[Senate Hearing 116-40]
[From the U.S. Government Publishing Office]
                                                         S. Hrg. 116-40

                 EXAMINING PRIVATE SECTOR DATA BREACHES

=======================================================================

                                HEARING

                               before the

                PERMANENT SUBCOMMITTEE ON INVESTIGATIONS

                                 of the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED SIXTEENTH CONGRESS


                             FIRST SESSION

                               __________

                             MARCH 7, 2019

                               __________

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs

                   U.S. GOVERNMENT PUBLISHING OFFICE

36-304 PDF                 WASHINGTON: 2019


        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio                    GARY C. PETERS, Michigan
RAND PAUL, Kentucky                  THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma             MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah                    KAMALA D. HARRIS, California
RICK SCOTT, Florida                  KYRSTEN SINEMA, Arizona
MICHAEL B. ENZI, Wyoming             JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri

                Gabrielle D'Adamo Singer, Staff Director
               David M. Weinberg, Minority Staff Director
                     Laura W. Kilbride, Chief Clerk
                      Thomas Spino, Hearing Clerk


                PERMANENT SUBCOMMITTEE ON INVESTIGATIONS

                       ROB PORTMAN, Ohio Chairman
RAND PAUL, Kentucky                  THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma             MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah                    KAMALA D. HARRIS, California
JOSH HAWLEY, Missouri                JACKY ROSEN, Nevada

            Andrew Dockham, Staff Director and Chief Counsel
                John Kilvington, Minority Staff Director
                      Kate Kielceski, Chief Clerk
                      
                      
                      
                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Portman..............................................     1
    Senator Carper...............................................     3
    Senator Hassan...............................................    12
    Senator Rosen................................................    17
    Senator Hawley...............................................    20
    Senator Harris...............................................    22
    Senator Peters...............................................    25
Prepared statements:
    Senator Portman..............................................    47
    Senator Carper...............................................    50

                               WITNESSES
                        Thursday, March 7, 2019

Mark Begor, Chief Executive Officer, Equifax Inc.; Accompanied by 
  Jamil Farshchi, Chief Information Security Officer.............     7
Arne Sorenson, President and Chief Executive Officer, Marriott 
  International..................................................     8
Andrew Smith, Director, Bureau of Consumer Protection, U.S. 
  Federal Trade Commission.......................................    35
Puente Cackley, Director, Financial Markets and Community 
  Investment, U.S. Government Accountability Office..............    37
John Gilligan, Chief Executive Officer, Center for Internet 
  Security.......................................................    38

                     Alphabetical List of Witnesses

Begor, Mark:
    Testimony....................................................     7
    Prepared statement...........................................    54
Cackley, Puente:
    Testimony....................................................    37
    Prepared statement...........................................    79
Gilligan, John:
    Testimony....................................................    38
    Prepared statement...........................................    90
Smith, Andrew:
    Testimony....................................................    35
    Prepared statement...........................................    69
Sorenson, Arne:
    Testimony....................................................     8
    Prepared statement...........................................    59

                                APPENDIX

Equifax Audit....................................................    98
Letter From Our President........................................   106
February 18, 2019 New York Times Article.........................   108
March 6, 2019 Wall Street Journal Article........................   112
Responses to post-hearing questions for the Record:
    Mr. Begor and Mr. Farshchi...................................   116
    Mr. Sorenson.................................................   121
    
    
    

 
                 EXAMINING PRIVATE SECTOR DATA BREACHES

                              ----------                              


                        THURSDAY, MARCH 7, 2019

            U.S. Senate, Permanent Subcommittee on 
                                    Investigations,
   Committee on Homeland Security and Governmental Affairs,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10:05 a.m., in 
room SD-106, Dirksen Senate Office Building, Hon. Rob Portman, 
Chairman of the Subcommittee, presiding.
    Present: Senators Portman, Hawley, Johnson, Carper, Hassan, 
Harris, Rosen, and Peters.

            OPENING STATEMENT OF SENATOR PORTMAN\1\

    Senator Portman. This hearing of the Permanent Subcommittee 
on Investigations (PSI) will come to order.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Portman appears in the 
Appendix on page 47.
---------------------------------------------------------------------------
    It seems no industry is immune from data breaches that 
expose sensitive consumer information.
    Some of the biggest breaches we have seen recently include 
Google, Uber, Facebook, and the department store Saks Fifth 
Avenue.
    Government agencies have not been immune from this. They 
have also suffered significant breaches, including over 20 
million security clearance background files that were held by 
the Office of Personnel Management (OPM).
    Locating network vulnerabilities that hackers can exploit 
to gain access to sensitive information is a key issue. 
Actually, Senator Hassan and I have worked together on some 
specific legislation. She is here this morning.
    Earlier this year, the President signed our Hack DHS Act, 
as an example, into law, which will strengthen DHS' 
cybersecurity by using ``white hat'' hackers to locate 
previously unknown vulnerabilities in the Department's systems.
    Last night, Senator Carper and I released a report on how 
the Equifax data breach occurred and how hackers were able to 
steal personal and financial data on over 145 million 
Americans.
    That report documents how Equifax failed to follow basic 
cybersecurity practices and protocols, which prevented the 
company from identifying and patching an exploitable 
vulnerability on its system.
    During the course of our investigation, we also learned the 
company failed to preserve important documents related to the 
breach.
    Equifax employees told us they frequently used a chat 
application called ``Microsoft Lync.''
    When Equifax first discovered the breach on July 29, 2017, 
the security team used that chat platform to discuss the hacked 
system and even the company's response.
    Our report uncovered that Equifax did not issue a notice 
not to destroy documents related to the breach until August 22, 
2017, and failed to set the chat platform to archive any of 
these chats until September 15, 2017, a month and a half after 
the breach was discovered, again, back on July 29th.
    Prior to September 15, Equifax was not archiving any Lync 
chats based on its own document retention policy. Counsel for 
Equifax told the Subcommittee they could not find any of the 
chats Equifax employees told us about documenting the discovery 
of the breach.
    As a result, the Subcommittee is left with an incomplete 
record. So are the American people.
    After discovering the breach, Equifax waited 6 weeks to 
disclose to the public on September 7, 2017, that hackers had 
compromised its collection of personal and financial 
information, again, on over 145 million Americans.
    Adding to this delay, the hackers had access to the 
information since May 13, 2017, 3 months before they were 
discovered.
    Equifax Chief Executive Officer (CEO) Mark Begor is here 
today to discuss our report's findings.
    We are also going to hear today from Arne Sorenson, 
Marriott's CEO, on the data breach his company disclosed in 
November 2018. That breach of the Starwood reservation database 
occurred in July 2014, 2 years before Marriott acquired 
Starwood in September 2016.
    But this was not the first time Starwood suffered a 
data breach.
    In November 2015, Starwood announced that it had discovered 
malware on some of its systems at hotels designed to steal 
credit card information at the point of sale. At the time, 
Starwood stated this breach did not impact its guest 
reservation database.
    In November 2018, Marriott announced it had discovered that 
a hacker had accessed the Starwood guest reservation database.
    Marriott's investigation determined that the hacker had 
access to guest information related to 383 million guest 
records since 2014.
    As part of that database, the hackers also gained access to 
over 23 million passport numbers and 9.1 million credit card 
numbers, most of which were expired.
    Marriott learned of the breach on September 8, 2018, but 
waited almost 12 weeks to notify the public on November 30, 
2018.
    The goal of today's hearing and the Subcommittee's report 
is to fully understand these breaches, but also to focus on the 
future, to focus on solutions.
    Companies and government agencies alike must take steps to 
protect the data consumers entrust to them. That is clear.
    When that data is compromised, we need to know as soon as 
possible so we can do everything we can to ensure criminals are 
no longer taking advantage of us as consumers. That seems 
clear.
    I look forward to working with my Ranking Member, Senator 
Carper, and others on this Committee, including the Chairman 
and Senator Hassan, and ensuring that we can move forward with 
legislation that ensures both the protection of consumer data 
and prompt notification when data is compromised.
    I also want to thank Senator Carper and his staff for their 
dedication to these issues and him and his staff for leading 
this investigation.
    With that, I turn to Senator Carper for his opening 
statement.

             OPENING STATEMENT OF SENATOR CARPER\1\

    Senator Carper. Thanks. Thanks, Mr. Chairman. Our thanks to 
both of our witnesses this morning for joining us.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Carper appears in the 
Appendix on page 50.
---------------------------------------------------------------------------
    I want to take a moment to say a special thanks to members 
of the minority staff and the members of the majority staff who 
have worked hard for months to prepare us for this day.
    According to a 2017 study by the Pew Research Center, the 
vast majority of Americans have personally experienced a major 
data breach. My guess is most of us in this room on this side of 
the panel are among them. About half of our country believes 
their personal information is less secure than it was 5 years 
ago.
    Our Subcommittee initiated an investigation into the causes 
of private sector data breaches shortly after Equifax announced 
its breach in the fall of 2017. As we conducted our work, a 
seemingly endless stream of new, high-profile incidents were 
announced. One after the other, well-known companies, including 
Google, Facebook, Ticketfly, T-Mobile, Orbitz, Saks Fifth 
Avenue, Lord & Taylor, Under Armour, and, eventually, Marriott, 
announced that they too had suffered breaches.
    Mr. Begor and Mr. Sorenson, we thank you for your 
appearance today and for your help in better understanding how 
these private sector data breaches occur and what can be done 
to prevent them, including steps that we can take. While my 
colleagues and I will have some tough questions for you, as the 
Chairman has indicated, our goal here is to ensure that the 
mistakes and oversights that contributed to the attacks your 
companies suffered are well understood so that other American 
businesses are less likely to fall victim to hackers.
    When hackers are able to obtain someone's personal 
information, the consequences are real. The 2017 Pew study I 
referred to found that more than 40 percent of the individuals 
polled had discovered fraudulent charges on their credit cards. 
Others reported that someone had attempted to take out loans in 
their name, file tax returns in their name, or steal their 
identity. Several of those things have happened to my own 
family and I suspect to the families of many of us in this 
room.
    Even when a breach victim is fortunate enough to avoid 
becoming a victim of crimes like these, they often deal with 
months or even years of hassle and worry as they swap out 
compromised credit and debit cards, change their online 
passwords, and monitor their bank accounts and credit reports 
for suspicious activities.
    Given the vast amount of information collected on consumers 
these days and the skill and relentlessness of the hackers 
seeking to steal that information, it is critical that 
businesses make cybersecurity a priority at the very top level 
of a company--the board and the CEOs, as well. The constant 
stream of data breach notifications we see year in and year out 
is a sign to me that we could, and should, be doing a lot 
better.
    As my colleagues have heard me say many times, everything I 
do I know I can do better. The same is true of all of us. In 
this one particular area, we need as a country to do a whole 
lot better. It is a shared responsibility.
    Equifax and its two main competitors--TransUnion and 
Experian--have built their business models around the 
collection and dissemination of consumers' most sensitive 
financial information. That includes names, nicknames, dates of 
birth, Social Security numbers, telephone numbers, current and 
former addresses, account balances, and payment histories.
    This data collection is not something consumers can opt out 
of. Credit reporting agencies collect personal information 
without our knowledge or our explicit authorization.
    If someone shops regularly at a retail chain that gets 
hacked, that person can opt not to shop there any longer if 
doing so makes them uncomfortable. They cannot, however, keep 
their information away from Equifax. Knowing this, you would 
think that protecting the sensitive information its entire 
business relies on would be Equifax's top priority. Yet 
information obtained by this Subcommittee and included in a 
bipartisan report released last night illustrates a years-long 
neglect of basic cybersecurity practices and a decision by 
company officials to prioritize the ease of doing business over 
security.
    In 2015, Equifax officials learned through an internal 
audit that the company's information technology (IT) systems 
were riddled with thousands of unpatched vulnerabilities, 
hundreds of them deemed critical or high risks. They also 
learned that the company lacked a mature inventory of its IT 
assets, making it more difficult to address problems as they 
arose.
    By the time the Department of Homeland Security announced, 
in March 2017, that versions of the widely used web application 
software Apache Struts included a serious security flaw, 
Equifax had still not properly responded to its 2015 audit 
findings or brought its cybersecurity practices in line with 
industry standards.
    Despite being informed that the announced flaw in Apache 
Struts was extremely dangerous and easy to exploit, Equifax 
officials appear to have approached the challenge it presented 
with no sense of urgency whatsoever.
    Scans of the company's networks failed to find the 
vulnerable version of Apache Struts it was using, and key staff 
who were in positions to make the necessary security 
enhancements were left off internal communications. The 
vulnerability was discussed at regular security meetings held 
in March and April 2017, but it is not clear who attended those 
meetings. Senior managers interviewed by the Subcommittee were 
nominally in charge of IT management and cybersecurity at 
Equifax, and they told Subcommittee staff that they did not 
regularly attend the meetings themselves.
    Former top Equifax officials we interviewed were very frank 
about the priority they placed on cybersecurity. One key former 
security official told Subcommittee staff that ``security was 
not first'' at Equifax. That is an understatement. The 
company's former chief information officer (CIO) was extremely 
dismissive of the importance of key security processes during 
his interview, saying that he considered the patching of 
security flaws to be a ``lower level responsibility that was 
six levels down'' from him.
    There is no evidence that these two individuals or any 
other top executives at Equifax directed staff to take steps to 
update the company's IT asset inventory or conduct a more 
thorough search for the vulnerable Apache Struts software. This 
lack of initiative would be bad enough on its own, but Equifax 
also left itself blind to incoming attacks by allowing the 
tools it needed to monitor for malicious web traffic to expire. 
When hackers moved in May 2017 to attack Equifax through a 
version of Apache Struts still in use on the company's 
websites, nobody saw them coming. What is more, nobody 
discovered them until July--78 days after the hackers first 
gained entry. During the 78 days the hackers spent inside of 
Equifax's IT network, they accessed multiple data repositories 
containing information on more than 145 million people, and 
probably half the people in this room are among them.
    There are tools available that could have sent alerts to 
Equifax staff as the hackers manipulated the information in the 
databases, but Equifax had not installed them.
    Once Equifax found the hackers at the end of July 2017, 
Equifax executives waited an additional 6 weeks before letting 
the public know what had happened--6 weeks.
    Because Equifax was unaware of all the assets it owned, 
unable to patch the Apache Struts vulnerability, and unable to 
detect attacks on key portions of its network, consumers were 
left unaware for months that criminals had obtained their most 
sensitive personal and financial information. Consumers were 
also unaware that they should take steps to protect themselves 
from fraud.
    Importantly, these failures stand in stark contrast to the 
experiences of TransUnion and Experian, which both quickly 
identified and addressed the same Apache Struts vulnerability 
and have not announced data breaches.
    I have a friend, and when you ask him how he is doing, he 
says, ``Compared to what?'' I think the obvious question here 
is for Equifax compared to TransUnion and Experian.
    The data breach announced by Marriott this past November 
does not appear to have been caused by the kind of cultural 
indifference to cybersecurity the record indicates existed at 
Equifax. Rather, it looks like Marriott inherited this attack 
through its acquisition of Starwood. But the size of this 
breach--up to 500 million people were reported to have been 
affected at one point--requires that we take a close look and 
learn what happened and why.
    I have questions about Marriott's data retention policies. 
For example, I understand why a hotel chain might collect 
passport information in some cases, but I do not know why it 
would need to maintain records of millions of guest passport 
numbers, as appears to have occurred in this case.
    This incident also raises questions about the degree to 
which cybersecurity concerns do and should play a role in 
merger and acquisition decisions. In Starwood, Marriott 
acquired a company that it knew had serious cybersecurity 
challenges and had actually been attacked before. Despite this, 
Marriott chose to initially leave Starwood's security system in 
place after acquiring the company. We need to learn more about 
the priority that Marriott executives chose to place on 
addressing security flaws at Starwood as it worked to integrate 
its systems into its own.
    What we do know today is that large-scale data breaches are 
not going to stop. We cannot afford to shrug our shoulders and 
write them off as a cost of doing business. There are real 
costs to approaching cybersecurity challenges with this frame 
of mind and real harm that can occur both to consumers' 
pocketbooks and to the companies' bottom lines.
    Here in Congress, I think it is long past time for us to 
come to agreement on a Federal data security law that lays out 
for private industry what we expect from them, both in data 
protection and in data breach notification.
    We also need to ensure that the system we have established 
for sharing information on cyber threats and cybersecurity best 
practices is as effective as it can be and it is updated over 
time. If a company as large and sophisticated as Equifax can 
fail so badly at implementing basic cybersecurity practices, we 
can certainly do a better job making clear what will and will 
not work when it comes to blocking hackers and preventing data 
breaches.
    My thanks again, Mr. Chairman, for the work that you and 
your staff and my staff have put in on this complex and 
important issue. We look forward to hearing from our witnesses 
today. Again, thank you for joining us.
    Senator Portman. Thank you, Senator Carper.
    I would now like to call the first panel of witnesses. 
First we have Mark Begor, who is the chief executive officer of 
Equifax. He has served in that capacity since April 2018. 
Again, as we just heard, the Equifax breach was discovered in 
July 2017.
    Second, Arne Sorenson is here. He is the president and 
chief executive officer of Marriott International, Inc. He has 
held that position since 2012. Again, as we just heard, 
Marriott acquired Starwood in 2016. The breach occurred at 
Starwood in 2014 and was discovered in 2018.
    We are also going to swear in someone else this morning, 
Jamil Farshchi, who is the current chief information security 
officer (CISO) at Equifax. It was requested should Mr. Begor 
need some special expertise, technical assistance, so I am 
going to ask you to raise your hand as well.
    It is the custom of this Subcommittee to swear in all of 
our witnesses, so at this time I would ask you all to please 
stand and raise your right hand. Do you swear the testimony you 
will give before this Subcommittee will be the truth, the whole 
truth, and nothing but the truth, so help you, God?
    Mr. Begor. I do.
    Mr. Farshchi. I do.
    Mr. Sorenson. I do.
    Senator Portman. Let the record reflect the witnesses, all 
three, answered in the affirmative.
    Gentlemen, all your written testimony will be printed in 
the record in its entirety, so I would ask that you try to 
limit your oral testimony to 5 minutes.
    Mr. Begor, we will hear from you first.

 TESTIMONY OF MARK BEGOR,\1\ CHIEF EXECUTIVE OFFICER, EQUIFAX 
INC.; ACCOMPANIED BY JAMIL FARSHCHI, CHIEF INFORMATION SECURITY 
                     OFFICER, EQUIFAX INC.

    Mr. Begor. Chairman Portman, Ranking Member Carper, and 
distinguished Members of the Subcommittee, thank you for the 
opportunity to be here today. I am Mark Begor, Chief Executive 
Officer of Equifax. With me today is Jamil Farshchi, our Chief 
Information Security Officer.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Begor appears in the Appendix on 
page 54.
---------------------------------------------------------------------------
    Let me begin by expressing my personal regret for the 
disruption that our 2017 cyber attack had on millions of 
Americans.
    Cyber crime is one of the greatest threats facing our 
country today. U.S. corporations are continually fighting 
criminals that operate outside the rule of law and attempt to 
steal data for their own gain. These attacks are no longer a 
hacker in the basement attempting to penetrate a company's 
security perimeter, but instead are carried out by increasingly 
sophisticated criminal rings and, even more challenging, 
nation-states that are well funded or the military arms of 
nation-states. These attacks on U.S. businesses are attacks on 
U.S. consumers and are attacks on America. This war is getting 
more challenging and more sophisticated, and there is no end in 
sight. Fighting these attackers will require cooperation 
between government, law enforcement, and the private sector.
    We appreciate that Members of this Subcommittee have 
introduced legislation that promotes this type of partnership, 
and we support these efforts.
    The fact that Equifax suffered a data breach does not mean 
the company did not have an appropriate data security program 
or that the company failed to take cybersecurity seriously. I 
understand that before the attack, the company's security 
program was well funded and staffed and leveraged strong 
administrative and technical safeguards.
    In April 2018, when I joined Equifax, I made a personal 
commitment internally and externally to build a culture within 
Equifax where security is a part of our Deoxyribonucleic acid 
(DNA) and committed that Equifax would be an industry leader 
around data security. I am proud of the leadership, cultural 
enhancements, and investments that Equifax has made over the 
past 18 months. We have added experienced senior leaders and 
board members to enhance our security and technology skill 
sets. In 2018 alone, we added close to 1,000 incremental 
security and IT professionals to our team. Between 2018 and 
2020, we are increasing our technology and security spending by 
50 percent, totaling an incremental $1.25 billion.
    We recognize that being an industry leader means actively 
sharing our security learnings and best practices. We have been 
openly sharing all of our cyber learnings with our customers, 
our competitors, the U.S. Government, and the rest of the 
private sector.
    Last year, we established a number of meaningful security 
partnerships that will help raise the entire security community 
by leveraging our joint learnings.
    In addition to the goal of being a leader in data security, 
Equifax has been working diligently to support U.S. consumers. 
When Equifax announced the cyber attack, its response was 
guided by a desire to focus on helping and supporting consumers 
first.
    Since the 2017 incident, Equifax has invested more than $80 
million to assist impacted consumers. When we announced the 
incident, we offered an identity theft and credit monitoring 
service free for all Americans, regardless if they were 
impacted by the cyber incident. Last November, when that 
service was nearing its end, Equifax voluntarily extended that 
protection for another year.
    Going forward, we are investing over $50 million to make it 
easier for consumers to interact with us, both over the 
Internet and in our call centers. We want to make sure we are a 
consumer-friendly credit bureau at every step of the way.
    To close, I would like to thank Chairman Portman for 
holding this hearing. Equifax is committed to our mission to 
become an industry leader in data security, and we are 
investing unprecedented resources in technology, security, and 
people.
    Thank you again for the opportunity to testify and for your 
focus on protecting American businesses and consumers from 
cyber attacks.
    Senator Portman. Thank you, Mr. Begor.
    Mr. Sorenson, we will now hear from you.

 TESTIMONY OF ARNE SORENSON,\1\ PRESIDENT AND CHIEF EXECUTIVE 
                OFFICER, MARRIOTT INTERNATIONAL

    Mr. Sorenson. Chairman Portman, Ranking Member Carper, and 
members of the Subcommittee, thank you for the opportunity to 
testify today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Sorenson appears in the Appendix 
on page 59.
---------------------------------------------------------------------------
    The subject the Subcommittee is tackling--private sector 
cyber attacks--is an increasingly urgent one, one that has hit 
Marriott directly with the data security incident we announced 
on November 30, 2018. We deeply regret this incident and are 
committed to determining how it occurred, supporting our 
affected guests, and enhancing security measures to protect 
against future attacks.
    For 91 years, Marriott has been in the business of serving 
people. We began as a small family business in Washington, 
D.C., serving hamburgers and root beer at The Hot Shoppes. 
Today we are a global hospitality company, conducting 
operations in all 50 of the United States and 130 countries and 
territories. Throughout that time, we have built our reputation 
by putting people first and focusing on the care of our guests.
    As a company that prides itself on taking care of people, 
we recognize the gravity of this criminal attack on the 
Starwood Guest Reservation Database and our responsibility for 
protecting data concerning our guests. To all of our guests, I 
sincerely apologize. We are working hard every day to rebuild 
your confidence in us.
    Because this incident involved the Starwood database, let 
me provide some background on the merger of Marriott with 
Starwood.
    Marriott signed a merger agreement with Starwood in 
November 2015 and closed the transaction in September 2016. 
Between these two events, we obtained information about 
Starwood's network and conducted an assessment on integrating 
the two systems, although this inquiry was legally and 
practically limited by the fact that, until the merger closed, 
Starwood remained a direct competitor.
    We made the decision to retain Marriott's reservation 
system as the central system for the combined group of hotels 
and to retire Starwood's system. Migrating all of Starwood's 
1,270 hotels onto Marriott's reservation system while avoiding 
disruption of the reservation process was a significant 
undertaking that took us about 2 years. We made additional 
investments to enhance security of the system while it was 
operating.
    Following the discovery of the incident, we accelerated the 
retirement of Starwood's reservation system and, as of December 
18, 2018, are no longer using the Starwood Guest Reservation 
database to conduct business or operations.
    Until our investigation of the incident announced on 
November 30, we were unaware that the Starwood Guest 
Reservation database had been infiltrated by an attacker. Our 
investigation was initiated following an alert on September 7, 
2018, from a cybersecurity tool. In response, our IT team 
swiftly implemented containment measures. We retained industry 
experts to conduct a forensic investigation and deploy 
additional defenses.
    Unraveling the scope of the attack required extensive 
forensic work by experts. We also contacted the Federal Bureau 
of Investigation (FBI), which continues its investigation. As 
our investigation unfolded, we learned that the intruder had 
been in the Starwood system since 2014.
    On November 19, 2018, we determined that the intruder had 
accessed files containing personal information of guests who 
had made reservations at Starwood properties. We believe that 
the upper limit for the total number of guest records involved 
in this incident is approximately 383 million.
    What do we mean by ``guest records''? Take my name for an 
example, which is in the database multiple times with 
variations such as Arne Sorenson, Arne M. Sorenson, Arne Morris 
Sorenson, sometimes with my home address, other times with my 
business address, and yet again without any address. Each entry 
represents a separate record even though they all relate to 
one person. We cannot confidently determine whether records 
with similar names, or even identical names, represent one 
person or multiple people, but we know that the information for 
fewer than 383 million unique people was involved.
    In the days immediately after November 19, we worked 
quickly to make sure that we could share useful information 
with our guests. On November 30, we provided broad public 
notice of the incident via a press release and notification 
banners across Marriott and Starwood websites and apps. We 
stood up a website with consumer information in multiple 
languages as well as call centers to answer questions and 
offered guests free web monitoring service, among other steps.
    In assessing the impact of this event, you should know that 
Starwood did not keep guests' Social Security numbers, and the 
overwhelming majority of payment card information was 
encrypted. To date, we have not found data removed from the 
Starwood database on the Internet or Dark Web, which we 
continue to monitor.
    Finally, we know this is a race that has no finish line. 
Cyber attacks are a pervasive threat. We are committed to 
responding to these evolving threats with a layered defense 
approach and continuous improvement. Our founder, J. Willard 
Marriott, was fond of saying that success is never final. We 
are applying that critical review process to learn from this 
incident as we work diligently to regain the level of trust 
that our guests have come to expect from us over the years.
    Thank you, and I welcome your questions.
    Senator Portman. I would like to thank both the witnesses 
for their statements, and I think they make a good point that 
this is a matter that requires cooperation between government 
and the private sector at every level.
    I am going to delay my questioning until we have a chance 
to be sure that our two colleagues, who I know have other 
commitments, have a chance to ask theirs. For this first 
round--I will be coming back and asking some questions. I want 
to give them a chance first before they have to leave, and I 
now turn to my Ranking Member, Senator Carper.
    Senator Carper. Senator Hassan, if you and Senator Rosen 
have other obligations, go ahead and ask your questions.
    Senator Hassan. I am fine if you want to go ahead.
    Senator Carper. All right. Thanks.
    Again, thank you. I think it was Maya Angelou who used to 
say, ``People may not remember what you say, they may not 
remember what you do, but they will remember how you made them 
feel''--Maya Angelou. ``People may not remember what you say, 
they may not remember what you do, but they will remember how 
you made them feel.'' First, I want to say I was glad to hear 
both of you apologize. As I used to say to my kids, who are now 
grown, ``The three most important words are `please' and `thank 
you.' The couple others that mean a lot are `I am sorry,' 
especially when we screw up.'' Especially with respect to 
Equifax, the amount of screw-up is just almost unbelievable.
    Equifax has known since 2015 that its approach to 
cybersecurity was lacking, and among other issues, Equifax 
learned during an internal audit that was conducted that year 
that the company had left a number of critical and high-risk 
security flaws unpatched.
    The company also learned it lacked the comprehensive IT 
asset inventory, meaning it would be difficult to address new 
security issues as they were brought to the company's 
attention.
    When the Department of Homeland Security informed the 
public about a major security risk in certain versions of 
Apache Struts, apparently a very commonly used piece of 
software, it also told the public that the vulnerability was 
easy to exploit.
    Knowing all of that, Equifax relied on the same flawed 
policies and procedures which ultimately failed to identify the 
presence of the vulnerable versions of Apache Struts. Equifax 
circulated a notice about the vulnerability to an email list 
that did not include application owners, put the issues on the 
agenda of two meetings that senior leaders failed to attend 
regularly, and conducted repeated scans that failed to identify 
the vulnerability which allowed hackers to access the online 
dispute portal.
    Mr. Begor, if Equifax knew that it lacked a mature 
inventory of its IT assets, why didn't senior IT and security 
officials and staff do more to improve the inventory before the 
2017 data breach? Specifically, why did Equifax fail to conduct 
a follow up audit after the 2015 review to determine whether 
the company had made progress in addressing its patch 
management issues?
    Mr. Begor. Ranking Member, I think as you know, I joined in 
April 2018. In the first few weeks of joining Equifax, I went 
into great detail to understand the forensics and what caused 
the breach, what routines and processes were in place at the 
time. As I stated in my testimony, there were controls in 
place. They clearly were not strong enough. We have taken great 
steps since then. We have doubled the size of our security 
team. I described in my testimony a few minutes ago our 
increased spending on data and security and our approach to 
making security central to the DNA of the company.
    We also changed the incentives in the company. We are 
unique in corporate America, I think, that in our annual bonus 
system, which the top 3,900 out of 11,000 employees participate 
in, 25 percent of that bonus is tied to cybersecurity. That 
went into effect in 2018. It has continued in 2019, and it will 
continue going forward. Ranking Member, that incentive is only 
punitive, meaning if we do not make progress on our security 
improvements, if we do not take our security forward, the 
metric will reduce the individual's bonus, including mine. 
There is real buy-in to making security a part of our DNA, 
which we think is quite critical.
    I would also say--and I think Mr. Sorenson said the same 
thing--this will not end, meaning you can never be good enough. 
The investments and spending will continue, and as I pointed 
out, we have increased our technology and security spending in 
2018, 2019, and 2020 by 50 percent. Security is a top priority 
at Equifax. It is a top priority of mine, the board, the 
leadership team, and the whole organization going forward.
    Senator Carper. I spent many years of my life in the Navy--
I am a retired Navy captain, a Vietnam veteran--and we have a 
standard in the Navy and a process in the Navy that says if the 
captain of the ship is asleep in his or her wardroom in the 
middle of the night and the ship runs aground, the captain of 
the ship is held responsible. Has that happened in this case?
    Mr. Begor. In my view, Senator, it has. I think you know 
that the prior CEO is no longer with the company. The prior 
CISO is no longer with the company. The prior CIO is no longer 
with the company.
    If you look at our technology and security organization, we 
have upgraded really strong talent in approximately two-thirds 
of both of those organizations. As I talked about, we have 
added significant resources, approximately 1,000 incremental 
people since July 2017. We had 10,000 people globally at the 
beginning of last year. Last year, we added approximately 
1,000, and those were all in security and technology. There has 
been a lot of accountability. Again, I was not there, but there 
is a new team at Equifax that takes security intensely 
seriously.
    Senator Carper. Equifax's competitors, which have the same 
extremely sensitive data on American consumers as Equifax, 
operated with a stronger sense of urgency once they learned 
about the Apache Struts vulnerability. As you assumed the 
leadership of this organization, you must have wondered, if 
they are doing this, why didn't we at Equifax? We have asked 
about what you have done. You explained a bit about what you 
have done to change the culture of your company around 
cybersecurity.
    If you are advising other companies, whether they happen to 
be companies that deal in the sort of business that you have, 
your business model, what advice would you have for those other 
companies today?
    Mr. Begor. First, it is a war. I think Mr. Sorenson said 
the same thing. I think this Subcommittee understands that 
these criminals that are attacking U.S. companies are 
increasingly sophisticated. We get attacked multiple times per 
day, and with the system we have now, I get an alert on my 
phone from my Chief Information Security Officer and his team 
when there is an attempted attack on Equifax. Point number one 
is that this threat is not going away. Point number two is we 
really applaud the Subcommittee's focus on sharing best 
practices. As the Senator may know, it is challenging for a 
company that goes through a data security breach to be open 
about actually having it. Therefore, I think these forums are 
critically important.
    When I joined Equifax in April, my first call was to my two 
competitors, and what I told them was that there are no trade 
secrets around data security. This is a war we face as an 
industry. It is a war we face for American companies, as you 
pointed out, for the government, and it is one that is not 
going to end. We applaud the idea of sharing actively what we 
are learning from each other. For example, what are the 
Internet Protocol (IP) addresses that are from known bad 
actors? If one company knows it, let us make sure the next 
company knows it and share those so we can really build our 
defenses up, because the threat is increasingly sophisticated 
and challenging.
    Senator Carper. I will close this round with this thought. 
The Constitution of our country was first ratified in Delaware. 
December 7, 1787, we ratified it before anyone else had. The 
very beginning of the Constitution started with these words, 
the Preamble: ``We, the people of the United States, in order 
to form a more perfect union . . .'' It does not say to form a 
perfect union but ``a more perfect union.'' Our goal in this 
realm has to be perfection, knowing we will never get there, 
but we need to strive for that.
    Thank you.
    Senator Portman. Senator Hassan.

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan. Thank you, Mr. Chair, and thank you, 
Ranking Member Carper, both of you, for this investigation but 
also for your bipartisan leadership of this Subcommittee. Thank 
you to both of our witnesses for being here today.
    Let me start with a couple of questions, Mr. Begor, to you. 
You said in your testimony you believe that, despite some 
errors, Equifax took cybersecurity very seriously even before 
the 2017 breach. I know that the 2017 breach occurred before 
your time at the helm of the company, but the facts presented 
in the Subcommittee's report make clear that the company's pre-
breach security practices were really not in keeping with 
serious cybersecurity practice.
    The report shows that Equifax had forgotten to update a 
security certificate known as an ``SSL Certificate'' that 
encrypted data transfers between Equifax's customers and the 
website.
    When Equifax developers attempted to install new 
certificates, they realized that some of the old ones had 
expired as much as 8 months earlier. That failure led to the 
exploitation, as you have acknowledged, of millions of 
Americans' data by what appears to be Chinese hackers. Equifax 
should have routinely audited its SSL Certificates to make sure 
they had not expired, especially since these certificates can 
only protect user data when they are current.
    Let me just ask you a few questions. When Equifax sought to 
upgrade its SSL Certificates on July 29, 2017, how many expired 
certificates did your team come across? How many of the 
certificates had been expired by more than a day?
    Mr. Begor. Senator, I do not have that information in front 
of me. If you would like me to, I could ask my Chief 
Information Security Officer if he could help with that 
question.
    Senator Hassan. That would be terrific. Thank you.
    Mr. Begor. OK.
    Senator Hassan. Good morning.
    Mr. Farshchi. Good morning. Unfortunately, I also was not 
at Equifax during the time of this incident, and so I do not 
have that information with me right at this moment. But I am 
happy to go back to the team to look at----
    Senator Hassan. Does the company have that information?
    Mr. Farshchi. I believe we do, yes.
    Senator Hassan. Do you know if any of these certificates 
had been expired for more than 8 months?
    Mr. Farshchi. Unfortunately, because I was not there, I do 
not have the specifics regarding the certificates.
    Senator Hassan. I would expect that even though you were 
not there, that you would know this or have access to it, 
because it seems to me that is the type of investigation and 
understanding that you would want to develop moving forward.
    Mr. Begor. Senator, if I could just add, as you might 
imagine, we have a much different process today, much more 
robust, and we know exactly which certificates are expired, 
which ones are critical. They are risk-rated. We also do 
automatic scanning as a protocol that would be quite helpful in 
today's environment. We are continually investing in new 
technologies to make sure we stay in front of new risks and 
very rapidly address those.
    Senator Hassan. You are routinely auditing your SSL 
certificates now?
    Mr. Begor. Yes.
    Senator Hassan. I am seeing nodding, too.
    [Mr. Farshchi nodding.]
    OK. You are making sure that they are current and they are 
not in danger of imminently expiring, correct?
    Mr. Begor. That is correct.
    Senator Hassan. OK. Would you support a law that would 
require companies like Equifax that deal with millions of 
Americans' personally identifiable information (PII) to adhere 
to clear cybersecurity standards and practices, such as 
auditing your security certificates on a continuous basis, 
standards established by National Institute of Science and 
Technology (NIST), and enforced through your regulator?
    Mr. Begor. First, Senator, I agree that Equifax is in a 
unique position with the data we hold versus most companies. We 
understand that, and we take it seriously.
    With regards to all of the elements you talked about, those 
are standard protocols for us today and things that we are 
following as a company, and are the highest standards of data 
security.
    With regards to legislation, we would be happy to work with 
your office and understand what is the right legislation to 
move forward. But we are doing the things you talked about.
    Senator Hassan. I understand you are doing things, but you 
are doing things after a major breach. What I want to make sure 
is that Americans whose information is in custody of an entity 
they may not even know anything about do not have to wait for 
there to be a breach before companies start doing what they 
should responsibly do.
    We have all discussed that this is an ongoing threat. It 
has been an ongoing threat for a while now. We need to make 
sure that there are standards in place just the way we have 
safety standards in many other industries.
    Let me move on just to another aspect of this. It appears 
from the PSI report that one of Equifax's biggest weaknesses 
was that the company's policy made individual developers 
responsible for identifying and patching vulnerabilities in the 
software they use rather than relying on a full company effort 
to address any vulnerabilities. As Senator Carper mentioned, 
unfortunately, when DHS alerted Equifax to an urgent and 
critical vulnerability in a piece of software called ``Apache 
Struts,'' the single developer who was using the software was 
not notified by his superiors about DHS' urgent message about 
those vulnerabilities. As a result, that developer was unaware 
of a critical vulnerability that eventually was exploited by 
hackers.
    You mentioned in your testimony that human error was 
certainly part of the problems that led to the breach, and I 
think we have all acknowledged that up here, too. However, 
human error happens at every level of government and every 
level of the private sector. So it is incumbent upon security 
professionals and leaders of any security system, government or 
private sector, to build in extensive redundancies to mitigate 
against inevitable human errors.
    It appears that prior to the breach, Equifax had not built 
in those redundancies, and as a result, human error became a 
single point of failure in a critical cyber attack. What 
redundancies has Equifax built into its system to ensure that 
inevitable human errors never again lead to this kind of 
breach?
    Mr. Begor. Senator, we agree with your summary there that a 
single point of failure is not ideal, which is why we have a 
number of redundancies. If the Senator is OK, I would ask my 
Chief Information Security Officer maybe to talk in more 
detail.
    Senator Hassan. That would be terrific. Yes, thank you.
    Mr. Farshchi. Yes, one of the key tenets of our program is 
assurance. We want to make sure we have as many layers of 
security as absolutely possible because we know that any given 
control may fail or may be bypassed from a sophisticated 
attacker.
    As it relates to patching, we have updated all of our 
processes. We have implemented automated tools to be able to 
help reduce the risk of human error. We have established patch 
champions, individuals specifically accountable for the 
implementation of these patches across the entire enterprise. 
Then we have an automated tracking system to continue to track 
and manage them.
    I would mention one more. On the back end, we continuously 
scan our environment, so we do not just rely on one system, one 
process, or one individual. We have a belt-and-suspenders 
approach across the entire program.
    Senator Hassan. Thank you. That is helpful. I appreciate 
your indulgence, Mr. Chair.
    Mr. Sorenson, I did have a question for Marriott. I will 
submit it for the record. I want us to be thinking about what 
kind of standards we should have when companies merge that 
might help us make sure that we are getting to problems before 
they occur.
    Thank you.
    Senator Portman. Thank you, Senator Hassan. We look forward 
to continuing to work with you on these issues you raised today 
and others.
    I am going to reclaim some of my time now. I will be back 
with more. To follow up on the points that Senator Hassan made, 
she talked about updating certificates on the website. She talked 
about building in redundancies. Mr. Begor, you were in your 
testimony pretty confident that they were doing the right 
things by saying, ``The program also leveraged strong 
administrative and technical safeguards . . . and was subject 
to regular, ongoing review through external and internal 
assessments.''
    There is a third concern that I have that I think we need 
to raise this morning and be sure that we are aware of a lack 
of follow up to an audit that was done. There was a 2015 audit 
of the security of your system. It found over 8,500 known 
critical, high, or medium vulnerabilities on Equifax systems.
    Here is an audit that discovers these vulnerabilities. 
These vulnerabilities had not been patched when the breach 
occurred, and many of them were over 90 days old. A copy of 
that audit is there with you on the witness table for you all 
to look at this morning. I am going to ask that that 2015 audit 
be made part of the record,\1\ without objection.
---------------------------------------------------------------------------
    \1\ The information referenced by Senator Portman appears in the 
Appendix on page 98.
---------------------------------------------------------------------------
    My question for you is: How does a company that at that 
time, as you indicated, placed a high priority on cybersecurity 
allow 8,500 vulnerabilities to exist unpatched on its systems? 
Of course, my follow-up is: Since you have become CEO and you 
stepped in and aggressively tried to address these issues, have 
you addressed these patching vulnerabilities on Equifax's 
systems? How could that have happened? What has been done?
    Mr. Begor. Thank you, Senator. As you point out, I was not 
at Equifax during the breach. I spent quite a bit of time 
looking at the past. I am a big believer that we want to learn 
from mistakes and learn from things that were not going as well 
as they could have been. I will be clear right now that there 
is no question that what we did in the past, we can do a lot 
better today and tomorrow, and we already have. We have made 
significant changes in our security protocols, our 
infrastructure, and the evolution in the organization. As I 
mentioned earlier, we brought in really top talent. It starts 
with people leading these organizations.
    I think the Senator may know that the CISO Jamil Farshchi 
reports directly to me, and also has a line into the board to 
our Technology Committee, which is a best practice in many 
companies. We have doubled the size of his team.
    With regards to your specific question around audits and 
patch management, we have also doubled the size of our audit 
team, and as a new element, we have added IT and cyber experts 
as a part of our internal audit team. Historically, those were 
just financial kinds of employees in our audit teams. Now we 
have experienced technologists and security people in our 
independent audit teams and are doing some of that work.
    With regards to follow up of audits----
    Senator Portman. Just hold there for a second. When you 
look back at the 8,500 vulnerabilities that were reported 
through that audit, what happened? Why were those 
vulnerabilities not patched? What was the issue?
    Mr. Begor. Senator, as you may imagine, a large 
organization like Equifax has many patches that are underway at 
all times. They are coming in weekly and daily, and it is part 
of----
    Senator Portman. The race is never won, as was said earlier 
by Mr. Sorenson.
    Mr. Begor. Yes, and----
    Senator Portman. But the question is: What did you learn 
from it? In other words, as you look back--I understand that 
you have beefed up your cybersecurity presence and you have the 
CISO reporting, and you have put a bonus system in place that 
incentivizes all your executives to look at it. But what 
happened? How could those 8,500 vulnerabilities not have been 
addressed at that time? What did you learn from that?
    Mr. Begor. I learned, Senator, that it is not how you want 
to operate. We do not operate that way today. There is a real 
focus on both risk prioritizing and patching so the most 
critical areas are done first. The next ones happen after that. 
There is real follow up. There is tracking. I think Mr. 
Farshchi talked about how we follow up on those. We now have 
automated systems to track those, but there is a real rigor, as 
there should be around ensuring that that work is completed and 
those vulnerabilities are shut down.
    Senator Portman. That 2015 audit, if it had been followed 
up on, would have made a difference, it appears to us, based on 
our analysis of what happened. Where are you now? Have you done 
a recent audit? Are you continuing to audit?
    Mr. Begor. We audit routinely. I do not know--I believe the 
last audit was done by the internal audit team in the fourth 
quarter. We also have third parties coming in and doing work 
around our cybersecurity efforts. We do our own perimeter 
testing by our own internal team. We also bring in third 
parties that the internal team does not know are trying to 
penetrate the exterior of our system. There are all levels of 
rigor around getting external inputs like audits around our 
systems and processes.
    Senator Portman. So you have done a follow up audit 
comparable to that 2015 audit, and you have responded to what 
has been discovered, because I assume that it also discovered 
that there were certain vulnerabilities.
    Mr. Begor. Correct. You want your audit to identify things 
that will make the system better. That is the way I think about 
audit teams. I do not know how many audits have been done since 
the cyber breach in 2017, and I can follow up with your office 
on the number of audits, but there have been numerous. As you 
might know, there are also regulatory organizations, the 
Consumer Financial Protection Bureau (CFPB), the Attorneys 
General (AG), and others, that are involved in discussions with 
us around audits, as well as our customers are doing audits.
    Senator Portman. Our interest is to figure out what the 
heck happened. How could you have an audit that uncovers these 
vulnerabilities and not act on it? With regard to legislation, 
we are looking at what role should audits play? If you could 
provide that to the Subcommittee, that would be very helpful, 
when your last audit was, any results of the audit, how you 
react to it today, that would be much appreciated. Senator 
Rosen.

               OPENING STATEMENT OF SENATOR ROSEN

    Senator Rosen. Thank you. I want to thank you for bringing 
this very important, privacy and security. It is issue number 
one not just for all of us as individuals but for all the 
companies and businesses that serve us, that we expect to 
protect us and our communities every single day.
    I do have something to talk about, acquisition and data 
migration. As a former software developer, I have actually done 
that in my prior life, so I have some comments on that.
    But first I want to talk about the global nature, Mr. 
Sorenson, about Marriott hotels. Of course, you are worldwide. 
You operate in all 50 U.S. States and in 130 countries and 
territories. Americans stay at Marriott hotels all over the 
world, so it is crucial that our data collected is secure. You 
have noted yourself approximately 23 million passports have 
possibly been compromised, no matter where the hotel has been 
physically located.
    My question to you is: Last year, Secretary of State Mike 
Pompeo stated publicly that China was responsible for the cyber 
attack on your Marriott system and theft of consumer data. Do 
you believe that to be the case?
    Mr. Sorenson. First, good morning, Senator Rosen.
    Senator Rosen. Thank you.
    Mr. Sorenson. Nice to be here and to be able to answer your 
questions. The short answer is we do not know, and I feel quite 
inadequate about even drawing inferences from the information 
that we have obtained.
    When we first discovered information had been extracted 
from the system, which was November 19th, it has been all hands 
on deck basically to make sure that we----
    Senator Rosen. No preliminary data has come out as to where 
the ISPs may be located or any commonalities in other hacks, 
other hacking attempts with other companies across the world?
    Mr. Sorenson. We have shared everything we have with the 
FBI, including the addresses used and the malware tools used in 
the system so that they can do that kind of investigation. We 
have simply been focused on making sure the door is closed and 
communicating with our customers.
    Senator Rosen. Do you have policies here in the United 
States that apply abroad, taking into account, obviously, 
foreign laws and regulations?
    Mr. Sorenson. We do. We have policies certainly about data 
collection and retention. We also have an obligation to comply 
with local law. I think one of the things that is unusual about 
the Marriott cyber attack is this passport information, and the 
numbers I----
    Senator Rosen. How long do you retain the passport 
information?
    Mr. Sorenson. The passport information that was accessed, 
again, was in the Starwood reservation system, and it had been 
there for a number of years.
    Senator Rosen. Do you have a responsibility when you buy a 
company to do an audit of the company that you are either 
buying or--I guess it is like buying a home, isn't it? Do you 
get an inspection? What does the seller disclose? What is the 
buyer's responsibility? Did you buy it as is so you just took 
no method of auditing the data coming across?
    Mr. Sorenson. The bottom line is we do buy it as is. When 
you are acquiring a public company and ultimately buy those 
shares, there is nobody left as a seller anymore. We are 
Starwood today as well as Marriott. But, of course, we did 
diligence.
    Senator Rosen. I want to tell you as a former computer 
programmer, I have worked for companies where I have done this 
acquisition and data migration, and while the other system is 
still up, I had a team of people working with me to maintain 
that system, auditing that system, making sure it had 
integrity, while we were training and moving that data over.
    Where was your responsibility in maintaining and, as you 
migrated, protecting that data?
    Mr. Sorenson. We were very much taking the same approach, 
so really in three periods we could look at separately. One is 
the 3 1/2 week due diligence period before we signed documents 
to acquire Starwood--very abbreviated, public company to public 
company. That was, ``Tell us about your IT system.'' Our IT 
team was involved in that and asking questions. But it was 
quite brief, and we did not learn about any of this.
    The second period is between the fall of 2015 and the fall 
of 2016, between signing and closing the transaction. While we 
had not closed, our IT team was deeply engaged in 
understanding Starwood's system, understanding the data, 
understanding the vulnerabilities, and being ready essentially 
for the moment the transaction closed to say, OK, now what are 
we going to do with this system, both from a cybersecurity 
perspective, data retention perspective, but also an operating 
perspective, obviously.
    Immediately after closing, it was bringing in not just our 
internal expertise but external expertise and saying help us 
identify the risks in this system. Let us make sure we are 
doing things to address those risks and enhance them. In 
retrospect, we wish we had done even more. Obviously, something 
happening.
    But even while that system is running independently before 
the data migration and before it is turned off, we are very 
much trying to make sure that we are addressing the security 
flaws that we think are there.
    Senator Rosen. As we think about those 23 million passports 
and other data that may have been breached worldwide, do you 
have--I just want to be sure--a consistent policy, of course, 
taking into consideration certain other governments' laws or 
regulations, for how you keep the data, how you retain the 
data, and your responsibility toward the data?
    Mr. Sorenson. Let me give you just a couple of data points 
here, if I could. My number is just a little bit different than 
the Committee's. About 19 million total passports accessed.
    Senator Rosen. Nineteen or 23, it is an awful lot.
    Mr. Sorenson. It is a big number.
    Senator Rosen. It is an awful lot of passports.
    Mr. Sorenson. About 5 million of those were unencrypted.
    Senator Rosen. That makes it better?
    Mr. Sorenson. No. Those are the ones that obviously would 
have been----
    Senator Rosen. We know that hackers can beat the 
encryption, so that is not really a factor here, I do not 
believe.
    Mr. Sorenson. I actually do think part of our strategy 
going forward is to rely on encryption and tokenization to say 
whatever data we keep in this space, for example, it should all 
be encrypted. That by itself is not necessarily a totally 
adequate defense, but it is one of the tools we should use.
    I think one of the other things that is clear, there are 
dozens of countries around the world that require us to collect 
passport data. Sometimes they require us to make physical 
copies of passports for guests in those hotels.
    In the Marriott system, legacy, that was done at the hotel 
level and not centralized in the data platform, if you will.
    In the Starwood system, it was done locally and then 
essentially centralized into the data system.
    There are pros and cons of allowing it to be entirely at 
property level. One of the pros is it is a smaller target, if 
you will.
    Senator Rosen. That is right.
    Mr. Sorenson. One of the cons may be----
    Senator Rosen. It is more diffuse, harder to get 
centralized.
    Mr. Sorenson. That is right.
    Senator Rosen. Much easier to break into and bigger reward.
    Mr. Sorenson. One of the cons, on the other hand, is then 
if each hotel needs the same elaborate system of cyber 
defenses, can you make sure that you are delivering that? Those 
are issues we are working through right now.
    I think in all likelihood, everything--passports will be 
encrypted. Second, I think we will look very hard at not 
centralizing any of it, but making sure that we have 
appropriate tools at the proper level to protect against cyber 
attacks.
    Senator Rosen. Perhaps how long you store customer 
information, sensitive information like their credit card 
numbers and those extra security----
    Mr. Sorenson. We are looking at that, too, absolutely.
    Senator Rosen. Thank you. I think my time is up.
    Senator Portman. Thank you, Senator Rosen. Senator Hawley.

              OPENING STATEMENT OF SENATOR HAWLEY

    Senator Hawley. Thank you, Mr. Chairman and Ranking Member, 
and thank you for having this important hearing. Thank you, 
witnesses, for being here.
    Mr. Begor, let me start with you. You may know that as 
Attorney General of Missouri, I and 43 other Attorneys General 
launched a multi-state action after the announcement of the 
Equifax breach in 2017, and among other things, we sent a 
letter to Equifax in which we expressed particular concern with 
Equifax's post-breach activities, including the offering of a 
fee-based service to guard against data breach at the same time 
that you were offering a free service. Here is from the letter: 
``We object to Equifax using its own data breach as an 
opportunity to sell services to breach victims. Selling a fee-
based product that competes with Equifax's own free offer of 
credit monitoring services to victims of Equifax's own data 
breach is unfair, particularly if consumers are not sure if 
their information was compromised.''
    Can you give us an update on the status of this product? 
Are you still doing that?
    Mr. Begor. Senator, thank you for the question. As I 
mentioned in my testimony this morning, we offered a free 
product for all Americans, whether they were impacted or not, 
at the time of the data breach. I do not know the exact timing 
of when we stopped marketing to consumers, but soon after the 
data breach--it may have been when we received the letter from 
you and the other Attorneys General--we stopped marketing to 
U.S. consumers. We recently started again marketing in October 
on a very limited basis.
    The other thing that we offered in January of----
    Senator Hawley. But this is a free product, though. You 
said you were marketing a free product.
    Mr. Begor. No, Senator. When the breach happened, we 
offered a free credit monitoring product to any American, and 
it was opened up to any American whether they were impacted by 
the data breach or not. That happened in September 2017.
    In January 2018, we added another free product for any 
American that is free for life, that is a Lock & Alert product 
where, on your mobile device, you can lock your credit file or 
unlock it. Equifax is the only credit bureau offering that.
    Last, you talked about marketing to consumers. We stopped 
marketing in the--I do not know the exact date; I can come back 
to your office--but in the fourth quarter of 2017 to U.S. 
consumers.
    Senator Hawley. What about the fee-based product, however, 
that you were offering after the announcement of the breach?
    Mr. Begor. That is what I was referring to, Senator. We 
stopped that in the fourth quarter of----
    Senator Hawley. You stopped marketing it----
    Mr. Begor. That is correct.
    Senator Hawley [continuing]. In the fourth quarter. OK.
    We raised a number of other concerns, the Attorneys 
General, in that same letter and in that same multi-state 
action, including the terms of service that required customers 
to waive their rights, charges customers pay for a security 
freeze with other credit monitoring companies, and overly long 
wait times for the Equifax customer support call center. Can 
you give us an update on how you have addressed these concerns?
    Mr. Begor. Yes, Senator. On the freezing your credit file, 
I referred to what Equifax proactively did in January 2018 
offering a free lock product to any American, and that is still 
offered today. You can get that today. I have it on my phone. 
It allows you to lock or unlock your credit file at no charge 
and it's free for life.
    As the Senator also knows, last September the Senate passed 
S. 2155 that offers consumers free freezes for life. That was 
passed, and that is in place, and we have implemented that 
along with the other two national credit bureaus.
    With regards to our customer service center, there were 
clearly some challenges there as I look back on what happened 
in the fourth quarter. Staffing up for something like the 
breach response is challenging. In my testimony this morning, I 
talked about the incremental $50 million of investment we are 
making now in our customer service capabilities to enhance our 
abilities to manage our day-to-day interactions with consumers 
as well as investing to make it easier for consumers to 
interact with us when they have a question, outside of a data 
breach but just in their normal day-to-day activities with the 
credit bureau, whether it is around a dispute or a question on 
their file.
    Senator Hawley. Thank you.
    Mr. Sorenson, in the testimony you have provided, the 
written testimony you have provided to this Committee, you 
noted--and I am going to make sure I get this right. You noted 
that you have not received any substantiated claims of loss 
from fraud attributable to the incident, and that none of the 
security firms that you have engaged to monitor the Dark Web 
have found evidence that information contained in the affected 
tables has been or is being offered for sale, and that you have 
not been notified by any banks or credit card networks that 
Starwood had been identified as a common point of purchase in 
any fraudulent transactions.
    Do you take this to be a thorough accounting of which 
sources might know about your customers' data used by third 
parties? Is it sufficient for you just to wait for them to 
report to you?
    Mr. Sorenson. I think the answer certainly to the first 
question is no. It is hard to feel like anything is thorough in 
this space. You pick up signals from a number of different 
places. We use a number of different tools, for example, to try 
and go after the same thing.
    We take some comfort in this, but it is only some comfort. 
I think we are grateful for the partnerships we have with the 
financial institutions so we can have a little bit of that 
dialogue about what they might be seeing. But, one of the 
reasons we put the WebWatcher out and made it available to our 
customers is that it is another tool to look regularly at the 
so-called Dark Web to see whether a particular customer's 
information is showing up on that Dark Web.
    Senator Hawley. If I could just press a little deeper here, 
in your written testimony does this reflect an ad hoc list of 
sources that could report this information about personal 
information of users? Or does this reflect some sort of 
cybersecurity methodology that you have in place in order to 
protect your consumers' data?
    Mr. Sorenson. No, I do not think this is really in the 
first instance about protecting consumers' data. I think it is 
about assessing what we can assess about the cyber breach that 
occurred. If you will, the attack happened--successful, I 
suppose, if you take it from the attackers' perspective. 
Information was obtained. We have been wrestling with the 
consequences of that. One of the tools that we are using is to 
try and figure out, OK, what can we tell about where that data 
has ended up.
    The tools that we use to protect the data in the first 
place I think are different and in many respects I would say 
much more fundamentally important, because we want to avoid 
that data from getting out in the first instance at all.
    Senator Hawley. You do have some cybersecurity methodology 
that you have now put in place to systematically protect your 
consumers' data? That is what you are telling me?
    Mr. Sorenson. A whole range of tools.
    Senator Hawley. My final question here, Mr. Chairman. Are 
you complying with General Data Protection Regulation (GDPR), 
Mr. Sorenson? I understand that GDPR in Europe requires 
reporting within 72 hours if at least one Marriott customer 
resides in the European Union (EU). Is that your understanding 
as well?
    Mr. Sorenson. Yes, and we believe we are.
    Senator Hawley. Thank you, Mr. Chairman.
    Senator Portman. Thank you, Senator Hawley.
    Senator Harris.

              OPENING STATEMENT OF SENATOR HARRIS

    Senator Harris. Thank you. Thank you, Mr. Chairman, for 
bringing this subject up. As California's AG, I supported 
expanding California's laws as it relates to the requirement of 
the report of data breaches and have met with many folks over 
the years who have suffered greatly because of the breach of 
their personal information and data. The risks are obviously 
many.
    Mr. Begor, Equifax is facing lawsuits from consumers whose 
information was affected by the breach. In response, your 
lawyers have argued that even though their information was 
stolen, consumers cannot prove that they were harmed. It was 
recently reported that none of the data stolen from Equifax in 
2017 has been used in identity theft or other fraudulent 
activity and that the stolen data has not been offered for sale 
on the Dark Web.
    Do those assertions remain true?
    Mr. Begor. They do, Senator Harris. To date, we use a 
variety of outside experts as well as our own, like Marriott, 
to try to understand where the data went and what it was used 
for. Our analysis is that there has been no evidence that the 
data has been sold and no evidence of increased identity theft 
as a result of Equifax data that was stolen in 2017.
    Senator Harris. A former senior intelligence official 
recently told CNBC that the hack was more likely the work of a 
foreign intelligence agency than a garden variety criminal, 
which would explain why the stolen information has not been 
used for garden variety crimes. If a foreign power, especially 
a hostile foreign power, is using the data it stole from 
Equifax to target U.S. officials or American operatives, does 
it remain your position that there has been no injury or harm 
caused by this breach?
    Mr. Begor. Senator, we do not know who took the data, and 
we still do not, and we are working closely with the FBI. Days 
after identifying the cyber breach in 2017, we started 
collaboratively working with the FBI and other authorities. We 
have the same goal. We have been completely transparent about 
who took the data, and we just do not know who it is at this 
stage. We continue to work with those authorities.
    Senator Harris. It would be important for us to know that 
you appreciate the fact that if the data were breached for the 
purposes of gaining information about U.S. officials or 
American operatives, there would most certainly be harm and 
damage and injury that would result from that. Do you 
appreciate that concern?
    Mr. Begor. Of course, Senator. In my testimony this 
morning, I started out by expressing regret for what happened. 
I talked about what we are doing for consumers, which was our 
initial focus and continues to be our focus around supporting 
consumers, the free credit monitoring that we offer, the other 
free products that we have rolled out subsequent to the data 
breach around supporting consumers.
    Senator Harris. Do you understand that there have been 
targeted violations of privacy as it relates to employees of 
the U.S. government and that there is a concern among the 
intelligence community (IC) and all of us that there is a 
focused concern and actually a triangulation around officials, 
American officials, and, in particular, those who may be 
involved in our military or in intelligence work, and the 
attempt being to get their personal information for the 
purposes of attempt to compromise those individuals? Are you 
aware of that concern?
    Mr. Begor. I have read and I have listened to the experts 
who we work with about the threat on American companies and on 
American consumers as well as government employees.
    Senator Harris. Will you commit to this Committee that you 
will have that as a priority among your priorities in 
understanding and thinking about the potential harm that has 
resulted from these breaches?
    Mr. Begor. Senator, I testified this morning that security 
is a top priority at Equifax today. We have doubled our 
security team.
    Senator Harris. Is that yes?
    Mr. Begor. The answer is everything we are doing is around 
yes.
    Senator Harris. OK. Great.
    Mr. Sorenson, as Senator Rosen referenced, in November 2018 
hackers exposed the personal information of up to 383 million 
Marriott customers, including millions of passport numbers. 
Shortly after, cybersecurity firms and recently our government 
was hired to assess the damage attributed to the hack and 
attributed it to Chinese intelligence. In addition to passport 
numbers, could hackers have accessed guests' itineraries and 
the names of their traveling companions?
    Mr. Sorenson. Yes--well, traveling companions I am not 
certain about, but reservation data was obtained, I think most 
recently as far as we can tell in 2016, so that would have been 
my upcoming reservation or perhaps a past reservation that I 
had had at one of the Starwood hotels. We do not think, based 
on what we have been able to tell so far, that any reservation 
data post-2016 was obtained by the cyber attacker. In the 2018 
instance, which was the first one after we acquired Starwood, 
we do not think individual reservation data was there.
    This is not 100 percent provable, but we believe that that 
means there is no longer any upcoming reservation data which 
was obtained, because if 2016, 2 years--we tend not to take 
reservations more than a year out. Probably nothing that is 
still, if you will, a future reservation.
    Senator Harris. As it relates to the names of traveling 
companions, it is the custom of Marriott hotels to collect the 
information of whoever is occupying the room, whoever has the 
credit card plus whatever guests they may have. Isn't that 
correct?
    Mr. Sorenson. This is the Starwood reservation database, 
and certainly in many instances, a hotel would note somebody 
else who might be sharing a room, but not necessarily in every 
instance. If the person who made the reservation is showing up 
and checking in and getting the key, the front desk may or may 
not take the time to make the effort to figure out whether a 
spouse or a child or somebody else was traveling with them. But 
certainly it would have happened in some circumstances.
    Senator Harris. For those folks whose names may have been 
exposed but they are not actually the individual who was 
contracted with the hotel to pay for the room, have those 
people been notified of this breach?
    Mr. Sorenson. We tried very hard to notify everybody that 
we could. The first tool we used, of course, was a broad press 
release with broad public dissemination, and then carrying on 
the banner, if you will, the top line of the Marriott.com, 
Starwood.com apps, all the rest of it.
    In addition, we sent out in excess of 50 million emails to 
folks that we had email addresses on to also make sure that we 
were notifying them in that way.
    Is it possible that somebody has slipped through the 
cracks? Of course. I think the more likely that they were 
repeat customers of ours, the more likely they are travelers, 
the more likely that they would have been either notified by us 
directly or seen the news.
    Senator Harris. Mr. Chairman, just one last question and it 
is a brief question.
    Is it correct that Marriott is the top hospitality provider 
for the American Government and the United States military?
    Mr. Sorenson. I do not know that we have the data which 
would tell us that. We are the largest hotel company by rooms----
    Senator Harris. Can you follow up with the Committee and 
see if you may have the answer to that question?
    Mr. Sorenson. I will ask and see whether we can find out, 
yes.
    Senator Harris. Thank you.
    Senator Portman. Thank you, Senator Harris. Senator Peters.

              OPENING STATEMENT OF SENATOR PETERS

    Senator Peters. Thank you, Mr. Chairman. Thank you to our 
witnesses today.
    Mr. Begor, if a consumer is delinquent on a payment but 
later makes the necessary payment to bring the account current, 
it is my understanding that that delinquency stays on the 
credit report for 7 years. Is that correct?
    Mr. Begor. Yes, it is, Senator.
    Senator Peters. If a consumer misses a single credit card 
payment and then you will continue to follow them for basically 
7 years, and then they are going to have an opportunity to in 
that 7 years basically demonstrate that they are a good credit 
risk, a good credit score, and as a result of that then get 
additional credit as a result of that after that 7-year period. 
Is that correct? If there is not any other activity?
    Mr. Begor. There is not, Senator. But as you may know, in 
the credit scoring models that we and other credit bureaus use, 
using your example if there was one delinquent payment, as that 
ages out, it becomes less predictive--has less impact on an 
individual's credit score and ability to obtain credit.
    Senator Peters. But, still, it is the expectation it takes 
7 years--you want to watch it for 7 years, basically, just to 
see how it acts. Obviously, there is a slope there. I bring 
that up because I think that most people--certainly everybody 
that I talked to believes that Equifax was beyond being just 
delinquent on one payment when it came to the securing of this 
critical data and this cybersecurity hack, and that the 
information that has now been put out or has been taken will 
likely be there forever. The fact that you have not seen some 
of these activities in the short run may make sense because if 
you are a bad actor, you may wait a while before you actually 
use this data for nefarious purposes.
    I just find it kind of interesting in that delinquent 
payments for a consumer you follow for 7 years although you 
have offered the credit freeze for a lifetime, when it comes to 
credit monitoring it is only 2 years. Credit monitoring is 
certainly much more preferable to consumer convenience than it 
is to freeze and to unfreeze, to go back and forth. I know you 
want to build consumer trust, but if you are telling your 
consumers, we will watch you for 7 years because you have 
missed one payment, but we had this massive breach, and we gave 
all your personal information, somebody got all your personal 
information to millions of people and it is going to be out 
there for the rest of your life, but we will help you for 2 
years.
    It seems to me that it would make sense that at a minimum 
you would offer credit monitoring for the 7 years just as you 
monitor your customers for 7 years.
    My question to you, Mr. Begor: Would you support mandating 
free credit reporting for 7 years for all consumers whose 
personally identifying information (PII) was the subject of a 
breach of a credit reporting agency?
    Mr. Begor. Senator, we think it is situational on what the 
consumer should be offered. We offered 12 months starting in 
the fourth quarter of 2017. We voluntarily extended it for 
another 12 months late last year. We will continue to look at 
that as we go forward. Again, it is my view that legislation is 
not required, that we are doing the right thing for consumers.
    I would just remind the Senator that while the credit 
monitoring is a valuable product, what the Senate passed last 
September in S. 2155 offering a free freeze for consumers is 
the most important way to protect your data. Then Equifax has a 
supplemental lock product that is available on your phone or 
mobile device that is free for life to do the same thing with 
some more functionality. If you are at a car dealership and 
getting an auto loan, you can unlock your credit file. Then 
when you finish getting that financial transaction, you can 
lock it again. No one can see that data once it is either 
frozen by S. 2155 or locked by our free-for-life product.
    Senator Peters. But you still see the value of monitoring 
because you are offering it to your customers for up to 2 
years, that that is a better product for folks than just the 
freeze and unfreeze, which is more cumbersome. I think you 
mentioned that at the beginning.
    My question is what--you said you will re-evaluate this on 
a situational basis. What is that situational basis? What is 
the criteria you will be using as to whether or not to extend 
this beyond the 2 years?
    Mr. Begor. Senator, it really depends on how we can see the 
data have been used and what they are being used for. These are 
some of the criteria we take into account. I would make the 
point that while credit monitoring is quite valuable, we 
believe that it is critically important to give consumers 
control about who has access to their data.
    Senator Peters. I would like to in the remaining time touch 
briefly on another important subject, and that is the 
collecting of data on minors. How many minors had their 
personally identifiable information compromised in the 2017 
breach?
    Mr. Begor. Senator, I do not have that information in front 
of me. I would be happy to get back to your office with that.
    Senator Peters. Is it greater than zero?
    Mr. Begor. I do not know the answer to that, Senator.
    Senator Peters. You will provide that to me?
    Mr. Begor. Yes.
    Senator Peters. That would be great.
    Do you have any policies regarding the collection of 
information on minors?
    Mr. Begor. The policy is that we do not. As you may know, 
S. 2155 allows a parent to put a freeze on their children's 
credit file, if, in fact, they have one. We are diligent about 
managing minors' freezes because it is an area of focus by 
impostors or fraudulent individuals who want to create a credit 
file for identity theft purposes not only on minors but other 
Americans.
    Senator Peters. Is there any instance where a young child 
would need a non-frozen account?
    Mr. Begor. Not to my knowledge, Senator.
    Senator Peters. But a parent has to opt out even though 
there is no reason to have a non-frozen account. But the parent 
has to be active in doing that. OK.
    Last year I worked to pass legislation that protects 
children from synthetic identification (ID) fraud. It is a form 
of identity theft that I know you know very well where stolen 
security numbers of children are paired with fake names and 
birth dates to apply for loans, credit cards, and other 
accounts. Could any minors' information that was exposed in the 
2017 breach be used as part of identity theft or a synthetic ID 
fraud operation?
    Mr. Begor. Senator, I will have to get back to you on what 
minors' data were included in the theft that took place in 
2017.
    Senator Peters. Great. Well, I appreciate working with you 
on that.
    Thank you.
    Senator Portman. We will have a short second round. Senator 
Carper, do you have any additional questions?
    Senator Carper. Both Equifax and Marriott publicly 
announced their data breaches within weeks of learning of them, 
and while this is better than some companies have done in 
recent years, as you know, it is a lot longer than, for 
example, Target waited when it suffered a breach in 2013. In 
fact, Target learned about a cyber attack, you may recall, 
affecting its customers in the middle of holiday season--I was 
one of them that year--and informed the Department of Justice 
(DOJ) and the public literally within days, and this allowed 
Target customers to take precautions against fraud and identity 
theft and to monitor their bank and credit card statements.
    Mr. Begor, the hackers who attacked Equifax were in the 
company network for 78 days before Equifax discovered their 
presence. I think that is correct. By the time Equifax informed 
the public, consumers' information had been in the hands of 
hackers for close to 4 months.
    Given the damage that can be done with the type of 
information Equifax collects, why do you suppose the folks who 
were in positions of responsibility prior to your arrival, why 
wait 6 weeks to step forward? Why not follow the Target example 
so that people could take swift action to protect themselves as 
soon as possible? If I had been you coming into a new situation 
as the new CEO, I would have said to the people who were there 
before me, ``What were you thinking? How could you have allowed 
this to happen?'' Did you ever have those kinds of 
conversations?
    Mr. Begor. Senator, I had a lot of conversations when I 
joined last April, as you might imagine, and I hope you get a 
sense for the pace of change, the breadth of change, the 
priority around security. There is a whole new team here. We 
have added extensive resources, and we are very serious about 
security.
    With regards to the time frame with the data breach, my 
strategy--and I believe it was the team strategy at the time--
was to be accurate and quick in completing the work. As the 
Senator probably knows, it is a very complex process once you 
find out that you have a data breach to really determine which 
elements of your database were affected. We brought in the very 
best forensic experts within days of the data breach--I think 
it was a day or two--contacted the FBI and got them involved in 
it. From my look back at what the team did, they moved as 
quickly as they could to ensure that we were going to be 
complete and accurate.
    From my perspective, making an announcement that there was 
a data breach but not knowing which Americans were impacted, 
and is it 50 million, 2 million, 150 million, it took time to 
do the forensics to figure it out. My approach is to be 
accurate and complete with a real focus around the consumer 
first. We want to make sure that for those consumers who are 
impacted, we can identify who they are and then communicate 
with them quickly.
    Senator Carper. Mr. Sorenson, really the same question. I 
would like to hear from you about the factors that went into 
Marriott's decision on the timing of its public notice.
    Mr. Sorenson. An alert on September 7, 2018, was triggered. 
That alert went to a third party who was operating the 
reservation system for us with, in effect, a copy to the IT 
group at Marriott. We heard from that third-party operator the 
next day, on September 8th, that that alert had been received 
and immediately started to mobilize resources to contain and to 
ascertain why that alert went off.
    It was not until November 19, 2018, that we learned that 
data about our customers had been exfiltrated from our system. 
We announced publicly 11 days later on November 30th.
    We, of course, had lawyers and security experts and all 
sorts of other folks who were engaged in the conversation about 
timing, how quickly could we go. We also wanted to make sure 
that we had set up call centers and websites so that the moment 
we released this information publicly, the customers had a 
place to go and find out more and sign up for the WebWatcher 
services and do the other things that were necessary.
    That 11-day time, of course, met the legal requirements, 
but it also was practically about as fast as we could move it 
and be able to communicate something which was concrete and 
useful to customers and then be able to deliver something of 
what we anticipated they would need and want.
    Senator Carper. Thank you. Let me just ask both of you do 
you have any sense of how many State data breach notification 
laws your companies are subject to? Would it be fair to say 
there may be even 50 such State laws that you are subject to at 
this time?
    Mr. Begor. If it is OK, Senator, I will go first. You are 
correct and it is quite a challenge in----
    Senator Carper. I was going to ask, what kind of challenge 
does that present if it is true?
    Mr. Begor. I do not know if the exact number is 50, but 
they are all different, and it creates challenges in a 
situation like Equifax, as perhaps Marriott's too, in complying 
with the requirements. There are different notification 
documents that are required. There are different ways you may 
communicate with a consumer. There are different ways you are 
allowed to communicate with the consumer. We have been 
longstanding supporters of Federal legislation that would unify 
the requirements and ensure there is a consistent time element. 
Once you figure out which consumers are impacted and what 
States they are in, then there are requirements in how you must 
communicate with them. We are very supportive of a Federal 
legislation to unify the standards.
    Senator Carper. Thank you.
    Same question, Mr. Sorenson. What kind of challenge do you 
have with respect to who to notify, when to notify, what to 
disclose about a data breach with the different States?
    Mr. Sorenson. It was not among the biggest challenges we 
faced, I would put it that way, although if memory serves, we 
found someplace between 20 and 30 States had specific 
notification requirements with a deadline. Now, we, of course, 
met those deadlines and then ultimately communicated to all 50 
States.
    Outside the United States, there were probably, I do not 
know, 20 or 30 countries that had various kinds of notification 
deadlines. Obviously, there is nothing that the Federal 
Government can do with that.
    Sadly, I suppose, in some respects, this ground is too well 
trod, and so there are folks that can help us figure out where 
those requirements are and how to meet them.
    It would be simpler, of course, to have one sort of U.S. 
standard, but, that is something that we would be happy to work 
with your office on and give whatever input we could from the 
experience we have had.
    Senator Carper. Mr. Chairman, I am sitting here thinking, 
believe it or not, of something Richard Nixon of all people 
once said. Richard Nixon once said, ``The only people who do 
not make mistakes are people who do not do anything.'' We all 
make mistakes. I have said to my sons now, 29 and 30 years old, 
I have said to them many times, ``Nothing wrong with making a 
mistake. The key is just we do not want to continue making the 
same mistake.''
    In this case, mistakes not only harmed your companies, but 
as we have talked about, they harm 150 million really innocent 
people across this country.
    The question is: What do we do about it? You have talked to 
us today about a number of things that each of you have done. I 
am pleased to hear the statements of apology, of contrition, 
acknowledging the harm and the damage that has been done. God 
knows I wish, as I am sure 148 million people wish, that the 
kind of thinking and actions that you have displayed in the 
last year or so that you have been in your position, Mr. Begor, 
that that kind of thinking had existed in the previous 
Administration, if you will.
    You talked about what I think is really important. 
Leadership is most important in grading the success of any 
organization I have ever been a part of, business, government, 
or military--always the key. If the leader does not say 
cybersecurity is important, if the board does not say 
cybersecurity is important, nobody else down the line is going 
to make it important in the end.
    It appears to us that you have done that, both of you, and 
have made it very clear right from the top that this is 
important. You have aligned incentives, financial incentives, 
for the folks who are helping run your company so that their 
incentives are all lined up with that in mind. It sounds like 
you have done a lot with respect to hiring the kind of 
workforce that you need to enable the desires and the wishes of 
the directives from on top to make sure that they are carried.
    One of the things that I think a lot about, Mr. Chairman, 
is the workforce--I know you do, too. We have focused in 
Delaware for a number of years now--at the University of 
Delaware, Delaware State University, Wilmington University, and 
Delaware Technical Community College--on trying to make sure 
that we are turning out a better workforce to help take on all 
these jobs that are available out here to be done.
    With regard to the Federal Government and what our 
responsibilities are, I was privileged to chair this Committee, 
the Homeland Security and Governmental Affairs Committee, for a 
while and led it with a fellow named Tom Coburn from Oklahoma, 
and we focused this Committee--as Senator Portman knows, he was 
part of this--on what we needed to do within the Federal 
Government and what we needed to do as legislators. Frankly, in 
those years, those couple of years, we did a lot, and we have 
continued to do a number of things. I really think, Mr. 
Chairman, that this is a ripe time for us as a Committee. We 
have new talent on either end here, Democrat and Republican, 
bright people with real-world experience that can bring a lot 
to this. I think it is really an ideal time for us to do our 
job of oversight. We have done all this legislating, and it is 
being implemented. Let us find out to what effect, to what 
good. That is a big part of our job.
    The last thing I will say is I would ask to enter for the 
record some newspaper articles\1\ I read on the train coming 
down this morning from the last several weeks about the 
dramatic increases in attacks from China and from Iran. I 
remember when President Barack Obama met with President Xi in 
Washington State. You may remember this. It was 2015. I think 
it was September 2015. Jeh Johnson, who was the Secretary of 
Homeland Security, gave me his eyewitness account, and in that 
meeting, President Obama apparently said to President Xi, ``We 
know you are attacking us, and we know that you are coming 
after our trade secrets. We know you are coming after our 
business secrets, our military secrets, and we want you to 
stop.''
---------------------------------------------------------------------------
    \1\ The newspaper articles referenced by Senator Carper appear in 
the Appendix on page 108.
---------------------------------------------------------------------------
    President Xi apparently said, ``No, we do not do that. That 
is not the policy of our country, and that is not what we are 
about.''
    President Obama basically said, ``This is who is doing it, 
this is where they are located, and we want you to stop.''
    President Xi said, ``No, we are not really doing that.'' I 
am told that President Obama said, ``Look, if you do not stop, 
you will wish you had,'' essentially in so many words.
    As you may recall, there was a dramatic drop in attacks by 
China.
    About 2 months before that, the Congress, the United 
States, and the President had essentially signed off on a five-
nation deal with Iran that called for gradually lifting 
sanctions. At the time Iranian elements were unrelentingly 
attacking, especially our financial services companies. I was a 
strong supporter of lifting sanctions in return for the 
Iranians stopping their development of nuclear weapons and 
opening up to incredible, very intrusive inspections, and they 
are still ongoing. You know what happened? Literally within a 
month, the frequency of Iranian attacks greatly dropped, almost 
like China a couple of months later.
    There is another element here, Mr. Chairman, that we do not 
think much about, and there is so much that they can do, so 
much that other companies can do and need to do. There is work 
for us to do in terms of creating the workforce and making sure 
they are available. There is stuff that we can do in our 
oversight role. But there is also a role here for the 
Administration in reaching out to other countries and getting 
them to work with us instead of being out there undermining 
what we are trying to do.
    There is plenty of work to do, a multilayered approach, and 
we appreciate your being here today and helping to put a 
spotlight on this, letting us know what you have done to clean 
up the messes that you inherited, especially at Equifax. It has 
given us an opportunity to think ourselves how we can better do 
our own jobs. Thank you. Because everything we do, everything I 
do, I know we can do better, and that certainly includes this.
    Thank you.
    Senator Portman. I cannot believe government can do 
anything better than it is doing. Well, thank you.
    To the witnesses, I have two follow-up questions here that 
we want to get into the record, but let me reiterate what I 
said earlier, which is we appreciate your being here. We are 
trying to learn. The lessons that you have learned within your 
companies are really important for what we are trying to do 
legislatively, understanding what happened, what could be done 
differently.
    This was frightening, scary, for hundreds of millions of 
families whose personal and financial data was compromised 
through the two companies you now lead. I appreciate the fact 
that you acknowledge that and understand that this is about 
hackers, it is about technology, but it is ultimately about 
people. The frustration that many Americans have right now that 
nothing is sacred or safe and it is good to know, as Mr. 
Sorenson has said and Mr. Begor has said, that some of this 
data apparently has not been used yet by criminals in ways that 
one might have thought it could have been. That does not mean 
it did not happen or is not happening right now.
    Also, as was raised earlier, some of this information may 
be being used by foreign actors in ways that are counter to our 
national interests by targeting individuals. It is really 
important that we get to the bottom of what happened, what is 
being done, and what can be done in the future legislatively.
    Let me go back, if I could, to the cybersecurity protocols, 
Mr. Begor, that we talked about earlier. In your testimony you 
seem to have leaned a little bit heavily, I thought, on the 
fact that the program at the time, I said, ``leveraged strong 
administrative and technical safeguards . . . and was subject 
to regular, ongoing review through external and internal 
assessments.'' We talked about the audit that was not respected 
despite some really troubling data it uncovered.
    The other part that I think we need to talk about this 
morning--and I was waiting to hear what my colleagues were 
going to address, and they addressed a lot of this, but that is 
the IT inventory. The investigation, as you know, found that 
Equifax at the time failed to follow this basic practice of 
maintaining an IT inventory of applications and assets on its 
systems. Without having this list, Equifax was not able to find 
the application that was vulnerable and exploited by the 
hackers. That is the one that has been talked about previously 
called ``Apache Struts.'' You did not even have it on your 
inventory, and so you could not find it. I guess I have a few 
questions.
    One, since the breach, has Equifax generated a 
comprehensive list of applications on its systems?
    Mr. Begor. We have, Chairman, and in great detail, and I 
think my colleague Mr. Farshchi talked about some of the other 
automated systems that we put in place to track all of our 
systems and make sure we understand not only the systems and 
all the assets that we have, but also when there is a patch 
that needs to be completed, those are all automated, and we are 
watching them. Then there are multilayers of defense. It is 
more than just one layer. I think the Chairman knows that all 
the elements have to be done well and done with the latest 
technology, which is what we are continuing to put in place.
    Senator Portman. The National Institute of Science and 
Technology, has now issued a recommendation that there be an IT 
inventory in every company that could be affected by these 
breaches. Let me ask you this: If Equifax had kept an up-to-
date IT inventory, would that have been helpful to have 
identified the vulnerability?
    Mr. Begor. In my analysis of what happened in 2017, there 
was an inventory. It was not as complete as it should be. The 
protocols and the procedures and the resources we now have in 
place are at the highest standards. Like most companies, we 
follow the NIST protocols, and as I mentioned earlier this 
morning, Chairman, we have third parties actually auditing us 
against those NIST standards as a part of how we are managing 
our security program going forward.
    Senator Portman. We have a difference of opinion on that. 
Our investigation identified that there was not a complete 
inventory. Mr. Farshchi, maybe you can respond to this, but was 
there an inventory or not? Did that affect the ability to find 
the vulnerability?
    Mr. Farshchi. Certainly. Inventory is an important control 
across any organization to defend against the threats. I was 
not here at the time, but looking back, we did have an 
inventory. It just was not a complete inventory. Since that 
time, what we have done is we have built in those controls, as 
Mr. Begor was saying, and so we do have a complete inventory of 
our assets. And note that----
    Senator Portman. It sounds like, if I am right, that you 
did not have a complete inventory and Apache Struts was not 
something that was able to be identified. Is that accurate?
    Mr. Farshchi. What I would say is this: The inventory for 
Apache Struts is typically not in the inventory that you 
highlight in the report, and it is a technical nuance. But the 
specifics of that particular vulnerability typically are not 
included in the asset inventory. Because it is a source code 
vulnerability, it is typically in a code repository instead.
    Senator Portman. We have a little difference of opinion on 
this one, so we follow up with you. Again, it is about the 
future going forward. Are you telling me that something of the 
nature of Apache Struts would not be in your current inventory 
and, therefore, you would not be able to find that 
vulnerability today?
    Mr. Farshchi. No; it absolutely is in our inventory.
    Senator Portman. It should be in the inventory?
    Mr. Farshchi. It is just it is a different type of 
inventory, Senator.
    Senator Portman. OK. Well, if they had had in the inventory 
that they were reviewing, clearly it would have made a 
difference. Do you agree with that statement?
    Mr. Farshchi. Made a difference with respect to what, 
Senator?
    Senator Portman. The ability to find the vulnerability.
    Mr. Farshchi. It would have helped.
    Senator Portman. Thank you. OK. Mr. Sorenson, thank you for 
being here, too. I want to follow up on one of the points that 
we found in our investigation. It is true the big breach 
happened at Starwood in 2014. Then you acquired Starwood in 
2016. Is that correct? Then in 2018, you were able to identify 
that something had happened. You said the alert was issued in 
2018.
    However, we have not mentioned today there was a 2015 
breach at Starwood that was acknowledged, and so when you 
bought Starwood, you knew about--I assume you knew about that 
breach. Is that correct?
    Mr. Sorenson. Yes, we did.
    Senator Portman. That breach was a credit card breach. 
Numbers were taken at points of sale at 54 different 
properties, and January 22, 2016, to be exact--the president of 
Starwood sent a public letter out saying that the guest 
reservation database was not impacted by that breach. I have a 
copy of that letter there at the witness table for you. I would 
like to enter that 2016 letter into the record,\1\ without 
objection.
---------------------------------------------------------------------------
    \1\ The letter referenced by Senator Portman appears in the 
Appendix on page 106.
---------------------------------------------------------------------------
    Of course, in reality, the reservation system had been 
breached considerably in 2014. The letter said do not worry, 
reservation system has not been breached.
    My question to you is just a simple one: When you did your 
due diligence, which you talked about having done, did you look 
at that letter, and did you examine this issue? Could you have 
determined, therefore, earlier what happened?
    Mr. Sorenson. It is a very fair question. The short answer 
is we knew about the point of sale breach that Starwood has 
suffered. We worked with the Starwood team and we worked 
independently to try and make sure we understood the scope of 
that breach.
    As far as we know today, it was totally unrelated to the 
reservation system breach that we have been talking about 
announced in November--different tools, a different system. In 
a sense, the point of sale is obviously distributed at the 
properties and the restaurants and at the front desk. The 
reservation system, by comparison, which was the larger breach 
we disclosed in November, is a centralized system. Again, the 
team has said they do not relate to each other, although 
certainly from a colloquial perspective, it feels similar, it 
feels like a warning. It feels like somehow it is relating to 
Starwood's customers, which it is.
    We did try and understand that point of sale thing, and we 
were satisfied that Starwood had taken the steps necessary in 
order to deal with that breach. Separately, we did some things 
on the reservation platform side, but it was in retrospect 
clearly not enough.
    Senator Portman. Well, lessons learned, and we appreciate 
the testimony you have already given us, and we appreciate the 
opportunity to stay in touch with you and your experts to help 
to be sure that we are putting together the kind of legislation 
that can help avoid these problems in the future.
    You made a statement earlier. This is a race that has no 
finish line. I think that is accurate. I think it is also 
accurate that this is a marathon that has to be run at a 
sprinter's pace because there will be continual innovative 
hacking. I noticed this morning, to Senator Carper's point, 
that while the President was in Hanoi in negotiations with 
Chairman Kim, there was an increase apparently--this is a 
report, take it as such--in North Korean hacking, commercial 
hacking of U.S. targets. It is something that we are going to 
have to continually assess, and government is not often good at 
that. We put a law in place, as Senator Carper said. We do not 
do the proper oversight and follow up, and we sometimes get 
behind the curve. We want your ongoing cooperation with this 
panel to be able to put together what makes sense and then to 
update it as necessary, because you are going to both be in 
your companies engaged in this for a long time into the future.
    Thank you again for being here.
    Senator Carper. Mr. Chairman, just a unanimous consent (UC) 
request, if I could, to enter for the record articles from 
February 16th, New York Times,\1\ ``Chinese and Iranian hackers 
renew their attacks on U.S. companies''; and the Wall Street 
Journal is I think as recently as yesterday, ``Iranian Hackers 
Have Hit Hundreds of Companies in Past Two Years.'' I would ask 
they be considered and included in the record.
---------------------------------------------------------------------------
    \1\ The New York Times articles referenced by Senator Carper 
appear in the Appendix on page 108.
---------------------------------------------------------------------------
    Thank you.
    Senator Portman. Thank you all for your testimony.
    Senator Carper. Thanks to all of you.
    Senator Portman. OK. We will now call our second panel of 
witnesses for the hearing. Please come forward and take a seat.
    This is the expert panel that is going to give us 
information about how to solve so many of the problems we just 
talked about. We welcome you. We are going to start by 
introducing the panel.
    Alicia Cackley is here with us. She is Director of 
Financial Markets and Community Investment at the Government 
Accountability Office (GAO). We appreciate GAO's work on this 
issue and on this report.
    Second, we have Andrew Smith with us, who is Director of 
the Bureau of Consumer Protection at the Federal Trade 
Commission (FTC).
    Third, we have John Gilligan with us. Mr. Gilligan is the 
president and chief executive officer at the Center for 
Internet Security (CIS).
    Again, it is the custom of the Subcommittee to swear in all 
witnesses, so at this time, I would ask you to stand up again 
and raise your right hand. Do you swear the testimony you will 
give before this Subcommittee will be the truth, the whole 
truth, and nothing but the truth, so help you, God?
    Mr. Smith. I do.
    Ms. Cackley. I do.
    Mr. Gilligan. I do.
    Senator Portman. Please be seated. Let the record reflect 
that all the witnesses answered in the affirmative.
    Your written testimony will all be made part of the record, 
so if you could keep your oral presentation to 5 minutes, that 
would be great. Mr. Smith, I think we told you you would go 
first, so we are going to call on you first.

  TESTIMONY OF ANDREW SMITH,\1\ DIRECTOR, BUREAU OF CONSUMER 
           PROTECTION, U.S. FEDERAL TRADE COMMISSION

    Mr. Smith. Thank you. Chairman Portman, Ranking Member 
Carper, and Members of the Subcommittee, I am Andrew Smith, the 
Director of the Bureau of Consumer Protection at the Federal 
Trade Commission. I appreciate the opportunity to present the 
Commission's views on how Congress can help the FTC further its 
efforts to prevent data breaches in the private sector.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Smith appears in the Appendix on 
page 69.
---------------------------------------------------------------------------
    My written statement represents the views of the 
Commission, but this opening statement represents my views 
alone and not necessarily the views of the Commission or of any 
individual Commissioner.
    Let me begin by summarizing the FTC's current efforts to 
protect consumers by promoting data security and preventing 
data breaches.
    Our work has three primary areas of focus. The first is 
enforcement. For nearly two decades, the FTC has been the 
Nation's leading data security enforcement agency. We are 
charged with enforcing data security requirements contained in 
specific laws such as the Children's Online Privacy Protection 
Act (COPPA), Fair Credit Reporting Act (FCRA), and the Gramm-
Leach-Bliley Act (GLBA). But we also enforce Section 5 of the 
FTC Act, which prohibits unfair or deceptive practices, 
including unfair and deceptive practices with respect to data 
security.
    In this law enforcement role, the Commission has settled or 
litigated more than 60 actions against businesses that 
allegedly failed to take reasonable precautions to protect 
their customers' personal information. For example, we have 
brought cases against manufacturers of consumer products like 
smartphones, computers, routers, and connected toys. We have 
also brought cases against companies like data brokers that 
collect consumers' sensitive personal information.
    Our second area of focus is policymaking. The FTC has 
conducted workshops, issued reports, and made rules to promote 
data security. For example, just this week we announced a 
Notice of Proposed Rulemaking (NPR) to update our Safeguards 
Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule was 
originally issued in 2002 and requires financial institutions 
within the FTC's jurisdiction to implement reasonable process-
based safeguards to protect personal information in their 
control. The proposed revisions to the Safeguards Rule are 
based on our nearly 20 years of enforcement experience. These 
revisions are intended to retain the process-based approach of 
the original rule while providing financial institutions with 
more certainty with respect to the FTC's data security 
expectations.
    Our third area of focus is business education. The 
Commission has issued numerous guidance materials for business, 
including a guide called ``Start with Security'' in 2015, a 
series of columns in 2017 called ``Stick with Security,'' and 
last year, a comprehensive small business cyber education 
campaign, which includes written guidance, how-to videos, and 
training materials for businesses. These materials distill the 
lessons learned from our enforcement actions in a succinct and 
accessible manner. We have vigorously used our existing 
authority to protect consumers, but this authority is limited 
in some important respects, and the Commission has called on 
Congress to enact comprehensive data security legislation that 
includes rulemaking, civil penalty authority, and enhanced 
jurisdiction for the FTC.
    First, the legislation should give the FTC the authority to 
issue data security rules under the Administrative Procedures 
Act (APA) so that we can keep up with business and 
technological changes. Where we currently have rulemaking 
authority, we have used it, as demonstrated by this week's 
proposed revisions to the Safeguards Rule, which I just 
described.
    Second, legislation should allow the FTC to obtain civil 
penalties for data security violations. Currently, we have 
authority to seek civil penalties for data security violations 
under the Children's Online Privacy Protection Act and the Fair 
Credit Reporting Act. We also can get civil penalties for 
violations of an existing administrative order. But as a 
general matter, we cannot obtain civil penalties in de novo 
cases. To help ensure effective deterrence, we urge Congress to 
enact legislation to allow the FTC to seek civil penalties for 
data security violations in appropriate circumstances.
    Finally, the legislation should extend the FTC's 
jurisdiction over data security to nonprofits and common 
carriers. Entities in these sectors often collect sensitive 
consumer information and significant breaches have been 
reported, particularly in the educational and nonprofit 
hospital sector.
    Thank you for the opportunity to appear before you, and I 
look forward to answering your questions.
    Senator Portman. Thank you, Mr. Smith. Ms. Cackley.

  TESTIMONY OF ALICIA PUENTE CACKLEY,\1\ DIRECTOR, FINANCIAL 
       MARKETS AND COMMUNITY INVESTMENT, U.S. GOVERNMENT 
                     ACCOUNTABILITY OFFICE

    Ms. Cackley. Thank you, Chairman Portman, Ranking Member 
Carper. My name is Alicia Puente Cackley, and I am a Director 
in the Financial Markets and Community Investment Team at the 
Government Accountability Office. I am pleased to be here today 
to testify about Internet privacy and data security issues.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Cackley appears in the Appendix 
on page 79.
---------------------------------------------------------------------------
    My statement will discuss the Federal Trade Commission's 
role and authorities for overseeing Internet privacy and 
stakeholders' views on potential actions to enhance that 
Federal oversight. My testimony is primarily based on our 
January 2019 report on Internet privacy as well as prior GAO 
reports on various privacy issues.
    As you are aware, the United States does not have a 
comprehensive Internet privacy law governing the collection, 
use and sale, or other disclosure of personal information. In 
prior work, we have found that gaps exist in the Federal 
privacy framework, which does not fully address changes in 
technology in the marketplace. At the Federal level, FTC 
currently has the lead in overseeing Internet privacy using its 
statutory authority under Section 5 of the FTC Act to protect 
consumers from unfair and deceptive practices.
    However, to date, FTC has not issued regulations for 
Internet privacy other than those protecting financial privacy 
and the Internet privacy of children, which were required by 
law.
    For FTC Act violations, FTC may promulgate regulations, but 
is required to use procedures that differ from traditional 
notice and comment processes and that FTC staff said add time 
and complexity.
    Stakeholders GAO interviewed had varied views on FTC's 
oversight of Internet privacy. Most industry stakeholders said 
they favored FTC's current approach: direct enforcement of its 
unfair and deceptive practices statutory authority, which they 
said allows for flexibility. Other stakeholders, including 
consumer advocates and most former FTC and the Federal 
Communications Commission (FCC) Commissioners GAO interviewed, 
favored having FTC issue and enforce regulations.
    Stakeholders identified three main areas in which Internet 
privacy oversight could be enhanced.
    First, through statute. Some stakeholders told GAO that an 
overarching Internet privacy statute could enhance consumer 
protection by clearly articulating to consumers, industry, and 
agencies what behaviors are prohibited.
    Second, through rulemaking. Some stakeholders said that 
regulations can provide clarity, fairness, and flexibility.
    Third, through civil penalty authority. Some stakeholders 
said FTC's Internet privacy enforcement could be more effective 
with authority to levy civil penalties for first-time 
violations.
    Recent data breaches at Federal agencies, retailers, 
hospitals, insurance companies, consumer reporting agencies, 
and other large organizations highlight the importance of 
ensuring the security and privacy of personally identifiable 
information collected and maintained by those entities. Such 
breaches have resulted in the potential compromise of millions 
of Americans' personally identifiable information which could 
lead to identity theft and other serious consequences.
    These recent developments regarding Internet privacy and 
data security suggest that this is an appropriate time for 
Congress to consider comprehensive Internet privacy 
legislation. Although FTC has been addressing Internet privacy 
through its unfair and deceptive practices authority and FTC 
and other agencies have been addressing this issue using 
statutes that target specific industries or consumer segments, 
the lack of a comprehensive Federal privacy statute with 
specific standards leaves consumers' privacy at risk.
    In our January 2019 report, we recommended that Congress 
consider developing comprehensive legislation on Internet 
privacy that would enhance consumer protections and provide 
flexibility to address a rapidly evolving Internet environment. 
Issues that should be considered include: which agency should 
oversee Internet privacy; what authorities agencies should have 
for that oversight, including notice and comment rulemaking 
authority and first-time violation civil penalty authority; and 
how to balance consumers' need for Internet privacy with 
industry's ability to provide services and innovate.
    Mr. Chairman and Ranking Member, this concludes my prepared 
statement. I am pleased to respond to any questions you may 
have.
    Senator Portman. Thank you for your testimony and your help 
on this issue. Mr. Gilligan.

TESTIMONY OF JOHN GILLIGAN,\1\ CHIEF EXECUTIVE OFFICER, CENTER 
                     FOR INTERNET SECURITY

    Mr. Gilligan. Chairman Portman, Ranking Member Carper, and 
Members of the Subcommittee, my name is John Gilligan. I serve 
as the Chief Executive Officer of the Center for Internet 
Security, a nonprofit cybersecurity organization. In my oral 
statement this morning, I would like to share my perspectives 
on the logical question that may be asked after this morning's 
testimony, which is: What can be done to prevent major 
cybersecurity breaches?
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Gilligan appears in the Appendix 
on page 90.
---------------------------------------------------------------------------
    I asked myself a similar question in the early 2000s as the 
Chief Information Officer of the United States Air Force (USAF) 
after the National Security Agency's (NSA) annual penetration 
analysis found our cybersecurity posture to be woefully 
inadequate, despite the Air Force spending literally over $1 
billion a year on cybersecurity. I went to NSA and asked them: 
Where should I start?
    After consulting their offensive and defensive experts, NSA 
came back with a prioritized list of the system weaknesses that 
were most commonly exploited by attackers. By a large margin, 
the most common weakness exploited was misconfigured software, 
that is, software that did not have appropriate security 
settings enabled or software that was not properly patched. As 
a result of their guidance, I launched an initiative in the Air 
Force to ensure security-enabled configurations with up-to-date 
patches for all of our operating systems.
    Based on the positive experience with the Air Force in 
identifying most frequent cyber attack patterns and the 
associated mitigating security controls, the NSA effort was 
subsequently adopted by the private sector in 2009 and became 
known as the ``SANS Top 20.'' In 2015, the effort was 
transitioned to my current organization, the Center for 
Internet Security, and what became named the ``Critical 
Security Controls,'' or just the ``CIS Controls.''
    The Critical Security Controls represent a set of 
internationally recognized prioritized actions that form the 
foundations for basic cyber hygiene or effective cyber defense. 
The controls are regularly updated by a global network of cyber 
experts. The Critical Security Controls have been assessed as 
preventing up to 90 percent of pervasive and dangerous cyber 
attacks. The controls act as a clear, actionable, and free 
blueprint for system and network operators to improve cyber 
defense by identifying specific actions to be done in a 
priority order.
    CIS has analyzed major data breaches over the past 2 years 
and has found in each one the root cause of the breach related 
to the failure to properly implement one or more of the 
Critical Security Controls. The Equifax breach is no exception. 
We found that 5 of the 20 Critical Security Controls were not 
properly implemented by Equifax.
    Many organizations are seeing the value of the Critical 
Security Controls. California, Ohio, the Republic of Paraguay, 
and the European Technical Standards Organization have adopted the 
controls as a standard for cybersecurity. The Aerospace 
Industries Association and the Atlantic Council have also 
endorsed the Critical Security Controls.
    As Congress considers ways to improve cybersecurity in the 
United States, I offer the following recommendation. I start 
with the recognition that the NIST Cybersecurity Framework is 
an excellent top-level guidance document that points to other 
more detailed documents and best practices for implementation 
guidance, including the Critical Security Controls. While a 
logical construct, this approach has some unintended 
consequences. In particular, government and private sector 
organizations who wish to implement the NIST Cybersecurity 
Framework must then select for implementation from among the 
very comprehensive lists of standards, guidelines, and best 
practices that are referenced in the Framework.
    This same problem is magnified for organizations that are 
required to comply with multiple high-level frameworks that are 
similar to the NIST Cybersecurity Framework. For example, 
financial organizations are required to certify against the 
Payment Card Industry (PCI) security framework. Organizations 
with international presence are often required to follow the 
International Standards Organization (ISO) cybersecurity 
frameworks, and so on.
    While the individual policies and regulations are well 
intended, they are contributing to much confusion and 
inefficiency in achieving the common goal of effective cyber 
defense.
    Recognizing that our multiple cybersecurity frameworks and 
duplicative policies have contributed to great confusion, I 
would recommend that NIST be chartered to develop a single 
cybersecurity implementation guideline that can be used to 
satisfy the requirements of the NIST Cybersecurity Framework, 
PCI, ISO, Institute of Electrical and Electronics Engineers 
(IEEE), and similar general security frameworks. This 
implementation guideline should provide clear guidance on what 
constitutes basic cyber hygiene and specify a prioritization 
for implementation of appropriate controls. I note that the 
United Kingdom and Australia have done exactly this with the 
Australian Signals Directorate's ``Essential Eight'' and the 
United Kingdom National Cyber Security Center's ``Cyber 
Essentials.'' I offer the Center for Internet Security's 
Critical Security Controls as a point of departure or a model 
for such an effort.
    This concludes my remarks. I look forward to your 
questions.
    Senator Portman. Thank you, Mr. Gilligan. Thanks to all 
three of the witnesses. As we heard this morning, these data 
breaches have become a fact of doing business, haven't they? It 
is a matter of constantly keeping up. It never ends.
    The best estimate we have, the most recent data we have 
comes from the first half of 2018, and that is there were 291 
data records compromised every second. I do not think that has 
slowed down. It has probably increased. It is an ever present 
danger to consumers, to businesses, to our government, and to 
our national security.
    Mr. Smith, I found your testimony interesting. As has been 
alluded to today, 50 States have different stands on this. Most 
States have passed their own breach notification laws. In fact, 
I think every State has some sort of breach notification law, 
don't they, Mr. Gilligan?
    Mr. Gilligan. I believe that is the case.
    Senator Portman. Yes. That is good but they vary 
significantly from State to State. Let me ask you this, Mr. 
Smith: What benefit would there be from having a single 
standard at the Federal level for breach notification 
legislation given, again, this climate we have of increased 
technological interconnectedness and the number of breaches we 
are seeing?
    Mr. Smith. Right. It seems like there would be some benefit 
to uniformity. I should, though, say that our current 
Commission, as you know, is composed of five Commissioners. All 
of them are new within the last year or so, and they have not 
had an opportunity to testify on whether or not they would 
support a uniform data breach notification standard. Past 
Commissions have supported such a uniform notification 
standard.
    Senator Portman. But in your personal capacity this 
afternoon, what is your opinion?
    Mr. Smith. I was interested, actually, by what Mr. Sorenson 
said when he said, yes, it was a challenge, but it was not 
necessarily their primary challenge. I worked at the FTC in the 
early 2000s, and at that time California had passed its first-
in-the-Nation data breach notification standard. We dealt with 
it under the ChoicePoint breach, which was a huge breach at the 
time. We started looking at whether we should have a uniform 
standard, and, in fact, the Commission, I believe, testified in 
favor of it at that time. Bills were introduced in 2006 to say 
we need a national standard, every State is going to enact 
their own standard. Well, every State has, and the sky has not 
fallen.
    I feel as though companies have probably figured out how to 
comply. I do have to say that I think there is always a benefit 
to uniformity in terms of ease of compliance. But from what I 
can tell in the market, companies seem to be able to comply 
with this multiplicity of standards.
    Senator Portman. Ease of compliance is one issue, and I do 
think that is something we will hear about from the private 
sector that they would prefer to know what the standards are 
and not to perhaps even inadvertently not follow a standard 
that is different State to State. But beyond that, it is about 
protection. It is about the consumer.
    Mr. Smith. Right.
    Senator Portman. It is about the government's security and 
so on. Do you think there is some benefit to that, in other 
words, having a high standard that we can, therefore, ensure we 
have better security?
    Mr. Smith. One of the critical aspects of any kind of a 
breach notification standard is the trigger for notification. I 
think that in the earlier panel it was mentioned that there is 
a 72-hour notice requirement in GDPR. From the perspective of 
someone who focuses on consumer protection, I want to get 
notices to consumers that are useful, that give actionable----
    Senator Portman. Accurate.
    Mr. Smith. Accurate, give them actionable information. I 
think the worst thing--and we have seen it in some of these 
breaches--is piecemeal notification. One notice goes out, ``Oh, 
we thought that was breached, and you should do this in 
response.'' Then another notice goes out, ``Oh, we have 
discovered this other asset was breached.''
    Senator Portman. This adds to the frustration that people 
already feel.
    Mr. Smith. It adds to the frustration. You need to give a 
company time to investigate. They have to investigate quickly. 
Give them time to investigate, figure out who was affected, and 
what information was compromised and what consumers can do to 
protect themselves as well as develop the systems to respond--
the 800 lines, the credit monitoring, things like that. So, 30 
days, 45 days, something like that. The FTC has a rule that 
applies to breaches of certain health care information where 
the standard is as quickly as possible, but in no event longer 
than 60 days. I do not know if that is the right cut or not, 
but you need to give people a little bit of time to conduct a 
thorough investigation.
    Senator Portman. I do not disagree with that, but I think 
60 days is excessive given----
    Mr. Smith. Could well be.
    Senator Portman [continuing]. The fast-moving nature of 
this and the potential for people's information to be 
compromised.
    On the Administrative Procedures Act, I noted you talked 
about that in your oral remarks. I think the Administrative 
Procedures Act rulemaking probably does give us more 
flexibility. In other words, as I said earlier to the previous 
panel, we want to be able to respond quickly to a changing 
threat because it is going to be evolving. However, there is 
concern that unless it was specifically related to rulemaking 
authority for cybersecurity legislation, it could get out of 
hand.
    Can you speak to that for a moment? One, do you think rules 
under the APA are necessary, and do you think that will add to 
flexibility? Second, how do you narrow it to being sure that it 
is responsive to the congressional actions we might take on 
this one issue?
    Mr. Smith. Right. The Commission has testified in favor of 
APA rulemaking for data security only. I think what folks 
imagine would be a bill like several that we have seen 
introduced, where Congress says, Companies, you shall assess 
risk and develop a plan to keep data safe and maybe provide 
some other boundaries for what the program ought to look like, 
and, FTC, you shall have rulemaking authority under the 
Administrative Procedures Act, to execute only that law, right? 
Not APA rulemaking authority for everything in the world.
    What we have right now--and it was referred to by Ms. 
Cackley--is rulemaking authority under the Magnuson-Moss 
Warranty Act, which requires us not only to do Notices of 
Proposed Rulemaking and taking of comments; we have to do 
Advanced Notices of Proposed Rulemaking. We have to have 
hearings. We have to issue interim reports. We have to allow 
for interim appeals.
    What that means--it is not impossible to do, but what it 
means is that, from soup to nuts, a ``Mag-Moss'' rule takes us 
10 years.
    Senator Portman. Yes, it slows down the process 
considerably.
    One final point, and then I will go to Senator Carper. On 
the nonprofits you mentioned, you said that private carriers 
and nonprofits should be under the FTC rubric for this purpose. 
Can you give us a couple of examples of that? I am thinking 
about hospitals where there had been some breaches as an 
example where sensitive medical information could be released 
inadvertently sometimes, sometimes through hackers.
    Mr. Smith. Right. Hospitals are the issue. If it is medical 
information, health care information, and it is a hospital, 
then that will be covered by Health Insurance Portability and 
Accountability Act of 1996 (HIPAA), and we work closely with 
the Department of Health and Human Services (HHS) and the 
Office of Civil Rights (OCR) to enforce and administer HIPAA 
standards.
    What we have seen with nonprofit hospitals are breaches of 
employee data, not covered by HIPAA, and that is a real 
challenge. We have also seen breaches at educational 
institutions. We have seen breaches at common carriers, and 
there is, I think, a bit of an open question about the Federal 
Communications Commission's authority to address those.
    Senator Portman. Jurisdiction over that, yes.
    Mr. Smith. Jurisdiction to address those breaches.
    Senator Portman. Thank you. All things to look at. Senator 
Carper.
    Senator Carper. Thank you for your really illuminating 
testimony this morning. You were sitting out in the audience, 
and I do not know what you were thinking about, but you came to 
the table prepared, and it is very much appreciated.
    One of the things that is always helpful to me when we have 
a panel of well-informed, thoughtful witnesses is to see where 
do you think you agree, and the question would be: Where do you 
think you agree as a panel with respect to what Congress should 
do next? Would you just start us off, Ms. Cackley?
    Ms. Cackley. Senator, I think where certainly my testimony 
and Mr. Smith's testimony were in agreement was around the need 
for legislation and what some of the elements of that 
legislation could include, which is to say notice and comment 
rulemaking authority, civil penalty authorities. Those were the 
things that would best help the FTC or whichever agency 
Congress chooses to invest with this issue, oversight over this 
issue, the necessary tools to be able to get the job done.
    Senator Carper. All right. Thank you.
    Mr. Smith, where do you think the three of you agree on 
what we should be doing next, our to-do list, if you will?
    Mr. Smith. Particularly with respect to the statutory 
authority for the Federal Trade Commission to make rules in the 
area of data security and enforce using civil penalties and 
also the expanded jurisdiction, we certainly agree on that. I 
agree with Mr. Gilligan from CIS about the importance of these 
useful rubrics like the CIS Critical Security Controls to 
educate businesses and to focus their attention on things that 
really matter. For a lot of businesses, I think that data 
security is sort of an insurmountable obstacle. It is beyond 
anyone's comprehension. These types of rubrics I think help 
businesses to focus their attention in the right place.
    We have done the same thing this week with our GLBA 
Safeguards Rule. The rule began in 2002 and at the time was 
quite influential, but it is very basic. It requires companies 
to have good data security, conduct data assessments, and 
appoint people to be responsible. In our new rule, which is 
somewhat longer, we offer more specifics about encryption and 
penetration testing and some of the other best practices, which 
provides businesses with an auditable standard, provides them 
with clear information about our expectations, and also, 
candidly, provides us with more ability to enforce.
    Senator Carper. Mr. Gilligan, same question. Where do you 
agree?
    Mr. Gilligan. I think there is fundamental agreement that 
this is a complex issue. There are a number of regulatory 
bodies--Federal Trade Commission being one--who have 
jurisdictions over parts of our economy. One of the functions 
that the Center for Internet Security provides is what we call 
the ``Multi-State Information Sharing and Analysis Center,'' 
where, under funding from Congress and under DHS sponsorship, 
we provide security support for State, local, tribal, and 
territorial governments.
    Included in State, local, tribal, and territorial is almost 
every different domain that you might imagine, and they are all 
struggling dealing with cybersecurity. While I am personally 
not an expert in data breach reporting, I can say that the 
States and local governments are struggling trying to deal with 
all of the well-intended regulations that I mentioned in my 
testimony. I think some consolidation of that and 
simplification and, as I suggested, perhaps using something 
like the Critical Security Controls as the technical 
implementation foundation. That is where most organizations 
need relief--and that needs to be continuously updated. That is 
what most organizations need help to focus on the problem, and 
as I said, the breaches that have been discovered invariably 
are the result of failure to implement very simple controls in 
a comprehensive way.
    Senator Carper. I asked my staff to gather a handful of 
tips for consumers, for regular folks, to follow if they become 
a data breach victim, and the short list--it is not a 
comprehensive list, but one of those is change your password. 
Another would be to contact your bank or your credit card 
company. A third would be to contact a credit reporting bureau. 
A fourth would be to sign up for credit monitoring. That is for 
folks who had become a breach victim.
    Mr. Gilligan, what would you suggest that consumers can do 
to protect themselves prospectively, not after they become a 
victim but prospectively? Any tips?
    Mr. Gilligan. I think it would be largely parallel to the 
list you just mentioned. One of the things that I would 
recommend is that all consumers freeze their credit reporting, 
which is often a vehicle through which their particular 
personal information is compromised.
    I think having good hygiene with regard to passwords, with 
regard to software updates and use of security software are 
also things that all consumers should do on a regular basis in 
order to protect themselves.
    Senator Carper. Mr. Smith, Ms. Cackley, anything you want 
to add to that list?
    Mr. Smith. I would direct consumers to our website, 
FTC.gov, where we have a tremendous amount of information about 
how to protect yourself in the event of a data breach, both 
general information as well as specific information. For 
example, we have pages that are dedicated to tax identity 
theft. We have a page dealing with connected toys. Just a 
couple of months ago, in December 2018, there was a phishing 
scam where consumers received what appeared to be authentic 
emails from Netflix saying, ``You need to provide us with your 
payment information again.'' We developed a specific page of 
consumer education to deal with that because it was an 
important threat to consumers.
    We also built pages for the Marriott breach and the Equifax 
breach that gave specific information for consumers who had 
received those notices about what they could do to protect 
themselves, including some of the measures that your staff 
mentioned.
    Finally, when consumers believe that they may be a victim 
of identity theft, they need to go to Identitytheft.gov, which 
is operated by the FTC, and there we have tools such as the 
identity theft affidavit that you can use with the credit 
bureaus to have fraudulent information removed from your credit 
report, as well as receive other rights under the Fair Credit 
Reporting Act.
    Senator Carper. All right. Thank you.
    Ms. Cackley, one last word?
    Ms. Cackley. I would say just that consumers need to 
educate themselves, thinking prospectively. They need to 
understand what data is potentially available to other people, 
what companies are collecting their data, and how they can set 
privacy controls potentially or do whatever else they can to 
keep themselves safe.
    Senator Carper. Terrific. Thank you. You had to wait here 
for a while in order to share your thoughts with us, but for us 
it was well worth the wait and we thank you very much.
    Senator Portman. I cannot tell you how much we appreciate 
your testimony and also the ongoing work with us on this 
because we have some real expertise here.
    By the way, with regard to the FTC--I think I speak for 
Senator Carper on this, too--we really want you to feel 
responsible. In other words, one of the concerns that I have 
had is there is so much of this going on, breaches, some of 
which relate to private companies, some, as you mentioned 
earlier, nonprofits. Many people are concerned about where 
their information is going, even if it is not a business per se 
that you would normally think of as we saw in the earlier 
panel, but even any of these websites where you are giving 
information and that information is then being given out to 
other people. Folks want to know about it. I hope--and maybe 
Ms. Puente Cackley can do some work on this going forward--that 
you all feel empowered to be that one stop for a consumer. If 
they have a concern, they can go to your website and figure out 
both what is going on with the specific issue, as we talked 
about earlier, if there has been a breach at a big company, and 
they can find out what the information is about how they can 
protect themselves, but also just general information.
    I assume you feel you have that responsibility already, but 
we want to be sure that whatever legislation we do squarely 
puts that responsibility, frankly, and accountability on the 
FTC. Any thoughts on that?
    Mr. Smith. We are the country's only general jurisdiction 
consumer protection agency. Of course, we have a lot of 
consumer protection agencies--the Food and Drug Administration 
(FDA) or the Securities and Exchange Commission or the banking 
agencies. We are the only ones who take a general view to the 
whole marketplace, and we believe that should Congress pass 
legislation with respect to data security or privacy, we are 
the agency that is best equipped to enforce and administer that 
statute, not only because of our more than 20 years' experience 
with privacy and data security--in fact, if you look at the 
Fair Credit Reporting Act, which has been around since 1970, 
and we have been in charge of enforcing and administering it--
but also just our general know-how with respect to how to 
protect consumers and our focus on consumer harm, whether it is 
deceptive practices or unfair practices. We have the goods to 
show for it, right? We have brought 60 cases plus in the data 
security area and the same in the privacy area.
    Finally, I would say that I think that, unlike an agency 
that has specific jurisdiction, I think we are less susceptible 
to capture. If you look at the more than 100-year history of 
the FTC, we have proven remarkably immune to that, and I would 
worry about a special agency dealing with privacy in terms of 
the potential for regulatory capture.
    Senator Portman. I think that is consistent with where we 
would like to go with legislation just to affirm that and to 
make sure there is a clear line of responsibility.
    My final question is about Ohio, of course, and it is to 
Mr. Gilligan, because he mentioned Ohio in his list of States 
and countries that have put in place some kind of an Internet 
security control system. We have recently in Ohio established 
our Center for Internet Security Controls as a standard for 
cyber defense after passing the Ohio Data Protection Act. Could 
you discuss briefly the role of the CIS controls within the 
Ohio Data Protection Act and how legislation of this kind can 
incentivize companies to implement some of these baseline cyber 
controls we have talked about today?
    Mr. Gilligan. Thank you, Senator. The Ohio legislation is 
ground-breaking legislation in that for the first time it 
provides specific guidance with regard to expectations for 
cybersecurity. As you mentioned, it does reference a couple of 
the Federal guidelines, specifically it references several NIST 
documents. But the Critical Security Controls is only one of 
the references that really provides specific implementation 
guidance, and so we believe that that is the type of guidance 
that is required.
    As you know, the Ohio legislation is voluntary, and the 
intent of it is really to provide positive incentives to those 
doing business within Ohio to improve their status of 
cybersecurity, and we think that is sort of the right way to 
go, to provide a clear definition of what are the expectations, 
encourage through positive rewards organizations to comply with 
those best practices, and to serve as an example for industry 
as well.
    Senator Portman. Thank you, Mr. Gilligan. Senator Carper.
    Senator Carper. Mr. Chairman, before we close, I just want 
to thank a couple members of our staff from the majority side 
and the minority side by name and insert for the record the 
names of some other folks who have worked on this. We have been 
at this for a while. There are some people who have come and 
gone, and I want to just have those names entered for the 
record: on the majority staff, Andy Dockham, and Patrick 
Warren, especially for their hard work, and there are others, I 
know, as well.
    On the minority staff, I want to thank Roberto Berrios, 
Brandon Reavis, Meeran Ahn, and John Kilvington; our law 
clerks, Conor Daly, Justin Azar, and Taylor Burnett, who helped 
prepare for this hearing. We have a number of folks, former 
staff, former law clerks, who have gone on to other pursuits, 
but we are grateful to them. We will enter those names for the 
record. We are only as good as the people we have behind us, 
and we are blessed by the folks that sit behind us and help us.
    Senator Portman. Thank you, Senator Carper. I thank the 
witnesses for their testimony this morning. Both panels I 
thought were very informative. I also want to thank your staff, 
Senator Carper, and you for leading on this important issue of 
protecting consumer information. That is how we work here. It 
is a nonpartisan approach, and my staff also deserves 
recognition for doing a great job in working with our witnesses 
and others to make sure this was a thorough investigation.
    As with our other investigations, we are going to be 
looking at legislation, so we want your continued help on that. 
I look forward to working with Senator Carper on that.
    The hearing record will remain open for 15 days for any 
additional comments or questions by any of the Subcommittee 
Members, and with that, this hearing is adjourned.
    [Whereupon, at 12:32 p.m., the Subcommittee was adjourned.]

                            A P P E N D I X

                              ----------                              