[Senate Hearing 115-401]
[From the U.S. Government Publishing Office]
S. Hrg. 115-401
PROTECTING CONSUMERS IN THE ERA OF
MAJOR DATA BREACHES
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
NOVEMBER 8, 2017
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
Available online: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
33-395 PDF WASHINGTON : 2019
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail,
[email protected].
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi             BILL NELSON, Florida, Ranking
ROY BLUNT, Missouri                      MARIA CANTWELL, Washington
TED CRUZ, Texas                          AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska                    RICHARD BLUMENTHAL, Connecticut
JERRY MORAN, Kansas                      BRIAN SCHATZ, Hawaii
DAN SULLIVAN, Alaska                     EDWARD MARKEY, Massachusetts
DEAN HELLER, Nevada                      CORY BOOKER, New Jersey
JAMES INHOFE, Oklahoma                   TOM UDALL, New Mexico
MIKE LEE, Utah                           GARY PETERS, Michigan
RON JOHNSON, Wisconsin                   TAMMY BALDWIN, Wisconsin
SHELLEY MOORE CAPITO, West Virginia      TAMMY DUCKWORTH, Illinois
CORY GARDNER, Colorado                   MAGGIE HASSAN, New Hampshire
TODD YOUNG, Indiana                      CATHERINE CORTEZ MASTO, Nevada
Nick Rossi, Staff Director
Adrian Arnakis, Deputy Staff Director
Jason Van Beek, General Counsel
Kim Lipsky, Democratic Staff Director
Chris Day, Democratic Deputy Staff Director
Renae Black, Senior Counsel
C O N T E N T S
----------
Page
Hearing held on November 8, 2017................................. 1
Statement of Senator Thune....................................... 1
Prepared statement........................................... 3
Statement of Senator Nelson...................................... 4
Prepared statement........................................... 5
Statement of Senator Wicker...................................... 25
Statement of Senator Blumenthal.................................. 26
Statement of Senator Schatz...................................... 28
Statement of Senator Moran....................................... 30
Statement of Senator Baldwin..................................... 33
Statement of Senator Cortez Masto................................ 36
Statement of Senator Hassan...................................... 38
Statement of Senator Capito...................................... 40
Statement of Senator Gardner..................................... 42
Statement of Senator Young....................................... 45
Statement of Senator Cantwell.................................... 47
Statement of Senator Peters...................................... 49
Statement of Senator Markey...................................... 51
Statement of Senator Duckworth................................... 53
Statement of Senator Udall....................................... 55
Statement of Senator Klobuchar................................... 58
Witnesses
Paulino do Rego Barros, Jr., Interim Chief Executive Officer,
Equifax, Inc................................................... 6
Prepared statement........................................... 7
Richard Smith, Former Chairman and Chief Executive Officer,
Equifax, Inc................................................... 9
Prepared statement........................................... 9
Marissa Mayer, Former Chief Executive Officer, Yahoo!, Inc....... 10
Prepared statement........................................... 12
Karen Zacharia, Chief Privacy Officer, Verizon Communications
Incorporated................................................... 14
Prepared statement........................................... 15
Todd Wilkinson, President and Chief Executive Officer, Entrust
Datacard....................................................... 17
Prepared statement........................................... 18
Appendix
News Release dated November 3, 2017 from Marisa Salcines, Media
Relations, Equifax............................................. 61
Letter dated November 7, 2017 to Hon. John Thune and Hon. Bill
Nelson from Brad Thaler, Vice President of Legislative Affairs,
National Association of Federally-Insured Credit Unions........ 68
Letter dated November 8, 2017 to Hon. John Thune and Hon. Bill
Nelson from David French, Senior President, Government
Relations, National Retail Foundation.......................... 70
Letter dated November 17, 2017 to Hon. John Thune and Hon. Bill
Nelson from Steven G. Madison, Quinn Emanuel................... 72
Letter dated December 19, 2017 to Hon. John Thune from Theodore
M. Hester, King & Spalding LLP................................. 74
Response to written questions submitted to Paulino do Rego
Barros, Jr. by:
Hon. John Thune.............................................. 84
Hon. Dean Heller............................................. 86
Hon. Bill Nelson............................................. 86
Hon. Richard Blumenthal...................................... 87
Hon. Tammy Duckworth......................................... 89
Hon. Catherine Cortez Masto.................................. 90
Response to written question submitted to Marissa Mayer by:
Hon. Dean Heller............................................. 93
Response to written questions submitted to Karen Zacharia by:
Hon. John Thune.............................................. 93
Hon. Bill Nelson............................................. 94
Hon. Catherine Cortez Masto.................................. 95
Response to written question submitted to Todd Wilkinson by:
Hon. Bill Nelson............................................. 96
Hon. Richard Blumenthal...................................... 96
PROTECTING CONSUMERS IN THE ERA OF MAJOR DATA BREACHES
----------
WEDNESDAY, NOVEMBER 8, 2017
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Committee met, pursuant to notice, at 10:04 a.m. in
room SD-106, Dirksen Senate Office Building, Hon. John Thune,
Chairman of the Committee, presiding.
Present: Senators Thune [presiding], Wicker, Blunt, Moran,
Sullivan, Heller, Capito, Gardner, Young, Nelson, Cantwell,
Klobuchar, Blumenthal, Schatz, Markey, Udall, Peters, Baldwin,
Duckworth, Hassan, and Cortez Masto.
OPENING STATEMENT OF HON. JOHN THUNE,
U.S. SENATOR FROM SOUTH DAKOTA
The Chairman. Good morning. Now that our executive session
is complete, we turn to the issue of data breaches.
Data breach is not a new issue for the Committee to
explore. In fact, the Committee has been focused on the
consumer impact of data breaches since before I was elected to
the U.S. Senate.
The September 2004 ChoicePoint breach, what many consider
to be the first high-profile data breach of the modern era,
prompted a number of investigations from this Committee, from
the FTC, and from Federal and state authorities.
For those that don't remember, ChoicePoint was a data
aggregation company originally created by Equifax, who, as fate
would have it, is represented here today. In terms of the
trajectory of congressional inquiry into major data breaches,
you might say we've come full circle.
In the intervening years, Congress, and this Committee in
particular, have paid close attention to data breaches big and
small. In addition, the Committee has entertained a variety of
proposals to strengthen data security requirements for
companies across the board, as well as to impose Federal
requirements for affected companies to notify their consumers
following the discovery of a breach.
Sadly, we are truly in the era of major data breaches.
These include the large-scale breaches at Equifax and Yahoo!
that we are examining today.
While the Yahoo! breaches are larger in terms of affected
consumers, the Equifax breach is potentially much more severe
given the sensitive nature of the consumer information
compromised. In fact, I've heard from many constituents in
South Dakota who are concerned about the lasting effects of the
Equifax breach. I have also heard complaints that it is
difficult to set up a credit freeze, and questions about
whether credit monitoring is an effective tool to prevent
identity theft.
The Equifax breach reportedly exposed the sensitive
personal data of about 145.5 million U.S. consumers, including
their names, Social Security numbers, birth dates, addresses,
and in some cases, driver's license numbers.
Also exposed were the credit card numbers for more than
200,000 U.S. consumers and dispute documents containing
personal identifying information for more than 180,000 U.S.
consumers.
Today, Equifax will have an opportunity to provide an
update regarding the breach, as well as its much-criticized
efforts to mitigate the harm and prevent anything like this
from happening again.
The Yahoo! breach we will discuss today compromised over 3
billion user accounts and followed a prior breach in which
hackers stole similar types of information from at least 500
million users. The compromised data included names, telephone
numbers, dates of birth, partial passwords, unencrypted
security questions and answers, backup e-mail addresses, and
employment information. The 3 billion figure constitutes the
entirety of the Yahoo! Mail and other Yahoo!-owned accounts at
the time of the breach.
Today, Yahoo! representatives will have an opportunity to
provide an update regarding these breaches as well as efforts
to mitigate the harm and ensure the security of consumer data
going forward.
The massive data breaches at Equifax and Yahoo! illustrate
quite dramatically that our Nation continues to face constantly
evolving cyber threats to our personal data. Companies that
collect and store personal data on American citizens must step
up to provide adequate cybersecurity, and there should be
consequences if they fail to do so.
The Committee has made cybersecurity a priority, and I am
hopeful that today's hearing will help the Committee to better
understand these challenges as it considers legislation to
address data breach notification and data security issues.
When there is a risk of real harm stemming from a breach,
we must make sure that consumers have the information that they
need to protect themselves. That's why I support a uniform
Federal breach notification standard to replace the patchwork
of laws in 48 states in addition to the District of Columbia
and three other territories.
A single Federal standard would ensure all consumers are
treated the same with regard to notification of data breaches
that might cause them harm. Such a standard would also provide
consistency and certainty regarding timely notification
practices benefiting both consumers and businesses.
In order to ensure that businesses secure information
appropriately, I have also advocated for uniform reasonable
security requirements to protect consumer data, based on the
size and scope of the company and the sensitivity of the
information. However, in this regard, the facts of the Equifax
breach are particularly troubling.
As a credit bureau, Equifax was already subject to the
Safeguards Rule under the Gramm-Leach-Bliley Act, which is
considered to be a stringent regulation. Nevertheless, the
Equifax breach occurred, and its implications on American
consumers appear dire.
Enhancing security and protecting the personal data of
American consumers will continue to be a priority for this
Committee. So I want to thank all of our witnesses for
appearing here today. And I look forward to hearing your
testimony.
I will now turn to Senator Nelson for his opening remarks.
[The prepared statement of Senator Thune follows:]
Prepared Statement of Hon. John Thune, U.S. Senator from South Dakota
Good morning. Now that our executive session is complete, we turn
to the issue of data breaches.
Data breach is not a new issue for the Committee to explore. In
fact, the Committee has been focused on the consumer impact of data
breaches since before I was elected to the U.S. Senate.
The September 2004 ChoicePoint breach, what many consider to be the
first high-profile data breach of the modern era, prompted a number of
investigations from this Committee, the FTC, and Federal and state
authorities.
For those that don't remember, ChoicePoint was a data aggregation
company originally created by Equifax, who as fate would have it, is
represented here today. In terms of the trajectory of congressional
inquiry into major data breaches, you might say we have come full
circle.
In the intervening years, Congress, and this Committee in
particular, have paid close attention to data breaches big and small.
In addition, the Committee has entertained a variety of proposals to
strengthen data security requirements for companies across the board,
as well as to impose Federal requirements for affected companies to
notify their consumers following the discovery of a breach.
Sadly, we are truly in the era of major data breaches. These
include the large-scale breaches at Equifax and Yahoo! that we are
examining today.
While the Yahoo! breaches are larger in terms of affected
consumers, the Equifax breach is potentially much more severe given the
sensitive nature of the consumer information compromised. In fact, I
have heard from many constituents in South Dakota who are concerned
about the lasting effects of the Equifax breach. I have also heard
complaints that it is difficult to set up a credit freeze, and
questions about whether credit monitoring is an effective tool to
prevent identity theft.
The Equifax breach reportedly exposed the sensitive personal data
of about 145.5 million U.S. consumers, including their names, social
security numbers, birth dates, addresses, and in some cases, driver's
license numbers.
Also exposed were the credit card numbers for more than 200,000
U.S. consumers and dispute documents containing personal identifying
information for more than 180,000 U.S. consumers.
Today, Equifax will have an opportunity to provide an update
regarding the breach, as well as its much-criticized efforts to
mitigate the harm and prevent anything like this from happening again.
The Yahoo! breach we will discuss today compromised over 3 billion
user accounts and followed a prior breach in which hackers stole
similar types of information from at least 500 million users.
The compromised data included names, telephone numbers, dates of
birth, partial passwords, unencrypted security questions and answers,
backup e-mail addresses, and employment information.
The 3 billion figure constitutes the entirety of the Yahoo! Mail
and other Yahoo!-owned accounts at the time of the breach.
Today Yahoo! representatives will have an opportunity to provide an
update regarding these breaches as well as efforts to mitigate the harm
and ensure the security of consumer data going forward.
The massive data breaches at Equifax and Yahoo! illustrate quite
dramatically that our Nation continues to face constantly evolving
cyber threats to our personal data.
Companies that collect and store personal data on American citizens
must step up to provide adequate cybersecurity. And there should be
consequences if they fail to do so.
The Committee has made cybersecurity a priority, and I am hopeful
that today's hearing will help the Committee to better understand these
challenges as it considers legislation to address data breach
notification and data security issues. When there is risk of real harm
stemming from a breach, we must make sure that consumers have the
information they need to protect themselves.
That is why I support a uniform Federal breach notification
standard to replace the patchwork of laws in 48 states, in addition to
the District of Columbia and three other territories.
A single Federal standard would ensure all consumers are treated
the same with regard to notification of data breaches that might cause
them harm. Such a standard would also provide consistency and certainty
regarding timely notification practices, benefiting both consumers and
businesses.
In order to ensure that businesses secure information
appropriately, I have also advocated for uniform, reasonable security
requirements to protect consumer data, based on the size and scope of
the company and the sensitivity of the information.
However, in this regard, the facts of the Equifax breach are
particularly troubling. As a credit bureau, Equifax was already subject
to the Safeguards Rule under the Gramm-Leach-Bliley Act, which is
considered to be a stringent regulation.
Nevertheless, the Equifax breach occurred and its implications on
American consumers appear dire.
Enhancing security and protecting the personal data of American
consumers will continue to be a priority for this Committee. I want to
thank all of the witnesses for appearing here today. I look forward to
hearing your testimony.
I will now turn to Senator Nelson for his opening remarks.
STATEMENT OF HON. BILL NELSON,
U.S. SENATOR FROM FLORIDA
Senator Nelson. Thank you, Mr. Chairman. This, as you
stated, is the latest edition in the long history of hearings
that we've held on this Committee to discuss data security and
breaches.
I want to thank several Senators on this Committee who have
asked for this hearing, including Senator Baldwin in
particular, and Senator Cortez Masto. Thank you for all the
more bringing this to the forefront.
If you start with the massive breach of the ChoicePoint
breach in 2005, continuing with Target, Neiman Marcus,
Snapchat, Sony, Citigroup, CVS, South Shore Hospital, Heartland
Payment Systems, and many, many others, the parade of high-
profile data breaches seems to have no end. Billions of
consumers have had their sensitive personal, personally
identifiable information compromised, including Social Security
numbers, driver's licenses, addresses, dates of birth.
For years going forward, criminals can use this data to
steal the identity of innocent consumers and create fake
accounts in their names and commit other types of fraud. I
might point out that right now we estimate $5 billion a year is
being stolen from the U.S. Treasury just on fake Federal income
tax returns of which they get a refund.
On top of that, we also recently found out the 2013 Yahoo!
breach compromised the personal data, it's hard to believe, of
3 billion users. That's the biggest data breach in history. And
yet today, here we are once again dealing with the aftermath of
the recent Equifax breach involving the personal identification
information of nearly 145 million Americans.
Now, this most recent breach raises an even more troubling
question because if credit reporting agencies that offer
identity theft protection and credit monitoring services can't
even safeguard their own data from hackers, then how can
consumers trust any company to protect their information? Let
me say also when you get up against the sophistication of state
actors such as Russia and China, it's going to be hard to
protect against them.
Sadly, the question that millions of Americans are now
asking is, as they struggle to figure out how to protect
themselves in the wake of these massive breaches, ``What in the
world do we do?''
So this Committee, Mr. Chairman, is going to again consider
what it would do to make sure that consumers are protected. But
if we're going to do anything meaningful, we must have the
political will to hold these companies accountable.
Over the years, the Federal Trade Commission has brought
numerous enforcement actions against companies for lax data
security practices, but industry has recently challenged the
FTC's well-established legal authority to bring such actions.
Furthermore, this piecemeal, after-the-fact approach would
be better served if the FTC were able to prescribe rules that
require companies to adopt reasonable security practices in the
first place. The FTC has already put forward rules that apply
to financial institutions like Equifax. The agency should have
a similar authority for the rest of the commercial sector.
Mr. Chairman, I think at the end of the day, only stiffer
enforcement and stringent penalties are going to be able to
help incentivize companies to properly safeguard their consumer
information and to notify their consumers when they've been
compromised. I strongly believe that without rigorous data
security rules in place, it is not a question of if that we
will have another breach, but when.
We can either take action with commonsense rules, or we can
start planning for our next hearing on this issue.
Thank you, Mr. Chairman.
[The prepared statement of Senator Nelson follows:]
Prepared Statement of Hon. Bill Nelson, U.S. Senator from Florida
Thank you, Mr. Chairman, and thank you for holding this important
hearing.
Mr. Chairman, this is the latest edition in a long history of
hearings we've held in this Committee to discuss data security and
breaches. Starting with the massive ChoicePoint breach in 2005, and
continuing with Target, Neiman Marcus, Snapchat, Sony, Citigroup, CVS,
South Shore Hospital, Heartland Payment Systems, and many, many others,
the parade of high-profile data breaches seems to have no end.
And here we are once again, today, dealing with the aftermath of
what is by most accounts the most serious data breach to date. Over 145
million consumers have had their sensitive personal data compromised,
including Social Security numbers, drivers' license numbers, addresses,
dates of birth. For years going forward, criminals can use this data to
steal the identity of innocent consumers and create fake accounts in
their names and commit other types of fraud.
On top of that, we also recently found out that the 2013 Yahoo
breach compromised the personal data of 3 billion users, making it the
biggest data breach in history.
The repercussions of these massive breaches will probably not be
fully understood for many years. As consumers struggle to figure out
how to protect themselves in the wake of these massive breaches, this
committee will, no doubt, once again, consider what it can do to make
sure consumers are protected from these breaches. But if we are going
to do anything meaningful, Congress must have the political will to
hold these corporations accountable.
Over the years, the Federal Trade Commission has brought numerous
enforcement actions against companies for lax data security practices.
But industry has recently challenged the FTC's well-established legal
authority to bring such enforcement actions. Furthermore, this
piecemeal, after-the-fact approach would be better served if the FTC
were able to prescribe rules that require companies to adopt reasonable
security practices in the first place. The FTC has already promulgated
such rules under the Gramm Leach Bliley Act that apply to financial
institutions like Equifax. The agency should have similar authority for
the rest of the commercial sector.
That is why I intend to re-introduce the Data Security and Breach
Notification Act, which Senator Blumenthal and I introduced in the last
Congress. Only stiffer enforcement and stringent penalties will help
incentivize companies to properly safeguard consumer information and
promptly notify them when their data has been compromised.
Mr. Chairman, I strongly believe that without such rigorous data
security rules in place, the next massive data breach is right around
the corner. So we can either take action to enact these common-sense
rules or we can start planning for our next hearing on this issue,
because it's not going away on its own.
The Chairman. Thank you, Senator Nelson. And I, too, hope
that the hearing today can inform our future actions. It's an
issue that I think needs to be addressed, and Congress needs to
be heard from.
So I'm glad to have our panel with us this morning. On my
left, and your right, is Mr. Paulino do Barros, Jr., who is the
Interim Chief Executive Officer at Equifax. Next to him is Mr.
Richard Smith, who is the former CEO at Equifax; Ms. Marissa
Mayer, who is the former CEO at Yahoo!, Incorporated; Ms. Karen
Zacharia, who is the Deputy General Counsel and Chief Privacy
Officer for Verizon Communications Incorporated, the parent
company of Yahoo! since 2017; and Mr. Todd Wilkinson, who is
President and Chief Executive Officer of Entrust Datacard
Corporation.
So we'll ask you to proceed with your comments. I'll start
on my left with you, Mr. Barros, and ask, if you can, to
confine your oral remarks as close to 5 minutes as possible,
but anything that you want to add will be included in the
written record of the hearing. So thank you for being here.
Mr. Barros.
STATEMENT OF PAULINO do REGO BARROS, JR.,
INTERIM CHIEF EXECUTIVE OFFICER, EQUIFAX, INC.
Mr. Barros. Good morning. Chairman Thune, Ranking Member
Nelson, members of the Committee, thank you for the opportunity
to be here today. My name is Paulino do Rego Barros, Jr. Six
weeks ago, I was named interim Chief Executive Officer of
Equifax. I never expected to become CEO in these circumstances,
but I am honored to be in this position. Speaking for everyone
at Equifax, I'm determined to address all the issues from the
data breach, so that we can regain the confidence of the
American people.
Although Equifax is based in Atlanta, I think you can tell
from my accent that I did not grow up in Georgia. I'm a native
of Brazil. I have had the privilege of working most of my adult
life in the U.S. My children were born here. I'm an engineer by
training, and I have spent a lifetime confronting and fixing
complex business problems. This is the mindset I bring to my
new position.
My first act as CEO was to immediately address our consumer
response in the call centers and our website. Our engagement
with consumers was not acceptable, and we are working hard to
fix the problems.
I also apologized to the American people, and I do so again
here today. What I promise each of you and the American people
is that Equifax will be focused every day on strengthening
security and providing better support for consumers. We will be
an industry leader in giving consumers more control over
personal credit data.
In advance of your questions, I would like to review
briefly some of the actions we have taken in the past 6 weeks.
First, my highest priority has been to improve service for
consumers. To this end, I have visited call centers, spoken
with call center representatives, personally taken calls from
consumers, and helped resolve their issues. Through social
media, we have expanded communications with consumers. Most
significantly, we have improved the website, added staff to
call centers, and made the overall experience more consumer-
friendly. The result is a substantial reduction in delays and
backlogs.
Second, we have revised our corporate structure. The Chief
Security Officer now reports directly to me. I have also
appointed a Chief Transformation Officer to oversee the
company's response to the cybersecurity incident.
Third, we are rapidly improving our security
infrastructure. We are further hardening our networks, changing
our patching procedures, introducing new vulnerability
detection tools, and strengthening our accountability
mechanisms.
Fourth, we have committed to working with the entire
industry to develop solutions to the growing cybersecurity and
data protection challenges we all face.
And, finally, we promised to launch a new easy-to-use app
in January that will give consumers the power to lock and
unlock access to personal credit data, for free, and for life.
I am pleased to report that we are on schedule with the
development of the app, and we are confident consumers will
find it extremely valuable.
We have done a lot in a short period of time, but this is
just the beginning. I remind my team every day that there are
no shortcuts. Strengthening the company's security capabilities
and serving consumers requires both a daily engagement and a
long-term commitment. And I pledge this is now how we will
continue to proceed.
Equifax is made up of 10,000 talented and dedicated people.
Our business is not well understood, but it is essential for
the economy and for helping consumers obtain the credit they
need. Our top job must be to protect the data entrusted to us.
We did not meet the public's expectations, and now it's up to
us to prove that we can regain their trust.
We are committed to working with consumers, customers,
Congress, and regulators to remedy these issues and restore
public trust. This has been my focus during my first 6 weeks as
CEO, and it will continue to be my focus every day I am in this
job.
Thank you for your attention. I welcome your questions.
[The prepared statement of Mr. Barros follows:]
Prepared Statement of Paulino do Rego Barros, Jr.,
Interim Chief Executive Officer, Equifax
Chairman Thune, Ranking Member Nelson, Members of the Committee,
thank you for having me here today. My name is Paulino do Rego Barros,
Jr. Six weeks ago, I was named interim Chief Executive Officer of
Equifax. I never expected to become CEO in these circumstances. But I
am honored to have this opportunity to help. Speaking for everyone at
Equifax, we are determined to address all the issues from the data
breach so that we can regain the confidence of the American people.
Although Equifax is based in Atlanta, I think you can tell from my
accent that I did not grow up in Georgia. I am a native of Brazil. I
have had the privilege of working most of my adult life in the United
States, and my children were born here. In my heart, I have grown to
appreciate all that the American way of life and doing business
represents--especially when it comes to respect for the consumer.
We have provided the Committee with the summary that Mandiant
provided at the conclusion of its forensic investigation. Mr. Smith
testified about the details of the breach in prior hearings, and we
have briefed Congressional staff about the incident. My focus today
will be on our steps going forward as a company, not on the forensic
details of the breach.
I am an engineer by training. I have spent a lifetime confronting
and fixing complex business problems. This is the mindset I bring to my
new position. My first act as CEO was to immediately address the
consumer call centers and website. Our initial engagement with
consumers was not acceptable. We are working hard to fix these
problems.
In an Op-Ed in the Wall Street Journal, published on my third day
as CEO, I acknowledged that we let down U.S. consumers, our customers,
and even our families and friends. I apologized to the American people,
and I want to emphasize again to all those who have been affected by
the breach how deeply sorry I am. I wish I could turn back the clock to
prevent all of this from happening, but I can't. What I promise each of
you, and the American people, is that Equifax will be focused every day
on strengthening security and providing better support for consumers.
We will be an industry leader in giving consumers more control over
personal credit data.
In advance of your questions, I would like to review briefly some
of the actions we have taken in the past six weeks.
First, my highest priority has been to improve service for
consumers. To this end, I have visited call centers, spoken with call
center representatives, personally taken calls from consumers, and
helped resolve consumer issues. Through social media, we have expanded
communications with consumers. Most significantly, we have improved the
usability of the website, added staff to the call centers, made the
overall experience more consumer-friendly, and substantially reduced
delays and backlogs.
Second, we have revised our corporate structure. The Chief Security
Officer now reports directly to me, ensuring greater accountability
over this critical function. I have also appointed a Chief
Transformation Officer to oversee the company's response to the
cybersecurity incident and coordinate our efforts to build a new
future. This will allow me to have direct insight into every aspect of
our remediation efforts.
Third, we are rapidly improving our data security infrastructure.
We are further hardening our networks, changing our procedures to
require ``closed loop'' confirmation when software patches are applied,
rolling out new vulnerability detection tools, and strengthening
accountability mechanisms. We have also engaged PwC to assist us with
our security program, including strategic remediation and
transformation initiatives that will help us identify and implement
solutions to strengthen our long-term data protection and cybersecurity
posture.
We are also working to reinforce the culture of security throughout
the entire company. Security is the responsibility of all Equifax
employees, whether or not they are members of our Security or
Information Technology teams. Since taking this position, I have spoken
to our employees at multiple town hall meetings about the absolute
necessity of good security practices and the critical importance of
protecting consumer information.
Fourth, we have committed to working with the entire industry to
develop solutions to the growing cybersecurity and data protection
challenges we all face. We see this breach as a turning point--not just
for Equifax, but for everyone interested in protecting personal data.
Finally, we promised to launch a new easy-to-use app in January
that will give consumers the power to lock and unlock access to
personal credit data--for free, for life. I am pleased to report that
we are on schedule with the development of the app, and we are
confident consumers will find it extremely valuable.
We have done a lot in a short period of time, but this is just a
start. I remind my team every day that there are no shortcuts.
Strengthening the company's security capabilities and serving consumers
requires both a daily engagement and a long-term commitment. I pledge
this is how we will continue to proceed.
When I was offered the position, I understood the magnitude of this
challenge, but I also recognized an opportunity to give back to the
company and this country. Some of my family and friends thought I was
crazy for accepting the challenge. Some of you may think the same. I
understand. Although the task ahead of us is difficult, I believe that
my prior training and years of experience have prepared me well for
this job.
Before I close, I want to express my personal appreciation to Rick
Smith. Through this challenging transition, he has been fully
supportive, as I knew he would be. His contributions to the company
have been significant, and I am grateful for his service.
Equifax is made up of 10,000 talented and dedicated people. Our
business is not well understood, but it is essential for the economy
and for helping consumers obtain the credit they need. Because of our
industry, consumers are able to obtain loans for homes, cars,
education, and other vital needs. Our business plays an important role
in the economy, and our top job must be to protect the data entrusted
to us. We did not meet the public's expectations, and now it is up to
us to prove that we can be trusted again. We are committed to working
with consumers, customers, Congress, and regulators to remedy these
issues and restore public trust. This has been my focus during my first
six weeks as CEO. It will continue to be my focus every day I am in
this job.
Thank you for your attention. I welcome your questions.
The Chairman. Thank you, Mr. Barros.
Mr. Smith.
STATEMENT OF RICHARD F. SMITH, FORMER CHAIRMAN
AND CHIEF EXECUTIVE OFFICER, EQUIFAX, INC.
Mr. Smith. Thank you. Thank you, Chairman Thune, Ranking
Member Nelson, and the honorable members of the Committee. I
thank you for the opportunity to testify before you today. I
submitted my written testimony to this Committee as well as to
a number of other committees in both the Senate and the House I
have testified before over the past 3 or 4 weeks. That written
testimony is the record of the events of the breach that
Equifax incurred, and I'm here today, Mr. Chairman, to answer
any questions you may have. Thank you.
[The prepared statement of Mr. Smith follows:]
Prepared Statement of Richard F. Smith, Former Chairman
and Chief Executive Officer, Equifax, Inc.
Chairman Thune, Ranking Member Nelson, and Honorable Members of the
Committee, thank you for the opportunity to testify before you today.
I was honored to serve as the Chairman and Chief Executive Officer
of Equifax for 12 years, until I retired on September 25. As I have
previously testified before other Committees of the United States
Senate, and before House panels as well, as CEO I was ultimately
responsible for what happened on my watch. Equifax was entrusted with
Americans' private data and we let them down. For that, I remain deeply
sorry. We now know that criminals executed a major cyberattack on
Equifax, hacked into our data, and were able to access information for
over 145 million American consumers. The information accessed includes
names, Social Security numbers, birth dates, addresses, and in some
instances, driver's license numbers; credit card information for
approximately 209,000 consumers was also stolen, as well as certain
dispute documents with personally identifying information for
approximately 182,000 consumers. I want to again express my apologies
to everyone affected by this breach.
When we first learned of suspicious activity, I and many others at
Equifax worked with outside experts to understand what had occurred and
do everything possible to make this right. Ultimately we realized we
had been the victim of a massive theft, and we set out to notify
American consumers, protect against increased attacks, and remediate
and protect against harm to consumers. We developed a robust package of
remedial protections for each and every American consumer--not just
those affected by the breach--to protect their credit information. The
relief package includes: (1) monitoring of consumer credit files across
all three bureaus, (2) access to Equifax credit files, (3) the ability
to lock the Equifax credit file, (4) an insurance policy to cover out-
of-pocket costs associated with identity theft; and (5) dark web scans
for consumers' social security numbers. All five of these services are
free and without cost to all Americans. We have also taken steps to
better protect consumer data moving forward. Equifax also announced a
new service that I understand will be available by January 31, 2018,
that will allow consumers to control their own credit data, by allowing
them to lock and unlock their credit files at will, repeatedly, for
free, for life. This puts the control of consumers' credit information
where it belongs--with the consumer. I was pleased to see the company
move forward with this plan, which we had put in motion months ago, and
which I directed the company to accelerate, as we were constructing the
remedial package in response to the breach.
I previously testified in detail about how the breach occurred and
what I and Equifax knew and did at specific points in time as this
episode unfolded. I would of course be happy to provide the Committee
with that detailed information if helpful. I understand that the FBI's
investigation and Equifax's own review and remediation are ongoing, as
are, of course, numerous other investigations.
Where do we go from here? As you consider the public policy
implications of these breaches, two observations occur to me. First, an
industry standard placing control of access to consumers' credit data
in the hands of the consumers should be adopted. Equifax's free
lifetime lock program will allow consumers, and consumers alone, to
decide when their credit information may be accessed. This should
become the industry standard. Second, we should consider the creation
of a public-private partnership to begin a dialogue on replacing the
Social Security Number as the touchstone for identity verification in
this country. It is time to have identity verification procedures that
match the technological age in which we live.
The list of companies and government agencies that have suffered
major hacks at the hands of sophisticated cybercriminals is sadly very
long, and growing. I was deeply disappointed when Equifax was added to
that list. I stepped away from a company I led and loved and helped
build for more than a decade. But I remain strongly committed to
helping address the important questions this episode has raised. Part
of that continues today, as I have previously voluntarily appeared and
appear today at this hearing voluntarily to share what I know. Going
forward, government and the private sector need to grapple with an
environment where data breaches will occur. Giving consumers more
control of their data is a start, but is not a full solution in a world
where the threats are always evolving. I am hopeful there will be
careful consideration of this changing landscape by both policymakers
and the credit reporting industry.
Equifax was founded 118 years ago and now serves as one of the
largest sources of consumer and commercial information in the world.
That information helps people make business and personal financial
decisions in a more timely and accurate way. Behind the scenes,
millions of Americans have accessed credit, whether to buy a house or a
car, pay for college, or start a small business, because of the
services offered by Equifax. During my time at the company, working
together with our employees, customers, and others, we saw the company
grow from approximately 4,000 employees to almost 10,000. Some of my
proudest accomplishments are the efforts we undertook to build credit
models that allowed and continue to allow many unbanked Americans
outside the financial mainstream to access credit in ways they
previously could not have. I remain deeply grateful for the 12 years I
spent leading the company.
The hard work of regaining the trust of the American people that
was developed over the course of the company's history is ongoing and
must be sustained. I believe the company, under the leadership of Lead
Director Mark Feidler, and interim CEO Paulino do Rego Barros, Jr.,
will continue these efforts with vigor and commitment.
Chairman Thune, Ranking Member Nelson, and Honorable Members of the
Committee, thank you again for inviting me to speak with you today.
This was a very difficult experience for the men and women of Equifax
but I am confident that under the leadership of Paulino and Mark the
company will work tirelessly to regain the trust of American consumers.
I look forward to answering your questions and assisting you in any way
I can.
The Chairman. Thank you, Mr. Smith.
Ms. Mayer.
STATEMENT OF MARISSA MAYER,
FORMER CHIEF EXECUTIVE OFFICER, YAHOO!, INC.
Ms. Mayer. Chairman Thune, Ranking Member Nelson, and
distinguished members of the Committee, thank you for the
opportunity to appear before you today.
I had the honor and privilege of serving as Yahoo!'s Chief
Executive Officer from July 2012 through the sale of its core
operating business in June of this year. As you know, Yahoo!
was the victim of criminal state-sponsored attacks on its
systems, resulting in the theft of certain user information. We
worked hard over the years to earn our users' trust. As CEO,
these thefts occurred during my tenure, and I want to sincerely
apologize to each and every one of our users.
When Yahoo! learned of the state-sponsored attack on its
systems in late 2014, Yahoo! promptly reported it to law
enforcement and notified the users understood at that time to
have been directly impacted. Yahoo! worked closely with law
enforcement, including the FBI, who were ultimately able to
identify and expose the hackers responsible for these attacks.
We now know that Russian intelligence officers and state-
sponsored hackers were responsible for highly complex and
sophisticated attacks on Yahoo!'s systems. The Department of
Justice and FBI announced a 47-count indictment charging four
individuals with these crimes against Yahoo! and its users. The
DOJ and FBI praised Yahoo! for our extensive cooperation and
early proactive engagement with law enforcement.
In November 2016, law enforcement provided Yahoo! with data
files that a third party claimed contained Yahoo! user data.
Yahoo! determined that user data was most likely stolen from
the company in August 2013. Although Yahoo! and its outside
forensic experts were unable to identify the intrusion
associated with the August 2013 theft, the company promptly
disclosed the incident, notified the users believed to have
been affected, and took steps to secure all user accounts.
I want to stress how seriously I view the threat of cyber
attacks and how personally I feel about these potential risks.
After growing up in Wisconsin, I remember buying my first
computer in college, developing a passion for computer science
and writing code, and seeing the potential for how this
emerging technology could change the world. After college, I
was hired by a small startup named Google, as their 20th
employee and first woman engineer. There, over the next 13
years, I worked my way up from software engineer to ultimately
becoming a member of the executive operating committee.
In July 2012, I became the CEO of Yahoo!. I will always be
grateful for and humbled by the opportunity to have led Yahoo!
and its employees for the last five years. My experiences from
Yahoo! and Google have shown me the amazing potential of the
Internet to change our world for the better. They, however,
have also reinforced the potential dangers posed by cyber
crime.
I am here today to discuss with the Committee, as best I am
able, our efforts to confront the challenges of cybersecurity,
including some of the security measures and defenses Yahoo! had
in place in the hopes of further advancing consumer protection
and security.
Throughout my tenure as CEO, we worked hard from the top
down and bottom up to protect our systems and our users. We
devoted substantial resources to security with a shared goal of
staying ahead of the sophisticated and constantly evolving
threats. After I joined Yahoo!, we roughly doubled our internal
security staff and made significant investments in its
leadership and the team.
In addition to improving our talent, we also improved our
security processes and system defenses. Yahoo! had in place
multiple layers of sophisticated protection. During my tenure
at Yahoo!, we were extremely committed to security and invested
tremendous resources. I want to thank all of our team members
for their tireless efforts in addressing Yahoo!'s security.
Unfortunately, while all of our measures helped Yahoo!
successfully defend against the barrage of attacks by both
private and state-sponsored hackers, Russian agents intruded on
our systems. The threat from state-sponsored attacks has
changed the playing field so dramatically that today I believe
all companies, even the most well-defended ones, could fall
victim to these crimes.
I will close by saying that cybersecurity is a global
challenge. As we have all witnessed, no company, individual, or
even government agency is immune from these threats. The
attacks on Yahoo! demonstrate that strong collaboration between
the public and private sectors is essential in the fight
against cyber crime. In addition, aggressive pursuit of cyber
criminals, as the DOJ and FBI exhibited in Yahoo!'s case, could
be a meaningful deterrent in preventing future crimes like
these.
To echo the words of the then Acting Assistant Attorney
General overseeing the investigation of the cyber crime
perpetrated against Yahoo!: a nation-state attack is not a fair
fight, and it is not a fight you will win alone. By working
together, we can help to level the cyber playing field.
Thank you for the opportunity to address the Committee
today.
[The prepared statement of Ms. Mayer follows:]
Prepared Statement of Marissa Mayer, Former Chief Executive Officer,
Yahoo!, Inc.
Chairman Thune, Ranking Member Nelson, and distinguished Members of
the Committee, thank you for the opportunity to appear before you today
to discuss important issues surrounding consumer protection and data
security.
I had the honor and privilege of serving as Yahoo's Chief Executive
Officer from July 2012 through the sale of its core operating business
in June of this year. As you know, Yahoo was the victim of criminal
state-sponsored attacks on its systems resulting in the theft of
certain user information. First and foremost, I want to reiterate how
sorry I am for these incidents. We worked hard over the years to earn
our users' trust, and we fought hard to preserve it. As CEO, these
thefts occurred during my tenure, and I want to sincerely apologize to
each and every one of our users.
When Yahoo learned of a state-sponsored attack on its systems in
late 2014, Yahoo promptly reported it to law enforcement and notified
the users understood at that time to have been directly impacted. Yahoo
worked closely with law enforcement, including the Federal Bureau of
Investigation (``FBI''), who were ultimately able to identify and
expose the hackers responsible for the attacks. We now know that
Russian intelligence officers and state-sponsored hackers were
responsible for highly complex and sophisticated attacks on Yahoo's
systems. On March 15, 2017, the U.S. Department of Justice (``DOJ'')
and FBI announced a 47-count indictment charging four individuals with
these crimes against Yahoo and its users. In connection with the
government's investigation, the DOJ and FBI praised Yahoo for our
extensive cooperation and ``early, proactive engagement'' with law
enforcement, as well as our ``leadership and courage,'' and described
Yahoo as ``great partners'' in the government's multi-year
investigation.
As part of our cooperation with the government to try to prevent
these types of crimes, in November 2016, law enforcement provided Yahoo
with data files that a third party claimed contained Yahoo user data.
Yahoo worked closely with law enforcement and leading forensic experts
to investigate and analyze that data. Following the investigation,
Yahoo determined that user data was most likely stolen from the company
in August 2013. Although Yahoo and its outside forensic experts were
unable to identify the intrusion associated with the August 2013 theft,
the company promptly disclosed the incident, notified users believed to
have been affected, and took steps to secure all user accounts,
including by requiring potentially affected users to change passwords.
The stolen account information included names, e-mail addresses,
telephone numbers, dates of birth, hashed passwords and, in some cases,
encrypted or unencrypted security questions and answers. The stolen
account information did not include unprotected passwords, social
security numbers, or sensitive financial information, such as payment
card data or bank account information.
Before I go on, I want to stress how seriously I view the threat of
cyber attacks, and in particular state-sponsored attacks, such as those
that victimized Yahoo and its users, and how personally and deeply I
feel about these potential risks. After growing up in Wausau,
Wisconsin, I remember buying my first computer in college, developing a
passion for computer science and writing code, and seeing the potential
for how this emerging technology could change the world. After college,
my commitment to this field only grew after I was hired by a small
start-up named Google as their 20th employee and first woman engineer.
There, over the next 13 years, I worked my way up from software
engineer to Vice President of Search Products and User Experience,
ultimately becoming a member of the executive operating committee.
In July of 2012, I became the CEO of Yahoo. As a pioneer of the
World Wide Web, Yahoo was founded in 1994 as the hobby of two Stanford
University students and over the next 20 years, Yahoo grew into one of
only three Internet companies in the world with more than one billion
monthly users. Yahoo is a guide to digital information discovery,
focused on informing, connecting, and entertaining users through its
search, communications, and digital content products. I will always be
grateful for, and humbled by, the opportunity to have led Yahoo and its
employees for the last five years.
My experiences from Yahoo and Google have shown me the amazing
potential of the Internet to change our world for the better. They,
however, have also reinforced the potential dangers posed by cyber
crime.
With an increasingly connected world also comes a new host of
challenges, including a dramatic rise in the frequency, severity, and
sophistication of hacking, especially by state-sponsored actors. I am
here today to discuss with the Committee, as best I am able, our
efforts to confront the challenges of cybersecurity, including some of
the security measures and defenses Yahoo had in place, in the hope of
further advancing consumer protection and security. Please understand
that the investigations regarding the Yahoo attacks remain active and
ongoing, and there are limits on what I know and can discuss about the
specific security events. Investigations into data security incidents
often evolve over time and my statements today are based on, and
limited to, information from my time at Yahoo.
Throughout my tenure as CEO, we took our obligations to our users
and their security extremely seriously. We worked hard from the top
down and bottom up to protect our systems and our users. We devoted
substantial resources to security--both offensively and defensively--
with the shared goal of staying ahead of these sophisticated and
constantly evolving threats. After I joined Yahoo, we roughly doubled
our internal security staff and made significant investments in its
leadership and the team. We hired strategically, filling our ranks with
security specialists who focused on threat investigations, e-crimes,
product security, risk management, and offensive engineering.
In addition to improving our talent, we also improved our security
processes and systems defenses. Yahoo's security investments and
initiatives included the adoption of a comprehensive information
security program that enhanced our policies, procedures, and controls.
Yahoo focused its program on the core National Institute of Standards
and Technology Cybersecurity Framework functions: identify, protect,
detect, respond, and recover.
Yahoo had in place multiple layers of sophisticated protection.
Through cross-company initiatives like SSL and HTTPS end-to-end
encryption, Account Key and multi-factor authentication, and password
hashing and salting protections, Yahoo also helped bolster the
company's security defenses and protect its users.
Recognizing that the best defense begins with a strong offense,
Yahoo also adopted an attacker-centric approach to its information
security program. For example, Yahoo staffed independent teams of some
of the world's most sophisticated hackers to proactively attack our
systems and report any vulnerabilities. Yahoo also formalized a ``bug
bounty'' program, whereby the company pays security researchers who
report vulnerabilities to the company. Since its inception, Yahoo's bug
bounty program helped enhance and harden the security of our products.
The bounties awarded by the company surpassed $2 million, with more
than 2,500 security researchers participating worldwide.
During my tenure at Yahoo, we were extremely committed to our
security programs and initiatives and invested tremendous resources in
them. I want to thank all of our team members for their tireless
efforts in addressing Yahoo security. As CEO, working with them over
the past five years was nothing short of a privilege.
Unfortunately, while all our measures helped Yahoo successfully
defend against the barrage of attacks by both private and state-
sponsored hackers, Russian agents intruded on our systems and stole our
users' data. The threat from state-sponsored attacks has changed the
playing field so dramatically that today I believe that all companies,
even the most well-defended ones, could fall victim to these crimes.
I will close by saying that cybersecurity is a global challenge
where the security threats, attacks, and techniques continually evolve.
As we all have witnessed: no company, individual, or even government
agency is immune from these threats. The attacks on Yahoo demonstrate
that strong collaboration between the public and private sectors is
essential in the fight against cyber crime. In addition, aggressive
pursuit of cyber criminals, as the DOJ and FBI exhibited in Yahoo's
case, could be a meaningful deterrent in preventing future crimes like
these.
To echo the words of the then Acting Assistant Attorney General
overseeing the investigation of the cyber crime perpetrated against
Yahoo: a nation-state attack is not a fair fight, and it is not a fight
you will win alone. By working together, we can help level the cyber
playing field.
Thank you for the opportunity to address the Committee today. I
look forward to your questions.
The Chairman. Thank you, Ms. Mayer.
Ms. Zacharia.
STATEMENT OF KAREN ZACHARIA, CHIEF PRIVACY OFFICER, VERIZON
COMMUNICATIONS INCORPORATED
Ms. Zacharia. Chairman Thune, Ranking Member Nelson, and
members of the Committee, thank you for the opportunity to
testify here today. My name is Karen Zacharia, and I am
Verizon's Chief Privacy Officer.
Verizon has a significant and long-standing commitment to
protecting and safeguarding consumer data and building trust
online. In an increasingly connected world, Verizon recognizes
that strong security and consumer trust are prerequisites to
compete in the 21st century digital economy. The very nature of
our business has always required that Verizon make data
security a top priority.
On July 25, 2016, Verizon announced that it had entered
into an agreement to acquire Yahoo!'s operating business. That
acquisition closed on June 13, 2017. Yahoo! is now part of a
new company formed by Verizon called Oath. Oath consists of
more than 50 digital and mobile brands globally, including
HuffPost, Yahoo! News, Yahoo! Sports, Tumblr, and AOL.
In September and December 2016, Yahoo! announced that
certain user data was stolen in two separate incidents in 2013
and 2014. These incidents happened well before Verizon's
acquisition of Yahoo!. At the time of the December 2016
announcement, Yahoo! disclosed that more than 1 billion of the
approximately 3 billion accounts existing in 2013 had likely
been impacted.
After Verizon acquired Yahoo!, we obtained new information
from a third party and reviewed it with the assistance of the
same outside forensic experts that Yahoo! had used previously.
Based on that review, we concluded that all accounts, and not
just a subset, were impacted by the 2013 security incident.
Yahoo! then provided further individual notices to the impacted
users beginning on October 3, 2017, less than a week after we
determined the scope of the impacted user accounts.
In addition, the review confirmed that the stolen
information did not include Social Security numbers. It also
did not include passwords in clear text. And it did not
include sensitive financial information like payment card data
or bank account information.
Although Verizon did not own Yahoo!'s operating business at
the time of the 2013 data theft or during Yahoo!'s incident
response, we understood that Yahoo! took actions around the
time of its announcements to protect its users' accounts.
Yahoo! required password changes for user accounts where
passwords had not been changed since 2014. Yahoo! also
invalidated unencrypted security questions and answers so that
they could not be used to access an account. Yahoo! took these
actions on user accounts beyond those thought to have been
impacted by the security incidents. This means that Yahoo! took
steps in 2016 to protect all users, including the additional
user accounts that were individually notified in October 2017.
Proactively enhancing our security is a top priority at
Verizon and Oath. We carefully track the evolution of attacks,
gather intelligence, leverage technology advances to make
improvements to our systems, and to apply more advanced
protection to our user accounts. As part of integrating Yahoo!
and AOL into Oath, we are combining two strong existing
security teams. We are examining the practices and tools of
each team, and applying the best practices and tools across
Oath.
We are also in the process of creating an advisory board
that will consist of external security experts. The board will
provide input to Oath on its overall approach to security.
Security has always been in Verizon's DNA, and we remain
committed to continuous improvement to meet the security
challenges of the future.
At Verizon and Oath, we are laser-focused on the needs of
our customers. We know that they expect that their information
will be secure. As a result, we go to great lengths to
integrate security across our networks, platforms, and
products. We are committing substantial resources to defend our
company's assets, networks, and customers, including those
acquired with the closing of the Yahoo! transaction.
With the benefit of Verizon's experience and resources,
along with a commitment to the highest level of accountability,
Verizon and Oath will continue to strive to stay ahead of an
ever-evolving threat landscape.
Thank you again for the opportunity to testify today. I
look forward to answering your questions.
[The prepared statement of Ms. Zacharia follows:]
Prepared Statement of Karen Zacharia, Chief Privacy Officer,
Verizon Communications Incorporated
Chairman Thune, Ranking Member Nelson, and Members of the
Committee, thank you for the opportunity to testify.
Witness Biography
My name is Karen Zacharia. I am Verizon's Chief Privacy Officer and
I lead the Privacy Office, a centralized department responsible for
privacy and data security compliance. My team provides its expertise
across the company so that throughout the lifecycle of our products and
services we are addressing privacy and data security every step of the
way. We maintain and update Verizon's privacy policies, counsel on
internal and external privacy principles and requirements, and provide
training to employees on existing and new privacy laws and Verizon
policies. My office also spends a significant amount of time focusing
on core privacy commitments like transparency and choice so that our
customers can make meaningful choices when it comes to their personal
information.
Verizon/Oath/Yahoo Background
Verizon has a significant and longstanding commitment to protecting
and safeguarding consumer data and building trust online. In an
increasingly connected world, Verizon recognizes that strong security
and consumer trust are prerequisites to compete in the 21st Century
digital economy. The very nature of our business has always required
that Verizon make data security a top priority.
On July 25, 2016, Verizon announced that it had entered into an
agreement to acquire Yahoo's operating business. That acquisition
closed on June 13, 2017. Yahoo is now part of a new company formed by
Verizon called Oath. Oath consists of more than 50 digital and mobile
brands globally, including HuffPost, Yahoo News, Yahoo Sports, Tumblr
and AOL.
2013 and 2014 Yahoo Security Incidents
In September and December of 2016, Yahoo announced that certain
user data was stolen in two separate incidents in 2013 and 2014. These
incidents happened well before Verizon's acquisition of Yahoo.
At the time of the December 2016 announcement, Yahoo disclosed that
more than one billion of the approximately three billion accounts
existing in 2013 had likely been impacted. After Verizon acquired
Yahoo, we obtained new information from a third party and reviewed it
with the assistance of the same outside forensic experts that Yahoo had
used previously. Based on that review, we concluded that all accounts--
and not just a subset--were impacted by the 2013 security incident.
Yahoo then provided further individual notices to the impacted users
beginning on October 3, 2017--less than a week after we determined the
scope of the impacted user accounts.
In addition, the review confirmed that the stolen information did
not include Social Security numbers. It also did not include passwords
in clear text. And it did not include sensitive financial information
like payment card data, or bank account information.
Although Verizon did not own Yahoo's operating business at the time
of the 2013 data theft or during Yahoo's incident response, we
understand that Yahoo took actions around the time of its announcements
to protect its users' accounts. Yahoo required password changes for
user accounts where passwords had not been changed since 2014. Yahoo
also invalidated unencrypted security questions and answers so that
they could not be used to access an account. Yahoo took these actions
on user accounts beyond those thought to have been impacted by the
security incidents. This means that Yahoo took steps in 2016 to protect
all users, including the additional user accounts that had been
individually notified in October 2017.
Verizon's Focus Following Acquisition of Yahoo
Proactively enhancing our security is a top priority at Verizon and
Oath. We carefully track the evolution of attacks, gather intelligence,
and leverage technology advances to make improvements to our systems
and to apply more advanced protection to our users' accounts.
As part of integrating Yahoo and AOL into Oath, we are combining
two strong, existing security teams. We are examining the practices and
tools of each team, and applying the best practices and tools across
Oath. We are also in the process of creating an advisory board that
will consist of external security experts. This board will provide
input to Oath on its overall approach to security.
Security has always been in Verizon's DNA and we remain committed
to continuous improvement to meet the security challenges of the
future.
Conclusion
At Verizon and Oath, we are laser-focused on the needs of our
customers. We know that they expect that their information will be
secure. As a result, we go to great lengths to integrate security
across our networks, platforms, and products. We are committing
substantial resources to defend our company's assets, networks, and
customers, including those acquired with the closing of the Yahoo
transaction.
With the benefit of Verizon's experience and resources, along with
a commitment to the highest level of accountability, Verizon and Oath
will continue to strive to stay ahead of an ever-evolving threat
landscape.
Thank you again for the opportunity to testify today. I look
forward to answering your questions.
The Chairman. Thanks, Ms. Zacharia.
Mr. Wilkinson.
STATEMENT OF TODD WILKINSON, PRESIDENT
AND CHIEF EXECUTIVE OFFICER, ENTRUST DATACARD
Mr. Wilkinson. Chairman Thune, Ranking Member Nelson, and
members of the Committee, thank you for the opportunity to
discuss the recent major data breaches that have touched the
vast majority of American consumers and the urgent actions
necessary to protect sensitive personal information.
For almost 50 years, Entrust Datacard has provided
solutions that enable the creation of secure physical and
digital identities that are used around the world in banking,
government, and enterprise applications. Identity is a
foundational element of our commerce system and the way
Americans build their financial lives. The value of identity is
the primary reason this information is targeted and why we
continue to see more sophisticated attacks that lead to
significant data breaches.
We live in an incredibly connected and complex world. The
challenge of protecting data is an evolving and sophisticated
task, but it starts with a secure identity. This will only
become more critical as we continue to drive toward greater
connectivity, linking virtually every aspect of our lives to a
connected system.
According to the 2017 Verizon Data Breach Investigations
Report, 43 percent of all data breaches can be traced to a
phishing attack in which a malicious actor was able to
compromise an identity and use this information to gain access
to data. Once compromised, a primary target is consumer
identities. The information stolen in the most recent breaches
contained a significant amount of personally identifiable
information, or PII, belonging to millions of American
citizens. The focus of this hearing is to examine the recent
data breach events, identify steps that could have been taken
to ensure the safety of consumer data, and to determine if
there are options to further safeguard consumer identities in
the future.
Regarding the issue of steps that can be taken to better
ensure the safety of consumer data, today organizations are
challenged by increasingly complex systems and arising attacks
from nation-states and other well-organized groups. This
Committee can bring forward a number of experts. Most will
agree that no system is free from vulnerabilities, and all have
the potential to be breached. However, there are documented
best practices and numerous security tools available to
mitigate common attacks, and the vast majority of major
breaches are still the result of common security mistakes and
stolen credentials resulting from poor cyber hygiene.
Today, a substantial amount of PII that is the basis of our
identities used for secure transactions has already been stolen
and can potentially be used to defraud consumers. It is
essential to now find a balance between driving responsible
behavior in enterprise security and providing an answer to the
underlying security of consumer identities. To address consumer
identity, it will be critical to implement a resilient identity
system that can respond to compromise with the ability to
recover quickly and to ensure consumer data is no longer at
risk.
Today, the Federal Government provides a nine-digit number
issued on a paper card, our Social Security card. This static
number is generally issued at birth and difficult to change
without significant inconvenience to the citizen.
While we have made significant advances in technology, this
foundational form of identification has not changed, leaving
consumers vulnerable to compromise. Our recommendation to this
Committee is that the time is upon us to create a new identity
framework. This new framework would create a modern secure
identity through a collaboration of government and industry.
There are several examples of public-private partnerships
around the world delivering stronger identity frameworks as a
foundation for commerce. A new identity framework will allow
citizens to utilize a more secure method to transact, and to do
so in a manner that reduces the potential of breach or
compromise. In all use cases, this new identity framework could
minimize risk and inconvenience to the consumer in cases of
breach, and allow a consumer to more easily recover their
identity with minimal impact.
Our identity system today is broken; it is not secure. It
is time to leverage available technologies to provide Americans
with new mechanisms to protect their identities. In my
company's previous testimony, we have recommended the best path
forward rests upon a public-private ecosystem that's built upon
good security governance, secure identities, and constant self-
assessment of vulnerabilities. Whether we drive adoption via
incentive or directive, we need to proceed now. I urge you to
focus on near-term actions to address the consumer information
that has already been compromised while working toward longer-
term solutions which create a more resilient identity for
American consumers.
Chairperson Thune, Committee members, fellow panelists,
thank you for your time today.
[The prepared statement of Mr. Wilkinson follows:]
Prepared Statement of Todd Wilkinson, President
and Chief Executive Officer, Entrust Datacard
Chairman Thune, Ranking Member Nelson and members of the Committee,
thank you for the opportunity to discuss the recent major data breaches
that have touched the vast majority of American consumers and the
urgent actions necessary to protect sensitive personal information.
For almost 50 years, Entrust Datacard has provided solutions that
enable the creation of secure physical and digital identities that are
used around the world in banking, government and enterprise
applications. Identity is a foundational element of our commerce system
and the way Americans build their financial lives. The value of
identity is the primary reason this information is targeted and why we
continue to see more sophisticated attacks that lead to significant
data breaches.
We live in an incredibly connected and complex world. The challenge
of protecting data is an evolving and sophisticated task, but it all
starts with a secure identity. This will only become more critical as
we continue to drive toward greater connectivity, linking virtually
every aspect of our lives to a connected system. According to the 2017
Verizon Data Breach Investigations Report, 43 percent of all data
breaches can be traced to a phishing attack in which a malicious actor
was able to compromise an identity and use this information to gain
access to data. Once compromised, a primary target is consumer
identities. The information stolen in the most recent breaches
contained a significant amount of personally identifiable information
(PII) belonging to millions of American consumers.
The focus of this hearing is to examine the recent data breach
events, identify steps that could have been taken to better ensure the
safety of consumer data and to determine if there are options to
further safeguard consumer PII in the future.
Regarding the issue of steps that can be taken to better ensure the
safety of consumer data, there are well documented best practices and
numerous security tools available to mitigate common attacks. However,
this committee can bring forward a number of experts, and most will
agree that no system is free from vulnerabilities and all have the
potential to be breached.
Additionally, a substantial amount of PII has already been stolen
and can potentially be used to defraud consumers. It is essential to
now find a balance between driving responsible behavior in enterprise
security and providing an answer to the underlying security of the
consumer identity. To address consumer identity, it will be critical to
implement a resilient identity system that can respond to compromise,
with the ability to quickly recover and to ensure consumer data is no
longer at risk.
The State of Identity Today
The implications of using an insecure identity go far beyond that
of financial burden or inconvenience to the consumer. The use cases for
our government issued identity stretch across all aspects of life, and
if compromised, there is no process in place by which citizens can
easily reestablish and recover their identity.
Commerce
Over the course of an eligible consumer's life they will engage in
a variety of commerce activities that require the completion of an
application that includes the public disclosure of their recognized
identity--their social security number: from opening a banking account,
to applying for a home or auto loan, to requesting a new credit card
from a big box retailer. While the application may take on a variety of
forms--paper, digital and oral--the one thing each application has in
common is that the citizen is put at risk of their personal identity
credentials being compromised. Paper application documents that are not
disposed of properly, or the breach of a digital database are common
and easily compromise the consumer's identity. Yet, without the
disclosure of the identity credential, a consumer is not able to
establish their identity and is restricted from conducting commerce.
Employment
The social security number was introduced in the 1930s as a means
of recording and dispensing funds earned by citizens for retirement.
The number was also intended for tax recording purposes.
When applying for employment, or when completing new employment
paperwork, employees are required to provide employers with their
social security number. Each time a person applies for a position and
with each subsequent employment change, the applicant must provide an
employer with their social security number.
Recent breaches of employee data have also been reported, exposing
the personal information of millions. In June 2015, the Office of
Personnel Management (OPM) announced that over 21 million records
containing PII, including social security numbers, were stolen.
In the case of the OPM breach, the records compromised were tied to
background investigation records, a common practice among many
employers today. Many times, new employees are required to submit their
identity for review by their employer. Should the identity of an
individual be compromised without their prior knowledge, it could be
career limiting: a background check of an employee whose identity has
been compromised might falsely reveal financial difficulties or
criminal histories--causing the applicant to lose the job opportunity
and the employer to lose a valuable employee. The breach of personal
information can also create the opportunity for bribery or blackmail
from criminals or foreign powers that might hone in on those whose
personal information reveals financial burdens or compromising
information.
Insecure Identity: Risks and Impacts
To better illustrate this point, let's reflect on another major
breach that occurred in 2013. In March 2014, one of my staff members at
the time, David Wagner, testified in front of this committee in
response to a breach of credit and debit card information by a major
retailer that affected more than 40 million people. While this breach,
and subsequent breaches of payment data, impacted consumers, they were
able to quickly address the compromise. This is because the payment
ecosystem was designed to be resilient. When fraud occurs, the
liability largely falls to the financial institution not the consumer.
In addition, financial cards are easily replaced by new payment
credentials, thereby eliminating the risk of fraud on a compromised
payment card.
The difference with today's conversation is that the compromised
data is not a credit or debit card that can be easily replaced. It is a
social security number, a name, an address that can have far reaching
and long lasting impacts to those compromised. Over 145 million
Americans' insecure identities are now forever at risk, and they have
limited ability to protect themselves. A key question for this
committee to consider is: What do we do now given these identities are
forever compromised? The critical issue to address is the ability to
recover from a data breach with a resilient secure identity.
Secure, Modern Identities
To address the challenges brought on by the current pattern of
breached insecure identities, we should focus on how to help consumers
recover. In today's environment, the only recourse a consumer has is to
work with each credit reporting agency to lock their credit, ensuring
that it cannot be used or to contract with a credit monitoring service
that will do this on behalf of the consumer. The consumer is burdened
with the cost and the time it takes to try to protect themselves.
Given most American consumer identities have already been
compromised, it is imperative that action is taken to put the consumer
back in control of how and when their identity is used. It is our
strong recommendation that any use of personal information, whether an
account opening, credit requests, transaction attempts, etc. require
consumer authorization through a strong authentication mechanism.
Putting the consumer in control could be implemented by leveraging the
consumer's mobile device, as is common in banking applications today.
The technology required for implementation is well tested and works at
scale.
A modern secure identity system needs to strike a balance of
providing an appropriate level of information to enable commerce
activities, while providing consumers with the ability to quickly, and
cost effectively, reestablish their identity and then move on with
their lives without fear of further repercussions.
Key Characteristics of a Modern Secure Identity: Identity Should Be Dynamic
As already mentioned, today's primary identity source, the social
security number, is issued at birth and is difficult to change without
significant inconvenience to the citizen. With a dynamic identity, a
compromised identity can be revoked and replaced, reducing
inconvenience or effort on the part of the citizen.
Dynamic identities are commonplace in Brazil, where Infraestrutura
de Chaves Publicas (ICP-Brasil) issues digital certificates (a digital
identity) for citizen identification. In this example, the government
owns the core identity issuing technology, but partners with industry
to provide consumer options for how to access this identity system.
These certificates generally last one to three years and can be used to
digitally sign documents with the same force as a written signature,
access government systems online and provide easier and secure online
access to financial institutions. A critical point is that ICP-Brasil
has institutionalized the concept of dynamic identities. Even if the
identity is not compromised, it still has a relatively short validity
period. And in the event of a compromise, the process to replace the
identity with a new one is well understood and easily executed.
Identity is Easy to Issue, Revoke and Manage
We must be able to issue an identity (and revoke and re-issue it)
without tremendous effort on the part of the user. When an identity is
revoked, the revocation must be pervasive so that everyone can easily
know what has been revoked and reissued. Payment cards are easily
revoked; attempts to pay with a cancelled card are immediately
declined.
The Consumer Controls their Identity
When individuals are personally accountable and in control of their
own secure identities, they can determine which factors are in place to
help confirm their identities. Identity factors are not reliant on data
like address, telephone number, mother's maiden name or names of pets--
these examples, like social security numbers, are static pieces of
information that are easy for someone else to discover. Instead, more
sophisticated factors like fingerprints and facial recognition could be
used. Other factors, such as behavioral attributes and verifications
through a mobile device, are also in wide use. The user can choose to
confirm their identity through a variety of factors--a best practice in
enterprise security is to use more than one factor. Individuals should
have the ability to select which and how many factors to use, giving
them control over how they secure and manage their identity.
A New Identity Framework
Our recommendation to this committee is that the time is upon us to
create a new identity framework. This new framework would create a
modern secure identity through a collaboration between government and
industry. In all use cases, this new identity could minimize risk and
inconvenience to the consumer in cases of breach, and allow a consumer
to more easily recover their identity with minimal impact.
Our identity system today is broken--it is not secure. It is time
to leverage available technologies to provide Americans with new
mechanisms to protect their identities. In my company's previous
testimony, we recommended the best path forward rests upon a private-
public ecosystem that is built upon good security governance, secure
identities and constant self-assessments of vulnerabilities.
Whether we drive adoption via incentives or directives, we need to
proceed now. I urge you to focus on near-term actions to address the
consumer information that has already been compromised while working
toward long-term solutions which create a more resilient identity.
Chairperson Thune, committee members, fellow panelists--thank you
for your time today.
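The issue, revoke and reissue cycle that the statement describes for a dynamic identity, shown as an added example; this code is not part of the testimony and is not an Entrust Datacard or ICP-Brasil product. It assumes a single issuer whose HMAC secret stands in for a certificate signing key (so the issuer also performs verification here, where a real PKI lets any relying party verify with the public key), a constructed subject handle "citizen-1234", and a short validity window passed in as seconds.

```python
"""Dynamic identity credential: short validity, pervasive revocation, easy reissue."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    subject: str     # stable, non-secret handle for the person (NOT an SSN)
    serial: str      # unique per issuance; this is what gets revoked
    not_before: int  # validity window, Unix seconds
    not_after: int
    mac: str         # issuer signature over the four fields above


class Issuer:
    """Issues, revokes and verifies credentials.

    Assumption: an HMAC secret stands in for the issuer's signing key. In a
    real scheme (as with ICP-Brasil certificates) the issuer would sign with a
    private key and relying parties would verify with the public key; the
    three checks in verify() are the same either way.
    """

    def __init__(self, signing_key, validity_seconds):
        self._key = signing_key
        self.validity = validity_seconds
        # The "pervasive" revocation list: every relying party must consult it,
        # just as a cancelled payment card is declined everywhere at once.
        self.revoked = set()

    def _sign(self, subject, serial, not_before, not_after):
        msg = json.dumps([subject, serial, not_before, not_after]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, subject, now=None):
        """Mint a fresh credential with a new serial and a bounded lifetime."""
        now = int(time.time()) if now is None else now
        serial = secrets.token_hex(8)
        not_before, not_after = now, now + self.validity
        return Credential(subject, serial, not_before, not_after,
                          self._sign(subject, serial, not_before, not_after))

    def revoke(self, cred):
        """Revocation is by serial, so the subject's handle itself survives."""
        self.revoked.add(cred.serial)

    def reissue(self, cred, now=None):
        """Recovery after compromise: kill the old serial, hand out a new one."""
        self.revoke(cred)
        return self.issue(cred.subject, now)

    def verify(self, cred, now=None):
        """Return (accepted, reason). Signature first, then revocation, then time."""
        now = int(time.time()) if now is None else now
        expected = self._sign(cred.subject, cred.serial,
                              cred.not_before, cred.not_after)
        if not hmac.compare_digest(expected, cred.mac):
            return False, "bad signature"
        if cred.serial in self.revoked:
            return False, "revoked"
        if not (cred.not_before <= now <= cred.not_after):
            return False, "expired"
        return True, "ok"


def demo(now=1_700_000_000):
    """Walk a constructed citizen through compromise and recovery."""
    issuer = Issuer(signing_key=b"constructed-issuer-secret", validity_seconds=3600)
    original = issuer.issue("citizen-1234", now=now)
    results = {"fresh": issuer.verify(original, now=now + 60)}
    # A leaked copy presented after the window closes fails on time alone.
    results["after_expiry"] = issuer.verify(original, now=now + 7200)
    # Compromise detected inside the window: revoke and reissue immediately.
    replacement = issuer.reissue(original, now=now + 120)
    results["leaked_after_revoke"] = issuer.verify(original, now=now + 180)
    results["replacement"] = issuer.verify(replacement, now=now + 180)
    # Tampering with the validity window breaks the signature.
    forged = Credential(original.subject, original.serial, original.not_before,
                        original.not_after + 10**6, original.mac)
    results["forged_lifetime"] = issuer.verify(forged, now=now + 180)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>20}: {outcome}")
```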
The Chairman. Thank you, Mr. Wilkinson.
I'm going to start with the questions, and I'll start with
Ms. Mayer. In your opening statement, you described the
significant investments that Yahoo! made under your leadership
with respect to its internal security. Nevertheless, despite
these investments, the company apparently failed to detect the
2013 breach, which was the largest breach in the history of the
Internet, for more than 3 years. And even after the 2013 breach
became apparent, Yahoo! significantly underestimated the number
of accounts implicated by billions.
And so I'll give you an opportunity to answer the obvious
question, but that is with such a strong security team in
place, how did Yahoo! fail to recognize that all 3 billion of
its user accounts had been compromised? And why did it take
more than 3 years to discover and to disclose the breach?
Ms. Mayer. At Yahoo!, we deeply valued our user security
and invested heavily in that security. As is frequently the
case in these types of cyber attacks, they are complex, they
are persistent, and in often cases, the understanding of the
facts evolves over time. To this day, we, as I understand it,
still have not been able to identify the intrusion that led to
that theft, which is to say we have received files from law
enforcement that contained Yahoo! data, and we verified that it
came from Yahoo!. We don't exactly understand how the act was
perpetrated. And that certainly led to some of the areas where
we had gaps in information.
The Chairman. Why the delay in disclosing it? I mean, it
took 3 years. How was it possible to underestimate by billions
literally the number of consumers who were impacted by it?
Ms. Mayer. Yahoo! did not know of the intrusion in 2013. We
learned of the intrusion by files that were presented to us in
November 2016. And in a very short period of time, we verified
that that data was taken from Yahoo!, that it was most likely
from August 2013, notified law enforcement, notified our users,
and took protective actions on all the accounts. And at that
time, we estimated that it affected more than 1 billion users.
There have been recent announcements from Verizon that I'm not
privy to since I'm no longer with the company.
The Chairman. So the 500 million that was originally
disclosed, and then it jumped up to 3 billion, there's no real
explanation, at least to your knowledge, for how you
miscalculated the number of people impacted?
Ms. Mayer. The 500 million number was related to the fall
2014 breach by the Russian hackers where the indictments were
issued by the DOJ and FBI.
The Chairman. Mr. Smith, in prior testimony before
Congress, you said that the failure to patch a known
vulnerability in your system basically boiled down to a single
employee's failure to act, compounded by an IT scan that should
have detected that failure, but didn't. Then to add insult to
injury, the vulnerability was allowed to persist for several
months without corrective action being taken.
So for a company that holds some of the most sensitive
personal information on millions of American consumers, I hope
you can understand why this revelation is so hard to
understand. Can you explain why there weren't more trip wires
or redundancies built into your system to prevent something
like this from happening? You've also testified that these
weaknesses have now been addressed, perhaps you could also
elaborate on how.
Mr. Smith. Yes, Mr. Chairman, you're right. In prior
testimonies, I refer to the fact that we were notified by U.S.
CERT on March 8 of this year, communicated per our protocol on
the ninth to patch the vulnerability in the Apache Struts
software, open-source software, that existed. The e-mail did go
out per our protocol. On the fifteenth of March, we then
scanned, and the scanner did not find the vulnerability. So the
human errors I described in the past, as well as the technology
error, both led to the ability for the criminals to access what
we call our web portal dispute environment.
The Chairman. But why wouldn't you have had more
redundancies built into your system? Why did it basically come
down to one employee? That seems really hard to fathom for a
company that specializes in what you do.
Mr. Smith. A clarification. Yes, the redundancy was a
scanner, and the scanner did not work as well. So you had the
human process, which is standard process of identifying a
patch, the vulnerability, applying the patch, and then going
back a week later with a technology scanner to see if the patch
was applied.
The Chairman. You said you've fixed that or can you
elaborate a little bit on that? And maybe Mr. Barros as well
could elaborate on any further steps that Equifax has taken
since the breach.
Mr. Smith. I'll start, and Mr. Barros can continue, if you
will.
What we had installed shortly after, about the time of one
of my last hearings, was a new scanning technology. We upgraded
a scanning technology to a new generation scanner that seems to
be a better scanner than the prior scanner. There were some
process changes Paulino may want to talk about as well.
Mr. Barros. Sure. As you can imagine, security is my top
priority, including strengthening security systems in our
company. We have done a comprehensive top-down review of the
process with the help of PwC and Mandiant, and we are
strengthening all aspects of our operations, including our
patching capabilities. We are enhancing and updating our tools
to make sure that we have an effective patching system in
place. We have actually put stronger policies in place to make
sure that we have more redundancies and closed loops, in order
to make sure that our actions will be executed with accuracy.
The Chairman. Have you disposed of the data that you no
longer need? Has Equifax disposed of----
Mr. Barros. This is part of the process that we're going
through right now. We are evaluating the data architecture that
we have to have in place.
The Chairman. How about encrypted?
Mr. Barros. We are adding whatever is necessary to do it,
including encryption, including tokenization, including all new
technologies available to make sure that we protect the data,
both with respect to the data itself and the architecture of
the data.
The Chairman. Thank you.
Senator Nelson.
Senator Nelson. Ladies and gentlemen, we've had these
hearings before, and if we don't do something, we're going to
be having these hearings again. At this point, I'm wondering
that there is such a thing as data security. When you think of
a sophisticated state actor such as China or Russia, your
companies can't stand up against them.
The only person or institution that can stand up against
state actors is the National Security Agency. And what we're
going to see in the future for not only personally identifiable
information, but the state secrets of our country, many of
which are critical infrastructure, as represented by companies
such as yours, is a need for cooperation between the most
sophisticated player in the United States, the NSA, and you
all.
Otherwise, Americans are not going to have any more
privacy. And if we don't do something and if you all don't do
something to change this, we're going to be right back here
having additional hearings on this same topic.
Ms. Mayer, what do you think? You had a sophisticated state
actor coming after you. How do you really think that you could
have protected yourself?
Ms. Mayer. Even robust defenses and processes are not
sufficient to protect against a state-sponsored attack,
especially when it's extremely sophisticated and persistent.
We, at Yahoo!, cooperated with law enforcement and brought
these breaches and intrusions to the attention of law
enforcement swiftly each time they were detected, and the DOJ
and FBI were of great assistance to the company in identifying
the perpetrators and bringing them to justice.
Senator Nelson. That's an admission that you're not
protected against a state actor.
So now, Ms. Zacharia, you all own Yahoo!. What are you all
going to do about it?
Ms. Zacharia. Thank you, Senator. A couple of different
things. First, your point that we have to work together is
absolutely right. I think we need to work both with industry
and with government to try to tackle this problem. And that's
true in a number of different areas. Verizon, for example, has
long believed that there should be national data security and
data breach legislation, and we would be happy to work with any
of the Senators here on what that legislation should look like.
In addition, though, all of our security teams need to
understand that security isn't static, it's always changing.
The attackers are getting better, the tools are getting better,
the intelligence that we're gathering is changing. And so as
that's happening, we have to make sure that we're changing our
security systems to improve and keep up.
Senator Nelson. That's a good intention, but it's going to
take more. It's going to take an attitude change among
companies such as yours that you have got to go to extreme
limits to protect customers' privacy.
So, Mr. Smith, you hold a financial guillotine over a lot
of your customers by virtue of what their credit rating is. So
if your data is not protected, and a poor little fellow goes to
buy a house, and is ready with the down payment, he may not get
a mortgage because he has got a black mark on his credit rating
that is not real, but has been placed there because of a data
breach, preventing him from closing on his house. This has huge
consequences. What are you and Mr. Barros going to do about it?
Mr. Smith. Mr. Senator, there is no doubt that securing
data is the core value of our company. And I will also, like
Mr. Barros said, apologize deeply to the American public for
the breach that we had. We let the public down.
I'll tell you this, I do agree with the other panelists
here, and your point earlier, Mr. Senator, a combination
cooperation between public-private to address this issue is
needed. In my 12 years of running the company and tracking the
velocity, the increase, of cyber attacks is remarkable to see.
In prior testimonies, I talked about the fact that it's not
unusual for us in any one given year to see suspicious
activity, unwarranted attempted attacks, of millions per year.
Senator Nelson. Mr. Smith, didn't you describe Equifax as
the victim when the company failed to secure the security
vulnerability that led to the breach? Is Equifax really the
victim?
Mr. Smith. I believe I described it as a--we're a victim of
a criminal attack.
Senator Nelson. Mr. Wilkinson, do you consider Equifax to
be a victim?
Mr. Wilkinson. Senator, I think they are a victim, as my
fellow panelists pointed out. Certainly, there have been many
victims in the cases of these breaches. But the criminal impact
from hackers moving into these enterprises creates them also to
be in a position to be a victim, in my opinion.
Senator Nelson. Well, do you believe that they had adequate
security measures in place?
Mr. Wilkinson. Based on my understanding of the breach that
occurred at Equifax, and we're talking about effectively
patching of security vulnerabilities in a timely way, we've
heard some discussion of some of the increase in security
stance that they've had since the breach. These are the types
of things that I would suggest to you are basically understand
are best practices. Most security----
Senator Nelson. I don't understand your answer. Do you
consider them to have had appropriate security protocols?
Mr. Wilkinson. Having not patched for as long as they did,
I would not recommend suggesting that that was adequate
security protocol.
Senator Nelson. OK. So the answer is no.
Mr. Wilkinson. No.
Senator Nelson. So Equifax is not the victim, it's the poor
customers of Equifax who are victims. Is that correct?
Mr. Wilkinson. Both are--I believe both are victims,
Senator, in my opinion.
Senator Nelson. OK. Thank you.
Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Nelson.
Senator Wicker.
STATEMENT OF HON. ROGER F. WICKER,
U.S. SENATOR FROM MISSISSIPPI
Senator Wicker. Mr. Smith, in your written testimony, one
of your suggestions is a public-private partnership to begin a
dialogue on replacing Social Security numbers as methods of
verification. I wonder if your suggestion would also apply to
rethinking the use of passwords and user ID numbers.
And I'm going to ask Mr. Wilkinson to address this question
also because in your testimony, Mr. Wilkinson, you talk about
dynamic identities as a way to replace the Social Security
number in the modern age, and you point to Brazil as a better
example where the government owns core identity issuing
technology and issues some sort of digital identity that might
last for 3 years.
So I'll go to Mr. Wilkinson first and then back to Mr.
Smith. Is that system working better for the consumer in
Brazil, or is it just a helpful aspect, but it still doesn't
get the job done against this onslaught which Senator Nelson
described in his question?
Mr. Wilkinson. Thank you for the question, Senator. There
were two questions. In the beginning, in your first question,
you asked the question about the use of passwords and, you
know, identifiers, as well as Social Security number. With
static information, like username password or Social Security
number, you have a generally weak identity framework, which is
why we talk about the need for additional security.
Now, there are many tools today that many companies are
using around secure authentication that help overcome some of
the vulnerabilities that we see from things like username
passwords. Some of those tools need to be deployed as we talk
about where we use Social Security numbers as a primary form of
our identification that forms the basis of our identity.
In my written testimony, I also provided some additional
examples of what we see other countries doing that I won't
suggest to you are best practices, but I would suggest would be
important for this Committee to look at. In some cases, these
countries have moved to digital identity systems, in part
because they didn't have anything in place.
What our recommendation is, of course, we're moving from a
system that's worked in the United States for probably 50 years
but no longer is secure. The example that you cite from Brazil
is a form of digital identity that is issued by the Federal
Government for the purpose of providing a citizen with a
digital identity that they can use for certain transactions,
high-security needs, digital signing requirements, and has a
limited life, in that case, 3 to 5 years. So the combination of
the way that they have deployed that identity framework is more
secure and provides the ability to be more resilient than what
we see today, and what we're able to recover from in the event
of a breach like what we just talked about from Equifax.
Senator Wicker. In your view, the consumer is better
protected under this Brazilian system?
Mr. Wilkinson. They can be, yes.
Senator Wicker. Mr. Smith, what do you say?
Mr. Smith. I would agree. And not much I can add to that,
but the concept of using a static 1936 instrument like the SSN
and thinking it's secure, we've outlived that concept. Some
combination of digital multifactor authentication, as Mr.
Wilkinson talked about, I think is the right path.
Senator Wicker. Ms. Zacharia, you suggest legislation, and
it might be that all five members of the panel are advocating
legislation. We only have one minute and 23 seconds left, but
in general, what would this legislation look like?
Ms. Zacharia. I think the two key things that should be in
data breach legislation are, number one, that it be a national
framework so that we have one standard to comply with as we're
responding to a data breach; and, number two, it's really
important that it get the standard right for when we notify
customers. It's important to notify customers about information
that they really need, but to make sure that we're not
notifying them so often about so many things that they stop
paying attention.
Senator Wicker. And would anyone like to take issue with
Senator Nelson's overall conclusion that really against a state
actor like we've seen, a mere company is just unable to
withstand that without going to NSA? Does anybody want to
disagree with that?
[No audible response.]
Senator Wicker. No takers.
Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Wicker.
Senator Blumenthal.
STATEMENT OF HON. RICHARD BLUMENTHAL,
U.S. SENATOR FROM CONNECTICUT
Senator Blumenthal. Thank you, Mr. Chairman. Thank you for
having this hearing.
Thank you to the witnesses for being here today.
I think almost every American consumer at this point is
aware of the unacceptable risks that right now are entailed in
many of our business practices, risks to their privacy
information that they expect and reasonably anticipate will be
safeguarded by companies that do business with them and where
they are customers.
The Equifax breach, in particular, exposed the limits of
the Federal Trade Commission's ability to protect consumers and
impose civil penalties on companies that treat our data with
negligence and recklessness. Under current law, even some of
the most egregious examples of lax security can be met only
with apologies and promises to do better next time, not fines
or other penalties for real deterrents that provide incentives
to business executives to actually do better. The real
deterrent will come when those penalties are imposed on
executives, like the ones before us today. And if the entities
that hold our data cannot be trusted to protect it, then the
government needs to have the tools to not only go after hackers
and thieves, but also hold companies accountable.
Commonsense legislation I have introduced, the Data Breach
Accountability and Enforcement Act of 2017, would ensure that
the FTC can investigate any data breach by any company or
organization that holds sensitive consumer data, including
nonprofits, and can impose civil penalties that are actually
sufficiently strong to motivate companies to implement strong
security at the onset. In this area, truly an ounce of
prevention is worth a pound of cure. In fact, in many
instances, for many consumers, there is no real cure.
When you were here last, I think it was the last time you
were on the Senate side at least, you came before the Judiciary
Committee, Mr. Smith, and I asked you whether you could commit
that none of your consumers would ever be required to go
through arbitration. You said, understandably, that you were no
longer with the company, and, therefore, you couldn't
guarantee.
So I'm going to ask Mr. Barros, and I appreciate your being
here today, I have the same question. Can you guarantee that no
consumer will be required to go through arbitration if they
decide to use one of your services or products?
Mr. Barros. Senator, I understand the issue related to the
arbitration clause initially included in the TrustedID Premier
product when it came out, and it was immediately removed.
Arbitration is a tool used by the industry, especially the
consumer industry. We have used that tool as permitted by the
law. We will continue to evolve in this process and examine the
use of this arbitration process----
Senator Blumenthal. And I apologize for interrupting you,
but my time is limited, as you understand. So this is one of
those yes-or-no answers, I think. Can you guarantee that you
won't use arbitration? I understand all of the ``on the one
hand, on the other hand'' comments that could be made. But
consumers expect that they will have a right to go to court and
have their rights vindicated there. Can you guarantee that you
will not force them to use arbitration?
Mr. Barros. I believe the consumers have a choice to choose
the products that they need.
Senator Blumenthal. But if they choose your products, they
will not be forced into arbitration. You are guaranteeing that?
Mr. Barros. We work according to the law and use the tools
that the industry uses to have arbitration in place.
Senator Blumenthal. Do you know the difference between a
credit freeze and a credit lock?
Mr. Barros. Yes, I know.
Senator Blumenthal. Can you guarantee that the credit lock,
if you use them, will be subject to consumer protection under
the state laws where consumers live?
Mr. Barros. I understand the way we use freeze and lock, at
the end of the day for the consumer, it provides the same
result. The state law requires a different regulatory process
for you to obtain the freeze.
Senator Blumenthal. The difference is credit freezes are
regulated by states----
Mr. Barros. Correct.
Senator Blumenthal.--credit locks are not. You're resorting
to credit locks. Is it to avoid state----
Mr. Barros. No.
Senator Blumenthal.--oversight and scrutiny?
Mr. Barros. I'm sorry. No, no, not at all. We did it
because it's simple to use, it's more accessible to use, and
it's easy to understand by the consumer.
Senator Blumenthal. My time has expired. Thank you, Mr.
Chairman. I hope we'll have a second round.
The Chairman. Thank you, Senator Blumenthal.
Senator Schatz.
STATEMENT OF HON. BRIAN SCHATZ,
U.S. SENATOR FROM HAWAII
Senator Schatz. Thank you, Mr. Chairman.
Mr. Barros, thank you for being here. Do you think
consumers should be able to see the same information that their
bank uses when the bank makes a credit decision?
Mr. Barros. We have, as an industry, not done a good job
representing to the consumer the role we play in this process.
The information is provided by the consumer when they are in
the process of acquiring a new car, or a credit card. This
information is turned over to, usually or most of the time, a
financial institution.
Senator Schatz. Right. I understand how it works, I'm just
saying that when the bank evaluates my creditworthiness, they
get a bunch of data. I don't get to see what they're looking
at. Do you think I should be able to see what they're looking
at when evaluating my creditworthiness?
Mr. Barros. You----
Senator Schatz. This is also probably a yes-or-no answer.
Mr. Barros. You have access to your credit report. You have
access to your score. This is the information that they use,
most of the time, to make a decision.
Senator Schatz. It's the same information?
Mr. Barros. A credit report is the same as they have, the
same--my credit--my score is the same as they have. So it's
information they use to make a decision. They're allowed to see
the information.
Senator Schatz. You're telling me that the information that
a so-called customer has is all that a bank is provided by
Equifax?
Mr. Barros. I don't know. I don't know what the--I don't
know what information the bank provides. I know what I provide
to the bank.
Senator Schatz. Yes, well, Mr. Smith, you sounded like you
wanted to correct----
Mr. Smith. No, no, just if I may add something to it for
clarification.
Senator Schatz. Sure.
Mr. Smith. If a consumer is going to a bank to apply for a
loan of some sort, typically the underwriter at the bank would
pull a credit file, either ours, TU, or Experian. The consumer
has the right to get access to that free every year themselves.
They also have access to the score, as Mr. Barros said. I think
what you're referring to is the banks don't just use a standard
score like a FICO score, they may have their own score, and
that score is not disclosable to the individual consumer.
Senator Schatz. OK. Are we your customers? Are people--the
people that--the people whose data was breached, are we your
customers, or are the lenders your customers? How do you see
that?
Mr. Barros. Well, a small part of Equifax's business deals
directly with consumers, but most of Equifax's customers are
institutions that have individual consumers as their customers.
Senator Schatz. OK. Because it seems to me that there is
actually a line on this, on that side of the dais, which is to
say, not to excuse what happened with Yahoo!, but it is
different. The incentives are different between the credit
reporting agencies, who have essentially zero financial
incentive to get it right.
You guys get informed by the Department of Homeland
Security that there is a vulnerability. You get provided the
patch. You don't download the patch. Your scanner doesn't work.
Executives cash out their stock. You then start charging people
to lock their credit or freeze their credit. You then start to
promote through LifeLock, you have commercials with LifeLock,
saying, ``Hey, there's been a breach. You might want to use
this product.'' LifeLock subcontracts to Equifax. You guys
continue to be profitable.
On the other side, for Verizon, for Yahoo!, for Google, for
other companies, if you screw up with your customers, there is
a customer relationship that is frayed.
But in the case of the credit reporting agencies, there is
no volition on the side of the customers, and that's the
foundational problem here, which is that there is no incentive
on your side to do anything other than to charge us to solve
the problem that you caused, there is no incentive on your side
to spend the money that it would take to transform the company
to actually treat us like customers because your customers are
lenders, your customers are not the people who got harmed
through the breach.
Mr. Barros, do you want to respond to that?
Mr. Barros. I think that the biggest incentive that we have
is the stewardship that we have, the obligation that we have
with the consumers to keep their data accurate and safe.
Senator Schatz. Right, but that's not a fiduciary. I mean,
you have an earnings call I think tomorrow or shortly, and
you're going to report presumably that everything is fine or
that things are starting to pick up or maybe even--I don't
know, maybe even that you made more profit than usual in the
wake of this problem.
And I would be remiss if I didn't mention because people
back home, and I don't mean just back home where I live, but
back home where all of us live, cannot understand how the CEO
of Equifax and the CEO of Yahoo! walked away with $90 million
and $27 million and possibly a quarter of a billion dollars in
stocks. This is unfathomable to the average person.
And I understand, Mr. Smith, you and I had an exchange in
the Banking Committee where you said, ``This was in the proxy,
it's set by the board, it's not under my control.'' I
understand all that. What I'm saying is regular people don't
understand that, and they shouldn't understand how you harm
consumers and then walk away with the amount of money that a
small city or county uses for their annual operating budget.
It's not fair and it's why this dais has an obligation to make
a law and not just drag you back and forth and wave our fingers
at you.
Thank you.
The Chairman. Thank you, Senator Schatz.
Senator Moran.
STATEMENT OF HON. JERRY MORAN,
U.S. SENATOR FROM KANSAS
Senator Moran. Thank you, Mr. Chairman. Thank you to the
Ranking Member.
Let me start by asking this question. Let me set the
premise, perhaps first to Mr. Smith and Mr. Barros, and then
Ms. Mayer and Ms. Zacharia.
So a business makes a calculation, it determines
probabilities, and it makes a decision about how it invests, in
this case, invests in its data security based upon the
probabilities of events happening.
And so my question is, before the breaches occurred with
both companies, what did you expect? What did you say to your
executive committee or to your board of directors, what's the
probability of a breach occurring at our company? And then the
second, the follow-up question to that is, what's that
probability today?
So you calculated what the probabilities were, you make
investment decisions about how to invest in security, and what
that probability is. Is it any different today for additional
breaches at either one of your companies than it was prior to
the original breaches?
Mr. Smith?
Mr. Smith. Thank you, Senator. I'd put in a framework like
this, we don't calculate the actual percentage probability.
We've got a very comprehensive framework called Enterprise Risk
Management. I'm sure you've heard of that, ERM. And for 10
years or so we've always ranked data security as the most high-
risk, high-probability risk we have as a company. If we had a
security, cybersecurity event, it would be detrimental to the
company. We don't calculate, is it 50 percent, 60 percent, 10
percent, or 5 percent, but we have----
Senator Moran. Does that statement mean that you would
expect a breach?
Mr. Smith. The probability of a breach----
Senator Moran. Is high.
Mr. Smith. Yes.
Senator Moran. OK. And is that calculation any different
today, Mr. Barros, based upon the changes that you've made at
the company? Is it still the same probability of a breach
occurring today or tomorrow as it was prior to the earlier
breaches?
Mr. Barros. Well, we believe that today we are better than
we were at the time of the breach for one reason. This was a
pivotal point in our industry and in our company, essentially.
We have to make significant investments and continue to do so
to make sure that we are better today and we will be better
tomorrow.
Senator Moran. So how much more money are you spending
today to prevent a breach from happening than you were
spending, as a company, prior to the earlier breach?
Mr. Barros. As a natural response to the incident, we are
spending significantly more money in that process.
Senator Moran. But what percentage increase at your company
has occurred as a result of what you learned from the breaches
that have occurred in the past?
Mr. Barros. We are expecting to have a specific spike on
the costs for the----
Senator Moran. Do you spend 50 percent more today than you
did before?
Mr. Barros. Easily.
Senator Moran. Or 75, 100, 200 percent more?
Mr. Barros. Four times more.
Senator Moran. Four times more.
Mr. Barros. Yes.
Senator Moran. And as a result of spending four times more,
would you say it's less likely today that a breach occurs at
your company than the probability of it occurring before?
Mr. Barros. This is my understanding.
Senator Moran. And what's the reduction in probability?
Mr. Barros. I don't have a specific number because we have
a series of actions taking place today. I can say today that we
believe that it is better today than it was before.
Senator Moran. Would it be better if you were spending,
instead of four times more, six times more? Is the technology
out there that you could acquire to prevent this from
happening----
Mr. Barros. We are acquiring technology, and new tools, to
make sure our security is strengthened and improved. We've been
advised by specialists to make sure that we follow a sequence
for installing this technology. There's a timing to do it.
Senator Moran. Would Yahoo! answer this question in its
circumstances?
Ms. Mayer. We have at Yahoo! one of the most valuable
databases in the world just because of the sheer number of users
that are contained therein. We describe this as an arms race.
Hackers become ever more sophisticated, and we have to become
sophisticated in turn. So----
Senator Moran. So would you have predicted a breach before
it occurred? Would you expect a breach? I assume the answer to
that's no, or you would have been doing something more?
Ms. Mayer. We did not calculate percentages and/or predict
a breach. I will say we took significant efforts and investment
to increase our security, which included increasing the size of
the team by a factor of two. We did things like empowering our
users to opt out of passwords and into something called Yahoo!
Account Key. We increased our encryption, constantly changing
the types of encryption we used to thwart hackers. We
introduced a Bug Bounty where outside developers, if they
discovered a vulnerability, could report it, and we would
reward them. We hired outside teams to attack us and tell us
where our vulnerabilities were. We introduced machine learning
to monitor our system and evolve with the hackers to ultimately
identify when intrusions occurred. So we took extensive
actions.
Senator Moran. Let me turn to Ms. Zacharia. Is the
probability of a breach less today at Yahoo! than it was prior
to your acquisition of the company?
Ms. Zacharia. So, again, we don't calculate the probability
of a breach, but what we do do is what our----
Senator Moran. Well, let me ask the question differently
then. Are customers more secure today than they were prior to
the breach? Can a customer expect that it will have less
expectation that their data is at risk than before the earlier
breach?
Ms. Zacharia. Well, what I can tell you, Senator, is that
Verizon has always taken security very seriously, and we're
bringing that same focus and that same intensity that we've
always brought to protecting our customers and our network to
any new acquisition, including Yahoo!.
Senator Moran. What seems to be missing to me, the
assurance that, as a customer, however we define ``customer,''
should have a sense that they're safer today than they were
before, and I don't have any assurance from any of the response
to my questions that that's the case, that we ought to be just
as concerned today about a breach as prior to. And, you know,
what I hear is that we're talking all these steps.
Let me ask you this question: Do you believe that other
companies in a similar business, companies that have lots of
data that would affect consumers if there was a breach, are
they as vulnerable to breaches as your companies are and have
been? This is not limited to Yahoo!, it's not limited to
Equifax. Every other company that's in the data business is
just as vulnerable as you have been and are still today?
Ms. Mayer. I would point out that the list of efforts that
I discussed earlier were our ongoing defenses. In addition, in
response to the breach, we took significant steps, causing our
users to reset their passwords, changing our encryption,
changing the attack surface area of our systems and the access
that even internal employees had to those systems. So by all
means, we did respond and change the level of protection given
to our users.
Senator Moran. And, therefore, today, as a customer of
Yahoo!, I should feel how much better that my data is safe?
Ms. Mayer. I think it's difficult to quantify, but there is
no question, in my mind, that the users are better protected
today because these breaches were detected and remediated for.
Senator Moran. Are you spending all the money necessary to
increase that protection? Could they be safer if you did more,
or are you doing everything you can do?
Ms. Mayer. I am no longer with the company----
Senator Moran. That's true.
Ms. Mayer.--but I would say that certainly during my
tenure, that was the case.
Senator Moran. Ms. Zacharia?
Ms. Zacharia. Yes, and the security--exactly right, I
agree--the security teams at Verizon would tell you that their
job is to defend against any and all attacker, and that's
exactly what we're trying to do.
Senator Moran. And the company provides them with the
resources to accomplish that goal?
Ms. Zacharia. Absolutely.
Senator Moran. Mr. Barros.
Mr. Barros. It's the same for us.
Senator Moran. And the final question is, Do any of you
disagree that the Federal Trade Commission has jurisdiction
over your data breaches and has the ability to regulate and to
penalize for faults to prevent and then to penalize if there
are breaches? Do you all agree that FTC is your regulator and
has legal authority?
Mr. Barros. Enforcing it.
Senator Moran. Did you say unfortunately?
Mr. Barros. I said that they make sure the regulatory
perspective is in place.
Senator Moran. OK. Thank you.
Ms. Zacharia?
Ms. Zacharia. Certainly for the Yahoo! incident, I'm not
trying--so on the telecom side of Verizon, that's a little bit
of a complicated question, but for the Yahoo! incident that
we're here talking about today, absolutely.
Senator Moran [presiding]. I understand. Thank you very
much.
In the absence of the Chairman, I recognize Senator
Baldwin.
STATEMENT OF HON. TAMMY BALDWIN,
U.S. SENATOR FROM WISCONSIN
Senator Baldwin. Thank you.
I want to just start with a question of the panel: Mr.
Barros, Mr. Smith, and Mr. Wilkinson in particular. Just
identify if you have any information today about who hacked
Equifax, who possesses the personal identifying information of
about 145 million Americans, and what you believe they intend
to do with it? Can you identify to me if any of you have that
information today?
Mr. Barros. No, we have no evidence.
Mr. Smith. The only thing I'll add, Senator, is we engaged
the FBI on August 2----
Senator Baldwin. Yes.
Mr. Smith.--and have been working with and cooperating with
the FBI since August 2.
Mr. Wilkinson. In our experience, in the vast majority of
these breaches, once the breach has occurred, everyone owns
this data, because it's out in the public.
Senator Baldwin. Thank you.
So we all know that the Equifax breach compromised the
personal and financial information of more than 145 million
Americans. And we really can't even begin to know what
ramifications this failure will have to the families and
individuals that are impacted. And I think it's clear that
Equifax needs to do a lot more than it has to help victims
respond to this breach.
Mr. Barros, will you make a commitment right here and now
that Equifax will proactively notify every person who was
impacted in this breach, yes or no?
Mr. Barros. We have been notifying. We have been working
with consumers. We have improved our webpage and are making
sure that our social media efforts are active. We have been
working with the consumers that have reached out to us, and I
have a team working every day to make sure that we engage
consumers.
Senator Baldwin. I know that you have acted in areas where
state law demands that you do so. Where it doesn't, are you
going to reach out to each and every individual that you
believe was impacted by this breach to let them know?
Mr. Barros. We will execute according to the requirements
that they have in the law.
Senator Baldwin. And if there's an absence of law in a
state, you won't do anything?
Mr. Barros. We are actively engaging with consumers to make
sure that they use the product that we have today.
Senator Baldwin. Equifax set up a poorly functioning
process where people would have to go to the Equifax website to
find out if they were impacted. How many people have gone
through this process?
Mr. Barros. We have, as Mr. Smith mentioned in his
statement the last time, we had close to--initially--for a
period of time, we had close to 400 million hits.
Senator Baldwin. Do you know how many individuals?
Mr. Barros. 30 million individuals have----
Senator Baldwin. 30 million?
Mr. Barros. 30 million, yes.
Senator Baldwin. Out of 145 million. You mentioned call
centers in your testimony. Where are Equifax's call centers
located?
Mr. Barros. We have one call center in Lake City, Florida,
and we have one call center in Nevada, in Las Vegas.
Senator Baldwin. And where?
Mr. Barros. The two major operations that we have are in
Lake City in north Florida, where I visited a couple Saturdays
ago, and one in Las Vegas as well.
Senator Baldwin. Are there any out of the--outside of the
United States?
Mr. Barros. We use our--as a surge, for surge impact, we
use call centers in Costa Rica--sorry. We use call centers in
Costa Rica, we use call centers in other parts of the world.
That's correct.
Senator Baldwin. What other parts of the world?
Mr. Barros. It varies from Malaysia, India. It depends on
how the demand goes. Most of the calls that we have handled
recently have been for specific problems have been here in U.S.
Senator Baldwin. Most of them.
Mr. Barros. Yes.
Senator Baldwin. Equifax----
Mr. Barros. Out of the surge. I'm sorry. Out of the surge.
When we had a surge, we used the flexibility and capacity that
we have.
Senator Baldwin. Equifax is now offering free credit report
locking for life, but only offering credit report monitoring
through January 31, 2018. Will you make a commitment that
Equifax will offer free credit report monitoring for life?
Mr. Barros. We have the first service that was available,
which is TrustedID Premier. That is actually valid for a year.
So if you enroll before the end of January, you have another 12
months to use the product with the five characteristics that
have been described. The new product that we have put in place
where consumers can lock and unlock their credit file will be
available for free and for life at the end of January.
Senator Baldwin. And monitoring?
Mr. Barros. We don't have the scope of the project to offer
monitoring at this stage.
Senator Baldwin. Victims of this breach will really need to
be able to control access to the reports from all three credit
agencies to fully protect themselves. The other agencies charge
between $5 and $10 for each and every freeze. Will you be
offering rebates to the victims to cover their freezing costs
with the other reporting agencies?
Mr. Barros. Senator, I believe that the resolution has to
be one that protects the consumer, it has to be sustainable, it
has to be scalable, it has to be industry-driven, and we have
to work with the government to make sure that we reach out to
the consumers to execute that. We gave our first step forward,
which was to offer a service that consumers can check and lock
and unlock their credit data for free and for life. And we want
to work with the industry to make sure that there is a similar
capacity to do it for all credit reporting agencies.
Senator Baldwin. Mr. Barros, your firm recently completed
an internal review of the stock trades executed by four senior
Equifax executives prior to the public disclosure of the breach
and hack. The special committee report found that, quote, none
of the four executives engaged in insider trading. The report
failed to mention that Equifax's Chief Legal Officer, John J.
Kelley, approved some of the stock sales on the same day that
he called the FBI to alert it that the company had a problem.
It took Mr. Kelley two more weeks to inform the executives that
they were no longer allowed to sell stock. This is totally
inappropriate, and yet the report does not even mention Mr.
Kelley, and he still works for Equifax. I would like to ask
both Mr. Barros and Mr. Smith, do you believe Mr. Kelley's
failure to act was appropriate?
Mr. Barros. I think it's not my perspective to provide if
it was appropriate or not. The board has actively and
conclusively determined that the four executives did the
preclearance in a correct form. The board's special committee
continues to investigate and review the process as it related
to the cybersecurity incident, including policies and
procedures.
Senator Baldwin. Mr. Smith?
Mr. Smith. The only thing I would add, Senator, is there
was a full investigation by the independent directors of the
board. You saw the report. It was published I think it was
earlier this week or last week. The second thing I would say,
it is not unusual for us to engage outside counsel, outside
forensic experts, in this case, Mandiant, or the FBI. I
mentioned earlier to one of the Senators, we have 3 to 4
million suspicious activities, suspicious attempts at our
database around the world, so it's not unusual that--and, by
the way, he didn't engage the FBI, it was the security team.
That is not an unusual step in itself.
The Chairman [presiding]. Thank you, Senator Baldwin.
Senator Cortez Masto.
STATEMENT OF HON. CATHERINE CORTEZ MASTO,
U.S. SENATOR FROM NEVADA
Senator Cortez Masto. Thank you. And, first of all, let me
just say thank you, Chair, and the Ranking Member for holding
this hearing. I really appreciate that.
So let me start with Equifax and some of the concerns I
have. I'm from Nevada, and there are about 3 million people
there, and of the 3 million people, 1.3 million were impacted
by this breach. In fact, I received over 4 dozen letters. Let
me just give you an example of one of them. I have a woman in
Carlin who wrote, ``No citizen has a say in the reporting
practices of businesses to credit bureaus. I did not choose
Equifax to store my information, nor did my husband, nor any of
our children, yet it is there, and clearly Equifax did not do
enough to protect our information.''
So a couple of questions to start with, and I want to drill
down into the data that is collected because I think part of
this is the data collection, and we should be looking at that.
Equifax, my understanding of the breach of the 145 million
consumers, the data that was collected was names of those
consumers, Social Security numbers, addresses, birthdates,
driver's license numbers, and credit card information. Is that
true, yes or no?
Mr. Barros. In some cases, yes; in some cases, no.
Senator Cortez Masto. What other data do you collect on
consumers besides the data that I just identified?
Mr. Barros. Most of the data affected included Social
Security numbers, name, date of birth, and address, that's it.
Senator Cortez Masto. What other data do you collect other
than what I just----
Mr. Barros. We have a----
Senator Cortez Masto. So I'm going to ask for the record,
we'll submit that, if Equifax could provide me with that
question, that would be very helpful, because I'm curious, does
Yahoo! collect driver's license numbers?
Ms. Mayer. Not to my knowledge.
Senator Cortez Masto. OK. So I think that's helpful in this
discussion because to me the data breach that happened at
Equifax is egregious. It happens all the time. We're all
getting pinged. Government is getting pinged. Companies are
getting pinged. We've heard it. I think, from what I've heard
from Ms. Mayer, cybersecurity is a global challenge, we're
always all getting pinged.
It is incumbent upon all of us, including the private
sector, to not only have the top-line security, sophisticated
security, always evolving with it, always ensuring that you're
protecting that data, and when you fail to do that, then, yes,
you should be held accountable, and the reinforcement should be
swift, and consumers should be notified, and there should be
restitution for those consumers. But we haven't had the
discussion on the data. To me, that's what this is about
because, quite frankly, even those individuals that you work
with now and those consumers that had credit locks and credit
freezes, their data was still breached, correct?
Mr. Barros. Could be. If they----
Senator Cortez Masto. Right. So it doesn't matter because
that's what they're going to go after, is that Social Security
number. And I see, Mr. Wilkinson, you're nodding yes. Isn't
that correct?
Mr. Wilkinson. Yes, Senator.
Senator Cortez Masto. So shouldn't consumers be the ones to
say, ``I want to opt in or opt out when it comes to the data
that I am sharing with you''? Don't you agree?
Mr. Barros. Well, this is part of the way the economy
works. When you--when the consumer goes and----
Senator Cortez Masto. The consumer doesn't have a choice,
sir. The consumer does not have a choice on the data that
you're collecting. That's what I hear from my consumers. That's
what I hear all the time. I know it. And quite frankly, the
credit reports that I get as a consumer do not tell me all the
data that you're collecting on me. Isn't that true?
Mr. Barros. The credit report collects your--the trade
lines that we have on your--for your----
Senator Cortez Masto. That's true, isn't it? And let me
just say I was attorney general for 8 years in the State of
Nevada. Identity theft in the State of Nevada and across this
country is through the roof, and every day we dealt with
somebody whose identity was stolen. And what is so egregious
about what you have done is now for the rest of their lives,
the woman in Carlin and all of the people that I hear from
Nevada, of the 1.3 million people whose identities were stolen,
they are going to have to clear their record for the rest of
their lives.
And what does that mean? That means that somebody is going
to buy a boat in their name, a house in their name, people are
going to commit crimes in their name, and, believe me, as a
prosecutor, I've seen it. So they are spending the rest of
their lives clearing their record and their good name, and
that's why this is so egregious.
And I think you have an obligation not only to look at the
data that you're collecting, but make sure you're protecting
it, and if there is a breach, you are doing everything you can
to remediate and bring restitution to those individuals whose
information is stolen.
So let me talk to you because I've got a short period of
time. Mr. Wilkinson, you talked about the data and Social
Security numbers, and the idea that now we have to look at a
different way of identifying the PII. I'm very curious if you
have anything specific on what we should be doing when we're
looking at that data and PII that is shared and collected?
Mr. Wilkinson. Well, the first thing to note, and it has
been noted a few times, which is in the case of these breaches,
in the case of this most recent breach, 145 million items of
personal information were leaked. When you combine this with
other breaches that have occurred, and there's a list of
breaches that we could cite, we're getting very close to all of
the personal information in the United States has already been
breached in some way. So, of course, the question applies,
which is, what are we trying to protect at this point?
In the case of some of the financial card breaches, like
the Target breach from several years ago, or 3 years ago, that
we actually testified, my company testified on behalf of the
request to appear at that time, I think it was a good point to
compare and contrast between what has happened with some of
those breaches and in this case, and that is the financial
payment system is reasonably resilient.
In that case, despite the fact that it was a burden for
consumers, the ability for consumers to have a new card
reissued, have that fraud remediated, and be back in business,
the ability to do commerce, is relatively well known and
relatively resilient. In addition, the liability largely fell
to the financial institutions, the issuers of those financial
cards, credit cards, and debit cards.
So I think looking to some examples like what we see in
financial payments ecosystem is an example of a more resilient
system than what we have in this form of identity today.
But our identities are out there, so I continue to
reinforce that our position is that we would--we believe that a
more resilient identity framework needs to be brought forward.
There are several examples. I cited----
Senator Cortez Masto. And I'm running out of time, and I
know my time is up, but let me just say this. I agree with you,
our identities are out there. Some of us are--it's too late.
Mr. Wilkinson. Yep.
Senator Cortez Masto. But to our kids, it's not too late.
Mr. Wilkinson. Right.
Senator Cortez Masto. And we've got to look to the future
and protecting their information as well. So it is something
that to me, we--it's not static. We've got to continue to
figure out how we address this issue, if we're going to talk about
digital identities or the government coming up with something
different. But I do agree with you, that there should be that
public-private partnership. We've got to figure this out for
the benefit of those people that we're taking their data, and
they have no choice. They have no choice that companies are
taking their personal information, they're monetizing it, and
then they get stuck for the rest of their lives dealing with
the results of a breach.
Mr. Wilkinson. Right.
Senator Cortez Masto. So thank you.
The Chairman. Thank you, Senator Masto.
Senator Hassan.
STATEMENT OF HON. MAGGIE HASSAN,
U.S. SENATOR FROM NEW HAMPSHIRE
Senator Hassan. Thank you, Mr. Chair.
And good morning to all of our panelists.
This is a question to the panel, although the most relevant
example that we can call on is a response from Equifax this
summer to the major data breach it endured. There are state-by-
state laws requiring private and public entities to notify
individuals when there are security breaches of their
personally identifiable information. These laws represent the
lowest amount of communication required. I'm interested in what
companies are deciding to proactively do to help notify and
help the consumers affected by these breaches.
So we could start perhaps with Mr. Smith and Mr. Barros. I
know that you have both stated that Equifax has taken big steps
to further the consumer satisfaction in their interactions with
your company, but many of those steps seem to have come only
after public outcry to your initial response.
So my question more broadly is, Can each of you elaborate
on what considerations you and your companies take into account
when determining steps to notify and remediate the damage done
to consumers from data breaches?
Mr. Smith. Senator, if I may start, and, Mr. Barros, if you
want to add on, one of the notification processes we took
obviously very seriously, the state requirements as far as time
and notification----
Senator Hassan. But, of course, I'm asking beyond that
because those are minimal. So what are you guys now deciding to
do beyond that? And how do you--what considerations are you
making?
Mr. Barros. Well, my top priorities have been our consumer
response and hardening our security system. This is what I
mentioned at the beginning. On the consumer side, we definitely
made our call centers more scalable. We improved our platforms.
So in other words, you can get in and out--you can have access
within 3 minutes, you can have a response back from Equifax. It
is----
Senator Hassan. But I am also talking about your proactive
efforts to notify consumers beyond the requirements that state
law, for instance, gives you.
Mr. Barros.--correct. Now, with the amount of hits that we
have, we've been working with the consumers to make sure that
they use the services that we have provided for free for them
for the transition period, and we will continue to do that. We
are going to introduce our new app, which will allow consumers
to lock and unlock their Equifax credit file, for free, for
life.
Senator Hassan. Well, Mr. Smith.
Mr. Smith. Senator, the one thing I'd add is that the
process we did use was, one, legal and acceptable, and it
seemed like it worked. He mentioned we had four----
Senator Hassan. Again, I----
Mr. Smith.--consumers.
Senator Hassan.--we can pursue this on the record. That
isn't my question, and I want to get to the other panelists.
I'm asking for now, regardless of--state laws, at a minimum,
you have to follow it. But what are the factors that you are
considering when you decide when to notify a consumer? And if
any of the other panelists would like to answer just very
briefly, that would be helpful.
Ms. Mayer. At Yahoo!, we generally took a proactive stance
due to the global nature of our business, which is to say, yes,
laws vary from state to state, but our view was frequently if
user notification was required anywhere, we did it everywhere----
Senator Hassan. Right.
Ms. Mayer.--and we endeavored to be both accurate and
comprehensive because accuracy and comprehensiveness are very
important, as well as analyze how any data might have been
misused or abused, and also be swift in the response.
Senator Hassan. Yes, ma'am.
Ms. Zacharia. Yes. At Verizon, what we do is first we
always obviously look at what the law requires, but then we
look at what we think is the right thing to do for the
customer. And if in a particular situation we think it's the
right thing to notify the customer, then that's what we do.
Senator Hassan. Thank you.
Mr. Wilkinson. Our company doesn't hold consumer
information, so it's not applicable.
Senator Hassan. I didn't think so, but just checking.
I wanted to follow up with Mr. Barros about the difference
between credit lock and credit freeze services. Placing a
freeze on their credit is one of the best ways consumers can
protect themselves, of course, from identity fraud. Equifax has
stated that it will waive the fee for consumers to place a
freeze on their credit for several more months in response to
the major data breach earlier this year.
At that point, the company has stated, and I believe you
stated in your testimony, Mr. Smith, that it will offer
consumers the ability to lock their credit for free. Can you
please share with the Committee the legal differences between a
credit lock and a credit freeze in terms of consumers' rights
and protections, and who has access to a consumer's credit
report when it is frozen versus locked?
Mr. Barros. Fundamentally, there is no difference between a
lock and a freeze. When you freeze--when you freeze, you use a
regulatory process to do it, and you make a phone call, you
identify yourself, you get a PIN, and you're ready to execute a
freeze or not. The reason why we're offering a lock product is
the simplicity of the process. So in financial institutions,
they are trying to get to your file to open an account, and
won't be able to do that in either situation, if the file is
frozen, or if the file is locked.
Senator Hassan. Well--and I see that my time is up--I think
there are experts who would disagree with you in terms of your
statement that there is no difference between a freeze or a
lock. And one of the things I will follow up with you in
writing about is the degree of fees that Equifax gets from
helping consumers unfreezing or unlocking their information.
I thank you for your indulgence, Mr. Chair.
The Chairman. Thank you, Senator Hassan.
Senator Capito.
STATEMENT OF HON. SHELLEY MOORE CAPITO,
U.S. SENATOR FROM WEST VIRGINIA
Senator Capito. Thank you, Mr. Chairman.
I thank all of the panelists for being here today.
I want to start with a simple question to Mr. Barros. To
your knowledge, has any of the information that was breached--
driver's license, Social Security, birthdates, addresses,
credit card information--do you have any indication that any of
those customers that you--or folks whose data was breached has
been misused, or did you have any indication that somebody was
using this data to make other purchases or other things of that
nature?
Mr. Barros. To the best of my knowledge, it's premature to
make an assessment that it has been used already.
Senator Capito. Mm-hmm, mm-hmm.
Ms. Mayer, what about in terms of Yahoo! and the data that
was breached there? Did you have any indications at Yahoo! that
an individual's data had been misused? Was that a red flag that
was brought to your company?
Ms. Mayer. No, we saw no volume of reports. We did roll out
a program advanced protection against threats that notified
users if we saw any indication that their account might be
accessed by a state-sponsored attacker, and we rolled out that
program I believe in 2015. So users are notified in real time
if there is any suspicious activity on their accounts.
Senator Capito. Right.
So, Mr. Wilkinson, in light of the fact that you said all
this information is in the public domain, not just with the bad
actors, but out there in general probably, we would have to
assume that, I mean, you're assuming that, I would assume that,
does it surprise you that none of this information that's out
there has been used in a nefarious way that anybody can detect
at this point?
Mr. Wilkinson. Yes, it would surprise me if none of it had
been used in a nefarious way to this point given the timeframe
that we're talking about.
Senator Capito. Yes, and that surprises me as well.
Mr. Barros, you mentioned in terms of how individuals were
contacted, that obviously Yahoo! has a direct communication
with their customers through their e-mail accounts. All of the
data that's collected here does not seem to indicate any kind
of e-mail address or phone number that you can send out a mass
warning signal. So your customers basically have to opt-in to
find out. And you said you've been out on social media telling
the ways to do that.
Will that change your profile in terms of being able to
have quicker, more efficient, and wider spread way to
disseminate information to those of the folks who have
information that you're collecting, some kind of a
communication tool with all these individuals?
Mr. Barros. It frustrates us as well, because we would like
to have more proactive engagement with the consumer. As I said,
we have improved significantly our website. It's much more user
friendly today. It's easier to access. We have more phone
numbers available for consumers to ask questions. These phone
numbers are public. Our website has these phone numbers as
well.
We are proactively doing this through social media,
inviting people to talk to us----
Senator Capito. Right.
Mr. Barros.--to make sure that we can respond and direct
them to the right solution.
Senator Capito. Well, I can tell you that one of the ways
that people want to talk to you is when they get their credit
report and see something on there that they don't agree with,
and I think that your company through the years, and the credit
bureaus in general, have realized that this is an enormous
problem for the American consumer if there's a false entry on
their credit report, especially if it's one that knocks down
their credit rating. And I'm sure--I know that happens
frequently, and I know you've worked to try to correct this
problem and try to reach the consumer.
But I would hope that, having tried to do this myself with
my own personal credit report and experiencing how frustrating
it is to get through to whoever I was trying to get through to,
Equifax or the other two credit reporting agencies, to try to
register a complaint and work through the process, it's very
time-consuming and difficult.
So I'm going to assume that those processes are tightening
up, particularly in light of this security breach that we've
seen at your company in terms of consumer-friendliness.
Mr. Barros. Right. One of the top concerns that I have is
how to improve our response to consumers. We are looking at
this process to make sure that we have a better way to
communicate with consumers.
Senator Capito. And I'm also interested in your proposal to
lock your information as an individual that you said you would
have on-stream in January at cost-free where the customer could
opt-in and then opt-out, unlock and lock their own personal
data. How does that work in terms of your business framework?
If a consumer locks the data out, are you then locked out to
reporting to your customer how that customer's data would
influence their credit rating in terms of purchasing a home or
something like that?
Mr. Barros. Yes, it's part of the process. So the objective
that we have when we designed this service was to make sure
that the consumer would have the power in their hand to lock
and unlock their file----
Senator Capito. So when they have a locked file, it's
locked from you disseminating it to anybody?
Mr. Barros. Yes, nobody can have access to that information
in their file.
Senator Capito. OK. Thank you.
The Chairman. Thank you, Senator Capito.
Next up is Senator Gardner.
STATEMENT OF HON. CORY GARDNER,
U.S. SENATOR FROM COLORADO
Senator Gardner. Thank you, Mr. Chairman. Thank you to our
witnesses for being here today. I hear a lot of conversations
about your file, meaning your personal information. I've heard
it said that this is consumer information, this is personal
identification information.
Mr. Barros, can you tell me who owns the information that
you provide to your clients, customers?
Mr. Barros. According to the existing regulatory framework,
we own the information.
Senator Gardner. Does the consumer have any ability to say,
``I don't want you to have that information''?
Mr. Barros. They have the opportunity today to lock and
unlock their file, and, therefore, not allow anyone to have
access to it.
Senator Gardner. But do I have an ability to say, ``I don't
want Equifax to have any information about me''?
Mr. Barros. I understand that from the regulatory framework
that we have today, the consumer cannot delete their file.
Senator Gardner. So the answer is no. So I, as a consumer,
apply for a credit card or a bank loan. That institution then
provides it to you, and I have no ability to stop that from
happening.
Mr. Barros. You can lock and unlock your file.
Senator Gardner. So the answer is no, I can't stop that.
And the answer is no, I can't prevent you from getting it. So
whose information is this? Is it my file or is it your file?
Whose file is it?
Mr. Barros. According to the regulatory perspective, I have
the information----
Senator Gardner. So it's your file, not my file. So all the
information about me, all the consumer information I produce,
all the data, everything that I own that defines my life, I
have no control over that. Is that correct? Other than you've
got it and I can tell you whether I want you to give it or sell
it to somebody else.
Mr. Barros. This is how the industry framework----
Senator Gardner. I get it. I get it. Do you think it's
right, though?
Mr. Barros. I think it's not my perspective to say it's
right or wrong. This is the regulatory perspective that we work
under.
Senator Gardner. Who owns the credit card information that
you have on me? That's you then at that point, correct?
Mr. Barros. I just have a trade line on the credit card
information.
Senator Gardner. So do you think consumers should own their
data?
Mr. Barros. I think my----
Senator Gardner. Ms. Mayer, should consumers own their
data, own their own information?
Ms. Mayer. Yes, I believe that they should.
Senator Gardner. Should we be able to control our own
information, Mr. Barros?
Mr. Barros. Yes. This is the effort that we're making
through the process, where consumers should control the
information that we have, the credit----
Senator Gardner. But you're saying by putting a lock or an
unlock that can be hacked by somebody is consumer control?
Mr. Barros. If you lock and unlock--when you lock and
unlock your file, nobody can have access to your file.
Senator Gardner. Would you support a mechanism that allowed
consumers to say, ``I don't want that information to go to
Equifax, Experian, TransUnion''?
Mr. Barros. This is a decision that is bigger than our
industry. I think we need to understand how the economy is
going to behave in that situation.
Senator Gardner. Mr. Smith, it's my understanding that the
data access through Equifax's consumer dispute portal was not
encrypted at rest. Is that correct?
Mr. Smith. Correct.
Senator Gardner. If the answer is yes, as you said it was,
was the fact that this data remained unencrypted at rest the
result of an oversight or was that a decision that was made to
manage that data unencrypted at rest?
Mr. Smith. There are multiple tools we use and used to use
when I was there to secure data: encryption at rest, encryption
in motion, tokenization, masking, firewalls, multiple layers of
security. Encryption is only one. If you look across our----
Senator Gardner. So a decision was made to leave it
unencrypted at rest?
Mr. Smith. Correct.
Senator Gardner. Mr. Barros, since you took over, as part
of your internal response to the breach, have you directed the
company to encrypt such data, or have you been recommended to
encrypt such data, so it is encrypted at rest?
Mr. Barros. We have done a top-down review, a comprehensive
top-down review, of our security situation. We use outside
companies to help do that: PwC and Mandiant. We are
strengthening----
Senator Gardner. So let me just--a yes-or-no question, Does
the data remain unencrypted at rest?
Mr. Barros. It's going to be part of the process that has
been reviewed----
Senator Gardner. Yes or no, does the data remain
unencrypted at rest?
Mr. Barros. I don't know at this stage.
Senator Gardner. You don't know if this--this is the reason
why it was breached, is that correct?
Mr. Barros. This----
Senator Gardner. This data was unencrypted.
Mr. Barros. Encryption is one form of defense. We have
several forms of defense and tools in place now that can help
prevent this from happening again.
Senator Gardner. And the data remains unencrypted at rest.
Mr. Barros. We have deployed several different tools, and
encryption is one tool.
Mr. Smith. Senator, if I may. It's my understanding that
the entire environment in which this criminal attack occurred
is now much different. It's a more modern environment with
multiple layers of security that did not exist before.
Encryption is only one of those levels of security.
Senator Gardner. There are other experts, the privacy
experts here. Is it a reliable, safe methodology to leave this
data unencrypted at rest?
Mr. Wilkinson.
Mr. Wilkinson. I think we've spoken of the high value of
identity information and what it can be used for today.
Certainly, as Mr. Smith noted, encryption is one of the tools,
but certainly from our company's perspective, a very important
one to be used for data that is data of this type that is of
high value.
Senator Gardner. So your answer is----
Mr. Wilkinson. Yes.
Senator Gardner.--it is irresponsible to leave this
unencrypted at rest.
Mr. Wilkinson. Other segments of the industry, I've
mentioned a few examples, of the payments ecosystem have PCI
requirements that require this kind of information, credit card
data at retailers and things like that, to be encrypted. In
this case, it was not.
Senator Gardner. When, Mr. Smith--I know my time is
expired, if I could ask one more question--when specifically
did you notify the other credit reporting agencies about the
breach?
Mr. Smith. Senator, we notified them when we notified the
public.
Senator Gardner. So the public and the other--and that was
around August. Can you give me the date again?
Mr. Smith. September 7 was when we went live with the----
Senator Gardner. September 7. The breach occurred August 2.
September 7?
Mr. Smith. No. We saw suspicious activity on the twenty-
ninth and thirtieth of July, notified the FBI the second----
Senator Gardner. The second. I'm sorry, that was the
second, yes.
Mr. Smith. That's when we notified the FBI. And we went
public with it on the seventh of September.
Senator Gardner. So the seventh of September is when the
other credit rating agencies also received that information.
Mr. Smith. That's when we went public with the entire
breach, yes.
Senator Gardner. Thank you. Is Equifax currently under
investigation by the Department of Justice or SEC?
Mr. Smith. There are multiple investigations.
Senator Gardner. Thank you.
The Chairman. Thank you, Senator Gardner.
Senator Young.
STATEMENT OF HON. TODD YOUNG,
U.S. SENATOR FROM INDIANA
Senator Young. Thank you, Chairman.
I thank our panelists for being here today.
Ms. Mayer, you were CEO of Yahoo! at the time of the
largest data breach in all of human history, the so-called 2013
and 2014 breaches. You've testified here today that the 2014
breach was state-sponsored, but you have not concluded that the
2013 breach was state-sponsored, is that correct?
Ms. Mayer. We have not been able to determine who
perpetrated the 2013 breach.
Senator Young. OK. Thank you. You've testified today you
didn't learn of either data breach until 2016, is that correct?
Ms. Mayer. I learned of the breaches at the scale reported
in 2016 in December----
Senator Young. What does that mean?
Ms. Mayer. In December 2014, we saw a Russian intrusion in
our network, and we saw 26 individuals all with Russian
connections and political interest in Russia with accounts
compromised. We notified the FBI, and we put in place a special
notice for those users that had to be dismissed by user action
to make sure they were aware that this had happened.
Senator Young. Thank you. Is it correct that you didn't
learn of the 2013 breach until 2016?
Ms. Mayer. That's right.
Senator Young. OK. What sort of information can you provide
this Committee that supports your claims, that you didn't learn
of the 2013 breach until 2016?
Ms. Mayer. Our board formed an independent committee, and
they have reported on their findings.
Senator Young. OK. And that's all publicly available?
Ms. Mayer. Yes.
Senator Young. OK. Thank you.
Mr. Smith, Mr. Barros, the former and current CEOs of
Equifax, I'm grateful for your presence here today. I represent
over 6.5 million Hoosiers. 3.8 million Hoosiers, 3.8 million
Hoosiers, 60 percent of Indiana's population, was impacted by
Equifax's data breach. Can you see why they feel like companies
like Equifax don't have their back? Yes?
Mr. Smith. Yes, Senator.
Senator Young. OK. You know, one of the tragic things about
this whole episode is that many of these Hoosiers, many
Americans won't discover until a number of years down the road
that there was in fact a data breach. A single mother of a few
children gets a new job in Gary, Indiana, goes to buy a car
because this job requires her to drive, and she finds out her
credit has been ruined. What is Equifax going to do to remedy
the situation for that single mother?
Mr. Smith. Let me jump in first, maybe then you can add to
it.
That was the idea behind the lifetime ability to lock and
unlock your file we talked about in four prior hearings. If
it's locked, Senator, you don't have the ability to go rent a
house falsely in your name or rent an apartment, get access to
a credit card.
Senator Young. That's prospective and prophylactic,
defensive, and it seems like a good thing to do. Let me return
to that momentarily.
I will say, you know, we've had these massive data
breaches, and it is effrontery to the basic sense of fairness
to most Americans that the top executives leave with tens of
millions of dollars. I'm not trying to make a class warfare
argument, but when I see the United States Navy just fired two
top officers in the Pacific on account of some sailors that
died in the wake of the USS John McCain situation, and they
were separated from the military service because of a loss of
confidence, I think this is an issue that we collectively in
Congress need to start discussing more seriously.
If the titans of free enterprise here in the United States
of America don't take more seriously--and I'm talking about
boards as well as executives--when things like this happen,
it's just--it offends the sensibilities of most Americans. Can
you understand that, why that would offend the sensibilities of
Americans, for them to be on the receiving end of a data
breach, and within months, somebody leaves with tens of
millions, maybe hundreds of millions, of dollars?
Mr. Smith. I understand your point, Senator, but as I've
said in prior testimonies, I left with nothing except a
pension. I've asked for nothing. I waived my bonus. There is no
equity coming next year. I'm working for 3 months to 6 months,
as long as needed for free, in an advisory capacity.
Senator Young. Yes.
Mr. Smith. What I'm walking away with, it was all disclosed
in the proxy, is my pension.
Senator Young. Yes.
Ms. Mayer, you don't need to answer the question. I don't
mean to personalize it, I'm just talking about culturally, big
business in this country.
I would like to touch on one policy issue before I move
forward. So the idea of the credit reporting agencies moving
forward will give consumers the right to request a locking of
access to their credit files at no cost to them.
Can you pledge, Mr. Barros, that 5 years from now, Equifax
won't be charging consumers to lock and unlock their credit
files? And would you be opposed to Congress implementing a law
today that states unequivocally that industry can't charge to
lock or unlock an unlimited number of times each year?
Mr. Barros. Thanks, Senator. The proposal that we have put
forward, which we definitely expect to lead the industry in
that direction, where consumers can lock and unlock their
files, is free, for life. This is a commitment that I have
made, and I definitely welcome the conversation with the rest
of the industry and the government.
Senator Young. Thank you for that. Thank you all.
The Chairman. Thank you, Senator Young.
Senator Cantwell.
STATEMENT OF HON. MARIA CANTWELL,
U.S. SENATOR FROM WASHINGTON
Senator Cantwell. Thank you, Mr. Chairman, and thank you
for holding this hearing. We've had several larger Commerce
Committee hearings on cybersecurity, certainly had some in the
Energy Committee, and I think Homeland Security has had some. I
think the Armed Services Committee has had some.
I think now is the time for us to be very serious about
passing legislation, as we did out of the Senate, that would
help us fight the issue of cyber crime, and particularly help
strengthen our critical infrastructure against state actor
attacks, as Ms. Mayer mentioned. But these aren't the only
things that are being attacked; our networks at nuclear power
plants, our pipelines, a whole variety of things.
And as we continue to grow the economy of the Internet of
Things, in the hearing we just had, I guess that was yesterday,
we also heard about how more devices and more connectivity
means more data entry portals for people to attack. So a couple
of things about--so I hope our Committee will join in the
efforts to get cybersecurity legislation over the goal line
this year. I think it's not too soon to act.
I, too, want to bring up that there are 3 million
Washingtonians that were impacted by the Equifax, according to
my information. It's my understanding, Mr. Barros, that a patch
was available that was not implemented, like a basic hygiene
issue wasn't followed. Is that correct?
Mr. Smith. That is correct.
Senator Cantwell. Why can't Mr. Barros answer that
question? Because he doesn't know or because----
Mr. Smith. He was not in the position at the time.
Senator Cantwell. OK.
Mr. Barros. Yes, I came to the position 6 weeks ago, and my
understanding is the same as Mr. Smith's, that what happened
was a combination of human error and technology. I defer to him
because he actually lived through this process.
Senator Cantwell. What was the technology error if a patch
was available and it wasn't implemented by an employee? And the
reason I'm asking you about this----
Mr. Barros. Sure.
Senator Cantwell.--and I understand the dual role here, but
my point is this: we have to do both. The issue of
cybersecurity is here, it's here. It's a national security
issue, it's a consumer issue, it's a, you know, future issue on
identity theft and the ability for individuals to protect the
things that they hold dear.
So we have to do both. We have to, at the Federal level, up
our game and make sure that we're making investments to help on
critical infrastructure and certainly addressing this issue on
an international basis. What do we need to put into place on an
international basis to get people on the same page in fighting
cyber crime? We have to do that. But at the same time, we need
to make sure that everybody gets hygiene and that the hygiene
of your day-to-day business and even your home computer and
everything else is going to be a critical aspect of the world
that we now live in. So I want you to know and be able to speak
to the fact that, you know, one individual failing to put a
patch in place caused this much damage.
Mr. Barros. Since I got to this job, my first priority has
been to harden our security systems. We have done a
comprehensive review of the process: improving our patching
capabilities, improving our tools, updating our tools, and
making sure the vulnerability detection process is much more up
to speed at this stage. We have changed our policies to make
sure that we have redundancies and ``closed loops'' in place to
improve the accuracy and precision of our execution.
Senator Cantwell. Do you think it's good enough to have
voluntary safeguards for the industry, or is it time to have
something more stringent?
Mr. Barros. I understand the safeguards that we have. I
think they provide the scope in which we complied with the
scope before. The industry is ahead of that in many
perspectives, deploying new tools, using new tools. We
definitely welcome the conversation.
Senator Cantwell. I would say that we need something more
at this point in time, that if on the hygiene issue, one
employee was able to miss something as critical as this and put
so much data at risk, that we need something to make sure that
this is implemented.
Does anybody else on the panel want to answer that
question?
Mr. Wilkinson?
Mr. Wilkinson. The vulnerability that we're speaking about,
now that you want the specifics of it, was called the Apache
Struts. It came out--we were aware of it in March, we became
aware of it in March publicly. This is a zero-day
vulnerability. These types of vulnerabilities are serious, and
they happen more often than we'd like to speak about. When we
become aware of zero-day threats, our need to react to those
kinds of threats is quick and has to be conclusive.
This is something that we're going to continue to see. It's
not new, it's going to continue to happen. This concept that
you continue to speak about, Senator, of cybersecurity hygiene
is a very important one, because I liken it a little bit to
locks on doors. We can speak for a bit about the fact that no
matter what we do, there is still some vulnerability in our
ecosystem, there is some possibility that we'll be breached,
but some of these best practices are, frankly, just like locks
on your front door. Just because that's not going to protect
you against all crime, you still put a lock on your front door.
Good cyber hygiene includes things like reacting quickly to
zero-day threats.
Senator Cantwell. Exactly. That is my point exactly. Thank
you so much for that because you just explained that you have
to have--we have our national labs working day and night
against the unbelievable amount of attacks that are happening
every single day. We have all of this effort that we're now
going to try to do both in getting a skilled workforce that
this Committee had a hearing on to doing everything, but we
need companies to follow a hygiene with great religious
feverance. I believe that we have to help do our part, too,
because if state-owned actors are going to continue to hack, we
need to do something, but we need the companies to follow a
hygiene and be very religious about it.
Thank you, Mr. Chairman. I know my time has expired.
The Chairman. Thank you, Senator Cantwell.
Next up is Senator Peters.
STATEMENT OF HON. GARY PETERS,
U.S. SENATOR FROM MICHIGAN
Senator Peters. Thank you, Mr. Chairman, and thank you so
much for putting together this hearing. This is an incredibly
important topic, and I think it angers most folks as they hear
about this incident and the impact that it's going to have on
over 140 million Americans in the case of the Equifax breach,
over 4 million in my state. And I just want to pick up and
expand a little bit before I have some questions on Senator
Cantwell's questions to Mr. Wilkinson.
My understanding--I just want to be clear of this--this was
a vulnerability that was discovered, there was a patch created.
The information went out. And that means, what my understanding
is when these go out, bad guys find out about them as well.
You're basically broadcasting that there is a vulnerability
that people can figure out pretty easily. So at least some of
the experts I've talked to have said this was not a
sophisticated hack, it was a pretty simple hack because the
roadmap was pretty much put out for folks to take.
So we've had discussions about national or state actors
involved, highly sophisticated networks. This was just
basically a roadmap was put out for the bad guys, and they
jumped in and got in. Is that correct?
Mr. Wilkinson. It is. I think that it goes back to the
discussion of when zero-day threats are publicized, they do
create a bit of a roadmap for the bad guys, as you said, which
is one of the reasons why the need to respond quickly to close
down those types of threats in your ecosystem is very, very
important.
Senator Peters. Right.
Mr. Wilkinson. Again, it's best practices, it's hygiene.
Senator Peters. Well, and I just want to paint the picture
for the American public to know that basically a roadmap was
put out for all the bad guys out there who want to do us harm,
that there is a vulnerability, and we have a company that has
some of the most sensitive personal information about each and
every one of us, and as we heard from testimony earlier, we
don't have any choice in the matter. Companies can collect all
this information, and they don't even take the time to look at
a roadmap that has just been out that there's a breach.
You know, I can't think of a clearer definition of gross
negligence anywhere. A company that has been entrusted with
this most sensitive data, and customers didn't have a choice
for you to hold it, and you're holding it. I didn't ask Equifax
to have that information. No one asked to do that. You're
holding that, and you don't take the precautions when a roadmap
has been put out.
So I guess, you know, the other question to you, Mr.
Wilkinson, is that after a breach has occurred, is it
oftentimes a criminal may wait some time, too, before using
this data?
Mr. Wilkinson. Absolutely.
Senator Peters. So this may be a while before we actually
see it being used?
Mr. Wilkinson. Yes.
Senator Peters. Can you say, in your professional opinion,
is there ever a point after a breach, especially one of this
magnitude, where consumers can no longer fear the formation of
fraudulent accounts where this could be used against them?
Mr. Wilkinson. No, Senator. I think that goes back to my
original comments, which is this type of data being out in the
wild, if you will, is forever now exposed and will never be
credibly used for secure identity again.
Senator Peters. So we have to worry about this the rest of
our lives.
Mr. Wilkinson. Yes.
Senator Peters. So we have to worry about this the rest of
our lives.
Mr. Barros, you mentioned that there is free credit
monitoring for one year. Is that correct for folks who may have
been victims of this?
Mr. Barros. Yes. It started since we announced the breach
on September 7. We extended the opportunity to enroll until the
end of January, and after that point, you still have 12 months
of free credit monitoring.
Senator Peters. So why only 12 months when we've heard that
we have to worry about this the rest of our life?
Mr. Barros. Because we believe--I believe, I strongly
believe, that the actions that have to come out of this
incident have to be to protect the consumers.
Senator Peters. For one year.
Mr. Barros. No, for----
Senator Peters. Why not for the rest of their life, which
is the----
Mr. Barros. The product that we have offered today is a
step forward in that direction where the consumer can lock and
unlock their file, and it's free for life.
Senator Peters. But that is only with your company. This
information, as we heard, can now be used for any of the other
access to any other credit reporting agencies. There are all
sorts of avenues now that you can basically use this
information to create a false identity, and you're saying that
your response, as a company, you can lock your credit with us
going forward, but you still have vulnerabilities with all of
the other agencies. They'll just go to--I mean, this is pretty
simple if you're a bad guy, just don't go to Equifax, go to one
of the others. I've got the keys to the kingdom. I'm going to
go other places.
You know, we have to create incentives, and I've heard that
from the panelists, incentives to stop this type of behavior
and to make sure people put the highest standards in place, and
certainly gross negligence should never be acceptable. To me,
what we need to do is, from an incentives standpoint, is if
you're giving information of mine, and I did not ask to have
that information given, I understand you make money when you
provide information to financial institutions, you make money
on my information, which I have never asked you to use.
At a minimum, you should let me know you're making money
off of that information, and I should actually give you
permission to give my information out. If you're going to make
money, I don't understand why I don't have the ability and the
tools for any kind of agency right now to be able to make sure
that I have control, as we've talked about. This should be my
information that we control.
So I'm out of time right now, but I think, you know, this
raises a host of major issues related to privacy and control of
data. And right now, we don't have the kinds of incentives to
get companies to really protect that information. You profit
from that information. You don't protect that information. You
allowed a simple, unsophisticated hack to have access to 140
million people's most private information.
There needs to be some strong liability. Companies that do
not protect information and jeopardize Americans for the rest
of their life need to be subjected to strict liability and need
to be stepping up and making sure that those consumers are
protected for the rest of their lives. And hopefully that's
something we can consider as we move forward in this Committee.
Thank you so much.
The Chairman. Thank you, Senator Peters.
I have Senator Markey, who has returned. Senator Markey, Senator
Duckworth, and Senator Klobuchar.
STATEMENT OF HON. EDWARD MARKEY,
U.S. SENATOR FROM MASSACHUSETTS
Senator Markey. Thank you, Mr. Chairman, very much. Mr.
Chairman, the public wants us to do more to protect their
privacy and security, yet earlier this year, Congress formally
rescinded the Federal Communications Commission's broadband
privacy and security rules, which ensured that broadband
companies, like Verizon, adopt reasonable data security
protections.
These protections ensured broadband providers implement up-
to-date best data security practices, provide appropriate
oversight of security practices, properly dispose of sensitive
information, and notify affected consumers within 30 days of a
breach. Yet, Verizon opposed these data security and privacy
protections and played an instrumental role in ensuring that
they were, in fact, repealed.
Broadband providers, like Verizon, argued that we needed a
light-touch regulatory framework like those governing websites
like Equifax and Yahoo!. Well, 3 billion Yahoo! account users
and 145 million Americans have now learned that light-touch
means hands-off, light-touch means no protections, light-touch
means free rein. And now, because of congressional action, free
rein for broadband providers, like Verizon, to collect, use,
share, and sell consumers' most sensitive information without
their consent is the law, free rein to ignore reasonable data
security protections and avoid promptly notifying consumers
when their sensitive information has been compromised.
Ms. Zacharia, your testimony states that security has
always been in Verizon's DNA. And during today's hearing you
stated that Verizon would support national data security
legislation. But Verizon actively and vigorously lobbied to
eliminate these data security and privacy breach notification
protections. How are these two positions consistent?
Ms. Zacharia. Senator, Verizon believes that there should
be a single national framework when it comes to data security
and privacy. We do support legislation in both of those areas,
and we'd be very happy, as I said earlier, to work with your
office or other members of this Committee on what that
legislation should look like, but we do think that there should
be one overarching framework, and the CRA was not that.
Senator Markey. Yes. Well, here's where we are: now we have
nothing. You know, now we have nothing. So you repealed the law
that actually required that there be protections. Now we have
nothing.
And from my perspective, you didn't have to repeal one of
the most comprehensive data security and privacy frameworks to
develop a national data security framework. You could have
advocated for Congress to give the Federal Trade Commission the
authority to prescribe data security protections to websites as
well. Instead, Verizon opted to eliminate the rules altogether.
So that's the problem that we have right now, that we had
very strong, you know, data security and privacy protections
that were on the books, and they were removed as part of a CRA,
a vote on the floor of the Senate and the House earlier this
year.
So as we sit here, we hear concerns about the need to have
legislation. We had it. We had it. And it was going to actually
work in terms of ensuring that we would have those regulations
that would be put on the books. But, instead, we don't have
anything.
So I guess in retrospect, do you think it was in the public
interest to eliminate these data security and breach
notification protections, Ms. Zacharia? If you could go back in
time earlier this year, would you still remove those
protections from the books?
Ms. Zacharia. Yes, I would, Senator. And, again, we do
think that there should be national data breach----
Senator Markey. Right. No, I appreciate that. We had it.
You advocated strongly to remove the protections. OK? That's
what you did. And even today you're not regretful at all. OK?
But that's going to be the environment within which we're
working right now. That's where Yahoo! was. That's where these
other companies were over in FTC land. OK? And we had a
stronger regime that was in place and going to be made even
stronger.
And that's, in fact, what the American people want. They
want real teeth to be put into these laws. They want real
accountability from the private sector in terms of the
guarantee that there is real security around this data that
goes right to the very identity of who people are as citizens
of our country. And instead of toughening those laws this year,
there was a weakening, a serious weakening.
And I think ultimately we're going to pay a big price as
year after year goes by because ultimately it's not talk, it's
going to be action that makes the difference. And those actions
had been taken, they were on the books. They were starting to
put a little teeth into the protections, and now that is gone.
Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Markey. Obviously some of
us have a difference of opinion on that subject. I think there
are ways that we can address data breach that don't
specifically have as their principal objective enriching class-
action lawyers, but I do think rather than rehashing that
debate, we ought to be looking at what we can do to prevent
breaches. I'm sure that government enforcement agencies, like
the FTC, which can help make consumers whole, have the tools
they need to hold bad actors accountable.
Next up is Senator Duckworth.
STATEMENT OF HON. TAMMY DUCKWORTH,
U.S. SENATOR FROM ILLINOIS
Senator Duckworth. Thank you, Mr. Chairman, and also
thanking the ranking member for convening this important
meeting. As today's proceedings made clear, the harm caused by
these massive data breaches is incredibly far-reaching. And I
just want to take a moment to highlight how both states and
Federal Government entities rely on these agencies, such as
Equifax, for services, for credit monitoring--for credit
services.
For example, Equifax's loss of millions of Social Security
numbers endangers the well-being of our nation's veterans, who
receive VA disability benefits. Now, at the current time, the
VA allows veterans to use a wide variety of methods to interact
with the Department. If a veteran is not comfortable going
online, he or she can actually manage their disability benefit
account by fax.
So, for example, a veteran can fax a request to change the
bank account into which their VA disability benefits are
deposited, and those changes will be made if the form includes
a Social Security number that matches the name of the
requestor. This policy and process was likely created in an era
when your valid Social Security number could serve as an
effective authentication tool. Obviously, that is no longer the
case.
So my initial questions to you, Mr. Barros and Mr. Smith,
is simple. Following Equifax's loss of millions of Social
Security numbers, what concrete steps did the company take to
notify government agencies, and specifically the United States
Department of Veterans Affairs, of the urgent need to
strengthen authentication policies to prevent service-disabled
veterans from having their benefits stolen?
Mr. Barros. We have--my team has actively worked with the
Department of Defense, the veterans associations, the
Department of Veterans Affairs, the CFPB, and the Senate, in
order to make sure that we enhance the communication process
and have solutions that allow military service members to be
informed about how to protect themselves using our services.
Senator Duckworth. So when you went public with the
information on the breach, when did you contact the DoD or the
Department of Veterans Affairs to inform them of the
significance of the breach and what they would have to do to
strengthen their processes?
Mr. Barros. I can say what I did since I got here. I asked
my people to make sure that they contacted DoD and the veterans
associations, and they have done that recently, in the last 2
or 3 weeks.
Senator Duckworth. Just a few weeks ago.
Mr. Barros. Yes.
Senator Duckworth. So was anything done? Mr. Smith, do you
know? Was anything done when the breach was known and when it
became public?
Mr. Smith. Specific to the veterans?
Senator Duckworth. Specific to government agencies in
particular, but specifically to----
Mr. Smith. Yes.
Senator Duckworth.--agencies in particular, but
specifically to the U.S. Department of Veterans Affairs and to
the Department of Defense.
Mr. Smith. Not that I'm aware of.
Senator Duckworth. So you just left our veterans exposed.
Mr. Smith. I'm saying not that I'm aware of.
Senator Duckworth. Not that you're--well, I'd like to know.
So please find out and provide me with that information.
Mr. Smith. We'll do that.
Senator Duckworth. So I want to be clear, the theft of VA
disability benefits is an urgent problem that can be
financially devastating for veterans who need these funds to
pay their rent, to afford their groceries, and to keep the
lights on. Even when a veteran notices that their disability
benefit was not received, and contacts the VA, this merely
represents a first step in what is an unacceptably complex and
onerous bureaucratic maze that a veteran must navigate to get
their disability benefits restored.
So as I understand it, this is what has to happen when a
veteran discovers that, say, their disability check did not go
into the bank account that it normally goes into. And thinking
back to when this breach occurred, you'll see that veterans
could still be suffering because you did not tell the VA, or
hopefully you told them, but I--you have no evidence that you
have.
First, the VA must confirm that with the financial
institution, where the money was sent erroneously, that it
received the information. Then the VA has to work out an
agreement with that financial entity to return those funds back
to the U.S. Treasury Department's general fund. Then the VA
must get a confirmation from the Treasury that the fraudulent
payment was actually recouped, and then wait until Treasury
actually returns the funds to VA before the VA will then send
that money back to the veteran. In the best case scenario, this
process can take weeks, but I wouldn't be surprised it would
take many months.
Now, my office has warned various veteran service
organizations of the need to notify their members of this
danger. And I'm working with the VA to strengthen
authentication policies and procedures. However, Mr. Barros,
given your company's role in failing to safeguard this critical
data, I would like Equifax's commitment to work with the VA,
the veteran service organizations, and with individual veterans
to provide valuable support and services, such as unlimited,
free credit freezes, and monitoring for life. Will you make
that commitment on behalf of the men and women who are willing
to lay down their lives to protect you and your family and your
business here in this country?
Mr. Barros. We have, again, actually engaged with the
Department of Defense and the veterans association, the
Department of Veterans Affairs, and the CFPB, and the Senate.
They will be offered the product that we have--they can use----
Senator Duckworth. So you're not going to offer credit
monitoring to all veterans who have been affected by your data
breach for life?
Mr. Barros. We're going to offer for them the lock and
unlock product, which will provide the same barrier----
Senator Duckworth. Again, again, as my colleague, Mr.
Peters, just mentioned, that does not apply, that doesn't help,
because the bad guys are going to go somewhere else. So
basically you're saying that you will not make this commitment
to our Nation's veterans.
Mr. Barros. I have----
Senator Duckworth. The people who protect your very ability
to make money, who protect your freedoms, you will not support
our veterans? Our disabled veterans who were wounded in their
service to this country, you will not provide credit monitoring
to them for life?
Mr. Barros. We believe the lock and unlock product is a
safer product than the monitoring that we have.
Senator Duckworth. So the answer is no.
I'm overtime. I yield back, Mr. Chairman.
The Chairman. Thank you, Senator Duckworth.
Senator Udall.
STATEMENT OF HON. TOM UDALL,
U.S. SENATOR FROM NEW MEXICO
Senator Udall. Thank you so much, Chairman Thune, and thank
you for holding this very important hearing. I must say some of
the testimony is pretty discouraging here.
There were 846,188 New Mexicans whose identity and possibly
their creditworthiness was endangered by the blatant
carelessness of Equifax employees. When you previously
testified, Mr. Smith, you specifically said that the data that
was stolen was stored in plain text and had not been encrypted.
This is an unacceptable practice for an organization with such
power over consumers' lives. And it's painfully clear that
Americans cannot rely on large companies that store their data
to protect it.
As one possible solution, Congress should consider banning
the use of unverified Social Security numbers in commerce.
There is the potential for strong bipartisan support for this.
Social Security numbers were never intended to be used as
universal online IDs. I'm glad to hear that the White House is
looking at this idea, and Congress should also evaluate this
possibility as well.
In that regard, this Committee should take a closer look at
the work that the National Institute of Standards and
Technology has initiated with the Trusted Identities Group to
develop secure online IDs and to ban the use of unverified
Social Security numbers. I look forward to working with others
and building on the work this group has already undertaken.
The following are yes-or-no questions for all of the
panelists. And I'm interested in banning the use of unverified
Social Security numbers. Is it necessary for online commerce to
rely on a Social Security number?
Mr. Barros.
[Pause.]
Senator Udall. Please give me a yes or no. It's a simple
question.
Mr. Barros. The Social Security number was developed in
1936. I think we need to have a better digital identifier when
dealing with e-commerce.
Senator Udall. So your answer is yes, it's necessary to
rely on it.
Mr. Barros. Today, some sites do rely on it. It's not--in
our case----
Senator Udall. Mr. Smith?
Mr. Smith. I'd love to see it replaced. Until there is a
replacement, it's the standard.
Senator Udall. Yes. Ms. Mayer?
Ms. Mayer. Yahoo! does not collect or store Social Security
numbers, so we did not need it for the conduct of our business.
Senator Udall. Yes.
Ms. Zacharia. Verizon is very happy to work with this
Committee and others to come up with an alternative for Social
Security numbers.
Senator Udall. Thank you.
Mr. Wilkinson?
Mr. Wilkinson. Social Security numbers, a static identity,
as a basis for our online identities, will not be secure, is
not secure, and will never be secure in the future.
Senator Udall. Do your businesses--another yes-or-no
question--do your businesses require a consumer's Social
Security number before you will do business with them?
Mr. Barros. Most of our business is done business-to-
business, so we deal mostly with entities.
Senator Udall. So----
Mr. Barros. It's just a small portion of our business that
requires information that there is on the consumer side.
Senator Udall. Mr. Smith?
Mr. Smith. I concur.
Senator Udall. Ms. Mayer?
Ms. Mayer. No.
Senator Udall. Ms. Zacharia?
Ms. Zacharia. The answer is no, but it is part of--it's not
a requirement, but it is part of a typical way that we'll go
through a credit check for a new customer.
Senator Udall. Mr. Wilkinson?
Mr. Wilkinson. We're focused in the B2B area, and I don't
collect consumer information and Social Security numbers.
Senator Udall. Thank you.
Another question, do you think the development of a
security digital ID could break the cycle of data breaches and
identity theft?
Mr. Barros. Yes.
Mr. Smith. Yes.
Ms. Mayer. I think it's necessary, but not necessarily
sufficient.
Senator Udall. Ms. Zacharia.
Ms. Zacharia. Yes.
Mr. Wilkinson. Yes.
Senator Udall. And the final one, do you think it's
worthwhile for Congress to consider legislation to restrict the
use of unverified Social Security numbers and other personal
information while promoting the use of secure digital
identification?
Mr. Barros. I need to understand the proposition, how it's
going to be, but essentially anything that can move us forward
from a static number, we'll be supportive.
Senator Udall. OK. The same?
Mr. Smith. I agree.
Senator Udall. Yes. Ms. Mayer?
[No audible response.]
Senator Udall. Yes. Just for the record, is that a yes or
no?
Ms. Mayer. I don't know that my opinion matters, but yes.
Senator Udall. Yes.
Ms. Zacharia. I agree.
Senator Udall. Yes.
Mr. Wilkinson. Yes.
Senator Udall. Mr. Wilkinson, yes.
The Trusted Identities Group is comprised of a public-
private partnership to promote the adoption of an easy-to-use
digital identity. And I'll just ask the final question here. I
was wondering if you would work with this group. But since I'm
running out of time here, will you commit to working with my
office on ways to improve the current working group and expand
its efforts?
Mr. Barros. Definitely.
Senator Udall. Thank you.
Mr. Smith.
[No audible response.]
Senator Udall. Yes.
Ms. Mayer?
[No audible response.]
Senator Udall. Yes.
Ms. Zacharia?
Ms. Zacharia. Absolutely.
Senator Udall. Thank you. Thank you.
Mr. Wilkinson. Yes.
Senator Udall. Thank you very much, Mr. Chairman. And I
really appreciate you holding this hearing. I know that there
was great interest on both sides of the aisle. And I think what
I've seen today, I've been here for a long time listening today
to the testimony, there are a lot of good ideas, and hopefully
we can find a bipartisan way to really deal with a very tough
situation.
Thank you very much.
The Chairman. Agreed. Thank you, Senator Udall.
My neighbor from Minnesota, Senator Klobuchar.
STATEMENT OF HON. AMY KLOBUCHAR,
U.S. SENATOR FROM MINNESOTA
Senator Klobuchar. Well, thank you very much, Mr. Chairman.
And I thought, given that I'm the last one here to ask
questions, I would use this opportunity to welcome Mr.
Wilkinson. I hope things have been going well from my home
state here before us again. And Entrust Datacard employs more
than 2,200 workers worldwide, and 800 of them in our state. So
thank you for being here.
So I'll start with you. And I know much of this ground has
been covered, but not this exact question. In your testimony,
you mentioned Brazil's model of issuing dynamic identities to
citizens. And in this model, the government partners with
industry to provide consumers options to access digital
certificates for identification. How do they ensure that the
government's private partners can keep citizens' information
safe?
Mr. Wilkinson. So some of the models that--you know, Brazil
is a great example, but there are certain models, Senator, that
we can share with you that are being used around the world that
I wouldn't necessarily promote in the U.S. in terms of, you
know, where the center of the trusted identity lies. But
certainly the framework that they've built for secure identity
is one that's very close to what we're proposing in terms of
looking forward to the framework for a secure identity going
forward.
The comment Senator Udall made just a few moments ago
talking about NIST and the work that they're doing with the
Trusted Identities Group is one that we follow very closely.
And they're actually also doing really good work that we would
love to spend more time with the Committee speaking about and
helping to describe what security identity could look like in
the future.
Senator Klobuchar. OK. Thank you very much.
Mr. Smith appeared before us in Judiciary, and I think I
expressed my--the shared frustration I have with others in the
Senate about what went on.
But I thought I would focus with you, Mr. Barros, on what's
happening now. So Equifax has announced that it would be
launching this app--right?--in January that will allow
consumers to lock and unlock personal credit data while
providing consumers with more control over their credit
information is a positive step. We don't want to have new
avenues for hackers. So are there additional cybersecurity
challenges that come with this mobile technology? And how is
the product going to be tested?
Mr. Barros. The product is being developed as we speak. We
are on time to deliver this in January. One of the advantages
of the system is the simplicity and how consumers can actually
understand and use the application to do that. We just started
our development tests now. And this is a straight connection to
our main files, so it has all the security needs and
requirements that will make the product be in compliance with
security.
Senator Klobuchar. OK. I've been working a lot, of course,
on the election issue, since I'm the Ranking on Rules, and
we've been really concerned. Senator Graham and I have a bill
to upgrade our election equipment when we had attempts to hack
21 state elections equipment, manufacturers, or software
companies. And so I see this as kind of going hand-in-hand with
the attacks I've seen on some of my companies, like Target and
other places.
Ms. Mayer, you know, we have individual hackers, and then
we also have these state-sponsored attacks, like what we
believe occurred in the 2016 election. So in your experience at
Yahoo!, how do state-sponsored attacks differ from those
committed by individual hackers?
Ms. Mayer. In many cases, the motivation is different. And
I would also say that they tend to be much more sophisticated,
much more----
Senator Klobuchar. The state-sponsored.
Ms. Mayer. The state-sponsored tend to be much more
sophisticated, persistent, they last for longer periods of
time, they attack more targets. And they span over often
several companies trying to stitch together a picture of what
they're actually seeking, and they are very good at hiding
their tracks.
The four people indicted in the case with Yahoo!, one of
them, Alexsey Belan, is considered to be perhaps the most
sophisticated and dangerous hacker in the world today, and he's
a central figure in many of these ongoing investigations. But
when you're that empowered, well-funded, motivated, and
sophisticated to work such a complex campaign, especially
across multiple targets and sources, it's an issue.
Senator Klobuchar. So what do you think we could be doing
differently for those kinds of state-sponsored attacks? What
should we be doing out of Congress, when you look at the whole
scope of things, the business, the government, the election
equipment?
Ms. Mayer. I think that really aggressive pursuit of the
hacking is important. And I was really pleased with the FBI and
Department of Justice's work with Yahoo! to bring the people
who perpetrated the crimes against us to justice. And I think
that we should be empowering them legislatively and financially
to pursue hacking because right now there is just not enough of
a disincentive to hack either on a commercial or criminal level
or a state-sponsored level.
Senator Klobuchar. And these would be international cases,
a lot of them obviously, and then they could involve sanctions
or other things if we find that. But that's what you're talking
about, much more aggressive about going after these in addition
to doing everything we can to protect the software.
Ms. Mayer. Yes. And one of the individuals in the Yahoo!
case was apprehended in Canada and has been extradited to the
U.S.
Senator Klobuchar. Mm-hmm. Good example. And I think on the
election side, you know, it's different. We have to get backup
paper ballots. It's a one-time occurrence, but it is a lot of
the same issues that business is facing as well.
So thank you very much.
Thank you.
The Chairman. Thank you, Senator Klobuchar.
I think we--you guys made it through.
We will keep the record open, and we'll allow Members to
submit questions for the record for a couple of weeks, but we
will want to close it out. So if you could respond as quickly
as you can in writing to the questions that the members of this
Committee submit, we'll get them included in the record.
And, again, I appreciate all of you being here today. I
think this has shed a lot of light on this subject. And as was
mentioned earlier by a number of the members on both sides of
this Committee, we have an interest in moving forward on the
legislative front in a way hopefully that will be effective in
helping to prevent these types of cyber attacks in the future.
So thank you again. And with that, this hearing is
adjourned.
[Whereupon, at 12:31 p.m., the hearing was adjourned.]
A P P E N D I X
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Response to Written Questions Submitted by Hon. John Thune to
Paulino do Rego Barros, Jr.
Question 1. On October 6, Equifax advised the Committee that it
would send direct mail notices to consumers whose credit card numbers
or dispute documents with personal identifying information were
impacted. It also advised that it would mail written notices to all of
the additional potentially impacted U.S. consumers--about 2.5 million--
identified since the September 7 announcement. Please provide an update
on the status of these notices, including what challenges Equifax has
faced in attempting to comply with 52 separate data breach notification
laws.
Answer. Equifax has completed mailing written notices to the three
populations identified above. While the 52 separate data breach
notification laws generally require notice to be sent to residents when
a consumer's personal information is acquired in an unauthorized manner
that compromises the security or confidentiality of that information,
statutes vary with regard to several aspects of the breach notification
requirements.
Generally, the most significant differences to reconcile include
the threshold for issuing a substitute notice versus a direct notice,
the required timing and content of the notification, regulator notices,
and the definition of personally identifiable information (``PII'').
While most states have the same general content requirements, some
states have specific content requirements that typically require
separate form notification letters in order to comply. As a result, the
information consumers receive about a multi-state incident may differ
depending on where they reside and the requirements of their states.
For example, California requires specific titles and headings,
Massachusetts notifications cannot include information about the nature
of the breach or the number of affected individuals, and Maryland and
North Carolina require that state-specific Attorney General contact
information be included in notices to their residents.
Notable variances in state breach notification statutes ultimately
result in varying levels of information being provided to consumers and
regulators depending on their state's specific requirements.
Question 2. Does Equifax support the enactment of a single Federal
breach notification standard? If so, what form should it take?
Answer. Yes. A single Federal breach notification standard would
help ensure that all impacted consumers and regulators receive the same
information regarding a breach incident in an efficient and expedient
manner. Lawmakers may want to consider key elements in developing a
Federal standard including:
Direct and Substitute Notices: All state statutes provide for a
substitute or alternate notice versus a direct notice to consumers
depending on the cost of a direct notice, the universe of affected
consumers residing in the state, or the lack of sufficient contact
information for the consumers. States agree that flexibility is
important when considering notification, and that all breach incidents
should not necessarily require a direct notification to all impacted
consumers.
Timing: Many states require notification ``in the most expedient
time and manner possible and without unreasonable delay'' following the
discovery of a breach (for example, New York and California data breach
statutes). This guidance allows the breached entity time to determine
the scope of the incident and the number of consumers impacted, and to
restore the integrity of systems before moving forward with public
notification. While a minority of states require notice within a
specific time frame, generally between 30 and 45 days, most states
recognize that it is important for a breached entity to conduct an
investigation and to complete corrective actions before providing
notification. This will help ensure that the security or technological
vulnerability has been addressed and the breach notification is
provided to the correct consumers and includes the most accurate
information regarding the incident.
Content Notification: Most states have the same general content
requirements and allow for a breached entity to provide a ``standard''
letter to a majority of impacted consumers that includes the date of
the breach; a general description of the incident; the type of PII
impacted; contact information for the breached entity; contact
information for the consumer reporting agencies, the Federal Trade
Commission and Attorneys General; steps taken to prevent a further
breach; and advice to consumers regarding protecting against identity
theft. Some states, however, have state-specific requirements that
require separate form notification letters, as noted in the response
above. Consistent content notification requirements across all states
would ensure that consumers receive the same information regarding a
breach incident regardless of where they reside. Further, the breached
entity would likely be able to make the disclosure more quickly and
efficiently, to the benefit of consumers.
Regulator Notices & Enforcement: Some states require notice be
provided to the state's Attorney General or other state regulators. A
Federal breach law may want to consider consolidating regulator notices
to a single Federal authority to streamline the initial notification,
centralize follow-up requests and information regarding the incident,
coordinate communication among various stakeholders, and, ultimately,
enforce a Federal breach notification standard.
Other provisions to consider when evaluating a Federal breach
notification standard should include whether PII is ``acquired'' versus
``accessed,'' whether the breached entity is a ``data owner'' versus a
``maintainer,'' the definition of PII, a risk-of-harm analysis, data
encryption, and ``electronic'' versus ``paper records.''
Question 3. On October 6, Equifax advised the Committee that it is
in the process of contacting U.S. state and Federal regulators and has
sent written notifications to all U.S. state attorneys general, which
includes Equifax contact information for regulator inquiries. Please
provide an update on the status of Equifax's efforts to contact U.S.
state and Federal regulators regarding the breach.
Answer. Equifax notified the Federal Bureau of Investigation
(``FBI'') about the incident in question on August 2, 2017. Equifax
notified the Federal Trade Commission (``FTC'') and the Consumer
Financial Protection Bureau (``CFPB'') via phone calls on September 7,
2017, at approximately the same time Equifax published its official
press release announcing the cybersecurity incident. In addition,
Equifax provided written notifications to 52 state attorneys general on
September 7, 2017. Upon the completion of the forensic investigation,
Equifax also provided supplemental notifications to those 52 state
attorneys general on October 12, 2017. We continue to cooperate with
these regulators and law enforcement agencies, among others, in
connection with the cybersecurity incident.
Question 4. At the time of the data breach, was Equifax in
compliance with the FTC Safeguards Rule? If so, do you believe the fact
that the data breach occurred signals that the rule should be
strengthened?
Answer. Data security and integrity are of paramount importance to
Equifax. Equifax has a formalized security program supported by
administrative, technical, and physical safeguards focused on the
protection of consumer data. Equifax has a security team in place that
is responsible for the coordination and execution of the Company's
information security program. The security team reports to Equifax's
Chief Security Officer, who reports directly to Equifax's CEO, and
operates using defined plans and procedures for responding to security
incidents, which are revised on a regular basis. Security incidents are
classified according to severity and escalated to management personnel
as appropriate. The security team includes dedicated incident response
managers and a Cyber Threat Center, which is staffed by security
professionals and uses technological capabilities to monitor the
Company's network. Equifax has physical safeguards in place to secure
its data centers. The data security incident that Equifax disclosed on
September 7, 2017, does not by itself suggest that the Safeguards Rule
needs revision. Equifax will be better informed to make regulatory and
legislative observations after the internal and external reviews of the
incident have been completed.
Question 5. What specific steps has Equifax taken to comply with
the Safeguards Rule since it discovered the data breach?
Answer. Equifax is conducting a root cause investigation related to
the incident announced on September 7, 2017 and is dedicated to
resolving any issues identified as a result of that investigation.
Moreover, Equifax has already made important improvements to its
data security infrastructure. It is further hardening its networks,
changing its procedures to require ``closed loop'' confirmation when
software patches are applied, rolling out new vulnerability detection
tools, and strengthening accountability mechanisms. Equifax has
implemented certain technological remediation steps as described in the
Mandiant executive summary, which was submitted to this Committee on
September 25, 2017. Equifax has also engaged PwC to help identify and
implement a security program transformation, including tactical
immediate changes, strategic remediation, and operational improvement
initiatives that will allow the Company to strengthen its long-term
data protection and cybersecurity posture.
Question 6. Does Equifax have any evidence showing that consumers
have experienced identity theft or other harm as a result of the data
breach? If so, please provide this evidence.
Answer. Equifax has not seen evidence that consumers have
experienced identity theft or other financial harm as a result of the
cybersecurity incident.
Question 7. Has Equifax identified any of the hackers or other
persons or entities that obtained consumer information from the company
in connection with the data breach?
Answer. Equifax is conducting an internal investigation into this
incident and continues to work closely with the FBI in the FBI's
investigation into this matter. At this time, Equifax is not aware that
the perpetrators have been identified.
______
Response to Written Question Submitted by Hon. Dean Heller to
Paulino do Rego Barros, Jr.
Question. Protecting data isn't just about the Internet--it's also
about the physical security of data. In my home state of Nevada, we
have the only Tier 5 rated data centers in the world. The best security
and reliability you can get from a data center. What standards are you
following to ensure that the data you manage is physically secure?
Answer. All Equifax facilities, including owned and operated data
centers, are governed by the Equifax Corporate Security Policy and the
Equifax Physical Security Tier Standard. Under the company's standard,
Equifax data centers and data storage facilities are classified as
``Tier 1--Critical Operations Facilities'' and have the most stringent
physical security requirements, including among others:
Security Intrusion Detection Systems and 24X7 Monitoring;
Man Traps;
Electronic access control systems;
Minimum two-factor authentication;
Formal access provisioning including formal visitor logs;
Cameras monitoring access points; and
Security guards.
In addition, Equifax performs annual Physical Security Surveys of
data centers, which include assessments of the effectiveness and
completeness of the controls in place based on identified risks to the
data center and the requirements of the Equifax Physical Security Tier
Standard. Equifax also performs preventative maintenance and testing of
all electronic physical controls.
______
Response to Written Questions Submitted by Hon. Bill Nelson to
Paulino do Rego Barros, Jr.
Question 1. Under Florida state law, breached companies must notify
affected consumers of a breach within 30 days. They can delay
notification if they receive explicit permission from law enforcement.
Was Equifax in compliance with Florida state law? Did the company
receive permission from law enforcement to delay notification?
Answer. The Company worked diligently with Mandiant to conduct a
detailed forensic analysis over the course of several weeks in order to
determine what information was accessed and identify potentially
impacted consumers in order to provide notification and an appropriate
public disclosure of the incident. As soon as the company understood
the potentially impacted population, it provided notification pursuant
to all state data breach notification laws and rolled out a
comprehensive support package to consumers on September 7, 2017.
Question 2. Do you agree that we need Federal legislation that sets
up a robust breach notification requirement that sufficiently protects
consumers, provides the Federal Trade Commission (FTC) with the
authority to promulgate data security standards, and provides for
strong Federal and state enforcement authority?
Answer. A single Federal breach notification standard would help
ensure that all impacted consumers and regulators receive the same
information regarding a breach incident in an efficient and expedient
manner. Lawmakers may want to consider key elements in developing a
Federal standard including:
Regulator Notices & Enforcement: Some states require notice
be provided to the state's Attorney General or other state
agencies. A Federal breach law may want to consider
consolidating regulator notices to a single Federal authority
to streamline the initial notification, centralize follow-up
requests and information regarding the incident, coordinate
communication among various stakeholders, and ultimately,
enforce a Federal breach notification standard.
Direct and Substitute Notices: All state statutes provide
for a substitute or alternate notice versus a direct notice to
consumers depending on the cost of a direct notice, the
universe of affected consumers residing in the state, or the
lack of sufficient contact information for the consumers.
States agree that flexibility is important when considering
notification, and that all breach incidents should not
necessarily require a direct notification to all impacted
consumers.
Timing: Many states require notification ``in the most
expedient time and manner possible and without unreasonable
delay'' following the discovery of a breach (for example, New
York and California data breach statutes). This guidance allows
the breached entity time to determine the scope of the incident
and the number of consumers impacted, and to restore the
integrity of systems before moving forward with public
notification. While a minority of states require notice within
a specific time frame, generally between 30 and 45 days, most
states recognize that it is important for a breached entity to
conduct an investigation and to complete corrective actions
before providing notification. This will help ensure that the
security or technological vulnerability has been addressed and
the breach notification is provided to the correct consumers
and includes the most accurate information regarding the
incident.
Content Notification: Most states require the same general
content requirements, and allow for a breached entity to
provide a ``standard'' letter to a majority of impacted
consumers that meets the requirements including the date of the
breach; general description of the incident; type of PII
impacted, contact information for the entity; contact
information for the consumer reporting agencies: the FTC and
Attorneys General; steps taken to prevent a further breach; and
advice to consumers to remain vigilant including reviewing
account statements, reporting unauthorized activity to law
enforcement and information regarding fraud alerts and security
freezes. Some states, however, have state-specific requirements
that typically require separate form notification letters, as
noted in the response above. Consistent content notification
requirements across all states would ensure that consumers
receive the same information regarding a breach incident
regardless of where they reside. Further, the breached entity
would likely be able to make the disclosure more quickly and
efficiently, to the benefit of consumers.
Other provisions to consider when evaluating a Federal breach
notification standard should include whether PII is ``acquired'' versus
``accessed,'' whether the breached entity is a ``data owner'' versus a
``maintainer,'' the definition of PII, a risk-of-harm analysis, data
encryption, and ``electronic'' versus ``paper records.''
______
Response to Written Questions Submitted by Hon. Richard Blumenthal to
Paulino do Rego Barros, Jr.
Question 1. Does any Federal agency currently have any kind of
authority to examine Equifax's records and data security procedures?
Answer. Equifax is subject to continuous examination by the CFPB,
as well as the possibility of enforcement actions by the FTC and CFPB.
Question 2. Would you support efforts to protect the public's
personal and private information by giving the FTC supervisory
authority over non-bank financial institutions, such as credit
reporting agencies?
Answer. Equifax supports efforts to protect the public's personal
and private information, and is happy to engage with Congress about the
specific details of any proposed legislation that would help achieve
that goal.
Question 3. What is the difference between a credit lock and a
credit freeze?
Answer. At the most basic level, the lock and freeze do the same
thing: they prevent creditors and other lenders from accessing your
Equifax credit report, including criminals trying to open unauthorized
new accounts. Unless a consumer gives permission or takes an action,
such as removing, unlocking or lifting the freeze or lock, a lender or
other creditor cannot access the consumer's Equifax credit report with
a security freeze or a credit file lock in place.
Security freezes (also known as credit freezes) were created in the
early 2000s, are subject to regulation by each state, and use a PIN
based system for identity authentication. Credit file locks were
created more recently, are mobile-enabled, and use modern identity
authentication techniques, such as username and passwords and one time
passcodes for better user experience. The lock is a reliable, safe, and
simple option for consumers to lock and unlock their credit file from
their own personal device.
Detailed directions for freezing or locking an Equifax credit file
are set forth on the company's website. The directions are paraphrased
below:
Lock--To lock your Equifax credit file, enroll in TrustedID
Premier. This credit lock and monitoring service is free for
one year to all consumers who enroll by January 31, 2018. Once
you have finalized your activation in TrustedID Premier, visit
www.trustedid.com, login and simply click the lock button.
There are some exceptions where a lock may be delayed or may
not be possible.
To unlock an Equifax credit file, once you have finalized your
activation in TrustedID Premier, visit www.trustedid.com, log
in and simply click the unlock button.
Freeze--An Equifax security freeze can be placed by mail,
phone, or online. Equifax has waived the fee to add, lift, or
permanently remove a security freeze through January 31, 2018.
Any freeze activities after January 31, 2018 may be subject to
the fees provided by your state of residence. The easiest and
fastest way to freeze your Equifax credit file is by using
Equifax's online process found at the following link:
www.freeze.equifax.com. If you choose, you may also request a
security freeze by calling Equifax's automated line at 1-800-
685-1111. NY residents please call 1-800-349-9960. You may also
submit your request in writing to:
Equifax Security Freeze
P.O. Box 105788 Atlanta, Georgia 30348
When you freeze your Equifax credit file, you will receive a
10-digit randomly generated PIN from Equifax that you will need
to save and have available should you choose to temporarily
lift or permanently remove the freeze in the future.
Question 4. Brian Krebs, the founder of cybersecurity website
KrebsOnSecurity.com, has written that some credit lock services could allow for
access to consumers' credit files that a freeze might not. What is your
response to that concern?
Answer. Locking an Equifax credit file will prevent access to a
consumer's Equifax credit file by certain third parties. Locking the
Equifax credit file will not prevent access to the consumer's credit
file maintained by any other credit reporting agency. Entities that may
still have access to a consumer's locked Equifax credit file include
companies like Equifax Global Consumer Solutions, which provide
consumers with access to their credit report or credit score, or
monitor the consumer's credit file; federal, state, and local
government agencies; companies reviewing a consumer's application for
employment; companies that have a current account or relationship with
the consumer, and collection agencies acting on behalf of those whom a
consumer owes; for fraud prevention and detection purposes; and
companies that make pre-approved offers of credit or insurance to the
consumer. Consumers can opt out of pre-approved offers at
www.optoutprescreen.com.
Similarly, under state freeze laws certain third parties, like
those mentioned above, may continue to have access to a frozen Equifax
credit file.
Question 5. Can you commit that users of the new credit lock
program, or any other program your company intends to offer to
consumers to remedy their credit, will not be subject to mandatory
arbitration clauses?
Answer. Equifax is not currently offering any subscription services
to consumers for purchase. Equifax will not include an arbitration
clause in connection with the forthcoming credit lock service that will
be available in January 2018.
Question 6. Do you plan to target advertisements to users of this
new credit lock program, or collect and sell their data?
Answer. Equifax intends to empower consumers with control over
their Equifax credit file through the free lock service available at
the end of January 2018. At this time, Equifax does not plan to include
advertisements or sell the consumer's information to any third party.
Equifax currently intends to use the information provided by the
consumer to authenticate the consumer, maintain the consumer's Lock &
Alert account, and educate the consumer about Equifax products and
services.
Question 7. Why not create a service allowing users to easily
freeze and temporarily unfreeze their credit--instead of `lock' and
`unlock'?
Answer. Please see response to question #3 (Blumenthal). Security
freezes are free on Equifax credit reports through January 31, 2018.
Question 8. Are you collaborating with the other credit reporting
agencies to develop a tool so consumers can easily freeze and unfreeze
their credit across all agencies? If not, can you commit to doing so?
Answer. Equifax is committed to working with the entire industry,
including Experian and TransUnion, to develop solutions to
cybersecurity and data protection challenges we all face.
Question 9. Do you agree that users affected by the Equifax breach
were harmed--even if they never ultimately become victims of identity
theft or their data is not accessed?
Answer. Equifax believes that the best way for consumers to protect
themselves and prevent any harm from occurring as a result of the
incident is to enroll in TrustedID Premier and utilize the free lock
service beginning in January.
______
Response to Written Questions Submitted by Hon. Tammy Duckworth to
Paulino do Rego Barros, Jr.
Question 1. Please describe how Equifax informed Federal agencies,
including the Department of Defense, the Department of Veterans
Affairs, and the Consumer Financial Protection Bureau, that the private
data of servicemembers and Veterans was potentially compromised. Please
include the specific dates that Equifax notified each agency, copies of
the notifications that were provided, and any advice and guidance
Equifax provided on how best to protect Veterans and Servicemembers.
Answer. Equifax is committed to helping military service members.
The company has been in direct communication with the Department of
Defense (as of November 1, 2017) and CFPB's Office of Servicemember
Affairs (as of October 24, 2017), and is working on efforts to inform
servicemembers, including those impacted by the cybersecurity incident,
regarding the incident and the various options available to them, such
as the free TrustedID Premier service, security freezes, and active
duty alerts, as well as other relevant information.
In addition, in response to the cybersecurity incident, Equifax
developed a robust package of remedial protections for each and every
American consumer--not just those affected by the breach--to protect
their credit information. The relief package includes (1) monitoring of
consumer credit files across all three bureaus, (2) access to Equifax
credit files, (3) the ability to lock the Equifax credit file, (4) an
insurance policy to cover out-of-pocket costs associated with identity
theft, and (5) dark web scans for consumers' social security numbers.
All five of these services are free and without cost to all Americans,
including Veterans and servicemembers.
Question 2. Please share in detail the specific actions Equifax
will take to ensure every Veteran and servicemember affected by this
data breach will not have to worry about missing their disability check
or becoming a victim of credit fraud.
Answer. In response to the cybersecurity incident, Equifax
developed a robust package of remedial protections for each and every
American consumer--not just those affected by the breach--to protect
their credit information. The relief package includes (1) monitoring of
consumer credit files across all three bureaus, (2) access to Equifax
credit files, (3) the ability to lock the Equifax credit file, (4) an
insurance policy to cover out-of-pocket costs associated with identity
theft, and (5) dark web scans for consumers' social security numbers.
All five of these services are free and without cost to all Americans,
including Veterans and servicemembers.
Equifax has also taken steps to empower consumers to control access
to their personal credit data moving forward. The Company announced a
new credit lock service that will be available by January 31, 2018,
that will allow consumers to control their own credit data, by allowing
them to lock and unlock their credit files at will, for free, for life.
Finally, in addition to the services described above, security
freezes, fraud alerts, and active duty alerts are available to help
protect against credit fraud.
Question 3. If Equifax is unwilling to provide a guarantee of
lifetime protections and credit freezes to servicemembers and Veterans,
please explain why that is the case. Please include in your explanation
any cost estimate(s) that Equifax produced or purchased projecting the
cost of providing lifetime protection for Veterans, servicemembers, and
any other class of American consumers for which Equifax obtained such
cost estimates.
Answer. Equifax is committed to supporting and protecting our
servicemembers and Veterans.
With respect to credit freezes, please note that in March 2017, the
Consumer Data Industry Association announced that the three nationwide
consumer reporting agencies (Equifax, Experian, and TransUnion) will
begin offering free credit file security freezes for eligible members
of the United States Armed Forces beginning in the first half of 2018.
Under these new guidelines, active duty servicemembers will be able to
place, lift, and remove a security freeze on their credit files at no
charge, regardless of whether they have been the victim of identity
theft or not.
Additionally, Equifax has announced a new service that will be
available by January 31, 2018, that will allow consumers to control
their own credit data, by allowing them to lock and unlock their credit
files at will, for free, for life.
Finally, Equifax would gladly participate in discussions regarding
recently proposed legislation and other Congressional proposals focused
on protecting our servicemembers and Veterans.
Question 4. As of April 1, 2017, more than 1,500 credit fraud
complaints had been filed by active duty servicemembers with the
Consumer Financial Protection Bureau. With news of the breach at
Equifax, that number is likely to increase exponentially over the
coming year. According to the Fair Credit Reporting Act, servicemembers
are protected by statute with an Active Duty Alert. Please share how
often Equifax provides Active Duty Alerts for servicemembers and
describe the process they must go through to place an Active Duty Alert
on their information.
Answer. Any active duty member of the military may request an
active duty alert for their Equifax credit file by using Equifax's
online service, phone, fax, or U.S. mail. All active duty
servicemembers can place an active duty alert either themselves or via
a power of attorney.
By placing an active duty alert, (1) an alert will be included on
the servicemember's credit report, which notifies creditors that they
should take extra precaution to confirm the servicemember's identity
before extending credit in his or her name, (2) the servicemember's
name is removed from preapproved firm offers of credit or insurance
(prescreening) for 2 years, and (3) information regarding the active
duty alert is referred to all three nationwide consumer reporting
agencies (Equifax, Experian, and TransUnion), so the servicemember need
only contact one and it will be activated on all three. Unless a
shorter period of time is specified, the active duty alert lasts 12
months.
For more information regarding the number of active duty alerts
placed in 2016 and 2017, please see the response to the question below.
Question 5. How many Active Duty Alerts for servicemembers did
Equifax provide in calendar years 2016 and 2017?
Answer. During calendar year 2016, Equifax placed approximately
41,900 active duty alerts for servicemembers. During calendar year
2017, Equifax has placed approximately 86,200 active duty alerts for
servicemembers.
Question 6. Will Equifax extend this alert to Reservists, National
Guard Soldiers and Airmen, and Veterans by December 31, 2017? If not,
please explain why.
Answer. Equifax respectfully submits that, as set forth in Section
605A(c) of the Fair Credit Reporting Act (``FCRA''), an active duty
alert applies to active duty military consumers and must be directly
requested by the active duty military consumer, or an individual acting
on behalf of or as a personal representative of the active duty
military consumer. However, even though an active duty alert applies
only to active duty servicemembers, under the FCRA, Reservists,
National Guard Soldiers and Airmen, and Veterans who are not on active
duty can still place a fraud alert, which provides many of the same
protections as an active duty alert, if they assert in good faith a
suspicion that they have been or are about to become a victim of fraud
or related crime, including identity theft.
______
Response to Written Questions Submitted by Hon. Catherine Cortez Masto
to Paulino do Rego Barros, Jr.
Question 1. When can I expect a substantive response to my letter
dated September 2017 regarding Equifax's position on mandatory pre-
dispute arbitration clauses and S.J. 47, Senate legislation seeking to
nullify the Consumer Financial Protection Bureau's rule limiting use of
such clauses?
Answer. Equifax is not currently offering any subscription services
to consumers for purchase. Equifax will not include an arbitration
clause in connection with the forthcoming credit lock application that
will be available in January 2018.
Question 2. Outside of the data (Social Security numbers,
addresses, birth dates, driver's license numbers and credit card
information) listed in your testimony in Committee, what other specific
data does Equifax collect on consumers?
Answer. Equifax works with a wide range of data furnishers, vendors
and with consumers directly to collect PII about consumers such as
their names, tax identification numbers, e-mail addresses, phone
numbers, IP addresses, and device identifiers. Equifax also works with
data furnishers, partners, and vendors from many industries to gather
information such as credit payment history, telecommunications and
utilities payment history, employment and income history, public
courthouse records, direct-measured deposits and investments,
demographics, property detail and valuations, commercial payment
history and profiles, education history, government sanctions lists,
and auto-related information from sources such as motor vehicle
registrations.
Question 3. Can you confirm what specific ``digital targeting
segments'' of consumers that Equifax's IXI Service provides?
Answer. Equifax's IXI Service has over 400 ``digital targeting
segments'' that are available on the market for use with delivering
advertising to audiences in a digital environment.
Question 4. Is it true that among Equifax IXI's ``digital targeting
segments'' are consumers who may need a ``sub-prime credit card,'' a
``revolver'' (someone with a high balance and will have to accrue
interest charges), a ``likely student loan target,'' and ``active debit
card users?''
Answer. Yes.
Question 5. Do you support offering consumers the opportunity to
view all the information held on them that is not displayed on credit
reports?
Answer. When a consumer receives a copy of his or her credit report
from Equifax Information Services LLC (``EIS''), the consumer receives
all information EIS has on that consumer.
Question 6. Do you support offering consumers the opportunity to
delete parts of their data?
Answer. Equifax will not offer consumers the opportunity to delete
their personally identifiable information or remove accurate
information on a credit report, except as required by law under the
FCRA, 15 U.S.C. Sec. 1681 et seq., or applicable state laws.
As stated in the FCRA, ``the banking system is dependent upon fair
and accurate credit reporting. Inaccurate credit reports directly
impair the efficiency of the banking system, and unfair credit
reporting methods undermine the public confidence which is essential to
the continued functioning of the banking system.'' 15 U.S.C. Sec. 1681,
Sec. 602(a)(1). The law further states that the purpose of FCRA is ``to
require consumer reporting agencies adopt reasonable procedures for
meeting the needs of commerce for consumer credit, personnel,
insurance, and other information in a manner which is fair and
equitable to the consumer, with regard to the confidentiality,
accuracy, relevancy, and proper utilization of such information in
accordance with the requirements of [the FCRA].'' Id. Sec. 1681, Sec.
602(b).
Offering consumers the ``opportunity to delete their data from
Equifax's systems'' would directly contradict the Federal obligation
placed on consumer reporting agencies (``CRAs'') to ensure that credit
reports are accurate. Should a consumer delete accurate data from
Equifax, or from any of the other CRAs, it would result in the creation
of inaccurate credit reports which ``directly impair the efficiency of
the banking system,'' as noted above by the FCRA. It could also result
in consumers potentially being considered ``unbanked'' by a lender,
therefore unfairly hindering their access to credit.
In the General Principles for Credit Reporting, The World Bank has
further concluded:
``Information quality is the basic building block of an
effective credit reporting environment. Accuracy of data
implies that such data is free of error, truthful, complete and
up to date. Inaccurate data may lead to numerous problems,
including unjustified loan denials or higher borrowing costs.''
General Principles for Credit Reporting, The World Bank,
September 2011, page 2.
In addition, The World Bank's International Committee on Credit
Reporting also recently stated:
``From a policy perspective, perhaps the most important role of
credit reporting consists in addressing information asymmetries
between creditors and borrowers in order to facilitate an
efficient and cost effective credit risk assessment. Through
this means, credit reporting can help achieve lower lending
costs, which in competitive markets are passed on to borrowers
in the form of lower cost of capital. Moreover, it can enhance
access to credit for individuals and firms. Credit reporting
also contributes to financial stability. For example, services
offered by Credit Reporting Service Providers (CRSPs) help
improve the quality of loans made by banks and other lenders
through the provision of tools used to evaluate credit risk
more effectively and consistently, as well as for the active
management of the loan portfolio. Credit reporting also serves
to discipline debtor behavior as regards the timely repayment
of their financial and certain other obligations, as a good
credit history facilitates access to credit and can often
obviate the need for debtors to put up tangible collateral for
loans.'' The Role of Credit Reporting in Supporting Financial
Sector Regulation and Supervision, International Committee on
Credit Reporting, The World Bank, January 2016, page 5.
Accurate and complete data ``facilitate[s] an efficient and cost
effective credit risk assessment'' and ``contributes to financial
stability.'' The opportunity for consumers to selectively delete
accurate information from CRAs would directly prevent a critically
important component of our financial system.
Under the FCRA, consumers have the right to receive a free, annual
copy of their credit report and to review the accuracy of the
information included on that report. In addition, consumers are
entitled to a free report in the event of an adverse action, such as
the denial of an application for credit, insurance, or employment,
based on information in the report. Further, consumers are entitled to
a free, annual copy of their credit report if they are unemployed and
plan to look for a job within 60 days; if the consumer is on welfare;
or if a report is inaccurate because of fraud, including identity
theft.
Further, under the FCRA, CRAs, and furnishers of information
provided to the CRA, are responsible for correcting inaccurate or
incomplete information on a credit report, and must comply with
established procedures outlined in the FCRA to enable consumers to
dispute information on their credit file.
Equifax complies with the above obligations under the FCRA, which
support the underlying goal of ensuring a system of ``fair and accurate
credit reporting'' for the benefit of consumers, lenders and the entire
financial system.
Question 7. Was the Chief Legal Counsel who approved of the stock
sales also aware that the firm contemporaneously contacted the FBI and
Mandiant?
Answer. The Equifax Legal Department approvals of the referenced
stock sales were not made ``contemporaneously'' with the contacts with
the FBI and Mandiant, as further explained below.
The Board of Directors of Equifax released a report by a Special
Committee of the Board of Directors regarding the trading of Company
securities by certain executives following the detection by Equifax
cybersecurity personnel of suspicious activity in the Company's network
and prior to public disclosure of the incident. A copy of the report by
the Special Committee and accompanying press release was provided to
the Committee on November 3, 2017. A copy of that report is also
enclosed with this submission. The report concludes that two of the
executives whose trades were reviewed received clearance from Legal
Department personnel on July 31, 2017, and two other executives
received Legal Department clearance on August 1, 2017.
Based on the early indications of suspicious activity, on August 2,
2017, (1) the Company's Senior Vice President, U.S. Legal--on behalf of
Equifax--retained the cybersecurity group at the law firm of King &
Spalding to guide the forensic investigation and provide legal and
regulatory advice; (2) King & Spalding engaged the independent
cybersecurity forensic firm, Mandiant, to aid in investigation of the
suspicious activity; and (3) the Company contacted the FBI. It was not
until later in August that the forensic investigation determined the
hackers may have accessed a database table containing a large amount of
consumers' PII, and potentially other data tables. The Chief Legal
Officer was not aware of these engagements or the contact of the FBI
before they were made, but became aware of them after they occurred.
Question 8. Did the Chief Legal Counsel approve any contracts with
Mandiant related to the July 29th ``suspicious traffic?''
Answer. The Chief Legal Officer was not involved in reviewing or
approving the agreement with Mandiant. The Company's Vice President
Legal reviewed and approved the agreement.
Question 9. What dividends did Equifax pay out to shareholders
following knowledge of the data breach?
Answer. Since the company's security team discovered the
unauthorized access on July 29, the company declared (1) a quarterly
dividend on August 4, 2017 of $0.39 per share, which was paid on
September 15, 2017, and (2) a quarterly dividend on November 9, 2017 of
$0.39 per share, which is payable on December 15, 2017. Decisions
regarding the declaration and payment of dividends depend on the
company's financial condition, earnings, prospects, current and future
funding requirements, applicable law, and other relevant factors. The
dividends paid in 2017 reflect consideration of these factors.
Question 10. Why did Equifax elect to pay out dividends to
shareholders given knowledge of the company's tremendous legal exposure
and the harm caused to consumers?
Answer. Decisions regarding the declaration and payment of
dividends depend on the company's financial condition, earnings,
prospects, current and future funding requirements, applicable law, and
other relevant factors. The dividends paid in 2017 reflect
consideration of these factors.
Question 11. Can you provide a list of every data breach or
incursion Equifax has experienced since 2010?
Answer. Equifax does have a system for tracking data breaches and
incidents. Equifax will provide a list responsive to this request as
soon as possible.
Question 12. What resources is Equifax making available to ensure
that community banks and credit unions are made whole as a result of
this data breach?
Answer. Following the announcement of the cybersecurity incident,
Equifax has met with and continues to work with community banks and
credit unions to provide them information about the cybersecurity
incident and to respond to specific questions raised. Equifax also made
available communication materials (i.e., FAQs) to the community banks
and credit unions that provide information about the cybersecurity
incident to their customers and members. Equifax continues to
accommodate requests from community banks and credit unions to further
discuss the cybersecurity incident.
Question 13. Can Equifax provide data on the number of active duty
servicemembers and seniors impacted by the data breach, broken down by
state?
Answer. Active duty status is not a data element that Equifax
possesses. As a result, Equifax is unable to calculate the number of
impacted active duty servicemembers. It is difficult to accurately
assess the number of impacted seniors. The dates of birth included
within the data associated with the cybersecurity incident consist of
self-reported birth dates, or are not dates at all, and as a result the
information may not be reliable for purposes of calculating the total
number of seniors impacted by the incident. For example, some dates in
the data do not appear to reflect accurate dates of birth (e.g.,
1/1/1111).
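The answer above turns on a data-quality problem: the birth dates in the affected data are self-reported, some of them are impossible, and a count of affected seniors built on them is unreliable. The Python script below is an added example, not code from the hearing record or from Equifax, showing how an incident response team would screen such a field before reporting a figure: parse each value, discard entries that are unparseable, in the future, or imply an implausible age, and report the unusable share next to the senior count so the number is read as a lower bound on the usable records. The sample values are constructed, modelled on the 1/1/1111 placeholder the answer mentions; the 115-year age ceiling, the age-65 threshold and the M/D/YYYY layout are assumptions for illustration; the reference date is the hearing date.

```python
from datetime import date
from typing import Dict, List, Optional

# Constructed sample values (not data from the hearing record), modelled on the
# "1/1/1111" placeholder described in the answer above.
SAMPLE_DOBS = [
    "1/1/1111",    # placeholder year, far outside any plausible lifespan
    "7/4/1950",
    "13/45/1980",  # not a calendar date
    "",            # empty field
    "2/29/1999",   # 1999 was not a leap year
    "12/31/2030",  # in the future relative to the reference date
    "3/15/1940",
    "6/1/1985",
    "1/1/1900",    # parses, but implies an age above the ceiling
]
REFERENCE_DATE = date(2017, 11, 8)  # the hearing date
MAX_PLAUSIBLE_AGE = 115             # assumed ceiling on a living person's age
SENIOR_AGE = 65                     # assumed threshold for "senior"


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today, counting a birthday only once it has passed."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def parse_dob(text: str, today: date = REFERENCE_DATE) -> Optional[date]:
    """Parse an M/D/YYYY string; return None if it is not a real date or not
    plausible as a birth date (future, or implying an age above the ceiling)."""
    try:
        month, day, year = (int(part) for part in text.strip().split("/"))
        dob = date(year, month, day)
    except (ValueError, AttributeError):  # wrong field count, non-numeric, impossible date, None
        return None
    if dob > today or age_on(dob, today) > MAX_PLAUSIBLE_AGE:
        return None
    return dob


def tally(dobs: List[str], today: date = REFERENCE_DATE, senior_age: int = SENIOR_AGE) -> Dict[str, int]:
    """Count seniors among usable records and report how many records were excluded.
    The senior figure is a lower bound: it says nothing about the unusable records."""
    usable = [d for d in (parse_dob(s, today) for s in dobs) if d is not None]
    seniors = sum(1 for d in usable if age_on(d, today) >= senior_age)
    return {
        "total": len(dobs),
        "usable": len(usable),
        "unusable": len(dobs) - len(usable),
        "seniors": seniors,
    }


if __name__ == "__main__":
    print(tally(SAMPLE_DOBS))
```

In an actual assessment the unusable share is the number to lead with: if two thirds of the birth-date field fails the plausibility screen, as in the constructed sample, the senior count cannot be presented as a total, only as a count over the records that could be read.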
Question 14. Does Equifax take any actions to confirm or scrutinize
the data breach protections of the companies and organizations that it
sells and markets consumer information to?
Answer. Yes.
Question 15. Will you help Congress improve consumer protections by
supporting legislation to institute a stronger regulatory framework for
entities such as yourself to help ensure everyone responsible for
protecting consumers have improved defenses in place?
Answer. Equifax supports efforts to protect the public's personal
and private information, and is happy to engage with Congress about the
specific details of any proposed legislation that would help achieve
that goal.
______
Response to Written Question Submitted by Hon. Dean Heller to
Marissa Mayer
Question. Protecting data isn't just about the Internet--it's also
about the physical security of data. In my home state of Nevada, we
have the only Tier 5 rated data centers in the world. The best security
and reliability you can get from a data center. In your experience as
Former President and CEO of Yahoo!, what standards did you follow to
ensure that the data managed by Yahoo! was physically secure?
Answer. Throughout my tenure as CEO, we took our obligations to our
users and their security extremely seriously. Yahoo had in place
multiple layers of sophisticated protection, including strict controls
over the security of its data centers located throughout North America,
South America, Europe, and Asia. Yahoo deployed strong, industry
standard physical, technical, and procedural safeguards in accordance
with relevant regulations to protect user data. Cross-company
initiatives such as HTTPS end-to-end encryption helped to further
strengthen the company's security defenses and protect its users.
______
Response to Written Questions Submitted by Hon. John Thune to
Karen Zacharia
Question 1. Regarding the 2013 and 2014 breaches, Yahoo! has
pointed out that the stolen information did not include social security
numbers, clear text passwords, or other sensitive financial
information. Nevertheless, the account information that was compromised
did include information that could be used to access sensitive
information. Consumers have been known to e-mail personal information,
password reminders, as well as other sensitive details to themselves or
others. And while Yahoo! took action around the time of its
announcements to protect its user accounts, at least with respect to
the 2013 breach, there was a three-year window during which these
accounts were unprotected. Does Verizon have any evidence showing that
consumers were exposed to higher risk based on information subsequently
accessed from user accounts using stolen credentials? If so, please
provide this evidence.
Answer. Verizon has no evidence that the data elements taken by the
intruders in the 2013 and 2014 data thefts--including names, e-mail
addresses, telephone numbers, dates of birth, hashed passwords and
encrypted or unencrypted security questions and answers--resulted in
access and use of information in consumers' e-mail content to
perpetrate identity theft or financial fraud. Yahoo has received
complaints (e.g., via Yahoo Customer Care and civil lawsuits arising
from the 2013 and 2014 data thefts), some of which allege that harm has
occurred as a result of the 2013 and 2014 data thefts. However, these
claims have not been substantiated or causally connected to the data
thefts. In addition, Yahoo's systems would trigger additional
verification requirements, including a second login challenge, that
would provide security for accounts beyond the users' hashed passwords
(which were not taken in clear text in either incident). Yahoo also has
taken additional steps to enhance user security, including the
strengthening of internal controls and a forced password reset for
users. Yahoo also has encouraged users to adopt key-based
authentication in lieu of passwords.
Further, as the Department of Justice stated in a press release,
one of four state sponsored hackers who was indicted for the criminal
intrusions ``exploited his access to Yahoo's network for his personal
financial gain, by searching Yahoo user communications for credit card
and gift card numbers. . . .'' Dept. of Justice, Office of Public
Affairs, U.S. Charges Russian FSB Officers and Their Criminal
Conspirators for Hacking Yahoo and Millions of E-mail Accounts, March
15, 2017, at p. 1. We have no evidence, however, that the content of
any of the user communications referenced in the press release were
used to perpetrate identity theft or resulted in financial fraud.
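The answer above rests on the stolen passwords having been hashed rather than held in clear text. How much protection a hash dump gives depends on how the hashing was done, which the record does not state. The Python script below is an added example, not code from the hearing record, Yahoo or Verizon, and the two schemes it compares (unsalted MD5 as the weak case, salted PBKDF2-HMAC-SHA256 at 100,000 iterations as the stronger case) are assumptions chosen for illustration, not a statement about what Yahoo used. It builds a constructed dump of three hypothetical accounts under each scheme and runs the same small dictionary attack against both, counting hash computations. Two effects appear: with an unsalted fast hash, one precomputed table recovers every account that used a listed password, and identical digests expose password reuse across accounts before any cracking; with a per-user salt and a slow KDF, the work has to be repeated for every account and every guess.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data: hypothetical accounts and a toy wordlist, not data from
# the hearing record. Wordlist order determines the operation counts reported.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "dragon"]
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "sunshine"),
    ("bob@example.com", "sunshine"),       # same password as alice
    ("carol@example.com", "Tr0ub4dor&3"),  # not in the wordlist
]
PBKDF2_ITERS = 100_000  # assumed work factor for the slow scheme

# Each dump record: (email, scheme, salt_hex, digest_hex)
Record = Tuple[str, str, str, str]


def md5_unsalted(password: str) -> str:
    """Weak scheme: fast, unsalted digest (stand-in for a legacy password store)."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: bytes) -> str:
    """Stronger scheme: per-user salt and a deliberately slow key derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS).hex()


def build_dump(accounts=SAMPLE_ACCOUNTS) -> List[Record]:
    """Hash the same accounts under both schemes, as a breached credential store would hold them."""
    dump: List[Record] = []
    for email, pw in accounts:
        dump.append((email, "md5", "", md5_unsalted(pw)))
    for i, (email, pw) in enumerate(accounts):
        salt = bytes([i + 1]) * 16  # fixed salts keep the example deterministic
        dump.append((email, "pbkdf2", salt.hex(), pbkdf2_salted(pw, salt)))
    return dump


def shared_digest_groups(dump: List[Record], scheme: str = "md5") -> List[Set[str]]:
    """Accounts with identical digests: without a salt, password reuse is visible
    from the dump alone, before any guess is hashed."""
    by_digest: Dict[str, Set[str]] = {}
    for email, s, _salt, digest in dump:
        if s == scheme:
            by_digest.setdefault(digest, set()).add(email)
    return [emails for emails in by_digest.values() if len(emails) > 1]


def crack_dump(dump: List[Record], wordlist=WORDLIST):
    """Dictionary attack over both schemes. Returns the recovered passwords per
    scheme and the number of hash computations each scheme cost the attacker."""
    recovered: Dict[str, Dict[str, Optional[str]]] = {"md5": {}, "pbkdf2": {}}
    ops = {"md5": 0, "pbkdf2": 0}

    # Unsalted: one table, computed once, is looked up for every account.
    table: Dict[str, str] = {}
    for word in wordlist:
        table[md5_unsalted(word)] = word
        ops["md5"] += 1

    for email, scheme, salt_hex, digest in dump:
        if scheme == "md5":
            recovered["md5"][email] = table.get(digest)
            continue
        # Salted: the table cannot be shared, so every guess is recomputed per account.
        salt = bytes.fromhex(salt_hex)
        recovered["pbkdf2"][email] = None
        for word in wordlist:
            ops["pbkdf2"] += 1
            if hmac.compare_digest(pbkdf2_salted(word, salt), digest):
                recovered["pbkdf2"][email] = word
                break
    return recovered, ops


if __name__ == "__main__":
    dump = build_dump()
    print("reuse visible without cracking:", shared_digest_groups(dump))
    recovered, ops = crack_dump(dump)
    for scheme in ("md5", "pbkdf2"):
        print(scheme, "recovered:", recovered[scheme], "hash computations:", ops[scheme])
```

Both schemes give up the two accounts whose password is in the wordlist; the difference is cost. Six fast digests cover all three unsalted accounts, while the salted scheme needs sixteen slow derivations for the same result and scales with the number of accounts rather than the size of the wordlist. That cost gap, together with a forced reset and a second login challenge of the kind the answer describes, is what separates a hash dump from a credential dump.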
Question 2. Does Verizon support the enactment of a single Federal
breach notification standard? If so, what form should it take?
Answer. Yes, Verizon supports enactment of a Federal breach
notification law that would set a national standard. This would provide
consumers across the country with consistent notices and will lead to a
greater understanding by consumers about why they are being notified
and what actions might be appropriate for them to take. The following
two elements are particularly important to include in a Federal breach
notification law: (a) mandating notices in the appropriate
circumstances, such as when there is a material risk of identity theft
or financial fraud, thus avoiding over-notification which desensitizes
consumers to the notices they receive; and (b) preempting the existing
state patchwork framework that currently exists which leads to consumer
confusion.
______
Response to Written Question Submitted by Hon. Bill Nelson to
Karen Zacharia
Question. Do you agree that we need Federal legislation that sets
up a robust breach notification requirement that sufficiently protects
consumers, provides the Federal Trade Commission (FTC) with the
authority to promulgate data security standards, and provides for
strong Federal and state enforcement authority?
Answer. Verizon supports the enactment of a Federal data security
and breach notification law that would set a national standard. Such a
law would provide consumers across the country with consistent
protections and notices. It will also lead to a greater understanding
by consumers about why they are being notified and what actions might
be appropriate for them to take. The following two elements are
particularly important to include in a Federal breach notification law:
(a) mandating notices in the appropriate circumstances, such as when
there is a material risk of identity theft or financial fraud, thus
avoiding over-notification which desensitizes consumers to the notices
they receive; and (b) preempting the existing state patchwork framework
that currently exists which leads to consumer confusion.
With regard to data security, whether it would be appropriate for
the Federal Trade Commission to promulgate standards would depend on
the structure of the data security provisions of a Federal law. With
regard to enforcement authority, we believe that is a role most
appropriate for the Federal Trade Commission. Whether state authorities
should also have enforcement authority would depend on the structure
and provisions of the law, such as available remedies.
______
Response to Written Questions Submitted by Hon. Catherine Cortez Masto
to Karen Zacharia
Question 1. What specific types of data does Yahoo and Verizon,
respectively, collect on consumers? Please list each individual piece of
consumer information both entities collect and maintain.
Answer. The Verizon Privacy Policy details the specific types of
data Verizon collects. The full privacy policy is available at
http://www.verizon.com/about/privacy/full-privacy-policy. A summary of certain
relevant portions of the Verizon Privacy Policy is included below:
Verizon collects information when consumers use our
products, services and sites, including call records, websites
visited, wireless location, application and feature usage,
network and device data including battery life and apps on a
consumer's device, product and device-specific information and
identifiers, service options chosen, mobile and device numbers,
video streaming and video packages and usage, movie rental and
purchase data, TV and other video viewership, and other similar
information.
Verizon also collects information consumers provide such as
name and contact information, images, voice recordings or voice
prints, the reason for contacting us, driver's license number,
Social Security Number and payment information.
Verizon may monitor or record communications with customers
or keep a record of these transactions.
Verizon collects information about consumer's user
identification, password and secret questions and answers when
they establish an online account or register on our sites or
apps.
Verizon also obtains information from third parties,
including credit information from outside credit reporting
agencies related to consumers applying for service with us.
Verizon also obtains information from outside companies such as
those that collect consumer information including demographic
and interest data.
The Yahoo Privacy Policy details the specific types of data Yahoo
collects. The full privacy policy is available at
https://privacy.yahoo.com. A summary of certain relevant portions of the Yahoo
Privacy Policy is included below:
Yahoo collects personal information when a user (i)
registers with Yahoo; (ii) uses Yahoo products or services;
(iii) visits Yahoo pages or the pages of certain Yahoo
partners; and (iv) enters a promotion or sweepstakes.
Upon registration, Yahoo asks for the user's name, e-mail
address, birth date, gender, ZIP code, occupation, industry,
and personal interests. For some products and services, such as
certain services available on Yahoo Finance, Yahoo may also ask
for a user's address and information about assets. Yahoo also
stores the user's IP address in its registration databases at
the time of registration.
Yahoo collects information about user transactions with
Yahoo and with some of Yahoo's business partners, including
information about the user's use of products and services that
Yahoo offers.
Yahoo's automated systems analyze communications content,
including incoming and outgoing user e-mails.
As part of using any Internet based services, Yahoo
automatically receives and records information from its users'
computers and browsers, including user IP address, Yahoo cookie
information, software and hardware attributes, and the page a
user requests.
Analytic tools such as Yahoo Analytics, Advertising
Insights, and Flurry from Yahoo use web beacons, cookies, and
similar technologies to collect data about visitors to Yahoo's
sites and apps and its customers' sites and apps.
Yahoo may obtain information from its partners and append it
to its existing user information to provide more relevant
content and advertising for users.
In certain situations, Yahoo also collects location data. If
a user provides permission, Yahoo may obtain pinpointed
physical location information from technologies like GPS, Wi-
Fi, or cell tower proximity. Yahoo also may collect data on
locations that a user searched for in certain properties (such
as Search and Maps) as well as other location data provided by
the user (such as postal code) to Yahoo.
Oath is currently reviewing this Privacy Policy to align Yahoo and
AOL policies and it may make changes in the future.
Question 2. When consumers delete their account on Yahoo, or
Verizon deactivates their accounts, do the companies continue to store
their user data?
Answer. Verizon's policy is to maintain information about former
subscribers to our telecommunications services for as long as it is
reasonably necessary for business, operational, tax, or legal purposes.
This information may include name and contact information, payment
information, service usage information such as call records, and
service options they chose among other things.
Yahoo's website provides account details, including information
about account deletion, available at
https://policies.yahoo.com/us/en/yahoo/privacy/topics/datastorage/index.htm.
Following a user's request for account deletion, a
hold period is activated--this hold period varies by jurisdiction and
is in place, among other reasons, to enable users to reactivate their
account if they initiated an account deletion in error. Following the
hold period, Yahoo will process the user's account deletion request.
This will result in data associated with the user's registered account
being either deleted or anonymized. There may be exceptions, however,
including when there is a legal hold obligation for litigation
preservation or other limitations, including those technical in nature.
______
Response to Written Question Submitted by Hon. Bill Nelson to
Todd Wilkinson
Question. Do you agree that we need Federal legislation that sets
up a robust breach notification requirement that sufficiently protects
consumers, provides the Federal Trade Commission (FTC) with the
authority to promulgate data security standards, and provides for
strong Federal and state enforcement authority?
Answer. I do agree that a standardized breach notification
requirement should be instituted. The breach notification must first
establish a timeline for such a notification to consumers, but must
also take into consideration the timeline required by an organization
to fully understand if a breach occurred. Every breach is different and
detection needs to be verified before imposing a breach notification
requirement on the affected business. Expanding the Federal Trade
Commission's (FTC) ability to oversee these regulations and any
subsequent enforcement actions will need to be decided upon by our
congressional leadership. Regardless of who is promoting legislation,
if the consumer notification process is to improve, it is critical that
the legislation include meaningful enforcement regulations.
______
Response to Written Question Submitted by Hon. Richard Blumenthal to
Todd Wilkinson
Question. Should Credit Rating Agencies be adequately audited for
cyber hygiene practices and compliance with the FTC's Safeguards Rule,
which implements the Gramm-Leach-Bliley Act and provides data security
requirements for non-bank financial institutions?
Answer. Yes, absolutely--and not just for financial institutions or
credit rating agencies. Any organization that touches personally
identifiable information (PII) should be subject to a minimum
requirement of data security hygiene. There are several government and
industry bodies (e.g., NIST and SANS respectively) that provide regular
recommendations for data security best practices. While it would be
impossible to write legislation to keep up with the rapidly evolving
threat landscape, it would be possible to refer to one of these current
frameworks as a minimum standard. But putting a baseline in place will
only be successful if there is sufficient oversight and meaningful
enforcement of the regulations.