[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]




                               BEFORE THE


                     U.S. HOUSE OF REPRESENTATIVES


                             FIRST SESSION


                            OCTOBER 5, 2017


       Printed for the use of the Committee on Financial Services

                           Serial No. 115-46


30-242 PDF                WASHINGTON : 2018                 


                    JEB HENSARLING, Texas, Chairman

PATRICK T. McHENRY, North Carolina,  MAXINE WATERS, California, Ranking 
    Vice Chairman                        Member
PETER T. KING, New York              CAROLYN B. MALONEY, New York
EDWARD R. ROYCE, California          NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma             BRAD SHERMAN, California
STEVAN PEARCE, New Mexico            GREGORY W. MEEKS, New York
BILL POSEY, Florida                  MICHAEL E. CAPUANO, Massachusetts
BLAINE LUETKEMEYER, Missouri         WM. LACY CLAY, Missouri
BILL HUIZENGA, Michigan              STEPHEN F. LYNCH, Massachusetts
SEAN P. DUFFY, Wisconsin             DAVID SCOTT, Georgia
STEVE STIVERS, Ohio                  AL GREEN, Texas
RANDY HULTGREN, Illinois             EMANUEL CLEAVER, Missouri
DENNIS A. ROSS, Florida              GWEN MOORE, Wisconsin
ROBERT PITTENGER, North Carolina     KEITH ELLISON, Minnesota
ANN WAGNER, Missouri                 ED PERLMUTTER, Colorado
ANDY BARR, Kentucky                  JAMES A. HIMES, Connecticut
KEITH J. ROTHFUS, Pennsylvania       BILL FOSTER, Illinois
LUKE MESSER, Indiana                 DANIEL T. KILDEE, Michigan
SCOTT TIPTON, Colorado               JOHN K. DELANEY, Maryland
ROGER WILLIAMS, Texas                KYRSTEN SINEMA, Arizona
BRUCE POLIQUIN, Maine                JOYCE BEATTY, Ohio
MIA LOVE, Utah                       DENNY HECK, Washington
FRENCH HILL, Arkansas                JUAN VARGAS, California
TOM EMMER, Minnesota                 JOSH GOTTHEIMER, New Jersey
LEE M. ZELDIN, New York              VICENTE GONZALEZ, Texas
DAVID A. TROTT, Michigan             CHARLIE CRIST, Florida
BARRY LOUDERMILK, Georgia            RUBEN KIHUEN, Nevada
TED BUDD, North Carolina

                  Kirsten Sutton Mork, Staff Director 
                            C O N T E N T S

Hearing held on:
    October 5, 2017..............................................     1
    October 5, 2017..............................................    63

                       Thursday, October 5, 2017

Smith, Richard F., Adviser to the Interim Chief Executive Officer 
  and Former Chairman and Chief Executive Officer, Equifax.......     5


Prepared statements:
    Smith, Richard F.............................................    64

              Additional Material Submitted for the Record

Waters, Hon. Maxine:
    Letter to Chairman Hensarling................................    85
Ellison, Hon. Keith:
    Letter from Consumers Union..................................    72
Maloney, Hon. Carolyn:
    Letter to TransUnion and Experian............................    80
    Letter from Experian.........................................    82
Messer, Hon. Luke:
    Equifax Privacy Notice.......................................    84
Smith, Richard F.:
    Written responses to questions for the record submitted by 
      Ranking Member Waters......................................    87
    Written responses to questions for the record submitted by 
      Representative Ellison.....................................    94
    Written responses to questions for the record submitted by 
      Representative Heck........................................    95
    Written responses to questions for the record submitted by 
      Representative Meeks.......................................    99
    Written responses to questions for the record submitted by 
      Representative Sinema......................................   100
    Report of the Special Committee of the Board of Directors of 
      Equifax, Inc...............................................   101



                       Thursday, October 5, 2017

                     U.S. House of Representatives,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The committee met, pursuant to notice, at 9:19 a.m., in 
room 2128, Rayburn House Office Building, Hon. Jeb Hensarling 
[chairman of the committee] presiding.
    Present: Representatives Hensarling, Royce, Lucas, Pearce, 
Posey, Luetkemeyer, Huizenga, Duffy, Stivers, Hultgren, Ross, 
Pittenger, Wagner, Barr, Rothfus, Messer, Tipton, Williams, 
Poliquin, Love, Hill, Emmer, Zeldin, Trott, Loudermilk, Mooney, 
MacArthur, Davidson, Budd, Kustoff, Tenney, Hollingsworth, 
Waters, Maloney, Velazquez, Sherman, Meeks, Capuano, Clay, 
Lynch, Scott, Cleaver, Ellison, Perlmutter, Himes, Foster, 
Kildee, Delaney, Sinema, Beatty, Heck, Vargas, Gottheimer, and 
    Chairman Hensarling. The committee will come to order.
    Without objection, the Chair is authorized to declare a 
recess of the committee at any time, and all members will have 
5 legislative days within which to submit extraneous materials 
to the chair for inclusion in the record.
    The hearing is entitled ``Examining the Equifax Data 
    I now recognize myself for 3-1/2 minutes to give an opening 
    On September 7, Equifax announced what it called a, quote, 
``cybersecurity incident'' at its business that potentially 
affects 145 million U.S. consumers--nearly half of all 
Americans. In other words, if you are hearing my voice, you are 
either the victim of the breach or you know someone who is. 
That is how massive this breach was.
    The criminals got basically everything they need to steal 
your identity, open credit card accounts in your name, and 
cause you untold frustration and financial calamity. This may 
be the most harmful failure to protect private consumer 
information the world has ever seen.
    The company's response to this breach has left much to be 
desired. For weeks, Equifax failed to disclose the breach to 
consumers and its shareholders. It provided confusing 
information about whether people were victims of the breach or 
    And, beyond belief, senior executives sold their Equifax 
shares after the company knew of the breach and before the 
company disclosed the breach. I trust the Justice Department 
and Securities Exchange Commission (SEC) will get to the bottom 
of this.
    Clearly, action by the Federal Trade Commission, the 
Consumer Financial Protection Bureau, and potentially other 
regulators is required. Congress must ensure that Federal law 
enforcement and Federal regulators do their jobs so justice can 
be served and victims are made whole.
    We must thoroughly examine if our agencies in statutes like 
Gramm-Leach-Bliley, the Fair Credit Reporting Act, and UDAAP 
are up to the job.
    In this era, big data, large-scale security breaches 
unfortunately are becoming all too common. By the increasing 
frequency and sophistication of cyber attacks, this clearly 
demands heightened vigilance and enhanced efforts to safeguard 
    Protecting consumers obviously starts with requiring 
effective measures to prevent data breaches in the first place. 
Given the Federal Government's own poor track record when it 
comes to protecting personal information witness the SEC and 
the Office of Personnel Management (OPM) hacks as two recent 
    We must be cautious about attempts to never let a good 
crisis go to waste and impose a Washington-forced technology 
solution that may be antiquated as soon as it is imposed. 
However, I do believe that we need to ensure we have a 
consistent national standard for both data security and breach 
notification in order to better protect our consumers, hold 
companies accountable, and assure that this affair does not 
repeat itself.
    Our committee passed such legislation nearly 2 years ago, 
the bipartisan Data Security Act. The need to revisit that 
legislation and, where necessary, improve upon it should be 
obvious to all. The status quo is clearly failing consumers and 
leaving them extremely vulnerable.
    So I look forward to working with members of both sides of 
the aisle and working with the Administration to ensure that 
Americans across the country will be protected and will no 
longer have to lose sleep over the kind of breaches that we are 
discussing today.
    I yield back the balance of my time.
    I now recognize the Ranking Member of the Committee, the 
gentlelady from California, for 3 minutes.
    Ms. Waters. Thank you, Mr. Chairman.
    The massive breach at Equifax and the company's subsequent 
failures are a lapse on a scale we have never seen before. 
Equifax's failure to safeguard consumer data is all the more 
egregious because the impacted customers never chose to do 
business with Equifax.
    And because of the broken business models of our country's 
credit reporting agencies, these consumers can't end their 
relationship with Equifax. They can't shop around for a better 
deal. They are literally stuck with this company.
    So I am very interested in what Equifax will do moving 
forward to provide full redress for all of those who have been 
harmed. I am also interested in why Equifax has sent this 
committee a witness today without the authority to commit 
Equifax to future action.
    The members of this committee need to hear not just about 
what has happened but also about what Equifax plans to do 
moving forward. I already know that this hearing won't answer 
all of the questions, and I and other members would like to 
know more.
    This is why committee Democrats are requesting a minority 
day hearing to get more answers to the questions surrounding 
not only this breach but also its impact on consumers and 
solutions for consumers moving forward.
    For example, I, for one, would like to make sure that 
credit reporting agencies do not inappropriately profit off of 
this incident by exploiting consumers' legitimate fears. Now is 
not the time to focus on how to sell consumers more products. 
Now is the time to fix what has been broken.
    But this breach and Equifax's woeful response are just the 
tip of the iceberg. The whole credit reporting system needs a 
complete overhaul. That is why I introduced H.R. 3755, the 
Comprehensive Consumer Credit Reporting Reform Act. This 
legislation would, among other things, shift the burden of 
removing credit report mistakes to credit reporting agencies 
and away from consumers.
    And my bill would also shrink the importance of credit 
reports in our lives by limiting the use of credit reports in 
employment checks and limiting when CRAs can collect 
information on consumers. It is time to end the strangledhold 
that Equifax, TransUnion, and Experian have on our consumers' 
    Mr. Chairman, I yield back.
    Chairman Hensarling. The gentlelady yields back.
    The Chair now recognizes the gentleman from Missouri, Mr. 
Luetkemeyer, the Chairman from our Financial Institutions 
Subcommittee for 1-1/2 minutes.
    Mr. Luetkemeyer. Thank you, Mr. Chairman.
    Mr. Smith, I know you have sat before several committees 
this week, and I trust you have heard the anger from Congress 
and the American people. This is not just incompetence on the 
part of you and your company but also negligence and disregard 
for the law and for consumers.
    There is a failure on the part of you, your board, and your 
senior management, and your failures have impacted more than 
one-third of the American people. What is most egregious to me 
is that the American people's data had potentially been 
compromised, had to wait more than a month to find out about 
    The American public deserves better. They deserve prompt 
notification so they can safeguard their identity. They deserve 
a system that effectively and efficiently notifies them, not 
one that has slowed down because of turf wars, regulatory 
complex, or fear of litigation.
    I believe it is now time to move forward, and we need to 
find solutions to this problem. I hope that if one good thing 
comes from this yet another major data breach, it is that the 
American consumers can finally get a system that works for 
    I Chair the Financial Institutions Subcommittee that is 
going to have oversight over this data breach and a security 
informational-type of bill, and I can assure you we are going 
to try and look very thoroughly at this incident as others drum 
up some ways to protect the American consumers.
    Mr. Chairman, with that, I yield back.
    Chairman Hensarling. The gentleman yields back.
    The Chair now recognizes the gentleman from Missouri, Mr. 
Clay, the Ranking Member of the Financial Institutions 
Subcommittee for 1 minute. Apparently he is not here.
    We then will go to the gentleman from Michigan, who also 
appears not to be here.
    The gentleman from Minnesota, Mr. Ellison, is recognized 
for 1 minute.
    Mr. Ellison. I would like to thank the Chair and Ranking 
Member for this important hearing.
    A lot has been said about the Equifax breach and a lot of 
the same things will be repeated today, but there are a few 
things that I think we have to bear in mind: One is that 
Equifax and two other big players in this industry of credit 
reporting dominate basically the whole field.
    As members of this committee know, I have been quite 
concerned about market concentration. I believe Equifax is just 
too big. It needs to be reduced in size. We need to increase 
competition and we need--and if Equifax had to worry about a 
real competitor, I believe they would be better at safeguarding 
the data of consumers.
    It is the fact that markets have concentrated it so high 
that other than TransUnion and Experian, Equifax doesn't have 
to worry about much competition--that they can be lax with the 
data of people.
    I look forward to the gentleman talking about some issues 
that I think are very important. I know that there has been 
some movement in the area of--well, I will leave that to you 
for the rest of the questioning.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentlelady from New York, Mrs. 
Maloney, Ranking Member of the Capital Markets Subcommittee for 
1 minute.
    Mrs. Maloney. Mr. Smith, Equifax was not just a breach of 
security. It was not just a massive, huge database breach. It 
was a breach in the trust of the American people in your 
    We have the best markets in the world, and I believe that 
our markets run more on trust than it does on capital. So a 
breach of trust is something our markets cannot tolerate.
    I join my colleagues in being committed to finding 
procedures going forward that this does not happen again, and 
that the law is enforced against those who breach and break the 
    Chairman Hensarling. The time of the gentlelady has 
    Today we will receive the testimony of Mr. Richard Smith, 
who is the former CEO and Chairman of Equifax and adviser to 
the interim CEO. Prior to September 26 of this year, Mr. Smith 
had been the Chairman and Chief Executive Officer at Equifax 
since 2005. Before joining Equifax, Mr. Smith held various 
management positions at General Electric where he worked for 22 
    Without objection, the witness' written statement will be 
made part of the record.
    Mr. Smith, you are now recognized for 5 minutes to give an 
oral presentation of your testimony. Thank you.


    Mr. Smith. Thank you. Thank you Chairman Hensarling, 
Ranking Member Waters, and the honorable Members of the 
committee. Thank you for allowing me to come before you today 
to testify. Again, I am Rick Smith, and for the past 12 years, 
I have had the honor of serving as Chairman and CEO of Equifax.
    Over the past month or so, I have had the opportunity to 
talk to many American consumers and read their letters, those 
impacted and not impacted alike, and understand their anger and 
frustration that we have caused at Equifax.
    This criminal attack on our data occurred on my watch, and 
I take full responsibility for that attack as the CEO. I want 
every American and everyone here to understand that I am deeply 
apologetic and sorry that this breach occurred; and that, I 
also want the American public to know that Equifax is committed 
to dedicate our energy and time going forward to making things 
    Americans have a right to know how this happened, and today 
I am prepared to testify about what I learned and what I did 
about this incident while CEO of the company, and also what I 
know about the incident as a result of being briefed by the 
company's ongoing investigation.
    We now know that this criminal attack was made possible by 
a combination of a human error and a technological error. The 
human error involved the failure to apply a patch to a dispute 
portal in March 2017. The technological error involved a 
scanner that failed to detect the vulnerability on this 
particular portal that had not been patched. Both errors have 
since been addressed.
    On July 29 and 30, the suspicious activity was detected. We 
followed our security incident response protocol at that time. 
The team immediately shut down the portal, and they began their 
internal security investigation.
    On August 2, we hired top cybersecurity forensic and legal 
experts. We also notified the Federal Bureau of Investigation 
(FBI). At that time, we did not know the nature or the scope of 
the incident. It was not until late August that we concluded 
that we had experienced a major data breach.
    Over the weeks leading up to September 7, our team 
continued working around the clock to prepare to make things 
right. We took four steps to protect consumers: First, 
determining when and how to notify the public, relying on the 
advice of our experts that we needed to have a plan in place as 
soon as we announced; No. 2, helping consumers by developing a 
website, staffing up massive call centers, and offering free 
services not only to those impacted but to all Americans; No. 
3, preparing for increased cyber attacks, which we were advised 
are common after a company announces a breach; and finally, No. 
4, continuing to coordinate with the FBI in their criminal 
investigation of the hackers while at the same time notifying 
Federal and State agencies.
    In the rollout of our remediation program, mistakes were 
made for which I am, again, deeply apologetic. I regret the 
frustration that many Americans felt when our websites and our 
call centers were overwhelmed in the early weeks. It is no 
excuse, but it certainly did not help that two of our larger 
call centers were shut down due to Hurricane Irma.
    Since then, however, the company has dramatically increased 
its capacity. And I can report to you today that we have had 
over 420 million U.S. consumers visit our websites and that our 
call times, our wait times at the call centers have been 
reduced substantially.
    At my direction, the company offered a broad package of 
services to all Americans, all of them free, aimed at 
protecting the consumers. In addition, we developed a new 
service available on January 31 of 2018 that will give all 
consumers the power to control access to their credit data by 
allowing them to lock and unlock access to their data for free 
for life, putting the power to control access to credit data in 
the hands of the American consumer. I am looking forward to 
discussing in as much detail as you would like that service 
offering during my testimony.
    As we have all painfully learned, data security is a 
national security problem. Putting consumers in control of 
their credit data is a first step toward a long-term solution 
to the problem of identity theft.
    But no single company can solve a larger problem on its 
own. I believe we need a private-public partnership to evaluate 
how to best protect Americans' personal data going forward, and 
I look forward to being a part of that dialog.
    Chairman Hensarling, Ranking Member Waters, and honorable 
Members of the committee, thank you again for inviting me to 
speak today. I will close again by saying how sorry I am that 
this breach occurred on my watch.
    On a personal note, I want to thank the many hardworking 
and dedicated employees that I worked with so tirelessly over 
the past 12 years. Equifax is a very good company with 
thousands of great people trying to do what is right every day. 
I know they will continue to work tirelessly as we have over 
the past few months to right the wrong.
    Thank you.
    [The prepared statement of Mr. Smith can be found on page 
64 of the Appendix.]
    Mr. Sherman. Mr. Chairman, point of order.
    Chairman Hensarling. The gentleman from California will 
state his point of order.
    Mr. Sherman. I would request that the witness be sworn.
    Chairman Hensarling. It has not been the practice of the 
committee to swear in witnesses, as you know. The witness has 
to sign before coming here that the testimony will be truthful. 
That should be sufficient.
    The Chair yields himself 5 minutes for questions.
    Mr. Smith, I know this is your fourth appearance before 
Congress, but I think you know it speaks to the gravity of the 
situation, the number of our constituents which are impacted 
and, frankly, the number of committee jurisdiction lines that 
this crosses.
    Since you have testified three other times, I will attempt 
to plow a little new ground. As you know, there is a lot of 
focus on--I guess to use your phrase--once the nature and the 
scope of the breach was realized, this still took approximately 
a month before people were notified of the breach.
    Did someone in law enforcement ask Equifax to delay 
notification to the public?
    Mr. Smith. Mr. Chairman, as I mentioned in my written and 
oral comments, we were in communication routinely throughout 
the process with the FBI, but they did not necessarily dictate 
the flow of communication to the public.
    Chairman Hensarling. OK. Were there outside data security 
consultants that advised the company to delay notification for 
a month?
    Mr. Smith. Mr. Chairman, we worked very closely with 
Mandiant--that may ring a bell. Mandiant is viewed as, if not 
the leading, one of the leading cyber forensic firms in our 
country--and our outside counsel, global law firm King & 
Spalding. And, yes, they both, in tandem with our team, managed 
the flow of communication externally.
    I would say, Mr. Chairman, one thing--
    Chairman Hensarling. I am sorry. Did they advise you to 
delay it for approximately 4 weeks?
    Mr. Smith. They guided us in our announcement on the 7th. 
The 4 weeks--Mr. Chairman, it wasn't until around the 24th that 
we really realized the size of the breach, and even that 
continued to develop from the 24th of August until the time we 
went public on the 7th.
    And as you may have seen, the company came out, I think it 
was this Monday, with continued evidence on 2.5 million more 
consumers. So it was a very fluid process of understanding the 
scope, the size, and the nature of the breach.
    Chairman Hensarling. Mr. Smith, I am led to believe the 
Apache Struts CVE-20175638 vulnerability was first publicized 
in early March, at which point it was immediately categorized 
as a critical vulnerability by numerous cybersecurity 
authorities. What do you believe is a reasonable amount of time 
for a critical vulnerability patch to be pushed out and 
implemented on all affected applications?
    Mr. Smith. Yes. Our policy, our program at the time was 
within 48 hours and we did that. We were notified--
    Chairman Hensarling. I am sorry. You did do that?
    Mr. Smith. Yes.
    Chairman Hensarling. So what happened?
    Mr. Smith. So on the 8th of March we were notified, as you 
mentioned. On the 9th of March, following the standard 
protocol, the communication was disseminated to those who 
needed to know about the patch.
    Two things happened, Mr. Chairman: One was a human error, 
an individual who was responsible for what we call the patching 
process did not ensure that there was communication and closed-
loop communication to the person who needed to apply the patch. 
That was error number one.
    Error number two was on the 15th of March, we used a 
technology called a scanning technology, which looks around the 
systems for vulnerabilities. That scanner, for some reason, did 
not detect the Apache vulnerability. So we had a human error, 
as I alluded to in my oral testimony, and a technological 
error, both resulting in the fact that it was not patched.
    Chairman Hensarling. Mr. Smith, once Equifax chose to 
notify the public--there are currently roughly 47-odd State 
breach notification laws, as you are well aware. So I know we 
have a patchwork. But under what breach notification regime did 
you notify the public?
    Mr. Smith. Well, Mr. Chairman, we were mindful of the State 
laws and trying to abide by all the State laws, while at the 
same time following the recommendation of Mandiant, making sure 
we had clear and accurate understanding of the breach. And as I 
mentioned earlier, that took weeks.
    It was very difficult to retrace the footprints of these 
criminals, where they had been, what they had done. We had to 
recreate inquiries, we being Mandiant and the security team and 
our outside legal adviser. That took a long time.
    Chairman Hensarling. Mr. Smith, you are located in Georgia, 
correct? Was that a Georgia regime notification that you 
followed? You didn't follow the 47-odd State notification 
regimes, did you?
    Mr. Smith. Yes, sir, we are headquartered and domiciled in 
Atlanta, Georgia. My point was we were aware of and mindful of 
all State laws for breach notification while also making sure 
we had an accurate and clear understanding of what data had 
been compromised, and that was not until late in August.
    Chairman Hensarling. My time has expired.
    The Chair now recognizes the Ranking Member for 5 minutes.
    Ms. Waters. Thank you very much, Mr. Chairman.
    Mr. Smith, I appreciate your being here today. But I want 
to understand what capacity you are in today. Are you a 
volunteer? A paid adviser? Do you play any role in the company? 
Would you please make that clear to me?
    Mr. Smith. Yes. Congresswoman, I am the former Chairman and 
CEO, 12 years in that role. Today I am sitting here as the 
former CEO but also someone who has agreed to work with the 
    Ms. Waters. Are you a volunteer?
    Mr. Smith. Yes, I am not paid.
    Ms. Waters. You are not paid. And so you came today to try 
and perhaps explain what has taken place. But do you have the 
ability to talk about what happens going forward and how we can 
correct the mishaps, the errors, the problems of Equifax? Are 
you empowered to do that today?
    Mr. Smith. Congresswoman, I have the ability to talk 
looking forward from my perspective as an individual who was a 
CEO for 12 years.
    Ms. Waters. But if you make a commitment here today, are 
you bound by any commitment you make for the company today?
    Mr. Smith. No. Commitments will have to be made by the 
company themselves.
    Ms. Waters. And so your capacity today is simply to try and 
explain and take responsibility rather than how we go forward 
for the future. Is that right?
    Mr. Smith. That is largely correct, Congresswoman. I do 
have views, again, on paths forward, and I am prepared to 
discuss those. But commitments will have to be made by the 
company themselves.
    Ms. Waters. Well, that creates a little bit of a problem 
for us today. We have such limited time to deal with so many 
problems. And while I appreciate your taking responsibility and 
apologizing, your being here today doesn't do much for us in 
terms of how we are going to move forward and correct the 
problems of Equifax.
    Our consumers are at great risk. As a matter of fact, I 
have not been able to freeze my credit with Equifax. I can't 
get through. And you are talking about the improvements that 
you have made. Are you close enough with the company to know 
exactly what has been done to be available to consumers?
    Mr. Smith. Congresswoman, yes, I have an understanding that 
what has been done to make this service level to consumers 
better. I mentioned in my comments, they have staffed up 
dramatically on the call centers.
    I am told--it is a few days old now--that the backlog of 
consumers trying to get through and secure their free services 
has now been emptied and that the flow is now almost 
    Ms. Waters. I am not sure about that, and I worry about 
    In addition, I will tell you what else I worry about. How 
long will consumers be able to get what you describe as free 
service from Equifax? Is there a time that is going to kick in 
where they are going to be charged for trying to straighten out 
whatever problems have been created because of this serious 
hacking that has been done?
    Mr. Smith. The company has offered five services to every 
American, not just those impacted.
    Ms. Waters. How many?
    Mr. Smith. Five different services--I can walk through 
those, if you are interested--which give protection to the 
consumer and, again, not just those impacted but any U.S. 
    Ms. Waters. For how long?
    Mr. Smith. For 1 year from the time they sign up followed 
by, in January 2018, under my watch, we started developing this 
product which is the ability for a consumer to control access 
to their data for life.
    They will have the ability to lock access and unlock when 
he or she chooses versus us being able to do that on their 
behalf. And that will be free for life, starting in January 
2018. It will be enabled as an application on one's cellphone, 
for example, so very easy for a consumer to use.
    Ms. Waters. OK. I might have missed part of that. But if 
one's identity has been stolen, and usually it takes a long 
time to unravel that, are you going to provide service and 
protection and assistance to the consumer until that is taken 
care of?
    Mr. Smith. Yes, Congresswoman. Again, the product we have 
today, one of the five services we offer today is the ability 
to lock your access to your file. It will be enhanced in 
January with easier user interface. That is the most secure way 
we have to prevent someone from--preventing identity fraud by 
accessing your credit file. You, as a consumer, determine who 
accesses it, who does not, and when.
    Ms. Waters. OK. But I am clear. I think what you have said 
is when one find's oneself in that position that Equifax will 
provide them with the service and assistance in perpetuity?
    Mr. Smith. For life.
    Ms. Waters. Thank you. I yield back the balance of my time.
    Chairman Hensarling. The gentlelady yields back.
    The Chair now recognizes the gentleman from Missouri, Mr. 
Luetkemeyer, Chairman of our Financial Institutions 
    Mr. Luetkemeyer. Mr. Smith, thank you.
    You know, we have--I had a long meeting this past week with 
some experts in data security and how they can be protected. 
And one of the comments that was made was that when it comes to 
information technology budgets, the average company only spends 
6 percent on security. Do you know off the top of your head 
roughly what your company spent for security out of their 
information technology budget?
    Mr. Smith. Congressman, I do. I think what you are 
referring to is there is a benchmark on a percent of the IT 
budget that--
    Mr. Luetkemeyer. Right.
    Mr. Smith --is directed towards security, and 6 percent is 
the average. IBM, who creates a benchmark, views 10 percent, 14 
percent as being best in class. We are in the 12 percent range.
    Mr. Luetkemeyer. OK. Have you put in place or are you aware 
of new protocols that you have got in place to make sure this 
never happens again, your company?
    Mr. Smith. Yes. We have implemented multiple protocols over 
the years, and at the time of the breach step one was the 
forensic review, step two was remediation plans for short term, 
medium term, and long term. We have implemented those to make 
sure we are more secure. We have also engaged a world-class 
consultant to come out and rethink everything we have done for 
a long-term plan.
    Mr. Luetkemeyer. OK. As a result of this breach, the 
exposure is ginormous here, quite frankly. It could, I would 
imagine, bankrupt your company if something--if this was--for a 
number of reasons here. Do you have an insurance policy to 
cover this kind of a breach?
    Mr. Smith. Yes. I have discussed that in the past. We do 
have a tower of insurance coverage that is common in our world. 
It is cybersecurity, general liability insurance.
    Mr. Luetkemeyer. OK. So basically the company is protected. 
Is that right?
    Mr. Smith. Well, there are limits--
    There are limits to any coverage you have and limits here 
as well. I have not disclosed those limits.
    Mr. Luetkemeyer. OK. In your testimony, both written 
testimony and your verbal testimony a minute ago, you talked 
about new security processes and you were talking here, 
creating a public-private partnership to begin a dialog on 
replacing Social Security numbers as a touchstone for identity 
verification in this country.
    Can you explain what you believe is a public-private 
partnership with regards to this?
    Mr. Smith. Yes, Congressman. There are two thoughts there: 
One, the rise and the intensity and severity of cybersecurity 
incidents around the country and the world is running at a pace 
that has never been seen before. And I am convinced there is 
more we can do in public-private partnership to get ahead of 
the curve on cybersecurity, not just reacting to it.
    Number two is, the more I reflect, think, and talk to 
experts in the area of cybersecurity, I am convinced there is 
an opportunity for this partnership between public and private 
to rethink the concept of a Social Security number, name, date 
of birth as being the most secure way to identify consumers in 
the U.S.
    It is an instrument that was introduced, as you well know 
far better than I, back in the 1930s. I think it is time we 
think about a new way to identify consumers.
    Mr. Luetkemeyer. The Chairman did a good job of discussing 
the notification problems with regards to this situation. Can 
you tell me, what do you believe is a better way to notify the 
individuals? A minute ago you said you basically knew on the 
24th that individual data had been breached, and it wasn't 
until the 7th, which is 2 weeks later, that you really made a 
notification to the individuals.
    Even if you can't get your systems up and running so you 
can take phone calls, don't you think it would be better to 
have at least notified the individuals, if not by just a public 
declaration saying, hey, we have been breached, millions of 
people's information could have been breached; therefore, all 
of you who are in our systems need to take precautions and let 
them on their own take whatever precautions they can rather 
than wait to find out if they had been hacked or if their 
information has been breached? Don't you think there would be a 
better way to go about it?
    Mr. Smith. Congressman, I can reassure you that we took a 
lot of time to think about the notification process. I will 
make one point of clarification. On the 24th, the knowledge we 
had surrounding the breach was still fluid. It was fluid 
through the 7th. In fact, it was fluid--the forensics did not 
conclude until Monday of this week.
    The other thing I will say is that Mandiant, the 
cybersecurity forensic experts, recommended that we really 
prepare ourselves for significant increase, cyber attacks, when 
you went live with an announcement.
    So between the 24th and the 7th, a lot of energy was spent 
securing wherever we could secure our facilities to give us the 
best protection against cyber attacks. And also, as you 
mentioned, Congressman, we had to standup the environment call 
centers, train people, staff people, pull together the product, 
the service offering, so a lot of work was being done over 
those 2 weeks.
    Chairman Hensarling. The time of the gentleman has been 
    The Chair wishes to advise all members, there is currently 
a vote taking place on the floor, over 10 minutes left in the 
vote. We will clear one more member and then declare a recess 
pending end of votes.
    The Chair now recognizes the gentlelady from New York, Mrs. 
Maloney, Capital Markets Subcommittee Ranking Member.
    Mrs. Maloney. Thank you.
    Mr. Smith, as you well know, Americans rely on the three 
credit bureaus, a select group of companies to safeguard some 
of our most sensitive information. And it is because these 
credit bureaus hold this key personal information that we 
subject your companies to very rigorous data security 
    The credit bureaus are subject to the Federal Trade 
Commission's (FTC's) safeguards rule, which is intended to 
ensure the security and confidentiality of the information. So 
we have a law in place that protects--supposedly--against 
exactly what happened here.
    And now we will see if the FTC is willing to enforce it. 
And if they are not, then we will know that Equifax is clearly 
above the law. The safeguards rule requires, among other 
things, that Equifax have an information security program in 
place that can identify reasonably foreseeable risk to the 
security of your data and can protect against these risks.
    This risk was obviously reasonable, foreseeable, because 
the Department of Homeland Security literally sent you and the 
other credit bureaus notice warning you about the exact 
vulnerability that the hackers exploited. And yet, your 
security program did not protect against this obviously 
foreseeable announced risk.
    So in my mind, this is the most open and shut violation of 
the safeguards rule that I have ever seen in the history of 
this country. So my question to you, Mr. Smith, is, do you 
believe that Equifax violated the FTC's safeguard rule?
    Mr. Smith. Congresswoman, I understand your point, and it 
is my understanding we were in compliance with the safeguards 
rule and that the safeguards rule does not prevent 100 percent 
against data breaches.
    Mrs. Maloney. How in the world could you let this happen 
when you were warned by the Homeland Security Department?
    My second question, the safeguard rule also requires you to 
have a patch management system, essentially a system in place 
to patch security flaws as soon as a fix for the flaw is 
released. But you have testified that your patch management 
system failed in this case, even though there was a patch 
released almost immediately.
    Equifax did not implement the patch like it was supposed 
to. Now, I wrote to the other two credit bureaus a letter about 
their information security programs to make sure that their 
systems were fully protected. And one of them wrote me back, 
Experian. They wrote me a very detailed response, which I would 
like to submit to the record along with my letter--
    Chairman Hensarling. Without objection.
    Mrs. Maloney --in which they explained that their patch 
management system functioned correctly. And when they got the 
notice from Homeland Security they immediately implemented the 
security patch. They also stated that their patch management 
system will literally shut down. It won't even work. It shuts 
down automatically if a patch isn't implemented immediately.
    So my question is, why didn't your patch management system 
automatically shut down your systems when the security patch 
wasn't implemented? Why was this flaw allowed to go unpatched 
for months before you noticed it?
    Mr. Smith. Congresswoman, a patch has to be identified. We 
are routinely notified from--
    Mrs. Maloney. It was identified by the Homeland Security 
Department when they notified you. You already testified that 
your person failed to implement it.
    Mr. Smith. Yes. I was referring to, it has to be identified 
by us not by the outside, either a software manufacturer or, in 
this case, Department of Homeland Security. As I said in my 
oral testimony--
    Mrs. Maloney. My time is almost up and I have one more 
question and I think it is important. You may not know this, 
Mr. Smith, but it is actually considered best practices in a 
company with lots of sensitive, personal information to have 
their chief information security officer have independent 
business lines that report directly to the CEO and to the board 
of directors.
    But at Equifax, you were using an outdated corporate 
governance model and had your chief information security 
officer reporting to the general counsel, not directly to the 
CEO, and board.
    So my question is, why was your chief information security 
officer not reporting directly to you and the board? And why 
were you using an old model? Was it because you don't think 
that information security was important enough to be reported 
directly to you?
    Mr. Smith. Congresswoman, I don't believe it matters where 
the chief information security officer reports. It was a 
priority for me. It was a priority for the board. It is a 
priority for the company. Having--
    Mrs. Maloney. But it wasn't reported to you or the board. 
It went to the counsel.
    Mr. Smith. It did not hinder our ability--
    Mrs. Maloney. And it violated best practices for security 
    Chairman Hensarling. The time of the gentlelady has 
expired. There is one vote pending on the floor. The committee 
stands in recess pending conclusion of that vote.
    Chairman Hensarling. The committee will come to order.
    The Chair now recognizes the gentleman from New Mexico, Mr. 
Pearce, Chairman of our Terrorism and Illicit Finance 
Subcommittee for 5 minutes.
    Mr. Pearce. Thank you, Mr. Chairman.
    And thank you, Mr. Smith, for being here today.
    To get the playing field level underneath us, you would 
describe the processes at Equifax with regard to outside hacks 
to be very engaged and pretty professional. We had a human 
mistake, more or less. Is that kind of correct?
    Mr. Smith. Congressman, I would say, obviously, we 
committed two very unfortunate errors, the one you mentioned, 
    Mr. Pearce. I am asking about the overall culture and the 
approach to security, understanding that you have got a lot of 
critical data here.
    Mr. Smith. Yes. I would describe the culture and the focus 
as one that put a top priority on security, yes.
    Mr. Pearce. How much of your time in your 12 years did you 
spend each day, you say, on cybersecurity?
    Mr. Smith. Congressman, when I first came here we had no 
cybersecurity organization. I made it a priority 12 years ago 
to engage consultants to help us scope it out. We went from 
basically no people to 225.
    Mr. Pearce. So how much time--how knowledgeable are you on 
the subject?
    Mr. Smith. We had routine reviews.
    Mr. Pearce. No. You. You, you personally.
    Mr. Smith. That is what I am saying.
    Mr. Pearce. So you had routine reviews.
    How many times had the Apache Struts been fixed? How many 
times had it been patched underneath your watch?
    Mr. Smith. Well, we have vulnerabilities in general terms 
across software. The Apache Struts, the best of my knowledge, 
this particular open source software, there was one 
notification on March 8.
    Mr. Pearce. So is the firm still using that software?
    Mr. Smith. It was deployed in two locations. It has been 
    Mr. Pearce. But it is still using it? I am not that savvy 
on all the cyber crimes, but when I hear the Secretary of the 
Treasury say that 50 percent of his time every day is spent on 
cyber threats, I was trying to get some sense from you how much 
of your time every day, because this is probably one of the 
more critical things. And when I didn't get a very solid 
answer, then I tend to fall on the side that says that there is 
a little bit of a lax culture here.
    I just Googled Apache Struts to--I just opened the first 
website, and it talks about something that came out open-
source. It was pretty good, but they lost their way about 3 or 
4 years ago. To be using a piece of software that the first 
Google result says 3 out of 5 stars, we probably ought to be 
looking at better alternatives out there.
    And then you have these patches that come out and no one 
actually responds to them or they--so who made that decision? 
Where in the hierarchical scheme did that decision not to 
implement the patch that was suggested, where did that decision 
come in?
    Mr. Smith. Again, on the 8th of March, the notification 
came out, as you alluded to from the Department of Homeland 
Security. A security team sends out a communication to the 
organization. The patching process, to be clear, to your 
question, was owned by the chief information officer. It was 
under his--in his organization.
    Mr. Pearce. Where in this--surely somebody more than just 
an agent at the field level was tasked with being sure that we 
don't have any vulnerabilities. Surely it was not that low. So 
has that decisionmaking stream been made public?
    Mr. Smith. The owner of the process for patching was a 
direct report to--
    Mr. Pearce. No. I am talking about internally in Equifax. 
Don't worry about who out there, outside, because you are the 
one responsible. So is that decision scheme, is the decision 
process made public, and can we know who? Can we get that 
    Mr. Smith. Congressman, let me clarify now, if I may. The 
owner of the process internal to Equifax for the patching, in 
this case, of Apache Struts or any software that needs to be 
patched, was an individual who was a direct report to the chief 
information officer. He is no longer with the company.
    Mr. Pearce. OK. I am about out of time.
    Now, your assertion that this is just human error overlooks 
the fact that you had unencrypted information. Anybody that 
gets in can read it. It is not encrypted. Is that industry 
standards that we don't encrypt personally identifiable 
information (PII)?
    Mr. Smith. Congressman, that is not correct. We use 
tokenization. We use encryption. We use masking.
    Mr. Pearce. Your testimony a couple days ago answered that 
you have a lot of information that was just in plain text. I 
think those all indicate--and the fact that we haven't 
identified the process--indicate a culture internally that was 
very lax, in my opinion.
    Thank you, Mr. Chairman. I yield back.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentlelady from New York, Ms. 
    Ms. Velazquez. Thank you, Mr. Chairman.
    Mr. Smith, in your testimony you stated that you are deeply 
sorry that this event occurred and that you and the Equifax 
leadership team have worked tirelessly over the last 2 months 
to make things right. However, according to an article in 
Fortune Magazine published on September 26, you are retiring 
with a payday worth as much as $90 million.
    So my question to you, sir, do you believe it is right for 
you to walk away with a payday worth $90 million when the lives 
of more than 145 million hardworking Americans had been 
potentially compromised?
    Mr. Smith. Congresswoman, one, again, I do deeply apologize 
for the breach to those American consumers.
    I have heard of this article. I can't reconcile that 
number. Let me be very clear. I was--
    Ms. Velazquez. How much are you getting in your retirement 
    Mr. Smith. When I retired, I did announce my retirement. 
And at that time--so I also told the board back in early 
September, mid-September that I would not take a bonus going 
forward. I also told the board that I would be an adviser, 
unpaid, helping the board and helping the management team for 
as long--and I asked for nothing beyond what was disclosed in 
the proxy, and that is a pension that I have accumulated over 
my career, and that is some equity that I have earned in the 
    Ms. Velazquez. So you told the Ranking Member that you are 
here in your capacity as an adviser to Equifax now?
    Mr. Smith. Unpaid.
    Ms. Velazquez. OK. And so are you advising Equifax to set 
up a compensation fund for impacted consumers to help them 
rebuild their lives?
    Mr. Smith. Congresswoman, the advice I gave to the board 
and the management has been followed, and that was to offer 
five free services for 1 year followed by the ability to lock 
and prevent identity theft against their credit file for life.
    Ms. Velazquez. But that is not a compensation fund?
    Mr. Smith. Correct.
    Ms. Velazquez. So, Mr. Smith, as Ranking Member of the 
House Small Business Committee, I am concerned about the impact 
this historic breach will have on our country's 29 million 
small businesses. As you know, the availability of business 
credit is often inextricably tied to owner's personal credit 
    Last week, Senator Shaheen and I wrote a letter requesting 
information about Equifax efforts to help small business 
clients, but we haven't received any response.
    So what steps is Equifax taking to educate small businesses 
and what does it means for their businesses?
    Mr. Smith. Congresswoman, I understand the question. If we 
have not responded to your letter, I will make sure that the 
company does respond in writing to your request.
    Specifically to your question, however, if a small 
businessman or woman was also the proprietor of that company, 
as an individual, they would be covered by what we are doing 
for them going forward, offering this free lock product for 
life. Number two, to clarify if I may, small businesses in 
America are very important customers of ours.
    Ms. Velazquez. I know that.
    Mr. Smith. And we have told them and others through 
different functions that they have not been compromised. The 
data we have on small businesses was not compromised.
    Ms. Velazquez. They were not compromised?
    Mr. Smith. If you are an individual, again, as I said, as a 
proprietor, you are covered by the services we are offering for 
free. The small business database that we manage was not 
    Ms. Velazquez. So let me ask you, how is Equifax working 
with lenders to establish a safe way to check credit scores for 
borrowers seeking a small business loan?
    Mr. Smith. Again, Congresswoman, if you were a proprietor 
of that small business, you have the ability to access all the 
free services that we just discussed.
    Ms. Velazquez. So, this past Monday, it was announced that 
approximately 2.5 million additional U.S. consumers have been 
potentially impacted by the breach. Can you assure us that 
there will be no more discovery of even more consumers who have 
been potentially impacted as a result of this breach?
    Mr. Smith. It is my understanding that the press release 
that came out from the company on Monday not only said 2.5 
million consumers were impacted additionally but also that the 
forensic review by Mandiant was now complete.
    Ms. Velazquez. I yield back.
    Chairman Hensarling. The time of the gentlelady has 
    The Chair now recognizes the gentleman from Michigan, Mr. 
Huizenga, Chairman of our Capital Markets Subcommittee.
    Mr. Huizenga. As the Chairman had indicated, I Chair the 
Capital Markets, Securities, and Investments Subcommittee, 
where the Securities and Exchange Commission falls under that 
    You obviously know that, under Sarbanes-Oxley, you have 
certain duties and responsibilities as a CEO, not just in the 
running of the company, but in the paperwork filing that has to 
be filed with organizations like the SEC.
    Was data security ever an area you listed as a deficiency 
in regards to any of these Sarbanes-Oxley requirements?
    Mr. Smith. Congressman, I don't recall it ever being 
described as a deficiency or filed as a deficiency. It is 
routinely communicated in Ks and Qs and other means.
    Mr. Huizenga. But you had internal controls?
    Mr. Smith. Yes.
    Mr. Huizenga. All right. And presumably you do your 
analysis on that?
    Mr. Smith. Yes.
    Mr. Huizenga. So data security was never a part of that?
    Mr. Smith. Not that I--as far as a control issue?
    Mr. Huizenga. Well, as a control issue or as an area of 
    Mr. Smith. It is always viewed as an area of risk for the 
company. I don't ever recall it being communicated as an area 
of concern or the lack of controls.
    Mr. Huizenga. Well, under SEC rules, when you have a 
material change in the condition of your company, you have to 
file a form commonly known as 8-K. That 8-K form is there 
regarding financial condition or prospects and when significant 
events have occurred. When did you file that 8-K?
    Mr. Smith. I don't recall.
    Mr. Huizenga. According to my information, it was September 
    Mr. Smith. That makes sense. That is the day we went public 
with the release on the breach itself.
    Mr. Huizenga. OK. I heard in earlier testimony that you had 
not been directed by the FBI to withhold information from the 
public or to slow-walk or to do anything, right? This was not a 
directive from either the Federal Government through the FBI or 
any other law enforcement agency or any of your consultants?
    Mr. Smith. Maybe two different questions there. The FBI 
specifically involved from the second and the very fluid series 
of communication through, in fact, today even.
    Mr. Huizenga. But, no, they did not--
    Mr. Smith. Not the FBI. You said the consultants. The 
consultants did guide us on the communications.
    Mr. Huizenga. Did those same consultants tell you you 
better file that 8-K?
    Mr. Smith. The 8-K, as you mentioned, was filed on the 7th.
    Mr. Huizenga. On the 7th, but you discovered this in July.
    Mr. Smith. Congressman, in all due respect, we did not 
discover it in July. In July, the 29th and 30th, someone on the 
security team noticed what they described as suspicious 
activity. And to put it in perspective, we as a company see 
millions of suspicious activities against our data from outside 
every year.
    Mr. Huizenga. So you had an indicator--let's call it an 
indicator--July 29th. You hired a consultant, based on your 
previous testimony, August 2, correct?
    Mr. Smith. That is correct.
    Mr. Huizenga. OK. So why did it take a month plus, 5 weeks, 
to file a form with the SEC. And, coupled with that, when did 
you let your board know about this?
    Mr. Smith. I will answer both of those, if I may.
    So, as I talked about in the written testimony and the 
oral, from the 2nd of August, when Mandiant, the cybersecurity 
forensic firm, was hired and King & Spalding was hired, a 
global law firm, very fluid. They had to rebuild the footsteps 
of the criminals, where they had been. They had to rebuild the 
inquiries. It wasn't until late August that there became an 
indication of a significant--
    Mr. Huizenga. OK. So let's even take that. It still then 
took 2 weeks for you to file an 8-K, which, in the meantime, 
you had executives that sold shares. You had the public 
thinking nothing was wrong--buying and selling shares of 
Equifax. Would a reasonable shareholder have gotten some of 
this information and said, ``Hey, wait a minute, there is 
something going on at Equifax, maybe I am not going to purchase 
that stock''? That seems like that would be a reasonable step 
for an investor.
    Mr. Smith. And, Congressman, if I may, let me address the 
point you made on the sale. The sale of the three individuals, 
individuals, two of them, was back on August 1st.
    Mr. Huizenga. Got it. Regardless, I know it was prefiled. I 
am not saying that there was necessarily insider information or 
something nefarious with that. What I am pointing out to you is 
that, even though your own executives, if they didn't know that 
this was going on and an 8-K has not been filed, it seems to me 
that you got the public both coming and going, that you have 
not only the data, but also the fact that you falsely put your 
stock out there at a particular price.
    So, Mr. Chairman, my time is expired.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from California, Mr. 
    Mr. Sherman. Mr. Chairman, I will renew my request that the 
witness be sworn. When John Stumpf was here his company had 
adversely affected only 3 or 4 million consumers. We swore in 
that witness. That is the precedent of this committee in 
situations like this.
    Chairman Hensarling. The Chair has already spoken to the 
    Mr. Sherman. Mr. Smith, you have made a point that you are 
an unpaid volunteer for your company. I want to thank you for 
that service. Aside from $90 million, you are uncompensated. I 
know you have disputed the $90 million figure. So I would ask 
you to respond for the record in detail how much you have made, 
pension, stock options, and salary, from Equifax during your 
term there, and we will see whether the reports of $90 million 
are accurate.
    Timeline. There is the period from March to July when you 
should have noticed or your company should have noticed the 
problem, should have paid attention to the Homeland Security 
advisory, et cetera, but on--so that is one part of the 
timeline. Another part starts on July 1, when your chief 
information officer told you about the attack and that the 
website was shut down.
    Now, there are those in this committee room who have said 
that the company didn't act immediately on that on July 31. 
That is not entirely true. In just one day, August 1st, three 
of your executives sold $2 million of their stock. That shows 
an immediate action right after the CIO report. Does your 
company have any policies on allowing executives to sell stock, 
getting legal advice before they do so, et cetera, or is it up 
to each executive to decide how to obey the security laws?
    Mr. Smith. Congressman, let me address both. One, there was 
never a report issued on the 31st, just to be clear. That was a 
verbal communication between--
    Mr. Sherman. Right. But you were told, and the website was 
shut down. Something pretty significant happened because, the 
next day, three of your executives sold $2 million worth of 
stock. Please answer the question whether your company has a 
policy of getting approval and legal review before your 
employees sell stock.
    Mr. Smith. Yes, there is a clearing process.
    Mr. Sherman. And how would you pass that clearing process, 
selling the stock just the day after the chief information 
officer tells the CEO that there has been this data breach?
    Mr. Smith. There is a clearing process required for any 
section 16 officer. These three were section 16 officers. They 
all followed the process. The chief--
    Mr. Sherman. And you don't think the process is broken when 
it approves the sale of 2 million stocks within 24 hours of 
when the CEO gets a report of the most enormous data breach--
what turned out to be the most important data breach we have 
had in your industry?
    Mr. Smith. Congressman, I have no indication the process 
was broken. These three individuals who sold had no knowledge--
to the best of my knowledge, had no knowledge--
    Mr. Sherman. Just your luck.
    Now, the initial response of Equifax was to have a website 
advertised as your way to help consumers. And then, in the 
website, you tricked consumers--this was the plan--tricked 
consumers into foregoing their right to sue. Whose idea at the 
company was it to do that?
    Mr. Smith. The arbitration clause is what you are referring 
    Mr. Sherman. Exactly.
    Mr. Smith. That was never intended--when we found out the 
arbitration clause was in there, within one day, we took it 
    Mr. Sherman. You just found out--somehow it popped in, and 
you didn't know it was there?
    Mr. Smith. It is a standard clause in products where 
consumers have options to buy product. It was never intended to 
be in there for the free service. It was removed within 24 
    Mr. Sherman. After a huge outcry, including many members of 
this committee.
    Now, you have put out press releases telling people that 
they may be among the 143 million people. Is it the intention 
of Equifax to send a notice to those whose data were 
compromised, or is it up to them to go to your difficult-to-use 
over-burdened website to find out?
    Mr. Smith. We followed what we thought was due process. We 
sent out press releases, set up a website.
    Mr. Sherman. How about noticing? Are you going to give 
notice to the 143 million people? Are you going to send them a 
    Mr. Smith. No, sir.
    Mr. Sherman. Are you going to send them an email?
    Mr. Smith. No, sir.
    Mr. Sherman. So everybody out there figures there is a two-
thirds chance they weren't affected, and they may do nothing, 
and you have exposed their data, and you won't give them a 
notice, not even an email.
    Mr. Smith. 420 million U.S. consumers have come to our 
    Mr. Sherman. 420 million U.S. consumers. That is more than 
the number of people in the country.
    Mr. Smith. Because they have come multiple times.
    Mr. Sherman. Which means that many haven't come at all. You 
won't notify people. I yield back.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentlelady from Missouri, Mrs. 
Wagner, Chairman of our Oversight and Investigations 
    Mrs. Wagner. Thank you, Mr. Chairman.
    Mr. Smith, forgive me if I appear a little bit more 
disturbed or harsh than some of my colleagues, but this issue 
hits very, very close to home for me. This past year, my tax 
identity was stolen, and to be frank with you, it has been a 
complete and utter nightmare. For me this isn't just another 
data breach. It is a breach of trust.
    When we learned that our tax identity was stolen, guess who 
we turned to for help? That is right: The credit reporting 
agencies. So, although giving a free year of credit monitoring 
is a good step, the first step I should say, I don't have much 
confidence, to be perfectly honest, in the product, sir.
    In addition, as the Chairman of the Oversight and 
Investigations Committee, I will be closely monitoring the 
additional facts that come out regarding this case, especially 
those concerning the sale of stocks by executives at Equifax.
    Although none of us should, I should say, prejudge before 
knowing all the facts, and I am sure that the SEC and DOJ will 
get to the bottom of this. Let me start by asking you this, 
briefly, Mr. Smith, what would you tell people like me, people 
who have previously experienced identity theft of some kind and 
turned to Equifax for help? What do you say to these people who 
feel completely at a loss for what to do next? How can anyone 
possibly ever trust--and we have talked about trust here at the 
committee--this company again, and be confident that they can 
be protected in the future, please?
    Mr. Smith. Thank you, Congresswoman.
    And we are a 118-year old company, and protecting and being 
a trusted steward of our data is paramount to our ability to 
gain trust, have trust with consumers and companies around the 
world. What I would tell consumers is, first, please go to our 
website, take advantage of the five offerings that we have 
offered for a year for free. And, second, January 31, when the 
new lifetime lock product becomes available for free for life, 
I would strongly recommend that every American go get that 
product as well.
    Mrs. Wagner. I recently read comments from the Consumer 
Financial Protection Bureau (CFPB) Director Richard Cordray 
where he stated his intention to provide accountability 
concerning the data breach.
    As you know, the CFPB began supervising credit reporting 
agencies on behalf of consumers, I believe, in 2012, but not 
its cybersecurity systems, which has been left to the FTC. What 
interactions, sir, did you have with the CFPB prior to the 
breach regarding cybersecurity?
    Mr. Smith. Congresswoman, I can't recall--obviously, we 
have been in communication with the CFPB since they have been 
our regulator, and I personally have been involved in those 
    Mrs. Wagner. Prior to the breach, sir?
    Mr. Smith. I can't recall. I was not personally involved 
with the CFPB regarding cybersecurity myself.
    Mrs. Wagner. Wow. What interactions have you had with them 
since the breach then?
    Mr. Smith. I have not had interaction with the CFPB since 
the breach.
    Mrs. Wagner. Wow. Mr. Smith, I did want to take an 
opportunity to ask you some questions that I have been hearing 
from my constituents back home. Can you detail what categories 
of consumer information were accessed during the months-long 
    Mr. Smith. Yes, I will give that a shot. We try to be very 
clear in the series of press releases we have had in the past 
that the consumers' core credit file, which is their credit 
history with us, was not compromised. We talked about a 
database we have, where someone asked on small businesses, we 
have a database on small business; that was not compromised.
    Mrs. Wagner. What kind of personal identification 
information specifically?
    Mr. Smith. So, as we have disclosed in press releases, date 
of birth, name, Social Security number. I think there were 
200,000, 209,000 credit cards that were compromised. There is a 
document, Congresswoman, called a dispute document, where a 
consumer could dispute that they paid an obligation, take a 
picture of that, for example, upload that into the system. That 
was another example that was compromised.
    Mrs. Wagner. Let me ask you this, Mr. Smith, what sort of 
financial products, for instance, could be opened in my 
constituents' names if those pieces of data that you just 
named, for instance, were part of the breach?
    Mr. Smith. Congresswoman, if the consumer takes advantage 
of the free service and locks their file, no one has access to 
that file.
    Mrs. Wagner. I thought my file was locked before, after my 
tax returns were breached, when I reached all of you, so, 
again, my trust in the product is at an all-time low.
    I have several more questions. I will submit them for the 
    Mrs. Wagner. I thank the Chairman, and I yield back.
    Chairman Hensarling. The gentlelady yields back.
    The Chair now recognizes the gentleman from New York, Mr. 
    Mr. Meeks. Thank you, Mr. Chairman.
    Mr. Smith, I agree with the Ranking Member when she 
initially said, you know, I am here; I am going ask you 
questions, but I don't know. You know, you are unpaid. You say 
you are no longer really with the company. You are an unpaid 
adviser. I don't know what we are going to do with reference to 
the future. So I am here. I am going to ask you questions. I 
don't know whether--how long you are going to be advising them 
for free or whatever that deal is.
    But I know that, when a consumer has a problem, they can't 
just get out of it in the way that some kind of measly 
explanation or something of that nature and it is all over 
with. And you have an extra--or Equifax, your former employer, 
has a, because of the nature of the business in which they are 
in, they have a special responsibility in regards to cyber 
incidents. And I think that it is probably a problem--it is 
definitely, clearly, a problem with Equifax but probably a 
bigger problem across the board with all public companies.
    There was a PricewaterhouseCoopers survey that found 23 
percent of corporate directors did not discuss crisis planning 
with management and that 38 percent of directors did not 
discuss their management testing of these crises. And 
consistent with this data, it seems that Equifax's board and 
management failed to plan for this crisis, given the company's 
numerous gaffes, as you have admitted to. Equifax's failure to 
quickly respond to Homeland Security Department's warning, the 
company's delayed notification to the public, and the company's 
arbitration clause misstep, which you acknowledged today and 
yesterday at the hearing, are just a few examples of Equifax's 
lack of preparation.
    So what I am trying to find out then is, prior to this 
breach, did Equifax ever adopt a written breach response plan 
that included a formal process for notifying the public and 
regulators, or did Equifax merely formulate a cyber crisis plan 
post the breach?
    Second, prior to the breach, did Equifax ever test a crisis 
plan in anticipation of a cyber breach because you knew the 
significance of the data that you were here to protect?
    And, finally, if you say that there is, can you share with 
this committee the documents with evidence of Equifax's former 
cyber crisis response plan?
    Mr. Smith. Congressman, I understand your question, and, 
yes, we did have and do have written documentation on crisis 
management, including cyber, obviously being one of the top 
crises we could face as a company and have faced. So we can 
reach out to management, have them provide you that crisis 
management documentation. We will do that.
    Mr. Meeks. And now was there any--my other two questions, 
was there a written breach response as opposed to the plan of 
what you would do, something that you say, and did you test it, 
a crisis plan in anticipation of a breach so that if--like a 
fire drill, if something should happen, this is what we are 
going to do, have a plan, have you done that, was that done?
    Mr. Smith. Yes, Congressman, it has been done. The real-
life challenge is, when you look at the size of this breach and 
the fact that we offered it to every American that was a victim 
or not a victim, the sheer scale of trying to stand up the 
environment from a technology perspective, hire thousands of 
people that take weeks to train. You can't just hire 2,000 
people, 3,000 people, and expect them to be trained and 
impactful day one.
    As I mentioned in my oral testimony, the team has gotten 
better each and every day from a technological perspective in 
the web environment and from the call centers. But, again, I do 
apologize. You mentioned a few of the things where we made 
mistakes early on, but, yes, we do have and have practiced--
    Mr. Meeks. Let me disagree with you. For example, the kind 
of information that you were to protect, you have to make sure 
that each and every individual that you hire is prepared. It is 
like information that we have at the CIA or some other places, 
protected documents. They can't hire somebody and say: Oh, well 
we could take a chance and maybe they will learn while they are 
on the job, and if something happens, it will be OK, and we 
will just excuse it.
    You have got to be sure that you are putting individuals in 
and have a plan that is going to protect folks because of the 
nature of the information of which you are given and because of 
the numbers of people that are dependent upon you to protect 
their information.
    Mr. Smith. I understand your point.
    Mr. Pearce [presiding]. The gentleman's time has expired.
    The Chair now recognizes the gentleman from Wisconsin, Mr. 
    I would recognize the gentleman from Kentucky, Mr. Barr.
    Mr. Barr. Mr. Smith, a representative from your company, I 
think, put it well. He said: Americans expect their mortgages 
to be approved on time, their auto loan applications to be 
accepted while they are at the dealership, and the retail 
credit approved while they are at the counter. Disrupting the 
miracle of instant credit would hurt the economy.
    Can you assess for us the extent to which this breach and 
this painful experience for the American people, how this may 
very well disrupt that miracle of instant credit?
    Mr. Smith. Congressman, if we were to get to the point 
where we allowed consumers, for example, to opt out of the 
credit system, that would be devastating to the economy. If we 
don't allow consumers that ability to instantly lock and unlock 
at the point of underwriting, to your example, that could be 
devastating for the flow of credit in our economy.
    So the intent of the lifetime product that we are going to 
roll out January 31st gives that consumer the ability--gives 
them the security level that he or she deserves with the 
ability to instantly turn on and turn off access to the credit 
so that flow is uninterrupted.
    Mr. Barr. Can you tell me about credit freezes as a 
solution or maybe not the best solution to problems like this? 
And what we are talking about here is a consumer telling a 
credit bureau to not release a credit report unless the 
consumer contacts the bureau in advance to say otherwise.
    Mr. Smith. The credit freeze itself, Congressman, was 
something that was born out of regulation in 2003, put into law 
in 2004, and it is oftentimes confused with a credit lock. So 
if I may just spend a second and talk about both.
    A credit freeze, from a consumer's perspective, largely 
provides the same amount of protection as a credit lock would. 
However, States dictate different means of communicating 
between the consumer and the credit reporting agency that 
oftentimes can be cumbersome, require phone calls into call 
centers, can require mailing things back and forth. So that 
flow that you talked about, a flow of credit, can be disrupted.
    The idea of the lock is to make it far more user-friendly, 
where you can be on your smartphone and literally toggle on to 
unlock, toggle off to lock. It is far less cumbersome than the 
    Mr. Barr. So, as we look at data security, you talked about 
the many different State laws that you have to navigate. Tell 
us your view after this painful experience what you think would 
be a solution. Would a national uniform breach notification 
rule be better for the American consumer? That is what a lot of 
us are thinking in the aftermath of this breach.
    Mr. Smith. I have not given that much thought, Congressman, 
but I will.
    Mr. Barr. What about fraud alerts under the Fair Credit 
Reporting Act, are they sufficient?
    Mr. Smith. I think the most--they do add value. Fraud 
alerts do add value. Clearly, the monitoring of those alerts 
gives consumers peace of mind. I think the most significant 
step forward, Congressman, is this concept where consumers can 
control who accesses their credit data with a lock, and I think 
the next step forward there would be to not only have Equifax 
offer that solution, but imagine a consumer being able to lock 
and unlock for free-for-life access to all three credit 
reports, Experian's, TU's, and ours. That gives them the 
ultimate protection.
    Mr. Barr. You went over this a little bit about the steps 
that you took after learning of the breach and why it took a 
while for you to notify the American people about the breach, 
but why did it take so long? I think the average American would 
expect a more expeditious notification of the compromise of 
their personal identifiable information.
    Mr. Smith. Congressman, we were driven by a couple of 
thoughts. One was making sure we were as accurate as possible 
in who was impacted and who was not. And that just took time. 
As I alluded to in the oral testimony, that developed over the 
weeks of mid to late August.
    Number two, as I mentioned, Mandiant, the cyber forensic 
examiner, who is viewed as world class in what they do, had 
advised us to expect an increased frequency of cyber attacks, 
and we had to develop plans to make sure we were prepared for 
those attacks.
    Mr. Barr. My time is expiring. Can I just ask you if one of 
my constituents approaches me with a problem, will you commit 
to me to working with my office to help any of my constituents 
whose identification has been compromised?
    Mr. Smith. Congressman, I will ensure the company does 
    Mr. Barr. Thank you.
    I yield back.
    Chairman Hensarling [presiding]. The time of the gentleman 
has expired.
    The Chair wishes to alert all members that votes are 
currently taking place on the floor. The Chair intends to 
recognize one more member and then go into recess.
    The Chair now recognizes the gentleman from Massachusetts, 
Mr. Capuano, for 5 minutes.
    Mr. Capuano. Thank you, Mr. Chairman.
    Mr. Smith, I want to join my colleagues in saying I don't 
have a clue why somebody who doesn't work for the company is 
here. Is there anybody in the audience that you know of that 
currently works for Equifax and has the authority to change 
internal company policies? Is there anyone in the audience that 
you know of that has that ability?
    Mr. Smith. No, Congressman.
    Mr. Capuano. No. Well, this is great. Thank you for coming. 
I appreciate it very much. So, therefore, from this point 
forward, don't take it personal because I know you can't do 
anything about it, but I will use you because I am hoping that 
maybe one or two people back in the company are watching. Maybe 
not. Probably not because they don't care. But we will find 
    Is it fair and accurate to say that, at any given moment, 
Equifax has the financial records of approximately 200 million 
Americans? That is a rough number. Does that sound right?
    Mr. Smith. Congressman, if I may, there are 10,000 people 
back working at Equifax that do care.
    Mr. Capuano. Fine. Just answer my question. You can defend 
the company when they put you back on the payroll. Since you 
don't represent them, how would you know? So how many average 
    Mr. Smith. I spent 12 years there.
    Mr. Capuano. Say again?
    Mr. Smith. I spent 12 years there. That is how I know.
    Mr. Capuano. OK. We will get to that in a minute.
    Mr. Smith. But to answer your question, yes, it is over 200 
million U.S. consumers.
    Mr. Capuano. So 200 million. And your accuracy rate is 
about 95 percent. Is that--I read that--is that a fair number?
    Mr. Smith. How are you defining ``accuracy''?
    Mr. Capuano. No errors of significant numbers.
    Mr. Smith. You are referring to the credit file itself?
    Mr. Capuano. Yes.
    Mr. Smith. There was an independent study done a number of 
years ago. PERC did the study and found that if you defined an 
error as something that has a negative influence on a 
consumer's ability to get a loan, either yes goes to no, no 
goes to yes, interest rate goes up, over 99.9 percent--over 99 
    Mr. Capuano. Well, I used 95 percent because that is what I 
read, but the numbers will be close. So you have 200 million 
records. You get a 95 percent accuracy rate, which means a 5-
percent error rate, which means, at any given moment, there are 
10 million Americans who you have financial records on and you 
had 500 service reps. That is 20,000 customers with a problem 
that your company created per service rep.
    Now, you get 145 million--you are ramping up; you are going 
to hire, give or take, 3,000 service reps--145 million, that 
leaves 48,000 people with a problem you created--not you, your 
former company--created per service rep, 48,000. Do you think 
that is good?
    Mr. Smith. Two points of clarification. I disagree with 
your math, in all due respect. The math we have is 99 percent. 
Number two is most of the disputes--if you have an issue with 
your credit file, we have an online electronic--
    Mr. Capuano. Let's talk about that for a minute. Let's talk 
about--I am sure, since you were the CEO in 2014, you are 
familiar with the case of Miller v. Equifax?
    Mr. Smith. Vaguely.
    Mr. Capuano. You have heard of that case, I am sure.
    Mr. Smith. Vaguely, yes.
    Mr. Capuano. And that is a case where the judge found, we 
didn't find it--as a matter of fact, congratulations on that 
case because that case was actually determined that you didn't 
have to pay an $18 million penalty; you only had to pay a 
million and a half dollar penalty because that is the most the 
Constitution allowed, and the judge found that your actions 
were reprehensible. Those are her words, not mine. And it 
stated very clearly here that your own expert testified that it 
is Equifax's policy to investigate and correct files only after 
a lawsuit is filed, which is why I wanted to talk to somebody 
in the company to see if they are willing to change that, but 
since there is nobody here, I guess not.
    I just wondered, do you think that is OK? You thought--
apparently, you thought that was a good policy in 2014?
    Mr. Smith. Congressman, if a consumer has a dispute on 
something on his or her credit file, we take that seriously. 
They have the ability to communicate with us directly 
electronically or over the phone. We work with the furnisher, 
the banks, the--
    Mr. Capuano. In this particular case, you just ignored it. 
You didn't do anything about it, and the only reason there was 
a lawsuit is because two people with the same name of Miller, 
their records got combined, and you refused, after you were 
proven repeatedly for years, to do anything about it. And it 
happens all the time.
    Every one of us gets complaints from our constituents that 
your company--not just you; the other two are no different--
that your industry treats them like dirt. They can't get 
student loans. They can't get auto loans. They can't get ATM 
cards because you won't do anything by your own policies 
admitted by your own people who used to work for the company 
that says we don't do anything until you file a lawsuit.
    So, here, in my last 13 seconds, I am going to speak to 
America, and I am going to say for the 145 million people: File 
a lawsuit and maybe you will get some equity. Otherwise, they 
are going to keep doing to you what they have been doing to you 
    Chairman Hensarling. The time of the gentleman has expired.
    Votes are pending on the floor. The committee stands in 
    Chairman Hensarling. The committee will come to order.
    Without objection, I recognize the Ranking Member for 1 
    Ms. Waters. Thank you very much, Mr. Chairman.
    Pursuant to clause 2(j)(1) of rule XI and clause (d)(5) of 
rule III of the rules of this committee, I am submitting for 
your consideration a letter signed by all of the Democrats of 
the Financial Services Committee notifying you of our intent to 
hold a Democratic hearing, also known as a minority hearing, on 
the Equifax data breach. I look forward to working with you to 
determine the date, time, and location of such a hearing.
    Chairman Hensarling. The demand being properly supported by 
the majority and minority members, the additional hearing day 
will be scheduled with the concurrence of the Ranking Member, 
and members will receive notice once the new hearing day is 
    I now recognize the gentleman from California, Mr. Royce, 
Chairman of our Foreign Affairs Committee.
    Mr. Royce. Mr. Chairman, thank you.
    And I thank Mr. Smith for being here today.
    Now, since September the 7th, my office--I am sure all of 
these offices--have received a lot of angry and anxious phone 
calls and emails by our constituents. I think one of the things 
that really stands out is, how could a company that deals in 
data not protect that data?
    I think the answer lies in what your company did not do. 
You did not protect their personal information. You did not 
encrypt that data. You did not patch a vulnerability that you 
were alerted to on March the 8th. You did not disclose the 
breach to the public until 117 days after it occurred. And 
then, on top of it, the insider trading allegations only add 
fuel to that fire.
    So let me turn to my questions. Before September 7, who 
else outside the company and your hired legal counsel and the 
FBI, who else was made aware of the breach? Was the FTC 
    Mr. Smith. Congressman, at the appropriate time, all 
outside constituents were notified, including the FTC.
    Mr. Royce. Well, let me ask you this, Mr. Smith: According 
to media reports, LifeLock executive Fran Rosch was notified 
before the hack actually became public. According to that 
individual, he got a call while vacationing in Maine. And I 
just ask, are you aware of this? Do you know who called Mr. 
Rosch to give him the heads-up?
    Mr. Smith. No, sir, I am not aware of that.
    Mr. Royce. Well, according to Bloomberg, armed with 
information only a handful of people had at the time, Mr. Rosch 
mobilized the rapid response team. He knew the company would 
receive an onslaught of calls and signups in the coming days, 
and I will quote from Bloomberg: He was right. In fact, the 
phones were ringing off the hook. He bragged that it was bigger 
than the Anthem breach, bigger than anything they had ever seen 
before, a tenfold increase in LifeLock customers.
    And here's the kicker. Quote from him: ``Most are paying 
the full price rather than discounts,''--I think that means 
most were paying $30 instead of $10--``it is a really 
incredible response from the market,'' unquote.
    I will tell you what is incredible here: That actually your 
company profited off the relationship with LifeLock, which is a 
company to which you provide credit monitoring services. Here 
is the point I would like to make: LifeLock gets this heads-up. 
Did Credit Karma or Intersections or the other competitors, did 
they get similar notice, that you are aware?
    Mr. Smith. Again, Congressman, I am unaware of the LifeLock 
discussion, let alone anyone else.
    Mr. Royce. Well, it is fair to say I think that LifeLock 
benefited from both the breach and the foreknowledge of it. 
LifeLock's parent company, Symantec, has seen its stock rise by 
more than 10 percent since the breach was made public.
    Mr. Smith, do you or any current executives at Equifax own 
stock in Symantec?
    Mr. Smith. I do not, sir.
    Mr. Royce. Well, what I would like to know is, if you could 
provide a list of any executives who do, because someone 
notified them in advance. Someone in the company gave them a 
heads-up so that they had an opportunity to get the phone banks 
ready and in advance of anybody else start calling about their 
service and at a price $29.99 instead of the $9.99 discount 
that obviously was of great benefit to that company. Somebody 
tipped them off on the inside, and I think it would behoove 
Equifax to find out who that is. And if you could start by 
finding out which executives own stock, that might help us get 
to that answer.
    Mr. Smith. Congressman, your source was Bloomberg. Is that 
    Mr. Royce. That is correct.
    Mr. Smith. We will look into that.
    Mr. Royce. Very good. I appreciate it.
    Yesterday, in the Senate, the question was asked if we had 
seen any evidence--
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from Georgia, Mr. 
    Mr. Scott. Thank you very much, Mr. Chairman. Good to have 
you, Chairman.
    First of all, I want to make a couple of points very clear. 
I represent the great State of Georgia. I love Georgia. When 
this news first came to me, my staff reported it, I immediately 
wanted to do all I could to make sure that we would be able to 
make sure that Equifax would be standing tall, that they would 
be clean. That is my objective as the Congressman from Georgia 
because, as you said, you represent a legacy of our great 
State. You are a 128-year-old company. You employ 30,000 
people, many of whom are my constituents, many of whom who work 
and toil in the vineyards at your company, and they are great 
people doing a great job.
    It is important for the American people to know that what 
we have before us is a despicable, a shameful situation for 145 
million American citizens to lose the privacy of their Social 
Security numbers and all of that, but let it be known that it 
is the top management--it is you--who is responsible for this.
    Now, what I want to do is to be at the front of this spear, 
to make sure that Equifax regains the confidence and trust of 
the American people. So my comments here to you, Mr. CEO, are 
going to be geared to that.
    First of all, I want to call, Mr. Chairman, and be the 
first one to call for an investigation by the Justice 
Department, by the CFPB, and certainly by the SEC. Now, Mr. 
Smith, you are leaving this company, but there are others who 
are going to be there, and we have to make sure that Equifax 
comes out clean and standing tall.
    Now, what disturbs me perhaps more than anything was the 
timeline. You said that you became knowledgeable about this 
breach on July the 31st, but here is what happened: On August 
1st, your executives sold $2 million worth of stock. And not 
only that, Mr. CEO, former CEO, it was your chief financial 
officer who led that charge to sell that stock. Now, nobody is 
going to tell me you are getting information on July 31st and 
here they go dumping their stock less than 24 hours later. That 
has to be investigated and cleared if we are going to get the 
confidence of the American people back. So it is this insider 
trading; anybody can see that. And I am sure and I hope that 
your successor--the guy who is going to be taking your place, I 
hope he is listening. That would be the first thing.
    And then the second thing, we need to make sure that these 
guys who sold that stock, who made $653,000 in savings from 
that stock with that inside information, that they pay that 
money back and that they are fired. 143 million people losing 
this is no justification. We have got to make sure and you have 
got to make sure that we clean this mess up.
    Now, I want to talk about the other way in which we can do 
this. You mentioned numerous times that it wasn't the intent of 
Equifax to include the arbitration piece. Well, now some have 
it; some don't. That is the next thing that needs to be done. 
No more of this arbitration clause. When you do things like 
that, the public will take notice. Our job is to clean this 
mess up and make sure we bring Equifax back standing tall. We 
owe that to the American people.
    Now, the other thing that I would like finally is my staff 
informed me that most mortgage lenders pull all three reports 
from the big three credit reporting agencies: Equifax, 
TransUnion, and Experian. So, when you talk about this new free 
lifetime lock product, it is not going to be effective unless 
everybody does it.
    I wish I had more time, but we are going to clean this mess 
up, and we are going to restore the integrity and trust of the 
American people.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from Illinois, Mr. 
    Mr. Hultgren. Thank you, Mr. Chairman.
    I know most of us have been hearing from our constituents. 
I certainly have. Marty from Wauconda, Illinois, wrote me, 
said: Equifax has jeopardized my private information, which I 
never gave them. Why should I have to do all of the work to 
monitor my credit? They should have done it for me or pay me to 
do all this of signing up and freezing my credit reports. They 
should pay me for my time. Should someone go to jail for this? 
Do you agree?
    James from Spring Grove said: This company, Equifax's 
careless actions have caused the loss of personal information 
on a scale never seen before, not due to some new or 
sophisticated hacking technique, but because they failed to 
patch their servers for a known problem. Combined with the 
careless handling of highly sensitive personal information and 
the likely criminal sales of stocks prior to reporting the 
breach, their action went far beyond carelessness to 
negligence. Legislation should be put forward to increase 
regulations on these entities, not decreased legislation that 
is proposed. Equifax must be held accountable and liable for 
all damage caused by their breach, and all credit reporting 
firms must be held to much higher standards of information 
    John from Auburn said: In the last 6 months, my private 
personal information has been lost twice, once by Home Point 
Financial, my mortgage company, and then again by Equifax. Both 
companies are offering a limited subscription to identity 
protection companies. HPF is offering a free year's 
subscription to protect my ID owned by Experian. Equifax is 
offering a 1-year member to TrustedID Premier, an Equifax 
subsidiary, which they acquired in 2013. Seems like a twisted 
marketing campaign to me, he said. Home Point Financial claims 
to have lost Social Security numbers, birth dates, driver's 
license numbers. Many of these lost numbers cannot be changed. 
What good is a 1-year membership? This data is lost and 
valuable until I pass away. Is it ethical that a company that 
loses all my personal data also conveniently owns a service 
that sells a product and wants me to pay to help protect me 
from its eventual use? It is time that all these companies are 
held liable and forced to offer lifetime memberships. Please 
help us, all of us. This is out of control.
    Many other constituents, again concerned, talked with 
parents of young people whose information has been compromised.
    Mr. Smith, when this committee sends questions for the 
record, of which there will be many, will the response to our 
questions come from you or from Equifax?
    Mr. Smith. They will come from the company, Congressman.
    Mr. Hultgren. And how should we respond in getting those 
answers from Equifax?
    Mr. Smith. I will make sure someone from the company 
reaches out to your staff.
    Mr. Hultgren. That would be great.
    Equifax has been investigating the breach now for over 2 
months. Has the identity of the hackers been determined?
    Mr. Smith. No, Congressman, it has not. As you know, we are 
engaged with the FBI, and the FBI is running that investigation 
for us.
    Mr. Hultgren. Do you have an opinion of whether it will 
eventually be determined who did it?
    Mr. Smith. I do not.
    Mr. Hultgren. Did outside data security consultants tell 
Equifax it should delay notifying the public, and if so, why, 
when, and for how long? What changed that allowed Equifax to 
notify the public in September?
    Mr. Smith. Again, it was trying to balance--it was a team 
effort, and it relied upon the input from our outside forensic 
examiner, a global law firm that we talked about, and our team. 
It was trying to balance accuracy, clarity, transparency with 
the urgency of contacting the consumers.
    Mr. Hultgren. Was an event like this in the scope and scale 
contemplated by your security staff in a preventable sense? Did 
a playbook exist for responding to a material breach of 
Equifax's PII database?
    Mr. Smith. Yes. There was a crisis management process that 
we have had in place for quite some time, and a data breach is 
one of the crisis examples that we practice routinely.
    Mr. Hultgren. It just doesn't appear like you were ready 
for it, and that is our question, of the incredible delays. You 
have heard from my constituents. This is just a small sampling 
of incredible frustration, fear that their information has been 
compromised, and they don't know if it is ever going to change. 
Echoing what one of them said, this is information you can't go 
back and change. You can't go back and get a new birth date or 
a new Social Security number.
    If Equifax had wished to notify the public within let's say 
1 week of discovering the breach, would it have been capable of 
doing so? Could it have had both the resources and the plan in 
place to do so? Why or why not?
    Mr. Smith. Congressman, we moved with haste. As I mentioned 
in my oral testimony and the written testimony, it wasn't until 
late August that we got a sense for the size and scope of the 
breach, and even that was continuing to move. We moved as 
quickly as possible thereafter.
    Mr. Hultgren. Has there been any uptick in identity theft 
or fraud since the breach?
    Mr. Smith. Not that I am aware of.
    Mr. Hultgren. Would you expect something like that to 
occur, and why might there not be an uptick yet?
    Mr. Smith. If consumers take advantage of the services that 
we are offering, Congressman, to lock their file, that will 
give them great protection.
    Mr. Hultgren. Obviously, there is a concern when still 
those kinds of same entities are involved.
    My time has expired. I yield back.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from Illinois, Mr. 
    Mr. Foster. Thank you, Mr. Chairman.
    What I would like to talk about are things that Congress 
should have done or can do at this point that would have 
prevented this. And, what that means is that you would have 
needed a team of really smart highly motivated people looking 
every day for any security flaw, which you obviously did not 
have in place.
    And one way to make that happen is by making it a 
requirement that you actually carry enough insurance to make 
customers whole when this thing happens. It is my understanding 
that statutory damages for a breach like this are roughly 
$1,000 per person, which means that the total potential 
liability for 140 million people is $140 billion, more than 10 
times the market capitalization of Equifax. You clearly can 
never self-insure, or at least a company with your business 
model could never self-insure.
    On the other hand, some of these have settled for a lot 
more--a lot less, just a few dollars per person for some data 
breach instances. So it is not clear what it should be.
    My first question is, what would you personally for 
yourself or one of your family want as remuneration for having 
your private information up for sale on the dark web?
    Mr. Smith. Congressman, the suite of services we are 
providing for free in some cases--
    Mr. Foster. No. I am saying if I came up to you and said, 
``I want to publish your information on the dark web,'' would 
you do it for $1,000, personally, just personally or on behalf 
of members of your family?
    Mr. Smith. No, sir.
    Mr. Foster. No, you would not. OK. $10,000? $100,000? 
Everyone has that number, but it is well north of a few dollars 
per person. OK. But that is sort of what is happening. Without 
even having a negotiation, we are having this pain inflicted on 
    Let's just stick with the $1,000 a person, just the 
statutory number on there. Oh, plus punitive damages. And so, 
now, if Congress were to require that any company like yours 
that held information for people without asking them 
necessarily to opt in, that you had a requirement that you 
would hold enough insurance to make them whole if there was a 
massive data breach, that would be a very expensive insurance 
policy, correct? Right?
    Now, you indicated earlier that you had not disclosed how 
much insurance against data breach you are actually carrying. 
Is that correct? And you don't intend to tell us that?
    Mr. Smith. That is correct.
    Mr. Foster. That is correct. OK. Is it fair to say that it 
is not enough to cover $140 billion, $1,000-per-customer type 
liability? Is it less than that? Are you comfortable saying 
    Mr. Smith. Yes, it is less than that.
    Mr. Foster. OK. And so it is likely that many customers may 
end up getting less than they think really their actual damages 
    Have you thought through, say, how much per hour the 
average customer would charge someone to just sit on hold 
waiting to try to get attention to getting their credit 
    Mr. Smith. Remember, Congressman, one of the offers we have 
to consumers is an insurance policy. You are aware of that? We 
offer five different services for free. One is, if a consumer 
has lost expenses in trying to get their credit repaired, 
trying to take time off of work, up to a million dollars.
    Mr. Foster. OK. But I am trying to understand under what 
conditions you would have assembled a team, either yourself or 
an insurance carrier, assembled a team that would have 
prevented this. If you would have tens of billions of dollars 
of coverage on this, I imagine that would have funded a very 
aggressive team of people who would, every time a patch came 
out, they would say, oh, boy, let's go and try to figure out if 
you have applied that patch. And they would be looking at your 
source code for everything that an insurance company that was 
offering that kind of coverage would demand. And I was 
wondering if you think there is a possible way that we can 
actually prevent this in the future.
    Mr. Smith. Congressman, we have notifications routinely 
every year for patches. This is a very unfortunate mistake. I 
mentioned the mistake; I apologized for it. The insurance 
approach is not the solution. It is preventing the human error 
and the technological error that occurred.
    Mr. Foster. But there will always be human errors, and what 
you need is a red team who sits there and looks for human 
errors and flags them immediately. And this has to be a very 
expert team. Nothing short of that is going to rapidly catch 
the kind of human errors that will naturally happen. So, 
anyway, this is one of the things I am looking at, because it 
is the only free market solution that I think has a chance of 
preventing this in the future. Thank you.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from Colorado, Mr. 
    Mr. Tipton. Thank you, Mr. Chairman.
    Mr. Smith, I appreciate you being here. I did want to 
follow up on some previous questions that I had heard. The 
question was around whether or not you had protocols in place 
to be able to actually address whether or not the information 
was being reported properly internally, but then also to the 
government entities that are responsible for oversight.
    And I did not hear you respond to the answer whether or not 
you have written protocols in place to be able to have a 
timeline to be able to make sure that the governing bodies 
overseeing you are notified in a timely manner. Would you 
address that?
    Mr. Smith. Yes, Congressman. Thank you for that question. 
Yes, there were protocols in place. The protocols started with 
when the security individual saw suspicious activity. Protocol 
No. 1, he or she shut down the particular portal, started the 
internal investigation, followed by the traditional protocol 
that they followed, which is to notify and engage outside cyber 
forensic auditor Mandiant, engage outside counsel to help us 
with the investigation, and then protocols followed throughout 
all the way to the time of notifying the regulators, AGs, and 
the consumers.
    Mr. Tipton. Looking forward, to try and be a little more 
solutions-oriented--I understand and appreciate the comments 
that you have made regretting what took place--are there 
protocols, are there actions that this Congress might be 
taking, in terms of some of the regulatory bodies, to be able 
to incentivize earlier action, earlier notification, not only 
to the governing bodies but also to the consumers as well that 
we ought to be looking at?
    Mr. Smith. Congressman, the one thing I mentioned before I 
would love to see both Congress and companies tackle is the 
concept of, is there a better way to identify consumers in 
America other than SSN? It is unfortunate the number of 
breaches that have occurred over the years has exposed so many 
SSNs that we are all vulnerable to that. So I would love to see 
us engage in that discussion.
    Mr. Tipton. Well, in terms of internally, there are some 
independent--I believe The Wall Street Journal had noted 
independent groups that analyzed the vulnerability of you, of 
Equifax, in terms of what you are going to be dealing with.
    Do you look at that sort of analysis, and who is 
responsible for identifying that and taking it seriously, to 
see that patches aren't needed, but we are being proactive to 
make sure that the breaches do not take place?
    Mr. Smith. Yes. We routinely bring in outside consultants, 
advisers to help us check, double-check, rethink tactical steps 
we can take as we have taken since the breach as well as long-
term strategical steps we can take to make sure we are more 
    Mr. Tipton. Great. Thank you.
    Mr. Chairman, those are the questions that I had. I yield 
    Chairman Hensarling. The gentleman yields back.
    The Chair now recognizes the gentleman from Maryland, Mr. 
    Mr. Delaney. Thank you, Mr. Chairman.
    Thank you, Mr. Smith, for being with us here today.
    I have a couple of questions about how you interacted or 
how your board interacted around this matter generally. So it 
says in your testimony that you became aware of the information 
on August 11, but that you notified the lead member of the 
board of directors, Mark Feidler, on August 22. Did you have 
any conversations with other board members before that?
    Mr. Smith. Let me clarify, if I may. The first debriefing I 
had of any significance was on the 17th of August. That 
included Mandiant.
    Mr. Delaney. Got it. Sorry. But between the 17th and the 
22nd, did you speak to any other board members?
    Mr. Smith. On the 22nd of August was the first discussion 
with the lead director.
    Mr. Delaney. What about other board members?
    Mr. Smith. The 24th and 25th, we had two board meetings 
where the entire board was updated.
    Mr. Delaney. Is it normal to wait this long to convene your 
board when a matter of this scale has occurred?
    Mr. Smith. The data was fluid, moving, developing each and 
every day, and I felt that was an appropriate timeline.
    Mr. Delaney. Under the Sarbanes-Oxley requirements for 
public companies as it relates to their internal controls, was 
cybersecurity or data breaches ever considered as part of the 
board of directors and the audit committee?
    Mr. Smith. In what way?
    Mr. Delaney. Well, I ran two public companies, and I used 
to have to sit down with my management team and get 
certificates where they would assure me that things were being 
done in accordance with our procedures. And then the audit 
committee would review these things so that they could do their 
job under the requirements of the law.
    So, in that process, I assume you engaged in a similar 
process at your company.
    Mr. Smith. We had two ways to engage as it relates to 
security with the board of directors. One was at the entire 
board level routinely through a device we call ERM, enterprise 
risk management. At the top of that list was cybersecurity. 
Also go through deep dives with the board of directors on 
security risks.
    The second means of communicating with the board was 
through a committee we have called the Technology Committee. 
The Technology Committee is comprised of individuals, some of 
which have a deep understanding of security. They would go into 
details of our security efforts as well.
    Mr. Delaney. If you were to put the board's time in a pie 
chart representing 100 percent of the time they spent on 
matters related to the company, what percentage of their time 
would you say was spent on thinking about cybersecurity risk 
and data breaches?
    Mr. Smith. I would be guessing if I were to make that--take 
a stab at that.
    Mr. Delaney. Did you regularly have full discussions around 
the board table about this potential risk? You identify it as a 
risk factor in your financial statements--I mean, in your 10K.
    Mr. Smith. Absolutely.
    Mr. Delaney. So would you say 5 percent, 10 percent, 15 
percent, 1 percent?
    Mr. Smith. Congressman--
    Mr. Delaney. You chaired the board so you have a sense as 
to what occurred in the board meeting. I assume you set the 
agenda. So, on the agenda, was there a regular item about 
cybersecurity or data breaches in every board meeting?
    Mr. Smith. Not in every board meeting, but routinely 
throughout the year, through committee meetings and through 
board meetings, the board was apprised.
    Mr. Delaney. Which committees had responsibility for this? 
The Audit Committee?
    Mr. Smith. As I just mentioned, the Technology Committee.
    Mr. Delaney. The technology. So the Audit Committee didn't.
    Mr. Smith. The Audit Committee would have purview as well. 
The entire board would have a view. But the Technology 
Committee--we are a technology company--
    Mr. Delaney. Right.
    Mr. Smith. --was responsible for oversight of security and 
technology at the board level.
    Mr. Delaney. Would the technology company make a 
presentation at every board meeting?
    Mr. Smith. Yes.
    Mr. Delaney. Were there discussions about the technology 
budget at the board level, about whether it was adequate in the 
area of cybersecurity?
    Mr. Smith. The Technology Committee, Congressman, would 
approve the technology budget every year.
    Mr. Delaney. Got it. And they bring it to the board for 
approval, or they just do it at the committee level?
    Mr. Smith. Yes.
    Mr. Delaney. In your opinion, how mindful was the board 
before this event occurred as to the likelihood of a risk like 
    Mr. Smith. Very mindful.
    Mr. Delaney. So you would say that your board spent 
considerable time trying to get to the bottom of--
    Mr. Smith. The board understands, Congressman--it is a data 
company, to your point--that data security is the number one 
risk we have and took that very seriously.
    Mr. Delaney. And as part of the disclosure statements that 
you received as a CEO, where your direct reports would certify 
that things were being done correctly, did one of those 
certificates include some mention of the cyber risk and the 
data breach, the potential for data breach and assurances that 
the systems were in place?
    Mr. Smith. We disclose in every K and every Q that security 
is a risk and one risk we face.
    Mr. Delaney. Got it. Got it. And have you had other 
significant events in the company where you notified your board 
of these problems the day they happened?
    Mr. Smith. Have we ever notified the board of a security 
risk in the past?
    Mr. Delaney. So let's say you had analyst expectations as 
to your earnings and realized during the quarter you were going 
to miss them, would you call the board, your lead director that 
day and notify them, or would you wait 4 or 5 days?
    Mr. Smith. If there were risks to our financials to a 
particular quarter, we would notify the board.
    Mr. Delaney. Sooner than 5 days?
    Mr. Smith. We have never had to do that in my time there.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from North Carolina, 
Mr. Pittenger.
    Mr. Pittenger. Thank you, Mr. Chairman.
    Mr. Smith, we are addressing a very egregious concern in 
our country. Obviously, we have major threats, national 
security threats affecting our financial systems, our 
infrastructure, our government. The private sector spends 
hundreds of millions of dollars every year regarding 
cybersecurity measures, as well as energy companies and other 
    Today, we are aware that not just the 143 million 
consumers' personal information was exploited, but in addition, 
there are now another 2-1/2 million people that have been 
affected by this initial account. Can you assure us that the 2-
1/2 million are the last Americans whose data has been 
    Mr. Smith. Congressman, can you repeat that last part of 
your question? I missed that.
    Mr. Pittenger. Can you assure that the 2-1/2 million 
additional people who have been reported that their data has 
been compromised, is that the last?
    Mr. Smith. I am sorry. I missed that.
    Yes, it is my understanding from Mandiant, the forensic 
experts, that, one, movement from the time you announce to the 
final conclusion is not unusual.
    And number two is, while I have not had a chance to read 
the press release myself, it is my understanding that, on 
Monday, when it came out from the company, it said that the 
forensic review is, in fact, complete.
    Mr. Pittenger. Yes, sir. Prior to the security breach, did 
Equifax, in your opinion, have preventive measures in place to 
combat a data breach of this magnitude?
    Mr. Smith. Well, obviously, a breach of this magnitude 
would not have occurred if everything was in place.
    Mr. Pittenger. Elaborate with us on additional measures 
that you believe could be put in place at this time.
    Mr. Smith. Congressman, many have. From the time of the 
announcement, actually before the announcement, we engaged 
experts to help us increase monitoring, penetration techniques, 
what they call white-labeling of IP addresses. A variety of 
things were put in place before the announcement on September 
7. Those continue. We had 30-day plans, 60-day plans, 90-day 
plans. And as I was getting ready to step aside, we engaged a 
topnotch consulting firm to help us rethink our entire strategy 
for security.
    Mr. Pittenger. Do you actively engage in testing these 
databases for vulnerabilities?
    Mr. Smith. Yes, we do.
    Mr. Pittenger. Do you use third party, or do you do this 
    Mr. Smith. As I was just mentioning, we do both.
    Mr. Pittenger. OK. Could you please explain the process or 
standards by which Equifax has stored consumers' personal 
    Mr. Smith. Could you say that again, please?
    Mr. Pittenger. I would like you to explain the process or 
the standards by which Equifax has stored consumers' personal 
    Mr. Smith. Standards. I would say there are a variety of 
techniques used, from a security perspective. There are layers 
of security techniques we use. There is--I think it was 
mentioned or asked earlier.
    Mr. Pittenger. Is there an encryption procedure in place?
    Mr. Smith. That is where I was going. There is encryption. 
There is tokenization. There is masking. There are layers and 
different ways to secure that data.
    Mr. Pittenger. Do you feel like that there was adequate 
encryption in place? Could you have done more to prevent what 
    Mr. Smith. If we could have prevented the human error, if 
we could have prevented the scanner from not finding this, that 
would have stopped this issue, yes.
    Mr. Pittenger. So there was a thorough encryption process 
in place, in your opinion?
    Mr. Smith. Again, there are different techniques used in 
different areas, and encryption is only one of them.
    Mr. Pittenger. Moving forward, how do you and the rest of 
the leadership at Equifax plan to regain the trust of our 
    Mr. Smith. By making it right for the consumers.
    Mr. Pittenger. Well, I thank you for coming. This no doubt 
is probably the hardest time in your life, but it is a much 
harder time for the American people whose data was exploited, 
and we are here on their behalf.
    Mr. Smith. I agree. Thank you.
    Mr. Pittenger. I yield my time.
    Chairman Hensarling. The gentleman yields back.
    The Chair now recognizes the gentleman from Missouri, Mr. 
Clay, for 5 minutes.
    Mr. Clay. Thank you, Mr. Chairman.
    And, Mr. Smith, thank you for being here. More than 2-1/2 
million Missourians had their information exposed in the 
Equifax breach, and they will likely be impacted by it for 
years to come.
    Can you share with this committee and the American public 
what types of activity that these people can expect whose 
identity has been compromised and tell them what kind of 
activity they can expect from the thieves that took their 
personal information? Because most Americans have never had 
identity theft occur to them. Can you give us some examples of 
what they can expect over the next year?
    Mr. Smith. Congressman, I would answer that two ways. One, 
we have offered a comprehensive suite of services free to all 
Americans to protect their identity, to your point. That is 
those five different things we talked about earlier. The 
important point there is I have offered that--or we have 
offered that to every American.
    So, regardless of them being impacted by our breach or 
not--they could have been impacted by the OPM breach. They 
could have been impacted by the Anthem breach, Home Depot. We 
are covering all Americans with a suite of products.
    Mr. Clay. But describe for this committee and the American 
public the hellish nightmare they are about to go through when 
they find out that the IRS, that someone has filed taxes in 
their name to get a refund by the IRS, or that someone has 
gotten a credit card in their name.
    Mr. Smith. So, Congressman, one of the products we are 
offering, as we talked about, is the lock. If a consumer takes 
that lock, locks access to their file, no one can open up a 
credit card in his or her name, as an example.
    Mr. Clay. Equifax has offered consumers a year free of 
credit monitoring services, free credit freezes now, and a 
promise to provide a better product in several months described 
as, quote, ``lock,'' unquote on consumers' credit reports.
    At an Energy and Commerce Committee hearing held earlier 
this week, you stated that credit freezes and credit locks are, 
quote, ``virtually, if not exactly, the same,'' end quote. If 
the protections these products afford to consumers are the 
same, what is the need for the new term?
    Mr. Smith. Congressman, lock was introduced through 
regulation in 2003 and 2004. What I was referring to in the 
quote you mentioned is the protection to the consumer is 
largely the same. The difference is the ability to freeze and 
unfreeze can be very cumbersome and is dictated at the State 
level. The lock product coming out in January 2018 will be very 
user-friendly. A consumer can lock and unlock from their 
iPhone. That is the difference.
    Mr. Clay. OK. So, because security freezes are covered by 
State law, if something goes wrong, for example, if credit 
accounts are fraudulently accessed, will consumers be protected 
from financial liability?
    Mr. Smith. Congressman, again, locking or freezing protects 
the consumer from someone accessing their credit file to access 
credit, to rent an apartment. It is a secure way to protect 
their credit file.
    Mr. Clay. OK. Yes, but I am talking about the activity that 
occurs when they are compromised, when their identity is 
compromised. What kind of comfort can you give these people? 
Can you tell them anything, that your company will work with 
them to resolve this or what?
    Mr. Smith. Yes. Again, we are working with consumers 
impacted and not impacted. We are offering five different 
products today for free, followed by the lifetime ability to 
lock and unlock your file for free. That should give them 
comfort, an ability to stop people from opening and accessing 
their credit file.
    Mr. Clay. OK. Do you agree that steering consumers into a 
product that is covered by a contractual agreement with your 
company when the product you say is the same that is already 
covered by many State laws raises some concerns?
    Mr. Smith. No, sir, I do not. The freeze is still our 
product. The way a consumer gets access to freezing and 
unfreezing is set by State law.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentlelady from Utah, Mrs. 
    Mrs. Love. Thank you.
    Estimates are that about 60 percent of adults, U.S. 
population, is affected by the breach. If you extrapolate the 
information to Utah, that is about 1.43 million Utahns that are 
potentially affected.
    So my question is, what sort of financial products could be 
opened in my constituents' names if their data was part of the 
    Mr. Smith. Congresswoman, two things: One, if you are 
interested, we have the data of those that were a victim of the 
criminal hack by State level. If that would be interesting to 
you, we can get that to your staff.
    Mrs. Love. I would love that. That would be great. But I am 
still asking what type--if they were affected, what type of 
products could be opened in their names?
    Mr. Smith. Well, if they signed up for, as many, many have 
since the breach, with the lock product, the ability to lock 
their file so no one can access it, so no one can open a credit 
card, get a car loan, get a home equity loan, get a mortgage, 
the lock prevents that from happening.
    Mrs. Love. So, if they didn't get a lock and they are 
still--if they didn't get a lock, so that means credit cards 
could be opened in their name, other things could be opened. I 
just want to get a list of things that they need to look out 
    Mr. Smith. We monitor. We are offering a monitoring service 
as well. So, if you are a victim of the criminal attack, we 
will send you notifications if there is suspicious activity on 
your file.
    Mrs. Love. Have there been any upticks in identity theft or 
fraud since the breach?
    Mr. Smith. It was asked earlier. Not that I am aware of, 
    Mrs. Love. Not that you are aware of, OK.
    Mr. Smith. You mean since the breach?
    Mrs. Love. Yes.
    Mr. Smith. Yes, not that I am aware of.
    Mrs. Love. How would you know? How do you know?
    Mr. Smith. We have fraudulent flags on files.
    Mrs. Love. OK. And when would you expect to see an uptick? 
Because usually some of these things take time. So, if there 
were to be some upticks, when would you expect to see some of 
    Mr. Smith. It depends. There are some out there that say 
that the Social Security numbers, which is the piece of the PII 
that we focus the most on here, have been out in the public 
domain hacked in the past for quite some time.
    Mrs. Love. OK. So, for my constituents that were impacted, 
how long should they expect to remain concerned about the 
potential impact on their credit files or identity?
    Mr. Smith. They should always be vigilant and looking at 
the monitoring products that we offer. And, again, I go back, 
the first thing they should do is lock their file. If they lock 
their file, they are going to rest better.
    Mrs. Love. OK. So, in terms of--I am trying to--what I am 
trying to do is to give a clear vision to people who are 
watching what they need to do. I understand locking their file, 
and some people who are watching that today can do that. But in 
the meantime, I need to give them things to look out for, what 
to look out for either before they do that or, over the years 
what they need to be aware of.
    Mr. Smith. Maybe I will try to answer it this way: If the 
consumers in Utah or anywhere in America take advantage of the 
free service, whether you are a victim or not, of the five 
offerings we have--one is monitoring of all three credit 
bureaus' files. That is the first thing they should do. We do 
that for them for free. The second thing is access your credit 
file through us to look at it for suspicious activity. Three is 
we offer a dark web scanning service. We go out there for you 
and scan the dark web for activity. Four is we have the ability 
to lock the product for free. And there is a fifth one. I 
forget what the fifth one is.
    Those five products should give the U.S. consumer, the Utah 
consumer far more comfort, followed by January of next year the 
lifetime lock.
    Mrs. Love. So can you explain, and I may have missed this, 
can you explain the difference between a credit lock and a 
credit freeze?
    Mr. Smith. Yes. The credit freeze was enacted as part of 
FACTA back in 2003, passed into law at the State level. Each 
individual State passed it into law 2005--2004. The difference 
is the ability and the means by which a consumer communicates 
to us, TransUnion, and Experian, versus the lock, which will be 
an application enabled on and off, much more user-friendly, 
much quicker for the consumer.
    Mrs. Love. OK. And I just want to reiterate one more thing 
that was brought up by the Ranking Member, that you are 
committing to work with people who may have been or have been 
affected or may have had their identity taken and used for 
their lifetime?
    Mr. Smith. Yes. We are offering every citizen, American 
citizen a lifetime lock, the ability to lock and unlock for 
    Mrs. Love. OK. Thank you. I yield back.
    Chairman Hensarling. The gentlelady yields back.
    The Chair now recognizes the gentleman from New Jersey, Mr. 
    Mr. Gottheimer. Thank you, Mr. Chairman.
    And, Mr. Smith, thank you for being here today.
    As a former Microsoft executive, I have an appreciation for 
corporate integrity and where the buck stops. I get that issues 
come up all the time. It is how you handle them, of course, 
when they do come up.
    And it seems to me your response has been more of an 
Equiscam than an Equifix on too many of these accounts that 
have been brought up today. And if you are going to take 4 to 5 
weeks to tell consumers what happened, I just don't understand 
where the gap was in terms of putting information together so 
that you can respond well.
    One, and if you can help me here, out of the 145 million 
consumers impacted, only 7.5 million have signed up for 
monitoring services is my understanding. Why do you think only 
10 percent have, and why not just auto-opt everyone in since 
you have their information?
    Mr. Smith. It is illegal. It requires the consent of the 
    Mr. Gottheimer. Can you reach out--since you know their 
addresses and information and many of their emails, since, 
obviously, we know that you have them, why not reach out to 
them and send them a letter and say, ``Would you be interested 
in this''?
    Mr. Smith. I may have mentioned in my oral testimony, 
Congressman, that the awareness is at record highs for 
breaches. Over 400 million consumers have come to visit. They 
    Mr. Gottheimer. Couldn't you send out or would you be 
against sending a letter to them to give them information so 
they know, so hopefully we can get more people signed up?
    Mr. Smith. Again, I think they do know.
    Mr. Gottheimer. I am sorry, is that a no, you are not 
willing to do that?
    Mr. Smith. I was going to answer.
    Mr. Gottheimer. Please.
    Mr. Smith. So we sent the press release out to notify. We 
set up the website. Phone numbers. We followed State law where 
that was required for local advertisement to create the 
    The 2.5 million that was mentioned earlier that the company 
released of additional victims of this crime, on Monday, those 
individuals, because of the fear of false positives, were 
notified via email or will be notified via email.
    Mr. Gottheimer. So the rest, the 143 or 144 million plus, 
you will not be willing to reach out to?
    Mr. Smith. We follow the process that is legal, acceptable, 
and common for this size, yes.
    Mr. Gottheimer. Thank you for your answer.
    What is being done to resolve the problems with your 
website--I am sure you have read about them, heard about them, 
I have experienced them--to make them more stable, eliminate 
bad and confusing links, and to make essential information more 
accessible? And also I know people got emails saying, ``Sorry, 
we can't get to this for a few weeks.'' I think you have caught 
up there is my understanding. But what do you do about the 
website crashing?
    Mr. Smith. Yes, it has come a long way. Again, the volume 
was overwhelming, as I noted in my oral testimony early on. 
They have taken the right steps to fix that experience. It is 
my understanding that the experience at the call centers and 
the website are far, far better today than they were September 
    Mr. Gottheimer. Yes. And I think we should keep bringing 
them to your attention because when they crash, you know, 
people get even more anxiety. So, if you can please--there are 
a lot of resources out there that can help you with that.
    Can you verify for me that the arbitration clauses or other 
legal liability limitations are not being included in Equifax's 
offerings of credit monitoring, credit freezes, credit locks, 
and identity theft insurance?
    Mr. Smith. Congressman, the arbitration clause is a 
standard clause in products that we sell to consumers, and 
consumers have the right not to buy a product from us, but go 
somewhere else to get that product. The intent was never to 
have the arbitration clause apply to the free offerings. We 
were made aware of that and, within 24 hours, took that 
arbitration clause off.
    Mr. Gottheimer. Good. Thank you.
    Equifax is claiming, as you have talked about, to provide a 
million dollars in insurance coverage for identity theft to 
affected consumers, but the coverage has numerous limitations 
and exceptions, and the timeframe for covered loss can be 
unclear to some people.
    Does Equifax believe that this insurance is in lieu of 
reimbursing customers for their actual losses, and can you make 
clear to people the limitations of the insurance, because I 
know that it doesn't cover everything?
    Mr. Smith. That is correct. It is expenses incurred. I 
think, again, the five services we are offering upfront, 
combined with the lifetime ability to lock your file, are the 
right steps for the company to take for the consumers.
    Mr. Gottheimer. Yes. I think that this is a big issue 
because you see a lot of these insurance companies and they 
provide this coverage, but it really doesn't cover what people 
think. And so, as liability occurs, there are holes.
    I am sure you have heard about the phone call wait times. I 
know one of my constituents wrote in they were on the phone an 
hour the other day, and others have called in about it being 45 
minutes. How are we doing there? What has the improvement been?
    Mr. Smith. It has been dramatic. We have gone from 500 call 
center people to over I think it was 2,700 was the last number 
I have heard of trained people to handle those phone calls.
    Mr. Gottheimer. Do you know the wait time now?
    Mr. Smith. It has come down significantly. I don't have the 
exact number. I saw the data earlier in the week, Congressman.
    Mr. Gottheimer. Is that information you can get to us, just 
a sense of where you are now, average waits?
    Mr. Smith. Yes.
    Mr. Gottheimer. It seems to me it shouldn't be more than a 
couple minutes--obviously, there is huge capacity out there to 
add bodies and given how people have huge anxiety over this 
    I think that is the key here in my 8 seconds. People can't 
feel like this is an Equiscam. They have to feel like you are 
fixing things for them and making their lives better, given 
that their credit is hugely up for question now in front of 
many eyes. So thank you so much for your time.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from Arkansas, Mr. 
    Mr. Hill. I thank the Chairman.
    Thank you, Mr. Smith, for coming in today. I appreciate 
your chance to visit with the committees on Capitol Hill about 
this important issue.
    This is something my family understands. We have had the 
pleasure of being in the OPM breach, the IRS breach, and 
couldn't file our returns on time a year ago. And now I see we 
are gratified to receive your email about also being in the 
Equifax breach. So I can feel the frustration for a lot of 
    And in Arkansas, according to our attorney general, Leslie 
Rutledge, 1.2 million people in Arkansas, some 40 percent of 
the population of the State, are covered by the announced 
breach by Equifax. So we do appreciate our chance to sit down 
and ask the hard questions that we are being asked by our 
    I want to follow up on some of the line of questioning and 
start out just talking about the management practices at 
Equifax, if I could. Did you have a weekly executive management 
meeting with your top officers, your direct reports?
    Mr. Smith. Are you referring to post-breach?
    Mr. Hill. No, just generally. As a general practice at 
Equifax, did you have an executive management meeting with your 
direct reports on a regular basis? Maybe I shouldn't have said 
weekly. But did you?
    Mr. Smith. Yes, Congressman. We had routine operating 
mechanics to run the company. Some might be weekly. Some might 
be every other week. Some might be monthly. Some might be 
    Mr. Hill. Right. It is a mix, and I am sure a mix of levels 
of people in the company came, depending on the topic. But in 
your direct report meetings, would Mr. Gamble be in those 
meetings at that smaller group on whatever frequency it was?
    Mr. Smith. It would depend on the meeting itself, but 
largely, yes. He would be involved in many of the meetings we 
had as a CFO.
    Mr. Hill. And Mr. Loughran, who is the president of 
information systems, as well, would he have been in that 
    Mr. Smith. Again, I have got 12 to 13 direct reports--
    Mr. Hill. Is he one of them? Is he a direct report?
    Mr. Smith. Yes. So the three you are probably going to, and 
Rudy Ploder would be the third.
    Mr. Hill. Right.
    Mr. Smith. All three are direct reports to me. All three 
would be in most of the meetings we would have at the--
    Mr. Hill. And then Mr. Kelley as well, as the chief legal 
    Mr. Smith. Again, there are 13 or 14 individuals, yes.
    Mr. Hill. I am just curious. In that meeting of your 
trusted advisers at the top echelon of the company, between 
March 8 and the end of July, did this topic come up among that 
    Mr. Smith. No, sir, it did not.
    Mr. Hill. And in that period between March 8 and end of 
July, when did you really feel or you were told that it was a 
serious business challenge?
    Mr. Smith. It wasn't until--the detailed review we had is 
noted I think in written testimony on the 17th of August with 
the cybersecurity forensic team Mandiant, the outside legal 
team of King & Spalding, my team. It was the 17th of August was 
the first deep dive.
    Mr. Hill. Let me turn and talk about the section 16 
officers in the company. I am sure the people we just talked 
about are all section 16 officers. The chief legal officer, the 
CFO, yourself, the president of information systems, Mr. 
Loughran, are all section 16 officers.
    Mr. Smith. That is correct.
    Mr. Hill. And your 12b5-1 plan, I assume that is all 
holdings, and then any in-the-money options would be covered by 
somebody's preplan to sell stock?
    Mr. Smith. The 10b5-1 plan?
    Mr. Hill. Yes.
    Mr. Smith. Yes.
    Mr. Hill. Both your personal holdings and then any in-the-
money options that were in the money at the time of a filing, 
of an open period?
    Mr. Smith. You are referring to me?
    Mr. Hill. Well, no, just your plan as a corporate officer 
in the plan.
    Mr. Smith. Some officers may have had a 10b5-1 plan; others 
may not have.
    Mr. Hill. But it wasn't a requirement by the general 
counsel that everybody have one?
    Mr. Smith. No. The requirement was that the general 
counsel, as a clearing process, that he has to approve before a 
16b officer can sell stock.
    Mr. Hill. How many days a quarter do you think you had 
available for trading under those plans?
    Mr. Smith. It tends to be the first 30 days after the 
earnings call. We wait a day or two. Thirty-day window. The 
general indication is to sell it sooner in the opening versus 
    Mr. Hill. Can you think of a time when your general counsel 
canceled that window due to a material or nonpublic information 
effect while you were CEO? In other words, you couldn't use the 
window because people in the group had material or nonpublic 
    Mr. Smith. There were a few times, yes.
    Mr. Hill. Did you have a lead director since you were the 
chairman? In your public company board, did you have a lead 
    Mr. Smith. Similar. We called it a presiding director.
    Mr. Hill. Right. And when did that person find out about 
    Mr. Smith. The 22nd of August.
    Mr. Hill. OK. Thank you. My time has expired.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from Minnesota, Mr. 
    Mr. Emmer. Thank you, Mr. Chair.
    And thank you, Mr. Smith, for sitting through this again 
    Obviously, you have heard this over and over today and in 
your prior three congressional hearings. I, like most people, 
am very concerned about the timeline of events. I appreciate 
the what I take is a sincere apology of yourself on behalf of 
Equifax and the acknowledgement of both the human error that 
you point out from last March and the error in technology, the 
scanning process that didn't work.
    But the timeline of the discovery of the issue, the sale of 
the company stock by three top executives, and the disclosure 
of the breach to the impacted American consumer, which, in 
Minnesota's case, I believe we have a little over 2 million 
that have been identified at this point, raise serious 
potential ethical and legal questions.
    I wanted to start by echoing what our Chairman, Jeb 
Hensarling, said at the outset of this hearing, and that is 
that the company and I would say current and former executives 
like yourself I would hope are going to continue to cooperate 
to the fullest extent with the FBI, the SEC, any agency that is 
investigating this, so that the truth can actually get out into 
the light and people can know exactly what happened.
    I know you can't commit on behalf of the company, but I am 
sure that you can commit on your own behalf, that even in your 
current capacity, you are going to continue to cooperate to the 
fullest extent.
    Mr. Smith. Absolutely.
    Mr. Emmer. I wanted to talk a little bit about the area, 
because today it is about Equifax, but I don't know that people 
are talking about the--even though we all know it, it seems to 
be unspoken that this is such a fast-changing environment. I 
was in a business that will go unnamed in Minnesota, and they 
have this huge investment in technology. They take you into the 
back room, and they have got these TV screens, flat screens all 
around the room, and they are showing you in real time all of 
the attacks that are coming in by the second and the minute.
    I don't think it is just about Equifax. This is a huge 
issue. You look, in 2014, the U.S. Postal Service had a breach 
that exposed personal data on almost a million employees, and 
they had to shut it down. The IRS, in 2015, had almost three-
quarters of a million people affected by a breach. The Office 
of Personnel Management had one in June 2015. And even the SEC 
just last year had the breach of the EDGAR online filing 
    So this isn't just about Equifax; this is a much bigger 
issue. And in the short time that I have left, there are two 
areas that I would like to talk to you about. One is I get 
worried in this place that the snap reaction of elected 
officials is more regulation, more stuff that you have to 
comply with, which I suspect takes resources away from the 
stuff you are trying to do to keep up with the ever-changing 
technology and the way the bad guys are trying to breach these 
systems. I would like you to talk about that for a second 
before we talk about rethinking Social Security numbers and 
dates of birth for identification.
    Mr. Smith. Congressman, I share your views there. It is 
amazing. There was a recent publication that came out, I think 
it was last week. It talked about in 2016 alone, over 4 billion 
pieces of consumers' information were hacked in 1 year alone.
    It is at a rate that I have not seen in my career. It is 
accelerating, if nothing else, and it is a real issue that I 
think, again, public-private partnerships can work on. If 
regulation can prevent a breach like this occurring again, I am 
all for it. This was not an issue, in my humble opinion, that 
more regulation would have addressed.
    Mr. Emmer. As you go forward into the next stage of your 
career with this experience that you now have, would you give a 
word of caution to those of us who are looking at this that, be 
very careful about if there is magic regulation because of the 
compliance costs that come with it and how that could 
negatively impact your ability or others' ability to keep up 
with the technology?
    Mr. Smith. Yes. I mean, oftentimes, we are all in a 
reactionary environment, and the first thing we think about 
sometimes is that regulation is the issue. I think there are a 
lot of things that the public-private together can do. You 
mentioned one of them, which is to think about the identifier 
that we use for the American public, and is there a solution 
beyond SSN.
    Mr. Emmer. All right. Thank you very much.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentlelady from Arizona, Ms. 
    Ms. Sinema. Thank you, Mr. Chairman.
    I am deeply troubled by the Equifax data breach that 
compromised the personal information of over 145 million 
Americans. Every American should take precautionary measures to 
ensure his or her financial security. Arizona seniors are 
particularly at risk and especially now. We must make sure 
safeguards are in place to protect them from financial fraud.
    So I have been working with Congressman Bruce Poliquin of 
Maine to pass H.R. 3758, the Senior Safe Act. This bipartisan 
legislation ensures that financial institutions have the 
regulatory flexibility needed to report suspected instances of 
financial abuse of seniors.
    Every Arizonan deserves to have confidence that his or her 
data will be kept safe when applying for a credit card, 
accessing a small business loan, or buying a home. And today's 
hearing is an important step in finding out what went wrong and 
what must be done to protect consumers.
    Mr. Smith, thank you for being here today. By your account, 
it took Equifax 40 days to let the American people know via a 
press release about a data breach that had lasted for 77 days. 
Additionally, hackers exploited the failure of Equifax IT staff 
to patch software for the 65 days leading up to the breach. 
That adds up to 182 days of Equifax failing to put Arizona 
families first.
    Your testimony before this committee seeks to detail the 
internal deliberations and legal consultation leading up to the 
press release on September 7, but it does not excuse the end 
    An Arizonan whose name, address, and Social Security number 
was taken on day 1 of the breach, under your watch, was left 
vulnerable and in the dark about the data breach for 117 days. 
That is disgraceful and unacceptable.
    More than most, Arizonans value privacy. We value the 
independence to make our own financial decisions for our 
families and our economic futures. But instead of taking every 
precaution to secure our personal data, Equifax jeopardized our 
privacy and made millions of Arizonans significantly more 
vulnerable to identity theft and financial fraud. And now we 
must take every step possible to minimize the damage and better 
address future data breaches.
    It is believed that for the vast majority of Americans, 
this data breach was limited to their credit header data. 
Credit header data includes things like name, address, date of 
birth, known as NADOB data, as well as addresses, aliases, and 
Social Security numbers.
    So my first question to you, Mr. Smith, is while this 
information alone is highly compromising, it does not include 
Americans' most private financial information. Are you aware of 
attempts by these intruders to broaden the scope of the data 
breach to capture private financial information? If so, were 
any of those attempts successful? And if not, why do you think 
hackers opted to forego the more private financial data?
    Mr. Smith. Congresswoman, there are millions of attempted 
or suspicious attacks each and every year across a wide array 
of our data assets. We have no knowledge through the forensic 
audit done by Mandiant that any of the core credit, as you 
refer to it, data was compromised.
    As to why, that goes back to the written and oral testimony 
I gave, which is the Apache Struts software had sat in a 
different environment, completely outside of the core credit 
file, that was not patched. That is why they were able to 
penetrate that environment.
    Ms. Sinema. Mr. Smith, your testimony stated that it took 
the Equifax IT staff 76 days to notice suspicious activity 
after the breach began. Could you tell me exactly how were the 
intruders blending in with normal network traffic, while 
simultaneously stealing this data from Americans, and what do 
you think took the IT staff so long to notice the breach?
    Mr. Smith. They were fairly sophisticated, they being the 
criminal hackers. They moved about the system without moving 
large--what we define, in our environment, as large files. So 
the files themselves in size were not suspicious.
    They were also clever enough not to move at speeds--we have 
velocity indicators throughout the environments that would look 
for things that are moving at very high speeds. They were 
sophisticated enough to do neither.
    Ms. Sinema. Thank you.
    While the Equifax breach was significant, it is important 
to note it was still only the fifth largest data breach in the 
U.S., and all five of the largest data breaches have happened 
within the last 5 years in our country.
    And we as a community here in Congress must recognize that 
these data breaches here are increasingly frequent, and they 
undermine the trust that Americans place in the marketplace and 
their government.
    Whether it is Equifax or the Office of Personnel 
Management, Americans deserve to have institutions--both public 
and private--that work in good faith to safeguard their data 
from those who would harm them.
    And I would urge that Congress should recognize that 
cybersecurity is not a niche issue to be left to the next 
generation. We must find real bipartisan solutions that give 
Americans the opportunity to succeed.
    Thank you, Mr. Chairman. I yield back my time.
    Chairman Hensarling. The gentlelady's time has expired.
    The Chair now recognizes the gentleman from Ohio, Mr. 
    Mr. Davidson. Thank you, Mr. Chairman.
    Thank you for your testimony. Thank you for your sincere 
apology. We recognize that all these companies are staffed by 
humans, and humans fail, as does technology. However, we also 
recognize a high duty of care responsible for a fiduciary.
    I was a little concerned that I was tracking correctly the 
way that your reporting structure is on the board and the 
attention given to governance. Does IT report up through your 
CFO, or is that a direct report to you as the CEO?
    Mr. Smith. It is a direct report to me.
    Mr. Davidson. OK. Within the IT, you emphasized that you 
are a technology company. What is the structure like within IT? 
Is there an information security officer that stays in the IT 
channel, or is that broken out separately?
    Mr. Smith. The chief security officer, global security 
officer is a direct report into the general counsel of the 
company. The general counsel reports directly to me.
    Mr. Davidson. OK. So you feel that your governance 
structure was adequate?
    Mr. Smith. I am not sure I understand the question.
    Mr. Davidson. So given that this error happened, you 
mentioned that you had some closed-loop system failures, where 
you had things that are supposed to happen but you didn't have 
a closed-loop system to make sure they did happen. Do you feel 
there was any failure in governance? Was the structure part of 
the issue at all?
    Mr. Smith. I don't believe so. I don't think structure 
determines success or failure of a process or of a business. It 
is people and technologies doing the right thing. So having the 
chief security officer report into technology, report into me, 
report into CFO, I am not sure would change the outcome of what 
we just experienced.
    Mr. Davidson. OK. Well, that is a little concerning, but 
that is your philosophy.
    On trading, so when you look at--aside from the 
cybersecurity concerns, which have been covered extensively, I 
was really planning to go down a similar path to my colleague, 
Mr. Hill, who talked about how trades for board members, 
executives within the company are approved, what is the timing 
like for that?
    And I also noted that you said that there were times where 
because shareholders of record inside the company had 
information that was nonpublic and material that those trades 
were suspended. And I can't think of a more public time where 
it would probably have been appropriate to suspend a trade than 
while you had a breach of this. Was that an error, an omission, 
or do you feel that the governance worked correctly in that 
instance as well?
    Mr. Smith. Congressman, let me be very clear, if I may. 
There is a process to clear trades. It goes through the general 
counsel. I am not involved in that process. These three 
individuals that traded, it is my understanding they had no 
knowledge of the breach.
    You remember, back to the timeline we talked about earlier, 
it was the 31st was when the portal was shut down. We hired the 
forensic auditors and the law firm on the 2nd. It wasn't until 
later in mid-August that we had indication that something was 
going on that involved large amounts of data and PII.
    These guys traded the 1st and 2nd of August. They followed 
the process, the protocol that we had in place at that time.
    Mr. Davidson. OK. So based on the knowledge that your 
counsel had, I assume it reviews these sorts of things, would 
it have been part of the procedure to say, hey, we have just 
had some very substantial material information that is 
    Isn't there a clear concern--4 days of testimony here, I am 
sure you are going to keep talking about this for a long time--
that given the amount of material information that was 
nonpublic, that executives and board members should not be 
trading in these shares?
    Mr. Smith. Congressman, again, clarification: The 31st of 
July, the only indication we had there was a suspicious 
incident, no knowledge of a breach until weeks and weeks later.
    Number two, it should be noted, this is a topic that is of 
priority for the board of directors, and there is investigation 
currently going on by the independent board of directors.
    Mr. Davidson. Do you think it was a mistake to not cancel 
pending trades even if they had been ordered before the 
discovery of this nonpublic information given that they were 
actually going to occur in that period?
    Mr. Smith. Congressman, on the 1st and 2nd of August we had 
no idea, other than a suspicious incident in a dispute portal.
    Mr. Davidson. Mr. Chairman, my time has expired. I yield 
    Chairman Hensarling. The gentleman yields back.
    The Chair now recognizes the gentleman from Colorado, Mr. 
Perlmutter. The gentleman passes at the moment.
    The gentleman from Tennessee, Mr. Kustoff, is now 
recognized for 5 minutes.
    Mr. Kustoff. Thank you, Mr. Chairman.
    Thank you, Mr. Smith, for being here today.
    If I could, Mr. Smith, I think, from my standpoint in 
listening to others question you today, really the most glaring 
problem is the length of time between when this breach occurred 
to when the public was notified. And I have heard your 
explanations this morning.
    To that end, on September 7, when Equifax claimed that they 
recently discovered a, quote/unquote, ``cybersecurity 
incident'' involving consumer information, but, of course, you 
knew back in July. So if I can, let me back it up for just a 
    From a governance standpoint, did Equifax have a pre-
existing plan in place for contingency such as this, for a 
breach such as this?
    Mr. Smith. If I may, before I answer the question, point of 
clarification. I was not aware in July there was a breach. I 
was not aware until mid-August, as I have said before, and then 
not until late August that there was a breach, and even that 
data continued to evolve until September 7 and, again, until 
Monday of this week.
    To answer your question specifically, Congressman, yes 
there was a crisis management written protocol in place, and it 
applied to many crises, including a data breach.
    Mr. Kustoff. Did it anticipate a breach as big as this 
    Mr. Smith. No. The crisis management protocol that we have 
in place is a breach in general. It doesn't specify you react 
differently if it is 145 million versus 5 million.
    Mr. Kustoff. Did Equifax, in fact, use that protocol for 
this breach?
    Mr. Smith. Yes.
    Mr. Kustoff. Was it executed properly?
    Mr. Smith. Not without issue, as we talked about, but that 
is because the system, the people were overwhelmed on the sheer 
    Mr. Kustoff. So I understand it, the website that you have 
set up to provide consumers information about the breach, which 
is EquifaxSecurity2017.com, in fact, that domain name was 
secured on or about August 22. Does that sound about right?
    Mr. Smith. That sounds about right.
    Mr. Kustoff. All right. So that website, in some form or 
fashion, was ready to go some 2 weeks prior to the 
announcement. Is that right?
    Mr. Smith. Yes, Congressman, that is approximately right. 
And remember, the thing we talked about is, one, the data was 
still moving. It was fluid. We were wanting to be as accurate 
and as transparent as possible on the data; two, we talked 
about Mandiant, the cybersecurity forensic team had recommended 
that we prepare for increased cyber attacks post announcement; 
and third was we had to stand up the environment you are 
referring to so consumers can get access to free services.
    Mr. Kustoff. I do want to follow up, at the beginning, this 
morning, Chairman Hensarling asked you about law enforcement. 
As I understand it, the FBI is involved. They are leading the 
investigations. Is that correct?
    Mr. Smith. That is correct.
    Mr. Kustoff. Is the Secret Service also involved?
    Mr. Smith. Not to my knowledge.
    Mr. Kustoff. Are there any other law enforcement agencies 
involved in the investigation?
    Mr. Smith. There may be. I have been so focused on the FBI.
    Mr. Kustoff. I note that law enforcement, including the 
FBI, there may possibly be other law enforcement, there were 
other agencies that are involved in the investigation. Is there 
any law enforcement agency or any agency whatsoever that 
recommended to you or to Equifax that you not disclose this 
breach until when you disclosed it in September?
    Mr. Smith. To the best of my knowledge, no. They were 
involved starting August 2. We communicated with them routinely 
throughout the process. We made them aware in September. We 
planned on going live on September 7.
    Mr. Kustoff. You mentioned earlier that you hired Mandiant 
on or around August 2. That is right?
    You mentioned King & Spalding who you have hired for legal 
purposes. Have you also hired a PR crisis team?
    Mr. Smith. Yes, Congressman, we did.
    Mr. Kustoff. And who is that?
    Mr. Smith. In fact, we hired two, a company called Edelman, 
well-known crisis management team at the tactical level to help 
us understand, track a variety of input from different sources, 
social media, broadcast media, regulators, State AGs, so on and 
so forth; and then a crisis management, kind of a strategic 
consultant as well.
    Mr. Kustoff. You mentioned King & Spalding. Have you 
inquired of King & Spalding or any other law firm concerning 
bankruptcy protection for Equifax?
    Mr. Smith. No, sir.
    Mr. Kustoff. No bankruptcy protection whatsoever?
    Mr. Smith. Have I consulted a law firm--
    Mr. Kustoff. Or anyone else concerning bankruptcy 
protection for Equifax.
    Mr. Smith. No, sir.
    Mr. Kustoff. Let me ask it another way: Has anybody at 
Equifax sought advice for bankruptcy protection for Equifax?
    Mr. Smith. Not that I am aware of.
    Mr. Kustoff. That is all that I have. I yield back.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from Maine, Mr. 
    Mr. Poliquin. Thank you, Mr. Chairman. Appreciate it.
    Thank you, Mr. Smith, for being here. I know you have been 
on the Hill for quite some time, and a lot of these questions 
have been asked before. But this is so important because it 
goes central to our economy. It really does.
    Here we are on a new pro-growth agenda for this country 
where we want to have lower taxes and fewer regulations and 
trade that is fair and energy prices that are lower and stable 
and then something like this happens.
    Now, I know you folks got hacked, and I know you are doing 
the best you can with it. But the results of this might not be 
felt for quite some time. Think about this, about a third of 
our country, 40 percent of our country--I don't know what it 
is--60 percent of our adults, 145 million people, Mr. Smith, 
145 million, and criminals now have the Social Security 
numbers, their addresses, their birth dates.
    When my mom who is 89 had to go in and sign up for 
Medicare, what do you need? You need a Social Security number. 
And this is really, really serious stuff. I accept your 
apology. I hope the American people do. I don't know if they 
will. But we have a population of about 1.3 million people. I 
am guessing about .5 million got affected by this.
    Now, I am also very concerned about the perception of 
wrongdoing when it comes to our securities laws. You are a 
publically traded company, your Equifax is. That means folks in 
Maine and rural Maine that I represent who are saving for 
college or saving for their retirement, little savers, small 
investors, the little guy, they can buy some of your shares in 
the open market and take a bet that your growth is going to 
reward them and take a bet on the U.S. economy.
    And then all of a sudden we have material here--if you 
believe it. I don't know there is an investigation, I am sure, 
that is going on--that says that in late July you folks knew 
about a breach, and a breach which is central to your business. 
My gosh.
    You folks collect all the sensitive information and you 
sell it to banks and automobile dealers and what have you to 
make sure they get accurate credit reports and money can flow 
through the economy and families can buy homes and get 
mortgages and buy cars and businesses can grow.
    This is really serious stuff. So any breach of that 
information in your business plan is central to your success as 
a company and therefore it affects the stock price. So now we 
see information--if it is true. I don't know--that you had 
folks on the inside.
    And it is really hard, Mr. Smith, for me to accept the fact 
that you had about a dozen people reporting to you and they 
didn't know what the heck was going on when something is so 
central to your business plan.
    It looks like some of these folks acted--three in 
particular have been mentioned today--acted to sell their stock 
before the breach was announced, about a month before, to 
escape loss in the stocks that they own which is the stock in 
your company.
    If that is the case, the little guy gets screwed. Because 
the guys on the inside who know this information avoid the 
loss, but the little folks that I represent up in Maine--and 
they are hardworking, and they save every penny and they are 
worthy of all the income they have--they have invested in your 
company. They have invested in America. They have invested in 
our economy, and they get screwed.
    I have got a question for you. Now, I may be wrong about 
this, Mr. Smith, but the information I have that is public, it 
says that you own about 285,000 shares of Equifax. Is that 
    Mr. Smith. Yes, I believe that is right.
    Mr. Poliquin. OK. Fine. And given the--roughly, the market 
value of that of your outstanding price per share, it is about 
28 million bucks or something. Do you or did you sell any of 
your stock between the time when the breach was learned on the 
inside and when you announced it to the public when everybody 
else in America had that information?
    Mr. Smith. No, sir.
    Mr. Poliquin. OK. Here is one of the other things that 
drives me crazy: Confidence. We have business--out of 15-year 
business confidence at a 15-year high. We have consumers who 
are confident about the new direction for a growing economy 
with more jobs and fatter paychecks. And then something like 
this happens, which shakes our confidence.
    Now, I know that Kyrsten Sinema mentioned this, and I want 
to support it also and ask everybody in our conference, 
Republicans and Democrats, to support a way for Congress to 
help, and that is called the Senior Safe Act.
    We think it is a good idea if seniors who are very 
vulnerable to this sort of identity theft and fraud are able to 
go to their bank tellers and their insurance agents and those 
who plan for their retirement and say, we suspect fraud here of 
all types. We want to speak up to the authorities and not be 
liable for doing so. That is a great bill.
    Thank you, Mr. Smith, for being here. I appreciate your 
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from Pennsylvania, 
Mr. Rothfus.
    Mr. Rothfus. Thank you, Mr. Chairman.
    Mr. Smith, when I first heard about the breach, I was 
obviously very concerned, like all Americans were. Equifax, 
which is tasked with guarding millions of Americans' sensitive 
and personal data, has violated the trust of the American 
people. It is not acceptable, and I commend the Chairman for 
convening today's hearing so that we can understand what went 
wrong and how we can prevent it from happening in the future.
    My constituents in western Pennsylvania sent me here to be 
their voice, so I would like to share some of their thoughts on 
this situation. David from Allegheny County, Pennsylvania, 
wrote to us, quote, ``I am more than a bit angry about the 
Equifax data breach. While I understand that crime will always 
be a part of life, I am outraged by Equifax's response to the 
situation. They have allowed my personal information be 
compromised and made available. This has the potential to 
impact my wife and I for the rest of our lives.''
    Robert in Cambria County, Pennsylvania, wrote, quote, 
``Equifax must be held severely accountable for the massive 
data breach affecting nearly every adult American, including my 
entire family. They must answer for their weak and seemingly 
disingenuous initial response and notification regarding the 
    And Alan, also from Allegheny County, described his 
interactions with Equifax as, quote, ``an endless, circular 
conversation,'' and added, quote, ``frankly, I am rather tired 
of this ongoing fiasco.''
    These are real people whose concerns need to be addressed. 
Hardworking Americans are scared and they deserve answers, and 
they need to be made whole.
    I understand that--we talked about a little bit of a 
timeline here. Equifax discovered the breach on July 29 and 
notified the FBI 2 days later. Mandiant was brought in a few 
days after that to investigate, but Equifax did not notify the 
public for over a month.
    I understand from your testimony that this delay was partly 
due to a concern that public notification would invite more bad 
actors to compromise your systems. With that said, it is still 
concerning that more than a month elapsed between discovery of 
the breach and public notification.
    I am curious as to whether there was a specific event or 
fact that finally led Equifax to make the disclosure. For 
example, September 7 was the date that it was disclosed. Did 
you know something on September 7 that you did not know on 
September 6?
    Mr. Smith. Congressman, a point of clarification. So we did 
not--we were not aware of a breach of any sort back in the July 
timeframe you mentioned. Again, at that time it was--
    Mr. Rothfus. Well, you noticed activity on July 29 that was 
    Mr. Smith. We notice suspicious activity on our databases 
around the world to the tune of millions per year. So what we 
saw--thought we saw in late July was nothing we haven't seen 
before. Suspicious activities, unfortunately, in this 
environment are very common.
    Mr. Rothfus. But a couple days later you are already 
engaging outside vendors?
    Mr. Smith. Which that, in itself, was not unusual.
    Mr. Rothfus. What did you know on September 7 that you did 
not know on September 6?
    Mr. Smith. I don't have that specific answer. I can tell 
you this: The timeframe between mid to late August and 
September 7, as I mentioned before, was very fluid. As we just 
saw on Monday's announcement this week, that picture continued 
to develop as we found 2.5 million more consumers that were 
impacted and announced on this Monday. So it was an ever-
evolving set of facts.
    Mr. Rothfus. You testified that the data was not encrypted 
on your database. Is there a reason for that?
    Mr. Smith. Again, there are different levels of security in 
different environments: Encryption is one, tokenization is one, 
masking is one, firewalls are one, encryption at rest is one, 
encryption in motion is another technique. So there is no one, 
single technique that protects the consumers' data.
    Mr. Rothfus. A lot of people are watching at home wondering 
if their data was compromised in the breach. Many Americans are 
still wondering whether their personal information that is 
currently being housed at Equifax is safe. Is their information 
currently safe today?
    Mr. Smith. We have no knowledge that any other information 
we have in our database in the U.S., around the world was 
compromised. It was limited to this one dispute portal we have 
talked about now for a number of days.
    Mr. Rothfus. Is there a reason that you are choosing not to 
disclose the scope of insurance coverage?
    Mr. Smith. Yes, there is.
    Mr. Rothfus. Could you share that with us?
    Mr. Smith. I prefer not to. And the reason being, 
Congressman, is when you disclose a number it puts a target out 
there for others, for lawsuits, and so on and so forth.
    Mr. Rothfus. That is going to be disclosed in discovery, 
and you already have lawsuits out there.
    Mr. Smith. Yes.
    Mr. Rothfus. But you are choosing not to--
    Mr. Smith. Correct.
    Mr. Rothfus. I yield back, Mr. Chairman.
    Chairman Hensarling. The gentleman yields back.
    The Chair now recognizes the gentleman from North Carolina, 
Mr. Budd.
    Mr. Budd. Thank you, Mr. Chairman, and Mr. Smith.
    So I think what has infuriated the people I serve in North 
Carolina is they really didn't volunteer to have their data 
stored at your company. They didn't say Equifax, here, take my 
data. So there is an element, and it is a major one at your 
company, and it is a trust element, and that has really been 
    But let me shift over to a personnel topic. So why were the 
chief security officer and the chief information officer 
allowed to retire instead of resigning or being fired? I 
believe you, yourself, resigned.
    Mr. Smith. It is semantics. They are out of their job now. 
The day we announced they are stepping down, they are no longer 
effective. They are individuals who can add an advisory 
capacity for smooth transition between themselves and the two 
announced interim individuals we have at the CIO level and the 
chief security officer level.
    And then if those individuals are replaced with full-time 
people, which they will be at some point in time, they can add 
value there. So it is nothing more than having them assist in a 
smooth transition.
    Mr. Budd. Beyond just semantics, what was the total cash 
value of their retirement packages, if you don't mind?
    Mr. Smith. I don't know specifically. We can get that 
information to you.
    Mr. Budd. If you would, please.
    So did the chief security officer and the chief information 
officer undergo any financial repercussions as a result of 
their retirement other than foregone future salary?
    Mr. Smith. They lost their jobs, and there is no bonus.
    Mr. Budd. So just foregone future salary and no bonus, 
    Mr. Smith. Yes, correct. And no severance for either one.
    Mr. Budd. Did the discussion to allow them to retire 
instead of terminating their employment, did it increase or 
decrease the size and scope of their severance package with the 
company? You said there was no severance package.
    Mr. Smith. Correct.
    Mr. Budd. In general, does an employee at the Equifax 
Corporation who retires have access to more benefits, receive a 
better separation agreement than someone who resigns or is 
    Mr. Smith. Not to my knowledge.
    Mr. Budd. Well, so it is more likely than not--did Equifax 
not punish the individuals responsible but actually rewarded 
them through this decision by not firing anybody?
    Mr. Smith. No, sir. They are both out of a job.
    Mr. Budd. Chairman, I yield back.
    Chairman Hensarling. The gentleman yields back.
    The Chair now recognizes the gentleman from Indiana, Mr. 
    Mr. Messer. Mr. Smith, thank you for being here. You know, 
I admire your stamina in sitting through this, but I have to 
tell you, the more I hear about this, the madder I get. So 
excuse my tone as I go through this.
    Have you had an opportunity to log onto the Equifax page 
and do this process of determining whether you were part of the 
    Mr. Smith. Absolutely.
    Mr. Messer. I did it.
    Mr. Smith. Right.
    Mr. Messer. So in that, I had to give my birth date 
multiple times, had to give parts or all of my Social Security 
number, four or five times. I answered a question or two wrong, 
so I had to call into the web pages--I mean call into your 
calling service, and I had to give my Social Security another 
    Has it crossed your mind that given the recent breach and 
the fact that you guys have disclosed personal information for 
140 million Americans that people might be a little 
uncomfortable giving you their Social Security number again 
seven or eight times to find out whether they were impacted?
    Mr. Smith. Congressman, I have talked to a number of people 
myself, and I share your frustration. I share their 
frustration. We have tried to improve that process as much as 
we can, but we have to validate you are who you are before we 
can offer you the product.
    Mr. Messer. Well, it is frustrating to a lot of people, and 
obviously you haven't built a great record as an organization 
on trust.
    Will Equifax profit from the new data now being provided by 
tens of millions of Americans to your website? Will Equifax be 
able to take that information now that I have entered it again 
and use it commercially for itself or for partners?
    Mr. Smith. The intent of this service is a service. It is a 
utility. It is to offer you this service for free, not sell, 
cross sell, up sell you as a consumer.
    Mr. Messer. So looking here, this is the privacy notice you 
have to click on when you sign onto the web page. It says here, 
I think, in these two columns here, that this information can 
be used for joint marketing with other financial companies, for 
affiliates, everyday business purposes, for marketing purposes 
by, it looks to me like Equifax and the company that is doing 
this for you. Is that--
    Mr. Smith. Congressman, if you are a consumer that comes in 
and gets a free service from us, our intent is to have that in 
an environment where we don't cross sell, up sell you.
    Mr. Messer. Well, the form says you will. So am I to 
believe you or the form?
    Mr. Smith. Excuse me?
    Mr. Messer. The form here says you will. So am I to believe 
you or the form?
    Mr. Smith. I am not sure what form you are referring to.
    Mr. Messer. This is the privacy notice. So, again, will 
Equifax have the opportunity to use the information provided by 
consumers in their operations of commerce, therefore make a 
profit on it?
    Mr. Smith. I will say it one more time. The intent is when 
you come to us to get a free service, we are not going to cross 
sell or up sell you.
    Mr. Messer. With all due respect, there is a phrase, the 
road to hell is paved with good intentions. I think your 
intentions were probably fine as 140 million people lost their 
information. It looks to me, based on this form, that you guys 
have the ability to do that.
    I want to ask you this question: Have you ever met anybody 
who had their identity stolen, Mr. Smith?
    Mr. Smith. Yes.
    Mr. Messer. It is a pretty miserable experience, isn't it?
    Mr. Smith. Yes.
    Mr. Messer. It destroys their life. So as we talk about big 
numbers like 140 million people, almost 4 million people in 
Indiana, it is really important to remember that these people 
are real people that have had their lives put at risk.
    Mr. Smith. Congressman, I couldn't agree more. I have 
talked to people at my church that work for us, Equifax 
employees, people in the community, my three daughters, my 
wife, my family. I understand the anger and frustration they 
are going through.
    Mr. Messer. And I am glad you appreciate that frustration. 
We will return to this in just one quick second.
    As we have gone through this, you have said you have these 
five services you are going to provide. When it comes to real 
compensation for people who have had their identity stolen, the 
reality is they are not going to get much from you. Is that 
    Mr. Smith. What they are going to get, Congressman, is 
these five free services plus the sixth service, the lock and 
unlock for life.
    Mr. Messer. But if their identity is stolen, the 
compensation for you won't be much. You said earlier you won't 
throw out a number. I can give you a number. Total assets of 
your company are about 6.6 billion based on your annual report. 
Is that right?
    Mr. Smith. Approximately.
    Mr. Messer. Roughly that. So if you take 147 million 
people, that is about $47 per person, if you liquidate. If 1 
percent of those people have some kind of damage, you have got 
about $4,700 that you would have to even compensate them 
    I want to ask you this though, because you mentioned how 
frustrated you were, and I will leave you on this. This is 
where I think a lot of American people struggle. You would 
consider this a pretty major business screwup, right?
    Mr. Smith. It is a breach obviously that we are very, very 
sorry for.
    Mr. Messer. 147 million people.
    And you mentioned--let me use your phrase--the folks that 
you found most directly responsible for that, they lost their 
job, no bonus, no severance, right? Is that what happened to 
the people that you held responsible for this? That is your 
    Mr. Smith. My words are, I am ultimately responsible, and I 
stepped down.
    Mr. Messer. So does it seem fair to you that you would get 
a $40 million to a $90 million bonus as you exit after you 
presided over potentially the biggest business screwup in 
modern history where 140 million Americans had their personal 
information stolen?
    Mr. Smith. Congressman, the only thing I have walked away 
with is all disclosed in the proxy. It was my pension and prior 
compensation. I have asked for no more.
    Mr. Messer. Yes. The American people are frustrated. And 
again, I appreciate you being here, but they have a right to be 
frustrated. It doesn't seem fair.
    Chairman Hensarling. The time of the gentleman has expired.
    The Chair now recognizes the gentleman from Georgia, Mr. 
    Mr. Loudermilk. Thank you, Mr. Chairman.
    Mr. Smith, thank you for being here. I am impressed that 
you are here, considering that you are no longer in your 
previous position. I don't know that you would have had to have 
been here. I appreciate your attendance here because I know 
this is difficult. It is a difficult time for 147 million 
Americans as well.
    A couple questions regarding some of the things you said 
earlier. Where I want to be focused is how do we prevent 
something like this from happening again? I spent 30 years in 
the IT business, and security was always at the forefront of 
things we were working on. And so I am very interested in what 
transpired to cause the problem, how can we avoid this in the 
    First of all, you had mentioned in a couple of instances, 
as you were addressing some of the members asking questions 
here, that you complied with all the State laws regarding 
notification. And you mentioned State laws earlier regarding 
    Is it State laws that govern our cybersecurity policy? Is 
there not a Federal law that governs that? And if there are, 
why is that not applicable?
    Mr. Smith. Congressman, the only point of clarification, 
the only thing we are trying to be mindful of there was as we 
learned and gained more insight on the size and scope and 
nature of the breach is making sure we balance our desire for 
accuracy, completeness of the picture with the State laws of 
communication. That is what I was referring to.
    Mr. Loudermilk. OK. I understand. But are there Federal 
laws that are applicable in this instance, or is cybersecurity 
pretty much governed by State law?
    Mr. Smith. I am not sure what you are saying. It is not 
governed by State law. The State law was just the communication 
I was referring to.
    Mr. Loudermilk. OK. So the actual applying of the patch, 
from what I understood in your previous testimony and you 
answering questions, was you were notified of the 
vulnerability. A patch was provided. It was communicated that 
that patch should be applied, but somewhere that did not 
happen. I guess, it was the human error was the individual who 
was to apply the patch to that portal did not follow through. 
Is that correct?
    Mr. Smith. It is a little bit more than that. It was an 
individual in the IT organization who received notification 
from security. That individual was responsible for the patching 
process and never ensured that the proper person was 
communicated to and did not close that loop.
    Mr. Loudermilk. Is there a level of oversight that should 
be there? Quite often when I was in the military, and worked in 
communications and intelligence, we always had two-person 
integrity. There was always somebody looking over the shoulder 
to make sure that a process was completed.
    And same thing when I was working with many governments and 
their IT is that especially with the security patch, that there 
was always someone else to come back through and make sure that 
it was applied. Was that process not in place?
    Mr. Smith. Yes. To clarify, this individual owned the 
communication and the patching process to ensure it was not 
closed. He did neither. Second, the closed-loop process was 
also the scanner we talked about. And the scanner, which is 
applied, I believe it was March 15, to look across the 
environment for this vulnerability did not find this 
vulnerability, and that is currently under investigation as to 
    Mr. Loudermilk. OK. That was--it kind of hit my next 
question, is that being under investigation as to why that did 
not happen, and is there some liability on some individuals 
that potentially were nefarious in this process?
    Mr. Smith. The individual who I just discussed that was 
responsible for the patching process is no longer with the 
    Mr. Loudermilk. All right. Thank you, Mr. Chairman. I yield 
    Chairman Hensarling. The gentleman yields back.
    The Chair now recognizes the gentlelady from New York, Ms. 
    Ms. Tenney. Thank you, Mr. Chairman. And thank you for 
having this very important meeting, as we have over 145 million 
U.S. consumers who have been affected by this.
    And I thank you, Mr. Smith, for being here and being 
willing to answer these questions.
    You know, everybody is really angry. Our constituents are 
calling us. People are concerned about the security breach. 
Social Security numbers, birth dates, addresses, driver's 
license numbers, credit card numbers for up to 200,000 
consumers and all kinds of data has been breached. And it 
took--I know you have discussed this over and over--but 6 weeks 
to notify regulators.
    My first question on this is, did you or your firm notify 
the credit bureaus before you announced this breach so they 
could prepare for what our consumers are trying to find answers 
to? And many State laws also require this. Did your company 
actually do that? Did you notify those credit bureaus that were 
your customers?
    Mr. Smith. Let me make sure I understand the question, 
Congresswoman. Did we notify specifically TransUnion and 
Experian who--
    Ms. Tenney. Right. Prior to the date that the breach was. 
So it took 6 weeks before the actual patch was discovered and 
released. That is when you got your--I don't know--I can't 
remember the dates on--my colleagues asked you when you got 
your crisis management team, when you lawyered up, when you got 
everybody ready before you actually disclosed that. But when 
did you actually notify your customers, the credit bureau 
customers who relied on you for your information?
    Mr. Smith. Again, I think I understand the question. So it 
was in late August, not late July, that the picture started to 
come together that we had a data security issue. We went live 
on September 7.
    To answer your question specifically, we did not go to 
TransUnion or Experian before the release went out on September 
    Ms. Tenney. So they didn't have any knowledge of this 
happening, so they weren't able to prepare when this was to 
come later on, as your company did?
    Mr. Smith. It was not public at that time.
    Ms. Tenney. Right. Let me ask you, so you described the 
suspicious activity and the patches and millions of patches 
occur. Is there a priority or a way that your team identifies 
what patches are more important, more valuable, more vulnerable 
than others? Is there some protocol in place for that?
    Mr. Smith. Yes, there is. Let me clarify though, if I may.
    Ms. Tenney. OK.
    Mr. Smith. It is not millions and millions of patches per 
year. What I was referencing is, in any given year, it is not 
unusual to have millions of suspicious or potential attacks.
    Specific to patches, patches and the requirement for 
patches are very common, and they are stratified in different 
categories, from critical to high, to medium, to low risk. And 
the protocol internally for the amount of time required or 
allowed to apply the patch depends on the criticality of the 
issue itself.
    Ms. Tenney. So what would you rate this patch that was what 
was--did not get--
    Mr. Smith. It was critical.
    Ms. Tenney. It was critical. And that didn't--when was the 
actual date that you discovered that patch?
    Mr. Smith. Again, March 8 we were notified by CERT of the 
need to patch on the 9th. The email went out to the teams to 
apply the patch. And as we talked about before, there was a 
human error. The individual did not communicate and close the 
process. And on the 15th of March, the scanning device did not 
find the vulnerability.
    Ms. Tenney. But that is in March. Did you notify the credit 
bureaus or the other customers? How many customers do you have 
on your--do you know--the confidential data is actually on your 
site--do you have--in control of? How many people, would you 
say, actual individuals are on the site that would be 
vulnerable, not just--
    Mr. Smith. The total credit population in the United States 
is roughly 230 million, 240 million people.
    Ms. Tenney. So that many people were affected by this?
    Mr. Smith. No, Congresswoman. The number we disclosed was 
145.5 million. The services we are offering are to all 
Americans, but at this 145.5 were impacted.
    Ms. Tenney. OK. Well, let me just go quickly, because I 
decided to go look onto your site, as my colleague pointed out. 
It is ironically called TrustedIDPremier.com. And I went to 
this and put my own information, and it said I may have been 
    And it does send me to another--I have to go through some 
protocols, re-enter more digits, my Social Security number, my 
name, and then it reveals to me that, nonetheless, please enter 
more personal information.
    If people listening to this and my constituents go on to 
make sure--to find out if they have had their data breached, 
will they be vulnerable if they re-enter this on this website?
    Mr. Smith. We have taken many steps since the breach to 
make sure that site is very secure.
    Ms. Tenney. So this is secure? They can go re-enter their 
data, and it will be secure?
    Mr. Smith. Yes.
    Ms. Tenney. Thank you.
    Chairman Hensarling. The time of the gentlelady has 
    The Chair now recognizes the gentleman from Colorado, Mr. 
    Mr. Perlmutter. Mr. Smith, thank you for your testimony 
today. Thanks for lasting so long.
    Just a few questions for you. And I do have some sympathy 
for the attack, the breach. Whether it is Anthem, BlueCross, or 
Lowe's, or Home Depot, or JPMorgan Chase, or personnel 
department, the Democratic National Committee, lots of hacks 
have occurred, and everybody needs to stay vigilant to that.
    My questions to you, sir, are going to be more--credit 
reporting agencies are not everybody's best friends. You have a 
job where you try to actually say, this guy is a good credit 
risk, this gal is not a good credit risk, whatever.
    And we had--and it may have been you and executives from 
Experian and TransUnion a few years ago, and there was a 
question about whether or not the algorithms that are the basis 
for people's credit reports were going to be disclosed to us as 
Members of Congress.
    And I think the testimony was that those were proprietary 
and patentable and were key pieces of information for the 
different organizations. Were you one of the ones that 
testified for us?
    Mr. Smith. Congressman, I was not. You may be referring to 
the most common credit score in the industry is the score 
called the FICO score.
    Mr. Perlmutter. Right.
    Mr. Smith. That may be who you are referring to.
    Mr. Perlmutter. So we wanted to get information at that 
point about how a FICO score was calculated, is it fair to 
whoever is getting their credit score, credit report, and we 
were told, no, that is proprietary information. Do you know 
whether in this hack how you guys developed the FICO score was 
    Mr. Smith. Congressman, we are a reseller, if you will, in 
some cases of that FICO score, and there is no indication that 
we housed FICO scores that were hacked in any way.
    Mr. Perlmutter. OK. So the algorithm is that proprietary 
information, to your knowledge, wasn't part of this theft?
    Mr. Smith. Yes. The algorithm is developed and controlled 
and owned by another company called Fair Isaacs.
    Mr. Perlmutter. And your company doesn't have how that 
algorithm is created or developed?
    Mr. Smith. That is correct.
    Mr. Perlmutter. OK. I was asked by somebody from the Energy 
Committee, and I know you may have testified earlier today, do 
you know whether there was a foreign actor who was the 
perpetrator of this hack?
    Mr. Smith. We have engaged the FBI, and the FBI is 
continuing their investigation.
    Mr. Perlmutter. There were some statements you made that 
there was a clever kind of ability to get around some of the 
safeguards you all had in terms of the speed or the volume or--
    Mr. Smith. Uh-huh.
    Mr. Perlmutter. Is there a concern on your part or anybody 
at the company's part that this was an inside job?
    Mr. Smith. I have no indication of that at all.
    Mr. Perlmutter. So, when somebody comes in and hacks, it is 
like they are trying to break into the bank. And your bank 
housed a lot of information, if you will. And you had some 
safeguards. You got the patch, so there is a vulnerability that 
they were able to get inside the bank. But then they were able 
to avoid a number of the different kinds of defenses you had 
within the bank. Did I mishear your testimony?
    Mr. Smith. That is correct.
    Mr. Perlmutter. So in this investigation, are you doing an 
internal investigation on top of the FBI investigation? How is 
that proceeding?
    Mr. Smith. Yes. If I understand your question, there is the 
forensic investigation which was done on the data that was 
compromised. It was done by an independent firm called 
    There is an internal investigation being done by outside 
counsel to look at all the processes internally and the 
individuals involved internally, if that answers your question. 
And then there is the FBI investigation as well.
    Mr. Perlmutter. All right. Last question, just what I was 
looking at, there are 100 lawsuits, class-action suits, a 
variety of suits. You were asked by Mr. Rothfus whether you had 
insurance for this, are you self-insured. You didn't want to 
give us an amount. Do you have insurance for this?
    Mr. Smith. We have cyber insurance, yes.
    Mr. Perlmutter. OK. And is there a self-insurance? Do you 
have self-insurance? Do you have money in reserve for something 
like this?
    Mr. Smith. There is a retention that we have and then on 
top of that is a stack of participants up to a limit.
    Mr. Perlmutter. And my last question, do you still retain 
shares in the company?
    Mr. Smith. Absolutely.
    Mr. Perlmutter. OK. Thank you.
    Chairman Hensarling. The time of the gentleman has expired.
    There are no more members in the queue.
    I would like to thank the witness for his testimony today.
    The Chair notes that some Members may have additional 
questions for this panel, which they may wish to submit in 
writing. Without objection, the hearing record will remain open 
for 5 legislative days for Members to submit written questions 
to these witnesses and to place their responses in the record. 
Also, without objection, Members will have 5 legislative days 
to submit extraneous materials to the Chair for inclusion in 
the record.
    I would ask Mr. Smith that you please respond as promptly 
as you are able. This hearing stands adjourned.
    [Whereupon, at 1:44 p.m., the committee was adjourned.]

                            A P P E N D I X

                            October 5, 2017