[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

SECURING CONSUMERS' CREDIT DATA IN THE AGE OF DIGITAL COMMERCE

=======================================================================

HEARING
BEFORE THE
SUBCOMMITTEE ON DIGITAL COMMERCE AND CONSUMER PROTECTION
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES

ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION

__________

NOVEMBER 1, 2017

__________

Serial No. 115-70

Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov

__________

U.S. GOVERNMENT PUBLISHING OFFICE
27-917 PDF                    WASHINGTON : 2018

-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].

COMMITTEE ON ENERGY AND COMMERCE

GREG WALDEN, Oregon, Chairman

Majority:
  JOE BARTON, Texas, Vice Chairman
  FRED UPTON, Michigan
  JOHN SHIMKUS, Illinois
  MICHAEL C. BURGESS, Texas
  MARSHA BLACKBURN, Tennessee
  STEVE SCALISE, Louisiana
  ROBERT E. LATTA, Ohio
  CATHY McMORRIS RODGERS, Washington
  GREGG HARPER, Mississippi
  LEONARD LANCE, New Jersey
  BRETT GUTHRIE, Kentucky
  PETE OLSON, Texas
  DAVID B. McKINLEY, West Virginia
  ADAM KINZINGER, Illinois
  H. MORGAN GRIFFITH, Virginia
  GUS M. BILIRAKIS, Florida
  BILL JOHNSON, Ohio
  BILLY LONG, Missouri
  LARRY BUCSHON, Indiana
  BILL FLORES, Texas
  SUSAN W. BROOKS, Indiana
  MARKWAYNE MULLIN, Oklahoma
  RICHARD HUDSON, North Carolina
  CHRIS COLLINS, New York
  KEVIN CRAMER, North Dakota
  TIM WALBERG, Michigan
  MIMI WALTERS, California
  RYAN A. COSTELLO, Pennsylvania
  EARL L. ``BUDDY'' CARTER, Georgia
  JEFF DUNCAN, South Carolina

Minority:
  FRANK PALLONE, Jr., New Jersey, Ranking Member
  BOBBY L. RUSH, Illinois
  ANNA G. ESHOO, California
  ELIOT L. ENGEL, New York
  GENE GREEN, Texas
  DIANA DeGETTE, Colorado
  MICHAEL F. DOYLE, Pennsylvania
  JANICE D. SCHAKOWSKY, Illinois
  G.K. BUTTERFIELD, North Carolina
  DORIS O. MATSUI, California
  KATHY CASTOR, Florida
  JOHN P. SARBANES, Maryland
  JERRY McNERNEY, California
  PETER WELCH, Vermont
  BEN RAY LUJAN, New Mexico
  PAUL TONKO, New York
  YVETTE D. CLARKE, New York
  DAVID LOEBSACK, Iowa
  KURT SCHRADER, Oregon
  JOSEPH P. KENNEDY, III, Massachusetts
  TONY CARDENAS, California
  RAUL RUIZ, California
  SCOTT H. PETERS, California
  DEBBIE DINGELL, Michigan

Subcommittee on Digital Commerce and Consumer Protection

ROBERT E. LATTA, Ohio, Chairman

Majority:
  GREGG HARPER, Mississippi, Vice Chairman
  FRED UPTON, Michigan
  MICHAEL C. BURGESS, Texas
  LEONARD LANCE, New Jersey
  BRETT GUTHRIE, Kentucky
  DAVID B. McKINLEY, West Virginia
  ADAM KINZINGER, Illinois
  GUS M. BILIRAKIS, Florida
  LARRY BUCSHON, Indiana
  MARKWAYNE MULLIN, Oklahoma
  MIMI WALTERS, California
  RYAN A. COSTELLO, Pennsylvania
  GREG WALDEN, Oregon (ex officio)

Minority:
  JANICE D. SCHAKOWSKY, Illinois, Ranking Member
  BEN RAY LUJAN, New Mexico
  YVETTE D. CLARKE, New York
  TONY CARDENAS, California
  DEBBIE DINGELL, Michigan
  DORIS O. MATSUI, California
  PETER WELCH, Vermont
  JOSEPH P. KENNEDY, III, Massachusetts
  GENE GREEN, Texas
  FRANK PALLONE, Jr., New Jersey (ex officio)

C O N T E N T S

----------
                                                                   Page
Hon. Robert E. Latta, a Representative in Congress from the State of Ohio, opening statement .....................................    1
    Prepared statement ...........................................    3
Hon. Janice D. Schakowsky, a Representative in Congress from the State of Illinois, opening statement ...........................    5
Hon. Greg Walden, a Representative in Congress from the State of Oregon, opening statement ......................................    7
    Prepared statement ...........................................    9
Hon. Frank Pallone, Jr., a Representative in Congress from the State of New Jersey, opening statement .........................   10
    Prepared statement ...........................................   11

Witnesses

Francis Creighton, President and Chief Executive Officer, Consumer Data Industry Association .............................   13
    Prepared statement ...........................................   15
    Answers to submitted questions ...............................  120
James Norton, Adjunct Lecturer, Johns Hopkins University Zanvyl Krieger School of Arts and Sciences ............................   36
    Prepared statement ...........................................   38
    Answers to submitted questions ...............................  130
Bruce Schneier, Fellow and Lecturer, Belfer Center for Science and International Affairs, Harvard Kennedy School, and Fellow, Berkman Center for Internet and Society at Harvard Law School ..   44
    Prepared statement ...........................................   46
    Answers to submitted questions \1\ ...........................  133
Anne P. Fortney, Partner Emeritus, Hudson Cook, LLP ..............   55
    Prepared statement ...........................................   57
    Answers to submitted questions ...............................  136

Submitted Material

Statement of Jeff Greene, Senior Director, Global Government Affairs and Policy, Symantec Corporation, November 1, 2017, submitted by Mr. Harper ........................................  108
Letter of November 1, 2017, from the Electronic Frontier Foundation to Mr. Latta and Ms. Schakowsky, submitted by Mr. Harper .........................................................  116

----------
\1\ Mr. Schneier did not answer submitted questions for the record by the time of printing.

SECURING CONSUMERS' CREDIT DATA IN THE AGE OF DIGITAL COMMERCE

----------

WEDNESDAY, NOVEMBER 1, 2017

House of Representatives,
Subcommittee on Digital Commerce and Consumer Protection,
Committee on Energy and Commerce,
Washington, DC.

The subcommittee met, pursuant to call, at 10:32 a.m. in Room 2123, Rayburn House Office Building, Hon. Robert E. Latta (chairman of the subcommittee) presiding.

Members present: Representatives Latta, Harper, Burgess, Lance, Guthrie, McKinley, Kinzinger, Bilirakis, Bucshon, Mullin, Walters, Costello, Walden (ex officio), Schakowsky, Cardenas, Dingell, Matsui, Welch, Kennedy, Green, and Pallone (ex officio).

Also present: Representatives Barton, Cramer, and Duncan.

Staff present: Kelly Collins, Staff Assistant; Zack Dareshori, Staff Assistant; Melissa Froelich, Chief Counsel, Digital Commerce and Consumer Protection; Adam Fromm, Director of Outreach and Coalitions; Ali Fulling, Legislative Clerk, Oversight and Investigations/Digital Commerce and Consumer Protection; Elena Hernandez, Press Secretary; Paul Jackson, Professional Staff, Digital Commerce and Consumer Protection; Bijan Koohmaraie, Counsel, Digital Commerce and Consumer Protection; Katie McKeogh, Press Assistant and Digital Coordinator; Alex Miller, Video Production Aide and Press Assistant; Madeline Vey, Policy Coordinator, Digital Commerce and Consumer Protection; Everett Winnick, Director of Information Technology; Greg Zerzan, Counsel, Digital Commerce and Consumer Protection; Michelle Ash, Minority Chief Counsel, Digital Commerce and Consumer Protection; Jeff Carroll, Minority Staff Director; Lisa Goldman, Minority Counsel; Caroline Paris-Behr, Minority Policy Analyst; Tim Robinson, Minority Chief Counsel; and C.J. Young, Minority Press Secretary.

Mr. Latta. Well, good morning. I would like to call the Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection to order. And I also wanted to thank our witnesses for being here this morning. And I recognize myself for a 5-minute opening statement.

OPENING STATEMENT OF HON. ROBERT E. LATTA, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF OHIO

One month ago, this subcommittee was the first to hear testimony from former Equifax CEO Richard Smith about how his company's failure to protect against a known data security vulnerability led to the exposure of over 145 million Americans' sensitive information.

Today, we continue our investigation into the Equifax breach. We will focus on: helping the public get answers; how is the industry responding to this breach; what the industry response has been to this breach; has the cybersecurity landscape changed as a result of the breach; and what laws and regulations govern the protection of individuals' information collected by businesses.

On Friday, our full committee chairman, Greg Walden, raised questions about how the actions taken by businesses that use personal data affect security, privacy, and individuals' online identities.

The Equifax data breach was a stark demonstration of the responsibility that credit bureaus and all companies have when holding millions of Americans' sensitive information. In fact, Congress has recognized the sensitivity of this data and specifically enacted laws regarding the credit bureaus' business model.

Today, we are looking for answers about how best to secure consumers' credit data in order to protect against another breach of this magnitude. We want to shine a light on security practices and understand a path forward to restore confidence to U.S. consumers.

For example, lenders, including banks and retailers, use credit reports and related data to evaluate the likelihood that borrowers will repay their loans. This credit information assists consumers in accessing credit, buying a house, or securing a job. However, consumers may not know or understand what data has been collected on them and how it is being used by the credit reporting industry and their paying customers, including the Federal Government.
Today, we hope to shed light on these questions and provide more information for those consumers. With regard to Equifax, the subcommittee has taken a comprehensive review of the circumstances surrounding the breach. For example, it came to our attention last month that the Internal Revenue Service had awarded a no-bid contract to Equifax. On October 10, Ranking Member Schakowsky and I, along with Chairman Walden and Ranking Member Pallone, sent a bipartisan letter to the IRS Commissioner raising questions about the IRS decision to award a contract to Equifax for identity verification services in the aftermath of the Equifax breach. That contract has since been rescinded. We also sent a bipartisan letter on October 16 to the General Services Administration about the agency's consideration of data security practices when vetting vendors, like Equifax, and awarding Government contracts. We are looking forward to the GSA's response. Chairman Walden and I remain committed to working in a bipartisan fashion to get answers for the American public and to hold Equifax accountable. When former CEO Richard Smith came to Washington last month, he said, quote, ``The breach occurred because of both human error and technology failures.'' These quote/unquote ``errors'' and ``failures'' allowed criminals to access over 145 million Americans' data. As a result, names, addresses, birth dates, and full nine-digit Social Security numbers were exposed and certain drivers licenses, credit cards, and credit dispute information were taken. If your credit card information is stolen, you can contact Visa or MasterCard, and they will reissue a new card and a credit card number. If your Social Security number is stolen, it is much, much more complicated to get a new number. A Social Security number is intrinsically tied to each and every one of us. 
According to the FTC, there were nearly 400,000 identity-theft complaints in 2016, which amounts to 13 percent of all consumer complaints received. Nearly 30 percent of consumers reported that their data was used to commit tax fraud in 2016. Consumers also reported that their stolen data was used for credit card fraud, rising to more than 32 percent in 2016 from nearly 16 percent in 2015.

In the aftermath of the Equifax breach, months later, consumers may still be confused about how best to protect themselves. This subcommittee and agencies like the Federal Trade Commission have been providing useful information to consumers in the aftermath of the Equifax breach, but the post-breach consumer protection responses from Equifax have yet to be reassuring. Data collected and stored by credit bureaus must be protected and safeguarded at all times, and when a breach happens, consumers need swift and concrete answers from the company affected.

There are important questions about the best ways to protect sensitive data, including cybersecurity standards, trends, best practices, and emerging threats, particularly with respect to known cybersecurity vulnerabilities. There are also important questions about the regulatory landscape in which the credit bureaus operated before this massive breach, especially the legal and regulatory framework for credit bureaus, including the safeguards framework in the Gramm-Leach-Bliley Act and consumer protections contained in the Fair Credit Reporting Act. Also, what is the relationship between data breaches and the incidence of identity theft and fraud?

Data breaches may have become so commonplace that data experts and security experts have expressed concerns about breach fatigue. Congress cannot afford to be lax or idle in its oversight of these critical issues.

The testimony today is an important step toward answering the many questions that consumers are looking for, and I look forward to hearing from our witnesses today.

[The prepared statement of Mr. Latta follows:]

Prepared statement of Hon. Robert E. Latta

One month ago, this subcommittee was the first to hear testimony from former Equifax CEO Richard Smith about how his company's failure to protect against a known data security vulnerability led to the loss of over 145 million Americans' sensitive information. Our investigation continues into the Equifax breach and today's hearing is another step to get answers for the public about: what the industry response has been to this breach, if the cybersecurity landscape has shifted as a result of the breach, and what laws and regulations are at issue.

On Friday, our Full Committee Chairman Greg Walden authored an op-ed in which he raised questions about how actions taken by businesses built around individuals' data affect security, privacy, and individuals' online identities. All of these issues are critically important to understand in our digital economy and I look forward to working with the chairman and my fellow subcommittee chairman on these issues in the coming months.

The Equifax data breach was a stark demonstration of the responsibility that credit bureaus and all companies have when holding millions of Americans' sensitive information. In fact, Congress has recognized the sensitivity of this data and specifically enacted laws regarding the credit bureau business model. Today, we are looking for answers about how best to secure consumers' credit data in order to protect against another breach of this magnitude. We want to shine a light on security practices and understand the path forward to restore confidence to U.S. consumers.

Credit bureaus prepare credit reports based upon individuals' financial transactions history to provide such reports to third parties. For example, lenders, including banks and retailers, use credit reports and related data to evaluate the likelihood that borrowers will repay their loans. This credit information assists consumers in accessing credit, buying a house, or securing a job. However, consumers may not know or understand what data has been collected on them and how it's being used by the credit reporting industry and their paying customers, including the Federal Government.

The subcommittee has taken a comprehensive review of the circumstances around the breach. For example, it came to our attention last month that the Internal Revenue Service had awarded a no-bid contract to Equifax. On October 10th, Ranking Member Schakowsky and I, along with Chairman Walden and Ranking Member Pallone, sent a bipartisan letter to IRS Commissioner John Koskinen raising concerns about the IRS's decision to award a contract to Equifax for identity verification services in the aftermath of the Equifax breach. The contract has since been rescinded. We also sent a bipartisan letter on October 16th to the General Services Administration about the agency's consideration of data security practices when vetting vendors like Equifax and awarding Government contracts. We look forward to GSA's response.

I thank my colleagues across the aisle for working together on this serious matter. Chairman Walden and I remain committed to working in a bipartisan fashion to get answers for the American public and to hold Equifax accountable.

When former CEO Richard Smith came to Washington last month, he said quote: ``the breach occurred because of both human error and technology failures.'' These quote-unquote ``errors'' and ``failures'' allowed criminals to access over 145 million Americans' data. As a result, names, addresses, birthdates, and full nine-digit Social Security numbers were exposed. And certain driver's license, credit card, and credit dispute information were taken. If your credit card information is stolen, you can contact Visa or MasterCard and they'll reissue you a new card and credit card number.
If your Social Security number is stolen, it's much, much more complicated to get a new number. A Social Security number is intrinsically tied to each and every one of us. According to the FTC, there were nearly 400,000 identity theft complaints in 2016, or 13 percent of all consumer complaints received, with 29 percent of consumers reporting that their data was used to commit tax fraud in 2016. Consumers also reported that their stolen data was used for credit card fraud; rising to more than 32 percent in 2016 from nearly 16 percent in 2015. In the aftermath of the Equifax breach, months later, consumers may still be confused about how best to protect themselves. All of this is disconcerting, and frankly unacceptable. This subcommittee, and agencies like the Federal Trade Commission, have been providing useful information to consumers in the aftermath of the Equifax breach. But the post-breach consumer protection responses from Equifax have yet to be reassuring. Data collected and stored by credit bureaus must be protected and safeguarded at all times, and when a breach happens consumers need swift and concrete answers from the company affected. Our subcommittee members continue to ask whether consumers can be confident in the security of their data. There are important questions about the best ways to protect sensitive data, including cybersecurity standards, trends, best practices and emerging threats particularly with respect to known cybersecurity vulnerabilities. There are also important questions about the regulatory landscape in which the credit bureaus operated before this massive breach. For example, what is the legal and regulatory framework for credit bureaus, including the safeguards framework in the Gramm-Leach-Bliley Act and consumer protections contained in the Fair Credit Reporting Act? Finally, what is the relationship between data breaches and incidence of identity theft and fraud? 
Data breaches may have become so commonplace that data security experts have expressed concerns about ``breach fatigue.'' Though there may be fatigue, Congress cannot afford to be lax or idle in its oversight over these critical issues. I look forward to the testimony of the panel.

Mr. Latta. And the Chair now recognizes the ranking member of the subcommittee from Illinois for 5 minutes. The gentlelady is recognized.

Ms. Schakowsky. I thank you, Mr. Chairman.

Before I give my opening remarks, I must mention that I actually considered raising a point of order against the subcommittee accepting testimony from James Norton at the hearing today. I want to make perfectly clear that I am not objecting to anything that Mr. Norton might say, but this committee has rules of order, and they need to be followed.

James Norton was not listed on the memorandum that was distributed by the committee, and we found out that he was going to testify last night and saw testimony very late last night. While I understand that another witness was unable to make the hearing today because of illness, this last-minute replacement is really not respectful to the members of the subcommittee. It is disrespectful to the other witnesses on the panel. It is disrespectful, I believe, to the millions of Americans that are concerned about the security of their credit information. And it violates the committee's rules.

So Mr. Norton is here and ready to testify, and I appreciate that he was able to prepare so quickly. I will not be objecting today, but I do want to make it clear that violations of the committee rules are not acceptable and that I will object if this happens again.

I want to also say that I appreciate the bipartisan way in which we have been able to work together. The rules are important. So if I could begin----

Mr. Latta. Thank you very much. And the lady is recognized for 5 minutes. Thank you.

OPENING STATEMENT OF HON. JANICE D. SCHAKOWSKY, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS

Ms. Schakowsky. Thank you.

So today we continue our conversation on data security in the wake of the Equifax data breach. In our October 3rd hearing with former Equifax CEO Richard Smith, I asked him if I, as a consumer, can opt out of Equifax. After all, I never opted in. Equifax collects my data--that is, like, 1,500 pieces of information on each individual--whether I want it to or not, and now my data is at risk because Equifax failed to adequately protect it. Mr. Smith essentially said, ``No, you can't opt out. That's not how it works.''

This is incredibly frustrating for consumers, including the 145.5 million victims of the Equifax breach. That is about half the population. We have little power to protect their sensitive personal information, as credit reporting agencies and data brokers go under-regulated and under-scrutinized. I venture to say a lot of people didn't even know about Equifax until the breach came out.

We need to change that power balance by strengthening consumer protections around credit data. I don't buy the narrative that the Equifax breach happened because of a single careless employee. The system in place at Equifax allowed for a known and well-publicized security vulnerability in the Apache Struts software to go unpatched for months.

After the breach was discovered, Equifax took nearly 6 weeks to notify consumers. Congress, the Federal Trade Commission, and the Consumer Financial Protection Bureau were not notified. The website set up for consumers was a mess. Equifax tweeted links to a fake website. And the company is only providing 1 year of free credit monitoring services. We are awaiting clarification from Equifax on the credit lock service that it promised to offer at our last hearing.

Those failures should not be a surprise. What incentive does Equifax have to protect consumer data on the front end when consumers aren't its real customers?
I have not heard a parade of companies saying that they will refuse to provide Equifax with consumer data or refuse to use its services. This market is failing American consumers, and that is why Congress and consumer watchdogs must step in. I welcome the CFPB Director, Richard Cordray's call for embedded regulators at the credit reporting agencies. I look forward to the results of investigations into the breach, such as the investigation at the Federal Trade Commission. State attorneys general are also pursuing legal action against the company. And, ultimately, we need stronger legislation. Last month, I joined several other members of this subcommittee in introducing the Secure and Protect Americans' Data Act. Our bill establishes data security requirements to protect consumers' personal information. That includes special requirements for data brokers like Equifax that collect consumer data often without the consumers' knowledge. And it empowers the Federal Trade Commission to enforce those regulations with civil penalties. Our bill requires timely notification to State and Federal law enforcement agencies and to consumers when a data breach occurs. Finally, our bill requires meaningful remedies for breach victims. Victims would be entitled to 10 years of free credit monitoring or quarterly credit reports. And our bill enables breach victims to control access to their personal information and credit reports at no charge. Our legislation would be a good first step, but I am interested in further action the Congress could take. In written testimony, Mr. Schneier calls for making credit freezes the default so that consumers are opting in to have their data shared rather than paying to opt out. I expect the industry to engage with these ideas, given the problems consumers face. Old excuses that this is too big a change from the status quo don't cut it anymore. 
On October 12, the Democratic members of the subcommittee requested a hearing with current Equifax employees. We also called for advancing bipartisan data security legislation through the committee by the end of this year. And, Chairman Latta, I repeat that call today.

Our subcommittee has been bipartisan in demanding answers for breach victims. We should now be bipartisan in pursuing action. I stand ready to work with you on real solutions to protect American consumers.

And thank you for the latitude you have given me, and I yield back.

Mr. Latta. Well, thank you very much. The gentlelady does yield back. And the Chair now recognizes the chairman of the full committee, the gentleman from Oregon, for 5 minutes.

OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF OREGON

Mr. Walden. I thank the chairman. And thank you for your leadership on this and many other issues that we have successfully moved through.

This morning, we are here to discuss the topic of protecting America's data in the digital age. The advent of new technologies has reduced barriers and eased the ability of consumers to access credit and make needed purchases in ways unimaginable not very long ago. In literally minutes, using one's phone, Americans can procure a loan to purchase a refrigerator, a car, or even a home. The most remarkable thing about this is how unremarkable it has become.

As with any invention, the technological innovations that have facilitated access to credit bring with them new perils. As this committee explored in our hearing last month, Equifax, the credit reporting agency entrusted to safeguard the most important financial data of millions of Americans, instead allowed hackers to access that information through their failure to implement a software patch that had been brought to their attention by the Department of Homeland Security. There is no excuse for that.
And, in fact, consumers all over America now are trying to figure out what do they do next. We had a conversation of that in my own household this weekend. A relative of mine and we have been breached. Everybody is going, ``Now what do I do? And why do I have to pay? And what do I have to sign up--where do I go?'' This has to get fixed. Enough. Consumers are the one that are getting taken to the woodshed here. Companies are making billions of dollars off of our data, and we have had it. And we want to do the right thing; we don't want to do what Government often does, which is completely overreact and create a whole new regulatory regime that doesn't work. But let the message go out: This is serious stuff, and consumers are dramatically affected. They are inconvenienced, and it becomes costly to them. Unfortunately, the Equifax incident was only one example of the keepers of sensitive data failing to do their duty. For millions of current and former U.S. Government employees, including many people in this room, the Federal Office of Personnel Management similarly failed to live up to its trust to protect their most sensitive data. The OPM breach allowed hackers to access data used by the U.S. Government to determine whether a security clearance could be granted, including the consumer credit information, demonstrating that even the Government struggles to protect its most sensitive data. These incidents and others like them demonstrate the challenges of protecting consumer information in this digital age. We know it is not easy. They also remind us of how high the stakes are and how critically important it is that Americans know that when they fill out an application to obtain credit they are not exposing their most personal information to bad actors all over the world. 
There are a host of laws on the books already that require compliance--let's not lose sight of that--and that furnishers of consumer credit information are required to take steps to secure the data already under the law. The Gramm-Leach-Bliley Act prohibits financial institutions from disclosing nonpublic information without the consumers' consent. That is a law. The Fair Credit Reporting Act deems the unauthorized disclosure of consumer reports to be, quote, ``an unfair or deceptive act or practice.'' That is a law. The Dodd-Frank Act created an entirely new Federal bureaucracy, the Consumer Financial Protection Bureau, and charged it, among other duties, with the task of protecting consumer financial information.

Despite these new and sweeping powers, the Bureau seemed completely unaware that a company had failed to implement the necessary software patch that could have saved Americans' data from hackers. As I noted at the Equifax hearing last month, you can't fix stupid. But, surely, we can do better.

Despite all these existing laws and authorities, Equifax allowed the most sensitive consumer credit information of 145 million Americans to be exposed. Equifax's entire business model is predicated on collecting, maintaining, and securing individuals' private financial transaction history. It failed, and now Equifax must face serious consequences.

All of us, I am sure, are interested in any insights our witnesses can provide into how, despite these policies and procedures, incidents like the Equifax breach still happen. There are longstanding Federal, State, and private data security standards and requirements for protecting Americans' sensitive financial data. I am interested in learning more about any gaps or areas for improvement.

The instantaneous ability to obtain credit is a remarkable blessing in the electronic age, but it doesn't work when your data are stolen and sold on the dark net. Our ability to obtain credit is only as strong as our data protection.

So I appreciate our witnesses today. And I especially appreciate our substitute witness, who at the last minute made accommodations to share your knowledge with us. Thank you. I am sorry the witness that we had scheduled had to leave, violently ill. And so we appreciate, on short notice, your ability to come and help inform us in our work.

[The prepared statement of Mr. Walden follows:]

Prepared statement of Hon. Greg Walden

This morning we are here to discuss the topic of protecting Americans' data in the digital age. The advent of new technologies has reduced barriers and eased the ability of consumers to access credit and make needed purchases in ways unimaginable even a few generations ago. In literally minutes, using only one's phone, Americans can procure a loan to purchase a refrigerator, a car, or even a house. The most remarkable thing about this is how unremarkable it has become.

As with any invention, the technological innovations that have facilitated access to credit bring with them new perils. As this committee explored in our hearing last month, Equifax, a credit reporting agency entrusted to safeguard the most important financial data of millions of Americans, instead allowed hackers to access that information through their failure to implement a software patch that had been brought to their attention by the Department of Homeland Security.

Unfortunately, the Equifax incident was only one example of the keepers of sensitive data failing to do their duty. For millions of current and former U.S. Government employees, including many people in this room, the Federal Office of Personnel Management similarly failed to live up to its trust to protect their most sensitive data. The OPM breach allowed hackers to access data used by the U.S. Government to determine whether a security clearance should be granted, including consumer credit information, demonstrating that even the Government struggles to protect its most sensitive information.
These incidents and others like them demonstrate the challenges of protecting consumer information in the digital age. They also remind us of how high the stakes are, and how critically important it is that Americans know that when they fill out an application to obtain credit they are not exposing their most personal information to the world.

There are a host of laws on the books that require the compilers and furnishers of consumer credit information to take steps to secure that data. The Gramm-Leach-Bliley Act prohibits financial institutions from disclosing nonpublic information without the consumer's consent. The Fair Credit Reporting Act deems the unauthorized disclosure of consumer reports to be an ``unfair or deceptive act or practice.'' The Dodd-Frank Act created an entirely new Federal bureaucracy, the Consumer Financial Protection Bureau, and charged it, among other duties, with the task of protecting consumer financial information. Despite these new and sweeping powers, the Bureau seemed completely unaware that the company had failed to implement the necessary software patch that could have saved Americans' data from hackers.

As I noted at the Equifax hearing last month, ``you can't fix stupid.'' But surely we can do better. Despite all of these existing laws and authorities, Equifax allowed the most sensitive consumer credit information of 145 million Americans to be exposed. There is no excuse. Equifax's entire business model is predicated on collecting and maintaining individuals' private financial transaction history. It failed, and now Equifax must face serious consequences.

All of us, I am sure, are interested in any insights our witnesses can provide into how, despite these policies and procedures, incidents like the Equifax breach still happen. There are long-standing Federal, State and private data security standards and requirements for protecting Americans' sensitive financial data.
I am interested in learning about any gaps or areas for improvement. The instantaneous ability to obtain credit is a remarkable blessing that remains all too unavailable for most people living in less technologically advanced places. But for the companies and networks that make this privilege possible comes great responsibility. Our ability to obtain credit is only as strong as our data protection. In the cyber world foxes are always trying to break into the henhouse. It is our duty, and the duty of the possessors of sensitive consumer information, to make sure we have a strong fence. I look forward to hearing from our witnesses.

Mr. Walden. And, with that, Mr. Chair, I yield back the balance of my time.

Mr. Latta. Well, thank you very much. The gentleman yields back the balance of his time. The Chair now recognizes the ranking member of the full committee, the gentleman from New Jersey, for 5 minutes.

OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE IN CONGRESS FROM THE STATE OF NEW JERSEY

Mr. Pallone. Thank you, Mr. Chairman. I am glad we are holding this hearing, and I hope the committee will focus on how the practices of the credit reporting and data collection industries affect consumers. But today's hearing should not take the place of additional hearings on the data breach at Equifax. Too many questions remain unanswered, and that is why every Democratic member of this subcommittee wrote to you, Mr. Chairman, requesting additional hearings with current Equifax executives.

The Equifax breach exposed more than 145 million Americans to lifelong threats resulting from their personal information being exposed. Equifax says that it is, and I quote, ``taking responsibility for its failures,'' but Equifax is only providing victims with protections for 1 year. It refuses to give people meaningful control over how Equifax shares and sells the personal information that it collects.
And that is not taking responsibility; it is taking advantage, in my opinion.

Consumer reporting agencies collect vast amounts of personal information on almost every American, including children. And this is the information that determines whether someone gets a job or a new home or can afford medical care. And these companies are data brokers, too, selling all of that information to advertisers and others. You and I are not their customers. We are the product. These companies make their money selling our information to other companies, often without our knowledge and certainly without our approval. So they have no reason to limit the information they collect, to limit sharing or selling of that information, or to properly secure it.

Cyber attacks happen on an hourly basis, with more than 1,100 this year alone. Consumer reporting agencies and data brokers make rich targets for hackers because of the sensitivity and quantity of information they hold. And those companies know it. In fact, it was reported that Equifax was warned by a security researcher in late 2016 that Equifax was vulnerable to attack, but Equifax did nothing and had no incentive to do anything.

Right now, there are gaping holes in the laws and regulations when it comes to collecting and securing our personal information. The bill that Ranking Member Schakowsky and I introduced, the Secure and Protect Americans' Data Act, would close some of these loopholes. It would provide the Federal Trade Commission with the authority to assign monetary penalties against companies that fail to protect personal information or who fail to provide timely and meaningful notice to consumers that their information has been stolen. It would also give additional protections to victims after a breach. The bill would require that companies that failed to secure individuals' personal information provide free credit freezing or locking to a victim for at least 10 years after a breach.
So we all need to reexamine this industry's approach to consumer protection, including on issues like forced arbitration and the Federal Government's examination or auditing of these companies. We should also look at freezing credit reports by default, ensuring the data that is collected is actually correct, and give people control over their own personal information.

Now, in our hearing and again today, on the Equifax breach, Chairman Walden said that, and I quote, ``we can't fix stupid.'' But we have seen over and over again that breaches are not the result of stupidity. They happen because these companies choose not to invest in security. And, ultimately, it is the American people that pay the price for that choice.

[The prepared statement of Mr. Pallone follows:]

Prepared statement of Hon. Frank Pallone, Jr.

I'm glad we are holding this hearing, and I hope the committee will focus on how the practices of the credit reporting and data collection industries affect consumers. But today's hearing should not take the place of additional hearings on the data breach at Equifax. Too many questions remain unanswered. And that's why every Democratic member of this subcommittee wrote to you, Mr. Chairman, requesting additional hearings with current Equifax executives.

The Equifax breach exposed more than 145 million Americans to lifelong threats resulting from their personal information being exposed. Equifax says that it is ``taking responsibility'' for its failures. But Equifax is only providing victims with protections for 1 year. It refuses to give people meaningful control over how Equifax shares and sells the personal information that it collects. That's not ``taking responsibility.'' It's taking advantage.

Consumer reporting agencies collect vast amounts of personal information on almost every American, including children. This is the information that determines whether someone gets a job or a new home, or can afford medical care.
And these companies are data brokers too, selling all of that information to advertisers and others. You and I are not their customers. We are the product. These companies make their money selling our information to other companies, often without our knowledge and certainly without our approval. So they have no reason to limit the information they collect, to limit sharing or selling of that information, or to properly secure it.

Cyberattacks happen on an hourly basis, with more than eleven-hundred this year alone. Consumer reporting agencies and data brokers make rich targets for hackers because of the sensitivity and quantity of information they hold. And those companies know it. In fact, it was reported that Equifax was warned by a security researcher in late 2016 that Equifax was vulnerable to attack. Equifax did nothing and had no incentive to do anything.

Right now, there are gaping holes in the laws and regulations when it comes to collecting and securing our personal information. The bill that Ranking Member Schakowsky and I introduced, the Secure and Protect Americans' Data Act, would close some of those holes. It would provide the Federal Trade Commission with the authority to assign monetary penalties against companies that fail to protect personal information or who fail to provide timely and meaningful notice to consumers that their information has been stolen. It would also give additional protections to victims after a breach. The bill would require that companies that failed to secure individuals' personal information provide free credit freezing or locking to a victim for at least 10 years after a breach.

We also need to reexamine this industry's approach to consumer protection, including on issues like forced arbitration, and the Federal Government's examination or auditing of these companies.
We should also look at freezing credit reports by default, ensuring the data that is collected is actually correct, and give people control over their own personal information.

In our hearing on the Equifax breach, Chairman Walden said that we ``can't fix stupid,'' but we have seen over and over again that breaches are not the result of stupidity. They happen because these companies choose not to invest in security. Ultimately, it's the American people that pay the price for that choice.

Thank you, I yield back.

Mr. Pallone. I yield the remainder of my time to Congresswoman Matsui.

Ms. Matsui. Thank you, Ranking Member Pallone. And I am very pleased to cosponsor the Secure and Protect Americans' Data Act that you introduced with Ranking Member Schakowsky. The need for data security and breach notification requirements is not new. California passed notification legislation a decade and a half ago. But 15 years later, many Americans don't know what happens to their online data, as the Equifax breach has shown us. In the event that sensitive personal data maintained on an information system is breached, there is no comprehensive Federal law that will protect consumers. That is absolutely unacceptable.

Consumers deserve to know more about how their information is held once it is entered online. It may be that a comprehensive profile of my constituents' online activity could be compiled without them having any knowledge of how or for what purpose that data is being used. Consumers deserve a Federal backstop when that data is compromised. I look forward to working with the committee on ideas to best provide that certainty to Americans. Thank you, and I yield back.

Mr. Pallone. Thank you. And I yield back, Mr. Chairman.

Mr. Latta. Thank you very much. The gentleman yields back the balance of his time, and this now concludes our Member opening statements.
The Chair reminds Members that, pursuant to committee rules, all Members' opening statements will be made part of the record. Additionally, I ask unanimous consent that the Energy and Commerce Committee members not on the Subcommittee on Digital Commerce and Consumer Protection be permitted to participate in today's hearing. Without objection, so ordered.

Again, I want to thank our witnesses for being with us today and taking time to testify on this very important matter before the subcommittee. Today's witnesses will have the opportunity to give 5-minute opening statements, followed by a round of questions from our members. Our witness panel for today's hearing will include: Mr. Francis Creighton, who is the president and CEO of the Consumer Data Industry Association; Mr. James Norton, adjunct lecturer at the Johns Hopkins University; Mr. Bruce Schneier, who is the adjunct lecturer in public policy at the Harvard Kennedy School; and Ms. Anne Fortney, who is partner emeritus at Hudson Cook.

And, again, I would like to again thank Mr. Norton for his last-minute replacement of Mr. Greene, who informed the subcommittee that he was unable to testify because of illness. So we appreciate it. And before we get started, again, our witnesses will have 5 minutes. If you would like to pull the microphone up close and press the button. And, Mr. Creighton, you are recognized for 5 minutes. Thanks again for your testimony today.

STATEMENTS OF FRANCIS CREIGHTON, PRESIDENT AND CHIEF EXECUTIVE OFFICER, CONSUMER DATA INDUSTRY ASSOCIATION; JAMES NORTON, ADJUNCT LECTURER, JOHNS HOPKINS UNIVERSITY ZANVYLL KRIEGER SCHOOL OF ARTS AND SCIENCES; BRUCE SCHNEIER, FELLOW AND LECTURER, BELFER CENTER FOR SCIENCE AND INTERNATIONAL AFFAIRS, HARVARD KENNEDY SCHOOL, AND FELLOW, BERKMAN CENTER FOR INTERNET AND SOCIETY AT HARVARD LAW SCHOOL; AND ANNE P. FORTNEY, PARTNER EMERITUS, HUDSON COOK, LLP

STATEMENT OF FRANCIS CREIGHTON

Mr. Creighton. Thank you.
When I took this position with CDIA back in May, I was excited to come here because I wanted to work on an issue I am passionate about: How do we bring more people out of the financial shadows and into the regulated financial system? Consumer reporting is one of the best ways to achieve that goal, and I am excited to have the opportunity to tell that story. But the news that was revealed on September 7 changed that conversation. The scale of the criminal attack at Equifax is breathtaking, and, like you, I want to better understand what happened and make sure it never happens again.

But in the wake of the attack, we have heard a number of statements that go beyond making sure this doesn't happen again, that somehow the credit reporting system is unregulated and that consumers are getting ripped off. Nothing could be further from the truth.

First, this industry is highly regulated. My written statement goes into more detail, but we are subject to the Fair Credit Reporting Act, one of the most important and strongest consumer protection statutes on the books today. FCRA subjects reporting companies to comprehensive regulatory and consumer protection regimes. The FCRA protects privacy, includes criminal penalties for people who abuse the system, mandates the accuracy and completeness of consumer reports, and makes the process transparent for consumers. On data security, the nationwide consumer reporting agencies are subject to the FTC's safeguards rule as nonbank financial institutions under the Gramm-Leach-Bliley Act. We are also regulated and face enforcement by the State attorneys general, are bound by contractual obligations from our financial institution customers, and make sure we meet the requirements of the Federal Financial Institutions Examination Council. At every level, this is a well-regulated industry. If in the course of the investigation we find a regulatory gap in a particular area, we pledge to work with you to address it.
Protecting consumer data is the most important thing we do. It is not just good for business; it is the right thing to do.

But if this were just a question of regulation, that would be one thing, but since the hack, we have heard people suggest that maybe we don't need a consumer reporting system at all. Our credit reporting system today is the envy of the world. It is one of the main reasons American consumers have such a diverse range of lenders and products from which to choose. This stands in stark contrast to many other financial systems, including those in developed nations. American consumers have access to the most democratic and fair credit system ever to exist. Individual consumers have the liberty to access credit anywhere in the country, from a wide variety of lenders, based solely on their own personal history of how they personally have handled credit.

So when a family tries to buy a house for the first time, they can access the right mortgage for their own personal needs. A young person who comes here to work on the Hill and has to buy a car to get to work can go to an auto dealer and drive off the lot the same day even if she or he has never been to this area. A young family can access credit through a mainstream financial institution rather than depending upon shadowy lending services. Without access to a full credit report, lenders, landlords, community banks, credit unions, insurance companies, and others won't know how a consumer has handled their obligations in the past unless those service providers know the customer personally.

Credit reports are also a check on human bias and assumptions. They provide lenders with facts that contribute to equitable treatment for consumers. CDIA members establish an accountable and colorblind system for judging creditworthiness. Without this system, subjective judgments could be based on factors other than the fact of creditworthiness.
Today's credit reporting system has made it possible for middle-class consumers to get credit at rates that previously were reserved only for the wealthy. Credit reporting companies are innovating to solve the problem of the unbanked, thin-file, and credit-invisible consumers who have not had a chance to participate in the mainstream financial system. This is a system that works whether you are at a global bank or at a community-based credit union, because companies share critical information across the system to benefit everyone. In one sense, lenders take their sensitive customer information and share it with a trusted third party so that another financial institution, potentially a competitor, can use that information to make a more informed lending decision. This results in lower prices, more choices for consumers, and a safer and sounder financial system.

Our individual credit reports tell the story of our individual choices. They are neither positive nor negative. They are our best attempt at an accurate portrait of what we individually have done. And they offer the tools lenders and others need to make judgments about how a particular person will handle his or her obligations in the future.

Thank you for having me here today. I look forward to your questions today and in the future.

[The prepared statement of Mr. Creighton follows:]

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

Mr. Latta. Again, thank you very much for testifying before us today. And, Mr. Norton, you are recognized for 5 minutes.

STATEMENT OF JAMES NORTON

Mr. Norton. Thank you, Chairman Latta, Ranking Member Schakowsky, and members of the subcommittee. Thank you very much for inviting me to testify before you today. My name is James Norton, and I am the founder and president of Play-Action Strategies, a homeland security consulting firm here in Washington, DC. I am also a member of the Johns Hopkins University faculty, teaching graduate courses on homeland security and cybersecurity.
Previously, I served in multiple positions at the Department of Homeland Security under President George W. Bush, including as Deputy Assistant Secretary of Legislative Affairs. I was a member of the Department's first team tasked with confronting the then-nascent cybersecurity threat.

My testimony will focus on how attacks like the one that led to the Equifax breach fit into the larger cybersecurity context and what can be done to strengthen cybersecurity protections on the front end.

Today, cybersecurity threats are pervasive, and any company or institution that houses large amounts of personal data is a potential target. Each year, hackers and other bad actors launch millions of attacks on cyber infrastructure maintained by governments, businesses, and individuals. Current cyber threats take many forms and target a range of vulnerabilities, increasing the complexity of cybersecurity missions. Attacks like the Equifax breach, the WannaCry ransomware attack, and the Yahoo breach in 2013-2014 are more widespread and complex than earlier intrusions, demonstrating that bad actors are becoming more sophisticated in their efforts. So far, cybersecurity protections have largely failed to keep pace.

While security frameworks like those laid out in the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act are important guideposts and should be maintained, lawmakers should resist the temptation to put in place rules and regulations that require companies and institutions to take specific federally prescribed actions to address cybersecurity issues, resulting in limited flexibility for private-sector companies to respond to emerging threats. Instead, I would encourage officials to commit themselves to working collaboratively with businesses and consumers to share best practices and raise awareness about the scope and sophistication of cyber threats.
To help meaningfully address cybersecurity challenges, I offer the following recommendations for the subcommittee:

The Federal Government should take the lead in convening relevant stakeholder meetings to develop and share best practices, including an examination of how efforts currently underway within the Federal Government and in the private sector can be adapted for applications in other sectors, as well as help businesses better understand the national security threat with the intelligence that is available to the Government.

Government officials and private-sector leaders must make a more concerted effort to ensure that consumers and even other businesses, especially small-business owners, are aware of the threat and the tools that are publicly available in the marketplace to reduce the vulnerability.

Businesses must encourage a path to integrate cybersecurity into their companies' culture through regular training and updates, which obviously was lacking with Equifax.

I thank the committee for holding this important hearing, and I look forward to your questions. Thank you.

[The prepared statement of Mr. Norton follows:]

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

Mr. Latta. Thank you very much for your testimony. And, Mr.--I want to make sure I am pronouncing your name--it is ``Schneier''? ``Schneier''?

Mr. Schneier. Rhymes with ``frequent flyer.''

Mr. Latta. OK.

Ms. Schakowsky. I said it wrong too. I added a D. So ``Schneier,'' right?

Mr. Latta. We apologize. We want to make sure we get it right. You are recognized for 5 minutes. Thank you very much for testifying today.

STATEMENT OF BRUCE SCHNEIER

Mr. Schneier. Thank you for having me. I am Bruce Schneier. I am a fellow and lecturer at the Harvard Kennedy School. I am associated with the Berkman Center at Harvard. I also work for IBM. I am speaking for none of them. And, actually, it is probably best if we just don't tell IBM that I am here.

The Equifax breach was bad. We have heard a lot of the details.
This was very sensitive information about half of our country. And Equifax security really was laughably bad, both before, during, and after the attack. This is also not the first time. There is a Forbes article that outlines breach after breach from Equifax.

So the question I ask is, what is going on? We have this large data-broker industry whose job is to collect information about us to sell to other people. We are talking about financial information, but it is actually much more than that: information about our interests, about what we do, about what we do on the internet, things we buy, places we go. It is thousands and thousands of data points about all of us, some of them very intimate, that are wanted by others and are collected, sorted, collated, and sold without our knowledge and consent.

And the market can't fix this. A couple of people have said that we are not the customers. And that is correct; we are not Equifax's customer. Chairman Walden said, you know, there is no excuse for stupid. There actually is an excuse for what Equifax did. If you are the CEO of Equifax--and he was here--and your choice is to either save 5 percent on your budget by having lax security and taking the chance or spending the money, you are going to take the chance. You are rewarded by coming in under budget. As long as your customers don't complain--and none of them did--that is not a problem. Because we are the product, we are not protected. And that is why this is not something that a market can fix. The CEO left with an $18 million pension. He did OK. His decision was arguably the correct one in this environment.

All right. So what should we do here? There is a 2014 FTC report on data brokers. It is worth picking up and reading again. It talks about more transparency and more customer control over their data. I would like it if you would fund research into the actual harms that come from these breaches.
One of the problems in lawsuits from customers is that proving harms is hard. If you were the victim of identity theft in 6 months, was it because of Equifax or because of half a dozen other breaches? You don't know. And without that direct connect, courts will throw out cases.

I would like to see a nationwide credit freeze, where credit information is given upon permission. There is no reason why my credit should be given out without my permission. If I am applying for a car or I am applying for a mortgage, I am going to know, so I should be able to do that.

I would like some kind of data minimization. We talked about opt out. Be careful, though. Opt out often doesn't mean opt out. In many of these cases, when you opt out, you opt out your data being given away--not being collected, not being stored. You will be just as vulnerable when there is a breach if you opted out as if you opted in. So be careful what ``opt out'' means.

I would like the FTC to set minimum security standards, financial and nonfinancial. And avoid questioning if this is too hard. Right now, a lot of these companies operate in Europe. The regulations are much more stringent. Starting next year, we are going to see the GDPR, the generalized data protection regulations, even more stringent. And they can do things there they can bring here.

So a couple of final points. This has some real foreign trade implications. Right now, there are safe harbor rules that allow us, U.S. companies, to collect data on Europeans. If we show that we are incompetent at it, those rules are going to be dropped, and we are going to have a lot of problems for our U.S. companies doing business overseas.

And this has national security implications as well. Someone mentioned that China went after the Office of Personnel Management. They are after data on U.S. citizens. North Korea funds a lot of their stuff using cyber crime. Russia wants our data.
The data of all of us, of all of you, are in these databases, and foreign governments want it. To the extent we don't protect it, we are making it easier for them.

If you had half a dozen people standing behind you constantly, taking notes on everything you did, you would notice that, and there would be a law immediately making that illegal. That is what happens today. There are something like 2,500 to 4,000 data brokers, and they are in your computer secretly taking notes, collecting data on everything you do, everything all of us do. That is a massive industry, and it is invisible. We need to make it visible, and we need to institute some controls. This is not something the market can fix, because we are its product.

Thank you.

[The prepared statement of Mr. Schneier follows:]

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

Mr. Latta. We appreciate your testimony this morning. And, Ms. Fortney, you are recognized for 5 minutes.

STATEMENT OF ANNE P. FORTNEY

Ms. Fortney. Thank you. Good morning. I am Anne Fortney. Thank you for the opportunity to appear before you today. I am the partner emeritus at Hudson Cook law firm. My career involved more than 40 years' experience with consumer reporting and the credit industry, including service as the Associate Director for Credit Practices at the Federal Trade Commission and as in-house counsel at a retail creditor. I also served as a lawyer consulting clients on compliance.

Consumers today are understandably very worried about the security of their personal information held by large corporations, including credit bureaus. Some background may be helpful in understanding the benefits of the system, the legal protections, and, I think most importantly, the ways in which consumers can personally manage their financial information.

Our consumer reporting industry evolved over many years in order to meet the needs of banks and commerce so that companies could provide to consumers the products and services they want and need.
In the late 19th century, creditors came together to share customer payment information. These voluntary information exchanges then became credit bureaus. Today, there are four principal credit reporting agencies, but there are also consumer reporting agencies that deal in information other than credit. These deal in information relating to medical payments, landlord/tenant experience, check-writing histories, employment, and insurance claims. Each kind of consumer reporting agency developed because industry members agreed to report their information voluntarily to a centralized system in order to serve the respective needs.

Consumer reporting agencies today maintain large databases on consumers, including personal identifying and sensitive financial information. By engaging in credit transactions, consumers create their credit histories at credit reporting agencies. Consumers don't specifically opt in to having this data maintained and used, but they benefit from the totality of credit reporting agencies' information when lenders use it to verify their identity as well as determine their eligibility for credit.

Despite the clear benefits of the system, the disclosure and use of information in these databases pose risks to consumers. Congress has enacted laws to protect consumers' sensitive information while also assuring that the data is available to meet the needs of commerce. My written statement summarizes these laws, and, believe me, they are extensive. In addition, Federal and State officials oversee the collection, use, and security of consumers' nonpublic data through bank supervision and legal enforcement.

We may focus on big data when there is a security breach, but companies holding consumers' personal data work continuously to secure the data by monitoring, detecting, evaluating, and addressing security threats. And there are millions of such threats.
They perform this monitoring to comply with Federal and State laws, but they also do it because the data and the integrity of their data is essential to their business. It is not an area where they cut costs. Despite best efforts, however, data breaches can and do occur. When measured against the volume of potential data security threats, these breaches are very, very infrequent. But when it is my data that is involved, I am less concerned about whether the system otherwise works so well. I think that is how we all feel.

But I know I can protect myself against inaccurate data and the risk of identity theft. Here is how: First, I monitor my credit report information through a credit monitoring service. I check my credit report and review it for any suspicious activity. I accept my bank's offers for my free credit score. I read my credit card billing statement when it arrives, and I notify the card issuer if I don't recognize the charges. I also read my checking account statement and contact the bank if there is check fraud. Like everyone, I lead a busy life, but these simple measures do not take much time, they are free, and they make me feel secure.

I also know what to do if I am worried about being a victim of identity theft. I can place fraud alerts on my credit report at the three largest credit bureaus. I can get a free report if I do so. These alerts reduce the likelihood that someone can misuse my information to open a fraudulent credit account. I can also block the reporting of credit information that has been the result of identity theft. I can go to credit bureaus' websites to learn how to take these steps and to learn more about how to keep my data secure. I can also go to the FTC's website for identity privacy and online security. It contains a wealth of useful information about privacy and identity theft. The website will also tell me what to do if I become a victim of identity theft.
In sum, there is a tradeoff between consumers' right to privacy of their personal information and the commercial needs and benefits of that information. Our laws reflect that balance in the tradeoff. But we consumers are not powerless in our ability to monitor and control the accuracy, confidentiality, and security of our information. Thank you. [The prepared statement of Ms. Fortney follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] Mr. Latta. Well, thank you very much for your testimony today. And, again, we appreciate all of our witnesses for being with us today. And that will conclude the witnesses, and we will start with our Members' questioning. And I will start with my 5 minutes. Mr. Creighton, if I could start with you, considering the size and scope of the Equifax breach, consumers are confused and rightfully skeptical about what they should be doing to protect themselves. Could you briefly--and briefly because I have limited time--what should we tell our constituents about how the credit reporting industry is securing your sensitive data? And, trust me, we are all hearing it from our constituents from phone calls when we are back home. So thank you very much for being here. Mr. Creighton. Sure. And I hear it too. Obviously, this impacts us, everyone here on the panel, as much as it impacts you. What is the industry doing to protect our data? The same thing every company that has sensitive information is doing: They are monitoring their systems. They are learning from every breach that happens, not only in our industry but across the economy. We are fighting this war on a daily basis. We are getting attacked nonstop, from nation-states, as one of the other witnesses was mentioning, from criminals, and from many others. What do we do? We monitor. We test our system. 
We try to do data minimization and encryption, inside and while the data is in transit, to make sure that if, in fact, somebody is in the system the information is not usable if they are in there and to try to keep them out of the system in the first place. Taking care of consumers' sensitive personal information is the most important thing that we do. In this case, we failed. But it is still the entire industry's number-one priority. Mr. Latta. Thank you very much. Mr. Norton, Equifax is subject to Federal data security standards. Other industries are subject to Federal and State security standards. However, breaches continue in all the sectors. When companies are evaluating how to protect individuals' data from cyber criminals or nation-states, are there best practices to follow? And, most importantly, how effective are the regulations that are out there in policing companies' cybersecurity practices today? Mr. Norton. Well, I think it is obvious by the number of attacks we have seen every day, every week, every year that we are not doing enough. So I think that is pretty clear, that, you know, the larger corporations, whether it is Equifax, Home Depot, or Target, they have all been exposed and they have all been attacked because they all are targets because they have a large amount of information on their systems. I think partnerships through places like Department of Homeland Security, Department of Commerce are important to establish. I think real-time information needs to be exchanged a lot faster than it is right now. I think we need to almost indoctrinate some of the business partners with the Federal Government in terms of allowing them to get some of this sensitive information and create that culture that I don't think really exists, you know, at a lot of C-suites right now. Mr. Latta. Let me ask you about what you just said. OK, exchanging that data in real time, that real-time data, how would you describe that, and how should that be done? Mr. Norton. 
Well, I think that you need, you know, certainly, somebody that is at a senior level within--a CEO--so let's use States, for example. After the 9/11 attacks, a lot of Governors stood up homeland security apparatuses at the State level and they had homeland security advisers, and I think you need a similar model at the CEO level, where the CEO has a cybersecurity--not just an adviser but somebody that is at a senior level that can be in the meeting not once a month, not every 6 months, not every quarter, but every day, and they can get briefed every day on these threats. Any company that has large amounts of personal information, like we were talking about earlier, like Equifax, or large amounts of other types of IP, you know, for example, companies that have, you know, high-end, valuable assets that might be for sale, again, would be something that would be attacked. So I think all these things need to be considered and need to be part of that exchange in terms of the day-to-day threat information. And if DHS or other agencies, you know, need more funding or they need to continue to stand up, then that is an area that I think the subcommittee could definitely support. Mr. Latta. Thank you. Ms. Fortney, given your experience at the FTC and in your legal practice, what potential consequences do you see for Equifax given the regulatory environment? And, again, what laws and regulations are at play in this situation? Ms. Fortney. The first thing we need to do is find out exactly what happened. And the FTC has announced--they took the extraordinary step to announce that they were conducting what is usually a nonpublic investigation. We don't know exactly what has happened. The fact that there has been a security breach in general doesn't mean that there is a violation of the law. From what we have read--and all I know is what I have read in the press--Equifax did not take appropriate measures to prevent the breach. 
The Fair Credit Reporting Act, if there is any credit reporting information that is involved, would come into play. There are civil penalties, as well as the FTC's authority to prevent future violations. The Gramm-Leach-Bliley rules also require Equifax to safeguard the data on consumers that it holds, and there can be penalties there as well. I understand that there is some confusion in terms of whether a violation of the rule itself would result in penalties, but I think the FTC also has authority under other laws. In addition, the FTC has taken the position that their authority to address unfair, deceptive acts or practices can come into play when there is a serious security breach. Mr. Latta. Thank you very much. My time has expired, and the Chair recognizes the ranking member of the subcommittee, the gentlelady from Illinois, for 5 minutes. Ms. Schakowsky. Thank you. Mr. Schneier, you recommended that Congress move forward with legislative proposals to make a credit freeze the default, effectively blocking access to consumer credit reports except when the consumer permits access for the specific purpose. You believe this step would protect consumers' privacy and make consumer information more secure. Is that correct? Mr. Schneier. I think it will prevent the breaches. It is not going to do anything to make Equifax's databases more secure. It is not going to do anything to make our data less vulnerable, but it will make it less useful. And that, I think, is something that is real important. Ms. Schakowsky. Well, let me ask you this. You said that we, the public, are not the customer of Equifax or the data reporting agencies. We are, in the sense that--I am sort of galled by the idea that I have to pay for the credit report. Actually, I did also go for the one free, and somehow I must have pushed a button that, then, $10 a month was charged in the future. I finally called them and said, ``How did that happen?'' You know, I don't exactly know. 
So we do pay a small amount every month. So they still do charge us for our--you know, except for the one free. Who are, then, the customers? I have gotten a--what do you call it--preapproved credit cards in the mail. I didn't ask for that. I am not seeking a loan. So who are the customers, then, of these CRAs? Mr. Schneier. The customers are those who want to give you offers. And, certainly, anybody who sent you a preapproved credit card got that data. And they get data in very different ways. There was something I wrote about, and I don't remember the details, but one lender was asking for people who had defaulted on loans so they can sell them basically fraudulent products. The FTC did slap a fine on them, but those are the sort of things that are happening. And the way to think of it is that we are not their customers. And they deliberately make it hard--those credit freezes and credit scores, they are deliberately deceptive. To get the free one, you have to navigate a very complex route, and occasionally you get taken. There are a lot of things these companies do---- Ms. Schakowsky. [Inaudible.] The score, you know? Mr. Schneier. That is right. Ms. Schakowsky. So the score isn't free, in some cases. Mr. Schneier. That is right. Just the data is, so you can look at it. Ms. Schakowsky. Right. Mr. Schneier. And, in some cases, there are things they can do to make things easier, and they don't. So, for example, if I log into my network at Harvard, this phone will make a noise and will tell me. So if someone else does it, I will know that. And you can get an app from some banks that, if your credit card is used in a physical location you are not, like in California today, you would be alerted. You are not near your card. And that is sort of a customer-service type of thing. There is no reason in the world why the credit agencies can't do that same thing: When someone wants my credit, I get an alert. You know, retailer I like? Yes. You know, Russian scammy bank? No. 
I mean, I should be able to do that. But that is a feature that is not going to be offered to the product. As the product, we are supposed to, you know, shut up and do what we are told. And if you complain, there are going to be difficult avenues and you are going to get scammed. Ms. Schakowsky. So I think people need to understand this is not just, I am applying to refinance my mortgage or I want to get a car. This is, my information is now a product that they can sell to others. Is that right? Mr. Schneier. And it is more than financial information. You have to understand, it is our browsing habits, it is our reading habits, it is the things we do, it is the details of our life. I mean, you have to assume that that will be purchased by somebody who wants to use it against you. And I think all of our Government officials should be concerned about that. Do we want our browsing habits in the hands of opposition research? Kinda not. Ms. Schakowsky. Have we seen any international reaction to this Equifax breach? You talked about the problems that we may incur if our partners around the world think that we can't protect data. Mr. Schneier. I haven't heard anything about Equifax specifically, but certainly there is agitation in Europe. A lot of these safe harbor agreements are very tenuous. And they are right now protecting American companies to store Europeans' data, but I think we can lose them at any time, especially as Europe is getting much more regulatory. The GDPR is coming, and it is going to be enforced starting in March, and all the U.S. companies are preparing for that. Ms. Schakowsky. So there is personal and international consequences for consumers and for business. Mr. Schneier. I think there is. I worry about how the U.S. will look in the world market if we show that we can't secure the data of Canadians and British and Europeans. Ms. Schakowsky. Thank you. Mr. Latta. Thank you very much. 
The gentlelady yields back, and the Chair now recognizes the gentleman from Mississippi, the vice chairman of the subcommittee, for 5 minutes. Mr. Harper. Thank you, Mr. Chairman. And thank you to each of you being here. Particularly, Mr. Norton, I want to thank you. On such short notice, I am sure you had other things you might have preferred to do. But the information that each of you are providing is very important. Who knows, Mr. Schneier? Maybe we will get back to just writing letters. You know, maybe that is going to be the solution to protect our personal information on some of this. You know, this is still just an unbelievable event that has raised this to a new level. And, Mr. Creighton, I know that-- you know, we can talk about this. When I questioned the former CEO of Equifax, you know, he said, that is the number-one issue, which you restated, which is to protect that personal information, which was done very poorly. So there are so many issues here, but do all three--and this is for you, Mr. Creighton--do all three major credit reporting agencies provide the same information to every lender, merchant, et cetera? If not, why is that not the case? Mr. Creighton. Different bureaus may have different institutions furnishing information into them. When a lender asks for information, they will provide the information that they have, but not every bureau has exactly the same information that every other bureau does. It is one of the reasons why Fannie Mae and Freddie Mac, for example, require that their lenders collect all three credit reports and merge them into one package, to make sure they are getting full coverage. Mr. Harper. So you could request three or four credit reports from different CRAs, and they could have variations based upon that technique. Mr. Creighton. Well, for example, if you are an auto dealer, a small auto dealer in a particular region, you might only be working with one credit bureau. Mr. Harper. Got it. 
Now, do credit reporting agencies separate their credit reporting and noncredit reporting activities and businesses? Mr. Creighton. Yes. This is an important point. The credit file is distinct from any other business that they have. The credit file is governed by the Fair Credit Reporting Act. And the credit file is only certain kinds of information. It is not the web browsing and all of that other information. What is in the credit file? Who are you? Who are you, personally? Do you exist? That is, you know, basically public information. Do you have any judgments against you, like a bankruptcy? Do you have credit available? With whom do you have that credit available? How much credit do you have? What is your balance? Do you pay on time? Functionally, that is what is in the credit report. Mr. Harper. OK. Thank you for that. And, Mr. Norton, can you talk to us for just a minute and explain a little bit about NIST, the National Institute of Standards and Technology, and their cybersecurity framework and its importance for today's, you know, hearing? Mr. Norton. Yes, absolutely. And, you know, NIST several years ago took an important step, providing voluntary guidance for not only Federal agencies and State and local governments but also for the private sector to start to build out a framework to start to talk about, you know, how do you secure the enterprise---- Mr. Harper. So when did they start this? Mr. Norton. I don't know the exact date. I think it was a few years ago. Mr. Harper. OK. Was Equifax a voluntary participant in this? Mr. Norton. I don't know if they were. I am not sure. Mr. Harper. Can you find that out for us and let us know that? Mr. Norton. Sure. Mr. Harper. And go ahead and explain this a little bit more, the cybersecurity. Mr. Norton. 
But I think to your point that, you know, it was publicly available information, it was something that the Government was, you know, certainly promoting, in terms of this NIST standard, I think that, you know, having these standards are very important. I think, you know, the threat still, necessarily, hasn't been digested by the private sector. And I think that is part of, you know, a role that the Government could play, in terms of briefing not only on the standards and the voluntary compliance that they should really look at and think about doing but also understanding what are these attacks, why are they a target, not just, you know, the bigger nation-states but the smaller gangs and the different organizations that are out there that, you know, are certainly targeting these things for money, essentially, and to sell this data. Mr. Harper. You know, listening to each of your testimonies, you know, I know Mr. Schneier mentioned that, you know, CEOs willing to take a chance, I don't know if that is going to be the case on the Equifax deal. I think it was just pure negligence. Somebody--multiple people dropped the ball on an easy--you know, this was not a complicated fix. And I know we will find out more when FTC gets through with this and we get through with all the investigation that is there. But, you know, constant upgrades of cyber defenses are necessary. They only have to be, you know, correct one time. And, obviously, this, they were in a big way. So, Mr. Norton, do you believe that security standards will stop the data breaches as we have now? Mr. Norton. You know, I think that it is certainly an important part of it. I think that having cybersecurity as a one-person position within a business is not cybersecurity. That is just having one person. I think you need to have a larger enterprise strategy and plan, and it has to flow up from the CEO all the way down to the lowest employee. 
If you look at attacks like OPM was mentioned and others, it is really the training is an issue, where all employees need to be trained on cybersecurity. They need to understand exactly what these threats are. Because at your desktop is really the front door of a business, and when you get, you know, a phishing email or a phishing attack and you click on that link, you have just opened the door. Mr. Harper. And maybe not giving an $18 million bonus to somebody who totally failed in their number-one responsibility. I yield back. Mr. Latta. Thank you very much. The gentleman yields back, and the Chair recognizes the gentleman from California for 5 minutes. Mr. Cardenas. Thank you, Chairman Latta. I appreciate this opportunity for us as Congress to discuss this very, very critical issue that faces hundreds and hundreds of millions of Americans every single day. In discussions of data breaches and breach legislation, there has been a tendency to focus on financial harms to consumers. Credit reports include a lot of nonfinancial information, and certainly these companies hold a significant amount of personal information outside of the credit report that is not financial. Mr.--I am sorry if I pronounce your name wrong-- ``Schneer''? Mr. Schneier. ``Schneier.'' That is all right. Nobody has gotten it right today. Mr. Cardenas. OK. ``Schneier.'' OK. Are you concerned about repercussions of a breach beyond financial harms, and if so, can you give us some examples? Mr. Schneier. So, yes, I think the nonfinancial harms are considerable. I mean, just thinking of the OPM breach would be an example of just nonfinancial data in the hands of the Chinese Government, and that would be a problem. So, depending on who stole the Equifax data--we actually don't know if it was criminals or a government right now--the harms can be considerable. And the swap between financial and nonfinancial is fuzzy. 
If you call your bank or your broker or your insurance company and don't remember your account, they are going to ask you a bunch of questions like where did you live, which of these cars do you own. You have all had that experience. That is nonfinancial data, and that is going to be used to authenticate you to a financial institution. So even nonfinancial data has very serious financial ramifications because it is our secondary authenticator. Mr. Cardenas. So, in some cases, somebody might know the name of our favorite pet. Mr. Schneier. Favorite pet is actually surprisingly easy. Those secret questions turn out to be very insecure. And this is, sort of, again, you are looking at this tradeoff in security and convenience. What these companies want--I mean, what the credit card companies want--is for it to be really easy for you to get a new card, so they make that application super-easy. If they made it more secure, made it harder for somebody else to get a card in your name, it would be harder for you to get a card, and the companies don't want that. So they are making a tradeoff based on their bottom line, not based on your security, to maximize their profits. And that is often ease of use, ease of access, making things easier. Mr. Cardenas. Can you give us an example of how nonfinancial information can lead to financial harm to an individual that their information has been breached or gotten into the wrong hands? Mr. Schneier. So I just talked about nonfinancial information being used as a financial authenticator. You can certainly see personal embarrassment leading to all sorts of problems. I mean, lots of instances of that, especially, you know, people who are more marginalized. We see a lot of threats against women based on exposing personal information that is stolen from accounts. And, I mean, that is something that is a real problem and hard to deal with. I pulled up to--I talked about something Equifax did. 
It wasn't in my testimony, and I want to mention it, that in 2012 they sold lists of people who were late on their mortgage payments to a discount loan company. That was one of their products. They were fined by the FTC for that. But those are the sorts of practices you see from these companies. Mr. Cardenas. So companies like Equifax, they have dual or more than one role out there in the world? Or they see themselves as being involved in businesses beyond just holder of information or reporting of our ability to pay, so to speak? They are actually brokering information out there? Mr. Schneier. If you go out to their website and look under ``business products,'' which is different from the credit stuff, and they ask things that are optimized for restaurants, for the travel industry, for--and I forget the whole list of industries that they are selling data to. That data is nonfinancial data. It is data about us, slicing and dicing us in different categories, so we can be better marketed to. Mr. Cardenas. So, basically, when an American puts their house up for sale and you see a sign out front, that is pretty cut and dry that you have hired somebody to broker for you, to actually do something for you, something so personal as we are going to sell our home. But are you telling me that, unbeknownst to a bunch of American citizens, that companies like Equifax are actually having signs out on their personal information and using it and making money off of it, unbeknownst to the average American? Mr. Schneier. And that is the business model. The data- broker business model is they collect information, either--they will buy it. They will buy it from the Government. You know, States will sell them driver's license information. They will get it from companies. They will get it from wherever they can. They will correlate it. They will make inferences based on it. I mean, we are hearing about how some of that was used to target ads in the last election. 
And then they will sell that to people who want it. Mr. Cardenas. OK. Well, I yield back my time. Thank you, Mr. Chairman. Mr. Latta. Thank you very much. The gentleman yields back, and the Chair now recognizes the chairman emeritus of the full committee, the vice chairman, the gentleman from Texas. Mr. Barton. Thank you, Chairman Latta. And I was here at the gavel. I had to go run to a quick meeting, but I appreciate being allowed to ask questions at your hearing. The current system is not working. I was here for Gramm- Leach-Bliley. I have been on this committee 33 years. We have all these--as the first gentleman said, in your testimony, it is a heavily regulated industry. You are right about that. But when it comes to data breaches, all that is required is disclosure. There is no real penalty. Eventually, if it happens repeatedly at the same institution, the FTC has some authority to impose some fines. But all these laws that we have passed merely require that you have to inform the customer, the consumer, of how their data may be used, and if it is breached, you have to inform them that it is breached. That is pretty much it. And I don't think that works. And if you listen to the opening statements on both sides of the aisle this morning, you know, Mr. Pallone's, Chairman Walden's, the chairman, Mr. Latta, they are all pretty strong on condemnation of what is happening. I think that we are going to have to change the law and that we are going to have to do more than require disclosure. I believe we are going to have to, on first offense, allow for some fines to be levied, some real penalties. I would prefer that it be on a per-consumer basis. That may or may not be workable. So I guess I will go to Ms. Fortney. Do you agree or disagree that we need to change the law and put some real teeth into what happens when there is a breach? Ms. Fortney. 
I think the answer depends on whether the problem with Equifax was a systemic problem or whether Equifax was an outlier. I think that the law currently exists in ways that consumers can be protected. I think the FTC has indicated that they will use their authority, not just under Gramm-Leach- Bliley but also under Section 5 of the Federal Trade Commission Act, to redress consumers who have been harmed by security breaches and by other data practices that are unfair to the consumer. Mr. Barton. Do you support that they be allowed to do that at a first offense? Ms. Fortney. The FTC on their website says that they have brought--sorry, their testimony said they have brought 60 cases against companies under Section 5 of the FTC Act based on unfair, deceptive practices involving data and data security. Mr. Barton. Mr. Creighton, your testimony, I thought, was thoughtful. I thought it was well done. My question to you would be, if we did impose or give some authority to levy fines or a reimbursement to each consumer whose data is breached, would that destroy the credit industry as it is today? Or would it, if it was done appropriately and at the appropriate level, would it perhaps strengthen it because it would give them an incentive to really protect consumer data so that we don't have all these breaches? Mr. Creighton. The incentives already exist for us to protect the data. You know, if you add penalties and everything else, it is not going to change our practices. Our practices are to protect the data today. So, I mean---- Mr. Barton. Then why do we have thousands of breaches or hundreds of breaches a year? Mr. Creighton. It is true. Look, in the Government, you have an incentive to protect your data also, and yet we have seen breach after breach after breach, including personal information for, as the chairman said, people in this room, sensitive market-moving information at the Securities and Exchange Commission. We have seen that over and over and again there. 
Those incentives need to be aligned, I would argue, more directly with where our incentives are, which is to protect the data. Yes, breaches happen, and every one of them is a problem. But there are different scales of breaches. You know, is a lost cell phone that has some data on it considered a breach that automatically is going to result--or do you have to look at what is the consumer harm? Mr. Barton. Well, my time has expired. I will just make this editorial comment. In the Equifax case, people at Equifax knew they had a problem with their system and they didn't do anything to fix it. They didn't do anything to fix it. But if they would have known, if we don't get this fixed, we are going to pay $1,000 per consumer or $100 or maybe even $50, plus some of the things that Ms. Schakowsky and Mr. Pallone were talking about, I believe they would have fixed it or tried to fix it sooner rather than later. Thank you for your courtesy, Mr. Chairman. I appreciate it. Mr. Latta. Well, thank you very much. The gentleman's time has expired, and the Chair now recognizes the gentlelady from Michigan for 5 minutes. Mrs. Dingell. Thank you, Mr. Chairman. I guess I am sort of, even before I begin, reacting to ``if Equifax is an outlier.'' I have been hacked so many times in the last--the OPM, the Yahoo account, the Equifax, the Target, the Sears, the Home Depot. You can tell I have a lot of credit. But I have also been hacked more than that. I have a permanent--but I also will tell you that I think it is very complicated to put these credits--and you talk about it very easily, and that is what I do want to talk about, is I think it is very complicated for the average consumer, who, by the way, has no idea what is happening. Mr. Chairman, I thank you for studying this, because I think it is hard for people to get a sense of how much of their information is held by companies, because it is not tangible. People don't understand what you are holding. You can't hold it. 
You can't touch it. And we really only think about it after it has been stolen or floating around the internet. So when it has been stolen, like someone like me, 10, 15, 20 times, you think about it. But I think young people, in particular, don't understand what information they are giving away or what is out there. We have spent a lot of time talking about the legal issues faced, but, for me, it comes down to the question, do Americans really know when they are giving their personal information away? Do they know the consequences? And how can we improve transparency? ``Transparency'' is a buzzword that we are all talking a lot about right now, but I think there is a shocking lack of transparency when it comes to how consumers' data is used and sold. So I want to talk about that a little more, and I want to talk about who is even holding it. Mr. Creighton, I was just interested in your organization. The companies you represent possess a huge amount of granular personal information on us. It is collected without ever really asking. And we are all supposed to trust that it is going to be kept safely, just like the Equifax was. But I couldn't even figure out who is holding my data that is part of you. I know who the Equifax and Experians of the world are, but I couldn't find who your other members are. There is no mention of your member companies on your website, and a Google search turned up nothing. And I went and looked at your 990, and it has only got your board members. So this is a yes-or-no question, a friendly yes-or-no, but I want to know: Why should the American people trust an organization like yours to keep their information safe if we don't even know who has it and how they are using it? Mr. Creighton. First of all, thank you for your comments about the website. We are in the process of redoing it, and I think you will see a lot more information when it rolls out later this year. Mrs. Dingell. I am a Dr. Google in this committee. I Google a lot. 
Mr. Creighton. Good. Well, I think you will be more pleased in the future when you see the website. It has been a priority of mine since I have taken this position. Our association represents the main large credit bureaus. We also represent a series of specialty and other credit bureaus that hold other kinds of information that specifically work with a particular industry--for example, the mortgage industry. We also represent a series of background screening companies that are in our association because they are working mainly on public documents, on public files, which are really the basis, the foundation on which the credit report is built. And so that is the core of our membership, are the bureaus and the special---- Mrs. Dingell. I really think that--I have a lot more questions for you, but I have a minute left. But I do hope that you will make public who your companies are and why they are collecting it. And maybe someday somebody could explain--I understand there are other websites that do this too. I do Credit Karma almost every other day. It is free. Why should the American consumer, my other colleagues on both sides, have to pay for their own credit data when you can go to a site like Credit Karma or others--I don't want to--you know, there are other sites out there. But I think we should look at how people have free access. But I want to go to Mr. Schneier in the very short time that I have left. Mr. Schneier, do you think the American consumers can take proactive steps to protect their data, financial or otherwise, if they don't even know who owns it? Mr. Schneier. There is ``can,'' and there is ``can.'' So Ms. Fortney gave a really nice list of ``here are all the things that you could do to protect yourself.'' And I am listening to that list, and I am thinking, no way in the world can I go home at Thanksgiving and tell my relatives--because they are going to be a lot harder than you are--that they should do all of that. 
I can't expect people to become experts in this, to take the time. And it is not just we don't know who has it; it is that it is being made deliberately hard to figure it out, to take these steps. So, no, I don't. Mrs. Dingell. Do you think that we should find a simpler way to tell consumers who is collecting their data, what kind of data they have, and take these privacy notices--which, actually, somebody read the other day, and we found some--and make it in simple language, a couple sentences? Mr. Schneier. More transparency and more control cannot hurt. Mrs. Dingell. Thank you. Mr. Latta. Thank you very much. The gentlelady's time has expired, and the Chair now recognizes the chairman of the Health Subcommittee of Energy and Commerce, the gentleman from Texas, for 5 minutes. Mr. Burgess. Thank you, Mr. Chairman. And I can't help but observe, I feel like this is Groundhog Day. The previous Congress, I was chairman of this subcommittee, and for 2 years we worked on data breach notification. And we actually got a bill through the subcommittee and the full committee. It never saw time on the floor. It did become controversial before it passed out of the full committee. And I can't help but think, had those requirements been in place, at least the length of time between discovery of a breach and notification of the person who was breached, I think that would have been helpful. But I am always struck when we have these discussions--and I realize this is not a law enforcement panel in front of us, but do any of you know, is anybody trying to catch the thief here, or the thieves? Mr. Creighton. Thank you for asking that. We have to, as a society, come to terms with the fact that we have people attacking our systems every day. If this were a physical bank and there were 200 North Koreans who were storming in and taking money out of the accounts, there would be a national response. 
At what point are companies able to compete against nation-states who are attacking our systems? I don't know that this breach was a nation-state attack. I don't know one way or the other. But at what point are American companies expected to fight back against countries that are attacking them? Mr. Burgess. Well, then that brings up--and this is really a question for anyone on the panel. I am also concerned--I mean, Equifax obviously did not cover themselves in glory in this story, but in some ways they are a victim too. Their business was damaged by someone who came in--it wasn't Frank and Jesse James storming the Northfield bank, but they were damaged by this activity. And if we were ever able to catch the thief, are there sufficient criminal penalties to act as a deterrent? Does anyone know that? Mr. Schneier. So, it depends. Our laws are very, very nation-specific, and the internet is very international. So a lot of cyber crime comes out of Southeast Asia and Sub-Saharan Africa and Eastern Europe and places where we just do not have efficient enforcement and there is really jurisdictional arbitrage going on by cyber criminals. And so, you know, enforcement works, but it really has limitations here. And that is why we really want to do what we can on the front end, because catching the bad guys, it is not going to work if it is a, you know, criminal organization in a country we just have no jurisdiction over. Mr. Burgess. But assuming we do stumble upon a bad guy, the proverbial guy in the basement who is doing bad things and hacking into things where they shouldn't, do we ever punish people like that? Mr. Schneier. Yes, all the time. Mr. Burgess. And what is the range--do you know what the range of punishments are? Mr. Schneier. I have no idea, but I am sure it is not pretty. Mr. Burgess. Do you feel it is a sufficient deterrent? Mr. Schneier. You know, that is probably a more complicated question I don't know enough to answer. Mr. Burgess. Yes. 
And I don't know that any of us do. But I do worry that--again, Equifax is a poor example, but sometimes it does seem like we victimize the victim in some of the things that we do in punishing people who were the recipients of the breach, not the perpetrator of the breach. Mr. Creighton, let me ask you--and I think, Mr. Schneier, you brought this up also. There is a great commercial out, where someone who--they get in a cab, and they have left--``Oh, my gosh, I left my debit card at the restaurant,'' and she doesn't think it is a big deal. Her companion has a near panic attack and meltdown. ``Oh, my gosh, this is terrible. You left your card.'' And it turns out the person who left the card went on her phone and froze the debit card. That seems like a very good approach if you knew that someone was accessing--so I guess let me ask you, Mr. Creighton, as a data broker, is there any way to notify people that their data is being accessed? Is there a system or could there be a system in place where--is there an app for that? Mr. Creighton. First of all, we represent the credit bureaus, not the data brokers. Mr. Burgess. OK. I beg your pardon. Mr. Creighton. But, yes, and those are coming online now and were coming on line in advance of the breach. TransUnion has their lock system up right now. It is free for everybody. It is at base, just like Mr. Schneier is discussing, where you can turn it on and turn it off. Equifax has announced in this room that they will be offering a similar product that they are engineering now at the end of January. And Experian's is coming on line as well. The point is to give the consumers that ability to easily go back and forth to lock their credit. It is different legally from a freeze, but it is meant to achieve the same goal without all of the cumbersome regulatory burdens that exist from the State governments. Mr. Burgess. Mr. Schneier? Mr. Schneier. I don't know anything about those. I like hearing that. 
I mean, the devil is in the details, so we would have to see the details, but that all sounds good. I mean, that is really what we want. You want the user to get control. And I know when someone accesses my credit because I want them to; I am applying for something. Those feel like good things. And if they are simple to use, that feels like a really big step. It is not going to protect my data, but it is going to make it harder to monetize. Mr. Burgess. Which would be a good thing. Thanks, Mr. Chairman. I will yield back. Mr. Latta. Thank you very much. The gentleman yields back, and the Chair recognizes the gentlelady from California for 5 minutes. Ms. Matsui. Thank you, Mr. Chairman. And thank you for the witnesses here today. I find that every time we come to the hearings like this, I feel like the problem gets bigger and bigger, because the solutions are very disparate, and it is, kind of, very confusing, and there is not the simple solution that all of us want because we are all really very busy. This commercial practice of collecting, aggregating, using, and selling consumer information has become functionally ubiquitous. Companies and data brokers maintain databases full of sensitive and personal consumer information. These are natural targets for cyber thieves. But it is possible that an attacker can compromise one device using a known vulnerability and move readily within an information system to gain access to personal information. Mr. Schneier, regardless of the method of attack, how would consumers benefit from comprehensive Federal standards that establish reasonable information security practices? Mr. Schneier. I mean, again, I think want to say the devil is in the details, right? You know, I want someone like the FTC to have some broad authority to figure it out. I mean, I don't think we can sit here and say, you know, here is what we should do. There was a point made in that corner of the room that legislating the details will always lag technology. 
And I really think you have to start looking at what are the results we want. So I like the idea of, you know, a fine if data is breached. Let the companies figure out what to do, let the market work on the technical security solutions, but we want this particular outcome. Ms. Matsui. Right. Mr. Schneier. So those are the sort of mechanisms that I think will work best here. Ms. Matsui. OK. But I think the problem is also--the fact is we want to know, I think, that there is a Federal standard, whatever that is. Because right now everything is just all over the place. Mr. Schneier. Yes. I agree there has to be a Federal standard. And this is also what is going to be needed when we start dealing with international agreements. Ms. Matsui. Right. Mr. Schneier. What is the U.S. standard, and how can we assure the U.S. companies' European customers that we are not going to lose their data? Ms. Matsui. So you feel that this is going to be a necessary step anyway. Is that correct? Mr. Schneier. My guess is we are going to have to do this---- Ms. Matsui. OK. Mr. Schneier [continuing]. That the world is moving that way. Europe is turning into the regulatory powerhouse---- Ms. Matsui. Sure. Mr. Schneier [continuing]. And they are going to be leading us more and more. Ms. Matsui. Because we are reacting more than---- Mr. Schneier. Yes. We are not going to like it, but I think we are going to be stuck with it, just because there is such a huge market. Ms. Matsui. OK. Now, with all the consumer data that companies collect, we must keep pace with the evolving threat. Each year, we continue to see an increase in the variety, number, and damage caused by cyber attacks, yet relatively unsophisticated methods, such as phishing or emails with malware, remain some of the most common forms of attack. We have recently seen a decrease in zero-day vulnerabilities and an increase in simple exploits used to carry out attacks.
Mr. Schneier, how can both business and individuals better protect themselves against new applications of old exploits? Mr. Schneier. Well, so this is the definitive problem, that people are your weakest link. And we are certainly finding, you know, from nation-states on down, that the vector of going to the people--you know, Equifax was a vulnerability in the system. We talked about that. It is in many more cases that someone will get a person to do something. So tax fraud is a huge crime right now, and that basically involves convincing someone in HR to mail you a copy of everyone's W-2 and you file fake tax returns in all their names and you get the money. This is huge now, and it didn't exist 5 years ago. Ms. Matsui. Right. Mr. Schneier. And there are tech solutions that deal with this. And the problem is, as Mr. Norton talks about, is getting companies to use them, to make the purchase, to make things more inconvenient, for security. Ms. Matsui. How do we do that anyway? Mr. Schneier. That has to be incentives. The penalty for getting it wrong has to be more than the penalty for doing it right. Ms. Matsui. OK. Mr. Schneier. And that wasn't the case for Equifax. Ms. Matsui. OK. I am also concerned about the question of who owns our user-generated data. You know, in 2014, agriculture technology providers and a coalition of major farm organizations came together to agree on data privacy and security principles to cover the massive data sets generated by innovation such as precision agriculture. These principles covered issues such as how data gathered from the farm is protected and shared. These principles also recognized that farmers owned the information generated by their farming operations, generally required farmers to be notified that their data is being collected, and required disclosure over how the data is used. But today's consumer has considerably less information over how, when, and what information is shared about them.
And I guess, Mr. Schneier, I am asking you this question, but somebody else can answer it too: Shouldn't consumers also have clarity over when and how their data is used? Mr. Schneier. Yes. Mr. Creighton. The Fair Credit Reporting Act goes into great detail about the seven permissible purposes that can be used for specifically credit reporting data. The other kinds of data that you are talking about, that is a different question. But in the credit reporting space, the Fair Credit Reporting Act is very firm about what exactly the information can be used for. Ms. Matsui. And when and how? Mr. Creighton. And when and how, yes. And by whom, yes. Ms. Matsui. All right. I see my time has expired. Thank you very much. Mr. Latta. Thank you. The gentlelady's time has expired, and the Chair now recognizes the gentleman from New Jersey for 5 minutes. Mr. Lance. Thank you, Mr. Chairman. Good afternoon to the panel. Thank you for joining us today. I am appalled by the scale and the impact of the Equifax breach. Equifax blatantly mishandled consumers' most personal information. Constituents have called my office in New Jersey, concerned about their online security. And many were affected and their personally identifiable information compromised. And, Mr. Norton, many organizations and individuals do not have up-to-date security or properly patched operating systems or software. What are some basic practical steps people can take immediately or in the short term to protect their computer systems? Mr. Norton. Absolutely. Thank you. You know, something as simple as changing your password, you know, once a week or once a month and taking those logical steps; making sure that you have, you know, appropriate software security that is publicly available in the marketplace for your home computers; that you are aware of your devices and you have passwords on, you know, all of your devices; that you are constantly aware of, you know, information that you have that is out there.
I mean, cybersecurity really requires a lot of individual vigilance, which is a big change, I think, for a lot of consumers at home who are, you know, in the marketplace and they have their information online and they become very used to just processing things online, as we talked about in this hearing. I think one of the challenges, though, is that we haven't actually put a value on loss of data, what does it mean to lose your individual person's piece of data, outside of just getting, you know, a piece of credit reporting for a year, you know, what is the other value of that. And I think that is another discussion or a large discussion that you are obviously having here, but I think it is an important one, and it goes to, you know, potential penalties or things that could motivate companies to then, you know, have larger enforcement and larger strategies within their businesses. So I think there is that, as well. Mr. Lance. Thank you. Would anyone else on the panel like to comment? Mr. Schneier. The unfortunate thing is that most of our data is not under our control. So what can you do to protect your data at Equifax? Nothing. What could you have done to protect your data at the OPM? Nothing. What can you do to protect your data at Google? Kind of nothing. We are forced to trust these entities. These companies have our data. Our pictures are stored on Flickr, and our email is on Gmail, and our computers really have very little right now. In some ways, that is a security bonus, because most of us aren't very good at securing our machines. But it does mean that these breaches become bigger and more catastrophic because we have too much there. I mean, there are things we can do around the edges--good password management, have antivirus. I mean, I can rattle through the tips. But, by and large, the security of our data is not under our control. Mr. Lance. Thank you very much.
Ms. Fortney, are you aware of the Consumer Financial Protection Bureau's bringing any enforcement actions against a credit bureau? Ms. Fortney. The Bureau does supervise the agencies. They have brought enforcement actions, not in the area of data security, but they have brought enforcement actions against the credit bureaus. And I think they are also involved in the ongoing investigations that are the result of the Equifax breach. Mr. Lance. Thank you. Mr. Creighton, what is the credit lock product that the major credit bureaus are proposing, and how are they different from credit freezes? Mr. Creighton. Thank you. That is an important question. First of all, the bureaus are responding to consumer demand, as Mr. Schneier was saying, that they want more access to their information and how they can control it. And, right now, State law mandates, in most States, a freeze. Those freezes are different in every single State, and they are often PIN-based. And so what happens is that you put a freeze on your account, you get a PIN. If you are like me, you then lose that PIN. And when you go back---- Mr. Lance. Or like me. Yes. Mr. Creighton. Right. And when you go back and you try to get a new iPhone, as has been reported this week, people don't realize that that is a credit transaction, they don't have their PIN, they can't turn it off, it takes 3 days, and they have missed the window to order the new iPhone. Now, the lock product functionally works the same way. It is app-based. And it allows a consumer to turn it to red, ``I don't want any new offers of credit,'' and when I do want an offer of credit, I flip it to green. Mr. Lance. I see. Mr. Creighton. But it doesn't contain the same legal strictures that happen as a result of State law. Mr. Lance. Well, thank you very much. This is very interesting, and I hope that we are able to pursue it further. And, Mr. Chairman, I yield back 10 seconds. Mr. Latta. Thank you very much.
The gentleman yields back, and the Chair now recognizes the gentleman from Indiana for 5 minutes. Mr. Bucshon. Thank you, Mr. Chairman. I want to make a couple of quick comments, and then I will have a few questions. First of all, I think it is important, potentially, to understand that we authorize a lot of people to get our data unsuspectingly. And, I mean, for this card, for example, here--I don't want to hold--it is just a card that goes to a grocery store, right? That gives you your discount. All that data is collected. You have authorized it, when you signed up to the card, you have authorized it to be sold for any reason. Same thing is true on your emails. Same thing is true everywhere. You know, I used a search engine yesterday. I have a piano I want to sell. Today, on my Instagram, an ad for a piano came across my Instagram, OK? I have used credit agencies because I have some rental property. Mostly, the people have to authorize you to get their information. So there are protections there where they have to authorize it. The point I am making is that this is a really complicated problem. We are talking about a breach. That is not that complicated, because we had human error that didn't patch. That is pretty straightforward. But we do have a larger problem with data, we have a larger problem with internet, that all of us are working to figure out how do we best protect the consumer. I do have concerns about these long legal-department-generated authorizations that are attached to all of these things. And I do think we may have to look at that area and make consumers more aware of what they are actually authorizing. I mean, what do you do? You go and start an email account, and you get to the end, and it says, you know, unless you agree to these things, you can't start it, I mean, you can't do it. And most of us just click--I mean, does anyone here just click ``agree'' without reading it? Right. I mean, we all do.
But that is actually a legal document that is very long that has specific legal ramifications that seem simple but aren't. I mean, you know, you do a search engine on a piano, and the next day on your Instagram account you have piano ads. I mean, that is kind of spooky. Everyone is concerned about the NSA. I am more concerned--I am concerned about that, but this type of thing. So the question I have, you know, Mr. Creighton, first of all, it has been about 3 months since the Equifax breach, yet still thousands of Americans are unaware if their data has been stolen. Do you think that--you know, 48 States have conflicting State notification laws that have played in this issue. And do you believe that a uniform Federal law on notification might address the difficulties with Americans receiving notification? Mr. Creighton. Consumers would benefit from a national data breach notification. Mr. Bucshon. OK. So the answer is, yes, they would? Mr. Creighton. Yes, sir. Mr. Bucshon. The other thing is, when we had the Equifax CEO here, honestly, in fairness to him, I thought he was a genuine witness. You know, there were issues, but I think his testimony was genuine. But there were flaws in their system of reporting within their company; I understand that. But, you know, one thing that was brought up is--I represent a rural area of the United States. And he was talking about getting online and going to their website and seeing all the things that you can do to protect yourself and all that. I think we all have to recognize the fact that even in the United States--I mean, I think the penetrance of internet access in my district may be about 65 percent of the people, believe it or not, maybe 70 percent. That leaves 30 percent, 35 percent of the people out there that they just can't pull up a website and see. I mean, how can we address notification or this type of thing or best practices in an age where--I think all of us mentioned, ``Well, their websites show us this,'' right? 
But 30, 35 percent of the people I represent may not have internet access. Mr. Creighton. Congressman, it is a big problem. And reaching rural consumers is one of the big challenges. That is why, when we talk about the lock product, for example, it doesn't mean we aren't still obligated to offer the freeze product, because you have to maintain call centers and other things so that people have access. But the credit reporting system serves probably your consumers, your constituents, better than anybody else. A rural consumer generally has one physical bank near them, right? But in today's world, you, as a consumer, even a rural consumer, can access the entire world of credit available to you. If you are getting a mortgage, you don't---- Mr. Bucshon. Right. I get all that. What I was trying to get at is that I think we have to recognize that not everyone out there that has had their data breached because they have gone to their local bank to get a loan can be notified that they have been compromised by telling them to go to a website. I mean, I don't know how else we address that. I addressed this same question with the CEO of Equifax. And we are advancing, I think, a lot in consumer access to information. But one area, I just think people have to recognize, across rural America, necessarily, people don't have access to that information. We need to do a better job. I yield back. Mr. Latta. Thank you. The gentleman's time has expired, and the Chair now recognizes the gentleman from Oklahoma for 5 minutes. Mr. Mullin. Thank you, Mr. Chairman. And thank you to the witnesses for being here. Mr. Norton, I kind of want to start with you. Just in your opinion, does the current Federal regulatory structure, does it have enough safety safeguards in it for the consumer? Mr. Norton. You know, I think it is a matter of corporate responsibility and whether or not they are, you know, making the appropriate investments. And, clearly, they are not, from the top down. 
I think that is why we are seeing these things. Mr. Mullin. And that leads me to my next point. As a manufacturer, if you manufacture a product, and even if the product is misused--like, inside my district, we had a gas can company that essentially went out of business because of all the litigations about, you know, the problems with the gas can. And what was happening was people were literally pouring the gas right out of the gas can on a fire and they were catching fire. Obviously not the smartest thing to do, right? But they were still open for lawsuits. They still had a responsibility, for whatever reason, to the consumer, even though the product was obviously being misused, outside its manufacture and design. We had these websites--and, Mr. Schneier, you brought this up--that you are vulnerable. I don't care what you do, you are vulnerable. Where does the responsibility lie? Is it just on the consumer? Either one of you guys can answer this. Is it just on the consumer? Mr. Norton. No. Absolutely, I think that it is--consumers certainly can help drive the market and change the market, and hearings like this will help, I think, drive corporations to accept further responsibility. I think it goes back, again, to not putting a value on data, as an individual. Companies have put a value on it, but we haven't put a value on it, in terms of loss of data, as the individual. Mr. Mullin. But, as Mr. Schneier said, we can safeguard ourselves--there is a huge difference between a manufacturing product being misused by the person holding the product versus a consumer that has no idea what has happened to their data. They are letting it be sold, it is going out there without our intention. So we are not even not using it within the manufacturer's instructions; it is the manufacturer--I am breaking it down to layman's terms. It is the holding company that has our information that isn't safeguarding it to begin with. And we are the ones paying for it. 
Where do the responsibilities lie? Mr. Schneier. I think your analogy is good, that we definitely have consumer misuse, but you actually have fundamentally unsafe products. Mr. Mullin. Right. Mr. Schneier. And, in those cases, you really need to hold the designers, the manufacturers, the data holders, the app makers, the system makers responsible to some degree, that we cannot have a system where you have to be an expert in order to survive in the 21st century. I mean, I don't want to be an expert in gas cans to be able to use that product. And maybe I am going to do something stupid, but I would like it if the system prevents me, as much as possible, from doing something stupid. And---- Ms. Fortney. I would like to---- Mr. Schneier [continuing]. That is sort of a way of thinking about regulation. Mr. Mullin. Ms. Fortney? Ms. Fortney. I would like to address that. I think, first of all, there are consequences for companies that do not secure consumers' data, and there are penalties that can attach. There is an enforcement regime by the Federal Trade Commission, the Consumer Financial Protection Bureau. In addition, I think the question is, what should consumers do when they have the information that their data is being used and that it could be breached? Because I think, no matter what we do, no matter what security procedures are there, given the many, many attempts from all over the world to access data that is being held in any type of large database in the United States, there is the risk of a breach. And I do think that what consumers need to do is really know more about what they can do to protect themselves. We are talking about notice here, and one of the notices that we haven't really focused on is a notice required under the Gramm-Leach-Bliley Act---- Mr. Mullin. But we are talking--we are talking about notices. That is not good enough. There is a difference. 
They enter in that business taking a risk, the same thing as a manufacturer enters a business in taking a risk too. Ms. Fortney. Right. Mr. Mullin. We don't see insurance policies paying off to those consumers that were breached by Equifax. Whereas, with a manufacturer, if something happens, you see insurance companies. That is why they have insurance. They are stepping up and taking responsibility for it. We are not seeing that in the digital world. We are seeing it as, ``Well, that is the risk of being online.'' And I take that risk seriously. But it seems like there is a disconnect. ``Well, we know it is going to be breached. There are cyber issues going on out there.'' But that is the business that they are in. A consumer ought to feel safe about doing business with that person, not always constantly being concerned. All of us up here have had our credit card stolen. I am currently, right now, on my fifth credit card with this one company this year alone because it has been---- Mr. Schneier. What is the number? Mr. Mullin. Evidently it is out there someplace. But we are just looking at how--I am not looking to put more regulations or more burdens on the companies, but there has to be a sense of responsibilities for the consumer to feel safe, because just notifications is being reactive, not proactive. Ms. Fortney. Yes, but I began my remarks by saying there are penalties for breaches. And then the next question is, what can consumers do once there has been a breach? And I think there are remedies available. Mr. Mullin. I am out of time. I apologize, Mr. Schneier. I would love to hear your response on it, but I am out of time on it. Mr. Chairman, I yield back. Mr. Latta. Well, thank--I am sorry? Ms. Schakowsky. Can I ask another question? Mr. Latta. The gentlelady is recognized for one other question. Ms. Schakowsky. Oh--sorry. Sorry. Mr. Latta. OK. Just wanted to make sure. I thought you may have coordinated there.
The Chair now recognizes for 5 minutes the gentleman from Texas.

Mr. Green. Thank you, Mr. Chairman. I want to thank the chairman and ranking member for holding this hearing. I appreciate the time of our witnesses. While the recent data breach at Equifax is bad enough on its own right, it also has shone a light on several larger problems. The first is the lack of knowledge or control over who collects information on us and what information they collect and what they do with it. In 2014, the FTC issued a report recommending Congress enact legislation to make the data-broker industry more transparent. Following the Equifax breach, it is a good time to take a closer look at these issues. Mr. Schneier, in your testimony, you state that the data brokers collect information on everything that we do on the internet. Can you elaborate on the scope of the information, such as what kinds of data are collected and how many of our transactions on- and offline are recorded or collected by data brokers?

Mr. Schneier. So that is hard, because it is collected in secret, and we actually don't know. We see shadows of it. We see shadows of it in the lists that they sell. And this is data brokers writ large. This is not credit bureaus specifically. So you will see them selling lists of, you know, seniors who have debt problems; or, you know, people who have particular medical conditions; or interest groups of, sort of, any unimaginable distinctions. And you often can go and look at the different types of lists that are sold. But the industry is really so opaque that we don't know. We just know that it is all being--whatever can be collected is being collected. We really don't know how it is being used. You know, we are hearing a lot about some big-data analytics were used in the last election. We don't know the details of that. It is a very opaque industry. It makes your question much harder to answer than it should be.

Mr. Green. OK. In the FTC's 2014 report, one of the FTC's recommendations was the creation of a website to let consumers see what information data brokers have on them and to opt out of having it shared in the future. Mr. Schneier, can you talk a little bit about this particular suggestion and what the obstacles would be to create such a website?

Mr. Schneier. The obstacles would be that the companies don't want to do that and that, if they did it, it would be kind of horrific. This is a story from Europe, because Europe has laws that require some kind of disclosure. And Max Schrems, who is a law student, sued--successfully in a European court--Facebook to get all the data Facebook had on him. And he got a stack of paper 1,000 sheets high of all the data Facebook had on him. And Facebook has that data times everybody who is on Facebook.

Mr. Green. OK. You mentioned that data brokers operating in Europe can and do follow the EU's more stringent privacy laws. Can you compare for us the difference between the scope of personal data collected in the European Union versus the United States, particularly regarding our online activities?

Mr. Schneier. So I am not an expert, and I would hesitate to do that. That is an important question to ask, and there are people who are doing that research. Europe has rules about what can be collected and under what circumstances, how it can be stored, how it can be used, and how it must be deleted. You might have heard about the right to be forgotten, which is a contentious European law. European law is very complicated here, and it is still under a lot of change. So that is an important question. I really want you to find someone who is an expert in that to talk to that.

Mr. Green. Well, it seems just common sense that data knows no boundaries. They don't know the borders of the United States or Europe. It seems like our country should partner with the EU and other countries to see if we can coordinate our regulations on this. Because I think, if you heard the questions earlier and listened to them, our data should be our data, and we should be able to have control over who looks at it, instead of just deciding that maybe ``I think I need a new car'' and send me something. But I think that is what we need to do. Mr. Chairman, thank you all for holding the hearing, and it brings up a lot of issues we need to deal with. Thank you.

Mr. Harper [presiding]. The gentleman yields back. The Chair will now recognize Mr. Bilirakis from Florida for 5 minutes.

Mr. Bilirakis. Thank you. Thank you, Mr. Chairman. I appreciate it. I thank the panel for their testimony today. Mr. Creighton, some consumers have suggested to me to minimize the identifiable data collected, like using partial Social Security numbers or partial driver's license identification. Is this possible for CRAs to do? And would it help better protect consumers from bad actors not authorized to use such data?

Mr. Creighton. Social Security numbers are used as identifiers, and they are important identifiers. They are not used, necessarily, by financial institutions to authenticate a consumer, but they are used to identify them. And that is important because you have a lot of people in this country, a shocking number, really, when you look at it, who have similar names, similar dates of birth, similar Social Security numbers. Having the full 10-digit Social Security number is going to be helpful for making sure that we have the right person that we are able to match. And we have an obligation under the Fair Credit Reporting Act to make sure that we are matching the correct data with the correct person.

Mr. Bilirakis. How about using the driver's license identification? Wouldn't that suffice?

Mr. Creighton. Well, not everyone has a driver's license, first of all. And, you know, whether we like it or not, the Social Security number has, in effect, in the United States, become a universal identifier. And it is the one piece of information that crosses over many different databases, particularly in the Government.

Mr. Bilirakis. And you think you have to use all nine numbers as opposed to----

Mr. Creighton. Yes. I mean, now, there are a number of statutes around the country where the minimization of the Social Security number has led to issues. For example, on credit reports today, it is much harder to know what all the liens and judgments you may have against you are, because in certain courts you no longer have full Social Security numbers and so we can't do the full match. And since we can't do the full match, we have just taken off a lot of that data. That degrades the entire credit reporting system. It is a little bit less complete because of that. And that is problematic, because if you are a lender, in order to make a safe and sound lending decision, you should know the full set of obligations that a consumer has.

Mr. Bilirakis. Thank you. Mr. Norton, are there one or two recommendations you can make for the small- to medium-size companies with limited resources that are most effective in limiting vulnerabilities to criminal hacking?

Mr. Norton. Yes, absolutely. I think that small businesses, obviously, are the most at risk, number one, because they do have those limited resources. Typically, a small business could be, you know, just a handful of people, and, you know, what kind of investment do they need to make internally? And I think just starting that conversation amongst the small businesses is an important step and just saying, OK, look, we have X number of computers, X number of people that can access our database. So I think, just internally, alone, starting there and saying, OK, do we have, you know, the appropriate passwords, you know, do we need some type of encryption on our network that can be publicly available and brought in the marketplace, you know, do we have a point person within the business, and even if the business has three people, somebody that is responsible for that, and just kind of having those access controls I think is a good starting place for small businesses. And then the larger businesses, I would say it is a very similar model, in terms of maybe you are getting to 50 or 100 but, again, starting to carve out, you know, as they look at their outyears and starting to develop a strategy of, OK, you know, in this calendar year, whenever their fiscal year starts, this is how much money we are going to start to invest in this particular area, which is just as critical as keeping the lights on or paying the gas bill or paying employees' salaries. It has to become part of the day-to-day culture. And I think that is an important conversation they need to have just to start to secure themselves.

Mr. Bilirakis. Thank you very much. My third question, again, for Mr. Norton or Ms. Fortney. Is there a legitimate worry about criminals using consumers' data to establish a Social Security Administration online account in their name and claiming their benefits? Where or how does a victim go about to protect oneself in that scenario? You both can answer the question. I do have some time.

Ms. Fortney. I assume that there are protections there, but this is not an area where I have worked. I focus primarily on credit reporting, the credit industry, and other aspects of data security. I would like for Mr. Norton to address it.

Mr. Bilirakis. Yes, please.

Mr. Norton. Of course, there are some, you know, steps you can take in terms of, if you believe you have been a victim of, you know, some sort of fraud, contacting the Social Security Administration and letting them know. And I believe there are some things you can fill out to let them know. I think it is also not the easiest process in the world. I think that is one of the challenges for the individual consumer, is the fact that, what does somebody do? You know, you can't really necessarily go down to a police station and fill out a police report just the same way as if somebody robbed your home and took your TV and a couple other things. This is a very different problem, and I think that that is part of the challenge here. And it is just like we were discussing earlier. Not everybody can go online and fill out paperwork or, you know, have the ability to even call. And so doing things in a more efficient way and finding ways for, you know, kind of, one point of entry, not 19 Government agencies for the individual consumer and individual small business, I think would be another important step for this subcommittee to help for the consumers.

Mr. Bilirakis. OK. Thank you very much, Mr. Chairman. I will yield back.

Mr. Harper. The gentleman yields back. The Chair now recognizes the gentleman from Pennsylvania, Mr. Costello, for 5 minutes.

Mr. Costello. Thank you. I would like to ask my questions and then offer some observations so that each of you can think it through. Ms. Fortney, in your written testimony, you mentioned the updates that were made to the FCRA in 2003, which included new measures to protect consumers from identity theft and other unauthorized use of the data they have on file with the CRAs. Do you believe extended fraud alerts are a sufficient recourse option for consumers who wish to remain credit-active but want to opt in? Second, are you aware of any backlogs or delays in the process related to extended fraud alerts? And, if so, do you have any suggestions on how to streamline consumers' access to these and other protections available? And then the next question to all witnesses: What would be the most effective means of reducing the administrative burden so victims of data breaches can protect themselves from credit fraud without facing impediments to obtaining credit if and when they need it? And then, finally, Mr. Schneier, you state, ``Congress should not create a new national identifier to replace Social Security numbers. That would make the system of identification even more brittle.'' I would like you to elaborate on that. Many of my constituents who were impacted by the Equifax data breach have shared with me numerous frustrations they continue to face both in dealing with the immediate aftermath of the breach and in trying to find the best path forward to prevent the fraudulent use of the information that was compromised. What I find frustrating is that so much of this burden falls on the consumers. In the case of the Equifax breach, nearly 50 percent of the U.S. population can be considered a victim. With half our Nation directly impacted by this breach and millions more affected by other recent data breaches, it is astounding to me and my constituents that so much of the burden remains on consumers and that they have to deal with it themselves, first by determining whether they were impacted, then by figuring out what makes the most sense in terms of monitoring or freezing their credit and dealing with all the administrative hurdles and potential barriers to credit that go along with it. I would imagine many people might not know where to start or become so frustrated in trying to stay ahead of identity theft that they give up trying and instead resort to dealing with fraud if and when it occurs instead of using the resources that may be available to protect them against further harm. And, with that, the questions that I asked, if all of you would answer.

Ms. Fortney. OK. Thank you. First of all, fraud alerts are a useful tool for someone who thinks they might be a victim of identity theft or might become a victim of identity theft. In order to get a fraud alert, the consumer goes on the website of one of the three major credit bureaus, puts in the necessary information, and does get the alert. There is not an inquiry into the request for an identity theft report or anything of that kind. So I think it is a relatively streamlined process. I think the other thing to keep in mind is that, when we are looking here at credit reporting data--because Equifax is a credit bureau--we need to focus on the fact that there are a lot of provisions in the Fair Credit Reporting Act that were enacted in 2003 to prevent identity theft. There are certain rules in terms of address discrepancies. There are rules that require furnishers to identify the consumers before they provide the information. So I think there are a lot of protections in the Fair Credit Reporting Act because we are focusing, in the case of Equifax, primarily on data that involved the credit bureau.

Mr. Schneier. I am going to quickly address your Social Security number question. Mr. Creighton is right that a Social Security number is actually a pretty good identifier. Name and birth date is terrible, too many duplicates. We have learned that from attempts to purge voter rolls. And a Social Security number is something everybody has. Where it fails as an authenticator, where it fails is that knowledge of it proves that you are you. It is a public number and shouldn't be treated as a secret or any kind of authenticator. So I don't think we need to replace it. I think it works just fine as long as we recognize its limitations. We are much better off, instead of one large authentication system, where a failure in it is a catastrophic failure, to have multiple context-specific authentication systems. Just like you have a dozen cards in your wallet, they do different things, there is no real reason why it can't just be one card except----

Mr. Costello. Do you find that implementable? Do you find that implementable for----

Mr. Schneier. Yes, I think we can. I mean, you will see it--you see it on your phone. You have lots of different authenticators. Again, there are many different sites. They all work through your phone. Industry does figure this out. It is complicated, but, yes, I do think it is doable.

Mr. Creighton. Congressman, your second question was can we be more helpful to consumers who want to lock their credit or freeze their credit or something like that. And these new products that are coming on the market now--TransUnion already has it; the other two bureaus have them coming out now--that allow people, on an app-based system, to lock and unlock their credit.

Mr. Costello. Right.

Mr. Creighton. The other thing is more and more credit card companies are including your credit score on their statements. And that is a good way for you to just check and make sure that there are no changes from month to month that you weren't expecting.

Mr. Costello. Thank you.

Mr. Harper. The gentleman yields back. The Chair now recognizes the gentlelady from California, Mrs. Walters, for 5 minutes.

Mrs. Walters. Thank you, Mr. Chairman. Last month, this subcommittee began an investigation into the Equifax breach that resulted in the theft of 145 million Americans' personal and financial information. Equifax failed in their legal obligation to protect consumers. Today, we continue our work to ensure the consumers' information is secure and that companies are taking adequate security measures to protect their sensitive data. It is vital that we confront these security challenges so that our digital e-commerce continues to develop and helps fuel the American economy. Ms. Fortney, we have discussed the regulatory framework. Do you believe the regulatory framework for CRAs is sufficient to protect U.S. consumers from data breaches and satisfy consumers' privacy concerns?

Ms. Fortney. Yes, I do. And I can say that having worked with the Fair Credit Reporting Act for more than 40 years. I have seen this act amended by Congress several times as new concerns arise. And, as we mentioned, in 2003, because people were becoming increasingly concerned about identity theft, new provisions were put in the act. The act imposes really strict requirements on consumer reporting agencies with respect to the accuracy of the information, the provision of credit reports to people who only have very definite permissible purposes. The act provides for notice to consumers when the information has been used on them in a way that is adverse to their interests. I could go on and on. My written statement has many, many protections here. I think the question really is, is there anything in the Fair Credit Reporting Act or other law that resulted in the Equifax breach? In other words, was there any deficiency in any of these laws? And I think we don't know the answer to that because we don't know exactly what the circumstances were that led to the Equifax breach. What we do know is that, by and large, we have one of the, if not the most robust systems of credit reporting and consumer reporting generally in the world. We have one of the strongest economies in the world. You start taking away some of the benefits, if you start over-regulating this industry and you start allowing people to remove information from the system, the system is not going to work as well. And I think all you have to do is compare our system to that of other countries, including developed countries, that don't have credit reporting systems that are as comprehensive, and I think you will see there are a lot more benefits to consumers.

Mrs. Walters. This question is for you, again, the next one. What level of responsibility should lenders, banks, credit unions, insurers, et cetera, demand from CRAs when they are the purchasers of a credit reporting product?

Ms. Fortney. What measures should they demand?

Mrs. Walters. What level of responsibility should lenders demand from CRAs?

Ms. Fortney. Again, the level of responsibility is in the Fair Credit Reporting Act, has been for many years, and that is that the consumer reporting agency that is providing the credit report must identify the recipient of that report, must be able to authenticate that this is somebody who has a permissible purpose under the statute to receive the report. And I think that is something that has been at the heart of the Fair Credit Reporting Act from the beginning.

Mrs. Walters. OK. Mr. Creighton, is there any type of financial or personal data that is illegal or impermissible for CRAs or data furnishers to collect and possess?

Mr. Creighton. Oh, there are multiple. I mean, you can really only collect certain kinds of data at credit reporting bureaus, not referring to the larger data brokers. It is basically just, you know, your identifying information; whether there are any public liens or judgments against you, like a bankruptcy; do you have credit, from whom, how much; your balance; and do you pay on time. And that is all regulated by the Fair Credit Reporting Act. After that, you are outside of the Fair Credit Reporting Act, and so you are in a different regulatory scheme. But the Fair Credit Reporting Act, as I said in my testimony, is a very important and very strong consumer protection statute that has criminal penalties, it has transparency requirements. It is probably the model on which you are all going to work from if you do go down the path for other data broker information.

Mrs. Walters. OK. Thank you. And I yield back the balance of my time.

Mr. Harper. The gentlelady yields back. The Chair will now recognize Ranking Member Schakowsky for a followup question.

Ms. Schakowsky. Thank you. Mr. Schneier, you were just shaking your head on the idea that I think that Mr. Creighton was saying, that it is very strictly regulated, what kind of information that they could have. I just wondered if you wanted to add something else.

Mr. Schneier. So, I mean, I am thinking of the data brokers writ large. I mean, yes, the credit bureaus are regulated, what they can collect, but the data brokers can collect everything. I mean, Google knows what kind of porn we all like, because that is how we search it, and they can collect that. So, as you move out from the very narrow place we have regulated, all bets are off. And I think we really need to look at how this bigger industry is moving and not just credit bureaus.

Ms. Schakowsky. OK. So I understand, I think, what your association does. But Equifax has a business outside of being a credit reporting agency. So what I am trying to understand, does your trade association then deal with the rest of that? And are they not also a data broker?

Mr. Creighton. Yes, they are. Not all of my members are data brokers. What we do specifically at CDIA is the--we are, essentially, the Fair Credit Reporting Act association. So we represent the credit bureaus inside the companies. That is really, very narrowly, what we do, is the Fair Credit Reporting Act-governed databases that they have, the companies that do it, the credit bureaus.

Ms. Schakowsky. The databases. But those same companies--well, first of all, even under their credit reporting data function, they can sell to advertisers who offer credit, right?

Mr. Creighton. Some offers of credit, yes. Prescreened, firm offers of credit. That is correct.

Ms. Schakowsky. OK. But I don't want those cards.

Mr. Creighton. You can opt out, though.

Ms. Schakowsky. This is--excuse me?

Mr. Creighton. You can opt out of prescreened offers. That is an option that you have as a consumer, to opt out of prescreened offers.

Ms. Schakowsky. Who knows that?

Mr. Schneier. Yes, good luck figuring out how.

Ms. Schakowsky. I am sorry?

Mr. Schneier. Good luck figuring out how.

Ms. Schakowsky. Yes. I mean----

Ms. Fortney. Every prescreened solicitation contains a notice that the Federal Trade Commission has determined must be placed there--it must be clear and conspicuous--telling consumers that receive these prescreened offers that they have received the offer because of prescreening and telling them how to opt out.

Ms. Schakowsky. You know, I will tell you--and maybe it is like those security, you know, 12-, 10-point, 8-point notices that we all get and that we all press ``agree.'' I mean, really--and I think that is just--and I heard your whole list of things that we can do to protect ourselves. And I am sure you are in the 1 percent that actually can do that. This is really a lot of work for people who even have the ability on the computer. But I wanted to ask you something else. So, to the extent, though, that Equifax is a data broker, you have no relationship to them?

Mr. Creighton. No. We are specifically representing them on the credit bureau part of the----

Ms. Schakowsky. OK. I want to quote what you said at the very beginning. You said, ``The scale of the criminal act at Equifax was unprecedented.'' I checked back with the record.

Mr. Creighton. ``Breathtaking,'' I think----

Ms. Schakowsky. So what do you mean? What is the criminal act?

Mr. Creighton. Well, information on 145 million people was released. It was not information from the credit bureau. It was not the credit file information. That database is about 220 million people. It was not that file. It was a file that they had that included other kinds of information that they collected in other ways.

Ms. Schakowsky. So what law did they break?

Mr. Creighton. Well, under the Federal Trade Commission Act, they probably committed a--I mean, we should let the investigation play itself out so that we know. But I would suggest that they probably have UDAP problems. And then they also have--I mean, I would defer to counsel who might know better----

Ms. Schakowsky. Well, I want to, you know, home in on----

Mr. Creighton. Look, I mean, they are going to have----

Ms. Schakowsky. You said very unequivocally, ``The scale of the criminal act at Equifax was unprecedented''--``criminal act at Equifax.''

Mr. Creighton. So I am talking about the----

Ms. Schakowsky. I mean, I tend to feel that that is true. But, as an expert on this, I want to know----

Mr. Creighton. Right. No, I was referring specifically to the hackers being criminals. Right? I mean, let's remember that whoever broke into this system did not do it legally. They were criminals who broke into Equifax. And we don't know what their motives were, but they were criminals who did this. It was a criminal hack, it was a criminal attack on an American company, is the point I was trying to make.

Ms. Schakowsky. OK. Thank you. I yield back.

Mr. Harper. Seeing that there are no further witnesses wishing to ask questions, I want to thank each and every one of you for taking the time to be here today. Before we conclude, I would like to include the following documents to be submitted for the record, by unanimous consent: one, the written statement of Jeff Greene, Senior Director of Global Government Affairs and Policy, Symantec; and a letter from the Electronic Frontier Foundation.

[The information appears at the conclusion of the hearing.]

Mr. Harper. Pursuant to committee rules, I remind members that they have 10 business days to submit additional questions for the record. I would ask that witnesses submit their response within 10 business days upon receipt of the questions. Without objection, this subcommittee is adjourned.

[Whereupon, at 12:44 p.m., the subcommittee was adjourned.]

[Material submitted for inclusion in the record follows:]