Transcripts For CSPAN3 Former Equifax CEO Before Senate Judi

CSPAN3 Former Equifax CEO Before Senate Judiciary Panel - Part 1 October 20, 2017

It was Mr. Smith's third such questioning in a week's time. And most of the subcommittee's inquiries focused on the speed of the credit reporting agency's response to the knowledge its data servicers had been infiltrated by nefarious forces. This is about an hour and 40 minutes.

This hearing of the Subcommittee on Privacy, Technology, and Law will come to order. We're here to examine persistent cybersecurity concerns in the data broker industry. This is not the first time our subcommittee has gathered to do so. After a cybersecurity breach last August, we held a hearing to ask the question: how secure is consumers' data in the hands of data brokers? The answer: not very secure. The industry immediately responded by committing to take serious security issues and pledging to dedicate resources toward data protection measures. Yet here we are two years later in the wake of what we now know as the largest breach of private consumer data. We're trying to figure out how it happened once again. It happened because data brokers have created an industrywide culture that appears not to prioritize the security of consumers' information. Traditional brokers who make a profit by buying and selling information to companies have direct interaction with consumers, very or little assurance to seeking trust and security is apparently treated as an expenditure that ought to be minimized. This of course is unacceptable. Today we ask another question: how do data brokers prioritize the security of consumers' data? We have now seen over and over how easy it is for hackers to breach data brokers' systems due to a lack of proper security. Last week Equifax said they were breached. Hackers were able to access Equifax's database through a software vulnerability that Equifax failed to resolve despite having been alerted to the vulnerability and its potential for criminal exploitation by DHS. The hackers continuously accessed the system undetected for a period of over four months.
By the time any steps were taken, 145.5 million Americans' personal identifying information had been stolen, including the data of nearly 3 million Americans, I'm sorry, 3 million Arizonans. We will now further ask what did Equifax do to prioritize the security of consumer data. We'll hear from Rick Smith, former CEO of Equifax. I'll let him describe the details of the breach. These details are important. We must examine them if we're going to learn from this incident. I'm also pleased to welcome to the committee Jamie Winterton from Arizona State University and Tyler Moore from the University of Tulsa, who will be on the second panel. It's my hope that this hearing will finally provide answers to the subcommittee's questions regarding industrywide security practices and identifying ways in which data brokers can truly prioritize the security of sensitive consumer data. Now Senator Franken, if you'll give your opening statement, we'll go from there.

Thank you, Mr. Chairman, for holding today's very important hearing. You and I were here two years ago assessing the security risks of vast databases of consumer information like those compiled by data brokers like Equifax. We spoke of such company as being forget target for cyber criminals and discussed lack of accountability that data brokers have to Americans, whose sensitive information they collect, analyze, and share on a massive scale. We also talked about the worst-case scenario, what happens when there's an unprecedented breach on a company that trades on the information of people with whom they have no direct relationship or no particular set of obligations. Unfortunately, we all know we're here today again because that worst-case scenario is our new reality.
Because of the gross failures of Equifax as well as a lack of safeguards protecting our privacy and security, 145 million Americans, including over 2 million Minnesotans, are facing the risk of identity theft for the rest of their lives. From tax fraud and medical identity theft to even driver's license theft, threats of individuals' financial security and frankly their livelihoods are too numerous to count and will persist for decades. To make matters worse, the Americans who could be hit the hardest are the ones who may be least able to bear such a burden. According to a Department of Justice survey, the average victim of identity theft loses 1,343 dollars in stolen assets and expenses. That's money out of Americans' pockets for Equifax's failures and a significant burden for most Americans. And let's not forget or downplay what this breach means for our national security. Whether there was a foreign government behind the breach of Equifax, no doubt a foreign government could use the information to target Americans for blackmail or influence future elections. Mr. Smith, I know you're about to tell us how sorry you are and I'm sure that you've had a lot of sleepless nights in recent months. But as a business that has consistently operated with little or no regard for the wellbeing of American consumers, I'm wondering whether you and the rest of Equifax's leadership foresaw the gravity of a breach and failed to take proper precautions, because you simply don't care. And because you don't have the care. Equifax won't be losing any business as a result of its failures. American consumers are not able to walk away and take their business or their personal information elsewhere. And that's because those consumers aren't your customers. They're your product. And you've been treating them as such for years.
Perhaps that's why in February of this year the CFPB reported that the three credit bureaus were ranked numbers two, three, and four in the agency's consumer complaint database, trailing only Wells Fargo. According to the 2012 FTC report, one in five credit reports contains an error. But for years consumers have struggled to meaningfully correct that information. And just this year, Equifax settled with the CFPB for ripping off consumers over its website, claiming to, quote, offer, quote, free credit scores when in actuality they were signing up for a 16 a month subscription service. Mr. Smith, your disregard for your customers was particularly evident in the first days following the disclosure of the breach, when Equifax attempted to force harmed individuals into arbitration and insisted on charging consumers to freeze their credit. Practices that were changed only after massive public outcry. So today's hearing is an opportunity to get to the bottom of Equifax didn't do what it should have done but also to think carefully about the future of data brokers and the credit reporting industry more broadly. Can data brokers with massive troves of data ever fully guarantee the security of that data? And if not, should such entities even exist? And if they must, how do we secure both transparency and accountability from the companies that trade on the most intimate details of our lives? I look forward to the testimony of our three witnesses. Thank you, Mr. Chairman.

Thank you, Mr. Franken. Senator Franken, before swearing in the witness, we'll turn to Chairman Grassley.

Thank you. For the audience, I don't normally attend all the subcommittee meetings. I have great confidence in our chairman and ranking members. But this is such an important one I wanted to be here to say a few words and then I have to go back to the Budget Committee meeting.
Chairman Flake, I know this isn't an unfamiliar subject to you monopoly in the last Congress you held a hearing and a subcommittee examining the data broker industry security standards for protecting personal information. I appreciate your hard work and the bipartisan approach that you and Senator Franken have taken in examining this issue over a long period of time. Today's hearing continues the committee's long-standing history involving our committee and data breach and data security. We've held hearings to examine past data breaches and spent years working on legislation to establish a uniform national data security and breach notification standard. Our progress in Congress has been slowing criminal hackers, continuing to find ways to break into even the most secured systems so, they seem to be even it's hard for Congress to keep up with them. Unfortunately, data breaches and cyberattacks are going to happen. It's a matter of when, not if. Most Iowans I hear from recognize this fact, but recognizing reality doesn't mean that we must accept it and give up. We all must work to prevent future attacks and limit the harm from those that do occur. Additionally, we must appreciate the fact that not all data breaches are the same. The information and risk of harm can greatly vary from one breach to another. For example, the past breaches at Target and Neiman Marcus, which this committee held a hearing to examine, involved financial information such as credit and debit cards. Of course this is information that absolutely must be protected and secured. If it falls in the wrong hands, it can create a lot of problems for individuals. But in the Equifax data breach, I think that's different. It's important that consumers and policymakers recognize this distinction because the threat landscape has changed. The information hackers obtained or gained access to in the Equifax breach is most sensitive personal information used by thieves to commit identity theft.
So we should let that sink in very definitely. A credit card number or a bank casualty information can be changed with a phone call, but you can't change your Social Security number and your date of birth. Anyone who's ever applied for a loan, a credit card, a job, or opened a bank account knows you have to provide a Social Security number and date of birth to verify your identity. Thus, if someone has this information they can do the same and take over your identity. They can become you and you won't know what happened until it's too late. Granted, it may be months or even years before a consumer suffers identity theft, if at all, as a result of the Equifax breach. Yet no one will be able to prove their identity was stolen due to this particular breach. We live in a world of data breaches, so good luck locating your identity theft's source. The status quo has changed with respect to protecting individuals from identity theft. Most Americans are clearly now at risk of real harm and not mere nuisance. What can and should we do? It's long past time for uniform national data security and breach notification standard. I've been working with Senator Feinstein and a bipartisan group of senators on this issue. I remain committed to getting a good bill put together and over the finish line, but that's just one step. This breach should be a wake-up call to the new identity theft threat landscape that we now face. All of us, policymakers, business and consumers, must start thinking differently than we have in the past. We need to look at ways to empower consumers, to limit or prevent identity theft from occurring in the first place. One tool that's been found to be effective is credit freezes. But credit freezes are costly and can be difficult for consumers to control. In the age of smartphones and other devices where consumers can turn things on and off with the tap of a button, this shouldn't be the case.
I look forward to learning more about the tools available to help consumers and the security threats faced by industry and consumers in light of this breach. So, Mr. Chairman, thank you again for holding this hearing. I encourage all of us to figure out ways to work together to strengthen the ability of consumers to protect and control access to their credit information and identity. Thank you.

Thank you, Mr. Chairman. Mr. Smith, will you stand to be sworn in? Do you affirm the testimony you are about to give before the committee will be the truth, the whole truth, and nothing but the truth?

I do.

Thank you. Mr. Rick Smith is the former chairman and CEO of Equifax. Before joining Equifax, Mr. Smith spent 2 years at General Electric and in top positions in the company's insurance, leading, and asset management departments. Your testimony will be entered into the record in its entirety. I ask that you'd summarize your testimony in five minutes or less. Please proceed.

Thank you. Thank you, Mr. Chairman, Mr. Chairman Flake, Ranking Member Franken, and the honorable members of the subcommittee. Thank you for the opportunity to testify before you today. As the chairman mentioned, my name is Rick Smith and for the past 12 years I've had the honor to be the chairman and CEO of Equifax. I've submitted written testimony earlier, which goes into much greater detail than I will today. I look forward to answering any questions that you may have. As you might guess, over the past month or so I've talked to many consumers and read their letters, and I understand how frustrated and fearful many Americans are about the breach that happened at Equifax. This is my third hearing in two days, and in each of these hearings I have said that there's no doubt that this criminal attack happened on my watch, and the responsibility as CEO of the company stops with me, and I take full responsibility for letting that breach occur.
I want to say to every person in this room and every American that I am truly sorry for the breach that occurred at Equifax and everyone at Equifax is deeply committed to making things right. Americans have the right to know how this happened. I'm prepared to testify today about what I learned and what I did about the incident in my role as CEO and chairman of the board and also what I've learned about the incident since being briefed by the company's investigation, which is ongoing. We now know that this criminal attack was made possible by a combination of a human error and a technological error. The human error involved the failure to apply a software patch to our dispute portal in March of 2017. The technological error involved a scanner which failed to detect the vulnerability on this particular portal which had not been patched. Both errors have since been addressed. On July 29th and July 30th, suspicious activity was detected. We followed our security incident response protocol at the time. The team shut down the portal and began our internal secure investigation. On August 2nd we hired top cybersecurity, forensic, and legal experts and we notified the FBI. At that time, we did not know the nature or the scope of the incident. It was not until late August that we concluded that we experienced a major breach. Over the weeks leading up to September 7th our team continued to work around the clock to make things right. We took four steps to protect the consumer. First was determining when and how we notify the public. Relying on the advice of our experts that we needed to have a plan in place as soon as we announced. Number two, helping consumers by developing a website, staffing up massive call centers, and offering free services to all Americans. Number three, preparing for increased cyberattacks, which were advised would occur shortly after the notification of a breach.
And finally, number four, continuing to coordinate with the FBI and the criminal investigation of the hackers and notifying other federal agencies, federal and state agencies, at the same time. In the rollout of our program, mistakes were made for which, again, I deeply apologize. I regret the frustration that many Americans felt when our websites and call centers were overwhelmed in the early weeks. It's no excuse, but it certainly did not help that two of our larger call centers were shut down for days by Hurricane Irma. Since then, however, the company has dramatically increased its capacity. I can report to you today that we've handled more than 420 million visits to our websites and wait times at our call centers have been substantially reduced. At my direction, the company offered a broad package of services to all Americans, all of them free, to help protect consumers. In addition, we developed a new service available in January 31st of 2018 that will give all consumers the power to control access to credit data by allowing them to lock and unlock their credit files when they want. This is free and it's free for life. Putting the power to control access to credit data in the hands of the American consumer is a powerful first step. We've all painfully learned data security is in fact a national security problem. And putting consumers in control of their credit data is just a first step towards a long-term solution of m
