[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
                   EXAMINING THE EQUIFAX DATA BREACH, 
                              CONTINUATION

=======================================================================

                                HEARING

                               BEFORE THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 25, 2017

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 115-50

                                   ______

                     U.S. GOVERNMENT PUBLISHING OFFICE

30-339 PDF                WASHINGTON : 2018
                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    JEB HENSARLING, Texas, Chairman

PATRICK T. McHENRY, North Carolina,  MAXINE WATERS, California, Ranking 
    Vice Chairman                        Member
PETER T. KING, New York              CAROLYN B. MALONEY, New York
EDWARD R. ROYCE, California          NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma             BRAD SHERMAN, California
STEVAN PEARCE, New Mexico            GREGORY W. MEEKS, New York
BILL POSEY, Florida                  MICHAEL E. CAPUANO, Massachusetts
BLAINE LUETKEMEYER, Missouri         WM. LACY CLAY, Missouri
BILL HUIZENGA, Michigan              STEPHEN F. LYNCH, Massachusetts
SEAN P. DUFFY, Wisconsin             DAVID SCOTT, Georgia
STEVE STIVERS, Ohio                  AL GREEN, Texas
RANDY HULTGREN, Illinois             EMANUEL CLEAVER, Missouri
DENNIS A. ROSS, Florida              GWEN MOORE, Wisconsin
ROBERT PITTENGER, North Carolina     KEITH ELLISON, Minnesota
ANN WAGNER, Missouri                 ED PERLMUTTER, Colorado
ANDY BARR, Kentucky                  JAMES A. HIMES, Connecticut
KEITH J. ROTHFUS, Pennsylvania       BILL FOSTER, Illinois
LUKE MESSER, Indiana                 DANIEL T. KILDEE, Michigan
SCOTT TIPTON, Colorado               JOHN K. DELANEY, Maryland
ROGER WILLIAMS, Texas                KYRSTEN SINEMA, Arizona
BRUCE POLIQUIN, Maine                JOYCE BEATTY, Ohio
MIA LOVE, Utah                       DENNY HECK, Washington
FRENCH HILL, Arkansas                JUAN VARGAS, California
TOM EMMER, Minnesota                 JOSH GOTTHEIMER, New Jersey
LEE M. ZELDIN, New York              VICENTE GONZALEZ, Texas
DAVID A. TROTT, Michigan             CHARLIE CRIST, Florida
BARRY LOUDERMILK, Georgia            RUBEN KIHUEN, Nevada
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
TREY HOLLINGSWORTH, Indiana

                  Kirsten Sutton Mork, Staff Director
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    October 25, 2017.............................................     1
Appendix:
    October 25, 2017.............................................    27

                               WITNESSES
                      Wednesday, October 25, 2017

Cable, Sara, Director, Data Privacy and Security, Assistant 
  Attorney General, Consumer Protection Division, Office of 
  Attorney General, Commonwealth of Massachusetts................     4
Litt, Mike, Consumer Advocate, U.S. Public Interest Research 
  Group..........................................................     8
McGee, Kathleen, Chief, Bureau of Internet and Technology, 
  Division of Economic Justice, Office of the New York State 
  Attorney General...............................................     5
Moy, Laura, M., Deputy Director, Center on Privacy and 
  Technology, Georgetown University Law Center...................     7
Wu, Chi Chi, Staff Attorney, National Consumer Law Center........     6

                                APPENDIX

Prepared statements:
    Cable, Sara..................................................    28
    Litt, Mike...................................................    90
    McGee, Kathleen..............................................    99
    Moy, Laura, M................................................   103
    Wu, Chi Chi..................................................   124

              Additional Material Submitted for the Record

Waters, Hon. Maxine:
    Letter from VantageScore.....................................   137
    New York Times article entitled, ``Equifax Grip on Mortgage 
      Data Squeezes Smaller Rivals''.............................   142
    Written questions for the record submitted by Democratic 
      members for October 5, 2017 Equifax hearing................   146
    Press statement from CFPB entitled, ``Supervisory Highlights 
      Focused on Problems Discovered with Credit Bureaus''.......   160
    Written statements for the record from the first Equifax 
      hearing on October 5th.....................................   163
    Information about ID theft tools available to consumers on 
      CFPB's website.............................................   171

 
                   EXAMINING THE EQUIFAX DATA BREACH, 
                              CONTINUATION

                              ----------                              


                      Wednesday, October 25, 2017

                     U.S. House of Representatives,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The committee met, pursuant to notice, at 2 p.m., in room 
2128, Rayburn House Office Building, Hon. Ted Budd [member of 
the committee] presiding.
    Present: Representatives Rothfus, Mooney, Budd, Waters, 
Maloney, Sherman, Meeks, Capuano, Clay, Scott, Green, Ellison, 
Perlmutter, Himes, Foster, Kildee, Sinema, Beatty, Heck, 
Gottheimer, Gonzalez, Crist, and Kihuen.
    Mr. Budd [presiding]. The committee will come to order. 
Without objection, the chair is authorized to declare a recess 
of the committee at any time, and all members will have 5 
legislative days within which to submit extraneous materials to 
the chair for inclusion in the record. Pursuant to clause D-5 
of rule three of the Committee on Financial Services, this 
additional hearing day has been scheduled with reference to 
October 25th, 2017, full committee hearing entitled ``Examining 
the Equifax Data Breach.''
    The Chair now recognizes the Ranking Member of the 
committee, the gentlelady from California, for 4 minutes for an 
opening statement.
    Ms. Waters. Thank you very much, Mr. Chairman.
    And thank you to all of the witnesses who are here today to 
better understand the causes and impact of the massive data 
breach at Equifax. To the State government experts and consumer 
advocates here today, I want to thank you for being here to 
testify.
    Unfortunately, the CEOs of each of these three major credit 
bureaus have refused to attend this hearing. It is particularly 
troubling that since the massive breach, Equifax has yet to 
send an executive to testify before Congress who actually has 
the ability to examine all the issues with our broken credit 
reporting system. Committee Democrats requested this minority 
day hearing and invited the chief executive officers of 
Equifax, Experian, and TransUnion, which are the three 
nationwide consumer reporting agencies in this country, as well 
as a group of senior staff from legal authority to commit the 
company to future action.
    Equifax has badly mishandled virtually every aspect of this 
breach. They failed to update a known software vulnerability 
for several weeks. They failed to properly notify law 
enforcement agencies, as required by many State data breach 
laws and regulations, and even in announcing to the public 
about the breach, failed to provide consumers with the tools 
they needed to safeguard against identity theft and other harm 
that could be caused by the unauthorized exposure of their 
sensitive financial and personally identifiable information for 
free.
    But Equifax isn't the only major credit bureau to have 
faced a major cyberattack. About 2 years ago, Experian, one of 
the other major bureaus, also had a breach that exposed 
millions of T-Mobile customers' information. Yet the head of 
Experian also declined to come to testify today.
    These security breaches at the major credit bureaus are 
just one of the many problems within the credit reporting 
industry. That is why I have long called for a complete 
overhaul of the entire credit reporting system, and I recently 
introduced H.R. 3755, the Comprehensive Consumer Credit 
Reporting Reform Act. My bill shifts the burden of removing 
mistakes from credit reports onto the credit bureaus and 
furnishers--away from consumers--limits credit checks for 
employment purposes, and reduces the time period that negative 
items stay on credit reports, among many other key reforms.
    It is clearly time for us to fix the vast problems within 
the credit reporting sector. There is enormous concern and 
frustration from consumers across the country about the lack of 
control they have over how these companies collect, maintain, 
and sell consumer data.
    It is time for us to ensure there are adequate measures to 
hold these firms accountable for their business practices. And 
I find it unacceptable that the three major credit bureaus have 
still failed to take even the most basic steps to protect 
consumers after this latest massive breach by immediately 
providing all consumers with free credit freezes.
    If executives at the three nationwide consumer reporting 
agencies are watching this hearing today, I want them to know 
that the days of their companies being able to operate with 
impunity are now over. I thank you, and I yield back the 
balance of my time.
    Mr. Budd. Gentlelady yields back.
    The Chair now recognizes the gentleman from Michigan, Vice 
Ranking Member Mr. Kildee, for 1 minute.
    Mr. Kildee. Thank you, Mr. Chairman.
    And thank you to the Ranking Member for organizing this 
important hearing. This breach, the Equifax breach should never 
have happened. Because of unacceptable security lapses, Equifax 
exposed the personal information of over 145 million Americans.
    For a company whose very business involves the collection 
of America's most personal financial information, it is almost 
inconceivable that this major breach occurred. And I know I am, 
and other members of this committee, are very concerned with 
potential insider trading by several high-level Equifax 
executives, and we have requested the SEC (Securities Exchange 
Commission) to fully investigate these actions.
    Even worse than the breach itself, or the potential insider 
trading, has been how Equifax treated the American public and 
its customers since this breach was exposed. Weeks passed 
between the discovery of this breach and when it was disclosed 
to the public, yet Equifax was completely unprepared to address 
the concerns of Americans.
    I am grateful that we are having this hearing today to see 
how we can move forward and make sure this does not happen 
again and to do what we can to help the over 145 million 
Americans impacted. Thank you, and I yield back.
    Mr. Budd. Gentleman yields back.
    The Ranking Member is recognized for 4 minutes to introduce 
the panel of witnesses.
    Ms. Waters. Thank you very much, Mr. Chairman.
    And welcome to all of our witnesses today. First I would 
like to introduce Sara Cable. Ms. Cable is an Assistant 
Attorney General and the Director of Data Privacy and Security 
in the Consumer Protection Division of the Massachusetts 
Attorney General's Office as an Adviser to Attorney General 
Healey and her chief of staff.
    Ms. Cable leads the office's data privacy and security 
enforcement and advocacy efforts. Ms. Cable oversees the 
office's review of thousands of data security incidents each 
year and leads several investigations of data security and 
privacy matters affecting the financial, health care, 
insurance, legal, and retail sectors.
    And then there is Kathleen McGee. Ms. McGee is presently 
the Chief of the Bureau of Internet and Technology for the 
Office of the New York State Attorney General. The bureau is 
responsible for the enforcement of New York's privacy, data 
security, and consumer protection laws in the online and 
technology environment, as well as for enforcement of New 
York's data breach notification laws. The bureau investigates a 
wide range of issues affecting the tech space, including 
privacy violations, data security breaches, online safety, 
native advertising, deception, and fraud.
    Then there is Chi Chi Wu. Ms. Wu is a Staff Attorney at 
National Consumer Law Center (NCLC), where her specialties 
include fair credit reporting, credit cards, tax-related 
consumer issues, and medical debt. She frequently serves as a 
resource for policymakers and the media on consumer credit 
issues. Ms. Wu is the lead author of the NCLC treatise Fair 
Credit Reporting Act and has been advocating for a reform of 
the credit reporting system for over a decade.
    And then there is Laura Moy. Ms. Moy is the Deputy Director 
of the Center on Privacy and Technology at Georgetown Law. She 
is a public interest advocate who writes and speaks on a number 
of technology policy issues, including consumer privacy and law 
enforcement surveillance. Ms. Moy has testified previously 
before this committee, and we are pleased she is here with us 
again today.
    Mike Litt--last, but certainly not least--Mr. Litt is a 
national consumer advocate for the U.S. Public Interest 
Research Group (PIRG), an organization that advocates for the 
interests of American consumers and stands up against powerful 
interests when they push the other way. He is a leading voice 
on credit freezes and identity theft prevention and has co-
authored a number of valuable resources on the topic.
    Again, I want to welcome all of our witnesses to today's 
hearing and thank you for being here today. I yield back the 
balance of my time.
    Mr. Budd. Gentlelady yields back.
    Ms. Cable, you are recognized for 3 minutes to give an oral 
presentation of your testimony.

                     STATEMENT OF SARA CABLE

    Ms. Cable. Thank you.
    Good afternoon, Chairman, Ranking Member Waters, 
distinguished members of the committee. Thank you for inviting 
me to testify today.
    My name is Sara Cable. I am an Assistant Attorney General 
in the Massachusetts Attorney General's Office and Director of 
Data Privacy and Security in its Consumer Protection Division.
    On September 19th, our office filed the first State civil 
enforcement action against Equifax. Our goal with our suit is 
to hold the company accountable for the harm it caused nearly 3 
million of our consumers, approximately half of the adult 
population of our State, harm that, in our view, Equifax could 
have and should have prevented.
    We sued Equifax under our State Consumer Protection Act and 
our Data Breach and Data Security Laws, which are recognized as 
among the strongest in the Nation. We allege that this breach 
was foreseeable and preventable, but that Equifax failed to 
develop, implement, and maintain reasonable safeguards required 
by Massachusetts law to protect the sensitive personal data of 
the consumers it held in its systems, and presumably off which 
it profited.
    Because my time is short, I want to highlight one key point 
for the committee. While the Equifax breach may be notable for 
its scope and impact, it is not unique. Our experience strongly 
suggests to us that businesses large and small are not doing 
what they need to be doing to protect consumers' information 
from foreseeable threats.
    Over the last 10 years, since the Massachusetts Data Breach 
Notice Law went into effect, our office has received notice of 
over 19,000 data breach incidents impacting Massachusetts 
residents. In 2016 alone, we received notice of over 4,000 data 
breaches. This is 25 percent more than in 2015 and a nearly 
tenfold increase from 2008, the first full year that our breach 
law went into effect.
    Now, with this kind of volume, we can't possibly 
investigate every single breach. And I think it is worth noting 
that just because a company is breached does not necessarily 
mean that it did anything wrong or that it failed to have 
reasonable safeguards in place. But for the ones into which we 
take a closer look, it suggests to us that many of these 
breaches could have been prevented through reasonable, and 
indeed basic, security safeguards.
    To this day, we continue to see breaches impacting entities 
in every sector that result from the failure to employ basic 
security safeguards in compliance with Mass law. And just some 
of these are companies that don't even have a written 
information security program, much less follow the one that 
they have; companies that cut corners by using outdated and 
unsupported software; or companies hoarding vast amounts of 
sensitive consumer data in their network without a present or 
contemplated business need and leaving it unsecured.
    Now, to be sure, there are entities that do it right, but 
we are seeing far too often that entities are not treating 
consumers' information like the valuable asset it is. And that 
is even with the constant drumming of headlines about the risks 
of data breach incidents.
    And I will conclude to note that, in the case of Equifax, 
which was subject to both State and Federal law, even that law 
as it exists today was not enough to prevent this breach. And I 
would submit that any law that is proposed that is weaker than 
the law that we currently have today is worse than doing 
nothing for consumers.
    Thank you very much.
    [The prepared statement of Ms. Cable can be found on page 
28 of the Appendix.]
    Mr. Budd. Thank you.
    Ms. McGee, you are now recognized for 3 minutes to give an 
oral presentation of your testimony.


                   STATEMENT OF KATHLEEN MCGEE

    Ms. McGee. Thank you, Mr. Chairman, Madam Ranking Member, 
and other distinguished committee members.
    I am Kathleen McGee, Chief of the Bureau of Internet and 
Technology at the New York State Office of the Attorney 
General, Eric T. Schneiderman. Thanks for the opportunity to 
testify today.
    After learning about the Equifax breach, our office 
immediately launched an investigation. And while I cannot share 
the details of that ongoing investigation, suffice it to say, 
we are getting to the bottom of the Equifax breach and are 
working to ensure credit bureaus protect the sensitive consumer 
data that they hold.
    States have had a central role in protecting consumers and 
their data for nearly 2 decades, as my written statements 
detail more fully. But in these remarks, I would like to make a 
few points regarding any Federal legislation.
    First, law must keep pace with the ever increasing rate of 
technological change. States have proven the ability to act 
quickly in that regard, and Congress should not limit States' 
ability to innovate in this area.
    Second, when it comes to enforcement, States occupy a 
leading role and must continue to do so. States together play a 
big role after major breaches like Target or Equifax, but less 
well-known are actions taken in response to smaller breaches 
that occur in the hundreds each year in New York and other 
States. Even under the best of circumstances, it is unlikely a 
Federal agency would be as responsive as the States to breaches 
involving local business and relatively small numbers of local 
consumers.
    These breaches may be smaller, but the victims are no less 
in need of law enforcement protection. Smaller breaches are the 
rule, not the exception.
    I respectfully urge this committee to ensure that any data 
security or breach legislation meets the following 
requirements, which we consider vital to protecting consumer 
data. First, any bill should not preempt State law. Indeed, it 
should expressly set a floor, not a ceiling on data security 
and breach response standards.
    Second, as with many other Federal consumer protection 
laws, Federal data security requirements must be enforceable by 
States, as well. And any Federal penalties must be recoverable 
by the States, as well.
    Third, if preemption is contemplated, the language must be 
drawn very carefully to avoid unintended consequences. Broad 
preemption language might be interpreted to set aside laws that 
concern personal privacy or computer crimes, causing serious 
public harm.
    In the meantime, as this body considers legislation and 
States continue to innovate, our office will continue to 
enforce data security protections on behalf of New Yorkers and 
to work with New York State's lawmakers to update our own 
protections. We very much appreciate your committee's efforts. 
And I thank you for your time today.
    [The prepared statement of Ms. McGee can be found on page 
99 of the Appendix.]
    Mr. Budd. Thank you.
    Ms. Wu, you are now recognized for 3 minutes to give an 
oral presentation of your testimony.


                     STATEMENT OF CHI CHI WU

    Ms. Wu. Mr. Chairman, Ranking Member Waters, and members of 
this committee, thank you for inviting me to testify today.
    I am testifying on behalf of the low-income clients of the 
National Consumer Law Center. NCLC has long advocated for the 
need to reform the U.S. credit reporting system. We have 
testified many times before Congress about the unacceptable 
error levels in credit reports--one in five consumers, with one 
in 20 having very serious errors--and the Kafkaesque methods 
that these companies use to handle disputes, creating an 
automated version of voicemail hell and always siding with the 
creditor or debt collector that provided the wrong information.
    These inaccuracies, the barriers consumers face in trying 
to fix errors, and the Equifax data breach all stem from the 
same origin: A corporate culture of impunity and arrogance, 
which you can also see by the fact that all three credit bureau 
CEOs failed to show up today.
    By now, you have probably heard the refrain that American 
consumers are not the customer, but rather the commodity of 
credit reporting agencies. We can't vote with our feet; we are 
captives. As a result, the credit reporting agencies get away 
with all sorts of abuses, cutting corners in personnel and 
systems, and failing to invest in doing things right.
    A March 2017 report from the Consumer Financial Protection 
Bureau (CFPB) documented these issues, prompting Director 
Cordray to remark, ``We were surprised to find that their 
quality control systems were either rudimentary or virtually 
nonexistent.''
    Now, a data company that underinvests in quality control 
for accuracy and compliance is likely to be the same company 
that will underinvest in information security. It all stems 
from the same attitude, ``Let's just see how much we can cut 
costs.'' And Equifax is not alone. We think Experian and 
TransUnion suffer from similar cultures.
    So what is to be done? One suggestion has been to give 
authority to the Consumer Bureau under the Gramm-Leach-Bliley 
Act to supervise for data security. And we completely agree 
with that. But just as critically, we believe Congress should 
enact wider reforms of the credit reporting industry.
    That is why we strongly support H.R. 3755 and we thank 
Ranking Member Waters for introducing it. H.R. 3755 would 
vastly improve the broken credit reporting system, increase 
accuracy, and help victims of abusive lending and overly 
punitive negative reporting practices.
    Another reform we need is free security freezes. Victims 
of Equifax's negligence shouldn't have to pay to protect 
themselves from the threat of ID theft. Equifax and TransUnion 
have offered free credit locks, but a lock isn't the same as a 
freeze. A lock isn't required by law so there is limited 
recourse if something goes wrong. Plus, Equifax and TransUnion 
could stop offering free locks at any moment. Also, 
TransUnion's lock requires consumers to agree to forced 
arbitration and receive targeted advertising.
    And by the way, last night's Senate vote nullifying the 
bureau's arbitration rule is only going to increase the culture 
of arrogance and impunity. And Experian isn't even offering 
free locks or free freezes.
    Thank you for the opportunity to testify and I look forward 
to your questions.
    [The prepared statement of Ms. Wu can be found on page 124 
of the Appendix.]
    Mr. Budd. Thank you.
    Ms. Moy, you are now recognized for 3 minutes to give an 
oral presentation of your testimony.


                     STATEMENT OF LAURA MOY

    Ms. Moy. Good afternoon, Mr. Chairman, Ranking Member 
Waters, and the members of the committee. Thank you so much for 
inviting me to testify.
    Consumers are frustrated, as I think many members of this 
committee are. We lack control over what happens with data 
about us. We lack control over who has access to information 
that we should be able to control: Information about our 
finances, health, and families; information about things we do 
in the supposed privacy of our own homes; information about 
where we go, who we speak to, and what we think; information 
that can be used to steal our identities, ruining our finances, 
and maybe even our employment.
    Congress cannot lead from behind in protecting consumers. A 
breach of sensitive data is a bell that cannot be un-rung. 
Consumers need better control and protections, closer 
regulatory oversight, stronger enforcement, and greater 
incentives for companies to do the absolute best they can to 
protect our information.
    And companies can do much better. The massive Equifax 
breach happened over the course of months because the company 
failed to patch a critical system vulnerability about which it 
had ample notice and failed to detect the breach once it was 
underway.
    I urge this committee to give full consideration to the 
policy recommendations advanced by my fellow witnesses today. 
In my limited time, I would like to offer a few key points.
    First, I agree with my co-panelists that preemption of 
State law is not the answer. States are the engines of reform, 
and State laws on data security, medical identity theft, and 
protection of biometric data are some examples of some of the 
critical innovations happening at the State level.
    Federal legislation in this area should set a floor, not a 
ceiling, to allow for critically important State laws, 
especially those on data security and breach notification. But 
Federal legislation is needed. Federal legislation should avoid 
a so-called harm trigger that limits protection to potential 
financial harm.
    The breach of personal information is a serious harm in its 
own right. And consumers may suffer serious emotional or even 
physical harms or misuses of their personal information. Harm 
is not limited to financial harm alone.
    Federal legislation must also be sufficiently flexible so 
it covers information that is captured by emerging technology. 
We can't always forecast the next big threat, but 
unfortunately, we know that there will be one. Whether by 
continuing to allow States to increase protections on their own 
or establishing agency rulemaking authority to define covered 
information moving forward, Federal legislation must provide 
flexibility to meet new threats.
    Federal legislation should also include robust enforcement 
authority for both Federal and State regulators. Given the 
thousands of data breaches, and you just heard some of those 
numbers, in the thousands of data breaches reported each year, 
Federal authorities alone cannot protect consumers. State 
attorneys general and other State regulators must play a 
critical role.
    Thank you, and I look forward to your questions.
    [The prepared statement of Ms. Moy can be found on page 103 
of the Appendix.]
    Mr. Budd. Thank you.
    Mr. Litt, you are now recognized for 3 minutes to give an 
oral presentation of your testimony.


                     STATEMENT OF MIKE LITT

    Mr. Litt. Thank you, Mr. Chairman, Ranking Member--as a 
consumer advocate for U.S. PIRG, I appreciate the opportunity 
to discuss next steps after the Equifax breach. Equifax still 
has not provided or even clearly explained what is needed to 
fully protect consumers.
    Once your information has been stolen, there is only one 
kind of ID theft that can be stopped before it happens. That is 
where somebody opens a credit account in your name. The way to 
prevent that is by blocking access to your credit reports with 
all three credit bureaus.
    It is beyond time for all consumers to have the right by 
law to control access to their credit reports with free credit 
freezes.
    In my written testimony, I explained how Equifax's 
TrustedID Premier product fails to fully protect consumers. I 
also highlight concerns with its forthcoming lifetime lock. 
Locks and freezes appear to function similarly in that they 
block access to your credit report. The bottom line is freezes 
are better because they are a right by law and not conditional 
on terms set by the credit bureaus.
    Also, creditors run credit checks with any one or a 
combination of credit bureaus, so it is important that you 
block access to your credit reports at all three bureaus. 
Getting a lock or a freeze at just one but not the others is 
basically like locking your front door, but leaving your garage 
and back doors wide open.
    All 50 States and D.C. have their own laws governing fees 
for freezes, temporary lifts, and permanent removals. There are 
approximately 158 million consumers in 42 States that must pay 
a fee between $3 to $10 per bureau. We did not give the credit 
bureaus permission to collect our information or sell it or, in 
the case of Equifax, to lose it. So why do we have to pay to 
control access to our reports?
    The PIRG has helped pass the first State freeze laws. Now 
we support Federal legislation that would set free freezes for 
all Americans as the floor. We also support legislation that 
would require freezes to be placed within 15 minutes of online 
and phone requests, as is the law in 10 States and D.C. States 
should be allowed to find even more ways of giving consumers 
control over access to their own reports. Federal legislation 
should not preempt or replace existing stronger State laws for 
privacy, breach notification, or data security, either.
    We also strongly support H.R. 3755, introduced by Ranking 
Member Waters. While the transfer of Fair Credit Reporting Act 
responsibilities to the consumer bureau has jumpstarted the 
compliance efforts of the big three credit bureaus, this bill 
will give required improvements.
    Thank you for your attention and for the opportunity to 
present my testimony.
    [The prepared statement of Mr. Litt can be found on page 90 
of the Appendix.]
    Mr. Budd. Thank you.
    The Chair now recognizes the distinguished Ranking Member, 
Ms. Waters, for 5 minutes.
    Ms. Waters. Thank you very much, Mr. Chairman.
    It is unfortunate that the three CEOs for the major credit 
reporting agencies rejected the opportunity to discuss their 
business model and what actions Congress should consider in the 
wake of the Equifax data breach to better oversee the use of 
consumer data.
    So let me ask each of the panelists: Do consumers have 
sufficient control over the existing use of, and 
commercialization of, their data collected, maintained, and 
compiled by the largest consumer reporting agencies and other 
businesses? Let me just go down the line, start with Ms. Cable. 
Do they?
    Ms. Cable. Sure, thanks for the question. I would submit, 
no, they don't.
    Ms. McGee. I would submit that was a rhetorical question. 
No, they don't.
    Ms. Waters. Ms. Wu?
    Ms. Wu. Absolutely not. They need more control and 
protection.
    Ms. Waters. Ms. Moy?
    Ms. Moy. Absolutely not. And they are frustrated and asking 
for more.
    Ms. Waters. Mr. Litt?
    Mr. Litt. Absolutely not. They need that control.
    Ms. Waters. OK. I would like to go back to each of you and 
ask you if you could briefly mention maybe one action Congress 
should take with respect to the oversight of consumer reporting 
agencies, to empower consumers to have better control of their 
personal information? Just one thing, each of you, starting 
with Ms. Cable.
    Ms. Cable. I could say under State law in Massachusetts, 
our legislators have proposed a bill that would require 
entities seeking a credit report to get the consumer's written 
consent before they do so.
    Ms. Waters. All right.
    Ms. McGee. I think New York's big focus here is on 
transparency and acknowledgment that the consumer understands 
what data is being collected about her and how it is being 
used.
    Ms. Waters. Thank you.
    Ms. Wu?
    Ms. Wu. We would advocate for free credit freezes or even 
freezes by default, also a strong Consumer Financial Protection 
Bureau and the ability of the bureau to supervise for data 
security.
    Ms. Waters. Ms. Moy?
    Ms. Moy. I think that many companies know what they ought 
to be doing on data security and they are not doing it. And I 
think that we need stronger enforcement authority accompanied 
by civil penalties.
    Ms. Waters. OK. Mr. Litt?
    Mr. Litt. It is time for consumers across the entire 
country to have the right to control access to their credit 
reports with free credit freezes.
    Ms. Waters. Thank you so very much.
    I think Ms. Wu mentioned that you are familiar with the 
bill that I introduced. And we tried to address those issues, 
each of those issues that you have identified.
    I have one other that concerns me greatly, and that is the 
use of this data, individuals' data in employment efforts that 
are being made. An individual applies for a job and the job 
requires that they check their credit, that their credit be 
checked. Do you think that credit information should be used in 
employment efforts?
    Ms. Wu?
    Ms. Wu. I do not think credit reports should be used in 
employment, except for very, very, very narrow circumstances. I 
absolutely support the provision in H.R. 3755 to severely 
restrict the use of credit reports in employment. It is 
bizarre. Somebody loses their job, they can't pay their bills, 
and their inability to pay their bills means they can't get 
another job. And credit has nothing to do with your ability to 
perform a job.
    Ms. Waters. Thank you.
    And let me ask Ms. McGee. We have tried to reduce the time 
that negative information stays on your credit report. What do 
you think about that?
    Ms. McGee. We support that. We supported that provision in 
the National Consumer Assistance Plan that we agreed upon with 
the three credit reporting agencies. And we see that H.R. 3755 
provides some very robust protections with respect to 
consumers. We support that.
    Ms. Waters. Thank you.
    Ms. Moy, what else can we do to ensure that consumers have 
access to their credit information? How often should they be 
able to get it? How should the bureaus respond to the request 
for information that they have collected on you?
    Ms. Moy. So I agree with what others have said, that 
freezes ought to be something that consumers can have on an 
ongoing basis and for free. I also think that while one credit 
report annually is a place to start, I think that--particularly 
if credit reports are being accessed by folks, by entities 
without the consent of the consumer, and particularly if they 
are being accessed for purposes such as employment--then 
consumers ought to have access to their credit report on an 
ongoing basis, not just a view into it once a year.
    Ms. Waters. Thank you.
    Mr. Litt, many people are wondering what they can do to 
protect themselves who are victims of the breaches that have 
taken place. What about credit freezes? Should they be charged? 
And if they are charged, how long should that charge continue, 
like with Equifax?
    Mr. Litt. Yes, consumers should not be charged to have 
access to their own credit reports or to control access to 
their own credit reports, which is really the only way to 
protect yourself from new account identity fraud, which is the 
only kind of identity theft that can actually be prevented once 
your information is out there. Unfortunately, there are far too 
many Americans who have to pay a fee between $3 to $10 per 
bureau, and that should stop.
    Ms. Waters. Thank you.
    I yield back the balance of my time.
    Mr. Budd. Chair now recognizes the gentlelady from New 
York, Mrs. Maloney, for 5 minutes.
    Mrs. Maloney. Thank you. I want to thank the Ranking Member 
for looking out for consumers and calling this important 
Oversight Committee.
    I would first like to ask Ms. Wu, as you know, one of the 
reasons why the Equifax breach was so bad was that the 
information that was stolen included the Social Security 
numbers and the date of birth for over 145 million people. That 
is half the population of this country.
    And both of these materials are critical pieces of 
identification that cannot be changed. And this is a huge 
problem for 145 million people.
    Now, some people have suggested that we should move away 
from using the Social Security numbers as a key piece of 
identifying information and start using unique ID numbers that 
are more easily changeable. Do you think that would be helpful? 
And if so, what do you think should be in charge of coming up 
with new ID numbers that would replace Social Security numbers? 
And that is the question for Ms. Wu.
    Ms. Wu. Thank you for the question, Congresswoman Maloney. 
The fundamental issue with the case of the Social Security 
Number is it is used as a verifier, not as an identifier, or 
both as a verifier and an identifier. It is like using your e-
mail address as your password. That number shouldn't be serving 
two roles.
    You do need a number, some sort of identifier number for 
credit reports--just make sure you've got the right person. And 
in fact, what we have criticized credit reporting agencies for 
years was using partial Social Security numbers to match people 
because that results in things like mixing two people's credit 
files up.
    But you do need better ways to verify that someone is who 
they say they are. And, I suggest that an entity like the 
Consumer Bureau is a good one to start figuring out those 
issues.
    Mrs. Maloney. OK, thank you.
    Now, as you know, Equifax was covered by the Fair Trade 
Commission Safeguards Rule, and this is intended to ensure the 
security and confidentiality of this sensitive information. 
Now, I happen to think that Safeguards Rule is one of the 
strongest data security rules out there.
    It is the same rule that banks and credit unions are 
subject to and has largely been successful since it was first 
established by this body in 2002. And I think Equifax blatantly 
violated the Safeguards Rule by not having an information 
security system in place that can identify reasonably 
foreseeable risks.
    And in this case, they were notified. They were notified by 
the Homeland Security Department that there was this type of 
weakness in the system. The other two groups caught it. They 
didn't even bother to correct it.
    So I want to ask you, if the Safeguards Rule had been 
properly enforced and implemented by the FTC, then the Equifax 
hacks shouldn't have happened in the first place. But it is 
also possible that we need to look at updating the Safeguards 
Rule in light of the breach.
    So, Ms. Moy, and I would like to follow it with Mr. Litt, 
what are your thoughts on this? Do you think we need to update 
the Safeguards Rule or do you think we just need to ensure that 
the rule is properly enforced? Obviously, Equifax did not 
enforce this rule even when they were notified that this type 
of breach would happen.
    So, first, Ms. Moy, and then I would like Mr. Litt to 
answer, too.
    Ms. Moy. Thank you. That is an excellent question. And, as 
I said before, I think a lot of times companies know what they 
need to do and they are just not doing it. And it seems that 
that was in fact a case with the Equifax breach. As you 
mentioned, they were notified of the critical vulnerability in 
Apache Struts back in March and failed to, by DHS.
    But I will just say I do think that it is time to take a 
look, at least, at updating the Safeguards Rule. For example, 
it could explicitly mention encryption.
    Mrs. Maloney. Yes or no, because my time is running out, 
Mr. Litt, should we update the Safeguards Rule?
    Mr. Litt. Yes, we should finish updating the Safeguards 
Rule.
    Mrs. Maloney. OK. Now, I would also like to ask you, in 
light of Equifax's decision to wait a full 6 weeks to notify 
the public of the breach, do you think that part of the problem 
is that there is no explicit data breach notification provision 
or requirement in the Gramm-Leach-Bliley Act?
    Mr. Litt. We believe that any kind of Federal legislation 
would need to set a floor and not preempt stronger existing 
State laws.
    Mrs. Maloney. OK. Ms. Moy, what do you think?
    Ms. Moy. So I think many consumers do feel at the point 
where they get notification, it is too late. That said, I do 
think that folks ought to know that their information was 
breached.
    Mrs. Maloney. My time is expired. Thank you very much.
    Mr. Budd. Thank you.
    The Chair now recognizes the gentleman from California, Mr. 
Sherman, for 5 minutes.
    Mr. Sherman. Mr. Chairman, we have had a tradition in this 
committee room of every Republican member putting the national 
debt clock up while they had their time. Earlier today, that 
seems to have been suspended, and the only member to put up the 
national debt clock during hearings we had earlier today was 
myself.
    Are you familiar as to why this change was made? Does it 
have anything to do with a budget resolution we are voting on 
tomorrow that will add a couple of trillion dollars to that 
debt clock?
    I yield to the Chairman.
    Mr. Budd. I yield without comment back to the gentleman 
from California.
    Mr. Sherman. The gentleman's response is instructive. In an 
effort to stay true to Chairman Hensarling's commitment to a 
balanced budget, I will continue to have the national debt 
clock up during my 5 minutes. Not that I don't think the 
graphics presented by our Ranking Member aren't excellent, I 
know that they will be up during much of today's hearing.
    I will point out I have added two things that I would 
commend to Chairman Hensarling. One is to add to the fact that 
the Republican tax cut will add $150 billion to $200 billion. 
And this committee has played a role in pressuring the Fed to 
abandon quantitative easing, and that will add another $80 
billion to $100 billion a year to our national debt. So while 
the flame of fiscal responsibility may have been blown out of 
one side of the room, the flame continues to flicker on this 
side.
    Mr. Litt, people are talking about locking versus freezing. 
And you pointed out that if you are going to do either, you 
have to do it with all three credit rating agencies. Equifax 
says they will do one for free. Will they pay the fee, though, 
to the other two credit rating agencies to lock or freeze your 
credit? Or is that on the consumer?
    Mr. Litt. Disappointingly, they have not said whether they 
will do that or not, and they are calling on TransUnion and 
Experian to offer free locks. And so they are not paying for 
that.
    Mr. Sherman. OK, so they are the ones that screwed up.
    Mr. Litt. Exactly.
    Mr. Sherman. So their competitors should pay the cost. My 
God, it is as if my locksmith lost my key and he will provide a 
new lock to my front door, and then he calls upon competing 
locksmiths to provide me with a replacement for my back and 
side doors. That is amazing.
    I will ask the representative for the New York Attorney 
General's Office, is there an effort to hold Equifax 
accountable and sue them for whatever consumers have to pay, or 
better yet, to establish a fund that would fund consumers 
locking or freezing their credit with the other two agencies?
    Ms. McGee. As I mentioned earlier, we are pursuing an 
investigation, so I am not going to comment on relief that we 
might seek, except to say that we are seeking full relief for 
New York consumers as Massachusetts is seeking full relief for 
their consumers. And we are looking at the full system. We have 
publicly called in Equifax and their competitors, as well, to 
understand the system better and to see whether or not there 
could be structural changes.
    Mr. Sherman. Thank you. So as soon as Mr. Hensarling will 
cosponsor the bill, I will introduce legislation to say that if 
you have a data breach where you have even advised people that 
they need to buy three locks, that you have to provide one of 
the locks for free and pay for the other two.
    To say that Equifax should call upon its competitors to do 
this for free, perhaps there could be some reduced cost, but as 
things stand now, though, Mr. Litt, if I want to implement 
Equifax's suggestions, I go to Equifax and I freeze or lock my 
file, and then I pay money out of my own pocket to freeze or 
lock at the other two agencies. Is that correct?
    Mr. Litt. That is right.
    Mr. Sherman. I yield back.
    Mr. Budd. Chair now recognizes the gentleman from New York, 
Mr. Meeks, for 5 minutes.
    Mr. Meeks. Thank you, Mr. Chairman.
    You know, indeed, this is a sad day, I think, for 
consumers. Let me start out that way. I have to start out by 
saying, first, I am disappointed but not surprised at all, even 
though it is not directly related to this hearing, that my 
Republican colleagues in the Senate along with the assistance 
of the Vice President of the United States and the White House 
decided to roll back consumers' access to the courts in favor 
of the most powerful players in Washington, D.C. Bad day for 
consumers.
    Instead of protecting options for consumers, i.e., 
consumers who are merely seeking a recourse for the wrongs done 
to them, my Republican colleagues have opted to limit choice 
and force consumers into unfair arbitration agreements that 
stack the cards against them.
    I am also concerned that I think it is unprecedented that 
you have a person who is serving on an acting basis for the OCC 
decided to insert himself in this debate, and I believe placed 
inappropriate political pressure on what is supposed to be an 
independent CFPB. And I just have to take this opportunity to 
remind people that an independent CFPB was not there prior to 
the 2008 crisis. In fact, there was no agency focused primarily 
on the consumer.
    And sure, we had banking regulators responsible for 
ensuring institutions operated with prudence and in a proper 
way. However, we had no single player at bat for the consumer. 
So we created this independent Consumer Financial Protection 
Bureau that this Administration and my Republican colleagues 
continue to undercut and undermine with little regard for the 
consumer and the underdog.
    So, regarding today's hearing, I am further disappointed 
that Equifax refused to appear before this committee again. And 
I believe that avoiding responsibility is a proven failed 
strategy in Washington, D.C.
    As we saw with, and has happened in this committee before, 
when the Enron executive that pled the Fifth before Congress, 
and the Wells Fargo's past CEO who failed to acknowledge his 
poor oversight. And then we had Equifax's prior CEO come in 
here, he said is no longer with Equifax and so the individuals 
who are now in charge of Equifax, they, in fact, have not been 
before this committee yet. It was bad advice then and it is bad 
advice now.
    Furthermore, I hope that Equifax can correct the 
Congressional Record, because when this former employee was 
before this body at our last hearing, he suggested to me that 
Equifax had a breach response plan that was tested prior to its 
May incident. A recent Wall Street Journal report alleges just 
the opposite.
    Therefore, I am very concerned that Equifax's former CEO 
potentially made misstatements before this committee. I hope he 
is not getting in the habit of the 45th President, who 
continues to make misstatements whenever he speaks.
    The Wall Street Journal reported the following: Equifax was 
ill-prepared to face the increasing frequency of data breaches 
and that a review of the company found, and I quote, no 
evidence of regular cybersecurity audits, or an emergency plan 
to respond to an intrusion. So I sent a letter to Equifax to 
correct the Congressional Record. I have yet to hear back from 
them.
    Now, I am going to ask my friend--I know that we have 
Kathleen McGee here who is from my friend Attorney General 
Schneiderman's office. Let me just ask you, real quickly, in 
what ways can States help get institutions to a place where 
they are better prepared for the next breach? What are you 
doing in New York? And what can we utilize nationally to help 
make sure this never happens again?
    Ms. McGee. Thank you. Across this country, 48 States and 
territories, all the territories, have data security laws in 
place. We are the incubators and the innovators for the 
frontlines for innovation and data technology. We are the 
gatekeepers. We innovate and protect consumers on the ground.
    We should not be superseded or preempted by a Federal law. 
And we would encourage that this body consider establishing a 
stricter floor, not a ceiling, if it considers passing a 
national standard.
    Look to the States for the innovation. New York has good 
suggestions, Massachusetts. California was an innovator passing 
the initial law back in 2002. So we would suggest you look to 
the States first. Thank you.
    Mr. Budd. Thank you.
    The gentleman from California is well aware, the debt clock 
is traditionally used only at full committee hearings. And my 
Democratic colleagues previously requested we not display it 
during their questioning time. Also, members are reminded not 
to engage in personalities.
    The Chair now recognizes the gentleman from Georgia, Mr. 
Scott, for 5 minutes.
    Mr. Scott. Well, thank you very much, Mr. Chairman.
    First of all, I wanted to commend our Ranking Member, Ms. 
Waters, for putting this hearing together.
    And then, second, I am the Georgia Congressman representing 
Equifax. And I can't tell you how disappointed, I can't tell 
you how insulting, I can't tell you how just downright rabid 
that they are making me as a Georgia Congressman.
    Now, with this terrible breach, impacting 145 million 
people--and first, they send up here to speak to us the former 
CEO. How, I ask these panelists, do you think--and the American 
people--that we can even begin to fix this problem if these 
bone-headed executives and current CEO will refuse to come 
before Congress and to answer questions?
    How can they expect to get a seat at the table? How can we 
respond to the American people? Some of these American people 
don't even know what Equifax does or these credit agencies. 
Their lives are impacted in a very negative way.
    And yet they will refuse to come before Congress. Now, they 
may be thinking that they are sticking it to Members of 
Congress, but when you violate Members of Congress, when you 
insult Members of Congress, when you disrespect Members of 
Congress, you are insulting and disrespecting the American 
people. We speak for them. And for them to do this is a 
dastardly deed.
    And I hope, Ms. Waters, that you will pursue my request 
that we had yesterday evening to ask for a subpoena. That will 
get their lazy asses up here and respond to the American 
people.
    Now, I apologize for anybody that feels I have offended you 
with that, but I meant it. That is what they are. And until 
they are sitting in that chair, we have to hold Equifax 
accountable.
    Let me tell you what they did. Do you know what they did? 
In March, they brought evidence of the leak. They also brought 
a way to fix the leak, with a patch, and they refused. The CEO 
at that time, Mr. Smith, said that he found out on July 1st.
    And then, the most dastardly deed of all that they did was 
they went 24 hours later and sold $2 million in stock, and not 
just anybody, their three top executives, led by their chief 
financial officer. And you mean to tell me that nobody is 
looking at this as insider trading?
    This is one of the most despicable, shameful acts of 
financial mismanagement in the history of these United States. 
And for them not to come before this Congress and answer these 
questions, the people who will run the company, is a total 
disrespect. And not only that, it is highly un-American. And it 
is not something that I will accept.
    Ms. Wu, I want to ask you this. Tell me, the American 
people need to know, will they be having to look beyond their 
shoulders, looking around corners worried for the rest of their 
lives because they don't know who has their Social Security, 
they don't know who has their birth--these are vital pieces of 
information. Is that what we have to look forward to? Could you 
please answer that?
    Ms. Wu. Unfortunately, the answer is yes. We will all be 
looking over our shoulders for the rest of our lives.
    Mr. Scott. Thank you.
    Mr. Budd. Gentleman's time has expired.
    Chair now recognizes the gentleman from Texas, Mr. Green, 
for 5 minutes.
    Mr. Green. Thank you, Mr. Chairman.
    I especially want to thank the Ranking Member for her 
energy and effort to cause this hearing to take place.
    Equifax is in a unique position. They collect information 
on consumers without consent. They don't have to have your 
consent to collect your information. Once they collect the 
information, they seem to think that they can handle it with 
impunity. If there is negligence or if there is some reason for 
a security breach that might cause litigation in ordinary 
circumstances, Equifax seems to think that arbitration is the 
methodology by which a dispute should be resolved.
    It causes me great concern to know that Equifax and many 
other companies, especially banks, are being aided and abetted 
by Congress, because Congress, yesterday, the Senate more 
specifically, decided to eliminate the consumer protection rule 
that would allow consumers to litigate as opposed to go to 
arbitration.
    This is an unbelievable circumstance. And I am interested 
in comments from members of the panel on your position as it 
relates to arbitration, especially with a company that collects 
information without your permission.
    Let's start with our very first panelist, if you would 
please, ma'am.
    Ms. Cable. Thank you for the question. I think it is safe to 
say our office's position is that we are disappointed in the 
developments of yesterday. I think it is a big step back for 
consumers. I think the unfairness in the Equifax matter is 
patently obvious to anyone.
    And it is one of the big reasons why, as a State attorney 
general, we are working so hard to hold Equifax accountable for 
this. And to circle back on how we hold Equifax accountable 
here, I think money talks. Without getting to the specifics of 
what we may or may not request in litigation, our Consumer 
Protection Act authorizes us to ask the court to award us up to 
$5,000 per violation. There are at least 3 million violations 
in Massachusetts.
    And so we think the State attorney generals are uniquely 
positioned and, in light of yesterday's development, may be a 
very few of the entities still positioned to hold Equifax 
accountable in the court of law.
    Mr. Green. Ms. Cable, if you would please, I detected a 
moment of candor. You said money talks. Kindly explain, please.
    Ms. Cable. I think a way to get the attention of a company 
like Equifax is to--how do I say this--require them to 
internalize the costs of this breach that they seem so eager to 
externalize onto the American public.
    Mr. Green. And how does one go about this, please?
    Ms. Cable. In our litigation under State consumer 
protection law, we can seek civil penalties, as I mentioned, up 
to $5,000 per violation. We are also authorized to seek 
consumer restitution for ascertainable losses that consumers 
suffer.
    We are also authorized under our law to have the court 
impose permanent injunctive relief to improve security 
procedures and other appropriate relief to make consumers 
whole. Certainly, all of those are on the table in our 
litigation.
    Mr. Green. Ms. Wu, please. Yes.
    Ms. Wu. So, absolutely, consumers were the losers in the 
vote last night. And any Republican who voted for getting rid 
of the arbitration rule, and yet criticized Equifax, was a 
hypocrite, because Equifax will greatly benefit from what 
happened last night. Not only because they will be able to 
immunize themselves from liability over things like credit 
monitoring products, but because they can actually put in 
arbitration agreements--for these locks, for example, that they 
are offering, so-called, for free--that you have to agree to 
arbitration. And they can put things in those arbitration 
agreements like ``You will never sue us under the Fair Credit 
Reporting Act, no matter how badly we mess up your credit 
report.'' So the American people are definitely the losers.
    Mr. Green. Mr. Litt, please.
    Mr. Litt. There were already concerns with locks, because 
TransUnion and Experian require consumers to give up their 
rights to a day in court. So last night's vote, unfortunately, 
makes things even more problematic.
    Mr. Green. Thank you very much. I yield back the balance of 
my time.
    Mr. Rothfus [presiding]. Gentleman yields back.
    The Chair recognizes the gentleman from Michigan, Mr. 
Kildee, for 5 minutes.
    Mr. Kildee. Thank you, Mr. Chairman, and again to the 
Ranking Member, thank you for arranging this hearing.
    I am really grateful for the panel for being here. This has 
been really helpful.
    Like probably all of my colleagues, I received a lot of 
complaints about this breach, and particularly about the way 
customers were treated by Equifax as they tried to, somehow, 
figure this out and manage it.
    So I want to tell the story of an individual from my 
district. His name is Jim. He is from Linden, Michigan. It is a 
small town outside of my hometown of Flint. He is a 
grandfather. He has got five grandchildren. He is a retired 
banker. He spent his whole career working with credit reporting 
agencies. He understands exactly how they operate.
    When he heard about this breach, Jim went to the Equifax 
website to see if his information had been released, had been 
stolen, in effect, which it had been. So he, like many, decided 
he would freeze his credit as a precautionary measure. So in 
navigating through their website, he wound up not on the page 
to freeze his credit, but on the page where Equifax offered, 
for purchase, its product to protect his identity online. I am 
sure you understand the irony in landing on that page.
    Realizing the error, Jim got on the phone. He called 
Equifax. He wanted to correct the problem. It took him over an 
hour on the phone with two different individuals, two different 
call centers, finally to resolve that issue.
    He was also to freeze his wife's credit, but Equifax 
charged him $20 to do so. So he reached out to my office, 
wanted to make a consumer complaint regarding Equifax. We were 
able to intervene, get his money refunded. But his biggest 
complaint was that Equifax made it so hard for him to deal with 
an issue that was not his fault and, in fact, was their fault.
    This guy is a retired banker. He is tech savvy. He 
understands customer service; he understands how to navigate a 
website. He couldn't do it without our help. Not everybody can 
do that. Not everybody has the presence of mind to call their 
Member of Congress. And Lord knows, there is no way we could 
deal with 145 million of these complaints.
    So my concern is, what happens to those folks who don't 
know who to call, who don't know where to go? How do they 
protect themselves? And so I guess I would ask just for any of 
the panelists who might want to offer, what do we tell our 
constituents? How do they protect themselves from something 
like this?
    I mean, what happened with Jim, who knows what the other 
consequences might be, but the frustration he had--and without 
our help he would be paying them to fix a problem that they 
created, let alone the potential of economic ruin that he could 
have faced as a result of this data being lost and being 
essentially stolen. What do we tell our constituents? How do they 
protect themselves?
    Ms. Wu. So, thank you for the question and the story, 
Congressman Kildee. Unfortunately your constituent is not 
alone. We have heard of many other stories where consumers had 
trouble getting freezes and end up actually getting not only a 
lock product, but a paid lock product. They ended up having to 
pay for it and of course agree to arbitration, which is now 
going to prevent them from bringing lawsuits.
    It is a terrible situation. All I can say is that they 
should try to keep working on getting those freezes. If they 
can't get them, they should complain not only to their Member 
of Congress and their attorney general's office, but to the 
Consumer Financial Protection Bureau, which has sometimes had 
success in dealing with these complaints and getting people's 
money back.
    But that points to the fact we need a strong Consumer 
Bureau. If we don't have a strong Consumer Bureau, even the 
little bit of progress we have made in terms of improving 
accuracy and dispute handling, because the Consumer Bureau can 
supervise these folks and get into their systems, is going to 
be lost.
    And this is the culture of impunity I am telling you about 
that I said. You know, this is not just an accident. They 
deliberately pushed people toward their locks and their paid 
products when people try to find the freezes.
    Mr. Kildee. Thank you.
    Mr. Litt. If I may, a default freeze would actually take 
care of people if they didn't know that they had to opt in for 
one. But there should be no barriers, including costs. So, at 
the very least, freezes should be free to place, as well as to 
lift.
    Ms. Moy. You make the point that the consumers who will 
lose out the most from a breach like this are those who lack 
the resources in time or in money to figure out how to protect 
themselves, and that is a problem that absolutely must be 
addressed.
    Mr. Kildee. Thank you. My time is expired. I thank the 
panel, again, and I thank the Ranking Member for arranging this 
hearing. It is very important. Thank you.
    Mr. Rothfus. Gentleman's time is expired.
    The Chair recognizes the gentleman from Nevada, Mr. Kihuen, 
for 5 minutes.
    Mr. Kihuen. Thank you, Mr. Chairman, and thank you, Madam 
Ranking Member, for organizing this hearing, and thank you to 
all of you for being here and for your testimony.
    Mr. Litt, I have a question, and maybe for the rest of 
panelists as well. Given that half of the population of the 
U.S. had their Social Security numbers exposed as part of this 
recent breach, do you find it troubling that such numbers are 
still being used by Equifax to authenticate consumers 
requesting freezes, copies of credit reports, and other 
products and services offered by the consumer reporting 
agencies?
    Mr. Litt. Yes, it is troubling. While the other 
authentication questions do serve as added security, Social 
Security numbers were never meant to be used as identifiers to 
begin with. And so this also raises the question for looking 
into transition into a new system.
    Mr. Kihuen. What would a new system look like, in your 
opinion?
    Mr. Litt. Well, we would look at things like two-factor 
authentication as a place to start, and then I think that we 
are encouraged and hopeful that Congress would look into ways 
to transition, as well.
    Mr. Kihuen. Thank you. Anybody else want to answer?
    Ms. Wu. Thank you for the question, Congressman. As I said 
earlier, the problem is the use of the Social Security number 
as the verifier to say that you are who you are. You do need 
some sort of identification number, and whether it is a Social 
Security number, or something else, you need a unique item to 
distinguish between consumers.
    The former CEO of Equifax, his name is Richard Smith, and 
you need to be able to figure out which Richard Smith you are 
dealing with. The problem is, you are also using the Social 
Security number as the verifier. So, you input that number and 
then the system tells me, OK, you are the real Richard Smith. 
And that is the problem. We need other ways of verifying 
someone's identity.
    Mr. Kihuen. Thank you.
    And I have a follow up on that, Ms. Wu. In your testimony, 
you described this breach as one of the worst, if not the 
worst, breaches in American history. Apart from the total 
number of consumers impacted, what else makes this the worst in 
American history?
    Ms. Wu. Well, the reason why this breach is probably one of 
the worst in American history is because of the type of 
information that is stolen, because it was Social Security 
numbers and dates of birth, and in some cases, driver's 
licenses. This is the crown jewel of information that can be 
used for ID theft.
    Other breaches involved your e-mail and password. Well, you 
can change your e-mail address. You can change your password. 
Your credit card number, you know, Target involved a lot of 
credit card numbers. You can get a new credit card number.
    It is almost impossible to change your Social Security 
number. It is very hard. And you can't change your date of 
birth. So this is going to haunt us forever. This is going to 
increase the risk of identity theft for half the American 
population for the rest of their lives. And that is what makes 
it so terrible.
    Mr. Kihuen. Thank you. I think you answered my other 
question that, how long are consumers likely to be at risk? So 
you were talking about for the rest of their life. So half of 
the American population who has been impacted by this is now at 
risk for the rest of their life because of this breach?
    Ms. Wu. Yes, that is right. And the best we can do is try 
to mitigate it by telling people to put freezes on their credit 
reports. And that is why, at least those freezes should be 
free. And I agree with Mr. Litt, they should be by default. 
That would help a lot to prevent identity theft.
    Mr. Kihuen. Thank you.
    And, Ms. Cable, I do have a very quick question. 
Immediately following the announcement of the breach, 
Massachusetts launched an investigation and filed a lawsuit 
against the company. While I understand that you cannot comment 
on the status of the case, as the matter is still ongoing, can 
you provide a high-level overview of allegations your office is 
making in the privacy and data security and privacy protections 
that Massachusetts residents are entitled to under the law, 
State law?
    Ms. Cable. Absolutely, Congressman. So the facts underlying 
our complaint are the facts that I think this committee has 
heard before. Equifax had this information. In March, it 
learned that it had vulnerable software in place in its 
public-facing website. There was a patch available. It was 
aware of it. It failed to implement it.
    I think, importantly, it also failed in other respects. It 
failed to detect the presence of hackers in its network. I have 
seen reports that the hackers got in, in March. They didn't 
notice it until the end of July. So over 4 months, somehow they 
didn't know that there were thieves in their network. And 
another point is, they didn't realize that this data, 145 
million persons' information, was compromised.
    I think that calls into question, and we have raised it in 
our complaints, serious questions of who was minding the store, 
putting the patch issue aside.
    As I mentioned, we sued under our State data security 
regulations. And I will just highlight some of the regulations 
that are at issue in this case, to give you a sense of what our 
law provides. We allege Equifax failed to identify and assess 
reasonably foreseeable risks to the security of its 
information. It failed to evaluate and improve its existing 
safeguards.
    Mr. Rothfus. The gentleman's time has expired.
    Mr. Kihuen. Thank you, Mr. Chairman.
    Mr. Rothfus. The Chair recognizes the gentleman from Texas, 
Mr. Gonzalez, for 5 minutes.
    Mr. Gonzalez. Thank you, Mr. Chairman, and thank you, 
Ranking Member Waters.
    Well, as a trial lawyer who represented consumers for 20 
years, I certainly believe Equifax should be held liable and 
punished for their negligence. But knowing what we know now, 
with the multiple breaches from the credit reporting agency--
and I guess this question would go to Ms. McGee and Ms. Cable--
would you support a direct cause of action against Equifax by 
consumers?
    Ms. McGee. I will answer by saying, first of all, New York 
State law does not have under our data protection law an 
independent cause of action for consumers. It is not our intent 
to open that up, but that does then directly turn me to the 
arbitration issue, which is--for New York, when we saw that 
arbitration was going to be a barrier to justice for consumers 
who are trying to seek redress from the very entity that they 
had placed their sort of last hope when they traditionally had 
a data breach and now were victimized by that actual entity and 
then forced into an arbitration clause, if they wanted to avail 
themselves of any relief, we acted quickly to seek redress and 
the arbitration clause was removed.
    It poses a real problem when consumers are hobbled in 
seeking rights in consumer protection because of these 
arbitration clauses. Our offices come out very strongly in 
statements condemning yesterday's decision and in other forced 
arbitration clauses, and that is a real problem.
    Mr. Gonzalez. But do you believe that they should have the 
capacity to bring their own claims?
    Ms. McGee. At this point, under New York law, we don't. We 
don't provide that redress under New York law--
    Mr. Gonzalez. Do you think it is a good idea?
    Ms. McGee. I think that, under certain circumstances, class 
actions can provide a way for a sea of change under law and can 
provide another way for companies to change the way that they 
do business. So as a generic matter, I personally don't think 
that it is a bad idea. But right now, I don't see any way in 
New York for there to be a change in that.
    Mr. Gonzalez. Fair enough. I guess the next question is to 
anyone on the panel is, how are we quantifying the damages? It 
seems like we can't get to that number anytime soon. How do we 
get there? At some point, how do we protect folks who had their 
information stolen from them? And it seems like it is just--we 
are looking into a crystal ball and we don't know where the end 
is.
    How would you address that, Ms. Cable?
    Ms. Cable. I certainly, as a fellow litigator, appreciate 
that question. And speaking in generalities, in Massachusetts, 
one measure of damages--and certainly not the only--is the cost 
of placing, temporary lifting, and permanently lifting a 
security freeze. To do all three of those actions in 
Massachusetts would cost a consumer $15 at one of the three 
bureaus, so $45 at all three. Three million consumers in 
Massachusetts, presumably, had to pay that cost, and so I think 
that comes out to $135 million in Massachusetts alone.
    That is just one small measure that doesn't count identity 
theft or other forms of financial fraud that, as my co-
panelists have highlighted, is very likely to occur here. I 
think establishing damages that may not have happened yet is 
either impossible or impracticable as a matter of law and it is 
what it is.
    I think one solution would be establishing minimum 
statutory damages and allowing the consumer to seek either the 
higher of the actual or the minimum. I think the law can 
advance this issue forward by establishing some kind of measure 
for damages here.
    Mr. Gonzalez. Very well. And the reason I say that is 
because $5,000 just seems nothing compared to some people can 
be damaged at such a high value. I guess my next question, and 
I hate to pick on all the lawyers, but I will address Ms. Moy. 
Which State has the most stringent protection for data breaches 
in the country?
    Ms. Moy. So, again, with breaches, I think that when it 
comes to notification, many consumers feel that it is too late. 
So that the laws to look at for really strong protection for 
consumers are going to be the data security laws.
    And some at this table have good ones. Massachusetts has a 
very strong one. New York has new cybersecurity regulations. 
Connecticut also recently has a good law, and Illinois. 
California, of course, is a good one to look at. Texas, 
actually, is an interesting State because it covers a broad set 
of information.
    Mr. Gonzalez. Which is changing, by the way. I don't know 
if you followed this last legislative session.
    Ms. McGee. I am not aware of the changes. I will have to 
look into that.
    Mr. Gonzalez. Under DTPA--and consumer laws have been 
watered down recently. But I am curious--and you just told us--
you just mentioned a few States that do have good laws. What 
States would you say do not? And I guess my time is up. Thank 
you very much.
    Mr. Rothfus. The gentleman's time is expired.
    The Chair recognizes the gentlewoman from Ohio, Mrs. 
Beatty, for 5 minutes.
    Mrs. Beatty. Thank you, Mr. Chairman. And thank you to our 
Ranking Member, Congresswoman Waters.
    I really appreciate us having an opportunity to have this 
dialog and to have it with you as our eyewitnesses. And I don't 
want to take my time to repeat everything that has been said.
    But let me certainly echo the displeasure that we have that 
Equifax could not be here, chose not to be here, chose not to 
sit and respond to something that has affected 143-plus-million 
individuals. I find that appalling that they are ignoring a 
request to come before this committee.
    I am also saying, Mr. Chairman, I am disappointed that we 
don't have seats across the aisle filled. This is not a 
partisan issue. This is not about Democrats. This is about 143 
million people having their entire life disrupted because of a 
company that had had some 57,000 complaints about 
misinformation, about inaccuracies on their credit reports.
    And I am as upset as anyone else, because I tried to work 
with them. I actually offered a bill in the last session, and 
in this session, and if they would have spent more time working 
with me than against the bill that would allow consumers to get 
a free credit report, it would have been helpful.
    But they didn't want to get a free credit score, because it 
is one thing to say, OK, once a year, we have a law now that 
you can get your annual report. But what happens when you go in 
to buy a home? What happens when they ask you what is your 
credit score?
    And they did not want to even do it once a year to give 
them a free credit score. And so, I hope someone plays this 
tape back to them so they can understand that we represent 
hard-working Americans. We represent people who want to have a 
better future. And when you have the breaches that they have 
had and you don't come to the table to respond to it, that is 
simply unacceptable.
    I guess, as I am sitting here today, I believe one of the 
ways we can really get companies to focus on cybersecurity is 
to put in place a system where there is a monetary penalty for 
each person's data that is breached. You know, let them feel 
some of the consequences that 143 million people are 
experiencing.
    When you think about--we have the data up here--one out of 
five consumers has had an error on their report. So there were 
already issues with them. There were already things that they 
knew that this could be a possibility, and what did they do? 
They ignored it. That is unacceptable.
    So, let me ask you, what do you think about putting a 
penalty in where the Equifaxes or future Equifaxes would have 
to pay that? And what should that number be? Should it be 
$1,000, should it be $5,000, should it be a greater number?
    Ms. Wu?
    Ms. Wu. Well, thank you, Congresswoman Beatty, and thank 
you for the question. And I completely agree there should be 
some sort of penalty when companies lose our data. You know, it 
is unacceptable. And in addition to the types of damages that 
Ms. Cable talked about, in terms of freezes and lifting, there 
is time spent, there is aggravation, there is being upset that 
your information is out there with thieves and you are 
potentially a victim next.
    And that should all be compensated. You know, the maximum 
statutory damages under the Fair Credit Reporting Act is 
$1,000. That was 40 years ago. It probably should be a lot 
greater than that.
    Mrs. Beatty. So should we be looking at legislation to make 
that number more in line with today's cost of living?
    Ms. Wu. Well, certainly increasing the statutory damages is 
something we would be in favor of. And as you know, there was 
the bill just the same day that Equifax announced its breach, 
there was a hearing on a bill to reduce those damages under the 
Fair Credit Reporting Act.
    Mrs. Beatty. Well, I think my time is up. So, Mr. Chairman, 
I yield back.
    Mr. Rothfus. The gentlewoman yields back. The Chair 
recognizes the Ranking Member for unanimous consent requests.
    Ms. Waters. Thank you very much. I have a number of them, 
Mr. Chairman. I have 31 communications in support of 3755, the 
Comprehensive Consumer Credit Reporting Reform Act. We have--
    Mr. Rothfus. Without objection.
    Ms. Waters. --thank you--testimony that was written and sent 
to us today from Consumers Union.
    Mr. Rothfus. Without objection.
    Ms. Waters. Two such documents.
    Mr. Rothfus. Without objection.
    Ms. Waters. I have ``Equifax Grip on Mortgage Data Squeezes 
Smaller Rivals'' from the New York Times.
    Mr. Rothfus. Without objection.
    Ms. Waters. From Salon, I have a communication.
    Mr. Rothfus. Without objection.
    Ms. Waters. ``Equifax Grip on Mortgage Data Squeezes 
Smaller Rivals,'' another one from the New York Times.
    Mr. Rothfus. Without objection.
    Ms. Waters. Written questions for the record submitted by 
Democratic members for October 5th, Equifax hearing.
    Mr. Rothfus. Without objection.
    Ms. Waters. Written statement asked to be submitted by FICO 
to this hearing.
    Mr. Rothfus. Without objection.
    Ms. Waters. Press statement was released from CFPB, 
``Supervisory Highlights Focused on Problems Discovered with 
Credit Bureaus.''
    Mr. Rothfus. Without objection.
    Ms. Waters. Written statements for the record from the 
first Equifax hearing on October 5th.
    Mr. Rothfus. Without objection.
    Ms. Waters. And information on CFPB's website about ID 
theft tools available to consumers.
    Mr. Rothfus. Without objection.
    Ms. Waters. Thank you very much. I yield back.
    Mr. Rothfus. There being no members remaining to question 
the panel, this concludes today's hearing. Without objection, 
all members will have 5 legislative days within which to submit 
additional written questions for the witnesses to the Chair, 
which will be forwarded to the witnesses for their response. I 
ask our witnesses to please respond as promptly as you are 
able.
    This hearing is adjourned. Thank you.
    [Whereupon, at 3:42 p.m., the committee was adjourned.]

                            A P P E N D I X



                            October 25, 2017