. Thank you.
    Mr. Latta. Thank you very much. The gentlelady's time has 
expired. The chair now recognizes the chairman of the full 
committee, the gentleman from Oregon, for 5 minutes.
    Mr. Walden. Thank you, Mr. Chairman.
    Mr. Smith, thanks again for being here today. As you know, 
this is an example of an Equifax credit report in my hand. It 
lists social security numbers, addresses, credit history, 
debts, all the sort of personal financial information. It is 
the lifeblood of Equifax, right? These data points are really, 
really important to what you do as a company?
    Mr. Smith. Congressman, that is correct.
    Mr. Walden. It is a $3 billion company, data on 820 million 
customers worldwide, and yet it appears this breach happened 
because the company didn't know it was running certain software 
on its system, right, the Apache Struts software that had the 
patch requirement?
    Mr. Smith. Congressman, as I alluded to in my opening 
comments and the written testimony, there was a human error and 
a technology error that did not allow us to identify and cover.
    Mr. Walden. And I think that is what we are trying to get 
to here. If I understand it right, your own information 
technology system did not tell the Equifax security division 
that the Apache Struts software, which contained the 
vulnerability that led to this breach, was running on the 
Equifax system. How did that happen?
    Mr. Smith. Congressman, the day after the notification came 
out from CERT, the security team notified a wide range of 
people in the technology team who were responsible for then 
finding the vulnerability, applying the patch, and then, days 
later as is typical protocol, to deploy a technology scanner to 
go then look for the vulnerability, find the vulnerability, and 
if it found a vulnerability it knew it was not patched. Both 
human deployment of the patch and the scanning deployment did 
not work. The protocol was followed.
    Mr. Walden. OK, so then people ask us how does that happen? 
If as sophisticated of a company as you headed is with so much 
at risk, how does this happen? And, we have colleagues that say 
we are going to double the fines, triple the fines, put fines 
in, do all these things, but how does this happen when so much 
is at stake? I don't think we can pass a law that, excuse me 
for saying this but I can't fix stupid, as a colleague of mine 
used to say. With so much at risk--I have talked to other 
software companies and people in this space who say some 
companies have an automated system that when a patch comes out 
it automatically gets installed. That is not what you had 
necessarily, right?
    Mr. Smith. I am unaware of an automatic patch. The system 
we have in place is security gets notification and it is not 
uncommon to get notification from software providers routinely 
about vulnerabilities that are discovered.
    Mr. Walden. Right.
    Mr. Smith. They follow the protocol, which is to notify the 
appropriate people within the timeframe that the protocol 
called for. Unfortunately, the human error was they did not 
find the patch. Did not know----
    Mr. Walden. If I could, the human error piece you reference 
is that they didn't know that that particular software was 
running on your system, Apache Struts was running? Because that 
is what needed patching, right?
    Mr. Smith. Congressman, great question, if I may clarify.
    Mr. Walden. Yes, please.
    Mr. Smith. The human error was the individual who is 
responsible for communicating in the organization to apply the 
patch did not.
    Mr. Walden. So does that mean that that individual knew 
that the software was there and it needed to be patched and did 
not communicate that to the team that does the patching? Is 
that the heart of the issue here?
    Mr. Smith. That is my understanding, sir.
    Mr. Walden. I was on a bank board for a while and we always 
had double checks on everybody, right. Do you not have a double 
check of some sort, an audit of some sort? It seems like that 
was a single point.
    Mr. Smith. The double check was the scanning device that 
was deployed a few days later.
    Mr. Walden. But did the scanning device--I don't know how 
that process works. Does it know you have that software or do 
you have to tell it that is what you are scanning for?
    Mr. Smith. It is the latter. You have got to tell it what 
it is looking for. It scans the environment looking for----
    Mr. Walden. And so the individual who didn't tell the IT 
team, that is where the individual failed. Was that the same 
person telling them what to look for?
    Mr. Smith. No. The scanner is deployed by the security 
team. And I should clarify there that the rationale or the 
reason why the scanner or the technology piece did not locate 
the vulnerability is still under investigation by outside 
counsel.
    Mr. Walden. All right, one final question. You have 
referenced the suspicious movements of data. You have 
referenced incident. The American people think all of that is 
breach. How regularly did you have incidents or suspicious 
movement of data? Is this a routine thing that people call, 
hey, we had another incident, we have another suspicious 
movement of data, or was this outside normal operations?
    Mr. Smith. Congressman, thank you for that question. As you 
alluded to in your comments, we do have a lot of data and our 
primary goal is to protect that data. And we have experienced 
millions of suspicious activities against our database any 
given year.
    Mr. Walden. But to the point that the head of your security 
team comes to you and says, hey, we have another one?
    Mr. Smith. Oh. That is not uncommon. It is not uncommon.
    Mr. Walden. How often would that happen in the course of a 
week that they would come to the CEO and say heads up?
    Mr. Smith. I don't have a number for you, Congressman, but 
it is not uncommon. It is not uncommon for us to engage 
forensic audit firms. It is not uncommon for us to engage 
outside counsel to help us think things through when there is 
suspicious activity. It is a part of doing business in a data 
business as you alluded to.
    Mr. Walden. Thank you for the indulgence of the committee. 
I yield the balance of my time.
    Mr. Latta. The gentleman yields back and the chair 
recognizes the ranking member of the full committee, the 
gentleman from New Jersey, for 5 minutes.
    Mr. Pallone. Thank you.
    Mr. Smith, you testified that on August 11th you were 
informed that hackers had stolen, ``a large amount of 
consumers' personally identifiable information,'' in this 
incident. And on August 17th, I guess a week later, you said in 
a speech, ``fraud is a huge opportunity for Equifax. It is a 
massive, growing business for us.'' So I am just looking for a 
number, Mr. Smith. At the time you gave that speech, roughly 
how many consumers did you believe had been compromised by the 
breach, if you could?
    Mr. Smith. Congressman, if I may clarify, I think you 
alluded to an August 11th date?
    Mr. Pallone. August 11th, initially, and then August 17th 
in the second speech.
    Mr. Smith. August 11th I had no indication. I was not 
informed at that time. My notification was before the August 
17th meeting. And you alluded to a speech?
    Mr. Pallone. Well, yes. On the 17th you said in a speech, 
fraud is a huge opportunity for Equifax. It is a massive 
growing business for us. I am just looking for a number. At the 
time, roughly, how many consumers did you believe had been 
compromised by the breach?
    Mr. Smith. On August 17th, which is I think on or around 
the date you had talked about that I gave a speech, we did not 
know how much data was compromised, what data was compromised. 
That story was still developing. And that speech you are 
alluding to is a very common speech we have in communities. I 
think this happened to be at a university that we talked to 
them, but at that time when I gave that speech I did not know 
size, the scope of the breach.
    Mr. Pallone. All right. During your tenure at Equifax you 
expanded the company's business into packaging and selling 
other people's data. And in that August 17th speech you 
explained that having free data with a gross margin of profit 
of about 90 percent is, ``a pretty unique model.'' And I get 
that this unique model is a good deal for Equifax, but can you 
explain how it is a good deal for consumers?
    Mr. Smith. Thank you, Congressman. I think I understand the 
question. Our industry has been around for a number of years as 
you know. In fact, Equifax is a 118-year-old company. We are 
part of a federally regulated ecosystem that enables consumers 
to get access to credit when they want access to credit and 
hopefully at the best rates available to them at that time. So 
we are very vital to the flow of the economy not just in the 
U.S. but around the world.
    Mr. Pallone. All right. And I want to turn to what Equifax 
is offering consumers in the wake of this breach, specifically 
the free credit lock service that is supposed to be introduced 
next year. We have been told that this free credit lock service 
could require consumers to consent to Equifax sharing or 
selling the information it collects from the service to third 
parties with whom the individual already has a business 
relationship for marketing or other purposes. Is that true?
    Mr. Smith. This product will be a web-enabled, mobile-
enabled application that will allow a consumer at the time he 
or she, if they decide they want access to credit, can simply 
toggle on and toggle off that application to give the bank, 
credit card issuer, auto lender, access to their credit file to 
approve their own.
    Mr. Pallone. Well, by agreeing to use the Equifax's lock 
service will consumers also be opting in to any additional 
marketing arrangements either via Equifax or any of its 
partners?
    Mr. Smith. Congressman, we are trying to change the 
paradigm, and what I mean by that is this will be in an 
environment viewed as a service, a utility not a product. But 
we know cross-selling, up-selling, or any products available to 
the consumer, when they go to get and sign up for the lock 
product it is a service to them and that is the only product 
the service will be able to get.
    Mr. Pallone. Now will Equifax give consumers an easy and 
free method to choose not to share their data in this way, even 
if the consumer already has a business relationship with the 
third party?
    Mr. Smith. Yes, Congressman. I would envision as this 
evolves over time the consumer will have the ability to invite 
into their world who they want to have access and who they do 
not. It will be their choice, their power, not ours, to make 
that decision.
    Mr. Pallone. Now last week, the interim CEO announced that 
by January 31st of 2018 Equifax would make locking and 
unlocking of a person's Equifax credit report free forever. A 
credit report lock is already included in TrustedID Premier and 
other services like credit monitoring and identity theft 
insurance. Will that still end after 1 year?
    Mr. Smith. Congressman, a couple of differences. Number 
one, the product we offer today for consumers protects the 
consumer at the same level of protection they would get January 
31st. The difference is today it is a browser-enabled product 
or service. The 31st of January it will be an application, much 
simpler and easier for the consumer to use. The protection is 
largely the same.
    So they get this free service when they sign through for 1 
year. At the end of the 1 year, effective January 31st of 2018, 
it goes into the new lock product.
    Mr. Pallone. I guess, the difference other than not 
expiring between the credit report lock that is part of 
TrustedID Premier and the credit locking tool that will be 
available in January, why not just extend the freeze program?
    Mr. Smith. There is a difference between the freeze product 
which came to pass with FACTA back in 2003, passed into law in 
2004. That is now governed by state laws in all states and it 
is a cumbersome process for a consumer. In many cases, some 
states require you to mail in your request for a freeze and 
then we must mail you a PIN, so your ability to get access to 
get credit when you want credit is encumbered.
    A consumer could go to a car dealer or to a bank to get a 
credit card, forget his or her PIN on a freeze product. Have to 
go back home, look for the PIN, mail the PIN in. So it is a 
cumbersome process. The lock product we are offering today is a 
big step forward. The lock product for the 31st of January is 
an even further step forward.
    Mr. Pallone. My time has run out, Mr. Chairman.
    Mr. Latta. Thank you very much. The gentleman's time has 
expired. The chair now recognizes the chairman emeritus of the 
full committee, the gentleman from Texas, for 5 minutes.
    Mr. Barton. Thank you, Mr. Chairman, and since I am not a 
member of this subcommittee, thank you for your courtesy in 
allowing me to ask questions.
    Mr. Smith, what is the market value of Equifax? What is 
your company worth, or your former company?
    Mr. Smith. Congressman, last time I checked it is somewhere 
close to $13 billion.
    Mr. Barton. Thirteen billion. I am told by my staff that 
this latest data breach was about 143 million people; is that 
right?
    Mr. Smith. We were informed yesterday from the company that 
it is typical in a forensic audit there was some slight 
movement and the numbers-adjusted press release came out from 
the company last night it is 145.5.
    Mr. Barton. Well, OK. I appreciate your accuracy there. But 
under current law you are basically required to alert each of 
those that their account has been hacked, but there is really 
no penalty unless there is some sort of a lawsuit filed and the 
Federal Trade Commission or a state attorney general files a 
class action lawsuit against your company. So you are just 
required to notify everybody and say so sorry, so sad. I 
understand that your company has to stay in business, has to 
make money, but it would seem to me that you might pay a little 
bit more attention to security if you had to pay everybody 
whose account got hacked a couple of thousand bucks or 
something. What would the industry reaction be to that if we 
passed a law that did that?
    Mr. Smith. Congressman, I understand your question. I think 
the path that we were on when I was there and the company has 
continued is the right path, and that is the path of allowing 
the consumers to control the power of who and when accesses 
their credit file going forward, taking the----
    Mr. Barton. Well, the consumer can't control the security 
of your system.
    Mr. Smith. That is true, sir. But they can control----
    Mr. Barton. And your security people knew there was a 
problem and according to staff briefings that I have been a 
part of they didn't act in a very expeditious fashion until the 
system had already been hacked. You are to be commended for 
being here. I don't think we subpoenaed you. I think you 
appeared voluntarily, which shows a commendable amount of 
integrity on your part.
    But I am tired of almost every month there is another 
security breach and it is OK, we have to alert you. I checked 
my file to see if I was one of the ones that got breached, and 
apparently I wasn't. I don't know how I escaped, but I didn't 
get breached. But my staff person did, and we looked at her 
reports last night and the amount of information that is 
collected is way beyond what you need to determine if she is 
creditworthy for a consumer loan. Basically, her entire adult 
history going back 10 years everywhere she has lived, her name, 
her date of birth, her social security number, her phone 
numbers, her addresses, her credit card, student loans, 
security clearance applications for federal employment, car 
insurance, even employment history of jobs that she worked when 
she was in high school. That is not needed to determine whether 
she is worthy of getting a $5,000 credit card loan or something 
and now it is all out in the netherworld of whoever hacked it.
    I can't speak for anybody but myself, but I think it is 
time at the federal level to put some teeth into this and some 
sort of a per-account payment. And again I don't want to drive 
credit bureaus out of business and all of that, but we could 
have this hearing every year from now on if we don't do 
something to change the current system.
    So I would hope that you would go back to your peers and 
work with the committee, the chairman and the subcommittee 
chairman and ranking member and let's figure out something to 
do that actually gives an incentive to the industry to protect 
ourselves. And the only way I know to do it is some fine per 
account hacked that is large enough that even a company that is 
worth $13 billion would rather protect their data and probably 
not collect as much data than just come up here and have to 
appear and say we are sorry.
    With that, Mr. Chairman, thank you for your courtesy and I 
yield back.
    Mr. Latta. The gentleman yields back and the chair now 
recognizes the gentleman from New Mexico for 5 minutes.
    Mr. Lujan. Thank you, Mr. Chairman.
    Mr. Smith, there is a difference between a lock product and 
a freeze, correct; those are two different things?
    Mr. Smith. Congressman, there is a process. It is a little 
different, but as far as the consumer and the protection that 
he or she would get from doing one versus the other is 
virtually if not exactly the same.
    Mr. Lujan. Well, virtually almost exactly is not the same. 
Are they different?
    Mr. Smith. It is the same.
    Mr. Lujan. So your lock product is the same as a freeze?
    Mr. Smith. As far as the protection----
    Mr. Lujan. Well, we will get into that later. I appreciate 
that clarification. Will Equifax be willing to pay for this 
freeze at Experian and TransUnion for consumers whose 
information was stolen?
    Mr. Smith. You are referring to the freeze or the lock?
    Mr. Lujan. You said they are the same so.
    Mr. Smith. Yes. Right now we offer a free lock product as 
you know for 1 year and then a free lifetime lock product for 
life starting January 31st, 2018.
    Mr. Lujan. And that also extends to Experian and 
TransUnion?
    Mr. Smith. No, sir. It does not.
    Mr. Lujan. Let me repeat the question. Will Equifax be 
willing to pay for that freeze for that lock at Experian and 
TransUnion for consumers whose information was stolen through 
Equifax?
    Mr. Smith. Congressman, the company has come out with what 
they feel is a comprehensive five different services today and 
a lifetime lock. I would encourage TransUnion and Experian to 
do the same. It is time we changed the paradigm, give the power 
back to the consumer to control who accesses his or her credit 
data. It is the right thing to do.
    Mr. Lujan. OK. I am down to limited time, Mr. Smith. I 
apologize. I will take that as a no that Equifax will not pay 
for Experian and TransUnion consumers. Do you think consumers 
should have to pay a penalty for your mistake including 
potential identity theft, false credit accounts, fraudulent tax 
returns, or medical identity theft, or do you commit to 
compensating any consumers who suffer harm as a consequence of 
your breach?
    Mr. Smith. We take this seriously. I have apologized. I 
will apologize again to the American consumer. We have offered 
a comprehensive set of products for free.
    Mr. Lujan. Mr. Smith, will those comprehensive sets of 
products make consumers whole?
    Mr. Smith. It will protect them going forward.
    Mr. Lujan. Will it make them whole, yes or no?
    Mr. Smith. It is hard for me to tell if someone has been 
harmed so I can't answer the question.
    Mr. Lujan. If someone's credit has been stolen and someone 
went and opened up a bunch of their accounts, bought furniture, 
bought cell phones, bought a bunch of fuel, and now this 
consumer can't fix their history they have been harmed. In that 
case will Equifax make that person whole?
    Mr. Smith. Congressman, as I have said I apologize. We have 
offered them a----
    Mr. Lujan. Thank you very much, sir.
    So I want to go back to the line of questioning earlier 
from Mr. Pallone. On August 11th, in your prepared testimony it 
says that you were aware of a large amount of consumer PII. On 
August 15th, it says in your prepared testimony a PII had been 
stolen, it appeared likely, and that you requested a detailed 
briefing to determine how much the company should proceed. On 
August 17th, it says, you, I held a senior leadership meeting 
to receive the detailed briefing on the investigation. You gave 
a speech also on the 17th about profiting off of fraud with 
these new markets. You shared with Mr. Pallone that you were 
not aware of PII being stolen. What is it?
    Mr. Smith. Congressman, on the 17th I had the full debrief 
from Mandiant, our forensic auditors, from outside counsel, and 
my team. I was aware on the 15th that there had been some PII 
compromise. How much the scope----
    Mr. Lujan. I appreciate that clarification. You were aware 
it was stolen and you just were not aware how much?
    Mr. Smith. I was not aware it was stolen. I was aware there 
was----
    Mr. Lujan. It says in your prepared testimony that you were 
aware, that you asked for a detailed briefing to determine how 
the company should proceed. So you were aware that PII was 
stolen on the 15th; is that true or not true?
    Mr. Smith. At that time, the 17th was the detailed review 
of when I learned about PII. And even at that time which PII, 
was it stolen, was it not stolen, those details came to life, 
Congressman, over the course of August.
    Mr. Lujan. Mr. Smith, on August 15th, were you aware that 
there was PII that was stolen or not?
    Mr. Smith. On August 15th----
    Mr. Lujan. Regardless of the amount were you aware of that?
    Mr. Smith. On August 15th, I was made aware that hackers, 
criminal hackers, had gotten into our system and had some PII 
information.
    Mr. Lujan. OK. Well, we can revert to your prepared 
testimony. The other question that I have that Ms. Schakowsky 
was asking on, is Chief Legal Officer John Kelley still 
employed by you, or by Equifax?
    Mr. Smith. Yes, he is.
    Mr. Lujan. And you were the CEO at the time that approved 
the terms of the retirement for David Webb and Susan Mauldin. 
Is their classification as retired permanent or could it 
potentially change to fired for cause like yours?
    Mr. Smith. There is an investigation going on by the board 
at this time.
    Mr. Lujan. And Mr. Chairman, I know that my time has 
collapsed here, if you will, but there is an article in WGN-TV 
that talks about Equifax doing their own investigation into the 
three executives that sold their stock and profited. And I 
guess they must have a pretty good investigative team there 
because between the press release that happened on Friday or 
whenever it came out, and then a story on Sunday, and today we 
have a revelation that those folks didn't know that this breach 
took place, I just hope we get to the bottom of this.
    And again, Mr. Chairman, I hope that we can be given 
assurance to the committee and to the American people that this 
committee will have a markup and a hearing with bills that we 
can take to the floor before the holidays to give the American 
people consumers confidence again because this is a mess. Thank 
you, Mr. Chairman.
    Mr. Latta. Thank you very much. The gentleman's time has 
expired. And the chair now recognizes the gentleman from 
Mississippi, the vice chairman of the subcommittee, for 5 
minutes.
    Mr. Harper. Thank you, Mr. Chairman.
    Mr. Smith, thank you for being here to testify today. In 
your written testimony and in response to some of the 
chairman's questions, you stated that you were informed of 
suspicious activity on July the 31st by your chief information 
officer and went on to discuss that. And you said, I certainly 
did not know that personal identifying information, PII, had 
been stolen or have any indication of the scope of the attack. 
Did you ask him if there had been any personal identifying 
information that had been obtained?
    Mr. Smith. Congressman, at that time I was informed it was 
a dispute portal document. A dispute portal document is 
something that typically houses if the company is disputing 
with us they paid off a utility bill he or she may take a 
picture of the utility bill. So at that time that was the 
conversation.
    Mr. Harper. Mr. Smith, not to interrupt, but my question 
was did you ask if any PII had been accessed?
    Mr. Smith. No, I did not.
    Mr. Harper. Were you made aware at that point of the Apache 
Struts patch?
    Mr. Smith. No, sir. I was not.
    Mr. Harper. Had you had any meetings with your chief 
information officer or your security department about any of 
this issue prior to July 31st?
    Mr. Smith. No, Congressman. I did not.
    Mr. Harper. Had you had any meetings with them about any 
other security information during that time from March until 
July 31st?
    Mr. Smith. Oh yes. We would have routine meetings, security 
reviews, IT reviews.
    Mr. Harper. How often do you have those?
    Mr. Smith. Common due process would be at least quarterly.
    Mr. Harper. And why did you not have this discussion come 
up and did you have, obviously that is more than a quarter, so 
how many meetings did you have between that time of March the 
8th until July the 31st with your security team?
    Mr. Smith. Make sure I understand your question. Why 
didn't----
    Mr. Harper. No. How many meetings did you have during that 
time from March the 8th until July the 31st?
    Mr. Smith. I don't have that information with me. If that 
is important we can get that.
    Mr. Harper. Well, how many do you remember? Do you remember 
any of those?
    Mr. Smith. So normally we would have IT reviews at least 
quarterly and security reviews at least quarterly. And then you 
would augment that on an as-needed basis.
    Mr. Harper. Well, with those meetings and those timelines 
of March the 8th until July 31st we are covering into three 
quarters. Not a total of 9 months, but you touch into three 
quarters of that year. And at any point in any of that did you 
have any information about this going on?
    Mr. Smith. No, sir. I did not.
    Mr. Harper. All right. In your testimony you indicate that 
the security department ran scans in March for the 
vulnerability but failed to identify it. Can you explain how 
this is possible and why was there never any confirmation of 
anybody coming back and checking to see, OK, we have this 
identified information, there was a failure of someone on the 
team to identify this that it was being used, that the software 
was even being used? Was there no one coming in to verify that? 
Do you have any outside person prior to the ones that you hired 
to look at this?
    Mr. Smith. Congressman, we get notifications routinely, the 
IT team and security team do, to apply applications. This 
individual as I mentioned earlier did not communicate to the 
right level to apply the patch. The follow-up was as you 
mentioned----
    Mr. Harper. You said this individual?
    Mr. Smith. Yes.
    Mr. Harper. So you had one person responsible for this?
    Mr. Smith. There is an owner of the patch process. There is 
a communication that comes out from security. It is a broad-
based communication. Once they receive notification from a 
software company, or in this case DHS, they notify appropriate 
people. Then an individual who owns the patch process cascades 
that communication.
    Mr. Harper. For everyone who is on your Equifax team is 
there anything more important than protecting the PII of the 
consumers?
    Mr. Smith. No, sir.
    Mr. Harper. Would you identify that as the number one 
responsibility of the company and everybody in your company?
    Mr. Smith. We have for years, sir, yes.
    Mr. Harper. OK. So it just appears, obviously, the job 
wasn't done and so we know that and we are trying to look at 
this. And I know too there was an Equifax spokeswoman who said, 
we have taken short-term mediation steps and continue to 
implement and accelerate long-term security improvements as 
part of ongoing actions to help prevent this type of incident 
from happening again.
    So we have 145.5 million people whose PII has been 
compromised. How many files do you have in the system?
    Mr. Smith. Worldwide?
    Mr. Harper. Yes, sir.
    Mr. Smith. I think someone mentioned earlier there is a 
public number out there of over 800 and some odd million 
consumers and 100 million companies, roughly.
    Mr. Harper. And we know this breach includes some from 
Canada, some from the U.K. Would that be fair to say even at 
this point?
    Mr. Smith. Congressman, a point of clarification there, 
there was some data that we had on, I think it is 7,000 
Canadians in the U.S. So the data was in the U.S., same 
environment. We had some data on U.K. citizens also in the U.S. 
That piece is still under investigation.
    Mr. Harper. My home State of Mississippi has three million 
people. Almost 1.4 million files have been breached in my 
state. If you take away people that are minors who don't have a 
file yet, almost my entire state is going to be impacted. So 
this is a travesty, something that was preventable, we know, 
and so saying that we want to protect what goes forward doesn't 
bring us a lot of comfort today. Thank you and I yield back.
    Mr. Latta. The gentleman yields back. The chair now 
recognizes the gentleman from California for 5 minutes.
    Mr. Cardenas. Thank you very much. I thought I prepared for 
this committee, but I have more chicken scratch notes. I don't 
even know where to start.
    Mr. Smith, welcome to Washington. Are you currently 
employed by Equifax?
    Mr. Smith. No, sir.
    Mr. Cardenas. You are not. When you decided to come before 
this committee were you specifically requested by name to come 
to this committee by this committee or were you offered up by 
Equifax as the representative of Equifax to come represent 
Equifax before this committee?
    Mr. Smith. I believe I was asked specifically to come 
before the committee.
    Mr. Cardenas. By Equifax or the committee?
    Mr. Smith. My understanding is by the committee.
    Mr. Cardenas. OK. OK. Apparently the committee asked for 
the CEO at the time and at that time you were still the CEO, 
but you are no longer the CEO. Did you inquire as to why the 
current CEO or interim CEO didn't come before this committee?
    Mr. Smith. I did not, but I felt personally it was my 
obligation. The breach occurred under my watch. And as I said 
in my written testimony and my oral testimony I ultimately take 
that responsibility, so I thought it was important that I be 
here.
    Mr. Cardenas. Thank you. I get the picture. On August 31st 
or, excuse me, on July 31st you were notified of the suspicious 
activity that eventually as we now know was a 145 million 
person breach? Was it July 31st, was it?
    Mr. Smith. Yes, Congressman. It was a brief interaction----
    Mr. Cardenas. A verbal interaction?
    Mr. Smith. Yes.
    Mr. Cardenas. And then you just referenced as an answer to 
another one of my colleagues' questions on that on August 31st 
you received some kind of email referring to the possible 
breach?
    Mr. Smith. A point of clarification, I was notified on the 
31st of July by the chief information officer, Dave Webb, in a 
very brief interaction that this portal seemed to have a 
suspicious incident. There was a communication trail internally 
between others that also referenced that I was aware of this 
incident through my interaction with Dave Webb.
    Mr. Cardenas. So that written trail was not directed to 
you, you were just mentioned in that trail that you had been 
verbally notified?
    Mr. Smith. That is my recollection.
    Mr. Cardenas. OK. Mr. Chairman, is it appropriate for this 
committee to ask for that trail of documents?
    Mr. Latta. For our counsel, but I would say----
    Mr. Cardenas. OK. Well, if it is appropriate, Mr. Chairman, 
what I would like is for my office and this committee to 
receive copies of that trail. That it has been referenced more 
than once to some of our questions here on this committee, on 
this congressional committee.
    It has come to my attention that several people are no 
longer with the corporation. You are not officially with the 
corporation anymore. The CIO at that time is no longer the CIO 
of the corporation, of Equifax?
    Mr. Smith. That is correct.
    Mr. Cardenas. And then there is another higher-up that is 
no longer----
    Mr. Smith. The chief security officer.
    Mr. Cardenas. OK, chief security officer. However, John 
Kelley was the chief legal officer at that time but still is 
currently the chief legal officer, correct?
    Mr. Smith. That is correct.
    Mr. Cardenas. OK. Apparently, the chief legal officer on or 
about, between July 29th and August 1st went to outside counsel 
and hired outside counsel. Correct?
    Mr. Smith. No, Congressman. What occurred on August 2nd is 
that the chief security officer reached out to a forensic 
expert, cyber expert, and outside counsel King & Spalding, and 
she engaged them at that time.
    Mr. Cardenas. OK, thank you. When executives at Equifax 
want to sell stock they need to get the chief legal officer to 
sign off?
    Mr. Smith. Yes, correct, Congressman. There is a protocol 
that requires the general counsel of Equifax to approve that 
sale.
    Mr. Cardenas. OK. And John Gamble, Joseph Loughran, Rodolfo 
Ploder, they are all high-ups with Equifax. They apparently 
sold stock on or about August 1st or 2nd in the amount of 
approximately 1.8 million, give or take. So they had to get an 
OK from John Kelley before they did that, correct?
    Mr. Smith. That is correct, sir.
    Mr. Cardenas. OK. And apparently they did get the OK?
    Mr. Smith. Yes. That is my understanding.
    Mr. Cardenas. And you were the CEO at the time that they 
sold that stock?
    Mr. Smith. And I have no step in that----
    Mr. Cardenas. I get it.
    Mr. Smith. Yes. I was----
    Mr. Cardenas. I am referring to John, but you were the CEO 
at the time.
    Thank you, Mr. Chairman. Just a little bit of latitude on 
my time. Just a little bit, please. What I would like to 
request of you, Mr. Chairman, and also the Ranking Member 
Schakowsky, that we ask for a specific hearing of this 
committee where we get John Kelley, chief legal officer, who 
was then the chief legal officer of Equifax and who is 
currently still the chief legal officer, hopefully when and if 
we get him here he will still have that title.
    I am a bit disturbed that we are Congress holding a hearing 
and that Equifax has before us someone who no longer works for 
them. Thank you very much, Mr. Chairman. I hope that we can ask 
for that hearing where we have John Kelley, the chief legal 
officer, before us.
    Mr. Latta. Thank you very much. The gentleman's time has 
expired and the chair now recognizes the former chair of the 
full committee, the gentleman from Michigan, for 5 minutes.
    Mr. Upton. Thank you, Mr. Chairman.
    Mr. Smith, every family watches over their financial data 
with great concern. It impacts their daily life whether it is 
going to get a mortgage, a loan, a car, they have to have that 
credit score that gets them often even a job. So they view that 
data as it relates to them as very, very private and they want 
it to be secure.
    Here is an Equifax credit report for somebody that I know. 
It is 131 pages long, unbelievable in terms of the data that 
has been collected on this particular individual. I would guess 
that most individuals have no clue that there is that much data 
that has been assembled on their own personal family account.
    Now you said earlier that the data was compromised. So a 
question that I have to ask is does that word ``compromise'' 
include the word or the term ``manipulated''? Are those folks 
who broke into that account, are they able to actually change 
the accurate data that might be reflective of their own 
personal story? Can that be changed?
    Mr. Smith. Congressman, I understand your question. The 
database was attacked by criminals, that we know. The forensic 
experts that we engaged in this case, Mandiant, has led us to 
believe that there is no indication the data that is left 
behind has been manipulated.
    Mr. Upton. Now one of the things that is in this report, 
any credit report, is you verify the income of that individual 
to make sure that it is accurate. And as I understand it, and I 
go again in personal experience, when one goes to get a loan 
whether it is a mortgage or a car, often one of those little 
boxes that you check is that you are allowing permission to 
look at that tax return of the individual. Is that not correct?
    Regardless of self-employed income, regardless of automated 
underwriting findings, when self-employed income is used to 
qualify, the following documentation is required: most recent 2 
years of their individual tax returns with all schedules and W-
2s and K-1s; most recent 2 years' business returns; IRS forms 
1120 and 1120S; 1065s in which the borrower has ownership 
interest at 25 percent or more; and a complete and signed IRS 
form 4506-T is required for every borrower on the loan 
application. Tax transcripts validated from the IRS are 
required for each year documented in the loan file.
    So the question is if that is collected, is someone who is 
a bad actor actually able to use the personal information 
stolen from this report to then perhaps file a false tax return 
come the first of the year?
    Mr. Smith. Congressman, I think I understand your question. 
A couple points of clarification. A credit report does not 
contain employment and income information. There are many 
lenders who will ask you as a consumer when going to get a loan 
to validate your income and there are many means as you alluded 
to in your readings there as to how you might do that. But the 
credit report does not contain employment income data.
    Number two, the unfortunate criminal hack that we referred 
to this morning in written testimony and press release over the 
past month or so was clear to say it did not include the credit 
report information that you just picked up there. It was 
limited to nonetheless a large number, but limited to an 
environment we call a consumer dispute portal, not the credit 
file itself.
    Mr. Upton. The last question I have is how did you know? We 
have had a lot of hearings, a number of them classified. 
Breaches made into Department of Energy, utilities, a whole 
number of different major players where hackers are coming in 
trying to break and penetrate daily. What tripped these guys 
up? How did you identify in fact a breach had been made? What 
was their mistake?
    Mr. Smith. Congressman, there is a piece of technology 
called a decryptor, and it was a decryptor that allowed us to 
see some of the data. And once we saw the data that is what the 
start of the conversation earlier in the testimony here, that 
is when we saw the suspicious data and were able to shut off 
the portal at the end of July.
    Mr. Upton. Yield back, my time is expired.
    Mr. Latta. Thank you very much. The gentleman yields back 
and the chair now recognizes the gentlelady from Michigan for 5 
minutes.
    Mrs. Dingell. Thank you, Mr. Chairman.
    Mr. Smith, I first want to say we appreciate your coming 
and testifying today. We have spent a lot of time talking today 
about the what, the when, the where, and the whys of this 
breach and I agree with all of my colleagues that we need to be 
expressing extreme displeasure.
    But I want to ask a few questions about where we go from 
here, because I hope this has awoken the American consciousness 
about privacy and credit that they need to be paying far more 
attention to. This breach is different than most. Not only the 
scale of those affected but the type of information taken. In 
the past, folks usually just changed your passwords, maybe you 
got a new credit card and that was it. It was an annoyance but 
it had no real impact on your life.
    That is not so simple when it is your social security 
number or other personal information. You can't change your 
social security number and I can't change my mother's maiden 
name. This data is out there forever. Clearly something needs 
to be done. We can all sit here and talk about what went wrong, 
but we are doing the public a disservice to not at least begin 
the discussion on how to improve data security. That is why I 
am a proud co-sponsor of Representative Schakowsky and Ranking 
Member Pallone's bill. It is a good first step that needs to be 
given serious consideration. And I am also introducing the Data 
Protection of 2017. Whatever path we choose going forward, it 
is important that we take action on the topic and that all 
American consumers pay attention.
    Now I would like to ask a few questions. Nobody has asked 
this question yet, so just a quick yes or no. Have you or 
anyone on your team seen signs that the attackers were backed 
by a nation state?
    Mr. Smith. Congresswoman, we have engaged the FBI. At this 
point that is all I will say.
    Mrs. Dingell. I don't think it is all the same, but thank 
you. After your security department blocked the suspicious 
traffic you mentioned in your testimony, did anyone from your 
team or outside companies venture beyond the parameter of your 
network to attempt to locate where they came from?
    Mr. Smith. Congresswoman, yes. We have the ability to track 
the IP address of the criminals, but as you know finding the 
location where the IP address does not necessarily tell you 
where they are from. It is easy to set up IP addresses anywhere 
in the world.
    Mrs. Dingell. I think we all care about this, but I want to 
move to this other topic. I share your belief that placing 
control of access to consumers' credit data should be placed in 
the hands of the consumer, but most people have no idea that 
Equifax was even holding their data. I unfortunately learned a 
long time ago because this isn't the first data theft and Doris 
and I were part of something else where they got our social 
security numbers and mother's maiden names.
    It is one thing to take steps to mitigate damages after a 
breach has occurred, but going forward we must give consumers 
the chance to protect themselves before a breach happens. Do 
you believe that consumers can take reasonable steps to secure 
their identity and information if they don't even know who has 
it?
    Mr. Smith. Congresswoman, I think we can help. I think we 
can help by the announcement of this offering to all Americans 
the ability to lock and unlock your credit file for life for 
free. There needs to be a greater awareness, I understand your 
point clearly. And I think making this available to all 
Americans is one step in doing that.
    Mrs. Dingell. So I was just actually even educating my 
colleagues up here about Credit Karma and they were stunned by 
how easy it was with two little factoids to suddenly unleash 
the amount of money they had in every one of the credit card 
companies, what any data inquiries have been, and all of the 
different factors. I think most people don't understand that it 
is not just you, but Experian and TransUnion who are also 
collecting this data.
    Why do consumers have to pay you to access their credit 
report? Why should that data not be free?
    Mr. Smith. Congresswoman, the consumer has the ability to 
access the credit report for free from each of the three credit 
reporting agencies once a year, and you combine that with the 
ability to lock your credit file for life for free again is a 
step forward.
    Mrs. Dingell. Well, I am running out of time. But like my 
colleague over here, when you find mistakes, which a number of 
us have and we are luckier than 99 and 9/10ths, it is very 
difficult to fix and when you do fix it you still have to pay. 
I think we need a longer debate about who owns this data and 
how we educate the American people. Thank you, Mr. Chairman.
    Mr. Latta. Thank you very much. The gentlelady's time has 
expired and the chair now recognizes the gentleman from New 
Jersey for 5 minutes.
    Mr. Lance. Thank you, Mr. Chairman.
    Good morning to you, Mr. Smith. Criminals perpetrated this 
fraud. Is it possible that these criminals are from another 
country?
    Mr. Smith. Congressman, it is possible but at this time----
    Mr. Lance. It is possible. Number two, is it possible it is 
the government of another country?
    Mr. Smith. As I mentioned to the congresswoman a few 
minutes ago, we have engaged the FBI they will make that 
conclusion.
    Mr. Lance. Do you have any suspicions in that regard either 
persons from other countries or the government of another 
country?
    Mr. Smith. Congressman, I will defer that. We have the FBI 
involved.
    Mr. Lance. Yes, I know we have the FBI involved. Do you 
have an opinion to the two questions I have just asked?
    Mr. Smith. I have no opinion.
    Mr. Lance. You have no opinion. The stock that was sold by 
your colleagues, Mr. Gamble and Mr. Loughran--I hope I am 
pronouncing that right--Mr. Ploder, as I understand it that 
stock was sold on August 2nd. Is it usual that executives of a 
mature company, not a company that has just come onto an 
Exchange, is it usual that the significant amounts of stock are 
sold?
    Mr. Smith. Congressman, a few points here of clarification. 
The stock was sold on the 1st and the 2nd. So----
    Mr. Lance. Yes, I said the 2nd. Yes.
    Mr. Smith. The 1st was, I think, the first day it was sold.
    Mr. Lance. Yes.
    Mr. Smith. It is not unusual for stock to be sold at the 
end of a quarter. After we have our earnings call the window 
opens up. We encourage those who are going to sell to sell early 
in the window. The window is open for about 30 days. They sell 
as early in the window as possible and that is what occurred 
here.
    Mr. Lance. You believe that this stock was sold merely as a 
matter of course as would be true in any other quarter?
    Mr. Smith. Yes.
    Mr. Lance. You do not believe it was based upon knowledge 
known by these gentlemen related to the breach?
    Mr. Smith. Congressman, I have known these individuals, 
some of them up to 12 years. They are honorable men. They are 
men of integrity. They followed due process. They went through 
the clearance process through the general counsel. I have no 
indication that they had any knowledge of the breach at the 
time they made the sale.
    Mr. Lance. Did you have knowledge of the breach at that 
time?
    Mr. Smith. I did not, sir.
    Mr. Lance. Weren't you warned well in advance of this that 
there was suspicious activity?
    Mr. Smith. I was notified on July 31st in a conversation 
with the chief information officer that there was suspicious 
activity detected in an environment called the web portal for 
consumer dispute. No indication of a breach.
    Mr. Lance. That was prior to the sale of the stock; is that 
accurate?
    Mr. Smith. The 31st of July, but there is no indication of 
a breach at that time.
    Mr. Lance. From my perspective as a layman the difference 
between a breach and suspicious activity is not one that I 
believe is particularly relevant. A breach might have technical 
connotations to it, but certainly you were aware of untoward 
activity prior to that date; is that accurate?
    Mr. Smith. No, Congressman, it is not. On the 31st we had 
no indication that documents were taken out of the system, what 
information was included. It was very early days. It took the 
forensic experts as I mentioned earlier from then until the 
24th to start to develop a clear picture and that picture still 
changed the 24th because we heard just last night the 
additional announcement.
    Mr. Lance. Many calls have been received by Equifax at your 
call center since September 7th. Do you know how many calls 
have been dropped or missed due to staffing shortages or other 
issues?
    Mr. Smith. Congressman, I don't have the exact number, but 
as I said in my opening testimony I apologize for that startup. 
It was overwhelming in volume, overwhelming. I think I 
mentioned over 400 million U.S. consumers coming to a web site 
in 3 weeks. We went live in a very short period of time with 
call centers. Our two larger call centers were taken down in 
the first few days by Hurricane Irma. The team is committed and 
was committed to make the experience better for the consumer 
and I am told that each and every day the process is getting 
better.
    Mr. Lance. On August 22nd, you notified a lead director, 
Mr. Fiedler--I hope I am pronouncing that right--of the data 
breach, and the full board was informed later, I believe 2 days 
later. Why was there nearly a week between August 17th and 
August 22nd before members of the board were alerted?
    Mr. Smith. Congressman, the picture was very fluid.
    Mr. Lance. Fluid, fluid. What does that mean?
    Mr. Smith. We were learning new pieces of information each 
and every day. As soon as we thought we had information that 
was of value to the board I reached out to the lead director as 
you said, Mark Fiedler, on the 22nd, convened a board meeting 
on the 24th. Convened a second board meeting on the 25th and 
had subsequent board meetings routinely, if not daily in many 
cases, through as recently as last week.
    Mr. Lance. Thank you. And my time has expired, Mr. 
Chairman.
    Mr. Latta. Thank you very much. The gentleman's time has 
expired and the chair now recognizes the gentlelady from 
California for 5 minutes.
    Ms. Matsui. Thank you, Mr. Chairman, and thank you, Mr. 
Smith, for appearing here today.
    As many of my colleagues have highlighted, the events that 
led to this data breach and the actions that Equifax management 
took after the fact are very upsetting. It seems that many 
Americans are in a place of breach fatigue. But this latest 
event that potentially impacts nearly half of all Americans 
should light a fire under every member here and I think you 
have noticed that it has lit a fire.
    We cannot follow the same script after the next inevitable 
data breach. That is one of the reasons why I am also 
supporting Congresswoman Schakowsky's Secure and Protect 
Americans' Data Act. And it is not as if this type of 
legislation is unprecedented. Forty-eight states have 
implemented laws that require consumers to be notified of 
security breaches.
    And I am pleased that my home state of California was the 
first state to pass this kind of notification law in 2002. 
Today, if California residents' personal data is hacked, state 
law requires that they are notified in the most expedient time 
possible and without unreasonable delay. We must act to ensure 
that all Americans are subject to protections like this at the 
federal level.
    Mr. Smith, because Equifax without doubt has the 
information of many California residents, the company is 
subject to the California data breach notification law. Can you 
please describe to me how Equifax complied with the state law? 
Were California residents notified of the breach as required?
    Mr. Smith. Congresswoman, I don't have the specific 
knowledge of the California law. I can tell you though that we 
worked as a team including with our counsel to help us ensure 
we were doing what was right for the consumer in the most 
expedient manner as possible. So we are aware of the 
requirements of the specific state laws, I just don't have the 
specific knowledge as it relates to the State of California.
    Ms. Matsui. So you also don't know, because the law also 
requires Equifax to submit a copy of the breach notification to 
the California attorney general, you don't know whether this 
was done?
    Mr. Smith. Congresswoman, I do not. But we can have our 
team follow up through staff if that would be helpful.
    Ms. Matsui. OK. In the context of this breach, if data that 
you hold is about me do I own it? Do I own my data?
    Mr. Smith. Could you please repeat the question?
    Ms. Matsui. In the context of this breach, if the data that 
you hold is about me do I own it?
    Mr. Smith. Congresswoman, we are part of a federally 
regulated ecosystem that has been around for a long time and it 
is there to help consumers get access with their consent to 
credit when they want access to credit.
    Ms. Matsui. Well, can you explain what makes data about me 
mine compared to what would make it someone else's?
    Mr. Smith. The intent, if you will, of the solution we have 
recommended, we implement, and are going live with in January 
of 2018, is in fact to give you as the consumer through this 
lock product for life, for free, the ability to control who 
accesses your personal information and who does not.
    Ms. Matsui. So at that point in time you believe that I 
own, I can say I own my data; is that right?
    Mr. Smith. You will have the ability to control who 
accesses and when they access your data.
    Ms. Matsui. OK. Could I ask you some further questions 
following along to what others have asked about, credit locks 
and credit freezes? Now limiting access to credit even for a 
short amount of time can have real financial consequences 
especially for low-income populations. How quickly will a file 
be able to be locked and unlocked and how will you ensure that 
speed?
    Mr. Smith. Congresswoman, thank you for that question. That 
is a great advantage of the product we are offering for free 
versus the freeze, which again came about in 2004 out of 
regulation, and there states dictate how quickly you can access 
to freezing and unfreezing your file and oftentimes that can 
take days if not weeks because we are mailing data back and 
forth to the consumer.
    In this case, the intent is in January of 2018, on your 
iPhone, you can freeze and unfreeze your file instantly at the 
point you want it locked and unlocked.
    Ms. Matsui. So, and I recall that one of my colleagues 
asked whether a credit lock is the same thing as a credit 
freeze and you said it was; is that correct?
    Mr. Smith. As far as protection to the consumer, 
Congresswoman, it is. As far as ability to lock or unlock and 
freeze or unfreeze, a lock is far more user-friendly.
    Ms. Matsui. OK. So you currently offer a credit lock 
product now and you plan to offer this other one for free 
starting the end of January. Would a lock be more economical 
for you or would a freeze be? I am trying to get the sense of 
the difference, because I think there is a difference here.
    Mr. Smith. Yes, if I may one more time try to clarify. As 
far as protection they are the same. The lock you are getting 
that we offered to the consumers on September 7th gives you the 
same level of security you would get from a freeze or from the 
product that is going out in January. The difference is today's 
lock is browser-enabled; January's lock will be an app on an 
iPhone. And secondly, it will be instant on and instant off 
versus the freeze or today's lock.
    Ms. Matsui. OK. I have more questions but I know I have run 
out of time. Thank you.
    Mr. Latta. Thank you very much. The gentleman from Illinois 
is recognized for 5 minutes.
    Mr. Kinzinger. Thank you, Mr. Chairman, and sir, thank you 
for being here today.
    This is obviously a huge issue, 145 1/2 million people 
affected by this data breach. It is nearly half of all 
Americans. That is a failure on multiple levels. It is a 
failure to keep consumer personal information secure. It is a 
failure to appropriately respond to a breach and a failure to 
notify the public and much more. My constituents and the 
American people need not just answers but they want assurances 
that they are not going to be financially ruined by this.
    I do want to make a quick point. Mr. Lujan asked you if the 
people that would be harmed by this would be made whole and you 
made a statement. And I understand that there is probably some 
legal and technical reasons for this, but you said I don't know 
if consumers were harmed. I just want to make the point that I 
think that idea that people are not harmed in this is 
ludicrous. Of course they are going to be harmed. Even if there 
is no financial harm that comes to them just even having this 
information exposed is a massive deal, but I feel that we are 
going to see bigger repercussions from that.
    But let me say now, Mr. Smith, I was surprised to find out 
that Equifax initially included a requirement that consumers 
consent to a mandatory arbitration clause. Why did that happen? 
Why was that at the beginning part of the rollout?
    Mr. Smith. Congressman, thank you for that question and I 
want to clarify. The product offering that went live or the 
service offering on the 7th, it was never intended to have that 
arbitration clause apply to this breach. It was a standard 
boilerplate clause as a part of a product. As soon as we 
learned that that boilerplate term was applied to this free 
service, I think it was within 24 hours we removed that and 
tried to clarify that. That was a mistake and one of the 
mistakes I alluded to in my oral testimony about the 
remediation product on September 7th.
    Mr. Kinzinger. So does Equifax require consumers to consent 
to arbitration with respect to any of its other products and if 
not is that information prominently disclosed to the consumer?
    Mr. Smith. Not as it relates to the breach, Congressman.
    Mr. Kinzinger. Well, the question is what about any other 
products do you require consent to arbitration?
    Mr. Smith. Some of the consumer products we have there is 
an arbitration clause in there. It is a standard clause.
    Mr. Kinzinger. What is the reason for that?
    Mr. Smith. I don't have that answer other than it is a 
standard clause.
    Mr. Kinzinger. If you could get that to me that would be 
good. Your press release indicates that the company has found 
no evidence of unauthorized activity on Equifax's core consumer 
or commercial credit reporting databases. What are Equifax's 
core consumer and commercial credit reporting databases and how 
are they distinct from the databases containing personal 
information that was subject to the unauthorized theft?
    Mr. Smith. Congressman, the area that was impacted here was 
a consumer dispute portal where the consumers would come in and 
they would dispute activity with us. As separate then a 
congressman had talked about, had the credit file in their 
hand. That is separate from the core credit data that consumers 
have in our database.
    Mr. Kinzinger. So in essence, were there 145.5 million 
people that at one point had disputed credit issues then, if 
that was the----
    Mr. Smith. It is a portal they used and they could have 
been in that portal for multiple reasons. And we also by 
regulation have got to keep data for extended periods of time, 
in some cases 7-plus years. So it is a lot of data for a lot of 
years, but it is outside the core credit file itself.
    Mr. Kinzinger. Which company, and I guess you kind of went 
into this, which company databases were accessed, but why 
wouldn't you consider that then--maybe this is a change now 
after this--why wouldn't you consider that to be part of the 
core consumer and commercial credit reporting databases?
    Mr. Smith. It is just the way we define it. The credit file 
itself is housed and managed in a completely separate 
environment from a database that consumers can come into 
directly. The core credit file itself is largely accessed by 
corporations, companies that we deal with versus consumers.
    Mr. Kinzinger. OK. So I just want to make sure and you will 
have to forgive me, I am not an IT expert. So to get 145 
million people's records in only the dispute database, I guess 
I am trying to figure out if--you didn't really answer the 
question in terms of were there 145 million people that have 
disputed at some point in time, half of Americans, or was there 
another entry somehow through that that went into other 
information? Maybe I just don't understand the IT part of this.
    Mr. Smith. The only entry was through the consumer dispute 
portal and that is a completely separate environment from the 
credit file itself. We also, as you might recall, house a lot 
of data for small businesses in America and that environment 
which is part of the definition that you were alluding to was 
not compromised either.
    Mr. Kinzinger. OK. And lastly, are your core consumer or 
commercial credit reporting databases encrypted?
    Mr. Smith. We use many techniques to protect data: 
encryption, tokenization, masking, encryption in motion, 
encrypting at rest. To be very specific this data was not 
encrypted at rest.
    Mr. Kinzinger. OK, so this wasn't but your core is?
    Mr. Smith. Some, not all. Some data is encrypted, some is 
tokenized. Some it is in motion, some is masked. There are 
varying levels of security techniques that the team deploys in 
different environments around the business.
    Mr. Kinzinger. OK, thank you, sir. I yield back.
    Mr. Latta. Thank you very much. The gentleman yields back. 
The chair now recognizes the gentleman from California for 5 
minutes.
    Mr. McNerney. I thank the chair for holding this hearing.
    Mr. Smith, it is my understanding that the compromised 
information was due to an unpatched vulnerability in the web 
application framework Apache Struts? Besides the company's 
online consumer dispute resolution portal, does Equifax have 
any other portals that use Apache Struts?
    Mr. Smith. No, sir. This was the environment that had 
deployed Struts.
    Mr. McNerney. All right. That was a simple answer. You 
might need to restart my time. In addition to Equifax's credit 
monitoring and reporting services, the company has Equifax for 
business offerings and in this capacity operates as a data 
broker. As a part of these services the company collects large 
amounts of data about consumers without consumers having any 
knowledge of this happening. Was this information compromised 
in the breach?
    Mr. Smith. I think I understand your question, but could 
you repeat that one more time, please, so I get it right?
    Mr. McNerney. OK. Well, you are familiar with the Equifax 
for business offerings?
    Mr. Smith. Yes. We do have product offerings and solutions 
for small businesses, medium sized businesses and large 
business across the country, correct.
    Mr. McNerney. Right. Was information from Equifax for 
business also compromised in the breach?
    Mr. Smith. No, Congressman, it was not. It goes back to the 
question earlier on as part of our, what we call our core 
credit data. It was not compromised.
    Mr. McNerney. Well, in your testimony you noted that 
``throughout my tenure as CEO of Equifax we took data security 
and privacy extremely seriously and devoted substantial 
resources to it.'' Could you tell us about what investments 
Equifax made in cybersecurity during your tenure?
    Mr. Smith. Yes, Congressman, I can. When I came to the 
company 12 years ago we had virtually no focus on 
cybersecurity. At that time cybersecurity was not as 
sophisticated as it is today. We have gone from that environment to 
a team now of over 225 professionals focusing each and every 
day on security around the world.
    Mr. McNerney. So what timeframe is that?
    Mr. Smith. That was from the time I started 12 years ago.
    Mr. McNerney. So you say that you hired up to 250 personnel 
to fix the issue?
    Mr. Smith. I did not, the team did. I didn't hire them, 
sir, but we now have a staff of 225 cyber or security experts 
around the world. We made substantial investments over that 
timeframe. In the last 3 years alone we have invested 
approaching a quarter billion dollars in security. There is an 
IBM benchmark. It says financial service companies who tend to 
be best in class spend somewhere between 10 and 14 percent of 
their IT budget in security.
    Mr. McNerney. Well, the company was notified of the 
vulnerability in the Apache Struts system days before the 
attack occurred.
    Mr. Smith. Yes. We were notified by Department of Homeland 
Security in March of 2017.
    Mr. McNerney. And the attack occurred after the 
notification?
    Mr. Smith. Yes.
    Mr. McNerney. So was there a human failure? How could 250 
professionals that are designed and hired for that purpose let 
a breach like that happen after they were notified?
    Mr. Smith. Yes, Congressman. What happened and it was in my 
oral testimony was the notification comes out. We had a 
communication process in place. I described it as a human error 
where an individual did not ensure communication got to the 
right person to manually patch the application. That was 
subsequently followed by a technological error where a piece of 
equipment we use which scans the environment looking for that 
vulnerability did not find it.
    Mr. McNerney. You mentioned that in your opening testimony. 
That seems like a lack of competence or a professional error of 
some kind. What did you call it?
    Mr. Smith. I described it as a human error and a technology 
error, and I apologize for that but that is what happened.
    Mr. McNerney. OK, moving on. Do you believe that the FTC 
has an important role in protecting consumers from future data 
breaches? How much of a role should the FTC be playing at this 
point given what has happened?
    Mr. Smith. I think there is a role for the business to do 
more, industry to do more. We talked about earlier this concept 
of offering the consumer the ability to control their data and 
lock and unlock when he or she so chooses. And if there is 
particular legislation that arises out of this horrific breach, 
I am sure you would find the management at Equifax and the 
industry willing to work and cooperate with the regulators.
    Mr. McNerney. Well, the reason I am asking is the Federal 
Trade Commission is an enforcement body, but it doesn't have 
any rulemaking authority. And do you think the FTC should have 
rulemaking authority? Do you think it would have made a 
difference or do you think it will make a difference in the 
future or do you have an opinion?
    Mr. Smith. I have no opinion.
    Mr. McNerney. Well, my final question then is how long will 
individuals be vulnerable to identity theft problems due to 
this breach?
    Mr. Smith. We, Congressman, offered five different 
individual services, as you may or may not be aware, effective 
September. One is the ability to monitor your credit files from 
all three of us for free, another is to lock your file, another 
is a dark web scanning product.
    Mr. McNerney. That doesn't answer my question. How long are 
we going to be vulnerable? How long are we going to--our social 
security numbers are out there. This is forever, right?
    Mr. Smith. Unfortunately, the number of breaches around a 
social security number has been on the rise as you know, and 
many even this year. So there is another thought and that is, 
do we think about how secure, really, is an SSN and is that the 
best identifier for consumers going forward?
    Mr. McNerney. Thank you, Mr. Chairman.
    Mr. Latta. Thank you very much. The gentleman's time has 
expired and the chair now recognizes the gentleman from 
Kentucky for 5 minutes.
    Mr. Guthrie. Thank you, Mr. Chairman.
    Thank you for being here, Mr. Smith. We appreciate you 
being here to testify. And there is a medical hearing going on 
upstairs, so I have been back and forth so I will try not to 
double a question. But when I was here earlier and a lot of 
people have asked, a lot of us wondered, you know, July 31st 
was the suspicious activity and then it seemed the activity or 
the notice in the board was about 3 weeks later, August 24th 
and 25th.
    And so not to repeat before, I heard you say that it was 
suspicious activity and therefore you didn't realize it was a 
breach and then the action took place 3 weeks later when you 
did. Looking back now, knowing how colossal this is and how big 
it is, would you have done different? So from July 31st to 
August the 24th, what would you have done different that didn't 
happen or Equifax didn't do?
    Mr. Smith. Congressman, that is an appropriate question. To 
be honest, time for reflection will come. There has been no 
time for reflection. This has been a team of people including 
myself working around the clock for the last 6, 8 weeks trying 
to understand the forensics, trying as best we could to stand 
up an environment to offer consumers services to protect 
themselves. There will be an opportunity where I will have the 
time to catch my breath and reflect. I have not had a chance to 
do so now.
    Mr. Guthrie. Thank you and I appreciate that. Well, 1.9 
million Kentuckians were exposed in this hack. And one of the 
questions we have about the process that Equifax underwent to 
help people determine that and one was setting up a new web 
site, not just a portal within your web site, for consumers to 
visit. And was that an appropriate response? I know there were 
some issues with getting on to the web site. And the question 
is were you part of the deliberation and why did you choose to 
set up a new web site that seemed to cause issues as opposed to 
just doing a portal on your current web site?
    Mr. Smith. Congressman, good question. It was strictly due 
to the sheer volume of incoming visitors that we had expected. 
The traditional web site that we would use to interact with 
consumers services a total of maybe 7- to 800,000 consumers at 
any one given point in time over a period of time. I mentioned 
in my opening comments earlier, this new microsite as we call 
it that we set up had a capacity to surge to much higher 
levels. We had some 400-, and I think it was, 20 million 
consumers come to visit us in the first 3 weeks on that web 
site. Our traditional Equifax web site could not have handled 
that volume on day 1.
    Mr. Guthrie. OK. According to reports, many consumers 
weren't able to determine with certainty if their information 
was breached. So why was Equifax unable to provide clarity or 
certainty on whether individuals' information was breached?
    Mr. Smith. When you went to the web site, Congressman, and 
you typed in six of your nine digits of your social security 
number, if it was likely that you were breached it would say 
something along the lines of it looks like you may have been 
compromised or breached as opposed to it is definite that you 
have been breached, and that is because it was six digits 
versus nine. The point is we offer these five different 
services to every American. It didn't matter if you were 
compromised or not, every American was offered the same 
services.
    Mr. Guthrie. So, and just going forward, because we have to 
also do an analysis and so what we are going to do as a 
legislative body going forward to protect the American people. 
And what your business does and what people in your business do 
are important is when you can sit down at a car dealer, and I 
think you kind of mentioned earlier, walk away with a car that 
afternoon because somebody can check that you are creditworthy, 
and so having those types of services are available.
    So what steps is Equifax taking to rebuild the confidence? 
People aren't confident that their information is flowing out 
there. But the ability to be able to access credit almost 
immediately if you have the proper credit is something that 
your services provide, but the risk is having all that 
information in one place plus the convenience of what your type 
of business offers. So what are you doing to rebuild, or how can 
people be confident that this can go forward?
    Mr. Smith. Congressman, that is a really good question. And 
we are a 118 year old company and we have done a lot of great 
things for consumers over those 118 years. We take being a 
trusted steward seriously. So step one is to make sure we think 
more holistically, broadly, about steps we can and have taken 
to make sure we are more secure today than we were at the time 
of the breach.
    Second thing we could do is offer these services to 
consumers we offered on September 7th to make sure they are 
protected. And third is to launch this whole paradigm shift 
effective January of next year which is to put the power of the 
control of the consumer credit in the consumers' hands, not our 
hands.
    Mr. Guthrie. Thank you, and that would be helpful. So I 
appreciate that and now my time is expired. I yield back.
    Mr. Smith. Thank you.
    Mr. Latta. Thank you very much. The gentleman's time has 
expired. And pursuant to committee rules we will go with the 
members on the subcommittee by order of appearance and then 
after that the non-subcommittee members. So the chair would 
recognize the gentleman from Florida for 5 minutes.
    Mr. Bilirakis. Thank you, Mr. Chairman. I appreciate it.
    Mr. Smith, one of my constituents accessed Equifax's web 
site, equifaxsecurity2017.com, to determine if they were 
affected. They informed me that whether you submit your own 
identifying information or whether you submit a random name and 
social security number you get the same message that you may be 
affected. What course of action should consumers who haven't 
received correspondence yet as to whether they are affected or 
not, what is the course of action? And if they were affected 
what are the next steps?
    Mr. Smith. Congressman, it is my understanding that those 
who have gone online to register and that were not notified 
immediately that that backlog is completely now drained, if you 
will. So if you are trying to sign up for the service, if I 
understand your question correctly, you have now been notified.
    Mr. Bilirakis. OK. I understand that Equifax currently is 
waiving fees to freeze and unfreeze your credit. How long is 
that exemption going to stay in place because it is so very 
important?
    Mr. Smith. It is important. Congressman, we have announced 
on September 7th the ability to lock and unlock your file at 
Equifax for free for 1 year from the time you sign up. We have 
also announced on a product we have been working on for quite 
some time, effective in January of 2018, the ability to lock 
and unlock your file with Equifax for life for free. That will 
be the next generation of the lock that we offered in 
September.
    Mr. Bilirakis. OK. As CEO, what level of involvement did 
you have with regard to the data security and data protection?
    Mr. Smith. Yes. The----
    Mr. Bilirakis. Obviously, the buck stops with you. I 
understand that. But what level of involvement did you have?
    Mr. Smith. So data security reported to a direct report of 
mine, my general counsel, and I would have active involvement 
with my general counsel, with the head of security, routinely 
throughout the year.
    Mr. Bilirakis. OK. What responsibilities did Ms. Mauldin, 
again the chief security officer at Equifax at the time of the 
breach, have with respect to data security, data protection, 
and data breach notification? What were her responsibilities?
    Mr. Smith. Those were core to her responsibilities. She was 
the head of cybersecurity and physical security in all 24 
countries that we operate.
    Mr. Bilirakis. How many briefings did you have with Ms. 
Mauldin between March 8th and July 29th of 2017? How many 
briefings?
    Mr. Smith. I don't recall. We had, as a congressman asked 
earlier, there are routine meetings which we go through 
security strategy, security quarterly reviews, investment 
decisions required for security, but the actual number of times 
in that timeframe I don't recall.
    Mr. Bilirakis. OK, so say a half dozen, a dozen?
    Mr. Smith. That would be a guess, I don't know.
    Mr. Bilirakis. It would be a guess. More than three?
    Mr. Smith. If it is important to you, Congressman, we can 
find that information.
    Mr. Bilirakis. Give me that information, I appreciate that. 
What responsibilities did Mr. Webb, the chief information 
officer at Equifax at the time of the breach, have with respect 
to data security, data protection, and data breach 
notification?
    Mr. Smith. Directly, none, sir. He was expected obviously 
as the head of technology to work closely with the head of 
security, but the security function was a separate function. 
But you can't do security without IT, you can't do IT without 
security.
    Mr. Bilirakis. How many briefings did you have with Mr. 
Webb, again between March the 8th and July 27th of 2016?
    Mr. Smith. If I may just clarify again, on March 8th is 
when the CERT came out saying there was a vulnerability in 
Apache Struts. I was not even notified to put it in perspective 
that there was an incident and didn't know what the incident 
was until July 31st. So the number of meetings I would have 
with Dave Webb would not have been related to this incident.
    Mr. Bilirakis. All right, Mr. Chairman. Thank you, I yield 
back.
    Mr. Latta. Thank you very much. The gentleman yields back 
and the chair recognizes the gentleman from Indiana for 5 
minutes.
    Mr. Bucshon. Thank you, Mr. Chairman. Thank you for being 
here. And again I was at the Health Subcommittee hearing too, 
so I am back and forth. Sorry about that.
    But is it possible for people who never signed up or used 
Equifax directly could have been impacted by the breach?
    Mr. Smith. Yes, Congressman.
    Mr. Bucshon. OK. So how does Equifax get the information on 
people who have never directly associated with Equifax at all? 
I mean I am not familiar with that.
    Mr. Smith. Yes. We get it from banks, telecommunications 
companies, credit card issuers, so on and so forth.
    Mr. Bucshon. So just like, when we go to apply for a loan 
they send you the information because they want to get a data, 
they want to get the information on my credit rating, for 
example?
    Mr. Smith. Correct. As I define it we are part of the 
federally regulated ecosystem that enables banks to loan money 
to consumers.
    Mr. Bucshon. Right. So it is up to the banks at that point 
to notify the individual which credit agencies they are 
utilizing to assess their credit risk, or is it up to the 
credit agencies?
    Mr. Smith. Traditionally, the contributors of the data in 
that case, Congressman, the banks, would give their data to all 
three. That is the benefit of the system is you get a holistic 
view of an individual's credit risk.
    Mr. Bucshon. Yes, and my point is I guess because a lot of 
people I talk to back in Indiana, southern Indiana, have no 
idea who Equifax is, right. And many of those people have 
applied for home loans and other things and matter of fact 
probably at some point you have their information, but they 
just, they may or may not have been notified who had sent the 
information to them, probably the bank or other agency.
    And that is just something I think that is also maybe an 
issue that people don't understand or have not been told who is 
being used to assess their credit risk, and hence something 
like this happens they have no idea whether or not their 
information has been compromised.
    Mr. Smith. I understand your point.
    Mr. Bucshon. Yes. I also have a lot of constituents in 
rural and lower income areas that may or may not have access to 
the internet and WiFi. The penetrance of that it is interesting 
depending on where you are of people who actually have WiFi and 
the internet is not as high as you might think in rural 
America, but some of those people still have probably applied 
for loans and other things where their information could have 
been acquired by your company.
    How are you notifying all of those people other than saying 
that you have a web site? And you may have already answered 
that and I apologize if you have. But that is important because 
again the penetrance of people having access to the internet 
may be not as high as you think when you come out to like rural 
Indiana and other areas.
    Mr. Smith. Yes. Coming from Indiana I understand rural 
Indiana.
    Mr. Bucshon. There you go.
    Mr. Smith. Congressman, we have set up the web site that 
you mentioned at a press release across the country. We have 
also set up for those that don't have access to the web, to the 
internet, call centers. We have staffed up. We have gone from 
some 500 call center agents to over 2,700. So----
    Mr. Bucshon. I guess that is, again, I understand the call 
centers and all that. I knew you had done that. But I guess 
that is again making the assumption that people have watched 
the news and know that there has been a breach and that they 
are proactive in trying to find out whether they have been 
involved or not.
    Is there any, other than a passive way for them to find 
out, is there anything proactive from Equifax's point of view 
that might notify them that their data may have been 
compromised?
    Mr. Smith. Well, in many states there is local 
requirements, state requirements to take out advertisements in 
newspapers and so forth. We follow those. One indication I did 
mention earlier, it may or may not help those in rural Indiana, 
but the visibility this has gotten is extremely high. I 
mentioned 400 and some odd million consumers had come to our 
web site, so it has gotten the press.
    Mr. Bucshon. And probably after today it will be, maybe 
more people will know. So thank you for answering those 
questions. Like I said, my main concern is that my constituents 
understand whether or not their data has been compromised and 
then what are their options going forward. You have outlined 
most of those things today. I am not going to ask you that 
again.
    But I do think it is important to recognize that you know, 
although they are important, passive ways to have people become 
aware of their data may be compromised is one approach, but 
also actively informing people proactively might very well be 
important in certain areas of the country. Thank you, I yield 
back.
    Mr. Latta. The chair now recognizes the gentleman from 
Texas for 5 minutes.
    Mr. Green. Thank you, Mr. Chairman, and I apologize. We 
have a Health Subcommittee upstairs and I appreciate it. That 
is not to take away the importance of this hearing. I want to 
thank you and our ranking member for setting it.
    We are here to discuss one of the worst and most impactful 
hacks that we have seen. It is a breach that was entirely 
preventable due to a level of negligence that in some 
industries may be considered criminal. The credit reporting 
industry is infamously unforgiving and it is an industry that 
helps perpetuate the cycle of poverty. Agencies like Equifax 
force those with lower credit scores to pay more money for 
loans and mortgages, less than perfect credit scores can even 
result in higher rates for products that they don't require 
credit like our auto insurance premiums. These people who have 
a harder time paying back higher interest rates make it more 
likely they won't be able to pay their debt back on time and 
will hurt their credit further. Yet Equifax and the rest of the 
credit reporting industry expect forgiveness for breach after 
breach, lobbying Congress for even less liability.
    When restaurants fail regular health inspections they are 
routinely shut down for violations. They are shut down even if 
problems haven't yet occurred as a consequence of their 
violations. It isn't clear to me why Equifax, who is beyond 
that point, should be allowed to continue operating when they 
have failed spectacularly at their core business and endangered 
the public. In the next couple months, Senate Republicans may 
repeal the Consumer Financial Protection Bureau's arbitration 
rule thus allowing companies like Equifax to put clauses in 
their fine print forcing individuals into arbitration 
agreements instead of class action agreements where they stand 
a chance of being able to cover some of their loss.
    But it should be clear to us by all that is now not the 
time to roll back consumer safeguards in the financial industry 
and I support my colleague and our ranking member Congresswoman 
Schakowsky's Secure and Protect Americans' Data Act. I look 
forward to hearing what our witness has to say.
    Mr. Smith, ID theft protection companies have seen a big 
jump in business and share price since the breach of your 
company including LifeLock who has reported a tenfold increase 
in enrollment for their credit monitoring and other services. 
LifeLock has a contract to purchase credit monitoring services 
from Equifax, meaning that every time someone signs up for 
LifeLock protection from the impact of Equifax' data breach 
they again involuntarily sign up for Equifax to provide those 
services and Equifax makes money on that breach. What is the 
value of that contract that LifeLock has with Equifax?
    Mr. Smith. Congressman, I don't recall what that is. But at 
the same time, those same consumers have the ability to come to 
us directly and get free product.
    Mr. Green. OK. If it is available I would hope you would 
send it and share it with the committee. Mr. Smith, an Equifax 
report marketed to its business customers says that leading 
lifestyle databases available commercially offer hundreds of 
response segments covering almost every conceivable aspect of 
how consumers live and what they spend their money on and what 
interest they have.
    Can you tell us on as granular level as possible what the 
sources are for that data for every conceivable aspect of a 
consumer's life?
    Mr. Smith. Congressman, I am not quite sure what you are 
referring to. We are not a data provider in the area of 
behavioral analytics, behavioral data, social media data, so I 
am not quite sure what you are referring to.
    Mr. Green. Well, I have a lot of constituents who are 
concerned about, for example, they say oh, I don't need to 
worry about this breach, I haven't applied for credit for 10 
years. But that is not always the case because these hundreds 
of millions who are released, maybe they bought a car 20 years 
ago and that data still goes forward, I assume.
    Mr. Smith, Equifax customers are businesses who purchase 
data and credit reports on consumers. The American public is 
essentially Equifax's product. How many times per year on 
average does Equifax sell access to a given individual's credit 
file to a potential creditor and how much do they make every 
time they sell it?
    Mr. Smith. If I understand the question, Congressman, we 
take the data that is given to us by the credit ecosystem of 
the U.S., add analytics to it, and then when a consumer wants 
credit again through credit card, home loan, a car, the bank 
then comes to us for that data and for the analytics and we 
charge them for that.
    Mr. Green. OK. Well, the question was how many times does 
Equifax receive payment for that individual credit file? If my 
local car dealer contacts Equifax and so they pay a fee to 
Equifax for that information?
    Mr. Smith. Yes, Congressman. If you as an individual want 
to go to that car dealership and get a loan for a car they come 
to us or our two competitors, and when they take your data, 
access your data we do get paid for it.
    Mr. Latta. Pardon me. The clock wasn't started right. You 
have about 15 seconds.
    Mr. Green. I am sorry?
    Mr. Latta. You have about 15 seconds. The clock didn't 
start up on you, so you have 15 seconds.
    Mr. Green. Oh, OK. Oh, I thought I just had a perpetual 
time.
    Mr. Latta. No.
    Mr. Green. Mr. Chairman, I just have one more question. The 
products that Equifax are so far providing victims of the 
breach do not include anything they won't need if it weren't 
for Equifax's laxes on their data. You, however, made more than 
$69 million in 2016. And so, but that is the concern that this 
committee has and I know we have for all our constituents.
    And I thank you, Mr. Chairman, for your time.
    Mr. Latta. Well, thank you very much. I appreciate the 
gentleman's questions. And the chair now recognizes the 
gentleman from Oklahoma for 5 minutes.
    Mr. Mullin. Thank you, Mr. Chairman.
    Mr. Smith, what is your current job?
    Mr. Smith. I am retired.
    Mr. Mullin. You are retiring. Are you still getting paid by 
the company?
    Mr. Smith. No, sir.
    Mr. Mullin. So you are fully retired and so you have no 
affiliation at all with the company? You are not on as a 
contractor or as----
    Mr. Smith. No, Congressman. What I agreed to do because I 
love this company, I spent 12 years with 10,000 people trying 
to do the right thing, is I told the board it was right for me 
to step down and have new leadership, take this company in a 
new direction. So when I retired I agreed to work for as long 
as the board required, for free, to help make it right for the 
consumers. So the affiliation is to do free work with the board 
of directors and the interim CEO.
    Mr. Mullin. So you are not getting paid in any manner, not 
through any type of shares, stocks, anything?
    Mr. Smith. Nothing. The day I announced my retirement that 
ended.
    Mr. Mullin. Do you still own stock in the company?
    Mr. Smith. I am sorry?
    Mr. Mullin. Do you still have stock in the company?
    Mr. Smith. Oh, yes.
    Mr. Mullin. Have you sold any of it?
    Mr. Smith. I have been there for 12 years. Yes, sir.
    Mr. Mullin. In recent, since this has become aware to the 
public?
    Mr. Smith. During this breach?
    Mr. Mullin. Yes.
    Mr. Smith. Oh. No, sir.
    Mr. Mullin. Are you aware of the individuals that have?
    Mr. Smith. Yes. There are three individuals who reported 
directly to me while I was their CEO.
    Mr. Mullin. That sold stock?
    Mr. Smith. Yes. One, yes, and all three of them are men I 
have known, I mentioned earlier, for a number of years. Two for 
almost 12 years and one for 3 or 4 years and they are men of 
high integrity.
    Mr. Mullin. Did they sell it before this went public?
    Mr. Smith. Yes. As I said before, we went public with this 
knowledge on September 7th.
    Mr. Mullin. And when did they sell their stock?
    Mr. Smith. August 1st and 2nd.
    Mr. Mullin. So after the breach?
    Mr. Smith. No, sir. The timeline of the end of July, 29th 
and 30th and notification on the 31st of suspicious activity, 
at that time 1 or 2 days prior to their selling there was no 
indication of a breach.
    Mr. Mullin. So what would cause them to sell it?
    Mr. Smith. As a what we call a Section 16 Officer, there is 
a limited window in which they can sell. It tends to be right 
after the earnings call for no more than 30 days, so this is a 
natural process. The window opened after the second quarter 
window, second quarter call.
    Mr. Mullin. In your opening statement you had mentioned 
that there was an error in the portal and it was 3 weeks before 
you were notified of a breach?
    Mr. Smith. If I can clarify?
    Mr. Mullin. Yes.
    Mr. Smith. There was a software, it is called an open 
source software that was deployed in this environment, this 
consumer dispute portal.
    Mr. Mullin. Right.
    Mr. Smith. We never found a vulnerability, didn't patch 
that vulnerability. That was the issue.
    Mr. Mullin. So who was in charge overseeing that? Who was 
supposed to be watching those portals for you?
    Mr. Smith. Ultimately me.
    Mr. Mullin. I know. Ultimately you, I get that. But who did 
you have hired that was supposed to watch that?
    Mr. Smith. There was on the vulnerability side, there was 
the----
    Mr. Mullin. Do you have a department that is dedicated to 
this?
    Mr. Smith. Yes. There is a chief information officer who 
was ultimately responsible. He was----
    Mr. Mullin. Is that person still over that department?
    Mr. Smith. No, sir. He is gone.
    Mr. Mullin. He is gone. You said you put in, once you were 
made aware of the breach you put in four plans of action, 
right. The first one was, do you remember?
    Mr. Smith. Notification.
    Mr. Mullin. Notification. The second one was a call center. 
The third one was increased cyber attacks, preparing for that. 
The fourth one was coordinating with law enforcement. I am also 
or was CEO, not on a company the size that you have but from 
the companies that my wife and I have had and we have protocols 
put in place of what could happen. We know cyber attacks 
happen, you hear it every day on the news.
    These four things that you named were common sense, things 
that should have been put in place to begin with. It should 
have been the fire alarm. You are in that world. This should be 
on the side of the wall where you pull the handle and it 
immediately goes into place. How was it that it was just now 
thought of that you needed to have four common sense principles 
put in place on how to react to something in a world where we 
knew you were vulnerable at?
    Mr. Smith. We have protocol, team followed protocol. This 
is well known what to do. From hiring a cyber forensic expert 
we knew what to do, we have done it before. Engaging a world-
leading cyber arm of a law firm, we knew what to do. These are 
all protocols that they knew what to do.
    The one thing, Congressman, it is not a switch on a wall. 
It is the ability to stand up the environment we had to stand 
up----
    Mr. Mullin. It took a long time to stand up and that is the 
issue we have here is you are on the leading front of this. And 
the four things that you identified to me, I don't mean to 
simplify it by saying a switch on a wall, but these protocols 
should have already been put in place and you should have been 
on a react much, much sooner than what took place. And with 
that I am sorry. I don't mean to cut you off, but the chairman 
has indulged me longer than what he should have and I 
appreciate your time. Thank you, Mr. Chairman.
    Mr. Latta. Thank you very much. The gentleman's time has 
expired and the chair now recognizes the gentlelady from 
California, Mrs. Walters, for 5 minutes.
    Mrs. Walters. Thank you, Mr. Chairman.
    Mr. Smith, before I get to my question I just want to say 
that on behalf of the 15 million Californians whose information 
was exposed, we expect better. Your business model was based on 
collecting and maintaining the most sensitive information on 
folks and you let us all down and that happened on your watch. 
And from my briefings it appears that this could have been and 
frankly should have been prevented.
    Now Equifax's business model depends on gathering consumer 
information, repackaging it, and selling it. Equifax has set up 
a web site in which consumers can enter information to 
determine if they are at risk and sign up for credit monitoring 
and credit lock. To participate, a person has to give Equifax 
the same type of personal information, including social 
security number, which Equifax put at risk in this breach. I 
want to know what Equifax is planning to do with this 
information besides offering credit monitoring and credit 
locks. Can you ensure me that Equifax will not plug this 
information back into its core business operation and sell it 
to its lenders?
    Equifax should not benefit from the situation and I want to 
know that Equifax is going to wall off this information and 
guarantee that the company will not profit from this situation.
    Mr. Smith. Congresswoman, thank you for your comments. And 
as I mentioned in my written testimony and my oral testimony, I 
have said throughout the morning and I will say again today, as 
the CEO it was under my watch. I am responsible. I am 
accountable and I apologize to all of your consumers in 
California.
    The intent of this offering that we are giving to your 
constituents in California and to consumers across the country 
is in an environment where we are not going to sell other 
products. It is to come there and be service protection of the 
five offerings that you had mentioned, not to sell and take 
your data and monetize that. It is to take and protect you with 
these five services.
    Mrs. Walters. Equifax's breach notification web site uses a 
stock installation of WordPress. This causes me a lot of 
concern because it seems to have insufficient security for a 
site asking people to provide part of their social security 
number. Can you assure me that this web site is secure and will 
not further endanger the personal information of my 
constituents?
    Mr. Smith. Congresswoman, we took what we believe was the 
right amount of time working hastily from late August to going 
live on the 7th. One of the four work streams the Congressman 
from Oklahoma mentioned was ensuring we were prepared for what 
was going to be increased cyber attacks as told to us by our 
forensic examiners. And one of the first things we did was 
ensure that the web site we were bringing consumers to, to get 
these free services, was as secure as possible. So that was one 
of our top priorities.
    Mrs. Walters. OK. And finally, my last question is how many 
U.S. consumers have enrolled in the credit monitoring service 
TrustedID? I will just finish here, because I know multiple 
people who have enrolled including my immediate family and they 
were told that they would receive an email to complete the 
process. After days of waiting they have not received an email 
and wanted to know what the delay is in processing this 
protection and when will they be able to complete the process 
to help protect their information?
    Mr. Smith. I understand the question and I mentioned 
earlier that over 400 million consumers have come to the web 
site. I would assume we don't have 400 million consumers in the 
country so a number of them came back multiple times. But it is 
a lot of volume. Number two, I was told in the last few days 
that the backlog waiting for those emails has now been 
fulfilled, had been drained. As you come into the system it is 
a more immediate response, so the team seems to have made great 
progress in the last couple weeks.
    Mrs. Walters. OK, thank you. And I yield back the balance 
of my time.
    Mr. Latta. Thank you very much. The gentlelady yields back 
and the chair now recognizes the gentleman from Pennsylvania 
for 5 minutes.
    Mr. Costello. Thank you, Mr. Chairman. I have heard from 
hundreds of constituents in my congressional district. There 
are approximately 5 1/2 million in Pennsylvania. I have 
reviewed each and every one of the constituent stories that I 
have received.
    And among my growing concerns, your baseline security 
practices leading up to the breach, the company's awareness of 
the breach developments and relevant timing, how consumers can 
get assistance in securing their accounts, how reliable the 
recovery efforts are in the wake of the breach, and the path 
forward long term for consumers' personal information and 
making sure they are safe despite the breach.
    And it is this last one that is so particularly angering 
because it is going to potentially be so destructive to 
hundreds of millions of Americans what might happen to them in 
the years to come. And as the head of the company and 
throughout the company, the culture of that company has to know 
how predictable the damage can potentially be.
    And so I ask you, is it not predictable how bad it might 
get for the individuals who have been compromised in terms of 
how much damage could be wrought upon them individually in the 
years to come?
    Mr. Smith. Congressman, let me start by saying that like 
you I have talked to constituents, consumers across this 
country who have been impacted. I have personally read letters 
from consumers complaining and voicing their anger and 
frustration, so I know what you were seeing back home in 
Pennsylvania.
    Mr. Costello. See, I think the anger is going to be 
multiplied thousands of times when something actually happens. 
So when you talk about how predictable some of this is, the 
rollout of the call centers and the second rollout and the 
third rollout, it has to be predictable how massive this is and 
what would need to be put in place from a protocol perspective 
in order to address what is coming.
    And the slow rollout and how poor it was done to me is just 
inexcusable. I mean you have to have departments dedicated to 
dealing with this potential and it doesn't appear to me as 
though that was planned. Or if it was planned it was planned 
extremely poorly.
    Mr. Smith. I understand your point, but it requires a 
little more color. We went from 500 call center agents to a 
need of almost 3,000. Properly handled call center agents to 
handle consumer calls took time. We did the best we could in a 
short period of time to ramp those up. I mentioned in my 
opening comments two of our larger call centers in the first 
weekend----
    Mr. Costello. I understand, the hurricane.
    Mr. Smith [continuing]. Taken out by Hurricane Irma. We 
were not prepared for that kind of call volume.
    Mr. Costello. How couldn't you be? How couldn't you be?
    Mr. Smith. It is not our traditional business model. Our 
traditional business model is dealing with companies, not 400 
million consumers coming to the web site.
    Mr. Costello. But your business model has a couple hundred 
million customers, so on a breach of this scale obviously you 
are going to have at least that number and probably twice that 
amount calling, inquiring as to whether or not they are subject 
to the breach and that wasn't done.
    Mr. Smith. Congressman, the difference is again the primary 
business model we have is dealing with companies, not with 
hundreds of millions of consumers. We did the best we could to 
react as quickly as we could. I had mentioned that the service 
is getting better each and every day. We have listened to 
consumers' feedback and tried to make changes to the web site, 
we have made changes to the call center.
    Mr. Costello. You are familiar with the Safeguards Rule 
that is essentially what you operate under?
    Mr. Smith. Yes.
    Mr. Costello. How often does a forensic consultant issue a 
letter or a certification or a law firm issue a certification 
that they feel your protocol is in compliance with the 
Safeguards Rule?
    Mr. Smith. We are in compliance. I am not sure how often 
that is actually communicated, is you are saying communicates 
with us?
    Mr. Costello. How would you know that you are in compliance 
then? Because if you said you followed protocol and protocol 
led to this, then it is very difficult for me--that calls into 
question whether the Safeguards Rule is sufficient enough. 
Because if you are saying you are in compliance with it and you 
followed protocol and this still happened that unearths a whole 
other set of questions.
    Mr. Smith. Again the speed of reaction and the scale of the 
reaction was unprecedented for. I am not making any excuses.
    Mr. Costello. Yes. But there is a corporate governance 
issue here as I see it and that is your board of directors gets 
together, you are CEO. You have a chief information officer, 
you have a chief security officer and at least once a year and 
probably quarterly you have, I presume, outside forensic 
consultants doing this stuff every single day from you on 
retainer. And the speed at which you have to do this just to 
run your company operationally you don't ever stop. It is 
obviously ongoing and persistent.
    And it just seems to me that through insurance policies, 
through reporting to your board, through your board wanting to 
make sure that they are doing their job that you are going to 
be looking for certifications from your outside forensic 
consultants doing audits to say yes, you are doing good. You 
are doing good. Here are the new threats. Here is how we are 
updating. That is the kind of information I think would be 
extremely helpful that we have not received any information 
from today.
    But I would ask you since I am well over my time that I 
would like to know how often your board asks you to certify 
whether or not you are in compliance and what is that protocol 
and when was the last time you updated that protocol? You said 
you have complied with protocol. When was the last time that 
was updated?
    Mr. Smith. I understand your question. We will get you that 
information.
    Mr. Costello. Do you yield back after you are already well 
over? I yield back.
    Mr. Latta. Your time is expired, how is that? The chair now 
recognizes the gentleman from Georgia--I am sorry. The 
gentleman from New York, 5 minutes.
    Mr. Tonko. Thank you, Mr. Chair. Americans should know 
their sensitive personal information is safe. Their security is 
exposed when private companies including Equifax can collect 
their private information without their direct knowledge or 
consent, and it is why I am co-sponsoring Representative 
Schakowsky's measure, H.R. 3896, the Secure and Protect 
Americans' Data Act.
    Mr. Smith, we are here today because months after the 
breach actually took place your company, Equifax, revealed that 
its for-profit business practices have exposed the highly 
sensitive personal information of some 145 1/2 million 
Americans and counting. Your data breach exposed a critical 
vulnerability in the American economy and the information 
security of the American people. Victims of this breach span 
every age group, every race, class, and other demographic. They 
now face a lifetime at risk of fraud, identity theft, and other 
crimes as a result of the private data that you exposed.
    I have many, many questions and allow me to be the conduit 
through which my constituents ask you, Mr. Smith, their 
questions. I will go first to Garance (ph.), a constituent, 
pointed out to me it would be wrong to call the victims of this 
breach Equifax customers. Most of them never asked to be 
tracked and judged by a private company with little public 
oversight or accountability. This is unacceptable. And he asks 
why he has been impacted in this manner. Any comment to 
Garance's question?
    Mr. Smith. Again, Congressman, I have read many similar 
letters and talked to people back home in Atlanta who voice 
that same concern. I can tell you this. Where a company has 
been around for 118 years, have 10,000 employees trying to do what 
is right each and every day, I apologize to the individual who 
wrote you that letter. I apologize to America for what happened 
and we are going to try to make it right.
    Mr. Tonko. My constituent Jason from Albany asked, Mr. 
Smith, did you to the best of your knowledge employ the best 
and most effective defense available to you to prevent this 
breach?
    Mr. Smith. A crisis never occurs if everything has gone 
right. In this case as I mentioned earlier we had a human error 
and a technology error. It wasn't because we were unwilling or 
unable to make the financial investments in people, process, or 
technology though.
    Mr. Tonko. My constituent Tanya asks, how do I get Equifax 
to fix this without signing over my rights and what related 
costs will I, Tanya, be expected to pay over my lifetime?
    Mr. Smith. The five products we launched or the services we 
offered in September are all free. They are all spelled out in 
the press release that gives that individual significant 
protection. The most comprehensive change is coming in January 
of next year which is the ability for consumers to lock and 
unlock their data when they want and only when they want.
    Mr. Tonko. And any related costs that she should expect to 
pay over her----
    Mr. Smith. Those services are all free.
    Mr. Tonko. A number of my constituents would like to know, 
given that the sole purpose of credit agencies is to secure 
handling of consumers' confidential information which they 
spectacularly failed to do that why is this company allowed to 
continue to exist?
    Mr. Smith. We have a rich history of helping those who want 
to get access to credit to get access to credit. The company 
has done many great things to help those in the unbanked world 
who would never otherwise have access to credit because of what 
we do, bring them into the credit world.
    Mr. Tonko. Constituent Lee from Albany asks, why are you 
using this gross misconduct to turn your victims into customers 
for a paid monitoring service that you will profit from?
    Mr. Smith. That is not the intent. Our intent is to offer 
those five services for free, followed by the sixth service, 
which is a lifetime lock for free.
    Mr. Tonko. My constituent Karen asks why have you not 
notified each person whose data you compromised? Most never 
asked you to collect it and securely store their private 
information, so we are the representatives and why should they 
be responsible for your malpractice?
    Mr. Smith. Following the recommendation of those who 
advised us we did notify through the press release notifying 
the entire population, not just those who were victim of the 
criminal act but all Americans, to get access to these products 
and services for free.
    Mr. Tonko. And my constituent James from Defreestville, New 
York asks why did it take you so long to announce the data 
breach and why shouldn't you be held responsible for every day 
of failing to report?
    Mr. Smith. I think hopefully my written testimony and my 
oral testimony and the dialogue we have had today has talked 
about the timeline in enough granularity to help that person 
understand what occurred from March through September 7th.
    Mr. Tonko. And a constituent Stephanie from East Greenbush 
asks, do they know if the people were targeted or randomly 
picked? Why some but not others?
    Mr. Smith. At this point all indications are it was at 
random. It was not targeting of individuals specifically.
    Mr. Tonko. I have exhausted my time, but let me assure you, 
Mr. Smith, I have many, many, many constituent questions that 
continue to pour forth and we are going to provide those after 
the hearing here and would expect that they would all be 
answered. And again thank you for your response. I yield back, 
Mr. Chair.
    Mr. Latta. Thank you very much. The gentleman yields back 
and the chair now recognizes the gentleman from Pennsylvania 
for 5 minutes.
    Mr. Murphy. Thank you, Mr. Chairman, for allowing me to sit 
in on this hearing. My fellow members have already asked a lot 
of questions, very important high level questions, but I want 
to take a few moments to dig a little more deeply into a few 
specific issues.
    We now know that Equifax information security department 
ran scans that should have detected systems that were 
exploitable by the Struts' vulnerability but that the scans 
didn't detect any. Obviously at least one system was 
vulnerable. So if the scan wasn't properly configured to catch 
this vulnerability, in other words you missed a major breach, 
is it possible that it has also been improperly configured to 
detect similar vulnerabilities?
    Mr. Smith. I have no knowledge of that. I have no knowledge 
of that being the case.
    Mr. Murphy. But now you have to feed the information in 
these scans and it has to be complete and accurate information 
and this information apparently was fed in an incomplete way; 
isn't that true?
    Mr. Smith. Could you repeat the question, please?
    Mr. Murphy. In order to scan something a human has to feed 
it information, right?
    Mr. Smith. I am not a scanning expert, Congressman. My 
understanding is you have got to configure the scanner in 
certain ways to look for certain vulnerabilities.
    Mr. Murphy. Yes, but a lot of what is going on here is you 
are blaming, they say no humans are involved here, but 
configuring is done by a human being, isn't it right? And some 
inaccurate information got in there too. So if it was 
improperly configured to catch the vulnerability, is it 
possible it has also been improperly configured to detect 
similar vulnerabilities?
    Mr. Smith. I have no indication to believe that is the 
case.
    Mr. Murphy. We have also heard a lot about the web site 
Equifax set up to handle the consumer protection response at 
equifaxsecurity2017.com. As it has been pointed out, this looks 
like a web site that scammers would use for phishing. In fact, 
it was widely reported in the press someone switched two words 
and made it into a phishing web site that looked almost 
identical. Luckily, this person was just trying to make a 
point, but I think that point is well taken.
    You said earlier today that you set up this external web 
site because Equifax's own domain wouldn't be able to handle 
the sheer amount of traffic. Now why wouldn't your web site be 
able to handle this traffic? I mean it just doesn't make sense 
a company of your size and knowledge doesn't understand how to 
handle traffic for over a 100 million people. Don't you use an 
elastic cloud computing service that would have accounted for 
this traffic?
    Mr. Smith. Congressman, a point of clarification, if I may. 
This phishing site that you referred to was mentioned a few 
times today, was an error by an individual in the call center. 
My understanding is----
    Mr. Murphy. Well, let me get this other question though. 
OK, we have that established, but I want to ask this question 
though. Your own domain wouldn't be able to handle the sheer 
amount of traffic, but don't you use something like an elastic 
cloud that would allow for greater traffic?
    Mr. Smith. The environment the microsite is in is a cloud 
environment that is very, very scalable. The traditional 
environment that we operate in could not handle 400 million 
consumer visits in 3 weeks.
    Mr. Murphy. Well, I am going to come back to some of this 
stuff too. I want to come back to the issue of patching the 
March vulnerability. Now I know this has come up a few times, 
but I want to make sure to highlight this point since it is 
critical in understanding how this breach occurred here.
    Our understanding is that fixing this vulnerability 
required more effort than simply installing a patch. But we 
also understand that when Equifax did patch the vulnerability 
it took less than 3 days to do so. So if the patch only took a 
few days to apply, why did Equifax fail to install it 
immediately after it was announced as critical?
    Mr. Smith. Patching takes a variety of time. I am not sure 
where you got the note that it is 3 days. Patching can take 
from days to up to a week or more to apply a proper patch.
    Mr. Murphy. Did you notify everybody it was going to take 
some time? Did you notify all your customers it was going to 
take some time? Did you notify people there was the risk of 
your trying to apply the patch?
    Mr. Smith. I know of no standard protocol that we would 
notify----
    Mr. Murphy. I didn't ask about standard protocol. I asked 
did you notify people.
    Mr. Smith. I have no knowledge that we would notify 
customers or consumers of a patching process.
    Mr. Murphy. So you didn't notify anybody that the patch was 
going to take place and in the meantime there was a risk that 
existed?
    Mr. Smith. I have no knowledge of need----
    Mr. Murphy. Did you notify other people--did other people 
and the executives of your company, were you aware of it?
    Mr. Smith. As I have said before I was not.
    Mr. Murphy. You were not aware that there was this problem 
with the vulnerability? You just told me it takes a few days or 
a few weeks, but you weren't aware that it existed?
    Mr. Smith. That is correct.
    Mr. Murphy. Well, let me wrap up with one final thought 
here. In your testimony you state that the breach occurred 
because of both human error and technological failures, or 
technology failures. So looking at the three features I just 
highlighted--the improperly configured scans, the poorly chosen 
web site, the lack of patching--these are not failures of 
technology. A human misconfigured the scan. A human selected 
the web site name. A human failed to apply the patch.
    While I understand that cybersecurity is an immensely 
complicated field, we have dealt with this many times in this 
committee and sometimes flaws in technology we rely on are 
really to blame, but I also think it is important to be upfront 
about the causes of breaches like this. And if we continue to 
blame technology for human failures to provide inadequate 
cybersecurity, I think we are going to have a very difficult 
time improving our capabilities and preventing future cyber 
threats.
    Mr. Chairman, I recognize I am out of time. We will see you 
again in my subcommittee.
    Mr. Latta. Thank you very much. The gentleman's time has 
expired and the chair now recognizes the gentleman from 
Maryland for 5 minutes.
    Mr. Sarbanes. Thank you, Mr. Chairman.
    Mr. Smith, thank you for being here. You have been the 
president of the company for, CEO for 12 years; is that right?
    Mr. Smith. That is correct.
    Mr. Sarbanes. There are three things I think that the public 
is angry about. Certainly, as my colleague was indicating, we 
are getting a lot of messages and contacts, inquiries from our 
constituents across the country.
    First of all, they want to understand. And you have tried 
to explain it today, but I am not sure it is going to be 
satisfactory why there weren't sufficient protections in place 
on the front end so that this kind of breach wouldn't happen in 
the first place given the sensitivity of the information that 
you are keeping in the company. The second thing is how quickly 
once a breach was discovered you came clean to the public and 
provided information on what was happening. There seems to have 
been a delay there that concerns people.
    The third is whether the services that you are now 
providing to people, you have enumerated to five or six free 
services that you are providing to people, whether that is 
going to be a sufficient assurance to folks going forward that 
their identity can be protected, that their information is safe 
and so forth. So you are trying to fix things now, but there is 
going to continue to be, I think, serious questions about all 
three of those things that I just mentioned.
    I wanted to ask you about the kind of remedies that you 
have out there because there is some confusion. I got a 
question from a constituent who had purchased a monitoring 
service that would cover his family including a child under the 
age of 18. So first of all, can you tell me, is it possible for 
someone under the age of 18 to have their identity stolen? Is 
that correct as far as you understand?
    Mr. Smith. Is it possible?
    Mr. Sarbanes. Yes.
    Mr. Smith. As it relates to this breach?
    Mr. Sarbanes. Just generally. Identity, if certain 
information about a minor is divulged to some unscrupulous 
actor that can be used to steal the identity of that person.
    Mr. Smith. If someone has a social security number, at any 
age, can that be compromised? Yes. It could not be compromised 
in this case because this database they got into it is my 
understanding only was for those who had credit, credit active 
or inactive, and they have been in a credit environment.
    Mr. Sarbanes. OK. But my understanding is that when you 
provide a family service you are collecting information and 
holding information that includes the social security number of 
people who may be under the age of 18.
    Mr. Smith. I have no knowledge that under 18, not credit 
active, was compromised here. I can look into that.
    Mr. Sarbanes. OK.
    Mr. Smith. But I have no knowledge.
    Mr. Sarbanes. If that is the case, is this free service 
that you are providing going to cover any exposure or 
information that is related to a minor, as opposed to somebody 
who is over the age of 18, if you had information on that 
minor?
    Mr. Smith. I can look into that, Congressman. The intent of 
the coverage was to cover anyone in America who is in the 
credit system. So if you are under 18 and not in the credit 
system, I will check your one point which is on this concept 
called family plan that you are alluding to where you lock down 
consumers, you monitor consumers. I don't believe their social 
security numbers were in this system, but we can verify that.
    Mr. Sarbanes. Well, that is important because----
    Mr. Latta. If I could just interrupt. I think again we had 
a little clock issue. You have about 30 seconds left. Thank 
you.
    Mr. Sarbanes. OK. I think it is important because it may be 
that with respect to credit reporting the implications of this 
breach only attach to people that are 18 or older. But if you 
are holding information about minors like a social security 
number that is part of the portfolio of information you are 
getting from a family, for example, particularly when the 
family has paid for this service, you are holding their social 
security number, so any breach that makes that information 
available outside of the arena in which it is supposed to be 
kept close creates vulnerability for that person.
    It is not like we get a new social security number when we 
turn 18. So that is going to follow them all the way through 
and create some real risk for them. So I think that is a piece 
of this that we need to understand much better, and I want to 
thank my constituents for bringing that to our attention.
    Mr. Smith. I understand your point. To the best of my 
knowledge, that data is not included in the breach, but I will 
look into it.
    Mr. Sarbanes. Thank you. I yield back.
    Mr. Latta. Thank you very much. The chair now recognizes 
the gentleman from Georgia, 5 minutes.
    Mr. Carter. Thank you, Mr. Chairman. And I want to thank 
you for allowing me to sit in on this today.
    Mr. Smith, thank you for being here. I know it has been a 
tough day. It has been a tough past couple of weeks. I 
appreciate you being here and that is important. I am not going 
to apologize for my colleagues and their questions and their 
aggressiveness, if you will, because as you know people are 
upset and they are mad. You get it and I get it, we all 
understand it. But nor am I going to pile on, so I want to go a 
kind of different route, if you will.
    One of the things that I have learned in the 2 1/2 
years that I have been up here is to be very careful about my 
southern phrases, but one of my southern phrases has always 
been that you know, fool me once shame on you, fool me twice 
shame on me. And I want to know what we can learn from this. 
Now this is not the first time that a data breach has happened. 
Perhaps it is the biggest that has ever happened, but it has 
happened to other companies before.
    Now to the extent that you weren't prepared for this or 
that it happened to you and I hope that was not due to 
complacency, I hope it was not due to you not doing everything 
that you could to have prevented it, but my question is this. 
Can you share with us any information about the attackers? What 
do you know and what do you not know about them at this point?
    Mr. Smith. Congressman, thank you for that. As I mentioned 
in my opening comments and my written testimony, earlier this 
week we have engaged the FBI and they currently have the 
investigation in their hands. So at this juncture we are not 
disclosing what we know about the hackers.
    Mr. Carter. How has your cooperation with the FBI been? Has 
your experience with them thus far been good and anything 
that--this is important. It is important for everyone. Yes, 
everyone is upset and rightfully so. They should be upset. When 
your personal data is out there obviously it is very upsetting. 
But I am trying to go in a different direction. I am trying to 
figure out how we can prevent this from happening.
    Mr. Smith. The cooperation with the FBI as best I know has 
been good. It is ongoing. We have lines of communication into 
the FBI not just after a breach but routinely throughout the 
year. So I would say it has been a very good cooperation, 
Congressman.
    Mr. Carter. Let me ask you this. Through this experience, 
if you had to do anything different what would you have done?
    Mr. Smith. Congressman, I was asked that question earlier 
and my answer will be the same now as it was earlier. There 
will be time for reflection personally and as an organization. 
That coupled with the investigation that we continue to 
undertake to look at processes in-house. But at this juncture, 
since I was notified in mid-August through this morning, it has 
all been about the forensics. It has been about trying to 
protect and do what is right for the consumer and there has 
been no time to reflect on what I would do differently.
    Mr. Carter. OK. Well, when that time comes we need to know, 
because we don't need to let this happen again and other 
companies need to learn from it. This is obviously as I said 
earlier you are not the first company to suffer from this. You 
are not the first Georgia company to suffer from this. We 
understand that. It doesn't make it any less egregious to what 
has happened, but where I am trying to go is what can we do 
better to prevent this from happening again? These guys are 
good, we know that. Listen, cybersecurity is hard. It is way 
above my pay grade, I can tell you that.
    Mr. Smith. Congressman, thank you for that. As I mentioned 
in my comments I take full responsibility as CEO.
    Mr. Carter. And I understand that and I appreciate that.
    Mr. Smith. If there is one thing I would love to see this 
country think about is, the concept of a social security number 
in this environment being private and secure, I think it is 
time as a country to think beyond that. What is a better way to 
identify consumers in our country in a very secure way, and I 
think that way is something different than an SSN, a date of 
birth, and a name.
    Mr. Carter. Well, you are exactly right. I remember my time 
in the Georgia State Legislature when we changed the, you used 
to have your social security number on your driver's license. 
That used to be your driver's license number, and that was not 
that long ago. And that is what tells me that this is something 
that is changing dramatically and quickly and we need to be 
prepared for it.
    So I know that you are putting out fires right now, but at 
some point we need to learn from this. We need to know, look, 
we shouldn't have done this and we should have done that. What 
could we have done differently? What will benefit another 
company to allow that this doesn't happen? And I hope, and thus 
far you appear to have been honest about all this, I hope that 
if part of what the problem was complacency that you admit that 
and say don't ever let your guard down.
    Mr. Smith. Thank you, Congressman. I would love to be part 
of that dialogue about what lies ahead to protect individuals' 
identities.
    Mr. Carter. Well, again I want to thank you for being here 
and it says a lot about you and about your company.
    Thank you, Mr. Chairman. I yield back.
    Mr. Latta. The gentleman yields back. The chair now 
recognizes the gentlelady from California for 5 minutes.
    Ms. Eshoo. Thank you, Mr. Chairman. First, I would like to 
recognize a former colleague that is here in the chamber with 
us. Saxby Chambliss who served in the House and in the Senate, 
it is good to see you, very nice to see you.
    Mr. Smith, it seems to me that you have accomplished 
something that no one else has been able to accomplish and that 
is that you have brought Republicans and Democrats together in 
outrage and distress and frustration over what has happened, 
because this is huge. This is almost half of the country and 
their information.
    The American people are, I think they have privacy in their 
DNA. We don't like Big Brother. We don't like people having 
information on us. We know in an information age and then the 
digital age that that is impossible, but boy, when that is 
breached, when the privacy goes out the window it really puts a 
dent in people's lives. I equate it with because they don't 
feel that they can do anything about it. They feel helpless. I 
come from earthquake country and when that rattle first starts 
you really do feel helpless. You feel absolutely helpless.
    Now, the question has been posed rhetorically by some 
members, because I have been sitting in for awhile at this 
hearing, what can be done. I have the privilege of representing 
most of Silicon Valley. I have asked this question about the 
protection in terms of privacy breaches in our country to just 
about every CEO I have met and they have responded like a 
chorus and said there are two main reasons for breaches in our 
country, number one, a lack of hygiene in systems and very poor 
security management. That is why I have legislation. Senator 
Hatch is the lead sponsor in the Senate. I have the bill in the 
House.
    So it is distressing to me knowing this information that 
Homeland Security notified Equifax, this is almost 7 months 
ago, this has to do with a patch. So I know there are a lot of 
questions that have probed this, but you as CEO at the time, 
when Homeland Security informed your company that there was a 
breach what did you say to your CIO officer? Did you understand 
what the breach was? Did you understand what the patch meant? 
Did you understand the timeliness, the need for timeliness to 
have this fixed and did anything change in that department? Was 
there a new policy put in place by you?
    Mr. Smith. Congresswoman, to clarify, when the CERT came 
out in March there was no notification of a breach. There was 
notification----
    Ms. Eshoo. What did it mean?
    Mr. Smith. What it meant was----
    Ms. Eshoo. I mean if I got a notice from Homeland Security 
that is like the FBI knocking on the door. It is the federal 
government. That in and of itself is a bit menacing, isn't it?
    Mr. Smith. What it meant was an open source software 
commonly used and deployed around the world called Apache 
Struts had a vulnerability and the notification was the 
vulnerability should be patched.
    Ms. Eshoo. All right. And did you ask if it was patched?
    Mr. Smith. We get notifications----
    Ms. Eshoo. No, you got the notification from Homeland 
Security, all right? What did you do about it the day you found 
out? The company was notified on, I believe, the 9th of March. 
When did you know?
    Mr. Smith. The team, security team followed a protocol and 
instantly within a day sent notification out to many people in 
the organization that a patch needed to be applied to Apache 
Struts.
    Ms. Eshoo. And did you ask your team when it was applied?
    Mr. Smith. The security team did and they spoke with the IT 
team as well.
    Ms. Eshoo. When did they take care of it?
    Mr. Smith. Throughout the testimony we talked about what 
occurred was there was a communicate----
    Ms. Eshoo. Well, just tell me when it happened. When was it 
actually----
    Mr. Smith. The following day communication was sent out to 
those that needed to be notified.
    Ms. Eshoo. You already said that. I want to know when they 
did it, when they took care of it.
    Mr. Smith. They took care of it in July because we never 
found it. It wasn't until, if you recall, we had the human 
error, we did the scan, the technology never found it. In July 
we saw suspicious activity, took the portal down, found the 
vulnerability, applied the patch.
    Ms. Eshoo. Well, I thank the chairman. We have in the rules 
of the full committee which are approved at the beginning of 
every Congress that members of the full committee can 
participate in subcommittees where they are not members and I 
appreciate the legislative courtesy. And I think there is a lot 
more to be done on this issue, Mr. Chairman, if I might make 
the recommendation. I think we should have the CIO, the chief 
information officer, come in because I don't think that this is 
resolved. So thank you.
    Nice to see you, Saxby.
    Mr. Latta. Thank you very much. The gentlelady's time has 
expired. And we are just going to ask one quick follow-up 
question so I am going to yield to the ranking member first.
    Ms. Schakowsky. First of all, Mr. Chairman, I would like to 
insert for the record a letter from consumer groups, too, a 
letter from Credit Union National Association, and an article 
from WGN-TV.
    Mr. Latta. Without objection, so ordered.
    [The information appears at the conclusion of the hearing.]
    Ms. Schakowsky. Oh, sorry.
    So in closing, Mr. Smith, I want to quote again from you, 
from your testimony. You mentioned the five fixes, so-called, 
and you put, ``This puts the control of consumers' credit 
information where it belongs, with the consumer.'' So I want to 
ask you a question. What if I want to opt out of Equifax? I 
don't want you to have my information anymore. I want to be in 
control of my information. I never opted in. I never said it 
was OK to have all my information and now I want out. I want to 
lock out Equifax. Can I do that?
    Mr. Smith. Congresswoman, that requires a much broader 
discussion around the rule that credit reporting agencies--
because that data as you know, today, doesn't come from the 
consumer it comes from the furnishers and the furnishers 
provide that data to the entire industry.
    Ms. Schakowsky. No, I understand that and that is exactly 
where we need to go, to a much larger discussion because most 
Americans really don't know how much information, what it is, 
that you have it, and they never said OK. So I am hoping this 
will lead to a wider discussion. Thank you.
    Mr. Latta. Thank you very much. The gentlelady yields back. 
And if I may just go back to what we had a little discussion 
earlier, again going back to your testimony. From August the 
15th when you were informed that it appeared likely that 
consumer, that information had been stolen, again why was there 
again a 10-day delay between finding out about that personal 
information that could have likely been stolen to developing 
that remediation plan? That 10-day window, why did it take 10 
days to start that remediation?
    Mr. Smith. Well, Congressman, there was continuous motion 
going on around the clock from that time through yesterday 
trying to develop the product, build the communication plan, 
stand up web sites, inform those that needed to be informed. It 
wasn't like on a certain date something occurred, it was 
continual motion by many people for many, many weeks.
    Mr. Latta. Let me ask just a quick follow-up on that then, 
because again with that 10-day period of time, when was the 
appropriate time that it was really to start talking to the 
consumers at that point in time or again waiting until when you 
did in September? Because again there was that lag time there 
when information could have been stolen on individuals.
    Mr. Smith. Yes. The whole goal was to make sure the data we 
had was accurate, was as clear for the U.S. consumer as 
possible. Number two was to make sure for the forensic 
cybersecurity specialists that our environment was as secure as 
possible. Remember, they said expect increased attacks. Number 
three was to stand up the call centers and the web sites for 
hundreds of millions of consumers and that just took time as I 
alluded to earlier.
    Mr. Latta. Well, thank you very much. And seeing that there 
are no other members present to ask questions, we want to thank 
you very much for testifying before the subcommittee today. And 
pursuant to committee rules I remind members that they have 10 
business days to submit additional questions for the record and 
I ask that the witness submit his response within 10 business 
days upon request of any questions submitted. Without 
objection, the subcommittee is adjourned.
    [Whereupon, at 1:03 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

             Prepared statement of Hon. Michael C. Burgess

    Today the DCCP subcommittee will focus on a massive data 
breach executed against Equifax, but this is just one of many 
recent data breaches nationwide. Millions of consumer data, 
including personally identifiable information, have been 
compromised leaving customers vulnerable to criminal entities 
operating mostly on the dark web. In addition, Equifax did not 
notify consumers until 40 days after observing suspicious 
traffic and shutting down the source of this traffic.
    In an effort to quickly respond to consumers, Equifax's 
website and call centers were overwhelmed and initially unable 
to inform individuals if their information had been 
compromised. Another frustrating factor was the inclusion of a 
mandatory arbitration clause in the terms and conditions of 
credit monitoring services being offered, but I understand this 
has since been removed.
    The issue of data breach notification has been before this 
subcommittee for many years. There is a history of bipartisan 
cooperation, indicating a strong desire to get this right for 
all consumers. At this point, there is likely not a single 
Member of Congress who has not had a constituent, or 
themselves, affected by a data breach or cyber attack. Without 
a reasonable federal standard on data security and breach 
notification, companies are implementing various security 
protocols and hoping they don't become the next victim of a 
breach. The lack of a single, federal standard has led to 
numerous state laws, but data breaches transcend physical 
boundaries.
    Last Congress, this subcommittee passed the Data Security 
and Breach Notification Act, which would have required breach 
notification to customers within 30 days, including ways to 
inquire with the company as well as how to contact the Federal 
Trade Commission. Companies also had to alert customers that 
reasonable measures were taken to restore the integrity, 
security and confidentiality of the data system.
    One of the most important sections of the bill would have 
required entities to implement and maintain reasonable security 
measures and practices appropriate to the size and type of 
entity, as well as protect personal information against 
unauthorized access. These reasonable measures are based on 
industry accepted practices while remaining flexible to allow 
advancement in accordance with the security technology market. 
Currently, such measures might include 2-factor authentication 
as well as immediate patching of known software 
vulnerabilities. According to Mr. Smith's testimony, the flaw 
used to perpetrate the Equifax breach was a known security 
vulnerability that had an existing patch.
    Had the Data Security and Breach Notification bill passed 
out of this committee with bipartisan support, it may well have 
become law and prevented, or at least softened the blow of, a 
data breach on the massive scale experienced by Equifax.
    As we work through what happened and how consumers can 
recover their data security, I hope we can again find 
bipartisan consensus on data security and breach notification 
going forward.