Organization as it functions on a day to day basis. Tonight, at 8 p.m. Eastern, on C-SPAN's Q&A.

On Thursday, Richard Smith, the former CEO and chairman of Equifax, testified on the data breach at his company that compromised the records of 140 million consumers. This testimony to the House Financial Services Committee was his fourth appearance before a congressional committee in a week. It's three hours and 15 minutes.

The committee will come to order. The chair is authorized to declare a recess at any time. This hearing is entitled Examining the Equifax Breach. On September 7, Equifax announced what it called a cyber security incident. 145 million U.S. consumers, nearly half of all Americans. If you are hearing my voice, you're either the victim of the breach or know someone who is. That's how massive this was. Criminals got everything they need to steal your identity, open credit card accounts in thise and cause ... you may be the most harmful the world has ever seen. The company's response has left much to be desired. Equifax failed to disclose the breach to shareholders for weeks. Senior executives sold their Equifax shares after the company knew of the breach but before they disclosed the breach. The Federal Trade Commission will get to the ... the Justice Department will get to the bottom of this. By the Federal Trade Commission is required. Congress must ensure federal regulators do their jobs so justice can be served. We must examine if our agencies and the Fair Credit Reporting Act are up to the job. Large-scale security breaches are becoming common. Attacks of increasing sophistication demand efforts to safeguard consumers. That starts with consumers acquiring effective measures to prevent breaches. Given the government's own track record with protecting personal information, witness the OPM example. A recent ... we must be cautious about attempts to never let a good crisis go to waste and impose a Washington solution.
I believe we need to ensure we have a consistent national standard for breach notification to better protect consumers and hold companies accountable and be sure this is not repeated. Our committee passed such legislation nearly two years ago, the bipartisan Data Security Act. The need to revisit and improve upon the legislation should be obvious to all. The status quo is failing consumers and leaving them vulnerable. To working with members of both sides and working with the administration to ensure that Americans will be protected and no longer have to the breaches we are discussing today. I recognize the Ranking Member of the committee for three minutes.

The massive breach at Equifax and the company's subsequent failures are at a scale we have never seen before. It is more egregious because the impacted customers never chose to ... consumers cannot end their relationship with Equifax. You are stuck with this company. I am interested in what Equifax will do moving forward to provide full redress for those who have been harmed. I am also interested in why they have sent this witness today without the authority to commit Equifax to future actions. We need to hear what happened and what Equifax plans to do. I know this hearing won't answer everything and we would like to know more. This is why Democrats are requesting a minority day hearing to get more answers to the questions surrounding this breach and the impact on consumers and solutions for moving forward. For example, I would like to know ... I would like to make sure credit agencies do not profit off of this incident by exploiting fears. This is not the time to focus on selling consumers more product. The response is the tip of the iceberg. The system needs an overhaul. That's why I introduced a comprehensive Consumer Credit Reporting Act. It would shift the burden to credit reporting agencies and away from consumers. It would also shrink the importance of credit reports in our lives.
Employment checks and limiting when CRAs can collect information on consumers. It is time to end the hold Equifax has on our consumers.

You are now recognized for one and a half minutes.

Mr. Smith, I know you have been before several committees this week. This is not just incompetence on the part of you and your company, but disregard for the law. This has affected more than one third of the American people. The data has been potentially compromised and they had to wait more than a month to find out about it. The American public deserves better. They deserve a system that efficiently notifies them. I believe it is time to move forward. We need to find solutions. I hope if one good thing comes ... it's that American consumers can get a system that works for them. I share that ... it's going to have oversight over this data breach and that security type of bill, and I ensure we will try to look thoroughly at ways to protect American consumers.

The chair now recognizes Mr. Clay, the Ranking Member of the Financial Institutions Subcommittee, for one minute. He is not here. We will then go to the gentleman from Michigan, who also appears to not be here. The gentleman from Minnesota is recognized for one minute.

I thank the chair and Ranking Member for this hearing. A lot has been said about the Equifax breach. There are a few things we have to bear in mind. Equifax and two other players in the credit reporting industry dominate the whole field. As you know, I have been concerned about market concentration. Equifax is too big and we need to increase competition. If they had to worry about a competitor, I believe they would be better at safeguarding consumers' data. Hights are concentrated so that basically, other than ... they can be lax with the data of people. To people talking about issues that are important. There has been some movement in ... well, I will leave that.

Time has expired. Ms. Maloney, you have one minute.

Equifax was not just a breach of security. Not just a massive database breach.
It was a breach in the trust of the American people in your company. We have the best markets in the world. The markets run more on trust than on capital. A breach of trust is something our markets cannot tolerate. I join my colleagues in being committed to finding procedures going forward so that this does not happen again and that the law is enforced against those who breach and break the law.

Time has expired. Today we will receive the testimony of Richard Smith. Prior to September 26 of this year, Mr. Smith had been the CEO at Equifax since 2005. He held various management positions at General Electric, where he worked for 22 years. Mr. Smith, you are recognized for five minutes.

Thank you for allowing me to come before you now. I am Rick Smith. For the past 12 years I have served as chairman and CEO of Equifax. Over the last month, I've had the opportunity to talk to many American consumers and read their letters. I understand the anger and frustration we have caused at Equifax. The attack on our data occurred on my watch. I take full responsibility for it as the CEO. I want every American to understand that I am deeply apologetic and sorry that this breach occurred, and I want people to know Equifax is committed to dedicating their ... forward to make things right. Americans have a right to know how this happened. I am prepared to testify about what I learned and what I did about this while CEO, and also what I know about the incident as a result of being briefed by the ongoing investigation. We know the attack was made possible by a combination of human error and technological error. The human error involved the failure to apply a patch to a portal in March 2017. The technological error involved a scanner that failed to detect the vulnerability on this portal. Both errors have since been addressed. On July 29th and 30th, suspicious activity was detected. We followed our response protocol at the time. The team shut down the portal and began their internal security investigation.
On August 2, we hired top cyber security forensic and legal experts. We also notified the FBI. At that time we did not know the nature or the scope of the incident. It was not until late August that we concluded we had experienced a major data breach. For the weeks leading up to September 7, our team continued working around the clock preparing to make things right. We took four steps to protect consumers. We determined when and how to alert the public, and we relied on the advice of our experts that we needed to have a plan in place. Number two, developing a website and offering free services to those impacted and to all Americans. Three, preparing for increased cyber attacks, which we were advised are common after a company announces a breach. Number four, continuing to coordinate with the FBI and their investigation of the hackers while also notifying federal and state agencies. In the rollout of our remediation program, mistakes were made, for which I am deeply apologetic. I regret the frustration that many felt when our websites and call centers were overwhelmed in the early weeks. It is no excuse, and certainly did not help, that two of our call centers were shut down due to Hurricane Irma. Since then the company has increased its capacity. Over 420 million U.S. consumers visit our website, and our call times and wait times at the call centers have been reduced substantially. At my direction, the company offered a broad package of services to all Americans, all of them free and aimed to protect the consumers. We developed a new service, January 31, 2018, that will give all consumers the power to control access to their credit data by allowing them to lock and unlock access to their data for free for life. In the hands of the American consumer. Data security is a national security problem. Putting consumers in control of their credit data is the first step. A single company can solve the larger problem on its own.
We need a public-private partnership to protect data, and I look forward to being part of the dialogue. Thank you again for inviting me to speak. I will close again by saying how sorry I am that this breach occurred on my watch. On a personal note, I want to thank the many hardworking and dedicated employees that I have worked with tirelessly over the past 12 years. Equifax is a good company with thousands of great people trying to do what is right every day. They will continue to work tirelessly to right the wrong. Thank you.

The gentleman from California.

I would request that the witness be sworn.

It has not been the practice of the committee to swear in witnesses, as you know. The witness has to find before coming here that the testimony will be truthful. That should be sufficient. Five minutes for questions. This is now your fourth appearance before Congress. That speaks to the gravity of this situation and the number of committee jurisdictions that this crosses. Since you have testified three other times, there is a lot of focus on the nature and scope of the breach. It took a month before people were notified. Did law enforcement ask Equifax to delay notification? You mentioned we were in communication with the FBI. They did not necessarily, did they, ... the flow of information to the public. Were there outside data security consultants that delayed the company's communication ... with a month? We yet with Mandiant, in tandem with our team. Did they advise you to delay it?

It wasn't until the 24th that we realized the size of the breach. That continued to develop until the time we went public on the seventh. The company came out this Monday with continued efforts. It was a fluid process of understanding the scope of the breach.

I am led to believe the vulnerability was first publicized in early March. Then it was immediately categorized as a critical vulnerability by cyber security authorities.
What do you believe is a reasonable amount of time for a critical vulnerability patch to be pushed out and implemented on affected applications?

Our policy is within 48 hours. We did that.

So what happened?

On the eighth of March we were notified. Communication was disseminated to those who needed to know about the patch. Then two things happened. One was the human error: the individual who was responsible for the patching process did not ensure there was communication. That was error number one. Error number two was on March 15 we used a scanning technology which looks around the systems for vulnerability. For some reason, the scanner did not detect the vulnerability. So we had a human error and a technological error, both resulting in the fact that it was not patched.

You chose to notify the ... there are state breach laws, as you know. We have a patchwork. But under what breach notification did you notify the public?

We were trying to abide by all state laws on the recommendation, making sure we had an accurate understanding of the breach, and as I mentioned earlier, that took weeks. It is very difficult to retrace the footprints of these criminals, where they had been, what they had done. We had to recreate inquiries using our security team.

You are located in Georgia, correct? The Georgia regime that you followed?

Yes, we are in Atlanta. We are being mindful of all state laws for breach notification, also making sure we have an accurate understanding of what data has been compromised. That was not until late in August.

Mr. Smith, I appreciate you being here today. I want to understand what capacity you are in today. Are you a volunteer, are you paid ... please make it clear to me.

I am the former chairman and CEO of 12 years. I am sitting here as a former CEO and someone who has agreed to work with ...

Are you a volunteer?

Yes.
You can ... you today to explain what has taken place; you have the ability to talk about what happens going forward and how we can correct the mishaps, the problems of Equifax. Are you empowered to do that today?

I have the opportunity to talk from the perspective as a CEO.

Are you bound by the commitment from the company today? Your capacity today is simply to try to explain and take responsibility rather than how we go forward for the future, is that right?

Correct. I have views and I am prepared to discuss those. The commitments are made by the company themselves.

We have such limited time to deal with so many problems. While I appreciate you taking responsibility and apologizing, you being here today does not do much for us in terms of how we are going to move forward and correct the problems of Equifax. Our consumers are at great risk. I have not been able to freeze my credit with Equifax. I cannot get through. You are talking about improvements you have made. Are you close enough with the company to know what has been done to be available to consumers?

Yes. I have an understanding of what has been done to make the service level to consumers better. They have staffed up dramatically on the call centers. I am told that the backlog of consumers trying to get through and secure services has now been emptied and the flow is now ...

I am not sure about that. I worry about that. And I worry how long consumers will be able to get what you describe as free service from Equifax. Is there going to be a time that kicks in where they will be charged for trying to straighten out whatever problems have been created because of this hacking?

The company has offered five services to every American. I can walk through those if you want. They give protection to the consumer, not just those impacted, but any consumers. Following under January 2018, for one year. Then the consumer has the ability to have control for life, to lock and unlock when they choose versus us doing it.
It will be free for life starting January 2018. It will be enabled as an application on a cell phone.

If someone's identity has been stolen, and usually it takes a long time to unravel that, are you going to provide service and protection and assistance to the consumer until that is taken care of?

Yes. One of the five services we offer today is the ability to lock access to your file. It will be enhanced in January with an easier user interface. ... how we can prevent identity fraud. You as the consumer prevent who accesses it.

So what you are saying is, when one finds oneself in that position, Equifax will provide them with the service and assistance in perpetuity?

The chair recognizes the gentleman from Missouri.

I had a long meeting this past week with some experts in data security and how they can be protected. One of the comments they made was companies only spend 6% on security. Do you know off the top of your head what your company spends on security?

I do. I think what you are referring to is the benchmark of the percent of the I.T. budget. 6% is the average. 10% to 14% of the budget of I.T. [on] security. We are in the 12% range.

Are you aware of new protocols so that this doesn't happen again?

Yes. Step one was the forensic review and step two is remediation for short-term, medium-term, and long-term. We also engaged a world class consultant to come out and rethink everything we have done for a long-term plan.

As a result of this breach, there is an enormous ... I would imagine this would bankrupt your company for a number of reasons. Do you have an insurance policy to cover this kind of a breach?

Yes. I have discussed that in the past. We do have a tower of insurance coverage that is common in our world. Cyber security, general liability insurance.

So the company is protected, is that right?

There are limits and I cannot expose those limits.

In your testimony a minute ago you talked about new security processes.
You are talking about creating a public-private partnership for identity verification. Can you explain what we believe is a public-private partnership in regards to this?

Yes, Congressman. There are two thoughts. The rate of cyber security incidents around the country and world is running at a pace that has never been seen before, and I am convinced there is more we can do. A public-private partnership to get ahead of it and not just react to it. The more I reflect and talk to experts in the area of cyber security, I am convinced there is an opportunity for this partnership between public and private to rethink the concept of a social security number, name, date of birth as being the most secure way to identify people. This was introduced back in the 30s and I think there should be a new way to identify consumers.

The chairman did a good job discussing the notification problems in regard to this situation. Can you tell me what you believe is a better way to notify the individuals? A minute ago you said you basically knew on the 24th that individual data had been breached, and it wasn't until the seventh, which is two weeks later, that you made a note to the individuals. Even if you cannot get your phones up and running, do you think it would have been better to notify the individuals, not just a public declaration saying we have been breached? People's information could have been breached; therefore, all of you in our system need to take precautions, and let them on their own take whatever precautions they can. Do you think there was a better way to go about it?

I assure you we took a lot of time to think about the notification process. I will make one point of clarification. On the 24th, the knowledge we had surrounding the breach was fluid. The other thing I will say is ... firm said ... securities to prepare ourselves for security breaches. Between the 24th and the seventh, a lot of energy was spent securing whatever we could to give us the best protection against cyber attacks.
Also, as you mentioned, we had to train and staff people.

Time for the gentleman has expired. There is currently a vote taking place on the floor. Over 10 minutes left in the vote. We will recognize one more member, then declare a recess. The chair recognizes the gentlelady from New York, Ms. Maloney.

Mr. Smith, as you well know, Americans rely on the three credit bureaus, a group of companies, to safeguard our most sensitive information. It is because these credit bureaus hold this key personal information that we subject your companies to very rigorous data security standards. The credit bureaus are subject to the Federal Trade Commission's safeguards rule, intended to ensure the security and confidentiality of the information. We have a law in place that protects, supposedly, against exactly what happened here. If not, we will know Equifax is clearly above the law. The safeguards rule requires that Equifax have an information security program in place that can identify reasonably foreseeable risks to the security of your data and can protect against these risks. This risk was obviously foreseeable because the Department of Homeland Security literally sent you and the other credit bureaus notice about the exact vulnerability that the hackers exploited. And yet, your security program did not protect against this announced, foreseeable risk. In my mind, this is the most open and shut violation of the ... I have ever seen in the history of this country. My question to you is, do you believe that Equifax violated the FTC's safeguards rule?

Congresswoman, I understand your points. It is my understanding that we complied with the rule, and this does not prevent 100% against data breaches.

How in the world could you let this happen when you were warned by the Homeland Security department?
My second question: the safeguards rule also requires you to have a patch management system, essentially a system in place to catch security flaws as soon as a fix for it is released. You testified that your patch management system failed in this case, even though there was a patch released almost immediately. Equifax did not implement the patch like it was supposed to. I wrote the other two bureaus a letter about their information security program to make sure their systems were thoroughly protected. One of them wrote back a very detailed response, which I would like to submit to the record, along with a letter in which they explained their patch management system functions correctly. When they got the notice from Homeland Security, they immediately ... security patch. They also stated their patch management system will literally shut down. It will not even work. It shuts down automatically if a patch isn't implemented immediately. My question is, why didn't your patch management system automatically shut down when the security patch wasn't implemented? Why was this flaw allowed to go unpatched for months before you noticed it? You already testified your person failed to implement it.

I was referring to ... that has to be identified by us, not by outside software manufacturers. Like I said, my oral testimony ...

My time is almost up and I have one more question I think is important. You may not know this, but it is considered best practice to have chief officers that have an independent business line to report directly to the CEO and board of directors. Equifax, you are using an outdated governance model and have your chief information officer reporting to the general counsel, not directly to the CEO. My question is, why was your chief information officer not reporting directly to you and the board?
And why were you using an old model? Was it because you do not think information security was important enough to be reported directly to you?

Congresswoman, I don't think ... I don't believe it matters who he reports to.

It wasn't reported to you or the board. It went to the counsel and it violated best practices for companies.

Time has expired. There is one vote pending on the floor. The committee stands in recess pending the conclusion of that vote.

... Mexico for five minutes.

Thank you for being here today. Just to try to get the playing field underneath us, you would describe the processes at Equifax with regard to outside ... as being very engaged and pretty professional; we had a human mistake, more or less. Is that kind of correct?

Mr. Smith: I would say we had two very important errors.

I understand we have a lot of critical data here.

Mr. Smith: I would describe this as one that put a top priority on security.

How much of your time in your 12 years did you spend each day on security?

Mr. Smith: When I first came here we had no ... security organization. I made it a priority 12 years ago to engage consultants and help scope it out. We went from basically no people ...

How knowledgeable are you on the subject?

Mr. Smith: We had 13 reviews.

You personally.

We had routine reviews.

How many times have these things breached under your watch?

Mr. Smith: To the best of my knowledge, there was one notification on March 8.

Is the firm still using that software?

Mr. Smith: It was deployed in two locations and has been patched.

But you are still using it? I am not savvy on all the cyber crimes, but when I hear the Secretary of the Treasury say that 50% of his time every day is spent on cyber threats, I was trying to get some sense from you how much of your time every day, because this is probably one of the more critical things, and I didn't get a very solid answer. I tend to fall on the side that says there is a little bit of a lax culture here.
To patch these threats ... I clicked on the first website and it talks about something open source. It was pretty good. They lost their way three or four years ago. To be using those pieces of software, but even just the first says three out of five stars, we probably ought to be looking at better alternatives out there. Then you just have these patches that come out and no one actually responds to them. Who made that decision? Where in the hierarchical scheme did that decision to not implement the patch come from?

Mr. Smith: Again, on the eighth of March, the notification came out from Homeland Security ... communication from the organization. The patching process was owned by the chief information officer, who was under his organization.

Surely somebody more than just an agent at the field level ... being sure we do not have any vulnerabilities. Surely it was not that low. Has that decision-making stream been made public?

Mr. Smith: The owner of the process for patching was a direct report to ...

Talking internally in Equifax. Do not worry about outside, because you are the one responsible. Was that decision scheme made public, and can we know who ... information?

Let me clarify if I may. The owner of the process internal to Equifax of patching any software was an individual who was a direct report to the chief information officer.

OK. I am almost out of time. Your assertion that this is just human error overlooks the fact that you had unencrypted information; anybody that gets in can just read it. Is that industry standard? That we don't encrypt it.

Mr. Smith: That is not correct. We use tokenization, encryption ...

Your testimony a couple days ago answered you have a lot of information that was in plain sight. I think that shows we have not identified the process internally that was very lax in my opinion.

The time for the gentleman has expired. The chair recognizes the gentlelady from New York.

Thank you. Mr. Smith, in your testimony you stated you are deeply sorry this event occurred and that you and the Equifax leadership team worked tirelessly to make this right. However, according to an article, you are retiring with a payday worth as much as $90 million. My question to you, sir: do you believe it is right for you to walk away with a payday worth $90 million when the lives of more than 145 million hardworking Americans have been compromised?

Mr. Smith: One, I do deeply apologize for the breach of those American consumers. I heard of this article. I cannot reconcile that number.

Let me be very clear. How much are you getting?

Mr. Smith: When you retire ... I can announce my retirement at that time. I also told the board back in early or mid September that I would not take a bonus going forward. I also told the board I would be an advisor, unpaid, helping the board and management team for as long ..., and I asked for nothing. That was disclosed in the proxy, and that was pension I accumulated over my career. That is some equity I earned in the past.

You told the Ranking Members that you are here in your capacity as an advisor to Equifax now?

Mr. Smith: Unpaid.

OK, so are you advising Equifax to set up a compensation fund for impacted consumers?

Mr. Smith: The advice I gave the board has been followed, and that was to offer five services for one year.

But that is not a compensation fund.

Mr. Smith: Correct.

As Ranking Member of the House Small Business Committee, I am concerned on the impact this historic breach will have on this country's 29 million small businesses. Business credit is often inexplicably part of the credit score. I wrote a letter requesting information about Equifax's plans to help small businesses, but we have not received any response. What steps is Equifax taking to educate small businesses and what it means for their business?

I understand the question ... Mr. Smith?
If we have not responded to your letter, I will make sure the company does respond in writing to your request. Specifically to your question, however, if a small business man or woman was the proprietor of that company as an individual, they would be covered by what we are doing for them going forward, offering this free lock product for life. Two, small businesses in America are very important customers of ours.

I know that.

Mr. Smith: We have told them and others the data we have for small businesses has not been compromised.

Not compromised?

Mr. Smith: If you are an individual, the information will be offered for free. The businesses were not compromised.

Is Equifax working with lenders to establish a safe way to check current credit scores for borrowers seeking a small business loan?

If you are a proprietor of the small business, you have the ability to access all the free services we have just discussed.

This past Monday, it was announced approximately 2.5 million additional U.S. consumers have been potentially impacted by the breach. Can you assure us there will not be more discoveries of even more consumers that will be potentially impacted as a result of this breach?

Mr. Smith: It is my understanding that the press release put out by my company on Monday not only set 2.5 million consumers as impacted additionally, but also that the forensic review by Mandiant was now complete.

The time for the gentlelady has expired. The chair recognizes the gentleman from Michigan.

Right here. As the chairman had indicated, the Securities and Exchange Commission falls under that purview. You obviously know that you have certain duties and responsibilities as a CEO, not just in the running of a company but in the paperwork filing that has to go on and be filed with organizations like the SEC. Was data security ever an area you listed as a deficiency in regards to any of these requirements?

Mr. Smith: Congressman, I don't recall this ever being described as a deficiency.

Communicated by other means. You have internal controls. Presumably you do your analysis on it. So data security was never part of that, as a control issue or an area of concern?

Mr. Smith: It is always viewed as an area of risk for the company. I don't ever recall it being considered an area of control.

Under SEC rules, when you have a material change in the condition of your company, you have to file a form commonly known as an 8-K. The form is there regarding financial condition or prospects. When a significant event occurred, you file this. When did you file that?

Mr. Smith: I do not recall.

According to my information it was September 7.

Mr. Smith: That makes sense.

OK. I heard in earlier testimony that you had not been directed by the FBI to withhold information from the public or to slow walk or do anything, right?

There may be two different questions there. The FBI evolved from a series of communications. But no, they did not ...

Mr. Smith: The FBI did not. The consultants did guide us.

Did they tell you you better file that 8-K?

Mr. Smith: As you mentioned, it was filed on the seventh.

On the seventh, but you discovered this in July.

Mr. Smith: With all due respect, we did not discover this in July. In July, somebody on the security team noticed what they described as suspicious activity. They put it in perspective. The company sees millions of suspicious activities against our data.

So you had an indicator. Let us call it an indicator on July 29. You hired a consultant on August 22. Why did it take a month and a week, and why ... can you tell your board about this, and why didn't you tell your board about this?

Mr. Smith: When Mandiant was hired, they had to rebuild the inquiries. It wasn't until late August when we saw ...

I will take that. It still took two weeks for your file.
You had members that sold shares, and you had the public who thought nothing was wrong and were buying and selling shares of Equifax. If a reasonable shareholder had gotten some of this information, they would have said maybe I will not purchase that stock. It seems like that would be a reasonable step for an investor.

Mr. Smith If I may, I will leave the rest of the points you made on the sale. The sale by the three individuals, two of them were back in August.

Got it. I know it was pre-file. I'll think there was insider information. What I am pointing out to you is that if your own executives did not know this was going on and it was being filed, it seems like you have the public both coming and going. Not just the data, but also for the fact that you falsely put your stock out there at a particular price. Mr. Chairman, my time has expired.

The time for the gentleman has expired. The chair recognizes the gentleman from California.

I renew my request that the witness be sworn. When John Stumpf was here we swore in that witness, and that is the precedent of this committee in situations like this.

The chair has already spoken to the matter.

You made a point that you are an unpaid volunteer for your company. I want to thank you for that service. Aside from the 90 million, you are uncompensated. I know you have disputed that figure, so I ask you to respond for the record, in detail, how much you have made in pension, stock options and salary at Equifax during your term there. We will see whether the reports of 90 million are accurate.

Timeline. March to July is the period when you should have noticed, or your company should have noticed, the problem and should have paid attention to the Homeland Security advisory, etc. That is one part of the timeline. Another part starts on July 31, when your chief information officer told you about the attack and that the website was shut down. There are those in this committee room who said the company did not act immediately on that on July 31. That is not entirely true.
In just one day, on August 1, three of your executives sold millions on their stock. That shows an immediate action right after the CIO reports. Does your company have any policies on allowing executives to sell, getting legal advice before they do that, or is it up to each executive to decide?

Mr. Smith Multiple questions. Let me address all. There was never a report on the 31st issued. It was a verbal communication.

You were told the website was shut down. Something significant happened, because the next day three of your executives sold millions of dollars in stock. Answer the question of whether your company has a policy of getting approval and legal review before your employees sell.

Mr. Smith Yes, there is a clearing process.

And how was that clearing process passed, selling the stock just a day after the chief information officer tells the CEO there has been a data breach?

Mr. Smith These three were Section 16 officers. They all followed the process.

And you do not think the process is broken when it approves the sale of 2 million in stock within 24 hours of when the CEO gets a report of the most enormous data breach you have had in your industry?

Mr. Smith I have no indication the process was broken. To the best of my knowledge, these three individuals who sold...

Just their luck. The initial response of Equifax was to have a website advertising a sure way to help consumers. In the website you trick consumers into forgoing their right to sue. Whose idea in the company was it to do that?

Mr. Smith The arbitration clause is what you are referring to. When we found out it was in there...

You just found out?

Mr. Smith It is a standard clause. It was never intended to be in there. It was removed within 24 hours.

After a huge outcry, including from members of this committee. You put out press releases telling people they may be among the 143 million people.
Is it the intention of Equifax to send a notice to those whose data were compromised, or is it up to them to find out?

Mr. Smith We felt what we thought was due process. We sent out press releases and set up a website.

Are you going to give notice to the 143 million people? Will you send them a letter? Or an email?

Mr. Smith No sir.

And you expose their data and will not give them a notice, not even an email.

420 million U.S. consumers came to our website.

That is more than the people in the country.

The time has expired.

Thank you, Mr. Chairman. Forgive me if I appear a little bit more disturbed or harsh, but this issue is very, very close to home. This past year, my tax identity was stolen. To be frank, it has been a complete and utter nightmare. This isn't just another data breach. It is a breach of trust. When we learned our tax identity was stolen, guess who we turned to for help? The credit reporting agencies. Although giving a free year of monitoring is a good first step, I do not have much confidence, to be honest, in the product. In addition, as chairman of the investigations committee, I will be closely monitoring the additional facts coming out regarding this case, especially those concerning the sale of stock by Equifax employees. None of us should prejudge before knowing all of the facts. Let me start by asking you this. What would you tell people like me, people who have previously experienced identity theft of some kind and have turned to Equifax for help? What would you tell these people who feel completely at a loss? How could anybody ever trust this company again, and we talked about trust as a committee, and feel protected in the future?

Mr. Smith We are a 118-year-old company. Data is paramount to our ability to gain trust, to have trust with consumers and companies around the world. What I would tell consumers is please go to our website and take advantage of the five offerings we have offered for a year for free.
Secondly, on January 31, when the new lifetime lock product becomes available for free for life, I would strongly recommend every American go get the product as well.

I recently read comments from Richard Cordray where he stated his intention to provide accountability concerning the data breach. Credit reporting agencies are overseen for consumers, but not for cyber products.

Mr. Smith I cannot recall; we have been in communication since they have been our regulator.

Were you personally involved prior to the breach?

Mr. Smith I cannot recall. I was not personally involved myself.

What interactions have you had with them since the breach?

Mr. Smith I have not had any interactions since the breach.

Wow. I wanted to take the opportunity for some questions. Can you tell us what categories of consumer information were accessed?

Mr. Smith I will give that a shot. We tried to be very clear in the series of press releases we have had in the past. The core credit file, their credit history with us, was not compromised. We talked about a database we had when somebody asked about small businesses. We have a database on small business. That was not compromised.

What kind of personal ID information?

Mr. Smith Date of birth, name, Social Security number. I think there were 209,000 credit cards. There was a dispute document where a consumer could dispute that they paid an obligation. They could upload that to a system. That was another example of what was compromised.

What sort of financial products could be opened in my name if those pieces of data were part of the breach?

Mr. Smith If a consumer takes advantage of the free services, no one has access to the file.

I thought my file was lost before, when my tax returns were breached. Again, my trust in the product is low. I have several more questions. I yield back.

Thank you, Mr. Chairman. Mr. Smith, I agree with the ranking member when she says... I will ask you questions. You are unpaid; you say you are no longer really with the company.
I do not know what we will do in reference to this. I'm here asking questions. I do not know how long you will be advising for free, whatever that deal is. I know when a consumer has a problem they cannot just get out of it with some kind of explanation. Your former employer, because of the nature of the business, has a special responsibility in regards to cyber incidents. It is clearly a problem with Equifax, but probably a bigger problem across the board with all public companies. There was a survey that found corporations did not talk about crisis management with management. If they fail to plan for these... Equifax's failure to respond to warnings, the delay in getting information to the public, and the missteps that you acknowledged today and yesterday are a few examples of Equifax's lack of preparation. What I am trying to find out is, prior to this breach, did Equifax ever adopt a written breach response plan that included a formal process of notifying the public, or did Equifax merely formulate a cyber breach plan post the breach? Secondly, prior to the breach, did Equifax ever have a crisis plan in anticipation of a breach, because you knew the significance of the data you are here to protect? Finally, if you say that there is, can you share with this committee the documents with evidence of Equifax's former cyber crisis response plan?

Mr. Smith Yes, we did have written documentation on crisis management, including cyber. Obviously, this is one of the top crises we could face as a company. I will go to management and have them provide you that documentation.

We will do that. My other two questions: did you have a written response plan, and did you test it in anticipation of a breach? Like a fire drill: if something should happen, this is what we would do. Did you do that?

Mr. Smith It has been done.
The challenge is, when you look at the size of this breach and the fact that we offered it to every American, victim or not a victim, the sheer scale of trying to stand up the environment and hire thousands, that takes weeks to train. You cannot just expect them to be trained and impactful day one. As I mentioned in my testimony, the team has gotten better each and every day from that perspective. I do apologize.

You mentioned a few of the things where you made mistakes early on.

Mr. Smith Yes, we do have practice...

I disagree with you. For example, the kind of information you are here to protect, you have to make sure each and every individual you hire is prepared. It is like information we have in protected documents; they cannot hire someone and say we can take a chance and maybe they can learn on the job, and if something happens we can excuse it. You need to make sure you have a plan that protects, both because of the nature of the information you are given and because of the numbers of people that are dependent upon you to protect their information.

Mr. Smith I understand your point.

The gentleman's time has expired. The chair recognizes the gentleman from Kentucky.

A representative from your company put it well: Americans expect their mortgages to be approved on time, their auto applications to be accepted while they're at the dealership, and retail credit approved while they're at the counter. Can you assess for us the extent to which this breach and painful experience for the American people may affect what you described as that miracle of instant credit?

Mr. Smith If we were to get to the point where we allowed consumers to opt out of the credit system, that would be devastating to the economy. If we do not allow consumers the ability to instantly lock and unlock at the point of underwriting, to your example, that would be devastating to the flow of credit.
The extent of the lifetime product will give the consumer the security he or she deserves, the ability to turn on and off access to credit so the flow is uninterrupted.

Can you tell me about credit freezes as a solution, or maybe not the best solution, to problems like this? What we are talking about is a consumer telling a credit bureau not to release a credit report unless the consumer contacts the bureau in advance.

Mr. Smith The credit freeze itself is something that was born out of regulation in 2003 and put into law in 2004. It is often confused with a credit lock. A freeze provides largely the same amount of protection as a credit lock. However, states dictate different means of communicating between a consumer and a credit reporting agency. It can often be cumbersome, requiring phone calls and mailing things back and forth. The flow of credit can be disrupted. The idea of a lock is to make it far more user-friendly, where you can be on your smartphone and literally toggle on to unlock and off to lock.

Looking at data security, you talked about the many different state laws you have to navigate. Tell us your view, after this painful experience, of what you think would be a solution. Would a national uniform breach rule be better for the American consumer? That is what a lot of us are thinking in the aftermath of this breach.

Mr. Smith I have not given that much thought, but I will.

What about fraud alerts? Are they sufficient?

Mr. Smith I think they do have value. The alerts give consumers peace of mind. The most valuable step is the concept of consumers controlling who accesses their credit data with a lock. I think the next step there would be to not only have Equifax offer the solution, but imagine a consumer being able to lock and unlock, for free for life, access to all three credit reports. That gives them the ultimate protection.
You went over this a little bit about why it took you a while to notify Americans about the breach. Why did it take so long? I think the average American would expect a more expeditious notification of the compromise of their information.

Mr. Smith We had a couple of thoughts. One was to make sure it was as accurate as possible for who was impacted and who was not. That takes time, as I alluded to in the oral testimony. The forensic firm advised us of an increased frequency in cyber attacks. We had developed plans to make sure we were prepared for those attacks.

My time is expiring. Can I ask you, if one of my constituents approaches me with a problem, will you commit to working with my office to help any of my constituents whose identities have been compromised?

Mr. Smith I will ensure the company does that.

Votes are currently taking place on the floor. The chair intends to recognize one more member and then go into recess. The chair recognizes the gentleman from Massachusetts for five minutes.

Mr. Smith, I want to join my colleagues in saying I do not like that someone who doesn't work for the company is here. Is there someone in the audience now who currently works for the company and has the ability to change internal policies? No. This is great. Thank you for coming, I appreciate it very much. From this point forward, do not take it personally. I know you cannot do anything about it, but I will use you because I'm hoping one or two people back in the company are watching. Probably not, because they do not care. You will find out. Is it fair and accurate to say that at any given moment Equifax has the financial information of approximately 1.2 million Americans?

Mr. Smith If I may. There are people working at Equifax who do care.

You can defend the company when they put you back on the payroll.

Mr. Smith Yes, over 200 million U.S. consumers.

And your accuracy rate is around 95%?

Mr. Smith How are you defining accuracy? You are referring to the credit file? There was an independent study done a number of years ago, and it found, if you define an error as something that is a negative influence on a consumer's ability to get a loan, over 99.9%.

OK. I use 95 because that is what I read, but the numbers are close. You have 200 million records, which means at any given moment there are 10 million Americans whose financial records you have wrong. You had 500 service reps, a problem of 20,000 customers per service rep that your company created. For 145 million, you will have 3,000 service reps. That leaves 48,000 people with a problem you created, not you, your former company created, per service rep. Do you think that is good?

Mr. Smith Our math... The math we have is 99%. Number two, if you have an issue with your credit file, we have an online electronic...

Let us talk about that for a minute. Since you were the CEO in 2014, you are familiar with Miller versus Equifax. You have heard of that case, I am sure.

Mr. Smith Vaguely.

That is a case where a judge found... congratulations on that case, because that case determined that you did not have to pay an 18 million penalty. You had to pay a 1.5 million dollar penalty because that is the most the Constitution allowed, and the judge found your actions were reprehensible. Her words, not mine. It is stated clearly; your own experts testified it is Equifax's policy to investigate and correct files after a lawsuit is filed, which is why I wanted to talk to somebody in the company to see if they are willing to change that. Since there is no one here, I guess not. I just wondered, you thought that was OK? Apparently you thought it was a good policy in 2014.

Mr. Smith If a consumer has a dispute on his or her credit file, we take it seriously. They have the ability to communicate with us directly. We work with the banks...

In this case you just ignored it and didn't do anything about it.
The only reason there was a lawsuit was because two people with the same name of Miller had their records combined. And you refused, after it was proved repeatedly for years, to do anything about it. It happens all the time. Every one of us gets complaints from our constituents that your company, not just you, the others in your industry, treat them like dirt. They cannot get student loans, they can't get auto loans, they cannot get ATM cards, because you will not do anything, by your own policies, admitted by your own people who used to work for the company, that say we do not do anything until you file a lawsuit. In the last 13 seconds I will speak to America and say, for the 145 million people, file a lawsuit and maybe you will get equity. Otherwise they will keep doing to you what they have been doing to you forever.

The time for the gentleman has expired. Votes are pending on the floor. The committee stands in recess.

This is one hour and 50 minutes.

[gavel] The committee will come to order. Without objection, I recognize the ranking member.

Under clause (d), I am submitting for your consideration a notification of our intent to hold a minority hearing on the Equifax data breach, properly supported by the majority of minority members.

The chair recognizes the gentleman from California, chairman of our Foreign Affairs committee.

Mr. Chairman, thank you. I thank Mr. Smith for being here today. Since September 7, my office and all these offices have received a lot of angry and anxious calls and emails from our constituents, and I think one of the things that really stands out is how a company that deals in data can not protect that data. The answer lies in what your company did not do. You did not protect their personal information. You did not encrypt that data. You did not patch a vulnerability you were alerted to on March 8. You did not disclose the breach to the public until 120 days after it occurred, and the insider trading allegations only add fuel to the fire.
Before September 7, who else outside the company, your hired legal counsel and the FBI, was notified of the breach? According to media reports, the LifeLock executive Fran Rosch was notified before the attack went public. Do you know who called Mr. Rosch to give him the heads up? According to Bloomberg, armed with information only a handful of people had at the time, Mr. Rosch mobilized the rapid response team. He knew the company would receive an onslaught of calls and signups in the coming days, and he was right. The phones were ringing off the hook; he bragged it was bigger than the Anthem breach. A tenfold increase in LifeLock customers, and here is the quote: "Most of them are paying the full price rather than discounts. Most were paying 30 instead of 10. It is a really incredible response from the market," unquote. What is incredible is that your company actually profited off of the relationship with LifeLock, which is a company to which you provide credit monitoring services. Here's the point I would like to make: LifeLock gets this heads up; Credit Karma or Intersections or the other competitors, did they get similar notice?

Mr. Smith Again, Congressman, I am unaware of the LifeLock discussion, let alone anyone else.

It is fair to say that LifeLock benefited from both the breach and the foreknowledge of it. LifeLock's parent company has seen its value rise by 10%. Did any officials at Equifax own stock in Symantec?

Mr. Smith I do not, sir.

Could you provide a list of executives that do? Someone in the company gave them a heads up so they had the opportunity to get the phone banks ready and, in advance of everyone else, started calling about their service at 9.99 instead of the 9.91 discount. Someone tipped them off from the outside, and someone tipped them off from the inside, and if you found out which executives owned stock...

Mr. Smith Your source was Bloomberg? I will look into that.
The time for the gentleman has now expired. Mr. Scott from Georgia.

Rep. Scott I represent the great state of Georgia. I love Georgia. When this news first came to me and my staff reported it, I immediately wanted to do everything I could to make sure that after this, Equifax would be standing tall. That they would be clean. That is my objective as a congressman from Georgia. Because, as you said, you represent a legacy for our great state. You are a 128-year-old company. You employ 20,000 to 30,000 people, many of whom are my constituents. Many of whom work and toil at your company, and they are great people doing a great job. It is important for the American people to know that what we have before us is a shameful situation for 145 million American citizens to lose the privacy of their Social Security number. Let it be known it is top management, it is you who is responsible for this. What I want to do is to be at the front of this. To make sure that Equifax regains the confidence and trust of the American people. My comments to you are going to be geared to that. Mr. Chairman called for an investigation by the Justice Department and certainly by the SEC. You are leaving this company, but there are others who are going to be there, and we have to make sure Equifax comes out clean and standing tall. This means more than... you said you were knowledgeable about this breach on July 31. Here is what happened. Executives sold 2 million worth of stock. And not only that, Mr. CEO, former CEO, it was your chief financial officer who led that charge to sell that stock. Now nobody's going to tell me you're getting information on July 31st and here they go dumping their stock less than 24 hours later. That has to be investigated and cleared if we're going to get the confidence of the American people back.
So it's this insider trading, anybody can see that, and I'm sure, and I hope that your predecessor, your, the guy who's going to be taking your place, I hope he's listening. That would be the first thing, and then the second thing, we need to make sure that these guys who sold that stock, who made 653,000 in savings from that stock with that inside information, that they pay that money back, and that they are fired. 143 million people losing this, there is no justification. We have got to make sure, and you have got to make sure, that we clean this mess up. Now I want to talk about the other way in which we can do this. You mentioned numerous times that it wasn't the intent of Equifax to include the arbitration piece. Well, now some have it, some don't. That's the next thing that needs to be done. No more of this arbitration clause. When you do things like that, the public will take notice, and our job is to clean that mess up and make sure we bring Equifax back standing tall. We owe it to the American people. Now the other thing that I would like, finally, is my staff informed me that most mortgage lenders pull all three reports from the big three credit reporting agencies, Equifax, TransUnion and Experian, so when you talk about this new lifetime lock product, it's not going to be effective unless everybody does it. I wish I had more time, but we're going to clean this mess up and we're going to restore the integrity and the trust of the American people.

The time for the gentleman has expired. The chair now recognizes the gentleman from Illinois.

Rep. Hultgren Thank you, Mr. Chairman. I know many of us have been hearing from our constituents; I certainly have. Marty says Equifax has given away my private information. They should have done it for me or pay me to do all this signing up and paying for these credit reports. Someone should go to jail for this.
Another constituent said this careless action caused the loss of personal information on a scale never seen before, because they failed to patch their servers for a known problem; combined with the careless handling of highly sensitive personal information, their action went far beyond carelessness to negligence. Legislation should be put forward to increase regulation on these entities, not decrease regulation. Equifax must be held accountable and liable for all damage the breach caused, and all credit reporting firms must be held to higher standards of security. And another said my personal information has been lost twice. Both companies are offering a limited subscription to identity protection companies. HPF is offering a free year subscription to protect my ID, owned by Experian. Equifax is offering a one-year membership to a trusted subsidiary. It seems like a twisted marketing campaign to me, he said. Home Point Financial claims to have lost those Social Security numbers, birth dates, driver's license numbers, and many of these numbers cannot be changed. What good is a one-year membership? This data is lost and valuable until I pass away. Is it ethical that a company that loses all my personal data conveniently owns the service of the product it wants me to pay for to help protect me from its eventual use? It's time that all these companies are held liable and forced to offer lifetime memberships. Please help us, all of us, this is out of control. Many other constituents are concerned. I talk with parents of young people whose information has been compromised. When this committee sends questions for the record, and there will be many, will the response come from you or Equifax?

Mr. Smith They will come from the company, Congressman.

Rep. Hultgren How should we proceed in getting those answers from Equifax? Equifax has been investigating the breach for over two months. Has the identity of the hackers been determined?

Mr. Smith No, Congressman.
We are engaged with the FBI.

Rep. Hultgren Do you have an opinion on whether it will be determined?

Mr. Smith I do not.

Rep. Hultgren Did outside data security consultants tell Equifax to delay notifying the public? What change allowed Equifax to notify the public in September?

Mr. Smith It was a team effort of the forensic examiner, the law firm and security, trying to balance that with notifying the consumers.

Rep. Hultgren Did a playbook exist?

Mr. Smith There was a crisis management process we have had in place for some time.

Rep. Hultgren It does not appear like you were ready for it. That is our question. The incredible delays. You have heard from my constituents. This is a small sampling of incredible frustration and fear. Their information has been compromised, and this is information you cannot go back and change. You cannot get a new birthday or a Social Security number. If Equifax had wanted to notify consumers within one week, did Equifax have the ability to do so?

Mr. Smith We moved with haste, as I mentioned in my oral testimony and my written testimony. It wasn't until August; that was continuing to move, and we moved as quickly as possible thereafter.

Rep. Hultgren Has there been any uptick in identity fraud or theft since the breach?

Mr. Smith Not that I am aware of.

Rep. Hultgren Would you expect something like that to occur?

Mr. Smith If consumers take the services we offer, that will give them great protection.

Rep. Hultgren There is a concern when the same entities are...

The chair now recognizes the gentleman from Illinois.

Rep. Foster What I would like to talk about are things that Congress could have done before this that could have prevented this. You would have needed a team that's looking every day for security breaches, which you obviously didn't have in place, so one way to make that happen is by making a requirement that you actually carry enough insurance to make customers whole when this thing happens.
It's my understanding that statutory damages for a breach like this are roughly 1,000 per person, which means that the total potential liability for 140 million people is 140 million, more than 10 times the market capitalization of Equifax, so you clearly can never self-insure, or at least a company with your business model could never self-insure. On the other hand, some of these have settled for a lot less, just a few dollars per person for a data breach incident, so it is not clear what it should be. What would you personally, for yourself or one of your family, want as remuneration for having your private information up for sale on the dark web?

Mr. Smith Congressman, the suite of services we are providing for free, in some cases...

Rep. Foster If I came up to you and said I want to publish your information on the dark web, would you do it for a thousand dollars?

Mr. Smith No sir.

Rep. Foster 10,000, 100,000, everyone has that number, but it's well north of a few dollars per person. Without even having a negotiation, we're having this pain inflicted on people. So let's just stick with the 1,000 a person, that's statutory, plus punitive damages. So now, if Congress were to require that any company like yours that held information for people, without asking them necessarily to opt in, had a requirement that you would hold enough insurance to make them whole if there was a massive data breach, that would be a very expensive insurance policy, correct? You can say a 140 million liability. Most customers are going to end up getting less than what their actual damages are. Do you know how much, on average, you would charge someone who waited to get their credit unfrozen?

Mr. Smith One of the offers we have to consumers is an insurance policy, over five different services for free.
If the consumer has losses, expenses in trying to get their credit repaired, that is 1 million.

Rep. Foster OK, but I'm trying to understand under what conditions you would have assembled a team, either yourself or an insurance carrier, assembled a team that would have prevented this. If you had tens of billions of dollars of coverage on this, I imagine that would have funded a very aggressive team of people who, every time a patch came out, would say oh boy, let's go and figure out if you have applied that patch, and they would be looking at your source code for anything a company offering that kind of coverage would demand. Do you think that's a possible way that we could actually prevent this in the future?

Mr. Smith Congressman, we have notifications routinely every year for patches. This is a very unfortunate mistake; I mentioned the mistake, I apologized for it. The insurance approach is not the solution. It is preventing the human error and the technological error that occurred.

Rep. Foster But there will always be human errors. What you need is a red team who sits there and looks for human errors and flags that immediately, and this has to be a very expert team; nothing short of that is going to rapidly catch the kind of human errors that will naturally happen. So anyway, this is one of the things I'm looking at, because it's the only free market solution that I think has a chance of preventing this in the future. Thank you.

Time for the gentleman now expires. The chair now recognizes the gentleman from Colorado, Mr. Tipton.

Rep. Tipton The question was around whether or not you had protocols in place to be able to address whether or not the information was being reported properly internally, but also to the government entities that are responsible for oversight. And I didn't hear you respond to the question: whether you have written protocols in place to make sure that the governing bodies overseeing you are notified in a timely manner. Would you address that?

Mr. Smith Yes, there were protocols in place, the protocols starting when the security individual saw suspicious activity. Protocol number one, he or she shut down the particular portal, started the internal investigation, followed by the additional protocol, which was to notify and engage an outside cyber forensic auditor, and engage outside counsel to help us with the investigation, and protocols followed all the way throughout the time of notifying the regulators, AGs and the consumers.

Rep. Tipton Looking forward, to try and be a little more solutions-oriented. I understand and appreciate the comments that you have made regretting what took place. Are there protocols, are there actions that this Congress might be taking in terms of some of the regulatory bodies to incentivize earlier action, earlier notification, not only to the governing bodies but also to the consumers as well, that we ought to be looking at?

Mr. Smith Congressman, what I would love to see both Congress and companies tackle is the concept of whether there is a better way to identify consumers in America other than the SSN. Unfortunately, the number of breaches that have occurred over the years have exposed so many SSNs that were vulnerable. So I would love to see us engage in that discussion.

Rep. Tipton In terms of internally, there is the Wall Street reporting that independent groups analyze vulnerabilities of Equifax. Do you look at that sort of analysis, and who is responsible for identifying that and taking it seriously, to see not only that patches are needed but that we are being proactive to make sure that the breaches do not take place?

Mr. Smith Yes, we routinely bring in outside consultants and advisors to help us check and double check steps we have taken since the breach, as well as long term, to make sure we are more secure.

Rep. Tipton I yield back.

The chair now recognizes the gentleman from Maryland, Mr. Delaney.

Rep. Delaney I have questions about how your board interacted around this matter generally.
Rep. Delaney: It says in your testimony that you became aware of the information on August 11, but that you notified the lead member of the board of directors, Mark Feidler, on August 22nd. Did you have any conversations with other board members before that?

Mr. Smith: Let me clarify, if I may. The first debriefing I had of any significance was on the 17th of August.

Rep. Tipton: Between the 17th and the 22nd, did you have any conversations with other board members?

Mr. Smith: The 24th and 25th, we had two board meetings.

Rep. Tipton: Is it normal to wait so long to update your board?

Mr. Smith: The data was developing every day, all day. I thought that was an appropriate timeline.

Rep. Tipton: For the requirements on public companies as it relates to controls, was cyber security considered by the directors of the audit committee? I used to have to sit down with my management team and get certificates where they would assure me things were being done in accordance with our procedures, and the audit committee would review these things so they could do their jobs under the requirements of the law. I'm sure you engaged in a similar process in your company.

Mr. Smith: We had two ways to engage with the board. The top of the list was cyber security. We also went through deep dives with the board of directors on security risks. The main communication we had was with the technology committee. It is comprised of individuals most of whom have a deep understanding of security. They would go into details of our security standing as well.

Rep. Tipton: If you could put it in a pie chart, what percentage of time was spent thinking about cyber security risk?

Mr. Smith: I would be guessing if I were to make that guess.

Rep. Tipton: Did you regularly have full discussions around the board table about this specific risk? You identified it as a risk factor in your financial statements. Would you say 5%, 10%, 1%? You chaired the board, so you have a sense as to what occurred.
Rep. Tipton: On the agenda, was there a regular item about cyber security or data breaches at every board meeting?

Mr. Smith: Not every board meeting.

Rep. Tipton: Which committee is responsible for that?

Mr. Smith: The technology committee.

Rep. Tipton: The audit committee did not?

Mr. Smith: The entire board had a few. The technology committee, we are a technology company, it was responsible for oversight.

Rep. Tipton: Would the technology committee make a presentation at every board meeting?

Mr. Smith: Yes.

Rep. Tipton: Were there discussions about the technology budget at the board level?

Mr. Smith: The technology committee would approve the technology budget every year, and they would bring it to the board for approval.

Rep. Tipton: Or at committee level? How mindful was the board of the likelihood of a risk like that?

Mr. Smith: Very likely.

Rep. Tipton: Your board spent time...

Mr. Smith: We took that very seriously.

Rep. Tipton: As part of the disclosure statement you received as CEO, your report certified things were being done correctly. Was there some mention of the cyber risk and the potential for a data breach, and assurances the system was in place?

Mr. Smith: That is a risk we face.

Rep. Tipton: Have you had any other significant events in the company where you notified your board with these problems?

Mr. Smith: Have we ever notified the board of a security risk?

Rep. Tipton: If you realize you are not going to make your earnings, would you call the board and notify them?

Mr. Smith: If there were a risk to our financials, we would notify the board.

Rep. Tipton: Sooner than five days?

Mr. Smith: We have never had to do that during my time there.

The gentleman's time has expired. We now recognize the gentleman from North Carolina.

Rep. Pittenger: We are addressing an egregious concern in our country. We have national security threats. Financial systems, our government, the private sector spend hundreds of millions of dollars every year on cyber security measures. We are aware that 143 million consumers were exploited and another 2.5 million people have been affected beyond this initial count. Are you sure that the 2.5 million additional people who have reported their data has been compromised, is that the last?

Mr. Smith: It is my understanding from the forensic... it is not unusual. My understanding is he said the forensic review is...

Rep. Pittenger: Prior to this security breach, did Equifax have preventive measures in place to combat a data breach of this magnitude?

Mr. Smith: A breach of this magnitude would not have occurred if everything was in place.

Rep. Pittenger: Elaborate on additional measures you believe could have taken place at this time.

Mr. Smith: From the time of the announcement and before the announcement, we engaged experts to help us increase monitoring techniques; they call it white labeling. A variety of things were put in place before the announcement on September 7. Plans, 60-day plans and 90-day plans. We have a consulting firm to help us rethink our strategy.

Rep. Tipton: Do you engage in testing your databases for vulnerabilities?

Mr. Smith: We do.

Rep. Tipton: Can you please explain the process? I would like you to explain the process of the standard by which Equifax stores consumers' personal information.

Mr. Smith: There are a variety of techniques used from a security perspective.

Rep. Tipton: Is there an encryption procedure in place?

Mr. Smith: There is encryption, masking; there are layers and different ways to secure the data.

Rep. Tipton: Do you feel like there was adequate encryption in place? Could you have done more to prevent what occurred?

Mr. Smith: If we could have prevented the human error and the scanner not finding this, that would have prevented the issue. There are different techniques used in different areas.

Rep. Tipton: How do you and the rest of the leadership of Equifax plan to restore the trust of consumers? Thank you for coming; this is a hard time in your life, but it is a much harder time for the Americans whose data was exploited.
The chair now recognizes the gentleman from Missouri.

Thank you for being here. More than 2.5 million Missourians had their information exposed in the Equifax breach and will likely be impacted by it for years to come. Can you share with this committee and the American public what types of activity these people whose identity has been compromised can expect? Tell them what kind of activity they can expect from the thieves that took their personal information, because most Americans have never had an identity theft occur to them. Can you give them, give us, some examples of what they can expect over the next year?

Mr. Smith: Congressman, I would answer that two ways. One, we have offered a comprehensive suite of services free to all Americans; these are the five different things we talked about earlier. We have offered that to everyone who could have been impacted by the different breaches.

Rep. Tipton: But describe for this committee and the American public the hellish nightmare they are about to go through when they go to the IRS and someone has filed taxes in their name and gotten a refund from the IRS, or someone has gotten a credit card in their name.

Mr. Smith: Congressman, one of the things we talked about is the lock. The consumer takes that lock, locks access to the file, and no one can open a credit card in his or her name, as an example.

Rep. Tipton: Equifax has offered consumers a year of free credit monitoring service, free credit freezes, and they promised to provide a better product that has been described as a lock on consumer credit reports. At an Energy and Commerce meeting, he stated that credit freezes and credit locks are, quote, truly virtually the same. If they are the same, what is the need for the new term?

Mr. Smith: Congressman, the protection to the consumer is largely the same. The ability to freeze and unfreeze is cumbersome and dictated at state levels. The locks coming out in January 2018 will be useful.
Mr. Smith: Consumers can lock and unlock from their iPhone.

Rep. Tipton: Because security freezes are covered by state law, will consumers be protected from financial liability?

Mr. Smith: Locking or freezing protects the consumer from someone accessing their credit to rent an apartment. It is a secure way to protect their credit file.

Rep. Tipton: I am talking about the activity that occurs when they are compromised, when their identity is compromised. What kind of comfort can you give these people? Can you tell them anything, that your company will work with them to resolve this, or what?

Mr. Smith: We are working with consumers. We have five or ten products; they can lock and unlock their credit file for free.

Rep. Tipton: Do you agree that scaring consumers into a product that is covered by a contractual agreement with your company, when this is already covered by many state laws, raises concern?

Mr. Smith: The freeze is still our product. The way a consumer gets access to freezing is state law.

The time for the gentleman has expired. The chair now recognizes the gentlelady from Utah.

Rep. Love: ...are affected by the breach. If you extrapolate that to Utah, that is 4.3 million Utahns affected. What sort of financial products could be opened in my constituents' names if their data was part of the breach?

Mr. Smith: We have the data of those who were victims of the criminal hack by state level. If that would be interesting to you, we can get that to your staff.

Rep. Love: If they were affected, what kind of products could be opened in their name?

Mr. Smith: They can lock their file so no one can access it. The lock prevents that from happening.

Rep. Love: If they did not get a lock, that means credit cards can be opened in their name. I just want to get a list of things they need to look out for.

Mr. Smith: If you are a victim of the criminal attack, we will send you notifications of the suspicious activity on your file.
Rep. Love: Has there been any uptick of theft or identity fraud since the breach?

Mr. Smith: Not that I am aware of.

Rep. Love: How do you know?

Mr. Smith: We have it on file.

Rep. Love: If there were to be some upticks, when do you expect to see those? For my constituents that were impacted, how long should they expect to remain concerned about the potential risk to their credit file?

Mr. Smith: The first thing they should do is lock their file. If they lock their file, they will rest better.

Rep. Love: What I'm trying to do is give a clear vision to people who are watching of what you need to do. I understand locking their file. Some people watching can do that. But in the meantime, I need to give them an idea of what to look out for, what they need to be aware of.

Mr. Smith: If the consumers in Utah or anyone in America takes advantage of the free service, whether you are a victim or not, they get monitoring of all credit files. It is your credit file for us to look at for suspicious activity. A dark web scanning service; we scan the dark web for activity. We have the ability to lock the product for them. Those five products should give the U.S. consumer far more comfort.

Rep. Love: Can you explain the difference between a credit lock and a credit freeze?

Mr. Smith: The credit freeze was passed at the state level. It is the ability and means by which a consumer comes to us, versus the lock, which will be application-enabled, on and off, much more user-friendly.

Rep. Love: I want to reiterate one more thing. You are committing to work with people who may have been affected or may have had their identity taken and used, for their lifetime?

Mr. Smith: We are offering every American citizen a lifetime lock. They can lock and unlock for life.

The chair now recognizes the gentleman from New Jersey.

Rep. Gottheimer: As a former Microsoft executive, I have an appreciation for corporate integrity and where the buck stops. I've had these issues come up all the time. It is how you handle them.
Rep. Gottheimer: Your response has been more of "Equi-fix." Out of the 145 million consumers impacted, only 7.5 million have signed up for monitoring services. Why do you think only 10% have, and why not auto opt everyone in?

Mr. Smith: It requires the consent of the consumer.

Rep. Love: Why not send them a letter? Can we get more people signed up? Are you not willing to do that?

Mr. Smith: The 2.5 million released earlier, the victims of the crime on Monday, they were notified by mail. As for the others, they were notified by email. We followed the process that was legal.

Rep. Gottheimer: What is being done to resolve the problems of your website, to make it more stable and to make essential information more accessible? What do you do about the websites crashing?

Mr. Smith: We have come a long way. We have taken the right steps to fix that experience. The experience with call centers and the website is far better than on September 2.

Rep. Gottheimer: When they crash, people get even more anxiety. Credit lock, credit freezing and identity theft insurance?

Mr. Smith: The arbitration clause is on a product we sell the consumer. The intent was never to have the arbitration clause apply. We were made aware of that within 24 hours and took the arbitration clause off.

Rep. Gottheimer: Equifax is claiming to provide $1 million in identity theft coverage for consumers, but the timeframe can be unclear. Does Equifax believe this insurance is in lieu of reimbursing customers for their actual losses? I know this does not cover everything.

Mr. Smith: It is expenses incurred. The five services we are offering up front, including the ability to lock for life, is the right step for consumers.

Rep. Gottheimer: I think this is a big issue. You see these insurance companies providing these coverages, but it does not cover what people think. When liability occurs there are holes. I'm sure you heard about the phone call wait times.
Rep. Gottheimer: One of my constituents wrote they were on the phone for an hour. What has the improvement been?

Mr. Smith: We have gone from 500 call center people to over 2,500.

Rep. Gottheimer: The wait time now?

Mr. Smith: It has come down significantly.

Rep. Gottheimer: Can you get us those numbers? It should not be more than a couple of minutes. People have huge anxiety over this issue. People cannot feel like this is a scam. They have to feel like you are making their lives better. Thank you for your time.

The time for the gentleman has expired. The chair now recognizes the gentleman from Arkansas, Mr. Hill.

Rep. Hill: My family has had the pleasure of being in the OPM breach, and we are so gratified seeing your email about being in the Equifax breach. In Arkansas, 1.2 million people, some 40% of the population of the state, are covered by the breach by Equifax. We appreciate our chance to ask the hard questions. I want to follow up on some of the line of questioning and start out talking about the management practices at Equifax. Did you have a weekly executive management meeting?

Mr. Smith: Are you referring to post breach?

Rep. Hill: As a general practice at Equifax, did you have an executive management meeting on a regular basis?

Mr. Smith: Yes, we had routine operating mechanics to run the company.

Rep. Hill: It is a mix, and I'm sure a mix of levels of people in the company came depending on the topic. In your direct report meeting, was Mr. Gamble in those meetings?

Mr. Smith: It would depend on the meeting itself. He would be involved with many of the meetings.

Rep. Hill: The president of information systems, would he have been in that meeting?

Mr. Smith: I have 12 to 13 direct reports. They are direct reports to me. They would be in most of the meetings we have.

Rep. Hill: Mr. Kelley, the chief legal officer?

Mr. Smith: Yes.

Rep. Hill: I am curious, in that meeting of your trusted direct reports, between March 8 and the end of July, did this topic come up among that group?

Mr. Smith: No, sir.

Rep. Hill: In that time between March 8 and the end of July, when were you told it was a serious business?

Mr. Smith: It was not until the detailed review we had on the 17th of August with the cyber security forensics team and a legal team, my team. The 17th of August was the first deep dive.

Rep. Hill: Let me turn and talk about Section 16 officers in the company. The people we talked about are Section 16 officers?

Mr. Smith: Correct.

Rep. Hill: I assume your holdings would be covered by some preplanned arrangement to sell stock?

Mr. Smith: Yes.

Rep. Hill: Both your personal holdings and any options that were in the money at the time of filing, under your plan as a corporate officer?

Mr. Smith: Some officers may have had a 10b5-1 plan. The general intent was the general counsel has a clearing process he has to approve.

Rep. Hill: How many days a quarter do you think you have available for trading under those plans?

Mr. Smith: A 30-day window; we wait a day or two, the general indication is sooner in the opening.

Rep. Hill: Can you think of a time when your general counsel canceled that window due to material nonpublic information when you were CEO? You could not use the window because people had material nonpublic information?

Mr. Smith: A few times, yes.

Rep. Hill: Did you have a lead director on your public company board?

Mr. Smith: Someone we call the presiding director.

Rep. Hill: When did that person find out about this?

Mr. Smith: The 22nd of August.

Rep. Hill: Thank you, my time has expired.

The chair now recognizes the gentleman from Minnesota.

Rep. Emmer: You have heard this over and over today and in your prior three congressional hearings. I, like most people, am very concerned about the timeline of events.
Rep. Emmer: I appreciate what I take as a sincere apology from yourself on behalf of Equifax and the acknowledgment of both the human error and the process that did not work. The timeline of the discovery of the issue, the sale of stock by top company executives; in Minnesota we have over 2 million people identified at this point. It raises significant ethical and legal questions. I want to start by echoing what our chairman said at the outset of this hearing, and that is the company, and I would say current and former executives like yourself, I would hope, will continue to cooperate to the fullest extent so that the truth can actually get out into the light and people can know exactly what happened. I know you cannot commit on behalf of the company, but I'm sure you can commit on your own behalf that even in your current capacity you're going to continue to cooperate to the fullest extent.

Mr. Smith: Absolutely.

Rep. Emmer: I wanted to talk about the area. It is about Equifax, but I don't know if people are talking about it; even if we all know it, it seems to be unspoken. This is a fast-changing environment. I was in a business in Minnesota and they have this huge investment in technology. They take you into the back room and they have these flat screens and they are showing you, in real time, all of the impacts of what is coming in at the minute. This is a huge issue. In 2014, the U.S. Postal Service had a breach that exposed personal data on almost one million employees. In 2015 there were almost three quarters of a million people affected by a breach. The Office of Personnel Management had one in 2015, and the SEC had the breach of the EDGAR online filing system. This is not just about Equifax. This is a much bigger issue. There are two areas I would like to talk to you about.
Rep. Emmer: I get worried in this place that the snap reaction of elected officials is more regulation, more stuff that you have to comply with, which I suspect takes resources away from the stuff you are trying to do to keep up with the ever-changing technology and the way the bad guys are trying to breach the systems. Talk about that before we talk about rethinking Social Security numbers and dates of birth for identification.

Mr. Smith: Congressman, I share your views. A recent publication came out that in 2016 alone there were 4 billion pieces of consumer information hacked in one year. It is a rate I have not seen in my career, accelerating into a real issue that public and private partnerships can work on. If it can prevent a breach like this from occurring, I am all for it.

Rep. Emmer: As you go forward into the next stage of your career with the experience you have, would you give a word of caution to those of us looking at this, to be very careful about whether there is a magic regulation, because of the compliance costs that come with it and how that could negatively impact your ability or others' ability to keep up with the technology?

Mr. Smith: Yes. Oftentimes, we are all in an irrational environment. The first thing we think is regulation is the issue. I think there are a lot of things the public can do. You mentioned one of them, think about the identifier that we use for the American public and the position beyond that.

Rep. Emmer: Thank you very much. I yield back my time.

The time of the gentleman has expired. The chair recognizes the gentlelady from Arizona.

Thank you. I am troubled by the data breach that compromised the personal information of 145 million Americans. Every American should take precautionary measures to ensure his or her financial security. Arizona seniors are particularly at risk, especially now. We must make safeguards to protect them from financial fraud. I have been working with the congressman from Maine to pass the Senior Safe Act.
This ensures financial institutions have the regulatory flexibility to report instances of abuse of seniors. Everyone needs to know his or her data is safe when applying for a credit card, accessing a small business loan or buying a home. Today's hearing is an important step in finding out what went wrong and what must be done to protect consumers. Thank you for being here today. By your account, it took Equifax 40 days to let the American people know, via press release, about a data breach that lasted 77 days. The exposure of the IT staff for the 65 days leading up to the breach. That adds up to 182 days of Equifax failing to put Arizona families first. Your testimony before this committee seeks to explain your activities before the press release, but does not excuse the end result. An Arizona person whose name was taken was left vulnerable and in the dark about the data breach for 117 days. That is disgraceful and unacceptable. More than most, people in Arizona value privacy. We value the independence to make financial decisions for our families and economic future. Instead of taking precautions to secure our data, Equifax made millions of people vulnerable to identity theft and financial fraud. Now we must take every step possible to minimize the damage and better address the breaches. It is believed that for the vast majority of Americans, this was limited to their credit header data. That includes name, address, date of birth, as well as addresses, aliases and Social Security numbers. My first question is, while this information is highly compromising, it does not include their most private financial information. Are you aware of attempts to broaden the scope of the breach to capture private financial information? If so, were any of those attempts successful? If not, why do you think hackers opted to forego it?

Mr. Smith: Congresswoman, there are millions of attempted or suspicious attacks each and every year across a wide array of our data assets.
Mr. Smith: We have no knowledge, from the forensic audit done, that any of the core credit data that you referred to was compromised. As to why, that goes back to the written and oral testimony I gave, which is that the software that sat in a different environment, completely outside the credit file, was not patched. That's why they were able to penetrate that environment.

Your testimony stated it took the IT staff 76 days to notice suspicious activity after the breach began. Could you tell me exactly how the intruders were blending in with normal network traffic, and what do you think took the IT staff so long to notice the breach?

Mr. Smith: They were fairly sophisticated, the criminal hackers. They moved about the system without moving large files, but the files themselves in size were not suspicious. They were clever enough not to move at speed. We have velocity indicators to look for things moving at very high speeds. They were sophisticated enough to do neither.

While the Equifax breach was significant, it was only one of the five largest data breaches in the U.S. All five have happened within the last five years in our country. We, as a community here in Congress, must recognize they are increasingly frequent and undermine the trust Americans put in the marketplace and their government. Whether it is Equifax or not, Americans deserve to have institutions, public and private, that work in good faith to safeguard data. I would urge that Congress recognize that cyber security is not a niche issue. We must find real, bipartisan solutions that give Americans the opportunity to succeed. I yield back my time.

We recognize the gentleman from Ohio.

Thank you for your testimony and sincere apology. We recognize all these companies are staffed by humans, and humans fail, as does technology. However, we also recognize the high duty of care, the responsibility of fiduciaries. I am concerned about the reporting structure on the board and the attention given to governance. Does IT report through the CFO or report directly to you as CEO?

Mr. Smith: Direct report to me.

Within IT, you said you are a technology company. What is the structure like within IT? Is there an information security officer that stays in the IT channel, or is it broken out separately?

Mr. Smith: The chief security officer, the global security officer, is a direct report into the company. The general counsel reports directly to me.

OK. So you feel that your governance structure was adequate?

Mr. Smith: I'm not sure I understand the question.

Given that this error happened, you mentioned you had some closed loop system failures, where you had things that are supposed to happen but didn't have a closed loop system. Do you feel there was a failure in governance? Was structure part of the issue at all?

Mr. Smith: I don't believe so. I don't think structure determines success or failure of a process or the business. It is people and technologies doing the right thing. So having the security officer report to me and the CFO, I'm not sure would change the outcome we experienced.

OK. That's concerning, but that's your philosophy. On trading, so, when you look at, aside from the cyber security concerns, which have been covered extensively, I was planning to go down the similar path of my colleague, Mr. Hill. He talked about how trades of board members and executives within the company are approved. What is the timing like for that? And I noted that you said there were times where, because shareholders of record inside the company had information that was nonpublic and material, those trades were suspended. I can't think of a more public time where it would be appropriate to suspend a trade than while you had a breach of this kind. Was that an error, an omission, or do you feel the governance worked correctly in that instance as well?

Mr. Smith: Let me be clear, if I may. There is a process to clear trades; it goes to the general counsel. These three individuals that traded, it is my understanding they had no knowledge of the breach.
Mr. Smith: Remember back to the time we talked about earlier? It was the 31st when the portal was shut down. We hired the forensic auditors and law firm on the 2nd. It wasn't until later, in mid-August, that we had an indication something was going on that involved large amounts of data. They traded the first and second of August. They followed the process we had in place at that time.

OK. So, based on the knowledge that your counsel had, who reviews these sorts of things, would it have been part of the procedure to say, hey, we have just had some very substantial material information that is nonpublic? Isn't there a clear concern, four days of testimony here, I'm sure you are going to keep talking about this for a long time, that given the amount of material information that was nonpublic, executives and board members should not be trading in these shares?

Mr. Smith: Congressman, again, a clarification. On the 31st of July, the only indication we had was that there was a suspicious incident. No knowledge of a breach until weeks and weeks later. Number two, it should be noted, this is the topic that is a priority for the board of directors, and there is an investigation currently going on by the independent board of directors.

Do you think it was a mistake to not cancel pending trades, even if they were ordered before the discovery of this nonpublic information, given they were actually going to occur?

Mr. Smith: Congressman, on the first and second of August, we had no idea other than a suspicious incident in a dispute portal.

My time is expired. I yield back.

The gentleman yields back. The chair recognizes the gentleman from Colorado. The gentleman passes at the moment. The gentleman from Tennessee is recognized for five minutes.

Thank you, Mr. Chairman. Thank you, Mr. Smith, for being here today. If I could, I think from my standpoint, in listening to others question you today, really the most glaring problem is the length of time between when this breach occurred and when the public was notified.
I have heard your explanation this morning. On September 7, when Equifax claimed they had recently discovered a cyber security incident involving consumer information, of course you knew in July. If I could back it up, from a governance standpoint, did Equifax have a preexisting plan in place for a contingency such as this?

Mr. Smith: Before I answer the question, a point of clarification. I was not aware in July that there was a breach. I was not aware until mid-August, as I said before, not until late August, that there was a breach. That continued to evolve to September 7, and that continued to Monday of this week. To answer your question specifically, yes, there was a written crisis management protocol in place that applied to many crises, including a data breach.

Did it anticipate a breach as big as this breach?

Mr. Smith: No, the crisis management protocol we have in place is for a breach in general. It doesn't specify that you react differently for 145 million versus 5 million.

Did Equifax, in fact, use that protocol for this breach?

Mr. Smith: Yes.

Was it executed properly?

Mr. Smith: Not without issue, as we talked about. That's because the system, the people, were overwhelmed by the sheer volume.

I understand the website that you set up that provides consumers information about the breach, which is equifaxsecurity2017.com, that domain name was secured about August 22, does that sound about right?

Mr. Smith: Sounds about right.

So that website in some form or fashion was ready to go some two weeks prior to the announcement, is that right?

Mr. Smith: Yes, Congressman. That's approximately right. The thing we talked about is the data was still moving. It was fluid. We wanted to be as accurate and transparent as possible on the data. Number two, we talked about the cyber security forensic team that recommended we prepare for increased cyber attacks post announcement, and third, we had to stand up the environment you referred to to get access to the free services.

This morning, the chairman asked you about law enforcement.
I understand the FBI is involved, they are leading the investigation, is that correct? That's correct. Is the Secret Service also involved? Not to my knowledge. Are there other law enforcement agencies involved in the investigation? There may be. I have been focused on the FBI. Law enforcement, including the FBI, may possibly be other law enforcement. There are other agencies involved in the investigation. Is there any law enforcement agency or agency whatsoever that came in and recommended to you or Equifax that you not disclose this breach until you disclosed it in September? To the best of my knowledge, no. They were involved starting August 2. We communicated with them routinely throughout the process and we made them aware in September that we planned on going live on September 7. As you mentioned earlier, you hired the cyber forensics team on or around August 2. You mentioned hired for legal purposes. You also hired a PR crisis team. Yes, Congressman, we did. Who is that? In fact, we hired two. A company called Everland, a well-known crisis team at the tactical level to help us understand, track a variety of input from different sources, social media, the broadcast media, regulators, state AGs, and a crisis management strategic consultant as well. You mentioned King and Spalding. Have you contacted any other law firm regarding the bankruptcy of Equifax? No, sir. No bankruptcy protection whatsoever? A law firm or anyone else? No, sir. Has Equifax sought information on bankruptcy protection for Equifax? Not that I'm aware of. The chair recognizes the gentleman from Maine. Thank you for being here. I know you have been on the Hill quite some time. A lot of these questions have been asked before. But you know, this is so important because it goes central to our economy. It really does. Here we are on a pro-growth agenda, we want to have lower taxes and fewer regulations and trade and energy prices that are stable. Then this happens.
I know you folks got hacked. And I know you are doing the best you can with it. But, you know, the result of this might not be felt for quite some time. Think about this, a third of our country, 40% of our country, I don't know, 60% of adults. 145 million people. 145 million. Criminals now have the Social Security numbers, addresses, birth dates. When my mom was 89, I had to sign her up for Medicare. You need her Social Security number. This is serious stuff. I accept your apology, I hope the American people do, I don't know if they will. We have 1.3 million people, a half million got affected by this. Now, I am also very concerned about the perception, at least, of wrongdoing when it comes to our securities law. You are a publicly traded company, or Equifax is. In rural Maine, people saving for college or retirement, little savers, small investors, the little guy, they can buy some of your shares in the open market and take a bet your growth is going to reward them. Take a bet on the economy. All of a sudden, we have material here, if you believe it. I don't know, this investigation that is going on, that says in late July, you folks knew about a breach, and a breach which is central to your business. My gosh. You folks collect all this sensitive information and sell it to banks and automobile dealers and what have you to make sure they get accurate credit reports and money flows to the economy and families can buy homes and cars and businesses can grow. This is really serious stuff. So, any breach of that information, your business plan, is central to your success as a company and therefore affects your stock price. Now, we see information, if it's true, I don't know. You had folks on the inside and it's really hard, Mr. Smith, for me to accept the fact that you have a dozen people reporting to you and they didn't know what the heck was going on when something is so central to your business plan.
It looks like some of these folks acted, three in particular that I mentioned, acted to sell their stock before the breach was announced, a month before, to escape loss in the stocks they own, which is stock in your company. If that's the case, the little guy gets screwed. Because guys on the inside who know this information avoid the loss. The little folks that I represent in Maine are hardworking. They save every penny and they are worthy of all the income they have. They invested in your company, in America, and they get screwed. I have a question for you. Now, I may be wrong about this, Mr. Smith, but the information I have is public. It says you own 285,000 shares of Equifax. Is that true? I believe that's right. OK, fine. Given the rough market value of that, its outstanding price per share, it is 28 million bucks or something. Did you or did you sell any of your stock between the time when the breach was learned on the inside and when you announced it to the public, when anybody else in America had that information? No, sir. OK. Here is one of the things that drives me crazy. Confidence. Business confidence at a 15-year high. We have consumers confident about the direction for a growing economy. Then something like this happens, which shakes our confidence. Now, I know they mentioned this and I want to support it also, and ask everybody in our conference, Republicans and Democrats, to support a way for Congress to help. That is called the Senior Safe Act. We think it's a good idea if seniors who are vulnerable to this identity theft and fraud are able to go to bank tellers and insurance agents and say we suspect fraud of all types. We want to speak up to the authorities and not be liable for doing so. That's a great bill. Thank you for being here. Appreciate your time. The time has expired. The chair recognizes the gentleman from Pennsylvania. Thank you, Mr. Chairman. Mr. Smith, when I heard about the breach, I was very concerned, like all Americans were.
Equifax, which is tasked with guarding millions of Americans' sensitive and personal data, has violated the trust of the American people. It's not acceptable. I commend the chairman for having these meetings to determine how we can prevent this from happening in the future. My people sent me here to share their voice. I would like to say their comments. One man wrote, I am more than angry about the Equifax data breach. I understand crime will always be part of life, but I am outraged at the response to the situation. They have allowed my personal information to be compromised. This has the potential to impact us for the rest of our lives. Robert in Pennsylvania wrote, quote, Equifax must be held severely accountable for the massive data breach affecting every American adult, including all of my family. They must be held responsible, including for the disingenuous response. He described Equifax's directions as an endless circular conversation and added, I am tired of this ongoing fiasco. These are real people whose concerns need to be addressed; hardworking Americans are scared and deserve answers and they need to be made whole. I understand we are talking about the timeline here. Equifax discovered the breach on July 29 and notified the FBI two days later. The investigative team was brought in two days later. Equifax did not notify the public for a month. I understand it was partly due to concern that public notification would allow more bad actors to compromise the system. More than a month elapsed from the breach to public notification. I'm curious if there was an event or fact that led you to make the disclosure. For example, September 7 was the date it was disclosed. Did you know something on September 7 that you did not know on September 6? Clarification, we were not aware of a breach of any sort in the July time frame. Again, at that time you noticed activity July 29 that was suspicious.
We notice suspicious activity on our databases around the world to the tune of millions per year. What we saw in late July was nothing we haven't seen before, suspicious activities. Unfortunately, in this environment, very common. A couple of days later, you are engaging outside vendors. That is not unusual. What did you know September 7 that you did not know on September 6? I don't have a specific answer. I can tell you the time frame between mid-to-late August and September was very fluid. It continued to develop. We found 5 million more impacted. It was an ever-evolving set of facts. You testified data was not encrypted on your database. Is there a reason for that? There are different levels of security in different environments. Encryption is one, masking is one, firewalls. Encryption at rest and encryption in motion is another technique. There's no one single technique that protects the consumer's data. A lot of people are watching at home, wondering if their data was compromised in the breach. Many Americans are wondering if their information that is currently held at Equifax is safe. Is their information currently safe today? We have no knowledge that any other information we have in our database in the U.S., around the world, was compromised. It was limited to this one portal. Is there a reason you are choosing not to disclose the scope of insurance coverage? Yes, there is. Can you share that with us? I prefer not to. The reason being, Congressman, when you disclose a number, it puts a target out there for others, for lawsuits, so on and so forth. That's going to be disclosed in discovery. You already have lawsuits out there. Yes. You are choosing not to... Yes. I yield back. The chair recognizes the gentleman from North Carolina. Thank you, Mr. Chairman and Mr. Smith. I think what's infuriated the people I serve in North Carolina, they didn't volunteer to have their information stored at your company. They did not say, Equifax, take my data. There is a major element, it's a trust element.
That's really been shattered. Let me shift to a topic, personnel. Why were the security officer and information officer allowed to retire instead of resigning and being fired? I believe you, yourself, resigned. It is semantics, they are out of a job now. The day we announced their stepping down, they were no longer effective. They are individuals who can add in an advisory role to smooth the transition between themselves and the two announced interim individuals we have at the CIO level and the chief security officer level. Then, when those individuals are replaced with full-time people, which they will be, they can add value. Nothing more than having them assist in a smooth transition. What was the total cash value of their retirement packages, if you don't mind? I don't know specifically. We can get that information to you. If you would, please. Did the chief security officer and chief information officer undergo financial repercussions as a result of their retirement other than foregone future salary? They lost their jobs and there's no bonus. Just foregone future salary and no bonus. Correct? That's correct. And no severance. Did the decision to allow them to retire instead of terminating, did it increase the scope of the severance? You said there was no severance. Right. In general, if an employee at the Equifax Corporation retires, do they have more access to benefits, receive a better separation agreement than someone that resigns or is fired? Not to my knowledge. Did Equifax not punish the individuals responsible but reward them for this decision by not firing anybody? No, sir, they are both out of a job. Chairman, I yield back. The gentleman yields back. The chair recognizes the gentleman from Indiana, Mr. Messer. Thank you for being here. I admire your stamina sitting here. The more I hear, the madder I get. Excuse my tone as I go through this. Have you had an opportunity to log on to the Equifax page and go through this process of determining whether you were part of the breach? Absolutely.
I did it. I had to give my birthday multiple times, I had to give parts or all of my Social Security four or five times. I answered a question or two wrong, so I had to call into the web page, call into the calling service, and give my Social Security number another time. Has it crossed your mind, given the recent breach and the fact you have disclosed personal information for 140 million Americans, that people might be a little uncomfortable giving you their Social Security number seven or eight times to know whether they are impacted? I talked to people myself. I share your frustration. I share their frustration. We tried to improve that process as much as we can. We have to validate you are who you are before we offer the product. It's frustrating to a lot of people and obviously, you haven't built a great record on trust. Will Equifax profit from the new data provided by Americans to your website? Will you take that information, now that I have entered it again, and use it commercially? The intent of this service is to offer the service for free, not cross-sell or upsell you as a consumer. This is the privacy notice you have to click on. It says here, I think in two columns, that this information can be used for joint marketing with other financial companies, for affiliates for everyday purposes, marketing purposes by, it looks to me like Equifax and the company doing it for you. If you are a consumer that gets a free service from us, we don't cross-sell or upsell you. The form says you will. Do I believe you or the form? Excuse me? The form says you will. Do I believe you or the form? This is the privacy notice. Again, will Equifax have the opportunity to use the information provided by consumers in their operations of commerce, therefore make a profit on it? I'll say one more time, when you come to us to get a free service, we are not going to cross-sell you on the website. There is a phrase, the road to hell is paved with good intentions.
I think your intentions were probably fine as 140 million people lost their information. It looks to me, based on this form, that you have the ability to do that. I want to ask you this question, have you ever met anybody who had their identity stolen? Yes. A pretty miserable experience. Yes. It destroys their life. Almost 4 million people in Indiana; it's important to remember these people are real people that have had their lives put at risk. Congressman, I couldn't agree more. I talked to people at my church, that work for us, my daughters, my wife, my family. I understand the anger and frustration. I'm glad you appreciate that frustration. We'll turn to that in a minute. It's as you have these five services you will provide. When it comes to real compensation for people who had their identity stolen, the reality is they are not going to get much from you, is that fair? They are going to get five services, plus the sixth service. Let me give you a number: the total assets of your company are about 6.6 billion according to your annual report. Approximately. 147 million people, that is about 4,700 per person if you liquidate. If 1% of those people have damage, you get 4,700 that you would have to compensate them anyway. I want to ask you this, you mentioned how frustrated you were. A lot of American people struggle; you consider this a major business screw-up, right? It's a breach, obviously 147 million people. And you mentioned, let me use your phrase, the folks you found most directly responsible for that, they lost their job, no bonus, no severance. Is that what happened? That's your words. My words are, I'm responsible and I stepped down. Does it seem fair to you that you would get a 40 million to 90 million bonus as you exit after you presided potentially over the biggest business screw-up in modern history where 140 million Americans had their personal information stolen?
Congressman, the only thing I walked away with, it's all disclosed in the proxy, was my pension and prior compensation. The American people are frustrated. And listen, again, I appreciate you being here, but they have a right to be frustrated. It doesn't seem fair. The time of the gentleman has expired. The chair now recognizes the gentleman from Georgia. Thank you. Thank you for being here, Mr. Smith. I am impressed that you're here considering that you are no longer in your previous position. I don't know that you would have had to have been here, but I appreciate your attendance here because I know this is difficult. It's a difficult time for 147 million Americans as well. A couple of questions regarding some of the things you said earlier. Where I want to be focused is how do we prevent something like this from happening again? I spent 30 years in the I.T. business and security was always at the forefront of things we were working on. And so I'm very interested in what transpired to cause the problem and how can we avoid this in the future? First of all, you mentioned in a couple of instances, as you were addressing some of the members asking questions here, that you complied with all the state laws regarding notification. And you mentioned state laws earlier regarding cybersecurity. Is it state laws that govern our cybersecurity policy? Is there not a federal law that governs that? And if there are, why is that not applicable? Congressman, the only point of clarification, the only thing we were trying to be mindful of there was, as we learned and gained more insight on the size and scope and nature of the breach, making sure we balanced our desire for accuracy and completeness of the picture with the state laws of communication. That's what I was referring to. OK. I understand. But are there federal laws that are applicable in this instance? Is cybersecurity pretty much governed by state law? I'm not sure what you're saying. It's not governed by state law.
The state law was just the communication that I was referring to. OK. The actual applying of the patch, from what I understood in your previous testimony and you answering questions, was you were notified of the vulnerability. A patch was provided. It was communicated that that patch should be applied, but somewhere that did not happen. I guess the human error was the individual who was to apply the patch to that portal did not follow through. Is that correct? It's a little bit more than that. It was an individual in the I.T. organization who received notification from security. That individual is responsible for the patching process and never ensured that the proper person was communicated to, and then did not close that loop. Is there a level of oversight that should be there? I mean, quite often when I was in the military and worked in communications and intelligence, we always had two-person integrity. There was always somebody looking over the shoulder to make sure that a process was completed. Same thing when I was working with many governments in their I.T., there was always a security patch. There was always someone else to come back through and make sure that it was applied. Was that process not in place? Yes. Yesterday, to clarify, this individual owned the communication and the patching process to ensure it was closed. He did neither. Secondly, the closed-loop process was also the scanner we talked about. The scanner, which was applied, I believe it was March 15, to look across the environment for this vulnerability, did not find this vulnerability. And that is currently under investigation as to why. OK. That kind of hit my next question, that being under investigation as to why that did not happen, and is there some liability on some individuals that, you know, potentially were nefarious in this process? The individual who I just discussed that was responsible for the patching process is no longer with the company. All right.
Thank you, Mr. Chairman. I yield back. The gentleman yields back. The chair recognizes the gentlelady from New York. Thank you, Mr. Chairman. And thank you for having this very important meeting, as we have over 145 million U.S. consumers who have been affected by this. And I thank you, Mr. Smith, for being here and being willing to answer these questions. You know, everybody is really angry. Our constituents are calling us. People are concerned about the security breach. Social Security numbers, birth dates, addresses, driver's license numbers, credit card numbers for up to 200,000 consumers, and all kinds of data has been breached. And it took, I know you've discussed this over and over, but six weeks to notify regulators. My first question on this is, did you or your firm notify the credit bureaus before you announced this breach so they could prepare for what our consumers are trying to find answers to, and many state laws also require this. Did your company actually do that? Did you notify those credit bureaus that were your customers? Let me make sure I understand the question, Congresswoman. Did we notify specifically TransUnion and Experian? Right. Prior to the date, it took six weeks before the actual patch was discovered and released. That's when you got your, I can't remember the dates, my colleagues asked you when you got your crisis management team, when you lawyered up, when you got everybody ready before you actually disclosed that. But when did you actually notify your customers, the credit bureau customers who relied on your information? Again, I think I understand the question. So it was in late August, not late July, that the picture started to come together that we had a data security issue. We went live on September 7. To answer your question specifically, we did not go to TransUnion or Experian before the release went out on September 7.
So they didn't have any knowledge of this happening, so they weren't able to prepare for what was to come later on, as your company was. Yeah. It was not public at that time. Right. Let me ask you, so you described the suspicious activity and the patches, and millions of patches occur. Is there like a priority or a way that your team identifies what patches are more important, more valuable, more vulnerable than others? Is there some protocol in place for that? Yes, there is. Let me clarify, though, if I may. It's not millions and millions of patches per year. What I was referencing is in any given year it is not unusual to have millions of suspicious or potential attacks. Specific to patches, patches and the requirement for patches are very common. And they're stratified in different categories, from critical to high to medium to low risk. And the protocol internally for the amount of time required or allowed to apply the patch depends on the criticality of the issue itself. So what would you rate this patch that did not get... It was critical. It was critical. When was the actual date that you discovered that patch? March 8, we were notified by CERT of the need to patch. On the ninth, the email went out to the teams to apply the patch. And as we talked about before, there was a human error. The individual did not communicate and close the process. On the 15th of March the scanning device did not find the vulnerability. But that's in March. Did you notify the credit bureaus or other customers? How many customers do you have, this confidential data is actually on your site, do you have in control of? How many people would you say, actual individuals, have their data on the site that would be vulnerable, not just the total... The credit population in the United States is roughly 230, 240 million people. So that many people were affected by this? No, Congresswoman. The number we've disclosed was 145.5 million. The services we're offering are to all Americans, but at this point, 145.5 were impacted.
Let me just go quickly because I decided to go look on to your site, as my colleague pointed out. It's ironically called trustedidpremier.com. And I went to this and put in my own information and it said I may have been breached and it does send me to another, I have to go through some protocols, reenter more digits of my Social Security, my name, and then it reveals to me that, nonetheless, please enter more personal information. If people listening to this and my constituents go on to find out if they've had their data breached, will they be vulnerable if they reenter this on this website? We've taken many steps since this breach to make sure that's secure. So this is secure. They can go reenter their data and it will be secure. Yes. Thank you. Time has expired. The chair recognizes the gentleman from Colorado. Mr. Smith, thank you for your testimony today. Thanks for lasting so long. Just a few questions for you. And I do have some sympathy for, you know, the attack, the breach, whether it's Anthem Blue Cross or Lowe's, Home Depot, J.P. Morgan Chase, the Democratic National Committee, lots of hacks have occurred and everybody needs to stay vigilant to that. My questions to you, sir, are going to be more... Credit reporting agencies are not everybody's best friends, you know. You have a job where you try to actually say this guy is a good credit risk, this gal is not a good credit risk, whatever. And we had, and it may have been you, and executives from TransUnion a few years ago, and there was a question about whether or not the algorithms that are the basis for people's credit reports were going to be disclosed to us as members of Congress or whatever, and I think the testimony was that those were proprietary and patentable and were key pieces of information for the different organizations. Did you, were you one of the ones that testified for us? Congressman, I was not.
You may be referring to the most common credit score in the industry, a score called the FICO score. Right. That may be what you're referring to. So we wanted to get information at that point about how a FICO score was calculated. Just, you know, is it fair to whoever is getting their credit score or credit report, and we were told no, that's proprietary information. Do you know whether in this hack how you guys develop the FICO score was stolen? Congressman, we're a reseller, if you will, in some cases of that FICO score, and there's no indication that we housed FICO scores that were hacked in any way. OK. So the algorithm or whatever, that proprietary information, to your knowledge, wasn't part of this theft. Yeah. The algorithm is developed and controlled and owned by another company called Fair Isaac, and your company doesn't have how that algorithm is created or developed? That is correct. OK. I was asked by somebody from the Energy Committee, and I know you may have testified earlier today. Do you know whether there was a foreign actor who was the perpetrator of this hack? We've engaged the FBI and the FBI is continuing in their investigation. There were some statements you made that there was a clever kind of ability to get around some of the safeguards you all had in terms of the speed or the volume. Is there a concern on your part or anybody at the company's part that this was an inside job? No indication of that at all. So, I mean, when somebody comes in and hacks, it's like they're trying to break into the bank, and your bank housed a lot of information, if you will. And you had some safeguards. You got the patch, so there's a vulnerability that they were able to get inside the bank, but then they were able to avoid a number of the different kinds of defenses you had within the bank. Did I mishear your testimony? That's correct. So in this investigation, are you doing an internal investigation on top of the FBI investigation? How is that proceeding? Yes.
If I understand your question, there's the forensic investigation, which is done on the data that was compromised. It was done by an independent firm. There is an internal investigation being done by outside counsel to look at all the processes internally and individuals involved internally, if that answers your question. And then there's the FBI investigation as well. All right. Last question. Just what I was looking at, there's like a hundred lawsuits, class action suits, a variety of suits. You were asked by Mr. Rothfus whether you had insurance for this. Are you self-insured? You didn't want to give us an amount. Do you have insurance for this? We have cyber insurance, yes. And is there a self-insurance, do you have self-insurance? Do you have sort of money in reserve for something like this? There's a retention that we have and then on top of that is a stack of participants up to a limit. And my last question, do you still retain shares in the company? Absolutely. Thank you. The time of the gentleman has expired. There are no more members in the queue. I'd like to thank the witness for his testimony today. Without objection, all members will have five legislative days within which to submit additional questions for the witness to the chair, which will be forwarded to the witness for his response. I would ask, Mr. Smith, that you please respond as promptly as you are able. This hearing stands adjourned. [gavel] [Captions Copyright National Cable Satellite Corp. 2017] [Captioning performed by the National Captioning Institute, which is responsible for its caption content and accuracy. Visit ncicap.org] Tonight on Afterwords, a radio host and contributor discusses his book, How the Right Lost Its Mind. Donald Trump represented a big middle finger from voters to the establishment, but if you really wanted to deal with some of these issues, you would have gone with a Marco Rubio or Scott Walker or Carly Fiorina, and they did not.
A master of Twitter, but he was crude, rude, a serial liar, thin-skinned, erratic, a fraud. This was relatively well known. Conservatives who not that long ago used to argue that character mattered, and that the president was a role model, have somehow found a way to rationalize the behavior of somebody who insults women, mocks the disabled, mocks POWs, paid a multimillion-dollar fine for defrauding students who just wanted an education. On Monday, President Trump delivered a statement on the mass shooting in Las Vegas that left more than 50 people dead and more than 100 injured. He observed a moment of silence on the White
