[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
SECURING CONSUMERS' CREDIT DATA IN THE AGE OF DIGITAL COMMERCE
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON DIGITAL COMMERCE AND CONSUMER PROTECTION
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
NOVEMBER 1, 2017
__________
Serial No. 115-70
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
27-917 PDF WASHINGTON : 2018
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON ENERGY AND COMMERCE
GREG WALDEN, Oregon
Chairman
JOE BARTON, Texas FRANK PALLONE, Jr., New Jersey
Vice Chairman Ranking Member
FRED UPTON, Michigan BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois ANNA G. ESHOO, California
MICHAEL C. BURGESS, Texas ELIOT L. ENGEL, New York
MARSHA BLACKBURN, Tennessee GENE GREEN, Texas
STEVE SCALISE, Louisiana DIANA DeGETTE, Colorado
ROBERT E. LATTA, Ohio MICHAEL F. DOYLE, Pennsylvania
CATHY McMORRIS RODGERS, Washington JANICE D. SCHAKOWSKY, Illinois
GREGG HARPER, Mississippi G.K. BUTTERFIELD, North Carolina
LEONARD LANCE, New Jersey DORIS O. MATSUI, California
BRETT GUTHRIE, Kentucky KATHY CASTOR, Florida
PETE OLSON, Texas JOHN P. SARBANES, Maryland
DAVID B. McKINLEY, West Virginia JERRY McNERNEY, California
ADAM KINZINGER, Illinois PETER WELCH, Vermont
H. MORGAN GRIFFITH, Virginia BEN RAY LUJAN, New Mexico
GUS M. BILIRAKIS, Florida PAUL TONKO, New York
BILL JOHNSON, Ohio YVETTE D. CLARKE, New York
BILLY LONG, Missouri DAVID LOEBSACK, Iowa
LARRY BUCSHON, Indiana KURT SCHRADER, Oregon
BILL FLORES, Texas JOSEPH P. KENNEDY, III,
SUSAN W. BROOKS, Indiana Massachusetts
MARKWAYNE MULLIN, Oklahoma TONY CARDENAS, California
RICHARD HUDSON, North Carolina RAUL RUIZ, California
CHRIS COLLINS, New York SCOTT H. PETERS, California
KEVIN CRAMER, North Dakota DEBBIE DINGELL, Michigan
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. ``BUDDY'' CARTER, Georgia
JEFF DUNCAN, South Carolina
7_____
Subcommittee on Digital Commerce and Consumer Protection
ROBERT E. LATTA, Ohio
Chairman
GREGG HARPER, Mississippi JANICE D. SCHAKOWSKY, Illinois
Vice Chairman Ranking Member
FRED UPTON, Michigan BEN RAY LUJAN, New Mexico
MICHAEL C. BURGESS, Texas YVETTE D. CLARKE, New York
LEONARD LANCE, New Jersey TONY CARDENAS, California
BRETT GUTHRIE, Kentucky DEBBIE DINGELL, Michigan
DAVID B. McKINLEY, West Virgina DORIS O. MATSUI, California
ADAM KINZINGER, Illinois PETER WELCH, Vermont
GUS M. BILIRAKIS, Florida JOSEPH P. KENNEDY, III,
LARRY BUCSHON, Indiana Massachusetts
MARKWAYNE MULLIN, Oklahoma GENE GREEN, Texas
MIMI WALTERS, California FRANK PALLONE, Jr., New Jersey (ex
RYAN A. COSTELLO, Pennsylvania officio)
GREG WALDEN, Oregon (ex officio)
(ii)
C O N T E N T S
----------
Page
Hon. Robert E. Latta, a Representative in Congress from the State
of Ohio, opening statement..................................... 1
Prepared statement........................................... 3
Hon. Janice D. Schakowsky, a Representative in Congress from the
State of Illinois, opening statement........................... 5
Hon. Greg Walden, a Representative in Congress from the State of
Oregon, opening statement...................................... 7
Prepared statement........................................... 9
Hon. Frank Pallone, Jr., a Representative in Congress from the
State of New Jersey, opening statement......................... 10
Prepared statement........................................... 11
Witnesses
Francis Creighton, President and Chief Executive Officer,
Consumer Data Industry Association............................. 13
Prepared statement........................................... 15
Answers to submitted questions............................... 120
James Norton, Adjunct Lecturer, Johns Hopkins University Zanvyll
Krieger School of Arts and Sciences............................ 36
Prepared statement........................................... 38
Answers to submitted questions............................... 130
Bruce Schneier, Fellow and Lecturer, Belfer Center for Science
and International Affairs, Harvard Kennedy School, and Fellow,
Berkman Center for Internet and Society at Harvard Law School.. 44
Prepared statement........................................... 46
Answers to submitted questions \1\........................... 133
Anne P. Fortney, Partner Emeritus, Hudson Cook, LLP.............. 55
Prepared statement........................................... 57
Answers to submitted questions............................... 136
Submitted Material
Statement of Jeff Greene, Senior Director, Global Government
Affairs and Policy, Symantec Corporation, November 1, 2017,
submitted by Mr. Harper........................................ 108
Letter of November 1, 2017, from the Electronic Frontier
Foundation to Mr. Latta and Ms. Schakowsky, submitted by Mr.
Harper......................................................... 116
----------
\1\ Mr. Schneier did not answer submitted questions for the
record by the time of printing.
SECURING CONSUMERS' CREDIT DATA IN THE AGE OF DIGITAL COMMERCE
----------
WEDNESDAY, NOVEMBER 1, 2017
House of Representatives,
Subcommittee on Digital Commerce and Consumer
Protection,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 10:32 a.m. in
Room 2123, Rayburn House Office Building, Hon. Robert E. Latta
(chairman of the subcommittee) presiding.
Members present: Representatives Latta, Harper, Burgess,
Lance, Guthrie, McKinley, Kinzinger, Bilirakis, Bucshon,
Mullin, Walters, Costello, Walden (ex officio), Schakowsky,
Cardenas, Dingell, Matsui, Welch, Kennedy, Green, and Pallone
(ex officio).
Also present: Representatives Barton, Cramer, and Duncan.
Staff present: Kelly Collins, Staff Assistant; Zack
Dareshori, Staff Assistant; Melissa Froelich, Chief Counsel,
Digital Commerce and Consumer Protection; Adam Fromm, Director
of Outreach and Coalitions; Ali Fulling, Legislative Clerk,
Oversight and Investigations/Digital Commerce and Consumer
Protection; Elena Hernandez, Press Secretary; Paul Jackson,
Professional Staff, Digital Commerce and Consumer Protection;
Bijan Koohmaraie, Counsel, Digital Commerce and Consumer
Protection; Katie McKeogh, Press Assistant and Digital
Coordinator; Alex Miller, Video Production Aide and Press
Assistant; Madeline Vey, Policy Coordinator, Digital Commerce
and Consumer Protection; Everett Winnick, Director of
Information Technology; Greg Zerzan, Counsel, Digital Commerce
and Consumer Protection; Michelle Ash, Minority Chief Counsel,
Digital Commerce and Consumer Protection; Jeff Carroll,
Minority Staff Director; Lisa Goldman, Minority Counsel;
Caroline Paris-Behr, Minority Policy Analyst; Tim Robinson,
Minority Chief Counsel; and C.J. Young, Minority Press
Secretary.
Mr. Latta. Well, good morning. I would like to call the
Energy and Commerce Subcommittee on Digital Commerce and
Consumer Protection to order. And I also wanted to thank our
witnesses for being here this morning. And I recognize myself
for a 5-minute opening statement.
OPENING STATEMENT OF HON. ROBERT E. LATTA, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF OHIO
One month ago, this subcommittee was the first to hear
testimony from former Equifax CEO Richard Smith about how his
company's failure to protect against a known security data
vulnerability led to the exposure of over 145 million
Americans' sensitive information.
Today, we continue our investigation into the Equifax
breach. We will focus on: helping the public get answers; how
is the industry responding to this breach; what the industry
response has been to this breach; has the cybersecurity
landscape changed as a result of the breach; and what laws and
regulations govern the protection of individuals' information
collected by businesses.
On Friday, our full committee chairman, Greg Walden, raised
questions about how the actions taken by businesses that use
personal data affect security, privacy, and individuals' online
identities. The Equifax data breach was a stark demonstration
of the responsibility that credit bureaus and all companies
have when holding millions of Americans' sensitive information.
In fact, Congress has recognized the sensitivity of this data
and specifically enacted laws regarding the credit bureaus'
business model.
Today, we are looking for answers about how best to secure
consumers' credit data in order to protect against another
breach of this magnitude. We want to shine a light on security
practices and understand a path forward to restore confidence
to U.S. consumers.
For example, lenders, including banks and retailers, use
credit reports and related data to evaluate the likelihood that
borrowers will repay their loans. This credit information
assists consumers in accessing credit, buying a house, or
securing a job. However, consumers may not know or understand
what data has been collected on them and how it is being used
by the credit reporting industry and their paying customers,
including the Federal Government. Today, we hope to shed light
on these questions and provide more information for those
consumers.
With regard to Equifax, the subcommittee has taken a
comprehensive review of the circumstances surrounding the
breach. For example, it came to our attention last month that
the Internal Revenue Service had awarded a no-bid contract to
Equifax. On October 10, Ranking Member Schakowsky and I, along
with Chairman Walden and Ranking Member Pallone, sent a
bipartisan letter to the IRS Commissioner raising questions
about the IRS decision to award a contract to Equifax for
identity verification services in the aftermath of the Equifax
breach. That contract has since been rescinded.
We also sent a bipartisan letter on October 16 to the
General Services Administration about the agency's
consideration of data security practices when vetting vendors,
like Equifax, and awarding Government contracts. We are looking
forward to the GSA's response.
Chairman Walden and I remain committed to working in a
bipartisan fashion to get answers for the American public and
to hold Equifax accountable.
When former CEO Richard Smith came to Washington last
month, he said, quote, ``The breach occurred because of both
human error and technology failures.'' These quote/unquote
``errors'' and ``failures'' allowed criminals to access over
145 million Americans' data. As a result, names, addresses,
birth dates, and full nine-digit Social Security numbers were
exposed and certain drivers licenses, credit cards, and credit
dispute information were taken.
If your credit card information is stolen, you can contact
Visa or MasterCard, and they will reissue a new card and a
credit card number. If your Social Security number is stolen,
it is much, much more complicated to get a new number. A Social
Security number is intrinsically tied to each and every one of
us.
According to the FTC, there were nearly 400,000 identity-
theft complaints in 2016, which amounts to 13 percent of all
consumer complaints received. Nearly 30 percent of consumers
reported that their data was used to commit tax fraud in 2016.
Consumers also reported that their stolen data was used for
credit card fraud, rising to more than 32 percent in 2016 from
nearly 16 percent in 2015.
In the aftermath of the Equifax breach, months later,
consumers may still be confused about how best to protect
themselves. This subcommittee and agencies like the Federal
Trade Commission have been providing useful information to
consumers in the aftermath of the Equifax breach, but the post-
breach consumer protection responses from Equifax have yet to
be reassuring.
Data collected and stored by credit bureaus must be
protected and safeguarded at all times, and when a breach
happens, consumers need swift and concrete answers from the
company affected. There are important questions about the best
ways to protect sensitive data, including cybersecurity
standards, trends, best practices, and emerging threats,
particularly with respect to known cybersecurity
vulnerabilities.
There are also important questions about the regulatory
landscape in which the credit bureaus operated before this
massive breach, especially the legal and regulatory framework
for credit bureaus, including the safeguards framework in the
Gramm-Leach-Bliley Act and consumer protections contained in
the Fair Credit Reporting Act.
Also, what is the relationship between data breaches and
the incidence of identity theft and fraud? Data breaches may
have become so commonplace that data experts and security
experts have expressed concerns about breach fatigue.
Congress cannot afford to be lax or idle in its oversight
of these critical issues. The testimony today is an important
step toward answering the many questions that consumers are
looking for, and I look forward to hearing from our witnesses
today.
[The prepared statement of Mr. Latta follows:]
Prepared statement of Hon. Robert E. Latta
One month ago, this subcommittee was the first to hear
testimony from former Equifax CEO Richard Smith about how his
company's failure to protect against a known data security
vulnerability led to the loss of over 145 million Americans'
sensitive information.
Our investigation continues into the Equifax breach and
today's hearing is another step to get answers for the public
about:
what the industry response has been to this
breach,
if the cybersecurity landscape has shifted as a
result of the breach, and
what laws and regulations are at issue.
On Friday, our Full Committee Chairman Greg Walden authored
an op-ed in which he raised questions about how actions taken
by businesses built around individual's data affect security,
privacy, and individual's online identities. All of these
issues are critically important to understand in our digital
economy and I look forward to working with the chairman and my
fellow subcommittee chairman on these issues in the coming
months.
The Equifax data breach was a stark demonstration of the
responsibility that credit bureaus and all companies have when
holding millions of Americans' sensitive information. In fact,
Congress has recognized the sensitivity of this data and
specifically enacted laws regarding the credit bureau business
model.
Today, we are looking for answers about how best to secure
consumers' credit data in order to protect against another
breach of this magnitude.
We want to shine a light on security practices and
understand the path forward to restore confidence to U.S.
consumers.
Credit bureaus prepare credit reports based upon
individuals' financial transactions history to provide such
reports to third parties.
For example, lenders, including banks and retailers, use
credit reports and related data to evaluate the likelihood that
borrowers will repay their loans.
This credit information assists consumers in accessing
credit, buying a house, or securing a job.
However, consumers may not know or understand what data has
been collected on them and how it's being used by the credit
reporting industry and their paying customers, including the
Federal Government.
The subcommittee has taken a comprehensive review of the
circumstances around the breach.
For example, it came to our attention last month that the
Internal Revenue Service had awarded a no-bid contract to
Equifax.
On October 10th, Ranking Member Schakowsky and I, along
with Chairman Walden and Ranking Member Pallone, sent a
bipartisan letter to IRS Commissioner John Koskinen raising
concerns about the IRS's decision to award a contract to
Equifax for identity verification services in the aftermath of
the Equifax breach. The contract has since been rescinded.
We also sent a bipartisan letter on October 16th to the
General Services Administration about the agency's
consideration of data security practices when vetting vendors
like Equifax and awarding Government contracts. We look forward
to GSA's response.
I thank my colleagues across the aisle for working together
on this serious matter. Chairman Walden and I remain committed
to working in a bipartisan fashion to get answers for the
American public and to hold Equifax accountable.
When former CEO Richard Smith came to Washington last
month, he said quote: ``the breach occurred because of both
human error and technology failures.''
These quote-unquote ``errors'' and ``failures'' allowed
criminals to access over 145 million Americans' data.
As a result, names, addresses, birthdates, and full nine-
digit Social Security numbers were exposed.
And certain driver's license, credit card, and credit
dispute information were taken.
If your credit card information is stolen, you can contact
Visa or MasterCard and they'll reissue you a new card and
credit card number.
If your Social Security number is stolen, it's much, much
more complicated to get a new number.
A Social Security number is intrinsically tied to each and
every one of us.
According to the FTC, there were nearly 400,000 identity
theft complaints in 2016, or 13 percent of all consumer
complaints received, with 29 percent of consumers reporting
that their data was used to commit tax fraud in 2016.
Consumers also reported that their stolen data was used for
credit card fraud; rising to more than 32 percent in 2016 from
nearly 16 percent in 2015.
In the aftermath of the Equifax breach, months later,
consumers may still be confused about how best to protect
themselves.
All of this is disconcerting, and frankly unacceptable.
This subcommittee, and agencies like the Federal Trade
Commission, have been providing useful information to consumers
in the aftermath of the Equifax breach.
But the post-breach consumer protection responses from
Equifax have yet to be reassuring.
Data collected and stored by credit bureaus must be
protected and safeguarded at all times, and when a breach
happens consumers need swift and concrete answers from the
company affected.
Our subcommittee members continue to ask whether consumers
can be confident in the security of their data.
There are important questions about the best ways to
protect sensitive data, including cybersecurity standards,
trends, best practices and emerging threats particularly with
respect to known cybersecurity vulnerabilities.
There are also important questions about the regulatory
landscape in which the credit bureaus operated before this
massive breach.
For example, what is the legal and regulatory framework for
credit bureaus, including the safeguards framework in the
Gramm-Leach-Bliley Act and consumer protections contained in
the Fair Credit Reporting Act?
Finally, what is the relationship between data breaches and
incidence of identity theft and fraud?
Data breaches may have become so commonplace that data
security experts have expressed concerns about ``breach
fatigue.''
Though there may be fatigue, Congress cannot afford to be
lax or idle in its oversight over these critical issues.
I look forward to the testimony of the panel.
Mr. Latta. And the Chair now recognizes the ranking member
of the subcommittee from Illinois for 5 minutes. The gentlelady
is recognized.
Ms. Schakowsky. I thank you, Mr. Chairman.
Before I give my opening remarks, I must mention that I
actually considered raising a point of order against the
subcommittee accepting testimony from James Norton at the
hearing today.
I want to make perfectly clear that I am not objecting to
anything that Mr. Norton might say, but this committee has
rules of order, and they need to be followed. James Norton was
not listed on the memorandum that was distributed by the
committee, and we found out that he was going to testify last
night and saw testimony very late last night.
While I understand that another witness was unable to make
the hearing today because of illness, this last-minute
replacement is really not respectful to the members of the
subcommittee. It is disrespectful to the other witnesses on the
panel. It is disrespectful, I believe, to the millions of
Americans that are concerned about the security of their credit
information. And it violates the committee's rules.
So Mr. Norton is here and ready to testify, and I
appreciate that he was able to prepare so quickly. I will not
be objecting today, but I do want to make it clear that
violations of the committee rules are not acceptable and that I
will object if this happens again.
I want to also say that I appreciate the bipartisan way in
which we have been able to work together. The rules are
important.
So if I could begin----
Mr. Latta. Thank you very much. And the lady is recognized
for 5 minutes. Thank you.
OPENING STATEMENT OF HON. JANICE D. SCHAKOWSKY, A
REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS
Ms. Schakowsky. Thank you.
So today we continue our conversation on data security in
the wake of the Equifax data breach.
In our October 3rd hearing with former Equifax CEO Richard
Smith, I asked him if I, as a consumer, can opt out of Equifax.
After all, I never opted in. Equifax collects my data--that is,
like, 1,500 pieces of information on each individual--whether I
want it to or not, and now my data is at risk because Equifax
failed to adequately protect it.
Mr. Smith essentially said, ``No, you can't opt out. That's
not how it works.'' This is incredibly frustrating for
consumers, including the 145.5 million victims of the Equifax
breach. That is about half the population. We have little power
to protect their sensitive personal information, as credit
reporting agencies and data brokers go under-regulated and
under-scrutinized. I venture to say a lot of people didn't even
know about Equifax until the breach came out.
We need to change that power balance by strengthening
consumer protections around credit data. I don't buy the
narrative that the Equifax breach happened because of a single
careless employee. The system in place at Equifax allowed for a
known and well-publicized security vulnerability in the Apache
Struts software to go unpatched for months.
After the breach was discovered, Equifax took nearly 6
weeks to notify consumers. Congress, the Federal Trade
Commission, and the Consumer Financial Protection Bureau were
not notified.
The website set up for consumers was a mess. Equifax
tweeted links to a fake website. And the company is only
providing 1 year of free credit monitoring services. We are
awaiting clarification from Equifax on the credit lock service
that it promised to offer at our last hearing.
Those failures should not be a surprise. What incentive
does Equifax have to protect consumer data on the front end
when consumers aren't its real customers? I have not heard a
parade of companies saying that they will refuse to provide
Equifax with consumer data or refuse to use its services. This
market is failing American consumers, and that is why Congress
and consumer watchdogs must step in.
I welcome the CFPB Director, Richard Cordray's call for
embedded regulators at the credit reporting agencies. I look
forward to the results of investigations into the breach, such
as the investigation at the Federal Trade Commission. State
attorneys general are also pursuing legal action against the
company. And, ultimately, we need stronger legislation.
Last month, I joined several other members of this
subcommittee in introducing the Secure and Protect Americans'
Data Act. Our bill establishes data security requirements to
protect consumers' personal information. That includes special
requirements for data brokers like Equifax that collect
consumer data often without the consumers' knowledge. And it
empowers the Federal Trade Commission to enforce those
regulations with civil penalties.
Our bill requires timely notification to State and Federal
law enforcement agencies and to consumers when a data breach
occurs.
Finally, our bill requires meaningful remedies for breach
victims. Victims would be entitled to 10 years of free credit
monitoring or quarterly credit reports. And our bill enables
breach victims to control access to their personal information
and credit reports at no charge.
Our legislation would be a good first step, but I am
interested in further action the Congress could take. In
written testimony, Mr. Schneier calls for making credit freezes
the default so that consumers are opting in to have their data
shared rather than paying to opt out.
I expect the industry to engage with these ideas, given the
problems consumers face. Old excuses that this is too big a
change from the status quo don't cut it anymore.
On October 12, the Democratic members of the subcommittee
requested a hearing with current Equifax employees. We also
called for advancing bipartisan data security legislation
through the committee by the end of this year. And, Chairman
Latta, I repeat that call today. Our subcommittee has been
bipartisan in demanding answers for breach victims. We should
now be bipartisan in pursuing action. I stand ready to work
with you on real solutions to protect American consumers.
And thank you for the latitude you have given me, and I
yield back.
Mr. Latta. Well, thank you very much.
The gentlelady does yield back.
And the Chair now recognizes the chairman of the full
committee, the gentleman from Oregon, for 5 minutes.
OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF OREGON
Mr. Walden. I thank the chairman. And thank you for your
leadership on this and many other issues that we have
successfully moved through.
This morning, we are here to discuss the topic of
protecting America's data in the digital age.
The advent of new technologies has reduced barriers and
eased the ability of consumers to access credit and make needed
purchases in ways unimaginable not very long ago. In literally
minutes, using one's phone, Americans can procure a loan to
purchase a refrigerator, a car, or even a home. The most
remarkable thing about this is how unremarkable it has become.
As with any invention, the technological innovations that
have facilitated access to credit bring with them new perils.
As this committee explored in our hearing last month, Equifax,
the credit reporting agency entrusted to safeguard the most
important financial data of millions of Americans, instead
allowed hackers to access that information through their
failure to implement a software patch that had been brought to
their attention by the Department of Homeland Security. There
is no excuse for that.
And, in fact, consumers all over America now are trying to
figure out what do they do next. We had a conversation of that
in my own household this weekend. A relative of mine and we
have been breached. Everybody is going, ``Now what do I do? And
why do I have to pay? And what do I have to sign up--where do I
go?'' This has to get fixed. Enough.
Consumers are the one that are getting taken to the
woodshed here. Companies are making billions of dollars off of
our data, and we have had it. And we want to do the right
thing; we don't want to do what Government often does, which is
completely overreact and create a whole new regulatory regime
that doesn't work. But let the message go out: This is serious
stuff, and consumers are dramatically affected. They are
inconvenienced, and it becomes costly to them.
Unfortunately, the Equifax incident was only one example of
the keepers of sensitive data failing to do their duty. For
millions of current and former U.S. Government employees,
including many people in this room, the Federal Office of
Personnel Management similarly failed to live up to its trust
to protect their most sensitive data. The OPM breach allowed
hackers to access data used by the U.S. Government to determine
whether a security clearance could be granted, including the
consumer credit information, demonstrating that even the
Government struggles to protect its most sensitive data.
These incidents and others like them demonstrate the
challenges of protecting consumer information in this digital
age. We know it is not easy. They also remind us of how high
the stakes are and how critically important it is that
Americans know that when they fill out an application to obtain
credit they are not exposing their most personal information to
bad actors all over the world.
There are a host of laws on the books already that require
compliance--let's not lose sight of that--and that furnishers
of consumer credit informations are required to take steps to
secure the data already under the law. The Gramm-Leach-Bliley
Act prohibits financial institutions from disclosing nonpublic
information without the consumers' consent. That is a law. The
Fair Credit Reporting Act deems the unauthorized disclosure of
consumer reports to be, quote, ``an unfair or deceptive act or
practice.'' That is a law.
The Dodd-Frank Act created an entirely new Federal
bureaucracy, the Consumer Financial Protection Bureau, and
charged it, among other duties, with the task of protecting
consumer financial information. Despite these new and sweeping
powers, the Bureau seemed completely unaware that a company had
failed to implement the necessary software patch that could
have saved Americans' data from hackers.
As I noted at the Equifax hearing last month, you can't fix
stupid. But, surely, we can do better. Despite all these
existing laws and authorities, Equifax allowed the most
sensitive consumer credit information of 145 million Americans
to be exposed. Equifax's entire business model is predicated on
collecting, maintaining, and securing individuals' private
financial transaction history. It failed, and now Equifax must
face serious consequences.
All of us, I am sure, are interested in any insights our
witnesses can provide into how, despite these policies and
procedures, incidents like the Equifax breach still happen.
There are longstanding Federal, State, and private data
security standards and requirements for protecting Americans'
sensitive financial data. I am interested in learning more
about any gaps or areas for improvement. The instantaneous
ability to obtain credit is a remarkable blessing in the
electronic age, but it doesn't work when your data are stolen
and sold on the dark net. Our ability to obtain credit is only
as strong as our data protection.
So I appreciate our witnesses today. And I especially
appreciate our substitute witness, who at the last minute made
accommodations to share your knowledge with us. Thank you. I am
sorry the witness that we had scheduled had to leave, violently
ill. And so we appreciate, on short notice, your ability to
come and help inform us in our work.
[The prepared statement of Mr. Walden follows:]
Prepared statement of Hon. Greg Walden
This morning we are here to discuss the topic of protecting
Americans' data in the digital age. The advent of new
technologies has reduced barriers and eased the ability of
consumers to access credit and make needed purchases in ways
unimaginable even a few generations ago.
In literally minutes, using only one's phone, Americans can
procure a loan to purchase a refrigerator, a car, or even a
house. The most remarkable thing about this is how unremarkable
it has become.
As with any invention, the technological innovations that
have facilitated access to credit bring with them new perils.
As this committee explored in our hearing last month, Equifax,
a credit reporting agency entrusted to safeguard the most
important financial data of millions of Americans, instead
allowed hackers to access that information through their
failure to implement a software patch that had been brought to
their attention by the Department of Homeland Security.
Unfortunately, the Equifax incident was only one example of
the keepers of sensitive data failing to do their duty. For
millions of current and former U.S. Government employees,
including many people in this room, the Federal Office of
Personnel Management similarly failed to live up to its trust
to protect their most sensitive data.
The OPM breach allowed hackers to access data used by the
U.S. Government to determine whether a security clearance
should be granted, including consumer credit information,
demonstrating that even the Government struggles to protect its
most sensitive information.
These incidents and others like them demonstrate the
challenges of protecting consumer information in the digital
age. They also remind us of how high are the stakes, and how
critically important it is that Americans know that when they
fill out an application to obtain credit they are not exposing
their most personal information to the world.
There are a host of laws on the books that require the
compilers and furnishers of consumer credit information to take
steps to secure that data. The Gramm-Leach-Bliley Act prohibits
financial institutions from disclosing nonpublic information
without the consumer's consent.
The Fair Credit Reporting Act deems the unauthorized
disclosure of consumer reports to be an ``unfair or deceptive
act or practice.''
The Dodd Frank Act created an entirely new Federal
bureaucracy, the Consumer Financial Protection Bureau, and
charged it, among other duties, with the task of protecting
consumer financial information.
Despite these new and sweeping powers, the Bureau seemed
completely unaware that the company had failed to implement the
necessary software patch that could have saved Americans' data
from hackers.
As I noted at the Equifax hearing last month, ``you can't
fix stupid.'' But surely we can do better.
Despite all of these existing laws and authorities, Equifax
allowed the most sensitive consumer credit information of 145
million Americans to be exposed.
There is no excuse.
Equifax's entire business model is predicated on collecting
and maintaining individual's private financial transaction
history. It failed, and now Equifax must face serious
consequences.
All of us, I am sure, are interested in any insights our
witnesses can provide into how, despite these policies and
procedures, incidents like the Equifax breach still happen.
There are long-standing Federal, State and private data
security standards and requirements for protecting Americans'
sensitive financial data. I am interested in learning about any
gaps or areas for improvement.
The instantaneous ability to obtain credit is a remarkable
blessing that remains all too unavailable for most people
living in less technologically advanced places. But for the
companies and networks that make this privilege possible comes
great responsibility.
Our ability to obtain credit is only as strong as our data
protection. In the cyber world foxes are always trying to break
into the henhouse. It is our duty, and the duty of the
possessors of sensitive consumer information, to make sure we
have a strong fence.
I look forward to hearing from our witnesses.
Mr. Walden. And, with that, Mr. Chair, I yield back the
balance of my time.
Mr. Latta. Well, thank you very much.
The gentleman yields back the balance of his time.
The Chair now recognizes the ranking member of the full
committee, the gentleman from New Jersey, for 5 minutes.
OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF NEW JERSEY
Mr. Pallone. Thank you, Mr. Chairman.
I am glad we are holding this hearing, and I hope the
committee will focus on how the practices of the credit
reporting and data collection industries affect consumers.
But today's hearing should not take the place of additional
hearings on the data breach at Equifax. Too many questions
remain unanswered, and that is why every Democratic member of
this subcommittee wrote to you, Mr. Chairman, requesting
additional hearings with current Equifax executives.
The Equifax breach exposed more than 145 million Americans
to lifelong threats resulting from their personal information
being exposed. Equifax says that it is, and I quote, ``taking
responsibility for its failures,'' but Equifax is only
providing victims with protections for 1 year. It refuses to
give people meaningful control over how Equifax shares and
sells the personal information that it collects. And that is
not taking responsibility; it is taking advantage, in my
opinion.
Consumer reporting agencies collect vast amounts of
personal information on almost every American, including
children. And this is the information that determines whether
someone gets a job or a new home or can afford medical care.
And these companies are data brokers, too, selling all of that
information to advertisers and others.
You and I are not their customers. We are the product.
These companies make their money selling our information to
other companies, often without our knowledge and certainly
without our approval. So they have no reason to limit the
information they collect, to limit sharing or selling of that
information, or to properly secure it.
Cyber attacks happen on an hourly basis, with more than
1,100 this year alone. Consumer reporting agencies and data
brokers make rich targets for hackers because of the
sensitivity and quantity of information they hold. And those
companies know it. In fact, it was reported that Equifax was
warned by a security researcher in late 2016 that Equifax was
vulnerable to attack, but Equifax did nothing and had no
incentive to do anything.
Right now, there are gaping holes in the laws and
regulations when it comes to collecting and securing our
personal information. The bill that Ranking Member Schakowsky
and I introduced, the Secure and Protect Americans' Data Act,
would close some of these loopholes.
It would provide the Federal Trade Commission with the
authority to assign monetary penalty against companies that
fail to protect personal information or who fail to provide
timely and meaningful notice to consumers that their
information has been stolen. It would also give additional
protections to victims after a breach. The bill would require
that companies that failed to secure individuals' personal
information provide free credit freezing or locking to a victim
for at least 10 years after a breach.
So we all need to reexamine this industry's approach to
consumer protection, including on issues like forced
arbitration and the Federal Government's examination or
auditing of these companies. We should also look at freezing
credit reports by default, ensuring the data that is collected
is actually correct, and give people control over their own
personal information.
Now, in our hearing and again today, on the Equifax breach,
Chairman Walden said that, and I quote, ``we can't fix
stupid.'' But we have seen over and over again that breaches
are not the result of stupidity. They happen because these
companies choose not to invest in security. And, ultimately, it
is the American people that pay the price for that choice.
[The prepared statement of Mr. Pallone follows:]
Prepared statement of Hon. Frank Pallone, Jr.
I'm glad we are holding this hearing, and I hope the
committee will focus on how the practices of the credit
reporting and data collection industries affect consumers. But
today's hearing should not take the place of additional
hearings on the data breach at Equifax. Too many questions
remain unanswered. And that's why every Democratic member of
this subcommittee wrote to you, Mr. Chairman, requesting
additional hearings with current Equifax executives.
The Equifax breach exposed more than 145 million Americans
to lifelong threats resulting from their personal information
being exposed. Equifax says that it is ``taking
responsibility'' for its failures. But Equifax is only
providing victims with protections for 1 year. It refuses to
give people meaningful control over how Equifax shares and
sells the personal information that it collects. That's not
``taking responsibility.'' It's taking advantage.
Consumer reporting agencies collect vast amounts of
personal information on almost every American, including
children. This is the information that determines whether
someone gets a job or a new home, or can afford medical care.
And these companies are data brokers too, selling all of that
information to advertisers and others.
You and I are not their customers. We are the product.
These companies make their money selling our information to
other companies, often without our knowledge and certainly
without our approval. So they have no reason to limit the
information they collect, to limit sharing or selling of that
information, or to properly secure it.
Cyberattacks happen on an hourly basis, with more than
eleven-hundred this year alone. Consumer reporting agencies and
data brokers make rich targets for hackers because of the
sensitivity and quantity of information they hold. And those
companies know it. In fact, it was reported that Equifax was
warned by a security researcher in late 2016 that Equifax was
vulnerable to attack. Equifax did nothing and had no incentive
to do anything.
Right now, there are gaping holes in the laws and
regulations when it comes to collecting and securing our
personal information. The bill that Ranking Member Schakowsky
and I introduced, the Secure and Protect Americans' Data Act,
would close some of those holes. It would provide the Federal
Trade Commission with the authority to assign monetary
penalties against companies that fail to protect personal
information or who fail to provide timely and meaningful notice
to consumers that their information has been stolen. It would
also give additional protections to victims after a breach. The
bill would require that companies that failed to secure
individuals' personal information provide free credit freezing
or locking to a victim for at least 10 years after a breach.
We also need to reexamine this industry's approach to
consumer protection, including on issues like forced
arbitration, and the Federal Government's examination or
auditing of these companies. We should also look at freezing
credit reports by default, ensuring the data that is collected
is actually correct, and give people control over their own
personal information.
In our hearing on the Equifax breach, Chairman Walden said
that we ``can't fix stupid,'' but we have seen over and over
again that breaches are not the result of stupidity. They
happen because these companies choose not to invest in
security. Ultimately, it's the American people that pay the
price for that choice.
Thank you, I yield back.
Mr. Pallone. I yield the remainder of my time to
Congresswoman Matsui.
Ms. Matsui. Thank you, Ranking Member Pallone. And I am
very pleased to cosponsor the Secure and Protect Americans'
Data Act that you introduced with Ranking Member Schakowsky.
The need for data security and breach notification
requirements are not new. California passed notification
legislation a decade and a half ago. But 15 years later, many
Americans don't know what happens to their online data, as the
Equifax breach has shown us.
In an event that sensitive personal data maintained on an
information system is breached, there is no comprehensive
Federal law that will protect consumers. That is absolutely
unacceptable.
Consumers deserve to know more about how their information
is held once it is entered online. It may be that a
comprehensive profile of my constituents' online activity could
be compiled without them having any knowledge of how or for
what purpose that data is being used. Consumers deserve a
Federal backstop when that data is compromised.
I look forward to working with the committee on ideas to
best provide that certainty to Americans.
Thank you, and I yield back.
Mr. Pallone. Thank you.
And I yield back, Mr. Chairman.
Mr. Latta. Thank you very much.
The gentleman yields back the balance of his time, and this
now concludes our Member opening statements. The Chair reminds
Members that, pursuant to committee rules, all Members' opening
statements will be made part of the record.
Additionally, I ask unanimous consent that the Energy and
Commerce Committee members not on the Subcommittee on Digital
Commerce and Consumer Protection be permitted to participate in
today's hearing.
Without objection, so ordered.
Again, I want to thank our witnesses for being with us
today and taking time to testify on this very important matter
before the subcommittee. Today's witnesses will have the
opportunity to give 5-minute opening statements, followed by a
round of questions from our members.
Our witness panel for today's hearing will include: Mr.
Francis Creighton, who is the president and CEO of the Consumer
Data Industry Association; Mr. James Norton, adjunct lecturer
at the Johns Hopkins University; Mr. Bruce Schneier, who is the
adjunct lecturer in public policy at the Harvard Kennedy
School; and Ms. Anne Fortney, who is partner emeritus at Hudson
Cook.
And, again, I would like to again thank Mr. Norton for his
last-minute replacement of Mr. Greene, who informed the
subcommittee that he was unable to testify because of illness.
So we appreciate it.
And before we get started, again, our witnesses will have 5
minutes.
If you would like to pull the microphone up close and press
the button.
And, Mr. Creighton, you are recognized for 5 minutes.
Thanks again for your testimony today.
STATEMENTS OF FRANCIS CREIGHTON, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, CONSUMER DATA INDUSTRY ASSOCIATION; JAMES NORTON,
ADJUNCT LECTURER, JOHNS HOPKINS UNIVERSITY ZANVYLL KRIEGER
SCHOOL OF ARTS AND SCIENCES; BRUCE SCHNEIER, FELLOW AND
LECTURER, BELFER CENTER FOR SCIENCE AND INTERNATIONAL AFFAIRS,
HARVARD KENNEDY SCHOOL, AND FELLOW, BERKMAN CENTER FOR INTERNET
AND SOCIETY AT HARVARD LAW SCHOOL; AND ANNE P. FORTNEY, PARTNER
EMERITUS, HUDSON COOK, LLP
STATEMENT OF FRANCIS CREIGHTON
Mr. Creighton. Thank you.
When I took this position with CDIA back in May, I was
excited to come here because I wanted to work on an issue I am
passionate about: How do we bring more people out of the
financial shadows and into the regulated financial system?
Consumer reporting is one of the best ways to achieve that
goal, and I am excited to have the opportunity to tell that
story.
But the news that was revealed on September 7 changed that
conversation. The scale of the criminal attack at Equifax is
breathtaking, and, like you, I want to better understand what
happened and make sure it never happens again.
But in the wake of the attack, we have heard a number of
statements that go beyond making sure this doesn't happen
again, that somehow the credit reporting system is unregulated
and that consumers are getting ripped off. Nothing could be
further from the truth.
First, this industry is highly regulated. My written
statement goes into more detail, but we are subject to the Fair
Credit Reporting Act, one of the most important and strongest
consumer protection statutes on the books today. FCRA subjects
reporting companies to comprehensive regulatory and consumer
protection regimes. The FCRA protects privacy, includes
criminal penalties for people who abuse the system, mandates
the accuracy and completeness of consumer reports, and makes
the process transparent for consumers.
On data security, the nationwide consumer reporting
agencies are subject to the FTC's safeguards rule as nonbank
financial institutions under the Gramm-Leach-Bliley Act. We are
also regulated and face enforcement by the State attorneys
general, contractual obligations from our financial institution
customers, make sure we meet the requirements of the Federal
Financial Institutions Examination Council.
At every level, this is a well-regulated industry. If in
the course of the investigation we find a regulatory gap in a
particular area, we pledge to work with you to address it.
Protecting consumer data is the most important thing we do. It
is not just good for business; it is the right thing to do.
But if this were just a question of regulation, that would
be one thing, but since the hack, we have heard people suggest
that maybe we don't need a consumer reporting system at all.
Our credit reporting system today is the envy of the world. It
is one of the main reasons American consumers have such a
diverse range of lenders and products from which to choose.
This stands in stark contrast to many other financial
systems, including those in developed nations. American
consumers have access to the most democratic and fair credit
system ever to exist. Individual consumers have the liberty to
access credit anywhere in the country, from a wide variety of
lenders, based solely on their own personal history of how they
personally have handled credit. So when a family tries to buy a
house for the first time, they can access the right mortgage
for their own personal needs. A young person who comes here to
work on the Hill and has to buy a car to get to work can go to
an auto dealer and drive off the lot the same day even if she
or he has never been to this area. A young family can access
credit through a mainstream financial institution rather than
depending upon shadowy lending services.
Without access to a full credit report, lenders, landlords,
community banks, credit unions, insurance companies, and others
won't know how a consumer has handled their obligations in the
past unless those service providers know the customer
personally.
Credit reports are also a check on human bias and
assumptions. They provide lenders with facts that contribute to
equitable treatment for consumers. CDIA members establish an
accountable and colorblind system for judging creditworthiness.
Without this system, subjective judgments could be based on
factors other than the fact of creditworthiness.
Today's credit reporting system has made it possible for
middle-class consumers to get credit at rates that previously
were reserved only for the wealthy. Credit reporting companies
are innovating to solve the problem of the unbanked, thin-file,
and credit-invisible consumers who have not had a chance to
participate in the mainstream financial system.
This is a system that works whether you are at a global
bank or at a community-based credit union, because companies
share critical information across the system to benefit
everyone. In one sense, lenders take their sensitive customer
information and share it with a trusted third party so that
another financial institution, potentially a competitor, can
use that information to make a more informed lending decision.
This results in lower prices, more choices for consumers, and a
safer and sounder financial system.
Our individual credit reports tell the story of our
individual choices. They are neither positive nor negative.
They are our best attempt at an accurate portrait of what we
individually have done. And they offer the tools lenders and
others need to make judgments about how a particular person
will handle his or her obligations in the future.
Thank you for having me here today. I look forward to your
questions today and in the future.
[The prepared statement of Mr. Creighton follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Latta. Again, thank you very much for testifying before
us today.
And, Mr. Norton, you are recognized for 5 minutes.
STATEMENT OF JAMES NORTON
Mr. Norton. Thank you, Chairman Latta, Ranking Member
Schakowsky, and members of the subcommittee. Thank you very
much for inviting me to testify before you today.
My name is James Norton, and I am the founder and president
of Play-Action Strategies, a homeland security consulting firm
here in Washington, DC. I am also a member of the Johns Hopkins
University faculty, teaching graduate courses on homeland
security and cybersecurity.
Previously, I served in multiple positions at the
Department of Homeland Security under President George W. Bush,
including as Deputy Assistant Secretary of Legislative Affairs.
I was a member of the Department's first team tasked with
confronting the then-nascent cybersecurity threat.
My testimony will focus on how attacks like the one that
led to the Equifax breach fit into the larger cybersecurity
context and what can be done to strengthen cybersecurity
protections on the front end.
Today, cybersecurity threats are pervasive, and any company
or institution that houses large amounts of personal data is a
potential target. Each year, hackers and other bad actors
launch millions of attacks on cyber infrastructure maintained
by governments, businesses, and individuals.
Current cyber threats take many forms and target a range of
vulnerabilities, increasing the complexity of cybersecurity
missions. Attacks like the Equifax breach, the WannaCry
ransomware attack, and the Yahoo breach in 2013-2014 are more
widespread and complex than earlier intrusions, demonstrating
that bad actors are becoming more sophisticated in their
efforts. So far, cybersecurity protections have largely failed
to keep pace.
While security frameworks like those laid out in the Gramm-
Leach-Bliley Act and the Fair Credit Reporting Act are
important guideposts and should be maintained, lawmakers should
resist the temptation to put in place rules and regulations
that requires companies and institutions to take specific
federally prescribed actions to address cybersecurity issues
resulting in limited flexibility for private-sector companies
to respond to emerging threats. Instead, I would encourage
officials to commit themselves to working collaboratively with
businesses and consumers to share best practices and raise
awareness about the scope and sophistication of cyber threats.
To help meaningfully address cybersecurity challenges, I
offer the following recommendations for the subcommittee:
The Federal Government should take the lead in convening
relevant stakeholder meetings to develop and share best
practices, including an examination of how efforts currently
underway within the Federal Government and in the private
sector can be adapted for applications in other sectors, as
well as help businesses better understand the national security
threat with the intelligence that is available to the
Government.
Government officials and private-sector leaders must make a
more concerted effort to ensure that consumers and even other
businesses, especially small-business owners, are aware of the
threat and the tools that are publicly available in the
marketplace to reduce the vulnerability.
Businesses must encourage a path to integrate cybersecurity
into their companies' culture through regular training and
updates, which obviously was lacking with Equifax.
I thank the committee for holding this important hearing,
and I look forward to your questions. Thank you.
[The prepared statement of Mr. Norton follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Latta. Thank you very much for your testimony.
And, Mr.--I want to make sure I am pronouncing your name--
it is ``Schneier''? ``Schneier''?
Mr. Schneier. Rhymes with ``frequent flyer.''
Mr. Latta. OK.
Ms. Schakowsky. I said it wrong too. I added a D.
So ``Schneier,'' right?
Mr. Latta. We apologize. We want to make sure we get it
right.
You are recognized for 5 minutes. Thank you very much for
testifying today.
STATEMENT OF BRUCE SCHNEIER
Mr. Schneier. Thank you for having me.
I am Bruce Schneier. I am a fellow and lecturer at the
Harvard Kennedy School. I am associated with the Berkman Center
at Harvard. I also work for IBM. I am speaking for none of
them. And, actually, it is probably best if we just don't tell
IBM that I am here.
The Equifax breach was bad. We have heard a lot of the
details. This was very sensitive information about half of our
country. And Equifax security really was laughably bad, both
before, during, and after the attack. This is also not the
first time. There is a Forbes article that outlines breach
after breach from Equifax.
So the question I ask is, what is going on? We have this
large data-broker industry whose job is to collect information
about us to sell to other people. We are talking about
financial information, but it is actually much more than that:
information about our interests, about what we do, about what
we do on the internet, things we buy, places we go. It is
thousands and thousands of data points about all of us, some of
them very intimate, that are wanted by others and are
collected, sorted, collated, and sold without our knowledge and
consent.
And the market can't fix this. A couple of people have said
that we are not the customers. And that is correct; we are not
Equifax's customer.
Chairman Walden said, you know, there is no excuse for
stupid. There actually is an excuse for what Equifax did. If
you are the CEO of Equifax--and he was here--and your choice is
to either save 5 percent on your budget by having lax security
and taking the chance or spending the money, you are going to
take the chance. You are rewarded by coming in under budget. As
long as your customers don't complain--and none of them did--
that is not a problem. Because we are the product, we are not
protected. And that is why this is not something that a market
can fix.
The CEO left with an $18 million pension. He did OK. His
decision was arguably the correct one in this environment.
All right. So what should we do here? There is a 2014 FTC
report on data brokers. It is worth picking up and reading
again. It talks about more transparency and more customer
control over their data.
I would like it if you would fund research into the actual
harms that come from these breaches. One of the problems in
lawsuits from customers is that proving harms is hard. If you
were the victim of identity theft in 6 months, was it because
of Equifax or because of half a dozen other breaches? You don't
know. And without that direct connect, courts will throw out
cases.
I would like to see a nationwide credit freeze, where
credit information is given upon permission. There is no reason
why my credit should be given out without my permission. If I
am applying for a car or I am applying for a mortgage, I am
going to know, so I should be able to do that.
I would like some kind of data minimization. We talked
about opt out. Be careful, though. Opt out often doesn't mean
opt out. In many of these cases, when you opt out, you opt out
your data being given away--not being collected, not being
stored. You will be just as vulnerable when there is a breach
if you opted out as if you opted in. So be careful what ``opt
out'' means.
I would like the FTC to set minimum security standards,
financial and nonfinancial.
And avoid questioning if this is too hard. Right now, a lot
of these companies operate in Europe. The regulations are much
more stringent. Starting next year, we are going to see the
GDPR, the generalized data protection regulations, even more
stringent. And they can do things there they can bring here.
So a couple of final points.
This has some real foreign trade implications. Right now,
there are safe harbor rules that allow us, U.S. companies, to
collect data on Europeans. If we show that we are incompetent
at it, those rules are going to be dropped, and we are going to
have a lot of problems for our U.S. companies doing business
overseas.
And this has national security implications as well.
Someone mentioned that China went after the Office of Personnel
Management. They are after data on U.S. citizens. North Korea
funds a lot of their stuff using cyber crime. Russia wants our
data. The data of all of us, of all of you, are in these
databases, and foreign governments want it. To the extent we
don't protect it, we are making it easier for them.
If you had half a dozen people standing behind you
constantly, taking notes on everything you did, you would
notice that, and there would be a law immediately making that
illegal. That is what happens today. There are something like
2,500 to 4,000 data brokers, and they are in your computer
secretly taking notes, collecting data on everything you do,
everything all of us do.
That is a massive industry, and it is invisible. We need to
make it visible, and we need to institute some controls. This
is not something the market can fix, because we are its
product.
Thank you.
[The prepared statement of Mr. Schneier follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Latta. We appreciate your testimony this morning.
And, Ms. Fortney, you are recognized for 5 minutes.
STATEMENT OF ANNE P. FORTNEY
Ms. Fortney. Thank you.
Good morning. I am Anne Fortney. Thank you for the
opportunity to appear before you today.
I am the partner emeritus at Hudson Cook law firm. My
career involved more than 40 years' experience with consumer
reporting and the credit industry, including service as the
Associate Director for Credit Practices at the Federal Trade
Commission and as in-house counsel at a retail creditor. I also
served as a lawyer consulting clients on compliance.
Consumers today are understandably very worried about the
security of their personal information held by large
corporations, including credit bureaus. Some background may be
helpful in understanding the benefits of the system, the legal
protections, and, I think most importantly, the ways in which
consumers can personally manage their financial information.
Our consumer reporting industry evolved over many years in
order to meet the needs of banks and commerce so that companies
could provide to consumers the products and services they want
and need. In the late 19th century, creditors came together to
share customer payment information. These voluntary information
exchanges then became credit bureaus.
Today, there are four principal credit reporting agencies,
but there are also consumer reporting agencies that deal in
information other than credit. These deal in information
relating to medical payments, landlord/tenant experience,
check-writing histories, employment, and insurance claims. Each
kind of consumer reporting agency developed because industry
members agreed to report their information voluntarily to a
centralized system in order to serve the respective needs.
Consumer reporting agencies today maintain large databases
on consumers, including personal identifying and sensitive
financial information. By engaging in credit transactions,
consumers create their credit histories at credit reporting
agencies. Consumers don't specifically opt in to having this
data maintained and used, but they benefit from the totality of
credit reporting agencies' information when lenders use it to
verify their identity as well as determine their eligibility
for credit.
Despite the clear benefits of the system, the disclosure
and use of information in these databases pose risks to
consumers. Congress has enacted laws to protect consumers'
sensitive information while also assuring that the data is
available to meet the needs of commerce. My written statement
summarizes these laws, and, believe me, they are extensive.
In addition, Federal and State officials oversee the
collection, use, and security of consumers' nonpublic data
through bank supervision and legal enforcement. We may focus on
big data when there is a security breach, but companies holding
consumers' personal data work continuously to secure the data
by monitoring, detecting, evaluating, and addressing security
threats. And there are millions of such threats. They perform
this monitoring to comply with Federal and State laws, but they
also do it because the data and the integrity of their data is
essential to their business. It is not an area where they cut
costs.
Despite best efforts, however, data breaches can and do
occur. When measured against the volume of potential data
security threats, these breaches are very, very infrequent. But
when it is my data that is involved, I am less concerned about
whether the system otherwise works so well. I think that is how
we all feel.
But I know I can protect myself against inaccurate data and
the risk of identity theft. Hereis how:
First, I monitor my credit report information through a
credit monitoring service. I check my credit report and review
it for any suspicious activity. I accept my bank's offers for
my free credit score. I read my credit card billing statement
when it arrives, and I notify the card issuer if I don't
recognize the charges. I also read my checking account
statement and contact the bank if there is check fraud. Like
everyone, I lead a busy life, but these simple measures do not
take much time, they are free, and they make me feel secure.
I also know what to do if I am worried about being a victim
of identity theft. I can place fraud alerts on my credit report
at the three largest credit bureaus. I can get a free report if
I do so. These alerts reduce the likelihood that someone can
misuse my information to open a fraudulent credit account.
I can also block the reporting of credit information that
has been the result of identity theft. I can go to credit
bureaus' websites to learn how to take these steps and to learn
more about how to keep my data secure.
I can also go to the FTC's website for identity privacy and
online security. It contains a wealth of useful information
about privacy and identity theft. The website will also tell me
what to do if I become a victim of identity theft.
In sum, there is a tradeoff between consumers' right to
privacy of their personal information and the commercial needs
and benefits of that information. Our laws reflect that balance
in the tradeoff. But we consumers are not powerless in our
ability to monitor and control the accuracy, confidentiality,
and security of our information.
Thank you.
[The prepared statement of Ms. Fortney follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Latta. Well, thank you very much for your testimony
today.
And, again, we appreciate all of our witnesses for being
with us today.
And that will conclude the witnesses, and we will start
with our Members' questioning. And I will start with my 5
minutes.
Mr. Creighton, if I could start with you, considering the
size and scope of the Equifax breach, consumers are confused
and rightfully skeptical about what they should be doing to
protect themselves.
Could you briefly--and briefly because I have limited
time--what should we tell our constituents about how the credit
reporting industry is securing your sensitive data? And, trust
me, we are all hearing it from our constituents from phone
calls when we are back home.
So thank you very much for being here.
Mr. Creighton. Sure. And I hear it too. Obviously, this
impacts us, everyone here on the panel, as much as it impacts
you.
What is the industry doing to protect our data? The same
thing every company that has sensitive information is doing:
They are monitoring their systems. They are learning from every
breach that happens, not only in our industry but across the
economy. We are fighting this war on a daily basis. We are
getting attacked nonstop, from nation-states, as one of the
other witnesses was mentioning, from criminals, and from many
others.
What do we do? We monitor. We test our system. We try to do
data minimization and encryption, inside and while the data is
in transit, to make sure that if, in fact, somebody is in the
system the information is not usable if they are in there and
to try to keep them out of the system in the first place.
Taking care of consumers' sensitive personal information is
the most important thing that we do. In this case, we failed.
But it is still the entire industry's number-one priority.
Mr. Latta. Thank you very much.
Mr. Norton, Equifax is subject to Federal data security
standards. Other industries are subject to Federal and State
security standards. However, breaches continue in all the
sectors.
When companies are evaluating how to protect individuals'
data from cyber criminals or nation-states, are there best
practices to follow? And, most importantly, how effective are
the regulations that are out there in policing companies'
cybersecurity practices today?
Mr. Norton. Well, I think it is obvious by the number of
attacks we have seen every day, every week, every year that we
are not doing enough. So I think that is pretty clear, that,
you know, the larger corporations, whether it is Equifax, Home
Depot, or Target, they have all been exposed and they have all
been attacked because they all are targets because they have a
large amount of information on their systems.
I think partnerships through places like Department of
Homeland Security, Department of Commerce are important to
establish. I think real-time information needs to be exchanged
a lot faster than it is right know. I think we need to almost
indoctrinate some of the business partners with the Federal
Government in terms of allowing them to get some of this
sensitive information and create that culture that I don't
think really exists, you know, at a lot of C-suites right now.
Mr. Latta. Let me ask you about what you just said. OK,
exchanging that data in real time, that real-time data, how
would you describe that, and how should that be done?
Mr. Norton. Well, I think that you need, you know,
certainly, somebody that is at a senior level within--a CEO--so
let's use States, for example. After the 9/11 attacks, a lot of
Governors stood up homeland security apparatuses at the State
level and they had homeland security advisers, and I think you
need a similar model at the CEO level, where the CEO has a
cybersecurity--not just an adviser but somebody that is at a
senior level that can be in the meeting not once a month, not
every 6 months, not every quarter, but every day, and they can
get briefed every day on these threats.
Any company that has large amounts of personal information,
like we were talking about earlier, like Equifax, or large
amounts of other types of IP, you know, for example, companies
that have, you know, high-end, valuable assets that might be
for sale, again, would be something that would be attacked.
So I think all these things need to be considered and need
to be part of that exchange in terms of the day-to-day threat
information. And if DHS or other agencies, you know, need more
funding or they need to continue to stand up, then that is an
area that I think the subcommittee could definitely support.
Mr. Latta. Thank you.
Ms. Fortney, given your experience at the FTC and in your
legal practice, what potential consequences do you see for
Equifax given the regulatory environment? And, again, what laws
and regulations are at play in this situation?
Ms. Fortney. The first thing we need to do is find out
exactly what happened. And the FTC has announced--they took the
extraordinary step to announce that they were conducting what
is usually a nonpublic investigation.
We don't know exactly what has happened. The fact that
there has been a security breach in general doesn't mean that
there is a violation of the law. From what we have read--and
all I know is what I have read in the press--Equifax did not
take appropriate measures to prevent the breach.
The Fair Credit Reporting Act, if there is any credit
reporting information that is involved, would come into play.
There are civil penalties, as well as the FTC's authority to
prevent future violations.
The Gramm-Leach-Bliley rules also require Equifax to
safeguard the data on consumers that it holds, and there can be
penalties there as well. I understand that there is some
confusion in terms of whether a violation of the rule itself
would result in penalties, but I think the FTC also has
authority under other laws.
In addition, the FTC has taken the position that their
authority to address unfair, deceptive acts or practices can
come into play when there is a serious security breach.
Mr. Latta. Thank you very much.
My time has expired, and the Chair recognizes the ranking
member of the subcommittee, the gentlelady from Illinois, for 5
minutes.
Ms. Schakowsky. Thank you.
Mr. Schneier, you recommended that Congress move forward
with legislative proposals to make a credit freeze the default,
effectively blocking access to consumer credit reports except
when the consumer permits access for the specific purpose.
You believe this step would protect consumers' privacy and
make consumer information more secure. Is that correct?
Mr. Schneier. I think it will prevent the breaches. It is
not going to do anything to make Equifax's databases more
secure. It is not going to do anything to make our data less
vulnerable, but it will make it less useful. And that, I think,
is something that is real important.
Ms. Schakowsky. Well, let me ask you this. You said that
we, the public, are not the customer of Equifax or the data
reporting agencies. We are, in the sense that--I am sort of
galled by the idea that I have to pay for the credit report.
Actually, I did also go for the one free, and somehow I must
have pushed a button that, then, $10 a month was charged in the
future. I finally called them and said, ``How did that
happen?'' You know, I don't exactly know.
So we do pay a small amount every month. So they still do
charge us for our--you know, except for the one free.
Who are, then, the customers? I have gotten a--what do you
call it--preapproved credit cards in the mail. I didn't ask for
that. I am not seeking a loan. So who are the customers, then,
of these CRAs?
Mr. Schneier. The customers are those who want to give you
offers. And, certainly, anybody who sent you a preapproved
credit card got that data.
And they get data in very different ways. There was
something I wrote about, and I don't remember the details, but
one lender was asking for people who had defaulted on loans so
they can sell them basically fraudulent products. The FTC did
slap a fine on them, but those are the sort of things that are
happening.
And the way to think of it is that we are not their
customers. And they deliberately make it hard--those credit
freezes and credit scores, they are deliberately deceptive. To
get the free one, you have to navigate a very complex route,
and occasionally you get taken. There are a lot of things these
companies do----
Ms. Schakowsky. [Inaudible.] The score, you know?
Mr. Schneier. That is right.
Ms. Schakowsky. So the score isn't free, in some cases.
Mr. Schneier. That is right. Just the data is, so you can
look at it.
Ms. Schakowsky. Right.
Mr. Schneier. And, in some cases, there are things they can
do to make things easier, and they don't. So, for example, if I
log into my network at Harvard, this phone will make a noise
and will tell me. So if someone else does it, I will know that.
And you can get an app from some banks that, if your credit
card is used in a physical location you are not, like in
California today, you would be alerted. You are not near your
card.
And that is sort of a customer-service type of thing. There
is no reason in the world why the credit agencies can't do that
same thing: When someone wants my credit, I get an alert. You
know, retailer I like? Yes. You know, Russian scammy bank? No.
I mean, I should be able to do that.
But that is a feature that is not going to be offered to
the product. As the product, we are supposed to, you know, shut
up and do what we are told. And if you complain, there are
going to be difficult avenues and you are going to get scammed.
Ms. Schakowsky. So I think people need to understand this
is not just, I am applying to refinance my mortgage or I want
to get a car. This is, my information is now a product that
they can sell to others. Is that right?
Mr. Schneier. And it is more than financial information.
You have to understand, it is our browsing habits, it is our
reading habits, it is the things we do, it is the details of
our life.
I mean, you have to assume that that will be purchased by
somebody who wants to use it against you. And I think all of
our Government officials should be concerned about that. Do we
want our browsing habits in the hands of opposition research?
Kinda not.
Ms. Schakowsky. Have we seen any international reaction to
this Equifax breach? You talked about the problems that we may
incur if our partners around the world think that we can't
protect data.
Mr. Schneier. I haven't heard anything about Equifax
specifically, but certainly there is agitation in Europe. A lot
of these safe harbor agreements are very tenuous. And they are
right now protecting American companies to store Europeans'
data, but I think we can lose them at any time, especially as
Europe is getting much more regulatory. The GDPR is coming, and
it is going to be enforced starting in March, and all the U.S.
companies are preparing for that.
Ms. Schakowsky. So there is personal and international
consequences for consumers and for business.
Mr. Schneier. I think there is. I worry about how the U.S.
will look in the world market if we show that we can't secure
the data of Canadians and British and Europeans.
Ms. Schakowsky. Thank you.
Mr. Latta. Thank you very much.
The gentlelady yields back, and the Chair now recognizes
the gentleman from Mississippi, the vice chairman of the
subcommittee, for 5 minutes.
Mr. Harper. Thank you, Mr. Chairman.
And thank you to each of you being here. Particularly, Mr.
Norton, I want to thank you. On such short notice, I am sure
you had other things you might have preferred to do. But the
information that each of you are providing is very important.
Who knows, Mr. Schneier? Maybe we will get back to just
writing letters. You know, maybe that is going to be the
solution to protect our personal information on some of this.
You know, this is still just an unbelievable event that has
raised this to a new level. And, Mr. Creighton, I know that--
you know, we can talk about this. When I questioned the former
CEO of Equifax, you know, he said, that is the number-one
issue, which you restated, which is to protect that personal
information, which was done very poorly.
So there are so many issues here, but do all three--and
this is for you, Mr. Creighton--do all three major credit
reporting agencies provide the same information to every
lender, merchant, et cetera? If not, why is that not the case?
Mr. Creighton. Different bureaus may have different
institutions furnishing information into them. When a lender
asks for information, they will provide the information that
they have, but not every bureau has exactly the same
information that every other bureau does.
It is one of the reasons why Fannie Mae and Freddie Mac,
for example, require that their lenders collect all three
credit reports and merge them into one package, to make sure
they are getting full coverage.
Mr. Harper. So you could request three or four credit
reports from different CRAs, and they could have variations
based upon that technique.
Mr. Creighton. Well, for example, if you are an auto
dealer, a small auto dealer in a particular region, you might
only be working with one credit bureau.
Mr. Harper. Got it.
Now, do credit reporting agencies separate their credit
reporting and noncredit reporting activities and businesses?
Mr. Creighton. Yes. This is an important point. The credit
file is distinct from any other business that they have. The
credit file is governed by the Fair Credit Reporting Act.
And the credit file is only certain kinds of information.
It is not the web browsing and all of that other information.
What is in the credit file? Who are you? Who are you,
personally? Do you exist? That is, you know, basically public
information. Do you have any judgments again you, like a
bankruptcy? Do you have credit available? With whom do you have
that credit available? How much credit do you have? What is
your balance? Do you pay on time? Functionally, that is what is
in the credit report.
Mr. Harper. OK. Thank you for that.
And, Mr. Norton, can you talk to us for just a minute and
explain a little bit about NIST, the National Institute of
Standards and Technology, and their cybersecurity framework and
its importance for today's, you know, hearing?
Mr. Norton. Yes, absolutely. And, you know, NIST several
years ago took an important step, providing voluntary guidance
for not only Federal agencies and State and local governments
but also for the private sector to start to build out a
framework to start to talk about, you know, how do you secure
the enterprise----
Mr. Harper. So when did they start this?
Mr. Norton. I don't know the exact date. I think it was a
few years ago.
Mr. Harper. OK. Was Equifax a voluntary participant in
this?
Mr. Norton. I don't know if they were. I am not sure.
Mr. Harper. Can you find that out for us and let us know
that?
Mr. Norton. Sure.
Mr. Harper. And go ahead and explain this a little bit
more, the cybersecurity.
Mr. Norton. But I think to your point that, you know, it
was publicly available information, it was something that the
Government was, you know, certainly promoting, in terms of this
NIST standard, I think that, you know, having these standards
are very important. I think, you know, the threat still,
necessarily, hasn't been digested by the private sector. And I
think that is part of, you know, a role that the Government
could play, in terms of briefing not only on the standards and
the voluntary compliance that they should really look at and
think about doing but also understanding what are these
attacks, why are they a target, not just, you know, the bigger
nation-states but the smaller gangs and the different
organizations that are out there that, you know, are certainly
targeting these things for money, essentially, and to sell this
data.
Mr. Harper. You know, listening to each of your
testimonies, you know, I know Mr. Schneier mentioned that, you
know, CEOs willing to take a chance, I don't know if that is
going to be the case on the Equifax deal. I think it was just
pure negligence. Somebody--multiple people dropped the ball on
an easy--you know, this was not a complicated fix. And I know
we will find out more when FTC gets through with this and we
get through with all the investigation that is there. But, you
know, constant upgrades of cyber defenses are necessary. They
only have to be, you know, correct one time. And, obviously,
this, they were in a big way.
So, Mr. Norton, do you believe that security standards will
stop the data breaches as we have now?
Mr. Norton. You know, I think that it is certainly an
important part of it. I think that having cybersecurity as a
one-person position within a business is not cybersecurity.
That is just having one person. I think you need to have a
larger enterprise strategy and plan, and it has to flow up from
the CEO all the way down to the lowest employee.
If you look at attacks like OPM was mentioned and others,
it is really the training is an issue, where all employees need
to be trained on cybersecurity. They need to understand exactly
what these threats are. Because at your desktop is really the
front door of a business, and when you get, you know, a
phishing email or a phishing attack and you click on that link,
you have just opened the door.
Mr. Harper. And maybe not giving an $18 million bonus to
somebody who totally failed in their number-one responsibility.
I yield back.
Mr. Latta. Thank you very much.
The gentleman yields back, and the Chair recognizes the
gentleman from California for 5 minutes.
Mr. Cardenas. Thank you, Chairman Latta. I appreciate this
opportunity for us as Congress to discuss this very, very
critical issue that faces hundreds and hundreds of millions of
Americans every single day.
In discussions of data breaches and breach legislation,
there has been a tendency to focus on financial harms to
consumers. Credit reports include a lot of nonfinancial
information, and certainly these companies hold a significant
amount of personal information outside of the credit report
that is not financial.
Mr.--I am sorry if I pronounce your name wrong--
``Schneer''?
Mr. Schneier. ``Schneier.'' That is all right. Nobody has
gotten it right today.
Mr. Cardenas. OK. ``Schneier.'' OK. Are you concerned about
repercussions of a breach beyond financial harms, and if so,
can you give us some examples?
Mr. Schneier. So, yes, I think the nonfinancial harms are
considerable. I mean, just thinking of the OPM breach would be
an example of just nonfinancial data in the hands of the
Chinese Government, and that would be a problem. So, depending
on who stole the Equifax data--we actually don't know if it was
criminals or a government right now--the harms can be
considerable.
And the swap between financial and nonfinancial is fuzzy.
If you call your bank or your broker or your insurance company
and don't remember your account, they are going to ask you a
bunch of questions like where did you live, which of these cars
do you own. You have all had that experience. That is
nonfinancial data, and that is going to be used to authenticate
you to a financial institution. So even nonfinancial data has
very serious financial ramifications because it is our
secondary authenticator.
Mr. Cardenas. So, in some cases, somebody might know the
name of our favorite pet.
Mr. Schneier. Favorite pet is actually surprisingly easy.
Those secret questions turn out to be very insecure.
And this is, sort of, again, you are looking at this
tradeoff in security and convenience. What these companies
want--I mean, what the credit card companies want--is for it to
be really easy for you to get a new card, so they make that
application super-easy. If they made it more secure, made it
harder for somebody else to get a card in your name, it would
be harder for you to get a card, and the companies don't want
that.
So they are making a tradeoff based on their bottom line,
not based on your security, to maximize their profits. And that
is often ease of use, ease of access, making things easier.
Mr. Cardenas. Can you give us an example of how
nonfinancial information can lead to financial harm to an
individual that their information has been breached or gotten
into the wrong hands?
Mr. Schneier. So I just talked about nonfinancial
information being used as a financial authenticator. You can
certainly see personal embarrassment leading to all sorts of
problems. I mean, lots of instances of that, especially, you
know, people who are more marginalized. We see a lot of threats
against women based on exposing personal information that is
stolen from accounts. And, I mean, that is something that is a
real problem and hard to deal with.
I pulled up to--I talked about something Equifax did. It
wasn't in my testimony, and I want to mention it, that in 2012
they sold lists of people who were late on their mortgage
payments to a discount loan company. That was one of their
products. They were fined by the FTC for that. But those are
the sorts of practices you see from these companies.
Mr. Cardenas. So companies like Equifax, they have dual or
more than one role out there in the world? Or they see
themselves as being involved in businesses beyond just holder
of information or reporting of our ability to pay, so to speak?
They are actually brokering information out there?
Mr. Schneier. If you go out to their website and look under
``business products,'' which is different from the credit
stuff, and they ask things that are optimized for restaurants,
for the travel industry, for--and I forget the whole list of
industries that they are selling data to. That data is
nonfinancial data. It is data about us, slicing and dicing us
in different categories, so we can be better marketed to.
Mr. Cardenas. So, basically, when an American puts their
house up for sale and you see a sign out front, that is pretty
cut and dry that you have hired somebody to broker for you, to
actually do something for you, something so personal as we are
going to sell our home.
But are you telling me that, unbeknownst to a bunch of
American citizens, that companies like Equifax are actually
having signs out on their personal information and using it and
making money off of it, unbeknownst to the average American?
Mr. Schneier. And that is the business model. The data-
broker business model is they collect information, either--they
will buy it. They will buy it from the Government. You know,
States will sell them driver's license information. They will
get it from companies. They will get it from wherever they can.
They will correlate it. They will make inferences based on it.
I mean, we are hearing about how some of that was used to
target ads in the last election. And then they will sell that
to people who want it.
Mr. Cardenas. OK.
Well, I yield back my time. Thank you, Mr. Chairman.
Mr. Latta. Thank you very much.
The gentleman yields back, and the Chair now recognizes the
chairman emeritus of the full committee, the vice chairman, the
gentleman from Texas.
Mr. Barton. Thank you, Chairman Latta. And I was here at
the gavel. I had to go run to a quick meeting, but I appreciate
being allowed to ask questions at your hearing.
The current system is not working. I was here for Gramm-
Leach-Bliley. I have been on this committee 33 years. We have
all these--as the first gentleman said, in your testimony, it
is a heavily regulated industry. You are right about that. But
when it comes to data breaches, all that is required is
disclosure. There is no real penalty. Eventually, if it happens
repeatedly at the same institution, the FTC has some authority
to impose some fines.
But all these laws that we have passed merely require that
you have to inform the customer, the consumer, of how their
data may be used, and if it is breached, you have to inform
them that it is breached. That is pretty much it. And I don't
think that works.
And if you listen to the opening statements on both sides
of the aisle this morning, you know, Mr. Pallone's, Chairman
Walden's, the chairman, Mr. Latta, they are all pretty strong
on condemnation of what is happening. I think that we are going
to have to change the law and that we are going to have to do
more than require disclosure. I believe we are going to have
to, on first offense, allow for some fines to be levied, some
real penalties. I would prefer that it be on a per-consumer
basis. That may or may not be workable.
So I guess I will go to Ms. Fortney.
Do you agree or disagree that we need to change the law and
put some real teeth into what happens when there is a breach?
Ms. Fortney. I think the answer depends on whether the
problem with Equifax was a systemic problem or whether Equifax
was an outlier.
I think that the law currently exists in ways that
consumers can be protected. I think the FTC has indicated that
they will use their authority, not just under Gramm-Leach-
Bliley but also under Section 5 of the Federal Trade Commission
Act, to redress consumers who have been harmed by security
breaches and by other data practices that are unfair to the
consumer.
Mr. Barton. Do you support that they be allowed to do that
at a first offense?
Ms. Fortney. The FTC on their website says that they have
brought--sorry, their testimony said they have brought 60 cases
against companies under Section 5 of the FTC Act based on
unfair, deceptive practices involving data and data security.
Mr. Barton. Mr. Creighton, your testimony, I thought, was
thoughtful. I thought it was well done.
My question to you would be, if we did impose or give some
authority to levy fines or a reimbursement to each consumer
whose data is breached, would that destroy the credit industry
as it is today? Or would it, if it was done appropriately and
at the appropriate level, would it perhaps strengthen it
because it would give them an incentive to really protect
consumer data so that we don't have all these breaches?
Mr. Creighton. The incentives already exist for us to
protect the data. You know, if you add penalties and everything
else, it is not going to change our practices. Our practices
are to protect the data today. So, I mean----
Mr. Barton. Then why do we have thousands of breaches or
hundreds of breaches a year?
Mr. Creighton. It is true. Look, in the Government, you
have an incentive to protect your data also, and yet we have
seen breach after breach after breach, including personal
information for, as the chairman said, people in this room,
sensitive market-moving information at the Securities and
Exchange Commission. We have seen that over and over and again
there. Those incentives need to be aligned, I would argue, more
directly with where our incentives are, which is to protect the
data.
Yes, breaches happen, and every one of them is a problem.
But there are different scales of breaches. You know, is a lost
cell phone that has some data on it considered a breach that
automatically is going to result--or do you have to look at
what is the consumer harm?
Mr. Barton. Well, my time has expired. I will just make
this editorial comment. In the Equifax case, people at Equifax
knew they had a problem with their system and they didn't do
anything to fix it. They didn't do anything to fix it. But if
they would have known, if we don't get this fixed, we are going
to pay $1,000 per consumer or $100 or maybe even $50, plus some
of the things that Ms. Schakowsky and Mr. Pallone were talking
about, I believe they would have fixed it or tried to fix it
sooner rather than later.
Thank you for your courtesy, Mr. Chairman. I appreciate it.
Mr. Latta. Well, thank you very much.
The gentleman's time has expired, and the Chair now
recognizes the gentlelady from Michigan for 5 minutes.
Mrs. Dingell. Thank you, Mr. Chairman.
I guess I am sort of, even before I begin, reacting to ``if
Equifax is an outlier.'' I have been hacked so many times in
the last--the OPM, the Yahoo account, the Equifax, the Target,
the Sears, the Home Depot. You can tell I have a lot of credit.
But I have also been hacked more than that. I have a
permanent--but I also will tell you that I think it is very
complicated to put these credits--and you talk about it very
easily, and that is what I do want to talk about, is I think it
is very complicated for the average consumer, who, by the way,
has no idea what is happening.
Mr. Chairman, I thank you for studying this, because I
think it is hard for people to get a sense of how much of their
information is held by companies, because it is not tangible.
People don't understand what you are holding. You can't hold
it. You can't touch it. And we really only think about it after
it has been stolen or floating around the internet. So when it
has been stolen, like someone like me, 10, 15, 20 times, you
think about it. But I think young people, in particular, don't
understand what information they are giving away or what is out
there.
We have spent a lot of time talking about the legal issues
faced, but, for me, it comes down to the question, do Americans
really know when they are giving their personal information
away? Do they know the consequences? And how can we improve
transparency?
``Transparency'' is a buzzword that we are all talking a
lot about right now, but I think there is a shocking lack of
transparency when it comes to how consumers' data is used and
sold. So I want to talk about that a little more, and I want to
talk about who is even holding it.
Mr. Creighton, I was just interested in your organization.
The companies you represent possess a huge amount of granular
personal information on us. It is collected without ever really
asking. And we are all supposed to trust that it is going to be
kept safely, just like the Equifax was.
But I couldn't even figure out who is holding my data that
is part of you. I know who the Equifax and Experians of the
world are, but I couldn't find who your other members are.
There is no mention of your member companies on your website,
and a Google search turned up nothing. And I went and looked at
your 990, and it has only got your board members.
So this is a yes-or-no question, a friendly yes-or-no, but
I want to know: Why should the American people trust an
organization like yours to keep their information safe if we
don't even know who has it and how they are using it?
Mr. Creighton. First of all, thank you for your comments
about the website. We are in the process of redoing it, and I
think you will see a lot more information when it rolls out
later this year.
Mrs. Dingell. I am a Dr. Google in this committee. I Google
a lot.
Mr. Creighton. Good. Well, I think you will be more pleased
in the future when you see the website. It has been a priority
of mine since I have taken this position.
Our association represents the main large credit bureaus.
We also represent a series of specialty and other credit
bureaus that hold other kinds of information that specifically
work with a particular industry--for example, the mortgage
industry.
We also represent a series of background screening
companies that are in our association because they are working
mainly on public documents, on public files, which are really
the basis, the foundation on which the credit report is built.
And so that is the core of our membership, are the bureaus
and the special----
Mrs. Dingell. I really think that--I have a lot more
questions for you, but I have a minute left. But I do hope that
you will make public who your companies are and why they are
collecting it.
And maybe someday somebody could explain--I understand
there are other websites that do this too. I do Credit Karma
almost every other day. It is free. Why should the American
consumer, my other colleagues on both sides, have to pay for
their own credit data when you can go to a site like Credit
Karma or others--I don't want to--you know, there are other
sites out there. But I think we should look at how people have
free access.
But I want to go to Mr. Schneier in the very short time
that I have left.
Mr. Schneier, do you think the American consumers can take
proactive steps to protect their data, financial or otherwise,
if they don't even know who owns it?
Mr. Schneier. There is ``can,'' and there is ``can.''
So Ms. Fortney gave a really nice list of ``here are all
the things that you could do to protect yourself.'' And I am
listening to that list, and I am thinking, no way in the world
can I go home at Thanksgiving and tell my relatives--because
they are going to be a lot harder than you are--that they
should do all of that. I can't expect people to become experts
in this, to take the time.
And it is not just we don't know who has it; it is that it
is being made deliberately hard to figure it out, to take these
steps. So, no, I don't.
Mrs. Dingell. Do you think that we should find a simpler
way to tell consumers who is collecting their data, what kind
of data they have, and take these privacy notices--which,
actually, somebody read the other day, and we found some--and
make it in simple language, a couple sentences?
Mr. Schneier. More transparency and more control cannot
hurt.
Mrs. Dingell. Thank you.
Mr. Latta. Thank you very much.
The gentlelady's time has expired, and the Chair now
recognizes the chairman of the Health Subcommittee of Energy
and Commerce, the gentleman from Texas, for 5 minutes.
Mr. Burgess. Thank you, Mr. Chairman.
And I can't help but observe, I feel like this is Groundhog
Day. The previous Congress, I was chairman of this
subcommittee, and for 2 years we worked on data breach
notification. And we actually got a bill through the
subcommittee and the full committee. It never saw time on the
floor. It did become controversial before it passed out of the
full committee. And I can't help but think, had those
requirements been in place, at least the length of time between
discovery of a breach and notification of the person who was
breached, I think that would have been helpful.
But I am always struck when we have these discussions--and
I realize this is not a law enforcement panel in front of us,
but do any of you know, is anybody trying to catch the thief
here, or the thieves?
Mr. Creighton. Thank you for asking that.
We have to, as a society, come to terms with the fact that
we have people attacking our systems every day. If this were a
physical bank and there were 200 North Koreans who were
storming in and taking money out of the accounts, there would
be a national response. At what point are companies able to
compete against nation-states who are attacking our systems?
I don't know that this breach was a nation-state attack. I
don't know one way or the other. But at what point are American
companies expected to fight back against countries that are
attacking them?
Mr. Burgess. Well, then that brings up--and this is really
a question for anyone on the panel. I am also concerned--I
mean, Equifax obviously did not cover themselves in glory in
this story, but in some ways they are a victim too. Their
business was damaged by someone who came in--it wasn't Frank
and Jesse James storming the Northfield bank, but they were
damaged by this activity.
And if we were ever able to catch the thief, are there
sufficient criminal penalties to act as a deterrent? Does
anyone know that?
Mr. Schneier. So, it depends. Our laws are very, very
nation-specific, and the internet is very international. So a
lot of cyber crime comes out of Southeast Asia and Sub-Saharan
Africa and Eastern Europe and places where we just do not have
efficient enforcement and there is really jurisdictional
arbitrage going on by cyber criminals.
And so, you know, enforcement works, but it really has
limitations here. And that is why we really want to do what we
can on the front end, because catching the bad guys, it is not
going to work if it is a, you know, criminal organization in a
country we just have no jurisdiction over.
Mr. Burgess. But assuming we do stumble upon a bad guy, the
proverbial guy in the basement who is doing bad things and
hacking into things where they shouldn't, do we ever punish
people like that?
Mr. Schneier. Yes, all the time.
Mr. Burgess. And what is the range--do you know what the
range of punishments are?
Mr. Schneier. I have no idea, but I am sure it is not
pretty.
Mr. Burgess. Do you feel it is a sufficient deterrent?
Mr. Schneier. You know, that is probably a more complicated
question I don't know enough to answer.
Mr. Burgess. Yes. And I don't know that any of us do. But I
do worry that--again, Equifax is a poor example, but sometimes
it does seem like we victimize the victim in some of the things
that we do in punishing people who were the recipients of the
breach, not the perpetrator of the breach.
Mr. Creighton, let me ask you--and I think, Mr. Schneier,
you brought this up also. There is a great commercial out,
where someone who--they get in a cab, and they have left--``Oh,
my gosh, I left my debit card at the restaurant,'' and she
doesn't think it is a big deal. Her companion has a near panic
attack and meltdown. ``Oh, my gosh, this is terrible. You left
your card.'' And it turns out the person who left the card went
on her phone and froze the debit card.
That seems like a very good approach if you knew that
someone was accessing--so I guess let me ask you, Mr.
Creighton, as a data broker, is there any way to notify people
that their data is being accessed? Is there a system or could
there be a system in place where--is there an app for that?
Mr. Creighton. First of all, we represent the credit
bureaus, not the data brokers.
Mr. Burgess. OK. I beg your pardon.
Mr. Creighton. But, yes, and those are coming online now
and were coming on line in advance of the breach. TransUnion
has their lock system up right now. It is free for everybody.
It is at base, just like Mr. Schneier is discussing, where you
can turn it on and turn it off.
Equifax has announced in this room that they will be
offering a similar product that they are engineering now at the
end of January. And Experian's is coming on line as well.
The point is to give the consumers that ability to easily
go back and forth to lock their credit. It is different legally
from a freeze, but it is meant to achieve the same goal without
all of the cumbersome regulatory burdens that exist from the
State governments.
Mr. Burgess. Mr. Schneier?
Mr. Schneier. I don't know anything about those. I like
hearing that. I mean, the devil is in the details, so we would
have to see the details, but that all sounds good.
I mean, that is really what we want. You want the user to
get control. And I know when someone accesses my credit because
I want them to; I am applying for something. Those feel like
good things. And if they are simple to use, that feels like a
really big step. It is not going to protect my data, but it is
going to make it harder to monetize.
Mr. Burgess. Which would be a good thing.
Thanks, Mr. Chairman. I will yield back.
Mr. Latta. Thank you very much.
The gentleman yields back, and the Chair recognizes the
gentlelady from California for 5 minutes.
Ms. Matsui. Thank you, Mr. Chairman.
And thank you for the witnesses here today.
I find that every time we come to the hearings like this, I
feel like the problem gets bigger and bigger, because the
solutions are very disparate, and it is, kind of, very
confusing, and there is not the simple solution that all of us
want because we are all really very busy.
This commercial practice of collecting, aggregating, using,
and selling consumer information has become functionally
ubiquitous. Companies and data brokers maintain databases full
of sensitive and personal consumer information. These are
natural targets for cyber thieves. But it is possible that an
attacker can compromise one device using a known vulnerability
and move readily within an information system to gain access to
personal information.
Mr. Schneier, regardless of the method of attack, how would
consumers benefit from comprehensive Federal standards that
establish reasonable information security practices?
Mr. Schneier. I mean, again, I think want to say the devil
is in the details, right? You know, I want someone like the FTC
to have some broad authority to figure it out. I mean, I don't
think we can sit here and say, you know, here is what we should
do.
There was a point made in that corner of the room that
legislating the details will always lag technology. And I
really think you have to start looking at what are the results
we want. So I like the idea of, you know, a fine if data is
breached. Let the companies figure out what to do, let the
market work on the technical security solutions, but we want
this particular outcome.
Ms. Matsui. Right.
Mr. Schneier. So those are the sort of mechanisms that I
think will work best here.
Ms. Matsui. OK. But I think the problem is also--the fact
is we want to know, I think, that there is a Federal standard,
whatever that is. Because right now everything is just all over
the place.
Mr. Schneier. Yes. I agree there has to be a Federal
standard. And this is also what is going to be needed when we
start dealing with international agreements.
Ms. Matsui. Right.
Mr. Schneier. What is the U.S. standard, and how can we
assure the U.S. companies' European customers that we are not
going to lose their data?
Ms. Matsui. So you feel that this is going to be a
necessary step anyway. Is that correct?
Mr. Schneier. My guess is we are going to have to do this--
--
Ms. Matsui. OK.
Mr. Schneier [continuing]. That the world is moving that
way. Europe is turning into the regulatory powerhouse----
Ms. Matsui. Sure.
Mr. Schneier [continuing]. And they are going to be leading
us more and more.
Ms. Matsui. Because we are reacting more than----
Mr. Schneier. Yes. We are not going to like it, but I think
we are going to be stuck with it, just because there is such a
huge market.
Ms. Matsui. OK.
Now, with all the consumer data that companies collect, we
must keep pace with the evolving threat. Each year, we continue
to see an increase in the variety, number, and damage caused by
cyber attacks, yet relatively unsophisticated methods, such as
phishing or emails with malware, remain some of the most common
forms of attack. We have recently seen a decrease in zero-day
vulnerabilities and an increase in simple exploits used to
carry out attacks.
Mr. Schneier, how can both business and individuals better
protect themselves against new applications of old exploits?
Mr. Schneier. Well, so this is the definitive problem, that
people are your weakest link. And we are certainly finding, you
know, from nation-states on down, that the vector of going to
the people--you know, Equifax was a vulnerability in the
system. We talked about that. It is in many more cases that
someone will get a person to do something. So tax fraud is a
huge crime right now, and that basically involves convincing
someone in HR to mail you a copy of everyone's W-2 and you file
fake tax returns in all their names and you get the money. This
is huge now, and it didn't exist 5 years ago.
Ms. Matsui. Right.
Mr. Schneier. And there are tech solutions that deal with
this. And the problem is, as Mr. Norton talks about, is getting
companies to use them, to make the purchase, to make things
more inconvenient, for security.
Ms. Matsui. How do we do that anyway?
Mr. Schneier. That has to be incentives. The penalty for
getting it wrong has to be more than the penalty for doing it
right.
Ms. Matsui. OK.
Mr. Schneier. And that wasn't the case for Equifax.
Ms. Matsui. OK.
I am also concerned about the question of who owns our
user-generated data. You know, in 2014, agriculture technology
providers and a coalition of major farm organizations came
together to agree on data privacy and security principles to
cover the massive data sets generated by innovation such as
precision agriculture. These principles covered issues such as
how data gathered from the farm is protected and shared. These
principles also recognized that farmers owned the information
generated by their farming operations, generally required
farmers to be notified that their data is being collected, and
required disclosure over how the data is used. But today's
consumer has considerably less information over how, when, and
what information is shared about them.
And I guess, Mr. Schneier, I am asking you this question,
but somebody else can answer it too: Shouldn't consumers also
have clarity over when and how their data is used?
Mr. Schneier. Yes.
Mr. Creighton. The Fair Credit Reporting Act goes into
great detail about the seven permissible purposes that can be
used for specifically credit reporting data. The other kinds of
data that you are talking about, that is a different question.
But in the credit reporting space, the Fair Credit Reporting
Act is very firm about what exactly the information can be used
for.
Ms. Matsui. And when and how?
Mr. Creighton. And when and how, yes. And by whom, yes.
Ms. Matsui. All right.
I see my time has expired. Thank you very much.
Mr. Latta. Thank you.
The gentlelady's time has expired, and the Chair now
recognizes the gentleman from New Jersey for 5 minutes.
Mr. Lance. Thank you, Mr. Chairman.
Good afternoon to the panel. Thank you for joining us
today.
I am appalled by the scale and the impact of the Equifax
breach. Equifax blatantly mishandled consumers' most personal
information. Constituents have called my office in New Jersey,
concerned about their online security. And many were affected
and their personally identifiable information compromised.
And, Mr. Norton, many organizations and individuals do not
have up-to-date security or properly patched operating systems
or software. What are some basic practical steps people can
take immediately or in the short term to protect their computer
systems?
Mr. Norton. Absolutely. Thank you.
You know, something as simple as changing your password,
you know, once a week or once a month and taking those logical
steps; making sure that you have, you know, appropriate
software security that is publicly available in the marketplace
for your home computers; that you are aware of your devices and
you have passwords on, you know, all of your devices; that you
are constantly aware of, you know, information that you have
that is out there.
I mean, cybersecurity really requires a lot of individual
vigilance, which is a big change, I think, for a lot of
consumers at home who are, you know, in the marketplace and
they have their information online and they become very used to
just processing things online, as we talked about in this
hearing.
I think one of the challenges, though, is that we haven't
actually put a value on loss of data, what does it mean to lose
your individual person's piece of data, outside of just
getting, you know, a piece of credit reporting for a year, you
know, what is the other value of that. And I think that is
another discussion or a large discussion that you are obviously
having here, but I think it is an important one, and it goes
to, you know, potential penalties or things that could motivate
companies to then, you know, have larger enforcement and larger
strategies within their businesses. So I think there is that,
as well.
Mr. Lance. Thank you.
Would anyone else on the panel like to comment?
Mr. Schneier. The unfortunate thing is that most of our
data is not under our control. So what can you do to protect
your data at Equifax? Nothing. What could you have done to
protect your data at the OPM? Nothing. What can you do to
protect your data at Google? Kind of nothing. We are forced to
trust these entities.
These companies have our data. Our pictures are stored on
Flickr, and our email is on Gmail, and our computers really
have very little right now. In some ways, that is a security
bonus, because most of us aren't very good at securing our
machines. But it does mean that these breaches become bigger
and more catastrophic because we have too much there.
I mean, there are things we can do around the edges--good
password management, have antivirus. I mean, I can rattle
through the tips. But, by and large, the security of our data
is not under our control.
Mr. Lance. Thank you very much.
Ms. Fortney, are you aware of the Consumer Financial
Protection Bureau's bringing any enforcement actions against a
credit bureau?
Ms. Fortney. The Bureau does supervise the agencies. They
have brought enforcement actions, not in the area of data
security, but they have brought enforcement actions against the
credit bureaus. And I think they are also involved in the
ongoing investigations that are the result of the Equifax
breach.
Mr. Lance. Thank you.
Mr. Creighton, what is the credit lock product that the
major credit bureaus are proposing, and how are they different
from credit freezes?
Mr. Creighton. Thank you. That is an important question.
First of all, the bureaus are responding to consumer
demand, as Mr. Schneier was saying, that they want more access
to their information and how they can control it. And, right
now, State law mandates, in most States, a freeze. Those
freezes are different in every single State, and they are often
PIN-based. And so what happens is that you put a freeze on your
account, you get a PIN. If you are like me, you then lose that
PIN. And when you go back----
Mr. Lance. Or like me. Yes.
Mr. Creighton. Right. And when you go back and you try to
get a new iPhone, as has been reported this week, people don't
realize that that is a credit transaction, they don't have
their PIN, they can't turn it off, it takes 3 days, and they
have missed the window to order the new iPhone.
Now, the lock product functionally works the same way. It
is app-based. And it allows a consumer to turn it to red, ``I
don't want any new offers of credit,'' and when I do want an
offer of credit, I flip it to green.
Mr. Lance. I see.
Mr. Creighton. But it doesn't contain the same legal
strictures that happen as a result of State law.
Mr. Lance. Well, thank you very much. This is very
interesting, and I hope that we are able to pursue it further.
And, Mr. Chairman, I yield back 10 seconds.
Mr. Latta. Thank you very much.
The gentleman yields back, and the Chair now recognizes the
gentleman from Indiana for 5 minutes.
Mr. Bucshon. Thank you, Mr. Chairman.
I want to make a couple of quick comments, and then I will
have a few questions.
First of all, I think it is important, potentially, to
understand that we authorize a lot of people to get our data
unsuspectingly. And, I mean, for this card, for example, here--
I don't want to hold--it is just a card that goes to a grocery
store, right? That gives you your discount. All that data is
collected. You have authorized it, when you signed up to the
card, you have authorized it to be sold for any reason. Same
thing is true on your emails. Same thing is true everywhere.
You know, I used a search engine yesterday. I have a piano
I want to sell. Today, on my Instagram, an add for a piano came
across my Instagram, OK?
I have used credit agencies because I have some rental
property. Mostly, the people have to authorize you to get their
information. So there are protections there where they have to
authorize it.
The point I am making is that this is a really complicated
problem. We are talking about a breach. That is not that
complicated, because we had human error that didn't patch. That
is pretty straightforward. But we do have a larger problem with
data, we have a larger problem with internet, that all of us
are working to figure out how do we best protect the consumer.
I do have concerns about these long legal-department-
generated authorizations that are attached to all of these
things. And I do think we may have to look at that area and
make consumers more aware of what they are actually
authorizing.
I mean, what do you do? You go and start an email account,
and you get to the end, and it says, you know, unless you agree
to these things, you can't start it, I mean, you can't do it.
And most of us just click--I mean, does anyone here just click
``agree'' without reading it? Right. I mean, we all do. But
that is actually a legal document that is very long that has
specific legal ramifications that seem simple but aren't.
I mean, you know, you do a search engine on a piano, and
the next day on your Instagram account you have piano ads. I
mean, that is kind of spooky. Everyone is concerned about the
NSA. I am more concerned--I am concerned about that, but this
type of thing.
So the question I have, you know, Mr. Creighton, first of
all, it has been about 3 months since the Equifax breach, yet
still thousands of Americans are unaware if their data has been
stolen. Do you think that--you know, 48 States have conflicting
State notification laws that have played in this issue. And do
you believe that a uniform Federal law on notification might
address the difficulties with Americans receiving notification?
Mr. Creighton. Consumers would benefit from a national data
breach notification.
Mr. Bucshon. OK. So the answer is, yes, they would?
Mr. Creighton. Yes, sir.
Mr. Bucshon. The other thing is, when we had the Equifax
CEO here, honestly, in fairness to him, I thought he was a
genuine witness. You know, there were issues, but I think his
testimony was genuine. But there were flaws in their system of
reporting within their company; I understand that.
But, you know, one thing that was brought up is--I
represent a rural area of the United States. And he was talking
about getting online and going to their website and seeing all
the things that you can do to protect yourself and all that. I
think we all have to recognize the fact that even in the United
States--I mean, I think the penetrance of internet access in my
district may be about 65 percent of the people, believe it or
not, maybe 70 percent. That leaves 30 percent, 35 percent of
the people out there that they just can't pull up a website and
see.
I mean, how can we address notification or this type of
thing or best practices in an age where--I think all of us
mentioned, ``Well, their websites show us this,'' right? But
30, 35 percent of the people I represent may not have internet
access.
Mr. Creighton. Congressman, it is a big problem. And
reaching rural consumers is one of the big challenges. That is
why, when we talk about the lock product, for example, it
doesn't mean we aren't still obligated to offer the freeze
product, because you have to maintain call centers and other
things so that people have access.
But the credit reporting system serves probably your
consumers, your constituents, better than anybody else. A rural
consumer generally has one physical bank near them, right? But
in today's world, you, as a consumer, even a rural consumer,
can access the entire world of credit available to you. If you
are getting a mortgage, you don't----
Mr. Bucshon. Right. I get all that. What I was trying to
get at is that I think we have to recognize that not everyone
out there that has had their data breached because they have
gone to their local bank to get a loan can be notified that
they have been compromised by telling them to go to a website.
I mean, I don't know how else we address that. I addressed
this same question with the CEO of Equifax. And we are
advancing, I think, a lot in consumer access to information.
But one area, I just think people have to recognize, across
rural America, necessarily, people don't have access to that
information. We need to do a better job.
I yield back.
Mr. Latta. Thank you.
The gentleman's time has expired, and the Chair now
recognizes the gentleman from Oklahoma for 5 minutes.
Mr. Mullin. Thank you, Mr. Chairman.
And thank you to the witnesses for being here.
Mr. Norton, I kind of want to start with you. Just in your
opinion, does the current Federal regulatory structure, does it
have enough safety safeguards in it for the consumer?
Mr. Norton. You know, I think it is a matter of corporate
responsibility and whether or not they are, you know, making
the appropriate investments. And, clearly, they are not, from
the top down. I think that is why we are seeing these things.
Mr. Mullin. And that leads me to my next point. As a
manufacturer, if you manufacture a product, and even if the
product is misused--like, inside my district, we had a gas can
company that essentially went out of business because of all
the litigations about, you know, the problems with the gas can.
And what was happening was people were literally pouring the
gas right out of the gas can on a fire and they were catching
fire. Obviously not the smartest thing to do, right? But they
were still open for lawsuits. They still had a responsibility,
for whatever reason, to the consumer, even though the product
was obviously being misused, outside its manufacture and
design.
We had these websites--and, Mr. Schneier, you brought this
up--that you are vulnerable. I don't care what you do, you are
vulnerable. Where does the responsibility lie? Is it just on
the consumer? Either one of you guys can answer this. Is it
just on the consumer?
Mr. Norton. No. Absolutely, I think that it is--consumers
certainly can help drive the market and change the market, and
hearings like this will help, I think, drive corporations to
accept further responsibility. I think it goes back, again, to
not putting a value on data, as an individual. Companies have
put a value on it, but we haven't put a value on it, in terms
of loss of data, as the individual.
Mr. Mullin. But, as Mr. Schneier said, we can safeguard
ourselves--there is a huge difference between a manufacturing
product being misused by the person holding the product versus
a consumer that has no idea what has happened to their data.
They are letting it be sold, it is going out there without our
intention. So we are not even not using it within the
manufacturer's instructions; it is the manufacturer--I am
breaking it down to layman's terms. It is the holding company
that has our information that isn't safeguarding it to begin
with. And we are the ones paying for it. Where do the
responsibilities lie?
Mr. Schneier. I think your analogy is good, that we
definitely have consumer misuse, but you actually have
fundamentally unsafe products.
Mr. Mullin. Right.
Mr. Schneier. And, in those cases, you really need to hold
the designers, the manufacturers, the data holders, the app
makers, the system makers responsible to some degree, that we
cannot have a system where you have to be an expert in order to
survive in the 21st century.
I mean, I don't want to be an expert in gas cans to be able
to use that product. And maybe I am going to do something
stupid, but I would like it if the system prevents me, as much
as possible, from doing something stupid. And----
Ms. Fortney. I would like to----
Mr. Schneier [continuing]. That is sort of a way of
thinking about regulation.
Mr. Mullin. Ms. Fortney?
Ms. Fortney. I would like to address that.
I think, first of all, there are consequences for companies
that do not secure consumers' data, and there are penalties
that can attach. There is an enforcement regime by the Federal
Trade Commission, the Consumer Financial Protection Bureau.
In addition, I think the question is, what should consumers
do when they have the information that their data is being used
and that it could be breached? Because I think, no matter what
we do, no matter what security procedures are there, given the
many, many attempts from all over the world to access data that
is being held in any type of large database in the United
States, there is the risk of a breach. And I do think that what
consumers need to do is really know more about what they can do
to protect themselves.
We are talking about notice here, and one of the notices
that we haven't really focused on is a notice required under
the Gramm-Leach-Bliley Act----
Mr. Mullin. But we are talking--we are talking about
notices. That is not good enough. There is a difference. They
enter in that business taking a risk, the same thing as a
manufacturer enters a business in taking a risk too.
Ms. Fortney. Right.
Mr. Mullin. We don't see insurance policies paying off to
those consumers that were breached by Equifax. Whereas, with a
manufacturer, if something happens, you see insurance
companies. That is why they have insurance. They are stepping
up and taking responsibility for it. We are not seeing that in
the digital world. We are seeing it as, ``Well, that is the
risk of being online.'' And I take that risk seriously.
But it seems like there is a disconnect. ``Well, we know it
is going to be breached. There are cyber issues going on out
there.'' But that is the business that they are in.A consumer
ought to feel safe about doing business with that person, not
always constantly being concerned.
All of us up here have had our credit card stolen. I am
currently, right now, on my fifth credit card with this one
company this year alone because it has been----
Mr. Schneier. What is the number?
Mr. Mullin. Evidently it is out there someplace.
But we are just looking at how--I am not looking to put
more regulations or more burdens on the companies, but there
has to be a sense of responsibilities for the consumer to feel
safe, because just notifications is being reactive, not
proactive.
Ms. Fortney. Yes, but I began my remarks by saying there
are penalties for breaches. And then the next question is, what
can consumers do once there has been a breach? And I think
there are remedies available.
Mr. Mullin. I am out of time. I apologize, Mr. Schneier. I
would love to hear your response on it, but I am out of time on
it.
Mr. Chairman, I yield back.
Mr. Latta. Well, thank--I am sorry?
Ms. Schakowsky. Can I ask another question?
Mr. Latta. The gentlelady is recognized for one other
question.
Ms. Schakowsky. Oh--sorry. Sorry.
Mr. Latta. OK. Just wanted to make sure. I thought you may
have coordinated there.
The Chair now recognizes for 5 minutes the gentleman from
Texas.
Mr. Green. Thank you, Mr. Chairman. I want to thank the
chairman and ranking member for holding this hearing.
I appreciate the time of our witnesses.
While the recent data breach at Equifax is bad enough on
its own right, it also has shone a light on several larger
problems. The first is the lack of knowledge or control over
who collects information on us and what information they
collect and what they do with it.
In 2014, the FTC issued a report recommending Congress
enact legislation to make the data-broker industry more
transparent following the Equifax breach. It is a good time to
take a closer look at these issues.
Mr. Schneier, in your testimony, you state that the data
brokers collect information on everything that we do on the
internet. Can you elaborate on the scope of the information,
such as what kinds of data are collected and how many of our
transactions on- and offline are recorded or collected by data
brokers?
Mr. Schneier. So that is hard, because it is collected in
secret, and we actually don't know. We see shadows of it. We
see shadows of it in the lists that they sell.
And this is data brokers writ large. This is not credit
bureaus specifically.
So you will see them selling lists of, you know, seniors
who have debt problems; or, you know, people who have
particular medical conditions; or interest groups of, sort of,
any unimaginable distinctions. And you often can go and look at
the different types of lists that are sold.
But the industry is really so opaque that we don't know. We
just know that it is all being--whatever can be collected is
being collected. We really don't know how it is being used. You
know, we are hearing a lot about some big-data analytics were
used in the last election. We don't know the details of that.
It is a very opaque industry. It makes your question much
harder to answer than it should be.
Mr. Green. OK.
In the FTC's 2014 report, one of the FTC's recommendations
was the creation of a website to let consumers see what
information data brokers have on them and to opt out of having
it shared in the future.
Mr. Schneier, can you talk a little bit about this
particular suggestion and what the obstacles would be to create
such a website?
Mr. Schneier. The obstacles would be that the companies
don't want to do that and that, if they did it, it would be
kind of horrific.
This is a story from Europe, because Europe has laws that
require some kind of disclosure. And Max Schrems, who is a law
student, sued--successfully in a European court--Facebook to
get all the data Facebook had on him. And he got a stack of
paper 1,000 sheets high of all the data Facebook had on him.
And Facebook has that data times everybody who is on Facebook.
Mr. Green. OK.
You mentioned that data brokers operating in Europe can and
do follow the EU's more stringent privacy laws. Can you compare
for us the difference between the scope of personal data
collected in the European Union versus the United States,
particularly regarding our online activities?
Mr. Schneier. So I am not an expert, and I would hesitate
to do that. That is an important question to ask, and there are
people who are doing that research.
Europe has rules about what can be collected and under what
circumstances, how it can be stored, how it can be used, and
how it must be deleted. You might have heard about the right to
be forgotten, which is a contentious European law.
European law is very complicated here, and it is still
under a lot of change. So that is an important question. I
really want you to find someone who is an expert in that to
talk to that.
Mr. Green. Well, it seems just common sense that data knows
no boundaries. They don't know the borders of the United States
or Europe. It seems like our country should partner with the EU
and other countries to see if we can coordinate our regulations
on this.
Because I think, if you heard the questions earlier and
listened to them, our data should be our data, and we should be
able to have control over who looks at it, instead of just
deciding that maybe ``I think I need a new car'' and send me
something. But I think that is what we need to do.
Mr. Chairman, thank you all for holding the hearing, and it
brings up a lot of issues we need to deal with. Thank you.
Mr. Harper [presiding]. The gentleman yields back.
The Chair will now recognize Mr. Bilirakis from Florida for
5 minutes.
Mr. Bilirakis. Thank you. Thank you, Mr. Chairman. I
appreciate it.
I thank the panel for their testimony today.
Mr. Creighton, some consumers have suggested to me to
minimize the identifiable data collected, like using partial
Social Security numbers or partial driver's license
identification.
Is this possible for CRAs to do? And would it help better
protect consumers from bad actors not authorized to use such
data?
Mr. Creighton. Social Security numbers are used as
identifiers, and they are important identifiers. They are not
used, necessarily, by financial institutions to authenticate a
consumer, but they are used to identify them.
And that is important because you have a lot of people in
this country, a shocking number, really, when you look at it,
who have similar names, similar dates of birth, similar Social
Security numbers. Having the full 10-digit Social Security
number is going to be helpful for making sure that we have the
right person that we are able to match.
And we have an obligation under the Fair Credit Reporting
Act to make sure that we are matching the correct data with the
correct person.
Mr. Bilirakis. How about using the driver's license
identification? Wouldn't that suffice?
Mr. Creighton. Well, not everyone has a driver's license,
first of all. And, you know, whether we like it or not, the
Social Security number has, in effect, in the United States,
become a universal identifier. And it is the one piece of
information that crosses over many different databases,
particularly in the Government.
Mr. Bilirakis. And you think you have to use all nine
numbers as opposed to----
Mr. Creighton. Yes. I mean, now, there are a number of
statutes around the country where the minimization of the
Social Security number has led to issues. For example, on
credit reports today, it is much harder to know what all the
liens and judgments you may have against you are, because in
certain courts you no longer have full Social Security numbers
and so we can't do the full match. And since we can't do the
full match, we have just taken off a lot of that data.
That degrades the entire credit reporting system. It is a
little bit less complete because of that. And that is
problematic, because if you are a lender, in order to make a
safe and sound lending decision, you should know the full set
of obligations that a consumer has.
Mr. Bilirakis. Thank you.
Mr. Norton, are there one or two recommendations you can
make for the small- to medium-size companies with limited
resources that are most effective in limiting vulnerabilities
to criminal hacking?
Mr. Norton. Yes, absolutely. I think that small businesses,
obviously, are the most at risk, number one, because they do
have those limited resources. Typically, a small business could
be, you know, just a handful of people, and, you know, what
kind of investment do they need to make internally?
And I think just starting that conversation amongst the
small businesses is an important step and just saying, OK,
look, we have X number of computers, X number of people that
can access our database. So I think, just internally, alone,
starting there and saying, OK, do we have, you know, the
appropriate passwords, you know, do we need some type of
encryption on our network that can be publicly available and
brought in the marketplace, you know, do we have a point person
within the business, and even if the business has three people,
somebody that is responsible for that, and just kind of having
those access controls I think is a good starting place for
small businesses.
And then the larger businesses, I would say it is a very
similar model, in terms of maybe you are getting to 50 or 100
but, again, starting to carve out, you know, as they look at
their outyears and starting to develop a strategy of, OK, you
know, in this calendar year, whenever their fiscal year starts,
this is how much money we are going to start to invest in this
particular area, which is just as critical as keeping the
lights on or paying the gas bill or paying employees' salaries.
It has to become part of the day-to-day culture. And I think
that is an important conversation they need to have just to
start to secure themselves.
Mr. Bilirakis. Thank you very much.
My third question, again, for Mr. Norton or Ms. Fortney. Is
there a legitimate worry about criminals using consumers' data
to establish a Social Security Administration online account in
their name and claiming their benefits? Where or how does a
victim go about to protect oneself in that scenario?
You both can answer the question. I do have some time.
Ms. Fortney. I assume that there are protections there, but
this is not an area where I have worked. I focus primarily on
credit reporting, the credit industry, and other aspects of
data security. I would like for Mr. Norton to address it.
Mr. Bilirakis. Yes, please.
Mr. Norton. Of course, there are some, you know, steps you
can take in terms of, if you believe you have been a victim of,
you know, some sort of fraud, contacting the Social Security
Administration and letting them know. And I believe there are
some things you can fill out to let them know.
I think it is also not the easiest process in the world. I
think that is one of the challenges for the individual
consumer, is the fact that, what does somebody do? You know,
you can't really necessarily go down to a police station and
fill out a police report just the same way as if somebody
robbed your home and took your TV and a couple other things.
This is a very different problem, and I think that that is part
of the challenge here.
And it is just like we were discussing earlier. Not
everybody can go online and fill out paperwork or, you know,
have the ability to even call. And so doing things in a more
efficient way and finding ways for, you know, kind of, one
point of entry, not 19 Government agencies for the individual
consumer and individual small business, I think would be
another important step for this subcommittee to help for the
consumers.
Mr. Bilirakis. OK.
Thank you very much, Mr. Chairman. I will yield back.
Mr. Harper. The gentleman yields back.
The Chair now recognizes the gentleman from Pennsylvania,
Mr. Costello, for 5 minutes.
Mr. Costello. Thank you.
I would like to ask my questions and then offer some
observations so that each of you can think it through.
Ms. Fortney, in your written testimony, you mentioned the
updates that were made to the FCRA in 2003, which included new
measures to protect consumers from identity theft and other
unauthorized use of the data they have on file with the CRAs.
Do you believe extended fraud alerts are a sufficient
recourse option for consumers who wish to remain credit-active
but want to opt in?
Second, are you aware of any backlogs or delays in the
process related to extended fraud alerts? And, if so, do you
have any suggestions on how to streamline consumers' access to
these and other protections available?
And then the next question to all witnesses: What would be
the most effective means of reducing the administrative burden
so victims of data breaches can protect themselves from credit
fraud without facing impediments to obtaining credit if and
when they need it?
And then, finally, Mr. Schneier, you state, ``Congress
should not create a new national identifier to replace Social
Security numbers. That would make the system of identification
even more brittle.'' I would like you to elaborate on that.
Many of my constituents who were impacted by the Equifax
data breach have shared with me numerous frustrations they
continue to face both in dealing with the immediate aftermath
of the breach and in trying to find the best path forward to
prevent the fraudulent use of the information that was
compromised. What I find frustrating is that so much of this
burden falls on the consumers.
In the case of the Equifax breach, nearly 50 percent of the
U.S. population can be considered a victim. With half our
Nation directly impacted by this breach and millions more
affected by other recent data breaches, it is astounding to me
and my constituents that so much of the burden remains on
consumers and that they have to deal with it themselves, first
by determining whether they were impacted, then by figuring out
what makes the most sense in terms of monitoring or freezing
their credit and dealing with all the administrative hurdles
and potential barriers to credit that go along with it.
I would imagine many people might not know where to start
or become so frustrated in trying to stay ahead of identity
theft that they give up trying and instead resort to dealing
with fraud if and when it occurs instead of using the resources
that may be available to protect them against further harm.
And, with that, the questions that I asked, if all of you
would answer.
Ms. Fortney. OK. Thank you.
First of all, fraud alerts are a useful tool for someone
who thinks they might be a victim of identity theft or might
become a victim of identity theft. In order to get a fraud
alert, the consumer goes on the website of one of the three
major credit bureaus, puts in the necessary information, and
does get the alert. There is not an inquiry into the request
for an identity theft report or anything of that kind. So I
think it is a relatively streamlined process.
I think the other thing to keep in mind is that, when we
are looking here at credit reporting data--because Equifax is a
credit bureau--we need to focus on the fact that there are a
lot of provisions in the Fair Credit Reporting Act that were
enacted in 2003 to prevent identity theft. There are certain
rules in terms of address discrepancies. There are rules that
require furnishers to identify the consumers before they
provide the information.
So I think there are a lot of protections in the Fair
Credit Reporting Act because we are focusing, in the case of
Equifax, primarily on data that involved the credit bureau.
Mr. Schneier. I am going to quickly address your Social
Security number question.
Mr. Creighton is right that a Social Security number is
actually a pretty good identifier. Name and birth date is
terrible, too many duplicates. We have learned that from
attempts to purge voter rolls. And a Social Security number is
something everybody has.
Where it fails as an authenticator, where it fails is that
knowledge of it proves that you are you. It is a public number
and shouldn't be treated as a secret or any kind of
authenticator. So I don't think we need to replace it. I think
it works just fine as long as we recognize its limitations.
We are much better off, instead of one large authentication
system, where a failure in it is a catastrophic failure, to
have multiple context-specific authentication systems. Just
like you have a dozen cards in your wallet, they do different
things, there is no real reason why it can't just be one card
except----
Mr. Costello. Do you find that implementable? Do you find
that implementable for----
Mr. Schneier. Yes, I think we can. I mean, you will see
it--you see it on your phone. You have lots of different
authenticators. Again, there are many different sites. They all
work through your phone. Industry does figure this out. It is
complicated, but, yes, I do think it is doable.
Mr. Creighton. Congressman, your second question was can we
be more helpful to consumers who want to lock their credit or
freeze their credit or something like that. And these new
products that are coming on the market now--TransUnion already
has it; the other two bureaus have them coming out now--that
allow people, on an app-based system, to lock and unlock their
credit.
Mr. Costello. Right.
Mr. Creighton. The other thing is more and more credit card
companies are including your credit score on their statements.
And that is a good way for you to just check and make sure that
there are no changes from month to month that you weren't
expecting.
Mr. Costello. Thank you.
Mr. Harper. The gentleman yields back.
The Chair now recognizes the gentlelady from California,
Mrs. Walters, for 5 minutes.
Mrs. Walters. Thank you, Mr. Chairman.
Last month, this subcommittee began an investigation into
the Equifax breach that resulted in the theft of 145 million
Americans' personal and financial information. Equifax failed
in their legal obligation to protect consumers.
Today, we continue our work to ensure the consumers'
information is secure and that companies are taking adequate
security measures to protect their sensitive data. It is vital
that we confront these security challenges so that our digital
e-commerce continues to develop and helps fuel the American
economy.
Ms. Fortney, we have discussed the regulatory framework. Do
you believe the regulatory framework for CRAs is sufficient to
protect U.S. consumers from data breaches and satisfy
consumers' privacy concerns?
Ms. Fortney. Yes, I do. And I can say that having worked
with the Fair Credit Reporting Act for more than 40 years. I
have seen this act amended by Congress several times as new
concerns arise. And, as we mentioned, in 2003, because people
were becoming increasingly concerned about identity theft, new
provisions were put in the act.
The act imposes really strict requirements on consumer
reporting agencies with respect to the accuracy of the
information, the provision of credit reports to people who only
have very definite permissible purposes.
The act provides for notice to consumers when the
information has been used on them in a way that is adverse to
their interests.
I could go on and on. My written statement has many, many
protections here.
I think the question really is, is there anything in the
Fair Credit Reporting Act or other law that resulted in the
Equifax breach? In other words, was there any deficiency in any
of these laws? And I think we don't know the answer to that
because we don't know exactly what the circumstances were that
led to the Equifax breach.
What we do know is that, by and large, we have one of the,
if not the most robust systems of credit reporting and consumer
reporting generally in the world. We have one of the strongest
economies in the world. You start taking away some of the
benefits, if you start over-regulating this industry and you
start allowing people to remove information from the system,
the system is not going to work as well.
And I think all you have to do is compare our system to
that of other countries, including developed countries, that
don't have credit reporting systems that are as comprehensive,
and I think you will see there are a lot more benefits to
consumers.
Mrs. Walters. This question is for you, again, the next
one. What level of responsibility should lenders, banks, credit
unions, insurers, et cetera, demand from CRAs when they are the
purchasers of a credit reporting product?
Ms. Fortney. What measures should they demand?
Mrs. Walters. What level of responsibility should lenders
demand from CRAs?
Ms. Fortney. Again, the level of responsibility is in the
Fair Credit Reporting Act, has been for many years, and that is
that the consumer reporting agency that is providing the credit
report must identify the recipient of that report, must be able
to authenticate that this is somebody who has a permissible
purpose under the statute to receive the report. And I think
that is something that has been at the heart of the Fair Credit
Reporting Act from the beginning.
Mrs. Walters. OK.
Mr. Creighton, is there any type of financial or personal
data that is illegal or impermissible for CRAs or data
furnishers to collect and possess?
Mr. Creighton. Oh, there are multiple. I mean, you can
really only collect certain kinds of data at credit reporting
bureaus, not referring to the larger data brokers. It is
basically just, you know, your identifying information; whether
there are any public liens or judgments against you, like a
bankruptcy; do you have credit, from whom, how much; your
balance; and do you pay on time. And that is all regulated by
the Fair Credit Reporting Act.
After that, you are outside of the Fair Credit Reporting
Act, and so you are in a different regulatory scheme.
But the Fair Credit Reporting Act, as I said in my
testimony, is a very important and very strong consumer
protection statute that has criminal penalties, it has
transparency requirements. It is probably the model on which
you are all going to work from if you do go down the path for
other data broker information.
Mrs. Walters. OK. Thank you.
And I yield back the balance of my time.
Mr. Harper. The gentlelady yields back.
The Chair will now recognize Ranking Member Schakowsky for
a followup question.
Ms. Schakowsky. Thank you.
Mr. Schneier, you were just shaking your head on the idea
that I think that Mr. Creighton was saying, that it is very
strictly regulated, what kind of information that they could
have. I just wondered if you wanted to add something else.
Mr. Schneier. So, I mean, I am thinking of the data brokers
writ large. I mean, yes, the credit bureaus are regulated, what
they can collect, but the data brokers can collect everything.
I mean, Google knows what kind of porn we all like, because
that is how we search it, and they can collect that.
So, as you move out from the very narrow place we have
regulated, all bets are off. And I think we really need to look
at how this bigger industry is moving and not just credit
bureaus.
Ms. Schakowsky. OK.
So I understand, I think, what your association does. But
Equifax has a business outside of being a credit reporting
agency. So what I am trying to understand, does your trade
association then deal with the rest of that? And are they not
also a data broker?
Mr. Creighton. Yes, they are. Not all of my members are
data brokers. What we do specifically at CDIA is the--we are,
essentially, the Fair Credit Reporting Act association. So we
represent the credit bureaus inside the companies. That is
really, very narrowly, what we do, is the Fair Credit Reporting
Act-governed databases that they have, the companies that do
it, the credit bureaus.
Ms. Schakowsky. The databases. But those same companies--
well, first of all, even under their credit reporting data
function, they can sell to advertisers who offer credit, right?
Mr. Creighton. Some offers of credit, yes. Prescreened,
firm offers of credit. That is correct.
Ms. Schakowsky. OK. But I don't want those cards.
Mr. Creighton. You can opt out, though.
Ms. Schakowsky. This is--excuse me?
Mr. Creighton. You can opt out of prescreened offers. That
is an option that you have as a consumer, to opt out of
prescreened offers.
Ms. Schakowsky. Who knows that?
Mr. Schneier. Yes, good luck figuring out how.
Ms. Schakowsky. I am sorry?
Mr. Schneier. Good luck figuring out how.
Ms. Schakowsky. Yes. I mean----
Ms. Fortney. Every prescreened solicitation contains a
notice that the Federal Trade Commission has determined must be
placed there--it must be clear and conspicuous--telling
consumers that receive these prescreened offers that they have
received the offer because of prescreening and telling them how
to opt out.
Ms. Schakowsky. You know, I will tell you--and maybe it is
like those security, you know, 12-, 10-point, 8-point notices
that we all get and that we all press ``agree.'' I mean,
really--and I think that is just--and I heard your whole list
of things that we can do to protect ourselves. And I am sure
you are in the 1 percent that actually can do that. This is
really a lot of work for people who even have the ability on
the computer.
But I wanted to ask you something else. So, to the extent,
though, that Equifax is a data broker, you have no relationship
to them?
Mr. Creighton. No. We are specifically representing them on
the credit bureau part of the----
Ms. Schakowsky. OK. I want to quote what you said at the
very beginning. You said, ``The scale of the criminal act at
Equifax was unprecedented.'' I checked back with the record.
Mr. Creighton. ``Breathtaking,'' I think----
Ms. Schakowsky. So what do you mean? What is the criminal
act?
Mr. Creighton. Well, information on 145 million people was
released. It was not information from the credit bureau. It was
not the credit file information. That database is about 220
million people. It was not that file. It was a file that they
had that included other kinds of information that they
collected in other ways.
Ms. Schakowsky. So what law did they break?
Mr. Creighton. Well, under the Federal Trade Commission
Act, they probably committed a--I mean, we should let the
investigation play itself out so that we know. But I would
suggest that they probably have UDAP problems. And then they
also have--I mean, I would defer to counsel who might know
better----
Ms. Schakowsky. Well, I want to, you know, home in on----
Mr. Creighton. Look, I mean, they are going to have----
Ms. Schakowsky. You said very unequivocally, ``The scale of
the criminal act at Equifax was unprecedented''--``criminal act
at Equifax.''
Mr. Creighton. So I am talking about the----
Ms. Schakowsky. I mean, I tend to feel that that is true.
But, as an expert on this, I want to know----
Mr. Creighton. Right. No, I was referring specifically to
the hackers being criminals. Right? I mean, let's remember that
whoever broke into this system did not do it legally. They were
criminals who broke into Equifax. And we don't know what their
motives were, but they were criminals who did this. It was a
criminal hack, it was a criminal attack on an American company,
is the point I was trying to make.
Ms. Schakowsky. OK.
Thank you. I yield back.
Mr. Harper. Seeing that there are no further witnesses
wishing to ask questions, I want to thank each and every one of
you for taking the time to be here today.
Before we conclude, I would like to include the following
documents to be submitted for the record, by unanimous consent:
one, the written statement of Jeff Greene, Senior Director of
Global Government Affairs and Policy, Symantec; and a letter
from the Electronic Frontier Foundation.
[The information appears at the conclusion of the hearing.]
Mr. Harper. Pursuant to committee rules, I remind members
that they have 10 business days to submit additional questions
for the record. I would ask that witnesses submit their
response within 10 business days upon receipt of the questions.
Without objection, this subcommittee is adjourned.
[Whereupon, at 12:44 p.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
[all]