Transcripts For CSPAN3 Equifax Data Breach 20171024 : vimars

CSPAN3 Equifax Data Breach October 24, 2017

We will receive testimony on the protection of consumer data at credit bureaus. At the Equifax hearing, members expressed interest in better understanding how credit bureaus are regulated, how they protect consumer data, and whether there are gaps that Congress needs to fill. I've long been concerned about the ever-increasing amounts of big data collected by companies and by the government. It is critical that personal data is protected, consumer impact in the event of a breach is minimized and consumers' ability to access credit is not harmed. Credit bureaus play a valuable role in our financial institution by assessing a person's ability to meet financial obligations and also facilitating access to beneficial financial products and services. The inherent nature of the credit bureaus' business, as with most businesses in this digital age, requires utmost data security to ensure that sensitive consumer information is safeguarded. Two weeks ago Equifax testified about the methods it uses to protect its consumer databases, such as encryption at rest and tokenization. Richard Smith noted that while some of Equifax's databases are encrypted at rest, the dispute portal that was compromised was not. Questions remain about the best ways to protect sensitive data, including: Are there data security industry standards and best practices at credit bureaus? Should tools like encryption at rest be employed to protect all data containing sensitive consumer information? What role do financial rules and federal agencies play in data security at credit bureaus? Given that credit bureaus are financial institutions under the Gramm-Leach-Bliley Act, how does data security testing and oversight by regulators compare to that of traditional financial institutions? I look forward to hearing from our witnesses about what credit bureaus do to ensure security for the data they collect.
Who oversees credit bureaus to ensure they have adequate security measures in place, and what improvements could be made to the oversight of data security at credit bureaus? There are many things regarding company response to data breaches. The Equifax breach has left more than 145 million consumers a little confused as to what can be done to mitigate damage to their identities and credit. We do know that starting in January Equifax will offer all customers the ability to lock or unlock their credit files for free. Additional products have also been offered from Equifax and the other credit bureaus for consumers to monitor or freeze their credit reports. Many consumers remain confused about which options are best for them, but this hearing will hopefully provide some additional clarity. We have a shared interest on this committee in ensuring that credit bureaus take the necessary measures to safeguard personal data and minimize the risk of another massive data breach. Senator Brown.

Under current law, whether we like it or not, companies like Equifax can collect vast troves of information. That means information plucked from our work histories, our social media profiles, from reward cards to track our purchases at the grocery store, even information from our cell phones tracking our daily commutes. These companies are free to combine and sell that information to all sorts of financial institutions and other data mining firms who use it to make decisions about us, like what kind of car or job that we might get. Corporations like Equifax rarely have to tell us how or why these decisions are made. They get to hide behind proprietary models and trade secrets. It seems our laws protect big corporations' use of people's data a lot better than they actually protect people.
As a recent breach demonstrates, enhanced cybersecurity measures at companies like Equifax might work perfectly yet still do little to protect consumers' data. While 145 million people have had their private data exposed, it doesn't appear that any sensitive corporate data was accessed. Because the businesses are not accountable to consumers and consumers have no choice over who is collecting their information, consumer protection is pretty much an afterthought. As we talk about the clearly inadequate protections for consumer data at Equifax and those in place at the other consumer reporting agencies today, we cannot forget that the real victims of this hack are the 145 million people, 5 million in my state alone, that through no fault of their own have had their personal information. We need to talk about how we're going to strengthen cybersecurity but how to restore people's control over their own information. We need to examine whether the current credit bureau model makes sense for consumers. We know there's a long history of consumer complaints in inaccurate reporting that has long-term effects on people's ability to get a job or a house. Rather than addressing these problems they have spent millions acquiring other data collection companies and branching out into new lines of business. Despite their continued failure, there's no other word to use, their continued failure to provide accurate credit reporting services or to protect all of the data that they collect, these CEOs have been rewarded with enormous salaries and bonuses. Sometimes they come in front of us and say they're going to give up their bonus as if that's a major concession. Now in an era of nonstop cyber threats it seems they've made consumers more vulnerable. Equifax made astounding amounts of money off the consumer data it collected. It will hardly, unless things change, it looks like it will hardly pay a price for its recklessness.
It's still collecting and storing our data; in some cases we're giving each tax dollars to do it. I look forward to today's witnesses' views on these matters.

Thank you, Senator Brown. We'll now turn to our witnesses. First we'll receive testimony from Mr. Andrew Smith, on behalf of the Consumer Data Industry Association. Then we will hear from Mr. Marc Rotenberg, president of the Electronic Privacy Information Center. And finally we will hear from Mr. Chris Jaikaran, did I pronounce that right? Jaikaran, thank you. Mr. Chris Jaikaran, analyst in cybersecurity policy at the Congressional Research Service. Each witness is recognized for five minutes of oral remarks and then we'll proceed to questions. Mr. Smith, you may proceed.

Thank you. Chairman Crapo, Ranking Member Brown and members of the committee, thank you for the opportunity to appear before you. My name is Andrew Smith and I'm a partner in the law firm of Covington and Burling. I'm appearing today on behalf of the Consumer Data Industry Association, which is a trade association of companies that provide businesses with the information and analytical tools necessary to manage risk and to protect consumers. CDIA's members include the three national credit bureaus: Equifax, Experian and TransUnion. You've asked us to discuss how credit bureaus protect consumer data, but first I wanted to mention the important role played by the national reporting system in our economy. More than two-thirds of our GDP comes from consumer spending fueled by consumer credit. It's the national credit reporting system that allows consumers to quickly and effortlessly open a bank account or purchase a cell phone. More than 40 of consumers move every year. And the national credit reporting system facilitates this mobility. In addition to providing fast, fair, impartial access to well-priced car, apartment rental and other services.
Nearly 15 years ago Congress enacted the fair employment acts to protect consumer privacy and to foster the continued development and vitality of the national credit reporting system. The most recent revision to this comprehensive regulatory scheme was the CFPB as a supervisory agency. This was not just examining credit bureaus but examining the users of credit reports and the companies that contribute information into the credit bureaus. The virtual continuous supervision of the credit reporting system began in earnest in early 2012 and according to the CFPB has a proactive approach that will reap benefits for consumers and lenders for many years to come. With respect to data security, credit bureaus are subject to federal and state laws requiring them to safeguard consumer data, and because of the key role they play in the banking system, they also are subject to very specific private data security requirements such as the Payment Card Industry Data Security Standards. To begin, credit bureaus are required by the FCRA to maintain procedures to ensure that they only provide credit reports to legitimate people for legitimate purposes. These credentialing requirements go beyond contractual certifications and include comprehensive due diligence of customers as well as continuous monitoring of existing customers. The FCRA requires secure disposal of credit report information. In addition, the FTC's Safeguards Rule, referred to by Chairman Crapo, requires financial institutions, including credit bureaus, to develop and implement comprehensive information security programs. The laws of at least 13 states similarly require companies to implement and maintain reasonable procedures to safeguard sensitive personal information. Furthermore, almost every state requires that companies notify consumers when there is unauthorized access to or acquisition of sensitive personal information.
Because of their important role in the banking system, credit bureaus are also subject to private contractual data security requirements. For example, because the credit bureaus handle credit card information, the card networks, Visa, Mastercard, et cetera, require that they comply with the Payment Card Industry Data Security Standards and validate such compliance by obtaining an independent third-party audit of their security procedures. In addition, because banks provide a great deal of sensitive customer information to the national credit bureaus, they're required by their prudential regulators to conduct regular information security audits of the credit bureaus. These audits can include onsite inspections which might last for several days. Each of the three national credit bureaus is subject to dozens of these bank reviews each year. CDIA shares with you the goal of ensuring that consumers and businesses have confidence in the ability of the national credit reporting system to keep consumer data safe. Thank you for the opportunity to testify and we look forward to today's dialogue.

Thank you. Mr. Rotenberg.

Chairman Crapo, Ranking Member Brown, thank you for the opportunity to speak with you today. I'm Marc Rotenberg, I'm president of the Electronic Privacy Information Center. We are an independent, nonprofit research organization founded in 1994 to focus public attention on emerging privacy issues. I would like to begin by saying that the Equifax data breach is one of the most serious in our nation's history, on par with a 2015 data breach at the Office of Personnel Management that impacted more than 22.5 million federal employees, their families, and friends. The Equifax breach poses enormous challenges to the security of American families and even to our nation's security.
There is no simple solution, but in my testimony today I will outline the steps I believe that Congress can take to mitigate the risks that follow from the breach and reduce the danger and likelihood of future data breaches. I should also say that the Equifax breach is remarkable because of its scope, the sensitivity of the data, and the delay to fix a well-documented security flaw. More than four months passed from the time Equifax failed to install critical software updates. And the data that was disclosed is precisely the information that individuals rely upon to open bank accounts, get car loans, seek employment, and buy cell phones. The data included names, Social Security numbers, birth dates, home addresses, and driver's license information. This is also the data that criminals use to commit identity theft and financial fraud. Equifax is clearly responsible for this breach. The company was notified in March by both the Apache Software Foundation and US-CERT to make critical software changes. But it's worth emphasizing that Equifax chose to collect this personal data on American consumers. Consumers did not provide this information to Equifax. And the lax security strategy that they followed meant that a single breach resulted in the release of 145 million credit reports on American consumers. The breach will cause unprecedented harm. When hackers get access to credit card numbers, consumers can cancel accounts and change the credit card numbers. But it's not so easy to change a Social Security number. And I don't think it's possible to change your date of birth. Equifax's victims will be exposed to the ongoing risk of identity theft and financial fraud, which is already an enormous problem for American consumers. The FTC reported almost 400,000 cases of identity theft in 2016, 29 of those cases involve tax fraud, and the Department of Justice estimates the cost to the U.S. economy at over 15 billion per year.
The credit reporting agencies are in urgent need of reform. In my testimony I've outlined a number of steps that I believe should be taken to establish accountability and transparency. Most simply, consumers need to be given greater control about the information about them that impacts their financial future. This means, for example, that we should have a nationwide credit freeze or, to say a little bit more precisely, the disclosure of credit reports should be on an opt-in basis. We recognize the value of credit in the American economy. But it is the consumer who should decide when it is in their interest to disclose their information to a third party to obtain the car loan. They should not have to jump through hoops to put in blocks and freezes to restrict access by others. They should make the affirmative decision. Credit monitoring should also be freely available. You should not have to pay to be told that there's fraudulent activity on your account. But that is the current problem with credit monitoring services that require either a fee or limit the access to credit monitoring for 90 days. This makes no sense whatsoever. If there's a problem in the account, the consumer should be notified. We also think consumers should have more ready access to the contents of the credit report so they know who's receiving the information and the impac
