b'<html>\n<title> - SECURING CONSUMERS\' CREDIT DATA IN THE AGE OF DIGITAL COMMERCE</title>\n<body><pre>[House Hearing, 115 Congress]\n[From the U.S. Government Publishing Office]\n\n\n     SECURING CONSUMERS\' CREDIT DATA IN THE AGE OF DIGITAL COMMERCE\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n        SUBCOMMITTEE ON DIGITAL COMMERCE AND CONSUMER PROTECTION\n\n                                 OF THE\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            NOVEMBER 1, 2017\n\n                               __________\n\n                           Serial No. 115-70\n                           \n                           \n                           \n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n\n\n      Printed for the use of the Committee on Energy and Commerce\n\n                        energycommerce.house.gov\n                        \n                                __________\n                               \n\n                    U.S. GOVERNMENT PUBLISHING OFFICE                    \n27-917 PDF                  WASHINGTON : 2018                     \n          \n-----------------------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Publishing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, \nU.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).\nE-mail, <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="3354435c73504640475b565f431d505c5e1d">[email&#160;protected]</a> \n                       \n\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                          GREG WALDEN, Oregon\n                                 Chairman\n\nJOE BARTON, Texas                    FRANK PALLONE, Jr., New Jersey\n  Vice Chairman                        Ranking Member\nFRED UPTON, Michigan                 BOBBY L. RUSH, Illinois\nJOHN SHIMKUS, Illinois               ANNA G. ESHOO, California\nMICHAEL C. BURGESS, Texas            ELIOT L. ENGEL, New York\nMARSHA BLACKBURN, Tennessee          GENE GREEN, Texas\nSTEVE SCALISE, Louisiana             DIANA DeGETTE, Colorado\nROBERT E. LATTA, Ohio                MICHAEL F. DOYLE, Pennsylvania\nCATHY McMORRIS RODGERS, Washington   JANICE D. SCHAKOWSKY, Illinois\nGREGG HARPER, Mississippi            G.K. BUTTERFIELD, North Carolina\nLEONARD LANCE, New Jersey            DORIS O. MATSUI, California\nBRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida\nPETE OLSON, Texas                    JOHN P. SARBANES, Maryland\nDAVID B. McKINLEY, West Virginia     JERRY McNERNEY, California\nADAM KINZINGER, Illinois             PETER WELCH, Vermont\nH. MORGAN GRIFFITH, Virginia         BEN RAY LUJAN, New Mexico\nGUS M. BILIRAKIS, Florida            PAUL TONKO, New York\nBILL JOHNSON, Ohio                   YVETTE D. CLARKE, New York\nBILLY LONG, Missouri                 DAVID LOEBSACK, Iowa\nLARRY BUCSHON, Indiana               KURT SCHRADER, Oregon\nBILL FLORES, Texas                   JOSEPH P. KENNEDY, III, \nSUSAN W. BROOKS, Indiana             Massachusetts\nMARKWAYNE MULLIN, Oklahoma           TONY CARDENAS, California\nRICHARD HUDSON, North Carolina       RAUL RUIZ, California\nCHRIS COLLINS, New York              SCOTT H. PETERS, California\nKEVIN CRAMER, North Dakota           DEBBIE DINGELL, Michigan\nTIM WALBERG, Michigan\nMIMI WALTERS, California\nRYAN A. COSTELLO, Pennsylvania\nEARL L. ``BUDDY\'\' CARTER, Georgia\nJEFF DUNCAN, South Carolina\n\n                                 7_____\n\n        Subcommittee on Digital Commerce and Consumer Protection\n\n                         ROBERT E. LATTA, Ohio\n                                 Chairman\nGREGG HARPER, Mississippi            JANICE D. SCHAKOWSKY, Illinois\n  Vice Chairman                        Ranking Member\nFRED UPTON, Michigan                 BEN RAY LUJAN, New Mexico\nMICHAEL C. BURGESS, Texas            YVETTE D. CLARKE, New York\nLEONARD LANCE, New Jersey            TONY CARDENAS, California\nBRETT GUTHRIE, Kentucky              DEBBIE DINGELL, Michigan\nDAVID B. McKINLEY, West Virgina      DORIS O. MATSUI, California\nADAM KINZINGER, Illinois             PETER WELCH, Vermont\nGUS M. BILIRAKIS, Florida            JOSEPH P. KENNEDY, III, \nLARRY BUCSHON, Indiana                   Massachusetts\nMARKWAYNE MULLIN, Oklahoma           GENE GREEN, Texas\nMIMI WALTERS, California             FRANK PALLONE, Jr., New Jersey (ex \nRYAN A. COSTELLO, Pennsylvania           officio)\nGREG WALDEN, Oregon (ex officio)\n\n                                  (ii)\n                            \n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHon. Robert E. Latta, a Representative in Congress from the State \n  of Ohio, opening statement.....................................     1\n    Prepared statement...........................................     3\nHon. Janice D. Schakowsky, a Representative in Congress from the \n  State of Illinois, opening statement...........................     5\nHon. Greg Walden, a Representative in Congress from the State of \n  Oregon, opening statement......................................     7\n    Prepared statement...........................................     9\nHon. Frank Pallone, Jr., a Representative in Congress from the \n  State of New Jersey, opening statement.........................    10\n    Prepared statement...........................................    11\n\n                               Witnesses\n\nFrancis Creighton, President and Chief Executive Officer, \n  Consumer Data Industry Association.............................    13\n    Prepared statement...........................................    15\n    Answers to submitted questions...............................   120\nJames Norton, Adjunct Lecturer, Johns Hopkins University Zanvyll \n  Krieger School of Arts and Sciences............................    36\n    Prepared statement...........................................    38\n    Answers to submitted questions...............................   130\nBruce Schneier, Fellow and Lecturer, Belfer Center for Science \n  and International Affairs, Harvard Kennedy School, and Fellow, \n  Berkman Center for Internet and Society at Harvard Law School..    44\n    Prepared statement...........................................    46\n    Answers to submitted questions \\1\\...........................   133\nAnne P. Fortney, Partner Emeritus, Hudson Cook, LLP..............    55\n    Prepared statement...........................................    57\n    Answers to submitted questions...............................   136\n\n                           Submitted Material\n\nStatement of Jeff Greene, Senior Director, Global Government \n  Affairs and Policy, Symantec Corporation, November 1, 2017, \n  submitted by Mr. Harper........................................   108\nLetter of November 1, 2017, from the Electronic Frontier \n  Foundation to Mr. Latta and Ms. Schakowsky, submitted by Mr. \n  Harper.........................................................   116\n\n----------\n\\1\\ Mr. Schneier did not answer submitted questions for the \n  record by the time of printing.\n\n \n     SECURING CONSUMERS\' CREDIT DATA IN THE AGE OF DIGITAL COMMERCE\n\n                              ----------                              \n\n\n                      WEDNESDAY, NOVEMBER 1, 2017\n\n                  House of Representatives,\n     Subcommittee on Digital Commerce and Consumer \n                                        Protection,\n                          Committee on Energy and Commerce,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 10:32 a.m. in \nRoom 2123, Rayburn House Office Building, Hon. Robert E. Latta \n(chairman of the subcommittee) presiding.\n    Members present: Representatives Latta, Harper, Burgess, \nLance, Guthrie, McKinley, Kinzinger, Bilirakis, Bucshon, \nMullin, Walters, Costello, Walden (ex officio), Schakowsky, \nCardenas, Dingell, Matsui, Welch, Kennedy, Green, and Pallone \n(ex officio).\n    Also present: Representatives Barton, Cramer, and Duncan.\n    Staff present: Kelly Collins, Staff Assistant; Zack \nDareshori, Staff Assistant; Melissa Froelich, Chief Counsel, \nDigital Commerce and Consumer Protection; Adam Fromm, Director \nof Outreach and Coalitions; Ali Fulling, Legislative Clerk, \nOversight and Investigations/Digital Commerce and Consumer \nProtection; Elena Hernandez, Press Secretary; Paul Jackson, \nProfessional Staff, Digital Commerce and Consumer Protection; \nBijan Koohmaraie, Counsel, Digital Commerce and Consumer \nProtection; Katie McKeogh, Press Assistant and Digital \nCoordinator; Alex Miller, Video Production Aide and Press \nAssistant; Madeline Vey, Policy Coordinator, Digital Commerce \nand Consumer Protection; Everett Winnick, Director of \nInformation Technology; Greg Zerzan, Counsel, Digital Commerce \nand Consumer Protection; Michelle Ash, Minority Chief Counsel, \nDigital Commerce and Consumer Protection; Jeff Carroll, \nMinority Staff Director; Lisa Goldman, Minority Counsel; \nCaroline Paris-Behr, Minority Policy Analyst; Tim Robinson, \nMinority Chief Counsel; and C.J. Young, Minority Press \nSecretary.\n    Mr. Latta. Well, good morning. I would like to call the \nEnergy and Commerce Subcommittee on Digital Commerce and \nConsumer Protection to order. And I also wanted to thank our \nwitnesses for being here this morning. And I recognize myself \nfor a 5-minute opening statement.\n\nOPENING STATEMENT OF HON. ROBERT E. LATTA, A REPRESENTATIVE IN \n                CONGRESS FROM THE STATE OF OHIO\n\n    One month ago, this subcommittee was the first to hear \ntestimony from former Equifax CEO Richard Smith about how his \ncompany\'s failure to protect against a known security data \nvulnerability led to the exposure of over 145 million \nAmericans\' sensitive information.\n    Today, we continue our investigation into the Equifax \nbreach. We will focus on: helping the public get answers; how \nis the industry responding to this breach; what the industry \nresponse has been to this breach; has the cybersecurity \nlandscape changed as a result of the breach; and what laws and \nregulations govern the protection of individuals\' information \ncollected by businesses.\n    On Friday, our full committee chairman, Greg Walden, raised \nquestions about how the actions taken by businesses that use \npersonal data affect security, privacy, and individuals\' online \nidentities. The Equifax data breach was a stark demonstration \nof the responsibility that credit bureaus and all companies \nhave when holding millions of Americans\' sensitive information. \nIn fact, Congress has recognized the sensitivity of this data \nand specifically enacted laws regarding the credit bureaus\' \nbusiness model.\n    Today, we are looking for answers about how best to secure \nconsumers\' credit data in order to protect against another \nbreach of this magnitude. We want to shine a light on security \npractices and understand a path forward to restore confidence \nto U.S. consumers.\n    For example, lenders, including banks and retailers, use \ncredit reports and related data to evaluate the likelihood that \nborrowers will repay their loans. This credit information \nassists consumers in accessing credit, buying a house, or \nsecuring a job. However, consumers may not know or understand \nwhat data has been collected on them and how it is being used \nby the credit reporting industry and their paying customers, \nincluding the Federal Government. Today, we hope to shed light \non these questions and provide more information for those \nconsumers.\n    With regard to Equifax, the subcommittee has taken a \ncomprehensive review of the circumstances surrounding the \nbreach. For example, it came to our attention last month that \nthe Internal Revenue Service had awarded a no-bid contract to \nEquifax. On October 10, Ranking Member Schakowsky and I, along \nwith Chairman Walden and Ranking Member Pallone, sent a \nbipartisan letter to the IRS Commissioner raising questions \nabout the IRS decision to award a contract to Equifax for \nidentity verification services in the aftermath of the Equifax \nbreach. That contract has since been rescinded.\n    We also sent a bipartisan letter on October 16 to the \nGeneral Services Administration about the agency\'s \nconsideration of data security practices when vetting vendors, \nlike Equifax, and awarding Government contracts. We are looking \nforward to the GSA\'s response.\n    Chairman Walden and I remain committed to working in a \nbipartisan fashion to get answers for the American public and \nto hold Equifax accountable.\n    When former CEO Richard Smith came to Washington last \nmonth, he said, quote, ``The breach occurred because of both \nhuman error and technology failures.\'\' These quote/unquote \n``errors\'\' and ``failures\'\' allowed criminals to access over \n145 million Americans\' data. As a result, names, addresses, \nbirth dates, and full nine-digit Social Security numbers were \nexposed and certain drivers licenses, credit cards, and credit \ndispute information were taken.\n    If your credit card information is stolen, you can contact \nVisa or MasterCard, and they will reissue a new card and a \ncredit card number. If your Social Security number is stolen, \nit is much, much more complicated to get a new number. A Social \nSecurity number is intrinsically tied to each and every one of \nus.\n    According to the FTC, there were nearly 400,000 identity-\ntheft complaints in 2016, which amounts to 13 percent of all \nconsumer complaints received. Nearly 30 percent of consumers \nreported that their data was used to commit tax fraud in 2016. \nConsumers also reported that their stolen data was used for \ncredit card fraud, rising to more than 32 percent in 2016 from \nnearly 16 percent in 2015.\n    In the aftermath of the Equifax breach, months later, \nconsumers may still be confused about how best to protect \nthemselves. This subcommittee and agencies like the Federal \nTrade Commission have been providing useful information to \nconsumers in the aftermath of the Equifax breach, but the post-\nbreach consumer protection responses from Equifax have yet to \nbe reassuring.\n    Data collected and stored by credit bureaus must be \nprotected and safeguarded at all times, and when a breach \nhappens, consumers need swift and concrete answers from the \ncompany affected. There are important questions about the best \nways to protect sensitive data, including cybersecurity \nstandards, trends, best practices, and emerging threats, \nparticularly with respect to known cybersecurity \nvulnerabilities.\n    There are also important questions about the regulatory \nlandscape in which the credit bureaus operated before this \nmassive breach, especially the legal and regulatory framework \nfor credit bureaus, including the safeguards framework in the \nGramm-Leach-Bliley Act and consumer protections contained in \nthe Fair Credit Reporting Act.\n    Also, what is the relationship between data breaches and \nthe incidence of identity theft and fraud? Data breaches may \nhave become so commonplace that data experts and security \nexperts have expressed concerns about breach fatigue.\n    Congress cannot afford to be lax or idle in its oversight \nof these critical issues. The testimony today is an important \nstep toward answering the many questions that consumers are \nlooking for, and I look forward to hearing from our witnesses \ntoday.\n    [The prepared statement of Mr. Latta follows:]\n\n               Prepared statement of Hon. Robert E. Latta\n\n    One month ago, this subcommittee was the first to hear \ntestimony from former Equifax CEO Richard Smith about how his \ncompany\'s failure to protect against a known data security \nvulnerability led to the loss of over 145 million Americans\' \nsensitive information.\n    Our investigation continues into the Equifax breach and \ntoday\'s hearing is another step to get answers for the public \nabout:\n    <bullet> what the industry response has been to this \nbreach,\n    <bullet> if the cybersecurity landscape has shifted as a \nresult of the breach, and\n    <bullet> what laws and regulations are at issue.\n    On Friday, our Full Committee Chairman Greg Walden authored \nan op-ed in which he raised questions about how actions taken \nby businesses built around individual\'s data affect security, \nprivacy, and individual\'s online identities. All of these \nissues are critically important to understand in our digital \neconomy and I look forward to working with the chairman and my \nfellow subcommittee chairman on these issues in the coming \nmonths.\n    The Equifax data breach was a stark demonstration of the \nresponsibility that credit bureaus and all companies have when \nholding millions of Americans\' sensitive information. In fact, \nCongress has recognized the sensitivity of this data and \nspecifically enacted laws regarding the credit bureau business \nmodel.\n    Today, we are looking for answers about how best to secure \nconsumers\' credit data in order to protect against another \nbreach of this magnitude.\n    We want to shine a light on security practices and \nunderstand the path forward to restore confidence to U.S. \nconsumers.\n    Credit bureaus prepare credit reports based upon \nindividuals\' financial transactions history to provide such \nreports to third parties.\n    For example, lenders, including banks and retailers, use \ncredit reports and related data to evaluate the likelihood that \nborrowers will repay their loans.\n    This credit information assists consumers in accessing \ncredit, buying a house, or securing a job.\n    However, consumers may not know or understand what data has \nbeen collected on them and how it\'s being used by the credit \nreporting industry and their paying customers, including the \nFederal Government.\n    The subcommittee has taken a comprehensive review of the \ncircumstances around the breach.\n    For example, it came to our attention last month that the \nInternal Revenue Service had awarded a no-bid contract to \nEquifax.\n    On October 10th, Ranking Member Schakowsky and I, along \nwith Chairman Walden and Ranking Member Pallone, sent a \nbipartisan letter to IRS Commissioner John Koskinen raising \nconcerns about the IRS\'s decision to award a contract to \nEquifax for identity verification services in the aftermath of \nthe Equifax breach. The contract has since been rescinded.\n    We also sent a bipartisan letter on October 16th to the \nGeneral Services Administration about the agency\'s \nconsideration of data security practices when vetting vendors \nlike Equifax and awarding Government contracts. We look forward \nto GSA\'s response.\n    I thank my colleagues across the aisle for working together \non this serious matter. Chairman Walden and I remain committed \nto working in a bipartisan fashion to get answers for the \nAmerican public and to hold Equifax accountable.\n    When former CEO Richard Smith came to Washington last \nmonth, he said quote: ``the breach occurred because of both \nhuman error and technology failures.\'\'\n    These quote-unquote ``errors\'\' and ``failures\'\' allowed \ncriminals to access over 145 million Americans\' data.\n    As a result, names, addresses, birthdates, and full nine-\ndigit Social Security numbers were exposed.\n    And certain driver\'s license, credit card, and credit \ndispute information were taken.\n    If your credit card information is stolen, you can contact \nVisa or MasterCard and they\'ll reissue you a new card and \ncredit card number.\n    If your Social Security number is stolen, it\'s much, much \nmore complicated to get a new number.\n    A Social Security number is intrinsically tied to each and \nevery one of us.\n    According to the FTC, there were nearly 400,000 identity \ntheft complaints in 2016, or 13 percent of all consumer \ncomplaints received, with 29 percent of consumers reporting \nthat their data was used to commit tax fraud in 2016.\n    Consumers also reported that their stolen data was used for \ncredit card fraud; rising to more than 32 percent in 2016 from \nnearly 16 percent in 2015.\n    In the aftermath of the Equifax breach, months later, \nconsumers may still be confused about how best to protect \nthemselves.\n    All of this is disconcerting, and frankly unacceptable.\n    This subcommittee, and agencies like the Federal Trade \nCommission, have been providing useful information to consumers \nin the aftermath of the Equifax breach.\n    But the post-breach consumer protection responses from \nEquifax have yet to be reassuring.\n    Data collected and stored by credit bureaus must be \nprotected and safeguarded at all times, and when a breach \nhappens consumers need swift and concrete answers from the \ncompany affected.\n    Our subcommittee members continue to ask whether consumers \ncan be confident in the security of their data.\n    There are important questions about the best ways to \nprotect sensitive data, including cybersecurity standards, \ntrends, best practices and emerging threats particularly with \nrespect to known cybersecurity vulnerabilities.\n    There are also important questions about the regulatory \nlandscape in which the credit bureaus operated before this \nmassive breach.\n    For example, what is the legal and regulatory framework for \ncredit bureaus, including the safeguards framework in the \nGramm-Leach-Bliley Act and consumer protections contained in \nthe Fair Credit Reporting Act?\n    Finally, what is the relationship between data breaches and \nincidence of identity theft and fraud?\n    Data breaches may have become so commonplace that data \nsecurity experts have expressed concerns about ``breach \nfatigue.\'\'\n    Though there may be fatigue, Congress cannot afford to be \nlax or idle in its oversight over these critical issues.\n    I look forward to the testimony of the panel.\n\n    Mr. Latta. And the Chair now recognizes the ranking member \nof the subcommittee from Illinois for 5 minutes. The gentlelady \nis recognized.\n    Ms. Schakowsky. I thank you, Mr. Chairman.\n    Before I give my opening remarks, I must mention that I \nactually considered raising a point of order against the \nsubcommittee accepting testimony from James Norton at the \nhearing today.\n    I want to make perfectly clear that I am not objecting to \nanything that Mr. Norton might say, but this committee has \nrules of order, and they need to be followed. James Norton was \nnot listed on the memorandum that was distributed by the \ncommittee, and we found out that he was going to testify last \nnight and saw testimony very late last night.\n    While I understand that another witness was unable to make \nthe hearing today because of illness, this last-minute \nreplacement is really not respectful to the members of the \nsubcommittee. It is disrespectful to the other witnesses on the \npanel. It is disrespectful, I believe, to the millions of \nAmericans that are concerned about the security of their credit \ninformation. And it violates the committee\'s rules.\n    So Mr. Norton is here and ready to testify, and I \nappreciate that he was able to prepare so quickly. I will not \nbe objecting today, but I do want to make it clear that \nviolations of the committee rules are not acceptable and that I \nwill object if this happens again.\n    I want to also say that I appreciate the bipartisan way in \nwhich we have been able to work together. The rules are \nimportant.\n    So if I could begin----\n    Mr. Latta. Thank you very much. And the lady is recognized \nfor 5 minutes. Thank you.\n\n       OPENING STATEMENT OF HON. JANICE D. SCHAKOWSKY, A \n     REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS\n\n    Ms. Schakowsky. Thank you.\n    So today we continue our conversation on data security in \nthe wake of the Equifax data breach.\n    In our October 3rd hearing with former Equifax CEO Richard \nSmith, I asked him if I, as a consumer, can opt out of Equifax. \nAfter all, I never opted in. Equifax collects my data--that is, \nlike, 1,500 pieces of information on each individual--whether I \nwant it to or not, and now my data is at risk because Equifax \nfailed to adequately protect it.\n    Mr. Smith essentially said, ``No, you can\'t opt out. That\'s \nnot how it works.\'\' This is incredibly frustrating for \nconsumers, including the 145.5 million victims of the Equifax \nbreach. That is about half the population. We have little power \nto protect their sensitive personal information, as credit \nreporting agencies and data brokers go under-regulated and \nunder-scrutinized. I venture to say a lot of people didn\'t even \nknow about Equifax until the breach came out.\n    We need to change that power balance by strengthening \nconsumer protections around credit data. I don\'t buy the \nnarrative that the Equifax breach happened because of a single \ncareless employee. The system in place at Equifax allowed for a \nknown and well-publicized security vulnerability in the Apache \nStruts software to go unpatched for months.\n    After the breach was discovered, Equifax took nearly 6 \nweeks to notify consumers. Congress, the Federal Trade \nCommission, and the Consumer Financial Protection Bureau were \nnot notified.\n    The website set up for consumers was a mess. Equifax \ntweeted links to a fake website. And the company is only \nproviding 1 year of free credit monitoring services. We are \nawaiting clarification from Equifax on the credit lock service \nthat it promised to offer at our last hearing.\n    Those failures should not be a surprise. What incentive \ndoes Equifax have to protect consumer data on the front end \nwhen consumers aren\'t its real customers? I have not heard a \nparade of companies saying that they will refuse to provide \nEquifax with consumer data or refuse to use its services. This \nmarket is failing American consumers, and that is why Congress \nand consumer watchdogs must step in.\n    I welcome the CFPB Director, Richard Cordray\'s call for \nembedded regulators at the credit reporting agencies. I look \nforward to the results of investigations into the breach, such \nas the investigation at the Federal Trade Commission. State \nattorneys general are also pursuing legal action against the \ncompany. And, ultimately, we need stronger legislation.\n    Last month, I joined several other members of this \nsubcommittee in introducing the Secure and Protect Americans\' \nData Act. Our bill establishes data security requirements to \nprotect consumers\' personal information. That includes special \nrequirements for data brokers like Equifax that collect \nconsumer data often without the consumers\' knowledge. And it \nempowers the Federal Trade Commission to enforce those \nregulations with civil penalties.\n    Our bill requires timely notification to State and Federal \nlaw enforcement agencies and to consumers when a data breach \noccurs.\n    Finally, our bill requires meaningful remedies for breach \nvictims. Victims would be entitled to 10 years of free credit \nmonitoring or quarterly credit reports. And our bill enables \nbreach victims to control access to their personal information \nand credit reports at no charge.\n    Our legislation would be a good first step, but I am \ninterested in further action the Congress could take. In \nwritten testimony, Mr. Schneier calls for making credit freezes \nthe default so that consumers are opting in to have their data \nshared rather than paying to opt out.\n    I expect the industry to engage with these ideas, given the \nproblems consumers face. Old excuses that this is too big a \nchange from the status quo don\'t cut it anymore.\n    On October 12, the Democratic members of the subcommittee \nrequested a hearing with current Equifax employees. We also \ncalled for advancing bipartisan data security legislation \nthrough the committee by the end of this year. And, Chairman \nLatta, I repeat that call today. Our subcommittee has been \nbipartisan in demanding answers for breach victims. We should \nnow be bipartisan in pursuing action. I stand ready to work \nwith you on real solutions to protect American consumers.\n    And thank you for the latitude you have given me, and I \nyield back.\n    Mr. Latta. Well, thank you very much.\n    The gentlelady does yield back.\n    And the Chair now recognizes the chairman of the full \ncommittee, the gentleman from Oregon, for 5 minutes.\n\n  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN \n               CONGRESS FROM THE STATE OF OREGON\n\n    Mr. Walden. I thank the chairman. And thank you for your \nleadership on this and many other issues that we have \nsuccessfully moved through.\n    This morning, we are here to discuss the topic of \nprotecting America\'s data in the digital age.\n    The advent of new technologies has reduced barriers and \neased the ability of consumers to access credit and make needed \npurchases in ways unimaginable not very long ago. In literally \nminutes, using one\'s phone, Americans can procure a loan to \npurchase a refrigerator, a car, or even a home. The most \nremarkable thing about this is how unremarkable it has become.\n    As with any invention, the technological innovations that \nhave facilitated access to credit bring with them new perils. \nAs this committee explored in our hearing last month, Equifax, \nthe credit reporting agency entrusted to safeguard the most \nimportant financial data of millions of Americans, instead \nallowed hackers to access that information through their \nfailure to implement a software patch that had been brought to \ntheir attention by the Department of Homeland Security. There \nis no excuse for that.\n    And, in fact, consumers all over America now are trying to \nfigure out what do they do next. We had a conversation of that \nin my own household this weekend. A relative of mine and we \nhave been breached. Everybody is going, ``Now what do I do? And \nwhy do I have to pay? And what do I have to sign up--where do I \ngo?\'\' This has to get fixed. Enough.\n    Consumers are the one that are getting taken to the \nwoodshed here. Companies are making billions of dollars off of \nour data, and we have had it. And we want to do the right \nthing; we don\'t want to do what Government often does, which is \ncompletely overreact and create a whole new regulatory regime \nthat doesn\'t work. But let the message go out: This is serious \nstuff, and consumers are dramatically affected. They are \ninconvenienced, and it becomes costly to them.\n    Unfortunately, the Equifax incident was only one example of \nthe keepers of sensitive data failing to do their duty. For \nmillions of current and former U.S. Government employees, \nincluding many people in this room, the Federal Office of \nPersonnel Management similarly failed to live up to its trust \nto protect their most sensitive data. The OPM breach allowed \nhackers to access data used by the U.S. Government to determine \nwhether a security clearance could be granted, including the \nconsumer credit information, demonstrating that even the \nGovernment struggles to protect its most sensitive data.\n    These incidents and others like them demonstrate the \nchallenges of protecting consumer information in this digital \nage. We know it is not easy. They also remind us of how high \nthe stakes are and how critically important it is that \nAmericans know that when they fill out an application to obtain \ncredit they are not exposing their most personal information to \nbad actors all over the world.\n    There are a host of laws on the books already that require \ncompliance--let\'s not lose sight of that--and that furnishers \nof consumer credit informations are required to take steps to \nsecure the data already under the law. The Gramm-Leach-Bliley \nAct prohibits financial institutions from disclosing nonpublic \ninformation without the consumers\' consent. That is a law. The \nFair Credit Reporting Act deems the unauthorized disclosure of \nconsumer reports to be, quote, ``an unfair or deceptive act or \npractice.\'\' That is a law.\n    The Dodd-Frank Act created an entirely new Federal \nbureaucracy, the Consumer Financial Protection Bureau, and \ncharged it, among other duties, with the task of protecting \nconsumer financial information. Despite these new and sweeping \npowers, the Bureau seemed completely unaware that a company had \nfailed to implement the necessary software patch that could \nhave saved Americans\' data from hackers.\n    As I noted at the Equifax hearing last month, you can\'t fix \nstupid. But, surely, we can do better. Despite all these \nexisting laws and authorities, Equifax allowed the most \nsensitive consumer credit information of 145 million Americans \nto be exposed. Equifax\'s entire business model is predicated on \ncollecting, maintaining, and securing individuals\' private \nfinancial transaction history. It failed, and now Equifax must \nface serious consequences.\n    All of us, I am sure, are interested in any insights our \nwitnesses can provide into how, despite these policies and \nprocedures, incidents like the Equifax breach still happen. \nThere are longstanding Federal, State, and private data \nsecurity standards and requirements for protecting Americans\' \nsensitive financial data. I am interested in learning more \nabout any gaps or areas for improvement. The instantaneous \nability to obtain credit is a remarkable blessing in the \nelectronic age, but it doesn\'t work when your data are stolen \nand sold on the dark net. Our ability to obtain credit is only \nas strong as our data protection.\n    So I appreciate our witnesses today. And I especially \nappreciate our substitute witness, who at the last minute made \naccommodations to share your knowledge with us. Thank you. I am \nsorry the witness that we had scheduled had to leave, violently \nill. And so we appreciate, on short notice, your ability to \ncome and help inform us in our work.\n    [The prepared statement of Mr. Walden follows:]\n\n                 Prepared statement of Hon. Greg Walden\n\n    This morning we are here to discuss the topic of protecting \nAmericans\' data in the digital age. The advent of new \ntechnologies has reduced barriers and eased the ability of \nconsumers to access credit and make needed purchases in ways \nunimaginable even a few generations ago.\n    In literally minutes, using only one\'s phone, Americans can \nprocure a loan to purchase a refrigerator, a car, or even a \nhouse. The most remarkable thing about this is how unremarkable \nit has become.\n    As with any invention, the technological innovations that \nhave facilitated access to credit bring with them new perils. \nAs this committee explored in our hearing last month, Equifax, \na credit reporting agency entrusted to safeguard the most \nimportant financial data of millions of Americans, instead \nallowed hackers to access that information through their \nfailure to implement a software patch that had been brought to \ntheir attention by the Department of Homeland Security.\n    Unfortunately, the Equifax incident was only one example of \nthe keepers of sensitive data failing to do their duty. For \nmillions of current and former U.S. Government employees, \nincluding many people in this room, the Federal Office of \nPersonnel Management similarly failed to live up to its trust \nto protect their most sensitive data.\n    The OPM breach allowed hackers to access data used by the \nU.S. Government to determine whether a security clearance \nshould be granted, including consumer credit information, \ndemonstrating that even the Government struggles to protect its \nmost sensitive information.\n    These incidents and others like them demonstrate the \nchallenges of protecting consumer information in the digital \nage. They also remind us of how high are the stakes, and how \ncritically important it is that Americans know that when they \nfill out an application to obtain credit they are not exposing \ntheir most personal information to the world.\n    There are a host of laws on the books that require the \ncompilers and furnishers of consumer credit information to take \nsteps to secure that data. The Gramm-Leach-Bliley Act prohibits \nfinancial institutions from disclosing nonpublic information \nwithout the consumer\'s consent.\n    The Fair Credit Reporting Act deems the unauthorized \ndisclosure of consumer reports to be an ``unfair or deceptive \nact or practice.\'\'\n    The Dodd Frank Act created an entirely new Federal \nbureaucracy, the Consumer Financial Protection Bureau, and \ncharged it, among other duties, with the task of protecting \nconsumer financial information.\n    Despite these new and sweeping powers, the Bureau seemed \ncompletely unaware that the company had failed to implement the \nnecessary software patch that could have saved Americans\' data \nfrom hackers.\n    As I noted at the Equifax hearing last month, ``you can\'t \nfix stupid.\'\' But surely we can do better.\n    Despite all of these existing laws and authorities, Equifax \nallowed the most sensitive consumer credit information of 145 \nmillion Americans to be exposed.\n    There is no excuse.\n    Equifax\'s entire business model is predicated on collecting \nand maintaining individual\'s private financial transaction \nhistory. It failed, and now Equifax must face serious \nconsequences.\n    All of us, I am sure, are interested in any insights our \nwitnesses can provide into how, despite these policies and \nprocedures, incidents like the Equifax breach still happen. \nThere are long-standing Federal, State and private data \nsecurity standards and requirements for protecting Americans\' \nsensitive financial data. I am interested in learning about any \ngaps or areas for improvement.\n    The instantaneous ability to obtain credit is a remarkable \nblessing that remains all too unavailable for most people \nliving in less technologically advanced places. But for the \ncompanies and networks that make this privilege possible comes \ngreat responsibility.\n    Our ability to obtain credit is only as strong as our data \nprotection. In the cyber world foxes are always trying to break \ninto the henhouse. It is our duty, and the duty of the \npossessors of sensitive consumer information, to make sure we \nhave a strong fence.\n    I look forward to hearing from our witnesses.\n\n    Mr. Walden. And, with that, Mr. Chair, I yield back the \nbalance of my time.\n    Mr. Latta. Well, thank you very much.\n    The gentleman yields back the balance of his time.\n    The Chair now recognizes the ranking member of the full \ncommittee, the gentleman from New Jersey, for 5 minutes.\n\nOPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE \n            IN CONGRESS FROM THE STATE OF NEW JERSEY\n\n    Mr. Pallone. Thank you, Mr. Chairman.\n    I am glad we are holding this hearing, and I hope the \ncommittee will focus on how the practices of the credit \nreporting and data collection industries affect consumers.\n    But today\'s hearing should not take the place of additional \nhearings on the data breach at Equifax. Too many questions \nremain unanswered, and that is why every Democratic member of \nthis subcommittee wrote to you, Mr. Chairman, requesting \nadditional hearings with current Equifax executives.\n    The Equifax breach exposed more than 145 million Americans \nto lifelong threats resulting from their personal information \nbeing exposed. Equifax says that it is, and I quote, ``taking \nresponsibility for its failures,\'\' but Equifax is only \nproviding victims with protections for 1 year. It refuses to \ngive people meaningful control over how Equifax shares and \nsells the personal information that it collects. And that is \nnot taking responsibility; it is taking advantage, in my \nopinion.\n    Consumer reporting agencies collect vast amounts of \npersonal information on almost every American, including \nchildren. And this is the information that determines whether \nsomeone gets a job or a new home or can afford medical care. \nAnd these companies are data brokers, too, selling all of that \ninformation to advertisers and others.\n    You and I are not their customers. We are the product. \nThese companies make their money selling our information to \nother companies, often without our knowledge and certainly \nwithout our approval. So they have no reason to limit the \ninformation they collect, to limit sharing or selling of that \ninformation, or to properly secure it.\n    Cyber attacks happen on an hourly basis, with more than \n1,100 this year alone. Consumer reporting agencies and data \nbrokers make rich targets for hackers because of the \nsensitivity and quantity of information they hold. And those \ncompanies know it. In fact, it was reported that Equifax was \nwarned by a security researcher in late 2016 that Equifax was \nvulnerable to attack, but Equifax did nothing and had no \nincentive to do anything.\n    Right now, there are gaping holes in the laws and \nregulations when it comes to collecting and securing our \npersonal information. The bill that Ranking Member Schakowsky \nand I introduced, the Secure and Protect Americans\' Data Act, \nwould close some of these loopholes.\n    It would provide the Federal Trade Commission with the \nauthority to assign monetary penalty against companies that \nfail to protect personal information or who fail to provide \ntimely and meaningful notice to consumers that their \ninformation has been stolen. It would also give additional \nprotections to victims after a breach. The bill would require \nthat companies that failed to secure individuals\' personal \ninformation provide free credit freezing or locking to a victim \nfor at least 10 years after a breach.\n    So we all need to reexamine this industry\'s approach to \nconsumer protection, including on issues like forced \narbitration and the Federal Government\'s examination or \nauditing of these companies. We should also look at freezing \ncredit reports by default, ensuring the data that is collected \nis actually correct, and give people control over their own \npersonal information.\n    Now, in our hearing and again today, on the Equifax breach, \nChairman Walden said that, and I quote, ``we can\'t fix \nstupid.\'\' But we have seen over and over again that breaches \nare not the result of stupidity. They happen because these \ncompanies choose not to invest in security. And, ultimately, it \nis the American people that pay the price for that choice.\n    [The prepared statement of Mr. Pallone follows:]\n\n             Prepared statement of Hon. Frank Pallone, Jr.\n\n    I\'m glad we are holding this hearing, and I hope the \ncommittee will focus on how the practices of the credit \nreporting and data collection industries affect consumers. But \ntoday\'s hearing should not take the place of additional \nhearings on the data breach at Equifax. Too many questions \nremain unanswered. And that\'s why every Democratic member of \nthis subcommittee wrote to you, Mr. Chairman, requesting \nadditional hearings with current Equifax executives.\n    The Equifax breach exposed more than 145 million Americans \nto lifelong threats resulting from their personal information \nbeing exposed. Equifax says that it is ``taking \nresponsibility\'\' for its failures. But Equifax is only \nproviding victims with protections for 1 year. It refuses to \ngive people meaningful control over how Equifax shares and \nsells the personal information that it collects. That\'s not \n``taking responsibility.\'\' It\'s taking advantage.\n    Consumer reporting agencies collect vast amounts of \npersonal information on almost every American, including \nchildren. This is the information that determines whether \nsomeone gets a job or a new home, or can afford medical care. \nAnd these companies are data brokers too, selling all of that \ninformation to advertisers and others.\n    You and I are not their customers. We are the product. \nThese companies make their money selling our information to \nother companies, often without our knowledge and certainly \nwithout our approval. So they have no reason to limit the \ninformation they collect, to limit sharing or selling of that \ninformation, or to properly secure it.\n    Cyberattacks happen on an hourly basis, with more than \neleven-hundred this year alone. Consumer reporting agencies and \ndata brokers make rich targets for hackers because of the \nsensitivity and quantity of information they hold. And those \ncompanies know it. In fact, it was reported that Equifax was \nwarned by a security researcher in late 2016 that Equifax was \nvulnerable to attack. Equifax did nothing and had no incentive \nto do anything.\n    Right now, there are gaping holes in the laws and \nregulations when it comes to collecting and securing our \npersonal information. The bill that Ranking Member Schakowsky \nand I introduced, the Secure and Protect Americans\' Data Act, \nwould close some of those holes. It would provide the Federal \nTrade Commission with the authority to assign monetary \npenalties against companies that fail to protect personal \ninformation or who fail to provide timely and meaningful notice \nto consumers that their information has been stolen. It would \nalso give additional protections to victims after a breach. The \nbill would require that companies that failed to secure \nindividuals\' personal information provide free credit freezing \nor locking to a victim for at least 10 years after a breach.\n    We also need to reexamine this industry\'s approach to \nconsumer protection, including on issues like forced \narbitration, and the Federal Government\'s examination or \nauditing of these companies. We should also look at freezing \ncredit reports by default, ensuring the data that is collected \nis actually correct, and give people control over their own \npersonal information.\n    In our hearing on the Equifax breach, Chairman Walden said \nthat we ``can\'t fix stupid,\'\' but we have seen over and over \nagain that breaches are not the result of stupidity. They \nhappen because these companies choose not to invest in \nsecurity. Ultimately, it\'s the American people that pay the \nprice for that choice.\n    Thank you, I yield back.\n\n    Mr. Pallone. I yield the remainder of my time to \nCongresswoman Matsui.\n    Ms. Matsui. Thank you, Ranking Member Pallone. And I am \nvery pleased to cosponsor the Secure and Protect Americans\' \nData Act that you introduced with Ranking Member Schakowsky.\n    The need for data security and breach notification \nrequirements are not new. California passed notification \nlegislation a decade and a half ago. But 15 years later, many \nAmericans don\'t know what happens to their online data, as the \nEquifax breach has shown us.\n    In an event that sensitive personal data maintained on an \ninformation system is breached, there is no comprehensive \nFederal law that will protect consumers. That is absolutely \nunacceptable.\n    Consumers deserve to know more about how their information \nis held once it is entered online. It may be that a \ncomprehensive profile of my constituents\' online activity could \nbe compiled without them having any knowledge of how or for \nwhat purpose that data is being used. Consumers deserve a \nFederal backstop when that data is compromised.\n    I look forward to working with the committee on ideas to \nbest provide that certainty to Americans.\n    Thank you, and I yield back.\n    Mr. Pallone. Thank you.\n    And I yield back, Mr. Chairman.\n    Mr. Latta. Thank you very much.\n    The gentleman yields back the balance of his time, and this \nnow concludes our Member opening statements. The Chair reminds \nMembers that, pursuant to committee rules, all Members\' opening \nstatements will be made part of the record.\n    Additionally, I ask unanimous consent that the Energy and \nCommerce Committee members not on the Subcommittee on Digital \nCommerce and Consumer Protection be permitted to participate in \ntoday\'s hearing.\n    Without objection, so ordered.\n    Again, I want to thank our witnesses for being with us \ntoday and taking time to testify on this very important matter \nbefore the subcommittee. Today\'s witnesses will have the \nopportunity to give 5-minute opening statements, followed by a \nround of questions from our members.\n    Our witness panel for today\'s hearing will include: Mr. \nFrancis Creighton, who is the president and CEO of the Consumer \nData Industry Association; Mr. James Norton, adjunct lecturer \nat the Johns Hopkins University; Mr. Bruce Schneier, who is the \nadjunct lecturer in public policy at the Harvard Kennedy \nSchool; and Ms. Anne Fortney, who is partner emeritus at Hudson \nCook.\n    And, again, I would like to again thank Mr. Norton for his \nlast-minute replacement of Mr. Greene, who informed the \nsubcommittee that he was unable to testify because of illness. \nSo we appreciate it.\n    And before we get started, again, our witnesses will have 5 \nminutes.\n    If you would like to pull the microphone up close and press \nthe button.\n    And, Mr. Creighton, you are recognized for 5 minutes. \nThanks again for your testimony today.\n\nSTATEMENTS OF FRANCIS CREIGHTON, PRESIDENT AND CHIEF EXECUTIVE \n  OFFICER, CONSUMER DATA INDUSTRY ASSOCIATION; JAMES NORTON, \n  ADJUNCT LECTURER, JOHNS HOPKINS UNIVERSITY ZANVYLL KRIEGER \n    SCHOOL OF ARTS AND SCIENCES; BRUCE SCHNEIER, FELLOW AND \nLECTURER, BELFER CENTER FOR SCIENCE AND INTERNATIONAL AFFAIRS, \nHARVARD KENNEDY SCHOOL, AND FELLOW, BERKMAN CENTER FOR INTERNET \nAND SOCIETY AT HARVARD LAW SCHOOL; AND ANNE P. FORTNEY, PARTNER \n                   EMERITUS, HUDSON COOK, LLP\n\n                 STATEMENT OF FRANCIS CREIGHTON\n\n    Mr. Creighton. Thank you.\n    When I took this position with CDIA back in May, I was \nexcited to come here because I wanted to work on an issue I am \npassionate about: How do we bring more people out of the \nfinancial shadows and into the regulated financial system? \nConsumer reporting is one of the best ways to achieve that \ngoal, and I am excited to have the opportunity to tell that \nstory.\n    But the news that was revealed on September 7 changed that \nconversation. The scale of the criminal attack at Equifax is \nbreathtaking, and, like you, I want to better understand what \nhappened and make sure it never happens again.\n    But in the wake of the attack, we have heard a number of \nstatements that go beyond making sure this doesn\'t happen \nagain, that somehow the credit reporting system is unregulated \nand that consumers are getting ripped off. Nothing could be \nfurther from the truth.\n    First, this industry is highly regulated. My written \nstatement goes into more detail, but we are subject to the Fair \nCredit Reporting Act, one of the most important and strongest \nconsumer protection statutes on the books today. FCRA subjects \nreporting companies to comprehensive regulatory and consumer \nprotection regimes. The FCRA protects privacy, includes \ncriminal penalties for people who abuse the system, mandates \nthe accuracy and completeness of consumer reports, and makes \nthe process transparent for consumers.\n    On data security, the nationwide consumer reporting \nagencies are subject to the FTC\'s safeguards rule as nonbank \nfinancial institutions under the Gramm-Leach-Bliley Act. We are \nalso regulated and face enforcement by the State attorneys \ngeneral, contractual obligations from our financial institution \ncustomers, make sure we meet the requirements of the Federal \nFinancial Institutions Examination Council.\n    At every level, this is a well-regulated industry. If in \nthe course of the investigation we find a regulatory gap in a \nparticular area, we pledge to work with you to address it. \nProtecting consumer data is the most important thing we do. It \nis not just good for business; it is the right thing to do.\n    But if this were just a question of regulation, that would \nbe one thing, but since the hack, we have heard people suggest \nthat maybe we don\'t need a consumer reporting system at all. \nOur credit reporting system today is the envy of the world. It \nis one of the main reasons American consumers have such a \ndiverse range of lenders and products from which to choose.\n    This stands in stark contrast to many other financial \nsystems, including those in developed nations. American \nconsumers have access to the most democratic and fair credit \nsystem ever to exist. Individual consumers have the liberty to \naccess credit anywhere in the country, from a wide variety of \nlenders, based solely on their own personal history of how they \npersonally have handled credit. So when a family tries to buy a \nhouse for the first time, they can access the right mortgage \nfor their own personal needs. A young person who comes here to \nwork on the Hill and has to buy a car to get to work can go to \nan auto dealer and drive off the lot the same day even if she \nor he has never been to this area. A young family can access \ncredit through a mainstream financial institution rather than \ndepending upon shadowy lending services.\n    Without access to a full credit report, lenders, landlords, \ncommunity banks, credit unions, insurance companies, and others \nwon\'t know how a consumer has handled their obligations in the \npast unless those service providers know the customer \npersonally.\n    Credit reports are also a check on human bias and \nassumptions. They provide lenders with facts that contribute to \nequitable treatment for consumers. CDIA members establish an \naccountable and colorblind system for judging creditworthiness. \nWithout this system, subjective judgments could be based on \nfactors other than the fact of creditworthiness.\n    Today\'s credit reporting system has made it possible for \nmiddle-class consumers to get credit at rates that previously \nwere reserved only for the wealthy. Credit reporting companies \nare innovating to solve the problem of the unbanked, thin-file, \nand credit-invisible consumers who have not had a chance to \nparticipate in the mainstream financial system.\n    This is a system that works whether you are at a global \nbank or at a community-based credit union, because companies \nshare critical information across the system to benefit \neveryone. In one sense, lenders take their sensitive customer \ninformation and share it with a trusted third party so that \nanother financial institution, potentially a competitor, can \nuse that information to make a more informed lending decision. \nThis results in lower prices, more choices for consumers, and a \nsafer and sounder financial system.\n    Our individual credit reports tell the story of our \nindividual choices. They are neither positive nor negative. \nThey are our best attempt at an accurate portrait of what we \nindividually have done. And they offer the tools lenders and \nothers need to make judgments about how a particular person \nwill handle his or her obligations in the future.\n    Thank you for having me here today. I look forward to your \nquestions today and in the future.\n    [The prepared statement of Mr. Creighton follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Latta. Again, thank you very much for testifying before \nus today.\n    And, Mr. Norton, you are recognized for 5 minutes.\n\n                   STATEMENT OF JAMES NORTON\n\n    Mr. Norton. Thank you, Chairman Latta, Ranking Member \nSchakowsky, and members of the subcommittee. Thank you very \nmuch for inviting me to testify before you today.\n    My name is James Norton, and I am the founder and president \nof Play-Action Strategies, a homeland security consulting firm \nhere in Washington, DC. I am also a member of the Johns Hopkins \nUniversity faculty, teaching graduate courses on homeland \nsecurity and cybersecurity.\n    Previously, I served in multiple positions at the \nDepartment of Homeland Security under President George W. Bush, \nincluding as Deputy Assistant Secretary of Legislative Affairs. \nI was a member of the Department\'s first team tasked with \nconfronting the then-nascent cybersecurity threat.\n    My testimony will focus on how attacks like the one that \nled to the Equifax breach fit into the larger cybersecurity \ncontext and what can be done to strengthen cybersecurity \nprotections on the front end.\n    Today, cybersecurity threats are pervasive, and any company \nor institution that houses large amounts of personal data is a \npotential target. Each year, hackers and other bad actors \nlaunch millions of attacks on cyber infrastructure maintained \nby governments, businesses, and individuals.\n    Current cyber threats take many forms and target a range of \nvulnerabilities, increasing the complexity of cybersecurity \nmissions. Attacks like the Equifax breach, the WannaCry \nransomware attack, and the Yahoo breach in 2013-2014 are more \nwidespread and complex than earlier intrusions, demonstrating \nthat bad actors are becoming more sophisticated in their \nefforts. So far, cybersecurity protections have largely failed \nto keep pace.\n    While security frameworks like those laid out in the Gramm-\nLeach-Bliley Act and the Fair Credit Reporting Act are \nimportant guideposts and should be maintained, lawmakers should \nresist the temptation to put in place rules and regulations \nthat requires companies and institutions to take specific \nfederally prescribed actions to address cybersecurity issues \nresulting in limited flexibility for private-sector companies \nto respond to emerging threats. Instead, I would encourage \nofficials to commit themselves to working collaboratively with \nbusinesses and consumers to share best practices and raise \nawareness about the scope and sophistication of cyber threats.\n    To help meaningfully address cybersecurity challenges, I \noffer the following recommendations for the subcommittee:\n    The Federal Government should take the lead in convening \nrelevant stakeholder meetings to develop and share best \npractices, including an examination of how efforts currently \nunderway within the Federal Government and in the private \nsector can be adapted for applications in other sectors, as \nwell as help businesses better understand the national security \nthreat with the intelligence that is available to the \nGovernment.\n    Government officials and private-sector leaders must make a \nmore concerted effort to ensure that consumers and even other \nbusinesses, especially small-business owners, are aware of the \nthreat and the tools that are publicly available in the \nmarketplace to reduce the vulnerability.\n    Businesses must encourage a path to integrate cybersecurity \ninto their companies\' culture through regular training and \nupdates, which obviously was lacking with Equifax.\n    I thank the committee for holding this important hearing, \nand I look forward to your questions. Thank you.\n    [The prepared statement of Mr. Norton follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Latta. Thank you very much for your testimony.\n    And, Mr.--I want to make sure I am pronouncing your name--\nit is ``Schneier\'\'? ``Schneier\'\'?\n    Mr. Schneier. Rhymes with ``frequent flyer.\'\'\n    Mr. Latta. OK.\n    Ms. Schakowsky. I said it wrong too. I added a D.\n    So ``Schneier,\'\' right?\n    Mr. Latta. We apologize. We want to make sure we get it \nright.\n    You are recognized for 5 minutes. Thank you very much for \ntestifying today.\n\n                  STATEMENT OF BRUCE SCHNEIER\n\n    Mr. Schneier. Thank you for having me.\n    I am Bruce Schneier. I am a fellow and lecturer at the \nHarvard Kennedy School. I am associated with the Berkman Center \nat Harvard. I also work for IBM. I am speaking for none of \nthem. And, actually, it is probably best if we just don\'t tell \nIBM that I am here.\n    The Equifax breach was bad. We have heard a lot of the \ndetails. This was very sensitive information about half of our \ncountry. And Equifax security really was laughably bad, both \nbefore, during, and after the attack. This is also not the \nfirst time. There is a Forbes article that outlines breach \nafter breach from Equifax.\n    So the question I ask is, what is going on? We have this \nlarge data-broker industry whose job is to collect information \nabout us to sell to other people. We are talking about \nfinancial information, but it is actually much more than that: \ninformation about our interests, about what we do, about what \nwe do on the internet, things we buy, places we go. It is \nthousands and thousands of data points about all of us, some of \nthem very intimate, that are wanted by others and are \ncollected, sorted, collated, and sold without our knowledge and \nconsent.\n    And the market can\'t fix this. A couple of people have said \nthat we are not the customers. And that is correct; we are not \nEquifax\'s customer.\n    Chairman Walden said, you know, there is no excuse for \nstupid. There actually is an excuse for what Equifax did. If \nyou are the CEO of Equifax--and he was here--and your choice is \nto either save 5 percent on your budget by having lax security \nand taking the chance or spending the money, you are going to \ntake the chance. You are rewarded by coming in under budget. As \nlong as your customers don\'t complain--and none of them did--\nthat is not a problem. Because we are the product, we are not \nprotected. And that is why this is not something that a market \ncan fix.\n    The CEO left with an $18 million pension. He did OK. His \ndecision was arguably the correct one in this environment.\n    All right. So what should we do here? There is a 2014 FTC \nreport on data brokers. It is worth picking up and reading \nagain. It talks about more transparency and more customer \ncontrol over their data.\n    I would like it if you would fund research into the actual \nharms that come from these breaches. One of the problems in \nlawsuits from customers is that proving harms is hard. If you \nwere the victim of identity theft in 6 months, was it because \nof Equifax or because of half a dozen other breaches? You don\'t \nknow. And without that direct connect, courts will throw out \ncases.\n    I would like to see a nationwide credit freeze, where \ncredit information is given upon permission. There is no reason \nwhy my credit should be given out without my permission. If I \nam applying for a car or I am applying for a mortgage, I am \ngoing to know, so I should be able to do that.\n    I would like some kind of data minimization. We talked \nabout opt out. Be careful, though. Opt out often doesn\'t mean \nopt out. In many of these cases, when you opt out, you opt out \nyour data being given away--not being collected, not being \nstored. You will be just as vulnerable when there is a breach \nif you opted out as if you opted in. So be careful what ``opt \nout\'\' means.\n    I would like the FTC to set minimum security standards, \nfinancial and nonfinancial.\n    And avoid questioning if this is too hard. Right now, a lot \nof these companies operate in Europe. The regulations are much \nmore stringent. Starting next year, we are going to see the \nGDPR, the generalized data protection regulations, even more \nstringent. And they can do things there they can bring here.\n    So a couple of final points.\n    This has some real foreign trade implications. Right now, \nthere are safe harbor rules that allow us, U.S. companies, to \ncollect data on Europeans. If we show that we are incompetent \nat it, those rules are going to be dropped, and we are going to \nhave a lot of problems for our U.S. companies doing business \noverseas.\n    And this has national security implications as well. \nSomeone mentioned that China went after the Office of Personnel \nManagement. They are after data on U.S. citizens. North Korea \nfunds a lot of their stuff using cyber crime. Russia wants our \ndata. The data of all of us, of all of you, are in these \ndatabases, and foreign governments want it. To the extent we \ndon\'t protect it, we are making it easier for them.\n    If you had half a dozen people standing behind you \nconstantly, taking notes on everything you did, you would \nnotice that, and there would be a law immediately making that \nillegal. That is what happens today. There are something like \n2,500 to 4,000 data brokers, and they are in your computer \nsecretly taking notes, collecting data on everything you do, \neverything all of us do.\n    That is a massive industry, and it is invisible. We need to \nmake it visible, and we need to institute some controls. This \nis not something the market can fix, because we are its \nproduct.\n    Thank you.\n    [The prepared statement of Mr. Schneier follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Latta. We appreciate your testimony this morning.\n    And, Ms. Fortney, you are recognized for 5 minutes.\n\n                  STATEMENT OF ANNE P. FORTNEY\n\n    Ms. Fortney. Thank you.\n    Good morning. I am Anne Fortney. Thank you for the \nopportunity to appear before you today.\n    I am the partner emeritus at Hudson Cook law firm. My \ncareer involved more than 40 years\' experience with consumer \nreporting and the credit industry, including service as the \nAssociate Director for Credit Practices at the Federal Trade \nCommission and as in-house counsel at a retail creditor. I also \nserved as a lawyer consulting clients on compliance.\n    Consumers today are understandably very worried about the \nsecurity of their personal information held by large \ncorporations, including credit bureaus. Some background may be \nhelpful in understanding the benefits of the system, the legal \nprotections, and, I think most importantly, the ways in which \nconsumers can personally manage their financial information.\n    Our consumer reporting industry evolved over many years in \norder to meet the needs of banks and commerce so that companies \ncould provide to consumers the products and services they want \nand need. In the late 19th century, creditors came together to \nshare customer payment information. These voluntary information \nexchanges then became credit bureaus.\n    Today, there are four principal credit reporting agencies, \nbut there are also consumer reporting agencies that deal in \ninformation other than credit. These deal in information \nrelating to medical payments, landlord/tenant experience, \ncheck-writing histories, employment, and insurance claims. Each \nkind of consumer reporting agency developed because industry \nmembers agreed to report their information voluntarily to a \ncentralized system in order to serve the respective needs.\n    Consumer reporting agencies today maintain large databases \non consumers, including personal identifying and sensitive \nfinancial information. By engaging in credit transactions, \nconsumers create their credit histories at credit reporting \nagencies. Consumers don\'t specifically opt in to having this \ndata maintained and used, but they benefit from the totality of \ncredit reporting agencies\' information when lenders use it to \nverify their identity as well as determine their eligibility \nfor credit.\n    Despite the clear benefits of the system, the disclosure \nand use of information in these databases pose risks to \nconsumers. Congress has enacted laws to protect consumers\' \nsensitive information while also assuring that the data is \navailable to meet the needs of commerce. My written statement \nsummarizes these laws, and, believe me, they are extensive.\n    In addition, Federal and State officials oversee the \ncollection, use, and security of consumers\' nonpublic data \nthrough bank supervision and legal enforcement. We may focus on \nbig data when there is a security breach, but companies holding \nconsumers\' personal data work continuously to secure the data \nby monitoring, detecting, evaluating, and addressing security \nthreats. And there are millions of such threats. They perform \nthis monitoring to comply with Federal and State laws, but they \nalso do it because the data and the integrity of their data is \nessential to their business. It is not an area where they cut \ncosts.\n    Despite best efforts, however, data breaches can and do \noccur. When measured against the volume of potential data \nsecurity threats, these breaches are very, very infrequent. But \nwhen it is my data that is involved, I am less concerned about \nwhether the system otherwise works so well. I think that is how \nwe all feel.\n    But I know I can protect myself against inaccurate data and \nthe risk of identity theft. Hereis how:\n    First, I monitor my credit report information through a \ncredit monitoring service. I check my credit report and review \nit for any suspicious activity. I accept my bank\'s offers for \nmy free credit score. I read my credit card billing statement \nwhen it arrives, and I notify the card issuer if I don\'t \nrecognize the charges. I also read my checking account \nstatement and contact the bank if there is check fraud. Like \neveryone, I lead a busy life, but these simple measures do not \ntake much time, they are free, and they make me feel secure.\n    I also know what to do if I am worried about being a victim \nof identity theft. I can place fraud alerts on my credit report \nat the three largest credit bureaus. I can get a free report if \nI do so. These alerts reduce the likelihood that someone can \nmisuse my information to open a fraudulent credit account.\n    I can also block the reporting of credit information that \nhas been the result of identity theft. I can go to credit \nbureaus\' websites to learn how to take these steps and to learn \nmore about how to keep my data secure.\n    I can also go to the FTC\'s website for identity privacy and \nonline security. It contains a wealth of useful information \nabout privacy and identity theft. The website will also tell me \nwhat to do if I become a victim of identity theft.\n    In sum, there is a tradeoff between consumers\' right to \nprivacy of their personal information and the commercial needs \nand benefits of that information. Our laws reflect that balance \nin the tradeoff. But we consumers are not powerless in our \nability to monitor and control the accuracy, confidentiality, \nand security of our information.\n    Thank you.\n    [The prepared statement of Ms. Fortney follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Latta. Well, thank you very much for your testimony \ntoday.\n    And, again, we appreciate all of our witnesses for being \nwith us today.\n    And that will conclude the witnesses, and we will start \nwith our Members\' questioning. And I will start with my 5 \nminutes.\n    Mr. Creighton, if I could start with you, considering the \nsize and scope of the Equifax breach, consumers are confused \nand rightfully skeptical about what they should be doing to \nprotect themselves.\n    Could you briefly--and briefly because I have limited \ntime--what should we tell our constituents about how the credit \nreporting industry is securing your sensitive data? And, trust \nme, we are all hearing it from our constituents from phone \ncalls when we are back home.\n    So thank you very much for being here.\n    Mr. Creighton. Sure. And I hear it too. Obviously, this \nimpacts us, everyone here on the panel, as much as it impacts \nyou.\n    What is the industry doing to protect our data? The same \nthing every company that has sensitive information is doing: \nThey are monitoring their systems. They are learning from every \nbreach that happens, not only in our industry but across the \neconomy. We are fighting this war on a daily basis. We are \ngetting attacked nonstop, from nation-states, as one of the \nother witnesses was mentioning, from criminals, and from many \nothers.\n    What do we do? We monitor. We test our system. We try to do \ndata minimization and encryption, inside and while the data is \nin transit, to make sure that if, in fact, somebody is in the \nsystem the information is not usable if they are in there and \nto try to keep them out of the system in the first place.\n    Taking care of consumers\' sensitive personal information is \nthe most important thing that we do. In this case, we failed. \nBut it is still the entire industry\'s number-one priority.\n    Mr. Latta. Thank you very much.\n    Mr. Norton, Equifax is subject to Federal data security \nstandards. Other industries are subject to Federal and State \nsecurity standards. However, breaches continue in all the \nsectors.\n    When companies are evaluating how to protect individuals\' \ndata from cyber criminals or nation-states, are there best \npractices to follow? And, most importantly, how effective are \nthe regulations that are out there in policing companies\' \ncybersecurity practices today?\n    Mr. Norton. Well, I think it is obvious by the number of \nattacks we have seen every day, every week, every year that we \nare not doing enough. So I think that is pretty clear, that, \nyou know, the larger corporations, whether it is Equifax, Home \nDepot, or Target, they have all been exposed and they have all \nbeen attacked because they all are targets because they have a \nlarge amount of information on their systems.\n    I think partnerships through places like Department of \nHomeland Security, Department of Commerce are important to \nestablish. I think real-time information needs to be exchanged \na lot faster than it is right know. I think we need to almost \nindoctrinate some of the business partners with the Federal \nGovernment in terms of allowing them to get some of this \nsensitive information and create that culture that I don\'t \nthink really exists, you know, at a lot of C-suites right now.\n    Mr. Latta. Let me ask you about what you just said. OK, \nexchanging that data in real time, that real-time data, how \nwould you describe that, and how should that be done?\n    Mr. Norton. Well, I think that you need, you know, \ncertainly, somebody that is at a senior level within--a CEO--so \nlet\'s use States, for example. After the 9/11 attacks, a lot of \nGovernors stood up homeland security apparatuses at the State \nlevel and they had homeland security advisers, and I think you \nneed a similar model at the CEO level, where the CEO has a \ncybersecurity--not just an adviser but somebody that is at a \nsenior level that can be in the meeting not once a month, not \nevery 6 months, not every quarter, but every day, and they can \nget briefed every day on these threats.\n    Any company that has large amounts of personal information, \nlike we were talking about earlier, like Equifax, or large \namounts of other types of IP, you know, for example, companies \nthat have, you know, high-end, valuable assets that might be \nfor sale, again, would be something that would be attacked.\n    So I think all these things need to be considered and need \nto be part of that exchange in terms of the day-to-day threat \ninformation. And if DHS or other agencies, you know, need more \nfunding or they need to continue to stand up, then that is an \narea that I think the subcommittee could definitely support.\n    Mr. Latta. Thank you.\n    Ms. Fortney, given your experience at the FTC and in your \nlegal practice, what potential consequences do you see for \nEquifax given the regulatory environment? And, again, what laws \nand regulations are at play in this situation?\n    Ms. Fortney. The first thing we need to do is find out \nexactly what happened. And the FTC has announced--they took the \nextraordinary step to announce that they were conducting what \nis usually a nonpublic investigation.\n    We don\'t know exactly what has happened. The fact that \nthere has been a security breach in general doesn\'t mean that \nthere is a violation of the law. From what we have read--and \nall I know is what I have read in the press--Equifax did not \ntake appropriate measures to prevent the breach.\n    The Fair Credit Reporting Act, if there is any credit \nreporting information that is involved, would come into play. \nThere are civil penalties, as well as the FTC\'s authority to \nprevent future violations.\n    The Gramm-Leach-Bliley rules also require Equifax to \nsafeguard the data on consumers that it holds, and there can be \npenalties there as well. I understand that there is some \nconfusion in terms of whether a violation of the rule itself \nwould result in penalties, but I think the FTC also has \nauthority under other laws.\n    In addition, the FTC has taken the position that their \nauthority to address unfair, deceptive acts or practices can \ncome into play when there is a serious security breach.\n    Mr. Latta. Thank you very much.\n    My time has expired, and the Chair recognizes the ranking \nmember of the subcommittee, the gentlelady from Illinois, for 5 \nminutes.\n    Ms. Schakowsky. Thank you.\n    Mr. Schneier, you recommended that Congress move forward \nwith legislative proposals to make a credit freeze the default, \neffectively blocking access to consumer credit reports except \nwhen the consumer permits access for the specific purpose.\n    You believe this step would protect consumers\' privacy and \nmake consumer information more secure. Is that correct?\n    Mr. Schneier. I think it will prevent the breaches. It is \nnot going to do anything to make Equifax\'s databases more \nsecure. It is not going to do anything to make our data less \nvulnerable, but it will make it less useful. And that, I think, \nis something that is real important.\n    Ms. Schakowsky. Well, let me ask you this. You said that \nwe, the public, are not the customer of Equifax or the data \nreporting agencies. We are, in the sense that--I am sort of \ngalled by the idea that I have to pay for the credit report. \nActually, I did also go for the one free, and somehow I must \nhave pushed a button that, then, $10 a month was charged in the \nfuture. I finally called them and said, ``How did that \nhappen?\'\' You know, I don\'t exactly know.\n    So we do pay a small amount every month. So they still do \ncharge us for our--you know, except for the one free.\n    Who are, then, the customers? I have gotten a--what do you \ncall it--preapproved credit cards in the mail. I didn\'t ask for \nthat. I am not seeking a loan. So who are the customers, then, \nof these CRAs?\n    Mr. Schneier. The customers are those who want to give you \noffers. And, certainly, anybody who sent you a preapproved \ncredit card got that data.\n    And they get data in very different ways. There was \nsomething I wrote about, and I don\'t remember the details, but \none lender was asking for people who had defaulted on loans so \nthey can sell them basically fraudulent products. The FTC did \nslap a fine on them, but those are the sort of things that are \nhappening.\n    And the way to think of it is that we are not their \ncustomers. And they deliberately make it hard--those credit \nfreezes and credit scores, they are deliberately deceptive. To \nget the free one, you have to navigate a very complex route, \nand occasionally you get taken. There are a lot of things these \ncompanies do----\n    Ms. Schakowsky. [Inaudible.] The score, you know?\n    Mr. Schneier. That is right.\n    Ms. Schakowsky. So the score isn\'t free, in some cases.\n    Mr. Schneier. That is right. Just the data is, so you can \nlook at it.\n    Ms. Schakowsky. Right.\n    Mr. Schneier. And, in some cases, there are things they can \ndo to make things easier, and they don\'t. So, for example, if I \nlog into my network at Harvard, this phone will make a noise \nand will tell me. So if someone else does it, I will know that. \nAnd you can get an app from some banks that, if your credit \ncard is used in a physical location you are not, like in \nCalifornia today, you would be alerted. You are not near your \ncard.\n    And that is sort of a customer-service type of thing. There \nis no reason in the world why the credit agencies can\'t do that \nsame thing: When someone wants my credit, I get an alert. You \nknow, retailer I like? Yes. You know, Russian scammy bank? No. \nI mean, I should be able to do that.\n    But that is a feature that is not going to be offered to \nthe product. As the product, we are supposed to, you know, shut \nup and do what we are told. And if you complain, there are \ngoing to be difficult avenues and you are going to get scammed.\n    Ms. Schakowsky. So I think people need to understand this \nis not just, I am applying to refinance my mortgage or I want \nto get a car. This is, my information is now a product that \nthey can sell to others. Is that right?\n    Mr. Schneier. And it is more than financial information. \nYou have to understand, it is our browsing habits, it is our \nreading habits, it is the things we do, it is the details of \nour life.\n    I mean, you have to assume that that will be purchased by \nsomebody who wants to use it against you. And I think all of \nour Government officials should be concerned about that. Do we \nwant our browsing habits in the hands of opposition research? \nKinda not.\n    Ms. Schakowsky. Have we seen any international reaction to \nthis Equifax breach? You talked about the problems that we may \nincur if our partners around the world think that we can\'t \nprotect data.\n    Mr. Schneier. I haven\'t heard anything about Equifax \nspecifically, but certainly there is agitation in Europe. A lot \nof these safe harbor agreements are very tenuous. And they are \nright now protecting American companies to store Europeans\' \ndata, but I think we can lose them at any time, especially as \nEurope is getting much more regulatory. The GDPR is coming, and \nit is going to be enforced starting in March, and all the U.S. \ncompanies are preparing for that.\n    Ms. Schakowsky. So there is personal and international \nconsequences for consumers and for business.\n    Mr. Schneier. I think there is. I worry about how the U.S. \nwill look in the world market if we show that we can\'t secure \nthe data of Canadians and British and Europeans.\n    Ms. Schakowsky. Thank you.\n    Mr. Latta. Thank you very much.\n    The gentlelady yields back, and the Chair now recognizes \nthe gentleman from Mississippi, the vice chairman of the \nsubcommittee, for 5 minutes.\n    Mr. Harper. Thank you, Mr. Chairman.\n    And thank you to each of you being here. Particularly, Mr. \nNorton, I want to thank you. On such short notice, I am sure \nyou had other things you might have preferred to do. But the \ninformation that each of you are providing is very important.\n    Who knows, Mr. Schneier? Maybe we will get back to just \nwriting letters. You know, maybe that is going to be the \nsolution to protect our personal information on some of this.\n    You know, this is still just an unbelievable event that has \nraised this to a new level. And, Mr. Creighton, I know that--\nyou know, we can talk about this. When I questioned the former \nCEO of Equifax, you know, he said, that is the number-one \nissue, which you restated, which is to protect that personal \ninformation, which was done very poorly.\n    So there are so many issues here, but do all three--and \nthis is for you, Mr. Creighton--do all three major credit \nreporting agencies provide the same information to every \nlender, merchant, et cetera? If not, why is that not the case?\n    Mr. Creighton. Different bureaus may have different \ninstitutions furnishing information into them. When a lender \nasks for information, they will provide the information that \nthey have, but not every bureau has exactly the same \ninformation that every other bureau does.\n    It is one of the reasons why Fannie Mae and Freddie Mac, \nfor example, require that their lenders collect all three \ncredit reports and merge them into one package, to make sure \nthey are getting full coverage.\n    Mr. Harper. So you could request three or four credit \nreports from different CRAs, and they could have variations \nbased upon that technique.\n    Mr. Creighton. Well, for example, if you are an auto \ndealer, a small auto dealer in a particular region, you might \nonly be working with one credit bureau.\n    Mr. Harper. Got it.\n    Now, do credit reporting agencies separate their credit \nreporting and noncredit reporting activities and businesses?\n    Mr. Creighton. Yes. This is an important point. The credit \nfile is distinct from any other business that they have. The \ncredit file is governed by the Fair Credit Reporting Act.\n    And the credit file is only certain kinds of information. \nIt is not the web browsing and all of that other information. \nWhat is in the credit file? Who are you? Who are you, \npersonally? Do you exist? That is, you know, basically public \ninformation. Do you have any judgments again you, like a \nbankruptcy? Do you have credit available? With whom do you have \nthat credit available? How much credit do you have? What is \nyour balance? Do you pay on time? Functionally, that is what is \nin the credit report.\n    Mr. Harper. OK. Thank you for that.\n    And, Mr. Norton, can you talk to us for just a minute and \nexplain a little bit about NIST, the National Institute of \nStandards and Technology, and their cybersecurity framework and \nits importance for today\'s, you know, hearing?\n    Mr. Norton. Yes, absolutely. And, you know, NIST several \nyears ago took an important step, providing voluntary guidance \nfor not only Federal agencies and State and local governments \nbut also for the private sector to start to build out a \nframework to start to talk about, you know, how do you secure \nthe enterprise----\n    Mr. Harper. So when did they start this?\n    Mr. Norton. I don\'t know the exact date. I think it was a \nfew years ago.\n    Mr. Harper. OK. Was Equifax a voluntary participant in \nthis?\n    Mr. Norton. I don\'t know if they were. I am not sure.\n    Mr. Harper. Can you find that out for us and let us know \nthat?\n    Mr. Norton. Sure.\n    Mr. Harper. And go ahead and explain this a little bit \nmore, the cybersecurity.\n    Mr. Norton. But I think to your point that, you know, it \nwas publicly available information, it was something that the \nGovernment was, you know, certainly promoting, in terms of this \nNIST standard, I think that, you know, having these standards \nare very important. I think, you know, the threat still, \nnecessarily, hasn\'t been digested by the private sector. And I \nthink that is part of, you know, a role that the Government \ncould play, in terms of briefing not only on the standards and \nthe voluntary compliance that they should really look at and \nthink about doing but also understanding what are these \nattacks, why are they a target, not just, you know, the bigger \nnation-states but the smaller gangs and the different \norganizations that are out there that, you know, are certainly \ntargeting these things for money, essentially, and to sell this \ndata.\n    Mr. Harper. You know, listening to each of your \ntestimonies, you know, I know Mr. Schneier mentioned that, you \nknow, CEOs willing to take a chance, I don\'t know if that is \ngoing to be the case on the Equifax deal. I think it was just \npure negligence. Somebody--multiple people dropped the ball on \nan easy--you know, this was not a complicated fix. And I know \nwe will find out more when FTC gets through with this and we \nget through with all the investigation that is there. But, you \nknow, constant upgrades of cyber defenses are necessary. They \nonly have to be, you know, correct one time. And, obviously, \nthis, they were in a big way.\n    So, Mr. Norton, do you believe that security standards will \nstop the data breaches as we have now?\n    Mr. Norton. You know, I think that it is certainly an \nimportant part of it. I think that having cybersecurity as a \none-person position within a business is not cybersecurity. \nThat is just having one person. I think you need to have a \nlarger enterprise strategy and plan, and it has to flow up from \nthe CEO all the way down to the lowest employee.\n    If you look at attacks like OPM was mentioned and others, \nit is really the training is an issue, where all employees need \nto be trained on cybersecurity. They need to understand exactly \nwhat these threats are. Because at your desktop is really the \nfront door of a business, and when you get, you know, a \nphishing email or a phishing attack and you click on that link, \nyou have just opened the door.\n    Mr. Harper. And maybe not giving an $18 million bonus to \nsomebody who totally failed in their number-one responsibility.\n    I yield back.\n    Mr. Latta. Thank you very much.\n    The gentleman yields back, and the Chair recognizes the \ngentleman from California for 5 minutes.\n    Mr. Cardenas. Thank you, Chairman Latta. I appreciate this \nopportunity for us as Congress to discuss this very, very \ncritical issue that faces hundreds and hundreds of millions of \nAmericans every single day.\n    In discussions of data breaches and breach legislation, \nthere has been a tendency to focus on financial harms to \nconsumers. Credit reports include a lot of nonfinancial \ninformation, and certainly these companies hold a significant \namount of personal information outside of the credit report \nthat is not financial.\n    Mr.--I am sorry if I pronounce your name wrong--\n``Schneer\'\'?\n    Mr. Schneier. ``Schneier.\'\' That is all right. Nobody has \ngotten it right today.\n    Mr. Cardenas. OK. ``Schneier.\'\' OK. Are you concerned about \nrepercussions of a breach beyond financial harms, and if so, \ncan you give us some examples?\n    Mr. Schneier. So, yes, I think the nonfinancial harms are \nconsiderable. I mean, just thinking of the OPM breach would be \nan example of just nonfinancial data in the hands of the \nChinese Government, and that would be a problem. So, depending \non who stole the Equifax data--we actually don\'t know if it was \ncriminals or a government right now--the harms can be \nconsiderable.\n    And the swap between financial and nonfinancial is fuzzy. \nIf you call your bank or your broker or your insurance company \nand don\'t remember your account, they are going to ask you a \nbunch of questions like where did you live, which of these cars \ndo you own. You have all had that experience. That is \nnonfinancial data, and that is going to be used to authenticate \nyou to a financial institution. So even nonfinancial data has \nvery serious financial ramifications because it is our \nsecondary authenticator.\n    Mr. Cardenas. So, in some cases, somebody might know the \nname of our favorite pet.\n    Mr. Schneier. Favorite pet is actually surprisingly easy. \nThose secret questions turn out to be very insecure.\n    And this is, sort of, again, you are looking at this \ntradeoff in security and convenience. What these companies \nwant--I mean, what the credit card companies want--is for it to \nbe really easy for you to get a new card, so they make that \napplication super-easy. If they made it more secure, made it \nharder for somebody else to get a card in your name, it would \nbe harder for you to get a card, and the companies don\'t want \nthat.\n    So they are making a tradeoff based on their bottom line, \nnot based on your security, to maximize their profits. And that \nis often ease of use, ease of access, making things easier.\n    Mr. Cardenas. Can you give us an example of how \nnonfinancial information can lead to financial harm to an \nindividual that their information has been breached or gotten \ninto the wrong hands?\n    Mr. Schneier. So I just talked about nonfinancial \ninformation being used as a financial authenticator. You can \ncertainly see personal embarrassment leading to all sorts of \nproblems. I mean, lots of instances of that, especially, you \nknow, people who are more marginalized. We see a lot of threats \nagainst women based on exposing personal information that is \nstolen from accounts. And, I mean, that is something that is a \nreal problem and hard to deal with.\n    I pulled up to--I talked about something Equifax did. It \nwasn\'t in my testimony, and I want to mention it, that in 2012 \nthey sold lists of people who were late on their mortgage \npayments to a discount loan company. That was one of their \nproducts. They were fined by the FTC for that. But those are \nthe sorts of practices you see from these companies.\n    Mr. Cardenas. So companies like Equifax, they have dual or \nmore than one role out there in the world? Or they see \nthemselves as being involved in businesses beyond just holder \nof information or reporting of our ability to pay, so to speak? \nThey are actually brokering information out there?\n    Mr. Schneier. If you go out to their website and look under \n``business products,\'\' which is different from the credit \nstuff, and they ask things that are optimized for restaurants, \nfor the travel industry, for--and I forget the whole list of \nindustries that they are selling data to. That data is \nnonfinancial data. It is data about us, slicing and dicing us \nin different categories, so we can be better marketed to.\n    Mr. Cardenas. So, basically, when an American puts their \nhouse up for sale and you see a sign out front, that is pretty \ncut and dry that you have hired somebody to broker for you, to \nactually do something for you, something so personal as we are \ngoing to sell our home.\n    But are you telling me that, unbeknownst to a bunch of \nAmerican citizens, that companies like Equifax are actually \nhaving signs out on their personal information and using it and \nmaking money off of it, unbeknownst to the average American?\n    Mr. Schneier. And that is the business model. The data-\nbroker business model is they collect information, either--they \nwill buy it. They will buy it from the Government. You know, \nStates will sell them driver\'s license information. They will \nget it from companies. They will get it from wherever they can. \nThey will correlate it. They will make inferences based on it. \nI mean, we are hearing about how some of that was used to \ntarget ads in the last election. And then they will sell that \nto people who want it.\n    Mr. Cardenas. OK.\n    Well, I yield back my time. Thank you, Mr. Chairman.\n    Mr. Latta. Thank you very much.\n    The gentleman yields back, and the Chair now recognizes the \nchairman emeritus of the full committee, the vice chairman, the \ngentleman from Texas.\n    Mr. Barton. Thank you, Chairman Latta. And I was here at \nthe gavel. I had to go run to a quick meeting, but I appreciate \nbeing allowed to ask questions at your hearing.\n    The current system is not working. I was here for Gramm-\nLeach-Bliley. I have been on this committee 33 years. We have \nall these--as the first gentleman said, in your testimony, it \nis a heavily regulated industry. You are right about that. But \nwhen it comes to data breaches, all that is required is \ndisclosure. There is no real penalty. Eventually, if it happens \nrepeatedly at the same institution, the FTC has some authority \nto impose some fines.\n    But all these laws that we have passed merely require that \nyou have to inform the customer, the consumer, of how their \ndata may be used, and if it is breached, you have to inform \nthem that it is breached. That is pretty much it. And I don\'t \nthink that works.\n    And if you listen to the opening statements on both sides \nof the aisle this morning, you know, Mr. Pallone\'s, Chairman \nWalden\'s, the chairman, Mr. Latta, they are all pretty strong \non condemnation of what is happening. I think that we are going \nto have to change the law and that we are going to have to do \nmore than require disclosure. I believe we are going to have \nto, on first offense, allow for some fines to be levied, some \nreal penalties. I would prefer that it be on a per-consumer \nbasis. That may or may not be workable.\n    So I guess I will go to Ms. Fortney.\n    Do you agree or disagree that we need to change the law and \nput some real teeth into what happens when there is a breach?\n    Ms. Fortney. I think the answer depends on whether the \nproblem with Equifax was a systemic problem or whether Equifax \nwas an outlier.\n    I think that the law currently exists in ways that \nconsumers can be protected. I think the FTC has indicated that \nthey will use their authority, not just under Gramm-Leach-\nBliley but also under Section 5 of the Federal Trade Commission \nAct, to redress consumers who have been harmed by security \nbreaches and by other data practices that are unfair to the \nconsumer.\n    Mr. Barton. Do you support that they be allowed to do that \nat a first offense?\n    Ms. Fortney. The FTC on their website says that they have \nbrought--sorry, their testimony said they have brought 60 cases \nagainst companies under Section 5 of the FTC Act based on \nunfair, deceptive practices involving data and data security.\n    Mr. Barton. Mr. Creighton, your testimony, I thought, was \nthoughtful. I thought it was well done.\n    My question to you would be, if we did impose or give some \nauthority to levy fines or a reimbursement to each consumer \nwhose data is breached, would that destroy the credit industry \nas it is today? Or would it, if it was done appropriately and \nat the appropriate level, would it perhaps strengthen it \nbecause it would give them an incentive to really protect \nconsumer data so that we don\'t have all these breaches?\n    Mr. Creighton. The incentives already exist for us to \nprotect the data. You know, if you add penalties and everything \nelse, it is not going to change our practices. Our practices \nare to protect the data today. So, I mean----\n    Mr. Barton. Then why do we have thousands of breaches or \nhundreds of breaches a year?\n    Mr. Creighton. It is true. Look, in the Government, you \nhave an incentive to protect your data also, and yet we have \nseen breach after breach after breach, including personal \ninformation for, as the chairman said, people in this room, \nsensitive market-moving information at the Securities and \nExchange Commission. We have seen that over and over and again \nthere. Those incentives need to be aligned, I would argue, more \ndirectly with where our incentives are, which is to protect the \ndata.\n    Yes, breaches happen, and every one of them is a problem. \nBut there are different scales of breaches. You know, is a lost \ncell phone that has some data on it considered a breach that \nautomatically is going to result--or do you have to look at \nwhat is the consumer harm?\n    Mr. Barton. Well, my time has expired. I will just make \nthis editorial comment. In the Equifax case, people at Equifax \nknew they had a problem with their system and they didn\'t do \nanything to fix it. They didn\'t do anything to fix it. But if \nthey would have known, if we don\'t get this fixed, we are going \nto pay $1,000 per consumer or $100 or maybe even $50, plus some \nof the things that Ms. Schakowsky and Mr. Pallone were talking \nabout, I believe they would have fixed it or tried to fix it \nsooner rather than later.\n    Thank you for your courtesy, Mr. Chairman. I appreciate it.\n    Mr. Latta. Well, thank you very much.\n    The gentleman\'s time has expired, and the Chair now \nrecognizes the gentlelady from Michigan for 5 minutes.\n    Mrs. Dingell. Thank you, Mr. Chairman.\n    I guess I am sort of, even before I begin, reacting to ``if \nEquifax is an outlier.\'\' I have been hacked so many times in \nthe last--the OPM, the Yahoo account, the Equifax, the Target, \nthe Sears, the Home Depot. You can tell I have a lot of credit. \nBut I have also been hacked more than that. I have a \npermanent--but I also will tell you that I think it is very \ncomplicated to put these credits--and you talk about it very \neasily, and that is what I do want to talk about, is I think it \nis very complicated for the average consumer, who, by the way, \nhas no idea what is happening.\n    Mr. Chairman, I thank you for studying this, because I \nthink it is hard for people to get a sense of how much of their \ninformation is held by companies, because it is not tangible. \nPeople don\'t understand what you are holding. You can\'t hold \nit. You can\'t touch it. And we really only think about it after \nit has been stolen or floating around the internet. So when it \nhas been stolen, like someone like me, 10, 15, 20 times, you \nthink about it. But I think young people, in particular, don\'t \nunderstand what information they are giving away or what is out \nthere.\n    We have spent a lot of time talking about the legal issues \nfaced, but, for me, it comes down to the question, do Americans \nreally know when they are giving their personal information \naway? Do they know the consequences? And how can we improve \ntransparency?\n    ``Transparency\'\' is a buzzword that we are all talking a \nlot about right now, but I think there is a shocking lack of \ntransparency when it comes to how consumers\' data is used and \nsold. So I want to talk about that a little more, and I want to \ntalk about who is even holding it.\n    Mr. Creighton, I was just interested in your organization. \nThe companies you represent possess a huge amount of granular \npersonal information on us. It is collected without ever really \nasking. And we are all supposed to trust that it is going to be \nkept safely, just like the Equifax was.\n    But I couldn\'t even figure out who is holding my data that \nis part of you. I know who the Equifax and Experians of the \nworld are, but I couldn\'t find who your other members are. \nThere is no mention of your member companies on your website, \nand a Google search turned up nothing. And I went and looked at \nyour 990, and it has only got your board members.\n    So this is a yes-or-no question, a friendly yes-or-no, but \nI want to know: Why should the American people trust an \norganization like yours to keep their information safe if we \ndon\'t even know who has it and how they are using it?\n    Mr. Creighton. First of all, thank you for your comments \nabout the website. We are in the process of redoing it, and I \nthink you will see a lot more information when it rolls out \nlater this year.\n    Mrs. Dingell. I am a Dr. Google in this committee. I Google \na lot.\n    Mr. Creighton. Good. Well, I think you will be more pleased \nin the future when you see the website. It has been a priority \nof mine since I have taken this position.\n    Our association represents the main large credit bureaus. \nWe also represent a series of specialty and other credit \nbureaus that hold other kinds of information that specifically \nwork with a particular industry--for example, the mortgage \nindustry.\n    We also represent a series of background screening \ncompanies that are in our association because they are working \nmainly on public documents, on public files, which are really \nthe basis, the foundation on which the credit report is built.\n    And so that is the core of our membership, are the bureaus \nand the special----\n    Mrs. Dingell. I really think that--I have a lot more \nquestions for you, but I have a minute left. But I do hope that \nyou will make public who your companies are and why they are \ncollecting it.\n    And maybe someday somebody could explain--I understand \nthere are other websites that do this too. I do Credit Karma \nalmost every other day. It is free. Why should the American \nconsumer, my other colleagues on both sides, have to pay for \ntheir own credit data when you can go to a site like Credit \nKarma or others--I don\'t want to--you know, there are other \nsites out there. But I think we should look at how people have \nfree access.\n    But I want to go to Mr. Schneier in the very short time \nthat I have left.\n    Mr. Schneier, do you think the American consumers can take \nproactive steps to protect their data, financial or otherwise, \nif they don\'t even know who owns it?\n    Mr. Schneier. There is ``can,\'\' and there is ``can.\'\'\n    So Ms. Fortney gave a really nice list of ``here are all \nthe things that you could do to protect yourself.\'\' And I am \nlistening to that list, and I am thinking, no way in the world \ncan I go home at Thanksgiving and tell my relatives--because \nthey are going to be a lot harder than you are--that they \nshould do all of that. I can\'t expect people to become experts \nin this, to take the time.\n    And it is not just we don\'t know who has it; it is that it \nis being made deliberately hard to figure it out, to take these \nsteps. So, no, I don\'t.\n    Mrs. Dingell. Do you think that we should find a simpler \nway to tell consumers who is collecting their data, what kind \nof data they have, and take these privacy notices--which, \nactually, somebody read the other day, and we found some--and \nmake it in simple language, a couple sentences?\n    Mr. Schneier. More transparency and more control cannot \nhurt.\n    Mrs. Dingell. Thank you.\n    Mr. Latta. Thank you very much.\n    The gentlelady\'s time has expired, and the Chair now \nrecognizes the chairman of the Health Subcommittee of Energy \nand Commerce, the gentleman from Texas, for 5 minutes.\n    Mr. Burgess. Thank you, Mr. Chairman.\n    And I can\'t help but observe, I feel like this is Groundhog \nDay. The previous Congress, I was chairman of this \nsubcommittee, and for 2 years we worked on data breach \nnotification. And we actually got a bill through the \nsubcommittee and the full committee. It never saw time on the \nfloor. It did become controversial before it passed out of the \nfull committee. And I can\'t help but think, had those \nrequirements been in place, at least the length of time between \ndiscovery of a breach and notification of the person who was \nbreached, I think that would have been helpful.\n    But I am always struck when we have these discussions--and \nI realize this is not a law enforcement panel in front of us, \nbut do any of you know, is anybody trying to catch the thief \nhere, or the thieves?\n    Mr. Creighton. Thank you for asking that.\n    We have to, as a society, come to terms with the fact that \nwe have people attacking our systems every day. If this were a \nphysical bank and there were 200 North Koreans who were \nstorming in and taking money out of the accounts, there would \nbe a national response. At what point are companies able to \ncompete against nation-states who are attacking our systems?\n    I don\'t know that this breach was a nation-state attack. I \ndon\'t know one way or the other. But at what point are American \ncompanies expected to fight back against countries that are \nattacking them?\n    Mr. Burgess. Well, then that brings up--and this is really \na question for anyone on the panel. I am also concerned--I \nmean, Equifax obviously did not cover themselves in glory in \nthis story, but in some ways they are a victim too. Their \nbusiness was damaged by someone who came in--it wasn\'t Frank \nand Jesse James storming the Northfield bank, but they were \ndamaged by this activity.\n    And if we were ever able to catch the thief, are there \nsufficient criminal penalties to act as a deterrent? Does \nanyone know that?\n    Mr. Schneier. So, it depends. Our laws are very, very \nnation-specific, and the internet is very international. So a \nlot of cyber crime comes out of Southeast Asia and Sub-Saharan \nAfrica and Eastern Europe and places where we just do not have \nefficient enforcement and there is really jurisdictional \narbitrage going on by cyber criminals.\n    And so, you know, enforcement works, but it really has \nlimitations here. And that is why we really want to do what we \ncan on the front end, because catching the bad guys, it is not \ngoing to work if it is a, you know, criminal organization in a \ncountry we just have no jurisdiction over.\n    Mr. Burgess. But assuming we do stumble upon a bad guy, the \nproverbial guy in the basement who is doing bad things and \nhacking into things where they shouldn\'t, do we ever punish \npeople like that?\n    Mr. Schneier. Yes, all the time.\n    Mr. Burgess. And what is the range--do you know what the \nrange of punishments are?\n    Mr. Schneier. I have no idea, but I am sure it is not \npretty.\n    Mr. Burgess. Do you feel it is a sufficient deterrent?\n    Mr. Schneier. You know, that is probably a more complicated \nquestion I don\'t know enough to answer.\n    Mr. Burgess. Yes. And I don\'t know that any of us do. But I \ndo worry that--again, Equifax is a poor example, but sometimes \nit does seem like we victimize the victim in some of the things \nthat we do in punishing people who were the recipients of the \nbreach, not the perpetrator of the breach.\n    Mr. Creighton, let me ask you--and I think, Mr. Schneier, \nyou brought this up also. There is a great commercial out, \nwhere someone who--they get in a cab, and they have left--``Oh, \nmy gosh, I left my debit card at the restaurant,\'\' and she \ndoesn\'t think it is a big deal. Her companion has a near panic \nattack and meltdown. ``Oh, my gosh, this is terrible. You left \nyour card.\'\' And it turns out the person who left the card went \non her phone and froze the debit card.\n    That seems like a very good approach if you knew that \nsomeone was accessing--so I guess let me ask you, Mr. \nCreighton, as a data broker, is there any way to notify people \nthat their data is being accessed? Is there a system or could \nthere be a system in place where--is there an app for that?\n    Mr. Creighton. First of all, we represent the credit \nbureaus, not the data brokers.\n    Mr. Burgess. OK. I beg your pardon.\n    Mr. Creighton. But, yes, and those are coming online now \nand were coming on line in advance of the breach. TransUnion \nhas their lock system up right now. It is free for everybody. \nIt is at base, just like Mr. Schneier is discussing, where you \ncan turn it on and turn it off.\n    Equifax has announced in this room that they will be \noffering a similar product that they are engineering now at the \nend of January. And Experian\'s is coming on line as well.\n    The point is to give the consumers that ability to easily \ngo back and forth to lock their credit. It is different legally \nfrom a freeze, but it is meant to achieve the same goal without \nall of the cumbersome regulatory burdens that exist from the \nState governments.\n    Mr. Burgess. Mr. Schneier?\n    Mr. Schneier. I don\'t know anything about those. I like \nhearing that. I mean, the devil is in the details, so we would \nhave to see the details, but that all sounds good.\n    I mean, that is really what we want. You want the user to \nget control. And I know when someone accesses my credit because \nI want them to; I am applying for something. Those feel like \ngood things. And if they are simple to use, that feels like a \nreally big step. It is not going to protect my data, but it is \ngoing to make it harder to monetize.\n    Mr. Burgess. Which would be a good thing.\n    Thanks, Mr. Chairman. I will yield back.\n    Mr. Latta. Thank you very much.\n    The gentleman yields back, and the Chair recognizes the \ngentlelady from California for 5 minutes.\n    Ms. Matsui. Thank you, Mr. Chairman.\n    And thank you for the witnesses here today.\n    I find that every time we come to the hearings like this, I \nfeel like the problem gets bigger and bigger, because the \nsolutions are very disparate, and it is, kind of, very \nconfusing, and there is not the simple solution that all of us \nwant because we are all really very busy.\n    This commercial practice of collecting, aggregating, using, \nand selling consumer information has become functionally \nubiquitous. Companies and data brokers maintain databases full \nof sensitive and personal consumer information. These are \nnatural targets for cyber thieves. But it is possible that an \nattacker can compromise one device using a known vulnerability \nand move readily within an information system to gain access to \npersonal information.\n    Mr. Schneier, regardless of the method of attack, how would \nconsumers benefit from comprehensive Federal standards that \nestablish reasonable information security practices?\n    Mr. Schneier. I mean, again, I think want to say the devil \nis in the details, right? You know, I want someone like the FTC \nto have some broad authority to figure it out. I mean, I don\'t \nthink we can sit here and say, you know, here is what we should \ndo.\n    There was a point made in that corner of the room that \nlegislating the details will always lag technology. And I \nreally think you have to start looking at what are the results \nwe want. So I like the idea of, you know, a fine if data is \nbreached. Let the companies figure out what to do, let the \nmarket work on the technical security solutions, but we want \nthis particular outcome.\n    Ms. Matsui. Right.\n    Mr. Schneier. So those are the sort of mechanisms that I \nthink will work best here.\n    Ms. Matsui. OK. But I think the problem is also--the fact \nis we want to know, I think, that there is a Federal standard, \nwhatever that is. Because right now everything is just all over \nthe place.\n    Mr. Schneier. Yes. I agree there has to be a Federal \nstandard. And this is also what is going to be needed when we \nstart dealing with international agreements.\n    Ms. Matsui. Right.\n    Mr. Schneier. What is the U.S. standard, and how can we \nassure the U.S. companies\' European customers that we are not \ngoing to lose their data?\n    Ms. Matsui. So you feel that this is going to be a \nnecessary step anyway. Is that correct?\n    Mr. Schneier. My guess is we are going to have to do this--\n--\n    Ms. Matsui. OK.\n    Mr. Schneier [continuing]. That the world is moving that \nway. Europe is turning into the regulatory powerhouse----\n    Ms. Matsui. Sure.\n    Mr. Schneier [continuing]. And they are going to be leading \nus more and more.\n    Ms. Matsui. Because we are reacting more than----\n    Mr. Schneier. Yes. We are not going to like it, but I think \nwe are going to be stuck with it, just because there is such a \nhuge market.\n    Ms. Matsui. OK.\n    Now, with all the consumer data that companies collect, we \nmust keep pace with the evolving threat. Each year, we continue \nto see an increase in the variety, number, and damage caused by \ncyber attacks, yet relatively unsophisticated methods, such as \nphishing or emails with malware, remain some of the most common \nforms of attack. We have recently seen a decrease in zero-day \nvulnerabilities and an increase in simple exploits used to \ncarry out attacks.\n    Mr. Schneier, how can both business and individuals better \nprotect themselves against new applications of old exploits?\n    Mr. Schneier. Well, so this is the definitive problem, that \npeople are your weakest link. And we are certainly finding, you \nknow, from nation-states on down, that the vector of going to \nthe people--you know, Equifax was a vulnerability in the \nsystem. We talked about that. It is in many more cases that \nsomeone will get a person to do something. So tax fraud is a \nhuge crime right now, and that basically involves convincing \nsomeone in HR to mail you a copy of everyone\'s W-2 and you file \nfake tax returns in all their names and you get the money. This \nis huge now, and it didn\'t exist 5 years ago.\n    Ms. Matsui. Right.\n    Mr. Schneier. And there are tech solutions that deal with \nthis. And the problem is, as Mr. Norton talks about, is getting \ncompanies to use them, to make the purchase, to make things \nmore inconvenient, for security.\n    Ms. Matsui. How do we do that anyway?\n    Mr. Schneier. That has to be incentives. The penalty for \ngetting it wrong has to be more than the penalty for doing it \nright.\n    Ms. Matsui. OK.\n    Mr. Schneier. And that wasn\'t the case for Equifax.\n    Ms. Matsui. OK.\n    I am also concerned about the question of who owns our \nuser-generated data. You know, in 2014, agriculture technology \nproviders and a coalition of major farm organizations came \ntogether to agree on data privacy and security principles to \ncover the massive data sets generated by innovation such as \nprecision agriculture. These principles covered issues such as \nhow data gathered from the farm is protected and shared. These \nprinciples also recognized that farmers owned the information \ngenerated by their farming operations, generally required \nfarmers to be notified that their data is being collected, and \nrequired disclosure over how the data is used. But today\'s \nconsumer has considerably less information over how, when, and \nwhat information is shared about them.\n    And I guess, Mr. Schneier, I am asking you this question, \nbut somebody else can answer it too: Shouldn\'t consumers also \nhave clarity over when and how their data is used?\n    Mr. Schneier. Yes.\n    Mr. Creighton. The Fair Credit Reporting Act goes into \ngreat detail about the seven permissible purposes that can be \nused for specifically credit reporting data. The other kinds of \ndata that you are talking about, that is a different question. \nBut in the credit reporting space, the Fair Credit Reporting \nAct is very firm about what exactly the information can be used \nfor.\n    Ms. Matsui. And when and how?\n    Mr. Creighton. And when and how, yes. And by whom, yes.\n    Ms. Matsui. All right.\n    I see my time has expired. Thank you very much.\n    Mr. Latta. Thank you.\n    The gentlelady\'s time has expired, and the Chair now \nrecognizes the gentleman from New Jersey for 5 minutes.\n    Mr. Lance. Thank you, Mr. Chairman.\n    Good afternoon to the panel. Thank you for joining us \ntoday.\n    I am appalled by the scale and the impact of the Equifax \nbreach. Equifax blatantly mishandled consumers\' most personal \ninformation. Constituents have called my office in New Jersey, \nconcerned about their online security. And many were affected \nand their personally identifiable information compromised.\n    And, Mr. Norton, many organizations and individuals do not \nhave up-to-date security or properly patched operating systems \nor software. What are some basic practical steps people can \ntake immediately or in the short term to protect their computer \nsystems?\n    Mr. Norton. Absolutely. Thank you.\n    You know, something as simple as changing your password, \nyou know, once a week or once a month and taking those logical \nsteps; making sure that you have, you know, appropriate \nsoftware security that is publicly available in the marketplace \nfor your home computers; that you are aware of your devices and \nyou have passwords on, you know, all of your devices; that you \nare constantly aware of, you know, information that you have \nthat is out there.\n    I mean, cybersecurity really requires a lot of individual \nvigilance, which is a big change, I think, for a lot of \nconsumers at home who are, you know, in the marketplace and \nthey have their information online and they become very used to \njust processing things online, as we talked about in this \nhearing.\n    I think one of the challenges, though, is that we haven\'t \nactually put a value on loss of data, what does it mean to lose \nyour individual person\'s piece of data, outside of just \ngetting, you know, a piece of credit reporting for a year, you \nknow, what is the other value of that. And I think that is \nanother discussion or a large discussion that you are obviously \nhaving here, but I think it is an important one, and it goes \nto, you know, potential penalties or things that could motivate \ncompanies to then, you know, have larger enforcement and larger \nstrategies within their businesses. So I think there is that, \nas well.\n    Mr. Lance. Thank you.\n    Would anyone else on the panel like to comment?\n    Mr. Schneier. The unfortunate thing is that most of our \ndata is not under our control. So what can you do to protect \nyour data at Equifax? Nothing. What could you have done to \nprotect your data at the OPM? Nothing. What can you do to \nprotect your data at Google? Kind of nothing. We are forced to \ntrust these entities.\n    These companies have our data. Our pictures are stored on \nFlickr, and our email is on Gmail, and our computers really \nhave very little right now. In some ways, that is a security \nbonus, because most of us aren\'t very good at securing our \nmachines. But it does mean that these breaches become bigger \nand more catastrophic because we have too much there.\n    I mean, there are things we can do around the edges--good \npassword management, have antivirus. I mean, I can rattle \nthrough the tips. But, by and large, the security of our data \nis not under our control.\n    Mr. Lance. Thank you very much.\n    Ms. Fortney, are you aware of the Consumer Financial \nProtection Bureau\'s bringing any enforcement actions against a \ncredit bureau?\n    Ms. Fortney. The Bureau does supervise the agencies. They \nhave brought enforcement actions, not in the area of data \nsecurity, but they have brought enforcement actions against the \ncredit bureaus. And I think they are also involved in the \nongoing investigations that are the result of the Equifax \nbreach.\n    Mr. Lance. Thank you.\n    Mr. Creighton, what is the credit lock product that the \nmajor credit bureaus are proposing, and how are they different \nfrom credit freezes?\n    Mr. Creighton. Thank you. That is an important question.\n    First of all, the bureaus are responding to consumer \ndemand, as Mr. Schneier was saying, that they want more access \nto their information and how they can control it. And, right \nnow, State law mandates, in most States, a freeze. Those \nfreezes are different in every single State, and they are often \nPIN-based. And so what happens is that you put a freeze on your \naccount, you get a PIN. If you are like me, you then lose that \nPIN. And when you go back----\n    Mr. Lance. Or like me. Yes.\n    Mr. Creighton. Right. And when you go back and you try to \nget a new iPhone, as has been reported this week, people don\'t \nrealize that that is a credit transaction, they don\'t have \ntheir PIN, they can\'t turn it off, it takes 3 days, and they \nhave missed the window to order the new iPhone.\n    Now, the lock product functionally works the same way. It \nis app-based. And it allows a consumer to turn it to red, ``I \ndon\'t want any new offers of credit,\'\' and when I do want an \noffer of credit, I flip it to green.\n    Mr. Lance. I see.\n    Mr. Creighton. But it doesn\'t contain the same legal \nstrictures that happen as a result of State law.\n    Mr. Lance. Well, thank you very much. This is very \ninteresting, and I hope that we are able to pursue it further.\n    And, Mr. Chairman, I yield back 10 seconds.\n    Mr. Latta. Thank you very much.\n    The gentleman yields back, and the Chair now recognizes the \ngentleman from Indiana for 5 minutes.\n    Mr. Bucshon. Thank you, Mr. Chairman.\n    I want to make a couple of quick comments, and then I will \nhave a few questions.\n    First of all, I think it is important, potentially, to \nunderstand that we authorize a lot of people to get our data \nunsuspectingly. And, I mean, for this card, for example, here--\nI don\'t want to hold--it is just a card that goes to a grocery \nstore, right? That gives you your discount. All that data is \ncollected. You have authorized it, when you signed up to the \ncard, you have authorized it to be sold for any reason. Same \nthing is true on your emails. Same thing is true everywhere.\n    You know, I used a search engine yesterday. I have a piano \nI want to sell. Today, on my Instagram, an add for a piano came \nacross my Instagram, OK?\n    I have used credit agencies because I have some rental \nproperty. Mostly, the people have to authorize you to get their \ninformation. So there are protections there where they have to \nauthorize it.\n    The point I am making is that this is a really complicated \nproblem. We are talking about a breach. That is not that \ncomplicated, because we had human error that didn\'t patch. That \nis pretty straightforward. But we do have a larger problem with \ndata, we have a larger problem with internet, that all of us \nare working to figure out how do we best protect the consumer.\n    I do have concerns about these long legal-department-\ngenerated authorizations that are attached to all of these \nthings. And I do think we may have to look at that area and \nmake consumers more aware of what they are actually \nauthorizing.\n    I mean, what do you do? You go and start an email account, \nand you get to the end, and it says, you know, unless you agree \nto these things, you can\'t start it, I mean, you can\'t do it. \nAnd most of us just click--I mean, does anyone here just click \n``agree\'\' without reading it? Right. I mean, we all do. But \nthat is actually a legal document that is very long that has \nspecific legal ramifications that seem simple but aren\'t.\n    I mean, you know, you do a search engine on a piano, and \nthe next day on your Instagram account you have piano ads. I \nmean, that is kind of spooky. Everyone is concerned about the \nNSA. I am more concerned--I am concerned about that, but this \ntype of thing.\n    So the question I have, you know, Mr. Creighton, first of \nall, it has been about 3 months since the Equifax breach, yet \nstill thousands of Americans are unaware if their data has been \nstolen. Do you think that--you know, 48 States have conflicting \nState notification laws that have played in this issue. And do \nyou believe that a uniform Federal law on notification might \naddress the difficulties with Americans receiving notification?\n    Mr. Creighton. Consumers would benefit from a national data \nbreach notification.\n    Mr. Bucshon. OK. So the answer is, yes, they would?\n    Mr. Creighton. Yes, sir.\n    Mr. Bucshon. The other thing is, when we had the Equifax \nCEO here, honestly, in fairness to him, I thought he was a \ngenuine witness. You know, there were issues, but I think his \ntestimony was genuine. But there were flaws in their system of \nreporting within their company; I understand that.\n    But, you know, one thing that was brought up is--I \nrepresent a rural area of the United States. And he was talking \nabout getting online and going to their website and seeing all \nthe things that you can do to protect yourself and all that. I \nthink we all have to recognize the fact that even in the United \nStates--I mean, I think the penetrance of internet access in my \ndistrict may be about 65 percent of the people, believe it or \nnot, maybe 70 percent. That leaves 30 percent, 35 percent of \nthe people out there that they just can\'t pull up a website and \nsee.\n    I mean, how can we address notification or this type of \nthing or best practices in an age where--I think all of us \nmentioned, ``Well, their websites show us this,\'\' right? But \n30, 35 percent of the people I represent may not have internet \naccess.\n    Mr. Creighton. Congressman, it is a big problem. And \nreaching rural consumers is one of the big challenges. That is \nwhy, when we talk about the lock product, for example, it \ndoesn\'t mean we aren\'t still obligated to offer the freeze \nproduct, because you have to maintain call centers and other \nthings so that people have access.\n    But the credit reporting system serves probably your \nconsumers, your constituents, better than anybody else. A rural \nconsumer generally has one physical bank near them, right? But \nin today\'s world, you, as a consumer, even a rural consumer, \ncan access the entire world of credit available to you. If you \nare getting a mortgage, you don\'t----\n    Mr. Bucshon. Right. I get all that. What I was trying to \nget at is that I think we have to recognize that not everyone \nout there that has had their data breached because they have \ngone to their local bank to get a loan can be notified that \nthey have been compromised by telling them to go to a website.\n    I mean, I don\'t know how else we address that. I addressed \nthis same question with the CEO of Equifax. And we are \nadvancing, I think, a lot in consumer access to information. \nBut one area, I just think people have to recognize, across \nrural America, necessarily, people don\'t have access to that \ninformation. We need to do a better job.\n    I yield back.\n    Mr. Latta. Thank you.\n    The gentleman\'s time has expired, and the Chair now \nrecognizes the gentleman from Oklahoma for 5 minutes.\n    Mr. Mullin. Thank you, Mr. Chairman.\n    And thank you to the witnesses for being here.\n    Mr. Norton, I kind of want to start with you. Just in your \nopinion, does the current Federal regulatory structure, does it \nhave enough safety safeguards in it for the consumer?\n    Mr. Norton. You know, I think it is a matter of corporate \nresponsibility and whether or not they are, you know, making \nthe appropriate investments. And, clearly, they are not, from \nthe top down. I think that is why we are seeing these things.\n    Mr. Mullin. And that leads me to my next point. As a \nmanufacturer, if you manufacture a product, and even if the \nproduct is misused--like, inside my district, we had a gas can \ncompany that essentially went out of business because of all \nthe litigations about, you know, the problems with the gas can. \nAnd what was happening was people were literally pouring the \ngas right out of the gas can on a fire and they were catching \nfire. Obviously not the smartest thing to do, right? But they \nwere still open for lawsuits. They still had a responsibility, \nfor whatever reason, to the consumer, even though the product \nwas obviously being misused, outside its manufacture and \ndesign.\n    We had these websites--and, Mr. Schneier, you brought this \nup--that you are vulnerable. I don\'t care what you do, you are \nvulnerable. Where does the responsibility lie? Is it just on \nthe consumer? Either one of you guys can answer this. Is it \njust on the consumer?\n    Mr. Norton. No. Absolutely, I think that it is--consumers \ncertainly can help drive the market and change the market, and \nhearings like this will help, I think, drive corporations to \naccept further responsibility. I think it goes back, again, to \nnot putting a value on data, as an individual. Companies have \nput a value on it, but we haven\'t put a value on it, in terms \nof loss of data, as the individual.\n    Mr. Mullin. But, as Mr. Schneier said, we can safeguard \nourselves--there is a huge difference between a manufacturing \nproduct being misused by the person holding the product versus \na consumer that has no idea what has happened to their data. \nThey are letting it be sold, it is going out there without our \nintention. So we are not even not using it within the \nmanufacturer\'s instructions; it is the manufacturer--I am \nbreaking it down to layman\'s terms. It is the holding company \nthat has our information that isn\'t safeguarding it to begin \nwith. And we are the ones paying for it. Where do the \nresponsibilities lie?\n    Mr. Schneier. I think your analogy is good, that we \ndefinitely have consumer misuse, but you actually have \nfundamentally unsafe products.\n    Mr. Mullin. Right.\n    Mr. Schneier. And, in those cases, you really need to hold \nthe designers, the manufacturers, the data holders, the app \nmakers, the system makers responsible to some degree, that we \ncannot have a system where you have to be an expert in order to \nsurvive in the 21st century.\n    I mean, I don\'t want to be an expert in gas cans to be able \nto use that product. And maybe I am going to do something \nstupid, but I would like it if the system prevents me, as much \nas possible, from doing something stupid. And----\n    Ms. Fortney. I would like to----\n    Mr. Schneier [continuing]. That is sort of a way of \nthinking about regulation.\n    Mr. Mullin. Ms. Fortney?\n    Ms. Fortney. I would like to address that.\n    I think, first of all, there are consequences for companies \nthat do not secure consumers\' data, and there are penalties \nthat can attach. There is an enforcement regime by the Federal \nTrade Commission, the Consumer Financial Protection Bureau.\n    In addition, I think the question is, what should consumers \ndo when they have the information that their data is being used \nand that it could be breached? Because I think, no matter what \nwe do, no matter what security procedures are there, given the \nmany, many attempts from all over the world to access data that \nis being held in any type of large database in the United \nStates, there is the risk of a breach. And I do think that what \nconsumers need to do is really know more about what they can do \nto protect themselves.\n    We are talking about notice here, and one of the notices \nthat we haven\'t really focused on is a notice required under \nthe Gramm-Leach-Bliley Act----\n    Mr. Mullin. But we are talking--we are talking about \nnotices. That is not good enough. There is a difference. They \nenter in that business taking a risk, the same thing as a \nmanufacturer enters a business in taking a risk too.\n    Ms. Fortney. Right.\n    Mr. Mullin. We don\'t see insurance policies paying off to \nthose consumers that were breached by Equifax. Whereas, with a \nmanufacturer, if something happens, you see insurance \ncompanies. That is why they have insurance. They are stepping \nup and taking responsibility for it. We are not seeing that in \nthe digital world. We are seeing it as, ``Well, that is the \nrisk of being online.\'\' And I take that risk seriously.\n    But it seems like there is a disconnect. ``Well, we know it \nis going to be breached. There are cyber issues going on out \nthere.\'\' But that is the business that they are in.A consumer \nought to feel safe about doing business with that person, not \nalways constantly being concerned.\n    All of us up here have had our credit card stolen. I am \ncurrently, right now, on my fifth credit card with this one \ncompany this year alone because it has been----\n    Mr. Schneier. What is the number?\n    Mr. Mullin. Evidently it is out there someplace.\n    But we are just looking at how--I am not looking to put \nmore regulations or more burdens on the companies, but there \nhas to be a sense of responsibilities for the consumer to feel \nsafe, because just notifications is being reactive, not \nproactive.\n    Ms. Fortney. Yes, but I began my remarks by saying there \nare penalties for breaches. And then the next question is, what \ncan consumers do once there has been a breach? And I think \nthere are remedies available.\n    Mr. Mullin. I am out of time. I apologize, Mr. Schneier. I \nwould love to hear your response on it, but I am out of time on \nit.\n    Mr. Chairman, I yield back.\n    Mr. Latta. Well, thank--I am sorry?\n    Ms. Schakowsky. Can I ask another question?\n    Mr. Latta. The gentlelady is recognized for one other \nquestion.\n    Ms. Schakowsky. Oh--sorry. Sorry.\n    Mr. Latta. OK. Just wanted to make sure. I thought you may \nhave coordinated there.\n    The Chair now recognizes for 5 minutes the gentleman from \nTexas.\n    Mr. Green. Thank you, Mr. Chairman. I want to thank the \nchairman and ranking member for holding this hearing.\n    I appreciate the time of our witnesses.\n    While the recent data breach at Equifax is bad enough on \nits own right, it also has shone a light on several larger \nproblems. The first is the lack of knowledge or control over \nwho collects information on us and what information they \ncollect and what they do with it.\n    In 2014, the FTC issued a report recommending Congress \nenact legislation to make the data-broker industry more \ntransparent following the Equifax breach. It is a good time to \ntake a closer look at these issues.\n    Mr. Schneier, in your testimony, you state that the data \nbrokers collect information on everything that we do on the \ninternet. Can you elaborate on the scope of the information, \nsuch as what kinds of data are collected and how many of our \ntransactions on- and offline are recorded or collected by data \nbrokers?\n    Mr. Schneier. So that is hard, because it is collected in \nsecret, and we actually don\'t know. We see shadows of it. We \nsee shadows of it in the lists that they sell.\n    And this is data brokers writ large. This is not credit \nbureaus specifically.\n    So you will see them selling lists of, you know, seniors \nwho have debt problems; or, you know, people who have \nparticular medical conditions; or interest groups of, sort of, \nany unimaginable distinctions. And you often can go and look at \nthe different types of lists that are sold.\n    But the industry is really so opaque that we don\'t know. We \njust know that it is all being--whatever can be collected is \nbeing collected. We really don\'t know how it is being used. You \nknow, we are hearing a lot about some big-data analytics were \nused in the last election. We don\'t know the details of that.\n    It is a very opaque industry. It makes your question much \nharder to answer than it should be.\n    Mr. Green. OK.\n    In the FTC\'s 2014 report, one of the FTC\'s recommendations \nwas the creation of a website to let consumers see what \ninformation data brokers have on them and to opt out of having \nit shared in the future.\n    Mr. Schneier, can you talk a little bit about this \nparticular suggestion and what the obstacles would be to create \nsuch a website?\n    Mr. Schneier. The obstacles would be that the companies \ndon\'t want to do that and that, if they did it, it would be \nkind of horrific.\n    This is a story from Europe, because Europe has laws that \nrequire some kind of disclosure. And Max Schrems, who is a law \nstudent, sued--successfully in a European court--Facebook to \nget all the data Facebook had on him. And he got a stack of \npaper 1,000 sheets high of all the data Facebook had on him. \nAnd Facebook has that data times everybody who is on Facebook.\n    Mr. Green. OK.\n    You mentioned that data brokers operating in Europe can and \ndo follow the EU\'s more stringent privacy laws. Can you compare \nfor us the difference between the scope of personal data \ncollected in the European Union versus the United States, \nparticularly regarding our online activities?\n    Mr. Schneier. So I am not an expert, and I would hesitate \nto do that. That is an important question to ask, and there are \npeople who are doing that research.\n    Europe has rules about what can be collected and under what \ncircumstances, how it can be stored, how it can be used, and \nhow it must be deleted. You might have heard about the right to \nbe forgotten, which is a contentious European law.\n    European law is very complicated here, and it is still \nunder a lot of change. So that is an important question. I \nreally want you to find someone who is an expert in that to \ntalk to that.\n    Mr. Green. Well, it seems just common sense that data knows \nno boundaries. They don\'t know the borders of the United States \nor Europe. It seems like our country should partner with the EU \nand other countries to see if we can coordinate our regulations \non this.\n    Because I think, if you heard the questions earlier and \nlistened to them, our data should be our data, and we should be \nable to have control over who looks at it, instead of just \ndeciding that maybe ``I think I need a new car\'\' and send me \nsomething. But I think that is what we need to do.\n    Mr. Chairman, thank you all for holding the hearing, and it \nbrings up a lot of issues we need to deal with. Thank you.\n    Mr. Harper [presiding]. The gentleman yields back.\n    The Chair will now recognize Mr. Bilirakis from Florida for \n5 minutes.\n    Mr. Bilirakis. Thank you. Thank you, Mr. Chairman. I \nappreciate it.\n    I thank the panel for their testimony today.\n    Mr. Creighton, some consumers have suggested to me to \nminimize the identifiable data collected, like using partial \nSocial Security numbers or partial driver\'s license \nidentification.\n    Is this possible for CRAs to do? And would it help better \nprotect consumers from bad actors not authorized to use such \ndata?\n    Mr. Creighton. Social Security numbers are used as \nidentifiers, and they are important identifiers. They are not \nused, necessarily, by financial institutions to authenticate a \nconsumer, but they are used to identify them.\n    And that is important because you have a lot of people in \nthis country, a shocking number, really, when you look at it, \nwho have similar names, similar dates of birth, similar Social \nSecurity numbers. Having the full 10-digit Social Security \nnumber is going to be helpful for making sure that we have the \nright person that we are able to match.\n    And we have an obligation under the Fair Credit Reporting \nAct to make sure that we are matching the correct data with the \ncorrect person.\n    Mr. Bilirakis. How about using the driver\'s license \nidentification? Wouldn\'t that suffice?\n    Mr. Creighton. Well, not everyone has a driver\'s license, \nfirst of all. And, you know, whether we like it or not, the \nSocial Security number has, in effect, in the United States, \nbecome a universal identifier. And it is the one piece of \ninformation that crosses over many different databases, \nparticularly in the Government.\n    Mr. Bilirakis. And you think you have to use all nine \nnumbers as opposed to----\n    Mr. Creighton. Yes. I mean, now, there are a number of \nstatutes around the country where the minimization of the \nSocial Security number has led to issues. For example, on \ncredit reports today, it is much harder to know what all the \nliens and judgments you may have against you are, because in \ncertain courts you no longer have full Social Security numbers \nand so we can\'t do the full match. And since we can\'t do the \nfull match, we have just taken off a lot of that data.\n    That degrades the entire credit reporting system. It is a \nlittle bit less complete because of that. And that is \nproblematic, because if you are a lender, in order to make a \nsafe and sound lending decision, you should know the full set \nof obligations that a consumer has.\n    Mr. Bilirakis. Thank you.\n    Mr. Norton, are there one or two recommendations you can \nmake for the small- to medium-size companies with limited \nresources that are most effective in limiting vulnerabilities \nto criminal hacking?\n    Mr. Norton. Yes, absolutely. I think that small businesses, \nobviously, are the most at risk, number one, because they do \nhave those limited resources. Typically, a small business could \nbe, you know, just a handful of people, and, you know, what \nkind of investment do they need to make internally?\n    And I think just starting that conversation amongst the \nsmall businesses is an important step and just saying, OK, \nlook, we have X number of computers, X number of people that \ncan access our database. So I think, just internally, alone, \nstarting there and saying, OK, do we have, you know, the \nappropriate passwords, you know, do we need some type of \nencryption on our network that can be publicly available and \nbrought in the marketplace, you know, do we have a point person \nwithin the business, and even if the business has three people, \nsomebody that is responsible for that, and just kind of having \nthose access controls I think is a good starting place for \nsmall businesses.\n    And then the larger businesses, I would say it is a very \nsimilar model, in terms of maybe you are getting to 50 or 100 \nbut, again, starting to carve out, you know, as they look at \ntheir outyears and starting to develop a strategy of, OK, you \nknow, in this calendar year, whenever their fiscal year starts, \nthis is how much money we are going to start to invest in this \nparticular area, which is just as critical as keeping the \nlights on or paying the gas bill or paying employees\' salaries. \nIt has to become part of the day-to-day culture. And I think \nthat is an important conversation they need to have just to \nstart to secure themselves.\n    Mr. Bilirakis. Thank you very much.\n    My third question, again, for Mr. Norton or Ms. Fortney. Is \nthere a legitimate worry about criminals using consumers\' data \nto establish a Social Security Administration online account in \ntheir name and claiming their benefits? Where or how does a \nvictim go about to protect oneself in that scenario?\n    You both can answer the question. I do have some time.\n    Ms. Fortney. I assume that there are protections there, but \nthis is not an area where I have worked. I focus primarily on \ncredit reporting, the credit industry, and other aspects of \ndata security. I would like for Mr. Norton to address it.\n    Mr. Bilirakis. Yes, please.\n    Mr. Norton. Of course, there are some, you know, steps you \ncan take in terms of, if you believe you have been a victim of, \nyou know, some sort of fraud, contacting the Social Security \nAdministration and letting them know. And I believe there are \nsome things you can fill out to let them know.\n    I think it is also not the easiest process in the world. I \nthink that is one of the challenges for the individual \nconsumer, is the fact that, what does somebody do? You know, \nyou can\'t really necessarily go down to a police station and \nfill out a police report just the same way as if somebody \nrobbed your home and took your TV and a couple other things. \nThis is a very different problem, and I think that that is part \nof the challenge here.\n    And it is just like we were discussing earlier. Not \neverybody can go online and fill out paperwork or, you know, \nhave the ability to even call. And so doing things in a more \nefficient way and finding ways for, you know, kind of, one \npoint of entry, not 19 Government agencies for the individual \nconsumer and individual small business, I think would be \nanother important step for this subcommittee to help for the \nconsumers.\n    Mr. Bilirakis. OK.\n    Thank you very much, Mr. Chairman. I will yield back.\n    Mr. Harper. The gentleman yields back.\n    The Chair now recognizes the gentleman from Pennsylvania, \nMr. Costello, for 5 minutes.\n    Mr. Costello. Thank you.\n    I would like to ask my questions and then offer some \nobservations so that each of you can think it through.\n    Ms. Fortney, in your written testimony, you mentioned the \nupdates that were made to the FCRA in 2003, which included new \nmeasures to protect consumers from identity theft and other \nunauthorized use of the data they have on file with the CRAs.\n    Do you believe extended fraud alerts are a sufficient \nrecourse option for consumers who wish to remain credit-active \nbut want to opt in?\n    Second, are you aware of any backlogs or delays in the \nprocess related to extended fraud alerts? And, if so, do you \nhave any suggestions on how to streamline consumers\' access to \nthese and other protections available?\n    And then the next question to all witnesses: What would be \nthe most effective means of reducing the administrative burden \nso victims of data breaches can protect themselves from credit \nfraud without facing impediments to obtaining credit if and \nwhen they need it?\n    And then, finally, Mr. Schneier, you state, ``Congress \nshould not create a new national identifier to replace Social \nSecurity numbers. That would make the system of identification \neven more brittle.\'\' I would like you to elaborate on that.\n    Many of my constituents who were impacted by the Equifax \ndata breach have shared with me numerous frustrations they \ncontinue to face both in dealing with the immediate aftermath \nof the breach and in trying to find the best path forward to \nprevent the fraudulent use of the information that was \ncompromised. What I find frustrating is that so much of this \nburden falls on the consumers.\n    In the case of the Equifax breach, nearly 50 percent of the \nU.S. population can be considered a victim. With half our \nNation directly impacted by this breach and millions more \naffected by other recent data breaches, it is astounding to me \nand my constituents that so much of the burden remains on \nconsumers and that they have to deal with it themselves, first \nby determining whether they were impacted, then by figuring out \nwhat makes the most sense in terms of monitoring or freezing \ntheir credit and dealing with all the administrative hurdles \nand potential barriers to credit that go along with it.\n    I would imagine many people might not know where to start \nor become so frustrated in trying to stay ahead of identity \ntheft that they give up trying and instead resort to dealing \nwith fraud if and when it occurs instead of using the resources \nthat may be available to protect them against further harm.\n    And, with that, the questions that I asked, if all of you \nwould answer.\n    Ms. Fortney. OK. Thank you.\n    First of all, fraud alerts are a useful tool for someone \nwho thinks they might be a victim of identity theft or might \nbecome a victim of identity theft. In order to get a fraud \nalert, the consumer goes on the website of one of the three \nmajor credit bureaus, puts in the necessary information, and \ndoes get the alert. There is not an inquiry into the request \nfor an identity theft report or anything of that kind. So I \nthink it is a relatively streamlined process.\n    I think the other thing to keep in mind is that, when we \nare looking here at credit reporting data--because Equifax is a \ncredit bureau--we need to focus on the fact that there are a \nlot of provisions in the Fair Credit Reporting Act that were \nenacted in 2003 to prevent identity theft. There are certain \nrules in terms of address discrepancies. There are rules that \nrequire furnishers to identify the consumers before they \nprovide the information.\n    So I think there are a lot of protections in the Fair \nCredit Reporting Act because we are focusing, in the case of \nEquifax, primarily on data that involved the credit bureau.\n    Mr. Schneier. I am going to quickly address your Social \nSecurity number question.\n    Mr. Creighton is right that a Social Security number is \nactually a pretty good identifier. Name and birth date is \nterrible, too many duplicates. We have learned that from \nattempts to purge voter rolls. And a Social Security number is \nsomething everybody has.\n    Where it fails as an authenticator, where it fails is that \nknowledge of it proves that you are you. It is a public number \nand shouldn\'t be treated as a secret or any kind of \nauthenticator. So I don\'t think we need to replace it. I think \nit works just fine as long as we recognize its limitations.\n    We are much better off, instead of one large authentication \nsystem, where a failure in it is a catastrophic failure, to \nhave multiple context-specific authentication systems. Just \nlike you have a dozen cards in your wallet, they do different \nthings, there is no real reason why it can\'t just be one card \nexcept----\n    Mr. Costello. Do you find that implementable? Do you find \nthat implementable for----\n    Mr. Schneier. Yes, I think we can. I mean, you will see \nit--you see it on your phone. You have lots of different \nauthenticators. Again, there are many different sites. They all \nwork through your phone. Industry does figure this out. It is \ncomplicated, but, yes, I do think it is doable.\n    Mr. Creighton. Congressman, your second question was can we \nbe more helpful to consumers who want to lock their credit or \nfreeze their credit or something like that. And these new \nproducts that are coming on the market now--TransUnion already \nhas it; the other two bureaus have them coming out now--that \nallow people, on an app-based system, to lock and unlock their \ncredit.\n    Mr. Costello. Right.\n    Mr. Creighton. The other thing is more and more credit card \ncompanies are including your credit score on their statements. \nAnd that is a good way for you to just check and make sure that \nthere are no changes from month to month that you weren\'t \nexpecting.\n    Mr. Costello. Thank you.\n    Mr. Harper. The gentleman yields back.\n    The Chair now recognizes the gentlelady from California, \nMrs. Walters, for 5 minutes.\n    Mrs. Walters. Thank you, Mr. Chairman.\n    Last month, this subcommittee began an investigation into \nthe Equifax breach that resulted in the theft of 145 million \nAmericans\' personal and financial information. Equifax failed \nin their legal obligation to protect consumers.\n    Today, we continue our work to ensure the consumers\' \ninformation is secure and that companies are taking adequate \nsecurity measures to protect their sensitive data. It is vital \nthat we confront these security challenges so that our digital \ne-commerce continues to develop and helps fuel the American \neconomy.\n    Ms. Fortney, we have discussed the regulatory framework. Do \nyou believe the regulatory framework for CRAs is sufficient to \nprotect U.S. consumers from data breaches and satisfy \nconsumers\' privacy concerns?\n    Ms. Fortney. Yes, I do. And I can say that having worked \nwith the Fair Credit Reporting Act for more than 40 years. I \nhave seen this act amended by Congress several times as new \nconcerns arise. And, as we mentioned, in 2003, because people \nwere becoming increasingly concerned about identity theft, new \nprovisions were put in the act.\n    The act imposes really strict requirements on consumer \nreporting agencies with respect to the accuracy of the \ninformation, the provision of credit reports to people who only \nhave very definite permissible purposes.\n    The act provides for notice to consumers when the \ninformation has been used on them in a way that is adverse to \ntheir interests.\n    I could go on and on. My written statement has many, many \nprotections here.\n    I think the question really is, is there anything in the \nFair Credit Reporting Act or other law that resulted in the \nEquifax breach? In other words, was there any deficiency in any \nof these laws? And I think we don\'t know the answer to that \nbecause we don\'t know exactly what the circumstances were that \nled to the Equifax breach.\n    What we do know is that, by and large, we have one of the, \nif not the most robust systems of credit reporting and consumer \nreporting generally in the world. We have one of the strongest \neconomies in the world. You start taking away some of the \nbenefits, if you start over-regulating this industry and you \nstart allowing people to remove information from the system, \nthe system is not going to work as well.\n    And I think all you have to do is compare our system to \nthat of other countries, including developed countries, that \ndon\'t have credit reporting systems that are as comprehensive, \nand I think you will see there are a lot more benefits to \nconsumers.\n    Mrs. Walters. This question is for you, again, the next \none. What level of responsibility should lenders, banks, credit \nunions, insurers, et cetera, demand from CRAs when they are the \npurchasers of a credit reporting product?\n    Ms. Fortney. What measures should they demand?\n    Mrs. Walters. What level of responsibility should lenders \ndemand from CRAs?\n    Ms. Fortney. Again, the level of responsibility is in the \nFair Credit Reporting Act, has been for many years, and that is \nthat the consumer reporting agency that is providing the credit \nreport must identify the recipient of that report, must be able \nto authenticate that this is somebody who has a permissible \npurpose under the statute to receive the report. And I think \nthat is something that has been at the heart of the Fair Credit \nReporting Act from the beginning.\n    Mrs. Walters. OK.\n    Mr. Creighton, is there any type of financial or personal \ndata that is illegal or impermissible for CRAs or data \nfurnishers to collect and possess?\n    Mr. Creighton. Oh, there are multiple. I mean, you can \nreally only collect certain kinds of data at credit reporting \nbureaus, not referring to the larger data brokers. It is \nbasically just, you know, your identifying information; whether \nthere are any public liens or judgments against you, like a \nbankruptcy; do you have credit, from whom, how much; your \nbalance; and do you pay on time. And that is all regulated by \nthe Fair Credit Reporting Act.\n    After that, you are outside of the Fair Credit Reporting \nAct, and so you are in a different regulatory scheme.\n    But the Fair Credit Reporting Act, as I said in my \ntestimony, is a very important and very strong consumer \nprotection statute that has criminal penalties, it has \ntransparency requirements. It is probably the model on which \nyou are all going to work from if you do go down the path for \nother data broker information.\n    Mrs. Walters. OK. Thank you.\n    And I yield back the balance of my time.\n    Mr. Harper. The gentlelady yields back.\n    The Chair will now recognize Ranking Member Schakowsky for \na followup question.\n    Ms. Schakowsky. Thank you.\n    Mr. Schneier, you were just shaking your head on the idea \nthat I think that Mr. Creighton was saying, that it is very \nstrictly regulated, what kind of information that they could \nhave. I just wondered if you wanted to add something else.\n    Mr. Schneier. So, I mean, I am thinking of the data brokers \nwrit large. I mean, yes, the credit bureaus are regulated, what \nthey can collect, but the data brokers can collect everything. \nI mean, Google knows what kind of porn we all like, because \nthat is how we search it, and they can collect that.\n    So, as you move out from the very narrow place we have \nregulated, all bets are off. And I think we really need to look \nat how this bigger industry is moving and not just credit \nbureaus.\n    Ms. Schakowsky. OK.\n    So I understand, I think, what your association does. But \nEquifax has a business outside of being a credit reporting \nagency. So what I am trying to understand, does your trade \nassociation then deal with the rest of that? And are they not \nalso a data broker?\n    Mr. Creighton. Yes, they are. Not all of my members are \ndata brokers. What we do specifically at CDIA is the--we are, \nessentially, the Fair Credit Reporting Act association. So we \nrepresent the credit bureaus inside the companies. That is \nreally, very narrowly, what we do, is the Fair Credit Reporting \nAct-governed databases that they have, the companies that do \nit, the credit bureaus.\n    Ms. Schakowsky. The databases. But those same companies--\nwell, first of all, even under their credit reporting data \nfunction, they can sell to advertisers who offer credit, right?\n    Mr. Creighton. Some offers of credit, yes. Prescreened, \nfirm offers of credit. That is correct.\n    Ms. Schakowsky. OK. But I don\'t want those cards.\n    Mr. Creighton. You can opt out, though.\n    Ms. Schakowsky. This is--excuse me?\n    Mr. Creighton. You can opt out of prescreened offers. That \nis an option that you have as a consumer, to opt out of \nprescreened offers.\n    Ms. Schakowsky. Who knows that?\n    Mr. Schneier. Yes, good luck figuring out how.\n    Ms. Schakowsky. I am sorry?\n    Mr. Schneier. Good luck figuring out how.\n    Ms. Schakowsky. Yes. I mean----\n    Ms. Fortney. Every prescreened solicitation contains a \nnotice that the Federal Trade Commission has determined must be \nplaced there--it must be clear and conspicuous--telling \nconsumers that receive these prescreened offers that they have \nreceived the offer because of prescreening and telling them how \nto opt out.\n    Ms. Schakowsky. You know, I will tell you--and maybe it is \nlike those security, you know, 12-, 10-point, 8-point notices \nthat we all get and that we all press ``agree.\'\' I mean, \nreally--and I think that is just--and I heard your whole list \nof things that we can do to protect ourselves. And I am sure \nyou are in the 1 percent that actually can do that. This is \nreally a lot of work for people who even have the ability on \nthe computer.\n    But I wanted to ask you something else. So, to the extent, \nthough, that Equifax is a data broker, you have no relationship \nto them?\n    Mr. Creighton. No. We are specifically representing them on \nthe credit bureau part of the----\n    Ms. Schakowsky. OK. I want to quote what you said at the \nvery beginning. You said, ``The scale of the criminal act at \nEquifax was unprecedented.\'\' I checked back with the record.\n    Mr. Creighton. ``Breathtaking,\'\' I think----\n    Ms. Schakowsky. So what do you mean? What is the criminal \nact?\n    Mr. Creighton. Well, information on 145 million people was \nreleased. It was not information from the credit bureau. It was \nnot the credit file information. That database is about 220 \nmillion people. It was not that file. It was a file that they \nhad that included other kinds of information that they \ncollected in other ways.\n    Ms. Schakowsky. So what law did they break?\n    Mr. Creighton. Well, under the Federal Trade Commission \nAct, they probably committed a--I mean, we should let the \ninvestigation play itself out so that we know. But I would \nsuggest that they probably have UDAP problems. And then they \nalso have--I mean, I would defer to counsel who might know \nbetter----\n    Ms. Schakowsky. Well, I want to, you know, home in on----\n    Mr. Creighton. Look, I mean, they are going to have----\n    Ms. Schakowsky. You said very unequivocally, ``The scale of \nthe criminal act at Equifax was unprecedented\'\'--``criminal act \nat Equifax.\'\'\n    Mr. Creighton. So I am talking about the----\n    Ms. Schakowsky. I mean, I tend to feel that that is true. \nBut, as an expert on this, I want to know----\n    Mr. Creighton. Right. No, I was referring specifically to \nthe hackers being criminals. Right? I mean, let\'s remember that \nwhoever broke into this system did not do it legally. They were \ncriminals who broke into Equifax. And we don\'t know what their \nmotives were, but they were criminals who did this. It was a \ncriminal hack, it was a criminal attack on an American company, \nis the point I was trying to make.\n    Ms. Schakowsky. OK.\n    Thank you. I yield back.\n    Mr. Harper. Seeing that there are no further witnesses \nwishing to ask questions, I want to thank each and every one of \nyou for taking the time to be here today.\n    Before we conclude, I would like to include the following \ndocuments to be submitted for the record, by unanimous consent: \none, the written statement of Jeff Greene, Senior Director of \nGlobal Government Affairs and Policy, Symantec; and a letter \nfrom the Electronic Frontier Foundation.\n    [The information appears at the conclusion of the hearing.]\n    Mr. Harper. Pursuant to committee rules, I remind members \nthat they have 10 business days to submit additional questions \nfor the record. I would ask that witnesses submit their \nresponse within 10 business days upon receipt of the questions.\n    Without objection, this subcommittee is adjourned.\n    [Whereupon, at 12:44 p.m., the subcommittee was adjourned.]\n    [Material submitted for inclusion in the record follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n                                 [all]\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'