Chair good morning, now that our executive session is complete we turn to the issue of data breaches. This is not a new issue. The committee has been focused on the Consumer Impact since before i was elected to the senate. The september 2004 choice point breach was considered to be the first highprofile data breach in the modern era prompted investigations from this committee and state authorities. Choice point was a data Aggregation Company originally as fateby equifax who would have it is represented here today. In terms of the inquiry the major data breaches, we have come full circle. Congress and this committee paid close attention to data breaches big and small. The committee has entertained proposals to strengthen requirements for Companies Across the board and impose federal requirements for companies to notify consumers following discovery of the breach. We are in the air of major data breaches, including equifax and yahoo that we are examining. The yahoo breaches are larger, the fx Equifax Breach is more severe given the nature of the data compromised. I have heard many constituents who were concerned about the lasting effects of the Equifax Breach. I have heard complaints it is difficult to set up a credit freeze and questions about whether credit monitoring is an effective tool to prevent Identity Theft. TheEquifax Breach exposed sensitive personal data of 140 5. 5 u. S. Consumers including the names, Social Securitys, birthdates, addresses cut and driver license numbers. Were affected. Will have an opportunity to provide an update regarding the breach as well as its much criticized efforts to mitigate harm and prevent anything like this from happening. The yahoo breach compromised over 3 billion User Accounts and followed a prior breach in which hackers still information five from 500 million users. The data included names, dates of birth, partial passwords, unencrypted security questions and answers, and employment information. The figure constitutes the entirety of yahoo mail and other yahoo owned accounts at the time of the breach. Have representatives will an opportunity to provide an update regarding the breaches as well as efforts to mitigate harm and ensure security and consumer data Going Forward. The data breaches illustrate dramatically that our nation continues to face constantly evolving Cyber Threats to her personal data. Companies that collect and store personal data on american citizens must step up to provide adequate Cyber Security and there should be consequences if they fail to do so. The committee made Cyber Security a priority and i am hopeful todays hearing will help help the committee when there is a risk of real harm stemming from a breach we must make sure that consumers have the information protect themselves. That is why i support a uniform federal breach notification standard to replace the patchwork of laws and 48 states in addition to the district of columbia and three other territories. A single federal standard would ensure all consumers are treated the same with regard to notification of data breaches that might cause them harm. Such a standard would provide consistency and certainty regarding timely notification practices that a fitting consumers and businesses. Securere that businesses information appropriately, i have advocated for uniform reasonable security requirements to protect consumer data. Based on the size and scope of the company and the sensitivity of the information. However in this regard, the facts of the equifax reach are troubling. As a Credit Bureau equifax was subject to the safeguards rule under the act which is considered to be a stringent regulation. The Equifax Breach occurred and its implement could implications appear dire. Enhancing security, protecting the personal data of consumers will be a priority for this committee. I want to thank our witnesses for appearing here today and i look forward to hearing your testimony. I will turn to senator nelson for his opening remarks. Senator nelson thank you, mr. Chairman. , this is the latest edition and a long history of hearings that we have held on this committee to discuss Data Security and breaches. Several senators on this committee who have asked for this hearing. Senator baldwin in particular, alator cortez, thank you for l the more ringing this to the forefront. If you start with the massive point reache choice in 2005, and then continuing with target, neiman marcus, shape hat, sony, citigroup, cvs, south shore hospital, heartland payment systems, and many others, the parade of highprofile data breaches seems to have no end and billions of consumers have had their , personallyrsonal identifiable information socialised, including security numbers, drivers licenses, addresses, dates of birth. For years Going Forward, criminals can use this data to steal the identity of innocent consumers and create fake accounts in their names and commit other types of fraud and i might point out that right now, we estimate 5 billion a year is being stolen from the u. S. Treasury just on fake federal income tax returns of which they get a refund. And on top of that, we also recently found out the 2013 yahoo breach compromised the personal data, it is hard to believe, 3 billion users. That is the biggest aider breach in history data breach in history. Yet today here we are once again dealing of the aftermath of the breachifax reach involving the personal identification information of nearly 145 million americans. Raisesst recent breach and even more troubling question. Agencies reporting that offer Identity Theft protection and Credit Monitoring Services cannot even safeguard their own data from hackers, then how can Consumers Trust any company to protect their information . And let me say also, when you get up against the sophistication of state actors such as russia and china, it is going to be hard to protect against them. Sadly, the question that millions of americans are now asking is, as they struggle to figure out how to protect themselves in the wake of these massive breaches, what in the world do we do . Chairman, ise, mr. Going to again consider what it would do to make sure that but ifrs are protected, we are going to do anything meaningful, we must have the clinical will political will to hold these companies accountable. Over the years the federal trade commission has brought numerous Enforcement Actions against companies for lax Data Security practices. But industry has recently challenged the ftcs wellestablished Legal Authority to bring such actions. This piecemeal, afterthefact approach would be better served if the ftc were able to prescribe rules that require companies to a. Reasonable security practices to adopt reasonable security practices in the first case. Been pute already forward to agencies like equifax. The agency should have a similar authority for the rest of the commercial sector. And so, mr. Chairman, i think at the end, it is only stiffer enforcement and stringent penalties are going to be able help incentivize companies to properly safeguard their consumer information, and to notify help their consumers whey have been compromised. I strongly believe that without rigorous Data Security rules in place, it is not a question of anotherwe will have one, but when. We can either take i hope it can inform our future actions. It needs to be addressed. Congress needs to be heard from. Glad to have our panel with us this morning. On my left in your right is mr. B from equifax, and richard smith, the former ceo at equifax. Ms. Marissa mayer, former ceo of yahoo incorporated. Verizon, zachariah for a Parent Company of yahoo since 2017. Wilkinsons, wilkinson, president and ceo of entrusted data card. I will start with you mr. Barro s, and ask you to confine your oral remarks as close to five minutes as possible. Anything extra can be on the record. Barros good morning. Rankingman thune, member nelson, members of the committee. Thank you for letting me be here today. Six weeks ago i was named interim chief executive officer of equifax. I never expected to become ceo under the circumstances. But i am honored to be in this position. Speaking for everyone at equifax come i am determined to address all the issues from the breach so we can regain the confidence of the American People. Equifax is based in atlanta, you can tell from my accent, i did not grow up in georgia. I am a native of brazil. I have had the privilege of working most of my adult life in the u. S. My children were born here. Im an engineer by training and i have spent a lifetime confronting and fixing complex business problems. This is the mindset i bring to my new position. Was the act as ceo consumer response and call centers and the website. We are working hard to fix the problem. I apologized to the American People and they do so again here today. You and thech of American People, equifax will be focused every day on assessing security and providing better support for consumers. Leader in an industry giving consumers more control over personal private data. In answer to your questions i would like to review briefly the actions we have taken in the past six weeks. First, my highest priority has been to improve service for consumers. I visit call centers, have spoken with call center havesentatives, personally taken calls from consumers and help to resolve their issues. Expandeddia, we have communication. Website,mproved the have staffed the call centers and made it more consumer friendly. The result is a substantial collection it reduction in backlogs and delays. We have revised our corporate structure. The chief Security Officer now reports directly to me. Officerlso appointed an to perceive the response to this incident. Improvingare rapidly our security infrastructure. Were changing our networks, our vetting procedures, introducing new tools, and strengthening our accountability mechanisms. Fourth, we have committed to working with the entire industry to develop solutions to the growing Cyber Security and Data Protection challenges we all face. We promise to launch a new, easytouse app in january that will give consumers access to data free for life. Scheduled where confident consumers will find it extremely valuable. We have done a lot in a short period of time. But this is just beginning. I remind my team every day that there are not shortcuts. It is asumers longterm commitment. Equifax is made up of 10,000 talented and dedicated people. Our business is not well understood. But it is essential for the economy and for helping consumers obtain credit they need. Our top job must be to protect the data entrusted to us. Did not meet the publics expectations and now it is up to us to prove we can regain the trust. We are committed to working with consumers, customers, congress, and regulators to restore public trust. This is been my focus during my first six weeks as ceo. It will continue to be my focus every day at my new job. Thank you for your attention and i welcome your questions. Sen. Thune mr. Smith. Mr. Smith thank you. Thank you for the opportunity to testify before you today. I submitted my written testimony to the committee and other committees in the senate and house. I testified over the last three or four weeks. The written testimony is a record of the events of the breach at equifax is that occurred. I am here today to answer any questions you may have. Thank you. Sen. Thune thank you, ms. The ms. Mayer. Mayer thank you for the opportunity to appear before you today. I have the honor and privilege of serving as the yahoos chief executive officer from july 2012 through the sale of the business in june of this year. As you know, yahoo was a victim of criminal statesponsored attacks on its systems, resulting in the theft of certain user information. We worked hard over the years to earn our users trust. I want to sincerely apologize to each and every one of our users. Of this in learned late 2014, yahoo promptly reported it to Law Enforcement and notified the users at that time who had been directly impacted. Yahoo worked closely with a Law Enforcement, including the fbi, and were able to identify and expose the hackers responsible. We now know that russian Intelligence Officers and statesponsored hackers were responsible for highly complex and sophisticated attacks on yahoo systems. The department of justice and fbi had a 27 count indictment charging criminals with these fbi praiseddoj and yahoo for our cooperation and early proactive engagement with Law Enforcement. 2016, yahoo determined the user data was most likely stolen from the company in august of 2013. Although yahoo and its outside Forensic Experts were not able to identify it, the company disclosed to incident, notified the users believed to have been affected, and took steps to secure all User Accounts. I want to stress how seriously i cyberhe threat of attacks. After growing up in wisconsin i remember buying my first computer in college, developing a passion for Computer Science and writing code and seeing the potential to change the world. After college i was hired by a small start up named google as their 20th employee and first female engineer. I worked my way up from Software Engineer to part of the executive operating committee. In july 2012i became ceo of yahoo . I will always be grateful for and humbled by the opportunity to have led yahoo and its employees for the last five years. My friends from yahoo and google have shown me the potential of the internet to change our world for the better. However, they have reinforced the dangers of sire cybercrime. Our efforts to confront the challenges of Cyber Security, including security measures and defenses yahoo has in place, in hopes of further advancing protection and security. We protected our systems and users. We devoted substantial resources to security with a shared goal of heading staying ahead of the evolving threat. Joined yahoo we roughly doubled our internal security staff and made significant investment. In addition to improving our talent, we improved our security processes and system defenses. Yahoo had in place multiple layers of sophisticated protection. We were extremely committed to security. I want to thank all of our team members for their tireless efforts in addressing yahoos yahoo s security needs. Russian agents intruded on our system. The threat from statesponsored attacks has changed the Playing Field so dramatically that today, i believe all companies, vulnerable to these crimes. Cyber security is a global challenge. No company, individual or Government Agency is immune from these threat. The attacks on yahoo demonstrate the strong collaboration between the public and private sectors is essential in the fight against cyber crime. Aggressive pursuit of cyber criminals as the doj and fbi exhibited in the yahoo case, could be a meaningful deterrent in preventing future crimes like these. Of thee words investigator, a nation state attack is not a fair fight and not one you will win alone. We can Work Together to level the cyber Playing Field. Ms. Zacharia. Ms. Zacharia thank you for the opportunity to testify here today. My name is Karen Zacharia and i am verizons chief Security Officer. Verizon has a longstanding commitment to protecting and safeguarding consumer data and Building Trust online. Increasingly connected world, verizon recognizes Strong Security and Consumer Trust are prerequisites to compete in the 21st centurys digital economy. The nature of our business requires verizon made Cyber Security a top priority. In 2016 verizon announce it entered into an agreement to acquire yahoo s operating business. That closed in 2017. Yahoo is now part of a new company from verizon called oath. Including yahoo news, yahoos sports, tumbler and aol. In september and december of 2016, yahoo announced its user data was stolen and two separate incidents in 2013 and 2014. This happened well before the acquisition of yahoo . At the time of the december 2016 announcement, yahoo disclosed one billion of the 3 billion accounts existing at 2013 had likely been impacted. Verizon acquired yahoo , we obtain new information from a with party and reviewed it the same Forensic Experts yahoo had used previously. Notoncluded all accounts, just a subset, were impacted by the 2013 security incident. Yahoo provided further notices to the impacted users beginning october 3, 2017. When wen a week determined that the impacted User Accounts. The review confirmed the stolen information did not include Social Security numbers or passwords and clear text, and did not include sensitive Financial Information like payment card data or bank account information. Although verizon do not own yahoo s operation operating business at the time of the 2013 data theft, we understood yahoo took action a