A Senate committee heard from the credit reporting industry and consumer protection groups. The hearing is just under two hours.

This committee will come to order. As a follow-up to our hearing on the Equifax data breach: at that hearing, members expressed interest in better understanding how credit bureaus are regulated, how they protect consumer data, and whether there are gaps that Congress needs to fill. I have long been concerned about the ever-increasing amounts of big data collected by companies and by the government. It is critical that personal data is protected and that consumers' ability to access credit is not harmed. Credit bureaus play a valuable role by helping assess an ability to meet financial obligations and also by facilitating access to financial products and services. The inherent nature of their business, as with most businesses in this digital age, requires the utmost data security to ensure that sensitive consumer information is safeguarded. Two weeks ago Equifax testified about the methods it uses, such as encryption at rest. The former Equifax CEO noted that while some databases are encrypted at rest, the dispute portal was not. Should tools like encryption be used for all databases containing consumer information? What role should they play at credit bureaus? Given that credit bureaus are financial institutions, how do data security, testing and oversight by regulators compare to that of traditional financial institutions? I look forward to hearing from our witnesses about what credit bureaus do to protect the data they collect, who oversees them to ensure they have adequate security measures in place, and what improvements could be made at the credit bureaus. There are also many concerns. The breach has left more than 145 million consumers a little confused as to what can be done to mitigate damage to their identities and credit. We do know that starting in January Equifax will offer consumers the ability to lock or unlock their credit files for free.
Additional products have also been offered by the credit bureaus for consumers to monitor or freeze their credit reports. Many consumers remain confused about which options are best for them. This hearing will hopefully provide some additional clarity. We have a shared interest in ensuring that credit bureaus take the necessary measures to safeguard personal data and minimize the risk of another massive data breach. Senator Brown.

Thank you. Under current law, whether we like it or not, companies can collect personal information that includes information plucked from our work histories, our social media profiles, from reward files that track our purchases, even information from our cell phones tracking our daily commutes. Generally it is combined to sell that information to all sorts of financial institutions and other data mining firms who use it to make decisions about us, like what kind of car or job we might get. Corporations like Equifax rarely have to tell us why or how these decisions are made. They get to hide behind trade secrets. It seems our laws protect the use of people's data a lot better than they actually protect people. As the recent breach demonstrates, enhanced cybersecurity measures might work perfectly yet do little to protect consumers' data. 145 million people have had their private data exposed; it doesn't appear any sensitive corporate data was accessed. It is in place of those other consumer reporting agencies today. We cannot forget the real victims are 145 million people, 5 million in my state alone, who through no fault of their own have had their personal information compromised. I hope at today's hearing we don't just talk about how we strengthen cybersecurity. We need to do that, but we need to explore how to restore consumers' control over their own information. We need to examine whether the current model makes sense for American consumers.
We know that these companies have a long history of consumer complaints and inaccurate reporting that has effects on people's ability to get a job or get a house. These CEOs have been rewarded with salaries, and now with nonstop cyber threats it seems they made them more [ inaudible ]; it is still collecting and storing our data. In some cases we are giving them tax dollars to do it. I look forward to your views. Thank you.

First we'll hear from Andrew Smith, then the president of the Privacy Information Center. Each witness is recognized for five minutes of oral remarks, and then we'll proceed to questions. You may proceed.

Thank you. Members of the committee, thank you for the opportunity to appear before you. My name is Andrew Smith. I'm appearing on behalf of the trade association of companies that provide businesses with the tools necessary to manage risks and to protect consumers. It includes the three national credit bureaus. You asked us to discuss how they protect consumer data. I wanted to mention the important role played by the national credit reporting system in our economy. More than two-thirds of our economy comes from consumer spending. It's the national credit reporting system that allows consumers to open a bank account or purchase a cell phone. The national credit reporting system facilitates this in addition to providing fast, fair and impartial access to well-priced credit, apartment rentals and other essential services. Nearly 50 years ago Congress enacted the Act to ensure impartiality and to foster the continued development of the national credit reporting system. The most recent revision to this scheme was the addition of the CFPB. This is the first agency to directly supervise the national credit reporting system, not just examining credit bureaus but also the companies that contribute information into the credit bureaus. The supervision of the credit reporting system began in early 2012 and has produced a proactive approach to compliance that will reap benefits for many years to come.
With respect to data security, credit bureaus are subject to federal and state laws requiring them to safeguard consumer data, and because of the key role they play, they are subject to very specific private security requirements such as data security standards. To begin, credit bureaus are required to maintain procedures to make sure they only provide credit reports to legitimate people for legitimate services. The laws of at least 13 states require them to maintain reasonable procedures to safeguard sensitive personal information. Almost every state requires that companies notify consumers when there is an unauthorized acquisition of sensitive personal information. Because of their important role in the banking system, credit bureaus are also subject to private contractual requirements. The card networks require that they comply with the payment card industry data security standards and obtain an independent third-party audit. In addition, because banks provide a great deal of sensitive information, they are required by regulators to conduct regular security audits of the credit bureaus. These can include on-site inspections to keep consumer data safe. Thank you for the opportunity to testify, and we look forward to today's dialogue.

Thank you. [ inaudible ] I would like to start by saying it is one of the most serious data breaches in the nation's history. It impacted more than 122.5 million people and affected family and friends. The breach poses enormous challenges. There is no simple solution to mitigate the risks, but there are steps that reduce the danger and likelihood of future data breaches. I should also say it is likely so because of the sensitivity of the data and the delay in fixing a well-documented security flaw. More than four months passed from the time Equifax was notified, during which it failed to install critical software updates. The data that was disclosed is the information individuals rely upon to open bank accounts, get car loans, seek employment and buy cell phones.
The data included names, Social Security numbers, birth dates, home addresses and driver's license information. This is the data criminals use to commit identity theft and financial fraud. Equifax is clearly responsible for this breach. The company was notified in March by both the Apache Foundation and [ inaudible ] of the need to make critical software changes. It is also worth noting the impact on American consumers. Consumers did not provide this information to Equifax. It will cause unprecedented harm. Consumers can cancel accounts and change their credit card numbers. I don't think it's possible to change your date of birth. It is already an enormous problem for American consumers. They reported almost 400,000 cases of identity theft in 2016; 29 percent involved tax fraud, and they estimate the cost at almost $15 billion a year. Credit reporting agencies are in urgent need of reform. In my testimony I outlined a number of steps I believe should be taken. Consumers need to be given greater control over the information that impacts their financial future. This means, for example, that we should have a nationwide credit freeze, or, to say it a little bit more precisely, disclosure should be on an opt-in basis. It is the consumer who should decide when it is in their interest to disclose or share information with a third party to obtain a car loan. They should not have to jump through hoops to restrict access by others. They should make the affirmative decision. Credit monitoring should also be freely available. You should not have to pay to be told there is fraudulent activity on your account. If there's a problem in the account, the consumer should be notified. We also think consumers should have more ready access so they know who is receiving the information and the impact the data might have. I have several other suggestions in my testimony which I would be pleased to provide. Thank you.

Thank you for the opportunity to testify. My name is Chris and I'm at the Congressional Research Service.
In this role I research and analyze security issues, including data security, protection and management. My written statement for the record goes into further detail, but my testimony today will focus on data security as an element of cybersecurity and on options for Congress to address data security. An increasingly used catchphrase is that today all companies are technology companies or data companies. This reflects that information technology and data play an important role in modern business practices, which allows companies to compete and thrive in the marketplace. This also creates risk for corporate leadership to manage. Adequately controlling that risk is an objective of cybersecurity. Managers must understand the vulnerabilities they have and the consequences of an incident. Incident response is how an entity discovers information about an incident and mitigates it. The staff involved is not limited to just IT personnel. Communications staff, for internal and external communications, legal teams, management and corporate boards who are accountable should all be included in response planning, among others depending on the entity. There will be a delay between the discovery of an attack and public notification of that attack. This may be conducted by a business partner, government response teams and law enforcement. How they will coordinate in the response and how they will share information is a factor which should be determined in the planning and training phase. The entity can continue to mitigate the incident's effects; these activities may be able to occur concurrently. I will now briefly present three options Congress could consider. Congress could explicitly authorize regulators to examine credit reporting agencies. The dialogue created between the federal government and credit reporting agencies could lead to greater understanding of the cybersecurity risk faced by credit reporting agencies and allow for deficiencies to be addressed prior to referral. Congress could regulate collection, use and retention of data regardless of the type of entity. Such data laws already exist.
These can establish requirements on how data must be stored and consumers' rights regarding the collection of data about them. Congress could require credit reporting agencies to identify and disclose their data model: its elements, how it is used and what other data the entity generates about the consumer. This would provide consumers with additional information that may affect their decisions in the marketplace. Thank you for the opportunity to testify today, and I look forward to your questions.

Thank you very much. Before I begin my questions, just to inform the senators, we have a vote at 10:30. Senator Brown and I discussed it. We intend to keep the hearing running. The first question I have is for the whole panel. Do you think we need to get rid of the Social Security number as a personal identifier, and if so, what viable alternatives do we have? How would we ensure it doesn't have the same drawbacks as the Social Security number?

I think if we eliminate the Social Security number as a personal identifier, we'll have to have some other unique identifier that will allow businesses and credit bureaus to know who they are dealing with. My name is Andrew Smith. There are thousands of me, perhaps tens of thousands of me. When you're looking at a bankruptcy court record, if there's no identifier, how do you know which Andrew Smith it is? It plays a critical role in the economy as identification, not authentication, not that I am who I say I am. As identifiers, socials do have a role to play; whether we need another identifier, I think we are willing to work with you on that to try to get to the right result for consumers.

Thank you for the question. I have spent many years before many congressional committees urging that limits be established on the use of the Social Security number, but we never argued for replacing the Social Security number. The key point is that the SSN serves an important purpose in certain government management systems. That is what it was established for.
The problem is that the SSN was adopted in the private sector and used as an identifier for general purposes. This has contributed to identity theft and financial fraud. It is used both as a password and an authenticator. When we talk about the Social Security number, we would not say replace the SSN. As I describe in my testimony, we would say limit the use of the SSN. It should only be available for lawful purposes. Thank you.

The Social Security number is a piece of personal information. It may lead to reduced consequences if there is a data breach; however, it would still remain personally identifiable information, and protecting it would provide an increased security posture in case there were a breach. Thank you.

Your testimony discusses encryption and other tools. Are there certain minimum standards that should be employed across the board for personally identifiable information? Are there measures that may have been able to detect it sooner?

In my testimony I discuss it as an element of risk management that a corporation may face in the conduct of its business. There is federal guidance created for the implementation of encryption. While this may exist, a lot depends on how it is implemented and the use cases of each individual company for where they apply that, how st