The government. It is critical that personal data is protected, consumer impact in the breach is minimized and consumers' ability to access credit is not harmed. Credit bureaus play a valuable role in our financial system by helping institutions assess a consumer's ability to meet financial obligations, and also facilitating access to beneficial financial products and services. The inherent nature of the business, as with most businesses in the digital age, requires utmost data security to ensure that sensitive consumer information is safeguarded. Two weeks ago, Equifax testified about the message it used to protect consumer bases such as encryption. Former Equifax CEO Richard Smith noted that while some of Equifax's databases are encrypted at rest, the dispute portal that was compromised was not. Questions remain about the best ways to protect sensitive data, including: Are there data security industry standards and best practices that credit bureaus . Encryptions like addressed the employed to protect all data. What role do financial institutions and federal agencies play in data security at credit bureaus? Given that credit bureaus are financial institutions, how does data security, testing, and oversight by regulators compare to that of traditional financial institutions? I look forward to hearing from our witnesses about what credit bureaus do to ensure security for the data they collect. Who oversees credit bureaus to see they have adequate security measures in place? What improvements could be made to the oversight of data security of the credit bureaus? There are many concerns regarding company response to data breaches. The Equifax breach has left more than 145 million consumers confused as to what can be done to mitigate damage to their identities and credit. We know that starting in January, Equifax will offer all customers the ability to lock or unlock their credit files for free.
Additional products have also been offered from Equifax and the other bureaus for consumers to monitor or freeze their credit reports. Many consumers are main about which options are best for them. This hearing will hopefully provide some additional clarity. We have a shared interest on this committee in ensuring that credit bureaus take the necessary measures to safeguard personal data and minimize risk of another massive data breach. Senator Brown.
Under current law, whether we like it or not, companies like Equifax can collect vast troves of personal information. That includes information plucked from our work histories, social media profiles, reward cards that track our purchases at the grocery store and information from cell phones tracking commutes. These companies are free to combine and sell the information to all sorts of financial institutions and other data mining firms who use it to make decisions about us, like what kind of car or job we might get. Corporations like Equifax rarely have to tell us exactly why or how these decisions are made. They get to hide behind proprietary models and trade secrets. It seems our laws protect big corporations' use of people's data a lot better than they actually protect people. As the recent breach demonstrates, cybersecurity measures at companies like Equifax might work perfectly yet still do little to protect consumer data. 145 million people had their private data exposed. It does not appear any sensitive corporate data was accessed. Because these businesses are not accountable to consumers and because consumers have no choice over who is collecting their information, consumer protection is pretty much an afterthought.
As we talk about the clearly inadequate protection for consumer data at Equifax and those in place of the other reporting agencies, we cannot forget the real victims of this hack are the 145 million people, 5 million in my state alone, who through no fault of their own have had their personal information compromised. I hope we don't just talk about how we strengthen cybersecurity. We need to do that, of course; we need to explore how to restore people's control over their own information. We need to examine whether the current model makes sense for American consumers. We know the bureaus have a long history of consumer complaints and inaccurate reporting that has long-term effect on people's ability to get a job or house. Rather than addressing these problems, the credit bureaus have spent millions acquiring other data collection companies and branching out into new lines of business, despite their continued failure to provide accurate credit reporting services or to protect all of the data they collect. These CEOs have been rewarded with enormous salaries and bonuses. Sometimes they say they will give up their bonus as if that's a major concession. Now in an era of nonstop cyber threats, it seems like they made consumers even more vulnerable. Equifax made astounding amounts of money off the consumer data collected. Unless things change, it looks like it will hardly pay a price for its recklessness. It is still collecting and storing data and in some cases we are giving tax dollars to do it. I look forward to the days we can talk on these matters.
We will now turn to our witnesses. First we receive testimony from Andrew Smith, partner at Covington, on behalf of the Computer Data Industry Association. Then we will hear from Mark Rosenberg, president of the Electronic Privacy Information Center. Finally we will hear from Mr. Chris Jackrin, analyst in cybersecurity policy at the Congressional Research Service.
Each witness is recognized for five minutes of oral remarks and questions. Mr. Smith, you may proceed.
Thank you for the opportunity to appear before you. My name is Andrew Smith and I am a partner at the law firm of Covington Burling. Behalf of the trade association of companies that provide businesses with the information and analytical tools necessary to manage risk and protect consumers. CDIA's members include the three national credit bureaus. You've asked us to discuss how credit bureaus protect consumer data. First, I wanted to mention the important role played by the national credit reporting. More than two thirds of our GDP comes from consumer spending, fueled by consumer credit. Credit reporting system that allows them to quickly and effortlessly open a bank account or purchase a cell phone. More than 40 of consumers move every year and the national credit reporting system facilitates this mobility in addition to providing fast, fair, and impartial access to well priced insurance, apartment rental and other services. Congress, years ago, enacted the Fair Credit Reporting Act to ensure fairness and impartiality, to protect consumer privacy and fight for the continued development and vitality of the national credit reporting system. The most recent revision to the comprehensive regulatory scheme was the addition of the CFPB as the supervisory agency. This is the first agency to directly supervise a national credit reporting system, not just examine credit bureaus, but the users of credit reports and the companies that contribute information. Supervision of the credit reporting system began in earnest in early 2012 and, according to the CFPB, has produced a proactive approach for many years to come.
Bureaus are subject to federal and state laws requiring them to safeguard consumer data and, because of the key role they play in the banking system, they are subject to very specific private data security requirements such as the Payment Card Industry Data Security Standards. Credit bureaus are required to maintain procedures that they only provide credit reports to legitimate people for legitimate purposes. These credential requirements go beyond contractual certification and include comprehensive due diligence of prospective customers as well as continuous monitoring of existing customers. They also require secure disposal of credit information. The FTC Safeguards Rule, referred to by the chairman, requires financial institutions including credit bureaus to develop and implement comprehensive information security programs. The laws of at least 13 states similarly require companies to implement and maintain reasonable procedures to safeguard sensitive personal information. Almost every state requires that companies notify consumers when there is unauthorized access to or acquisition of sensitive personal information. Because of their important role in the banking system, credit bureaus are also subject to private contractual data security requirements. The credit bureaus handle credit card information, and the card networks require that they comply with the Payment Card Industry Data Security Standards and validate such compliance by obtaining independent third-party audit of their security procedures. In addition, because banks provide a great deal of sensitive customer information to the national credit bureaus, they are required by their regulators to conduct regular information security audits of the credit bureaus. These can include onsite inspections which might last for several days. Each of the three national credit bureaus is subject to these reviews each year.
CDIA shares with you the goal of ensuring businesses and consumers have confidence in the national credit reporting system to keep data safe. Thank you for the opportunity to testify and we look forward to the dialogue.
Thank you for the opportunity to speak with you today. My name is Mark Rosenberg. Nonprofit independent research organization founded in 1994 to focus public attention on emerging privacy issues. I would like to begin by saying that the Equifax data breach is one of the most serious in our nation's history. With a 2015 data breach at the Office of Personnel Management that impacted more than 22.5 million federal employees, their families, and friends. Comes debt breach poses enormous challenges to the security of American families and even to our nation's security. But there is no simple solution. In my testimony I will outline the steps that I believe Congress can take to mitigate the risks that follow from the breach and reduce the danger and likelihood of future data breaches. The Equifax breach is remarkable because of its scope, the sensitivity of the data and the delay to fix a well-documented security flaw. More than four months passed in the time Equifax failed to install critical software updates. The data that was disclosed is precisely the information that individuals rely upon to open bank accounts, get car loans, seek employment and buy cell phones. It includes names, home addresses, birth date and driver's license information. This is also the data that criminals use to commit identity theft and financial fraud. Equifax is clearly responsible for this breach. The company was notified in March by both the Apache Software Foundation and US-CERT of the need to make critical software changes. But it is also worth emphasizing that Equifax chose to collect this personal data on American consumers. Consumers do not provide this information to Equifax.
And the lax security strategy they followed meant that a single breach resulted in the release of 145 million credit reports of American consumers. This caused unprecedented harm. When hackers get access to credit card numbers, consumers can cancel accounts and change the credit card numbers, but it is not so easy to change a Social Security number and I don't think it's possible to change your date of birth. Equifax's victims will be exposed to the ongoing risk of identity theft and financial fraud, which is already a problem for American consumers. The FTC reported almost hundred thousand cases of identity theft in the U.S. in 2016. 29 of those involved tax fraud and the Department of Justice estimates the cost to the U.S. economy at over 15 billion per year. Reporting agencies are in urgent need of reform. In my testimony I've outlined a number of steps that I believe should be taken to establish accountability and transparency. Most simply, consumers need to be given greater control of the information about them that impacts their financial futures. This means, for example, that we should have the nationwide credit freeze or, to say a little bit more precisely, the disclosure of credit reports should be on an option basis. We recognize the value of credit in the American economy, but it is the consumer who should decide when it is in their interest to disclose the information to a third party to obtain the car loan. They should not have to jump through hoops to put in the blocks and freezes to restrict access by others. They should make the affirmative decision. Credit monitoring should also be freely available. You should not have to pay to be told there is fraudulent activity on your account. That is the current problem of credit monitoring services that require either a fee or limit the access to credit monitoring for 90 days. This makes no sense whatsoever. If there is a problem in the account, the consumer should be notified.
We also think consumers should have more ready access to the contents of the credit report so that they know who is receiving the information and the impact the data might have. I have several other suggestions in my testimony which I will be pleased to provide to the committee. Thank you.
Chairman Crapo, Ranking Member Brown and members of the committee, thank you for the opportunity to testify. I'm an analyst in cybersecurity policy at the Congressional Research Service. In this role I research and issues issues and their of data security and management. My written statement goes in further detail. Will ony cyber incident response and options for Congress for security. An increasingly used catchphrase is that today all companies are technology companies or all companies are data companies. This concept reflects that data plays an important role in enabling the modern practices which allow companies to compete and thrive in the modern workplace. This also creates risk for corporate leadership to manage. Adequately controlling that risk is an objective of cybersecurity. Is an element of cybersecurity that involves risk m