[Senate Hearing 115-129]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 115-129

 
           AN EXAMINATION OF THE EQUIFAX CYBERSECURITY BREACH

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
                   BANKING, HOUSING, AND URBAN AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                                   ON

     EXAMINING THE EQUIFAX CYBERSECURITY BREACH AND ITS IMPACT ON 
                APPROXIMATELY 143 MILLION U.S. CONSUMERS

                               __________

                            OCTOBER 4, 2017

                               __________

  Printed for the use of the Committee on Banking, Housing, and Urban Affairs
  
  
  
  
  

                                


                Available at: http://www.govinfo.gov/
                
                
  
                

                            _________ 

                U.S. GOVERNMENT PUBLISHING OFFICE
                   
 28-123 PDF             WASHINGTON : 2018       
____________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet: bookstore.gpo.gov. Phone: toll free (866) 512-1800; DC area (202) 512-1800
  Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-001
                
                


            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

                      MIKE CRAPO, Idaho, Chairman

RICHARD C. SHELBY, Alabama           SHERROD BROWN, Ohio
BOB CORKER, Tennessee                JACK REED, Rhode Island
PATRICK J. TOOMEY, Pennsylvania      ROBERT MENENDEZ, New Jersey
DEAN HELLER, Nevada                  JON TESTER, Montana
TIM SCOTT, South Carolina            MARK R. WARNER, Virginia
BEN SASSE, Nebraska                  ELIZABETH WARREN, Massachusetts
TOM COTTON, Arkansas                 HEIDI HEITKAMP, North Dakota
MIKE ROUNDS, South Dakota            JOE DONNELLY, Indiana
DAVID PERDUE, Georgia                BRIAN SCHATZ, Hawaii
THOM TILLIS, North Carolina          CHRIS VAN HOLLEN, Maryland
JOHN KENNEDY, Louisiana              CATHERINE CORTEZ MASTO, Nevada

                     Gregg Richard, Staff Director

                 Mark Powden, Democratic Staff Director

                      Elad Roisman, Chief Counsel

                      Joe Carapiet, Senior Counsel

                Brandon Beall, Professional Staff Member

                 Elisha Tuku, Democratic Chief Counsel

            Laura Swanson, Democratic Deputy Staff Director

           Corey Frayer, Democratic Professional Staff Member

                       Dawn Ratliff, Chief Clerk

                      Cameron Ricker, Deputy Clerk

                     James Guiliano, Hearing Clerk

                      Shelvin Simmons, IT Director

                          Jim Crowell, Editor

                                  (ii)
                                  


                            C O N T E N T S

                              ----------                              

                       WEDNESDAY, OCTOBER 4, 2017

                                                                   Page

Opening statement of Chairman Crapo..............................     1

Opening statements, comments, or prepared statements of:
    Senator Brown................................................     2

                                WITNESS

Richard F. Smith, former Chairman and Chief Executive Officer, 
  Equifax, Inc...................................................     4
    Prepared statement...........................................    39
    Responses to written questions of the Senate Banking 
      Committee..................................................    45

              Additional Material Supplied for the Record

Letter Submitted by the Credit Union National Association........    96
Equifax, Inc., ``Insider Trading Policy''........................    97
Equifax, Inc., ``Corporate Crisis Management Plan, Part I''......   111
Equifax, Inc., ``Corporate Crisis Management Plan, Part II''.....   156
Equifax, Inc., ``Corporate Crisis Management Program, Appendix 
  H''............................................................   180
Equifax, Inc., ``Regional Crisis Management Plan''...............   199
Equifax, Inc., ``Security Incident Handling Policy and 
  Procedures''...................................................   233

                                 (iii)


           AN EXAMINATION OF THE EQUIFAX CYBERSECURITY BREACH

                              ----------                              


                       WEDNESDAY, OCTOBER 4, 2017

                                       U.S. Senate,
           Committee on Banking, Housing, and Urban Affairs
                                                    Washington, DC.
    The Committee met at 10:03 a.m., in room SD-538, Dirksen 
Senate Office Building, Hon. Michael Crapo, Chairman of the 
Committee, presiding.

            OPENING STATEMENT OF CHAIRMAN MIKE CRAPO

    Chairman Crapo. This Committee will come to order.
    This morning, we will hear testimony from Richard Smith, 
former chairman and chief executive officer of Equifax, who 
held those positions until last week.
    I understand that you are now serving as an unpaid advisor 
to the company and appreciate your willingness to testify here 
and appear and testify about the events surrounding the breach 
and Equifax's response while you were leading the company.
    Given the severity of this data breach, Congress will 
continue to examine the facts behind it and what can be done to 
prevent similar situations.
    Cybersecurity is one of the most pressing issues facing 
companies, as well as consumers and Governments alike, and is 
one of the biggest threats to our financial system. The amount 
of data that the private industry and Government collect and 
store is very concerning. There is intrinsic vulnerability in 
collecting and storing personal financial information, and we 
need to have a meaningful discussion on how to protect and 
limit access to it.
    The Banking Committee takes its oversight of credit bureaus 
seriously, as they are financial institutions under the Gramm-
Leach-Bliley Act.
    Credit bureaus serve a critical function in our financial 
system and have become a daily part of every American's life. 
Every day, these institutions intersect in people's attempts to 
get credit cards, car loans, mortgages, and other items.
    Consumers may know about their involvement in their lives, 
such as when they directly request a credit report, but 
sometimes they do not, like when a company requests a 
background check to determine their eligibility for a cell 
phone.
    The ability of Americans to easily access credit is one of 
the many things that make our economy and our country the envy 
of the world. It is also why this breach is so shocking and 
concerning.
    Here is what we know based on information from Equifax. 
Equifax experienced a cybersecurity breach which potentially 
impacted more than 145 million U.S. consumers. The data that 
was taken included the names, Social Security numbers, birth 
dates, addresses, and in some cases driver's license numbers.
    In addition, credit card numbers for approximately 209,000 
consumers and dispute documents with personally identifiable 
information for approximately 182,000 consumers were accessed.
    According to Equifax, the unauthorized access took place 
from mid-May through July 2017, with Equifax discovering the 
situation on July 29 and then finally cutting off the 
intruders.
    Here is what we need to know. Why did it take Equifax 6 
weeks from the time it learned of the breach to tell the 
public, the regulators, and the 145 million American victims 
about it? Why were Equifax executives trading during this time? 
How strong were and are Equifax's cybersecurity practices?
    After the breach, what interactions did the company have 
with other credit bureaus and Government agencies, in order to 
understand what, if anything, can be improved in terms of 
information sharing and mitigating consumer harm?
    Additionally, there are valid and important questions about 
the steps Equifax has taken to remediate customers and whether 
more needs to be done to minimize the potential harm to those 
affected.
    In an op-ed last week, your successor admitted that answers 
to key consumer questions were often delayed, incomplete, or 
both. That same op-ed asserted that it is important to give 
consumers the power to protect and control access to their 
personal credit data.
    I look forward to having these questions answered and 
exploring different options on how companies can better 
safeguard consumers' information.
    Senator Brown.

           OPENING STATEMENT OF SENATOR SHERROD BROWN

    Senator Brown. Thank you, Chairman Crapo.
    The story of this data breach is a familiar one. A big 
financial institution screwed up. Executives walk away with 
millions of dollars. Tens of millions of Americans end up 
holding the bag.
    Unfortunately, Americans have come to expect that the 
Equifax scandal will play out the same way as the Wells Fargo 
scandal. A couple executives retire. Some of them lose some of 
their bonuses. A couple fines are issued, and only later do we 
find out the problems go much, much deeper.
    Most Americans never chose to have their data scooped up by 
Equifax. You have said that since 2005, Equifax has been 
rapidly transforming itself into a--your words--``global 
analytics company'' by collecting huge troves of information on 
people that you can sell to marketers and employers, but you 
almost never ask people if they want to be tracked.
    Most of the 145 million people--that number seems to climb 
every week or so--well over half of all adults in the United 
States, most of the 145 million people whose data you allowed 
to be stolen probably only had a vague idea of what Equifax 
was, if they had heard of you at all. Then they read in the 
paper that their personal information has, in fact, been 
compromised.
    But while they might not have known the name Equifax, they 
should have been able to expect that a company that gathers the 
most private information about them would have state-of-the-art 
protections for that information. A gold mine for hackers 
should be a digital Fort Knox when it comes to security.
    But security does not generate short-term profits. 
Protecting consumers apparently is not important to your 
business model, so you gathered more and more information. You 
peddled it to more and more buyers.
    For example, you bought a company called TALX so you could 
get access to detailed payroll information--the hours people 
worked, how much they were paid, even where they lived--7,000 
businesses.
    You were hacked there, too, exposing the workers of one 
proud Ohio company, 400,000 workers at Kroger, and an unknown 
number of people's information to criminals who used it to 
commit tax fraud.
    In May of this year, your outside law firm stated that 
Equifax had instituted additional security measures in order to 
prevent a recurrence of the TALX incident, just like you are 
claiming you are doing now. Yet at that same time, hackers had 
already taken advantage of another security flaw to get into 
Equifax's system.
    It has been 10 weeks since you discovered this latest 
breach, but I still do not think we have a complete answer to 
the question what happened and why.
    We do know that this breach could have been avoided if you 
had taken the simple step of administering security patches, 
but your response after the fact may have been just as 
negligent.
    You told the House yesterday that Equifax knew at least 
some people's data had been exposed on August 15th. Rather than 
giving victims a chance to protect themselves, you withheld 
this information from the public for weeks.
    You claim that you delayed telling the public about this 
hack so you could get an appropriate consumer response put 
together, but when you finally did tell people what happened, 
Equifax's website and call centers were immediately 
overwhelmed.
    You even tried to take advantage of the situation by 
sticking victims with a forced arbitration clause buried in the 
credit monitoring product you were shopping to victims. Think 
about that. You tried to take advantage further, even with all 
this, when the public was so upset because you had betrayed 
their trust and the public trust. You stick the victims with a 
forced arbitration clause buried in the credit monitoring 
product you were shopping to victims. At least in this 
instance, you backed down under public pressure, unlike Wells 
Fargo, which yesterday under withering questions continued to 
resist.
    Chairman Crapo and I sent a letter to you on September 22nd 
requesting basic information. For example, is there a company 
policy on stock sales? I would guess so, but the best we got 
from the company was, quote, ``Equifax will work with Committee 
staff to provide a copy of the policy,'' unquote. We are not 
talking about trade secrets here. I just do not get the 
obfuscation.
    Despite your promise to deliver a free CreditLock product 
next year, all of Equifax's actions up to this point 
demonstrate that this simply is not a company that deserves to 
be trusted with Americans' personal data.
    Your actions have exposed over half the country's adults to 
financial harm. Equifax has forfeited its right to corporate 
secrets. So please do not make the same mistake that Wells 
Fargo did. Now is the time to give this Committee the whole 
story.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you, Senator Brown.
    And now we will proceed to the testimony. We will hear 
testimony from Mr. Richard Smith, former chairman and chief 
executive officer of Equifax, Inc.
    Mr. Smith, your written statement will be made a part of 
the record in its entirety, and you may proceed with your oral 
remarks.

   STATEMENT OF RICHARD F. SMITH, FORMER CHAIRMAN AND CHIEF 
                EXECUTIVE OFFICER, EQUIFAX, INC.

    Mr. Smith. Thank you, and good morning. Thank you, Chairman 
Crapo, Ranking Member Brown, and Honorable Members of the 
Committee. Thank you for the opportunity to testify before you 
this morning.
    My name again is Rick Smith, and for the last 12 years, I 
have had the honor of serving as chairman and CEO of Equifax. 
As noted, I have submitted written testimony, which addresses 
the details of my testimony in far more detail than I will get 
in my oral comments.
    I have talked to many consumers, and I have read their 
letters. I understand how frustrated and fearful many Americans 
are about what happened at Equifax. This criminal attack took 
place on my watch, and I take full responsibility as CEO at the 
time. I want to say to every American, I am truly and deeply 
sorry for what happened.
    Americans have the right to know how this happened, and I 
am prepared to testify today about what I learned and what I 
did about the incident and my role as CEO and chairman of the 
board and also what I know and what I have learned about the 
incident as a result of being briefed by the company's 
investigation, which is ongoing.
    As we now know, this criminal attack was made possible 
because of a combination of a human error and a technological 
error. The human error involved the failure to apply a patch to 
our dispute portal in March of 2017. The technological error 
involved a scanner, which failed to detect the vulnerability on 
this particular portal, which had not been patched. Both errors 
have since been addressed.
    On July 29th and July 30th, suspicious activity was 
detected. We followed our security incident response protocol 
at that time. The team immediately shut down the portal and 
began our internal security investigation.
    On August 2nd, we hired top security, cybersecurity, 
forensic, and legal experts, and we notified the FBI. At that 
time, we did not know the nature or the scope of the incident.
    It was not until late August that we concluded that we had 
experienced a major data breach.
    Over the weeks leading up to September 7th, our team 
continued working around the clock to prepare to make things 
right. We took four steps to protect consumers: first, 
determining when and how to notify the public, relying on the 
advice of our experts that we needed to have a plan in place as 
soon as we announced; two, helping consumers by developing a 
website and staffing up a mass of call centers and offering 
free services to every American; three, preparing for increased 
cyberattacks, which we were advised are common after the notice 
of a breach; and finally, number four, continue to coordinate 
with the FBI and their criminal investigation of the hackers 
and notifying other Federal and State agencies.
    In the rollout of our remediation program, mistakes were 
made for which again I am deeply apologetic. I regret the 
frustration that many Americans felt when our websites and call 
centers were overwhelmed in the early weeks. It is no excuse, 
but it certainly did not help that two of our larger call 
centers were shut down for days by Hurricane Irma.
    Since then, however, the company has dramatically increased 
its capacity, and I can report to you today that we have 
handled more than 420 million consumer visits to our website, 
and the wait time at our call centers has been dramatically 
reduced.
    At my direction, the company offered a broad package of 
service offerings to all Americans, all of them free to help 
protect consumers.
    In addition, we developed a new service that will be 
available January 31st, 2018, that will give all consumers the 
power to control access to their credit data by allowing them 
to lock and unlock their credit files whenever they want for 
free and for life, putting the power to control access to data 
in the hands of the American consumer. I am looking forward to 
discussing this tool with you in detail during my testimony.
    As we have all painfully learned, data security is a 
national security problem. Putting consumers in control of 
their credit data is a first step toward a long-term solution 
to the problem of identity theft.
    But no single company could solve the larger problem on its 
own. I believe we need a public-private partnership to evaluate 
how to best protect American consumers' personal data ongoing. 
I look forward to being a part of that dialogue.
    Chairman Crapo, Ranking Member Brown, and the Honorable 
Members of the Committee, thank you again for inviting me to 
speak before you today.
    I will close again by saying how sorry I am about this 
breach. On a personal note, I want to thank the many 
hardworking and dedicated people who have worked with me so 
tirelessly over the last 12 years. Equifax is a very good 
company with thousands of great people trying to do the right 
thing each and every day. I know that they will continue to 
work tirelessly, as we have over the past few months to right 
this wrong.
    Thank you.
    Chairman Crapo. Thank you, Mr. Smith.
    Mr. Smith, you recently discussed the need to give 
consumers control of their own data. Yesterday, you said, ``It 
is time we change the paradigm, give the power back to the 
consumer to control who accesses his or her credit data. It is 
the right thing to do.''
    But we are far from that reality today with credit bureaus. 
First, what needs to be changed to give consumers this power?
    Mr. Smith. Mr. Chairman, the start is this product we are 
introducing, which will come out in January of next year, which 
gives the consumer the ability to control who and when accesses 
the credit data. It will be a simple tool, Web-enabled on an 
application, and the consumer can simply dictate who gets 
access, who does not, and if he or she wants to go to a bank to 
get a credit card or a car loan, they simply can toggle on, 
open the access for the underwriter to look at their credit 
file, once complete, toggle off, and secure.
    Chairman Crapo. And it seems to me if that solution works 
that that is a solution or a part of the solution with regard 
to other private-sector actors or illegal actors. What about 
the Government? Does the Federal Reserve or the CFPB have 
access to your data, to Equifax's data?
    Mr. Smith. Sir, Mr. Chairman, if a consumer locks their--at 
the consumer level, is that the question?
    Chairman Crapo. Yes.
    Mr. Smith. If the consumer locks their file, they lock out 
anyone's access to that data.
    Chairman Crapo. So you are not in a position of being 
required by any Federal agency to provide this personally 
identifiable data to that agency?
    Mr. Smith. Mr. Chairman, I am not sure I understand the 
question. If a consumer locks their file to prevent access to 
their file from any other bank or telecommunications company, 
they would be the only ones who could unlock that file. We 
could not unlock that file on their behalf, if I understand the 
question correctly.
    Chairman Crapo. Even if asked by a Government agency as 
opposed to an inquiring bank?
    Mr. Smith. I would have to check that.
    Chairman Crapo. All right. Thank you. I would appreciate 
that.
    Mr. Smith. Thank you.
    Chairman Crapo. In the hearing yesterday, you mentioned 
that we may need to think about how secure Social Security 
numbers really are and if they are really the best identifier 
going forward for consumers. Could you give us your thoughts on 
that?
    Mr. Smith. Yes. Mr. Chairman, I worry about the fact that 
Social Security numbers have been out there since 1936 and used 
to be on our driver's license and used in our employment. You 
talked to many cybersecurity experts, and they say the vast 
majority of all SSNs have already been compromised.
    I am in no way skirting the issue of the horrific breach 
that we had. It was horrific, and I once again apologize to 
this Committee and to all Americans. But I would encourage a 
dialogue to talk about what is a better way to identify 
individuals, something beyond the SSN.
    Chairman Crapo. Do you have any ideas as to what that might 
be, what could we effectively transfer into?
    Mr. Smith. I do not, but I would love to be part of that 
dialogue, the combination of public and private partnership 
with academic, to think about that. There is a lot of thinking 
going on right now. I am sure with the right thought and a 
priority, we could crack that code.
    Chairman Crapo. All right. Thank you.
    There have been some issues and confusion relating to the 
product you just discussed and services that Equifax has 
offered in light of the breach. Some of my constituents have 
said they are having trouble gaining access to the remediation 
products being offered. What exactly are customers being 
offered today, and what do they need to do to obtain these 
products and services?
    Mr. Smith. Thank you.
    We are offering five different services for free, and to 
repeat, this is to all Americans, not just the victims of the 
criminal attack.
    Number one, it is a three-bureau monitoring, where you can 
monitor activity against your credit file from ourselves, 
TransUnion, and Experian. Two is the ability to lock the file. 
Number three is the ability to scan. We scan the dark web on 
behalf of the consumer looking for Social Security activity 
that might occur. Number four is access to our file for free, 
and number five is an insurance product that helps recoup costs 
up to a million dollars if a consumer has costs in trying to 
fight, repair their credit.
    So those are the five services we offer today to all 
Americans, and the other, Chairman, is the one we talked about 
that is available in 2018, January 31st of 2018, which is the 
next generation of Lock.
    Chairman Crapo. All right. Thank you very much.
    Senator Brown.
    Senator Brown. Thank you, Mr. Chairman.
    According to your testimony in the House yesterday, over 
the last 3 years, you have spent $250 million on cybersecurity. 
That is about $85 million a year, correct?
    Mr. Smith. Yes. That was an estimate that over the last 3 
years, it is approaching a quarter billion dollars.
    Senator Brown. And since 2016, you have made personally 
about $69 million; is that correct?
    Mr. Smith. I have not tracked that number, to be honest.
    Senator Brown. In hindsight, do you think Equifax should 
have spent more money protecting people's data rather than 
compensating you so well?
    Mr. Smith. I look back at the money we have spent. It is 
not a matter of the dollars spent. It was not a financial 
constraint, by any means. Obviously, when you look at the issue 
in hindsight, it is could you have spent money differently, not 
the total dollars spent.
    There is a benchmark out there that was done by IBM that 
benchmarks financial services companies, and their total security 
spend is a percent of IT. And their benchmark talks about a 
range of 10 to 14 percent. Our range is in the range of 12 
percent. So, again, we are spending money in a range that----
    Senator Brown. Well, I am going to interrupt you because I 
know that in the House, House hearing, there were not nearly as 
many questions because your answers were pretty long, and I 
understand the complexities of this. But you are an IT company, 
and that is just not acceptable.
    Last August, this past August at a business school event at 
the University of Georgia, you bragged that Equifax gets its 
data basically cost-free. You were also asked how you approach 
data fraud, and you responded, quote, ``Fraud is a huge 
opportunity for us.'' Your SEC filings back that up. They state 
that a significant portion of your revenue comes from selling 
credit monitoring and fraud protection services to consumers. 
So do you think, Mr. Smith, it is fair that Equifax gets to 
take its consumers' data at almost no cost, make millions by 
selling it to data-mining companies and marketers, then charge 
fees to those consumers for credit monitoring products after 
they become identity theft victims?
    Mr. Smith. Senator, the vast majority of what we do is 
allowing consumers to get access to credit. We take their data 
combined with analytics and allow underwriters at banks, credit 
card lenders, automotive lenders, to make loans to consumers. 
We make very little money as a percent of our total revenue 
from selling monitoring products to consumers.
    Senator Brown. But the point is you keep making money off 
people's sensitive data either way.
    Equifax does not get its data directly from consumers, as 
you know, and as several on this Committee have pointed out, it 
gets it from their banks, their utility companies, their 
employers, all without consent of the borrowers and the 
employees.
    Congress long ago, as I think you know, decided that 
companies could not traffic in people's medical records for 
obvious and good reason and that they needed to consent to a 
transfer. Why should not we do the same with financial records? 
You know how important that personal financial data is to 
people. Why not do the same with financial records? Do you 
think we need to change the consumer reporting industry in this 
country to give Americans ownership of the data? For example, 
should they be allowed to request that you delete the data from 
your systems?
    Mr. Smith. Senator, two thoughts. One is we are a vital 
part to the global economy. We provide a great service to the 
consumer enabling them to get access to credit.
    We also enable the unbanked because of our data to have the 
opportunity to get into the credit market. So it is a vital and 
very important role we play and have played for many, many 
years.
    Yes, there are things we can do better as an industry and 
working with Government, and the one thing I would like to see 
us talk about as an industry is this concept of giving the 
consumer the power to control their data. One small step 
forward is the concept of this lock for life. I would like to 
see the entire industry move in that direction.
    Senator Brown. I am trying to read between the lines. Is 
that a yes or a no to the question of should consumers be 
allowed to request you delete their data from your system, 
their data that you gather without their knowledge?
    Mr. Smith. I believe a better way to get at that is through 
this lock concept.
    Senator Brown. So that means no?
    Mr. Smith. Correct.
    Senator Brown. Even though we do it with medical data and 
even though--I mean, fundamentally, if you do not think 
consumers should be allowed to control their own data, the 
question is why should a company that has had so many security 
failures be allowed to control their data. That is the 
fundamental question that this company has not--apparently has 
not asked or certainly has not answered to the public.
    Thank you.
    Chairman Crapo. Thank you.
    And I would note to the Senators that Senator Brown and I 
both stayed within our 5 minutes. I encourage all of you to 
follow that pattern.
    Senator Sasse. It was kind of impressive.
    Senator Kennedy. It was kind of unusual.
    [Laughter.]
    Chairman Crapo. Senator----
    Senator Sasse. I think it is me. Yeah.
    Chairman Crapo. ----Sasse.
    Senator Sasse. Thank you, Chairman.
    Mr. Smith, let us take a minute to talk about why we are 
here. Big picture, it is this. There is a really small group of 
credit bureaus in America, and by really small, I mean three. 
And if you are an American who buys a home or a car, you 
typically have to be cleared by one of those three, and even if 
you do not have a relationship with one of the three, if you 
are a consumer who did not choose this, so you think about the 
OPM hack, people were at least choosing to apply for a security 
clearance or to work for the Federal Government. We have people 
here who did not have any relationship with you and did not 
choose to engage with you.
    If you get a credit card from one of the countless offers 
that Americans get every day in their mailbox from department 
stores or gas stations or airlines, it is not uncommon for one 
of the three credit bureaus to then obtain your information. So 
what happens when something goes wrong? What happens when one 
of you big three is hacked? What happens if you are one of the 
145 million Americans who, in this case, had their information 
stolen? What happens if 5 years from now an American has their 
identity information stolen? What happens when there is a 
reasonable suspicion that folks at your organization may have 
engaged in insider trading?
    There is a lot of anxiety that Americans feel, and they are 
Americans who do not have the benefit of powerful attorneys and 
lobbyists. And for them, this hearing is one of their only 
shots at getting a full account of what went wrong, who is to 
blame, and what is going to happen about it in the future.
    So I would like to discuss this question about those who 
were impacted by the breach and how long you think Equifax's 
exposure or responsibility lasts. If you are an American, if 
you are one of those 145 million, you do not have the ability 
to change your name, your mother's maiden name, your birth 
date, your Social Security number, and your organization has 
committed to providing identity monitoring services for the 
next year.
    But I am curious about whether or not Equifax and your 
board have deliberated. Do you think your responsibility ends 
in 1 year, in 2 years, in 5 years, in 10 years? And if you 
think it ends at some point, have you tried to think about the 
goodwill and balance sheet impact of all this? How can you 
explain to an American whose identity might be stolen later, 
because of this breach, why your responsibility would ever end? 
Does it end?
    Mr. Smith. I understand the question, and it ends--it 
extends well beyond a year, Senator.
    The first step we took was the five services we mentioned 
to the Chairman a minute ago, which gets the consumer through 1 
year. The ultimate control for security for a consumer is going 
to the lifetime lock, the ability for a consumer to lock down 
his or her file to determine who they want to have access for 
life.
    Senator Sasse. But is not this--I would just interrupt. Is 
not this about people who might be breached in the future?
    I am talking about the 145 million whose data has already 
been stolen. Does your responsibility end, or what do you think 
your legal obligations are to them?
    Mr. Smith. I think the combination of the five services we 
are offering combined with a lifetime lock is a good 
combination of services.
    Senator Sasse. I actually think the innovation of some of 
the stuff you have proposed for the big three going forward is 
quite interesting, but why does any of that five really do much 
for the data that has already been stolen?
    Mr. Smith. Senator, again, the combination of the five 
offerings today plus the lifetime lock, we think is the best 
offering for the consumer.
    Senator Sasse. OK. I do not think you have really answered 
the question about whether your exposure legally ends for the 
145 million.
    Do you know the number? Can you do the 145 million 
breakdown by State? Not off the top of your head, but do you 
have the data that we on the Committee could have by tomorrow? 
Just to--have you got it in your 145 million records? Can you 
parse it by State so each of us understands how many 
constituents we have----
    Mr. Smith. I believe so.
    Senator Sasse. ----who have been exposed?
    Mr. Smith. We should have that capability. I am just 
hesitating on by tomorrow, but let me take that back to----
    [Pause to confer.]
    Mr. Smith. We do have it.
    Senator Sasse. OK. Great. Thank you.
    It is being reported in the media this morning that you 
have just received a no-bid contract from the IRS for fraud 
prevention. Can you explain to the American people, not just as 
consumers who have been exposed and breached here, but as 
taxpayers, why in the world should you get a no-bid contract 
right now?
    Mr. Smith. I am not sure it was a no-bid. My 
understanding--I do not profess to have the details there, 
Senator--it is with the IRS. It is a contract we have had in 
the past. I think it is being renewed.
    Senator Sasse. OK. We are going to follow up with the IRS 
as well, but if you could clarify back with us, my team will 
follow up with you.
    I have less than a minute left, but I want to open at least 
the allegations that Equifax executives engaged in insider 
trading relating to knowledge of this cyberbreach. One of the 
clearest times and definitions of insider trading occurs when a 
business executive trades their company's stock because of 
confidential knowledge that they have gained from their job.
    I am sure you can imagine why Americans are very mad about 
the possibility that this occurred here. Well, insider trading 
is going to be discussed a lot more later in this hearing. I 
wish you could just very quickly give us a timeline of the 
first steps. When did Equifax first learn of the May 2017 
breach, and when did you inform the FBI of that breach?
    Mr. Smith. Thank you. I will answer as quickly as I can.
    We notified the FBI cybersecurity forensic team and an 
outside global law firm on August 2nd. At that time, all we saw 
was suspicious activity. We had no indication, as I said in my 
oral testimony, of a breach at that time.
    You might recall that the three individuals sold stock on 
August 1st and 2nd. We did not have an indication of a breach 
until mid to late August.
    Senator Sasse. So you are saying that those three 
executives--Mr. Chairman, I will stop. You are saying those 
three executives had no knowledge of a breach on August 1st or 
2nd?
    Mr. Smith. To the best of my knowledge, they had no 
knowledge, and they also followed our protocol to have their 
stock sales cleared through the proper channels, which is our 
general counsel.
    Senator Sasse. We will have follow-ups on that, please.
    Thanks.
    Chairman Crapo. Senator Tester.
    Senator Tester. Thank you, Mr. Chairman, and I want to 
thank you for being here today, Mr. Smith.
    I apologize for not being here during your presentation. I 
had a business meeting on another committee, so I did not hear 
your timeline. So I will give you mine, and I will start with 
the first notification in March of this year by U.S.-CERT that 
you guys had a vulnerability. Did you do anything with that 
notification?
    Mr. Smith. Yes, Senator, we did. We were notified on March 
8th and on March 9th, following the traditional patch protocol. 
Communication was sent out.
    Senator Tester. Communication was sent out. Did you do 
anything to fix the potential vulnerability?
    Mr. Smith. There were two steps that I discussed in my oral 
testimony----
    Senator Tester. Yeah. Go ahead.
    Mr. Smith. ----which I will walk through. One was there was 
a communication breakdown in the patching organization within 
IT. The message did not get to the right person down to the 
utilization of patch.
    Senator Tester. So, ultimately, nothing happened?
    Mr. Smith. Well, two things happened.
    Senator Tester. You did the notification, but ultimately, 
in the end, there was nothing done with that notification to 
fix that vulnerability?
    Mr. Smith. Senator, yes. A scan was applied looking for the 
vulnerability. A technology scan was applied, did not find it, 
so the patch was not applied. Correct.
    Senator Tester. OK. So let us fast forward to the 29th of 
July, and you learned for the first time that your company has 
been hacked, do not know how big the hack is, but it has been 
hacked, and it was preceded by this notification from U.S.-
CERT.
    Three days after, as Senator Sasse pointed out, you had 
three high-level execs sell $2 million in stock. That very same 
day, you notified the FBI of the breach. Can you tell me if 
your general counsel was held accountable for allowing this 
stock sale to go forward, or did he not know about the breach?
    Mr. Smith. Senator, a clarification. On the 29th and 30th, 
a security person saw suspicious activity, shut the portal down 
on the 30th. There was no indication of a breach at that time.
    The internal forensics began on the 30th. On the 2nd, we 
brought in outside cyberexperts--forensic auditors, law firm, 
and the FBI. The trades took place on the 1st and the 2nd. At 
that time, the general counsel, who clears the stock sales, had 
no indication--or did the company--of a security breach.
    Senator Tester. Well, I am going to tell you something, and 
this is just a fact. And it may have been done with the best of 
intentions and no intent for insider trading, but this really 
stinks. I mean, it really smells really bad, and I guess 
smelling bad is not a crime.
    But the bottom line here is that you had a hack that you 
found out about on the 29th. You did not know how severe it 
was. You told the FBI about the breach. On that same day, high-
level execs sell $2 million worth of stock, and then you do 
some investigation, evidently, and you find out at the end of 
the month that--or at least by the first part of September that 
this is a huge hack, and you finally notify the public. And as 
was pointed out already in this Committee, these are people 
that did not ask for your service. You gathered it, and now it 
is totally breached.
    And then, as Senator Sasse said, ``What is the length of 
exposure here?'' and you said, ``Well, we are doing these five 
things.'' That is proactive, and I think we can all applaud 
those efforts. But I have got to tell you, that does not do a 
damn thing for the people who have been--had their identity 
stolen and their credit rating stolen.
    So let me ask you this. So their credit rate goes up a 
little bit, and they go buy a house for 250,000 bucks on a 30-
year note, and it cost them 25 grand. Are you liable for that?
    Mr. Smith. Senator, I understand your anger and your 
frustration. We apologize for the breach. We have done 
everything in our power to make it right for the consumer, and 
we think these services we are offering are a right first step.
    Senator Tester. Well, I would just tell you this, and I 
think Equifax must have--must be or been a good company at 
one point in time, but this length of time on a breach this big 
in this day and age when we have folks that are pretty damn 
good at this stuff, especially when the Department of Homeland 
Security through U.S.-CERT says you got a problem, and was not 
really dealt with in a way like it was really a problem--I 
mean, you can say you sent out the directives, but in the end, 
3, 4 months later, you end up with a very severe breach.
    The problem we have got here--and I will just tell you 
this--is that the impact and the numbers by State is important. 
I think it is about 600,000 adults, and I think it is about 
two-thirds of the adults in Montana, which is about probably 4 
to 500,000 people, and in a State of a million, that is a lot, 
OK?
    And so, consequently, those people are going to be impacted 
negatively for a long, long time. Why? Because this happened, 
and you can say, ``Jeez, I am sorry it happened,'' but the 
notification for 6 weeks in this 21st century we live in is 
absolutely unacceptable. And I will just tell you that. It is 
unbelievable.
    And I appreciate you coming in front of the Committee.
    Chairman Crapo. Senator Scott.
    Senator Scott. Thank you, Mr. Chairman.
    Mr. Smith, thank you for being here this morning, and 
certainly, we all are a tad confused about the knowledge that 
you had and your execs had that seem to--at least their stock 
sales seem to suggest more information than we are getting 
here.
    So I just want to walk through the numbers as well as the 
timeline to better understand and appreciate what happened. You 
say that they did not know about the breach, but there was 
suspicious activity that was reported. Did you know about the 
suspicious activity on July the 29th?
    Mr. Smith. No, sir, I did not. So----
    Senator Scott. You were not notified about the suspicious 
activity?
    Mr. Smith. I was but not on the 29th. So on the 29th, a----
    Senator Scott. So the 31st, you were notified?
    Mr. Smith. Yes, correct.
    Senator Scott. OK. So the very next day after you were 
notified, your senior executives, including your CFO, sold $1.8 
million, nearly $2 million of stock, for a profit of--
comparatively speaking to your September 7th devalued stock, 
for about $655,000. So at the price that the execs sold their 
stock for netted them, comparatively speaking, to the stock 
price that would have been on September 7th had they sold it on 
September 7th--they netted $655,000 during the same window that 
the average person who learned about the breach lost $6.4 
billion or 36 percent of the stock value. Is that accurate?
    Mr. Smith. I have not done the math. I trust it is.
    Senator Scott. OK. So Equifax tells the public about the 
breach on September the 7th, which is 6 weeks later, and just 
walk through the math with me, then. The stock dropped to 
$92.98 a share, and it dropped from $146.26 per share, or a 36 
percent loss. The executives who sold the 1.8--1.8 trillion--
$1.8 million benefited about $655,000 if you average in that 36 
percent difference.
    There are roughly 120 million outstanding shares of 
Equifax. That means that folks who have Equifax stock in their 
retirement accounts, the mom-and-pop businesses that are saving 
for the future for a large purchase and they decided to invest 
in Equifax, all those folks bore the burden of a $6.4 billion 
drop in valuation at the same time that the general counsel who 
did not know, the CEO who did not know, so all the folks in the 
executive suite had no clue, but they were the luckiest 
investors on August the 1st to sell the stock at the best price 
to net $655,000. This was pure luck and nothing else. Question. 
Is it? Was it?
    Mr. Smith. No, sir. A few thoughts.
    Senator Scott. Thank you.
    Mr. Smith. Go back to the 29th and 30th. We have--we 
experience millions of suspicious potential attacks each year. 
It is not like the suspicious attack that occurred on the 29th 
and the 30th was the first of that year, of that month. 
Suspicious attacks occur all the time. That is number one.
    Number two----
    Senator Scott. Let me ask you a question right there, sir. 
If you were to look back at the executives' stock sales on the 
other millions of suspicious activity, was there ever a 
suspicious activity that led to, within a 48-hour window, sale 
of stock?
    Mr. Smith. The window was open post the second quarter 
earnings call. It is only open for a short period of time, as 
you might guess. We encourage executives to sell the first part 
of that window's opening. As you get into the opening, you know 
more and more about the quarter and the financial performance 
of the company, so you tend to discourage sales later on in 
that month. So the behavior you saw was normal behavior. That 
is point number one.
    Point number two is they did follow the protocol. They got 
the clearance. The general counsel approved the sale. The 
window was not closed by the general counsel until mid-August.
    The last point I will make, Senator, if I may. These are 
three men I have known for a long time, two of them for 11 to 
12 years. One has been my CFO for 3, 3 1/2 years. These are 
honorable men who follow the protocol that was outlined by the 
organization.
    Senator Scott. Well, I will just close with this, Mr. 
Ranking Member.
    I believe in the rule of law for everyone. I believe that 
you are innocent until proven guilty, but I will say that what 
you guys want us to believe as a Committee, the U.S. Senate, 
the Congress, the investors in Equifax, and the entire Nation, 
what you all want us to believe is that the three luckiest 
investors who sold their stock did so without any knowledge 
that that suspicious activity may be bigger and more powerful 
than any other suspicious activity perhaps in the history of 
the company. I find that hard to believe.
    Senator Brown [presiding]. Senator Warner.
    Senator Warner. Thank you, Mr. Chairman.
    Mr. Smith, appreciate you being here, but we have seen a 
history of other companies, of Yahoo! announcing today their 
breach was actually 3 billion, not the billion they initially 
acknowledged.
    But for a company like yours, where American citizens have 
no right to opt in, we enter into no customer-based 
relationship with you, I think it raises a whole host of policy 
questions we cannot get into today, but I think this Committee 
needs to look at. I think we have to ask honest questions. Who 
owns this data? How do you get the right to this data that is 
our personal information, and yet your company's practices of 
cyberhygiene are sloppy in the extreme?
    The fact that there was known vulnerability, that you did 
not have appropriate internal controls in place to easily patch 
this is inexcusable. The fact that it took so long for the 
senior leadership to get its act together is inexcusable, and 
what I find, what I want to spend my time, because I could echo 
what my colleagues have said about how long it took and 
everything else, but then once the breach was known, the 
complete, sloppy, haphazard approach you took on remediation is 
again inexcusable.
    The fact that the site you put up, rather than you directed 
customers to go to, did not use your existing domain. You 
created a whole new domain site. In that domain site, there 
were known software glitches. You initially offered people what 
I believe was a bait-and-switch scam to say, ``We are going to 
give you a year of free protection, but, oh, by the way, you 
are going to give up all of your legal rights by agreeing to 
some small-print arbitration agreement.''
    The fact that the site that you directed people to was so 
faulty and so sloppily put together, that even entities like 
the Architect for the Capitol would not allow users to access 
the site because they thought it was so vulnerable, the fact 
that you then also required individuals after their information 
had been hacked into, abused, potentially now vulnerable for 
who knows how long to enter in your last name and your last six 
digits of your Social Security number, what in heaven's name 
were you all thinking?
    The fact that your official Twitter account mistakenly 
tweeted a phishing link four times instead of the company's 
actual breach response page, I mean, even if I want to try to 
give you the benefit of the doubt of sloppy cyberhygiene and 
somebody made a mistake and you did not find until after the 
fact and there were mistakes made, when this was all known and 
you said that you created a company that was an information-
based company, you had this level of sloppy cyber-response? 
What do you say to the 143 million-plus Americans who have had 
their private information violated, that even after the fact, 
your response was inadequate and on every level would not meet 
basic cyber-101-hygiene standards?
    Mr. Smith. Senator, I understand your frustration and the 
anger of the American public. I apologize not only for the----
    Senator Warner. But, sir, I am not asking you to apologize. 
I am asking you to say how do we tell the American people. How 
should any American say again, ``I have got no option of opting 
in whether you are going to get my personal credit 
information''? Why should any of us have any faith that you are 
putting anything in place that is appropriate when the 
immediate actions you took after the knowledge of the hack took 
place was so sloppy and so inadequate in terms of your 
remediation site?
    Mr. Smith. Again, Senator, the ramp-up was overwhelming for 
a company that is largely doing business with other companies, 
and we had to go from 500 call center people to almost 3,000 in 
2 weeks. We went to the Cloud Computing Amazon site for scale. 
We had, I think I mentioned in my oral testimony, over 400 
million consumers come to a website.
    Senator Warner. Sir, my time is up, but I would only say 
telling me how many more people you hired and scaled up, that 
is not what my question was. My question was, Why was your site 
so technically flawed? Why did you send people to a new domain 
site that was not properly registered? Why was your Twitter 
account sending people to the wrong site? Why was this site so 
badly put together that institutions like the Architect of the 
Capitol would not even allow consumers to touch it because it 
was so faulty? For a company that claims to be an information-
based company, even giving you the benefit of the doubt on 
everything that happened beforehand, your remediation efforts 
do not pass basic cyber-101-hygiene.
    Thank you, Mr. Chairman.
    Senator Roberts. Senator Perdue.
    Senator Perdue. Thank you, Ranking Member.
    Thank you, Mr. Smith, for being here today.
    Mr. Smith, just for the record, are you the current CEO of 
Equifax today?
    Mr. Smith. No, sir. I am retired.
    Senator Perdue. And you resigned your position; is that 
correct?
    Mr. Smith. Correct.
    Senator Perdue. Would you tell the Committee why you did 
that?
    Mr. Smith. Senator, I thought it was the best for the 
company to have a new leader come in and resurrect this great 
company. I have agreed, Senator, to work with the company for 
as long as needed. It has been a company I have loved working 
for, for 12 years. The company has done a lot of great things 
around the world. I have agreed to assist in any way I can for 
free for as long as they need.
    Senator Perdue. So, today, there are two issues before this 
Committee. I only have time in the few minutes here to get at 
one of these. The two issues are what happened, how did it 
happen, and what is going to be done to rectify that with the 
current individuals that were harmed by this.
    The second issue is a bigger issue, and that is this entire 
cybersecurity issue. When the now Chairman Jay Clayton of the 
SEC was before this Committee, we asked this same question. 
Under the antitrust laws, there are limitations for 
corporations like yours and the other guys in this business to 
talk to each other when you are threatened by cyberattacks; is 
that correct?
    Mr. Smith. There are ways for us to talk to different 
entities when needed. The agency is an example. There is a 
network we belong to where we talk about issues and trends in 
cybersecurity. We take advantage of that.
    Senator Perdue. So in this situation, were you able to talk 
to your two biggest competitors when you were warned earlier in 
March and then when you discovered it in July?
    Mr. Smith. No, Senator.
    Senator Perdue. So why were you not able to talk to them 
and warn them of similar activity?
    Mr. Smith. I am not sure it was that we were not able to, 
but we did not know enough at that time either to talk to them.
    Senator Perdue. So later when you did know enough 
internally, were you limited by antitrust law or 
considerations, or were you able to fully talk to these other 
two competitors?
    Mr. Smith. That, I am not aware of.
    Senator Perdue. OK. We think there is a problem in that the 
Secretary--I mean the SEC Chairman is aware of that. Actually, 
Senator Cardin and Senator Blunt are working on a data security 
act that would provide a national standard and make it clear--
because if you look at the current law, it is not clear--on 
these cyberbreach notifications for people within an industry 
and also between the companies and different agencies in the 
Federal Government.
    A national standard like this, would that be helpful for 
your predecessor or your successors and other people in this 
industry?
    Mr. Smith. I believe so.
    Chairman Crapo. Let us talk about credit report freezes. It 
seems to me that in the day of the app, when my 6-year-old 
grandson knows how to get on and get unlimited access to apps, 
that a person who has data stored in one of these credit 
companies could go on an app that--and they are online right 
now, how to manage your credit scores and so forth. Intuit has 
got them. They are all out there. What keeps you from giving 
the ability to freeze an account?
    Today, as I understand it, if you want to freeze your 
account, you have to go to your firm and each of the two 
biggest competitors and possibly others, pay a fee, get a PIN, 
remember the PIN, and then freeze it for--it is your 
determination, but to unfreeze it, you have to go back and 
activate the entire process again. That seems most Americans 
are not going to be able to do that.
    So what keeps the industry from actually moving toward a 
simple app that some individual can be informed about to 
preclude this sort of exposure?
    Mr. Smith. Senator, that is a great question. That is where 
we are heading. That is the July--or the January 31st product 
or service that we are offering, which is--will be an 
application on a smartphone, on a PC. It allows you to freeze 
or lock and unlock instantly at the time you want.
    I would encourage our two other competitors in the 
industry, Senator, to come together as an industry and offer 
that service to all consumers on one site. The things you could 
do if you had the consumers, the power at their fingertips, to 
lock and unlock anytime they want that for all three credit 
reporting agencies would be powerful. It would be a paradigm 
shift for the consumer.
    Senator Perdue. What would you tell your successor in terms 
of the number one--in most businesses, the number one entity 
they worry about is their customer. The individuals we are 
talking about, they really were not customers of Equifax. What 
advice would you give--and we have just got a few seconds 
left--what advice would you give your successor to rectify this 
situation?
    Mr. Smith. Senator, we are a 118-year-old company. We have 
always prided ourselves as being a trusted steward of data. The 
number one thing we have got to do now as a company is regain 
the trust of the consumer in America.
    Senator Perdue. How do you do that?
    Mr. Smith. By doing what is right for the consumer. We are 
starting by doing, offering these five services, offering the 
lifetime lock. It takes time. When you have the size of 
criminal attack that we allowed to occur, it takes time to 
regain that trust.
    Senator Perdue. Thank you for being here.
    Mr. Smith. Thank you.
    Senator Perdue. Thank you, Mr. Ranking Member.
    Senator Roberts. Senator Warren.
    Senator Warren. Thank you, Mr. Chairman.
    Now, Mr. Smith, Equifax has been hacked several times in 
the past few years. It is consistently rated as having some of 
the worst data security practices in the financial services 
industry, and this latest hack happened through a hole in your 
system that had been identified months before and could have 
been fixed pretty easily. The whole thing is staggering. A 
company like Equifax that has sensitive personal information on 
most Americans should have the best data security in the 
industry, and instead, it has the worst. And I want to 
understand why.
    So I started to look into this, and one thing jumped out at 
me. In August, just a couple of weeks before you disclosed this 
massive hack, you said--and I want to quote you here--``Fraud 
is a huge opportunity for us. It is a massive growing business 
for us.''
    Now, Mr. Smith, now that information for about 145 million 
Americans has been stolen, is fraud more likely now than before 
that hack?
    Mr. Smith. Yes, Senator, it is.
    Senator Warren. Yeah. So the breach of your system has 
actually created more business opportunities for you.
    For example, millions of people have signed up for the 
credit monitoring service that you announced after the breach. 
Equifax is offering 1 year of free credit monitoring, but 
consumers who want to continue that protection after the first 
year will have to pay for it, will not they, Mr. Smith?
    Mr. Smith. Senator, the best thing a consumer could do is 
get the lifetime lock.
    Senator Warren. I am asking you the question. You are 
offering free credit monitoring, which you say is worth 
something, and you are offering it for only 1 year. If 
consumers want it for more than 1 year, they have to pay for 
it; is that right?
    Mr. Smith. Yes, Senator, but the most--the best thing a 
consumer can do is the lock product. That is better than 
monitoring.
    Senator Warren. OK. But they are going to have to pay after 
1 year if they want your credit monitoring, and that could be a 
lot of money. So far, 7.5 million people have signed up for 
free credit monitoring through Equifax since the breach. If 
just 1 million of them buy just one more year of monitoring 
through Equifax at the standard rate of $17 a month, that is 
more than $200 million in revenue for Equifax because of this 
breach.
    But there is more. LifeLock, another company that sells 
credit monitoring, has now seen a tenfold increase in 
enrollment since Equifax announced the breach. According to 
filings with the SEC, LifeLock purchases credit monitoring 
services from Equifax, and that means someone buys credit 
monitoring through LifeLock. LifeLock turns around and passes 
some of that revenue directly along to Equifax. Is that right, 
Mr. Smith?
    Mr. Smith. That is correct.
    Senator Warren. That is correct.
    OK. So from the second Equifax announced this massive data 
breach, Equifax has been making money off consumers who 
purchased their credit monitoring through LifeLock.
    Now, Equifax also sells products to businesses and 
Government agencies to help them stop fraud by potential 
identity thieves. Is that right, Mr. Smith?
    Mr. Smith. Yes, Senator. There is one clarification. You 
had mentioned the LifeLock relationship----
    Senator Warren. Uh-huh.
    Mr. Smith. ----which was accurate. At the same time, the 
majority of that revenue we normally generate is direct to 
consumer. We have shut that down. We are no longer selling a 
consumer product directly.
    Senator Warren. I am sorry. My question is every time 
somebody buys through LifeLock--and they have seen a tenfold 
increase since the breach--you make a little more money. We 
actually called the LifeLock people to find this out. So I 
asked you the question, but I already know the answer. It is 
true. You are making money off this.
    So let me go to the third one. Equifax sells products to 
businesses and Government agencies to help them stop fraud by 
potential identity thieves, right?
    Mr. Smith. To the Government, yes, not to the business.
    Senator Warren. You do not sell the businesses, to small 
businesses?
    Mr. Smith. We sell to business, but it is not to prevent 
fraud. That is not the primary focus or business----
    Senator Warren. But to stop identity theft, you do not have 
any products that you are touting for identity theft purposes?
    Mr. Smith. Senator, all I am saying is the vast majority of 
what we do for businesses is not fraud.
    Senator Warren. Look, you have got three different ways 
that Equifax is making money, millions of dollars, off its own 
screw-up, and meanwhile, the potential costs to Equifax are 
shockingly low. Consumers can sue, but it turns out that the 
average recovery for data breaches is less than $2 per 
consumer, and Equifax has insurance that could cover some big 
chunk of any potential payment to consumers.
    So I want to look at the big picture here. From 2013 until 
today, Equifax has disclosed at least four separate hacks in 
which it compromised sensitive personal data. In those 4 years, 
has Equifax's profit gone up? Mr. Smith.
    Mr. Smith. Yes, Senator.
    Senator Warren. Yes, it has gone up, right? In fact, it has 
gone up by more than 80 percent over that time.
    You know, here is how I see this, Mr. Chairman. Equifax did 
a terrible job of protecting our data because they did not have 
a reason to care to protect our data. The incentives in this 
industry are completely out of whack. Because of this breach, 
consumers will spend the rest of their lives worrying about 
identity theft. Small banks and credit unions will have to pay 
to issue new credit cards. Businesses will lose money to 
thieves, but Equifax will be just fine. Heck, it could actually 
come out ahead.
    Consumers are trapped. There is no competition, nowhere 
else for them to go. If we think Equifax does a lousy job 
protecting our data, we cannot take our data to someone else. 
Equifax and this whole industry should be completely 
transformed. Consumers--not you--consumers should decide who 
gets access to their own data.
    And when companies like Equifax mess up, senior executives 
like you should be held personally accountable, and the company 
should pay mandatory and severe financial penalties for every 
consumer record that is stolen.
    Mr. Chairman, we have got to change this industry before 
more people are injured.
    Thank you.
    Chairman Crapo [presiding]. Senator Tillis.
    Senator Tillis. Thank you, Mr. Chair.
    Mr. Smith, thank you for being here.
    I have one question that I want to get to. First, can you 
explain to me why you believe as a strategy the lock versus the 
delete option is in the best interest of the consumer?
    Mr. Smith. Yes. Senator, we, I think, provide a very 
valuable service to the consumer, allowing him or her to get 
access to credit when they want access to credit. If they are 
not in the system, they hinder their ability to get credit.
    Senator Tillis. How do you think that would--let us say 
that you had a delete option, so there was not a transactional 
opportunity for a consumer to have that information available 
to people who are maybe underwriting a loan. Let us say that if 
you took that to the logical conclusion and had all three of 
the information providers delete your financial record, how do 
you think that would affect somebody who is trying to apply for 
a mortgage or a loan or a credit card?
    Mr. Smith. We know what would happen. If you are not in the 
credit ecosystem, you do not get a loan.
    Senator Tillis. Do you think that is maybe even 
particularly more pronounced, given some of the changes that we 
have with financial regulations and underwriting practices and 
scrutiny from the Federal Government?
    Mr. Smith. I do.
    Senator Tillis. Look, the point that I am trying to make 
here is you all have a problem. I associate myself with a lot 
of the concerns.
    One thing I would ask you to do, you said the three 
individuals in question for a stock disposition are honorable 
people, that you have known them for several years. They have 
been employed by Equifax for several years. I think it would be 
very helpful to see what their pattern of stock dispositions 
have been over the years to see the process they have gone 
through, because I think that that would be helpful for this 
Committee. I think there is an appearance issue there that you 
all should--or that Equifax and the individuals should step up 
and address.
    Look, here is the other thing that we could be missing 
here. You all made a big mistake. You sound like you have got 
some remediation practices in place. I think you do have to get 
right on the long-term obligation you may have. There is a 
difference between a breach and exploitation.
    At least the other day, when I asked about any evidence of 
exploitation of the data breach, we have not seen any yet, but 
it seems to me, you have got to create some sort of a footprint 
on the data that was exploited so that over time, you could 
make a reasonable decision about whose problem it is to 
remediate any exploitation beyond the year pathway.
    Another thing--I mentioned it yesterday with Wells Fargo--
that I think is very important, the problem that resulted for 
maybe controls and processes at Equifax should be your problem, 
not the consumer's problem. In other words, you need to make it 
very easy and no cost to the consumer to fix a problem that 
they became a part of, and rather than you get into the details 
in this Committee, it would be helpful for me to get some 
assurances that that is the case.
    I use an example of an inappropriate parking ticket that I 
got using a park mobile app in Charlotte. When I called the 
folks up and said, ``I got a receipt right here,'' they said, 
``Well, you can go through 2 or 3 weeks. You can appeal. You 
can file it, and we are sure that it was because maybe your 
license tag got mixed up.'' I said, ``My license tag at the 
time was a 3.'' So I think they should have been able to figure 
it out, but they were trying to make their problem my problem. 
And you need to be absolutely certain--or Equifax and the 
people that are taking the helm need to be absolutely certain 
that they can convince us that you are addressing this and not 
making your problem the consumer's problem.
    I do think it is very important for people to understand 
the potential chilling effect that you could have if you erase 
your financial history from the system. We expect you all to 
protect it, and we expect you all to be good stewards of it. In 
this case, a variety of factors led to that not being the case, 
but we have to get there.
    I had another--just a comment to make. You are an 
aggregator of data. What this Committee and every committee 
that is taking a look at for cybersecurity needs to understand, 
the broad exposure that we have in this country. You are an 
aggregator of data. Again, I would think that your systems 
should be more impervious to attacks than mom-and-pop shops and 
other people who are aggregators of data based on their 
purchasing platforms and their supply chains.
    Congress needs to start thinking big picture here and how 
we can get the U.S. economy to a point to where when you become 
difficult or more difficult to penetrate, then I just go to the 
sources. And then I can pick it off and maybe actually do it in 
organizations that are far less sophisticated than you.
    If people think that the credit reporting agencies and the 
big banks are the only ones that are vulnerable, I would 
suggest that you go get a book that I have got on my desk right 
now in my office. It is called ``Hacking for Dummies''. It is a 
very important book for you all to understand, for the industry 
to understand, and for Congress to understand.
    You need to be held accountable. Equifax needs to be held 
accountable. We need to be held accountable for actually 
getting beyond the shiny objects of this breach, which are 
really important, and you need to protect the consumers and 
recognize we have a role to play to protect this economy, 
otherwise this is not going to end. It will be the CEO of the 
week and the breach of the week, and that is not the way that 
we should be leading from Capitol Hill.
    Thank you for being here, and we will potentially submit 
some other questions for the record. But I think it is in your 
best interest or those who are working with Equifax to give us 
more information on the stock disposition patterns for the 
executives in question.
    Thank you very much.
    Mr. Smith. Thank you. I understand, Senator.
    Chairman Crapo. Senator Heitkamp.
    Senator Heitkamp. Thank you, Mr. Chairman.
    North Dakota is a State of about 740,000 people. Our 
Attorney General estimates that 248,000 North Dakota families 
have been affected by this, and let me tell you, I have heard 
from a lot of them. And I want to just tell you that I am 
deeply concerned about the remedial efforts and how all of that 
rolled out to begin with.
    First off, if you have this level of information on 
consumers that they did not give you--that is all part of this 
thing that Elizabeth was talking about--and you do not have a 
system in place for a fire drill on what you do if you are 
breached, after you told us that you get notifications all the 
time of potential breaches--and then you say, ``Oh, we had to 
create all of this system. We had to create this thing out of 
whole cloth,'' right? That is what you have told us--why the 
roll-out after the breach was notified, why it went so poorly, 
and why people were not protected, and why in many cases, it 
was like, ``OK. We are going to charge you a fee if you do 
this. We are going to do this,'' my consumers are like, ``Why 
do I have to now spend money to protect myself when it is their 
fault?''
    And so I think it is not enough for you to say, ``My 
goodness, look at the magnitude of this,'' when you should have 
anticipated it, the same way you should anticipate whether you 
have a fire in a building. You should be ready when it happens, 
and it goes to what Senator Tillis just said. We all know it is 
going to happen again, and I am saying this because I want all 
CEOs who have access to this kind of information to know I am 
going to ask a question on what they are doing to prepare, to 
prepare for a breach.
    Now I want to get back to the FBI. You said, ``Look, we get 
a lot of these breaches. You know, this happens all the time. 
We did not realize it was as serious as what it was.'' What is 
the date you notified the FBI, and who made that notification?
    Mr. Smith. Senator, the date was August 2nd. The head of 
security at that time would have notified the FBI, the 
cybersecurity forensic team, and King & Spalding.
    Senator Heitkamp. And when would the head of security have 
notified your chief legal counsel or chief legal officer?
    Mr. Smith. On and around that same time.
    Senator Heitkamp. Yeah. And when did he approve the stock 
trades?
    Mr. Smith. Senator, he approved the stock trades on the 1st 
and the 2nd for the three individuals. At that time, as I 
alluded to earlier, it was a suspicious activity. There was no 
indication of a breach at that time.
    Senator Heitkamp. How many times do you notify the FBI? You 
do that every day, every week?
    Mr. Smith. I do not have that specific data, but it is not 
unusual. I mentioned earlier that we have millions----
    Senator Heitkamp. I get that. I want to know how many times 
when you are notified, you actually turned around and notified 
the FBI.
    Mr. Smith. We can get that information. I do not have that.
    Senator Heitkamp. Yeah. Well, that is a problem because it 
looks pretty suspicious, and your chief legal officer has some 
explaining to do because even after he knew that there was a 
notification to the FBI about this level of breach, he did not 
claw back or try to undo those transactions and reverse what 
clearly appears to be a pretty beneficial situation for three 
of your employees.
    I want to talk about remedial measures and go back to 
consumers. Obviously, we are in this very big discussion about 
what we are going to do with mandatory forced arbitration.
    You know, it is interesting because if I go out there and 
sign a contract with somebody, maybe I can protect myself. 
Maybe I cannot. I do not think that fine print in a contract is 
exactly anything other than illusory, but we can argue that 
point. But why should you ever make that choice and mandate 
forced arbitration in your business?
    Mr. Smith. Senator, a point of clarification--and this is 
part of our--my apology earlier--the intent was never to have 
arbitration clause in the product that--the services offered to 
the consumer at that time. It was a part of a boilerplate. It 
was a part of a product we were offering to consumers prior to 
the breach. It was a mistake we made.
    Senator Heitkamp. But let us just ignore for a minute the 
breach. Why should the consumer not be able to make that 
choice, especially in this situation when the consumer is not 
your community?
    Mr. Smith. Again, to be clear, that was not the intent for 
the breach. Arbitration clause is a legally viable path for us 
to take at this time. That is why it was in the consumer 
offering.
    Senator Heitkamp. Yeah. Well, I think we have got some real 
challenges in taking a look at how we provide a real remedy to 
consumers in this situation, and this will not be the first 
time that we have a hearing like this. We had one yesterday; we 
are having one today.
    But I guess my warning, Mr. Chairman, would be I am going 
to ask every person out there who has responsibility as a CEO 
for consumer data to do the right thing, and that is right now 
start thinking about if this happens to me, how do I treat my 
consumers and the people who have lost their personal data. And 
maybe we ought to start thinking about opting in as opposed to 
opting out.
    And so I want my credit locked until I do not--until I 
unlock it. Why cannot I have that option? Why do I have to pay 
to have my credit locked?
    Mr. Smith. Senator, you do not. It is free. It is part of 
the offering we just made.
    Senator Heitkamp. For the breach, yeah.
    Mr. Smith. For lifetime.
    Chairman Crapo. Senator Schatz.
    Senator Schatz. Thank you, Mr. Chairman.
    You are retired as of last week. You leave with your base 
salary, unvested options, and a pension, roughly valued at $90 
million. Help me to understand why that is fair.
    Mr. Smith. Those numbers do not resonate with me, Senator.
    Senator Schatz. Well, what is the number, then? You should 
know.
    Mr. Smith. Clarification. I stepped down last week. I told 
the board at the time I stepped down, I will not take a bonus. 
There is no severance. I will work for as long as the company 
needs for free. I have asked for nothing. What I walk away with 
is a pension that I have earned over my career and unvested 
equity that was given to me and I earned in the past.
    Senator Schatz. Is it fair to say that is in the tens of 
millions of dollars?
    Mr. Smith. It is in the proxy. The proxy discloses the 
value of the----
    Senator Schatz. Right. And that is how we got to $90 
million, but if it is $45 million or it is $23 million or it is 
$38 million, my question stands. How is that fair?
    Mr. Smith. The pension, Senator, is something I have earned 
for my career, and the other piece is the earned equity I have 
already been given.
    Senator Schatz. Do you think that is fair?
    Mr. Smith. Senator, I grew up as a young guy in Midwest. I 
never envisioned having a career like I have had for the last 
36 years. I have been fortunate. I have worked hard, and I do 
not set those compensation levels. The board does, and the 
board is elected every year.
    Senator Schatz. Your investor presentation from August 
16th, 2017, mentions nothing about the data breach, even though 
by July 29th, you knew that your system had been compromised. 
By August 2nd, you had retained outside counsel and informed 
the FBI. I understand that you periodically inform the FBI. I 
assume you do not necessarily consistently retain outside 
counsel. I assume at some point around August 2nd, you knew 
that something more significant than usual was up; is that 
true?
    Mr. Smith. No, that is not true, Senator.
    It was not until later in August that we had some 
indication, the size, the scope, and the complexity of the 
breach. It was not on August 2nd.
    Senator Schatz. So August 16th, your message to investors 
was, quote, ``Enduring business fundamentals support long-term 
growth,'' and the first time data security is mentioned is at 
the end of your materials where you tout your role as a trusted 
steward of consumers' data. Do you think that Equifax should 
have disclosed the possibility of a major data breach to its 
investors?
    Mr. Smith. Senator, we talk to investors routinely. We 
disclose in our 10-K and Q's that one of the greatest risks we 
pose each and every day and fight every day is cybersecurity.
    Senator Schatz. Right. But you retained outside counsel. 
You informed the FBI. People are liquidating their stock, and I 
guess I am wondering whether that pattern seems to indicate 
that somebody knew something pretty significant was up. But 
somebody made a judgment to not disclose that, not just to 143 
million Americans but also investors. It seems to me that that 
is material. It seems to me that that is reportable, and 
whether or not you follow the letter of the law, it seems to me 
that investors ought to know if something is going to impact 
the company. And you had to have some clue that this was 
percolating in a negative way.
    Mr. Smith. Senator, we are very transparent with our 
investors that security is always a risk. They are very well 
aware of that. They price that into their value of the company.
    Obviously, on the 16th, I think, is what you refer to, the 
investor relations team had a presentation, on or around the 
16th. We had not gone public with anything. We did not know the 
scope or the size of a breach, so obviously, we could not 
disclose that at the investor meeting.
    Senator Schatz. Right. So you did not know the total scope 
and size of the breach. I get that. So you decided not to 
disclose it at all?
    Mr. Smith. To the investors?
    Senator Schatz. Yes.
    Mr. Smith. Yes. Because at that time, we were even 
uncertain if there was a breach at that time, and you could not 
go to an investor base and tell an investor base something 
before we had gone public with something.
    Senator Schatz. And why would not you inform the public 
about it?
    Mr. Smith. Sir, the timeline, as I walk through, from the 
28th, 29th, and 30th of July through September 7th lays that 
out, and it was not until late August we actually had an 
indication of the breach.
    Senator Schatz. So what happened on July 29th?
    Mr. Smith. July 29th is when a security individual saw 
suspicious activity, on the 30th saw it again, shut down the 
portal to stop the incident.
    Senator Schatz. And then it took you 6 weeks to figure it 
all out?
    Mr. Smith. Yes. Again, we bring in the cybersecurity 
experts who do this for a living, and the complexity, the size, 
the movement----
    Senator Schatz. You do not do it very well for a living, 
except to the extent that you make massive profits off of 
making mistakes. I understand you do this for a living, but to 
the extent that none of us have the volition to enter into a 
contract with you, you are not doing it well for a living, 
except that you are all making a very nice living at it.
    Thank you, Mr. Chairman.
    Senator Brown [presiding]. Thank you, Senator Schatz.
    Before calling Senator Kennedy, I want to do a 
clarification. Senator Sasse asked about if you had State-by-
State information. You seemed unsure. Your team informed you in 
real time that, in fact, you did have that.
    Chairman Crapo and I had sent a letter September 22nd 
requesting that State-level data on victims, so it appears that 
your team has this information. Why was it not provided to us 
in response to our September 22nd letter to the Chairman and 
me, the State-by-State data?
    [Pause to confer.]
    Mr. Smith. I was just informed by Senator Chambliss that it 
was given to each of the State AGs earlier. There was, as you 
saw, a release by the company--I believe it was Monday--of 
another 2.5 million consumers impacted. That has not yet been 
distributed to the AGs. I am told the AGs, State AGs have that 
record.
    Senator Brown. OK. We are not the State AGs, and the 
Chairman of the Banking Committee and the Ranking Member 
cosigned a letter. We do a lot of things bipartisanly in this 
Committee, and that letter was sent--it looks like 2 full weeks 
ago, and it was not provided, so I hope that you will get that 
to us quickly. And that is not the way that you should operate.
    Senator Kennedy.
    Senator Kennedy. Thank you, Mr. Chairman.
    Thank you for being here. I am over here, Mr. Smith.
    I found out about Equifax's contract with the Internal 
Revenue Service in an interview this morning with Stuart 
Varney. How big is that contract?
    Mr. Smith. Senator, I saw it this morning as well. Maybe it 
was last night, and it referenced a $7.5 million contract. I am 
not sure if that is multiyear.
    Senator Kennedy. Do you have other contracts with the 
Internal Revenue Service?
    Mr. Smith. We may, sir, but I am not aware of it.
    Senator Kennedy. Could you get me a list of all of 
Equifax's contracts with various Governments?
    Mr. Smith. Yes, Senator, we can do that.
    Senator Kennedy. The contract, the 7-million-and-change 
contract, does that involve taxpayer information that you would 
have access to?
    Mr. Smith. Senator, it is my understanding--I am not 
professed to be deep in this particular contract--it is to 
prevent fraudulent access to the IRS, but beyond that, I--if 
you want more information, we can get that for you.
    Senator Kennedy. Well, you realize to many Americans right 
now, that looks like we are giving Lindsay Lohan the keys to 
the mini bar.
    Mr. Smith. I understand your point.
    Senator Kennedy. Let me ask you about a credit freeze. I 
went through that. I have frozen my credit at all four of the 
bureaus. I would like a commitment from you today that you are 
going to ask your former company, though I think you still own 
quite a few shares--I want you to make a commitment to putting 
a free app available to anybody so that you can just go to your 
app, toggle on and off, access to your credit files.
    Mr. Smith. Senator, I agree with you. We like that idea. 
That is going to go live for every American consumer the end of 
January 2018. That will be free for life.
    Senator Kennedy. So you are committing to do it?
    Mr. Smith. Yes. Senator, we have been working on that for 
months.
    Senator Kennedy. OK. This whole unfortunate experience, Mr. 
Smith, has raised larger issues, and one of the issues that it 
has raised is to whom does your former company--I will call it 
your current company because you are still working there. To 
whom does your company have an obligation?
    My understanding of your business model is that you collect 
my information without my permission. You get the information. 
You take it along with everyone else's information, and you 
sell that information to businesses. Is that basically correct?
    Mr. Smith. That is largely correct.
    Senator Kennedy. And you also have a premium service to 
monitor the information that you collect about me. So if there 
is some bad information that you collect about me, you sell me 
a service to monitor it and correct it; is that right?
    Mr. Smith. Senator, just a clarification. Roughly 90 
percent of everything we do is helping banks and others make 
informed decisions about lending money to consumers. The 
monitoring you are referring to, to consumers, is a very small 
piece of what we do.
    Senator Kennedy. But it just seems incongruent to me that 
you have my information. You do not pay me for it. You do not 
have my permission. You make money collecting that information, 
selling it to businesses, and I think you do a service there. 
Do not misunderstand me.
    And you also come to me--you cannot run your business 
without me. My data is the product that you sell, and you also 
offer me a premium service to make sure that the data you are 
collecting about me is accurate. I mean, I do not pay extra in 
a restaurant to prevent the waiter from spitting in my food. 
You understand my concern?
    Mr. Smith. I understand your point, I believe, but another 
way to think about that is the monitoring part that you are 
referring to, Senator, in the future is far less required if 
you as a consumer have the ability to freeze or lock, as we 
call it, and unlock your file. And that is free for life.
    Senator Kennedy. But it is not just the freeze part. What 
if you have bad information about me? Have you ever--has an 
agency ever had bad information about you, and you had to go 
through the process of correcting it?
    Mr. Smith. Yes, Senator. There is a process that if----
    Senator Kennedy. It is a pain in the elbow, isn't it? I 
mean, the burden is kind of on--you have my data, which you 
have not paid me for. You are earning a good living, which I do 
not deny you. I believe in free enterprise. I think this is a 
very clever business model you have come up with, but you are 
earning your money by selling my data, which you get from me 
and do not pay me for, to other people. But if the data is 
wrong that you have about me, I would think you would want to 
make it as easy as possible to correct it, not as hard as 
possible.
    Mr. Smith. I understand your point, and it is an important 
point for the entire industry to make the process as consumer-
friendly as possible. If there is an error on your utility 
bill, if there is an error on your bank bill, your credit card 
statement, to work with consumers and make that----
    Senator Kennedy. Well, can you commit to me today that 
Equifax is going to set up a system where a consumer who 
believes that Equifax has bad information about him can pick up 
the phone and call a live human being with a beating heart and 
say, ``Here is this information you have about me that you are 
selling to other people. You are ruining my credit, and it is 
not true. And I want to get it corrected. How are you going to 
correct it? What information do you need from me to prove that 
it is incorrect, and when are you going to get back to me? And 
give me your name and phone number so I can call you''?
    Mr. Smith. Senator, I understand your point. There is a 
process that exists today. I would be more than happy----
    Senator Kennedy. Yeah. And it is difficult, Mr. Smith.
    Mr. Smith. I would be more than happy to get the company to 
reach out to your staff, explain what we do and what we are 
doing to improve that process. I hear you.
    Senator Brown. OK. I thank you, Senator Kennedy.
    Senator Kennedy. I am sorry. I went way over. I apologize.
    Senator Brown. That is all right.
    Senator Donnelly. Thank you, Mr. Chairman.
    Mr. Smith, on September 19th, myself, Senator Heller, 
Senator Tester, Senator Menendez sent you a letter, and the 
letter we sent expressed concerns about the impact on the 
roughly 1.3 million active duty U.S. military personnel, 
especially the nearly 200,000 currently stationed overseas who 
may lack the access and resources required to place a credit 
freeze on their files or take other necessary measures to 
adequately protect their personal information.
    We requested you immediately detail the specific actions 
Equifax will take to ensure our servicemembers are not 
victimized any further by thieves with access to personal 
information, such as Social Security numbers, dates of birth, 
and home addresses.
    In response, I received a generic letter from Equifax that 
never even mentioned servicemembers, that basically said thank 
you for your interest.
    In your written testimony today, you also make no mention 
of our servicemembers or the military. So I will again ask a 
question that should have been answered: What specific actions 
will Equifax take to ensure our servicemembers are not 
victimized any further?
    Mr. Smith. Senator, let me apologize if we did not get back 
to you. That was--someone dropped the ball, and I will look 
into that quickly for you.
    The servicemembers around the world have the same ability, 
if they have access to the Internet, to freeze, lock, get 
access to products. If not, they have the ability to have a 
power of attorney in the U.S. to act on their behalf.
    Senator Donnelly. Well, let me ask you about some of our 
young men and women who are at forward operating bases in Iraq 
or in Afghanistan, who may be somewhat other occupied----
    Mr. Smith. Yeah.
    Senator Donnelly. ----than having the chance to get on the 
computer and get their lock going on. So let me ask again and 
say for those members who are serving in remote or high-
conflict areas, what is it that you can do to make sure that 
their identities and financial information are safe?
    Mr. Smith. Again, they have the ability to have a power of 
attorney, and that power of attorney can act on their behalf.
    Senator Donnelly. You know, that is pretty weak tea for 
someone who is in a location where they may be occupied keeping 
our country safe and having their hands full with others.
    Mr. Smith. Senator, let me take that on. I will get back 
with the company and see if there is anything else we can do 
specifically for those overseas.
    Senator Donnelly. Let me ask you another question. Due to 
the cyberattack, roughly 145 million Americans have had their 
information compromised, and Equifax has said you now offer 
free credit freeze. But there is also Experian and TransUnion, 
and what I want to know is, Will Equifax also offer free credit 
freezes at Experian and TransUnion to ensure consumers are 
protected from theft and fraud?
    Mr. Smith. Senator, the lock that we offer for free for 
life is a product that I believe the entire industry should 
rally around. It is my understanding that TransUnion, one of 
the two other credit reporting agencies, also offers a lock 
product for free. It is my understanding it is not for life at 
this time, but they offer it for free.
    Senator Donnelly. Well, this breach was caused by Equifax. 
What will Equifax do to ensure that there are free credit 
freezes for those 145 million Americans at Experian and 
TransUnion as well? I do not want to see folks have to rally 
around this or rally around that or try to figure out how to 
navigate the Internet to get it done for themselves. What will 
you do for those 145 million Americans, our friends and 
neighbors, millions in my State, that will provide a free 
credit freeze at Experian and TransUnion?
    Mr. Smith. Again, Senator, the things we have done is the 
five services we offered for 1 year combined with a lock for 
life--and I would invite TransUnion and Experian to follow 
suit----
    Senator Donnelly. But those services you just described do 
not include a free credit freeze at Experian and TransUnion.
    Mr. Smith. That is correct.
    Senator Donnelly. So, in other words, Equifax will not do 
anything to provide that?
    Mr. Smith. Again, we are offering our five services plus 
lock for life.
    Senator Donnelly. Well, I guess that answers the question 
that I was asking, which then leads to my next question which 
is, What is Equifax's obligation to consumers who fall victim 
to identity theft or financial fraud in the future due to this 
breach? The damage caused to their credit, the money they may 
lose, how does Equifax plan to address the financial harm that 
can come to our families?
    Mr. Smith. Senator, the design, the thought was offer these 
five services, allow someone to lock their file for life to 
minimize the downstream harm.
    Senator Donnelly. But what happens if someone is harmed?
    Mr. Smith. Senator, that is the extent of our offering.
    Senator Donnelly. So because of your failure to stop this 
breach and a family is damaged financially, there will be no 
compensation provided?
    Mr. Smith. Again, Senator, the five services we are 
offering are for free. The lifetime lock is for free.
    Senator Donnelly. Which does not touch at all upon the 
question I just asked.
    Thank you, Mr. Chairman.
    Chairman Crapo [presiding]. Senator Rounds.
    Senator Rounds. Thank you, Mr. Chairman.
    Mr. Smith, I would like to go back into a little bit 
different question for a little while. I would suspect that 
there are probably thousands of CEOs and board chairmen for 
publicly traded companies as well as some large private 
companies that when they heard about the theft of data that was 
in your care, custody, and control, that they looked back at 
their own operations and said, ``Can that happen to us?'' And I 
would suspect that there were a number of chief information 
officers out there who were being called into the front offices 
to explain and to reassure that they did not have the same 
vulnerabilities that were found within your operation.
    I also suspect that since you have got experience in 
working in multiple major organizations that you have seen how 
boards work and that you have seen how the bosses do their own 
type of a command and control and get feedback.
    I would imagine that you have lost a lot of sleep wondering 
what it was that you could have done differently and what 
message you would send to other individuals if given the 
opportunity.
    We are going to have a lot of people that get hurt on this, 
and they are people that you had data from. If you could go 
back a year and look at your operation and tell us what you 
would do differently to demand things be changed, if there was 
any inkling at all, what would you do?
    Mr. Smith. Senator, as you might guess, since early August, 
myself and the entire team that has been focusing on addressing 
this issue has been working around the clock trying to, first 
and foremost, understand the forensic of what occurred and 
maybe why it occurred and then communicating to consumers and 
regulators and State AGs and the like. I have had no time to 
reflect on, as a leader who has apologized and takes full 
responsibility, what I would do differently. I am sure when I 
have time to reflect, there will be things I look back on and 
say, ``If I only had done this.'' That time will come, but, 
Senator, to be honest, I have not had that time to reflect.
    Senator Rounds. As many board members or chairmen would do, 
they rely on a CIO to provide them with assurances. Did you as 
a member or with the board doing their due diligence--do you 
feel that the due diligence that was expected of you as a board 
and as the chief operating--or the chief executive officer--do 
you feel like you did the due diligence necessary to assure 
yourselves and to get second opinions, that the CIO was 
actually doing the job that they needed to do, and that they 
were doing their own sense of due diligence in this process?
    Mr. Smith. The CIO I had has been there for 8 years. He was 
a very seasoned CIO. Ultimately, the responsibility stops with 
me, not him. He is no longer with the company nor is the chief 
security officer, but ultimately, that responsibility stops 
with me, Senator.
    Senator Rounds. I read your article. I read through your 
statement, your written statement, and I caught time and 
again--and we sometimes--we go for the fact that you were the 
victim of theft as well. There were bad people that got into 
your system. The obligation that you had to protect that 
information that was in your care, custody, and control is 
clear. And I think that sometimes organizations that have that 
data, they assume that somebody else is doing their job. They 
assume that there are reasonable expectations of due diligence 
being completed.
    I guess what I was hoping to hear is something along the 
lines of ``Yeah. If I could send a message to other CEOs out 
there, it is do not just listen. Do the double-checks. Find 
out. Ask for the outside assistance,'' and I guess I am not 
hearing that. And I know that this is early in your process, 
but nonetheless, it seems like that would have been one of the 
first things that most CEOs would have said is ``If I could do 
this over again, I would have fixed this. I could have had an 
opportunity. Why did not I think of it?'' I just--I am looking 
for that.
    And I know that you did make a point in there saying, ``We 
are using Social Security numbers out there, and we have got to 
go to a different system.'' If nothing else, you have thought 
about that. What would you do or what would you recommend in 
terms of a different system for identifying and maintaining 
data that belongs to individuals safe in a case like this? What 
can we do different?
    Mr. Smith. Yeah. I do not have that answer. I have spent a 
lot of time talking to people in the cyberworld, and they are 
convinced--they have convinced me that there has to be a better 
solution than an instrument that was introduced in 1936. It was 
never intended as an identifier for an individual.
    I am convinced that if you get the public, private, and 
academic partnership, we can crack that.
    Senator Rounds. But no real answer yet?
    Mr. Smith. Not yet.
    Senator Rounds. Thank you.
    Thank you, Mr. Chairman.
    Chairman Crapo. Senator Van Hollen.
    Senator Van Hollen. Thank you, Mr. Chairman.
    Mr. Smith, it is good to have you here. Consumers do not 
authorize Equifax or any credit reporting agency to collect 
their personal information, do they?
    Mr. Smith. Not to collect it.
    Senator Van Hollen. No. So you vacuum up lots of 
information, and you provide it to people who say they are 
interested in the credit of somebody who may be applying for a 
car loan or a home loan or other loan, right?
    Mr. Smith. Yes.
    Senator Van Hollen. So you have an incredible amount of 
power over people's lives, right? You collect all their 
personal information, and yet their life decisions may, in many 
cases, depend on what you say to a bank or another lender. Is 
not that right? OK. Is not it a fact that when someone goes for 
a loan, if you tell a lender that someone is a bad risk, they 
are a lot less likely to lend?
    Mr. Smith. Senator, I thought that is where you were going. 
We do not make that delineation for the bank. We have that 
data, may provide some analytics behind it, but ultimately, the 
banks----
    Senator Van Hollen. But you provide the credit scoring, 
right?
    Mr. Smith. There is an individual firm called FICO that 
provides the score.
    Senator Van Hollen. And they do that based on the 
information you provide, right?
    Mr. Smith. Correct.
    Senator Van Hollen. OK. Now, are you aware of the fact that 
when the Consumer Financial Protection Bureau did a survey, 
they found that Equifax, Experian, and TransUnion are the three 
most complained-about companies in America? Are you familiar 
with that finding?
    Mr. Smith. Yes. It is a little misleading.
    Senator Van Hollen. Well----
    Mr. Smith. That is the CFPB Complaint Portal. If I may, 
Senator?
    Senator Van Hollen. Well, no. Unfortunately, if the 
Chairman wants to give me more time, I will, but I will--I will 
just--you can submit something for the record, if you are 
interested, but I think the point I wanted to make is this was 
actually from September 8, 2016. I mean, this is even before we 
had the incredible introductions into the data and the exposure 
of data.
    People pay many other companies billions of dollars in the 
event that you make a mistake that needs to be corrected. Is 
not that the case?
    Mr. Smith. I am sorry. State that again?
    Senator Van Hollen. People, consumers who have information 
incorrectly included on one of your reports, they often have to 
pay a lot of money to other firms to get it corrected. Is not 
that the case?
    Mr. Smith. No, that is not the case. If a consumer has a--
you referred to in the CFPB----
    Senator Van Hollen. I am talking about the credit repair 
services. What do they do?
    Mr. Smith. Yeah, but the process the consumer could use, if 
they think they----
    Senator Van Hollen. No, but what about--what--the credit--I 
am asking these credit repair service companies--they are 
making money now to try to help consumers correct mistakes that 
are often put in your reports or other credit rating agencies. 
Is not that the case?
    Mr. Smith. There is an industry that does that, Senator. A 
consumer can come to us directly and dispute that issue.
    Senator Van Hollen. So I guess those industries are making 
billions of dollars, but they really do not need to exist, in 
your testimony. All they have to do is come to you.
    Are you aware of the fact that--I just--Mr. Chairman, I 
would like to put in the record, a Washington Post story from 
2008--16, how the careless errors of credit reporting agencies 
are ruining people's lives.
    Chairman Crapo. Without objection.
    Senator Van Hollen. I would also like to include in the 
record something from CNBC, a piece by Aaron Klein, a fellow at 
the Brookings Institute, titled ``The Real Problem With Credit 
Reports Is the Astounding Number of Errors''.
    Chairman Crapo. Without objection.
    Senator Van Hollen. And I would also, Mr. Chairman, like to 
put in the report the FTC study from February 2013 that said 5 
percent of consumers had errors on their credit reports that 
could result in less favorable terms for loans.
    Chairman Crapo. Without objection.
    Senator Van Hollen. Because the whole model of this 
industry is you collect information without permission from 
consumers, and yet their lives depend, in many ways--their 
economic lives depend on decisions you make.
    So I want to go back to something Senator Heitkamp asked 
you with respect to forced arbitration because, clearly, we 
have a powerful company that is often up against one individual 
who is trying to get something corrected on their credit rating 
report or whatever it may be, and yet in the aftermath of this 
incredible breach, you said that you would provide credit 
protection but only if consumers gave up their right to get 
their day in court. You want to have forced arbitration.
    Now, your testimony today is that was a mistake, that you 
did not mean to apply it in this case; is that right?
    Mr. Smith. That is correct.
    Senator Van Hollen. All right. But you do apply forced 
arbitration in many other situations, don't you?
    Mr. Smith. In the consumer products.
    Senator Van Hollen. And so if you are looking out for the 
rights of consumers, why do not you give them the choice of how 
they seek their remedy?
    Mr. Smith. Senator, I understand your issue today. That 
arbitration clause is a legal provision, and we follow that.
    Senator Van Hollen. And you have been--not just legal, but 
you have paid lobbyists on Capitol Hill--I am asking you a 
question, then. Have you paid lobbyists on Capitol Hill to 
fight the rule that was put forward by the Consumer Financial 
Protection Bureau?
    Mr. Smith. If you are referring to the harmonization bill 
that was proposed, which I think you are referring to--is that 
the bill?
    Senator Van Hollen. I am referring to the legislation----
    Mr. Smith. Arbitration specifically?
    Senator Van Hollen. ----that would overturn the Consumer 
Financial Protection Bureau's rule that prohibits forced 
arbitration clauses.
    Mr. Smith. Senator, if we spent time on that, I am not 
aware of that.
    Senator Van Hollen. So are you in favor, then? You said it 
is part of the law, and so you are just abiding by the law. But 
as somebody who has experience in this area, would you agree 
that consumers should have the right to decide how best to 
protect themselves in legal matters?
    Mr. Smith. Senator, if that becomes law, we will follow the 
law.
    Senator Van Hollen. No, that is not my question.
    Mr. Smith. I understand.
    Senator Van Hollen. My question is, Where do you stand on 
the issue of allowing consumers to choose how they seek 
recourses when they believe they have been wronged?
    Mr. Smith. Senator, I understand the question, and today, 
arbitration is a part of the law, and we are following the law.
    Senator Van Hollen. Yeah. And so you are following it even 
though it may be unfairly treating consumers; is that right?
    Mr. Smith. I understand your question.
    Senator Van Hollen. But, Mr. Chairman, if I just--but you 
chose to suspend that law. You could have enforced that on 
these individuals, right?
    Mr. Smith. It was never the intent, as it related to the 
breach----
    Senator Van Hollen. But it was the law. The law would have 
allowed you to do it, right?
    Mr. Smith. But it was never the intent----
    Senator Van Hollen. That is not what I am asking. The law 
would have allowed you to do that, right?
    Mr. Smith. Yes.
    Senator Van Hollen. And you chose not to because you 
thought in that circumstances, consumers would be better 
protected by having choices, and my only question to you, if it 
is good in that circumstances, why is not it good for consumers 
all the time?
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you.
    Now, that concludes the questioning, however, we have had a 
couple of requests for a second round, and so I will go with a 
brief 3-minute second round.
    Senator.
    Senator Brown. Thank you, Mr. Chairman.
    Following up on, I thought, Senator Van Hollen's very good 
line of questioning about your rather curious statement that 
you are following the law, but you are not following the law on 
the--in the one case, but you are in the other, I do not 
entirely get that.
    But let me take it a different way. In your written 
testimony, you state that terms and conditions attached to the 
free solutions that Equifax offered included an arbitration 
clause. You said this provision of forced arbitration clause 
was never, in this case, intended to apply, and you were 
informed the clause was included. Apparently, it was sent out 
to your customers, and you did not know it was in there, the 
clause, as customers often do not know these forced arbitration 
clauses are in there, the fine print. And I assume you are more 
sophisticated in these financial instruments and transactions 
than most of your customers, but leave that alone.
    You were informed the clause--and clause was included 
because it was, quote, your words, ``essentially 'cut and 
pasted' from a different Equifax offering.'' But this 
inadvertent error could have prevented, if not--if not 
unearthed and then protested, then pushed back and you dropped 
it, this inadvertent error could have prevented 145 million 
victims from pursuing their legal rights in court.
    So make that case again. Your company failed by allowing 
this breach of 145 million victims. You sent out a piece. You 
sent out a restitution to them with forced arbitration. You 
backed off the forced arbitration.
    So do not you think it is fundamentally unfair that the 
ability of 145 million Americans to seek justice in court could 
have been taken away simply by a cut-and-paste job? Does not 
that show how unfair forced arbitration is to customers?
    Mr. Smith. Senator, to be specific to this particular 
issue, it was an error, as you noted. We were made aware of the 
error, and I believe within 24 hours removed that clause. It 
was never intended to be a clause applied to the breach.
    Senator Brown. But that was not really the question.
    So, first of all, you say it was an error. I guess I 
believe that, that it was an error, although your company has 
given us cause to not believe some other things. But does not 
that show how unfair forced arbitration is? You did not ask--
you did not answer that question. If this inadvertent error, 
this cut-and-paste error had taken away forced--forced 
arbitration of 145 million Americans, does not that show how 
unfair forced arbitration is?
    Mr. Smith. I have no opinion on that.
    Senator Brown. But you used forced arbitration in other 
cases?
    Mr. Smith. Correct.
    Senator Brown. So you must not think it is--so it is unfair 
to those 145 million in that circumstance, but it is not unfair 
to customers in other circumstances on whom you oppose forced 
arbitration, both?
    Mr. Smith. Again, I go back, Senator. It was never the 
intent for us to have that arbitration clause in the breach 
service itself.
    Senator Brown. And I will close, Mr. Chairman. I appreciate 
your indulgence.
    I just cannot understand why you think--for those 145 
million in that case that forced arbitration is unfair, but in 
other uses in your company, you seem to think it is fair. It 
just puzzles me.
    Senator Brown. Senator Heitkamp.
    Senator Heitkamp. Thank you, Mr. Chairman.
    And I just wanted to come back and offer a couple 
suggestions because we are all struggling, and obviously, your 
company has had a huge hit to its reputation.
    We found out today that the IRS has been forced to continue 
your contract by your protest. That is why that contract was 
continued, and we, in spite of some very interesting timelines, 
the belief that you have that there was no insider trading--
and so I am just going to offer a couple of suggestions for 
you.
    Number one, tell the IRS it is OK to migrate the contract 
someplace else and say, ``We are fixing, getting our house in 
order. We understand that we have a ways to walk back, our 
reputation, and we are going to withdraw our protest on the 
loss of that contract.''
    And the other thing I would suggest to the three 
individuals, who may be completely innocent--but the rest of 
the shareholders who took the hit--they are more innocent than 
employees of that company, of your company--they should give 
the money back. They should give the money back.
    And so I think there is other things. I think there is an 
attitude that we come here, we do everything possible, we are 
trying to do our level best, but many, many times, it is the 
symbolic things. It is like forcing the IRS to take this 
contract for another year, like a very suspicious timeline that 
has led us all to believe that there should at least, at a 
minimum, be an investigation. All of that could be undone with 
a gesture of goodwill.
    And so I understand you are not the CEO of the company. You 
said you are still in an advisory role. My advice to you is do 
some things that are very, very visible, and those are two 
things that you could do that would give us some certainty that 
this is being taken as seriously as it should be taken.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you.
    And I will conclude with 3 minutes of questions as well.
    Mr. Smith, I wanted to get back to my original question. A 
lot of the questions you have gotten today appropriately have 
been very specific with regard to Equifax and the Equifax 
breach.
    I want to focus on the broader issue as we conclude. In my 
initial questioning to you, I talked to you about whether there 
were--whether any Experian data went to other entities, and I 
was referring to governmental entities--the CFPB, the Federal 
Reserve. We just had discussion about the IRS, and there are 
contractual relationships, I understand, with the use of this 
data.
    Let me just talk about the CFPB as an example. In 
September of 2014, the GAO did a report which I requested for 
on CFPB data collection. They found that CFPB at that time--
that is 3 years ago now--had access to account-level credit 
card data on between 546 to 596 million consumer accounts on a 
monthly basis, representing 87 percent of the credit card 
market. GAO also found that at that time, there was not 
adequate protection at the CFPB of this data that they were 
collecting.
    In this report, it indicated--again, this was in 2014--all 
of the sources of data that the CFPB was collecting--and 
Experian shows up in that report--700,000 vehicles per month, 
information procedure from Experian, vehicle purchases, and the 
data on those purchases, 10.7 million consumers, cosigners, and 
borrowers with consumer credit information from Experian, and 
another 600,000 samples of consumer credit reports and consumer 
credit scores on those reports from Experian.
    Now, Experian is not the only entity that is providing data 
to the CFPB. There are, in this same report, for example, nine 
unidentified large financial institutions using a commercial 
data aggregator who provided 25 to 75 million total account 
sets of data involving individual consumers' credit card 
account-level data with linkages to their credit reporting 
data.
    The reason, what I am getting into here, is this. Experian 
is not the only company or entity in America collecting data. 
There is massive data collection being undertaken in this 
country, and it is not just the three credit bureaus that are 
collecting this data.
    I believe that Congress needs to address not only the issue 
with Experian, but the broader issue of the collection and use 
and protection of personally identifiable information that is 
being collected by the Government, by the private sector, and 
others with regard to this personally identifiable data.
    And I guess this is really more of a statement than a 
question, but I would like to know your opinion on that. Well, 
actually, there is a question first, and that is, Does Experian 
face requests from Federal regulators that are mandatory to 
provide data to them?
    Mr. Smith. Senator, Mr. Chairman, I assume you mean 
Equifax?
    Chairman Crapo. Yes. Excuse me.
    Mr. Smith. Yes.
    Chairman Crapo. Equifax.
    Mr. Smith. A general observation, a reaction to your 
thoughts there, if there was a better way to ensure that those 
that aggregate and manage significant amounts of data like we 
do, banks do, others in the industry, we would welcome that 
dialogue if there is a better path forward.
    But to answer your question specifically, do we aggregate 
and provide data to different Government entities, the answer 
is yes.
    Chairman Crapo. All right. Thank you.
    And I apologize. In fact, I gave the Experian examples, and 
that was just a mistake.
    But your answer is that, yes, Equifax also provides data to 
those regulators, and it is not always voluntary, is it? In 
other words, you must provide it on occasion when it is 
required from agencies?
    Mr. Smith. Yes.
    Chairman Crapo. So let me ask you the general question, 
then. As Congress looks at this issue, it seems to me that it 
should be obvious that we should look much more broadly than 
even just one private-sector company and even then just the 
private sector, but to the data collection that is going on 
across our society, including the data collection that the 
Government itself is collecting. Would you agree?
    Mr. Smith. The rate and pace of cyberattacks is increasing 
at a rate that is unbelievable. If there is a way for public-
private partnership to intelligently sit around a table and 
debate that and find better ways to manage and secure data, we 
would welcome that dialogue.
    Chairman Crapo. Thank you.
    And I note that Senator Sasse came in, so he will get the 
last word. We are doing a 3-minute round, Senator Sasse.
    Senator Sasse. Thank you, Mr. Chairman, and I would like to 
just associate myself with your comments right there about the 
digital revolution moment we are at, and the speed and pace of 
data aggregation and collection should push the Congress to 
have some real hard discussions about data ownership and 
transmission and implicit contracts where individuals are not 
contracting with one of the three credit bureaus and their data 
is still being managed and shipped in ways that they cannot 
control. I agree with you that we should have hearings and a 
lot of debate about this important topic in the digital 
revolution.
    Mr. Smith, I want to just see if I can be clear about where 
I think we stand nearly 2 hours into this hearing. Your 
company, which has only two competitors, right? Really you only 
have two competitors--has lost the data of 145 million 
Americans, and this is not a spreadsheet problem. This is a 
real human problem where 2 and 3 and 4 years from now, you are 
going to have real Americans whose identity is going to be 
stolen, and their credit is going to be abused in the future. 
And they are going to have difficulty qualifying for a home 
loan or a car loan or they are going to pay a differential 
interest rate than they should be paying because of the rotten 
credit score that they are going to have.
    And in response, your company could potentially make a 
profit from selling LifeLock products. Again, I agreed with you 
earlier that a lot of the forward-looking innovation that may 
come from this could incrementally improve things, but I think 
we are most interested right now in the retrospective moment 
for these 145 million.
    You are going to have a product that could potentially be 
sold to the very victims. It feels like a broken-windows 
business model where you did not actively chuck the bricks, but 
your company allowed bricks to be tossed through windows, and 
then you might potentially be able to sell new windows to some 
of the same people whose windows were just broken.
    And I think the way you explained your LifeLock product in 
your testimony makes some sense for what you plan to roll out 
in January of 2018, but it is still really hard to understand 
it as a fraud protection product when you think about the 
victims historically. So I want to go back for just a minute to 
this contract with the IRS.
    So we checked, and it appears to be a no-bid, even if it is 
a revolving contract that is a no-bid, but the purpose of the 
contract with the IRS looks like it is fraud prevention, right? 
You are trying to prevent fraudulent access.
    I will not ask for a show of hands in the room, but I do 
not know who would want to say we should buy fraud protection 
from the people who were just hacked and dumped 145 million 
American records.
    So just honestly as an American--and I appreciate the fact 
that you have resigned from the company, but as an American, 
why should anybody hire Equifax for fraud protection right now 
after the exposure?
    Mr. Smith. Senator, I understand your point. We are a 
company that has been around for 118 years and for most of 
those 118 years have done good things for many stakeholders, 
including the Government, and one of those things we have done 
very proudly is prevent fraud for many entities, including the 
Government.
    I come back. It was a horrific breach, and I apologize on 
behalf of the company for that breach. We will make it right as 
best we can, but it does not wipe out 118 years of good work we 
have done.
    Senator Sasse. Thank you.
    I am going to be following up with the IRS and asking them 
why this contract should go forward, but thank you for your 
willingness to appear before the Committee today.
    Mr. Smith. Thank you.
    Chairman Crapo. Thank you, Senator.
    And that concludes the questioning.
    Mr. Smith, we do appreciate you coming before the Committee 
and appearing today.
    For all Senators, all follow-up questions need to be 
submitted by next Wednesday, October 11th.
    And, Mr. Smith, we ask that you please respond promptly to 
those questions. We usually like to see the responses within a 
week, if possible.
    With that, this hearing is adjourned.
    Mr. Smith. Thank you.
    [Whereupon, at 12:01 p.m., the hearing was adjourned.]
    [Prepared statements, responses to written questions, and 
additional material supplied for the record follow:]
                 PREPARED STATEMENT OF RICHARD F. SMITH
       Former Chairman and Chief Executive Officer, Equifax, Inc.
                            October 4, 2017
Preliminary Statement
    Chairman Crapo, Ranking Member Brown, and Honorable Members of the 
Committee, thank you for the opportunity to testify today.
    I am here today to recount for this body and the American people, 
as best I am able, what happened when Equifax was hacked by a yet 
unknown entity and sensitive information of over 140 million Americans 
was stolen from its servers, and to outline the remediation steps the 
company took. We at Equifax clearly understood that the collection of 
American consumer information and data carries with it enormous 
responsibility to protect that data. We did not live up to that 
responsibility, and I am here today to apologize to the American people 
myself and on behalf of the Board, the management team, and the 
company's employees.
    Let me say clearly: As CEO I was ultimately responsible for what 
happened on my watch. Equifax was entrusted with Americans' private 
data and we let them down. To each and every person affected by this 
breach, I am deeply sorry that this occurred. Whether your personal 
identifying information was compromised, or you have had to deal with 
the uncertainty of determining whether or not your personal data may 
have been compromised, I sincerely apologize. The company failed to 
prevent sensitive information from falling into the hands of 
wrongdoers. The people affected by this are not numbers in a database. 
They are my friends, my family, members of my church, the members of my 
community, my neighbors. This breach has impacted all of them. It has 
impacted all of us.
    I was honored to serve as the Chairman and Chief Executive Officer 
of Equifax for the last 12 years, until I stepped down on September 25. 
I will always be grateful for the opportunity to have led the company 
and its 10,000 employees. Equifax was founded 118 years ago and now 
serves as one of the largest sources of consumer and commercial 
information in the world. That information helps people make business 
and personal financial decisions in a more timely and accurate way. 
Behind the scenes, we help millions of Americans access credit, whether 
to buy a house or a car, pay for college, or start a small business. 
During my time at Equifax, working together with our employees, 
customers, and others, we saw the company grow from approximately 4,000 
employees to almost 10,000. Some of my proudest accomplishments are the 
efforts we undertook to build credit models that allowed and continue 
to allow many unbanked Americans outside the financial mainstream to 
access credit in ways they previously could not have. Throughout my 
tenure as CEO of Equifax, we took data security and privacy extremely 
seriously, and we devoted substantial resources to it.
    We now know that criminals executed a major cyberattack on Equifax, 
hacked into our data, and were able to access information for over 140 
million American consumers. The information accessed includes names, 
Social Security numbers, birth dates, addresses, and in some instances, 
driver's license numbers; credit card information for approximately 
209,000 consumers was also stolen, as well as certain dispute documents 
with personally identifying information for approximately 182,000 
consumers.
    Americans want to know how this happened and I am hopeful my 
testimony will help in that regard. As I will explain in greater detail 
below, the investigation continues, but it appears that the breach 
occurred because of both human error and technology failures. These 
mistakes--made in the same chain of security systems designed with 
redundancies--allowed criminals to access over 140 million Americans' 
data.
    Upon learning of suspicious activity, I and many others at Equifax 
worked with outside experts to understand what had occurred and do 
everything possible to make this right. Ultimately we realized we had 
been the victim of a massive theft, and we set out to notify American 
consumers, protect against increased attacks, and remediate and protect 
against harm to consumers. We developed a robust package of remedial 
protections for each and every American consumer--not just those 
affected by the breach--to protect their credit information. The relief 
package includes: (1) monitoring of consumer credit files across all 
three bureaus, (2) access to Equifax credit files, (3) the ability to 
lock the Equifax credit file, (4) an insurance policy to cover out-of-
pocket costs associated with identity theft; and (5) dark web scans for 
consumers' social security numbers. All five of these services are free 
and without cost to all Americans. Equifax also recently announced an 
important new tool that has been under development for months that will 
allow consumers to lock and unlock their credit files repeatedly, for 
life, at no cost. This puts the control of consumers' credit 
information where it belongs--with the consumer. We have also taken 
steps to better protect consumer data moving forward.
    We were disappointed with the rollout of our website and call 
centers, which in many cases added to the frustration of American 
consumers. The scale of this hack was enormous and we struggled with 
the initial effort to meet the challenges that effective remediation 
posed. The company dramatically increased the number of customer 
service representatives at the call centers and the website has been 
improved to handle the large number of visitors. Still, the rollout of 
these resources should have been far better, and I regret that the 
response exacerbated rather than alleviated matters for so many.
How It Happened
    First and foremost, I want to respond to the question that is on 
everyone's mind, which is, ``How did this happen?'' In my testimony, I 
will address both what I learned and did at key times in my role as 
CEO, and what I have since learned was occurring during those times, 
based on the company's ongoing investigation. Chronologically, the key 
events are as follows:
    On March 8, 2017, the U.S. Department of Homeland Security, 
Computer Emergency Readiness Team (U.S.-CERT) sent Equifax and many 
others a notice of the need to patch a particular vulnerability in 
certain versions of software used by other businesses. Equifax used 
that software, which is called ``Apache Struts'', in its online 
disputes portal, a website where consumers can dispute items on their 
credit report.
    On March 9, Equifax disseminated the U.S.-CERT notification 
internally by email requesting that applicable personnel responsible 
for an Apache Struts installation upgrade their software. Consistent 
with Equifax's patching policy, the Equifax security department 
required that patching occur within a 48-hour time period. We now know 
that the vulnerable version of Apache Struts within Equifax was not 
identified or patched in response to the internal March 9 notification 
to information technology personnel.
    On March 15, Equifax's information security department also ran 
scans that should have identified any systems that were vulnerable to 
the Apache Struts issue identified by U.S.-CERT. Unfortunately, 
however, the scans did not identify the Apache Struts vulnerability. 
Equifax's efforts undertaken in March 2017 did not identify any 
versions of Apache Struts that were subject to this vulnerability, and 
the vulnerability remained in an Equifax web application much longer 
than it should have. I understand that Equifax's investigation into 
these issues is ongoing. The company knows, however, that it was this 
unpatched vulnerability that allowed hackers to access personal 
identifying information.
    Based on the investigation to date, it appears that the first date 
the attacker(s) accessed sensitive information may have been on May 13, 
2017. The company was not aware of that access at the time. Between May 
13 and July 30, there is evidence to suggest that the attacker(s) 
continued to access sensitive information, exploiting the same Apache 
Struts vulnerability. During that time, Equifax's security tools did 
not detect this illegal access.
    On July 29, however, Equifax's security department observed 
suspicious network traffic associated with the consumer dispute website 
(where consumers could investigate and contest issues with their credit 
reports). In response, the security department investigated and 
immediately blocked the suspicious traffic that was identified. The 
department continued to monitor network traffic and observed additional 
suspicious activity on July 30, 2017. In response, they took the web 
application completely offline that day. The criminal hack was over, 
but the hard work to figure out the nature, scope, and impact of it was 
just beginning.
    I was told about the suspicious activity the next day, on July 31, 
in a conversation with the Chief Information Officer. At that time, I 
was informed that there was evidence of suspicious activity on our 
dispute portal and that the portal had been taken offline to address 
the potential issues. I certainly did not know that personal 
identifying information (PII) had been stolen, or have any indication 
of the scope of this attack.
    On August 2, consistent with its security incident response 
procedures, the company: (1) retained the cybersecurity group at the 
law firm of King & Spalding LLP to guide the investigation and provide 
legal and regulatory advice; (2) reached out, through company counsel, 
to engage the independent cybersecurity forensic consulting firm, 
Mandiant, to investigate the suspicious activity; and (3) contacted the 
Federal Bureau of Investigation (FBI).
    Over the next several weeks, working literally around the clock, 
Mandiant and Equifax's security department analyzed forensic data 
seeking to identify and understand unauthorized activity on the 
network. Their task was to figure out what happened, what parts of the 
Equifax network were affected, how many consumers were affected, and 
what types of information were accessed or potentially acquired by the 
hackers. This effort included identifying and analyzing available 
forensic data to assess the attacker activity, determining the scope of 
the intrusion, and assessing whether the intrusion was ongoing (it was 
not; it had stopped on July 30 when the portal was taken offline). 
Mandiant also helped examine whether the data accessed contained 
personal identifying information; discover what data was exfiltrated 
from the company; and trace that data back to unique consumer 
information.
    By August 11, the forensic investigation had determined that, in 
addition to dispute documents from the online web portal, the hackers 
may have accessed a database table containing a large amount of 
consumers' PII, and potentially other data tables.
    On August 15, I was informed that it appeared likely that consumer 
PII had been stolen. I requested a detailed briefing to determine how 
the company should proceed.
    On August 17, I held a senior leadership team meeting to receive 
the detailed briefing on the investigation. At that point, the forensic 
investigation had determined that there were large volumes of consumer 
data that had been compromised. Learning this information was deeply 
concerning to me, although the team needed to continue their analysis 
to understand the scope and specific consumers potentially affected. 
The company had expert forensic and legal advice, and was mindful of 
the FBI's need to conduct its criminal investigation.
    A substantial complication was that the information stolen from 
Equifax had been stored in various data tables, so tracing the records 
back to individual consumers, given the volume of records involved, was 
extremely time consuming and difficult. To facilitate the forensic 
effort, I approved the use by the investigative team of additional 
computer resources that significantly reduced the time to analyze the 
data.
    On August 22, I notified Equifax's lead member of the Board of 
Directors, Mark Feidler, of the data breach, as well as my direct 
reports who headed up our various business units. In special telephonic 
board meetings on August 24 and 25, the full Board of Directors was 
informed. We also began developing the remediation we would need to 
assist affected consumers, even as the investigation continued apace. 
From this point forward, I was updated on a daily--and sometimes 
hourly--basis on both the investigative progress and the notification 
and remediation development.
    On September 1, I convened a Board meeting where we discussed the 
scale of the breach and what we had learned so far, noting that the 
company was continuing to investigate. We also discussed our efforts to 
develop a notification and remediation program that would help 
consumers deal with the potential results of the incident. A mounting 
concern also was that when any notification is made, the experts 
informed us that we had to prepare our network for exponentially more 
attacks after the notification, because a notification would provoke 
``copycat'' attempts and other criminal activity.
    By September 4, the investigative team had created a list of 
approximately 143 million consumers whose personal information we 
believed had been stolen, and we continued our planning for a public 
announcement of a breach of that magnitude, which included a rollout of 
a comprehensive support package for consumers. The team continued its 
work on a dedicated website, www.equifaxsecurity2017.com, where 
consumers could learn whether they were impacted and find out more 
information, a dedicated call center to assist consumers with 
questions, and a free credit file monitoring and identity theft 
protection package for all U.S. consumers, regardless of whether they 
were impacted.
    I understand that Equifax kept the FBI informed of the progress and 
significant developments in our investigation, and felt it was 
important to notify the FBI before moving forward with any public 
announcement. We notified the FBI in advance of the impending 
notification.
    On September 7, 2017, Equifax publicly announced the breach through 
a nationwide press release. The release indicated that the breach 
impacted personal information relating to 143 million U.S. consumers, 
primarily including names, Social Security numbers, birth dates, 
addresses and, in some instances, driver's license numbers.
    These are the key facts as I understand them. I also understand 
that the FBI's investigation and Equifax's own review and remediation 
are ongoing, as are, of course, numerous other investigations.
Protecting U.S. Consumers Affected by the Breach
    From the third week in August, when it became clear that our worst 
fears had come true and Equifax had experienced a significant breach, 
my direction was to continue investigating but first and foremost to 
develop remediation to protect consumers from being harmed and comply 
with all applicable notification requirements, based on advice of 
outside cybersecurity counsel and Mandiant. Significantly, a major task 
was the need to deploy additional security measures across the entire 
network because we were advised that as soon as Equifax announced the 
hack, there would be a dramatic increase in attempted hacking. There 
were three main components to Equifax's plan: (1) a website where 
consumers could look up if they were affected by the breach and then 
register for a suite of protective tools; (2) a call center to answer 
questions and assist with registration; (3) the package of tools 
themselves that the company was offering to everyone in the country. 
The task was massive--Equifax was preparing to explain and offer 
services to every American consumer.
    First, a new website was developed to provide consumers with 
additional information--beyond the press release--about the nature, 
extent, and causes of the breach. This was extremely challenging given 
that the company needed to build a new capability to interface with 
tens of millions of consumers, and to do so in less than 2 weeks. That 
challenge proved overwhelming, and, regrettably, mistakes were made. 
For example, terms and conditions attached to the free solutions that 
Equifax offered included a mandatory arbitration clause. That 
provision--which was never intended to apply in the first place--was 
immediately removed as soon as it was discovered. (I was informed later 
that it had simply been inadvertently included in terms and conditions 
that were essentially ``cut and pasted'' from a different Equifax 
offering.)
    The initial rollout of Equifax's call centers had frustrating 
shortcomings as well. Put simply, the call centers were confronted by 
an overwhelming volume of callers. Before the breach, Equifax had 
approximately 500 customer service representatives dedicated to 
consumers, so the company needed to hire and train thousands more, 
again in less than 2 weeks. To make matters worse, two of the larger 
call centers in Florida were forced to close for a period of time in 
the wake of Hurricane Irma. The closure of these call centers led to a 
reduction in the number of available customer service representatives 
and added to the already significant wait times that callers 
experienced. Many needlessly waited on hold or were otherwise unable to 
have their questions answered through the call centers, which I deeply 
regret. My understanding is that the call centers are now fully 
functional. The number of customer service representatives, which is 
now over 2,500, continues to increase, and I am informed that wait 
times have decreased substantially.
    Beyond the website and the call centers, the company also developed 
a comprehensive support package for all American consumers, regardless 
of whether they were directly affected by the incident or not, that 
includes free: (1) credit file monitoring by all three credit bureaus; 
(2) Equifax credit lock; (3) Equifax credit reports; (4) identity theft 
insurance; and (5) Social Security Number ``dark web'' scanning for one 
year. Importantly, enrolling in the program is free, and will not 
require consumers to waive any rights to take legal action for claims 
related to the free services offered in response to the cybersecurity 
incident or for claims related to the cybersecurity incident itself.
    Despite these challenges, it appears that Equifax's efforts are 
reaching many people. As of late September, the website had received 
over 420 million hits. And similarly, as of late September, over 7.5 
million activation emails have been sent to consumers who registered 
for the program.
    Equifax also recently announced a new service that I understand 
will be available by January 31, 2018, that will allow consumers to 
control their own credit data, by allowing them to lock and unlock 
their credit files at will, repeatedly, for free, for life. I was 
pleased to see the company move forward with this plan, which we had 
put in motion months ago, and which I directed the company to 
accelerate, as we were constructing the remedial package in response to 
the breach.
    The hard work of regaining the trust of the American people that 
was developed over the course of the company's 118-year history is 
ongoing and must be sustained. I believe the company, under the 
leadership of Lead Director Mark Feidler, and interim CEO Paulino do 
Rego Barros, Jr., will continue these efforts with vigor and 
commitment.
How To Protect Consumer Data Going Forward
    It is extremely important that notwithstanding the constant threat 
of cybercriminals, the American people and the Members of this 
Committee know that Equifax is doing everything in its power to prevent 
a breach like this from ever happening again. Since the potential 
breach was discovered, those inside and outside the company have worked 
around the clock to enhance the Company's security measures. While I am 
limited in what I can say publicly about these specific measures, and 
going forward these questions are best directed to new management, I 
want to highlight a few steps that Equifax has already taken to better 
protect consumer data moving forward, including the website developed 
to respond to the hack, and some changes still to come.
    In recent weeks, vulnerability scanning and patch management 
processes and procedures were enhanced. The scope of sensitive data 
retained in back-end databases has been reduced so as to minimize the 
risk of loss. Restrictions and controls for accessing data housed 
within critical databases have been strengthened. Network segmentation 
has been increased to restrict access from internet-facing systems to 
back-end databases and data stores. Additional web application 
firewalls have been deployed, and tuning signatures designed to block 
attacks have been added. Deployment of file integrity monitoring 
technologies on application and web servers has been accelerated. The 
company is also implementing additional network, application, database, 
and system-level logging. These are just a few of the steps Equifax has 
taken in recent weeks to shore up its security protocols.
    Importantly, Equifax's forensic consultants have recommended a 
series of improvements that are being installed over the next 30, 60, 
and 90-day periods, which the company was in the process of 
implementing at the time of my retirement. In addition, at my direction 
a well-known, independent expert consulting firm (in addition to and 
different from Mandiant) has been retained to perform a top-to-bottom 
assessment of the company's information security systems.
    Beyond the recent technological enhancements, Equifax has also made 
several strategic personnel changes at the highest levels of the 
company. Accountability starts at the top and I, therefore, decided to 
step down as CEO and retire early to allow the company to move forward. 
Before I retired, our Chief Information Officer and Chief Security 
Officer also left the company. Equifax's interim appointments for each 
of these positions, including Paulino do Rego Barros, Jr., the interim 
CEO, are ready, able and qualified to step into their new roles and to 
help consumers, and the company, recover from this regrettable 
incident.
    It is my hope and expectation that, at the conclusion of the 
investigation, we will have an even more complete account of what 
happened, how future attacks by criminal hackers can be deterred and 
suspicious activity curbed more quickly, and most importantly, how 
consumers' concerns about the security of their personal data can be 
alleviated.
Toward a New Paradigm in Data Security
    Where do we go from here? Although I have had little time for 
reflection regarding the awful events of the last few weeks, this 
humbling experience has crystalized for me two observations: First, an 
industry standard placing control of access to consumers' credit data 
in the hands of the consumers should be adopted. Equifax's free 
lifetime lock program will allow consumers, and consumers alone, to 
decide when their credit information may be accessed. This should 
become the industry standard. Second, we should consider the creation 
of a public-private partnership to begin a dialogue on replacing the 
Social Security Number as the touchstone for identity verification in 
this country. It is time to have identity verification procedures that 
match the technological age in which we live.
    The list of companies and Government agencies that have suffered 
major hacks at the hands of sophisticated cybercriminals is sadly very 
long, and growing. To my profound disappointment, Equifax now finds 
itself on that list. I have stepped away from a company I have led and 
loved and helped build for more than a decade. But I am not stepping away 
from this problem and I am strongly committed to helping address the 
important questions this episode has raised. Part of that starts today, 
as I appear at this hearing and others voluntarily to share what I 
know. Going forward, however, Government and the private sector need to 
grapple with an environment where data breaches will occur. Giving 
consumers more control of their data is a start, but is not a full 
solution in a world where the threats are always evolving. I am hopeful 
there will be careful consideration of this changing landscape by both 
policymakers and the credit reporting industry.
Conclusion
    Chairman Crapo, Ranking Member Brown, and Honorable Members of the 
Committee, thank you again for inviting me to speak with you today. I 
will close by saying again how so sorry I am that this data breach 
occurred. On a personal note, I want to thank the many hard-working and 
dedicated people who worked with me for the last 12 years, and 
especially over the last 8 weeks, as we struggled to understand what 
had gone wrong and to make it right. This has been a devastating 
experience for the men and women of Equifax. But I know that under the 
leadership of Paulino and Mark they will work tirelessly, as we have in 
the past 2 months, to make things right.
    I realize that what I can report today will not answer all of your 
questions and concerns, but I can assure you and the American public 
that I will do my level best to assist you in getting the information 
you need to understand this incident and to protect American consumers.
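The patching sequence described in the testimony above (a U.S.-CERT notice, an internal email to the owners of Apache Struts installations, a 48-hour patching requirement, and scans on March 15 that did not find the vulnerable version) is the kind of check that can be run mechanically against a software inventory. The script below is an added example, not Equifax's tooling or anything from the hearing record; the hostnames, jar paths and the "first fixed version" values are constructed placeholders, and only the March 9 notification date and the 48-hour window are taken from the testimony.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample inventory (hostname, jar path); names are invented here.
INVENTORY = [
    ("dispute-portal-01", "/srv/app/WEB-INF/lib/struts2-core-2.3.30.jar"),
    ("dispute-portal-02", "/srv/app/WEB-INF/lib/struts2-core-2.5.10.1.jar"),
    ("intranet-app-07", "/srv/app/WEB-INF/lib/struts2-core-2.3.32.jar"),
    ("reporting-app-03", "/srv/app/WEB-INF/lib/struts2-core-2.1.8.jar"),
    ("batch-app-05", "/srv/app/WEB-INF/lib/commons-lang3-3.5.jar"),
]

# Placeholder "first fixed version" per branch: NOT the advisory's values.
FIXED_BY_BRANCH = {"2.3": (2, 3, 32), "2.5": (2, 5, 11)}

# From the testimony: internal notice March 9, 2017; patch within 48 hours.
NOTIFIED_AT = datetime(2017, 3, 9)
PATCH_SLA = timedelta(hours=48)

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")

def parse_struts2_version(path: str) -> Optional[Tuple[int, ...]]:
    """Version tuple of a struts2-core jar, or None if the jar is something else."""
    m = JAR_RE.search(path)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(version: Tuple[int, ...]) -> str:
    """'patched', 'vulnerable', or 'unknown-branch' (no fix data; review by hand)."""
    fixed = FIXED_BY_BRANCH.get(f"{version[0]}.{version[1]}")
    if fixed is None:
        return "unknown-branch"
    # Tuple comparison is element-wise, so (2, 5, 10, 1) < (2, 5, 11) as intended.
    return "patched" if version >= fixed else "vulnerable"

@dataclass
class Finding:
    host: str
    version: Tuple[int, ...]
    status: str
    hours_overdue: float  # 0 when patched or still inside the SLA window

def audit(inventory, as_of: str) -> List[Finding]:
    """Check every Struts 2 install in the inventory as of an ISO date/time."""
    now = datetime.fromisoformat(as_of)
    deadline = NOTIFIED_AT + PATCH_SLA
    findings = []
    for host, path in inventory:
        version = parse_struts2_version(path)
        if version is None:
            continue  # not a Struts 2 core jar; nothing to check
        status = classify(version)
        overdue = 0.0
        if status != "patched" and now > deadline:
            overdue = (now - deadline).total_seconds() / 3600
        findings.append(Finding(host, version, status, overdue))
    return findings

def overdue_hosts(findings: List[Finding]) -> List[str]:
    """Hosts still unpatched (or unreviewed) after the 48-hour window closed."""
    return sorted(f.host for f in findings if f.hours_overdue > 0)

if __name__ == "__main__":  # the scans in the testimony ran on March 15
    for f in audit(INVENTORY, "2017-03-15"):
        print(f.host, ".".join(map(str, f.version)), f.status, f"{f.hours_overdue:.0f}h")
```

Because the check reads the jar actually deployed rather than a vendor banner, an install that a network scan misses still shows up, and an unrecognised branch is flagged for review instead of silently passing.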
               RESPONSES TO WRITTEN QUESTIONS OF
       THE SENATE BANKING COMMITTEE FROM RICHARD F. SMITH

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

              Additional Material Supplied for the Record

LETTER SUBMITTED BY THE CREDIT UNION NATIONAL ASSOCIATION

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

EQUIFAX, INC., ``INSIDER TRADING POLICY''

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

EQUIFAX, INC., ``CORPORATE CRISIS MANAGEMENT PLAN, PART I''

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

EQUIFAX, INC., ``CORPORATE CRISIS MANAGEMENT PLAN, PART II''

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

EQUIFAX, INC., ``CORPORATE CRISIS MANAGEMENT PROGRAM, APPENDIX H''

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

EQUIFAX, INC., ``REGIONAL CRISIS MANAGEMENT PLAN''

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

EQUIFAX, INC., ``SECURITY INCIDENT HANDLING POLICY AND PROCEDURES''

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]