[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

EXAMINING THE EQUIFAX DATA BREACH, CONTINUATION

=======================================================================

HEARING BEFORE THE COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION

__________

OCTOBER 25, 2017

__________

Printed for the use of the Committee on Financial Services

Serial No. 115-50

U.S. GOVERNMENT PUBLISHING OFFICE
30-339 PDF WASHINGTON : 2018

HOUSE COMMITTEE ON FINANCIAL SERVICES

JEB HENSARLING, Texas, Chairman

PATRICK T. McHENRY, North Carolina, Vice Chairman
PETER T. KING, New York
EDWARD R. ROYCE, California
FRANK D. LUCAS, Oklahoma
STEVAN PEARCE, New Mexico
BILL POSEY, Florida
BLAINE LUETKEMEYER, Missouri
BILL HUIZENGA, Michigan
SEAN P. DUFFY, Wisconsin
STEVE STIVERS, Ohio
RANDY HULTGREN, Illinois
DENNIS A. ROSS, Florida
ROBERT PITTENGER, North Carolina
ANN WAGNER, Missouri
ANDY BARR, Kentucky
KEITH J. ROTHFUS, Pennsylvania
LUKE MESSER, Indiana
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
BRUCE POLIQUIN, Maine
MIA LOVE, Utah
FRENCH HILL, Arkansas
TOM EMMER, Minnesota
LEE M. ZELDIN, New York
DAVID A. TROTT, Michigan
BARRY LOUDERMILK, Georgia
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
TREY HOLLINGSWORTH, Indiana

MAXINE WATERS, California, Ranking Member
CAROLYN B. MALONEY, New York
NYDIA M. VELAZQUEZ, New York
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
MICHAEL E. CAPUANO, Massachusetts
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
DAVID SCOTT, Georgia
AL GREEN, Texas
EMANUEL CLEAVER, Missouri
GWEN MOORE, Wisconsin
KEITH ELLISON, Minnesota
ED PERLMUTTER, Colorado
JAMES A. HIMES, Connecticut
BILL FOSTER, Illinois
DANIEL T. KILDEE, Michigan
JOHN K. DELANEY, Maryland
KYRSTEN SINEMA, Arizona
JOYCE BEATTY, Ohio
DENNY HECK, Washington
JUAN VARGAS, California
JOSH GOTTHEIMER, New Jersey
VICENTE GONZALEZ, Texas
CHARLIE CRIST, Florida
RUBEN KIHUEN, Nevada

Kirsten Sutton Mork, Staff Director

C O N T E N T S

----------

Hearing held on:
    October 25, 2017 (page 1)
Appendix:
    October 25, 2017 (page 27)

WITNESSES
Wednesday, October 25, 2017

Cable, Sara, Director, Data Privacy and Security, Assistant Attorney General, Consumer Protection Division, Office of Attorney General, Commonwealth of Massachusetts (page 4)
Litt, Mike, Consumer Advocate, U.S. Public Interest Research Group (page 8)
McGee, Kathleen, Chief, Bureau of Internet and Technology, Division of Economic Justice, Office of the New York State Attorney General (page 5)
Moy, Laura, M., Deputy Director, Center on Privacy and Technology, Georgetown University Law Center (page 7)
Wu, Chi Chi, Staff Attorney, National Consumer Law Center (page 6)

APPENDIX

Prepared statements:
    Cable, Sara (page 28)
    Litt, Mike (page 90)
    McGee, Kathleen (page 99)
    Moy, Laura, M. (page 103)
    Wu, Chi Chi (page 124)

Additional Material Submitted for the Record

Waters, Hon. Maxine:
    Letter from VantageScore (page 137)
    New York Times article entitled, ``Equifax Grip on Mortgage Data Squeezes Smaller Rivals'' (page 142)
    Written questions for the record submitted by Democratic members for October 5, 2017 Equifax hearing (page 146)
    Press statement from CFPB entitled, ``Supervisory Highlights Focused on Problems Discovered with Credit Bureaus'' (page 160)
    Written statements for the record from the first Equifax hearing on October 5th (page 163)
    Information about ID theft tools available to consumers on CFPB's website (page 171)

EXAMINING THE EQUIFAX DATA BREACH, CONTINUATION

----------

Wednesday, October 25, 2017

U.S. House of Representatives,
Committee on Financial Services,
Washington, D.C.

The committee met, pursuant to notice, at 2 p.m., in room 2128, Rayburn House Office Building, Hon. Ted Budd [member of the committee] presiding.

Present: Representatives Rothfus, Mooney, Budd, Waters, Maloney, Sherman, Meeks, Capuano, Clay, Scott, Green, Ellison, Perlmutter, Himes, Foster, Kildee, Sinema, Beatty, Heck, Gottheimer, Gonzalez, Crist, and Kihuen.

Mr. Budd [presiding]. The committee will come to order. Without objection, the chair is authorized to declare a recess of the committee at any time, and all members will have 5 legislative days within which to submit extraneous materials to the chair for inclusion in the record. Pursuant to clause D-5 of rule three of the Committee on Financial Services, this additional hearing day has been scheduled with reference to October 25th, 2017, full committee hearing entitled ``Examining the Equifax Data Breach.'' The Chair now recognizes the Ranking Member of the committee, the gentlelady from California, for 4 minutes for an opening statement.

Ms. Waters. Thank you very much, Mr. Chairman. And thank you to all of the witnesses who are here today to better understand the causes and impact of the massive data breach at Equifax. State government experts and consumer advocates to testify here today, I want to thank you for being here to testify today. Unfortunately, the CEOs of each of these three major credit bureaus have refused to attend this hearing.
It is particularly troubling that since the massive breach, Equifax has yet to send an executive to testify before Congress who actually has the ability to examine all the issues with our broken credit reporting system. Committee Democrats requested this minority day hearing and invited the chief executive officers of Equifax, Experian, and TransUnion, which are the three nationwide consumer reporting agencies in this country, as well as a group of senior staff from legal authority to commit the company to future action. Equifax has badly mishandled virtually every aspect of this breach. They failed to update a known software vulnerability for several weeks. They failed to properly notify law enforcement agencies, as required by many State data breach laws and regulations, and even in announcing to the public about the breach, failed to provide consumers with the tools they needed to safeguard against identity theft and other harm that could be caused by the unauthorized exposure of their sensitive financial and personally identifiable information for free. But Equifax isn't the only major credit bureau to have faced a major cyberattack. About 2 years ago, Experian, one of the other major bureaus, also had a breach that exposed millions of T-Mobile customers' information. Yet the head of Experian also declined to come to testify today. These security breaches at the major credit bureaus are just one of the many problems within the credit reporting industry. That is why I have long called for a complete overhaul of the entire credit reporting system, and I recently introduced H.R. 3755, the Comprehensive Consumer Credit Reporting Reform Act. My bill shifts the burden of removing mistakes from credit reports onto the credit bureaus and furnishers--away from consumers--limits credit checks for employment purposes, and reduces the time period that negative items stay on credit reports, among many other key reforms. 
It is clearly time for us to fix the vast problems within the credit reporting sector. There is enormous concern and frustration from consumers across the country about the lack of control they have over how these companies collect, maintain, and sell consumer data. It is time for us to ensure there are adequate measures to hold these firms accountable for their business practices. And I find it unacceptable that the three major credit bureaus have still failed to take even the most basic steps to protect consumers after this latest massive breach by immediately providing all consumers with free credit freezes. If executives at the three nationwide consumer reporting agencies are watching this hearing today, I want them to know that the days of their companies being able to operate with impunity are now over. I thank you, and I yield back the balance of my time.

Mr. Budd. Gentlelady yields back. The Chair now recognizes the gentleman from Michigan, Vice Ranking Member Mr. Kildee, for 1 minute.

Mr. Kildee. Thank you, Mr. Chairman. And thank you to the Ranking Member for organizing this important hearing. This breach, the Equifax breach should never have happened. Because of unacceptable security lapses, Equifax exposed the personal information of over 145 million Americans. For a company whose very business involves the collection of America's most personal financial information, it is almost inconceivable that this major breach occurred. And I know I am, and other members of this committee, are very concerned with potential insider trading by several high-level Equifax executives, and we have requested the SEC (Securities Exchange Commission) to fully investigate these actions. Even worse than the breach itself, or the potential insider trading, has been how Equifax treated the American public and its customers since this breach was exposed.
Weeks passed between the discovery of this breach and when it was disclosed to the public, yet Equifax was completely unprepared to address the concerns of Americans. I am grateful that we are having this hearing today to see how we can move forward and make sure this does not happen again and to do what we can to help the over 145 million Americans impacted. Thank you, and I yield back.

Mr. Budd. Gentleman yields back. The Ranking Member is recognized for 4 minutes to introduce the panel of witnesses.

Ms. Waters. Thank you very much, Mr. Chairman. And welcome to all of our witnesses today. First I would like to introduce Sara Cable. Ms. Cable is an Assistant Attorney General and the Director of Data Privacy and Security in the Consumer Protection Division of the Massachusetts Attorney General's Office as an Adviser to Attorney General Healey and her chief of staff. Ms. Cable leads the office's data privacy and security enforcement and advocacy efforts. Ms. Cable oversees the office's review of thousands of data security incidents each year and leads several investigations of data security and privacy matters affecting the financial, health care, insurance, legal, and retail sectors. And then there is Kathleen McGee. Ms. McGee is presently the Chief of the Bureau of Internet and Technology for the Office of the New York State Attorney General. The bureau is responsible for the enforcement of New York's privacy, data security, and consumer protection laws in the online and technology environment, as well as for enforcement of New York's data breach notification laws. The bureau investigates a wide range of issues affecting the tech space, including privacy violations, data security breaches, online safety, native advertising, deception, and fraud. Then there is Chi Chi Wu. Ms. Wu is a Staff Attorney at National Consumer Law Center (NCLC), where her specialties include fair credit reporting, credit cards, tax-related consumer issues, and medical debt.
She frequently serves as a resource for policymakers and the media on consumer credit issues. Ms. Wu is the lead author of the NCLC treatise Fair Credit Reporting Act and has been advocating for a reform of the credit reporting system for over a decade. And then there is Laura Moy. Ms. Moy is the Deputy Director of the Center on Privacy and Technology at Georgetown Law. She is a public interest advocate who writes and speaks on a number of technology policy issues, including consumer privacy and law enforcement surveillance. Ms. Moy has testified previously before this committee, and we are pleased she is here with us again today. Mike Litt--last, but certainly not least--Mr. Litt is a national consumer advocate for the U.S. Public Interest Research Group (PIRG) an organization that advocates for the interest of American consumers and stands up against power interests when they push the other way. He is a leading voice on credit freezes and identity theft prevention and has co-authored a number of valuable resources on the topic. Again, I want to welcome all of our witnesses to today's hearing and thank you for being here today. I yield back the balance of my time.

Mr. Budd. Gentlelady yields back. Ms. Cable, you are recognized for 3 minutes to give an oral presentation of your testimony.

STATEMENT OF SARA CABLE

Ms. Cable. Thank you. Good afternoon, Chairman, Ranking Member Waters, distinguished members of the committee. Thank you for inviting me to testify today. My name is Sara Cable. I am an Assistant Attorney General in the Massachusetts Attorney General's Office and Director of Data Privacy and Security in its Consumer Protection Division. On September 19th, our office filed the first State civil enforcement action against Equifax.
Our goal with our suit is to hold the company accountable for the harm it caused nearly 3 million of our consumers, approximately half of the adult population of our State, harm that, in our view, Equifax could have and should have prevented. We sued Equifax under our State Consumer Protection Act and our Data Breach and Data Security Laws, which are recognized as among the strongest in the Nation. We allege that this breach was foreseeable and preventable, but that Equifax failed to develop, implement, and maintain reasonable safeguards required by Massachusetts law to protect the sensitive personal data of the consumers it held in its systems, and presumably off which it profited. Because my time is short, I want to highlight one key point for the committee. While the Equifax breach may be notable for its scope and impact, it is not unique. Our experience strongly suggests to us that businesses large and small are not doing what they need to be doing to protect consumers' information from foreseeable threats. Over the last 10 years, since the Massachusetts Data Breach Notice Law went into effect, our office has received notice of over 19,000 data breach incidents impacting Massachusetts residents. In 2016 alone, we received notice of over 4,000 data breaches. This is 25 percent more than in 2015 and a nearly tenfold increase from 2008, the first full year that our breach law went into effect. Now, with this kind of volume, we can't possibly investigate every single breach. And I think it is worth noting that just because a company is breached does not necessarily mean that it did anything wrong or that it failed to have reasonable safeguards in place. But for the ones into which we take a closer look, it suggests to us that many of these breaches could have been prevented through reasonable, and indeed basic, security safeguards. 
To this day, we continue to see breaches impacting entities in every sector that result from the failure to employ basic security safeguards in compliance with Mass law. And just some of these are companies that don't even have a written information security program, much less follow the one that they have; companies that cut corners by using outdated and unsupported software; or companies hoarding vast amounts of sensitive consumer data in their network without a present or contemplated business need and leaving it unsecured. Now, to be sure, there are entities that do it right, but we are seeing far too often that entities are not treating consumers' information like the valuable asset it is. And that is even with the constant drumming of headlines about the risks of data breach incidents. And I will conclude to note that, in the case of Equifax, which was subject to both State and Federal law, even that law as it exists today was not enough to prevent this breach. And I would submit that any law that is proposed that is weaker than the law that we currently have today is worse than doing nothing for consumers. Thank you very much.

[The prepared statement of Ms. Cable can be found on page 28 of the Appendix.]

Mr. Budd. Thank you. Ms. McGee, you are now recognized for 3 minutes to give an oral presentation of your testimony.

STATEMENT OF KATHLEEN MCGEE

Ms. McGee. Thank you, Mr. Chairman, Madam Ranking Member, and other distinguished committee members. I am Kathleen McGee, Chief of the Bureau of Internet and Technology at the New York State Office of the Attorney General, Eric T. Schneiderman. Thanks for the opportunity to testify today. After learning about the Equifax breach, our office immediately launched an investigation. And while I cannot share the details of that ongoing investigation, suffice it to say, we are getting to the bottom of the Equifax breach and are working to ensure credit bureaus protect the sensitive consumer data that they hold.
States have had a central role in protecting consumers and their data for nearly 2 decades, as my written statements detail more fully. But in these remarks, I would like to make a few points regarding any Federal legislation. First, law must keep pace with the ever increasing rate of technological change. States have proven the ability to act quickly in that regard, and Congress should not limit States' ability to innovate in this area. Second, when it comes to enforcement, States occupy a leading role and must continue to do so. States together play a big role after major breaches like Target or Equifax, but less well-known are actions taken in response to smaller breaches that occur in the hundreds each year in New York and other States. Even under the best of circumstances, it is unlikely a Federal agency would be as responsive as the States to breaches involving local business and relatively small numbers of local consumers. These breaches may be smaller, but the victims are no less in need of law enforcement protection. Smaller breaches are the rule, not the exception. I respectfully urge this committee to ensure that any data security or breach legislation meets the following requirements, which we consider vital to protecting consumer data. First, any bill should not preempt State law. Indeed, it should expressly set a floor, not a ceiling on data security and breach response standards. Second, as with many other Federal consumer protection laws, Federal data security requirements must be enforceable by States, as well. And any Federal penalties must be recoverable by the States, as well. Third, if preemption is contemplated, the language must be drawn very carefully to avoid unintended consequences. Broad preemption language might be interpreted to set aside laws that concern personal privacy or computer crimes, causing serious public harm. 
In the meantime, as this body considers legislation and States continue to innovate, our office will continue to enforce data security protections on behalf of New Yorkers and to work with New York State's lawmakers to update our own protections. We very much appreciate your committee's efforts. And I thank you for your time today.

[The prepared statement of Ms. McGee can be found on page 99 of the Appendix.]

Mr. Budd. Thank you. Ms. Wu, you are now recognized for 3 minutes to give an oral presentation of your testimony.

STATEMENT OF CHI CHI WU

Ms. Wu. Mr. Chairman, Ranking Member Waters, and members of this committee, thank you for inviting me to testify today. I am testifying on behalf of the low-income clients of the National Consumer Law Center. NCLC has long advocated for the need to reform the U.S. credit reporting system. We have testified many times before Congress about the unacceptable error levels in credit reports--one in five consumers, with one in 20 having very serious errors--and the Kafkaesque methods that these companies use to handle disputes, creating an automated version of voicemail hell and always siding with the creditor or debt collector that provided the wrong information. These inaccuracies, the barriers consumers face in trying to fix errors, and the Equifax data breach all stem from the same origin: A corporate culture of impunity and arrogance, which you can also see by the fact that all three credit bureau CEOs failed to show up today. By now, you have probably heard the refrain that American consumers are not the customer, but rather the commodity of credit reporting agencies. We can't vote with our feet; we are captives. As a result, the credit reporting agencies get away with all sorts of abuses, cutting corners in personnel and systems, and failing to invest in doing things right.
A March 2017 report from the Consumer Financial Protection Bureau (CFPB) documented these issues, prompting Director Cordray to remark, ``We were surprised to find that their quality control systems were either rudimentary or virtually nonexistent.'' Now, a data company that underinvests in quality control for accuracy and compliance is likely to be the same company that will underinvest in information security. It all stems from the same attitude, ``Let's just see how much we can cut costs.'' And Equifax is not alone. We think Experian and TransUnion suffer from similar cultures. So what is to be done? One suggestion has been to give authority to the Consumer Bureau under the Gramm-Leach-Bliley Act to supervise for data security. And we completely agree with that. But just as critically, we believe Congress should enact wider reforms of the credit reporting industry. That is why we strongly support H.R. 3755 and we thank Ranking Member Waters for introducing it. H.R. 3755 would vastly improve the broken credit reporting system, increase accuracy, and help victims of abusive lending and overly punitive negative reporting practices. Another reform we need are free security freezes. Victims of Equifax's negligence shouldn't have to pay to protect themselves from the threat of ID theft. Equifax and TransUnion have offered free credit locks, but a lock isn't the same as a freeze. A lock isn't required by law so there is limited recourse if something goes wrong. Plus, Equifax and TransUnion could stop offering free locks at any moment. Also, TransUnion's lock requires consumers to agree to forced arbitration and receive targeted advertising. And by the way, last night's Senate vote nullifying the bureau's arbitration rule is only going to increase the culture of arrogance and impunity. And Experian isn't even offering free locks or free freezes. Thank you for the opportunity to testify and I look forward to your questions.

[The prepared statement of Ms. Wu can be found on page 124 of the Appendix.]

Mr. Budd. Thank you. Ms. Moy, you are now recognized for 3 minutes to give an oral presentation of your testimony.

STATEMENT OF LAURA MOY

Ms. Moy. Good afternoon, Mr. Chairman, Ranking Member Waters, and the members of the committee. Thank you so much for inviting me to testify. Consumers are frustrated, as I think many members of this committee are. We lack control over what happens with data about us. We lack control over who has access to information that we should be able to control: Information about our finances, health, and families; information about things we do in the supposed privacy of our own homes; information about where we go, who we speak to, and what we think; information that can be used to steal our identities, ruining our finances, and maybe even our employment. Congress cannot lead from behind in protecting consumers. A breach of sensitive data is a bell that cannot be un-rung. Consumers need better control and protections, closer regulatory oversight, stronger enforcement, and greater incentives for companies to do the absolute best they can to protect our information. And companies can do much better. The massive Equifax breach happened over the course of months because the company failed to patch a critical system vulnerability about which it had ample notice and failed to detect the breach once it was underway. I urge this committee to give full consideration to the policy recommendations advanced by my fellow witnesses today. In my limited time, I would like to offer a few key points. First, I agree with my co-panelists that preemption of State law is not the answer. States are the engines of reform, and State laws on data security, medical identity theft, and protection of biometric data are some examples of some of the critical innovations happening at the State level.
Federal legislation in this area should set a floor, not a ceiling, to allow for critically important State laws, especially those on data security and breach notification. But Federal legislation is needed. Federal legislation should avoid a so-called harm trigger that limits protection to potential financial harm. The breach of personal information is a serious harm in its own right. And consumers may suffer serious emotional or even physical harms or misuses of their personal information. Harm is not limited to financial harm alone. Federal legislation must also be sufficiently flexible so it covers information that is captured by emerging technology. We can't always forecast the next big threat, but unfortunately, we know that there will be one. Whether by continuing to allow States to increase protections on their own or establishing agency rulemaking authority to define covered information moving forward, Federal legislation must provide flexibility to meet new threats. Federal legislation should also include robust enforcement authority for both Federal and State regulators. Given the thousands of data breaches, and you just heard some of those numbers, in the thousands of data breaches reported each year, Federal authorities alone cannot protect consumers. State attorneys general and other State regulators must play a critical role. Thank you, and I look forward to your questions.

[The prepared statement of Ms. Moy can be found on page 103 of the Appendix.]

Mr. Budd. Thank you. Mr. Litt, you are now recognized for 3 minutes to give an oral presentation of your testimony.

STATEMENT OF MIKE LITT

Mr. Litt. Thank you, Mr. Chairman, Ranking Member--as a consumer advocate for U.S. PIRG, I appreciate the opportunity to discuss next steps after the Equifax breach. Equifax still has not provided or even clearly explained what is needed to fully protect consumers.
Once your information has been stolen, there is only one kind of ID theft that can be stopped before it happens. That is where somebody opens a credit account in your name. The way to prevent that is by blocking access to your credit reports with all three credit bureaus. It is beyond time for all consumers to have the right by law to control access to their credit reports with free credit freezes. In my written testimony, I explained how Equifax's TrustedID Premier product fails to fully protect consumers. I also highlight concerns with its forthcoming lifetime lock. Locks and freezes appear to function similarly in that they block access to your credit report. The bottom line is freezes are better because they are a right by law and not conditional on terms set by the credit bureaus. Also, creditors run credit checks with any one or a combination of credit bureaus, so it is important that you block access to your credit reports at all three bureaus. Getting a lock or a freeze at just one but not the others is basically like locking your front door, but leaving your garage and back doors wide open. All 50 States and D.C. have their own laws governing fees for freezes, temporary lifts, and permanent removals. There are approximately 158 million consumers in 42 States that must pay a fee between $3 to $10 per bureau. We did not give the credit bureaus permission to collect our information or sell it or, in the case of Equifax, to lose it. So why do we have to pay to control access to our reports? The PIRG has helped pass the first State freeze laws. Now we support Federal legislation that would set free freezes for all Americans as the floor. We also support legislation that would require freezes to be placed within 15 minutes of online and phone requests, as is the law in 10 States and D.C. States should be allowed to find even more ways of giving consumers control over access to their own reports. 
Federal legislation should not preempt or replace existing stronger State laws for privacy, breach notification, or data security, either. We also strongly support H.R. 3755, introduced by Ranking Member Waters. While the transfer of Fair Credit Reporting Act responsibilities to the consumer bureau has jumpstarted the compliance efforts of the big three credit bureaus, this bill will give required improvements. Thank you for your attention and for the opportunity to present my testimony. [The prepared statement of Mr. Litt can be found on page 90 of the Appendix.] Mr. Budd. Thank you. The Chair now recognizes the distinguished Ranking Member, Ms. Waters, for 5 minutes. Ms. Waters. Thank you very much, Mr. Chairman. It is unfortunate that the three CEOs for the major credit reporting agencies rejected the opportunity to discuss their business model and what actions Congress should consider in the wake of the Equifax data breach to better oversee the use of consumer data. So let me ask each of the panelists: Do consumers have sufficient control over the existing use of, and commercialization of, their data collected, maintained, and compiled by the largest consumer reporting agencies and other businesses? Let me just go down the line, start with Ms. Cable. Do they? Ms. Cable. Sure, thanks for the question. I would submit, no, they don't. Ms. McGee. I would submit that was a rhetorical question. No, they don't. Ms. Waters. Ms. Wu? Ms. Wu. Absolutely not. They need more control and protection. Ms. Waters. Ms. Moy? Ms. Moy. Absolutely not. And they are frustrated and asking for more. Ms. Waters. Mr. Litt? Mr. Litt. Absolutely not. They need that control. Ms. Waters. OK. I would like to go back to each of you and ask you if you could briefly mention maybe one action Congress should take with respect to the oversight of consumer reporting agencies, to empower consumers to have better control of their personal information? Just one thing, each of you, starting with Ms. 
Cable. Ms. Cable. I could say under State law in Massachusetts, our legislators have proposed a bill that would require entities seeking a credit report to get the consumer's written consent before they do so. Ms. Waters. All right. Ms. McGee. I think New York's big focus here is on transparency and acknowledgment that the consumer understands what data is being collected about her and how it is being used. Ms. Waters. Thank you. Ms. Wu? Ms. Wu. We would advocate for free credit freezes or even freezes by default, also a strong Consumer Financial Protection Bureau and the ability of the bureau to supervise for data security. Ms. Waters. Ms. Moy? Ms. Moy. I think that many companies know what they ought to be doing on data security and they are not doing it. And I think that we need stronger enforcement authority accompanied by civil penalties. Ms. Waters. OK. Mr. Litt? Mr. Litt. It is time for consumers across the entire country to have the right to control access to their credit reports with free credit freezes. Ms. Waters. Thank you so very much. I think Ms. Wu mentioned that you are familiar with the bill that I introduced. And we tried to address those issues, each of those issues that you have identified. I have one other that concerns me greatly, and that is the use of this data, individuals' data in employment efforts that are being made. An individual applies for a job and the job requires that they check their credit, that their credit be checked. Do you think that credit information should be used in employment efforts? Ms. Wu? Ms. Wu. I do not think credit reports should be used in employment, except for very, very, very narrow circumstances. I absolutely support the provision in H.R. 3755 to severely restrict the use of credit reports in employment. It is bizarre. Somebody loses their job, they can't pay their bills, and their inability to pay their bills means they can't get another job. And credit has nothing to do with your ability to perform a job. 
Ms. Waters. Thank you. And let me ask Ms. McGee. We have tried to reduce the time that negative information stays on your credit report. What do you think about that?
Ms. McGee. We support that. We supported that provision in the National Consumer Assistance Plan that we agreed upon with the three credit reporting agencies. And we see that H.R. 3755 provides some very robust protections with respect to consumers. We support that.
Ms. Waters. Thank you. Ms. Moy, what else can we do to ensure that consumers have access to their credit information? How often should they be able to get it? How should the bureaus respond to the request for information that they have collected on you?
Ms. Moy. So I agree with what others have said, that freezes ought to be something that consumers can have on an ongoing basis and for free. I also think that while one credit report annually is a place to start, I think that--particularly if credit reports are being accessed by folks, by entities without the consent of the consumer, and particularly if they are being accessed for purposes such as employment--then consumers ought have access to their credit report on an ongoing basis, not just a view into it once a year.
Ms. Waters. Thank you. Mr. Litt, many people are wondering what they can do to protect themselves who are victims of the breaches that have taken place. What about credit freezes? Should they be charged? And if they are charged, how long should that charge continue, like with Equifax?
Mr. Litt. Yes, consumers should not be charged to have access to their own credit reports or to control access to their own credit reports, which is really the only way to protect yourself from new account identity fraud, which is the only kind of identity theft that can actually be prevented once your information is out there. Unfortunately, there are far too many Americans who have to pay a fee between $3 to $10 per bureau, and that should stop.
Ms. Waters. Thank you.
I yield back the balance of my time.
Mr. Budd. Chair now recognizes the gentlelady from New York, Mrs. Maloney, for 5 minutes.
Mrs. Maloney. Thank you. I want to thank the Ranking Member for looking out for consumers and calling this important Oversight Committee. I would first like to ask Ms. Wu, as you know, one of the reasons why the Equifax breach was so bad was that the information that was stolen included the Social Security numbers and the date of birth for over 145 million people. That is half the population of this country. And both of these materials are critical pieces of identification that cannot be changed. And this is a huge problem for 145 million people. Now, some people have suggested that we should move away from using the Social Security numbers as a key piece of identifying information and start using unique ID numbers that are more easily changeable. Do you think that would be helpful? And if so, what do you think should be in charge of coming up with new ID numbers that would replace Social Security numbers? And that is the question for Ms. Wu.
Ms. Wu. Thank you for the question, Congresswoman Maloney. The fundamental issue with the case of the Social Security Number is it is used as a verifier, not as an identifier, or both as a verifier and an identifier. It is like using your e-mail address as your password. That number shouldn't be serving two roles. You do need a number, some sort of identifier number for credit reports--just make sure you've got the right person. And in fact, what we have criticized credit reporting agencies for years was using partial Social Security numbers to match people because that results in things like mixing two people's credit files up. But you do need better ways to verify that someone is who they say they are. And, I suggest that an entity like the Consumer Bureau is a good one to start figuring out those issues.
Mrs. Maloney. OK, thank you.
Now, as you know, Equifax was covered by the Fair Trade Commission Safeguards Rule, and this is intended to ensure the security and confidentiality of this sensitive information. Now, I happen to think that Safeguards Rule is one of the strongest data security rules out there. It is the same rule that banks and credit unions are subject to and has largely been successful since it was first established by this body in 2002. And I think Equifax blatantly violated the Safeguards Rule by not having an information security system in place that can identify reasonably foreseeable risks. And in this case, they were notified. They were notified by the Homeland Security Department that there was this type of weakness in the system. The other two groups caught it. They didn't even bother to correct it. So I want to ask you, if the Safeguards Rule had been properly enforced and implemented by the FTC, then the Equifax hacks shouldn't have happened in the first place. But it is also possible that we need to look at updating the Safeguards Rule in light of the breach. So, Ms. Moy, and I would like to follow it with Mr. Litt, what are your thoughts on this? Do you think we need to update the Safeguards Rule or do you think we just need to ensure that the rule is properly enforced? Obviously, Equifax did not enforce this rule even when they were notified that this type of breach would happen. So, first, Ms. Moy, and then I would like Mr. Litt to answer, too.
Ms. Moy. Thank you. That is an excellent question. And, as I said before, I think a lot of times companies know what they need to do and they are just not doing it. And it seems that that was in fact a case with the Equifax breach. As you mentioned, they were notified of the critical vulnerability in Apache Struts back in March and failed to, by DHS. But I will just say I do think that it is time to take a look, at least, at updating the Safeguards Rule. For example, it could explicitly mention encryption.
Mrs. Maloney.
Yes or no, because my time is running out, Mr. Litt, should we update the Safeguards Rule?
Mr. Litt. Yes, we should finish updating the Safeguards Rule.
Mrs. Maloney. OK. Now, I would also like to ask you, in light of Equifax's decision to wait a full 6 weeks to notify the public of the breach, do you think that part of the problem is that there is no explicit data breach notification provision or requirement in the Gramm-Leach-Bliley Act?
Mr. Litt. We believe that any kind of Federal legislation would need to set a floor and not preempt stronger existing State laws.
Mrs. Maloney. OK. Ms. Moy, what do you think?
Ms. Moy. So I think many consumers do feel at the point where they get notification, it is too late. That said, I do think that folks ought to know that their information was breached.
Mrs. Maloney. My time is expired. Thank you very much.
Mr. Budd. Thank you. The Chair now recognizes the gentleman from California, Mr. Sherman, for 5 minutes.
Mr. Sherman. Mr. Chairman, we have had a tradition in this committee room of every Republican member putting the national debt clock up while they had their time. Earlier today, that seems to have been suspended, and the only member to put up the national debt clock during hearings we had earlier today was myself. Are you familiar as to why this change was made? Does it have anything to do with a budget resolution we are voting on tomorrow that will add a couple of trillion dollars to that debt clock? I yield to the Chairman.
Mr. Budd. I yield without comment back to the gentleman from California.
Mr. Sherman. The gentleman's response is instructive. In an effort to stay true to Chairman Hensarling's commitment to a balanced budget, I will continue to have the national debt clock up during my 5 minutes. Not that I don't think the graphics presented by our Ranking Member aren't excellent, I know that they will be up during much of today's hearing.
I will point out I have added two things that I would commend to Chairman Hensarling. One is to add to the fact that the Republican tax cut will add $150 billion to $200 billion. And this committee has played a role in pressuring the Fed to abandon quantitative easing, and that will add another $80 billion to $100 billion a year to our national debt. So while the flame of fiscal responsibility may have been blown out of one side of the room, the flame continues to flicker on this side. Mr. Litt, people are talking about locking versus freezing. And you pointed out that if you are going to do either, you have to do it with all three credit rating agencies. Equifax says they will do one for free. Will they pay the fee, though, to the other two credit rating agencies to lock or freeze your credit? Or is that on the consumer?
Mr. Litt. Disappointingly, they have not said whether they will do that or not, and they are calling on TransUnion and Experian to offer free locks. And so they are not paying for that.
Mr. Sherman. OK, so they are the ones that screwed up.
Mr. Litt. Exactly.
Mr. Sherman. So their competitors should pay the cost. My God, it is as if my locksmith lost my key and he will provide a new lock to my front door, and then he calls upon competing locksmiths to provide me with a replacement for my back and side doors. That is amazing. I will ask the representative for the New York Attorney General's Office, is there an effort to hold Equifax accountable and sue them for whatever consumers have to pay, or better yet, to establish a fund that would fund consumers locking or freezing their credit with the other two agencies?
Ms. McGee. As I mentioned earlier, we are pursuing an investigation, so I am not going to comment on relief that we might seek, except to say that we are seeking full relief for New York consumers as Massachusetts is seeking full relief for their consumers. And we are looking at the full system.
We have publicly called in Equifax and their competitors, as well, to understand the system better and to see whether or not there could be structural changes.
Mr. Sherman. Thank you. So as soon as Mr. Hensarling will cosponsor the bill, I will introduce legislation to say that if you have a data breach where you have even advised people that they need to buy three locks, that you have to provide one of the locks for free and pay for the other two. To say that Equifax should call upon its competitors to do this for free, perhaps there could be some reduced cost, but as things stand now, though, Mr. Litt, if I want to implement Equifax's suggestions, I go to Equifax and I freeze or lock my file, and then I pay money out of my own pocket to freeze or lock at the other two agencies. Is that correct?
Mr. Litt. That is right.
Mr. Sherman. I yield back.
Mr. Budd. Chair now recognizes the gentleman from New York, Mr. Meeks, for 5 minutes.
Mr. Meeks. Thank you, Mr. Chairman. You know, indeed, this is a sad day, I think, for consumers. Let me start out that way. I have to start out by saying, first, I am disappointed but not surprised at all, even though it is not directly related to this hearing, that my Republican colleagues in the Senate along with the assistance of the Vice President of the United States and the White House decided to roll back consumers' access to the courts in favor of the most powerful players in Washington, D.C. Bad day for consumers. Instead of protecting options for consumers, i.e., consumers who are merely seeking a recourse for the wrongs done to them, my Republican colleagues have opted to limit choice and force consumers into unfair arbitration agreements that stack the cards against them.
I am also concerned that I think it is unprecedented that you have a person who is serving on an acting basis for the OCC decided to insert himself in this debate, and I believe placed inappropriate political pressure on what is supposed to be an independent CFPB. And I just have to take this opportunity to remind people that an independent CFPB was not there prior to the 2008 crisis. In fact, there was no agency focused primarily on the consumer. And sure, we had banking regulators responsible for ensuring institutions operated with prudence and in a proper way. However, we had no single player at bat for the consumer. So we created this independent Consumer Financial Protection Bureau that this Administration and my Republican colleagues continue to undercut and undermine with little regard for the consumer and the underdog. So, regarding today's hearing, I am further disappointed that Equifax refused to appear before this committee again. And I believe that avoiding responsibility is a proven failed strategy in Washington, D.C. As we saw with, and has happened in this committee before, when the Enron executive that pled the Fifth before Congress, and the Wells Fargo's past CEO who failed to acknowledge his poor oversight. And then we had Equifax's prior CEO come in here, he said is no longer with Equifax and so the individuals who are now in charge of Equifax, they, in fact, have not been before this committee yet. It was bad advice then and it is bad advice now. Furthermore, I hope that Equifax can correct the Congressional Record, because when this former employee was before this body at our last hearing, he suggested to me that Equifax had a breach response plan that was tested prior to its May incident. A recent Wall Street Journal report alleges just the opposite. Therefore, I am very concerned that Equifax's former CEO potentially made misstatements before this committee. 
I hope he is not getting in the habit of the 45th President, who continues to make misstatements whenever he speaks. The Wall Street Journal reported the following: Equifax was ill-prepared to face the increasing frequency of data breaches and that a review of the company found, and I quote, no evidence of regular cybersecurity audits, or an emergency plan to respond to an intrusion. So I sent a letter to Equifax to correct the Congressional Record. I have yet to hear back from them. Now, I am going to ask my friend--I know that we have Kathleen McGee here who is from my friend Attorney General Schneiderman's office. Let me just ask you, real quickly, in what ways can States help get institutions to a place where they are better prepared for the next breach? What are you doing in New York? And what can we utilize nationally to help make sure this never happens again?
Ms. McGee. Thank you. Across this country, 48 States and territories, all the territories, have data security laws in place. We are the incubators and the innovators for the frontlines for innovation and data technology. We are the gatekeepers. We innovate and protect consumers on the ground. We should not be superseded or preempted by a Federal law. And we would encourage that this body consider establishing a stricter floor, not a ceiling, if it considers passing a national standard. Look to the States for the innovation. New York has good suggestions, Massachusetts. California was an innovator passing the initial law back in 2002. So we would suggest you look to the States first. Thank you.
Mr. Budd. Thank you. The gentleman from California is well aware, the debt clock is traditionally used only at full committee hearings. And my Democratic colleagues previously requested we not display it during their questioning time. Also, members are reminded not to engage in personalities. The Chair now recognizes the gentleman from Georgia, Mr. Scott, for 5 minutes.
Mr. Scott. Well, thank you very much, Mr.
Chairman. First of all, I wanted to commend our Ranking Member, Ms. Waters, for putting this hearing together. And then, second, I am the Georgia Congressman representing Equifax. And I can't tell you how disappointed, I can't tell you how insulting, I can't tell you how just downright rabid that they are making me as a Georgia Congressman. Now, with this terrible breach, impacting 145 million people--and first, they send up here to speak to us the former CEO. How, I ask these panelists, do you think--and the American people--that we can even begin to fix this problem if these bone-headed executives and current CEO will refuse to come before Congress and to answer questions? How can they expect to get a seat at the table? How can we respond to the American people? Some of these American people don't even know what Equifax does or these credit agencies. Their lives are impacted in a very negative way. And yet they will refuse to come before Congress. Now, they may be thinking that they are sticking it to Members of Congress, but when you violate Members of Congress, when you insult Members of Congress, when you disrespect Members of Congress, you are insulting and disrespecting the American people. We speak for them. And for them to do this is a dastardly deed. And I hope, Ms. Waters, that you will pursue my request that we had yesterday evening to ask for a subpoena. That will get their lazy asses up here and respond to the American people. Now, I apologize for anybody that feels I have offended you with that, but I meant it. That is what they are. And until they are sitting in that chair, we have to hold Equifax accountable. Let me tell you what they did. Do you know what they did? In March, they brought evidence of the leak. They also brought a way to fix the leak, with a patch, and they refused. The CEO at that time, Mr. Smith, said that he found out on July 1st. 
And then, the most dastardly deed of all that they did was they went 24 hours later and sold $2 million in stock, and not just anybody, their three top executives, led by their chief financial officer. And you mean to tell me that nobody is looking at this as insider trading? This is one of the most despicable, shameful acts of financial mismanagement in the history of these United States. And for them not to come before this Congress and answer these questions, the people who will run the company, is a total disrespect. And not only that, it is highly un-American. And it is not something that I will accept. Ms. Wu, I want to ask you this. Tell me, the American people need to know, will they be having to look beyond their shoulders, looking around corners worried for the rest of their lives because they don't know who has their Social Security, they don't know who has their birth--these are vital pieces of information. Is that what we have to look forward to? Could you please answer that?
Ms. Wu. Unfortunately, the answer is yes. We will all be looking over our shoulders for the rest of our lives.
Mr. Scott. Thank you.
Mr. Budd. Gentleman's time has expired. Chair now recognizes the gentleman from Texas, Mr. Green, for 5 minutes.
Mr. Green. Thank you, Mr. Chairman. I especially want to thank the Ranking Member for her energy and effort to cause this hearing to take place. Equifax is in a unique position. They collect information on consumers without consent. They don't have to have your consent to collect your information. Once they collect the information, they seem to think that they can handle it with impunity. If there is negligence or if there is some reason for a security breach that might cause litigation in ordinary circumstances, Equifax seems to think that arbitration is the methodology by which a dispute should be resolved.
It causes me great concern to know that Equifax and many other companies, especially banks, are being aided and abetted by Congress, because Congress, yesterday, the Senate more specifically, decided to eliminate the consumer protection rule that would allow consumers to litigate as opposed to go to arbitration. This is an unbelievable circumstance. And I am interested in comments from members of the panel on your position as it relates to arbitration, especially with a company that collects information without your permission. Let's start with our very first panelist, if you would please, ma'am.
Ms. Cable. Thank you for question. I think it is safe to say our office's position is that we are disappointed in the developments of yesterday. I think it is a big step back for consumers. I think the unfairness in the Equifax matter is patently obvious to anyone. And it is one of the big reasons why, as a State attorney general, we are working so hard to hold Equifax accountable for this. And to circle back on how we hold Equifax accountable here, I think money talks. Without getting to the specifics of what we may or may not request in litigation, our Consumer Protection Act authorizes us to ask the court to award us up to $5,000 per violation. There are at least 3 million violations in Massachusetts. And so we think the State attorney generals are uniquely positioned and, in light of yesterday's development, may be a very few of the entities still positioned to hold Equifax accountable in the court of law.
Mr. Green. Ms. Cable, if you would please, I detected a moment of candor. You said money talks. Kindly explain, please.
Ms. Cable. I think a way to get the attention of a company like Equifax is to--how do I say this--require them to internalize the costs of this breach that they seem so eager to externalize onto the American public.
Mr. Green. And how does one go about this, please?
Ms. Cable.
In our litigation under State consumer protection law, we can seek civil penalties, as I mentioned, up to $5,000 per violation. We are also authorized to seek consumer restitution for ascertainable losses that consumers suffer. We are also authorized under our law to have the court impose permanent injunctive relief to improve security procedures and other appropriate relief to make consumers whole. Certainly, all of those are on the table in our litigation.
Mr. Green. Ms. Wu, please. Yes.
Ms. Wu. So, absolutely, consumers were the losers in the vote last night. And any Republican who voted for getting rid of the arbitration rule, and yet criticized Equifax, was a hypocrite, because Equifax will greatly benefit from what happened last night. Not only because they will be able to immunize themselves from liability over things like credit monitoring products, but because they can actually put in arbitration agreements--for these locks, for example, that they are offering, so-called, for free--that you have to agree to arbitration. And they can put things in those arbitration agreements like ``You will never sue us under the Fair Credit Reporting Act, no matter how badly we mess up your credit report.'' So the American people are definitely the losers.
Mr. Green. Mr. Litt, please.
Mr. Litt. There were already concerns with locks, because TransUnion and Experian require consumers to give up their rights to a day in court. So last night's vote, unfortunately, makes things even more problematic.
Mr. Green. Thank you very much. I yield back the balance of my time.
Mr. Rothfus [presiding]. Gentleman yields back. The Chair recognizes the gentleman from Michigan, Mr. Kildee, for 5 minutes.
Mr. Kildee. Thank you, Mr. Chairman, and again to the Ranking Member, thank you for arranging this hearing. I am really grateful for the panel for being here. This has been really helpful.
Like probably all of my colleagues, I received a lot of complaints about this breach, and particularly about the way customers were treated by Equifax as they tried to, somehow, figure this out and manage it. So I want to tell the story of an individual from my district. His name is Jim. He is from Linden, Michigan. It is a small town outside of my hometown of Flint. He is a grandfather. He has got five grandchildren. He is a retired banker. He spent his whole career working with credit reporting agencies. He understands exactly how they operate. When he heard about this breach, Jim went to the Equifax website to see if his information had been released, had been stolen, in effect, which it had been. So he, like many, decided he would freeze his credit as a precautionary measure. So in navigating through their website, he wound up not on the page to freeze his credit, but on the page where Equifax offered, for purchase, its product to protect his identity online. I am sure you understand the irony in landing on that page. Realizing the error, Jim got on the phone. He called Equifax. He wanted to correct the problem. It took him over an hour on the phone with two different individuals, two different call centers, finally to resolve that issue. He was also to freeze his wife's credit, but Equifax charged him $20 to do so. So he reached out to my office, wanted to make a consumer complaint regarding Equifax. We were able to intervene, get his money refunded. But his biggest complaint was that Equifax made it so hard for him to deal with an issue that was not his fault and, in fact, was their fault. This guy is a retired banker. He is tech savvy. He understands customer service; he understands how to navigate a website. He couldn't do it without our help. Not everybody can do that. Not everybody has the presence of mind to call their Member of Congress. And Lord knows, there is no way we could deal with 145 million of these complaints. 
So my concern is, what happens to those folks who don't know who to call, who don't know where to go? How do they protect themselves? And so I guess I would ask just for any of the panelists who might want to offer, what do we tell our constituents? How do they protect themselves from something like this? I mean, what happened with Jim, who knows what the other consequences might be, but the frustration he had--and without our help he would be paying them to fix a problem that they created, let alone the potential of economic ruin that he could have faced as a result of this data being lost and being essentially stolen. What do we tell our constituents? How they protect themselves?
Ms. Wu. So, thank you for the question and the story, Congressman Kildee. Unfortunately your constituent is not alone. We have heard of many other stories where consumers had trouble getting freezes and end up actually getting not only a lock product, but a paid lock product. They ended up having to pay for it and of course agree to arbitration, which is now going to prevent them from bringing lawsuits. It is a terrible situation. All I can say is that they should try to keep working on getting those freezes. If they can't get them, they should complain not only to their Member of Congress and their attorney general's office, but to the Consumer Financial Protection Bureau, which has sometimes had success in dealing with these complaints and getting people's money back. But that points to the fact we need a strong Consumer Bureau. If we don't have a strong Consumer Bureau, even the little bit of progress we have made in terms of improving accuracy and dispute handling, because the Consumer Bureau can supervise these folks and get into their systems, is going to be lost. And this is the culture of impunity I am telling you about that I said. You know, this is not just an accident.
They deliberately pushed people toward their locks and their paid products when people try to find the freezes.
Mr. Kildee. Thank you.
Mr. Litt. If I may, a default freeze would actually take care of people if they didn't know that they had to opt in for one. But there should be no barriers, including costs. So, at the very least, freezes should be free to place, as well as to lift.
Ms. Moy. You make the point that the consumers who will lose out the most from a breach like this are those who lack the resources in time or in money to figure out how to protect themselves, and that is a problem that absolutely must be addressed.
Mr. Kildee. Thank you. My time is expired. I thank the panel, again, and I thank the Ranking Member for arranging this hearing. It is very important. Thank you.
Mr. Rothfus. Gentleman's time is expired. The Chair recognizes the gentleman from Nevada, Mr. Kihuen, for 5 minutes.
Mr. Kihuen. Thank you, Mr. Chairman, and thank you, Madam Ranking Member, for organizing this hearing, and thank you to all of you for being here and for your testimony. Mr. Litt, I have a question, and maybe for the rest of panelists as well. Given that half of the population of the U.S. had their Social Security numbers exposed as part of this recent breach, do you find it troubling that such numbers are still being used by Equifax to authenticate consumers requesting freezes, copies of credit reports, and other products and services offered by the consumer reporting agencies?
Mr. Litt. Yes, it is troubling. While the other authentication questions do serve as added security, Social Security numbers were never meant to be used as identifiers to begin with. And so this also raises the question for looking into transition into a new system.
Mr. Kihuen. What would a new system look like, in your opinion?
Mr. Litt.
Well, we would look at things like two-factor authentication as a place to start, and then I think that we are encouraged and hopeful that Congress would look into ways to transition, as well.
Mr. Kihuen. Thank you. Anybody else want to answer?
Ms. Wu. Thank you for the question, Congressman. As I said earlier, the problem is the use of the Social Security number as the verifier to say that you are who you are. You do need some sort of identification number, and whether it is a Social Security number, or something else, you need a unique item to distinguish between consumers. The former CEO of Equifax, his name is Richard Smith, and you need to be able to figure out which Richard Smith you are dealing with. The problem is, you are also using the Social Security number as the verifier. So, you input that number and then the system tells me, OK, you are the real Richard Smith. And that is the problem. We need other ways of verifying someone's identity.
Mr. Kihuen. Thank you. And I have a follow up on that, Ms. Wu. In your testimony, you described this breach as one of the worst, if not the worst, breaches in American history. Apart from the total number of consumers impacted, what else makes this the worst in American history?
Ms. Wu. Well, the reason why this breach is probably one of the worst in American history is because of the type of information that is stolen, because it was Social Security numbers and dates of birth, and in some cases, driver's licenses. This is the crown jewel of information that can be used for ID theft. Other breaches involved your e-mail and password. Well, you can change your e-mail address. You can change your password. Your credit card number, you know, Target involved a lot of credit card numbers. You can get a new credit card number. It is almost impossible to change your Social Security number. It is very hard. And you can't change your date of birth. So this is going to haunt us forever.
This is going to increase the risk of identity theft for half the American population for the rest of their lives. And that is what makes it so terrible.
Mr. Kihuen. Thank you. I think you answered my other question that, how long are consumers likely to be at risk? So you were talking about for the rest of their life. So half of the American population who has been impacted by this is now at risk for the rest of their life because of this breach?
Ms. Wu. Yes, that is right. And the best we can do is try to mitigate it by telling people to put freezes on their credit reports. And that is why, at least those freezes should be free. And I agree with Mr. Litt, they should be by default. That would help a lot to prevent identity theft.
Mr. Kihuen. Thank you. And, Ms. Cable, I do have a very quick question. Immediately following the announcement of the breach, Massachusetts launched an investigation and filed a lawsuit against the company. While I understand that you cannot comment on the status of the case, as the matter is still ongoing, can you provide a high-level overview of allegations your office is making in the privacy and data security and privacy protections that Massachusetts residents are entitled to under the law, State law?
Ms. Cable. Absolutely, Congressman. So the facts underlying our complaint are the facts that I think this committee has heard before. Equifax had this information. In March, it learned that it had a vulnerable software in place in its public-facing website. There was a patch available. It was aware of it. It failed to implement it. I think, importantly, it also failed in other respects. It failed to detect the presence of hackers in its network. I have seen reports that the hackers got in, in March. They didn't notice it until the end of July. So over 4 months, somehow they didn't know that there were thieves in their network. And another point is, they didn't realize that this data, 145 million person's information, was compromised.
I think that calls into question, and we have raised it in our complaints, serious questions of who was minding the store, putting the patch issue aside. As I mentioned, we sued under our State data security regulations. And I will just highlight some of the regulations that are at issue in this case, to give you a sense of what our law provides. We allege Equifax failed to identify and assess reasonably foreseeable risks to the security of its information. It failed to evaluate and improve its existing safeguards.

Mr. Rothfus. The gentleman's time has expired.

Mr. Kihuen. Thank you, Mr. Chairman.

Mr. Rothfus. The Chair recognizes the gentleman from Texas, Mr. Gonzalez, for 5 minutes.

Mr. Gonzalez. Thank you, Mr. Chairman, and thank you, Ranking Member Waters. Well, as a trial lawyer who represented consumers for 20 years, I certainly believe Equifax should be held liable and punished for their negligence. But knowing what we know now, with the multiple breaches from the credit reporting agency--and I guess this question would go to Ms. McGee and Ms. Cable--would you support a direct cause of action against Equifax by consumers?

Ms. McGee. I will answer by saying, first of all, New York State law does not have under our data protection law an independent cause of action for consumers. It is not our intent to open that up, but that does then directly turn me to the arbitration issue, which is--for New York, when we saw that arbitration was going to be a barrier to justice for consumers who are trying to seek redress from the very entity that they had placed their sort of last hope when they traditionally had a data breach and now were victimized by that actual entity and then forced into an arbitration clause, if they wanted to avail themselves of any relief, we acted quickly to seek redress and the arbitration clause was removed. It poses a real problem when consumers are hobbled in seeking rights in consumer protection because of these arbitration clauses.
Our offices come out very strongly in statements condemning yesterday's decision and in other forced arbitration clauses, and that is a real problem.

Mr. Gonzalez. But do you believe that they should have the capacity to bring their own claims?

Ms. McGee. At this point, under New York law, we don't. We don't provide that redress under New York law--

Mr. Gonzalez. Do you think it is a good idea?

Ms. McGee. I think that, under certain circumstances, class actions can provide a way for a sea of change under law and can provide another way for companies to change the way that they do business. So as a generic matter, I personally don't think that it is a bad idea. But right now, I don't see any way in New York for there to be a change in that.

Mr. Gonzalez. Fair enough. I guess the next question is to anyone on the panel is, how are we quantifying the damages? It seems like we can't get to that number anytime soon. How do we get there? At some point, how do we protect folks who had their information stolen from them? And it seems like it is just--we are looking into a crystal ball and we don't know where the end is. How would you address that, Ms. Cable?

Ms. Cable. I certainly, as a fellow litigator, appreciate that question. And speaking in generalities, in Massachusetts, one measure of damages--and certainly not the only--is the cost of placing, temporary lifting, and permanently lifting a security freeze. To do all three of those actions in Massachusetts would cost a consumer $15 at one of the three bureaus, so $45 at all three. Three million consumers in Massachusetts, presumably, had to pay that cost, and so I think that comes out to $135 million in Massachusetts alone. That is just one small measure that doesn't count identity theft or other forms of financial fraud that, as my co-panelists have highlighted, is very likely to occur here.
I think establishing damages that may not have happened yet is either impossible or impracticable as a matter of law and it is what it is. I think one solution would be establishing minimum statutory damages and allowing the consumer to seek either the higher of the actual or the minimum. I think the law can advance this issue forward by establishing some kind of measure for damages here.

Mr. Gonzalez. Very well. And the reason I say that is because $5,000 just seems nothing compared to some people can be damaged at such a high value. I guess my next question, and I hate to pick on all the lawyers, but I will address Ms. Moy. Which State has the most stringent protection for data breaches in the country?

Ms. Moy. So, again, with breaches, I think that when it comes to notification, many consumers feel that it is too late. So that the laws to look at for really strong protection for consumers are going to be the data security laws. And some at this table have good ones. Massachusetts has a very strong one. New York has new cybersecurity regulations. Connecticut also recently has a good law, and Illinois. California, of course, is a good one to look at. Texas, actually, is an interesting State because it covers a broad set of information.

Mr. Gonzalez. Which is changing, by the way. I don't know if you followed this last legislative session.

Ms. McGee. I am not aware of the changes. I will have to look into that.

Mr. Gonzalez. Under DTPA--and consumer laws have been watered down recently. But I am curious--and you just told us--you just mentioned a few States that do have good laws. What States would you say do not? And I guess my time is up. Thank you very much.

Mr. Rothfus. The gentleman's time is expired. The Chair recognizes the gentlewoman from Ohio, Mrs. Beatty, for 5 minutes.

Mrs. Beatty. Thank you, Mr. Chairman. And thank you to our Ranking Member, Congresswoman Waters.
I really appreciate us having an opportunity to have this dialog and to have it with you as our eyewitnesses. And I don't want to take my time to repeat everything that has been said. But let me certainly echo the displeasure that we have that Equifax could not be here, chose not to be here, chose not to sit and respond to something that has affected 143-plus-million individuals. I find that appalling that they are ignoring a request to come before this committee. I am also saying, Mr. Chairman, I am disappointed that we don't have seats across the aisle filled. This is not a partisan issue. This is not about Democrats. This is about 143 million people having their entire life disrupted because of a company that had had some 57,000 complaints about misinformation, about inaccuracies on their credit reports. And I am as upset as anyone else, because I tried to work with them. I actually offered a bill in the last session, and in this session, and if they would have spent more time working with me than against the bill that would allow consumers to get a free credit report, it would have been helpful. But they didn't want to get a free credit score, because it is one thing to say, OK, once a year, we have a law now that you can get your annual report. But what happens when you go in to buy a home? What happens when they ask you what is your credit score? And they did not want to even do it once a year to give them a free credit score. And so, I hope someone plays this tape back to them so they can understand that we represent hard-working Americans. We represent people who want to have a better future. And when you have the breaches that they have had and you don't come to the table to respond to it, that is simply unacceptable. I guess, as I am sitting here today, I believe one of the ways we can really get companies to focus on cybersecurity is to put in place a system where there is a monetary penalty for each person's data that is breached. 
You know, let them feel some of the consequences that 143 million people are experiencing. When you think about--we have the data up here--one out of five consumers has had an error on their report. So there were already issues with them. There were already things that they knew that this could be a possibility, and what did they do? They ignored it. That is unacceptable. So, let me ask you, what do you think about putting a penalty in where the Equifaxes or future Equifaxes would have to pay that? And what should that number be? Should it be $1,000, should it be $5,000, should it be a greater number? Ms. Wu?

Ms. Wu. Well, thank you, Congresswoman Beatty, and thank you for the question. And I completely agree there should be some sort of penalty when companies lose our data. You know, it is unacceptable. And in addition to the types of damages that Ms. Cable talked about, in terms of freezes and lifting, there is time spent, there is aggravation, there is being upset that your information is out there with thieves and you are potentially a victim next. And that should all be compensated. You know, the maximum statutory damages under the Fair Credit Reporting Act is $1,000. That was 40 years ago. It probably should be a lot greater than that.

Mrs. Beatty. So should we be looking at legislation to make that number more in line with today's cost of living?

Ms. Wu. Well, certainly increasing the statutory damages is something we would be in favor of. And as you know, there was the bill just the same day that Equifax announced its breach, there was a hearing on a bill to reduce those damages under the Fair Credit Reporting Act.

Mrs. Beatty. Well, I think my time is up. So, Mr. Chairman, I yield back.

Mr. Rothfus. The gentlewoman yields back. The Chair recognizes the Ranking Member for unanimous consent requests.

Ms. Waters. Thank you very much. I have a number of them, Mr. Chairman.
I have 31 communications in support of 3755, the Comprehensive Consumer Credit Reporting Reform Act. We have--

Mr. Rothfus. Without objection.

Ms. Waters. --thank you--testimony that was written and sent to us today from Consumers Union.

Mr. Rothfus. Without objection.

Ms. Waters. Two such documents.

Mr. Rothfus. Without objection.

Ms. Waters. I have ``Equifax Grip on Mortgage Data Squeezes Smaller Rivals'' from the New York Times.

Mr. Rothfus. Without objection.

Ms. Waters. From Salon, I have a communication.

Mr. Rothfus. Without objection.

Ms. Waters. ``Equifax Grip on Mortgage Data Squeezes Smaller Rivals,'' another one from the New York Times.

Mr. Rothfus. Without objection.

Ms. Waters. Written questions for the record submitted by Democratic members for October 5th, Equifax hearing.

Mr. Rothfus. Without objection.

Ms. Waters. Written statement asked to be submitted by FICO to this hearing.

Mr. Rothfus. Without objection.

Ms. Waters. Press statement was released from CFPB, ``Supervisory Highlights Focused on Problems Discovered with Credit Bureaus.''

Mr. Rothfus. Without objection.

Ms. Waters. Written statements for the record from the first Equifax hearing on October 5th.

Mr. Rothfus. Without objection.

Ms. Waters. And information on CFPB's website about ID theft tools available to consumers.

Mr. Rothfus. Without objection.

Ms. Waters. Thank you very much. I yield back.

Mr. Rothfus. There being no members remaining to question the panel, this concluded today's hearing. Without objection, all members will have 5 legislative days within which to submit additional written questions for the witnesses to the Chair, which will be forwarded to the witnesses for their response. I ask our witnesses to please respond as promptly as you are able. This hearing is adjourned. Thank you.

[Whereupon, at 3:42 p.m., the committee was adjourned.]

A P P E N D I X

October 25, 2017