[inaudible conversations] Good morning now the executive session is complete data breaches not a new issue we've been focused on the consumer that was before I was elected to the Senate. The breach is what many would consider to be the high profile breach with a number of investigations from the federal and state authorities. This was originally created by Equifax so in terms of the trajectory the major did reach you could say we could come full circle. Congress paid close attention to the dative breach to strengthen Data Security requirements as well as those to affect companies to notify a the discovery of a breach so in that era with a large scale breach but while larger with consumers Equifax is more severe given the sensitive nature. We've heard from many constituents our concern of the lasting effects and I have heard complaints it is difficult to set up the credit freeze if monitoring is the effective tool. The breach exposed those consumers including names and Social Security numbers and a driver's license numbers also expose the credit card numbers from consumers and documents for more than 180,000 consumers so today to have an update regarding the of a breach to mitigate harm from happening again. Will we will discuss today in was a prior breach where similar information was stolen so the compromise data is names and telephone numbers and unscripted security questions then answers but that 3 billion figure from the time of the breach today their representatives have the opportunity to mitigate the harm Going Forward.
So that illustrates quite dramatically the nation faces cyberthreats those that collect and store summer should have Server Security and consequences of the failed to do so I look forward to the hearing as it considers legislation to bed dative breach notification if there is a risk we must make sure consumers have the information they need to protect themselves that is why I support the standard with a patchwork of laws in addition to the District Of Columbia and three other territories progressing well federal standard with regard to notification of those data breach and provide consistency benefiting both consumers and businesses in order to ensure we have advocated for reasonable security requirements based on the size and scope of the sensitivity of the information. However in this regard the Equifax Breach is troubling it was already subject to the safeguard under the act that was considered to be as stringent regulation but it occurred so enhancing security will be a priority for this Committee. Thanks to the witnesses for appearing in the above forward to your testimony. Thank you, Mr. Chairman and just as you stated is the history of hearings we have held for Data Security in breaches so several senators have asked hearing Senator Baldwin in particular so thank you for bringing this to the forefront. If you start with a massive breach from 2005 then continuing with saudi, city group, a cbs, south shore, the parade of high profile data breach has no end and billions of consumers have had their to have personally identifiable information compromised including Social Security numbers, a driver's license, addresses and for years Going Forward criminals can use the data to steal the identity of venice and consumers to create fake accounts and I might point out right now we estimate 5 billion per year is stolen from the U.S.
Treasury just with fake federal income tax returns that they get a refund a unit on top of that we also recently found out the 2013 yacht reach Yahoo breached 3 million users the biggest in history dealing in the aftermath of the Equifax Breach involving the personal identification information of 145 million Americans. Now the most recent is a more troubling question because of Credit Reporting agencies that offer the Credit Monitoring Services cannot protect their own data and how do they trust any company to protect information. So let me say when you get up against the sophistication of the state actors it will be hard to protect against them. So sadly the question millions of Americans are asking, in the wake is what do we do. So this committee will consider what it will do to make sure consumers are protected. But if we do anything meaningful remus have the political will to hold these Companies Accountable to have to raise Enforcement Actions for lax Data Security practices. The industry has recently challenged the Legal Authority to bring such actions so this piecemeal after the fact approach would be better served if the FTC could prescribe rules to prescribe companies to adopt reasonable security practices in the first place purport already put forward rules that apply to Financial Institutions like Equifax. The agency should have a similar authority for the rest of the commercial sector. So at the end of the day it is deferring enforcement with the stringent penalties to incentivize to safeguard Consumer Information and notify consumers. I strongly believe without rigorous Data Security rules in place not if but when. We can take action with commonsense rules are start planning for this issue. The also hope the hearing can inform those future actions. The panel has the executive office and from Equifax next to him the former co pay Equifax. Then the former CEO at Yahoo corporate.
The deputy general counsel chief privacy officer at Verizon Communications a part of Yahoo. Then we will ask you to proceed with comments starting a mile left to confine your all remarks at five minutes anything you want to add will be included in the written record. Thanks for being here. Good morning. To members of the committee thank you for the opportunity to be here for crow six weeks ago I was named chief executive officer of Equifax and never expected to become CEO in this circumstance but I am honored to be in this position. Speaking for everyone for those that have been breached you can tell from an accident did not grow up in Georgia and a native of Brazil I had the privilege working most of my adult life in the U.S. And i children were born here. And engineer by training to spend a lifetime fixing complex business problems. Said the first act was to address the consumer response so the engagement that they're working hard to fix the problem. Lasso apologize to the American People but I promise each of you that Equifax will be focused every day to provide support for consumers to give them more control side like to review so the highest priority I have visited call centers and is spoken with the representatives I have taken calls from consumers and help to resolve their issues. With a social media will significantly improve the web site and the call centers to make it more consumer friendly. Second to revise the Corporate Structure the chief Security Officer now reports directly to me. So this is a response to the cybersecurity. Third we are improving the security infrastructure. Introducing the new vulnerabilities and with that accountability mechanisms. Those that are committed to those solutions with cybersecurity and challenges we all face. And finally we promised to launch what gives the consumers the power to block access to their personal credit data. So we're on schedule and make it they can extremely valuable.
We have done a lot in a time but of this is just the beginning so I remind me to everyday so with those capabilities requires a daily engagement and a lifetime commitment. Equifax has 10,000 people it is not well understood but helping consumers get the credit that they need. So to protect the data we do not meet those expectations. We are committed to working with consumers and Congress and the regulators to restore public trust. This has been my focus with the first six weeks as CEO and every day. Thank you for your attention and I welcome your questions. Chairman and Ranking Member and honorable members of the committee I submitted my written testimony to this committee as well as others in the Senate in the House and the written testimony goes into the record of the events when the breach occurred and I will answer any questions you may have. Chairman, Ranking Member nonsense and distinguished members of the committee, thanks for the opportunity to appear before you today and have the honor of privilege of serving as the Yahoo chief executive officer July 2012 through the sale of June this year. Yahoo is the victim of state-sponsored attacks resulting in the fact that we worked hard over the years and as CEO and want to sincerely apologize to each and every one of our users. When Yahoo learned of the attack in late 2014 they promptly reported to Law Enforcement notifying the users that have been directly impacted. Working closely with law enforcement we were able to identify and expose the hackers responsible. We now know the Russian Intelligence Officers in state-sponsored hackers were responsible on the Yahoo systems. Forty-seven count indictment charging for individuals with these crimes in the users the other day the FBI praised Yahoo for our proactive impeachment and November 2016 Law Enforcement provided us with data files and third-party claims.
Fromzing it was stolen the company in August 2013 and although Yahoo was working with experts the company promptly disclosed to notify the accusers and to secure all User Accounts and personally when field about this and growing up in Wisconsin I had my first computer in college. To see how that emerging technology could use the world. That I was hired by Google. Then over the next 30 years there worked my way up to software engineer. So in July 2012 I became CEO of Yahoo. I will always be grateful for that opportunity to lead Yahoo for the last five years my experience has shown me the amazing potential of the internet to change for the better. I am here today to discuss our efforts with the challenges of cybersecurity with those measures that Yahoo had in place to of finance so throughout my tenure we would protect our systems devoting substantial resources tuesday ahead of the threats. Then be roughly double the internal security staff with the leadership and the team. In addition we also improve the system defense. Of sophisticated protection we were extremely committed to those resources thanks for their tireless efforts to address Yahoo security unfortunately coming up against a barrage of attacks Russian agents intruded on our systems. That change the Playing Field so dramatically even those of the most well defended so it's a Global Challenge no Government Agency is in you. The attack shows that collaboration between public and private sector is essential against cybercrime and in addition as the DOJ exhibit it could be a deterrent. So to echo the words of the attorney general nomination stage attack is not a fair fight by working together we can help. Thanks for the opportunity to address the community. Chairman, Ranking Member and members of the committee, thank you for the opportunity to testify today. I am Verizon chief privacy officer.
With a certificate and longstanding driven to protect and safeguard consumer data to build trust of mine in the increasingly connected world for a rise in recognizes Consumer Trust is a prerequisite to compete in the digital economy the nature has required it makes Data Security a top priority. Verizon announced it entered the agreement to enter the operating business so now newo is part of a company that consist of more than 50 digital and Global Brands including Yahoo news and sports and AOL. In December 2016 and announced the dave del was stolen in two separate instances 2013 and 2014. Well before Verizon acquisition so at the time it disclosed more than 1 million of those 3 billion accounts were likely impacted. After Verizon acquired it to give this Team Forensic experts used previously. Based on the review we concluded all accounts were impacted by the security incident so bin Yahoo provided further notice beginning October 3rd, 2017 less than one week. After the impacted accounts it did not include Social Security numbers or passwords and did not include Financial Information like payment card data or a bank accounts. Although Verizon did not root Yahoo at the time we understood that they took action around the time of the announcement to protect the users' accounts. They require a password changes if they had not been changed since 2014. They also invalidated in an unscripted security questions and answers. They took these actions beyond what was impacted so this means they took steps to protect all users including those that were individually notified. Proactively enhancing security is a top priority.
We track the evolution of attacks and leverage technology advances to apply more advanced protection so as part of integrating with two strong existing Security Teams to examine those practices to apply the best practices and tools to create the Advisory Board consisting of the external Security Experts with the overalls approach for crow security has always been in horizons DNA and for us to meet the security challenges of the future. We are focused on the needs of our customers we expect that will be secure. As a result we go to Great Lengths across the network and platforms and products with substantial resources to extend assets including those acquired with the transaction of Yahoo her call with the benefits of resources with the highest level of accountability we will continue to strive to stay ahead of the ever revolving threat. Thank you for the opportunity to testify a look forward to answering question. Chairman and Ranking Member and members of the committee thank you for the opportunity for these data breaches touching the vast majority what is necessary so almost 50 years we have provided solutions for a the identities with banking and government it is a foundational element the way they build their Financial Lives that value is the primary reason it is targeted that would be too significant data breaches. With the evolving and sophisticated task with greater connectivity with every aspect. So 43 percent could all be traced to a malicious actor. To use this information to gain access and once compromised in is consumer identity. With those most recent breaches the most identifiable information for millions of American citizens for the focus is to examine the recent data breach to ensure the of safety with those options for the future for regarding those issues of consumer data to date they are challenged by increasingly complex systems from other well organized groups. No system is free from vulnerabilities.
So there are documented best practices. So it is the result of Common Security mistakes. So today a substantial amount of the basis of identities and with driving responsible behavior writing in answer to the underlying consumer identities. It is critical to respond to recover quickly to ensure consumer data is no longer a risk. En that provides a nine digit number or Social Security card is issued at birth in difficult to change so while we made substantial advances and the recommendation is with that framework that is through that given Industry Collaboration with those partnerships around the world that identity framework allows citizens to utilize the morsi to reduce the breach or compromise so it could minimize risk and allow a consumer to cover their identity. That system today is broken into the secure this time to leverage available technologies and in the of previous testimony with a public-private ecosystem to security identities with that self assessment. Whether we drive that we to proceed now. So with that information that has already been compromised to have a more resilient identity. Thank you for your time today. We deeply value our security and with those cyberattacks there are persistent with that understanding of the facts. And to this day they have not been able to identify that intrusion receiving files from law enforcement we verify that it came from Yahoo we don't know how it was perpetrated. Why the delay? And then to underestimate Yahoo did not know of the intrusion in 2013. It in a very short period of time that it was most likely from August of 2013 and notify law enforcement and other users to take action on the accounts at that time we estimated more than 1 billion users. There were recent amounts from those the nederlander with the company. The 500 million originally then jumped up at 3 billion. Into calculate those. That 500 million number was the fall from 2014 to reach.
In prior testimony with that vulnerability and compound it by that scandal should have detected the failure but didn't. And that vulnerability could persist for several months without corrective action. So the company that holds the most Sensitive Information I hope you can understand why this is so hard to distained. Can you explain why there were not more redundancies built into the system? You testified nore weak