Good morning we are here to get the facts of what happened. Americans deserve to know what they are doing to fix the problem and help individuals that are impacted. We will find out what happened. Todays hearing needs to shed some much needed information fre received assurances that mr. Smith can speak for the company on concrete steps that he took in the aftermath to secure the Computer System and protect the affected customers as well as what happened when he was chief executive. The chair of the Consumer ProtectionsAgency Speaks about how we are individually connected world. The fact of life can have many positive implications far and wide ranging for commerce, and trade. Massive reminder of bad actors that are out there and the security challenges facing our economy. In this case sensitive personal information that is used to build Credit History and allow individuals to engage by cell phone and secure mortgages as a compromise. Reasonable security measures must be implemented, the practice of collecting and storing data in order to get on this access. Otherwise consumers will face major financial harm. That is deeply concerning to me. I know the other members of the subcommittee share this view. Party number one, they must to safeguardcans the personal information online. The recent data breaches on resident and it is also unique because it is the sensitivity of information stolen. The full nine digit Social Security numbers. Over 143 million americans are potentially impacted. Half of theincludes total u. S. Population. In my own home state 2 million customers are widely affected based on the information released by equifax we are informed that the massive amount of personal and Financial Information was assessed from includingmidmay names, birth dates and addresses and in some cases drivers license information. Peoplenally 2 million have a credit card information stolen. What hundred 8000 head credit dispute documentation. This is a Staggering Amount of Sensitive Information that impacted a extra minority number we need these numbers confirmed. Today we must understand the following first. Under how did the hackers get the information and the able to pull so much without being detected. Second, what process and procedures were in place in the event of such a brief breach . There are many questions where this information was known. This will have implications and other ongoing investigations. Further the chief Information Officer and the chief Security Officer made a retirement announcement after the announcement of the breach. Again despite months of delay one of their notification and Consumer Protection processes such ash misinformation that overall confusion. The are numerous reports of assessing the dedicated website or call center. They were dismayed reports that the official equifax printer account we did this led to a affected website. The americans deserve to know the facts about this. To that end, what steps were taken. I look forward to getting these answers today and many more questions for the American People answered this morning. And at this time i will ask the gendal gentle lady from illinois, the Ranking Member or five minutes for her Opening Statement. Thank you, mr. Chairman, for holding this hearing. The equifax data breach was massive in scale. 145. 5 million american victims as of yesterday. I would call it shocking, but is it really . We have these unregulated private, forprofit Credit Reporting agencies collecting detailed personal and Financial Information about American Consumers. Its a treasure trove for hackers. Consumers dont have a choice over what information equifax or, for example, transunion or experian have collected, stored and sold. If you want to participate in todays modern economy, if you want to get a credit card, rent an apartment, or even get a job often, than a Credit Reporting Agency may hold the key because consumers dont have a choice, we cant trust Credit Reporting agencies to selfregulate. Its not like when you get sick at a restaurant and decide not to go there anymore. Equifax collects your data whether you want to have it collected or not. If it has Incorrect Information about you, its really an arduous process. I have tried it, to get it corrected. When it comes to Information Security, you are at the mercy of whatever equifax decides is right and once your information is compromised the damage is ongoing. Given vast quantities of information and lack of accountability, a major breach at equifax, i would say, would be predictable, if not inevitable. I should really say breaches. This is the third major breach equifax has had in the past two years. From media reports and the subcommittees meeting with equifax after the breach its clear that the company lact appropriate policies around Data Security. This particular breach occurred when hackers exploited a known vulnerability that was not yet patched. It was months later before equifax first discovered the breech and another several weeks before equifax shared news with the consumers, this committee, the federal trade commission and the Consumer Financial protection bureau. Senior officials at the company are saying they werent immediately aware that the breach occurred and, yet, by the way, there were executives who sold over a Million Dollars in stock just days after the breach was discovered, but yet not reported. And for a lot of americans, that just doesnt pass the smell test. The response to the breach was its own debacle. Equifax offered consumers Credit Monitoring Services that initially came with a mandatory arbitration clause, which fortunately has been corrected. Equifax tweeted links to the wrong url directing victims to a fake website. The call center was understaffed. In the end. Equifax has had to apologize for its postbreach response almost as much as it has apologized for the breach itself. Equifax deserves to be shamed in this hearing, but we should also ask what congress has done or failed to do to stop data breaches from occurring and what equifax plans to do the same day that Equifax Breach went public, the House Financial ServicesCommittee Held a hearing on ficra liability harmony act, a bill to protect Credit Reporting agencies like equifax from classaction suits. Imagine. In fact, equifax was lobbying for this bill after the breach was discovered in july, still not reported, and the 14 republican sponsoring this bill should ask themselves were this is really the industry they want to be in bed with. Companies like equifax need more accountability, not less. I agree with the cfbd director richard cordray, that the Credit Reporting agencies need embedded regulators to protect consumer Sensitive Information. Then we need to go further. Last night i reintroduced the secure and protect americans data act, along with Ranking Member pallone and seven other members of the energy and commerce committee. And our bill would establish one strong Data Security standards, two, require prompt breach notification which we didnt get and, three, provide appropriate relief for breached victims. Chairman latta, American Consumers dont just need answers, they need action. I hope that our bill can be a starting point for discussion on strengthening protections for americans data. Consumers deserve a whole lot better than they got from equifax. And i yield back. Thank you. The gentle lady yields back. Chair recognizes the gentleman from oregon, the chairman of the full committee for five minutes. I thank the chairman. Were here to do today what it appears equifax failed to do over the last several months and thats put consumers first. Our job is to get answers for the more than 145 million americans who have had their personal information compromised and now fear they could be victims of fraud at any time. How could a major u. S. Company like equifax, which holds the most sensitive and personal data on americans, so let them down. Its like the guards at fort knox forgot to lock the doors and failed to notice the thieves were emptying the vaults. The American People deserve to know what went wrong. We want a clear time line of events and to understand what to expect moving forward. As chairman i have always tried to put consumers first on everything we do on Public Policy. Today well begin to get the answers for the public, hold equifax accountable and make clear that businesses hold the americas most Sensitive Data have a responsibility under existing laws to protect those data. Today gives whole new meaning to mr. Mr. Smith goes to washington. Its not a run on the bank thats at issue, its a run on financial records of 145 million americans. And the consequences and the inconveniences for fellow citizens is every bit as important to discuss today as the reasons behind why this breach occurred in the first place. Mr. Smith, as former chairman and ceo of equifax at the helm during and immediately after the breach, we appreciate your being here, and we expect your candor and full cooperation as we march toward getting the facts in this case. While there is no such thing as perfect security, companies do have a legal obligation to protect sensitive consumer data. This diligence is necessary to both comply with existing laws and maybe more importantly earn and keep the Publics Trust in a datadriven economy. Given the size of the breach and the sensitivity of the data we expect to learn more about how equifax failed to secure its systems and what contingency plans were in place. Further, we need to understand how information flowed through the organization and when you and other Senior Executives were notified about the breach. In other words how important was Cyber Security to you as the ceo and the rest of the executive team. Did while there are still many questions that need answers, a few details have emerged. First, the vubltlnerability that the hackers used to get into the equifax system was discovered in early march. From the beginning the vulnerability was described as critical and easily exploitable. The information was pushed out through multiple security information sharing channels including by the u. S. Computer Emergency Readiness Team to equifaxs chief Security Officer. For some period of time between march and august of 2017, the hackers were able to sit on equifaxs system and siphon out 145 million records without being detected. How did this go unnoticed . Further, is there a process in place to raise flags or alarms when massive amounts of data are pulled out of the equifax system . Then there are questions about equifaxs response for consumers that we need answers to. Why was the consumer facing website created on a separate domain from the main equifax website . Did anyone raise concerns about creating more consumer confusion with a separate website . Are consumers able to sign up for the products offered by equifax today . How many consumers have placed a fraud alert on their account or frozen their credit . On top of all the other issues, multiple times equifax tweeted the wrong url, directing consumers to the wrong website to check if they were part of a breach. Talk about hamhanded responses this is unacceptable. I have to agree with the interim ceo when he said there is insufficient support for consumers. Its important that, as congress does its work on Public Policy issues, that the federal trade commission and other agencies, including Law Enforcement agencies, continue their work, especially in light of recent reports that indicated there are markers of nationstate activity involved with this hack. But today, mr. Smith, i and the rest of the committee and congress and the country expect the answers. After all, the buck does stop with you as ceo. And i thank you for being here. And i return the balance of my time. Thank you very much. The gentleman yields back. The chair now recognizes the gentleman from new jersey, the chairman or the Ranking Member of the house. Thank you, mr. Chairman. While i understand that Law Enforcement and internal investigations into this incident are still ongoing, i expect to get more information today on what happened and why it took so long to inform the public. Most importantly, we want answers for consumers because equifaxs response to this breach has been unacceptable. So too has been equifaxs ongoing lax attitude when it comes to protecting consumer data. Its been four weeks since the breach was made public and at least ten weeks since it was discovered by equifaxs employees, yet equifaxs Customer Service has been confusing and unhelpful. Equifax even tweeted a link to a fake website. Many of the remedies now offered to consumers were not offered up front or in good faith. They were forced out of the company only after public outcry and are still inadequate. Its hard to imagine that anyone at equifax thought it was a good idea to offer only one year of credit monitoring with an arbitration clause at first to boot. Free and comprehensive monitoring and Identity Theft protection should be offered for far longer than a year. Most recently equifax added lifetime credit locks to its offering, which consumer advocates suggest are weaker than credit freezes. Regardless, a lock or a freeze at only one Credit Bureau is almost useless. Equifax should work with the other Credit Bureaus to immediately create a free, quick and easytouse freeze and unfreeze, onestop shop. Because credit freezes or locks may not work for everyone, Going Forward equifax should do more than credit locks. It should give consumers more control over how their data is used and stored. In addition if equifax wants to stay in business, its entire Corporate Culture needs to change to one that values security and transparency. After all, this is not equifaxs first data breach in the past year. Consumers do not have any say in whether or not the equifax collects and shares their data. And thats what makes this breach so concerning. This is unlike other breaches at stores such as target and michaels where consumers could make a choice and change their Shopping Habits if they were upset with how the companies protected data. Thats simply not the case with equifax. While data breaches have unfortunately become commonplace its long past time for congress, beginning with this committee, to act. Since at least 2005 this subcommittee has been considering data breach legislation but its never become law. And its time we change that. Yesterday Ranking Member schakowsky and i reintroduced the secure and protect americas data act. The bill would require enforceable. Robust Data Security practices and meaningful notice to consumers. It would give additional protections to consumers after a breach. Of course, breaches will continue to occur. But they occur more often when there is no accountability and no preventive meshuresasures are in place. We need to start somewhere. Mr. Smith, i read your oped in usa today last month and the sue ceos oped in the wall street journal last week. I appreciate that youre soriry but my question is what now. I yield back. I thank the committees leadership for organizing this important hearing. 145,500,000, a million americans 145. 5 Million People at risk because of equifaxs failure. Now, mr. Smith, the American People deserve answers, and i hope you are prepared to provide them. Not just about what caused the breach, but what equifax is doing to prevent this from happening again. And to ensure that those who were harmed are made whole. I worry that your job today is about damage control. To put a happy face on your firms disgraceful actions and then depart with a golden parachute. Unfortunately, if fraudsters destroy my constituents savings and Financial Futures there is no golden parachutes awaiting them. We have questions and its our expectation that you have concrete answers. We need to Work Together to hammer out real solutions. I recently took a step in that direction by introducing the the free credit freeze act to allow consumers to protect themselves by freezing and unfreezing their credit at no charge. It is unconscionable that equifax failed so spectacularly to protect peoples most sensitive personal data. Its even more reprehensible that the same Company Profits from the pain that they have caused. And i certainly hope that we can get some assurances from the committees leadership that we will have a markup and a hearing on legislation to ad