[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
EXAMINING THE EQUIFAX DATA BREACH,
CONTINUATION
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
OCTOBER 25, 2017
__________
Printed for the use of the Committee on Financial Services
Serial No. 115-50
______
U.S. GOVERNMENT PUBLISHING OFFICE
30-339 PDF WASHINGTON : 2018
HOUSE COMMITTEE ON FINANCIAL SERVICES
JEB HENSARLING, Texas, Chairman
PATRICK T. McHENRY, North Carolina, Vice Chairman MAXINE WATERS, California, Ranking Member
PETER T. KING, New York CAROLYN B. MALONEY, New York
EDWARD R. ROYCE, California NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma BRAD SHERMAN, California
STEVAN PEARCE, New Mexico GREGORY W. MEEKS, New York
BILL POSEY, Florida MICHAEL E. CAPUANO, Massachusetts
BLAINE LUETKEMEYER, Missouri WM. LACY CLAY, Missouri
BILL HUIZENGA, Michigan STEPHEN F. LYNCH, Massachusetts
SEAN P. DUFFY, Wisconsin DAVID SCOTT, Georgia
STEVE STIVERS, Ohio AL GREEN, Texas
RANDY HULTGREN, Illinois EMANUEL CLEAVER, Missouri
DENNIS A. ROSS, Florida GWEN MOORE, Wisconsin
ROBERT PITTENGER, North Carolina KEITH ELLISON, Minnesota
ANN WAGNER, Missouri ED PERLMUTTER, Colorado
ANDY BARR, Kentucky JAMES A. HIMES, Connecticut
KEITH J. ROTHFUS, Pennsylvania BILL FOSTER, Illinois
LUKE MESSER, Indiana DANIEL T. KILDEE, Michigan
SCOTT TIPTON, Colorado JOHN K. DELANEY, Maryland
ROGER WILLIAMS, Texas KYRSTEN SINEMA, Arizona
BRUCE POLIQUIN, Maine JOYCE BEATTY, Ohio
MIA LOVE, Utah DENNY HECK, Washington
FRENCH HILL, Arkansas JUAN VARGAS, California
TOM EMMER, Minnesota JOSH GOTTHEIMER, New Jersey
LEE M. ZELDIN, New York VICENTE GONZALEZ, Texas
DAVID A. TROTT, Michigan CHARLIE CRIST, Florida
BARRY LOUDERMILK, Georgia RUBEN KIHUEN, Nevada
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
TREY HOLLINGSWORTH, Indiana
Kirsten Sutton Mork, Staff Director
CONTENTS
----------
Page
Hearing held on:
October 25, 2017............................................. 1
Appendix:
October 25, 2017............................................. 27
WITNESSES
Wednesday, October 25, 2017
Cable, Sara, Director, Data Privacy and Security, Assistant
Attorney General, Consumer Protection Division, Office of
Attorney General, Commonwealth of Massachusetts................ 4
Litt, Mike, Consumer Advocate, U.S. Public Interest Research
Group.......................................................... 8
McGee, Kathleen, Chief, Bureau of Internet and Technology,
Division of Economic Justice, Office of the New York State
Attorney General............................................... 5
Moy, Laura, M., Deputy Director, Center on Privacy and
Technology, Georgetown University Law Center................... 7
Wu, Chi Chi, Staff Attorney, National Consumer Law Center........ 6
APPENDIX
Prepared statements:
Cable, Sara.................................................. 28
Litt, Mike................................................... 90
McGee, Kathleen.............................................. 99
Moy, Laura, M................................................ 103
Wu, Chi Chi.................................................. 124
Additional Material Submitted for the Record
Waters, Hon. Maxine:
Letter from VantageScore..................................... 137
New York Times article entitled, ``Equifax Grip on Mortgage
Data Squeezes Smaller Rivals''............................. 142
Written questions for the record submitted by Democratic
members for October 5, 2017 Equifax hearing................ 146
Press statement from CFPB entitled, ``Supervisory Highlights
Focused on Problems Discovered with Credit Bureaus''....... 160
Written statements for the record from the first Equifax
hearing on October 5th..................................... 163
Information about ID theft tools available to consumers on
CFPB's website............................................. 171
EXAMINING THE EQUIFAX DATA BREACH,
CONTINUATION
----------
Wednesday, October 25, 2017
U.S. House of Representatives,
Committee on Financial Services,
Washington, D.C.
The committee met, pursuant to notice, at 2 p.m., in room
2128, Rayburn House Office Building, Hon. Ted Budd [member of
the committee] presiding.
Present: Representatives Rothfus, Mooney, Budd, Waters,
Maloney, Sherman, Meeks, Capuano, Clay, Scott, Green, Ellison,
Perlmutter, Himes, Foster, Kildee, Sinema, Beatty, Heck,
Gottheimer, Gonzalez, Crist, and Kihuen.
Mr. Budd [presiding]. The committee will come to order.
Without objection, the chair is authorized to declare a recess
of the committee at any time, and all members will have 5
legislative days within which to submit extraneous materials to
the chair for inclusion in the record. Pursuant to clause D-5
of rule three of the Committee on Financial Services, this
additional hearing day has been scheduled with reference to
October 25th, 2017, full committee hearing entitled ``Examining
the Equifax Data Breach.''
The Chair now recognizes the Ranking Member of the
committee, the gentlelady from California, for 4 minutes for an
opening statement.
Ms. Waters. Thank you very much, Mr. Chairman.
And thank you to all of the witnesses who are here today to
better understand the causes and impact of the massive data
breach at Equifax. To the State government experts and consumer
advocates here to testify today, I want to thank you for being
here.
Unfortunately, the CEOs of each of these three major credit
bureaus have refused to attend this hearing. It is particularly
troubling that since the massive breach, Equifax has yet to
send an executive to testify before Congress who actually has
the ability to examine all the issues with our broken credit
reporting system. Committee Democrats requested this minority
day hearing and invited the chief executive officers of
Equifax, Experian, and TransUnion, which are the three
nationwide consumer reporting agencies in this country, as well
as a group of senior staff from legal authority to commit the
company to future action.
Equifax has badly mishandled virtually every aspect of this
breach. They failed to update a known software vulnerability
for several weeks. They failed to properly notify law
enforcement agencies, as required by many State data breach
laws and regulations, and even in announcing to the public
about the breach, failed to provide consumers with the tools
they needed to safeguard against identity theft and other harm
that could be caused by the unauthorized exposure of their
sensitive financial and personally identifiable information for
free.
But Equifax isn't the only major credit bureau to have
faced a major cyberattack. About 2 years ago, Experian, one of
the other major bureaus, also had a breach that exposed
millions of T-Mobile customers' information. Yet the head of
Experian also declined to come to testify today.
These security breaches at the major credit bureaus are
just one of the many problems within the credit reporting
industry. That is why I have long called for a complete
overhaul of the entire credit reporting system, and I recently
introduced H.R. 3755, the Comprehensive Consumer Credit
Reporting Reform Act. My bill shifts the burden of removing
mistakes from credit reports onto the credit bureaus and
furnishers--away from consumers--limits credit checks for
employment purposes, and reduces the time period that negative
items stay on credit reports, among many other key reforms.
It is clearly time for us to fix the vast problems within
the credit reporting sector. There is enormous concern and
frustration from consumers across the country about the lack of
control they have over how these companies collect, maintain,
and sell consumer data.
It is time for us to ensure there are adequate measures to
hold these firms accountable for their business practices. And
I find it unacceptable that the three major credit bureaus have
still failed to take even the most basic steps to protect
consumers after this latest massive breach by immediately
providing all consumers with free credit freezes.
If executives at the three nationwide consumer reporting
agencies are watching this hearing today, I want them to know
that the days of their companies being able to operate with
impunity are now over. I thank you, and I yield back the
balance of my time.
Mr. Budd. Gentlelady yields back.
The Chair now recognizes the gentleman from Michigan, Vice
Ranking Member Mr. Kildee, for 1 minute.
Mr. Kildee. Thank you, Mr. Chairman.
And thank you to the Ranking Member for organizing this
important hearing. This breach, the Equifax breach should never
have happened. Because of unacceptable security lapses, Equifax
exposed the personal information of over 145 million Americans.
For a company whose very business involves the collection
of America's most personal financial information, it is almost
inconceivable that this major breach occurred. And I know I am,
and other members of this committee, are very concerned with
potential insider trading by several high-level Equifax
executives, and we have requested the SEC (Securities and
Exchange Commission) to fully investigate these actions.
Even worse than the breach itself, or the potential insider
trading, has been how Equifax treated the American public and
its customers since this breach was exposed. Weeks passed
between the discovery of this breach and when it was disclosed
to the public, yet Equifax was completely unprepared to address
the concerns of Americans.
I am grateful that we are having this hearing today to see
how we can move forward and make sure this does not happen
again and to do what we can to help the over 145 million
Americans impacted. Thank you, and I yield back.
Mr. Budd. Gentleman yields back.
The Ranking Member is recognized for 4 minutes to introduce
the panel of witnesses.
Ms. Waters. Thank you very much, Mr. Chairman.
And welcome to all of our witnesses today. First I would
like to introduce Sara Cable. Ms. Cable is an Assistant
Attorney General and the Director of Data Privacy and Security
in the Consumer Protection Division of the Massachusetts
Attorney General's Office as an Adviser to Attorney General
Healey and her chief of staff.
Ms. Cable leads the office's data privacy and security
enforcement and advocacy efforts. Ms. Cable oversees the
office's review of thousands of data security incidents each
year and leads several investigations of data security and
privacy matters affecting the financial, health care,
insurance, legal, and retail sectors.
And then there is Kathleen McGee. Ms. McGee is presently
the Chief of the Bureau of Internet and Technology for the
Office of the New York State Attorney General. The bureau is
responsible for the enforcement of New York's privacy, data
security, and consumer protection laws in the online and
technology environment, as well as for enforcement of New
York's data breach notification laws. The bureau investigates a
wide range of issues affecting the tech space, including
privacy violations, data security breaches, online safety,
native advertising, deception, and fraud.
Then there is Chi Chi Wu. Ms. Wu is a Staff Attorney at
National Consumer Law Center (NCLC), where her specialties
include fair credit reporting, credit cards, tax-related
consumer issues, and medical debt. She frequently serves as a
resource for policymakers and the media on consumer credit
issues. Ms. Wu is the lead author of the NCLC treatise Fair
Credit Reporting Act and has been advocating for a reform of
the credit reporting system for over a decade.
And then there is Laura Moy. Ms. Moy is the Deputy Director
of the Center on Privacy and Technology at Georgetown Law. She
is a public interest advocate who writes and speaks on a number
of technology policy issues, including consumer privacy and law
enforcement surveillance. Ms. Moy has testified previously
before this committee, and we are pleased she is here with us
again today.
Mike Litt--last, but certainly not least--Mr. Litt is a
national consumer advocate for the U.S. Public Interest
Research Group (PIRG), an organization that advocates for the
interest of American consumers and stands up against power
interests when they push the other way. He is a leading voice
on credit freezes and identity theft prevention and has co-
authored a number of valuable resources on the topic.
Again, I want to welcome all of our witnesses to today's
hearing and thank you for being here today. I yield back the
balance of my time.
Mr. Budd. Gentlelady yields back.
Ms. Cable, you are recognized for 3 minutes to give an oral
presentation of your testimony.
STATEMENT OF SARA CABLE
Ms. Cable. Thank you.
Good afternoon, Chairman, Ranking Member Waters,
distinguished members of the committee. Thank you for inviting
me to testify today.
My name is Sara Cable. I am an Assistant Attorney General
in the Massachusetts Attorney General's Office and Director of
Data Privacy and Security in its Consumer Protection Division.
On September 19th, our office filed the first State civil
enforcement action against Equifax. Our goal with our suit is
to hold the company accountable for the harm it caused nearly 3
million of our consumers, approximately half of the adult
population of our State, harm that, in our view, Equifax could
have and should have prevented.
We sued Equifax under our State Consumer Protection Act and
our Data Breach and Data Security Laws, which are recognized as
among the strongest in the Nation. We allege that this breach
was foreseeable and preventable, but that Equifax failed to
develop, implement, and maintain reasonable safeguards required
by Massachusetts law to protect the sensitive personal data of
the consumers it held in its systems, and presumably off which
it profited.
Because my time is short, I want to highlight one key point
for the committee. While the Equifax breach may be notable for
its scope and impact, it is not unique. Our experience strongly
suggests to us that businesses large and small are not doing
what they need to be doing to protect consumers' information
from foreseeable threats.
Over the last 10 years, since the Massachusetts Data Breach
Notice Law went into effect, our office has received notice of
over 19,000 data breach incidents impacting Massachusetts
residents. In 2016 alone, we received notice of over 4,000 data
breaches. This is 25 percent more than in 2015 and a nearly
tenfold increase from 2008, the first full year that our breach
law went into effect.
Now, with this kind of volume, we can't possibly
investigate every single breach. And I think it is worth noting
that just because a company is breached does not necessarily
mean that it did anything wrong or that it failed to have
reasonable safeguards in place. But for the ones into which we
take a closer look, it suggests to us that many of these
breaches could have been prevented through reasonable, and
indeed basic, security safeguards.
To this day, we continue to see breaches impacting entities
in every sector that result from the failure to employ basic
security safeguards in compliance with Mass law. And just some
of these are companies that don't even have a written
information security program, much less follow the one that
they have; companies that cut corners by using outdated and
unsupported software; or companies hoarding vast amounts of
sensitive consumer data in their network without a present or
contemplated business need and leaving it unsecured.
Now, to be sure, there are entities that do it right, but
we are seeing far too often that entities are not treating
consumers' information like the valuable asset it is. And that
is even with the constant drumming of headlines about the risks
of data breach incidents.
And I will conclude to note that, in the case of Equifax,
which was subject to both State and Federal law, even that law
as it exists today was not enough to prevent this breach. And I
would submit that any law that is proposed that is weaker than
the law that we currently have today is worse than doing
nothing for consumers.
Thank you very much.
[The prepared statement of Ms. Cable can be found on page
28 of the Appendix.]
Mr. Budd. Thank you.
Ms. McGee, you are now recognized for 3 minutes to give an
oral presentation of your testimony.
STATEMENT OF KATHLEEN MCGEE
Ms. McGee. Thank you, Mr. Chairman, Madam Ranking Member,
and other distinguished committee members.
I am Kathleen McGee, Chief of the Bureau of Internet and
Technology at the New York State Office of the Attorney
General, Eric T. Schneiderman. Thanks for the opportunity to
testify today.
After learning about the Equifax breach, our office
immediately launched an investigation. And while I cannot share
the details of that ongoing investigation, suffice it to say,
we are getting to the bottom of the Equifax breach and are
working to ensure credit bureaus protect the sensitive consumer
data that they hold.
States have had a central role in protecting consumers and
their data for nearly 2 decades, as my written statements
detail more fully. But in these remarks, I would like to make a
few points regarding any Federal legislation.
First, law must keep pace with the ever increasing rate of
technological change. States have proven the ability to act
quickly in that regard, and Congress should not limit States'
ability to innovate in this area.
Second, when it comes to enforcement, States occupy a
leading role and must continue to do so. States together play a
big role after major breaches like Target or Equifax, but less
well-known are actions taken in response to smaller breaches
that occur in the hundreds each year in New York and other
States. Even under the best of circumstances, it is unlikely a
Federal agency would be as responsive as the States to breaches
involving local business and relatively small numbers of local
consumers.
These breaches may be smaller, but the victims are no less
in need of law enforcement protection. Smaller breaches are the
rule, not the exception.
I respectfully urge this committee to ensure that any data
security or breach legislation meets the following
requirements, which we consider vital to protecting consumer
data. First, any bill should not preempt State law. Indeed, it
should expressly set a floor, not a ceiling on data security
and breach response standards.
Second, as with many other Federal consumer protection
laws, Federal data security requirements must be enforceable by
States, as well. And any Federal penalties must be recoverable
by the States, as well.
Third, if preemption is contemplated, the language must be
drawn very carefully to avoid unintended consequences. Broad
preemption language might be interpreted to set aside laws that
concern personal privacy or computer crimes, causing serious
public harm.
In the meantime, as this body considers legislation and
States continue to innovate, our office will continue to
enforce data security protections on behalf of New Yorkers and
to work with New York State's lawmakers to update our own
protections. We very much appreciate your committee's efforts.
And I thank you for your time today.
[The prepared statement of Ms. McGee can be found on page
99 of the Appendix.]
Mr. Budd. Thank you.
Ms. Wu, you are now recognized for 3 minutes to give an
oral presentation of your testimony.
STATEMENT OF CHI CHI WU
Ms. Wu. Mr. Chairman, Ranking Member Waters, and members of
this committee, thank you for inviting me to testify today.
I am testifying on behalf of the low-income clients of the
National Consumer Law Center. NCLC has long advocated for the
need to reform the U.S. credit reporting system. We have
testified many times before Congress about the unacceptable
error levels in credit reports--one in five consumers, with one
in 20 having very serious errors--and the Kafkaesque methods
that these companies use to handle disputes, creating an
automated version of voicemail hell and always siding with the
creditor or debt collector that provided the wrong information.
These inaccuracies, the barriers consumers face in trying
to fix errors, and the Equifax data breach all stem from the
same origin: A corporate culture of impunity and arrogance,
which you can also see by the fact that all three credit bureau
CEOs failed to show up today.
By now, you have probably heard the refrain that American
consumers are not the customer, but rather the commodity of
credit reporting agencies. We can't vote with our feet; we are
captives. As a result, the credit reporting agencies get away
with all sorts of abuses, cutting corners in personnel and
systems, and failing to invest in doing things right.
A March 2017 report from the Consumer Financial Protection
Bureau (CFPB) documented these issues, prompting Director
Cordray to remark, ``We were surprised to find that their
quality control systems were either rudimentary or virtually
nonexistent.''
Now, a data company that underinvests in quality control
for accuracy and compliance is likely to be the same company
that will underinvest in information security. It all stems
from the same attitude, ``Let's just see how much we can cut
costs.'' And Equifax is not alone. We think Experian and
TransUnion suffer from similar cultures.
So what is to be done? One suggestion has been to give
authority to the Consumer Bureau under the Gramm-Leach-Bliley
Act to supervise for data security. And we completely agree
with that. But just as critically, we believe Congress should
enact wider reforms of the credit reporting industry.
That is why we strongly support H.R. 3755 and we thank
Ranking Member Waters for introducing it. H.R. 3755 would
vastly improve the broken credit reporting system, increase
accuracy, and help victims of abusive lending and overly
punitive negative reporting practices.
Another reform we need is free security freezes. Victims
of Equifax's negligence shouldn't have to pay to protect
themselves from the threat of ID theft. Equifax and TransUnion
have offered free credit locks, but a lock isn't the same as a
freeze. A lock isn't required by law so there is limited
recourse if something goes wrong. Plus, Equifax and TransUnion
could stop offering free locks at any moment. Also,
TransUnion's lock requires consumers to agree to forced
arbitration and receive targeted advertising.
And by the way, last night's Senate vote nullifying the
bureau's arbitration rule is only going to increase the culture
of arrogance and impunity. And Experian isn't even offering
free locks or free freezes.
Thank you for the opportunity to testify and I look forward
to your questions.
[The prepared statement of Ms. Wu can be found on page 124
of the Appendix.]
Mr. Budd. Thank you.
Ms. Moy, you are now recognized for 3 minutes to give an
oral presentation of your testimony.
STATEMENT OF LAURA MOY
Ms. Moy. Good afternoon, Mr. Chairman, Ranking Member
Waters, and the members of the committee. Thank you so much for
inviting me to testify.
Consumers are frustrated, as I think many members of this
committee are. We lack control over what happens with data
about us. We lack control over who has access to information
that we should be able to control: Information about our
finances, health, and families; information about things we do
in the supposed privacy of our own homes; information about
where we go, who we speak to, and what we think; information
that can be used to steal our identities, ruining our finances,
and maybe even our employment.
Congress cannot lead from behind in protecting consumers. A
breach of sensitive data is a bell that cannot be un-rung.
Consumers need better control and protections, closer
regulatory oversight, stronger enforcement, and greater
incentives for companies to do the absolute best they can to
protect our information.
And companies can do much better. The massive Equifax
breach happened over the course of months because the company
failed to patch a critical system vulnerability about which it
had ample notice and failed to detect the breach once it was
underway.
I urge this committee to give full consideration to the
policy recommendations advanced by my fellow witnesses today.
In my limited time, I would like to offer a few key points.
First, I agree with my co-panelists that preemption of
State law is not the answer. States are the engines of reform,
and State laws on data security, medical identity theft, and
protection of biometric data are some examples of some of the
critical innovations happening at the State level.
Federal legislation in this area should set a floor, not a
ceiling, to allow for critically important State laws,
especially those on data security and breach notification. But
Federal legislation is needed. Federal legislation should avoid
a so-called harm trigger that limits protection to potential
financial harm.
The breach of personal information is a serious harm in its
own right. And consumers may suffer serious emotional or even
physical harms or misuses of their personal information. Harm
is not limited to financial harm alone.
Federal legislation must also be sufficiently flexible so
it covers information that is captured by emerging technology.
We can't always forecast the next big threat, but
unfortunately, we know that there will be one. Whether by
continuing to allow States to increase protections on their own
or establishing agency rulemaking authority to define covered
information moving forward, Federal legislation must provide
flexibility to meet new threats.
Federal legislation should also include robust enforcement
authority for both Federal and State regulators. Given the
thousands of data breaches, and you just heard some of those
numbers, in the thousands of data breaches reported each year,
Federal authorities alone cannot protect consumers. State
attorneys general and other State regulators must play a
critical role.
Thank you, and I look forward to your questions.
[The prepared statement of Ms. Moy can be found on page 103
of the Appendix.]
Mr. Budd. Thank you.
Mr. Litt, you are now recognized for 3 minutes to give an
oral presentation of your testimony.
STATEMENT OF MIKE LITT
Mr. Litt. Thank you, Mr. Chairman, Ranking Member--as a
consumer advocate for U.S. PIRG, I appreciate the opportunity
to discuss next steps after the Equifax breach. Equifax still
has not provided or even clearly explained what is needed to
fully protect consumers.
Once your information has been stolen, there is only one
kind of ID theft that can be stopped before it happens. That is
where somebody opens a credit account in your name. The way to
prevent that is by blocking access to your credit reports with
all three credit bureaus.
It is beyond time for all consumers to have the right by
law to control access to their credit reports with free credit
freezes.
In my written testimony, I explained how Equifax's
TrustedID Premier product fails to fully protect consumers. I
also highlight concerns with its forthcoming lifetime lock.
Locks and freezes appear to function similarly in that they
block access to your credit report. The bottom line is freezes
are better because they are a right by law and not conditional
on terms set by the credit bureaus.
Also, creditors run credit checks with any one or a
combination of credit bureaus, so it is important that you
block access to your credit reports at all three bureaus.
Getting a lock or a freeze at just one but not the others is
basically like locking your front door, but leaving your garage
and back doors wide open.
All 50 States and D.C. have their own laws governing fees
for freezes, temporary lifts, and permanent removals. There are
approximately 158 million consumers in 42 States that must pay
a fee between $3 to $10 per bureau. We did not give the credit
bureaus permission to collect our information or sell it or, in
the case of Equifax, to lose it. So why do we have to pay to
control access to our reports?
The PIRG has helped pass the first State freeze laws. Now
we support Federal legislation that would set free freezes for
all Americans as the floor. We also support legislation that
would require freezes to be placed within 15 minutes of online
and phone requests, as is the law in 10 States and D.C. States
should be allowed to find even more ways of giving consumers
control over access to their own reports. Federal legislation
should not preempt or replace existing stronger State laws for
privacy, breach notification, or data security, either.
We also strongly support H.R. 3755, introduced by Ranking
Member Waters. While the transfer of Fair Credit Reporting Act
responsibilities to the consumer bureau has jumpstarted the
compliance efforts of the big three credit bureaus, this bill
will give required improvements.
Thank you for your attention and for the opportunity to
present my testimony.
[The prepared statement of Mr. Litt can be found on page 90
of the Appendix.]
Mr. Budd. Thank you.
The Chair now recognizes the distinguished Ranking Member,
Ms. Waters, for 5 minutes.
Ms. Waters. Thank you very much, Mr. Chairman.
It is unfortunate that the three CEOs for the major credit
reporting agencies rejected the opportunity to discuss their
business model and what actions Congress should consider in the
wake of the Equifax data breach to better oversee the use of
consumer data.
So let me ask each of the panelists: Do consumers have
sufficient control over the existing use of, and
commercialization of, their data collected, maintained, and
compiled by the largest consumer reporting agencies and other
businesses? Let me just go down the line, start with Ms. Cable.
Do they?
Ms. Cable. Sure, thanks for the question. I would submit,
no, they don't.
Ms. McGee. I would submit that was a rhetorical question.
No, they don't.
Ms. Waters. Ms. Wu?
Ms. Wu. Absolutely not. They need more control and
protection.
Ms. Waters. Ms. Moy?
Ms. Moy. Absolutely not. And they are frustrated and asking
for more.
Ms. Waters. Mr. Litt?
Mr. Litt. Absolutely not. They need that control.
Ms. Waters. OK. I would like to go back to each of you and
ask you if you could briefly mention maybe one action Congress
should take with respect to the oversight of consumer reporting
agencies, to empower consumers to have better control of their
personal information? Just one thing, each of you, starting
with Ms. Cable.
Ms. Cable. I could say under State law in Massachusetts,
our legislators have proposed a bill that would require
entities seeking a credit report to get the consumer's written
consent before they do so.
Ms. Waters. All right.
Ms. McGee. I think New York's big focus here is on
transparency and acknowledgment that the consumer understands
what data is being collected about her and how it is being
used.
Ms. Waters. Thank you.
Ms. Wu?
Ms. Wu. We would advocate for free credit freezes or even
freezes by default, also a strong Consumer Financial Protection
Bureau and the ability of the bureau to supervise for data
security.
Ms. Waters. Ms. Moy?
Ms. Moy. I think that many companies know what they ought
to be doing on data security and they are not doing it. And I
think that we need stronger enforcement authority accompanied
by civil penalties.
Ms. Waters. OK. Mr. Litt?
Mr. Litt. It is time for consumers across the entire
country to have the right to control access to their credit
reports with free credit freezes.
Ms. Waters. Thank you so very much.
I think Ms. Wu mentioned that you are familiar with the
bill that I introduced. And we tried to address those issues,
each of those issues that you have identified.
I have one other that concerns me greatly, and that is the
use of this data, individuals' data in employment efforts that
are being made. An individual applies for a job and the job
requires that they check their credit, that their credit be
checked. Do you think that credit information should be used in
employment efforts?
Ms. Wu?
Ms. Wu. I do not think credit reports should be used in
employment, except for very, very, very narrow circumstances. I
absolutely support the provision in H.R. 3755 to severely
restrict the use of credit reports in employment. It is
bizarre. Somebody loses their job, they can't pay their bills,
and their inability to pay their bills means they can't get
another job. And credit has nothing to do with your ability to
perform a job.
Ms. Waters. Thank you.
And let me ask Ms. McGee. We have tried to reduce the time
that negative information stays on your credit report. What do
you think about that?
Ms. McGee. We support that. We supported that provision in
the National Consumer Assistance Plan that we agreed upon with
the three credit reporting agencies. And we see that H.R. 3755
provides some very robust protections with respect to
consumers. We support that.
Ms. Waters. Thank you.
Ms. Moy, what else can we do to ensure that consumers have
access to their credit information? How often should they be
able to get it? How should the bureaus respond to the request
for information that they have collected on you?
Ms. Moy. So I agree with what others have said, that
freezes ought to be something that consumers can have on an
ongoing basis and for free. I also think that while one credit
report annually is a place to start, I think that--particularly
if credit reports are being accessed by folks, by entities
without the consent of the consumer, and particularly if they
are being accessed for purposes such as employment--then
consumers ought to have access to their credit report on an
ongoing basis, not just a view into it once a year.
Ms. Waters. Thank you.
Mr. Litt, many people are wondering what they can do to
protect themselves who are victims of the breaches that have
taken place. What about credit freezes? Should they be charged?
And if they are charged, how long should that charge continue,
like with Equifax?
Mr. Litt. Yes, consumers should not be charged to have
access to their own credit reports or to control access to
their own credit reports, which is really the only way to
protect yourself from new account identity fraud, which is the
only kind of identity theft that can actually be prevented once
your information is out there. Unfortunately, there are far too
many Americans who have to pay a fee between $3 to $10 per
bureau, and that should stop.
Ms. Waters. Thank you.
I yield back the balance of my time.
Mr. Budd. Chair now recognizes the gentlelady from New
York, Mrs. Maloney, for 5 minutes.
Mrs. Maloney. Thank you. I want to thank the Ranking Member
for looking out for consumers and calling this important
Oversight Committee.
I would first like to ask Ms. Wu, as you know, one of the
reasons why the Equifax breach was so bad was that the
information that was stolen included the Social Security
numbers and the date of birth for over 145 million people. That
is half the population of this country.
And both of these materials are critical pieces of
identification that cannot be changed. And this is a huge
problem for 145 million people.
Now, some people have suggested that we should move away
from using the Social Security numbers as a key piece of
identifying information and start using unique ID numbers that
are more easily changeable. Do you think that would be helpful?
And if so, what do you think should be in charge of coming up
with new ID numbers that would replace Social Security numbers?
And that is the question for Ms. Wu.
Ms. Wu. Thank you for the question Congresswoman Maloney.
The fundamental issue with the case of the Social Security
Number is it is used as a verifier, not as an identifier, or
both as a verifier and an identifier. It is like using your e-mail
address as your password. That number shouldn't be serving
two roles.
You do need a number, some sort of identifier number for
credit reports--just make sure you've got the right person. And
in fact, what we have criticized credit reporting agencies for
years was using partial Social Security numbers to match people
because that results in things like mixing two people's credit
files up.
But you do need better ways to verify that someone is who
they say they are. And, I suggest that an entity like the
Consumer Bureau is a good one to start figuring out those
issues.
Mrs. Maloney. OK, thank you.
Now, as you know, Equifax was covered by the Fair Trade
Commission Safeguards Rule, and this is intended to ensure the
security and confidentiality of this sensitive information.
Now, I happen to think that Safeguards Rule is one of the
strongest data security rules out there.
It is the same rule that banks and credit unions are
subject to and has largely been successful since it was first
established by this body in 2002. And I think Equifax blatantly
violated the Safeguards Rule by not having an information
security system in place that can identify reasonably
foreseeable risks.
And in this case, they were notified. They were notified by
the Homeland Security Department that there was this type of
weakness in the system. The other two groups caught it. They
didn't even bother to correct it.
So I want to ask you, if the Safeguards Rule had been
properly enforced and implemented by the FTC, then the Equifax
hacks shouldn't have happened in the first place. But it is
also possible that we need to look at updating the Safeguards
Rule in light of the breach.
So, Ms. Moy, and I would like to follow it with Mr. Litt,
what are your thoughts on this? Do you think we need to update
the Safeguards Rule or do you think we just need to ensure that
the rule is properly enforced? Obviously, Equifax did not
enforce this rule even when they were notified that this type
of breach would happen.
So, first, Ms. Moy, and then I would like Mr. Litt to
answer, too.
Ms. Moy. Thank you. That is an excellent question. And, as
I said before, I think a lot of times companies know what they
need to do and they are just not doing it. And it seems that
that was in fact a case with the Equifax breach. As you
mentioned, they were notified of the critical vulnerability in
Apache Struts back in March and failed to, by DHS.
But I will just say I do think that it is time to take a
look, at least, at updating the Safeguards Rule. For example,
it could explicitly mention encryption.
Mrs. Maloney. Yes or no, because my time is running out,
Mr. Litt, should we update the Safeguards Rule?
Mr. Litt. Yes, we should finish updating the Safeguards
Rule.
Mrs. Maloney. OK. Now, I would also like to ask you, in
light of Equifax's decision to wait a full 6 weeks to notify
the public of the breach, do you think that part of the problem
is that there is no explicit data breach notification provision
or requirement in the Gramm-Leach-Bliley Act?
Mr. Litt. We believe that any kind of Federal legislation
would need to set a floor and not preempt stronger existing
State laws.
Mrs. Maloney. OK. Ms. Moy, what do you think?
Ms. Moy. So I think many consumers do feel at the point
where they get notification, it is too late. That said, I do
think that folks ought to know that their information was
breached.
Mrs. Maloney. My time is expired. Thank you very much.
Mr. Budd. Thank you.
The Chair now recognizes the gentleman from California, Mr.
Sherman, for 5 minutes.
Mr. Sherman. Mr. Chairman, we have had a tradition in this
committee room of every Republican member putting the national
debt clock up while they had their time. Earlier today, that
seems to have been suspended, and the only member to put up the
national debt clock during hearings we had earlier today was
myself.
Are you familiar as to why this change was made? Does it
have anything to do with a budget resolution we are voting on
tomorrow that will add a couple of trillion dollars to that
debt clock?
I yield to the Chairman.
Mr. Budd. I yield without comment back to the gentleman
from California.
Mr. Sherman. The gentleman's response is instructive. In an
effort to stay true to Chairman Hensarling's commitment to a
balanced budget, I will continue to have the national debt
clock up during my 5 minutes. Not that I don't think the
graphics presented by our Ranking Member aren't excellent, I
know that they will be up during much of today's hearing.
I will point out I have added two things that I would
commend to Chairman Hensarling. One is to add to the fact that
the Republican tax cut will add $150 billion to $200 billion.
And this committee has played a role in pressuring the Fed to
abandon quantitative easing, and that will add another $80
billion to $100 billion a year to our national debt. So while
the flame of fiscal responsibility may have been blown out of
one side of the room, the flame continues to flicker on this
side.
Mr. Litt, people are talking about locking versus freezing.
And you pointed out that if you are going to do either, you
have to do it with all three credit rating agencies. Equifax
says they will do one for free. Will they pay the fee, though,
to the other two credit rating agencies to lock or freeze your
credit? Or is that on the consumer?
Mr. Litt. Disappointingly, they have not said whether they
will do that or not, and they are calling on TransUnion and
Experian to offer free locks. And so they are not paying for
that.
Mr. Sherman. OK, so they are the ones that screwed up.
Mr. Litt. Exactly.
Mr. Sherman. So their competitors should pay the cost. My
God, it is as if my locksmith lost my key and he will provide a
new lock to my front door, and then he calls upon competing
locksmiths to provide me with a replacement for my back and
side doors. That is amazing.
I will ask the representative for the New York Attorney
General's Office, is there an effort to hold Equifax
accountable and sue them for whatever consumers have to pay, or
better yet, to establish a fund that would fund consumers
locking or freezing their credit with the other two agencies?
Ms. McGee. As I mentioned earlier, we are pursuing an
investigation, so I am not going to comment on relief that we
might seek, except to say that we are seeking full relief for
New York consumers as Massachusetts is seeking full relief for
their consumers. And we are looking at the full system. We have
publicly called in Equifax and their competitors, as well, to
understand the system better and to see whether or not there
could be structural changes.
Mr. Sherman. Thank you. So as soon as Mr. Hensarling will
cosponsor the bill, I will introduce legislation to say that if
you have a data breach where you have even advised people that
they need to buy three locks, that you have to provide one of
the locks for free and pay for the other two.
To say that Equifax should call upon its competitors to do
this for free, perhaps there could be some reduced cost, but as
things stand now, though, Mr. Litt, if I want to implement
Equifax's suggestions, I go to Equifax and I freeze or lock my
file, and then I pay money out of my own pocket to freeze or
lock at the other two agencies. Is that correct?
Mr. Litt. That is right.
Mr. Sherman. I yield back.
Mr. Budd. Chair now recognizes the gentleman from New York,
Mr. Meeks, for 5 minutes.
Mr. Meeks. Thank you, Mr. Chairman.
You know, indeed, this is a sad day, I think, for
consumers. Let me start out that way. I have to start out by
saying, first, I am disappointed but not surprised at all, even
though it is not directly related to this hearing, that my
Republican colleagues in the Senate along with the assistance
of the Vice President of the United States and the White House
decided to roll back consumers' access to the courts in favor
of the most powerful players in Washington, D.C. Bad day for
consumers.
Instead of protecting options for consumers, i.e.,
consumers who are merely seeking a recourse for the wrongs done
to them, my Republican colleagues have opted to limit choice
and force consumers into unfair arbitration agreements that
stack the cards against them.
I am also concerned that I think it is unprecedented that
you have a person who is serving on an acting basis for the OCC
decided to insert himself in this debate, and I believe placed
inappropriate political pressure on what is supposed to be an
independent CFPB. And I just have to take this opportunity to
remind people that an independent CFPB was not there prior to
the 2008 crisis. In fact, there was no agency focused primarily
on the consumer.
And sure, we had banking regulators responsible for
ensuring institutions operated with prudence and in a proper
way. However, we had no single player at bat for the consumer.
So we created this independent Consumer Financial Protection
Bureau that this Administration and my Republican colleagues
continue to undercut and undermine with little regard for the
consumer and the underdog.
So, regarding today's hearing, I am further disappointed
that Equifax refused to appear before this committee again. And
I believe that avoiding responsibility is a proven failed
strategy in Washington, D.C.
As we saw with, and has happened in this committee before,
when the Enron executive that pled the Fifth before Congress,
and the Wells Fargo's past CEO who failed to acknowledge his
poor oversight. And then we had Equifax's prior CEO come in
here, he said is no longer with Equifax and so the individuals
who are now in charge of Equifax, they, in fact, have not been
before this committee yet. It was bad advice then and it is bad
advice now.
Furthermore, I hope that Equifax can correct the
Congressional Record, because when this former employee was
before this body at our last hearing, he suggested to me that
Equifax had a breach response plan that was tested prior to its
May incident. A recent Wall Street Journal report alleges just
the opposite.
Therefore, I am very concerned that Equifax's former CEO
potentially made misstatements before this committee. I hope he
is not getting in the habit of the 45th President, who
continues to make misstatements whenever he speaks.
The Wall Street Journal reported the following: Equifax was
ill-prepared to face the increasing frequency of data breaches
and that a review of the company found, and I quote, no
evidence of regular cybersecurity audits, or an emergency plan
to respond to an intrusion. So I sent a letter to Equifax to
correct the Congressional Record. I have yet to hear back from
them.
Now, I am going to ask my friend--I know that we have
Kathleen McGee here who is from my friend Attorney General
Schneiderman's office. Let me just ask you, real quickly, in
what ways can States help get institutions to a place where
they are better prepared for the next breach? What are you
doing in New York? And what can we utilize nationally to help
make sure this never happens again?
Ms. McGee. Thank you. Across this country, 48 States and
territories, all the territories, have data security laws in
place. We are the incubators and the innovators for the
frontlines for innovation and data technology. We are the
gatekeepers. We innovate and protect consumers on the ground.
We should not be superseded or preempted by a Federal law.
And we would encourage that this body consider establishing a
stricter floor, not a ceiling, if it considers passing a
national standard.
Look to the States for the innovation. New York has good
suggestions, Massachusetts. California was an innovator passing
the initial law back in 2002. So we would suggest you look to
the States first. Thank you.
Mr. Budd. Thank you.
The gentleman from California is well aware, the debt clock
is traditionally used only at full committee hearings. And my
Democratic colleagues previously requested we not display it
during their questioning time. Also, members are reminded not
to engage in personalities.
The Chair now recognizes the gentleman from Georgia, Mr.
Scott, for 5 minutes.
Mr. Scott. Well, thank you very much, Mr. Chairman.
First of all, I wanted to commend our Ranking Member, Ms.
Waters, for putting this hearing together.
And then, second, I am the Georgia Congressman representing
Equifax. And I can't tell you how disappointed, I can't tell
you how insulting, I can't tell you how just downright rabid
that they are making me as a Georgia Congressman.
Now, with this terrible breach, impacting 145 million
people--and first, they send up here to speak to us the former
CEO. How, I ask these panelists, do you think--and the American
people--that we can even begin to fix this problem if these
bone-headed executives and current CEO will refuse to come
before Congress and to answer questions?
How can they expect to get a seat at the table? How can we
respond to the American people? Some of these American people
don't even know what Equifax does or these credit agencies.
Their lives are impacted in a very negative way.
And yet they will refuse to come before Congress. Now, they
may be thinking that they are sticking it to Members of
Congress, but when you violate Members of Congress, when you
insult Members of Congress, when you disrespect Members of
Congress, you are insulting and disrespecting the American
people. We speak for them. And for them to do this is a
dastardly deed.
And I hope, Ms. Waters, that you will pursue my request
that we had yesterday evening to ask for a subpoena. That will
get their lazy asses up here and respond to the American
people.
Now, I apologize for anybody that feels I have offended you
with that, but I meant it. That is what they are. And until
they are sitting in that chair, we have to hold Equifax
accountable.
Let me tell you what they did. Do you know what they did?
In March, they brought evidence of the leak. They also brought
a way to fix the leak, with a patch, and they refused. The CEO
at that time, Mr. Smith, said that he found out on July 1st.
And then, the most dastardly deed of all that they did was
they went 24 hours later and sold $2 million in stock, and not
just anybody, their three top executives, led by their chief
financial officer. And you mean to tell me that nobody is
looking at this as insider trading?
This is one of the most despicable, shameful acts of
financial mismanagement in the history of these United States.
And for them not to come before this Congress and answer these
questions, the people who will run the company, is a total
disrespect. And not only that, it is highly un-American. And it
is not something that I will accept.
Ms. Wu, I want to ask you this. Tell me, the American
people need to know, will they be having to look beyond their
shoulders, looking around corners worried for the rest of their
lives because they don't know who has their Social Security,
they don't know who has their birth--these are vital pieces of
information. Is that what we have to look forward to? Could you
please answer that?
Ms. Wu. Unfortunately, the answer is yes. We will all be
looking over our shoulders for the rest of our lives.
Mr. Scott. Thank you.
Mr. Budd. Gentleman's time has expired.
Chair now recognizes the gentleman from Texas, Mr. Green,
for 5 minutes.
Mr. Green. Thank you, Mr. Chairman.
I especially want to thank the Ranking Member for her
energy and effort to cause this hearing to take place.
Equifax is in a unique position. They collect information
on consumers without consent. They don't have to have your
consent to collect your information. Once they collect the
information, they seem to think that they can handle it with
impunity. If there is negligence or if there is some reason for
a security breach that might cause litigation in ordinary
circumstances, Equifax seems to think that arbitration is the
methodology by which a dispute should be resolved.
It causes me great concern to know that Equifax and many
other companies, especially banks, are being aided and abetted
by Congress, because Congress, yesterday, the Senate more
specifically, decided to eliminate the consumer protection rule
that would allow consumers to litigate as opposed to go to
arbitration.
This is an unbelievable circumstance. And I am interested
in comments from members of the panel on your position as it
relates to arbitration, especially with a company that collects
information without your permission.
Let's start with our very first panelist, if you would
please, ma'am.
Ms. Cable. Thank you for the question. I think it is safe to
say our office's position is that we are disappointed in the
developments of yesterday. I think it is a big step back for
consumers. I think the unfairness in the Equifax matter is
patently obvious to anyone.
And it is one of the big reasons why, as a State attorney
general, we are working so hard to hold Equifax accountable for
this. And to circle back on how we hold Equifax accountable
here, I think money talks. Without getting to the specifics of
what we may or may not request in litigation, our Consumer
Protection Act authorizes us to ask the court to award us up to
$5,000 per violation. There are at least 3 million violations
in Massachusetts.
And so we think the State attorney generals are uniquely
positioned and, in light of yesterday's development, may be a
very few of the entities still positioned to hold Equifax
accountable in the court of law.
Mr. Green. Ms. Cable, if you would please, I detected a
moment of candor. You said money talks. Kindly explain, please.
Ms. Cable. I think a way to get the attention of a company
like Equifax is to--how do I say this--require them to
internalize the costs of this breach that they seem so eager to
externalize onto the American public.
Mr. Green. And how does one go about this, please?
Ms. Cable. In our litigation under State consumer
protection law, we can seek civil penalties, as I mentioned, up
to $5,000 per violation. We are also authorized to seek
consumer restitution for ascertainable losses that consumers
suffer.
We are also authorized under our law to have the court
impose permanent injunctive relief to improve security
procedures and other appropriate relief to make consumers
whole. Certainly, all of those are on the table in our
litigation.
Mr. Green. Ms. Wu, please. Yes.
Ms. Wu. So, absolutely, consumers were the losers in the
vote last night. And any Republican who voted for getting rid
of the arbitration rule, and yet criticized Equifax, was a
hypocrite, because Equifax will greatly benefit from what
happened last night. Not only because they will be able to
immunize themselves from liability over things like credit
monitoring products, but because they can actually put in
arbitration agreements--for these locks, for example, that they
are offering, so-called, for free--that you have to agree to
arbitration. And they can put things in those arbitration
agreements like ``You will never sue us under the Fair Credit
Reporting Act, no matter how badly we mess up your credit
report.'' So the American people are definitely the losers.
Mr. Green. Mr. Litt, please.
Mr. Litt. There were already concerns with locks, because
TransUnion and Experian require consumers to give up their
rights to a day in court. So last night's vote, unfortunately,
makes things even more problematic.
Mr. Green. Thank you very much. I yield back the balance of
my time.
Mr. Rothfus [presiding]. Gentleman yields back.
The Chair recognizes the gentleman from Michigan, Mr.
Kildee, for 5 minutes.
Mr. Kildee. Thank you, Mr. Chairman, and again to the
Ranking Member, thank you for arranging this hearing.
I am really grateful for the panel for being here. This has
been really helpful.
Like probably all of my colleagues, I received a lot of
complaints about this breach, and particularly about the way
customers were treated by Equifax as they tried to, somehow,
figure this out and manage it.
So I want to tell the story of an individual from my
district. His name is Jim. He is from Linden, Michigan. It is a
small town outside of my hometown of Flint. He is a
grandfather. He has got five grandchildren. He is a retired
banker. He spent his whole career working with credit reporting
agencies. He understands exactly how they operate.
When he heard about this breach, Jim went to the Equifax
website to see if his information had been released, had been
stolen, in effect, which it had been. So he, like many, decided
he would freeze his credit as a precautionary measure. So in
navigating through their website, he wound up not on the page
to freeze his credit, but on the page where Equifax offered,
for purchase, its product to protect his identity online. I am
sure you understand the irony in landing on that page.
Realizing the error, Jim got on the phone. He called
Equifax. He wanted to correct the problem. It took him over an
hour on the phone with two different individuals, two different
call centers, finally to resolve that issue.
He was also to freeze his wife's credit, but Equifax
charged him $20 to do so. So he reached out to my office,
wanted to make a consumer complaint regarding Equifax. We were
able to intervene, get his money refunded. But his biggest
complaint was that Equifax made it so hard for him to deal with
an issue that was not his fault and, in fact, was their fault.
This guy is a retired banker. He is tech savvy. He
understands customer service; he understands how to navigate a
website. He couldn't do it without our help. Not everybody can
do that. Not everybody has the presence of mind to call their
Member of Congress. And Lord knows, there is no way we could
deal with 145 million of these complaints.
So my concern is, what happens to those folks who don't
know who to call, who don't know where to go? How do they
protect themselves? And so I guess I would ask just for any of
the panelists who might want to offer, what do we tell our
constituents? How do they protect themselves from something
like this?
I mean, what happened with Jim, who knows what the other
consequences might be, but the frustration he had--and without
our help he would be paying them to fix a problem that they
created, let alone the potential of economic ruin that he could
have faced as a result of this data being lost and being
essentially stolen. What do we tell our constituents? How do they
protect themselves?
Ms. Wu. So, thank you for the question and the story,
Congressman Kildee. Unfortunately your constituent is not
alone. We have heard of many other stories where consumers had
trouble getting freezes and end up actually getting not only a
lock product, but a paid lock product. They ended up having to
pay for it and of course agree to arbitration, which is now
going to prevent them from bringing lawsuits.
It is a terrible situation. All I can say is that they
should try to keep working on getting those freezes. If they
can't get them, they should complain not only to their Member
of Congress and their attorney general's office, but to the
Consumer Financial Protection Bureau, which has sometimes had
success in dealing with these complaints and getting people's
money back.
But that points to the fact we need a strong Consumer
Bureau. If we don't have a strong Consumer Bureau, even the
little bit of progress we have made in terms of improving
accuracy and dispute handling, because the Consumer Bureau can
supervise these folks and get into their systems, is going to
be lost.
And this is the culture of impunity I am telling you about
that I said. You know, this is not just an accident. They
deliberately pushed people toward their locks and their paid
products when people try to find the freezes.
Mr. Kildee. Thank you.
Mr. Litt. If I may, a default freeze would actually take
care of people if they didn't know that they had to opt in for
one. But there should be no barriers, including costs. So, at
the very least, freezes should be free to place, as well as to
lift.
Ms. Moy. You make the point that the consumers who will
lose out the most from a breach like this are those who lack
the resources in time or in money to figure out how to protect
themselves, and that is a problem that absolutely must be
addressed.
Mr. Kildee. Thank you. My time is expired. I thank the
panel, again, and I thank the Ranking Member for arranging this
hearing. It is very important. Thank you.
Mr. Rothfus. Gentleman's time is expired.
The Chair recognizes the gentleman from Nevada, Mr. Kihuen,
for 5 minutes.
Mr. Kihuen. Thank you, Mr. Chairman, and thank you, Madam
Ranking Member, for organizing this hearing, and thank you to
all of you for being here and for your testimony.
Mr. Litt, I have a question, and maybe for the rest of
panelists as well. Given that half of the population of the
U.S. had their Social Security numbers exposed as part of this
recent breach, do you find it troubling that such numbers are
still being used by Equifax to authenticate consumers
requesting freezes, copies of credit reports, and other
products and services offered by the consumer reporting
agencies?
Mr. Litt. Yes, it is troubling. While the other
authentication questions do serve as added security, Social
Security numbers were never meant to be used as identifiers to
begin with. And so this also raises the question for looking
into transition into a new system.
Mr. Kihuen. What would a new system look like, in your
opinion?
Mr. Litt. Well, we would look at things like two-factor
authentication as a place to start, and then I think that we
are encouraged and hopeful that Congress would look into ways
to transition, as well.
Mr. Kihuen. Thank you. Anybody else want to answer?
Ms. Wu. Thank you for the question, Congressman. As I said
earlier, the problem is the use of the Social Security number
as the verifier to say that you are who you are. You do need
some sort of identification number, and whether it is a Social
Security number, or something else, you need a unique item to
distinguish between consumers.
The former CEO of Equifax, his name is Richard Smith, and
you need to be able to figure out which Richard Smith you are
dealing with. The problem is, you are also using the Social
Security number as the verifier. So, you input that number and
then the system tells me, OK, you are the real Richard Smith.
And that is the problem. We need other ways of verifying
someone's identity.
Mr. Kihuen. Thank you.
And I have a follow up on that, Ms. Wu. In your testimony,
you described this breach as one of the worst, if not the
worst, breaches in American history. Apart from the total
number of consumers impacted, what else makes this the worst in
American history?
Ms. Wu. Well, the reason why this breach is probably one of
the worst in American history is because of the type of
information that is stolen, because it was Social Security
numbers and dates of birth, and in some cases, driver's
licenses. This is the crown jewel of information that can be
used for ID theft.
Other breaches involved your e-mail and password. Well, you
can change your e-mail address. You can change your password.
Your credit card number, you know, Target involved a lot of
credit card numbers. You can get a new credit card number.
It is almost impossible to change your Social Security
number. It is very hard. And you can't change your date of
birth. So this is going to haunt us forever. This is going to
increase the risk of identity theft for half the American
population for the rest of their lives. And that is what makes
it so terrible.
Mr. Kihuen. Thank you. I think you answered my other
question that, how long are consumers likely to be at risk? So
you were talking about for the rest of their life. So half of
the American population who has been impacted by this is now at
risk for the rest of their life because of this breach?
Ms. Wu. Yes, that is right. And the best we can do is try
to mitigate it by telling people to put freezes on their credit
reports. And that is why, at least those freezes should be
free. And I agree with Mr. Litt, they should be by default.
That would help a lot to prevent identity theft.
Mr. Kihuen. Thank you.
And, Ms. Cable, I do have a very quick question.
Immediately following the announcement of the breach,
Massachusetts launched an investigation and filed a lawsuit
against the company. While I understand that you cannot comment
on the status of the case, as the matter is still ongoing, can
you provide a high-level overview of allegations your office is
making in the privacy and data security and privacy protections
that Massachusetts residents are entitled to under the law,
State law?
Ms. Cable. Absolutely, Congressman. So the facts underlying
our complaint are the facts that I think this committee has
heard before. Equifax had this information. In March, it
learned that it had a vulnerable software in place in its
public-facing website. There was a patch available. It was
aware of it. It failed to implement it.
I think, importantly, it also failed in other respects. It
failed to detect the presence of hackers in its network. I have
seen reports that the hackers got in, in March. They didn't
notice it until the end of July. So over 4 months, somehow they
didn't know that there were thieves in their network. And
another point is, they didn't realize that this data, 145
million persons' information, was compromised.
I think that calls into question, and we have raised it in
our complaints, serious questions of who was minding the store,
putting the patch issue aside.
As I mentioned, we sued under our State data security
regulations. And I will just highlight some of the regulations
that are at issue in this case, to give you a sense of what our
law provides. We allege Equifax failed to identify and assess
reasonably foreseeable risks to the security of its
information. It failed to evaluate and improve its existing
safeguards.
Mr. Rothfus. The gentleman's time has expired.
Mr. Kihuen. Thank you, Mr. Chairman.
Mr. Rothfus. The Chair recognizes the gentleman from Texas,
Mr. Gonzalez, for 5 minutes.
Mr. Gonzalez. Thank you, Mr. Chairman, and thank you,
Ranking Member Waters.
Well, as a trial lawyer who represented consumers for 20
years, I certainly believe Equifax should be held liable and
punished for their negligence. But knowing what we know now,
with the multiple breaches from the credit reporting agency--
and I guess this question would go to Ms. McGee and Ms. Cable--
would you support a direct cause of action against Equifax by
consumers?
Ms. McGee. I will answer by saying, first of all, New York
State law does not have under our data protection law an
independent cause of action for consumers. It is not our intent
to open that up, but that does then directly turn me to the
arbitration issue, which is--for New York, when we saw that
arbitration was going to be a barrier to justice for consumers
who are trying to seek redress from the very entity that they
had placed their sort of last hope when they traditionally had
a data breach and now were victimized by that actual entity and
then forced into an arbitration clause, if they wanted to avail
themselves of any relief, we acted quickly to seek redress and
the arbitration clause was removed.
It poses a real problem when consumers are hobbled in
seeking rights in consumer protection because of these
arbitration clauses. Our offices come out very strongly in
statements condemning yesterday's decision and in other forced
arbitration clauses, and that is a real problem.
Mr. Gonzalez. But do you believe that they should have the
capacity to bring their own claims?
Ms. McGee. At this point, under New York law, we don't. We
don't provide that redress under New York law--
Mr. Gonzalez. Do you think it is a good idea?
Ms. McGee. I think that, under certain circumstances, class
actions can provide a way for a sea of change under law and can
provide another way for companies to change the way that they
do business. So as a generic matter, I personally don't think
that it is a bad idea. But right now, I don't see any way in
New York for there to be a change in that.
Mr. Gonzalez. Fair enough. I guess the next question is to
anyone on the panel is, how are we quantifying the damages? It
seems like we can't get to that number anytime soon. How do we
get there? At some point, how do we protect folks who had their
information stolen from them? And it seems like it is just--we
are looking into a crystal ball and we don't know where the end
is.
How would you address that, Ms. Cable?
Ms. Cable. I certainly, as a fellow litigator, appreciate
that question. And speaking in generalities, in Massachusetts,
one measure of damages--and certainly not the only--is the cost
of placing, temporary lifting, and permanently lifting a
security freeze. To do all three of those actions in
Massachusetts would cost a consumer $15 at one of the three
bureaus, so $45 at all three. Three million consumers in
Massachusetts, presumably, had to pay that cost, and so I think
that comes out to $135 million in Massachusetts alone.
That is just one small measure that doesn't count identity
theft or other forms of financial fraud that, as my co-
panelists have highlighted, is very likely to occur here. I
think establishing damages that may not have happened yet is
either impossible or impracticable as a matter of law and it is
what it is.
I think one solution would be establishing minimum
statutory damages and allowing the consumer to seek either the
higher of the actual or the minimum. I think the law can
advance this issue forward by establishing some kind of measure
for damages here.
Mr. Gonzalez. Very well. And the reason I say that is
because $5,000 just seems nothing compared to some people can
be damaged at such a high value. I guess my next question, and
I hate to pick on all the lawyers, but I will address Ms. Moy.
Which State has the most stringent protection for data breaches
in the country?
Ms. Moy. So, again, with breaches, I think that when it
comes to notification, many consumers feel that it is too late.
So that the laws to look at for really strong protection for
consumers are going to be the data security laws.
And some at this table have good ones. Massachusetts has a
very strong one. New York has new cybersecurity regulations.
Connecticut also recently has a good law, and Illinois.
California, of course, is a good one to look at. Texas,
actually, is an interesting State because it covers a broad set
of information.
Mr. Gonzalez. Which is changing, by the way. I don't know
if you followed this last legislative session.
Ms. McGee. I am not aware of the changes. I will have to
look into that.
Mr. Gonzalez. Under DTPA--and consumer laws have been
watered down recently. But I am curious--and you just told us--
you just mentioned a few States that do have good laws. What
States would you say do not? And I guess my time is up. Thank
you very much.
Mr. Rothfus. The gentleman's time has expired.
The Chair recognizes the gentlewoman from Ohio, Mrs.
Beatty, for 5 minutes.
Mrs. Beatty. Thank you, Mr. Chairman. And thank you to our
Ranking Member, Congresswoman Waters.
I really appreciate us having an opportunity to have this
dialog and to have it with you as our eyewitnesses. And I don't
want to take my time to repeat everything that has been said.
But let me certainly echo the displeasure that we have that
Equifax could not be here, chose not to be here, chose not to
sit and respond to something that has affected 143-plus-million
individuals. I find that appalling that they are ignoring a
request to come before this committee.
I am also saying, Mr. Chairman, I am disappointed that we
don't have seats across the aisle filled. This is not a
partisan issue. This is not about Democrats. This is about 143
million people having their entire life disrupted because of a
company that had had some 57,000 complaints about
misinformation, about inaccuracies on their credit reports.
And I am as upset as anyone else, because I tried to work
with them. I actually offered a bill in the last session, and
in this session, and if they would have spent more time working
with me than against the bill that would allow consumers to get
a free credit report, it would have been helpful.
But they didn't want to get a free credit score, because it
is one thing to say, OK, once a year, we have a law now that
you can get your annual report. But what happens when you go in
to buy a home? What happens when they ask you what is your
credit score?
And they did not want to even do it once a year to give
them a free credit score. And so, I hope someone plays this
tape back to them so they can understand that we represent
hard-working Americans. We represent people who want to have a
better future. And when you have the breaches that they have
had and you don't come to the table to respond to it, that is
simply unacceptable.
I guess, as I am sitting here today, I believe one of the
ways we can really get companies to focus on cybersecurity is
to put in place a system where there is a monetary penalty for
each person's data that is breached. You know, let them feel
some of the consequences that 143 million people are
experiencing.
When you think about--we have the data up here--one out of
five consumers has had an error on their report. So there were
already issues with them. There were already things that they
knew that this could be a possibility, and what did they do?
They ignored it. That is unacceptable.
So, let me ask you, what do you think about putting a
penalty in where the Equifaxes or future Equifaxes would have
to pay that? And what should that number be? Should it be
$1,000, should it be $5,000, should it be a greater number?
Ms. Wu?
Ms. Wu. Well, thank you, Congresswoman Beatty, and thank
you for the question. And I completely agree there should be
some sort of penalty when companies lose our data. You know, it
is unacceptable. And in addition to the types of damages that
Ms. Cable talked about, in terms of freezes and lifting, there
is time spent, there is aggravation, there is being upset that
your information is out there with thieves and you are
potentially a victim next.
And that should all be compensated. You know, the maximum
statutory damages under the Fair Credit Reporting Act is
$1,000. That was 40 years ago. It probably should be a lot
greater than that.
Mrs. Beatty. So should we be looking at legislation to make
that number more in line with today's cost of living?
Ms. Wu. Well, certainly increasing the statutory damages is
something we would be in favor of. And as you know, there was
the bill just the same day that Equifax announced its breach,
there was a hearing on a bill to reduce those damages under the
Fair Credit Reporting Act.
Mrs. Beatty. Well, I think my time is up. So, Mr. Chairman,
I yield back.
Mr. Rothfus. The gentlewoman yields back. The Chair
recognizes the Ranking Member for unanimous consent requests.
Ms. Waters. Thank you very much. I have a number of them,
Mr. Chairman. I have 31 communications in support of 3755, the
Comprehensive Consumer Credit Reporting Reform Act. We have--
Mr. Rothfus. Without objection.
Ms. Waters. --Thank you--testimony that was written and sent
to us today from Consumers Union.
Mr. Rothfus. Without objection.
Ms. Waters. Two such documents.
Mr. Rothfus. Without objection.
Ms. Waters. I have ``Equifax Grip on Mortgage Data Squeezes
Smaller Rivals'' from the New York Times.
Mr. Rothfus. Without objection.
Ms. Waters. From Salon, I have a communication.
Mr. Rothfus. Without objection.
Ms. Waters. ``Equifax Grip on Mortgage Data Squeezes
Smaller Rivals,'' another one from the New York Times.
Mr. Rothfus. Without objection.
Ms. Waters. Written questions for the record submitted by
Democratic members for October 5th, Equifax hearing.
Mr. Rothfus. Without objection.
Ms. Waters. Written statement asked to be submitted by FICO
to this hearing.
Mr. Rothfus. Without objection.
Ms. Waters. Press statement was released from CFPB,
``Supervisory Highlights Focused on Problems Discovered with
Credit Bureaus.''
Mr. Rothfus. Without objection.
Ms. Waters. Written statements for the record from the
first Equifax hearing on October 5th.
Mr. Rothfus. Without objection.
Ms. Waters. And information on CFPB's website about ID
theft tools available to consumers.
Mr. Rothfus. Without objection.
Ms. Waters. Thank you very much. I yield back.
Mr. Rothfus. There being no members remaining to question
the panel, this concludes today's hearing. Without objection,
all members will have 5 legislative days within which to submit
additional written questions for the witnesses to the Chair,
which will be forwarded to the witnesses for their response. I
ask our witnesses to please respond as promptly as you are
able.
This hearing is adjourned. Thank you.
[Whereupon, at 3:42 p.m., the committee was adjourned.]
APPENDIX
October 25, 2017