Join book tv for the miami book fair, live from miamidade ook college on cspan 2. Equifax hters that reported a drop. Recently, lawmakers heard from current and former c. E. O. s to talk about ways they are trying to protect consumers. This hearing is more than two hours. Good morning. Now that our executive session is complete, we turn to the issue of data breach. It is not a new issue to explore. Usedommittee has been folk on this. September 2004 choice point breach what many consider to be the data breach prompted investigations from this committee. For those who dont remember, choice point was a Company Originally created by equifax. N terms of the trajectory of inquiry, we have come full circle. We have paid attention. The committee has entertained to strengthen requirmements and impose requirements to notify their companies. Sadly, we are truly in the era of major data breaches and this is at equifax and yahoo . The equifax is potentially much more severe given the nature of the information compromised. I heard about the lasting effects of the Equifax Breach. I heard complaints it is difficult to set up the credit freeze and whether it is an effective tool. The breach reportedly exposed the personal data of 145 Million Consumers including names, birth dates and drivers license numbers. The credit card numbers of 200,000 u. S. Consumers and dispute documents containing identifying information from consumers. Today equifax will have an update regarding the breach and prevent anything like this from happening again. He breach compromised over three billion. He compromised data included personal information backed up email. The three billion figure constitutes the yahoo mail at the time of the breach. Today, yahoo representatives will have an update regarding these breaches and ensure the security of the data Going Forward. The our nation continues to face constantly evolving cyberthreats to our personal data. Companies that store and collect data must step to provide adequate Cyber Security. The Committee Makes this a priority and im hopeful this will help the committee to better understand these challenges to address data breach notification. When there is a risk of real harm stemming from a breach, we must make sure that consumers have the information they need to protect themselves. I support a federal standard to replace the patch work of laws n 48 states in addition to the district of columbia and three other territories. This would ensure all consumers are treated the same. Such a standard would provide timely noiks practices benefiting consumers and businesses. In order to ensure that businesses secure information appropriately, i have advocated for reasonable security requirements based on the size and scope of the company and the sensitivity of the information. However, in this regard, the facts of the Equifax Breach are particularly troubling. Equifax was already subject to the safeguard rule which is considered to be a stringent regulation. Nevertheless, the Equifax Breach occurred. And in handling security and handling the consumers. So i want to thank all of our witnesses for appearing here today and i look forward to hearing your testimony. I turn to senator nelson for his opening remarks. Senator nelson this as you stated is the long history and tradition of hearings we held on this hearing to discuss data scurelt and breaches. I want to thank several senators on this committee that have asked for this hearing. Enator baldwin, senator cortez thank you for all the more bringing this to the forefront. So if you start with the massive each of the choice point breach in 2005 and then and nuing with target neem cti group, Heartland Payment Systems and many, many others, the parade of high profile data breaches seems to have no end and billions of consumers have had their sensitive personal, personally identifiable information compromised, including Social Security numbers, drivers licenses, addresses, dates of birth. That offer Identity Theft protection and Credit Monitoring Services cant safeguard their own data from hackers, than how can Consumers Trust any company to protect their information. And let me say also, when you get up against the sophistication of state actors, such as russia and china, its going to be hard to protect against them. So sadly, the question that millions of americans are now king is, as they struggle to figure out how to protect themselves in the wake of these massive preaches, what in the world do we do . So this committee, mr. Chairman, is going to again consider what it would do to make sure that consumers are protected. But if were going to do anything meaningful, we must have the political will to hold these companies accountable. Over the years, the federal trade commission has brought numerous Enforcement Actions against companies for lax Data Security practices. But industry has recently challenged the f. T. C. s well challenged Legal Authority to bring such actions. This piecemeal after the fact approach would be better served if the f. T. C. Would prescribe rules that Companies Adopted reasonable practices in the first place. The f. T. C. Have brought rules that apply to Financial Institutions like equifax. The institution should have the authority for the rest of the commercial sector. I think at the end of the day, it is only stiffer enforcement and stringent penalties are going to be able to help incentivize to help safeguard their Consumer Information and notify their consumers when they have been compromised. I strongly believe that without rigorous Data Security rules in place, it is not a question of if, that we will have another one, but when. We can either take action with commonsense rules or start planning for our next hearing on this issue. Senator thune thank you, senator nelson and i hope the hearing can inform our future acks. It needs to be addressed. And Congress Need to be heard from. Glad to have our panel with us this morning. Interim chief executive information at equifax and former c. E. O. Of equifax. Former c. E. O. Of yahoo and the deputy general counsel for rizon communications, parent company. And and the chief and executive officer of entrust data. Well ask you to proceed with your comments and start on my left with you and ask if you can to confine your oral remarks close to five minutes at possible. But anything you want to add will be included in the written record of the hearing. Thank you for being here. Good morning. Chairman thune, Ranking Member nelson, members of the committee, thank you for the opportunity to be here today. Six weeks ago i was named executive officer of equifax. I never to become c. E. O. Under the circumstance, but im honored to be in this position. Speaking for everyone at equifax, im determined to issue the issues so we can regain the confidence of the American People. Equifax and you can tell from my accent that i did not grow up in georgia. Im a native of brazil. I worked the most in my adult life and im an engineer by training and have spent a lifetime of confronting and fixing complex business problems. This is the mindset. My first act was to address our consumer response in the call centers and our website. Our engagement was and we are working hard to fix the problem. I apologize to the American People and i do so here today. But i promise each of you and the American People that equifax will be focused on strengthening security and providing data support for consumers. And we will give consumers more control. Reduction in delays and back logs. Second, we have revised our corporate structure. The chief securities officer now reports directly to me. I have appointed a chief Information Officer who will respond to the cybersecurity incident. Third, we are improving our infrastructure. We have further hardening our networks and changing our procedures and detection tools and strengthening our mechanisms. Fourth, we have committed to working with the entire industry to develop solutions to the growing cybersecurity and Data Protection services we all face. And finally, we promise to launch a new easy to use app in january that will give consumers access to personal credit data for free and for life. We are only scheduled with the development of the app and we are confident that the consumers will find it extremely valuable. We have done a lot in a short period of time, but this is just the beginning. I remind my team every day that there are no short cuts. Strengthening the companys Security Capabilities and ensuring the consumers requires both. I have a longterm commitment and i pledge this is how we continue to proceed. He can which fa fax has 10,000 talented people and it is essential for the economy and helping consumers with the credit they need. Our top job must need be the entrusted data. And now its up to us that we need to regain the trust. We are committed to working with consumers, customers, congress and regulators on these issues and restore public trust. This has been my focus as first six weeks as c. E. O. Thank you for your attention and elcome your questions. Senator thune mr. Smith. Thank you mr. Chairman, thank you for the opportunity to testify before you today. I submitted my written testimony as well as to other committees in both the senate and the house and i have testified before over the past three, four weeks. That written testimony is the record of the events of the breach at equifax that occurred and im here today tore answer any questions you may have. Senator thune thank you, mr. Smith. Chairman thune, Ranking Member nelson and distinguished members of the committee, thank you for the opportunity to appear before you today. I have the honor and privilege of serving as yahoo s executive office since 2012. Yahoo is a victim of criminal tatesponsored attacks on user information. We earned our users trust. These attacks happened during my tenure and i apologize. When yahoo learned about the attacks, yahoo prompted to Law Enforcement and notified users who were directly impacted. We worked closely with Law Enforcement and f. B. I. Who were able to identify the hackers response i will for these attacks. We now know the russian Intelligence Officers were responsible for highly and sophisticated attacks. The department of justice and f. B. I. Charged four individual with these crimes against yahoo . And the d. O. J. And yahoo thanked us for our early engagement. Law enforcement provided yahoo with data files with dueser data. It was most likely stolen from the company in august of 2013. Although yahoo and its forensic reports didnt i identify, the company notified the users to be affected and took steps. I want to stress how serious the threat of cyberattacks and how personally i feel about these potential rifpks. After growing up in wisconsin i remember buying my first computer in college and seeing the potential of how this technology could change the world. By college i was hired google and first woman engineer. There over the next 13 years, i worked from Software Engineer and becoming a member of the executive committee. I became a c. E. O. Of yahoo . Im humbled by the opportunity to lead them. My expense from yahoo and google we have changed our world for the better and reinforced the potential dangers by cyber crime. I will discuss with the committee our efforts to the security measures and defenses yahoo has in place in advancing Consumer Protections community. We worked hard from the top down and bottom up to protect our systems and users. E devote the resources to go against these threats. We roughly doubled our internal security staff and made significant efforts. Improved our security processes. Yahoo had in place multiple place layers of protection. We were extremely committed to security and invested tremendous resources. I thank our members for their effort in addressing yahoo s security. While all of our measures have designed against the attacks, russian agents intruded in our systems. The threat have changed the Playing Field that today i believe all Companies Even the most well defended ones could fall victim. I will close that cybersecurity is a global challenge. No company, individual or even Government Agency is immune from these threats. The attacks on yahoo demonstrates that the collaboration is essential in the fight against cyber crime. Adepress i have pursuit of cyber criminals as the d. O. J. And f. B. I. Exhibited could be a meaningful deterrent in preventing future crimes. E acting assist ant general, our nations state attack is not a fair fight by working together we can help level the cyber field. Thank you for addressing the committee today. Chairman thune and Ranking Member nelson and members of the committee. Thank you for the opportunity to testify today. Im verizons chiefs privacy officer. Verizon has a significant and long standing commitment to safeguard consumer data. In an increasing connected world, verizon recognizes that this is prereck which sits to compete. The very nature of our business has required that verizon makes Data Security a top priority. N july 25, 2016, versong announced it acquired yahoo s operating business. That closed on june 13, 2017. Yahoo is part of a new company. It consists of 20 digital and mobile bands and yahoo news and yeah who supports. In september and december of 2016. Yahoo announced data was stolen in 2013 and 2014. These incidents happened before the ack acquisition. Yahoo disclosed one billion of the three billion accounts had likely been impacted. After verizon acquired yahoo , we acquired new information and reviewed it with the assistance of the same outside forensic experts. Based on that review, we concluded that will those accounts were impacted by the 2013 security incident. Yahoo provided individual notice beginning on october 3, 2017, less than a week we determined the scope of the impacted User Accounts. The review confirmed that the tolen information did not have stolen security numbers or Financial Information like bank account information. Although verizon did not own yahoo s operating business or during the incident response, we understood that yahoo took action to protect its users account. Yahoo required password changes where passwords had not been changed since 2014. They invalidated and answers so they could not be used to access accounts. Yahoo took those actions. This means that yahoo took steps in 2016 to protect all users including the additional User Accounts that were notified in october of 2017. Provide actively enhancing our ecurity is a evolution and gather intelligence, leverage to make improvements to our systems and provide more protection. As part of integrating, we are combining two strong existing security teams. We are examining the tools of each team and examining the best tools and practices. We are in the process of creating an Advisory Board that will have experts. And it will have an overall approach to security. And we remain committed to continuous improvement. At verizon, we are laser focused on our customers and we know that their information will be secure. As a result, we go to Great Lengths to integrate security across our plaintiffs and products. We are defending our companies assets and customers including those with the yahoo transaction. With the benefit of verizons benefit and resources and commitment of the accountability, we will continue strive ahead of an evolving landscape. Thank you for testifying today. I look forward to answering your questions. Chairman thune, ranking to er nelson, thank you discuss the major data breach and urge actions to protect national information. We have provided secure and digital identities that are used around the world in banking. Identity is a foundational element of our commerce system and the ways they build their financial lives. This information is targeted and we see more sophisticated attacks. Incredibly complex world. It starts with the secure identity. This will become more critical as we drive toward connectivity linking our lives to a connected system. According to the 2017 investigations report, 4 of all breaches can betraysed and able to compromise and gain access to data. The primary target is consumer identities. The information stolen has contained personally identifiable information, and the focus of this hearing is to examine the events and identify steps that could have been taken and determine if there are options to further safeguard. Regarding the issues of steps, today organizations are challenged by increasingly complex states and attacks from nation states. This could bring experts and no system is free of vulnerable systems. There are documented best practices and numerous security tools to mitigate common attacks and major breaches are from stolen credentials. And today, a substantial amount of p. I. I. That is the basis of secure transactions has been stolen and could be used to defraud consumers. We need to find a balance between responsible iffer behavior and underlying security identities. It will be critical to implement the system that can respond to compromise to ensure consumer data is no longer at risk. The federal government provides a ninedigit number, our Social Security card. This is issued at birth and difficult to