[Senate Hearing 115-361]
[From the U.S. Government Publishing Office]


                                                    S. Hrg. 115-361


  AN OVERVIEW OF THE CREDIT BUREAUS AND THE FAIR CREDIT REPORTING ACT

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
                   BANKING,HOUSING,AND URBAN AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                                   ON

EXAMINING THE CONSUMER REPORTING AGENCIES AND THE FAIR CREDIT REPORTING 
                                  ACT

                               __________

                             JULY 12, 2018

                               __________

  Printed for the use of the Committee on Banking, Housing, and Urban 
                                Affairs
                                
                                
                                
 [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]                               


                Available at: http: //www.govinfo.gov /
                
                
                                __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
32-483 PDF                  WASHINGTON : 2018                     
          
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected]. 

            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

                      MIKE CRAPO, Idaho, Chairman

RICHARD C. SHELBY, Alabama           SHERROD BROWN, Ohio
BOB CORKER, Tennessee                JACK REED, Rhode Island
PATRICK J. TOOMEY, Pennsylvania      ROBERT MENENDEZ, New Jersey
DEAN HELLER, Nevada                  JON TESTER, Montana
TIM SCOTT, South Carolina            MARK R. WARNER, Virginia
BEN SASSE, Nebraska                  ELIZABETH WARREN, Massachusetts
TOM COTTON, Arkansas                 HEIDI HEITKAMP, North Dakota
MIKE ROUNDS, South Dakota            JOE DONNELLY, Indiana
DAVID PERDUE, Georgia                BRIAN SCHATZ, Hawaii
THOM TILLIS, North Carolina          CHRIS VAN HOLLEN, Maryland
JOHN KENNEDY, Louisiana              CATHERINE CORTEZ MASTO, Nevada
JERRY MORAN, Kansas                  DOUG JONES, Alabama

                     Gregg Richard, Staff Director

                 Mark Powden, Democratic Staff Director

                      Joe Carapiet, Chief Counsel

              Kristine Johnson, Professional Staff Member

                 Elisha Tuku, Democratic Chief Counsel

            Laura Swanson, Democratic Deputy Staff Director

              Phil Rudd, Democratic Legislative Assistant

                       Dawn Ratliff, Chief Clerk

                      Cameron Ricker, Deputy Clerk

                     James Guiliano, Hearing Clerk

                      Shelvin Simmons, IT Director

                          Jim Crowell, Editor

                                  (ii)


                            C O N T E N T S

                              ----------                              

                        THURSDAY, JULY 12, 2018

                                                                   Page

Opening statement of Chairman Crapo..............................     1
    Prepared statement...........................................    30

Opening statements, comments, or prepared statements of:
    Senator Brown................................................     2

                               WITNESSES

Peggy L. Twohig, Assistant Director, Office of Supervision 
  Policy, Division of Supervision, Enforcement, and Fair Lending, 
  Bureau of Consumer Financial Protection........................     5
    Prepared statement...........................................    31
Maneesha Mithal, Associate Director, Division of Privacy and 
  Identity Protection, Bureau of Consumer Protection, Federal 
  Trade Commission...............................................     6
    Prepared statement...........................................    35
    Responses to written questions of:
        Senator Scott............................................    42

              Additional Material Supplied for the Record

Statements and letters submitted by Chairman Crapo...............    43
Reports and letters submitted by Senator Scott...................    52
Letter submitted by Senator Reed.................................   155
Report submitted by Senator Warren...............................   157

                                 (iii)

 
  AN OVERVIEW OF THE CREDIT BUREAUS AND THE FAIR CREDIT REPORTING ACT

                              ----------                              


                        THURSDAY, JULY 12, 2018

                                       U.S. Senate,
          Committee on Banking, Housing, and Urban Affairs,
                                                    Washington, DC.
    The Committee met at 10:04 a.m., in room SD-538, Dirksen 
Senate Office Building, Hon. Mike Crapo, Chairman of the 
Committee, presiding.

            OPENING STATEMENT OF CHAIRMAN MIKE CRAPO

    Chairman Crapo. The Committee will come to order. The 
Committee hearing today is entitled ``An Overview of the Credit 
Bureaus and the Fair Credit Reporting Act''.
    Credit bureaus play a valuable role in our financial system 
by helping financial institutions assess a consumer's ability 
to meet financial obligations and also facilitating access to 
beneficial financial products and services.
    Given this role, they have a lot of valuable personal 
information on consumers and, therefore, are targets of 
cyberattacks.
    Last year, Equifax experienced an unprecedented 
cybersecurity incident which compromised the personal data of 
over 145 million people.
    Following that event, the Banking Committee held two 
oversight hearings on the breach and consumer data protection 
at credit bureaus. The first hearing with the former Equifax 
CEO examined details surrounding the breach, while the second 
hearing with outside experts examined what improvements might 
be made surrounding credit reporting agencies and data 
security.
    This Committee also recently held a hearing on 
cybersecurity and risks to the financial services industry. 
These hearings demonstrated bipartisan concern about the 
Equifax data breach and the protection of consumers' personally 
identifiable information, as well as support for specific 
legislative measures to address such concerns.
    Some of these were addressed in Senate bill 2155, the 
``Economic Growth, Regulatory Relief, and Consumer Protection 
Act'', which included meaningful consumer protections for 
consumers who become victims of fraud.
    For example, it provides consumers unlimited free credit 
freezes and unfreezes per year. It allows parents to turn on 
and off credit reporting for children under 18 and provides 
important protections for veterans and seniors.
    Last month a New York Times article commenting on the bill 
noted that ``one helpful change . . . will allow consumers to 
`freeze' their credit files at the three major credit reporting 
bureaus--without charge. Consumers can also `thaw' their files, 
temporarily or permanently, without a fee.''
    Susan Grant, director of consumer protection and privacy at 
the Consumer Federation of America, expressed support for these 
measures, calling them ``a good thing.''
    Paul Stephens, director of policy and advocacy at the 
Privacy Rights Clearinghouse, similarly noted that the freeze 
provision ``has the potential to save consumers a lot of 
money.''
    But there is still an opportunity to see whether more 
should be done, and today's hearing will help inform this 
Committee in that regard.
    Today I look forward to hearing more from the witnesses 
about the scope of the Fair Credit Reporting Act and other 
relevant laws and regulations as they pertain to credit 
bureaus; the extent to which the Bureau of Consumer Financial 
Protection and the FTC, whom the two witnesses represent today, 
oversee credit bureau data security and accuracy; the current 
state of data security, data accuracy, data breach policy, and 
dispute resolution processes at the credit bureaus; and what, 
if any, improvements could be made.
    States have begun to react in their own ways to various 
aspects of the public debate on privacy, data security, and the 
Equifax data breach.
    Two weeks ago, California enacted the California Consumer 
Privacy Act which will take effect on January 1, 2020. The act, 
which applies to certain organizations conducting business in 
California, establishes a new privacy framework by creating new 
data privacy rights, imposing special rules for the collection 
of minors' consumer data, and creating damages frameworks for 
violations and businesses failing to implement reasonable 
security procedures.
    Many members are interested in learning more about what 
California and other States are doing on this front.
    Additionally, 2 weeks ago, eight State banking 
commissioners jointly took action against Equifax in a consent 
order requiring the company to take various actions regarding 
risk assessment and information security.
    I have long been concerned about data collection and data 
privacy protections by the Government and the private sector.
    Given Americans' increased reliance and use of technology 
where information can be shared by the swipe of a finger, we 
should be careful to ensure that companies and Government 
entities who have such information use it responsibly and keep 
it safe.
    Senator Brown.

           OPENING STATEMENT OF SENATOR SHERROD BROWN

    Senator Brown. Thank you, Mr. Chairman. Thanks very much to 
our witnesses. Thanks for holding this hearing today. I hope my 
colleagues would excuse me to particularly welcome Ms. Twohig 
to our Committee. She is from the Consumer Protection Bureau, 
grew up in Fairview Park, a westside suburb of Cleveland. She 
graduated from Ohio State. She worked for the Cleveland 
Foundation, the preeminent community foundation in the United 
States of America. She has a long career as a public servant 
with the FTC, the Treasury Department, and was an early 
employee of this terrific agency, the Consumer Financial 
Protection Bureau. And not to leave you out, but thank you both 
for joining us.
    The consumer credit reporting system is stacked against 
Americans. A bad credit report can keep you out of a job; it 
can put you on a list where you will be targeted with expensive 
credit cards or high-cost loans. You are almost powerless to do 
anything about it.
    Americans have basically no control over these reports that 
can dictate their lives and their family's plans for the 
future. They often do not know whether they are accurate or 
whether they are inaccurate.
    Six years ago I chaired a Subcommittee hearing where 
consumer advocates in the CFPB identified problems in the 
credit reporting industry. We have had several hearings in this 
Committee over the last year on credit reporting companies and 
on data privacy. In the meantime, breach after breach has 
occurred.
    Last year, as we know, 148 million Americans had their 
sensitive data stolen as hackers exploited a known security 
flaw that Equifax did not fix. Millions more have been affected 
by breaches at banks like JPMorgan Chase, stores like Target, 
Whole Foods, even Trump hotels. Congressional efforts, 
including provisions included in S. 2155, have not done 
anything meaningful to address accuracy of credit reports, to 
fix privacy concerns, or to give consumers controls over their 
own personal data.
    At the same time, big tech companies continually add more 
and more of our personal information to their digital 
warehouses. They have financial and personal details about 
hundreds of millions of Americans. They see the potential for a 
big payday in selling that data to credit reporting companies. 
These companies are amassing more and more of our data, but 
still seem totally unprepared to deal with cyberattacks. They 
are building virtual, shall we say, silver platters for 
hackers.
    People want and deserve a lot more control over their 
personal information. Credit reporting presents a unique 
problem because often Americans do not even know these 
corporations collect their data in the first place. Right now 
consumers cannot vote--as many of my colleagues like to say, 
cannot simply vote with their feet when a company does not 
treat them well, when a credit bureau fails to protect their 
privacy. Congress passed the Fair Credit Reporting Act in the 
first place to rein in credit bureaus that originally 
functioned as unsupervised supervisory agencies collecting 
personal information that we would be appalled to see in 
someone's credit report today.
    After scandals at Facebook, people are rightfully worried 
about big companies once again compiling and selling piles of 
personal data on every American without our knowledge, out of 
our control or our consent. More Americans would be surprised 
at how lenders are putting this data to use. Last week the 
Washington Post ran a story about a company called ``Mariner 
Finance'' that uses a loophole in the FCRA to look at people's 
credit records without their permission and then targets them 
with scams. Mariner sends checks for thousands of dollars to 
struggling families that can be cashed the day they are plucked 
from the mail. But the checks are really just expensive loans 
waiting to trap the consumer who cashes them.
    Now, Mariner will tell you they are increasing ``access to 
credit''--their term. But that was exactly what we were told 
about subprime loans. Some will say, including potentially your 
boss at the CFPB, that the market will take care of that. Well, 
the market clearly has not. The fact is Mariner is weaponizing 
people's credit history to target them with an expensive loan 
and making huge profits for the hedge fund that owns it. Your 
credit report can be used to force you into court, rightly or 
wrongly, to settle debts. But what if your credit card company 
or your cable provider erroneously reports a missed payment or 
defaulted account? They are protected. You cannot take them to 
court at all. And that is just absolutely outrageous.
    It turns out that is a big problem. A CFPB paper found last 
year that credit reporting companies have not been doing enough 
to ensure the information they get is accurate. They are 
protected and consumers are not, in part because of the 
behavior of this U.S. Senate and because of a Supreme Court 
that moves more and more to protect corporate interests. What 
incentive do these companies have? The people they hurt will 
not be able to have their day in court.
    We have heard all this before. The credit reporting system 
is backward. Like so much of our economy, it works for big 
corporations. It works for people with privilege. It does not 
work for regular Americans.
    The Fair Credit Reporting Act is 50 years old. The amount 
and type of information collected today would have been 
unthinkable when it was created. It is time for a serious 
overhaul that puts Americans in control of their own data. I 
have introduced bills and so have many of my colleagues that 
would do just that. I hope the Committee will not only listen 
to the advice we get today, but will also take action to give 
people control over what should be their personal information.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you, Senator Brown. We will now move 
to our witnesses and their testimony.
    First we will hear from Ms. Peggy Twohig, who currently 
serves as the Assistant Director for Supervision Policy in the 
Division of Supervision, Enforcement, and Fair Lending at the 
Bureau of Consumer Financial Protection. The Office of 
Supervision is responsible for developing strategy across bank 
and nonbank markets and ensuring that policy decisions are 
consistent across markets, charters, and regions.
    After that we will hear from Ms. Maneesha Mithal, who 
serves as the Associate Director for the Division of Privacy 
and Identity Protection in the Bureau of Consumer Protection at 
the Federal Trade Commission. In this capacity she supervises 
the work in the area of data security, identity theft, credit 
reporting, and behavioral advertising and general privacy.
    We appreciate both of you joining us today, and we will 
proceed in the order that you were introduced. Ms. Twohig.

  STATEMENT OF PEGGY L. TWOHIG, ASSISTANT DIRECTOR, OFFICE OF 
 SUPERVISION POLICY, DIVISION OF SUPERVISION, ENFORCEMENT, AND 
     FAIR LENDING, BUREAU OF CONSUMER FINANCIAL PROTECTION

    Ms. Twohig. Good morning, Chairman Crapo, Ranking Member 
Brown, and thank you for that special introduction. I am very 
proud of my Cleveland roots. And thank you for the opportunity 
to testify today about the work of the Bureau of Consumer 
Financial Protection to address consumer protections in the 
credit reporting market. My name is Peggy Twohig, and I am 
Assistant Director for Supervision Policy at the Bureau.
    Credit reporting plays a critical role in consumer 
financial services and has enormous reach and impact. Over 200 
million Americans have credit files with tradelines furnished 
voluntarily by over 10,000 providers. This information is used 
by creditors and other types of businesses to make decisions 
about individual transactions with consumers. In particular, 
creditors rely on this information to decide whether to approve 
loans and what terms to offer. Accurate credit reporting is 
important to creditors and other businesses to make good 
business decisions. For an individual consumer, an accurate 
credit report can be even more important given the significant 
impact that information can have on that consumer's ability to 
obtain financial and other products and services.
    Because of the importance of accuracy to businesses and 
consumers, the structure of the Fair Credit Reporting Act 
creates interrelated legal standards and requirements to 
support the policy goal of accurate credit reporting. These 
requirements anticipate that all reports will not be perfect; 
instead, the FCRA requires that credit reporting agencies, or 
CRAs, have ``reasonable procedures to assure maximum possible 
accuracy'' of reports. It also imposes certain accuracy 
obligations on furnishers of credit report information. And the 
FCRA has a dispute and investigation framework, with 
obligations on both CRAs and furnishers, to ensure that 
potential errors are investigated and errors are corrected 
promptly.
    The written testimony of the Bureau reviews the legal 
authority of the Bureau to supervise and enforce the Federal 
consumer financial laws applicable to CRAs. I will focus here 
on the work the Bureau has done exercising these authorities.
    In both its supervision and enforcement work, the Bureau 
has focused on credit reporting accuracy and dispute handling 
by both CRAs and furnishers. As discussed in a special edition 
of Supervisory Highlights published last year, the Bureau's 
supervisory work has prioritized reviews of key elements 
underpinning accuracy. As a result of these reviews, the Bureau 
directed specific improvements in data accuracy and dispute 
resolution at one or more CRA, including: improving oversight 
of incoming data from the furnishers; instituting quality 
control programs of compiled consumer reports; monitoring 
furnished dispute metrics to identify and correct root causes; 
improved investigations of consumer disputes, including a 
review of relevant information provided by consumers; and 
improving communication to consumers of dispute results.
    In supervising bank and nonbank furnishers, the Bureau has 
found furnishers that were not complying with their FCRA 
obligations and directed them to comply, including developing 
reasonable written policies and procedures regarding the 
accuracy of information they furnish; taking corrective action 
when they furnished information they determined to be 
inaccurate; and bringing their dispute handling practices into 
compliance. The Bureau has also brought enforcement actions and 
entered into a number of settlements related to violations of 
the FCRA's accuracy and dispute investigation requirements.
    Turning to data security, CRAs hold a tremendous amount of 
sensitive information about consumers. If CRAs do not protect 
this data, it may lead to data breaches, creating the risk of 
substantial harm to consumers, including the risk of identity 
theft. Since the Equifax breach, the Bureau has increased its 
attention to data security issues in our supervisory and 
enforcement work.
    The Bureau has the authority to conduct data security 
investigations and to conduct examinations at certain nonbanks, 
including larger CRAs. This authority includes assessing the 
facts and circumstances to determine whether a CRA's data 
security practices constitute a violation of Federal consumer 
financial law, including the prohibition against unfair, 
deceptive, or abusive acts and practices, or the FCRA.
    Our supervisory, enforcement, and consumer education 
efforts will continue in this important area. Consumers should 
have confidence that their credit reports are secure and comply 
with all applicable legal requirements.
    Thank you again for the opportunity to testify today at 
this important hearing. I would be happy to answer your 
questions about the Bureau's work related to credit reporting.
    Chairman Crapo. Thank you very much.
    Ms. Mithal.

 STATEMENT OF MANEESHA MITHAL, ASSOCIATE DIRECTOR, DIVISION OF 
PRIVACY AND IDENTITY PROTECTION, BUREAU OF CONSUMER PROTECTION, 
                    FEDERAL TRADE COMMISSION

    Ms. Mithal. Thank you. Chairman Crapo, Ranking Member 
Brown, and Members of the Committee, my name is Maneesha 
Mithal, and I am the Associate Director of the Division of 
Privacy and Identity Protection at the Federal Trade 
Commission. I appreciate the opportunity to appear before you 
today to discuss the Fair Credit Reporting Act, credit bureaus, 
and data security.
    As you know, the FCRA is intended to help consumers in 
three ways.
    First, it helps consumers prevent the misuse of sensitive 
consumer report information by limiting recipients to those who 
have a legitimate need for it.
    Second, it works to improve the accuracy and integrity of 
the consumer reporting system.
    And, third, it promotes the efficiency of the Nation's 
banking and consumer credit systems.
    Now, the Commission has played a key role in the 
implementation, enforcement, and interpretation of the FCRA 
since its enactment. Let me mention three key examples.
    First, in 2012 the Commission published a study of credit 
report accuracy. According to the study findings, one in four 
consumers identified errors on their credit reports that might 
affect their credit scores. Four out of five consumers who 
filed disputes experienced some modification to their credit 
report. And 5 percent of consumers experienced a change in 
their credit score that could impact their credit risk 
classification.
    The second activity that the FTC engages in is enforcement. 
Enforcement continues to be a top priority for the Commission. 
Since 2011, the Bureau has been examining the nationwide credit 
bureaus. As a result, the FTC has focused its FCRA law 
enforcement efforts on other entities in the credit reporting 
area and other aspects of the consumer reporting industry more 
broadly. One example is enforcing a law against furnishers that 
are not supervised by the Bureau. The FTC has settled cases 
against data furnishers that allegedly had inadequate policies 
and procedures for reporting accurate information to CRAs.
    Another example is employment background screening CRAs. 
For instance, in the InfoTrack case, the Commission alleged 
that a background screening CRA failed to have reasonable 
procedures to ensure the maximum possible accuracy of the 
consumer reports it provided, and as a result, it provided 
inaccurate information suggesting that job applicants may have 
been registered sex offenders when they were, in fact, not.
    Third, the Commission continues to educate consumers and 
businesses on their consumer reporting rights and obligations 
under the FCRA. One example is our publication ``Credit and 
Your Consumer Rights'', which provides an overview of credit 
for consumers, explains consumers' legal rights, and offers 
practical tips to help solve credit problems.
    Now, let me close by mentioning the importance of credit 
bureaus maintaining reasonable security of the consumer 
information that is entrusted to them. Since 2001, the 
Commission has undertaken substantial efforts to promote data 
security in this and other sectors. We enforce several laws 
requiring companies to maintain reasonable security, including 
the FTA Act, the Gramm-Leach-Bliley safeguards rule, and 
certain provisions of the FCRA. The Commission has brought over 
60 law enforcement actions against companies that allegedly 
engaged in unreasonable data security practices.
    Last year the Commission took the unusual step of publicly 
confirming its investigation into the Equifax data breach due 
to the scale of the public interest in the matter. And although 
we aggressively enforce our data security laws, I believe there 
are some gaps in our authority. For example, we cannot seek 
civil penalties for violations of most data security laws. To 
fill in these gaps, the Commission has supported Federal data 
security legislation on a bipartisan basis for over a decade. 
My written testimony discusses these issues in further detail, 
and I am happy to answer any questions you might have.
    Chairman Crapo. Thank you, Ms. Mithal. And my first 
question is for you. This is primarily just sort of a 
housekeeping item, but as I indicated in my opening statement, 
the Economic Growth, Regulatory Relief, and Consumer Protection 
Act has some significant provisions in it in this arena in 
terms of protecting consumers with the ability to place 
security freezes on their credit files with credit bureaus. 
This provision will empower consumers to protect their credit 
in the event of future data breaches or incidents of identity 
theft. I am just seeking your commitment that you and the FTC 
will move expeditiously to implement these credit bureau 
provisions in Senate bill 2155.
    Ms. Mithal. Absolutely, you have our commitment to 
implement those provisions expeditiously, and we have already 
begun. We issued a consumer blog post, and we have begun our 
rulemaking process, so thank you.
    Chairman Crapo. Thank you.
    Ms. Twohig, credit bureaus--well, let me put it this way: I 
have long been concerned about the ever increasing amounts of 
big data that are being collected, both in the private sector 
and in the public sector by the Government. And as you know, 
one of the agencies that I have been worried about is the 
Consumer Financial Protection Bureau.
    Are credit bureaus required to provide data to the Bureau?
    Ms. Twohig. So, Senator, thank you for that question. In 
our supervisory work, they are required to respond to our 
requests when we are conducting an examination, and the 
requests that we make of the credit bureaus are similar to the 
requests we make of other financial service providers that we 
oversee through our examination authority. So that would be we 
request information such as how they are complying with the law 
and their compliance management systems, so, for example, their 
board and management oversight, their policies and procedures, 
their monitoring, their training, what audits they are doing. 
So all the elements that go into a compliance management 
system, we ask for that general information.
    And then more specifically, we ask for more specific 
information when we are determining particular compliance with 
particular provisions of the law. So, for example, we may need 
specific information about consumer files when we are doing 
transaction testing to ensure, for example, that they were 
complying with the law in following up on a consumer's dispute.
    Chairman Crapo. My understanding is that the agency is 
seeking to collect specific credit card transactional data on 
hundreds of millions of accounts. Is that not correct?
    Ms. Twohig. My understanding, Senator, is that a separate 
part of the Bureau, its research arm, collects in a credit 
panel de-identified information on consumers for research 
purposes.
    Chairman Crapo. But you are not in a position to describe 
exactly what they are collecting?
    Ms. Twohig. Correct. We would need to follow up with you 
and get you the details on that.
    Chairman Crapo. All right. Let me go back again to the 
information that you are familiar with. Is the data that you 
are requiring provided by mandate or is it purchased?
    Ms. Twohig. So the area that I work in, Supervision, the 
legal requirement under Dodd-Frank is that they are required to 
respond to supervisory requests for the information we need to 
conduct the examination.
    Chairman Crapo. All right. And are there other private 
sector entities that are required to provide data in addition 
to the credit bureaus? And what are they? For example, credit 
card companies, banks, others?
    Ms. Twohig. So there are various provisions of different 
kinds of law that do require reporting to the Bureau. I 
believe, for example, under the CARD Act, credit card issuers 
are required to provide their agreements that then the Bureau 
posts on the website. I am not familiar, sitting here right 
now, with all the different provisions that might require 
reporting to the Bureau, but there are a number of different 
requirements that would come into play.
    Chairman Crapo. All right. I appreciate that. And just 
quickly, I have only got about a minute left, so if you could 
each give me about a 30-second answer, sort of a high-level 
answer as to what have we learned from the Equifax data breach 
about what we need to do from here?
    Ms. Twohig. So, Senator, I can tell you that even though 
the Bureau's investigations are not public, in this instance it 
is a matter of public record that the Bureau is investigating 
Equifax. We are coordinating with the FTC on that 
investigation, so that is in process. So I think it is 
premature to really answer that question.
    Chairman Crapo. All right. Ms. Mithal.
    Ms. Mithal. Like Ms. Twohig, I cannot comment on the 
specifics, but what I can say is two things.
    One is that we have learned that credit bureaus do hold the 
most sensitive information about consumers available in the 
marketplace, and it is incumbent on these credit bureaus to 
protect that information.
    And, second, I think that in terms of the big data 
breaches, I think the FTC could use more authority to seek 
civil penalties against companies that violate the laws that we 
enforce.
    Chairman Crapo. All right. Thank you.
    And Senator Brown has indicated that he wants to yield his 
first slot to Senator Schatz, so, Senator Schatz, please go 
ahead.
    Senator Schatz. Thank you, Chairman, and thank you to 
Ranking Member Brown. I promise I will not make a habit out of 
this. I appreciate it very much.
    Thank you very much for your testimony. Ms. Twohig, I 
wanted to follow up on something Ms. Mithal described. There 
was an FTC report that found that 5 percent of credit reports 
contain confirmed material errors. So these are confirmed 
material errors. There are more errors than that. But even if 
it is just 5 percent, that is the bare minimum of confirmed 
material errors. You are talking about 10 million people. And 
worse than that, 2 years later 84 percent of those errors 
remained on the credit reports.
    Can you tell me a little bit about what your supervisory 
work is entailing and what you found as it relates to accuracy 
and dispute resolution?
    Ms. Twohig. Thank you for that question, Senator. I would 
be happy to talk about that.
    As I said, because of the concerns about credit report 
accuracy, the Bureau did its first rule to identify what larger 
participants in the marketplace it was going to establish a 
nonbank supervision program for that was not already in a 
statute with respect to credit bureaus, consumer reporting 
agencies, because of the priority that the Bureau gave to look 
into that market and to be able to apply first ever supervisory 
authority on that industry. So they had never, before the 
Bureau, been examined by any Federal or State regulator. We 
prioritized that, and we have been conducting that work. And so 
we have been very focused on looking at their compliance with 
the accuracy and the dispute resolution provisions of the FCRA.
    Senator Schatz. And what have you found?
    Ms. Twohig. We found that, in general, as a big-picture 
matter, supervision is an attempt to get companies to have a 
preventive--to prevent law violations, to have a proactive 
approach to compliance, to make sure that they have their 
compliance house in order so that violations do not occur in 
the first place. We think we have made progress in shifting 
their attitude and culture toward more of a proactive 
compliance posture. But we have found problems with their 
compliance with the law, and we have given them directives to 
improve where we have found they have fallen short, and we have 
seen improvements over time. But that is not to say there is 
not more work to do, Senator.
    Senator Schatz. Thank you.
    Ms. Mithal, Senator Kennedy and I have a bill that would 
give consumers more tools to manage their credit reports, and I 
think it is really important for this Committee, especially for 
Republicans on this Committee, to recognize that we all know 
that we cannot blow up the system, that although there are 
consumers problems related to these credit bureaus, we still 
need some measure of creditworthiness, and we are not intending 
to be so disruptive as to create problems in lending. But there 
are some basic things that we can do to empower consumers, and 
I want to make sure that--they are not customers. They have not 
enlisted. People generally speaking do not sign up with these 
credit bureaus. But they are consumers, and our bill tries to 
empower consumers to, for instance, know what the credit 
bureaus know, be able to see those same lines, and to have an 
online portal that is no labyrinthine that allows a person to 
resolve any dispute in a straightforward manner.
    Is it fair to say, Ms. Mithal, that you support the goals 
of this legislation?
    Ms. Mithal. Absolutely. I think credit report inaccuracy 
issues continue to harm those consumers that are affected by 
it. Not only is it the lack of credit in the future; it is the 
time and expense it takes to clear up their credit report. So I 
think the tools that you are aiming to provide consumers 
through your bill, those are the types of tools that are 
absolutely worth considering.
    Senator Schatz. Can you talk a little bit about the 
importance of an online portal?
    Ms. Mithal. Sure. So I think one of the problems for 
consumers is that it is very difficult to know how to navigate 
the credit reporting system, and so I think the easier we can 
make it for consumers, the more tools we could provide for 
them, the more one-stop shops we can provide for them, I think 
that is very useful, consistent with, as you said, the kind of 
free flow of credit information.
    Senator Schatz. One final question, which I think I will 
take for the record for both of you. It is sort of twofold.
    First, we should draw a distinction between breaches which 
create credit score problems and credit inaccuracies, and the 
endemic problem of these credit bureaus basically getting it 
wrong anywhere from 5 to 15 percent of the time, but at least 5 
percent of the time in a material way. So although the Equifax 
breach caused us to think about these bureaus and focus on that 
question, this is not a cybersecurity question exclusively. It 
is also a basic consumer rights question.
    So my question for the record is: What specifically are the 
pain points for consumers as they go about trying to resolve 
these questions?
    Senator Schatz. And I have run out of time, and I 
appreciate the indulgence of the Chair and the Ranking Member.
    Chairman Crapo. Thank you.
    Senator Scott.
    Senator Scott. Thank you, Mr. Chairman. And thank you to 
the witnesses for being here today.
    I have worked for the last 6 or 7 years on something called 
the ``opportunity agenda,'' trying to find a way to empower 
those folks living in distressed communities. As you probably 
both know, we have about 50 million Americans today who live in 
those distressed communities, and as I think about ways to 
empower those folks living in distressed communities, the 
access to credit issue jumps out very clearly.
    The BCFP has found that 26 million Americans are credit 
invisible; another 19 million Americans are unscorable because 
their information is either insufficient and/or just too old. 
It should come as no surprise that there is a strong 
correlation between your income and whether you have a credit 
score or a credit record. Almost 30 percent of Americans living 
in low-income areas are credit invisible. An additional 15 
percent of Americans living in those areas are unscorable. In 
South Carolina, when you combine those two numbers together, 
that means about nearly one out of every four South Carolina 
adults are in that category.
    A solution to bring credit invisibles out of the shadows is 
S. 3040, the Credit Access and Inclusion Act. Credit invisibles 
regularly make payments for their rent, gas, water, 
electricity, and cell phones. New credit scoring models 
recognize these payments are payments that are predictive of 
your actual credit risk.
    Unfortunately, the FCRA ensures that missed payments and 
collection are reported to the credit bureaus, but not 
necessarily the ones you make on time.
    The Brookings Institution states that the consideration of 
this payment data will lead to a 21-percent increase to prime 
credit for those earning less than $20,000 a year and a 15-
percent increase to prime credit for those earning between 
$20,000 and $30,000 a year. That will make a huge difference 
for creditworthy folks trying to climb the economic ladder, and 
my bill helps us get there.
    Ms. Twohig, what is the impact on a consumer of being 
credit invisible when it comes to interest rates, applying for 
a job, or finding an apartment?
    Ms. Twohig. Senator, first of all, I want to say that the 
Bureau shares your concern about access to credit. In fact, one 
of the Bureau's strategic goals is to ensure that all consumers 
have access to consumer financial services.
    With respect to the particular impact, the particular 
impact will vary for each consumer and what they are applying 
for and what they are trying to do in the particular credit or 
other markets. But I think it is fair to say that if a consumer 
does not have a credit file with one of the national credit 
reporting companies or if it does not have enough in that file 
to score, then that consumer is basically shut out of the 
mainstream credit markets.
    Senator Scott. Well, that kind of leads to my second 
question. The BCFP has suggested that more of this information 
at the credit bureaus will help credit invisibles access 
mainstream credit sources. It sounds like you would concur that 
that would be accurate?
    Ms. Twohig. So alternative data of the type you are 
discussing is also something that the Bureau is interested in 
learning more about and is monitoring. In fact, the Bureau 
issued last year a Request for Information from the public to 
get information about different kinds of alternative data and 
the aspects of that alternative data and how it could help 
consumers and access to credit. We received over 100 comments. 
We are currently monitoring that information and studying that 
information and learning more about it. But I think also it is 
fair to say that if that information is accurate and 
predictive, then that could be part of the solution to increase 
access to credit.
    Senator Scott. Thank you.
    I will just say to my Chairman and the Ranking Member, who 
I know both have a passion for finding ways to bring those 
folks who are today credit invisible out of the shadows and 
into a place where they can rely on a strong credit score to be 
able to have lower interest rates, greater access to better 
jobs, and certainly be able to find places to live in higher-
quality communities, and all that is anchored in your credit 
score and not being credit invisible. So hopefully S. 3040 will 
be on the top of the docket for both of you. Thank you both.
    Chairman Crapo. Thank you, Senator Scott.
    Senator Menendez.
    Senator Menendez. Thank you.
    Ms. Twohig and Ms. Mithal, let me start off by asking you 
each to give me the last four digits of your Social Security 
number.
    Ms. Twohig. Senator, I really do not want to do that in a 
public forum.
    Ms. Mithal. I have the same reaction.
    Senator Menendez. All right. How about telling me which 
stores you opened credit cards with?
    Ms. Twohig. Which stores?
    Senator Menendez. Yeah.
    Ms. Twohig. I do not think I have opened any credit cards 
with a store lately.
    Ms. Mithal. That is not something I would be willing to 
share in a public forum.
    Senator Menendez. Or maybe can you tell us the outstanding 
balance on your home mortgage loans?
    Ms. Twohig. Senator, I would prefer not to share that kind 
of information either.
    Ms. Mithal. Same.
    Senator Menendez. I am not surprised. But that information, 
which I am sure you would not want to be shared or sold without 
your permission, and yet under current law consumer reporting 
agencies like Equifax can share and sell your information, 
where you live, where you pay your bills, and whether you pay 
on time, what you filed for, whether you filed for bankruptcy, 
without ever having to get your consent. Isn't that right?
    Ms. Mithal. That is correct, although there are certain 
limitations on how they can use the data.
    Senator Menendez. Now, American consumers are at the mercy 
of three megacompanies who control the security and safety of 
their personal information, and that makes no sense. Consumers 
should have the ability to control when, how, and to whom their 
data is shared, just like you wanted to control it here in this 
public forum.
    Last year a massive Equifax data breach laid bare the 
systemic problems with the credit reporting industry. Its 
failure to guard sensitive data left 145.5 million Americans 
exposed to identity theft and fraud.
    Ms. Mithal, Equifax waited an inexplicable 6 weeks to 
disclose a breach that had occurred. Worse, over months after 
the breach, millions of consumers were still unaware of the 
breach in part because there is no national requirement to 
alert consumers. My bill, S. 2188, the Consumer Data Protection 
Act, would require consumer reporting agencies to quickly 
notify the Federal Trade Commission, the CFPB, law enforcement, 
and consumers of a breach while keeping intact existing strong 
State consumer protection laws.
    Generally speaking, does the FTC support the idea of 
requiring companies to provide notification to consumers where 
there is a data security breach?
    Ms. Mithal. Absolutely, and the Commission has done so for 
almost--for over a decade on a bipartisan basis.
    Senator Menendez. Now, let me ask you, another issue we 
need to address here is the ability to hold consumer reporting 
agencies accountable when there is a breach, when they have 
clearly failed to protect consumers' personal data. My 
legislation also provides FTC the authority to pursue fines 
against a consumer reporting agency such as Equifax that 
negligently, knowingly, or willingly causes a data breach.
    In your view, would the institution of a monetary penalty 
framework incentivize consumer reporting agencies to better 
secure consumer data?
    Ms. Mithal. Yes.
    Senator Menendez. Let me ask another question for both 
witnesses. Given the unique and varied nature of consumer harm 
that results from a data breach at a consumer reporting agency, 
which includes everything from identity theft to difficulty 
purchasing a home or securing employment, would it be helpful 
to have a comprehensive study analyzing both the immediate and 
long-term costs and damages to individuals affected by data 
breaches at consumer reporting agencies?
    Ms. Mithal. So I think that there is no question that there 
is tremendous harm to consumers from data breaches of their 
sensitive information, and I think it would be worth 
considering a study to quantify that harm.
    Senator Menendez. Ms. Twohig.
    Ms. Twohig. I would agree with Ms. Mithal, and to the 
extent the Bureau can be helpful providing technical expertise 
in analyzing that topic, we would be happy to do so.
    Senator Menendez. Well, thank you. I really did not want to 
know your Social Security numbers, by the way, or your balances 
on your mortgages, which I hope is virtually nil. But this is 
the very essence of what we are talking about as we deal with 
this issue here today.
    Thank you, Mr. Chairman.
    Chairman Crapo. Senator Kennedy.
    Senator Kennedy. Thank you, Mr. Chairman.
    Ms. Mithal, can we agree that the work of the CRAs 
facilitates commerce in America?
    Ms. Mithal. Absolutely.
    Senator Kennedy. Do you agree with that, too, Ms. Twohig?
    Ms. Twohig. Yes.
    Senator Kennedy. And I think we can also agree, can we not, 
that that is a good thing in our free enterprise system?
    Ms. Mithal. Yes.
    Ms. Twohig. Yes.
    Senator Kennedy. When the CRAs gather information about me, 
do they ask my permission?
    Ms. Mithal. No.
    Ms. Twohig. No.
    Senator Kennedy. Do they pay me for the information?
    Ms. Mithal. No.
    Ms. Twohig. No.
    Senator Kennedy. They gather this information, and they 
assign me a score basically making an evaluation, a judgment 
about me, whether I am a creditworthy person or not. Is that 
correct?
    Ms. Mithal. Correct.
    Senator Kennedy. And in 5 to 10 percent of the cases, they 
get it wrong. They have some bad data. Is that correct?
    Ms. Mithal. Yes.
    Senator Kennedy. If they have bad data and I call them up 
and I say, ``Hey, you have got bad data on me. You did not talk 
to me first. I could have fixed this up front, but you did not 
talk to me. But you have got some bad data on me, and it is 
affecting my life and my family's life,'' and the CRA says, 
``OK. We will get back to you,'' and they never get back to me, 
or they get back to me and say, ``We disagree.'' What is my 
recourse?
    Ms. Mithal. So under the FCRA there is a dispute process 
where credit reporting agency is required to respond within a 
particular amount of time, and though at the end of the day, 
when the credit bureau says that, ``No, you, in fact, owe this 
debt,'' the consumer owes the debt.
    Ms. Twohig. That is right. The consumer can put a statement 
on their credit report if they are not satisfied with the 
results of the dispute investigation.
    Senator Kennedy. How long does that take?
    Ms. Mithal. I believe under the FCRA the investigation 
process is 30 to 45 days.
    Ms. Twohig. That is right.
    Senator Kennedy. I have to fill out a bunch of forms, do I?
    Ms. Mithal. Yes.
    Senator Kennedy. OK. How long do you think it takes to fill 
out all those forms and make the phone calls and say, ``Hey, 
you have got my information wrong''?
    Ms. Mithal. So I think there is certainly some time it 
takes on the part of the consumer to kind of understand the 
dispute process, to go through the dispute process, and to 
implement it.
    Senator Kennedy. And if I have got a day job, I cannot do 
that at work, right?
    Ms. Mithal. Yes, it is certainly a lot of time and expense 
to dispute----
    Senator Kennedy. I might do it at night or on the weekends? 
Can I call them up on the weekends? Do the CRAs work on the 
weekends, do you know?
    Ms. Twohig. I believe they have an online portal that you 
can file a dispute online and submit documents. Now the 
consumers can submit documents in support of their dispute 
online.
    Senator Kennedy. OK. And let us suppose at the end of the 
process they come back to me and they say, ``No, we are not 
changing anything,'' or--I know this does not happen very 
often, but you get somebody having a bad day, and they say, 
``Hey, we are not changing anything. And, by the way, we do not 
care because we do not have to. You are not my customer.'' What 
do I do?
    Ms. Mithal. So I think speaking for----
    Senator Kennedy. Do I file a complaint with the FTC?
    Ms. Mithal. Sure, you can file a complaint with the FTC, 
and we have----
    Senator Kennedy. Do I need a lawyer?
    Ms. Mithal. No, you do not need a lawyer.
    Senator Kennedy. Does it take time? I bet it is not a one-
page form.
    Ms. Mithal. Yes, it takes time.
    Senator Kennedy. It is not a one-page form, is it?
    Ms. Mithal. It is multiple pages.
    Senator Kennedy. And how quickly would the FTC act?
    Ms. Mithal. It would take a while.
    Senator Kennedy. Like how long is ``a while''?
    Ms. Mithal. It could take--so let me just clarify. We do 
not act on behalf of individual consumers.
    Senator Kennedy. I understand. How long would it take?
    Ms. Mithal. It would take several months to investigate, 
probably----
    Senator Kennedy. It could take a year, couldn't it?
    Ms. Mithal. Sure.
    Senator Kennedy. It could take 2 years sometimes, doesn't 
it?
    Ms. Mithal. Sure.
    Senator Kennedy. In the meantime, they have got bad data 
about me, and they did not pay me for it. They did not even ask 
me.
    Now, I think the CRAs perform an important service and do 
facilitate commerce. But it seems to me that we ought to be 
smart enough, particularly with technology, to come up with a 
system that says we are going to make it as easy as possible 
for the people with respect to whom the CRAs have bad 
information so those people can get it fixed and they can get 
it fixed quickly and they can get it fixed efficiently and they 
can get it fixed inexpensively and they can get it fixed so 
they do not have to miss their kids' ball games.
    Now, I think Senator Schatz and I have a bill that will do 
that. What is wrong with that bill? You think it is a good 
bill, don't you?
    Ms. Mithal. I do think it is a good bill, and I would 
support the goals of the legislation, which is, as you 
articulated, to make it a lot easier for consumers to file 
disputes with consumer reporting agencies.
    Senator Kennedy. Ms. Twohig.
    Ms. Twohig. Senator, I would say that all the issues you 
have just pointed out are the reason why we have prioritized at 
the Bureau supervising both the CRAs and furnishers----
    Senator Kennedy. Yes, ma'am, I know you prioritized, and I 
am not fussing at you, but you are still part of the 
bureaucracy. And it is pretty intimidating for the average 
American who did not ask to be brought into this system--it is 
a good system, but it is pretty intimidating when the CRAs get 
it wrong. And we ought to make it as easy as possible for them 
to get it fixed. That is good for them. That is good for the 
companies. That is good for the free enterprise system. And I 
think we can do better.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you.
    Senator Warner.
    Senator Warner. Well, thank you, Mr. Chairman. First of 
all, thank you for holding this hearing. I think you are 
hearing bipartisan concern. I want to thank the Ranking Member 
for also yielding to us. I also want to point out, though, that 
Ms. Twohig and Ms. Mithal are long-time career professionals. I 
think they would lean in to being willing to try to help us fix 
this problem. But they cannot fix this problem on their own 
without Congress acting.
    So I want to reiterate what I think a lot of Members have 
said. I had no choice in Equifax having my data. Senator 
Menendez raised this, Senator Kennedy has, Senator Schatz has. 
To me, as a former business guy, it is remarkable that a data 
breach based upon sloppy cybersecurity standards that took 
place over a year ago that the public was not notified until 11 
months ago, that we still--and this is not your fault at this 
point, because Congress has not acted--that they have paid no 
penalty to date. They took a little bit of a hit in the market, 
but they have almost recovered from that because they do not 
expect Congress to do its job to give the FTC the ability to 
put a civil penalty process in place.
    Now, Senator Warren and I have a very comprehensive bill 
that I am sure she will speak to as well that would put a 
liability regime in place that would particularly in the event 
of negligent behavior put a real incentive to make sure that 
credit reporting agencies up their game.
    Let me just again, for the record, Ms. Mithal, the FTC at 
this point does not have the ability to put any civil penalty 
on a CRA based on performance, do they?
    Ms. Mithal. Not on the basis of data security violations 
generally, no.
    Senator Warner. So unless the Congress acts, whether it is 
Senator Warren's bill, Senator Menendez's bill, Senator 
Kennedy's bill, Senator Schatz's bill, you do not have the 
tools. As a matter of fact, if we go and look at the so-called 
Safeguards Rule--and we have heard from Ms. Twohig's testimony 
that CFPB does not have authority under the Safeguards Rule to 
examine or look at the practices of the CRA. Ms. Mithal, does 
the FTC have the authority under the Safeguards Rule to examine 
credit reporting agencies to ensure that that rule is being 
followed?
    Ms. Mithal. So just to be clear, we do not have examination 
authority, but we can investigate CRAs to make sure that they 
are following the Gramm-Leach-Bliley Safeguards Rule. But, 
significantly, as you point out, we do not have the authority 
to seek civil penalties under the Safeguards Rule.
    Senator Warner. Right, and if memory serves, I am sure 
Senator Kennedy remembers as well, FTC indicated they had 
opened an investigation into the Equifax breach, but here we 
are over a year after the breach took place and 11 months after 
the public was finally notified, yet we still do not have a 
result. And even if you come up with a result, you do not have 
the ability to impose penalties because you have no liability 
regime in place.
    Ms. Mithal. Not under data security, yes.
    Senator Warner. Well, Mr. Chairman, I think this is an 
area, because I can assure you, sitting from the intel side, 
this is a problem that is not going to go away. This is a 
problem that is going to only exponentially increase. And 
Senator Menendez went down the path of would you be willing to 
offer your personal information, you wouldn't. But if somebody 
has hacked in and got that information from Equifax and 
contacts you with that personalized information and you combine 
that with the next realm of misinformation and disinformation, 
and you suddenly have a live stream video of what appears to be 
a face of somebody you recognize popping up on your social 
media account asking you to do something, either invest in some 
company or vote for some candidate, you put those two together, 
and you have a potential crisis that goes well beyond just 
financial concerns. And if we do not act, I think we are going 
to be irresponsible in ensuring that kind of activity does not 
take place, because I agree with Senator Kennedy, the 
incentives are not there at all for any CRA to clean up its act 
at all. There are no civil penalties, there is no liability 
regime. And I think we can do better, and I think these career 
professionals actually would want us to do better if we would 
give them the tools.
    Let me just say in my last 30 seconds, Senator Scott raised 
a little bit of this question about some of the folks who are 
unbanked. I am concerned as well, as we think through--Ms. 
Mithal, this is for you. As we start looking at the use of 
artificial intelligence, machine learning, you know, there are 
going to be a lot of tools used particularly by nonbank 
financial institutions who may provide credit lending, how we 
make sure that we ensure fairness in this new regime. But at 
this moment in time, again, I do not believe the FTC has the 
appropriate ability to look at a nonbank financial institution 
who is using AI techniques to grant a loan under FCRA. Is that 
correct?
    Ms. Mithal. So we did do a report on this issue a few years 
ago, and we did mention that there are certain circumstances 
when companies use AI technology to make decisions about credit 
or housing or employment eligibility that we would have 
authority to take action under the FCRA, but that is against a 
limited set of entities that are third parties using the 
information. So there are some gaps there.
    Senator Warner. And I would only say, Mr. Chairman and 
Ranking Member, that if we think what is happen with Equifax 
was something, wait until you see the nonbank financials start 
to use AI in the sophisticated way. And if we do not get ahead 
of this in terms of we ought to be able to use good data and 
good information, but if we do not put some rules in place, the 
Equifax breach will pale in comparison to what the next 
generation of attacks will look like.
    Thank you, Mr. Chairman.
    Chairman Crapo. I share your concerns, Senator Warner.
    Senator Warren.
    Senator Warren. Thank you very much, Mr. Chairman. Thanks 
for holding this hearing. Thank you, Ranking Member Brown, for 
letting us go ahead of you here.
    I want to pick up on the same theme that my colleagues have 
been talking about. After Equifax disclosed its massive data 
breach last year, I sent letters to Equifax and the other large 
credit bureaus and Federal regulators seeking information about 
the breach and the options for holding Equifax accountable.
    My staff compiled that information in an investigative 
report that my office issued in February, and I would like to 
submit a copy of that report for the record, Mr. Chairman. Mr. 
Chairman?
    [Laughter.]
    Senator Brown. Without objection.
    Senator Warren. Without objection.
    Chairman Crapo. Without objection.
    Senator Warren. Thank you, Mr. Chairman. Thank you.
    Chairman Crapo. What did I just agree to?
    [Laughter.]
    Senator Warren. So we put this report together, and one of 
the key findings of this report is that Federal agencies do not 
have the legal tools they need to stop data breaches at credit 
bureaus and hold credit bureaus accountable for compromising 
sensitive personal information. As Senator Warner was just 
pointing out, the FTC has some authority to oversee data 
security at credit bureaus, but it currently has no authority 
to seek civil penalties against the bureaus for compromising 
consumer information.
    So let me just ask, Ms. Mithal: Do you think the FTC should 
have that authority?
    Ms. Mithal. Yes.
    Senator Warren. Good. Thank you. In fact, the response the 
FTC sent to my letter specifically requested legislation that 
would ``allow the FTC to seek civil penalties to help ensure 
effective deterrence of cybersecurity breaches,'' so asking for 
it.
    Meanwhile, the CFPB has some supervisory authority over 
large credit bureaus, but limited ability to issue rules on how 
the bureaus must safeguard sensitive consumer data. Is that 
right, Ms. Twohig?
    Ms. Twohig. That is correct.
    Senator Warren. Good. In other words, even if the CFPB 
spots serious cybersecurity problems at the credit bureaus it 
supervises, it cannot issue new rules to try to address these 
problems. Is that right?
    Ms. Twohig. So we do not have the authority under the 
safeguards provisions of the Gramm-Leach-Bliley Act or the 
Safeguards Rule.
    Senator Warren. OK. So in response to my letter to the 
CFPB, then-Director Cordray said that the agency supported new 
legislation because ``Federal laws that are applicable to data 
security have not kept pace with technological and 
cybersecurity developments.'' In other words, want the 
authority to do this.
    So after receiving these responses, Senator Warner and I 
spent months working with each other and with experts in the 
field to develop the Data Breach Prevention and Compensation 
Act. Our bill would authorize the FTC to impose large and 
automatic penalties on any large credit bureau that allowed 
sensitive consumer information to be accessed. The way we see 
it, if credit bureaus collect our personal information without 
our permission, then they should have an absolute obligation to 
protect that data from hackers and thieves.
    The bill would also create a new Office of Cybersecurity at 
the FTC with the responsibility to establish cybersecurity 
standards at credit bureaus and supervise compliance with those 
standards.
    Ms. Mithal, do you think the FTC would be better equipped 
to oversee how credit bureaus protect sensitive information if 
Senator Warner's and my bill became law?
    Ms. Mithal. So I certainly do think we have the expertise. 
I think it is a question of resources. And so if your law comes 
with resources, that would be welcome.
    Senator Warren. OK, good. Fair enough. Fair enough. But you 
have got to have the authority, or you cannot do anything.
    Ms. Mithal. Correct.
    Senator Warren. So thank you.
    Mr. Chairman, I know that you and many of your Republican 
colleagues on this Committee are concerned about the lack of 
adequate protection of consumer data at credit bureaus, and I 
hope you will work with Senator Warner and with me to push this 
legislation forward.
    Our Federal agencies have made absolutely clear that they 
need more legal authority to protect consumers. We cannot just 
cross our fingers and hope that another breach does not happen 
because another breach will happen. And if we fail to act, then 
we bear some responsibility for that. More of our constituents 
will be harmed unless Congress acts.
    So I urge you to join with Senator Warner and me and others 
on this Committee to try to push our bill forward.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you, Senator Warren.
    Senator Cortez Masto.
    Senator Cortez Masto. Thank you. Thank you, Mr. Chair and 
Ranking Member for, I agree, this important discussion. And 
thank you to both of you for being here and all of the work 
that you do.
    I am curious. I want to talk a little bit about exclusive 
contracts. Last October, right after the announcement of 
Equifax's massive data breach, the New York Times ran an 
article about how Equifax and Freddie Mac have an exclusive 
relationship that harms both consumers and small businesses. I 
am curious if either one of you are familiar with that article 
or familiar with this concept that there are exclusive 
contracts.
    Ms. Mithal. I am not.
    Ms. Twohig. I am not familiar either.
    Senator Cortez Masto. So this is not something that either 
one of your organizations is looking into as something that is 
harmful to individual consumers or small businesses?
    Ms. Mithal. I can only speak to privacy and cybersecurity 
issues, and that is not something that is on our radar screen.
    Senator Cortez Masto. OK.
    Ms. Twohig. And for the Bureau of Consumer Financial 
Protection, as I said at the outset, we can confirm that we are 
investigating Equifax's data security practices in coordination 
with the FTC. Beyond that, our investigations are not public.
    Senator Cortez Masto. Thank you very much.
    Ms. Twohig, let me jump back then to the concept of--and I 
agree with my colleagues--this concern that all of this data is 
being collected on all of us individually, and we have no 
control over it. So, Ms. Twohig, let me start with you. As you 
well know, credit systems around the world have differing 
standards for consumer control of their own privacy. For 
instance, the new privacy laws in the European Union provide 
more privacy options than we do here in the United States. In 
fact, Americans have really little say over what data can be 
aggregated by these credit bureaus.
    If an opt-in system for credit bureaus was established, how 
would that impact people, our communities, and our economy? In 
other words, also--and as you address that, what is the 
reaction we are seeing to the implementation of the general 
data protection regulations in the European Union? And the 
reason I bring this up is because we have all been talking 
about opt-in, but there is this concern that somehow it is 
going to have an impact on our economy, on our businesses, and 
so I am curious if you have any insight into that, either one 
of you. Let me start with you, Ms. Twohig.
    Ms. Twohig. So at the outset, I would say that the Economic 
Growth, Regulatory Relief, and Consumer Protection Act provides 
additional important consumer protections in my view to allow 
consumers to get a free security freeze. And so even though 
that is not exactly what----
    Senator Cortez Masto. That is not an opt-in.
    Ms. Twohig. That is not an opt-in, but it is one step 
toward more control if consumers choose to exercise it.
    Senator Cortez Masto. But it is less than what the European 
Union requires?
    Ms. Twohig. I believe so.
    Senator Cortez Masto. Any other----
    Ms. Mithal. Yes, I guess I would say that I would have a 
bit of a concern about an across-the-board opt-in. I could see 
people who have a bad credit history or who have criminal 
records or bankruptcies not wanting that information to be 
reported and thus not opting into the system, and I think that 
could raise the cost of credit across the board. So I do have 
some concerns about that.
    I agree with the general concept that consumers should have 
more control, but there are other potential means of 
accomplishing that.
    Senator Cortez Masto. Do you think that some of the 
legislation you have heard today gives more of that control to 
consumers?
    Ms. Mithal. I think there are some very interesting options 
worth exploring through that legislation.
    Senator Cortez Masto. Thank you. I appreciate that.
    And let me also then go back to this idea, I agree with my 
colleague Senator Scott and the concern about too many adults 
have credit invisible and unscorable credit, and I think that 
is harmful in so many different ways. But I also understand, 
Ms. Twohig, from what you said that you are studying the issue 
or the agency is studying the issue on alternative data. Can 
you talk a little bit more about that and when you are going to 
anticipate completion of that study and what your intent is 
after the study is completed?
    Ms. Twohig. So I do not have a particular date, and I am 
not sure there is a particular study. It is just something that 
the Bureau is very interested in and has requested information 
so we could learn more about that. I can tell you the Acting 
Director has created an Office of Innovation with the goal of 
seeing what the Bureau can do to spur innovation in all kinds 
of ways, and that would include the use of alternative data and 
avenues for increasing access to credit.
    Senator Cortez Masto. OK. Thank you.
    One final question. I know that a number of States just 
recently announced a consent order last week with Equifax, and 
I believe these States really took the lead on this and did 
their necessary investigation. One of the reasons why I have 
concerns that there needs to be more of this collaboration 
between States and the Federal Government in this area is 
because I have seen here, as we have had these hearings, that 
State oversight is even more necessary now. What I have seen 
from Director Mulvaney and really the CFPB nominee Kraninger 
have not shown any willingness to challenge the financial 
services industry.
    So given what I know and what I have seen here, let me ask 
you this: There is legislation in the House--it is H.R. 3626--
and it requires enhancing information sharing between the 
Federal and State regulators when conducting the TSP exams. 
Would that be something you would support? And I am asking both 
of you.
    Ms. Twohig. So I can say as a general matter that--and I 
have been with the Bureau since its beginning in the 
Supervision Program. We have placed a priority on developing 
relationships with State regulators, and my enforcement 
colleagues the same for the State Attorneys General, and so we 
have close and cooperative relationships with those regulators, 
and the Acting Director has said he wants to improve that even 
more.
    Senator Cortez Masto. That is wonderful to hear. Thank you.
    Ms. Mithal. And I would echo that sentiment, and I just 
want to also say that I think we have been talking a lot about 
gaps in the FTC's authority, but I do want to say whatever 
authority Congress gives us, we exercise very aggressively. So 
we have brought over 60 data security cases, and we have looked 
at a variety of sectors. So I did not want to make it sound 
like we were sitting on our hands.
    Senator Cortez Masto. Thank you. And I notice my time is 
up. Thank you both.
    Chairman Crapo. Thank you.
    Senator Jones.
    Senator Jones. Thank you, Mr. Chairman, and thank you to 
the witnesses for coming here today.
    I want to mention something about--I want to go back to 
cybersecurity like so many others, but from a little bit 
different angle. I appreciate all of the colleagues on this 
Committee concerned with the Equifaxes of the world and the 
holders of this information. But, you know, I am an old 
prosecutor, and when we had a bank robbery, we just did not 
focus on what happened at the bank. We focused on who got the 
money and trying to catch those folks. So my question is: We 
have heard a lot today about Equifax and the CRAs. Is law 
enforcement involved in that investigation? If they are not, I 
would like to know why. And if so, can we have an expectation 
at some point when the investigation is released that there has 
been an effort and we hopefully can find out who did this? 
Because I agree with Senator Warner, this problem is not going 
away, and we need to focus on perpetrators as much as those 
holding the data. I will give that to both of you.
    Ms. Mithal. So I do not think I could talk about this in 
the context of a specific nonpublic investigation, but what I 
can say is that we work very closely with criminal authorities. 
I think it is a kind of one-two punch type situation where we 
want to make sure as a civil matter that agencies and companies 
that are entrusted with consumer data are doing everything they 
can to protect it, and at the same time we work with criminal 
law enforcement authorities to catch the bad guys and to try to 
share information to accomplish that. So I agree it is a very 
important part of the equation.
    Senator Jones. All right.
    Ms. Twohig. And that would be the same for the Bureau of 
Consumer Financial Protection in terms of coordinating with 
criminal law enforcement agencies.
    Senator Jones. All right. When this investigation is 
public, would you expect there to be some element of the report 
about the culprits in this particular Equifax matter?
    Ms. Mithal. I really cannot speak to that.
    Senator Jones. All right. That is fair enough.
    The other thing I would like to mention is that a recent 
study showed that Alabama, my State, ranked third from the 
bottom in terms of average credit scores, and I know there are 
a lot of things that impact credit scores. But what seemed 
clear is that there were also regional differences that have 
remained kind of static, and one of the--CFPB and FTC both have 
tools to educate customers, which I think is as important as 
anything in trying to get folks to get their scores up. I see 
TV ads all the time. But that is not the same--you know, trying 
to get your free credit score is not the same as trying to say 
get your free credit score up.
    So could you both briefly describe some of the tools that 
your agencies have with regard to education and what you 
believe could be the most effective way to educate the public 
about how to maintain a good credit score?
    Ms. Mithal. So I can start with that. We have what I 
believe is a world-class Office of Consumer and Business 
Education, and one of the things we do is we put out financial 
literacy materials, materials about credit scores and how to 
check your credit reports, and I think what we recognize is 
that a lot of people will not know the FTC, and so they will 
feel a lot more comfortable getting this information from their 
local communities, their churches, their schools, their 
libraries. And so we do not copyright our information. We put 
it out there for the local communities to put out in their own 
communities, and we would be happy to work with your office to 
get our materials out. We are also members of the Interagency 
Financial Literacy Task Force. So, again, I think we are 
trying--I absolutely agree that education is a very important 
part of what we do, and we need to get the word out to 
consumers so they can help protect themselves.
    Senator Jones. Great. Do you want to address that, Ms. 
Twohig?
    Ms. Twohig. Same for the Bureau. Consumer education is a 
very important part of what we do, and we have materials and 
education materials about how to create a credit file so 
consumers can have access to mainstream credit. Our Community 
Affairs Office is also doing active work in certain communities 
to try to help the communities understand what they can do 
locally to help consumers understand how they can create and 
build their credit files and positive credit history.
    Senator Jones. Great. Well, thank you both, and my staff 
will reach out to you so that we can do some affirmative things 
in Alabama.
    In the remaining moment, I would just like to follow back 
up with what Senator Scott said about the bill that he and I 
have introduced on the Credit Access Inclusion Act. And, Mr. 
Chairman and Senator Brown, I would also urge this Committee to 
get involved and try to get that bill out. A companion bill 
that I think is identical passed the House unanimously, and in 
an era in which the divide over Supreme Court nominations and 
things like are about to get greater, I do not want a bill that 
is a truly bipartisan bill to fall through the cracks like 
this, and I would urge the Committee to take some action and 
let us get that done. So thank you.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you, Senator Jones.
    Senator Van Hollen.
    Senator Van Hollen. Thank you, Mr. Chairman and Ranking 
Member, and thank you both for your testimony here today.
    We have talked about a number of things. Two of the 
categories we have talked about are: one, how do we create more 
incentives to discourage or prevent or deter credit rating 
agencies from becoming victims of data breaches? Obviously no 
one has an interest in having a big data breach, but the cost-
benefit analysis needs to be changed, and that is what Senators 
Warner and Warren have been talking about.
    The other issue, which Senator Kennedy and Senator Schatz 
have been talking about, is the accuracy of the information 
collected by the credit rating agencies, and I want to focus on 
that for a moment because, yes, I absolutely agree that we 
should make it easier for consumers to try to get their 
complaints submitted and processed more quickly. But it still 
appears to me that when you look at the sort of incentives of 
the CRAs, when they get it wrong, other than making the 
consumer whole again or correcting the error, they do not seem 
to have any penalty applied. So let me know if there is a 
current penalty that can be applied when they get it wrong. And 
we already know that in 5 percent of the cases they get it 
wrong, which represents millions and millions of Americans, 
which can have a devastating impact on their lives. So it seems 
to me in addition to making it easier to remedy the situation 
from the point of view of a consumer, we should also create 
greater incentives for the CRAs to get it right in the first 
place so that the burden is on them when they get it wrong, 
that there is some penalty to be paid for getting it wrong.
    Are there any penalties right now that either of you can 
apply when you just find that they are getting it wrong a lot?
    Ms. Mithal. So we do have the authority to seek civil 
penalties for companies that do not have reasonable procedures 
to have maximum possible accuracy. So I have been clarifying 
that under the FCRA we do not have the authority to get 
penalties under data security, but for accuracy we do, and we 
have gotten those civil penalties. But I just want to emphasize 
the statutory standard is reasonable procedures for accuracy, 
so it is not that every inaccuracy in a credit report will get 
a civil penalty.
    Senator Van Hollen. Right. Would it make sense to think of 
those--applying more of a penalty when people get it wrong? In 
other words, as I understand it right now, if you are a 
consumer who believes you have bad information that is 
negatively affecting your credit report, you go through this 
long process, right? You get on the phone. You may be put on 
hold. You do what you said. It may take a couple years. At the 
end of the day, what you, the FTC, determines is whether or not 
the consumer's complaint was correct, right?
    Ms. Mithal. So we look to see whether the company's 
procedures were reasonable.
    Senator Van Hollen. Oh, you just look at the reasonable 
nature of that. And if you find that they were unreasonable, 
what do you do to the company?
    Ms. Mithal. So we have gotten civil penalties against 
several companies. One was a couple of years ago against a 
company. We got about a $2.6 million civil penalty. There is 
another check authorization company; we got about a $3.5 
million civil penalty. So, again, it depends on the facts and 
circumstances, and we look at several statutory factors in 
determining the appropriate penalty amount.
    Senator Van Hollen. Would it be worth looking at greater 
sort of deterrent mechanisms so that there is more of a burden 
on the CRAs to get it right in the first place? And if so, what 
kind of suggestions would you have?
    Ms. Mithal. So I certainly kind of sympathize with the goal 
of making it easier for consumers to dispute credit report 
inaccuracy and also to make the whole process easier for 
consumers. And I think that is a goal worth exploring, and I 
would be happy to work with your staff and others on this 
Committee to accomplish that goal.
    Senator Van Hollen. All right. Anything else?
    Ms. Twohig. So, Senator, similarly, the Bureau can get 
penalties where there has been noncompliance with the FCRA's 
reasonable procedures provisions. In fact, it brought a case 
against a consumer reporting agency and got, I believe, about 
$5 million in penalties for their failure to comply with that 
part of the law.
    More generally, I think I also sympathize with the problems 
you are pointing out, and that is exactly why we have used this 
new supervisory authority that has never existed before until 
the Bureau was created to prioritize looking at the national 
credit reporting agencies and other consumer reporting agencies 
to ensure that they are looking at all aspects of accuracy. 
There are various different components of really what it takes 
to get a quality data control system. There is the incoming 
information. There is compiling it, and there is monitoring any 
indications of problems after the fact. We have broken it down 
and looked at various aspects and worked through our 
supervisory authority to require improvements in each part of 
those pieces of the system.
    Senator Van Hollen. Good, because I think until--let us say 
you are CRA. Until you have to suffer--right now, a consumer 
goes through this complaint process, and the CRA at the end of 
the day, OK, they have got to make them whole, right? ``Oh, we 
made a mistake 2 years ago that has affected your life.'' But 
there is no other penalty to be applied unless they somehow 
have a system that you determined has met this--that has been 
shaky. And even with those systems today, as we know, 5 percent 
error rate which affects tens of millions of people.
    So, anyway, I look forward to working with the Chairman and 
the Ranking Member and all of you. Thanks.
    Senator Brown [presiding]. Thank you, Senator Van Hollen.
    My questions are for both of you. I have a couple of 
questions. A lot of people, as we know, work hard every day, 
sometimes people are working multiple jobs to keep up with 
their bills. If they are injured or if they fall ill, we do not 
have--many, many, many companies in this country do not have 
any kind of leave policy. Some do not have good health 
insurance, so when people are injured or fall ill, huge 
unexpected medical costs can haunt their credit report for 
years.
    Given this type of debt is generally out of a person's 
control--they obviously did not choose this--should we not 
pause medical debt reporting, at least until more Americans 
have access to affordable insurance? We will start with you.
    Ms. Twohig. So, Senator, I think it is correct that medical 
debt is different than other kinds of debt. It can cause 
special problems for consumers. They can be subject to medical 
debt collection when they are just waiting for reimbursement. 
So I think it is a different kind of debt than regular debt.
    Senator Brown. Go ahead.
    Ms. Mithal. I agree with that, and I think S. 2155 was an 
excellent start in at least excluding certain medical debt for 
veterans, and I think that this is an idea worth exploring.
    Senator Brown. But it should be broader than that.
    Ms. Mithal. I think that is an idea worth exploring, yes.
    Senator Brown. Partially a follow-up to Senator Cortez 
Masto, I mentioned Mariner Finance in my opening statement. It 
is a company that sends cashable checks to people who might be 
in financial trouble, but the check is, as we know, a high-cost 
loan. The industry claims these prescreened offers that are 
allowed by the FCRA help borrowers get a better deal, but it 
looks like shady lenders fundamentally are taking advantage of 
a loophole to target struggling families. Wouldn't consumers be 
better off and less likely to face predatory lending practices 
if they had to opt into these offers, had to opt in rather than 
having to take steps to opt out? We will start with you.
    Ms. Mithal. Sure. So I also read the article, and I was 
very troubled by the practices. I cannot speak on any 
particular company, but the types of practices described in the 
article were very troubling. So under the FCRA, prescreened 
offers are permitted if they are a firm offer of credit, and so 
that is something that the statute specifically allows. If 
Congress were to determine to change that, we would enforce 
that requirement as well. So that is something that the law 
currently requires, but, again, we would be ready to work with 
Congress on any potential changes to that.
    Senator Brown. Ms. Twohig.
    Ms. Twohig. I would agree with that. Consumers now have a 
right to opt out, but as you suggest, Senator, that is 
different than having the default the other way, and we would 
be happy to work with you to consider whether there is a policy 
determination you think would be better for consumers.
    Senator Brown. That is mostly yes?
    Ms. Twohig. We would be happy to work with you to consider 
the pros and cons of going that direction.
    Senator Brown. So it is not quite a yes.
    Ms. Twohig. Not quite a yes.
    Senator Brown. OK. The Fair Credit Reporting Act protects 
companies that provide information to credit bureaus. Consumers 
cannot take them to court to get fixes. We know that. We have 
all heard the horror stories of someone trying to fix 
inaccurate data on a credit report. If consumers were allowed 
to have their day in court, would providers be more careful 
ensuring the data they report to credit bureaus as accurate? 
Ms. Twohig.
    Ms. Twohig. So there is a private right of action under the 
Fair Credit Reporting Act, and there are private actions filed 
by consumers if they believe that their information is 
inaccurate. So I just want to make sure I understand what you 
are----
    Senator Brown. There is a private right of action, but that 
private right of action has been, to put it mildly, diluted by 
this Congress and by decisions made by Government, correct?
    Ms. Twohig. I cannot speak to that. What I can say is that 
we are well aware at the Bureau of our obligation to ensure 
compliance with the law, which is indeed why we have 
prioritized supervising and enforcing in that area.
    Senator Brown. I agree with you, and I appreciate that, and 
I appreciate your service over the years. But don't providers--
the credit providers fundamentally know there is not a 
particularly effective private right of action. Do they not 
know that?
    Ms. Twohig. I cannot speak to what they know.
    Senator Brown. Well, yeah, you can. The credit providers 
know about forced arbitration. The credit providers know how 
the laws have changed. The credit providers know where the 
power in this society resides. It is not with consumers. It is 
not with employees. It is with employers. It is with credit 
reporting companies. You have had a string of really important 
jobs. You are obviously a really bright woman. You do recognize 
that, correct?
    Ms. Twohig. I recognize that it can be hard for an 
individual consumer, and that is actually why I have spent my 
career in public service trying to do what I can do----
    Senator Brown. I get all that, and thank you again for 
that. But you are not willing to say that the credit providers 
would be more careful ensuring the data they report to credit 
bureaus is accurate if the laws were written to give consumers 
more power in the marketplace?
    Ms. Twohig. They probably would be more careful if the laws 
were written that way.
    Senator Brown. Would you like to respond to that, too?
    Ms. Mithal. I agree with what Ms. Twohig said.
    Senator Brown. Which part? The part of----
    Ms. Mithal. That companies would be more likely to shore up 
their practices if consumers had more power.
    Senator Brown. I guess I do not know why a simple ``yes'' 
is not clear there. When credit providers know that the law is 
mostly--the power of the law is mostly on their side and not on 
the consumer side. You know, Anatole France said, ah, the 
majesty of the law. It prohibits rich people as well as poor 
people from sleeping under bridges. Yeah, it does. Well, that 
tells you a lot about where the power in society is, and the 
power more and more is residing with those with more and more 
power and influence and privilege. And consumers have less and 
less of that. It is just so clear to me that the credit 
providers act worse because the law so often is on their side 
and the power resides in them.
    Senator Donnelly.
    Senator Donnelly. Thank you, Mr. Chairman. Thank you to the 
witnesses.
    On May 24th, the Economic Growth, Regulatory Relief, and 
Consumer Protection Act was signed into law. I negotiated and 
wrote that legislation along with Chairman Crapo and several of 
my colleagues here. This new law includes important new 
consumer protection related to the credit bureaus to benefit 
servicemembers, veterans, and all Americans. The law provides 
free credit freezes, credit monitoring for servicemembers, and 
protections for veterans from VA billing delays.
    I would like to highlight these consumer-friendly 
provisions and receive feedback and updates from you on efforts 
to oversee the implementation and enforcement.
    The new law includes a provision to provide free credit 
monitoring for active-duty servicemembers. The FTC was provided 
1 year to complete the rulemaking which will help shape the 
credit monitoring services provided.
    Ms. Mithal, I expect the FTC to complete its rulemaking as 
soon as possible so troops can start receiving this important 
service. What is the FTC's expected timeline for the 
rulemaking?
    Ms. Mithal. So, Senator, I can assure you we are working as 
expeditiously as possible to complete the rulemaking, and I am 
hoping that we would have a Notice of Proposed Rulemaking out 
by hopefully at least the fall. I do not have complete control 
over that, but that is what I am committing to.
    Senator Donnelly. Obviously, the sooner the better.
    Ms. Mithal. Absolutely.
    Senator Donnelly. Section 301 of the new law includes a 
section I authored with Senator Perdue to allow every American 
to freeze and unfreeze their credit free of charge and set 
year-long fraud alerts. Additionally, the FTC and the major 
credit bureaus have to set up web pages where consumers can 
easily freeze their credit, set a fraud alert, and opt out of 
prescreened credit offers. These provisions allow Americans to 
take control of their credit files. The law requires compliance 
by September 21st. These provisions will make things easier for 
consumers.
    Could you please speak about the provisions generally and 
your expectation for the level of communication and 
collaboration that will occur between your agencies and the 
credit bureaus during implementation to ensure consumers 
benefit as was intended? If you could each respond.
    Ms. Twohig. So I can assure you, Senator, that the Bureau 
is going to work expeditiously to update--to implementation 
what it needs to do in implementing the Economic Growth, 
Regulatory Relief, and Consumer Protection Act. That would 
include updating the summary of rights that goes to consumers 
so that when they get their credit report, they have the 
information about these important new protections available to 
them, as well as educating consumers. We work collaboratively 
with the FTC and share information about that kind of 
information, as well as, of course, overseeing the compliance 
with these new provisions.
    Senator Donnelly. Ms. Mithal.
    Ms. Mithal. And I would say, first of all, I think these 
are very important rights, and they give important tools to 
consumers, so thank you for your work on that.
    As to our implementation, we have put out some guidance to 
consumers informing them of the new updates to the law that 
will take place in September, and we have already begun 
discussions with the CRAs about creating an online portal to 
effectuate all those tools for consumers. And so we are hoping 
to be ready--or we will be ready by September when the law goes 
into effect.
    Senator Donnelly. OK. Section 302 of the new law is based 
off the Protecting Veterans Credit Act, which I introduced with 
Senator Rounds to ensure veterans are not wrongly penalized by 
medical bill payment delays at the Department of Veterans 
Affairs. Many veterans had their credit scores damaged when the 
VA was late to pay medical bills. That will not be a problem 
any longer due to this new law.
    Your agencies, again, have oversight and enforcement 
authority. Can you speak as to how this provision will ensure 
that veterans are not wrongly penalized for medical debt that 
is actually the VA's responsibility? Ms. Twohig.
    Ms. Twohig. Senator, you can be sure that we will be 
looking for compliance with those important new provisions.
    Senator Donnelly. Ms. Mithal.
    Ms. Mithal. And, again, I think the provisions provide very 
important new rights for veterans. I think there have been 
recent studies showing the lack of predictiveness of medical 
debt, and so I think that is a very important provision, and we 
will do everything we can to support it.
    Senator Donnelly. All right. Thank you, Mr. Chairman.
    Senator Brown. Thank you, Senator Donnelly.
    I ask unanimous consent to enter into the record a letter 
from several consumer advocacy groups. Without objection.
    Thanks for being the last guy standing.
    [Laughter.]
    Senator Donnelly. Ready to help anytime.
    Senator Brown. That concludes the questioning for today. 
Questions for the record are due from Senators in 1 week, by 
Thursday, July 19th. We ask the two of you to respond to those 
questions as quickly as possible.
    Thank you for joining us. This concludes the hearing.
    [Whereupon, at 11:29 a.m., the hearing was adjourned.]
    [Prepared statements, responses to written questions, and 
additional material supplied for the record follow:]
               PREPARED STATEMENT OF CHAIRMAN MIKE CRAPO
    Today's hearing is entitled ``An Overview of the Credit Bureaus and 
the Fair Credit Reporting Act''.
    Credit bureaus play a valuable role in our financial system by 
helping financial institutions assess a consumer's ability to meet 
financial obligations, and also facilitating access to beneficial 
financial products and services.
    Given this role, they have a lot of valuable personal information 
on consumers and therefore are targets of cyberattacks.
    Last year, Equifax experienced an unprecedented cybersecurity 
incident which compromised the personal data of over 145 million 
Americans.
    Following that event, the Banking Committee held two oversight 
hearings on the breach and consumer data protection at credit bureaus.
    The first hearing with the former Equifax CEO examined details 
surrounding the breach, while the second hearing with outside experts 
examined what improvements might be made surrounding credit reporting 
agencies and data security.
    This Committee also recently held a hearing on cybersecurity and 
risks to the financial services industry.
    These hearings demonstrated bipartisan concern about the Equifax 
data breach and the protection of consumers' personally identifiable 
information, as well as support for specific legislative measures to 
address such concerns.
    Some of these were addressed in S. 2155, the Economic Growth, 
Regulatory Relief and Consumer Protection Act, which included 
meaningful consumer protections for consumers who become victims of 
fraud.
    For example, it provides consumers unlimited free credit freezes 
and unfreezes per year.
    It allows parents to turn on and off credit reporting for children 
under 18, and provides important protections for veterans and seniors.
    Last month, a New York Times article commenting on the bill noted 
that, ``one helpful change . . . will allow consumers to `freeze' their 
credit files at the three major credit reporting bureaus--without 
charge. Consumers can also `thaw' their files, temporarily or 
permanently, without a fee.''
    Susan Grant, director of consumer protection and privacy at the 
Consumer Federation of America expressed support for these measures, 
calling them ``a good thing.''
    Paul Stephens, director of policy and advocacy at the Privacy 
Rights Clearinghouse, similarly noted that the freeze provision ``has 
the potential to save consumers a lot of money.''
    But there is still an opportunity to see whether more should be 
done, and today's hearing will help inform this Committee in this 
regard.
    Today, I look forward to learning more from the witnesses about: 
the scope of the Fair Credit Reporting Act and other relevant laws and 
regulations as they pertain to credit bureaus; the extent to which the 
Bureau of Consumer Financial Protection and the FTC, whom the two 
witnesses represent, oversee credit bureau data security and accuracy; 
the current state of data security, data accuracy, data breach policy, 
and dispute resolution processes at the credit bureaus; and what, if 
any, improvements could be made.
    States have begun to react in their own ways to various aspects of 
the public debate on privacy, data security, and the Equifax data 
breach.
    Two weeks ago, California enacted the California Consumer Privacy 
Act which will take effect on January 1, 2020.
    The Act, which applies to certain organizations conducting business 
in California, establishes a new privacy framework by creating new data 
privacy rights, imposing special rules for the collection of minors' 
consumer data, and creating a damages framework for violations and 
businesses failing to implement reasonable security procedures.
    Many Members are interested in learning more about what California 
and other States are doing on this front.
    Additionally, 2 weeks ago, eight State banking commissioners 
jointly took action against Equifax in a consent order requiring the 
company to take various actions regarding risk assessment and 
information security.
    I have long been concerned about data collection and data privacy 
protections by the Government and private industry.
    Given Americans' increased reliance and use of technology where 
information can be shared by the swipe of a finger, we should ensure 
that companies and Government entities who have such information use it 
responsibly and keep it safe.
                                 ______
                                 
                 PREPARED STATEMENT OF PEGGY L. TWOHIG
     Assistant Director, Office of Supervision Policy, Division of 
    Supervision, Enforcement, and Fair Lending, Bureau of Consumer 
                          Financial Protection
                             July 12, 2018
    Chairman Crapo, Ranking Member Brown, thank you for the opportunity 
to testify today about the work of the Bureau of Consumer Financial 
Protection (Bureau) to address consumer protections in the consumer 
reporting market. My name is Peggy Twohig, and I am the Assistant 
Director for Supervision Policy at the Bureau. The Office of 
Supervision Policy is responsible for developing supervision strategy 
across bank and nonbank markets and ensuring that policy decisions are 
consistent across markets, charters, and regions.
    Prior to my work at the Bureau, I was Director of the Office of 
Consumer Protection at the Department of the Treasury (Treasury), where 
I worked on the proposal to create a new consumer agency as part of 
financial regulatory reform. Immediately before joining Treasury, I 
served as Associate Director of the Division of Financial Practices at 
the Federal Trade Commission (FTC). My 17-year tenure at the FTC 
focused on enforcement and policy issues related to consumer financial 
services. I have also worked as a litigator in private practice with 
the firm of Arnold & Porter in Washington, DC.
Credit Reporting System
    The consumer reporting market plays a critical role in the overall 
consumer financial services market and has enormous reach and impact; 
over 200 million Americans have credit files with tradelines furnished 
voluntarily by over 10,000 providers. This information is used by many 
different types of businesses, including creditors, insurers, 
landlords, telecommunications providers, and employers, to make 
decisions about individual transactions with consumers. In particular, 
creditors rely on the information in consumers' credit files to make 
decisions as to whether to approve a variety of credit transactions, 
including mortgages, credit cards, student loans, and auto loans. And, 
when extending credit, creditors use that information to determine what 
terms to offer.
    Accurate consumer report information is therefore important to 
creditors and other consumer report users to make good business 
decisions. For any individual consumer, an accurate consumer report can 
be even more important, given the significant impact that information 
can have on the consumer's ability to obtain or pay for financial and 
other products and services. Despite the impact credit reports can have 
on a consumer, consumers do not get to choose who collects and sells 
consumer report information about them.
    Because of the importance of consumer report accuracy to businesses 
and consumers, the structure of the Fair Credit Reporting Act (FCRA) 
creates interrelated legal standards and requirements to support the 
policy goal of accurate credit reporting. These requirements anticipate 
that all reports will not be perfect; instead the FCRA requires that 
credit reporting agencies (CRAs) have ``reasonable procedures to assure 
maximum possible accuracy'' of reports. \1\ It also imposes certain 
accuracy obligations on furnishers. \2\ The FCRA also sets forth a 
dispute and investigation framework, with obligations on both CRAs and 
furnishers, to ensure potential errors are investigated and corrected 
promptly, if necessary. \3\ This dispute resolution framework is 
important to the efficient operation of credit markets, as it provides 
a standard mechanism for identifying and resolving inaccuracies when 
they occur.
---------------------------------------------------------------------------
     \1\ FCRA Section 607(b), 15 U.S.C. 1681e(b).
     \2\ FCRA Section 623(a). 15 U.S.C. 1681s-2(a) .
     \3\ FCRA Section 611, 15 U.S.C. 1681i; FCRA Section 623(b), 15 
U.S.C. 1681s-2(b).
---------------------------------------------------------------------------
Bureau Authority Over Consumer Reporting Agencies and Furnishers
    Congress authorized the Bureau to assess compliance with the 
requirements of Federal consumer financial laws as part of its 
supervision of both depository institutions and nondepository 
institutions. As defined by the Dodd-Frank Wall Street Reform and 
Consumer Protection Act (Dodd-Frank Act), Federal consumer financial 
laws include most provisions of the Fair Credit Reporting Act. \4\ The 
FCRA is the primary statute that governs consumer reporting by CRAs, 
furnishing information to CRAs, and using reports generated by CRAs. 
Together with its implementing regulation, Regulation V, \5\ the FCRA 
imposes obligations on the compilation, maintenance, furnishing, use, 
and disclosure of information associated with credit, insurance, 
employment, and other decisions made about consumers.
---------------------------------------------------------------------------
     \4\ Id. at 5481(14), (12)(F).
     \5\ 12 CFR part 1022.
---------------------------------------------------------------------------
    Federal consumer financial laws also include substantive provisions 
of Title X of the Dodd-Frank Act. \6\ One of these provisions is the 
prohibition on a covered person or service provider from engaging in 
unfair, deceptive, or abusive acts or practices (UDAAP). \7\ Many CRAs 
are ``covered persons'' under the Dodd-Frank Act because they collect, 
analyze, maintain, or provide consumer report information or other 
account information used or expected to be used in connection with 
decisions regarding the offering or provision of consumer financial 
products or services and delivered, offered, or provided in connection 
with a consumer financial product or service. \8\ Depending on the 
facts and circumstances of any given transaction, CRAs might also be 
considered service providers. \9\
---------------------------------------------------------------------------
     \6\ 12 U.S.C. 5481(14).
     \7\ 12 U.S.C. 5531, 5536(a).
     \8\ Id. at 5481(5), (15)(A)(ix).
     \9\ Id. at 5481(26) (defining ``service provider'' as ``any 
person that provides a material service to a covered person in 
connection with the offering or provision by such covered person of a 
consumer financial product or service . . . '').
---------------------------------------------------------------------------
    The Bureau has supervisory authority over consumer reporting 
agencies that are larger participants in the consumer reporting market. 
In July 2012, the Bureau promulgated the first larger participant rule 
to define larger participants in the consumer reporting market because 
of the importance of this function to efficient credit markets. \10\ 
The larger participant rule defines a larger participant of the 
consumer reporting market as a nonbank covered person with more than $7 
million in annual receipts resulting from relevant consumer reporting 
activities. \11\ The Bureau estimated 30 companies that account for 
about 94 percent of the market's annual receipts met the larger 
participant threshold. \12\
---------------------------------------------------------------------------
     \10\ https://www.consumerfinance.gov/policy-compliance/rulemaking/
final-rules/defining-larger-participants-consumer-reporting-market/.
     \11\ 12 CFR 1090.104.
     \12\ https://www.consumerfinance.gov/about-us/newsroom/consumer-
financial-protection-bureau-to-supervise-credit-reporting/.
---------------------------------------------------------------------------
    Participants in this market include nationwide consumer reporting 
companies, consumer report resellers, and specialty consumer reporting 
companies. \13\ The Bureau reviews the operations of these larger 
participants for compliance with Federal consumer financial laws, 
including the FCRA and Regulation V. The Bureau also has supervisory 
authority over a substantial number of entities that furnish credit 
information to CRAs. As part of its exercise of this authority, the 
Bureau reviews compliance with the FCRA's furnishing requirements at 
other institutions subject to the Bureau's supervisory authority, such 
as large banks. The Bureau also has enforcement authority over nearly 
every person, regardless of status as a supervised entity, who violates 
the FCRA. \14\ The Bureau is the first Federal or State agency to have 
both supervisory and enforcement authority over CRAs and the other 
participants in the consumer reporting market.
---------------------------------------------------------------------------
     \13\ The term ``consumer reporting company'' means the same as 
``consumer reporting agency,'' as defined in the Fair Credit Reporting 
Act, 15 U.S.C. 1681a(f), including nationwide consumer reporting 
agencies as defined in Section 1681a(p) and nationwide specialty 
consumer reporting agencies as defined in Section 1681a(x).
     \14\ E.g., Section 1029 of the Dodd-Frank Act excludes certain 
motor vehicle dealers from the Bureau's rulemaking, enforcement, or 
other authority.
---------------------------------------------------------------------------
    In addition to enforcement and supervisory authority over CRAs, the 
Bureau has broad authority to promulgate rules ``as are necessary to 
carry out the purposes of' the FCRA. \15\ The Bureau's rules are 
applicable to any person subject to the FCRA, except certain motor 
vehicle dealers. \16\ The Bureau does not, however, have rulemaking 
authority (or supervisory or enforcement authority) under Sections 
615(e) and 628 of the FCRA. These provisions direct the Federal banking 
agencies, the National Credit Union Administration, the FTC, the 
Commodity Futures Trading Commission, and the Securities and Exchange 
Commission to promulgate regulations relating to Red Flags, and 
Disposal of Records. The FTC used its authority under these provisions 
of the FCRA to promulgate its ID Theft Red Flags Rule \17\ and its 
Consumer Report Records Disposal Rule. \18\ Other agencies have 
promulgated comparable rules pursuant to these sections.
---------------------------------------------------------------------------
     \15\ 15 U.S.C. 1681s(e)(1).
     \16\ 12 CFR 1022.1(b)(2).
     \17\ 16 CFR Part 681.
     \18\ 16 CFR Part 682.
---------------------------------------------------------------------------
    CRAs and other participants in the consumer reporting market may 
also be subject to other laws within the Bureau's authority, such as 
the Gramm-Leach-Bliley Act's (GLBA) notice and opt-out and privacy 
provisions. GLBA gives the Bureau rulemaking and enforcement authority 
over these provisions. \19\ (Since these provisions are Federal 
consumer financial laws they are also within the Bureau's supervisory 
authority under section 1024 of the Dodd-Frank Act.) The Bureau cannot, 
however, implement GLBA section 501(b), which requires that financial 
institutions develop, implement, and maintain comprehensive information 
security programs that contain administrative, technical, and physical 
safeguards. \20\ The Bureau has no supervisory, enforcement, or 
rulemaking authority with regard to GLBA section 501 (b) or its 
implementing rules; that section is excluded from the definition of 
Federal consumer financial law. \21\ Section 501(b) is implemented by 
rules and guidelines promulgated by the FTC and other agencies and 
include the FTC's GLBA Customer Information Safeguards Rule. \22\
---------------------------------------------------------------------------
     \19\ 15 U.S.C. 6804(a)(1)(A) and 6805(a)(8). The Bureau's GLBA 
authority does not extend to certain motor vehicle dealers. 12 CFR 
1016.1(b)(1).
     \20\ 15 U.S.C. 6801(b).
     \21\ 15 U.S.C. 5481(12), (14).
     \22\ 16 CFR Part 314.
---------------------------------------------------------------------------
Bureau Credit Reporting Work
    In both its supervision and enforcement work, the Bureau has 
focused on credit reporting accuracy and dispute handling by both CRAs 
and furnishers.
    In March 2017, the Bureau issued a special edition of its 
Supervisory Highlights publication in which it reported out on the 
supervisory work undertaken in consumer reporting. \23\ As discussed in 
the report, the Bureau has focused its supervisory work on the key 
elements underpinning accuracy. As a result of these reviews, the 
Bureau directed specific improvements in data accuracy and dispute 
resolution at one or more CRA, including:
---------------------------------------------------------------------------
     \23\ https://www.consumerfinance.gov/documents/2774/201703-cfpb-
Supervisory-Highlights-Consumer-Reporting-Special-Edition.pdf.

---------------------------------------------------------------------------
    improved oversight of incoming data from furnishers;

    institution of quality control programs of compiled 
        consumer reports;

    monitoring of furnisher dispute metrics to identify and 
        correct root causes;

    enhanced oversight of third-party public records service 
        providers;

    adherence to independent obligation to reinvestigate 
        consumer disputes, including review of relevant information 
        provided by consumers; and

    improved communication to consumers of dispute results.

    In addition, the Bureau directed both bank and nonbank furnishers, 
consistent with the FCRA's requirements, to develop reasonable written 
policies and procedures regarding accuracy of the information they 
furnish and to take corrective action when they furnished information 
they determined to be inaccurate. The Bureau also found that furnishers 
foiled to either conduct investigations or send results of dispute 
investigations to consumers and demanded that these furnishers bring 
their dispute handling practices into compliance with legal 
requirements.
    In addition to supervisory work, the Bureau has brought enforcement 
actions and entered into settlements related to institutions' violation 
of the FCRA's accuracy and dispute investigation requirements. \24\ The 
Bureau will continue to examine and investigate CRAs and furnishers, 
using the authority and tools provided by the Dodd-Frank Act and other 
statutes.
---------------------------------------------------------------------------
     \24\ See, e.g., http://files.consumerfinance.gov/f/
201510_cfpb_consent-order_general-information-serviceinc.pdf; http://
files.consumerfinance.gov/f/201512_cfpb_consent-order_clarity-services-
inc-timothy-ranney.pdf; https://files.consumerfinance.gov/f/documents/
bcfp_security-group-inc_consent-order_2018-06.pdf; https://
files.consumerfinance.gov/f/documents/201701_cfpb_CitiFinancial-
consent-order.pdf.
---------------------------------------------------------------------------
    The Bureau is also focused on educating consumers by providing 
consumers with tools and information to help them know what to do when 
they encounter a problem, or how to avoid problems in the first place. 
For example, we provide information to consumers about how they can 
obtain access to their credit reports to check their accuracy and 
dispute any information they believe to be incorrect. \25\
---------------------------------------------------------------------------
     \25\ For information about how to access your credit reports and 
how to dispute errors: https://www.consumerfinance.gov/consumer-tools/
credit-reports-and-scores/; For information about obtaining credit 
reports: https://www.consumerfinance.gov/ask-cfpb/how-do-i-get-a-copy-
of-my-credit-reports-en-5/; For information about how to dispute 
errors: https://www.consumerfinance.gov/ask-cfpb/how-do-i-dispute-an-
error-on-my-credit-report-en-314/; For information about common credit 
issues: https://www.consumerfinance.gov/about-us/blog/3-common-credit-
issues-and-what-you-can-do-fix-them/.
---------------------------------------------------------------------------
Data Security
    CRAs hold a tremendous amount of information about consumers, 
including sensitive financial information. If CRAs do not protect this 
data, it may lead to data breaches and other unauthorized access to it. 
Unauthorized access to data at consumer reporting agencies creates the 
risk of substantial harm to consumers, including the risk of identity 
theft. Because of these risks, since the Equifax breach, the Bureau has 
increased its attention to data security issues in our supervisory and 
enforcement activities.
    The Bureau has the authority to conduct data security 
investigations and examinations at nonbanks over which it has 
supervisory authority, including CRAs.
    Data security reviews conducted by the Bureau are comprised of 
three specific inquiries, consistent with the three prongs of the 
Bureau's general examination authority. \26\ First, the Bureau assesses 
the facts and circumstances to determine whether a nonbank's data 
security practices and policies constitute violations of Federal 
consumer financial law, including violations of the Dodd-Frank Act's 
prohibition against unfair, deceptive or abusive acts and practices 
(UDAAP) \27\ and of the Fair Credit Reporting Act. \28\ Second, the 
Bureau obtains information about compliance management systems and 
procedures relating to data security practices. Third, the Bureau 
detects and assesses risks posed by potential data security lapses to 
consumers and to markets for consumer financial products and services.
---------------------------------------------------------------------------
     \26\ Section 1024 of the Dodd-Frank Act grants the Bureau the 
authority to conduct examinations of certain nonbank financial 
institutions, including larger participants in the consumer reporting 
market, under its risk-based supervision program for the purposes of: 
(a) assessing compliance with the requirements of Federal consumer 
financial law; (b) obtaining information about the activities and 
compliance systems or procedures of such person; and (c) detecting and 
assessing risks to consumers and to markets for consumer financial 
products and services. 15 U.S.C. 5514.
     \27\ Both courts and executive branch agencies have found that, in 
certain circumstances, insufficient data security can constitute an 
unfair or deceptive practice. FTC v. Wyndham Worldwide Corp., 799 F.3d 
236 (3d Cir. 2015); FTC v. AshleyMadison.com, No. 1:16-cv-02438 (D.D.C. 
filed Dec. 14, 2016); available at https://www.ftc.gov/enforcement/
cases-proceedings/152-3284/ashley-madison.
     \28\ FCRA Section 607(a), 15 U.S.C. 1681e.
---------------------------------------------------------------------------
    In addition to this work, the Bureau website has a list of 
resources and information for consumers about data breaches to help 
consumers understand what steps or actions they can take to protect 
their personal information. \29\ The Bureau also provides resources to 
help consumers protect themselves from identity theft, \30\ to help 
military personnel and their families secure their identities, \31\ and 
specific resources on the Top 10 ways to protect yourself in the wake 
of the Equifax data breach. \32\ In addition, the Bureau's online tool, 
Ask CFPB, has provided consumers with answers to frequently asked 
questions about a variety of topics, including identity theft, credit 
freezes, fraud alerts, and credit and identity monitoring. \33\
---------------------------------------------------------------------------
     \29\ https://www.consumerfinance.gov/equifaxbreach.
     \30\ https://www.consumerfinance.gov/about-us/blog/identity-theft-
protection-following-equifax-data-breach/.
     \31\ https://www.consumerfinance.gov/about-us/blog/servicemembers-
should-secure-their-identity-after-equifax-data-breach/.
     \32\ https://www.consumerfinance.gov/about-us/blog/top-10-ways-
protect-yourself-wake-equifax-data-breach/.
     \33\ Available at http://www.consumerfinance.gov/askcfpb/search/
?selected-facets=tag-exact%3Aidentity+theft.
---------------------------------------------------------------------------
Conclusion
    Large breaches call for a coordinated response, and the Bureau will 
continue to coordinate with other Federal and State agencies. We will 
also continue to exercise our authority to examine and investigate 
credit reporting companies and furnishers of information, and to 
educate consumers about important consumer financial issues. Consumers 
should have confidence that their credit reports comply with all 
applicable legal requirements.
    Thank you again for the opportunity to testify today at this 
important hearing. I would be happy to answer your questions about the 
Bureau's work related to credit reporting.
                                 ______
                                 
                 PREPARED STATEMENT OF MANEESHA MITHAL
Associate Director, Division of Privacy and Identity Protection, Bureau 
            of Consumer Protection, Federal Trade Commission
                             July 12, 2018
Introduction
    Chairman Crapo and Members of the Committee, my name is Maneesha 
Mithal, and I am the Associate Director for the Division of Privacy and 
Identity Protection at the Federal Trade Commission (Commission or 
FTC). \1\ I appreciate the opportunity to appear before you today to 
discuss the Fair Credit Reporting Act, credit bureaus, and data 
security.
---------------------------------------------------------------------------
     \1\ While the views expressed in this statement represent the 
views of the Commission, my oral presentation and responses to 
questions are my own and do not necessarily reflect the views of the 
Commission or any individual Commissioner.
---------------------------------------------------------------------------
    Congress enacted the Fair Credit Reporting Act \2\ (FCRA) in 1970, 
recognizing the importance of ``fair and accurate credit reporting'' to 
maintain ``the efficiency of the banking system'' and ``the public[']s 
confidence'' in that system, while at the same time balancing the 
``need to insure that consumer reporting agencies exercise their grave 
responsibilities with fairness, impartiality, and a respect for the 
consumer's right to privacy.'' \3\ The FCRA helps to (1) prevent the 
misuse of sensitive consumer report information by limiting recipients 
to those who have a legitimate need for it; (2) improve the accuracy 
and integrity of consumer reports; and (3) promote the efficiency of 
the Nation's banking and consumer credit systems. Since the FCRA's 
passage, Congress has amended the statute to address developments in 
the consumer reporting system and the marketplace and to increase 
consumers' rights and protections with respect to the collection and 
use of their data. \4\
---------------------------------------------------------------------------
     \2\ 15 U.S.C. 1681-1681x.
     \3\ Id. 1681(a).
     \4\ The Consumer Credit Reporting Reform Act of 1996, Title II, 
Subtitle D, Chapter 1, of the Omnibus Consolidated Appropriations Act 
for Fiscal Year 1997 (Public Law No. 104-208, Sept. 30, 1996), made 
extensive revisions to the FCRA, including expanding the duties of 
consumer reporting agencies, increasing obligations on users of 
consumer reports, and adding furnishers of information to consumer 
reporting agencies as a category of entities with statutory 
obligations. There were a number of more modest revisions over the next 
7 years, the most significant of which was a 1999 amendment that 
specifically authorized the Federal financial agencies to promulgate 
regulations for the banks and other entities subject to their 
jurisdiction. The Fair and Accurate Credit Transactions Act of 2003, 
Public Law No. 108-159 (Dec. 4, 2003) (FACT Act), added several 
sections to assist consumers and businesses in combating identity theft 
and reduce the damage to consumers. The Commission, often in 
conjunction with the Federal financial agencies, issued numerous rules 
to implement the various FACT Act provisions.
---------------------------------------------------------------------------
    The Commission has played a key role in the implementation, 
enforcement, and interpretation of the FCRA since its enactment. \5\ In 
the last decade, the Commission has brought over 30 actions to enforce 
the FCRA against consumer reporting agencies (CRAs), users of consumer 
reports, and furnishers of information to CRAs. As the consumer 
reporting system evolves and new technologies and business practices 
emerge, vigorous enforcement of the FCRA continues to be a top priority 
for the Commission, as well as consumer and business education 
concerning applicable rights and responsibilities under the statute.
---------------------------------------------------------------------------
     \5\ As enacted, the FCRA established the Commission as the primary 
Federal enforcement agency, with wide jurisdiction over entities 
involved in the consumer reporting system; the primary exceptions to 
the Commission's jurisdiction are federally regulated financial 
institutions. See 15 U.S.C. 1681s(a)-(b). Pursuant to the Consumer 
Financial Protection Act of 2010 (CFPA), Title X of Public Law 111-203, 
124 Stat. 1955 (July 21, 2010) (The Dodd-Frank Wall Street Reform and 
Consumer Protection Act), the Commission shares its FCRA enforcement 
role with the Bureau of Consumer Financial Protection (Bureau) in many 
respects.
---------------------------------------------------------------------------
    This testimony first provides background on the FCRA. Next, it 
discusses marketplace developments related to credit report accuracy. 
It then discusses the Commission's work to enforce the accuracy 
provisions of the FCRA and educate consumers and businesses about their 
respective rights and responsibilities under the statute. Finally, it 
discusses the data security requirements applicable to credit bureaus 
and the FTC's efforts to promote data security in this sector.
Background on the FCRA
    CRAs assemble or evaluate consumer data for third parties to use to 
make critical decisions about the availability and cost of various 
consumer products and services, including credit, insurance, 
employment, and housing. \6\ These consumer reports are often used to 
evaluate the risk of future nonpayment, default, or other adverse 
events. For example, complete and accurate consumer reports enable 
creditors to make informed lending decisions, benefiting both creditors 
and consumers. Errors in consumer reports, however, can cause consumers 
to be denied credit or other benefits or pay a higher price for them. 
Errors in consumer reports can also cause credit issuers to make 
inaccurate decisions that result in declining credit to a potentially 
valuable customer or issuing credit to a riskier customer than 
intended.
---------------------------------------------------------------------------
     \6\ 15 U.S.C. 1681a(d) and (f).
---------------------------------------------------------------------------
    The FCRA imposes a number of obligations on CRAs. For example, to 
protect the privacy of sensitive consumer report information, CRAs must 
take reasonable measures to ensure that they provide such information 
only to those who have a statutorily specified ``permissible purpose'' 
to receive it. \7\ CRAs must also comply with requirements to help 
ensure the accuracy of consumer reports, including requirements that 
CRAs (1) maintain reasonable procedures to ensure the ``maximum 
possible accuracy'' of consumer reports \8\ and (2) maintain procedures 
through which consumers can dispute and correct inaccurate information 
in their consumer reports. \9\
---------------------------------------------------------------------------
     \7\ Id. 1681b(a), (c). Permissible purposes under the FCRA 
include, but are not limited to, the use of a consumer report in 
connection with a determination of eligibility for credit, insurance, 
or a license; in connection with the review of an existing account; and 
for certain employment purposes.
     \8\ Id. 1681e(b).
     \9\ Id. 1681i(a)-(d)(1).
---------------------------------------------------------------------------
    Under the FCRA, if a consumer disputes the completeness or accuracy 
of information contained in his or her file, the CRA must complete a 
reasonable investigation within 30 days. The CRA must notify the 
furnisher of the disputed information within five business days. If a 
disputed item is found to be inaccurate or incomplete or cannot be 
verified, the CRA must delete or modify the information and notify the 
furnisher. In general, the CRA must provide the consumer with written 
notice of the results of the investigation in accordance with the 
procedures set forth in the statute within 5 business days after the 
completion of the investigation.
    In addition, the FCRA imposes obligations on those who furnish 
information about consumers to CRAs, such as entities extending credit. 
For example, furnishers have a duty to report accurate information and 
investigate consumer disputes of inaccurate information. \10\
---------------------------------------------------------------------------
     \10\ Id. 1681s-2(a)-(b).
---------------------------------------------------------------------------
    Users of consumer reports have obligations under the statute as 
well. For example, if a user of a consumer report takes an adverse 
action against a consumer--such as a denial of credit or employment--
based on information in a consumer report, the user must provide an 
adverse action notice to the consumer, which explains how the consumer 
can obtain a free copy of the report and dispute any inaccurate 
information in the report. \11\
---------------------------------------------------------------------------
     \11\ Id. 1681m(a). The adverse action notice also must include a 
statement that the CRA that supplied the consumer report did not make 
the decision to take the adverse action and cannot give the consumer 
any specific reasons for the decision. Id. 1681m(a)(2)(B).
---------------------------------------------------------------------------
Credit Report Accuracy
    In 2012, the Commission published a study of credit report accuracy 
mandated by the FACT Act, which amended the FCRA. \12\ It was the first 
major study that looked at all of the primary groups that participate 
in the credit reporting and scoring process--consumers, furnishers 
(e.g., creditors, lenders, debt collection agencies), the Fair Isaac 
Corporation (which develops FICO credit scores), and the national 
credit bureaus. \13\ To implement the study, researchers worked with 
approximately 1,000 consumers to review their free credit reports from 
the three major credit bureaus. The researchers helped consumers 
identify and dispute possible errors on their credit reports. According 
to the study findings, 25 percent of consumers identified errors on 
their credit reports that might affect their credit scores and 80 
percent of these consumers who filed disputes experienced some 
modification to their credit reports. Overall, 13 percent of consumers 
experienced a change in their credit scores after a dispute and 5 
percent of consumers experienced an increase in their credit scores 
such that their credit risk tier decreased and the consumer may be more 
likely to be offered a lower loan interest rate.
---------------------------------------------------------------------------
     \12\ Public Law No. 108-159 (Dec. 4, 2003).
     \13\ Section 319 of the Fair and Accurate Credit Transactions Act 
of 2003: Fifth Interim Federal Trade Commission Report to Congress 
Concerning the Accuracy of Information in Credit Reports (Dec. 2012), 
available at https://www.ftc.gov/reports/section-319-fair-accurate-
credit-transactions-act-2003-fifth-interim-federal-trade.
---------------------------------------------------------------------------
    There have been significant changes in the marketplace aimed at 
increasing credit report accuracy since the Commission published its 
study. For example, the Bureau has been exercising its supervisory 
authority over the nationwide credit bureaus and it periodically 
publishes Supervisory Highlights describing its findings. Last year, it 
published an edition focused on accuracy issues in credit reporting and 
the handling and resolution of consumer disputes, and it pointed to 
several specific improvements it directed in these areas. \14\
---------------------------------------------------------------------------
     \14\ See Supervisory Highlights Consumer Reporting Special Edition 
(Mar. 2, 2017), available at https://www.consumerfinance.gov/data-
research/research-reports/supervisory-highlights-consumer-reporting-
special-edition/.
---------------------------------------------------------------------------
    In addition, in 2015, the nationwide credit bureaus announced a 
Nationwide Consumer Assistance Plan (NCAP) as a result of a settlement 
with over 30 State attorneys general, with a number of provisions 
designed to improve the accuracy of credit reports. \15\ These 
provisions include requiring all data furnishers to use the most 
current reporting format; removing any previously reported medical 
collections that have been paid or are being paid by insurance; 
requiring debt collectors to regularly update the status of unpaid 
debts and remove debts no longer being pursued for collection; and 
implementing an enhanced dispute resolution process for consumers that 
are victims of fraud or identity theft or are involved in mixed files 
(where two consumer files are mistakenly mixed together). NCAP 
contained a phased implementation plan scheduled to be completed this 
year.
---------------------------------------------------------------------------
     \15\ See, e.g., National Consumer Assistance Plan, News Release 
(Jun. 9, 2016), available at http://
www.nationalconsumerassistanceplan.com/news/news-release/.
---------------------------------------------------------------------------
FTC Activities To Promote Credit Report Accuracy
Law Enforcement
    FCRA enforcement continues to be a top priority for the Commission. 
With the advent in 2011 of the Bureau's supervisory authority over the 
nationwide credit bureaus and the coordination efforts between the 
agencies, the FTC has focused its FCRA law enforcement efforts on other 
entities in the credit reporting area and other aspects of the consumer 
reporting industry more broadly.
    For example, the FTC settled cases against furnishers that 
allegedly had inadequate policies and procedures for reporting accurate 
credit information to CRAs. In Credit Protection Association, LP, the 
Commission alleged that a debt collector failed to have adequate 
policies and procedures to handle consumer disputes, did not have a 
policy requiring notice to consumers of the outcomes of investigations 
about disputed information, and in numerous instances failed to inform 
consumers of the outcome of disputes. \16\ The settlement included 
$72,000 in civil penalties. \17\ And, in Tricolor Auto Acceptance, LLC, 
the Commission alleged that the loan-servicing department of an auto 
dealer failed to have written policies and procedures designed to 
ensure that the credit information it reported to CRAs was accurate and 
failed to properly investigate consumer disputes regarding the accuracy 
of credit information. \18\ The settlement included $82,000 in civil 
penalties.
---------------------------------------------------------------------------
     \16\ U.S. v. Credit Protection Association, LP, No. 3:16-cv-01255-
D (N.D.Tex. filed May 9, 2016), available at https://www.ftc.gov/
enforcement/cases-proceedings/142-3142/credit-protection-association.
     \17\ As specified by the Federal Civil Penalty Inflation 
Adjustment Act of 1990, 28 U.S.C. 2861, as amended by the Debt 
Collection Improvements Act of 1996, Public Law 104-134, 31001(s)(1), 
110 Stat. 1321-373, in relevant part, civil penalties under the FCRA 
are capped at $3,500 per violation for violations occurring before 
August 1, 2016, $3,756 per violation for violations occurring between 
that date and January 23, 2017, and $3,817 for violations occurring on 
or after January 24, 2017.
     \18\ U.S. v. Tricolor Auto Acceptance, LLC, No. 3:15-cv-3002 
(N.D.Tex. filed Sept. 16, 2015), available at https://www.ftc.gov/
enforcement/cases-proceedings/142-3073/tricolor-auto-acceptance-llc.
---------------------------------------------------------------------------
    In addition, the FTC has settled cases against background screening 
CRAs that compile background reports on consumers that may include 
driving records, employment and education history, eviction records, 
and criminal records for use in making employment and housing 
decisions. These settlements include allegations relating to 
inaccuracies in consumer reports, as well as failures to protect the 
privacy of consumer reports by ensuring permissible use. For example, 
in InfoTrack Information Services, Inc., the Commission alleged that a 
background screening CRA failed to have reasonable procedures to ensure 
the maximum possible accuracy of consumer report information and, as a 
result, provided inaccurate information suggesting that job applicants 
potentially were registered sex offenders. \19\ The settlement included 
$1 million in civil penalties, which was suspended upon payment of 
$60,000 based on inability to pay. In Instant Checkmate, Inc., the 
Commission alleged that the CRA compiled public record information into 
background reports and marketed its services to landlords and employers 
but failed to comply with several FCRA provisions, including failing to 
maintain reasonable procedures to ensure the accuracy of its reports, 
failing to have reasonable procedures to ensure that those using its 
reports had permissible purposes for accessing them, and providing 
reports to users that it did not have reason to believe had a 
permissible purpose to receive them. \20\ The settlement included 
$525,000 in civil penalties.
---------------------------------------------------------------------------
     \19\ U.S. v. Infotrack Information Services, Inc., No. 1:14-cv-
02054 (N.D.Ill. filed Apr. 9, 2014), available at https://www.ftc.gov/
enforcement/cases-proceedings/122-3092/infotrack-information-services-
inc-et-al.
     \20\ U.S. v. Instant Checkmate, Inc., No. 3:14-cv-00675-H-JMA 
(S.D.Cal. filed Apr. 9, 2014), available at https://www.ftc.gov/
enforcement/cases-proceedings/122-3221/instant-checkmate-inc.
---------------------------------------------------------------------------
    The FTC has also brought cases against check authorization CRAs for 
failing to comply with their accuracy obligations. Check authorization 
companies compile consumers' personal information and use it to help 
retail merchants throughout the United States determine whether to 
accept consumers' checks. In its settlements with Telecheck \21\ and 
Certegy, \22\ two of the Nation's largest check authorization 
companies, the Commission charged these companies with failing to 
follow FCRA accuracy procedures, failing to follow proper procedures 
for consumer disputes, and failing to establish and implement 
reasonable written policies regarding the accuracy of information the 
companies furnish to other CRAs. The FTC obtained $3.5 million in civil 
penalties against each company.
---------------------------------------------------------------------------
     \21\ U.S. v. TeleCheck Services, Inc., No. 1:14-cv-00062 (D.D.C. 
filed Jan. 16, 2014), available at https://www.ftc.gov/enforcement/
cases-proceedings/112-3183/telecheck-services-inc.
     \22\ U.S. v. Certegy Services, Inc., No. 1:13-cv-01247 (D.D.C. 
filed Aug. 15, 2013), available at https://www.ftc.gov/enforcement/
cases-proceedings/112-3183/telecheck-services-inc.
---------------------------------------------------------------------------
Business Guidance and Consumer Education
    The Commission also continues to educate consumers and businesses 
on their consumer reporting rights and obligations under the FCRA. The 
FTC has published guidance for employment and tenant background 
screening companies regarding their obligations under the FCRA, 
including with respect to accuracy and consumer disputes. \23\ For 
furnishers, the FTC publication Consumer Reports: What Information 
Furnishers Need To Know provides an overview of obligations under the 
FCRA. \24\ Similarly, for users of consumer reports, FTC guidance 
includes publications for employers, landlords, insurers, and 
creditors, as well as guidance on secure disposal of consumer 
information for all businesses. \25\
---------------------------------------------------------------------------
     \23\ See ``What Employment Background Screening Companies Need To 
Know About the Fair Credit Reporting Act'' (Apr. 2016), available at 
https://www.ftc.gov/tips-advice/business-center/guidance/what-
employment-background-screening-companies-need-know-about; ``What 
Tenant Background Screening Companies Need To Know About the Fair 
Credit Reporting Act'' (Oct. 2016), available at https://www.ftc.gov/
tips-advice/business-center/guidance/what-tenant-background-screening-
companies-need-know-about-fair.
     \24\ See Consumer Reports: ``What Information Furnishers Need To 
Know'' (Nov. 2016), available at https://www.ftc.gov/tips-advice/
business-center/guidance/consumer-reports-what-information-furnishers-
need-know.
     \25\ See Consumer Reports: ``What Employers Need To Know'' (Oct. 
2016), available at https://www.ftc.gov/tips-advice/business-center/
guidance/using-consumer-reports-what-employers-need-know; Consumer 
Reports: ``What Landlords Need To Know'' (Oct. 2016), available at 
https://www.ftc.gov/tips-advice/business-center/guidance/using-
consumer-reports-what-landlords-need-know; Consumer Reports: ``What 
Insurers Need To Know'' (Nov. 2016), available at https://www.ftc.gov/
tips-advice/business-center/guidance/consumer-reports-what-insurers-
need-know; ``Using Consumer Reports for Credit Decisions: What To Know 
About Adverse Action and Risk-Based Pricing Notices'' (Nov. 2016), 
available at https://www.ftc.gov/tips-advice/business-center/guidance/
using-consumer-reports-credit-decisions-what-know-about-adverse; 
``Disposing of Consumer Report Information? Rule Tells How'' (Jun. 
2005), available at https://www.ftc.gov/tips-advice/business-center/
guidance/disposing-consumer-report-information-rule-tells-how.
---------------------------------------------------------------------------
    The FTC also has a number of user-friendly resources for consumers 
designed to inform them of their rights under the FCRA and assist them 
with navigating the consumer reporting system. The publication Credit 
and Your Consumer Rights provides an overview of credit, explains 
consumers' legal rights, and offers practical tips to help solve credit 
problems. \26\ The FTC also has publications that explain how consumers 
can obtain their free annual credit reports from each of the nationwide 
consumer reporting agencies \27\ and use the FCRA's dispute procedures 
to ensure that information in their consumer reports is accurate. \28\ 
For consumers seeking employment or housing, the FTC has materials on 
employment background checks \29\ and tenant background checks. \30\ 
The Commission continues to update and expand its materials as new 
issues arise.
---------------------------------------------------------------------------
     \26\ ``Credit and Your Consumer Rights'' (June 2017), available at 
https://www.consumer.ftc.gov/articles/pdf-0070-credit-and-your-
consumer-rights.
     \27\ ``Free Credit Reports'' (Mar. 2013), available at https://
www.consumer.ftc.gov/articles/0155-free-credit-reports.
     \28\ See ``Disputing Errors on Credit Reports'' (Feb. 2017), 
available at https://www.consumer.ftc.gov/articles/0151-disputing-
errors-credit-reports.
     \29\ See ``Background Checks'' (Mar. 2018), available at https://
www.consumer.ftc.gov/articles/0157-background-checks.
     \30\ See FTC Consumer Blog, ``Renting an Apartment? Be Prepared 
for a Background Check'' (Nov. 2016), available at https://www.ftc.gov/
tips-advice/business-center/guidance/disposing-consumer-report-
information-rule-tells-how.
---------------------------------------------------------------------------
Data Security
    The FTC is committed to protecting consumer privacy and promoting 
data security in the private sector. The Commission is the Nation's 
primary data security regulator and enforces several statutes and rules 
that impose data security requirements on companies across a wide 
spectrum of industries, including credit bureaus. Since 2001, the 
Commission has undertaken substantial efforts to promote data security 
in the private sector through enforcement of Section 5 of the FTC Act, 
which prohibits unfair or deceptive acts or practices, such as 
businesses making false or misleading claims about their data security 
procedures, or failing to employ reasonable security measures. \31\ The 
Commission is also the Federal enforcement agency for the Children's 
Online Privacy Protection Act (COPPA), which requires reasonable 
security for children's information collected online. \32\
---------------------------------------------------------------------------
     \31\ 15 U.S.C. 45(a). If a company makes materially misleading 
statements or omissions about a matter, including data security, and 
such statements or omissions are likely to mislead reasonable 
consumers, they can be found to be deceptive in violation of Section 5. 
Further, if a company's data security practices cause or are likely to 
cause substantial injury to consumers that is neither reasonably 
avoidable by consumers nor outweighed by countervailing benefits to 
consumers or to competition, those practices can be found to be unfair 
and violate Section 5.
     \32\ 15 U.S.C. 6501-6506; see also 16 CFR Part 312 (COPPA Rule).
---------------------------------------------------------------------------
    Further, the Commission's Safeguards Rule, which implements the 
Gramm-Leach-Bliley Act (GLB Act), sets forth data security requirements 
for financial institutions within the Commission's jurisdiction, which 
includes credit bureaus. \33\ The Safeguards Rule requires financial 
institutions, or companies that are significantly engaged in offering 
consumer financial products or services, to develop, implement, and 
maintain a comprehensive information security program for handling 
customer information. The plan must be appropriate to the company's 
size and complexity, the nature and scope of its activities, and the 
sensitivity of the customer information it handles. The FTC has 
exclusive enforcement authority with respect to nonbank consumer 
financial services providers.
---------------------------------------------------------------------------
     \33\ 16 CFR Part 314, implementing 15 U.S.C. 6801(b).
---------------------------------------------------------------------------
    Finally, the FCRA requires consumer reporting agencies to use 
reasonable procedures to ensure that the entities to which they provide 
consumer reports have a permissible purpose for receiving that 
information \34\ and also requires the secure disposal of consumer 
report information. \35\ This section describes the FTC's efforts to 
enforce these laws, educate consumers and businesses, and develop 
policies in this area.
---------------------------------------------------------------------------
     \34\ 15 U.S.C. 1681e.
     \35\ Id. 1681w. The FTC's implementing rule is at 16 CFR Part 
682.
---------------------------------------------------------------------------
Law Enforcement
    The Commission has brought over 60 law enforcement actions against 
companies that allegedly engaged in unreasonable data security 
practices. Last year, the Commission took the unusual step of publicly 
confirming its investigation into the Equifax data breach due to the 
scale of public interest in the matter.
    The FTC has significant experience with enforcing data security 
laws against CRAs. In 2006, the FTC brought the seminal Choicepoint 
case against a CRA that sold consumer reports to identity thieves who 
did not have a permissible purpose to obtain the information under the 
FCRA, as well as failed to employ reasonable measures to secure the 
personal information it collected and misrepresented its security 
practices under Section 5 of the FTC Act. \36\ The complaint alleged 
that ChoicePoint failed to monitor subscribers even after receiving 
subpoenas from law enforcement authorities alerting it to fraudulent 
activity. The settlement included injunctive relief, as well as $10 
million in civil penalties--the largest FCRA civil penalty in FTC 
history--and $5 million in consumer redress. A few years later, the FTC 
settled another action against the company when it suffered a data 
breach because it turned off a key electronic security tool used to 
monitor access to one of its databases, in violation of the 
Commission's order. \37\
---------------------------------------------------------------------------
     \36\ U.S. v. Choicepoint, Inc., No. 1:06-cv-00198-GET (N.D.Ga. 
filed Jan. 30, 2006), available at https://www.ftc.gov/enforcement/
cases-proceedings/052-3069/choicepoint-inc.
     \37\ U.S. v. Choicepoint, Inc., No. 1:06-cv-00198-JTC (N.D.Ga. 
filed Oct. 19, 2009), available at https://www.ftc.gov/enforcement/
cases-proceedings/052-3069/choicepoint-inc.
---------------------------------------------------------------------------
    The Commission has also brought actions against companies for 
failing to dispose of consumer report information securely. For 
example, in the PLS Financial Services, Inc. case, the FTC alleged that 
the company violated the FCRA Disposal Rule by failing to take 
reasonable steps to protect against unauthorized access to credit 
reports in the improper disposal of the consumer information, violated 
the Safeguards Rule requirements for financial institutions to develop 
and use safeguards to protect consumer information, and violated the 
FTC Act by misrepresenting that it had implemented reasonable measures 
to protect sensitive consumer information. \38\ The settlement included 
injunctive relief and $101,500 in civil penalties.
---------------------------------------------------------------------------
     \38\ U.S. v. PLS Financial Services, Inc., No. 112-cv-08334 
(N.D.Ill. filed Oct. 17, 2012), available at https://www.ftc.gov/
enforcement/cases-proceedings/1023172/pls-financial-services-inc-et-al.
---------------------------------------------------------------------------
Business Guidance and Consumer Education
    In addition to law enforcement, the FTC provides extensive business 
guidance on data security. The agency's goal is to provide information 
to help businesses protect the data in their care and understand what 
practices may violate the laws the FTC enforces. The FTC provides 
general business education about data security issues, as well as 
specific guidance on emerging threats.
    In 2015, the FTC launched its Start with Security initiative, which 
includes a guide for businesses, \39\ as well as 11 short videos, \40\ 
that discuss 10 important security topics and give advice about 
specific security practices for each. In 2016, the FTC published a 
business advisory on how the National Institute of Standards and 
Technology Cybersecurity Framework applies to the FTC's data security 
work \41\ and released an update to ``Protecting Personal Information: 
A Guide for Business'', which was first published in 2007. \42\ Last 
year, the FTC published its Stick with Security blog series offering 
additional insights into the Start with Security principles, based on 
the lessons of recent law enforcement actions, closed investigations, 
and experiences companies have shared about data security in their 
business. \43\
---------------------------------------------------------------------------
     \39\ ``Start With Security: A Guide for Business'' (June 2015), 
available at https://www.ftc.gov/tips-advice/business-center/guidance/
start-security-guide-business.
     \40\ ``Start With Security: Free Resources for Any Business'' 
(Feb. 19, 2016), available at https://www.ftc.gov/news-events/audio-
video/business.
     \41\ FTC Business Blog, ``The NIST Cybersecurity Framework and the 
FTC'' (Aug. 31, 2016), available at https://www.ftc.gov/news-events/
blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc.
     \42\ ``Protecting Personal Information: A Guide for Business'' 
(Oct. 2016), available at https://www.ftc.gov/tips-advice/business-
center/guidance/protecting-personal-information-guide-business.
     \43\ FTC Business Blog, ``Stick With Security: A Business Blog 
Series'' (Oct. 2017), available at https://www.ftc.gov/tips-advice/
business-center/guidance/stick-security-business-blog-series.
---------------------------------------------------------------------------
    In addition to data security guidance, the FTC provides business 
guidance related to data breaches. In September 2016, the FTC released 
Data Breach Response: A Guide for Business, \44\ and a related video, 
which describes immediate steps companies should take when they 
experience a data breach, such as taking breached systems offline, 
securing physical areas to eliminate the risk of further harm from the 
breach, and notifying consumers, affected businesses, and law 
enforcement. The guide also includes a model data breach notification 
letter businesses can use to get started.
---------------------------------------------------------------------------
     \44\ ``Data Breach Response: A Guide for Business'' (Oct. 2016), 
available at https://www.ftc.gov/tips-advice/business-center/guidance/
data-breach-response-guide-business.
---------------------------------------------------------------------------
    The FTC also provides businesses with specific guidance on emerging 
threats. For example, most recently the FTC released a staff 
perspective and related blog post to help businesses prevent phishing 
scams. \45\ Following a workshop, \46\ the FTC published a blog post 
describing ransomware, \47\ how to defend against it, and essential 
steps to take if businesses become victims. \48\ Further, the FTC 
develops targeted guidance for companies in specific industries. For 
example, staff developed specific security guidance for debt buyers and 
sellers. \49\
---------------------------------------------------------------------------
     \45\ FTC Staff Perspective, ``Businesses Can Help Stop Phishing 
and Protect Their Brands Using Email Authentication'' (Mar. 2017), 
available at https://www.ftc.gov/reports/businesses-can-help-stop-
phishing-protect-their-brands-using-email-authentication-ftc-staff; FTC 
Business Blog, ``Want To Stop Phishers? Use Email Authentication'', 
Mar. 3, 2017, available at https://www.ftc.gov/news-events/blogs/
business-blog/2017/03/want-stop-phishers-use-email-authentication.
     \46\ Fall Technology Series: ``Ransomware'' (Sept. 7, 2016), 
available at https://www.ftc.gov/news-events/events-calendar/2016/09/
fall-technology-series-ransomware.
     \47\ Ransomware is malicious software that infiltrates computer 
systems or networks and uses tools like encryption to deny access or 
hold data ``hostage'' until the victim pays a ransom.
     \48\ FTC Business Blog, ``Ransomware--A Closer Look'' (Nov. 10, 
2016), available at https://www.ftc.gov/news-events/blogs/business-
blog/2016/11/ransomware-closer-look.
     \49\ ``Buying or Selling Debts? Steps for Keeping Data Secure'' 
(Apr. 2015), available at https://www.ftc.gov/tips-advice/business-
center/guidance/buying-or-selling-debts-steps-keeping-data-secure.
---------------------------------------------------------------------------
    The Commission also educates consumers on security. For example, 
the FTC has provided guidance for consumers on securing their home 
wireless networks, a critical security step for protecting devices and 
personal information from compromise. These resources are accessible on 
the FTC's consumer guidance website, consumer.ftc.gov. The FTC also 
assists consumers affected by data breaches through its 
identitytheft.gov website that allows consumers who are victims of 
identity theft to quickly file a complaint with the FTC and get a free, 
personalized guide to recovery that helps streamline many of the steps 
involved. In the wake of the announcement of the Equifax data breach 
last year, the agency published numerous materials and created a 
dedicated page on its website, ftc.gov/Equifax, with resources to 
educate consumers about fraud alerts, active duty alerts, credit 
freezes and locks, credit monitoring, and how to reduce the risk of 
identity theft.
Policy Initiatives
    The FTC engages in a variety of policy initiatives to enhance data 
security. The FTC has hosted workshops and issued reports to highlight 
the privacy and security implications of new technologies. For example, 
last year the FTC hosted a workshop to examine consumer injury in the 
context of privacy and data security and various issues related to the 
injuries consumers suffer when information about them is misused. \50\ 
Most recently, the Commission announced plans to hold a series of 
public hearings on the impact of market developments on competition and 
consumer protection enforcement, including the Commission's remedial 
authority to deter unfair and deceptive conduct in privacy and data 
security matters. \51\
---------------------------------------------------------------------------
     \50\ Informational Injury Workshop (Dec. 12, 2017), available at 
https://www.ftc.gov/news-events/events-calendar/2017/12/informational-
injury-workshop.
     \51\ Press Release, ``FTC Announces Hearings on Competition and 
Consumer Protection in the 21st Century'' (June 20, 2018), available at 
https://www.ftc.gov/news-events/press-releases/2018/06/ftc-announces-
hearings-competition-consumer-protection-21st.
---------------------------------------------------------------------------
Conclusion
    Thank you for the opportunity to provide the Commission's testimony 
on credit report accuracy and security. We look forward to continuing 
to work with Congress and this Committee on these important issues.
        RESPONSES TO WRITTEN QUESTIONS OF SENATOR SCOTT
                      FROM MANEESHA MITHAL

Q.1. I greatly appreciated the FTC's guidance and technical 
assistance as I authored legislation, the Protecting Children 
From Identity Theft Act (S. 2498), to stamp out synthetic ID 
fraud. Your team has long been a leading voice on this issue. 
Thanks to Chairman Crapo, the legislation was included in the 
Economic Growth, Regulatory Relief, and Consumer Protection Act 
(Section 215 of S. 2155) and enacted into law this May.
    Please answer the following with specificity:
    For the benefit of this Committee, could you explain what 
synthetic ID fraud is and who predominantly falls victim to 
this crime?

A.1. Synthetic identify theft is a technique used by some 
identity thieves in which they apply for credit using a mixture 
of real, verifiable information of an existing person with 
fictitious information, thus creating a ``synthetic'' identity. 
Often these identity thieves use real Social Security numbers 
(SSNs) of people they know are unlikely to have existing credit 
files, such as children or recent immigrants. Using a 
consumer's SSN to apply for loans, utility accounts, property 
accounts, driver's licenses, and vehicle registrations can have 
long-term consequences that can leave victims burdened with 
unauthorized debt and a flawed credit history. This type of 
identity theft has been on the rise in recent years and was a 
topic of discussion at the Federal Trade Commission's 2017 
Identity Theft conference.

Q.2. How exactly will the Protecting Children From Identity 
Theft Act cut down on synthetic ID fraud?

A.2. Synthetic identity theft often happens because there is no 
convenient mechanism to ensure that an SSN matches with other 
information provided by an applicant for credit or other 
services. Currently, the SSA's Consent-Based Social Security 
Number Verification system--while created to fight synthetic 
identity theft and other fraud--requires financial institutions 
to obtain a physical written signature from a consumer before 
making a request to verify an SSN with the SSA. This 
requirement has been time consuming and has undermined the 
effectiveness of the verification system. In an era where many 
consumers expect instant access to credit, financial 
institutions will be more likely to take verification measures 
when the process is quick and efficient.
    The Protecting Children From Identity Theft Act, which was 
incorporated into Section 215 of the Economic Growth, 
Regulatory Relief, and Consumer Protection Act, allows certain 
financial institutions, including credit reporting agencies 
(CRAs), to receive customers' consent by electronic signature 
to verify their name, date of birth, and Social Security number 
with the Social Security Administration (SSA). It also directs 
SSA to modify their databases to allow for the financial 
institutions, including CRAs, to electronically and quickly 
request and receive accurate verification of consumer data. 
These measures will result in a quicker and more efficient 
verification process that will help reduce synthetic identity 
fraud.
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                                 [all]