b'<html>\n<title> - IMPROVING DATA SECURITY AT CONSUMER REPORTING AGENCIES</title>\n<body><pre>[House Hearing, 116 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n         IMPROVING DATA SECURITY AT CONSUMER REPORTING AGENCIES\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n              SUBCOMMITTEE ON ECONOMIC AND CONSUMER POLICY\n\n                                 OF THE\n\n                         COMMITTEE ON OVERSIGHT\n                               AND REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             March 26, 2019\n\n                               __________\n\n                           Serial No. 116-12\n\n                               __________\n\n      Printed for the use of the Committee on Oversight and Reform\n      \n      \n      \n      \t\t[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n      \t\t\n      \t\t\n\n\n                  Available on: http://www.govinfo.gov\n                    http://www.oversight.house.gov or\n                        http://www.docs.house.gov\n                        \n                               __________\n                               \n                    U.S. GOVERNMENT PUBLISHING OFFICE\n                    \n36-064 PDF                 WASHINGTON : 2019             \n\n\n\n                   COMMITTEE ON OVERSIGHT AND REFORM\n\n                 ELIJAH E. CUMMINGS, Maryland, Chairman\n\nCarolyn B. Maloney, New York         Jim Jordan, Ohio, Ranking Minority \nEleanor Holmes Norton, District of       Member\n    Columbia                         Justin Amash, Michigan\nWm. Lacy Clay, Missouri              Paul A. Gosar, Arizona\nStephen F. 
Lynch, Massachusetts      Virginia Foxx, North Carolina\nJim Cooper, Tennessee                Thomas Massie, Kentucky\nGerald E. Connolly, Virginia         Mark Meadows, North Carolina\nRaja Krishnamoorthi, Illinois        Jody B. Hice, Georgia\nJamie Raskin, Maryland               Glenn Grothman, Wisconsin\nHarley Rouda, California             James Comer, Kentucky\nKatie Hill, California               Michael Cloud, Texas\nDebbie Wasserman Schultz, Florida    Bob Gibbs, Ohio\nJohn P. Sarbanes, Maryland           Clay Higgins, Louisiana\nPeter Welch, Vermont                 Ralph Norman, South Carolina\nJackie Speier, California            Chip Roy, Texas\nRobin L. Kelly, Illinois             Carol D. Miller, West Virginia\nMark DeSaulnier, California          Mark E. Green, Tennessee\nBrenda L. Lawrence, Michigan         Kelly Armstrong, North Dakota\nStacey E. Plaskett, Virgin Islands   W. Gregory Steube, Florida\nRo Khanna, California\nJimmy Gomez, California\nAlexandria Ocasio-Cortez, New York\nAyanna Pressley, Massachusetts\nRashida Tlaib, Michigan\n\n                     David Rapallo, Staff Director\n              Richard Trumka, Subcommittee Staff Director\n                          Amy Stratton, Clerk\n                      Contact Number: 202-225-5051\n\n               Christopher Hixon, Minority Staff Director\n                                 ------                                \n\n              Subcommittee on Economic and Consumer Policy\n\n                Raja Krishnamoorthi, Illinois, Chairman\nMark DeSaulnier, California,         Michael Cloud, Texas, Ranking \nKatie Hill, California                   Minority Member\nRo Khanna, California                Glenn Grothman, Wisconsin\nAyanna Pressley, Massachusetts       Chip Roy, Texas\nRashida Tlaib, Michigan              Carol D. Miller, West Virginia\nGerald E. 
Connolly, Virginia\n                         \n                         \n                         \n                         C  O  N  T  E  N  T  S\n\n                              ----------                              \n                                                                   Page\nHearing held on March 26, 2019...................................     1\n\n                               Witnesses\n\nMichael Clements, Director, Financial Markets and Community \n  Investment, Government Accountability Office\n    Oral Statement...............................................     3\nAndrew Smith, Director, Bureau of Consumer Protection, Federal \n  Trade Commission\n    Oral Statement...............................................     5\nMike Litt, Consumer Campaign Director, U.S. PIRG\n    Oral Statement...............................................     6\nJennifer Huddleston, Research Fellow, Mercatus Center at George \n  Mason University\n    Oral Statement...............................................     8\n\n The prepared statements for the above witnesses are available \n  at: https://docs.house.gov.\n\n                           INDEX OF DOCUMENTS\n\n                              ----------                              \n\nThe documents listed below are available at: https://\n  docs.house.gov.\n\n  * Consumer Finance Protection Bureau Complaint; submitted by \n  Rep. Krishnamoorthi\n\n  * R Street Institute Letter; submitted by Rep. Miller\n\n  * National Association of Federally-Insured Credit Union \n  Letter; submitted by Rep. Miller\n\n  * Credit Union National Association Letter; submitted by Rep. \n  Miller\n\n  * Conference of State Bank Supervisors Letter; submitted by \n  Rep. Krishnamoorthi\n\n  * Epic.org Letter; submitted by Rep. 
Krishnamoorthi\n\n \n         IMPROVING DATA SECURITY AT CONSUMER REPORTING AGENCIES\n\n                              ----------                              \n\n\n                        Tuesday, March 26, 2019\n\n                  House of Representatives,\n                 Committee on Oversight and Reform,\n              Subcommittee on Economic and Consumer Policy,\n                                                   Washington, D.C.\n\n    The subcommittee met, pursuant to notice, at 3:40 p.m., \n2154 Rayburn House Office Building, Hon. Raja Krishnamoorthi \n(chairman of the subcommittee) presiding.\n    Present: Representatives Krishnamoorthi, Hill, DeSaulnier, \nPressley, Tlaib, Grothman, and Miller.\n    Mr. Krishnamoorthi. The subcommittee will come to order. \nWithout objection, the chair is authorized to declare a recess \nof the committee at any time. This hearing is entitled, \nImproving Data Security at Consumer Reporting Agencies. I \nwelcome all of you here today. Thank you so much for coming. I \nnow recognize myself for five minutes to give an opening \nstatement.\n    The Subcommittee on Economic and Consumer Policy is \ndedicated to addressing the issues affecting American consumers \nand our larger economy. Today, we look at what can be done to \nimprove data security by consumer reporting agencies, otherwise \nknown as CRAs.\n    September 7, 2017, changed our data security landscape \nforever. That was the day that Equifax announced that it had \nexposed the social security numbers and other sensitive \ninformation of nearly half of all Americans. Specifically, 148 \nmillion Americans had their sensitive information exposed.\n    That event educated many people for the first time about \nCRAs and the huge amounts of sensitive information that they \nhold. What people still may not know is how many more of these \ncompanies exist in America. 
The Consumer Financial Protection \nBureau, or CFPB, estimates that there are more than 400 CRAs \ntoday.\n    Criminals want access to the treasure troves of data that \nCRAs hold. They want that information so they can open \nfraudulent accounts and run up debt in the names of innocent \npeople. In studying this issue, I was deeply saddened to learn \nabout one Illinois resident whose credit was so badly damaged \nby identity theft resulting from the Equifax breach, that the \nperson was denied both employment and housing.\n    This is but one example illustrating the extreme and \ndecades-lasting implications of allowing people\'s social \nsecurity numbers, birthdates, addresses, driver\'s license \nnumbers, and credit card information to be exposed to cyber \ncriminals.\n    Again, I want to let this sink in. This one particular \nbreach, with regard to Equifax, has the potential to cause \nextreme harm to nearly half of the population, or 148 million \nAmericans.\n    A year and a half has passed since the Equifax breach and \nthe causes of that breach have been investigated and exposed. \nMoving forward, it is our job in Congress to help prevent \nfuture data breaches and to prevent more Americans from having \ntheir sensitive, personal information compromised.\n    Through the Gramm-Leach-Bliley Act, otherwise known as \nGLBA, Congress directed the Federal Trade Commission to \nimplement data security rules for CRAs. To achieve that, it \ncreated the, ``Safeguards Rule,\'\' which requires CRAs to take, \n``reasonable steps to protect consumer data.\'\' But the FTC has \nlimited recourse against the CRAs that violate the Safeguards \nRule. It cannot seek penalties for first violations, and the \nFTC can only seek monetary compensation for consumers if they \nhave identified a specific harm.\n    Because the negative effects of a breach can often take \nyears to surface, it is extremely difficult to reduce this harm \nto a single dollar amount. 
CRAs also hold huge sway over the \nlives of consumers. The information they control could \ndetermine if someone gets a loan, a job, insurance, or a home. \nYet, CRAs are not accountable to those same individuals.\n    If consumers dislike a CRA, they cannot hold them \naccountable by taking their business elsewhere. But Congress \ncan and should hold CRAs accountable by giving Federal \nwatchdogs the tools they need to make CRAs care more about data \nsecurity.\n    Failure to implement proper data security must cost CRAs \nmore than investing in good security to prevent a breach. That \nis why today, Senator Elizabeth Warren and Chairman Elijah \nCummings released a proprietary report by the Government \nAccountability Office, the GAO, which we will closely examine \nin this hearing.\n    In this new report, GAO has recommended giving the FTC \npenalty authority for first violations to prevent breaches and \nto protect data security. This is a nonpartisan analysis, and \nin fact, Democratic and Republican FTC chairmen have called for \nincreased penalty authority for first-time violations, \nincluding the current FTC Chairman, Mr. Joseph Simons.\n    Enhancing FTC penalty power to enforce data security \nfollows the model set by regulations in the banking industry. \nThere, so far, knock on wood, we have avoided the types of \nlarge, harmful data breaches that brought us here today.\n    Simply put, GAO does not think that the current regulatory \nsystem is strong enough to get CRAs to improve their data \nsecurity. So far, many CRAs have been able to internalize the \nprofit off of consumer data, externalize the risk, and leave \nconsumers holding the bag.\n    Today\'s hearing is the first step in ensuring the data of \nAmerican consumers is being properly protected. Now, with that, \nI would like to recognize our Distinguished Ranking Member, \nMrs. Miller, sitting in for the ranking member. You have five \nminutes.\n    Mrs. Miller. Thank you, Mr. Chairman. 
I do not have an \nopening statement, but I do want to thank you all, you \nwitnesses, for appearing here today, and I look forward to your \ntestimony and our discussion.\n    I also have the prepared remarks of Ranking Member Cloud, \nand I ask unanimous consent that they be inserted in the \nrecord.\n    Mr. Krishnamoorthi. Without objection, so entered.\n\n    [The Prepared Statement referenced above follows.]\n    \n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mrs. Miller. Thank you, Mr. Chairman, and I yield back.\n    Mr. Krishnamoorthi. Thank you, Mrs. Miller. Today, we are \njoined by Mr. Andrew Smith, the Director of the Bureau of \nConsumer Protection of the Federal Trade Commission; Mr. \nMichael Clements, the Director of Financial Markets and \nCommunity Investment at the GAO; as well as Mike Litt, the \nConsumer Campaigns Director at U.S. Public Interest Research \nGroup; and finally, Jennifer Huddleston, a Research Fellow at \nthe Mercatus Center.\n    If the witnesses would please rise, I will begin by \nswearing you in.\n    [Witnesses sworn.]\n    Mr. Krishnamoorthi. Let the record show that the witnesses \nanswered in the affirmative. Thank you and please be seated. \nThe microphones are sensitive, so please speak directly into \nthem. Without objection, your written statements will be made \npart of the record.\n    I should tell you about the lighting system. I told a \ncouple of you, but green means go; red means stop; yellow is \ndifferent than what we see at stop lights. Here, you have to \nspeed up, not slow down. So with that, why don\'t we begin with \nDirector Clements? You are now recognized to give an oral \npresentation of your testimony.\n\nSTATEMENT OF MICHAEL CLEMENTS, DIRECTOR, FINANCIAL MARKETS AND \nCOMMUNITY INVESTMENT, GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Clements. 
Chairman Krishnamoorthi, Representative \nMiller, and members of the subcommittee, I am pleased to be \nhere today to discuss a recent report addressing oversight of \nconsumer reporting agencies or CRAs. Our bottom-line message: \nactions are needed to strengthen oversight at CRAs.\n    CRAs serve an essential function in the financial services \nindustry. These companies collect large amounts of sensitive \ninformation about consumers. These companies maintain and \nanalyze that information and ultimately package the information \ninto consumer reports.\n    These reports help determine whether and how much consumers \npay for credit and can also be used in employment and rental \ndecisions among other purposes. At the same time, consumers \nhave limited choice in the CRA marketplace. Unlike many other \nproducts and services, consumers cannot exercise choice if they \nare dissatisfied with a CRA.\n    Further, consumers do not have the legal right to delete \ntheir records with a CRA. CFPB and FTC have noted the level of \nconsumer protection required can depend upon consumers \nexercising choice in the marketplace. Less choice implies the \nneed for greater oversight.\n    The 2017 cyber attack on Equifax with the theft of at least \n145 million consumers\' records has focused attention on \noversight of CRAs. With this context, I will focus on FTC\'s and \nCFPB\'s oversight of data security in the CRA marketplace.\n    First, FTC. FTC enforces CRA compliance with the FTC Act \nand the Gramm-Leach-Bliley Act, or GLBA, among others. Section \n5 of the FTC Act authorizes FTC to investigate and take \nenforcement action against companies that engage in unfair or \ndeceptive practices, including those related to data \nprotection. FTC has taken action against 66 companies, \nincluding CRAs, under Section 5 for unfair or deceptive \npractices related to data protection.\n    GLBA seeks to ensure that financial institutions protect \nconsumers\' non-public information. 
As required by GLBA, FTC \nadopted its Safeguards Rule. Among other things, the \nSafeguards Rule requires that financial institutions assess the \nrisk to consumer information and have a plan to mitigate those \nrisks.\n    FTC can enforce the Safeguards Rule through injunction, \nredress, and disgorgement. However, assessing monetary harm \ncan be difficult with data breaches, because, for example, the \nresulting harm may occur years in the future. Thus, we \nrecommend that Congress consider granting FTC civil money \npenalty authority for violations of GLBA. This would give FTC \nthe tools to carry out the enforcement authority that Congress \nhas already provided to FTC.\n    Second, CFPB. CFPB enforces and examines CRA compliance \nwith several consumer protection laws, including the Dodd-Frank \nAct and portions of GLBA. Under the Dodd-Frank Act, CFPB \nsupervises larger market participant CRAs, those with more than \n$7 million in annual receipts from consumer reporting.\n    However, we found that CFPB does not have a good handle on \nthe number of CRAs that meet its larger market participant \nthreshold. Thus, we recommended that CFPB identify additional \nsources of information that would help ensure that it is \ntracking all CRAs that meet its threshold.\n    From 2015 through 2017, CFPB examined several CRAs. \nHowever, we found that its prioritizing process does not \nroutinely account for data security risk. To determine specific \nareas of compliance to assess, CFPB considers sources such as \nconsumer complaints and past exam findings. 
While important, \nthese sources do not consider how an institution would detect \nand respond to cyber threats.\n    Following the Equifax cyber attack, CFPB initiated data \nsecurity exams of the major CRAs, but it is unclear whether and \nhow CFPB would incorporate data security into its \nprioritization process going forward.\n    Thus, we recommended that CFPB assess whether its process \nfor prioritizing CRA examinations sufficiently incorporates \ndata security risks that CRAs pose to consumers\' information.\n    Chairman Krishnamoorthi, Ranking Member Miller, and \nmembers of the subcommittee, this concludes my prepared \nstatement. I would be pleased to respond to any questions you \nmay have.\n    Mr. Krishnamoorthi. Thank you very much, Mr. Clements.\n    Mr. Smith, please.\n\nSTATEMENT OF ANDREW SMITH, DIRECTOR, BUREAU OF CONSUMER \nPROTECTION, FEDERAL TRADE COMMISSION\n\n    Mr. Smith. Thank you, Chairman Krishnamoorthi. Mr. Chairman \nand members of the subcommittee, I am Andrew Smith. I am the \nDirector of the Bureau of Consumer Protection at the Federal \nTrade Commission. I appreciate the opportunity to appear before \nyou here today to discuss data security at the consumer \nreporting agencies.\n    I also want to thank Mr. Clements and GAO for its recently \nissued recommendations to improve the tools available to the \nFTC to enforce the data security laws applicable to consumer \nreporting agencies.\n    My written statement represents the views of the \ncommission. This opening statement represents my ideas alone \nand not necessarily the views of the commission or any \nindividual commissioner.\n    To promote the security of consumers\' personal information, \nincluding information at the credit bureaus, the FTC focuses on \nthree main areas. The first of these is enforcement. 
For nearly \ntwo decades, the FTC has been the Nation\'s leading data \nsecurity enforcement agency. We are charged with enforcing data \nsecurity requirements contained in specific laws, such as the \nFair Credit Reporting Act and the Gramm-Leach-Bliley Act. We \nalso enforce Section 5 of the FTC Act, which prohibits unfair \nor deceptive practices, including unfair or deceptive practices \nwith respect to data security.\n    In this law enforcement role, the commission has settled or \nlitigated more than 60 actions against businesses that \nallegedly failed to take reasonable precautions to protect \nconsumers\' personal information. In 2017, the commission took \nthe unusual step of publicly confirming its investigation of \nEquifax and the Equifax data breach, due to the scale of public \ninterest in the matter.\n    Our second area of focus is policymaking. The FTC has \nconducted workshops, issued reports, and made rules to promote \ndata security. For example, just earlier this month, we \nannounced a notice of proposed rulemaking to update our \nSafeguards Rule under the Gramm-Leach-Bliley Act.\n    The Safeguards Rule was originally issued in 2002. It \nrequires financial institutions within the FTC\'s jurisdiction, \nincluding credit bureaus, to implement reasonable process-based \nsafeguards to protect personal information.\n    The proposed revisions to the Safeguards Rule are based on \nour nearly 20 years of enforcement experience. These revisions \nare intended to retain the process-based approach of the \nSafeguards Rule and to provide financial institutions with more \ncertainty regarding the FTC\'s expectations with respect to data \nsecurity.\n    Our third area of focus is education. The commission has \nissued numerous guidance documents for businesses including \nwritten materials, blog posts, and a comprehensive small \nbusiness cyber education campaign, which includes how-to \nvideos and training materials. 
These materials distill lessons \nlearned from our enforcement actions in a succinct and \naccessible manner.\n    With respect to cyber security at credit bureaus, the \neducation of consumers is also critically important. Following \nthe Equifax breach in September 2017, we established a \ndedicated web page for victims of the breach. During that first \nmonth, the FTC blog on the Equifax breach became the most \nviewed Government webpage, nationwide, surpassing pages for \ndisaster assistance after major hurricanes. The FTC\'s Credit \nFreeze FAQs article and IdentityTheft.gov recovery steps also \nmade the top five most viewed Government webpages in September \n2017.\n    We vigorously use our existing authority to protect \nconsumers, but we need additional tools. In this regard, we \nappreciate and agree with GAO\'s recommendation to give the FTC \ncivil penalty authority for violations of the Safeguards Rule.\n    In fact, however, we have called more broadly on Congress \nto enact comprehensive data security legislation that includes \nrulemaking, civil penalty authority, and enhanced jurisdiction \nfor the FTC.\n    First, the legislation should authorize the FTC to issue \ndata security rules under the Administrative Procedures Act, so \nthat we can keep up with business and technological changes. \nWhere we currently have rulemaking authority, we have used it, \nas demonstrated by the proposed revisions to the Safeguards \nRule, which I just mentioned.\n    Second, the legislation should allow the FTC to obtain \ncivil penalties for data security violations. Currently, we \nhave authority to seek civil penalties for data security \nviolations under the Children\'s Online Privacy Protection Act \nand the Fair Credit Reporting Act, and we have used it. 
To help \nensure effective deterrents, we urge Congress to enact \nlegislation to allow the FTC to seek civil penalties for data \nsecurity violations in appropriate circumstances.\n    Now finally, the legislation should extend the FTC\'s \njurisdiction over data security to nonprofits and common \ncarriers. Entities in these sectors often collect sensitive \nconsumer information and significant breaches have been \nreported, particularly in the nonprofit educational and \nhospital sectors.\n    Thank you for the opportunity to appear before you, and I \nlook forward to answering your questions.\n    Mr. Krishnamoorthi. Thank you, Mr. Smith.\n    Mr. Litt, you have five minutes.\n\nSTATEMENT OF MIKE LITT, CONSUMER CAMPAIGNS DIRECTOR, U.S. PIRG\n\n    Mr. Litt. I am sorry about that.\n    Mr. Krishnamoorthi. Take two.\n    Mr. Litt. All right, good afternoon. Again, my name is Mike \nLitt with U.S. PIRG. I appreciate the opportunity to testify \nbefore you today.\n    In order to improve data security at credit reporting \nagencies, also known as credit bureaus, we need robust \nfinancial penalties, stronger oversight, and better consumer \ncontrol of our data. You mentioned the Equifax breach. All we \nhave to do is look at that to see the real dangers that are \nposed to real people when credit reporting agencies drop the \nball on their data security and lose our data.\n    I am one of the 148 million Americans whose financial DNA \nwas exposed, and we are put at risk of identity theft and all \nsorts of fraud for the rest of our lives. Equifax still has not \npaid a penalty after putting people in harm\'s way. We have no \nchoice over Equifax or the other credit bureaus--that can \ncollect our information and sell it.\n    And when they lose it, we cannot leave them the way we can \nother companies. 
It is exactly that dynamic that makes it \nimportant that we have robust financial penalties when data is \nlost and strong oversight to prevent data loss in the first \nplace.\n    If you are a larger credit bureau and you do not comply \nwith the Federal Trade Commission\'s Safeguards Rule, there \nshould be mandatory penalties. If you lose personal data, there \nshould be mandatory fines, but at the very least, we need to \nmake sure that the FTC can actually issue penalties for the \nfirst violation of the law. They investigated the Equifax \nbreach, but they will only be able to issue a consent order and \nthen only if Equifax breaks that order and then violates the \nlaw a second time can there actually be any fines. We need to \nchange that.\n    Next, I would like to discuss some ideas for oversight from \nmy written testimony. The Consumer Financial Protection Bureau \ndoes have tools that the FTC does not. It can issue civil \npenalties after a first violation of the law. It can examine \ncompanies to catch problems ahead of time.\n    We know from Equifax\'s SEC filing last month, that the CFPB \nhas been investigating the Equifax breach, and they have \nexpressed their intent to actually issue civil penalties.\n    So clearly, the CFPB is using its authority to take action \non data security. We would like to see them consider and \nprioritize data security for examinations of other companies as \nwell. The oversight committee\'s report on the Equifax breach \nthat came out in December shows that hackers exploited \nunencrypted info and weak data controls. The FTC just proposed \nan amendment to its Safeguards Rule that would require some \ngood first steps for security measures, such as data encryption \nand multi-factor authentication and data controls.\n    Finally, I would like to talk about better consumer control \nover our own data. 
The best way to stop an identity thief from \nopening new accounts in your name is to get credit freezes, \nalso known as security freezes, at all three of the national \ncredit bureaus. Basically, a credit freeze blocks or freezes \naccess to your credit reports.\n    Before the Equifax breach, the credit bureaus charged fees \nfor freezes in most of the states. After the breach, 19 states \nmade freezes free. Congress followed suit and passed a law that \neliminated fees for everybody. In my written testimony, I \nexplain problems with the national freeze that we would like to \nsee fixed, and we have got some other ideas in there for better \nconsumer control.\n    But really the best solution would be to make sure that \naccess to our own credit reports is actually frozen \nautomatically by default. We should not have to opt in to \ncontrol access to our own data.\n    So to summarize all of this, we are not the customers of \nthe credit bureaus, but the credit reporting agencies possess \nvast amounts of our personal information, including our \nfinancial DNA and that is really why we need to be able to have \nrobust financial penalties and stronger oversight to \nincentivize them to protect our data.\n    The FTC and the CFPB should use their authorities and be \ngranted expanded authorities in order to achieve those goals. \nAdditionally, we should be given more control over our own \npersonal data.\n    I look forward to working with you. Thank you so much.\n    Mr. Krishnamoorthi. Thank you, Mr. Litt.\n    Ms. Huddleston, you have five minutes.\n\nSTATEMENT OF JENNIFER HUDDLESTON, RESEARCH FELLOW, MERCATUS \nCENTER AT GEORGE MASON UNIVERSITY\n\n    Ms. Huddleston. Thank you. Good afternoon. Chairman \nKrishnamoorthi, Representative Miller, and distinguished \nmembers of the Economic and Consumer Policy Subcommittee.\n    My name is Jennifer Huddleston, and I am a Research Fellow \nwith the Mercatus Center at George Mason University. 
My \nresearch focuses, primarily, on the intersection of law and \ntechnology, including the important issues surrounding data \nsecurity and data privacy.\n    Thank you for the opportunity to discuss some of these \nissues today, particularly in regards to the 2017 Equifax \nbreach. These conversations are particularly important as we \ncontinue to see headlines around data breaches and data \nprivacy.\n    As policymakers consider how to address such concerns, they \nshould be careful to avoid unintended consequences to \ninnovation, as a result. With this in mind, I would like to \nfocus on three key points today.\n    First, that regulators should avoid an overly expansive \ndefinition of harm in their approach to data security to avoid \nunintended consequences to innovation. Second, the way the \nFTC\'s current enforcement approach has provided a balanced \napproach to data security and data privacy allowing innovation \nto flourish and providing consumers a form of redress. Finally, \nwith regards to credit reporting agencies, that policy \nsolutions should be narrowly tailored and focused on the unique \nposition of these agencies and the data they possess, so as to \navoid, or limit, unintended consequences to broader database \nindustries.\n    To begin, regulators should be cautious about an overly \nexpansive definition of harm in their approach to data \nsecurity that could have unintended consequences to innovation. \nWhile there is general agreement that data breaches have the \npotential for harm, there is disagreement on when harm occurs, \nthe need for Government intervention, and what particularly \nconstitutes harm in these scenarios.\n    There is a wide range of personal preferences in what \ninformation we choose to share publicly or privately through \nvarious data systems. A flexible system provides options for \nboth consumers and businesses and encourages innovative \nsolutions when it comes to data security. 
While it is easy to \nrush to the worst conclusions when we see scary headlines and \nhear news of breaches such as Equifax, only focusing on the bad \ncould prevent future innovation that would provide better \nalternatives and better data security, more generally.\n    A lack of flexibility and a rigid system could lock in \nexisting options, rather than providing incentives to innovate \nand provide better data security, more generally.\n    Now I would like to turn to the general success of the \nFTC\'s current enforcement approach with regards to balancing \ninnovation and redress for consumer harm. The FTC has been \nactive in both personal data and credit reporting and financial \nprivacy. It has addressed data breaches under both deception \nand unfairness doctrines as well as other laws when specified.\n    But in general, it has built a common law of consent \ndecrees, rather than more formal regulation and adjudication. \nWhile this allows for greater flexibility as innovation \nevolves, it also can raise concerns due to lack of clarity and \ncertainty for regulated parties.\n    At the same time, though, this approach has allowed \nconsumers the benefits of a data-driven economy while still \nproviding redress when consumer harm occurs.\n    Finally, with regards to the unique situation of credit \nreporting agencies, the policy solutions in that regard should be \nnarrowly tailored so as to avoid unintended consequences to \ndatabase industries, more generally.\n    The credit reporting agencies are in a unique situation, in \nthat there is no opt in or opt out for consumers. 
Additionally, \ndue to high barriers to entry, there may be less concern about \npotential impact on competition that such regulation could \nhave.\n    Given these factors, the policy solutions to address these \nconcerns with regards to data breaches and data security should \nfocus on these unique aspects and the data that is uniquely \nconcerning when it comes to these agencies.\n    At the same time, though, we should also consider, what, in \naddition to regulation, or as an alternative to regulation, \nmight be done more generally. For example, consumer education \nand empowerment, including increased transparency so that \nconsumers are aware of what to do in the event of data breaches \nand what resources are available to them. As well as common law \nalternatives for those that have experienced harm and \naccountability for those who caused it.\n    The U.S. has been a leader in innovation, and this makes it \nespecially important to carefully consider the potential for \nunintended consequences and not prevent potentially innovative \nsolutions that would provide better security in the future.\n    Thank you, and I welcome your questions.\n    Mr. Krishnamoorthi. Thank you, Ms. Huddleston.\n    First of all, thank you to all of you for joining us today. \nAll of the witnesses, and of course, the members of the \naudience.\n    I want to start with Mr. Litt. I recognize myself for five \nminutes of questions.\n    You know, Equifax had very sensitive information about at \nleast 148 million people: their names, social security numbers, \naddresses, dates of birth and so on. Do the other CRAs have \nsimilar information about as many consumers?\n    Mr. Litt. Yes, in fact it is probably more. The CFPB has \nsaid that each of the credit bureaus possess approximately 200 \nmillion different consumer files.\n    Mr. Krishnamoorthi. I mentioned some types of personal \ninformation. Are there other types of sensitive information \nthey possess?\n    Mr. Litt. 
Well they have information that is in our credit \nfiles that could show whether you are in debt or debt \ncollection, your credit history. Also credit bureaus have \ninvestigative reports on some consumers. So these are basically \nbackground checks that can include interviews with your \ncoworkers, your neighbors, your friends and family, other \npeople in your life.\n    Mr. Krishnamoorthi. Do you have any indication that CRAs \nare collecting less information today than they were at the \ntime of the Equifax breach?\n    Mr. Litt. No, I have absolutely no indication of that.\n    Mr. Krishnamoorthi. Can you explain a couple of the more \nserious risks that consumers face when their sensitive data is \nexposed?\n    Mr. Litt. Yes, so in the case of the Equifax breach where \nyou have just your name and your social security number, an \nidentity thief can try to apply for a utilities account, \ncredit, a loan, get a smart phone on your account. Then they \ncan use your date of birth and they can try to apply for your \nsocial security benefits, your tax refund that you might be \ncounting on, your medical services and benefits.\n    Mr. Krishnamoorthi. Okay, without objection, I would like \nto enter into the record, a complaint submitted to the Consumer \nFinancial Protection Bureau by an Illinois parent who was a \nvictim of the Equifax data breach.\n    Mr. Krishnamoorthi. This was the complaint and, you know, I \nread a portion of this earlier, or read about it earlier. But \nbasically, this person was unable to receive housing or \nemployment because of the harm from the data breach.\n    Director Smith, I have a question for you. With their high \nconcentration of sensitive information, are CRAs subject to \nconstant attack by cyber criminals? What is the nature of the \nattacks and the threats posed by cyber criminals?\n    Mr. Smith. 
So that is probably a better question for the \ncredit bureaus, but, you know, our understanding is that \nfinancial institutions, generally, and credit bureaus, \nspecifically, are subject to constant attack, given the value \nof the information that they warehouse.\n    I think what you find is if you spoke with financial \ninstitutions, they would say that they are under constant \nattack. That is one of the issues for us in the FTC. We want to \nmake sure that financial institutions are always monitoring for \npenetration and intrusion so that the breaches are actually \nbeing detected. Because that is one of my real fears -- that \nthere are breaches that are going undetected.\n    Mr. Krishnamoorthi. Well that is what I was going to ask \nyou next. Equifax may have garnered the most attention, but, \nyou know, can you talk about other data breaches at any other \nCRAs in recent years?\n    Mr. Smith. Well we have brought some enforcement actions in \nconnection with data breaches at consumer reporting agencies. \nThe most prominent is probably our action against ChoicePoint \nseveral years ago where they were selling credit reports to a \nring of known identity thieves. There we sought--well we \nobtained $10 million in penalties and $5 million in consumer \nredress.\n    I will say that most of the cases of the 66 cases that Mr. \nClements mentioned in the data security area, a couple have \ninvolved credit bureaus but mostly not. It is mostly other \ntypes of companies and primarily operating online.\n    Mr. Krishnamoorthi. Got it. Mr. Clements, can I ask you the \nnext question? Can you identify other, you know, regulatory \nareas where, you know, the penalty for a first violation has \nbeen found to be effective or, you know, what\'s the nature of \nthe impact of such a type of penalty?\n    Mr. Clements. 
We do know in the banking space that the \nFederal banking regulators, that would be, for example, Office \nof Comptroller of the Currency, the Federal Reserve, and FDIC, \ndo have civil penalty authority under GLBA for those types of \nviolations.\n    They are also examining these institutions on a regular \nbasis. If it is a larger institution, it is subject to \ncontinuous reviews. If it would be a smaller institution, every \n12 to 18 months there would be an examination.\n    Mr. Krishnamoorthi. Got it. I am out of time. I am going to \nrecognize Mrs. Miller for the next set of questions.\n    Mrs. Miller. Thank you, Mr. Chairman.\n    Ms. Huddleston, in your testimony you state that the \nFederal Trade Commission\'s current approach has been flexible \nand therefore has allowed innovation to flourish while still \nprotecting consumers. Can you please expand upon that?\n    Ms. Huddleston. Thank you, Mrs. Miller. I would point to \nthe fact that the Federal Trade Commission has been active in \ndata breaches and data privacy going back to the late 1990\'s \nwith GeoCities. Our data security and our innovation when it \ncomes to online websites and what we expect them to protect has \ncome a long way. Part of this has been rather than having an \nex-ante approach of regulation, they have been able to provide \na flexible guidance that allows different methods to develop to \nbetter protect consumers.\n    Mrs. Miller. Thank you. While it may sometimes be a useful \ntool, enforcement actions by Federal agencies should not be the \nonly way to ensure consumer data is safe. Would you agree?\n    Ms. Huddleston. One of the interesting elements with \nenforcement actions is how once they are enacted they can be \ninflexible and unmoving. This can affect both consumers and \ncompanies that are subject to consent decrees. 
At the same \ntime, there are also already existing tools, including the \ncommon law for consumers who may have direct proof for harm of \nsomething like identity theft. There can also be criminal \nissues involved depending on the nature of what has happened as \na result of the breach.\n    Mrs. Miller. What are the pitfalls of excessive Government \nintervention in a rapidly evolving area like information \ntechnology?\n    Ms. Huddleston. We have benefited a lot from innovation and \nmany of us have seen how rapidly, in our lifetime, things have \nchanged as a result of allowing innovation to accelerate. If we \nhave a lot of regulation in a rapidly changing area, such as \ndata security, it is possible we may lock in the existing \nsystem, rather than getting a better system that could protect \nour data more.\n    Mrs. Miller. What are some buffers that could be created to \nnarrowly tailor regulatory authority?\n    Ms. Huddleston. When considering what to do with regards to \nthe credit reporting agencies, such as Equifax and these \nconcerns, I would suggest that we look very carefully at how we \nare defining data and how we are defining what entities are \ncovered. So that we are truly addressing those concerns.\n    Mrs. Miller. What can the Federal Trade Commission do to \nprovide greater education to consumers?\n    Ms. Huddleston. I think that in light of the Equifax \nbreach, what we have seen is a lot of consumers really want to \nget interested in how they can protect themselves and take \nthose steps as we heard mentioned in earlier testimony.\n    Immediately after the Equifax breach, the blog post on what \nto do was one of the most visited Government websites. Continue \nto provide that information to consumers, be it through \nwebsites or through other educational campaigns, so that \nconsumers can then take the appropriate and next steps \nthemselves.\n    Mrs. Miller. Thank you. 
We have heard a lot recently about \nthe General Data Privacy Regulations, or GDPR, in Europe and \nthe California Consumer Privacy Act, or CCPA. What are the \nproblems with expansive, top-down regulatory regimes such as \nthis?\n    Ms. Huddleston. With the GDPR, we have already seen that \nthere are fewer data actors in Europe. You already had a very \ntop-down regulatory regime, but smaller players have had to \nexit the market, in some cases, because of the cost of \ncompliance.\n    Therefore, you may not be getting innovative solutions that \ncould be more protective, and you are not seeing the type of \ncompetition that we would like to see when it comes to that, \nthat can provide better security.\n    Mrs. Miller. Thank you. Mr. Chairman, I have here three \nletters addressed to our subcommittee concerning issues before \nus today. The first is from the R Street Institute, a \nnonpartisan think tank. The second is from the National \nAssociation of Federally Insured Credit Unions. And the third \nis from the Credit Union National Association. I ask unanimous \nconsent that these letters be inserted in the record.\n    Mr. Krishnamoorthi. Without objection, so entered.\n    Mrs. Miller. Thank you. I yield back my time.\n    Mr. Krishnamoorthi. Thank you, Mrs. Miller.\n    Ms. Pressley, you are on the clock for five minutes.\n    Ms. Pressley. Thank you, Mr. Chair, and I want to thank all \nof our witnesses for joining us today. It is clear from your \ntestimony that consumer reporting agencies occupy a very unique \nspace.\n    They deal in consumer data, but they do not deal with \nconsumers. Their customers are businesses. Their products are \nthe data that they gather about you and me and millions of \nother Americans. They have the power to affect peoples\' lives \nin critical ways. They provide the reports that determine \neverything, from whether you can get a loan to whether you can \nobtain housing or even employment. 
Yet, they put people at risk \nwhen they lack adequate data protection safeguards like we saw \nwith the Equifax breach which impacted nearly 148 million \nconsumers in 2017.\n    In fact, last month at a hearing held by the Financial \nServices Committee, which I am a member of, I asked the CEO of \nEquifax whether anyone on their leadership team was held \naccountable for this data breach. His response was, ``There was \nplenty of accountability. The entire leadership team in 2017 \ndid not receive a bonus.\'\'\n    This is, I am sure, you would agree, an insult to the \nmillions of consumers that were affected by the breach and \ncontinue to this day to struggle to bounce back after having \ntheir data compromised.\n    So I want to touch on what options, if at all, consumers \nhave in this market. You spoke to some of this you--all of \nyou--in your testimony. If you could elaborate, where clearly \nthere is no accountability for CRAs when breaches like this \nhappen.\n    Director Clements, in the GAO report you explain that \nconsumers lack choices in the consumer reporting market. So if \nwe could unpack that, just for the record, ``Consumers are not \nvoluntarily providing their data to CRAs. Businesses are not \nvoluntarily providing their data to CRAs.\'\' Businesses are \ndoing that, correct?\n    Mr. Clements. Consumer data ultimately is input to the \nprocess. So you are correct.\n    Ms. Pressley. Okay. So, consumers are never actively \nproviding consent for our data to be provided to CRAs. Again \ngiven your testimony, that is an accurate characterization, \ncorrect?\n    Mr. Clements. Right.\n    Ms. Pressley. Okay. So if a constituent of mine is \ndissatisfied with Equifax\'s data protection practices, can he \nor she choose to remove their data to the competitor\'s and only \nhave Experian and TransUnion maintain their files?\n    Mr. Clements. No.\n    Ms. Pressley. Well what about leaving the consumer \nreporting market, entirely? 
Could someone force the CRAs to \ndelete their records?\n    Mr. Clements. The CFPB has told us that consumers have no \nlegal right to remove their data from a CRA.\n    Ms. Pressley. Okay and so consumers do not voluntarily opt \nin to have their information shared to the CRAs, nor can they \nopt out? Instead, businesses are providing it, whether \nconsumers want them to or not. And once the CRAs have the \ninformation, consumers are essentially locked out, correct?\n    Mr. Clements. That is correct.\n    Ms. Pressley. Okay. Mr. Litt, I have a couple of minutes \nleft. Most other private businesses cannot avoid consumers the \nway CRAs can. Most businesses have to try to keep consumers happy or \nrisk losing them to their competitors. But CRAs are different. \nCan consumers make decisions with their dollars that would \nincentivize CRAs to ensure that they protect the sensitive data \nabout their customers?\n    Mr. Litt. No, they have no say in the matter.\n    Ms. Pressley. Without the pressure of market forces, is \ndata security at CRAs a necessary area for Government \nregulation?\n    Mr. Litt. Absolutely.\n    Ms. Pressley. Back to you, Director Clements. The GAO \nreport indicates that CFPB has identified credit reporting as a \nhigher risk market for consumer harm. Can you explain why it \nmade that determination?\n    Mr. Clements. I cannot explain CFPB\'s logic. Our logic, \nwhat we think CRA is a high-risk area. One is it serves an \nessential function in the marketplace, in financial services \nindustry. Second would be the large amount of sensitive \ninformation that is contained there. Then third, the fact that \nconsumers have limited choice in this marketplace.\n    Ms. Pressley. Thank you. So without consumer choice, CRAs \nlack the same market pressures as typical businesses to \nadequately protect consumer data. 
That is a market failure, and \nit reinforces the need for strong Government rules to help \nensure sufficient consumer data protection at CRAs.\n    Thank you all for your testimony here today, your expert \ntestimony. I look forward to working with all of my colleagues \nso that we can provide ample oversight and accountability for \nthese CRAs, since clearly, they cannot be trusted to do that \nthemselves.\n    Thank you. I yield my time.\n    Mr. Krishnamoorthi. Thank you, Ms. Pressley.\n    Now, Mr. Grothman. You have five minutes.\n    Mr. Grothman. Very good. I will start out with a question \nfor Mr. Smith. Am I correct in saying that the FTC has \nauthority to take enforcement action against credit reporting \nagencies that do not properly protect consumers\' personal \nidentifiable information or that act in an unfair and deceptive \nmanner when it comes to consumers\' personal data?\n    Mr. Smith. Yes. We enforce the Fair Credit Reporting Act \nagainst consumer reporting agencies. We enforce our Safeguards \nRule against consumer reporting agencies. As you noted, we have \ngeneral authority to prohibit unfair and deceptive practices.\n    Mr. Grothman. You brought over 60 cases against companies \nsince 2002?\n    Mr. Smith. For data security violations, yes.\n    Mr. Grothman. You brought 30 cases against companies for \nviolating the Gramm-Leach-Bliley Act, including the Safeguards \nRule?\n    Mr. Smith. That sounds Okay to me. That sounds right.\n    Mr. Grothman. What is the process for bringing one of these \ncases?\n    Mr. Smith. Generally we would learn of the case through a \nvariety of means. It might be press reports. It might be \nconsumer complaints. It might be tips or reports from other \nagencies. Then we will usually issue a civil investigative \ndemand, which is an administrative subpoena to the company and \nconduct the investigation through the normal course.\n    Mr. Grothman. 
As a practical matter, my data has been \nbreached, how do I find out about it?\n    Mr. Smith. You will generally find out about it because the \ncompany notifies you, because there are, in every state, there \nare laws that require companies where there is an authorized \naccess or acquisition of data, requires the company that has \nbeen breached to send the affected consumers a notice.\n    Mr. Grothman. Okay, but as a practical matter, that is if \nthe company identifies or contacts me themselves. What bad \nthing would happen to me that I would find out about it? Or how \noften, when there is a breach, do bad things happen?\n    Mr. Smith. So it is very difficult for us to say how often, \nwhen there is a breach, do bad things happen. Every once in a \nwhile, we can actually tie breached information to subsequent \nfraud against consumers. One example of that is when there was, \nI think it was the Yahoo had their user names and passwords \nthat consumers used at other sites. So, there was some ability \nto link, but generally, the proximate causation of compromised \ndata to any eventual consumer harm, that can be a difficult \nthing to show.\n    Mr. Grothman. Okay. How many people, do you think, had bad \nthings happen because of this? Do you have any idea?\n    Mr. Smith. Because of?\n    Mr. Grothman. Of the breaches.\n    Mr. Smith. Of breaches generally or of the Equifax breach, \nspecially?\n    Mr. Grothman. Well, both.\n    Mr. Smith. So we spend a lot of time studying identity \ntheft in the economy, generally. We know that there is sort of \na background level of identity theft. In any given year, a \ncertain number of us will be subject to identity fraud. 
The \nreasons for that may be difficult to discern.\n    What we are looking at when we try to look at sort of gross \naggregate levels of harm to consumers is following a big breach \nlike Equifax, is there any change to that background level of \nidentity theft?\n    My understanding, and again, I am not commenting on any \nparticular investigation that we have in front of us. But my \nunderstanding is that Equifax has claimed that there has not \nbeen any increase, generally, in the gross level, of identity \ntheft. But that just could mean that the information has not \nyet been used.\n    Mr. Grothman. Okay. Do we have any hard numbers as far as \nin the Equifax breach? How many people had a bad thing happen \nto them? Not getting a letter in the mail saying that, you \nknow, your identity has been breached, but a bad thing was done \nwith that information?\n    Mr. Smith. Right. I think that is going to be very \ndifficult for anyone to show. I mean, the bad things that we \nwould be thinking about would be someone opening a credit card \nin your name, for example. That is the causation, the cause of \nlink between the Equifax breach and that new account opening in \nyour name.\n    Mr. Grothman. They really do not know. Nobody knows. Okay.\n    Ms. Huddleston, you are a scholar focusing at the \nintersection of technology and the law. Do you think the FTC\'s \napproach to ensuring data privacy and security has been \neffective so far?\n    Ms. Huddleston. The good thing about the FTC\'s approach to \ndata privacy and security is that it has been flexible to move \nwith the technology. The concern is that, because it is often \ndone through consent decrees, it does not necessarily provide \nregulated entities with the knowledge of what is constantly \nexpected of them. 
At the same time, our court system and the \ncommon law may be able to provide redress for those consumers \nwho do have the measurable harm you were mentioning in your \nearlier question.\n    Mr. Grothman. Okay. I think I have time for one more \nquestion. This is kind of a little bit off the topic, but just \nin general, I always think with these agencies, the major \nconcern is that there are flaws in their information, in which \nyou could be harmed, and you do not even know that you are \nbeing harmed.\n    Do you think we are doing an adequate job of policing that \npotential problem? In other words, if there are Glenn Grothmans \nin the world, and the other guy is a spendthrift, to what \ndegree are we catching that sort of thing? Or to what degree \nare people\'s credit scores being harmed unfairly? Do we catch \nthat sort of thing?\n    Mr. Smith. So I can start on that. I think that mistaken \nidentity is a big problem in the credit reporting system. We \nwant to make sure--so my name is Andrew Smith. There are tens \nof thousands of Andrew Smiths. How do I make sure that a bad \nAndrew Smith does not get mixed up with me? Or how do I make \nsure that his information does not wind up in my file? Those \nare challenging issues that are a part of the data security \nissues, right, but they do not have to do with data quality.\n    Mr. Grothman. Right. It is not exactly on point, but I \nthink probably insofar as you worry about these agencies. I \nguess with what we have done, we will go on. The chairman is \ngiving me the hook. That is Okay.\n    Mr. Smith. Well I will say that we brought a case, just a \ncouple of months ago, for this very accuracy issue, where there \nwas information about a bad person showing up in your file. It \nwas against a company called Real Page and we obtained a $3 \nmillion penalty under the Fair Credit Reporting Act. So there \nare laws against it, and they are enforced.\n    Mr. Grothman. Thank you.\n    Mr. Krishnamoorthi. 
Very good. Thank you.\n    Ms. Tlaib, you have five minutes.\n    Ms. Tlaib. Thank you. I want to thank all of our witnesses \ntoday for joining us. Director Clements, I would like to \ndiscuss the Consumer Financial Protection Bureau\'s role in \nensuring data security at consumer reporting agencies. In \nMichigan alone, close to 4.6 million consumers were impacted by \nEquifax\'s unprecedented data breach.\n    My constituents, of course, do not have the luxury of \nconstant credit monitoring. So it is imperative that we remain \ndiligent in our oversight of these credit reporting agencies, \nespecially now that they are using credit scoring and reports \nfor car insurance and other elements directly impacting \npeople\'s quality of life.\n    How many CRAs fall within CFPB\'s larger participant \nsupervisor power?\n    Mr. Clements. CFPB has told us it is tracking between 10 \nand 15 of those companies.\n    Ms. Tlaib. The GAO report, the Government Accountability \nOffice report recommends that CFPB leverage traditional \nresources of information to make sure it is tracking all CRAs \nthat may qualify, why?\n    Mr. Clements. CFPB told us that it was unsure whether that \nwas the exact number of companies that its threshold of $7 \nmillion of annual receipts. So there could be a few additional \ncompanies.\n    Ms. Tlaib. Has CFPB indicated a willingness to do that?\n    Mr. Clements. CFPB has mentioned a willingness to leverage \nother data sources.\n    Ms. Tlaib. To fulfill its mission, it is important the CFPB \nknows all of the CRAs that fall within its jurisdiction. So \nthe CFPB has the power to conduct supervisor examinations of \nCRAs. After the Equifax breach, the GAO report indicated that \nCFPB even developed internal guidelines for examining data \nsecurity. Did CFPB actually conduct any examinations of data \nsecurity at CRAs?\n    Mr. Clements. 
Our understanding is that following the \nEquifax breach, the CFPB has conducted multiple targeted data \nsecurity exams at CRAs. What it was not doing was incorporating \nthat type of information prior to the Equifax breach. So it was \nnot looking at data security prior to the breach.\n    Ms. Tlaib. The GAO report indicated that CFPB has the \nauthority to conduct these data security examinations of CRAs--\nthese acronyms in D.C. I cannot believe it. Pursuant to its \ngeneral authority to assess compliance with Federal consumer \nprotection laws, such as Dodd-Frank Act, preventing any fair, \ndeceptive, and abusive acts in practice. Yet, The GAO report \nindicated that CFPB has not committed to continue considering \ndata security risks in selecting examinations going forward. Is \nthat correct?\n    Mr. Clements. That is correct.\n    Ms. Tlaib. GAO\'s report also said, in light of the Equifax \nbreach, as well as the CFPB\'s acknowledgement of the CRA market \nas a higher risk market for consumers, it is important for CFPB \nto routinely consider factors that could inform the extent that \nCRA data security risks, such as the number of consumers that \ncould be affected by a data security incident and nature of \npotential harm, resulting from the loss of exposure of \ninformation.\n    So this GAO report recommends continue[ing] to prioritize \nthe risk of data breach in selecting examination topics. Can \nyou explain why that is particularly important?\n    Mr. Clements. Certainly. In the past, what CFPB was looking \nat when it was doing the supervision was focusing on consumer \ncomplaints, past exam filings and public filings. So they ended \nup looking at issues such as the accuracy of the data and the \ndispute resolution process. We do not dispute at all that those \nare important, but it was not factoring in the risk to consumer \ninformation that a breach might happen.\n    That was...just within the prioritization process. 
Does \nthat mean that in every instance they would need to do that \ntype of exam? At least you are considering it when you are \nmaking a decision of, "I am going to do an exam of a CRA. What \nfactors should I look at in that assessment?"\n    Ms. Tlaib. Thank you. The report also noted that other \ninstitutions that hold sensitive consumer data like insured \ndepository institutions are already subject to technology \nexaminations, which include cyber security component. Would we \nnot want the same kind of supervision on CRAs as we have for \nbanks?\n    Mr. Clements. I think our findings really get to two \npoints. On the one hand is factoring in on those examinations \nthat CFPB is conducting data security. Then the other \nrecommendation we make in D.C. is to have some predictability \nand a penalty available should the firm not meet the \nrequirements in that case of Gramm-Leach-Bliley. So really, our \nfindings were a combination of both examinations and the \npenalty.\n    Ms. Tlaib. Okay, thank you so much. I yield my time.\n    Mr. Krishnamoorthi. Thank you, Ms. Tlaib.\n    Ms. Hill, you are up for five minutes.\n    Ms. Hill. Thank you, Mr. Chairman and thank you all for \nbeing here. I know you have touched on the answers to some of \nthese, but I want to get clarification on a few things and just \nget this for the record.\n    Director Clements, I would like your help in understanding \nthe scope of the credit reporting market. People may be \nfamiliar with the big three: Equifax, Experian, and TransUnion, \nbut I was struck by the following statement in the GAO report, \nwhich states, ``According to the CFPB, the consumer reporting \nmarket comprises more than 400 companies, and these companies \nissue three billion reports and make more than 36 billion \nupdates to consumer files each year.\'\'\n    So beyond the big three, there are hundreds of these \ncompanies out there, each holding our sensitive information. Is \nthat correct?\n    Mr. 
Clements. That is our understanding from CFPB, yes.\n    Ms. Hill. Great. These CRAs have subsidiaries that conduct \nmarketing activities. The GAO report indicates that CRAs are \nable to share information with their affiliates for marketing \npurposes as long as they disclose that and give consumers an \noption to opt out. Is that right?\n    Mr. Clements. It depends on the relationship that the \nindividual would have with the credit reporting agency. If I \nhave a relationship with the credit reporting agency, for \nexample, if I am buying a credit monitoring service, the credit \nreporting agency can then share that information with its other \naffiliates. But again, it needs to provide notice, opt out \noption. Then I, as the consumer, would have to not opt out. If \nthat is the case, there can be sharing with other affiliates \nwithin the CRA.\n    Ms. Hill. What would another case be where they would not \nhave the sharing opportunity?\n    Mr. Clements. If I am not a customer of the CRA, then I do \nnot have a customer relationship and then the rules are \nslightly different.\n    Ms. Hill. Different how?\n    Mr. Clements. There would be less sharing opportunities in \nthat case, because again, I am not a customer in that instance.\n    Ms. Hill. Okay. So in addition to consumers being concerned \nabout their information being breached through the backdoor, \nthey also have to worry about it leaving through the front door \non its way to the marketing arms of the CRA. Is that right?\n    Mr. Clements. Again, it depends on the customer \nrelationship and whether the customer chooses to opt in or opt \nout of the sharing.\n    Ms. Hill. I mean, actually like it is not usually, even you \n``opt in or opt out\'\' it is not a very transparent process. I \nthink it is usually you check a box, because you are trying to \nhurriedly fill out a form to get something that you need, but \nis that what you are referring to?\n    Mr. Clements. 
I think in terms that the specifics we did \nnot get into that. I probably defer to FTC or CFPB in terms of \nthe ease of a customer opting in or opting out.\n    Ms. Hill. Okay. Director Smith, FTC published a helpful \nguidance to companies about complying with the Safeguards Rule \nthat you make available online. It is entitled, ``Financial \nInstitution and Customer Information: Complying with the \nSafeguards Rule.\'\' In the How to Comply Section, it states, \n``One of the earliest steps companies should take is to \ndetermine what information they are collecting and storing and \nwhether they have the business need to do so. You can reduce \nthe risks to customer information if you know what you have and \nkeep only what you need.\'\'\n    Director Smith, it does not appear that CRAs were heeding \nthat advice prior to the Equifax breach. Since then, have you \nseen any indication that CRAs have downsized the amount of data \nthey are keeping about us?\n    Mr. Smith. So we do not have any information about them \ndownsizing the information. I would say that, that guidance is \nmore sort of directed at companies being mindful of the \ninformation that they have, inventorying it, and making sure \nthat they still have a need for it. I suspect that if we were \nto ask the CRAs, they would say, ``This is information that we \nneed.\'\'\n    Ms. Hill. Okay. Do you know if Equifax or any of the other CRAs \nhave reduced their use of social security numbers?\n    Mr. Smith. Not to my knowledge, no.\n    Ms. Hill. Okay, Mr. Litt, social security numbers are used \nboth as identifiers and authenticators, can you please explain \nthe difference?\n    Mr. Litt. Sure an identifier basically matches your file, \nmatches you to your file. And an authenticator proves who you \nsay you are. So you can think of an identifier as a username \nand an authenticator as a password.\n    Ms. Hill. 
Okay so, in theory, an authenticator should be \nsomething secret that only you can provide. Is that right?\n    Mr. Litt. That is right.\n    Ms. Hill. So after Equifax exposed so many social security \nnumbers, they are no longer a secret, should CRAs stop using \nthem as authenticators?\n    Mr. Litt. Yes, they should start using them, at least as \npart of their authentication process.\n    Ms. Hill. Does the continued use of social security numbers \nas authenticators help fuel identity theft?\n    Mr. Litt. Yes, they do, especially with the Equifax breach, \nbecause that is more than half the adult population, and you \ncannot change them.\n    Ms. Hill. Do you know if Equifax or the other CRAs have \nstopped using social security numbers in the authentication \nprocess?\n    Mr. Litt. I am not aware of that.\n    Ms. Hill. So at this point, social security numbers are \nwidely known, and I would like to see companies acting \naccordingly and to stop using them as authenticators. Thank you \nso much.\n    Mr. Krishnamoorthi. Thank you, Ms. Hill.\n    With unanimous consent, I enter the following statements \ninto the record. I have a letter from the Conference of State \nBank Supervisors and a letter from the Electronic Privacy \nInformation Center.\n    Without objection, so entered.\n    Mr. Krishnamoorthi. I would like to thank our witnesses for \ntheir testimony today. Without objection, all members will have \nfive legislative days, within which, to submit additional \nwritten questions for the witnesses, to the chair, which will \nbe forwarded to the witnesses for their responses. I ask our \nwitnesses to please respond as promptly as you are able at that \ntime.\n    Thank you so much again. This meeting is adjourned.\n    [Whereupon, at 4:41 p.m., the subcommittee was adjourned.]\n\n                                 [all]\n</pre></body></html>\n'