[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]



         IMPROVING DATA SECURITY AT CONSUMER REPORTING AGENCIES

=======================================================================

                                HEARING

                               BEFORE THE

              SUBCOMMITTEE ON ECONOMIC AND CONSUMER POLICY

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                               AND REFORM

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             March 26, 2019

                               __________

                           Serial No. 116-12

                               __________

      Printed for the use of the Committee on Oversight and Reform
      
      
      
      		[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
      		
      		


                  Available on: http://www.govinfo.gov
                    http://www.oversight.house.gov or
                        http://www.docs.house.gov
                        
                               __________
                               
                    U.S. GOVERNMENT PUBLISHING OFFICE
                    
36-064 PDF                 WASHINGTON : 2019             



                   COMMITTEE ON OVERSIGHT AND REFORM

                 ELIJAH E. CUMMINGS, Maryland, Chairman

Carolyn B. Maloney, New York         Jim Jordan, Ohio, Ranking Minority 
Eleanor Holmes Norton, District of       Member
    Columbia                         Justin Amash, Michigan
Wm. Lacy Clay, Missouri              Paul A. Gosar, Arizona
Stephen F. Lynch, Massachusetts      Virginia Foxx, North Carolina
Jim Cooper, Tennessee                Thomas Massie, Kentucky
Gerald E. Connolly, Virginia         Mark Meadows, North Carolina
Raja Krishnamoorthi, Illinois        Jody B. Hice, Georgia
Jamie Raskin, Maryland               Glenn Grothman, Wisconsin
Harley Rouda, California             James Comer, Kentucky
Katie Hill, California               Michael Cloud, Texas
Debbie Wasserman Schultz, Florida    Bob Gibbs, Ohio
John P. Sarbanes, Maryland           Clay Higgins, Louisiana
Peter Welch, Vermont                 Ralph Norman, South Carolina
Jackie Speier, California            Chip Roy, Texas
Robin L. Kelly, Illinois             Carol D. Miller, West Virginia
Mark DeSaulnier, California          Mark E. Green, Tennessee
Brenda L. Lawrence, Michigan         Kelly Armstrong, North Dakota
Stacey E. Plaskett, Virgin Islands   W. Gregory Steube, Florida
Ro Khanna, California
Jimmy Gomez, California
Alexandria Ocasio-Cortez, New York
Ayanna Pressley, Massachusetts
Rashida Tlaib, Michigan

                     David Rapallo, Staff Director
              Richard Trumka, Subcommittee Staff Director
                          Amy Stratton, Clerk
                      Contact Number: 202-225-5051

               Christopher Hixon, Minority Staff Director
                                 ------                                

              Subcommittee on Economic and Consumer Policy

                Raja Krishnamoorthi, Illinois, Chairman
Mark DeSaulnier, California,         Michael Cloud, Texas, Ranking 
Katie Hill, California                   Minority Member
Ro Khanna, California                Glenn Grothman, Wisconsin
Ayanna Pressley, Massachusetts       Chip Roy, Texas
Rashida Tlaib, Michigan              Carol D. Miller, West Virginia
Gerald E. Connolly, Virginia
                         
                         
                         
                         C  O  N  T  E  N  T  S

                              ----------                              
                                                                   Page
Hearing held on March 26, 2019...................................     1

                               Witnesses

Michael Clements, Director, Financial Markets and Community 
  Investment, Government Accountability Office
    Oral Statement...............................................     3
Andrew Smith, Director, Bureau of Consumer Protection, Federal 
  Trade Commission
    Oral Statement...............................................     5
Mike Litt, Consumer Campaign Director, U.S. PIRG
    Oral Statement...............................................     6
Jennifer Huddleston, Research Fellow, Mercatus Center at George 
  Mason University
    Oral Statement...............................................     8

 The prepared statements for the above witnesses are available 
  at: https://docs.house.gov.

                           INDEX OF DOCUMENTS

                              ----------                              

The documents listed below are available at: https://
  docs.house.gov.

  * Consumer Finance Protection Bureau Complaint; submitted by 
  Rep. Krishnamoorthi

  * R Street Institute Letter; submitted by Rep. Miller

  * National Association of Federally-Insured Credit Union 
  Letter; submited by Rep. Miller

  * Credit Union National Association Letter; submitted by Rep. 
  Miller

  * Conference of State Bank Supervisors Letter; submitted by 
  Rep. Krishnamoorthi

  * Epic.org Letter; submitted by Rep. Krishnamoorthi

 
         IMPROVING DATA SECURITY AT CONSUMER REPORTING AGENCIES

                              ----------                              


                        Tuesday, March 26, 2019

                  House of Representatives,
                 Committee on Oversight and Reform,
              Subcommittee on Economic and Consumer Policy,
                                                   Washington, D.C.

    The subcommittee met, pursuant to notice, at 3:40 p.m., 
2154 Rayburn House Office Building, Hon. Raja Krishnamoorthi 
(chairman of the subcommittee) presiding.
    Present: Representatives Krishnamoorthi, Hill, DeSaulnier, 
Pressley, Tlaib, Grothman, and Miller.
    Mr. Krishnamoorthi. The subcommittee will come to order. 
Without objection, the chair is authorized to declare a recess 
of the committee at any time. This hearing is entitled, 
Improving Data Security at Consumer Reporting Agencies. I 
welcome all of you here today. Thank you so much for coming. I 
now recognize myself for five minutes to give an opening 
statement.
    The Subcommittee on Economic and Consumer Policy is 
dedicated to addressing the issues affecting American consumers 
and our larger economy. Today, we look at what can be done to 
improve data security by consumer reporting agencies, otherwise 
known as CRAs.
    September 7, 2017, changed our data security landscape 
forever. That was the day that Equifax announced that it had 
exposed the social security numbers and other sensitive 
information of nearly half of all Americans. Specifically, 148 
million Americans had their sensitive information exposed.
    That event educated many people for the first time about 
CRAs and the huge amounts of sensitive information that they 
hold. What people still may not know is how many more of these 
companies exist in America. The Consumer Financial Protection 
Bureau, or CFPB, estimates that there are more than 400 CRAs 
today.
    Criminals want access to the treasure troves of data that 
CRAs hold. They want that information so they can open 
fraudulent accounts and run up debt in the names of innocent 
people. In studying this issue, I was deeply saddened to learn 
about one Illinois resident whose credit was so badly damaged 
by identity theft resulting from the Equifax breach, that the 
person was denied both employment and housing.
    This is but one example illustrating the extreme and 
decades-lasting implications of allowing peoples' social 
security numbers, birthdates, addresses, driver's license 
numbers, and credit card information to be exposed to cyber 
criminals.
    Again, I want to let this sink in. This one particular 
breach, with regard to Equifax has the potential to cause 
extreme harm to nearly half of the population, or 148 million 
Americans.
    A year and a half has passed since the Equifax breach and 
the causes of that breach have been investigated and exposed. 
Moving forward, it is our job in Congress to help prevent 
future data breaches and to prevent more Americans from having 
their sensitive, personal information compromised.
    Through the Gramm-Leach-Bliley Act, otherwise known as 
GLBA, Congress directed the Federal Trade Commission to 
implement data security rules for CRAs. To achieve that, it 
created the, ``Safeguards Rule,'' which requires CRAs to take, 
``reasonable steps to protect consumer data.'' But the FTC has 
limited recourse against the CRAs that violates the Safeguards 
Rule. It cannot seek penalties for first violations, and the 
FTC can only seek monetary compensation for consumers if they 
have identified a specific harm.
    Because the negative effects of a breach can often take 
years to surface, it is extremely difficult to reduce this harm 
to a single dollar amount. CRAs also hold huge sway over the 
lives of consumers. The information they control could 
determine if someone gets a loan, a job, insurance, or a home. 
Yet, CRAs are not accountable to those same individuals.
    If consumers dislike a CRA, they cannot hold them 
accountable by taking their business elsewhere. But Congress 
can and should hold CRAs accountable by giving Federal 
watchdogs the tools they need to make CRAs care more about data 
security.
    Failure to implement proper data security must cost CRAs 
more than investing in good security to prevent a breach. That 
is why today, Senator Elizabeth Warren and Chairman Elijah 
Cummings released a proprietary report by the Government 
Accountability Office, the GAO, which we will closely examine 
in this hearing.
    In this new report, GAO has recommended giving the FTC 
penalty authority for first violations to prevent breaches and 
to protect data security. This is a nonpartisan analysis, and 
in fact, democratic and republican FTC chairmen have called for 
increased penalty authority for first-time violations, 
including the current FTC Chairman, Mr. Joseph Simons.
    Enhancing FTC penalty power to enforce data security 
follows the model set by regulations in the banking industry. 
There, so far, knock on wood, we have avoided the types of 
large, harmful data breaches that brought us here today.
    Simply put, GAO does not think that the current regulatory 
system is strong enough to get CRAs to improve their data 
security. So far, many CRAs have been able to internalize the 
profit off of consumer data, externalize the risk, and leave 
consumers holding the bag.
    Today's hearing is the first step in ensuring the data of 
American consumers is being properly protected. Now, with that, 
I would like to recognize our Distinguished Ranking Member, 
Mrs. Miller, sitting in for the ranking member. You have five 
minutes.
    Mrs. Miller. Thank you, Mr. Chairman. I do not have an 
opening statement, but I do want to thank you all, you 
witnesses, for appearing here today, and I look forward to your 
testimony and our discussion.
    I also have the prepared remarks of Ranking Member Cloud, 
and I ask unanimous consent that they be inserted in the 
record.
    Mr. Krishnamoorthi. Without objection, so entered.

    [The Prepared Statement referenced above follows.]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mrs. Miller. Thank you, Mr. Chairman, and I yield back.
    Mr. Krishnamoorthi. Thank you, Mrs. Miller. Today, we are 
joined by Mr. Andrew Smith, the Director of the Bureau of 
Consumer Protection of the Federal Trade Commission; Mr. 
Michael Clements, the Director of Financial Markets and 
Community Investment at the GAO; as well as Mike Litt, the 
Consumer Campaigns Director at U.S. Public Interest Research 
Group; and finally, Jennifer Huddleston, a Research Fellow at 
the Mercatus Center.
    If the witnesses would please rise, I will begin by 
swearing you in.
    [Witnesses sworn.]
    Mr. Krishnamoorthi. Let the record show that the witnesses 
answered in the affirmative. Thank you and please be seated. 
The microphones are sensitive, so please speak directly into 
them. Without objection, your written statements will be made 
part of the record.
    I should tell you about the lighting system. I told a 
couple of you, but green means go; red means stop; yellow is 
different than what we see at stop lights. Here, you have to 
speed up, not slow down. So with that, why don't we begin with 
Director Clements? You are now recognized to give an oral 
presentation of your testimony.

STATEMENT OF MICHAEL CLEMENTS, DIRECTOR, FINANCIAL MARKETS AND 
COMMUNITY INVESTMENT, GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Clements. Chairman Krishnamoorthi, Representative 
Miller, and members of the subcommittee, I am pleased to be 
here today to discuss a recent report addressing oversight of 
consumer reporting agencies or CRAs. Our bottom-line message: 
actions are needed to strengthen oversight at CRAs.
    CRAs serve an essential function in the financial services 
industry. These companies collect large amounts of sensitive 
information about consumers. These companies maintain and 
analyze that information and ultimately package the information 
into consumer reports.
    These reports help determine whether and how much consumers 
pay for credit and can also be used in employment and rental 
decisions among other purposes. At the same time, consumers 
have limited choice in the CRA marketplace. Unlike many other 
products and services, consumers cannot exercise choice if they 
are dissatisfied with a CRA.
    Further, consumers do not have the legal right to delete 
their records with a CRA. CFPB and FTC have noted the level of 
consumer protection required can depend upon consumers 
exercising choice in the marketplace. Less choice implies the 
need for greater oversight.
    The 2017 cyber attack on Equifax with the theft of at least 
145 million consumers' records has focused attention on 
oversight of CRAs. With this context, a focus on FTC's and 
CFBP's oversight of data security in the CRA marketplace.
    First, FTC. FTC enforces CRA compliance with the FTC Act 
and the Gramm-Leach-Bliley Act, or GLBA, among others. Section 
5 of the FTC Act authorizes FTC to investigate and take 
enforcement action against companies that engage in unfair or 
deceptive practices, including those related to data 
protection. FTC has taken action against 66 companies, 
including CRAs, under Section 5 for unfair or deceptive 
practices related to data protection.
    GLBA seeks to ensure that financial institutions protect 
consumers' non-public information. As required by GLBA, FTC 
adopted its Safeguards Rules. Among other things, the 
Safeguards Rule requires that financial institutions assess the 
risk to consumer information and have a plan to mitigate those 
risks.
    FTC can enforce the Safeguards Rule through injunction, 
redress, and discouragement. However, assessing monetary harm 
can be difficult with data breaches, because, for example, the 
resulting harm may occur years in the future. Thus, we 
recommend that Congress consider granting FTC civil money 
penalty authority for violations of GLBA. This would give FTC 
the tools to carry out the enforcement authority that Congress 
has already provided to FTC.
    Second, CFPB. CFPB enforces and examines CRA compliance 
with several consumer protection laws, including the Dodd-Frank 
Act in portions of GLBA. Under the Dodged-Frank Act, CFPB 
supervises larger market participant CRAs. Those with more than 
$7 million in annual receipts from consumer reporting.
    However, we found that CFPB does not have a good handle of 
the number of CRAs that meet its larger market participant 
threshold. Thus, we recommended that CFPB identify additional 
sources of information that would help ensure that it is 
tracking all CRAs that meet its threshold.
    From 2015 through 2017, CFPB examined several CRAs. 
However, we found that its prioritizing process does not 
routinely account for data security risk. To determine specific 
areas of compliance to assess, CFPB considers sources such as 
consumer complaints and past exam finding. While important, 
these sources do not consider how an institution would detect 
and respond to cyber threats.
    Following the Equifax cyber attack, CFPB initiated data 
security exams of the major CRAs, but it is unclear whether and 
how CFPB would incorporate data securities into its 
prioritization process going forward.
    Thus, we recommended that CFPB assess whether its process 
for prioritizing CRA examinations sufficiently incorporates 
data security risks that CRAs pose to consumers' information.
    Chairman, Krishnamoorthi, Ranking Member Miller, and 
members of the subcommittee, this concludes my prepared 
statement. I would be pleased to respond to any questions you 
may have.
    Mr. Krishnamoorthi. Thank you very much, Mr. Clements.
    Mr. Smith, please.

STATEMENT OF ANDREW SMITH, DIRECTOR, BUREAU OF CONSUMER 
PROTECTION, FEDERAL TRADE COMMISSION

    Mr. Smith. Thank you, Chairman Krishnamoorthi. Mr. Chairman 
and members of the subcommittee, I am Andrew Smith. I am the 
Director of the Bureau of Consumer Protection at the Federal 
Trade Commission. I appreciate the opportunity to appear before 
you here today to discuss data security at the consumer 
reporting agencies.
    I also want to thank Mr. Clements and GAO for its recently 
issued recommendations to improve the tools available to the 
FTC to enforce the data security laws applicable to consumer 
reporting agencies.
    My written statement represents the views of the 
commission. This opening statement represents my ideas alone 
and not necessarily the views of the commission or any 
individual commissioner.
    To promote the security of consumers' personal information, 
including information at the credit bureaus, the FTC focuses on 
three main areas. The first of these is enforcement. For nearly 
two decades, the FTC has been the Nation's leading data 
security enforcement agency, where charged with enforcing data 
security requirements contained in specific laws, such as the 
Fair Credit Reporting Act and the Gramm-Leach-Bliley Act. We 
also enforce Section 5 of the FTC Act, which prohibits unfair 
or deceptive practices, including unfair or deceptive practices 
with respect to data security.
    In this law enforcement role, the commission has settled or 
litigated more than 60 actions against businesses that 
allegedly failed to take reasonable precautions to protect 
consumers' personal information. In 2017, the commission took 
the unusual step of publicly confirming its investigation of 
Equifax and the Equifax data breach, due to the scale of public 
interest in the matter.
    Our second area of focus is policymaking. The FTC has 
conducted workshops, issued reports, and made rules to promote 
data security. For example, just earlier this month, we 
announced a notice of proposed rulemaking to update our 
Safeguards Rule under the Gramm-Leach-Bliley Act.
    The Safeguards Rule was originally issued in 2002. It 
requires financial institutions within the FTC's jurisdiction, 
including credit bureaus, to implement reasonable process-based 
safeguards to protect personal information.
    The proposed revisions to the Safeguards Rule are based on 
our nearly 20 years of enforcement experience. These revisions 
are intended to retain the process-based approach of the 
Safeguards Rule and to provide financial institutions with more 
certainty regarding the FTC's expectations with respect to data 
security.
    Our third area of focus is education. The commission has 
issued numerous guidance documents for businesses including 
written materials, blog posts, and a comprehensive small 
business cyber education campaign, which includes, how-to 
videos and training materials. These materials distill lessons 
learned from our enforcement actions in a succinct and 
accessible manner.
    With respect to cyber security at credit bureaus, the 
education of consumers is also critically important. Following 
the Equifax breach in September 2017, we established a 
dedicated web page for victims of the breach. During that first 
month, the FTC blog on the Equifax breach reached the most 
viewed Government webpage, nationwide, surpassing pages for 
disaster assistance after major hurricanes. The FTC's Credit 
Freeze FAQs article and IdentityTheft.gov recovery steps also 
made the top five most viewed Government webpages in September 
2017.
    We vigorously use our existing authority to protect 
consumers, but we need additional tools. In this regard, we 
appreciate and agree with GAO's recommendation to give the FTC 
civil penalty authority for violations of the Safeguards Rule.
    In fact, however, we have called more broadly on Congress 
to enact comprehensive data security legislation that includes 
rulemaking, civil penalty authority, and enhanced jurisdiction 
for the FTC.
    First, the legislation should authorize the FTC to issue 
data security rules under the Administrative Procedures Act, so 
that we can keep up with business and technological changes. 
Where we currently have rulemaking authority, we have used it, 
as demonstrated by the proposed revisions to the Safeguards 
Rule, which I just mentioned.
    Second, the legislation should allow the FTC to obtain 
civil penalties for data security violations. Currently, we 
have authority to seek civil penalties for data security 
violations under the Children's Online Privacy Protection Act 
and the Fair Credit Reporting Act, and we have used it. To help 
ensure effective deterrents, we urge Congress to enact 
legislation to allow the FTC to seek civil penalties for data 
security violations in appropriate circumstances.
    Now finally, the legislation should extend the FTC's 
jurisdiction over data security to nonprofits and common 
carriers. Entities in these sectors often collect sensitive 
consumer information and significant breaches have been 
reported, particularly in the nonprofit educational and 
hospital sectors.
    Thank you for the opportunity to appear before you, and I 
look forward to answering your questions.
    Mr. Krishnamoorthi. Thank you, Mr. Smith.
    Mr. Litt, you have five minutes.

STATEMENT OF MIKE LITT, CONSUMER CAMPAIGNS DIRECTOR, U.S. PIRG

    Mr. Litt. I am sorry about that.
    Mr. Krishnamoorthi. Take two.
    Mr. Litt. All right, good afternoon. Again, my name is Mike 
Litt with U.S. PIRG. I appreciate the opportunity to testify 
before you today.
    In order to improve data security at credit reporting 
agencies, also known as credit bureaus, we need robust 
financial penalties, stronger oversight, and better consumer 
control of our data. You mentioned the Equifax breach. All we 
have to do is look at that to see the real dangers that are 
posed to real people when credit reporting agencies drop the 
ball on their data security and lose our data.
    I am one of the 148 million Americans whose financial DNA 
was exposed, and we are put at risk of identity theft and all 
sorts of fraud for the rest of our lives. Equifax still has not 
paid a penalty after putting people in harm's way. We have no 
choice over Equifax or the other credit bureaus--that can 
collect our information and sell it.
    And when they lose it, we cannot leave them the way we can 
other companies. It is exactly that dynamic, why it is 
important that we have robust financial penalties when data is 
lost and strong oversight to prevent data loss in the first 
place.
    If you are a larger credit bureau and you do not comply 
with the Federal Trade Commission's Safeguards Rule. There 
should be mandatory penalties. If you lose personal data, there 
should be mandatory fines, but at the very least, we need to 
make sure that the FTC can actually issue penalties for the 
first violation of the law. They investigated the Equifax 
breach, but they will only be able to issue a consent order and 
then only if Equifax breaks that order and then violates the 
law a second time can there actually be any fines. We need to 
change that.
    Next, I would like to discuss some ideas for oversight from 
my written testimony. The Consumer Financial Protection Bureau 
does have tools that the FTC does not. It can issue civil 
penalties after first violation of the law. It can examine 
companies to catch problems ahead of time.
    We know from Equifax's SEC filing last month, that the CFPB 
has been investigating the Equifax breach, and they have 
expressed their intent to actually issue civil penalties.
    So clearly, the CFPB is using its authority to take action 
on data security. We would like to see them consider and 
prioritize data security for examinations of other companies as 
well. The oversight committee's report on the Equifax breach 
that came out in December shows that hackers exploited 
unencrypted info and weak data controls. The FTC just proposed 
an amendment to its Safeguards Rule that would require some 
good first steps for security measures, such as data encryption 
and multi-factor authentication and data controls.
    Finally, I would like to talk about better consumer control 
over our own data. The best way to stop an identity thief from 
opening new accounts in your name is to get credit freezes, 
also known as security freezes at all three of the national 
credit bureaus. Basically, a credit freeze blocks or freezes 
access to your credit reports.
    Before the Equifax breach, the credit bureaus charged fees 
for freezes in most of the states. After the breach, 19 states 
made freezes free. Congress followed suit. Passed a law that 
eliminated fees for everybody. In my written testimony, I 
explain problems with the national freeze that we would like to 
see fixed, and we have got some other ideas in there for better 
consumer control.
    But really the best solution would be to make sure that 
access to our own credit reports is actually frozen 
automatically by default. We should not have to opt in to 
control access to our own data.
    So to summarize all of this, we are not the customers of 
the credit bureaus, but the credit reporting agencies possess 
vast amounts of our personal information, including our 
financial DNA and that is really why we need to be able to have 
robust financial penalties and stronger oversight to 
incentivize them to protect our data.
    The FTC and the CFPB should use their authorities and be 
granted expanded authorities in order to achieve those goals. 
Additionally, we should be given more control over our own 
personal data.
    I look forward to working with you. Thank you so much.
    Mr. Krishnamoorthi. Thank you, Mr. Litt.
    Ms. Huddleston, you have five minutes.

STATEMENT OF JENNIFER HUDDLESTON, RESEARCH FELLOW, MERCATUS 
CENTER AT GEORGE MASON UNIVERSITY

    Ms. Huddleston. Thank you. Good afternoon. Chairman 
Krishnamoorthi, Representative Miller, and distinguished 
members of the Economic and Consumer Policy Subcommittee.
    My name is Jennifer Huddleston, and I am a Research Fellow 
with the Mercatus Center at George Mason University. My 
research focuses, primarily, on the intersection of law and 
technology, including the important issue surrounding data 
security and data privacy.
    Thank you for the opportunity to discuss some of these 
issues today, particularly in regards to the 2017 Equifax 
breach. These conversations are particularly important as we 
continue to see headlines around data breaches and data 
privacy.
    As policymakers consider how to address such concerns, they 
should be careful to avoid unintended consequences to 
innovation, as a result. With this in mind, I would like to 
focus on three key points today.
    First, that regulators should avoid an overly expansive 
definition of harm in their approach to data security to avoid 
unintended consequences to innovation. Second, the way the 
FTC's current enforcement approach has provided a balanced 
approach to data security and data privacy allowing innovation 
to flourish and providing consumers a form of redress. Finally, 
with regards to credit reporting agencies, that policy 
solutions should be narrowly tailored and focused on the unique 
position of these agencies and the data they possess, so as to 
avoid, or limit, unintended consequences to broader data base 
industries.
    To begin, regulators should be cautions about an overly 
expansive definition of harm and their approach to data 
security that could have unintended consequences to innovation. 
While there is general agreement that data breaches have the 
potential for harm, there is disagreement on when harm occurs, 
the need for Government intervention, and what particularly 
constitutes harm in these scenarios.
    There is a wide range of personal preferences and what 
information we choose to share publicly or privately through 
various data systems. A flexible system provides options for 
both consumers and businesses and encourages innovative 
solutions when it comes to data security. While it is easy to 
rush to the worst conclusions when we see scary headlines and 
hear news of breaches such as Equifax, only focusing on the bad 
could prevent future innovation that would provide better 
alternatives and better data security, more generally.
    A lack of flexibility and a rigid system could lock in 
existing options, rather than providing incentives to innovate 
and provide better data security, more generally.
    Now I would like to turn to the general success of the 
FTC's current enforcement approach with regards to balancing 
innovation and redress for consumer harm. The FTC has been 
active in both personal data and credit reporting and financial 
privacy. It has addressed data breaches under both deception 
and unfairness doctrines as well as other laws when specified.
    But in general, it has built a common law of consent 
decrees, rather than more formal regulation and adjudication. 
While this allows for greater flexibility as innovation 
evolves, it also can raise concerns due to lack of clarity and 
certainty for regulated parties.
    At the same time, though, this approach has allowed 
consumers benefits of a data-driven economy while still 
providing redress when consumer harm occurs.
    Finally, with regards to the unique situation of credit 
reporting agencies, the policy solutions in regard should be 
narrowly tailored so as to avoid unintended consequences to 
data base industries, more generally.
    The credit reporting agencies are in a unique situation, in 
that there is no opt in or opt out for consumers. Additionally, 
due to high barriers to entry, there may be less concern about 
potential impact on competition that such regulation could 
have.
    Given these factors, the policy solutions to address these 
concerns with regards to data breaches and data security should 
focus on these unique aspects and the data that is uniquely 
concerning when it comes to these agencies.
    At the same time, though, we should also consider, what, in 
addition to regulation, or as an alternative to regulation, 
might be done more generally. For example, consumer education 
and empowerment, including increased transparency so that 
consumers are aware of what to do in the event of data breaches 
and what resources are available to them. As well as common law 
alternatives for those that have experienced harm and 
accountability for those who caused it.
    The U.S. has been a leader in innovation, and this makes it 
especially important to carefully consider the potential for 
unintended consequences and not prevent potentially innovative 
solutions that would provide better security in the future.
    Thank you, and I welcome your questions.
    Mr. Krishnamoorthi. Thank you, Ms. Huddleston.
    First of all, thank you to all of you for joining us today. 
All of the witnesses, and of course, the members of the 
audience.
    I want to start with Mr. Litt. I recognize myself for five 
minutes of questions.
    You know, Equifax had very sensitive information about at 
least 148 million people: their names, social security numbers, 
addresses, dates of birth and so on. Do the other CRAs have 
similar information about as many consumers?
    Mr. Litt. Yes, in fact it is probably more. The CFPB has 
said that each of the credit bureaus possess approximately 200 
million different consumer files.
    Mr. Krishnamoorthi. I mentioned some types of personal 
information. Are there other types of sensitive information 
they possess?
    Mr. Litt. Well they have information that is in our credit 
files that could show whether you are in debt or debt 
collection, your credit history. Also credit bureaus have 
investigative reports on some consumers. So these are basically 
background checks that can include interviews with your 
coworkers, your neighbors, your friends and family, other 
people in your life.
    Mr. Krishnamoorthi. Do you have any indication that CRAs 
are collecting less information today than they were at the 
time of the Equifax breach?
    Mr. Litt. No, I have absolutely no indication of that.
    Mr. Krishnamoorthi. Can you explain a couple of the more 
serious risks that consumers face when their sensitive data is 
exposed?
    Mr. Litt. Yes, so in the case of the Equifax breach where 
you have just your name and your social security number, an 
identity thief can try to apply for a utilities account, 
credit, a loan, get a smart phone on your account. Then they 
can use your date of birth and they can try to apply for your 
social security benefits, your tax refund that you might be 
counting on, your medical services and benefits.
    Mr. Krishnamoorthi. Okay, without objection, I would like 
to enter into the record, a complaint submitted to the Consumer 
Financial Protection Bureau by an Illinois parent who was a 
victim of the Equifax data breach.
    Mr. Krishnamoorthi. This was the complaint and, you know, I 
read a portion of this earlier, or read about it earlier. But 
basically, this person was unable to receive housing or 
employment because of the harm from the data breach.
    Director Smith, I have a question for you. With their high 
concentration of sensitive information, are CRAs subject to 
constant attack by cyber criminals? What is the nature of the 
attacks and the threats posed by cyber criminals?
    Mr. Smith. So that is probably a better question for the 
credit bureaus, but, you know, our understanding is that 
financial institutions, generally, and credit bureaus, 
specifically, are subject to constant attack, given the value 
of the information that they warehouse.
    I think what you find is if you spoke with financial 
institutions, they would say that they are under constant 
attack. That is one of the issues for us in the FTC. We want to 
make sure that financial institutions are always monitoring for 
penetration and intrusion so that the breaches are actually 
being detected. Because that is one of my real fears -- that 
there are breaches that are going undetected.
    Mr. Krishnamoorthi. Well that is what I was going to ask 
you next. Equifax may have garnered the most attention, but, 
you know, can you talk about other data breaches at any other 
CRAs in recent years?
    Mr. Smith. Well we have brought some enforcement actions in 
connection with data breaches at consumer reporting agencies. 
The most prominent is probably our action against ChoicePoint 
several years ago where they were selling credit reports to a 
ring of known identity thieves. There we sought--well we 
obtained $10 million in penalties and $5 million in consumer 
redress.
    I will say that most of the cases of the 66 cases that Mr. 
Clements mentioned in the data security area, a couple have 
involved credit bureaus but mostly not. It is mostly other 
types of companies and primarily operating online.
    Mr. Krishnamoorthi. Got it. Mr. Clements, can I ask you the 
next question? Can you identify other, you know, regulatory 
areas where, you know, the penalty for a first violation has 
been found to be effective or, you know, what's the nature of 
the impact of such a type of penalty?
    Mr. Clements. We do know in the banking space that the 
Federal banking regulators, that would be, for example, Office 
of Comptroller of the Currency, the Federal Reserve, and FDIC, 
do have civil penalty authority under GLBA for those type of 
violations.
    They are also examining these institutions on a regular 
basis. If it is a larger institution, it is subject to 
continuous reviews. If it would be a smaller institution, every 
12 to 18 months there would be an examination.
    Mr. Krishnamoorthi. Got it. I am out of time. I am going to 
recognize Mrs. Miller for the next set of questions.
    Mrs. Miller. Thank you, Mr. Chairman.
    Ms. Huddleston, in your testimony you state that the 
Federal Trade Commission's current approach has been flexible 
and therefore has allowed innovation to flourish while still 
protecting consumers. Can you please expand upon that?
    Ms. Huddleston. Thank you, Mrs. Miller. I would point to 
the fact that the Federal Trade Commission has been active in 
data breaches and data privacy going back to the late 1990's 
with GeoCities. Our data security and our innovation when it 
comes to online websites and what we expect them to protect has 
come a long way. Part of this has been rather than having an 
ex-ante approach of regulation, they have been able to provide 
a flexible guidance that allows different methods to develop to 
better protect consumers.
    Mrs. Miller. Thank you. While it may sometimes be a useful 
tool, enforcement actions by Federal agencies should not be the 
only way to ensure consumer data is safe. Would you agree?
    Ms. Huddleston. One of the interesting elements with 
enforcement actions is how once they are enacted they can be 
unflexible and unmoving. This can affect both consumers and 
companies that are subject to consent decrees. At the same 
time, there are also already existing tools, including the 
common law for consumers who may have direct proof for harm of 
something like identity theft. There can also be criminal 
issues involved depending on the nature of what has happened as 
a result of the breach.
    Mrs. Miller. What are the pitfalls of excessive Government 
intervention in a rapidly evolving area like information 
technology?
    Ms. Huddleston. We have benefited a lot from innovation and 
many of us have seen how rapidly, in our lifetime, things have 
changed as a result of allowing innovation to accelerate. If we 
have a lot of regulation in a rapidly changing area, such as 
data security, it is possible we may lock in the existing 
system, rather than getting a better system that could protect 
our data more.
    Mrs. Miller. What are some buffers that could be created to 
narrowly tailor regulatory authority?
    Ms. Huddleston. When considering what to do with regards to 
the credit reporting agencies, such as Equifax and these 
concerns, I would suggest that we look very carefully at how we 
are defining data and how are defining what entities are 
covered. So that we are truly addressing those concerns.
    Mrs. Miller. What can the Federal Trade Commission do to 
provide greater education to consumers?
    Ms. Huddleston. I think that in light of the Equifax 
breach, what we have seen is a lot of consumers really want to 
get interested in how they can protect themselves and take 
those steps as we heard mentioned in earlier testimony.
    Immediately after the Equifax breach, the blog post on what 
to do was one of the most visited Government websites. Continue 
to provide that information to consumers, be it through 
websites or through other educational campaigns, so that 
consumers can then take the appropriate and next steps 
themselves.
    Mrs. Miller. Thank you. We have heard a lot recently about 
the General Data Privacy Regulations, or GDPR, in Europe and 
the California Consumer Privacy Act, or CCPA. What are the 
problems with expansive, top-down regulatory regimes such as 
this?
    Ms. Huddleston. With the GDPR, we have already seen that 
there are fewer data actors in Europe. You already had a very 
top-down regulatory regime, but smaller players have had to 
exit the market, in some cases, because of the cost of 
compliance.
    Therefore, you may not be getting innovative solutions that 
could be more protective, and you are not seeing the type of 
competition that we would like to see when it comes to that, 
that can provide better security.
    Mrs. Miller. Thank you. Mr. Chairman, I have here three 
letters addressed to our subcommittee concerning issues before 
us today. The first is from the R Street Institute, a 
nonpartisan think tank. The second is from the National 
Association of Federally Insured Credit Unions. And the third 
is from the Credit Union National Association. I ask unanimous 
consent that these letters be inserted in the record.
    Mr. Krishnamoorthi. Without objection, so entered.
    Mrs. Miller. Thank you. I yield back my time.
    Mr. Krishnamoorthi. Thank you, Mrs. Miller.
    Ms. Pressley, you are on the clock for five minutes.
    Ms. Pressley. Thank you, Mr. Chair, and I want to thank all 
of our witnesses for joining us today. It is clear from your 
testimony that consumer reporting agencies occupy a very unique 
space.
    They deal in consumer data, but they do not deal with 
consumers. Their customers are businesses. Their products are 
the data that they gather about you and me and millions of 
other Americans. They have the power to affect peoples' lives 
in critical ways. They provide the reports that determine 
everything, from whether you can get a loan to whether you can 
obtain housing or even employment. Yet, they put people at risk 
when they lack adequate data protection safeguards like we saw 
with the Equifax breach which impacted nearly 148 million 
consumers in 2017.
    In fact, last month at a hearing held by the Financial 
Services Committee, which I am a member of, I asked the CEO of 
Equifax whether anyone on their leadership team was held 
accountable for this data breach. His response was, ``There was 
plenty of accountability. The entire leadership team in 2017 
did not receive a bonus.''
    This is, I am sure, you would agree, an insult to the 
millions of consumers that were affected by the breach and 
continue to this day to struggle to bounce back after having 
their data compromised.
    So I want to touch on what options, if at all, consumers 
have in this market. You spoke to some of this you--all of 
you--in your testimony. If you could elaborate, where clearly 
there is no accountability for CRAs when breaches like this 
happen.
    Director Clements, in the GAO report you explain that 
consumers lack choices in the consumer reporting market. So if 
we could unpack that, just for the record, ``Consumers are not 
voluntarily providing their data to CRAs. Business are not 
voluntarily providing their data to CRAs.'' Businesses are 
doing that, correct?
    Mr. Clements. Consumer data ultimately is input to the 
process. So you are correct.
    Ms. Pressley. Okay. So, consumers are never actively 
providing consent for our data to be provided to CRAs. Again 
given your testimony, that is an accurate characterization, 
correct?
    Mr. Clements. Right.
    Ms. Pressley. Okay. So if a constituent of mine is 
dissatisfied with Equifax's data protection practices, can he 
or she choose to remove their data to the competitor's and only 
have Experian and TransUnion maintain their files?
    Mr. Clements. No.
    Ms. Pressley. Well what about leaving the consumer 
reporting market, entirely? Could someone force the CRAs to 
delete their records?
    Mr. Clements. The CFPB has told us that consumers have no 
legal right to remove their data from a CRA.
    Ms. Pressley. Okay and so consumers do not voluntarily opt 
in to have their information shared to the CRAs, nor can they 
opt out? Instead, businesses are providing it, whether 
consumers want them to or not. And once the CRAs have the 
information, consumers are essentially locked out, correct?
    Mr. Clements. That is correct.
    Ms. Pressley. Okay. Mr. Litt, I have a couple of minutes 
left. Most other private businesses cannot avoid consumers the 
way CRAs can. Most businesses have to try to consumers happy or 
risk losing them to their competitors. But CRAs are different. 
Can consumers make decisions with their dollars that would 
incentivize CRAs to ensure that they protect the sensitive data 
about their customers?
    Mr. Litt. No, they have no say in the matter.
    Ms. Pressley. Without the pressure of market forces, is 
data security at CRAs a necessary area for Government 
regulation?
    Mr. Litt. Absolutely.
    Ms. Pressley. Back to you, Director Clements. The GAO 
report indicates that CFPB has identified credit reporting as a 
higher risk market for consumer harm. Can you explain why it 
made that determination?
    Mr. Clements. I cannot explain CFPB's logic. Our logic, 
what we think CRA is a high-risk area. One is it serves an 
essential function in the marketplace, in financial services 
industry. Second would be the large amount of sensitive 
information that is contained there. Then third, the fact that 
consumers have limited choice in this marketplace.
    Ms. Pressley. Thank you. So without consumer choice, CRAs 
lack the same market pressures as typical businesses to 
adequately protect consumer data. That is a market failure, and 
it reinforces the need for strong Government rules to help 
ensure sufficient consumer data protection at CRAs.
    Thank you all for your testimony here today, your expert 
testimony. I look forward to working with all of my colleagues 
so that we can provide ample oversight and accountability for 
these CRAs, since clearly, they cannot be trusted to do that 
themselves.
    Thank you. I yield my time.
    Mr. Krishnamoorthi. Thank you, Ms. Pressley.
    Now, Mr. Grothman. You have five minutes.
    Mr. Grothman. Very good. I will start out with a question 
for Mr. Smith. Am I correct in saying that the FTC has 
authority to take enforcement action against credit reporting 
agencies that do not properly protect consumers' personal 
identifiable information or that act in an unfair and deceptive 
manner when it comes to consumers' personal data?
    Mr. Smith. Yes. We enforce the Fair Credit Reporting Act 
against consumer reporting agencies. We enforce our Safeguards 
Rule against consumer reporting agencies. As you noted, we have 
general authority to prohibit unfair and deceptive practices.
    Mr. Grothman. You brought over 60 cases against companies 
since 2002?
    Mr. Smith. For data security violations, yes.
    Mr. Grothman. You brought 30 cases against companies for 
violating the Gramm-Leach-Bliley Act, including the Safeguards 
Rule?
    Mr. Smith. That sounds Okay to me. That sounds right.
    Mr. Grothman. What is the process for bringing one of these 
cases?
    Mr. Smith. Generally we would learn of the case through a 
variety of means. It might be press reports. It might be 
consumer complaints. It might be tips or reports from other 
agencies. Then we will usually issue a civil investigative 
demand, which is an administrative subpoena to the company and 
conduct the investigation through the normal course.
    Mr. Grothman. As a practical matter, my data has been 
breached, how do I find out about it?
    Mr. Smith. You will generally find out about it because the 
company notifies you, because there are, in every state, there 
are laws that require companies where there is an authorized 
access or acquisition of data, requires the company that has 
been breached to send the affected consumers a notice.
    Mr. Grothman. Okay, but as a practical matter, that is if 
the company identifies or contacts me themselves. What bad 
thing would happen to me that I would find out about it? Or how 
often, when there is a breach, do bad things happen?
    Mr. Smith. So it is very difficult for us to say how often, 
when there is a breach, do bad things happen. Every once in a 
while, we can actually tie breached information to subsequent 
fraud against consumers. One example of that is when there was, 
I think it was the Yahoo had their user names and passwords 
that consumers used at other sites. So, there was a sum ability 
to link, but generally, the proximate causation of compromised 
data to any eventual consumer harm, that can be a difficult 
thing to show.
    Mr. Grothman. Okay. How many people, do you think, had bad 
things happen because of this? Do you have any idea?
    Mr. Smith. Because of?
    Mr. Grothman. Of the breaches.
    Mr. Smith. Of breaches generally or of the Equifax breach, 
specially?
    Mr. Grothman. Well, both.
    Mr. Smith. So we spend a lot of time studying identity 
theft in the economy, generally. We know that there is sort of 
a background level of identity theft. In any given year, a 
certain number of us will be subject to identity fraud. The 
reasons for that may be difficult to discern.
    What we are looking at when we try to look at sort of gross 
aggregate levels of harm to consumers is following a big breach 
like Equifax, is there any change to that background level of 
identity theft?
    My understanding, and again, I am not commenting on any 
particular investigation that we have in front of us. But my 
understanding is that Equifax has claimed that there has not 
been any increase, generally, in the gross level, of identity 
theft. But that just could mean that the information has not 
yet been used.
    Mr. Grothman. Okay. Do we have any hard numbers as far as 
in the Equifax breach? How many people had a bad thing happen 
to them? Not getting a letter in the mail saying that, you 
know, your identity has been breached, but a bad thing was done 
with that information?
    Mr. Smith. Right. I think that is going to be very 
difficult for anyone to show. I mean, the bad things that we 
would be thinking about would be someone opening a credit card 
in your name, for example. That is the causation, the cause of 
link between the Equifax breach and that new account opening in 
your name.
    Mr. Grothman. They really do not know. Nobody knows. Okay.
    Ms. Huddleston, you are a scholar focusing at the 
intersection of technology and the law. Do you think the FTC 
has an approach to ensuring data privacy and security has been 
effective so far?
    Ms. Huddleston. The good thing about the FTC's approach to 
data privacy and security is that it has been flexible to move 
with the technology. The concern is that, because it is often 
done through consent decrees, it does not necessarily provide 
regulated entities with the knowledge of what is constantly 
expected of them. At the same time, our court system and the 
common law may be able to provide redress for those consumers 
who do have the measurable harm you were mentioning in your 
earlier question.
    Mr. Grothman. Okay. I think I have time for one more 
question. This is kind of a little bit off the topic, but just 
in general, I always think with these agencies, the major 
concern is that there are flaws in their information, in which 
you could be harmed, and you do not even know that you are 
being harmed.
    Do you think we are doing an adequate job of policing that 
potential problem? In other words, if there are Glenn Grothmans 
in the world, and the other guy is a spendthrift, to what 
degree are we catching that sort of thing? Or to what degree 
are people's credit score being harmed unfairly? Do we catch 
that sort of thing?
    Mr. Smith. So I can start on that. I think that mistaken 
identity is a big problem in the credit reporting system. We 
want to make sure--so my name is Andrew Smith. There are tens 
of thousands of Andrew Smiths. How do I make sure that a bad 
Andrew Smith does not get mixed up with me? Or how do I make 
sure that his information does not wind up in my file? Those 
are challenging issues that are a part of the data security 
issues, right, but they do not have to do with data quality.
    Mr. Grothman. Right. It is not exactly on point, but I 
think probably insofar as you worry about these agencies. I 
guess with what we have done, we will go one. The chairman is 
giving me the hook. That is Okay.
    Mr. Smith. Well I will say that we brought a case, just a 
couple of months ago, for this very accuracy issue, where there 
was information about a bad person showing up in your file. It 
was against a company called Real Page and we obtained a $3 
million penalty under the Fair Credit Reporting Act. So there 
are laws against it, and they are enforced.
    Mr. Grothman. Thank you.
    Mr. Krishnamoorthi. Very good. Thank you.
    Ms. Tlaib, you have five minutes.
    Ms. Tlaib. Thank you. I want to thank all of our witnesses 
today for joining us. Director Clements, I would like to 
discuss the Consumer Financial Protection Bureau's role in 
ensuring data security at consumer reporting agencies. In 
Michigan alone, close to 4.6 million consumers were impacted by 
Equifax's unprecedented data breach.
    My constituents, of course, do not have the luxury of 
constant credit monitoring. So it is imperative that we remain 
diligent in our oversight of these credit reporting agencies, 
especially now that they are using credit scoring and reports 
for car insurance and other elements directly impacting 
people's quality of life.
    How many CRAs fall within CFPP's larger participant 
supervisor power?
    Mr. Clements. CFPB has told us it is tracking between 10 
and 15 of those companies.
    Ms. Tlaib. The GAO report, the Government Accountability 
Office report recommends that CFPB leverage traditional 
resources of information to make sure it is tracking all CRAs 
that may qualify, why?
    Mr. Clements. CFPB told us that it was unsure whether that 
was the exact number of companies that its threshold of $7 
million of annual receipts. So there could be a few additional 
companies.
    Ms. Tlaib. Has CFPB indicated a willingness to do that?
    Mr. Clements. CFPB has mentioned a willingness to leverage 
other data sources.
    Ms. Tlaib. To fulfill its mission, it is important the CFPB 
knows all of the CRAs that falls within its jurisdiction. So 
the CFPB has the power to conduct supervisor examinations of 
CRAs. After the Equifax breach, the GAO report indicated that 
CFPB even developed internal guidelines for examining data 
security. Did CFPB actually conduct any examinations of data 
security at CRAs?
    Mr. Clements. Our understanding is that following the 
Equifax breach, the CFPB has conducted multiple targeted data 
security exams at CRAs. What it was not doing was incorporating 
that type of information prior to the Equifax breach. So it was 
not looking at data security prior to the breach.
    Ms. Tlaib. The GAO report indicated that CFPB has the 
authority to conduct these data security examinations of CRAs--
these acronyms in D.C. I cannot believe it. Pursuant to its 
general authority to assess compliance with Federal consumer 
protection laws, such as Dodd-Frank Act, preventing any fair, 
deceptive, and abusive acts in practice. Yet, The GAO report 
indicated that CFPB has not committed to continue considering 
data security risks in selecting examinations going forward. Is 
that correct?
    Mr. Clements. That is correct.
    Ms. Tlaib. GAO's report also said, in light of the Equifax 
breach, as well as the CFPB's acknowledgement of the CRA market 
as a higher risk market for consumers, it is important for CFPB 
to routinely consider factors that could inform the extent that 
CRA data security risks, such as the number of consumers that 
could be affected by a data security incident and nature of 
potential harm, resulting from the loss of exposure of 
information.
    So this GAO report recommends continue[ing] to prioritize 
the risk of data breach in selecting examination topics. Can 
you explain why that is particularly important?
    Mr. Clements. Certainly. In the past, what CFPB was looking 
at when it was doing the supervision was focusing on consumer 
complaints, past exam filings and public filings. So they ended 
up looking at issues such as the accuracy of the data and the 
dispute resolution process. We do not dispute at all that those 
are important, but it was not factoring in the risk to consumer 
information that a breach might happen.
    That was...just within the prioritization process. Does 
that mean that in every instance they would need to do that 
type of exam? At least you are considering it when you are 
making a decision of, "I am going to do an exam of a CRA. What 
factors should I look at in that assessment?"
    Ms. Tlaib. Thank you. The report also noted that other 
institutions that hold sensitive consumer data like insured 
depository institutions are already subject to technology 
examinations, which include cyber security component. Would we 
not want the same kind of supervision on CRAs as we have for 
banks?
    Mr. Clements. I think our findings really get to two 
points. On the one hand is factoring in on those examinations 
that CFPB is conducting data security. Then the other 
recommendation we make in D.C. is to have some predictability 
and a penalty available should the firm not meet the 
requirements in that case of Gramm-Leach-Bliley. So really, our 
findings were a combination of both examinations and the 
penalty.
    Ms. Tlaib. Okay, thank you so much. I yield my time.
    Mr. Krishnamoorthi. Thank you, Ms. Tlaib.
    Ms. Hill, you are up for five minutes.
    Ms. Hill. Thank you, Mr. Chairman and thank you all for 
being here. I know you have touched on the answers to some of 
these, but I want to get clarification on a few things and just 
get this for the record.
    Director Clements, I would like your help in understanding 
the scope of the credit reporting market. People may be 
familiar with the big three: Equifax, Experian, and TransUnion, 
but I was struck by the following statement in the GAO report, 
which states, ``According to the CFPB, the consumer reporting 
market comprises more than 400 companies, and these companies 
issue three billion reports and make more than 36 billion 
updates to consumer files each year.''
    So beyond the big three, there are hundreds of these 
companies out there, each holding our sensitive information. Is 
that correct?
    Mr. Clements. That is our understanding from CFPB, yes.
    Ms. Hill. Great. These CRAs have subsidiaries that conduct 
marketing activities. The GAO report indicates that CRAs are 
able to share information with their affiliates for marketing 
purposes as long as they disclose that and give consumers an 
option to opt out. Is that right?
    Mr. Clements. It depends on the relationship that the 
individual would have with the credit reporting agency. If I 
have a relationship with the credit reporting agency, for 
example, if I am buying a credit monitoring service, the credit 
reporting agency can then share that information with its other 
affiliates. But again, it needs to provide notice, opt out 
option. Then I, as the consumer, would have to not opt out. If 
that is the case, there can be sharing with other affiliates 
within the CRA.
    Ms. Hill. What would another case be where they would not 
have the sharing opportunity?
    Mr. Clements. If I am not a customer of the CRA, then I do 
not have a customer relationship and then the rules are 
slightly different.
    Ms. Hill. Different how?
    Mr. Clements. There would be less sharing opportunities in 
that case, because again, I am not a customer in that instance.
    Ms. Hill. Okay. So in addition to consumers being concerned 
about their information being breached through the backdoor, 
they also have to worry about it leaving through the front door 
on its way to the marketing arms of the CRA. Is that right?
    Mr. Clements. Again, it depends on the customer 
relationship and whether the customer choose the opt in or opt 
out of the sharing.
    Ms. Hill. I mean, actually like it is not usually, even you 
``opt in or opt out'' it is not a very transparent process. I 
think it is usually you check a box, because you are trying to 
hurriedly fill out a form to get something that you need, but 
is that what you are referring to?
    Mr. Clements. I think in terms that the specifics we did 
not get into that. I probably defer to FTC or CFPB in terms of 
the ease of a customer opting in or opting out.
    Ms. Hill. Okay. Director Smith, FTC published a helpful 
guidance to companies about complying with the Safeguards Rule 
that you make available online. It is entitled, ``Financial 
Institution and Customer Information: Complying with the 
Safeguards Rule.'' In the How to Comply Section, it states, 
``One of the earliest steps companies should take is to 
determine what information they are collecting and storing and 
whether they have the business need to do so. You can reduce 
the risks to customer information if you know what you have and 
keep only what you need.''
    Director Smith, it does not appear that CRAs were heeding 
that advice prior to the Equifax breach. Since then, have you 
seen any indication that CRAs have downsized the amount of data 
they are keeping about us?
    Mr. Smith. So we do not have any information about them 
downsizing the information. I would say that, that guidance is 
more sort of directed at companies being mindful of the 
information that they have, inventorying it, and making sure 
that they still have a need for it. I suspect that if we were 
to ask the CRAs, they would say, ``This is information that we 
need.''
    Ms. Hill. Okay. Do know if Equifax or any of the other CRAs 
have reduced their use of social security numbers?
    Mr. Smith. Not to my knowledge, no.
    Ms. Hill. Okay, Mr. Litt, social security numbers are used 
both as identifiers and authenticators, can you please explain 
the difference?
    Mr. Litt. Sure an identifier basically matches your file, 
matches you to your file. And an authenticator proves who you 
say you are. So you can think of an identifier as a username 
and an authenticator as a password.
    Ms. Hill. Okay so, in theory, an authenticator should be 
something secret that only you can provide. Is that right?
    Mr. Litt. That is right.
    Ms. Hill. So after Equifax exposed so many social security 
numbers, they are no longer a secret, should CRAs stop using 
them as authenticators?
    Mr. Litt. Yes, they should start using them, at least as 
part of their authentication process.
    Ms. Hill. Does the continued use of social security numbers 
as authenticators help fuel identity theft?
    Mr. Litt. Yes, they do, especially with the Equifax breach, 
because that is more than half the adult population, and you 
cannot change them.
    Ms. Hill. Do you know if Equifax or the other CRAs have 
stopped using social security numbers in the authentication 
process?
    Mr. Litt. I am not aware of that.
    Ms. Hill. So at this point, social security numbers are 
widely known, and I would like to see companies acting 
accordingly and to stop using them as authenticators. Thank you 
so much.
    Mr. Krishnamoorthi. Thank you, Ms. Hill.
    With unanimous consent, I enter the following statements 
into the record. I have a letter from the Conference of State 
Bank Supervisors and a letter from the Electronic Privacy 
Information Center.
    Without objection, so entered.
    Mr. Krishnamoorthi. I would like to thank our witnesses for 
their testimony today. Without objection, all members will have 
five legislative days, within which, to submit additional 
written questions for the witnesses, to the chair, which will 
be forwarded to the witnesses for their responses. I ask our 
witnesses to please respond as promptly as you are able at that 
time.
    Thank you so much again. This meeting is adjourned.
    [Whereupon, at 4:41 p.m., the subcommittee was adjourned.]

                                 [all]