The key word is trying to come up with a solution is not sure we have arrived at that. After the october 2016 discovery that the dit could be vulnerable the irs is monitoring for any suspicious activity, we engaged with our friends. And asked them, and suspicious activity in january. And an incident in february, multilayer Defense Mechanisms, one of the mechanisms is notification to the address record for the individual. That led us to identify the we had an issue, we were able to find that in fact there is fraud that has taken place and immediately shut down the application. It is not discovered by accident. It was a notice generated from the taxpayer. The taxpayer came in and notified us. Taking responsibly for the irs, and the applications face. Please her young peoples lives at stake, to fit their unraveling that. The gentleman yields back. The chair would like to recognize the gentlelady from new jersey for five minutes. Good morning to all of you. In september the Inspector General reported Student Loans in the Department System to take advantage of students. As reprehensible as the fighting his this is not the first time Student Loan Companies have acted against the best interest of the students they are supposed to be serving. In 2015 the Consumer FinancialProtection Bureau conducted a public inquiry, signing complaints regarding loan servicers. More concerning the Current Administration has withdrawn a series of policy memos in the Previous Administration that was put in place for protection for student loan borrowers. And student loan borrowers, predatory lending practices. In terms of our focus, our focus on the servicing perspective, high quality outcomes of students and borrowers, we put in place a series of actions over the years and going through, and cant really talk about specifics, i would reiterate, focused on high quality product, generating the best outcomes of student borrowers. Are you aware of rollback of certain oversight, accountability, initiated in this administration that are overturning the accountabilities designed to protect students and vulnerabilities. I personally am not aware of any rollbacks. Anyone on this panel, any recent actions on the part of for the white house and department of education. That will negatively impact the accountability of who is or is not a good person or entity to work in this space. Is that a no . This january the Consumer FinancialProtection Bureau filed a lawsuit against the largest services of federal and private loan, according to the lawsuit, billions of dollars by withholding information about incomebased repayment programs. Instead, pushing borrowers into forbearance, for a cruel of the compound interest. Are you familiar with these allegations. Im familiar with those allegations. The Student Loans of 12 million borrowers and 6 million Service Contractors with the department of education. That is right. And the lenders interest. In the lenders interest, for the interest of the consumer. Is that right . The servicers act. And the lenders interest. And no expectation in the interest. In the case of private lenders, a servicer working on behalf of private lenders. Does it concern you companies publicly claim they have no responsibility to act in the best interest of the students they are supposed to be serving . We are in the procurement process. I cant make a comment on that. And they are also in the process. I cant make a comment on that. We cant make decisions about our services. I expect we ask you again about someone like navia and even though you cant express what is happening with regard to that company right now. We look at responsibility metrics i dont know by number the executive order or rule back that took place, and looking back at a companys business and reputation. And the best is taken care of the best. I you back. Mister george recognized for five minutes. When we notified that there was a problem. It happened the same day. You talked on february 27th this year. How many tax pyres are harmed by the breach that takes place . A proximally 100,000. The law requires you to notify congress when Something Like this happens. Im not familiar with that. The federal Information Security modernization act. Not later than 7 days after the date of the incident you should notify congress. Yes. You are supposed to do it within seven days. Is that accurate . It sound accurate. It doesnt sound accurate, that is the law. What did you Tell Congress . In that 7day timeframe, that is what i know. Is that true . I am not sure when they made notification to congress. We dont have it until april 6th which is longer than 7 days. You Tell Congress on april 6th. I would have to go back and check. That is important, right . Yes. Mister koskinen told us before the senate. I have to go back and confirm that for you, sir. We appreciate that but that is when Congress First learned on april 6th that there had been an incident. Here is what the statute said. Not more than 7 days, are you going to describe this as major . 100,000 people, i would say so. Same here, we wonder why you waited so long. I will find out for you. We would like to get that. Is this the first time the irs is waiting to Tell CongressImportant Information . I am not aware. I cant answer. There was a little incident that happened the last several years where the Internal Revenue service systematically and for a sustained period of time targeted taxpayers based on their political beliefs. Remember that situation . Im family with that. You did an investigation into that, a couple investigations. What the irs always forthcoming in a timely fashion with Important Information in that investigation . We found there were some mistakes in materials that should have been turned over. A nice way to say it. You might have a career in politics with that answer. Let me refresh your memory. The irs knew there was a gap in lowest learners email in february of 2014, did nothing to stop the disruption of back updates. 421 backup takes. And 24,000 do you know what he told congress. June 14, 2014. We have the Internal Revenue service, the agency has a lot of influence and impact on American People lives with a major breach that the losses you are supposed to Sell Congress within one week, within 7 days, they wait 38 days. Think about what congressman walker talks about. That took place before february 27th. When Mister Koskinen testified and said we are putting you on notice that there has been a major breach, 100,000 taxpayers impacted, look what he said in that testimony. On april 6, 2017, Mister Koskinen testified before the finance committee that we started working with education in october telling them we were very concerned, very concerned that the system could be utilized by criminals. The Mister Koskinen was on notice that there were potential problems, potential big problems, use the term very concerned clear back in october of last year. And on 27, the irs told you this is real. They dont comply with the law until congress within a week, they wait 38 days to tell us. Not supposed to be how it works. Doesnt sound so. The irs is treating taxpayers the way they are not supposed to and it is why this committee has been focused on trying to clean up the mess and i have been focused on saying Mister Koskinen has to go. I yells back. Thank you, mister jordan. Miss plaskett recognized for five minutes. I think the lovely chairwoman for the opportunity to speak. Thank you for being here. Everyone on both sides of the aisle are concerned about this issue. Most of us have children and have our own Student Loans or loans, as well as constituents. I did want to touch on something a few minutes ago, talking about lawsuits, this is a lawsuit, and a lower default rate with Loan Companies and have propensity to loan to a minority and underserved communities. The default rate of students who have loans is significantly lower than other Loan Companies. I will have to confirm that. The lower default rate is better but i have to confirm that. The portfolios are not the same for competition and sometimes there would be natural differences in the default rates. The Inspector Generals report, the systems were being misused by commercial third parties, something we talked about, things that we are very keen on, and are navigated a difficult system, the first incident into their own finances making decisions. And Student Loan Companies, student loan consolidators. And the special agent in charge of conducting that investigation for the ig, and commercial interests for loan consolidators. The commercial interest is key to me, and signaling companies, leading thousands of accounts, and using information, in a manner to control those accounts . My understanding it is a fee for service, and 1000 clients being charged for those services, it would be a commercial endeavor. Do you have a list of companies that were doing that . We identified some. We obtain a list of every Student Loan Company involved in activities. I dont want to commit a week, two weeks, a month. You give us a month it would be appreciated. To the outside. Special agent in charge, account holders taking advantage, sound outrageous and can you explain not just with aggressively pursuing but what about taking advantage of them. Dont want to speculate, to the extent they are providing services, and can receive correspondence for decisions on behalf and those might benefit them commercially. Are any of the same companies doing business with the permit of education . Not that i know of. We have a responsibility to help protect students from the kind of abuse but very pleased we are having this hearing to go through this. And a followup hearing within the next Student Loan Companies that are engaged in these activities and hope we have the ig from the department of education about what they found. And what you provided us and i hope we are able to do that. I yield back. Thank you. I want to say thank you for your willingness to accommodate me on tour the other night. It was not necessary but i appreciate that and you have the right to ask any witness for information and i am sure that will be followed up so thank you very much. You are recognized for five minutes. I apologize if i review some information that has been discussed in this hearing but raise your hand if you are responsible for fastfood. Gov. Rep the record reflect, raise your hand if you are responsible for the dart tool . All right. Let the record reflect garza and mister corbin raised their hand was october 25, 2016, irs conducted a Risk Assessment and concluded that the dart tool was needing stronger authentication measures. That correct . And set to take into improve the authentication measures . We started to work with the department of education. What did you do since october 25, 2016, to strengthen the dart tool. Increase monitoring on that application. So that we could become alerted should something suspicious happen. Were those efforts successful. In january those efforts that identified suspicious activity and at that time we partner with the department of education to get our two cyberteams together to review suspicious activity and we were informed by the permit of education, it was normal behavior. What steps are being taken to strengthen the authentication of dart . We have developed and implemented on the irs side, working with the department of education. How is encryption going to help with authentication if you have a user that has stolen potentials . The Authentication Solutions and providing application. Encryption on the back end, help with authentication, and stolen credentials. It does not improve authentication. A special applicant. If you have stolen credentials. Are you able to prove that you have the credentials, what do you do to prevent that from happening . There are keys that from the irs share with the department of education. As the applicant comes in and releases data to the department of education, they dont have access, to be encrypt that data, the government of education once it gets to their side, they will be able to decrypt the data. So the applicant so mister gray, how do you respond . What are you doing to strengthen authentication. To authenticate to the end user . We are dealing with proactive measures. It portends to something in the future, and what you have done. And we protect these systems. I referenced them in my opening statement. How does that help with this is the balance, this is an application form. I get that. It is your responsibility to confirm entering the data is indeed the person who owns that data. I recognize that is a tough job. And the theft of 100,000 students, so the dart tool is lacking, my concern is everyone is doing this. And i want to hear that too. The authorities i have are very adequate. In terms of what we are doing, the acceptability of the tool which at this point is a web application where students and prospective borrowers, the level of authentication for that. Disbursing the funds, and we are masking the data so that if an identity thief logs in to the system they will not see the data which would not allow them to exploit this vulnerability. I apologize for going over my time. Without objection i will recognize Mister Duncan for unanimous consent requests. You will not get to me for questions, make unanimous consent in this point. And the Financial Aid administrator of Tennessee College of technology, with problem and email. Thank you very much. Thank you, Mister Duncan. Miss kelly, you are recognized for five minutes. In recent years, hacking Identity Theft and fibers of the crimes have been on the rise. I have been a victim myself, federal agencies do their part to secure the systems but Congress Must acknowledge impact its own access on the ability to agencies to protect their it systems. Many agencies face serious challenges monitoring outdated legacy it systems. And severe budget cuts, and republican control harvesters. And the chief Information OfficerTerrence Mulholland testified, quote, the irs Budget System is the most critical challenge facing it modernization. What are the impact of budget cuts on the ability of the irs to modernize it systems. We putting taxpayers at greater risk . One of the Things Congress did last year. 290 million, we have a portion of that funding, to monitor systems closely, we continue to invest the review program, that allows us to create rules, as returns come in, to evaluate returns for potential fraud and Identity Theft and stop those returns before they are paid out. It is on. I want to thank congress for the money we did receive. That is extremely beneficial and puts Youth Technology in place protecting our systems at a higher level. Then they have done in the past. In this incident itself we were able to address the situation a lot quicker than we would have been able to in the past because of new monitoring capability in the Data Analytics capabilities that are implemented using those resources. Would you say more is needed . We would be thankful for Additional Resources or continued support in this area. It is not just it systems affected by resorts might increase progress on modernization and fibers of the security measures and would require significant Additional Resources in it areas. Do you agree with that assessment . I would agree with the assessment of our needs. I would agree as well. Yet again, congress failed to ensure agencies have resources to carry out their missions, under irs restructure and reform act of 1998 congress gained irs the authority a limited number of individuals, for critical and technical positions at level greater than general schedule rates. The Critical Pay Authority was intended to help the agency attract highly qualified individuals with advanced Technical Expertise who might otherwise be available for Government Service at normal federal levels. The irs uses its authority, from 1998 to 2013. And to make federal government jobs more appealing to highly qualified technical individuals interested in Public Service but earning a much highers chess salary. The streamlined critical pay that we had was beneficial for the irs. Because of that authority we were able to bring on board highlevel architects, engineers and cybersecurity experts. Over the last several years they helped us in sure that we were doing what was needed to secure our perimeter and make sure our systems are running much better. An important component of this is the streamlined part of the critical pay. It allows us to offer a job when we found somebody after the announcement was made and identified somebody much quicker than the normal process would have been. What we found was without the streamlined components when we got back to the individual who sees who are interested, the time had elapsed so long, they were not able or no longer available to come to work for us. It is a criminal component. It expired in 2013, not to be reauthorized. American taxpayers lose when congress ignores its responsibility. Congress can and should swiftly pass streamlined critical pay reauthorization and provide adequate resource levels for the type of security at all agencies. Thank you, madam chair. Thank you, ms. Kelly. Mister runcie recognized for five minutes. I look forward to reauthorization if we can get the reforms required as of our last couple hearings for the use of 168 slots. The kickoff of the Affordable Care act web site. And as you though, in that web site if somebody liking at their looking at their information at the top of the screen simply went up there and changed the state, they might look at somebodys personally identifiable identification. That was discovered right there in the http line, right . Do you remember that . That was on the c america s side. Right. And so dont have any details or specifics on that. Okay, just for historical sake, i actually did it. You could and somebody did it themselves. You could change the state, and you could end up with somebody elses identifiable information on your screen. Now, they would have said there was no breach, as mr. Gray is sort of saying, because there was no proof anyone took that information and used it. But let me ask another way. If you put a team of white knight hack ors on to this vulnerability, could you have harvested information, in your estimation . I think the evidence is that after the fact, yes, we there were people that were accessing that application for bad reasons. Okay. So, mr. Gray, i want to get you on the record, under oath, with an accountable statement. If theres evidence that people did nefariously gain some information, whether they used it or not, and that a team of white knight hackers or bad people could have harvested information, dont you have to admit that this is by definition a data breach . Not just a hypothetical vulnerable, but a vulnerability that was recognized that caused the shutdown of this tool . Thank you for the question and the request for clarification. I would say that when im speaking about a data breach, im speaking about the department of education systems, and through our analysis there was no Department Data that was compromised or viewed through this. This was a case of unlawfully obtained information that was used to go through our system to pull information from the drt. Okay. But in this case were talking about you together represent, like, an automobile. And youre saying that your righthand wheel didnt come off, but the lefthand wheel did or could have. Ultimately, the construction of the entire product was brought to a halt as a result of a failure. Right . Yes, sir. Okay. And both of you, i just want to make sure because i heard ms. Garza say it, but both of you admit that under the reforms as cios you have Budget Authority and the authority necessary to shut down or to make what changes are needed to control the security and accuracy of your work, is that right . Yes, sir. Okay. So now my question to you in the short time remaining is although this is about education and its about the tremendous impact on students who will have a burdensome time applying, if we are to do the next level of reforms that this committee would be required to, if weve given each of you authority and one of you says ive got a breach and the other says i dont, how do we resolve within the hierarchy of the executive office of the president , so to speak, how do we resolve making sure that the failure of the whole is, in fact, controlled by somebody . In other words, im looking at the two of you. You gave slightly different testimony. I think youve come together on testimony. But i want to know how in the future we do two things; one, make sure that somebody above you, sort of a supercia, can make sure that everyone, minutes looking at the entire vehicle and not just a left tire and a right hire. And then secondly, where were those White Knights in this process . Whenwhere were the people, third parties, who scrubbed this data and system trying to find those vulnerables . Because somebody found it, and it wasnt either of your teams. Ill take an answer from either of you in the time im allowed. I dont know where those White Knights were, sir. I do know that there were other entities within the government, usds specifically, that was assisting with as well. I dont know where they were. Okay. So as will said earlier, before the fact you dont know, after the fact, of course, you could recreate it. Ms. Garza, the two questions to you. Youre very senior in this position, youve had a lot of experience. One, how do we bring together organizations like you that have become interdependent to make sure theres oversight of the swire combined authority entire combined authority, and two, how do we make sure there are White Knights proactively in the future to try to find these things and maybe concurrently and constantly try to find them . Congressman, we actually do have processes in place where we do penetration testing, where we have individuals that come in and its our applications to insure test our applications to insure that they are not subject to white hackers coming in and getting away with the data. Although white hackers im okay with. Black hats [laughter] bad guys. So we do have that process in place, and we do use it. I dont recall right now if that process was utilized on this application. It clearly should have, and perhaps we would have been able to avoid this. As far as your other question, as the irs continues to work with other agencies to provide data, it becomes more and more important that we actually address the concern that you have raised. I dont have an answer for you right now, but its something that we need to be very thoughtful about, because i think this is going to start happening more often. Thank you. Thank you, madam chair. The gentlemans time has expired m. The prerogative of the chair, i think it would be helpful to this committee and to congress as a whole to get some sense of what kind of priority you put on testing your systems. Because its pretty obvious that Something Like this should have been tested and should have been aggressively tested anytime youre sharing data with another agency. So i hope the committee will follow up on that. Mr. Raskin, youre recognized for five minutes. Mr. Runcie why would they do that . Whats the sam . Can whats the scam . Can you explan how explain how that works for them . Theyre commercial and fee for Service Agencies these are legitimate businesses then, these are not internet scammers . Theyre not internet scammers, but the nature of the interaction between, you know, those entities and the [inaudible] i cant cardiackize characterize that. It seems and appeared that in cases where they want to have a level of control to create a transalabama or to transaction or to continue through the process, they change email addresses and potentially mailing addresses and so forth to facilitate the process that theyre taking the students and borrowers through. How do they profit from it . They take over the students account . They may charge, and im just going to make up a number. Lets say they charge 100 per consolidation or more. So theres an agreement that they will consolidate the loans and create a lowerpayment amount or whatever the agreement is, and they would be paid for that. So did this actually take place . I mean, in one example the i. G. Report in 2013 a company charged borrowers a monthly fee, i think it was 60, with the promise of enrolling them in the Public ServiceLoan Forgiveness Program eventually which they werent qualified for. Does that actually happen with people in. My understanding is that there are these companies that provide these services, and a part of that process sometimes is they put people into forbarnes with the understanding forbearance with the understanding theyre going to go into consolidation. Those are third Party Entities involved in a transaction that doesnt include the department, you know, except for the fact that theyre using the email addresses and the resources that we have to fulfill transactions where they make money. So just to get you straight there, theyre using your web site, essentially, as the framework to access their victims, then they prey on the people. But as far as you know, they might still be in this scam relationship with the students. Yeah, weve looked at ip addresses and some of the activity x in some cases you will actually see loan consolidations. Whether its 10 or 100 of their clients, we dont know. What weve stressed is use your education to make sure that people are aware that they can get these Services Done for free by leveraging resource that is the department provides. Well, i get complaints on a daily basis pretty much from my constituents who feel like the whole systems a scam. But youre talking about a scam on top of a scam, in a way with. People are in serious debt from college, and some of these kind of lowriding companies are able to access them, charge them more money to offer them either real or completely ill rusely services illusory services, right . Thats right. Who is the ombudsman or champion of americas students and College Graduates whos looking out for the scams in the irs, the department of education, every level of government . Is there anybody . I think we play a role, the department plays a role. For instance, i mentioned user education. The i. G. Has noticed that this is an issue, and were doing some things with our systems to make sure that we give them an additional tool or lever that they can use to prosecute be bad entities. So we play a role in that how many prosecutions have there been since this was revealed . I dont have that information. Have there been anywhere prosecutions . I we dont prosecute. It would have to be through the i. G. Or some other and let me just say, i know everybody up there has a tough job, but the overall institutional sense that i get is one of basic passivity and react at this time to events reacttivity to events rather than getting on top of it. I think theres more student debt in america than Credit Card Debt now. Its more than a trillion dollars. And, obviously, theres a lot of money being made there including by people who are going out and preying on people who are already laboring under the burden of these loans. Do we need to create an ombudsperson, somebody whos just a champion of the students and the graduates to make sure that theyre not getting ripped off at every step of the process . Yeah. I mean, we have am ombudsman, but its not its sort of a pervasive, allinclusive person that sort of challenges resources across government, across i. G. S, so that is potentially manager that could be useful. Something that could be useful. Where is that ombudsman located . Fha, they deal with Customer Service issues, they could be schoolrelateed issues. Did that person ever raise any of these issues with you about the scams being perpetrated on students through the web site . No. Those scams are done by third Party Entities that are outside of our scope. And so basically, it was nobodys responsibility to try to identify that threat. Is that right . I mean, thats not a gash cha question no. No. Im just trying to prevent this from happening again. There were cases of this going back four or five years now. Yeah. Again, the commercial entities that are marketing to students to provide services to those students and the students agree to, you know, obtain those services, and the questionable nature and value of those services is not something that we police. What weve been trying to do is provide user education and let people know that, you know, they dont need to use these resources. And weve, you know, working with Partner Organizations and so forth, but we dont have any control over those entities. Thank you very much for your answers, and i yield back, madam chair. Thank you, mr. Raskin. Mr. Hice, youre recognized for five minutes. Thank you, madam chair. No, congressman, i can bring that or go back and get that information for you. Please do. But would it surprise you that in 2013 alone it was over 5 billion . Does that come as a surprise to you . It does not come as a surprise, congressman. Okay. So its no surprise that over 5 billion, lets just say thats the average a year, 5 billion a year plus or minus in fraudulent returns. And now, as has been clearly established, ballpark 100,000 taxpayers were put at risk as thieves breached the drt, do you have any idea how many fraudulent returns resulted from those 100,000 taxpayers . So, congressman, what i know is that of the we have received about 111,000 returns filed under those Social Security numbers. Of those returns, 80 of them were either stopped by our filters prior to the refunds being paid, or they were the actual, legitimate taxpayer. Well, thats good information, but that was not my question. I want to know how many fraudulent tax returns came from those 100,000. Yes, sir. We have corn firmed about confirmed about 29,000 as identify theft. How many of those were fraudulent. Commissioner koskinen said about 8,000. Yes, congressman. There are 8,000 returns that were not stopped by our facilitiers that we have not filters that we have not been able to that were fraudulent. We have not been able to determine if they were fraudulent or the legitimate taxpayer. That was my question. Do you have any idea how much money was lost due to those 8,000 fraudulent returns . I believe that is about 32 million, sir. It is about 30 million. Does the irs reimburse the fraudulent tax returns from those who are victims . So when a true taxpayer comes in and files their return, they do get their full refund that theyre entitled to. Okay. And who pays for that . That comes out of the treasury, sir. So the taxpayers pay for i. Yes, sir. So we had 32 million just out of this 8,000 fraudulent returns. Is that 30 million, does it include the reimbursement from the victims . No, sir, it does not. So were talking 60 65 million many this one incident. Were talking if we have 5 billion a year in fraudulent returns, were probably talking 10 billion that it costs the taxpayers every year after the victims are paid back. Is that is of the 32, congressman, again we have not confirmed whether that is a framing lent return or the true okay. Im just going by what commissioner koskinen said, and i would think that he would be accurate in that information. Ms. Garza, im still scratching my head over your comments earlier that as far as youre concerned, you didnt know of any breach whatsoever, and yet its pretty well confirmed there was a breach here, and you even came bang around and admitted came back around and admitted that a little while ago. It depends on the timing, sir. In september it depends whether or not anyone broke into the system. I tell you with, i just struggle. It appears at the end of the day youre either in denial of what happened or youre incompetent or just untruthful in whats happening here. And i go back with whats been shared. Theres the abuse thats been inflicted on american citizens by the irs is inexcuse be bl, and its time that theres inexcusable, and its time that theres some accountability and change that takes place at the irs. This is just, its is so bothersome, its indescribable. Mr. Gray, let me come to you. Its my understanding that the department may have the data retrieval tool for the purposes of income repayment plans back up in june, is that correct . That is my understanding, sir. Okay. That being said, if its its taken more or less three months to fix it, correct . Yes, sir. Okay. If it has taken three months, why in the world was this not addressed last fall . Unfortunately, i cant answer that question because im not involved who can answer that question . Mr. Runcie. It wasnt addressed, i think its what we said a little bit before which was we were making a decision at the time based upon the fact there wasnt any criminal activity. What the commissioner said is we would continue to monitor the situation, and once this was confirmed criminal activity, we would take the system down. So that was the focus of it. And march 3rd when there was, when we were contacted, the system was taken down. The commissioner said that identify thieves used it to put forth false tax returns and made it clear that there was criminal activity and that because of such the system was going to have to be shut down. It looks like were talking out of both sides of our mouth. Madam chair, i thank you for indulging me extra time. I yield back. Thank you very much, mr. Hice. Mr. Clay, you are recognized for five minutes. Thank you, madam chair. And e find it deeply concerning that the Trump Administration has started rolling back the protections that help insure shah shah student that students are not taken advantage of by predatory Loan Companies. Mr. Runcie, secretary of education devos recently rolled back a critical protection put in place during the obama administration. This protection prohibited loan servicers from charging up to 16 in interest on overdue Student Loans if borrowers entered a loan Rehabilitation Program within 60 days of default. Mr. Runcie, why did she rescind that protective order . Im not awar there was a policy memo that was rescinded. Is that what youre referring to, representative clay in. Yes. So we, again, were in the process of going new a competition for servicers, and the focus of that competition is to make sure that we have the best contract in place thats focused on high quality outcomes for students and borrowers. So thats what were focused on. There hasnt been anything communicated from the secretary that would change our ability to go forward and to make sure that theres a vehicle in place to make sure that we optimize outcomes for and doesnt that action place the football interest of the the financial interest of the Loan Companies over the interest of our students . Thats not what were doing, and thats not whats been communicated to well, does it stall to Loan Companies that they can return to the predatory practices they engaged in before that take advantage of students . I mean, look, you and i know that People Struggle to pay these Student Loans. So they came up with a way to give them some kind of relief, and now were going to throw that out . Look, i see how youre focused on making sure that we have the best circumstances for borrowers and students. And, you know, if you look at income repayment plans which is a tool that was put in place to make it easier for students to manage their obligations and their debt, that has risen substantially. Our servicers in the department focused on making sure people get into plans that allow them to maintain and manage their debt. Okay, lets talk about those plans. Just last month the secretary withdrew another critical Consumer Protection afforded to student borrowers. Under the secretarys order, contracts for Debt Collection will no longer be based on a loan companys history of helping borrowers, but can again be based on a companys ability to collect debt. Can you explain why this change was made . Actually, the evaluation and, again, were in procurement mode, so there are certain things i cant talk about but the actual evaluation does include looking at past performance and responsibility as well as operational performance. So it is, the process is more than just looking at the ability to recover. Yeah, but doesnt that then go pack to allowing these go back to allowing these companies to prey on borrowers, and, i mean, make that the Standard Operating Procedure that, at all cause, collect the debt . I cant speculate on that, sir. And, look, there have been troubling reports recently that the department is reversing previous determinations that student loan borrowers qualified for a Loan Forgiveness Program to encourage Public Service. Borrowers may have relied for years on these determinations to plan their educations, their careers and their lives. And this program started in 2007. Under this Program Borrowers can have the remainder of their federal Student Loans forgiven after making ten years worth of payments be they serve in if they serve in fulltime Public Service jobs. Is that whats going on . Im aware of the issue, and my understanding is that there is potentially some lit base around that. Litigation around that. But the Public Service loan to have giveness is a vehicle thats out there. If you make payments for ten years on time, you could be forgiven the remainder of that. That programs in place, and we operationalize it. And are you intending on changing it . Im not aware that theres any intention to change it. You know, thats an overall departmental perspective. It all comes down to lets scam these students, lets scam these borrowers. And lets take care of the servicers. And i think you should be ashamed of yourselves. Well, what i can say is that and i can say this personally is that there is a dead, dedicated staff thats been there for quite some time, and our focus is not to facilitate any situation that compromises student ands borrowers. Were committed to making sure they have the resources to be successful. We know its difficult, its a huge portfolio, but my intention is the same as your intention, which is to make sure that we dont have a structure that compromises god help the borrowers. The gentlemans time has expired. The ranking members recognized for a unanimous consent request. Thank you very much, madam chair. I want to submit for the record a letter to the honorable Kathleen Teague just requesting certain documents with regard to this hearing. Without objection. The chair will recognize herself for five minutes. I have to say that i agree with my colleague from georgia who was here a few minutes ago that this situation of none of you all or people in your agencies being willing to take responsibility for whats happened. Either youre in denial or incompetent. I think the American People watching this are feeling the same way. Im troubled by my colleagues wanting to distract from the incompetence of the fsa and the irs on display here today. I want us to go after any bad actors outside the system, but our number one priority is to protect the American People. And everybody who works in country is affected by the irs. So, yes, we want to protect students from any be unsavory characters, but all americans are affected by the irs if they file their taxes, and most of them do. Thank goodness we have a system where most people voluntarily do what theyre supposed to do. So we, the problem we have with our Government Agencies is theres no accountability for any of you individually, and that is a shame, a real shame on this country. That you all can ignore the continued incompetence and not be held responsible. I do have some questions. The department has taken some steps, mr. Gray and mr. Runcie, to mitigate the burdens on students families and institutions caused by the drt suspension. But im concerned about the potential fraud, the flexibilities youve put in place may cause. How is the department protecting against fraudulent income reporting or insuring that no new doorways to fraud are opened in this process . And id like specifics, please. Well, in terms of and thank you, chairman foxx, chairwoman fofntle in terms of specifics, you know, the verification, the backend verification is something that weve used along with, you know, the schools. So we do regression analysis, and we come up with a formula that indicates a level of risk. And so what weve done in terms of giving flexibility is we would reduce the lowest risk element based upon our regression analysis so that even if welessingenned the if we lessened the verification burden, it would be on a riskmitigated basis. So we would only eliminate the lowest risk applicants potentially. So the other part is that were going to do this for a limited period of time, right . Because were going to get the tool back up october 1st, and so for all the fafsa cycles Going Forward, that wont be an issue. So its somewhat of a temporary way to address to balance the burden to the schools against the risk to taxpayers. Mr. Gray, do you have anything to add to that . Yes, maam. I would say there are also technical controls that we are looking at putting in place, and i would be happy to give a more indepth details about those controls specifically, but i would not want to reveal sense tv information right here. I understand. So, mr. Runcie, you touched on that youre trying to get the system back up for the 2018 fafsa filing period. Recognizing the balance between security and access, can you make the commitment to insure that theres no opportunity for the drt to be misused again when it is once again operational . And i want to ask each one of you, answer that question yes or no mr. Runcie . Yes, because thats all i need to know. Okay. Mr. Gray . Yes, maam. Ms. Garza. Im insure. Youre not sure. Mr. Corbin. Im also unsure. Mr. Cammas. We will be watching closely. I think youve given the American People great confidence today from the irs when you tell us you cannot secure the systems. Mr. Runcie, i want to come back to you. Ive been hearing troubling reports regarding the collection of defaulted Student Loans, and weve been hearing a lot about that this morning. Currently, struggling borrowers in default are without the Critical Services needed to rehabilitate hair loans or other their loans or other benefits. This is the responsibility of the department. Can i get a commitment from you and the department to provide my staff with critical information needed to assess the current loan default situation . Absolutely. And when . Two weeks. And when . Can we get, when will we know what the critical information is . When you get that to us . We can define what the critical information is within two weeks, and we could get you the information within a month, so well have that to you within a month. Thank you for telling us that. We will hold you to it. Thank you. Mr. Connolly, youre recognized for five minutes. I thank the chair. I just want to say the breach at department of education is something weve been warning about in this committee for quite only time. Department of education holds data on 139 million individuals, and i would echo what our colleague from ohio, mr. Jordan, said. The department of education may very well be in breach of law. And were going to explore that. However, i know what happened . To mr. Scott . I was just going to yield to mr. Scott he had to go. He had to go. All right, sorry. Then ill pursue. Mr. Gray, are you familiar with fisma . Yes, sir, i am. And what does that require you to do at the department of education in. To protect our information assets for the department. Well, thats not all it does. Doesnt it have a reporting requirement with respect to the legislative branch . Yes, sir, it does. And what is that reporting requirement . Within seven days of an incident and did the department of education comply with that sevenday reporting requirement . Sir, through our analysis of nearly 89,000 Social Security numbers, we did not enough that department identify that Department Data was compromised in this situation. Unlawfully obtained information was used to go through our system to access information through the drt, which is why we, we did report to u. S. Cert, and when it was identified that the compromise was through the drt, we that is when we did not report this as a major incident, because our information, meaning the information that the department holds, was not compromised. And is that still your position . Yes, sir. So from your point of view, fisma has not been triggered. A major breach of Department Information was not compromised. Is that the language of the law . That a major breach has to be compromiseed . That is to say, a major breach has to lead to the compromise of data . No, sir. The, when the irs reported this and we were notify bed on march 3rd notified on march 3rd, it was identified as an irs system. It was not a department of education system. We did thorough analysis of all of our system through fafsa, and nothing indicated, to my knowledge, that any of our information was compromised. Mr. Camus, is that your view. We have yet to determine the timeliness of the reporting of the incident, sir. No, thats not my question. My question is, do you concur with mr. Gray that there was no breach of data . Compromise of data. We, we would view it as once somebody was able to see somebody elses data, that that, in fact, has been a breach. So i would too. And, therefore, i would argue fisma is triggered. Would you agree . Yes, sir. [laughter] well, mr. Gray, sure does sound like youre splitting hairs. And youre coming up with a criterion that was not envisioned in the law itself, nor is it reflected in the language of the law itself. I mean, we dont have traffic laws that allow you to decide, well, i didnt hurt anyone. Yeah, i was speeding, but i didnt hurt anyone so, therefore, i shouldnt get a ticket. I mean, the law is there to make sure the legislative branch is informed in a timely fashion when this kind of activity occurs. And the reason isnt so that were keeping score, it is to make sure that were doing what we can on our part to protect Sensitive Data of american citizens. And it seems to me that it was incumbent upon the department the of education to inform us in a timely fashion. In fact, i would even argue if i were managing the department of education, the better part of wisdom would dictate that i inform them even if i didnt believe fisma was triggered. But the fact that months could go by and, as mr. Camus just said, a breach is a breach. Once its breached, you have to assume that datas compromised. And i just find your explanation very credible and i, frankly, think its a disservice to the people whose data you possess. And its an endaround with respect to the legislative branch. And i think its in violation of law. I know were going to pursue that more. But i dont think, i dont think thats something that puts the department of education in any kind of good light. My time is up. And im sorry i missed mr. Scot. I was going to testify to him. I thought i wassing with asked to. Thank you, madam chairman. Thank you, mr. Connolly, for hoping in on the issue honing in on the issue of the day and looking for what remedies we might have under the law. Mr. Meadows, youre recognized. Thank you, madam chairman. Were going to foul, mr. Gray, right now. Because i can tell you that mr. Connolly is spot on. And this is not your first rode owe, you know . We have rodeo. We have had these other issues before with regards to previous. And is it your sworn testimony today that this did not actually require noteification of congress . No, sir. My understanding is that the irs had reported the incident and that it was a breach. But the department of education, my understanding, when i was notified on march 3rd that the notification had already happened. I have learned in this hearing that it did not happen. Well, how can the American People actually people who share private information with you who expect it be protected have confidence when youre here today and you dont even know the full story that youre with finding out in a hearing when you knew that we were going to be looking at this . How can you find a hacker who truly wants to come in and do harm and you cant even be prepared for sworn testimony today on questions that i presume that you knew we were going to ask . I understand, sir. The wheres the outrage . Where is the outrage, mr. Gray . Are you not outraged . I absolutely am. Our why didnt you notify congress . My understanding was this was not a department of finish. You realize that was not did you have your counsel that said you dont have to notify us . Who did you check with who said you dont need to notify congress . We went through our Incident Response process who did an assessment finish. So why did you refer something to an outside agency before you notified your own i. G. P within your department . Our i. G. Was notified well, according to my documents you actually notified u. S. Cert first. According to your testimony. Why would you do that and wait to get the i. G. Involved . Because when we notify u. S. Cert, its to let them know we were investigating something had occurred. At that time, we werent sure what happened. Okay, so you notify the i. G. It was important enough to notify the i. G. , but it was not important to notify congress. Hindsight, sir, yes, it was important enough to notify congress. Well, at what point are we going to get this right . Because we continue to have breaches. Mr. Connolly and i have had a number of hearings where weve raised this as a concern, and yet what happens is, is were all coming in after the fact to look at this. To you not see a problem with that . I do see a problem with that. Well, when are we going to get it fixed . Sir, we receive on average more than 1. 5 million intrusion attempts every single month at the department. And what my team does is we assess to determine whether or not something had happened, nothing happened, and lo logistically, i mean, i know in this case its easy to say, okay, this should have been reported. I understand that. So youre saying its a matter of logistics on why you didnt report it. Because thats different than what you said earlier. Earlier you said you didnt think you had to report it. Based on the analysis that my team did, we our information, our information, information that i am, that so how confident are you that there was only 89,000 people that were affected . Based on the log analysis that was done at the department . Very confident. All right, a ten . Yes, sir. So if we find out theres more than that, are you willing to resign . If its, if i dont know the information, no, sir. I mean well, you said youre confident at a level of ten, so i guess i would stake my reputation on that if youre confident at a ten. So if theres more than that, because the irs knows that sometimes we find out theres actually more people affected than was originally thought. So if youre confident at a ten, are you willing to stake your reputation and your job on it . So, sir, the challenge here is that sir, i am representing people back home in north carolina, as every member here is. And you know what . They fail toll realize that you fail to realize that you cant protect Sensitive Information that they give you, and they dont understand that. I dont understand it. At what point are we going to have a confidence when people share their information with the government that it is not subject to being shared with another party . Isnt that what your jobs all about as cio . Yes, sir. All right. The next time are you going to inform congress when there may be a doubt . Will you inform us within the seven days . Absolutely. All right. Ms. Garza, last question to you. Why didnt you inform us . Congressman, we briefed the staff shortly after we brought down you didnt brief our staff. Why didnt you inform be congress . Thats the question of the day. Because according to your dig da, its 100,000, so certainly even meet that threshold, but why wouldnt you inform us . So, congressman, we did inform the congress that this was a data breach. The reason why it took as long as it did is because we were going through, analyzing the information. The initial population was much smaller than 100,000 that we thought were impacted. We also needed to coordinate with the department of education to determine whether this but didnt you find it just based on dumb luck . It was actually just one of your irs employees that actually got a transcript request and they said, hey, something doesnt smell right here . Congressman, we have multiple layers of thats not the question. Wasnt it dumb luck that you happened to find this . No. Finish. So it wasnt an i irs that happened to get a transcript . Be careful, youre under sworn testimony here. It was an irs employee. He received a notification as part of one of our Defense Mechanisms that his account had been accessed. Is so it was an irs employee who happened to have his stuff that was notified, and we said, hold on, weve got a problem here . Do you not see that that is almost laughable . One of our mechanisms to determine whether something has gone wrong is a notification to the taxpayer. Our systems automatically send out a so you purposely embed irs employees in this so they might get a personal notification so they can highlight this . Come on. Ill yield back. [inaudible] thank you, madam chair. Thank the panel. Ten years ago i was proud to lead the effort here in the house, and we teamed up with senator kenny on the senate side to create the Public ServiceLoan Forgiveness Program, and we paid close attention to that over the last ten years working with the u. S. Department of education along the way to create online resources to help borrowers understand whether theyre going to qualify for this program which includes reduced Monthly Payments as well as ultimate forgiveness of their outstanding principal if they commit ten years to Public Service. That includes the need to be assured that the employment you have, the particular employer that youre working for qualifies under that Public Service category and that you can count the time spent with that employer towards your ten years and, ultimately, earn the forgiveness. Congressman clay alluded a moment ago to the fact that theres some troubling position that the u. S. The president of education the u. S. Department of education has been taking over the last 18 months with respect to certain categories of employers. Theyre now telling borrowers who relied on an an assurance that that employer would qualify being told now that it wont, and there is some litigation around that, mr. Runcie, as you indicated. We need to get to the bottom of that, because there are borrowers that have relied on assurances that have come from the department, and they need to be able to count on that, otherwise the rugging is being pulled out from under them. I know that some of us here have been trying to get a briefing from the department over the last few weeks. That has not yet happened. Could you commit to us today that the department would be willing to brief us on this issue and whats happening with that . So i, its not just fsa. I mean, we obviously operationalize it and put the resources out there so people can avail themselves of Public Service loan forgiveness, but i think that would include other entities well, thats fine. Can you help us arrange to get that briefing done and get it done quickly so we know whats happening with this, and then we can take appropriate steps in our oversight capacity in. Absolutely. Its an important issue, and were focused on, so i will commit to working with my colleagues let me stay focused on the Public Service loan forgiveness piece, because when you talk about the universe of borrowers that are impacted by the breach that were talking about today using this data retrieval tool, you have the part of that universe that are folks that are, you know, involved with standard repayment, and then you have those who are in a loandriven repayment situation based on one program or the other. That includes Public Service loan forgiveness. And they have to be handled differently, because theyre impacted differently. And youve indicated that with respect to the standard repayment world that your going to youre going to try to get this tool back in service by beginning of the next year, so october is the goal. But with respect to lopedriven repayment loandriven repayment, youre trying to get that back up by may. So can you tell us how confident you are that i mean, it is may now. How confident are you that that is going to be available to folks that are benefiting from loandriven repayment arrangements . Is that going to happen . Yeah. Were very confident. You know, as the irs mentioned, theyve completed the end description part, and encryption part, and we have a timeline that gets us to a place where its up and running by the end of this month. So we know its only another few weeks, but we can comet commit to that. I appreciate that. Could you also let me know, i know one of the remedies are sort of stopgap remedies when someone is in this situation, perhaps not being able to access a tool that allows them to do things in a timely fashion, forbearance for two months, three months, what have you. That can work okay for the standard repayment folks because theres really no downside to losing a couple of months in terms of your repayment, but if time is of the essence in the sense that youre accruing time towards this tenyear repayment period, then forbearance isnt necessarily going to be a great solution for people that are in the loandriven repayment category. Is that something that the department has considered, and is this a way to provide a remedy there that doesnt complicate the lives of these folks that are in a particular program like that . Yeah, ill make sure that we are i know were considering a lot of different issues around it, and i believe thats one. But well certainly make sure that were focused on that, because i do understand the issue around that. Okay. I yield back, thank you. Wanted to add one thing, and were pretty firm on the end of may unless be potentially some requirements change, but i think were committed to the end of may. For for the tool being back up for the income driven repayment plan. Thank you, mr. Sarbanes, thank you, mr. Runcie. Mr. Mitchell, youre recognized. Thank you, madam chair. I join your dismay that rather than discuss the data breach, the impact it has on the ability of students to get assistance, how we deal with the data breach Going Forward that some wish to talk about issues that were now going to investigate as well which is potential bad actors. To obfuscate what the Current Issue is which is the irs and the department of eds inability to have this cool work and not have it breached, but rather, talk about other issues. We only have so much time here. We only have so many things we can do simultaneously. Lets talk about the issue we put on the table. So i am displayed, and i guess i shouldnt be surprised. Mr. Connolly, youve im sorry, mr. Gray, you seen the wizard of oz, right . Yes, sir. You see the part where they talk with thescarecrow and they ask him which way the yellow brick road is, you remember that part . Yes, sir. Tumor that part . Yes, sir. My opinion, frankly, sir, thats exactly what youre doing when you talk about the data breach happened at the irs. You know, when youve got something as sense ty as personal information from the number of students that you have, the moment in time that you think your datas been breached, you have a legal moral, if not legal responsibility to notify congress. Thats a lot of information. And it wasnt done. And its not the first time it wasnt done. And i dont understand that. And i dont know how it is we get across to the department that its actually responsibility by law, if not morally. Whats it take to get someone to understand that over there . Can you explain that to me . I have committed that i will to that, sir. I ran a private school for six and a halfyears as a ceo. Ms. Garza, the cio reported today me for a reason. To me for the reason. Do you know the deal we had if we got hacked . Do you know what deal was . Do you want to guess what the deal waswe got hacked . You held the cio accountable. The cios resignation was on my desk. Thats how sensitive that information was. And i am serious. Im absolutely serious. Ill give you his phone number, you can call him. His resignation was on my desk. His cell phone got buzzed anytime there were certain sets of activities, whatever hour of the night. Now, who in your staff gets called in the middle of the night or gets a buzz if that data goes out of whack . The cio is the first one who gets a call, and depending on type of breach, she will call me. Time limited. Ive heard or repeatedly budget concerns. That comes from the private sector, and im absolutely aa maized. The first time a problem comed up, Everyone Wants to whip out the taxpayers czechbook because, hey, just spend more money. From the world i come from, we first identify the problem, not just throw money at it. So its a question from me, ms. Garza. And, by the way, we all know who had their data hacked. False tax returns, i had it happen to me. My youngest son is dealing with it right now, this year. How much money do you need to tell this group, to Tell Congress that you can secure the system . Exactly how much do you need in your budget that youll put your letter of resignation there if you get hacked . How much money . I dont know how much money it would take. Well, you ask for more money all the time. We ask for Additional Resources to continue to fortify every year. Every year. Thats correct. I asked you a question. How much money do you these in your budget need in your budget for stated protection that youll put that budget request in and smudgesly tender simultaneously tender your resignation . I dont have that dollar amount in my mind. Criminal enterprises are constantly changing . Oh, i understand that. And their tactics. So to make a statement that we can guarantee a system as secure, quite frankly, is a little bit folly. We are doing everything we can to make sure that our systems are secure. We have not had a breach of our internal systems, although we have had data loss. And to put to try to come up with a dollar amount that would guarantee that something will not occur, i think, at that point i would think that were probably not going to end up being secure. Its, and my time is expiring, and i appreciate the patience. I anywhere else in the world in the private sector at least somebody says we really screwed up here. At least someone says, boy, we missed you know, they take accountability for it. My Technology Staff took it personally when someone tried, when you had people trying to hack. How we secured it. It was the game. It was their life. And the fact that folks can sit here and say, well, basically, stuff happens. But were going to talk about peoples information from the department of education or the irs, its not just stuff happens, its their life. Its their tax return. Its their personal information used to get credit elsewhere. This is not minor stuff. And i dont want see the perspective of concern and i dont see the perspective of concern that, well, well do the best we can. If its wrong, we may notify, we may not think its our problem, its the irs problem. Again, its they went that way. Ill join mr. Connolly and others in finding a why to hold folks accountable because we cant have this kind of data leaking out, people taking it and using it for adverse purposes. You should be ashamed. I yield back. Thank you. The gentlemans time has expired. Ms. Maloney, youre recognized for five minutes. Thank you, lady chair. We need to do everything we can to prevent Cyber Attacks from occurring, but when they do occur, its critical that we take them seriously and also learn from them. In 2015 criminal elements attacked the irs and its get transcription application, the tool that allows taxpayers to obtain copies of prior tax returns using a collection of personal information. And organized Crime Syndicate assessed this application using stolen personal information of individuals and obtained tax data for a staggering 300,000 individuals. Is that correct . Mr. Corbin . That is correct, congressman. And since that incident, the irs has been working diligently to increase the security of its systems. In january 2016 a result of cybersecurity improvements, the irs stopped an attempt to acquire the efiling pin number of taxpayerings. Mr. Corbin and taxpayers. Mr. Corbin and ms. Garza, is that correct, and you describe what the improvements were that were able for you to stop this ore attempt . Many so, congresswoman, for get transcripts, we took that application down and did an assessment level of risk, and we put in place what we call secure access authentication. It was a higher level of authentication that requires id proofing, financial verification and then an Activation Code in order to be able to get access to your transcript. We continue to take the dollars that were provided by congress, the 290 million, to invest in additional cyber tools that allowed us in this case to be able to detect when there was activity occurring on tools that we have outside the irs network. For the efile pinker congresswoman, we looked at that and again identified that that would be a vulnerability. The efile pin application is not back up. We eliminated the efile pin application and now require agi or the selfselect pin which taxpayers have. Okay. After the 2015 incident, you did a reassessment of the curt of all of your security of all of your online applications including the data retrieval tool. And as you stated in your testimony, that assessment and im quoting from your testimony indicated the need for strengthened procedures and led to collaboration with the board of education to best implement those procedures. Now, is that correct . That is correct. Okay. Now i want to turn to the 2017 data retrieval tool incident where criminals were able to use personal information gathered elsewhere to create student aid accounts on the the president of educations web sites on the department of educations web sites and obtain individuals sensitive tax information. Because the irs has improved its ability to detect fraud before processing return. This approval detection ability is illustrated by the fact automatic security filters were able to stop almost 65 of potentially fraudulent refunds from being issued and the data retrieval tool incident, is that correct . That is correct. We cant stop all Cyber Attacks. Thats just the reality of the day but we can learn from them. So i think youve shown your ability to do that. You know, why would somebody want to file a fraudulent return . What was the purpose of it . Congresswoman, most people file fraudulent returns without of obtaining a refund from that return. And are the successful . Congresswoman, fraudsters are successful but weve gotten so much better over the years. The irs has a Publicprivate Partnership called the Security Summit would work to protect tax ecosystem worked with state department of revenue come with Software Developers so that we can build a better system to help protect the tax ecosystem. As you did in this case with the data retrieval tool, we have new Data Elements or information that w were using in our filte. They did allow us to stop 80 of the returns that were filed in this event that were either potentially fraudulent or before the refunds were able to be pa paid. Thank you. My time is expired but hope we can continue to fund the i. T. Improvements that the irs requests so we can continue Going Forward in being more effective and stopping fraud and helping taxpayers. Thank you for your testimony today. Thank you ms. Maloney. Mr. Grossman, you are the one we have been looking for. The last one. You are recognized for five minutes. A few questions. How long hed been chief Information Officer over education . Eleven months. Since november of 2015 this committee has uncovered what we thought were significant shortcomings in your plans before you even there. As well as corruption of the former cio. Aas a new, what concerns you the most and what were your first actions as cao to clean this up . I have five focus areas when it came to the department. One was on security, another was organizational health. So policy challenges, numerous things we need to improve. And i will say in the last 11 months weve made significant progress at the department in terms of implementing processes, implementing policies, changing personnel. Okay. Last year you reported 192 incidents in your department. Can you tell us what information leaked out of those, give us how many files and what they covered . I would have to get that information for you. I do have a list of the information but i want to verify. Give me a broad, there must be some in your mind, what are some of things figured out there . Typically solstice could be numbers in a burden from one eventual to another individual or wasnt encrypted spirit in information connected with Social Security numbers . I dont want, i want to verify. Cant think of any example . Not at this moment. Okay. Is this i guess we will call this oh cio 14 handbook . Yes, sir. Do you know how recently this is updated . Aye one of leave is the current one you give your employees. Do you know how recently or how recent the most recent update was . Theres a draft circling right now that is being updated. It has been updated and it is being do you know how old this is . Several years. A little over six years now, okay. Is that satisfactory . No, sir. Could you give us a hard number as to when you feel you get something you available for your new employees . For 14 . Correct. The concurrent process within the Department Takes an amount of time so i cant comment on that but i will say that i have a solid draft that is going through concurrent footnote. Can you give us a gas . A month, four months . A year . Miters in the process is not six months to a year to go through formal concurrent. How far argue to the process . We started last week. We started the actual process last week. So you begin something that could be a year before we get something that is more than six years old . I will expedite because i know it is critical to the department. Is critical for the public. Could you give us, when we talk about the files of the solstice could be number, can you tell us what else is in those files . I would have to look at specific fm. At this point, sometimes there spreadsheets that contain Social Security numbers. I would have to look to verify. Okay. We will try mr. Runcie. Have they been breaches of not to my knowledge. No. There was i think about, mightve been four years ago there was a time when the system was open for a few minutes and there were 6000 cases of information that was viewed that should not of been viewed but that was the only systemic breach or exultation, not exultation but an incident that occurred. How long ago was that . It was a few years ago. Im not exactly sure. You that nobody breach anything for the last four or five years, three or four years well say . Theres been no material breach. This possibility there mightve been in it in here or there in terms of student aid data but none to my knowledge. Okay. They dont tell you . I would be informed if there was and im not aware of any. Okay. I would yield of the remainder of my time. Thank you very much. Im ready to close. None of my colleagues on the democrat side, so i will make some very brief comments. I will, do not broach our protocol, i will not ask questions, but i will let ms. Garza come mr. Corbin know that we will be asking you exactly how many fraudulent rets were filed as result of the breach, and when those people obtained that information. And we want an answer in what most of us would consider reasonable time. It has been extraordinarily difficult today to get any kind of specific answer out of any of you. I think mr. Mitchells comments about the scarecrow were entirely apt. You are blaming each other. The American People, frankly, are tired of this kind of display of incompetence again. You all cannot answer questions, or will not answer questions, its a little difficult to know. And let me tell you something. In my world, 30 million is a lot of money. A lot of money here and you all dont seem to take it seriously at all. That as a result of your not being able to take action when a breach is made and youre not following the law, to let congress know, its even more troubling to me that you take so long to do anything. The comments about some document that is very important taking seven years to update. Its pure incompetence. And i would gather, i mean, i would venture to say that we might be able to get better people coming in to your agencies to do the work that needs to be done, regardless of the pay, if they thought they could get something done. But they bureaucracies are so impossible to change. And i do want to note that both mr. Great and mr. Runcie came to the department mr. Gray and all of you all, too, in the irs under the obama administration. Our colleagues are going to raise cain with the existing departments. And make it appear as though this is the responsibility of the Current Administration. And i think it needs to be made abundantly clear that you all came in to these agencies under the Previous Administration. And have been kept on by the Previous Administration. We will also put into the record the expanded timeline in terms of when these problems began occurring, and point out where we possibly can be in action of the people are supposed to be working for the American People and keeping their data confidential. So i thank you all for being here today, and is hearing is dismissed. [inaudible conversations] [inaudible conversations]