[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

                  EXAMINING THE EQUIFAX DATA BREACH
=======================================================================

                                HEARING
                               BEFORE THE
                    COMMITTEE ON FINANCIAL SERVICES
                     U.S. HOUSE OF REPRESENTATIVES
                     ONE HUNDRED FIFTEENTH CONGRESS
                              FIRST SESSION
                               __________
                            OCTOBER 5, 2017
                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 115-46

                 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                                ______

                    U.S. GOVERNMENT PUBLISHING OFFICE
30-242 PDF                  WASHINGTON : 2018

                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    JEB HENSARLING, Texas, Chairman

Majority members:
    PATRICK T. McHENRY, North Carolina, Vice Chairman
    PETER T. KING, New York
    EDWARD R. ROYCE, California
    FRANK D. LUCAS, Oklahoma
    STEVAN PEARCE, New Mexico
    BILL POSEY, Florida
    BLAINE LUETKEMEYER, Missouri
    BILL HUIZENGA, Michigan
    SEAN P. DUFFY, Wisconsin
    STEVE STIVERS, Ohio
    RANDY HULTGREN, Illinois
    DENNIS A. ROSS, Florida
    ROBERT PITTENGER, North Carolina
    ANN WAGNER, Missouri
    ANDY BARR, Kentucky
    KEITH J. ROTHFUS, Pennsylvania
    LUKE MESSER, Indiana
    SCOTT TIPTON, Colorado
    ROGER WILLIAMS, Texas
    BRUCE POLIQUIN, Maine
    MIA LOVE, Utah
    FRENCH HILL, Arkansas
    TOM EMMER, Minnesota
    LEE M. ZELDIN, New York
    DAVID A. TROTT, Michigan
    BARRY LOUDERMILK, Georgia
    ALEXANDER X. MOONEY, West Virginia
    THOMAS MacARTHUR, New Jersey
    WARREN DAVIDSON, Ohio
    TED BUDD, North Carolina
    DAVID KUSTOFF, Tennessee
    CLAUDIA TENNEY, New York
    TREY HOLLINGSWORTH, Indiana

Minority members:
    MAXINE WATERS, California, Ranking Member
    CAROLYN B. MALONEY, New York
    NYDIA M. VELAZQUEZ, New York
    BRAD SHERMAN, California
    GREGORY W. MEEKS, New York
    MICHAEL E. CAPUANO, Massachusetts
    WM. LACY CLAY, Missouri
    STEPHEN F. LYNCH, Massachusetts
    DAVID SCOTT, Georgia
    AL GREEN, Texas
    EMANUEL CLEAVER, Missouri
    GWEN MOORE, Wisconsin
    KEITH ELLISON, Minnesota
    ED PERLMUTTER, Colorado
    JAMES A. HIMES, Connecticut
    BILL FOSTER, Illinois
    DANIEL T. KILDEE, Michigan
    JOHN K. DELANEY, Maryland
    KYRSTEN SINEMA, Arizona
    JOYCE BEATTY, Ohio
    DENNY HECK, Washington
    JUAN VARGAS, California
    JOSH GOTTHEIMER, New Jersey
    VICENTE GONZALEZ, Texas
    CHARLIE CRIST, Florida
    RUBEN KIHUEN, Nevada

                  Kirsten Sutton Mork, Staff Director

                            C O N T E N T S
                              ----------
                                                                   Page
Hearing held on:
    October 5, 2017................................................   1
Appendix:
    October 5, 2017................................................  63

                               WITNESSES
                       Thursday, October 5, 2017

Smith, Richard F., Adviser to the Interim Chief Executive Officer
  and Former Chairman and Chief Executive Officer, Equifax.........   5

                               APPENDIX
Prepared statements:
    Smith, Richard F...............................................  64

              Additional Material Submitted for the Record
Waters, Hon. Maxine:
    Letter to Chairman Hensarling..................................  85
Ellison, Hon. Keith:
    Letter from Consumers Union....................................  72
Maloney, Hon. Carolyn:
    Letter to TransUnion and Experian..............................  80
    Letter from Experian...........................................  82
Messer, Hon. Luke:
    Equifax Privacy Notice.........................................  84
Smith, Richard F.:
    Written responses to questions for the record submitted by
      Ranking Member Waters........................................  87
    Written responses to questions for the record submitted by
      Representative Ellison.......................................  94
    Written responses to questions for the record submitted by
      Representative Heck..........................................  95
    Written responses to questions for the record submitted by
      Representative Meeks.........................................  99
    Written responses to questions for the record submitted by
      Representative Sinema........................................ 100
    Report of the Special Committee of the Board of Directors of
      Equifax, Inc................................................. 101

                  EXAMINING THE EQUIFAX DATA BREACH
                              ----------
                       Thursday, October 5, 2017

             U.S. House of Representatives,
                   Committee on Financial Services,
                                                   Washington, D.C.

    The committee met, pursuant to notice, at 9:19 a.m., in room 2128, Rayburn House Office Building, Hon. Jeb Hensarling [chairman of the committee] presiding.
    Present: Representatives Hensarling, Royce, Lucas, Pearce, Posey, Luetkemeyer, Huizenga, Duffy, Stivers, Hultgren, Ross, Pittenger, Wagner, Barr, Rothfus, Messer, Tipton, Williams, Poliquin, Love, Hill, Emmer, Zeldin, Trott, Loudermilk, Mooney, MacArthur, Davidson, Budd, Kustoff, Tenney, Hollingsworth, Waters, Maloney, Velazquez, Sherman, Meeks, Capuano, Clay, Lynch, Scott, Cleaver, Ellison, Perlmutter, Himes, Foster, Kildee, Delaney, Sinema, Beatty, Heck, Vargas, Gottheimer, and Gonzalez.
    Chairman Hensarling. The committee will come to order. Without objection, the Chair is authorized to declare a recess of the committee at any time, and all members will have 5 legislative days within which to submit extraneous materials to the chair for inclusion in the record.
    The hearing is entitled ``Examining the Equifax Data Breach.''
    I now recognize myself for 3-1/2 minutes to give an opening statement.
    On September 7, Equifax announced what it called a, quote, ``cybersecurity incident'' at its business that potentially affects 145 million U.S. consumers--nearly half of all Americans. In other words, if you are hearing my voice, you are either the victim of the breach or you know someone who is. That is how massive this breach was.
    The criminals got basically everything they need to steal your identity, open credit card accounts in your name, and cause you untold frustration and financial calamity. This may be the most harmful failure to protect private consumer information the world has ever seen.
    The company's response to this breach has left much to be desired. For weeks, Equifax failed to disclose the breach to consumers and its shareholders. It provided confusing information about whether people were victims of the breach or not.
    And, beyond belief, senior executives sold their Equifax shares after the company knew of the breach and before the company disclosed the breach. I trust the Justice Department and Securities Exchange Commission (SEC) will get to the bottom of this.
    Clearly, action by the Federal Trade Commission, the Consumer Financial Protection Bureau, and potentially other regulators is required. Congress must ensure that Federal law enforcement and Federal regulators do their jobs so justice can be served and victims are made whole. We must thoroughly examine if our agencies in statutes like Gramm-Leach-Bliley, the Fair Credit Reporting Act, and UDAAP are up to the job.
    In this era, big data, large-scale security breaches unfortunately are becoming all too common. By the increasing frequency and sophistication of cyber attacks, this clearly demands heightened vigilance and enhanced efforts to safeguard consumers.
    Protecting consumers obviously starts with requiring effective measures to prevent data breaches in the first place. Given the Federal Government's own poor track record when it comes to protecting personal information--witness the SEC and the Office of Personnel Management (OPM) hacks as two recent examples--we must be cautious about attempts to never let a good crisis go to waste and impose a Washington-forced technology solution that may be antiquated as soon as it is imposed.
    However, I do believe that we need to ensure we have a consistent national standard for both data security and breach notification in order to better protect our consumers, hold companies accountable, and assure that this affair does not repeat itself. Our committee passed such legislation nearly 2 years ago, the bipartisan Data Security Act. The need to revisit that legislation and, where necessary, improve upon it should be obvious to all. The status quo is clearly failing consumers and leaving them extremely vulnerable.
    So I look forward to working with members of both sides of the aisle and working with the Administration to ensure that Americans across the country will be protected and will no longer have to lose sleep over the kind of breaches that we are discussing today.
    I yield back the balance of my time. I now recognize the Ranking Member of the Committee, the gentlelady from California, for 3 minutes.
    Ms. Waters. Thank you, Mr. Chairman.
    The massive breach at Equifax and the company's subsequent failures are a lapse on a scale we have never seen before. Equifax's failure to safeguard consumer data is all the more egregious because the impacted customers never chose to do business with Equifax. And because of the broken business models of our country's credit reporting agencies, these consumers can't end their relationship with Equifax. They can't shop around for a better deal. They are literally stuck with this company.
    So I am very interested in what Equifax will do moving forward to provide full redress for all of those who have been harmed. I am also interested in why Equifax has sent this committee a witness today without the authority to commit Equifax to future action. The members of this committee need to hear not just about what has happened but also about what Equifax plans to do moving forward.
    I already know that this hearing won't answer all of the questions, and I and other members would like to know more. This is why committee Democrats are requesting a minority day hearing to get more answers to the questions surrounding not only this breach but also its impact on consumers and solutions for consumers moving forward.
    For example, I, for one, would like to make sure that credit reporting agencies do not inappropriately profit off of this incident by exploiting consumers' legitimate fears. Now is not the time to focus on how to sell consumers more products. Now is the time to fix what has been broken.
    But this breach and Equifax's woeful response are just the tip of the iceberg. The whole credit reporting system needs a complete overhaul. That is why I introduced H.R. 3755, the Comprehensive Consumer Credit Reporting Reform Act. This legislation would, among other things, shift the burden of removing credit report mistakes to credit reporting agencies and away from consumers. And my bill would also shrink the importance of credit reports in our lives by limiting the use of credit reports in employment checks and limiting when CRAs can collect information on consumers.
    It is time to end the stranglehold that Equifax, TransUnion, and Experian have on our consumers' lives.
    Mr. Chairman, I yield back.
    Chairman Hensarling. The gentlelady yields back. The Chair now recognizes the gentleman from Missouri, Mr. Luetkemeyer, the Chairman from our Financial Institutions Subcommittee for 1-1/2 minutes.
    Mr. Luetkemeyer. Thank you, Mr. Chairman.
    Mr. Smith, I know you have sat before several committees this week, and I trust you have heard the anger from Congress and the American people. This is not just incompetence on the part of you and your company but also negligence and disregard for the law and for consumers. There is a failure on the part of you, your board, and your senior management, and your failures have impacted more than one-third of the American people.
    What is most egregious to me is that the American people's data had potentially been compromised, had to wait more than a month to find out about it. The American public deserves better. They deserve prompt notification so they can safeguard their identity. They deserve a system that effectively and efficiently notifies them, not one that has slowed down because of turf wars, regulatory complex, or fear of litigation.
    I believe it is now time to move forward, and we need to find solutions to this problem. I hope that if one good thing comes from this yet another major data breach, it is that the American consumers can finally get a system that works for them.
    I Chair the Financial Institutions Subcommittee that is going to have oversight over this data breach and a security informational-type of bill, and I can assure you we are going to try and look very thoroughly at this incident as others drum up some ways to protect the American consumers.
    Mr. Chairman, with that, I yield back.
    Chairman Hensarling. The gentleman yields back. The Chair now recognizes the gentleman from Missouri, Mr. Clay, the Ranking Member of the Financial Institutions Subcommittee for 1 minute.
    Apparently he is not here. We then will go to the gentleman from Michigan, who also appears not to be here.
    The gentleman from Minnesota, Mr. Ellison, is recognized for 1 minute.
    Mr. Ellison. I would like to thank the Chair and Ranking Member for this important hearing.
    A lot has been said about the Equifax breach and a lot of the same things will be repeated today, but there are a few things that I think we have to bear in mind: One is that Equifax and two other big players in this industry of credit reporting dominate basically the whole field. As members of this committee know, I have been quite concerned about market concentration. I believe Equifax is just too big. It needs to be reduced in size. We need to increase competition and we need--and if Equifax had to worry about a real competitor, I believe they would be better at safeguarding the data of consumers. It is the fact that markets have concentrated it so high that other than TransUnion and Experian, Equifax doesn't have to worry about much competition--that they can be lax with the data of people.
    I look forward to the gentleman talking about some issues that I think are very important. I know that there has been some movement in the area of--well, I will leave that to you for the rest of the questioning.
    Chairman Hensarling. The time of the gentleman has expired. The Chair now recognizes the gentlelady from New York, Mrs. Maloney, Ranking Member of the Capital Markets Subcommittee for 1 minute.
    Mrs. Maloney. Mr. Smith, Equifax was not just a breach of security. It was not just a massive, huge database breach. It was a breach in the trust of the American people in your company. We have the best markets in the world, and I believe that our markets run more on trust than it does on capital. So a breach of trust is something our markets cannot tolerate.
    I join my colleagues in being committed to finding procedures going forward that this does not happen again, and that the law is enforced against those who breach and break the law.
    Chairman Hensarling. The time of the gentlelady has expired.
    Today we will receive the testimony of Mr. Richard Smith, who is the former CEO and Chairman of Equifax and adviser to the interim CEO. Prior to September 26 of this year, Mr. Smith had been the Chairman and Chief Executive Officer at Equifax since 2005. Before joining Equifax, Mr. Smith held various management positions at General Electric where he worked for 22 years.
    Without objection, the witness' written statement will be made part of the record. Mr. Smith, you are now recognized for 5 minutes to give an oral presentation of your testimony. Thank you.

                     STATEMENT OF RICHARD F. SMITH

    Mr. Smith. Thank you. Thank you Chairman Hensarling, Ranking Member Waters, and the honorable Members of the committee. Thank you for allowing me to come before you today to testify. Again, I am Rick Smith, and for the past 12 years, I have had the honor of serving as Chairman and CEO of Equifax.
    Over the past month or so, I have had the opportunity to talk to many American consumers and read their letters, those impacted and not impacted alike, and understand their anger and frustration that we have caused at Equifax.
    This criminal attack on our data occurred on my watch, and I take full responsibility for that attack as the CEO. I want every American and everyone here to understand that I am deeply apologetic and sorry that this breach occurred; and that, I also want the American public to know that Equifax is committed to dedicate our energy and time going forward to making things right.
    Americans have a right to know how this happened, and today I am prepared to testify about what I learned and what I did about this incident while CEO of the company, and also what I know about the incident as a result of being briefed by the company's ongoing investigation.
    We now know that this criminal attack was made possible by a combination of a human error and a technological error. The human error involved the failure to apply a patch to a dispute portal in March 2017. The technological error involved a scanner that failed to detect the vulnerability on this particular portal that had not been patched. Both errors have since been addressed.
    On July 29 and 30, the suspicious activity was detected. We followed our security incident response protocol at that time. The team immediately shut down the portal, and they began their internal security investigation. On August 2, we hired top cybersecurity forensic and legal experts. We also notified the Federal Bureau of Investigation (FBI). At that time, we did not know the nature or the scope of the incident. It was not until late August that we concluded that we had experienced a major data breach.
    Over the weeks leading up to September 7, our team continued working around the clock to prepare to make things right. We took four steps to protect consumers: First, determining when and how to notify the public, relying on the advice of our experts that we needed to have a plan in place as soon as we announced; No. 2, helping consumers by developing a website, staffing up massive call centers, and offering free services not only to those impacted but to all Americans; No. 3, preparing for increased cyber attacks, which we were advised are common after a company announces a breach; and finally, No. 4, continuing to coordinate with the FBI in their criminal investigation of the hackers while at the same time notifying Federal and State agencies.
    In the rollout of our remediation program, mistakes were made for which I am, again, deeply apologetic. I regret the frustration that many Americans felt when our websites and our call centers were overwhelmed in the early weeks. It is no excuse, but it certainly did not help that two of our larger call centers were shut down due to Hurricane Irma.
    Since then, however, the company has dramatically increased its capacity. And I can report to you today that we have had over 420 million U.S. consumers visit our websites and that our call times, our wait times at the call centers have been reduced substantially.
    At my direction, the company offered a broad package of services to all Americans, all of them free, aimed at protecting the consumers. In addition, we developed a new service available on January 31 of 2018 that will give all consumers the power to control access to their credit data by allowing them to lock and unlock access to their data for free for life, putting the power to control access to credit data in the hands of the American consumer. I am looking forward to discussing in as much detail as you would like that service offering during my testimony.
    As we have all painfully learned, data security is a national security problem. Putting consumers in control of their credit data is a first step toward a long-term solution to the problem of identity theft. But no single company can solve a larger problem on its own.
    I believe we need a private-public partnership to evaluate how to best protect Americans' personal data going forward, and I look forward to being a part of that dialog.
    Chairman Hensarling, Ranking Member Waters, and honorable Members of the committee, thank you again for inviting me to speak today. I will close again by saying how sorry I am that this breach occurred on my watch.
    On a personal note, I want to thank the many hardworking and dedicated employees that I worked with so tirelessly over the past 12 years. Equifax is a very good company with thousands of great people trying to do what is right every day. I know they will continue to work tirelessly as we have over the past few months to right the wrong. Thank you.
    [The prepared statement of Mr. Smith can be found on page 64 of the Appendix.]
    Mr. Sherman. Mr. Chairman, point of order.
    Chairman Hensarling. The gentleman from California will state his point of order.
    Mr. Sherman. I would request that the witness be sworn.
    Chairman Hensarling. It has not been the practice of the committee to swear in witnesses, as you know. The witness has to sign before coming here that the testimony will be truthful. That should be sufficient.
    The Chair yields himself 5 minutes for questions.
    Mr. Smith, I know this is your fourth appearance before Congress, but I think you know it speaks to the gravity of the situation, the number of our constituents which are impacted and, frankly, the number of committee jurisdiction lines that this crosses. Since you have testified three other times, I will attempt to plow a little new ground.
    As you know, there is a lot of focus on--I guess to use your phrase--once the nature and the scope of the breach was realized, this still took approximately a month before people were notified of the breach. Did someone in law enforcement ask Equifax to delay notification to the public?
    Mr. Smith. Mr. Chairman, as I mentioned in my written and oral comments, we were in communication routinely throughout the process with the FBI, but they did not necessarily dictate the flow of communication to the public.
    Chairman Hensarling. OK. Were there outside data security consultants that advised the company to delay notification for a month?
    Mr. Smith. Mr. Chairman, we worked very closely with Mandiant--that may ring a bell. Mandiant is viewed as, if not the leading, one of the leading cyber forensic firms in our country--and our outside counsel, global law firm King & Spalding. And, yes, they both, in tandem with our team, managed the flow of communication externally. I would say, Mr. Chairman, one thing--
    Chairman Hensarling. I am sorry. Did they advise you to delay it for approximately 4 weeks?
    Mr. Smith. They guided us in our announcement on the 7th. The 4 weeks--Mr. Chairman, it wasn't until around the 24th that we really realized the size of the breach, and even that continued to develop from the 24th of August until the time we went public on the 7th. And as you may have seen, the company came out, I think it was this Monday, with continued evidence on 2.5 million more consumers. So it was a very fluid process of understanding the scope, the size, and the nature of the breach.
    Chairman Hensarling. Mr. Smith, I am led to believe the Apache Struts CVE-2017-5638 vulnerability was first publicized in early March, at which point it was immediately categorized as a critical vulnerability by numerous cybersecurity authorities. What do you believe is a reasonable amount of time for a critical vulnerability patch to be pushed out and implemented on all affected applications?
    Mr. Smith. Yes. Our policy, our program at the time was within 48 hours and we did that. We were notified--
    Chairman Hensarling. I am sorry. You did do that?
    Mr. Smith. Yes.
    Chairman Hensarling. So what happened?
    Mr. Smith. So on the 8th of March we were notified, as you mentioned.
    On the 9th of March, following the standard protocol, the communication was disseminated to those who needed to know about the patch. Two things happened, Mr. Chairman: One was a human error, an individual who was responsible for what we call the patching process did not ensure that there was communication and closed-loop communication to the person who needed to apply the patch. That was error number one.
    Error number two was on the 15th of March, we used a technology called a scanning technology, which looks around the systems for vulnerabilities. That scanner, for some reason, did not detect the Apache vulnerability. So we had a human error, as I alluded to in my oral testimony, and a technological error, both resulting in the fact that it was not patched.
    Chairman Hensarling. Mr. Smith, once Equifax chose to notify the public--there are currently roughly 47-odd State breach notification laws, as you are well aware. So I know we have a patchwork. But under what breach notification regime did you notify the public?
    Mr. Smith. Well, Mr. Chairman, we were mindful of the State laws and trying to abide by all the State laws, while at the same time following the recommendation of Mandiant, making sure we had clear and accurate understanding of the breach. And as I mentioned earlier, that took weeks. It was very difficult to retrace the footprints of these criminals, where they had been, what they had done. We had to recreate inquiries, we being Mandiant and the security team and our outside legal adviser. That took a long time.
    Chairman Hensarling. Mr. Smith, you are located in Georgia, correct? Was that a Georgia regime notification that you followed? You didn't follow the 47-odd State notification regimes, did you?
    Mr. Smith. Yes, sir, we are headquartered and domiciled in Atlanta, Georgia. My point was we were aware of and mindful of all State laws for breach notification while also making sure we had an accurate and clear understanding of what data had been compromised, and that was not until late in August.
    Chairman Hensarling. My time has expired. The Chair now recognizes the Ranking Member for 5 minutes.
    Ms. Waters. Thank you very much, Mr. Chairman.
    Mr. Smith, I appreciate your being here today. But I want to understand what capacity you are in today. Are you a volunteer? A paid adviser? Do you play any role in the company? Would you please make that clear to me?
    Mr. Smith. Yes. Congresswoman, I am the former Chairman and CEO, 12 years in that role. Today I am sitting here as the former CEO but also someone who has agreed to work with the board.
    Ms. Waters. Are you a volunteer?
    Mr. Smith. Yes, I am not paid.
    Ms. Waters. You are not paid. And so you came today to try and perhaps explain what has taken place. But do you have the ability to talk about what happens going forward and how we can correct the mishaps, the errors, the problems of Equifax? Are you empowered to do that today?
    Mr. Smith. Congresswoman, I have the ability to talk looking forward from my perspective as an individual who was a CEO for 12 years.
    Ms. Waters. But if you make a commitment here today, are you bound by any commitment you make for the company today?
    Mr. Smith. No. Commitments will have to be made by the company themselves.
    Ms. Waters. And so your capacity today is simply to try and explain and take responsibility rather than how we go forward for the future. Is that right?
    Mr. Smith. That is largely correct, Congresswoman. I do have views, again, on paths forward, and I am prepared to discuss those. But commitments will have to be made by the company themselves.
    Ms. Waters. Well, that creates a little bit of a problem for us today. We have such limited time to deal with so many problems.
    And while I appreciate your taking responsibility and apologizing, your being here today doesn't do much for us in terms of how we are going to move forward and correct the problems of Equifax. Our consumers are at great risk. As a matter of fact, I have not been able to freeze my credit with Equifax. I can't get through. And you are talking about the improvements that you have made. Are you close enough with the company to know exactly what has been done to be available to consumers?
    Mr. Smith. Congresswoman, yes, I have an understanding that what has been done to make this service level to consumers better. I mentioned in my comments, they have staffed up dramatically on the call centers. I am told--it is a few days old now--that the backlog of consumers trying to get through and secure their free services has now been emptied and that the flow is now almost instantaneous.
    Ms. Waters. I am not sure about that, and I worry about that. In addition, I will tell you what else I worry about. How long will consumers be able to get what you describe as free service from Equifax? Is there a time that is going to kick in where they are going to be charged for trying to straighten out whatever problems have been created because of this serious hacking that has been done?
    Mr. Smith. The company has offered five services to every American, not just those impacted.
    Ms. Waters. How many?
    Mr. Smith. Five different services--I can walk through those, if you are interested--which give protection to the consumer and, again, not just those impacted but any U.S. consumer.
    Ms. Waters. For how long?
    Mr. Smith. For 1 year from the time they sign up followed by, in January 2018, under my watch, we started developing this product which is the ability for a consumer to control access to their data for life. They will have the ability to lock access and unlock when he or she chooses versus us being able to do that on their behalf. And that will be free for life, starting in January 2018. It will be enabled as an application on one's cellphone, for example, so very easy for a consumer to use.
    Ms. Waters. OK. I might have missed part of that. But if one's identity has been stolen, and usually it takes a long time to unravel that, are you going to provide service and protection and assistance to the consumer until that is taken care of?
    Mr. Smith. Yes, Congresswoman. Again, the product we have today, one of the five services we offer today is the ability to lock your access to your file. It will be enhanced in January with easier user interface. That is the most secure way we have to prevent someone from--preventing identity fraud by accessing your credit file. You, as a consumer, determine who accesses it, who does not, and when.
    Ms. Waters. OK. But I am clear. I think what you have said is when one finds oneself in that position that Equifax will provide them with the service and assistance in perpetuity?
    Mr. Smith. For life.
    Ms. Waters. Thank you. I yield back the balance of my time.
    Chairman Hensarling. The gentlelady yields back. The Chair now recognizes the gentleman from Missouri, Mr. Luetkemeyer, Chairman of our Financial Institutions Subcommittee.
    Mr. Luetkemeyer. Mr. Smith, thank you. You know, we have--I had a long meeting this past week with some experts in data security and how they can be protected. And one of the comments that was made was that when it comes to information technology budgets, the average company only spends 6 percent on security. Do you know off the top of your head roughly what your company spent for security out of their information technology budget?
    Mr. Smith. Congressman, I do. I think what you are referring to is there is a benchmark on a percent of the IT budget that--
    Mr. Luetkemeyer. Right.
    Mr. Smith. --is directed towards security, and 6 percent is the average. IBM, who creates a benchmark, views 10 percent, 14 percent as being best in class. We are in the 12 percent range.
    Mr. Luetkemeyer. OK. Have you put in place or are you aware of new protocols that you have got in place to make sure this never happens again, your company?
    Mr. Smith. Yes. We have implemented multiple protocols over the years, and at the time of the breach step one was the forensic review, step two was remediation plans for short term, medium term, and long term. We have implemented those to make sure we are more secure. We have also engaged a world-class consultant to come out and rethink everything we have done for a long-term plan.
    Mr. Luetkemeyer. OK. As a result of this breach, the exposure is ginormous here, quite frankly. It could, I would imagine, bankrupt your company if something--if this was--for a number of reasons here. Do you have an insurance policy to cover this kind of a breach?
    Mr. Smith. Yes. I have discussed that in the past. We do have a tower of insurance coverage that is common in our world. It is cybersecurity, general liability insurance.
    Mr. Luetkemeyer. OK. So basically the company is protected. Is that right?
    Mr. Smith. Well, there are limits--there are limits to any coverage you have and limits here as well. I have not disclosed those limits.
    Mr. Luetkemeyer. OK. In your testimony, both written testimony and your verbal testimony a minute ago, you talked about new security processes and you were talking here, creating a public-private partnership to begin a dialog on replacing Social Security numbers as a touchstone for identity verification in this country. Can you explain what you believe is a public-private partnership with regards to this?
    Mr. Smith. Yes, Congressman. There are two thoughts there: One, the rise and the intensity and severity of cybersecurity incidents around the country and the world is running at a pace that has never been seen before. And I am convinced there is more we can do in public-private partnership to get ahead of the curve on cybersecurity, not just reacting to it.
Number two is, the more I reflect, think, and talk to experts in the area of cybersecurity, I am convinced there is an opportunity for this partnership between public and private to rethink the concept of a Social Security number, name, date of birth as being the most secure way to identify consumers in the U.S. It is an instrument that was introduced, as you well know far better than I, back in the 1930s. I think it is time we think about a new way to identify consumers.

Mr. Luetkemeyer. The Chairman did a good job of discussing the notification problems with regards to this situation. Can you tell me, what do you believe is a better way to notify the individuals? A minute ago you said you basically knew on the 24th that individual data had been breached, and it wasn't until the 7th, which is 2 weeks later, that you really made a notification to the individuals. Even if you can't get your systems up and running so you can take phone calls, don't you think it would be better to have at least notified the individuals, if not by just a public declaration saying, hey, we have been breached, millions of people's information could have been breached; therefore, all of you who are in our systems need to take precautions and let them on their own take whatever precautions they can rather than wait to find out if they had been hacked or if their information has been breached? Don't you think there would be a better way to go about it?

Mr. Smith. Congressman, I can reassure you that we took a lot of time to think about the notification process. I will make one point of clarification. On the 24th, the knowledge we had surrounding the breach was still fluid. It was fluid through the 7th. In fact, it was fluid--the forensics did not conclude until Monday of this week. The other thing I will say is that Mandiant, the cybersecurity forensic experts, recommended that we really prepare ourselves for significant increase, cyber attacks, when you went live with an announcement.
So between the 24th and the 7th, a lot of energy was spent securing wherever we could secure our facilities to give us the best protection against cyber attacks. And also, as you mentioned, Congressman, we had to stand up the environment, call centers, train people, staff people, pull together the product, the service offering, so a lot of work was being done over those 2 weeks.

Chairman Hensarling. The time of the gentleman has expired. The Chair wishes to advise all members, there is currently a vote taking place on the floor, over 10 minutes left in the vote. We will clear one more member and then declare a recess pending end of votes. The Chair now recognizes the gentlelady from New York, Mrs. Maloney, Capital Markets Subcommittee Ranking Member.

Mrs. Maloney. Thank you. Mr. Smith, as you well know, Americans rely on the three credit bureaus, a select group of companies to safeguard some of our most sensitive information. And it is because these credit bureaus hold this key personal information that we subject your companies to very rigorous data security standards. The credit bureaus are subject to the Federal Trade Commission's (FTC's) safeguards rule, which is intended to ensure the security and confidentiality of the information. So we have a law in place that protects--supposedly--against exactly what happened here. And now we will see if the FTC is willing to enforce it. And if they are not, then we will know that Equifax is clearly above the law. The safeguards rule requires, among other things, that Equifax have an information security program in place that can identify reasonably foreseeable risk to the security of your data and can protect against these risks. This risk was obviously reasonable, foreseeable, because the Department of Homeland Security literally sent you and the other credit bureaus notice warning you about the exact vulnerability that the hackers exploited.
And yet, your security program did not protect against this obviously foreseeable announced risk. So in my mind, this is the most open and shut violation of the safeguards rule that I have ever seen in the history of this country. So my question to you, Mr. Smith, is, do you believe that Equifax violated the FTC's safeguard rule?

Mr. Smith. Congresswoman, I understand your point, and it is my understanding we were in compliance with the safeguards rule and that the safeguards rule does not prevent 100 percent against data breaches.

Mrs. Maloney. How in the world could you let this happen when you were warned by the Homeland Security Department? My second question, the safeguard rule also requires you to have a patch management system, essentially a system in place to patch security flaws as soon as a fix for the flaw is released. But you have testified that your patch management system failed in this case, even though there was a patch released almost immediately. Equifax did not implement the patch like it was supposed to. Now, I wrote to the other two credit bureaus a letter about their information security programs to make sure that their systems were fully protected. And one of them wrote me back, Experian. They wrote me a very detailed response, which I would like to submit to the record along with my letter--

Chairman Hensarling. Without objection.

Mrs. Maloney. --in which they explained that their patch management system functioned correctly. And when they got the notice from Homeland Security they immediately implemented the security patch. They also stated that their patch management system will literally shut down. It won't even work. It shuts down automatically if a patch isn't implemented immediately. So my question is, why didn't your patch management system automatically shut down your systems when the security patch wasn't implemented? Why was this flaw allowed to go unpatched for months before you noticed it?

Mr. Smith. Congresswoman, a patch has to be identified. We are routinely notified from--

Mrs. Maloney. It was identified by the Homeland Security Department when they notified you. You already testified that your person failed to implement it.

Mr. Smith. Yes. I was referring to, it has to be identified by us not by the outside, either a software manufacturer or, in this case, Department of Homeland Security. As I said in my oral testimony--

Mrs. Maloney. My time is almost up and I have one more question and I think it is important. You may not know this, Mr. Smith, but it is actually considered best practices in a company with lots of sensitive, personal information to have their chief information security officer have independent business lines that report directly to the CEO and to the board of directors. But at Equifax, you were using an outdated corporate governance model and had your chief information security officer reporting to the general counsel, not directly to the CEO, and board. So my question is, why was your chief information security officer not reporting directly to you and the board? And why were you using an old model? Was it because you don't think that information security was important enough to be reported directly to you?

Mr. Smith. Congresswoman, I don't believe it matters where the chief information security officer reports. It was a priority for me. It was a priority for the board. It is a priority for the company. Having--

Mrs. Maloney. But it wasn't reported to you or the board. It went to the counsel.

Mr. Smith. It did not hinder our ability--

Mrs. Maloney. And it violated best practices for security companies.

Chairman Hensarling. The time of the gentlelady has expired. There is one vote pending on the floor. The committee stands in recess pending conclusion of that vote.

[Recess.]

Chairman Hensarling. The committee will come to order. The Chair now recognizes the gentleman from New Mexico, Mr. Pearce, Chairman of our Terrorism and Illicit Finance Subcommittee for 5 minutes.

Mr. Pearce. Thank you, Mr. Chairman. And thank you, Mr. Smith, for being here today. To get the playing field level underneath us, you would describe the processes at Equifax with regard to outside hacks to be very engaged and pretty professional. We had a human mistake, more or less. Is that kind of correct?

Mr. Smith. Congressman, I would say, obviously, we committed two very unfortunate errors, the one you mentioned, which--

Mr. Pearce. I am asking about the overall culture and the approach to security, understanding that you have got a lot of critical data here.

Mr. Smith. Yes. I would describe the culture and the focus as one that put a top priority on security, yes.

Mr. Pearce. How much of your time in your 12 years did you spend each day, you say, on cybersecurity?

Mr. Smith. Congressman, when I first came here we had no cybersecurity organization. I made it a priority 12 years ago to engage consultants to help us scope it out. We went from basically no people to 225.

Mr. Pearce. So how much time--how knowledgeable are you on the subject?

Mr. Smith. We had routine reviews.

Mr. Pearce. No. You. You, you personally.

Mr. Smith. That is what I am saying.

Mr. Pearce. So you had routine reviews. How many times had the Apache Struts been fixed? How many times had it been patched underneath your watch?

Mr. Smith. Well, we have vulnerabilities in general terms across software. The Apache Struts, the best of my knowledge, this particular open source software, there was one notification on March 8.

Mr. Pearce. So is the firm still using that software?

Mr. Smith. It was deployed in two locations. It has been patched.

Mr. Pearce. But it is still using it?
I am not that savvy on all the cyber crimes, but when I hear the Secretary of the Treasury say that 50 percent of his time every day is spent on cyber threats, I was trying to get some sense from you how much of your time every day, because this is probably one of the more critical things. And when I didn't get a very solid answer, then I tend to fall on the side that says that there is a little bit of a lax culture here. I just Googled Apache Struts to--I just opened the first website, and it talks about something that came out open-source. It was pretty good, but they lost their way about 3 or 4 years ago. To be using a piece of software that the first Google result says 3 out of 5 stars, we probably ought to be looking at better alternatives out there. And then you have these patches that come out and no one actually responds to them or they--so who made that decision? Where in the hierarchical scheme did that decision not to implement the patch that was suggested, where did that decision come in?

Mr. Smith. Again, on the 8th of March, the notification came out, as you alluded to from the Department of Homeland Security. A security team sends out a communication to the organization. The patching process, to be clear, to your question, was owned by the chief information officer. It was under his--in his organization.

Mr. Pearce. Where in this--surely somebody more than just an agent at the field level was tasked with being sure that we don't have any vulnerabilities. Surely it was not that low. So has that decisionmaking stream been made public?

Mr. Smith. The owner of the process for patching was a direct report to--

Mr. Pearce. No. I am talking about internally in Equifax. Don't worry about who out there, outside, because you are the one responsible. So is that decision scheme, is the decision process made public, and can we know who? Can we get that information?

Mr. Smith. Congressman, let me clarify now, if I may.
The owner of the process internal to Equifax for the patching, in this case, of Apache Struts or any software that needs to be patched, was an individual who was a direct report to the chief information officer. He is no longer with the company.

Mr. Pearce. OK. I am about out of time. Now, your assertion that this is just human error overlooks the fact that you had unencrypted information. Anybody that gets in can read it. It is not encrypted. Is that industry standards that we don't encrypt personally identifiable information (PII)?

Mr. Smith. Congressman, that is not correct. We use tokenization. We use encryption. We use masking.

Mr. Pearce. Your testimony a couple days ago answered that you have a lot of information that was just in plain text. I think those all indicate--and the fact that we haven't identified the process--indicate a culture internally that was very lax, in my opinion. Thank you, Mr. Chairman. I yield back.

Chairman Hensarling. The time of the gentleman has expired. The Chair now recognizes the gentlelady from New York, Ms. Velazquez.

Ms. Velazquez. Thank you, Mr. Chairman. Mr. Smith, in your testimony you stated that you are deeply sorry that this event occurred and that you and the Equifax leadership team have worked tirelessly over the last 2 months to make things right. However, according to an article in Fortune Magazine published on September 26, you are retiring with a payday worth as much as $90 million. So my question to you, sir, do you believe it is right for you to walk away with a payday worth $90 million when the lives of more than 145 million hardworking Americans had been potentially compromised?

Mr. Smith. Congresswoman, one, again, I do deeply apologize for the breach to those American consumers. I have heard of this article. I can't reconcile that number. Let me be very clear. I was--

Ms. Velazquez. How much are you getting in your retirement package?

Mr. Smith. When I retired, I did announce my retirement.
And at that time--so I also told the board back in early September, mid-September that I would not take a bonus going forward. I also told the board that I would be an adviser, unpaid, helping the board and helping the management team for as long--and I asked for nothing beyond what was disclosed in the proxy, and that is a pension that I have accumulated over my career, and that is some equity that I have earned in the past.

Ms. Velazquez. So you told the Ranking Member that you are here in your capacity as an adviser to Equifax now?

Mr. Smith. Unpaid.

Ms. Velazquez. OK. And so are you advising Equifax to set up a compensation fund for impacted consumers to help them rebuild their lives?

Mr. Smith. Congresswoman, the advice I gave to the board and the management has been followed, and that was to offer five free services for 1 year followed by the ability to lock and prevent identity theft against their credit file for life.

Ms. Velazquez. But that is not a compensation fund?

Mr. Smith. Correct.

Ms. Velazquez. So, Mr. Smith, as Ranking Member of the House Small Business Committee, I am concerned about the impact this historic breach will have on our country's 29 million small businesses. As you know, the availability of business credit is often inextricably tied to owner's personal credit score. Last week, Senator Shaheen and I wrote a letter requesting information about Equifax efforts to help small business clients, but we haven't received any response. So what steps is Equifax taking to educate small businesses and what does it mean for their businesses?

Mr. Smith. Congresswoman, I understand the question. If we have not responded to your letter, I will make sure that the company does respond in writing to your request. Specifically to your question, however, if a small businessman or woman was also the proprietor of that company, as an individual, they would be covered by what we are doing for them going forward, offering this free lock product for life.
Number two, to clarify if I may, small businesses in America are very important customers of ours.

Ms. Velazquez. I know that.

Mr. Smith. And we have told them and others through different functions that they have not been compromised. The data we have on small businesses was not compromised.

Ms. Velazquez. They were not compromised?

Mr. Smith. If you are an individual, again, as I said, as a proprietor, you are covered by the services we are offering for free. The small business database that we manage was not compromised.

Ms. Velazquez. So let me ask you, how is Equifax working with lenders to establish a safe way to check credit scores for borrowers seeking a small business loan?

Mr. Smith. Again, Congresswoman, if you were a proprietor of that small business, you have the ability to access all the free services that we just discussed.

Ms. Velazquez. So, this past Monday, it was announced that approximately 2.5 million additional U.S. consumers have been potentially impacted by the breach. Can you assure us that there will be no more discovery of even more consumers who have been potentially impacted as a result of this breach?

Mr. Smith. It is my understanding that the press release that came out from the company on Monday not only said 2.5 million consumers were impacted additionally but also that the forensic review by Mandiant was now complete.

Ms. Velazquez. I yield back.

Chairman Hensarling. The time of the gentlelady has expired. The Chair now recognizes the gentleman from Michigan, Mr. Huizenga, Chairman of our Capital Markets Subcommittee.

Mr. Huizenga. As the Chairman had indicated, I Chair the Capital Markets, Securities, and Investments Subcommittee, where the Securities and Exchange Commission falls under that purview. You obviously know that, under Sarbanes-Oxley, you have certain duties and responsibilities as a CEO, not just in the running of the company, but in the paperwork filing that has to be filed with organizations like the SEC.
Was data security ever an area you listed as a deficiency in regards to any of these Sarbanes-Oxley requirements?

Mr. Smith. Congressman, I don't recall it ever being described as a deficiency or filed as a deficiency. It is routinely communicated in Ks and Qs and other means.

Mr. Huizenga. But you had internal controls?

Mr. Smith. Yes.

Mr. Huizenga. All right. And presumably you do your analysis on that?

Mr. Smith. Yes.

Mr. Huizenga. So data security was never a part of that?

Mr. Smith. Not that I--as far as a control issue?

Mr. Huizenga. Well, as a control issue or as an area of concern.

Mr. Smith. It is always viewed as an area of risk for the company. I don't ever recall it being communicated as an area of concern or the lack of controls.

Mr. Huizenga. Well, under SEC rules, when you have a material change in the condition of your company, you have to file a form commonly known as 8-K. That 8-K form is there regarding financial condition or prospects and when significant events have occurred. When did you file that 8-K?

Mr. Smith. I don't recall.

Mr. Huizenga. According to my information, it was September 7.

Mr. Smith. That makes sense. That is the day we went public with the release on the breach itself.

Mr. Huizenga. OK. I heard in earlier testimony that you had not been directed by the FBI to withhold information from the public or to slow-walk or to do anything, right? This was not a directive from either the Federal Government through the FBI or any other law enforcement agency or any of your consultants?

Mr. Smith. Maybe two different questions there. The FBI specifically involved from the second and the very fluid series of communication through, in fact, today even.

Mr. Huizenga. But, no, they did not--

Mr. Smith. Not the FBI. You said the consultants. The consultants did guide us on the communications.

Mr. Huizenga. Did those same consultants tell you you better file that 8-K?

Mr. Smith. The 8-K, as you mentioned, was filed on the 7th.

Mr. Huizenga. On the 7th, but you discovered this in July.

Mr. Smith. Congressman, in all due respect, we did not discover it in July. In July, the 29th and 30th, someone on the security team noticed what they described as suspicious activity. And to put it in perspective, we as a company see millions of suspicious activities against our data from outside every year.

Mr. Huizenga. So you had an indicator--let's call it an indicator--July 29th. You hired a consultant, based on your previous testimony, August 2, correct?

Mr. Smith. That is correct.

Mr. Huizenga. OK. So why did it take a month plus, 5 weeks, to file a form with the SEC. And, coupled with that, when did you let your board know about this?

Mr. Smith. I will answer both of those, if I may. So, as I talked about in the written testimony and the oral, from the 2nd of August, when Mandiant, the cybersecurity forensic firm, was hired and King & Spalding was hired, a global law firm, very fluid. They had to rebuild the footsteps of the criminals, where they had been. They had to rebuild the inquiries. It wasn't until late August that there became an indication of a significant--

Mr. Huizenga. OK. So let's even take that. It still then took 2 weeks for you to file an 8-K, which, in the meantime, you had executives that sold shares. You had the public thinking nothing was wrong--buying and selling shares of Equifax. Would a reasonable shareholder have gotten some of this information and said, ``Hey, wait a minute, there is something going on at Equifax, maybe I am not going to purchase that stock''? That seems like that would be a reasonable step for an investor.

Mr. Smith. And, Congressman, if I may, let me address the point you made on the sale. The sale of the three individuals, individuals, two of them, was back on August 1st.

Mr. Huizenga. Got it. Regardless, I know it was prefiled. I am not saying that there was necessarily insider information or something nefarious with that.
What I am pointing out to you is that, even though your own executives, if they didn't know that this was going on and an 8-K has not been filed, it seems to me that you got the public both coming and going, that you have not only the data, but also the fact that you falsely put your stock out there at a particular price. So, Mr. Chairman, my time is expired.

Chairman Hensarling. The time of the gentleman has expired. The Chair now recognizes the gentleman from California, Mr. Sherman.

Mr. Sherman. Mr. Chairman, I will renew my request that the witness be sworn. When John Stumpf was here his company had adversely affected only 3 or 4 million consumers. We swore in that witness. That is the precedent of this committee in situations like this.

Chairman Hensarling. The Chair has already spoken to the matter.

Mr. Sherman. Mr. Smith, you have made a point that you are an unpaid volunteer for your company. I want to thank you for that service. Aside from $90 million, you are uncompensated. I know you have disputed the $90 million figure. So I would ask you to respond for the record in detail how much you have made, pension, stock options, and salary, from Equifax during your term there, and we will see whether the reports of $90 million are accurate. Timeline. There is the period from March to July when you should have noticed or your company should have noticed the problem, should have paid attention to the Homeland Security advisory, et cetera, but on--so that is one part of the timeline. Another part starts on July 1, when your chief information officer told you about the attack and that the website was shut down. Now, there are those in this committee room who have said that the company didn't act immediately on that on July 31. That is not entirely true. In just one day, August 1st, three of your executives sold $2 million of their stock. That shows an immediate action right after the CIO report.
Does your company have any policies on allowing executives to sell stock, getting legal advice before they do so, et cetera, or is it up to each executive to decide how to obey the security laws?

Mr. Smith. Congressman, let me address both. One, there was never a report issued on the 31st, just to be clear. That was a verbal communication between--

Mr. Sherman. Right. But you were told, and the website was shut down. Something pretty significant happened because, the next day, three of your executives sold $2 million worth of stock. Please answer the question whether your company has a policy of getting approval and legal review before your employees sell stock.

Mr. Smith. Yes, there is a clearing process.

Mr. Sherman. And how would you pass that clearing process, selling the stock just the day after the chief information officer tells the CEO that there has been this data breach?

Mr. Smith. There is a clearing process required for any section 16 officer. These three were section 16 officers. They all followed the process. The chief--

Mr. Sherman. And you don't think the process is broken when it approves the sale of 2 million stocks within 24 hours of when the CEO gets a report of the most enormous data breach--what turned out to be the most important data breach we have had in your industry?

Mr. Smith. Congressman, I have no indication the process was broken. These three individuals who sold had no knowledge--to the best of my knowledge, had no knowledge--

Mr. Sherman. Just your luck. Now, the initial response of Equifax was to have a website advertised as your way to help consumers. And then, in the website, you tricked consumers--this was the plan--tricked consumers into foregoing their right to sue. Whose idea at the company was it to do that?

Mr. Smith. The arbitration clause is what you are referring to.

Mr. Sherman. Exactly.

Mr. Smith. That was never intended--when we found out the arbitration clause was in there, within one day, we took it down.

Mr. Sherman. You just found out--somehow it popped in, and you didn't know it was there?

Mr. Smith. It is a standard clause in products where consumers have options to buy product. It was never intended to be in there for the free service. It was removed within 24 hours.

Mr. Sherman. After a huge outcry, including many members of this committee. Now, you have put out press releases telling people that they may be among the 143 million people. Is it the intention of Equifax to send a notice to those whose data were compromised, or is it up to them to go to your difficult-to-use over-burdened website to find out?

Mr. Smith. We followed what we thought was due process. We sent out press releases, set up a website.

Mr. Sherman. How about noticing? Are you going to give notice to the 143 million people? Are you going to send them a letter?

Mr. Smith. No, sir.

Mr. Sherman. Are you going to send them an email?

Mr. Smith. No, sir.

Mr. Sherman. So everybody out there figures there is a two-thirds chance they weren't affected, and they may do nothing, and you have exposed their data, and you won't give them a notice, not even an email.

Mr. Smith. 420 million U.S. consumers have come to our website.

Mr. Sherman. 420 million U.S. consumers. That is more than the number of people in the country.

Mr. Smith. Because they have come multiple times.

Mr. Sherman. Which means that many haven't come at all. You won't notify people. I yield back.

Chairman Hensarling. The time of the gentleman has expired. The Chair now recognizes the gentlelady from Missouri, Mrs. Wagner, Chairman of our Oversight and Investigations Subcommittee.

Mrs. Wagner. Thank you, Mr. Chairman. Mr. Smith, forgive me if I appear a little bit more disturbed or harsh than some of my colleagues, but this issue hits very, very close to home for me. This past year, my tax identity was stolen, and to be frank with you, it has been a complete and utter nightmare. For me this isn't just another data breach.
It is a breach of trust. When we learned that our tax identity was stolen, guess who we turned to for help? That is right: The credit reporting agencies. So, although giving a free year of credit monitoring is a good step, the first step I should say, I don't have much confidence, to be perfectly honest, in the product, sir. In addition, as the Chairman of the Oversight and Investigations Committee, I will be closely monitoring the additional facts that come out regarding this case, especially those concerning the sale of stocks by executives at Equifax. Although none of us should, I should say, prejudge before knowing all the facts, and I am sure that the SEC and DOJ will get to the bottom of this. Let me start by asking you this, briefly, Mr. Smith, what would you tell people like me, people who have previously experienced identity theft of some kind and turned to Equifax for help? What do you say to these people who feel completely at a loss for what to do next? How can anyone possibly ever trust--and we have talked about trust here at the committee--this company again, and be confident that they can be protected in the future, please?

Mr. Smith. Thank you, Congresswoman. And we are a 118-year-old company, and protecting and being a trusted steward of our data is paramount to our ability to gain trust, have trust with consumers and companies around the world. What I would tell consumers is, first, please go to our website, take advantage of the five offerings that we have offered for a year for free. And, second, January 31, when the new lifetime lock product becomes available for free for life, I would strongly recommend that every American go get that product as well.

Mrs. Wagner. I recently read comments from the Consumer Financial Protection Bureau (CFPB) Director Richard Cordray where he stated his intention to provide accountability concerning the data breach.
As you know, the CFPB began supervising credit reporting agencies on behalf of consumers, I believe, in 2012, but not its cybersecurity systems, which has been left to the FTC. What interactions, sir, did you have with the CFPB prior to the breach regarding cybersecurity?

Mr. Smith. Congresswoman, I can't recall--obviously, we have been in communication with the CFPB since they have been our regulator, and I personally have been involved in those communications--

Mrs. Wagner. Prior to the breach, sir?

Mr. Smith. I can't recall. I was not personally involved with the CFPB regarding cybersecurity myself.

Mrs. Wagner. Wow. What interactions have you had with them since the breach then?

Mr. Smith. I have not had interaction with the CFPB since the breach.

Mrs. Wagner. Wow. Mr. Smith, I did want to take an opportunity to ask you some questions that I have been hearing from my constituents back home. Can you detail what categories of consumer information were accessed during the months-long breach?

Mr. Smith. Yes, I will give that a shot. We try to be very clear in the series of press releases we have had in the past that the consumers' core credit file, which is their credit history with us, was not compromised. We talked about a database we have, where someone asked on small businesses, we have a database on small business; that was not compromised.

Mrs. Wagner. What kind of personal identification information specifically?

Mr. Smith. So, as we have disclosed in press releases, date of birth, name, Social Security number. I think there were 200,000, 209,000 credit cards that were compromised. There is a document, Congresswoman, called a dispute document, where a consumer could dispute that they paid an obligation, take a picture of that, for example, upload that into the system. That was another example that was compromised.

Mrs. Wagner. Let me ask you this, Mr. Smith, what sort of financial products, for instance, could be opened in my constituents' names if those pieces of data that you just named, for instance, were part of the breach?

Mr. Smith. Congresswoman, if the consumer takes advantage of the free service and locks their file, no one has access to that file.

Mrs. Wagner. I thought my file was locked before, after my tax returns were breached, when I reached all of you, so, again, my trust in the product is at an all-time low. I have several more questions. I will submit them for the record.

Mrs. Wagner. I thank the Chairman, and I yield back.

Chairman Hensarling. The gentlelady yields back. The Chair now recognizes the gentleman from New York, Mr. Meeks.

Mr. Meeks. Thank you, Mr. Chairman. Mr. Smith, I agree with the Ranking Member when she initially said, you know, I am here; I am going to ask you questions, but I don't know. You know, you are unpaid. You say you are no longer really with the company. You are an unpaid adviser. I don't know what we are going to do with reference to the future. So I am here. I am going to ask you questions. I don't know whether--how long you are going to be advising them for free or whatever that deal is. But I know that, when a consumer has a problem, they can't just get out of it in the way that some kind of measly explanation or something of that nature and it is all over with. And you have an extra--or Equifax, your former employer, has a, because of the nature of the business in which they are in, they have a special responsibility in regards to cyber incidents. And I think that it is probably a problem--it is definitely, clearly, a problem with Equifax but probably a bigger problem across the board with all public companies. There was a PricewaterhouseCoopers survey that found 23 percent of corporate directors did not discuss crisis planning with management and that 38 percent of directors did not discuss their management testing of these crises.
And consistent with this data, it seems that Equifax's board and management failed to plan for this crisis, given the company's numerous gaffes, as you have admitted to. Equifax's failure to quickly respond to Homeland Security Department's warning, the company's delayed notification to the public, and the company's arbitration clause misstep, which you acknowledged today and yesterday at the hearing, are just a few examples of Equifax's lack of preparation. So what I am trying to find out then is, prior to this breach, did Equifax ever adopt a written breach response plan that included a formal process for notifying the public and regulators, or did Equifax merely formulate a cyber crisis plan post the breach? Second, prior to the breach, did Equifax ever test a crisis plan in anticipation of a cyber breach because you knew the significance of the data that you were here to protect? And, finally, if you say that there is, can you share with this committee the documents with evidence of Equifax's former cyber crisis response plan? Mr. Smith. Congressman, I understand your question, and, yes, we did have and do have written documentation on crisis management, including cyber, obviously being one of the top crises we could face as a company and have faced. So we can reach out to management, have them provide you that crisis management documentation. We will do that. Mr. Meeks. And now was there any--my other two questions, was there a written breach response as opposed to the plan of what you would do, something that you say, and did you test it, a crisis plan in anticipation of a breach so that if--like a fire drill, if something should happen, this is what we are going to do, have a plan, have you done that, was that done? Mr. Smith. Yes, Congressman, it has been done. 
The real-life challenge is, when you look at the size of this breach and the fact that we offered it to every American that was a victim or not a victim, the sheer scale of trying to stand up the environment from a technology perspective, hire thousands of people that take weeks to train. You can't just hire 2,000 people, 3,000 people, and expect them to be trained and impactful day one. As I mentioned in my oral testimony, the team has gotten better each and every day from a technological perspective in the web environment and from the call centers. But, again, I do apologize. You mentioned a few of the things where we made mistakes early on, but, yes, we do have and have practiced-- Mr. Meeks. Let me disagree with you. For example, the kind of information that you were to protect, you have to make sure that each and every individual that you hire is prepared. It is like information that we have at the CIA or some other places, protected documents. They can't hire somebody and say: Oh, well we could take a chance and maybe they will learn while they are on the job, and if something happens, it will be OK, and we will just excuse it. You have got to be sure that you are putting individuals in and have a plan that is going to protect folks because of the nature of the information of which you are given and because of the numbers of people that are dependent upon you to protect their information. Mr. Smith. I understand your point. Mr. Pearce [presiding]. The gentleman's time has expired. The Chair now recognizes the gentleman from Wisconsin, Mr. Duffy. I would recognize the gentleman from Kentucky, Mr. Barr. Mr. Barr. Mr. Smith, a representative from your company, I think, put it well. He said: Americans expect their mortgages to be approved on time, their auto loan applications to be accepted while they are at the dealership, and the retail credit approved while they are at the counter. Disrupting the miracle of instant credit would hurt the economy.
Can you assess for us the extent to which this breach and this painful experience for the American people, how this may very well disrupt that miracle of instant credit? Mr. Smith. Congressman, if we were to get to the point where we allowed consumers, for example, to opt out of the credit system, that would be devastating to the economy. If we don't allow consumers that ability to instantly lock and unlock at the point of underwriting, to your example, that could be devastating for the flow of credit in our economy. So the intent of the lifetime product that we are going to roll out January 31st gives that consumer the ability--gives them the security level that he or she deserves with the ability to instantly turn on and turn off access to the credit so that flow is uninterrupted. Mr. Barr. Can you tell me about credit freezes as a solution or maybe not the best solution to problems like this? And what we are talking about here is a consumer telling a credit bureau to not release a credit report unless the consumer contacts the bureau in advance to say otherwise. Mr. Smith. The credit freeze itself, Congressman, was something that was born out of regulation in 2003, put into law in 2004, and it is oftentimes confused with a credit lock. So if I may just spend a second and talk about both. A credit freeze, from a consumer's perspective, largely provides the same amount of protection as a credit lock would. However, States dictate different means of communicating between the consumer and the credit reporting agency that oftentimes can be cumbersome, require phone calls into call centers, can require mailing things back and forth. So that flow that you talked about, a flow of credit, can be disrupted. The idea of the lock is to make it far more user-friendly, where you can be on your smartphone and literally toggle on to unlock, toggle off to lock. It is far less cumbersome than the freeze. Mr. Barr. 
So, as we look at data security, you talked about the many different State laws that you have to navigate. Tell us your view after this painful experience what you think would be a solution. Would a national uniform breach notification rule be better for the American consumer? That is what a lot of us are thinking in the aftermath of this breach. Mr. Smith. I have not given that much thought, Congressman, but I will. Mr. Barr. What about fraud alerts under the Fair Credit Reporting Act, are they sufficient? Mr. Smith. I think the most--they do add value. Fraud alerts do add value. Clearly, the monitoring of those alerts gives consumers peace of mind. I think the most significant step forward, Congressman, is this concept where consumers can control who accesses their credit data with a lock, and I think the next step forward there would be to not only have Equifax offer that solution, but imagine a consumer being able to lock and unlock for free-for-life access to all three credit reports, Experian's, TU's, and ours. That gives them the ultimate protection. Mr. Barr. You went over this a little bit about the steps that you took after learning of the breach and why it took a while for you to notify the American people about the breach, but why did it take so long? I think the average American would expect a more expeditious notification of the compromise of their personal identifiable information. Mr. Smith. Congressman, we were driven by a couple of thoughts. One was making sure we were as accurate as possible in who was impacted and who was not. And that just took time. As I alluded to in the oral testimony, that developed over the weeks of mid to late August. Number two, as I mentioned, Mandiant, the cyber forensic examiner, who is viewed as world class in what they do, had advised us to expect an increased frequency of cyber attacks, and we had to develop plans to make sure we were prepared for those attacks. Mr. Barr. My time is expiring. 
Can I just ask you if one of my constituents approaches me with a problem, will you commit to me to working with my office to help any of my constituents whose identification has been compromised? Mr. Smith. Congressman, I will ensure the company does that. Mr. Barr. Thank you. I yield back. Chairman Hensarling [presiding]. The time of the gentleman has expired. The Chair wishes to alert all members that votes are currently taking place on the floor. The Chair intends to recognize one more member and then go into recess. The Chair now recognizes the gentleman from Massachusetts, Mr. Capuano, for 5 minutes. Mr. Capuano. Thank you, Mr. Chairman. Mr. Smith, I want to join my colleagues in saying I don't have a clue why somebody who doesn't work for the company is here. Is there anybody in the audience that you know of that currently works for Equifax and has the authority to change internal company policies? Is there anyone in the audience that you know of that has that ability? Mr. Smith. No, Congressman. Mr. Capuano. No. Well, this is great. Thank you for coming. I appreciate it very much. So, therefore, from this point forward, don't take it personal because I know you can't do anything about it, but I will use you because I am hoping that maybe one or two people back in the company are watching. Maybe not. Probably not because they don't care. But we will find out. Is it fair and accurate to say that, at any given moment, Equifax has the financial records of approximately 200 million Americans? That is a rough number. Does that sound right? Mr. Smith. Congressman, if I may, there are 10,000 people back working at Equifax that do care. Mr. Capuano. Fine. Just answer my question. You can defend the company when they put you back on the payroll. Since you don't represent them, how would you know? So how many average Americans-- Mr. Smith. I spent 12 years there. Mr. Capuano. Say again? Mr. Smith. I spent 12 years there. That is how I know. Mr. Capuano. OK. 
We will get to that in a minute. Mr. Smith. But to answer your question, yes, it is over 200 million U.S. consumers. Mr. Capuano. So 200 million. And your accuracy rate is about 95 percent. Is that--I read that--is that a fair number? Mr. Smith. How are you defining ``accuracy''? Mr. Capuano. No errors of significant numbers. Mr. Smith. You are referring to the credit file itself? Mr. Capuano. Yes. Mr. Smith. There was an independent study done a number of years ago. PERC did the study and found that if you defined an error as something that has a negative influence on a consumer's ability to get a loan, either yes goes to no, no goes to yes, interest rate goes up, over 99.9 percent--over 99 percent. Mr. Capuano. Well, I used 95 percent because that is what I read, but the numbers will be close. So you have 200 million records. You get a 95 percent accuracy rate, which means a 5-percent error rate, which means, at any given moment, there are 10 million Americans who you have financial records on and you had 500 service reps. That is 20,000 customers with a problem that your company created per service rep. Now, you get 145 million--you are ramping up; you are going to hire, give or take, 3,000 service reps--145 million, that leaves 48,000 people with a problem you created--not you, your former company--created per service rep, 48,000. Do you think that is good? Mr. Smith. Two points of clarification. I disagree with your math, in all due respect. The math we have is 99 percent. Number two is most of the disputes--if you have an issue with your credit file, we have an online electronic-- Mr. Capuano. Let's talk about that for a minute. Let's talk about--I am sure, since you were the CEO in 2014, you are familiar with the case of Miller v. Equifax? Mr. Smith. Vaguely. Mr. Capuano. You have heard of that case, I am sure. Mr. Smith. Vaguely, yes. Mr. Capuano.
And that is a case where the judge found, we didn't find it--as a matter of fact, congratulations on that case because that case was actually determined that you didn't have to pay an $18 million penalty; you only had to pay a million and a half dollar penalty because that is the most the Constitution allowed, and the judge found that your actions were reprehensible. Those are her words, not mine. And it stated very clearly here that your own expert testified that it is Equifax's policy to investigate and correct files only after a lawsuit is filed, which is why I wanted to talk to somebody in the company to see if they are willing to change that, but since there is nobody here, I guess not. I just wondered, do you think that is OK? You thought-- apparently, you thought that was a good policy in 2014? Mr. Smith. Congressman, if a consumer has a dispute on something on his or her credit file, we take that seriously. They have the ability to communicate with us directly electronically or over the phone. We work with the furnisher, the banks, the-- Mr. Capuano. In this particular case, you just ignored it. You didn't do anything about it, and the only reason there was a lawsuit is because two people with the same name of Miller, their records got combined, and you refused, after you were proven repeatedly for years, to do anything about it. And it happens all the time. Every one of us gets complaints from our constituents that your company--not just you; the other two are no different-- that your industry treats them like dirt. They can't get student loans. They can't get auto loans. They can't get ATM cards because you won't do anything by your own policies admitted by your own people who used to work for the company that says we don't do anything until you file a lawsuit. So, here, in my last 13 seconds, I am going to speak to America, and I am going to say for the 145 million people: File a lawsuit and maybe you will get some equity. 
Otherwise, they are going to keep doing to you what they have been doing to you forever. Chairman Hensarling. The time of the gentleman has expired. Votes are pending on the floor. The committee stands in recess. [Recess.] Chairman Hensarling. The committee will come to order. Without objection, I recognize the Ranking Member for 1 minute. Ms. Waters. Thank you very much, Mr. Chairman. Pursuant to clause 2(j)(1) of rule XI and clause (d)(5) of rule III of the rules of this committee, I am submitting for your consideration a letter signed by all of the Democrats of the Financial Services Committee notifying you of our intent to hold a Democratic hearing, also known as a minority hearing, on the Equifax data breach. I look forward to working with you to determine the date, time, and location of such a hearing. Chairman Hensarling. The demand being properly supported by the majority and minority members, the additional hearing day will be scheduled with the concurrence of the Ranking Member, and members will receive notice once the new hearing day is scheduled. I now recognize the gentleman from California, Mr. Royce, Chairman of our Foreign Affairs Committee. Mr. Royce. Mr. Chairman, thank you. And I thank Mr. Smith for being here today. Now, since September the 7th, my office--I am sure all of these offices--have received a lot of angry and anxious phone calls and emails by our constituents. I think one of the things that really stands out is, how could a company that deals in data not protect that data? I think the answer lies in what your company did not do. You did not protect their personal information. You did not encrypt that data. You did not patch a vulnerability that you were alerted to on March the 8th. You did not disclose the breach to the public until 117 days after it occurred. And then, on top of it, the insider trading allegations only add fuel to that fire. So let me turn to my questions. 
Before September 7, who else outside the company and your hired legal counsel and the FBI, who else was made aware of the breach? Was the FTC notified? Mr. Smith. Congressman, at the appropriate time, all outside constituents were notified, including the FTC. Mr. Royce. Well, let me ask you this, Mr. Smith: According to media reports, LifeLock executive Fran Rosch was notified before the hack actually became public. According to that individual, he got a call while vacationing in Maine. And I just ask, are you aware of this? Do you know who called Mr. Rosch to give him the heads-up? Mr. Smith. No, sir, I am not aware of that. Mr. Royce. Well, according to Bloomberg, armed with information only a handful of people had at the time, Mr. Rosch mobilized the rapid response team. He knew the company would receive an onslaught of calls and signups in the coming days, and I will quote from Bloomberg: He was right. In fact, the phones were ringing off the hook. He bragged that it was bigger than the Anthem breach, bigger than anything they had ever seen before, a tenfold increase in LifeLock customers. And here's the kicker. Quote from him: ``Most are paying the full price rather than discounts,''--I think that means most were paying $30 instead of $10--``it is a really incredible response from the market,'' unquote. I will tell you what is incredible here: That actually your company profited off the relationship with LifeLock, which is a company to which you provide credit monitoring services. Here is the point I would like to make: LifeLock gets this heads-up. Did Credit Karma or Intersections or the other competitors, did they get similar notice, that you are aware? Mr. Smith. Again, Congressman, I am unaware of the LifeLock discussion, let alone anyone else. Mr. Royce. Well, it is fair to say I think that LifeLock benefited from both the breach and the foreknowledge of it. 
LifeLock's parent company, Symantec, has seen its stock rise by more than 10 percent since the breach was made public. Mr. Smith, do you or any current executives at Equifax own stock in Symantec? Mr. Smith. I do not, sir. Mr. Royce. Well, what I would like to know is, if you could provide a list of any executives who do, because someone notified them in advance. Someone in the company gave them a heads-up so that they had an opportunity to get the phone banks ready and in advance of anybody else start calling about their service and at a price $29.99 instead of the $9.99 discount that obviously was of great benefit to that company. Somebody tipped them off on the inside, and I think it would behoove Equifax to find out who that is. And if you could start by finding out which executives own stock, that might help us get to that answer. Mr. Smith. Congressman, your source was Bloomberg. Is that correct? Mr. Royce. That is correct. Mr. Smith. We will look into that. Mr. Royce. Very good. I appreciate it. Yesterday, in the Senate, the question was asked if we had seen any evidence-- Chairman Hensarling. The time of the gentleman has expired. The Chair now recognizes the gentleman from Georgia, Mr. Scott. Mr. Scott. Thank you very much, Mr. Chairman. Good to have you, Chairman. First of all, I want to make a couple of points very clear. I represent the great State of Georgia. I love Georgia. When this news first came to me, my staff reported it, I immediately wanted to do all I could to make sure that we would be able to make sure that Equifax would be standing tall, that they would be clean. That is my objective as the Congressman from Georgia because, as you said, you represent a legacy of our great State. You are a 128-year-old company. You employ 30,000 people, many of whom are my constituents, many of whom who work and toil in the vineyards at your company, and they are great people doing a great job. 
It is important for the American people to know that what we have before us is a despicable, a shameful situation for 145 million American citizens to lose the privacy of their Social Security numbers and all of that, but let it be known that it is the top management--it is you--who is responsible for this. Now, what I want to do is to be at the front of this spear, to make sure that Equifax regains the confidence and trust of the American people. So my comments here to you, Mr. CEO, are going to be geared to that. First of all, I want to call, Mr. Chairman, and be the first one to call for an investigation by the Justice Department, by the CFPB, and certainly by the SEC. Now, Mr. Smith, you are leaving this company, but there are others who are going to be there, and we have to make sure that Equifax comes out clean and standing tall. Now, what disturbs me perhaps more than anything was the timeline. You said that you became knowledgeable about this breach on July the 31st, but here is what happened: On August 1st, your executives sold $2 million worth of stock. And not only that, Mr. CEO, former CEO, it was your chief financial officer who led that charge to sell that stock. Now, nobody is going to tell me you are getting information on July 31st and here they go dumping their stock less than 24 hours later. That has to be investigated and cleared if we are going to get the confidence of the American people back. So it is this insider trading; anybody can see that. And I am sure and I hope that your successor--the guy who is going to be taking your place, I hope he is listening. That would be the first thing. And then the second thing, we need to make sure that these guys who sold that stock, who made $653,000 in savings from that stock with that inside information, that they pay that money back and that they are fired. 143 million people losing this is no justification. We have got to make sure and you have got to make sure that we clean this mess up. 
Now, I want to talk about the other way in which we can do this. You mentioned numerous times that it wasn't the intent of Equifax to include the arbitration piece. Well, now some have it; some don't. That is the next thing that needs to be done. No more of this arbitration clause. When you do things like that, the public will take notice. Our job is to clean this mess up and make sure we bring Equifax back standing tall. We owe that to the American people. Now, the other thing that I would like finally is my staff informed me that most mortgage lenders pull all three reports from the big three credit reporting agencies: Equifax, TransUnion, and Experian. So, when you talk about this new free lifetime lock product, it is not going to be effective unless everybody does it. I wish I had more time, but we are going to clean this mess up, and we are going to restore the integrity and trust of the American people. Chairman Hensarling. The time of the gentleman has expired. The Chair now recognizes the gentleman from Illinois, Mr. Hultgren. Mr. Hultgren. Thank you, Mr. Chairman. I know most of us have been hearing from our constituents. I certainly have. Marty from Wauconda, Illinois, wrote me, said: Equifax has jeopardized my private information, which I never gave them. Why should I have to do all of the work to monitor my credit? They should have done it for me or pay me to do all this of signing up and freezing my credit reports. They should pay me for my time. Should someone go to jail for this? Do you agree? James from Spring Grove said: This company, Equifax's careless actions have caused the loss of personal information on a scale never seen before, not due to some new or sophisticated hacking technique, but because they failed to patch their servers for a known problem. 
Combined with the careless handling of highly sensitive personal information and the likely criminal sales of stocks prior to reporting the breach, their action went far beyond carelessness to negligence. Legislation should be put forward to increase regulations on these entities, not decreased legislation that is proposed. Equifax must be held accountable and liable for all damage caused by their breach, and all credit reporting firms must be held to much higher standards of information security. John from Auburn said: In the last 6 months, my private personal information has been lost twice, once by Home Point Financial, my mortgage company, and then again by Equifax. Both companies are offering a limited subscription to identity protection companies. HPF is offering a free year's subscription to protect my ID owned by Experian. Equifax is offering a 1-year member to TrustedID Premier, an Equifax subsidiary, which they acquired in 2013. Seems like a twisted marketing campaign to me, he said. Home Point Financial claims to have lost Social Security numbers, birth dates, driver's license numbers. Many of these lost numbers cannot be changed. What good is a 1-year membership? This data is lost and valuable until I pass away. Is it ethical that a company that loses all my personal data also conveniently owns a service that sells a product and wants me to pay to help protect me from its eventual use? It is time that all these companies are held liable and forced to offer lifetime memberships. Please help us, all of us. This is out of control. Many other constituents, again concerned, talked with parents of young people whose information has been compromised. Mr. Smith, when this committee sends questions for the record, of which there will be many, will the response to our questions come from you or from Equifax? Mr. Smith. They will come from the company, Congressman. Mr. Hultgren. And how should we respond in getting those answers from Equifax? Mr. Smith. 
I will make sure someone from the company reaches out to your staff. Mr. Hultgren. That would be great. Equifax has been investigating the breach now for over 2 months. Has the identity of the hackers been determined? Mr. Smith. No, Congressman, it has not. As you know, we are engaged with the FBI, and the FBI is running that investigation for us. Mr. Hultgren. Do you have an opinion of whether it will eventually be determined who did it? Mr. Smith. I do not. Mr. Hultgren. Did outside data security consultants tell Equifax it should delay notifying the public, and if so, why, when, and for how long? What changed that allowed Equifax to notify the public in September? Mr. Smith. Again, it was trying to balance--it was a team effort, and it relied upon the input from our outside forensic examiner, a global law firm that we talked about, and our team. It was trying to balance accuracy, clarity, transparency with the urgency of contacting the consumers. Mr. Hultgren. Was an event like this in the scope and scale contemplated by your security staff in a preventable sense? Did a playbook exist for responding to a material breach of Equifax's PII database? Mr. Smith. Yes. There was a crisis management process that we have had in place for quite some time, and a data breach is one of the crisis examples that we practice routinely. Mr. Hultgren. It just doesn't appear like you were ready for it, and that is our question, of the incredible delays. You have heard from my constituents. This is just a small sampling of incredible frustration, fear that their information has been compromised, and they don't know if it is ever going to change. Echoing what one of them said, this is information you can't go back and change. You can't go back and get a new birth date or a new Social Security number. If Equifax had wished to notify the public within let's say 1 week of discovering the breach, would it have been capable of doing so? 
Could it have had both the resources and the plan in place to do so? Why or why not? Mr. Smith. Congressman, we moved with haste. As I mentioned in my oral testimony and the written testimony, it wasn't until late August that we got a sense for the size and scope of the breach, and even that was continuing to move. We moved as quickly as possible thereafter. Mr. Hultgren. Has there been any uptick in identity theft or fraud since the breach? Mr. Smith. Not that I am aware of. Mr. Hultgren. Would you expect something like that to occur, and why might there not be an uptick yet? Mr. Smith. If consumers take advantage of the services that we are offering, Congressman, to lock their file, that will give them great protection. Mr. Hultgren. Obviously, there is a concern when still those kinds of same entities are involved. My time has expired. I yield back. Chairman Hensarling. The time of the gentleman has expired. The Chair now recognizes the gentleman from Illinois, Mr. Foster. Mr. Foster. Thank you, Mr. Chairman. What I would like to talk about are things that Congress should have done or can do at this point that would have prevented this. And, what that means is that you would have needed a team of really smart highly motivated people looking every day for any security flaw, which you obviously did not have in place. And one way to make that happen is by making it a requirement that you actually carry enough insurance to make customers whole when this thing happens. It is my understanding that statutory damages for a breach like this are roughly $1,000 per person, which means that the total potential liability for 140 million people is $140 billion, more than 10 times the market capitalization of Equifax. You clearly can never self-insure, or at least a company with your business model could never self-insure. On the other hand, some of these have settled for a lot more--a lot less, just a few dollars per person for some data breach instances. 
So it is not clear what it should be. My first question is, what would you personally for yourself or one of your family want as remuneration for having your private information up for sale on the dark web? Mr. Smith. Congressman, the suite of services we are providing for free in some cases-- Mr. Foster. No. I am saying if I came up to you and said, ``I want to publish your information on the dark web,'' would you do it for $1,000, personally, just personally or on behalf of members of your family? Mr. Smith. No, sir. Mr. Foster. No, you would not. OK. $10,000? $100,000? Everyone has that number, but it is well north of a few dollars per person. OK. But that is sort of what is happening. Without even having a negotiation, we are having this pain inflicted on people. Let's just stick with the $1,000 a person, just the statutory number on there. Oh, plus punitive damages. And so, now, if Congress were to require that any company like yours that held information for people without asking them necessarily to opt in, that you had a requirement that you would hold enough insurance to make them whole if there was a massive data breach, that would be a very expensive insurance policy, correct? Right? Now, you indicated earlier that you had not disclosed how much insurance against data breach you are actually carrying. Is that correct? And you don't intend to tell us that? Mr. Smith. That is correct. Mr. Foster. That is correct. OK. Is it fair to say that it is not enough to cover $140 billion, $1,000-per-customer type liability? Is it less than that? Are you comfortable saying that? Mr. Smith. Yes, it is less than that. Mr. Foster. OK. And so it is likely that many customers may end up getting less than they think really their actual damages are. Have you thought through, say, how much per hour the average customer would charge someone to just sit on hold waiting to try to get attention to getting their credit unfrozen? Mr. Smith. 
Remember, Congressman, one of the offers we have to consumers is an insurance policy. You are aware of that? We offer five different services for free. One is, if a consumer has lost expenses in trying to get their credit repaired, trying to take time off of work, up to a million dollars. Mr. Foster. OK. But I am trying to understand under what conditions you would have assembled a team, either yourself or an insurance carrier, assembled a team that would have prevented this. If you would have tens of billions of dollars of coverage on this, I imagine that would have funded a very aggressive team of people who would, every time a patch came out, they would say, oh, boy, let's go and try to figure out if you have applied that patch. And they would be looking at your source code for everything that an insurance company that was offering that kind of coverage would demand. And I was wondering if you think there is a possible way that we can actually prevent this in the future. Mr. Smith. Congressman, we have notifications routinely every year for patches. This is a very unfortunate mistake. I mentioned the mistake; I apologized for it. The insurance approach is not the solution. It is preventing the human error and the technological error that occurred. Mr. Foster. But there will always be human errors, and what you need is a red team who sits there and looks for human errors and flags them immediately. And this has to be a very expert team. Nothing short of that is going to rapidly catch the kind of human errors that will naturally happen. So, anyway, this is one of the things I am looking at, because it is the only free market solution that I think has a chance of preventing this in the future. Thank you. Chairman Hensarling. The time of the gentleman has expired. The Chair now recognizes the gentleman from Colorado, Mr. Tipton. Mr. Tipton. Thank you, Mr. Chairman. Mr. Smith, I appreciate you being here. 
I did want to follow up on some previous questions that I had heard. The question was around whether or not you had protocols in place to be able to actually address whether or not the information was being reported properly internally, but then also to the government entities that are responsible for oversight. And I did not hear you respond to the answer whether or not you have written protocols in place to be able to have a timeline to be able to make sure that the governing bodies overseeing you are notified in a timely manner. Would you address that? Mr. Smith. Yes, Congressman. Thank you for that question. Yes, there were protocols in place. The protocols started with when the security individual saw suspicious activity. Protocol No. 1, he or she shut down the particular portal, started the internal investigation, followed by the traditional protocol that they followed, which is to notify and engage outside cyber forensic auditor Mandiant, engage outside counsel to help us with the investigation, and then protocols followed throughout all the way to the time of notifying the regulators, AGs, and the consumers. Mr. Tipton. Looking forward, to try and be a little more solutions-oriented--I understand and appreciate the comments that you have made regretting what took place--are there protocols, are there actions that this Congress might be taking, in terms of some of the regulatory bodies, to be able to incentivize earlier action, earlier notification, not only to the governing bodies but also to the consumers as well that we ought to be looking at? Mr. Smith. Congressman, the one thing I mentioned before I would love to see both Congress and companies tackle is the concept of, is there a better way to identify consumers in America other than SSN? It is unfortunate the number of breaches that have occurred over the years has exposed so many SSNs that we are all vulnerable to that. So I would love to see us engage in that discussion. Mr. Tipton. 
Well, in terms of internally, there are some independent--I believe The Wall Street Journal had noted independent groups that analyzed the vulnerability of you, of Equifax, in terms of what you are going to be dealing with. Do you look at that sort of analysis, and who is responsible for identifying that and taking it seriously, to see that patches aren't needed, but we are being proactive to make sure that the breaches do not take place? Mr. Smith. Yes. We routinely bring in outside consultants, advisers to help us check, double-check, rethink tactical steps we can take as we have taken since the breach as well as long-term strategical steps we can take to make sure we are more secure. Mr. Tipton. Great. Thank you. Mr. Chairman, those are the questions that I had. I yield back. Chairman Hensarling. The gentleman yields back. The Chair now recognizes the gentleman from Maryland, Mr. Delaney. Mr. Delaney. Thank you, Mr. Chairman. Thank you, Mr. Smith, for being with us here today. I have a couple of questions about how you interacted or how your board interacted around this matter generally. So it says in your testimony that you became aware of the information on August 11, but that you notified the lead member of the board of directors, Mark Feidler, on August 22. Did you have any conversations with other board members before that? Mr. Smith. Let me clarify, if I may. The first debriefing I had of any significance was on the 17th of August. That included Mandiant. Mr. Delaney. Got it. Sorry. But between the 17th and the 22nd, did you speak to any other board members? Mr. Smith. On the 22nd of August was the first discussion with the lead director. Mr. Delaney. What about other board members? Mr. Smith. The 24th and 25th, we had two board meetings where the entire board was updated. Mr. Delaney. Is it normal to wait this long to convene your board when a matter of this scale has occurred? Mr. Smith. 
The data was fluid, moving, developing each and every day, and I felt that was an appropriate timeline. Mr. Delaney. Under the Sarbanes-Oxley requirements for public companies as it relates to their internal controls, was cybersecurity or data breaches ever considered as part of the board of directors and the audit committee? Mr. Smith. In what way? Mr. Delaney. Well, I ran two public companies, and I used to have to sit down with my management team and get certificates where they would assure me that things were being done in accordance with our procedures. And then the audit committee would review these things so that they could do their job under the requirements of the law. So, in that process, I assume you engaged in a similar process at your company. Mr. Smith. We had two ways to engage as it relates to security with the board of directors. One was at the entire board level routinely through a device we call ERM, enterprise risk management. At the top of that list was cybersecurity. Also go through deep dives with the board of directors on security risks. The second means of communicating with the board was through a committee we have called the Technology Committee. The Technology Committee is comprised of individuals, some of which have a deep understanding of security. They would go into details of our security efforts as well. Mr. Delaney. If you were to put the board's time in a pie chart representing 100 percent of the time they spent on matters related to the company, what percentage of their time would you say was spent on thinking about cybersecurity risk and data breaches? Mr. Smith. I would be guessing if I were to make that--take a stab at that. Mr. Delaney. Did you regularly have full discussions around the board table about this potential risk? You identify it as a risk factor in your financial statements--I mean, in your 10K. Mr. Smith. Absolutely. Mr. Delaney. So would you say 5 percent, 10 percent, 15 percent, 1 percent? Mr. Smith. 
Congressman-- Mr. Delaney. You chaired the board so you have a sense as to what occurred in the board meeting. I assume you set the agenda. So, on the agenda, was there a regular item about cybersecurity or data breaches in every board meeting? Mr. Smith. Not in every board meeting, but routinely throughout the year, through committee meetings and through board meetings, the board was apprised. Mr. Delaney. Which committees had responsibility for this? The Audit Committee? Mr. Smith. As I just mentioned, the Technology Committee. Mr. Delaney. The technology. So the Audit Committee didn't. Mr. Smith. The Audit Committee would have purview as well. The entire board would have a view. But the Technology Committee--we are a technology company-- Mr. Delaney. Right. Mr. Smith. --was responsible for oversight of security and technology at the board level. Mr. Delaney. Would the technology company make a presentation at every board meeting? Mr. Smith. Yes. Mr. Delaney. Were there discussions about the technology budget at the board level, about whether it was adequate in the area of cybersecurity? Mr. Smith. The Technology Committee, Congressman, would approve the technology budget every year. Mr. Delaney. Got it. And they bring it to the board for approval, or they just do it at the committee level? Mr. Smith. Yes. Mr. Delaney. In your opinion, how mindful was the board before this event occurred as to the likelihood of a risk like this? Mr. Smith. Very mindful. Mr. Delaney. So you would say that your board spent considerable time trying to get to the bottom of-- Mr. Smith. The board understands, Congressman--it is a data company, to your point--that data security is the number one risk we have and took that very seriously. Mr. Delaney. 
And as part of the disclosure statements that you received as a CEO, where your direct reports would certify that things were being done correctly, did one of those certificates include some mention of the cyber risk and the data breach, the potential for data breach and assurances that the systems were in place? Mr. Smith. We disclose in every K and every Q that security is a risk and one risk we face. Mr. Delaney. Got it. Got it. And have you had other significant events in the company where you notified your board of these problems the day they happened? Mr. Smith. Have we ever notified the board of a security risk in the past? Mr. Delaney. So let's say you had analyst expectations as to your earnings and realized during the quarter you were going to miss them, would you call the board, your lead director that day and notify them, or would you wait 4 or 5 days? Mr. Smith. If there were risks to our financials to a particular quarter, we would notify the board. Mr. Delaney. Sooner than 5 days? Mr. Smith. We have never had to do that in my time there. Chairman Hensarling. The time of the gentleman has expired. The Chair now recognizes the gentleman from North Carolina, Mr. Pittenger. Mr. Pittenger. Thank you, Mr. Chairman. Mr. Smith, we are addressing a very egregious concern in our country. Obviously, we have major threats, national security threats affecting our financial systems, our infrastructure, our government. The private sector spends hundreds of millions of dollars every year regarding cybersecurity measures, as well as energy companies and other institutions. Today, we are aware that not just the 143 million consumers' personal information was exploited, but in addition, there are now another 2-1/2 million people that have been affected by this initial account. Can you assure us that the 2-1/2 million are the last Americans whose data has been compromised? Mr. Smith. Congressman, can you repeat that last part of your question? I missed that. Mr. 
Pittenger. Can you assure that the 2-1/2 million additional people who have been reported that their data has been compromised, is that the last? Mr. Smith. I am sorry. I missed that. Yes, it is my understanding from Mandiant, the forensic experts, that, one, movement from the time you announce to the final conclusion is not unusual. And number two is, while I have not had a chance to read the press release myself, it is my understanding that, on Monday, when it came out from the company, it said that the forensic review is, in fact, complete. Mr. Pittenger. Yes, sir. Prior to the security breach, did Equifax, in your opinion, have preventive measures in place to combat a data breach of this magnitude? Mr. Smith. Well, obviously, a breach of this magnitude would not have occurred if everything was in place. Mr. Pittenger. Elaborate with us on additional measures that you believe could be put in place at this time. Mr. Smith. Congressman, many have. From the time of the announcement, actually before the announcement, we engaged experts to help us increase monitoring, penetration techniques, what they call white-labeling of IP addresses. A variety of things were put in place before the announcement on September 7. Those continue. We had 30-day plans, 60-day plans, 90-day plans. And as I was getting ready to step aside, we engaged a topnotch consulting firm to help us rethink our entire strategy for security. Mr. Pittenger. Do you actively engage in testing these databases for vulnerabilities? Mr. Smith. Yes, we do. Mr. Pittenger. Do you use third party, or do you do this in-house? Mr. Smith. As I was just mentioning, we do both. Mr. Pittenger. OK. Could you please explain the process or standards by which Equifax has stored consumers' personal information? Mr. Smith. Could you say that again, please? Mr. Pittenger. I would like you to explain the process or the standards by which Equifax has stored consumers' personal information. Mr. Smith. Standards. 
I would say there are a variety of techniques used, from a security perspective. There are layers of security techniques we use. There is--I think it was mentioned or asked earlier. Mr. Pittenger. Is there an encryption procedure in place? Mr. Smith. That is where I was going. There is encryption. There is tokenization. There is masking. There are layers and different ways to secure that data. Mr. Pittenger. Do you feel like that there was adequate encryption in place? Could you have done more to prevent what occurred? Mr. Smith. If we could have prevented the human error, if we could have prevented the scanner from not finding this, that would have stopped this issue, yes. Mr. Pittenger. So there was a thorough encryption process in place, in your opinion? Mr. Smith. Again, there are different techniques used in different areas, and encryption is only one of them. Mr. Pittenger. Moving forward, how do you and the rest of the leadership at Equifax plan to regain the trust of our consumers? Mr. Smith. By making it right for the consumers. Mr. Pittenger. Well, I thank you for coming. This no doubt is probably the hardest time in your life, but it is a much harder time for the American people whose data was exploited, and we are here on their behalf. Mr. Smith. I agree. Thank you. Mr. Pittenger. I yield my time. Chairman Hensarling. The gentleman yields back. The Chair now recognizes the gentleman from Missouri, Mr. Clay, for 5 minutes. Mr. Clay. Thank you, Mr. Chairman. And, Mr. Smith, thank you for being here. More than 2-1/2 million Missourians had their information exposed in the Equifax breach, and they will likely be impacted by it for years to come. Can you share with this committee and the American public what types of activity that these people can expect whose identity has been compromised and tell them what kind of activity they can expect from the thieves that took their personal information? 
Because most Americans have never had identity theft occur to them. Can you give us some examples of what they can expect over the next year? Mr. Smith. Congressman, I would answer that two ways. One, we have offered a comprehensive suite of services free to all Americans to protect their identity, to your point. That is those five different things we talked about earlier. The important point there is I have offered that--or we have offered that to every American. So, regardless of them being impacted by our breach or not--they could have been impacted by the OPM breach. They could have been impacted by the Anthem breach, Home Depot. We are covering all Americans with a suite of products. Mr. Clay. But describe for this committee and the American public the hellish nightmare they are about to go through when they find out that the IRS, that someone has filed taxes in their name to get a refund by the IRS, or that someone has gotten a credit card in their name. Mr. Smith. So, Congressman, one of the products we are offering, as we talked about, is the lock. If a consumer takes that lock, locks access to their file, no one can open up a credit card in his or her name, as an example. Mr. Clay. Equifax has offered consumers a year free of credit monitoring services, free credit freezes now, and a promise to provide a better product in several months described as, quote, ``lock,'' unquote on consumers' credit reports. At an Energy and Commerce Committee hearing held earlier this week, you stated that credit freezes and credit locks are, quote, ``virtually, if not exactly, the same,'' end quote. If the protections these products afford to consumers are the same, what is the need for the new term? Mr. Smith. Congressman, lock was introduced through regulation in 2003 and 2004. What I was referring to in the quote you mentioned is the protection to the consumer is largely the same. 
The difference is the ability to freeze and unfreeze can be very cumbersome and is dictated at the State level. The lock product coming out in January 2018 will be very user-friendly. A consumer can lock and unlock from their iPhone. That is the difference. Mr. Clay. OK. So, because security freezes are covered by State law, if something goes wrong, for example, if credit accounts are fraudulently accessed, will consumers be protected from financial liability? Mr. Smith. Congressman, again, locking or freezing protects the consumer from someone accessing their credit file to access credit, to rent an apartment. It is a secure way to protect their credit file. Mr. Clay. OK. Yes, but I am talking about the activity that occurs when they are compromised, when their identity is compromised. What kind of comfort can you give these people? Can you tell them anything, that your company will work with them to resolve this or what? Mr. Smith. Yes. Again, we are working with consumers impacted and not impacted. We are offering five different products today for free, followed by the lifetime ability to lock and unlock your file for free. That should give them comfort, an ability to stop people from opening and accessing their credit file. Mr. Clay. OK. Do you agree that steering consumers into a product that is covered by a contractual agreement with your company when the product you say is the same that is already covered by many State laws raises some concerns? Mr. Smith. No, sir, I do not. The freeze is still our product. The way a consumer gets access to freezing and unfreezing is set by State law. Chairman Hensarling. The time of the gentleman has expired. The Chair now recognizes the gentlelady from Utah, Mrs. Love. Mrs. Love. Thank you. Estimates are that about 60 percent of adults, U.S. population, is affected by the breach. If you extrapolate the information to Utah, that is about 1.43 million Utahns that are potentially affected. 
So my question is, what sort of financial products could be opened in my constituents' names if their data was part of the breach? Mr. Smith. Congresswoman, two things: One, if you are interested, we have the data of those that were a victim of the criminal hack by State level. If that would be interesting to you, we can get that to your staff. Mrs. Love. I would love that. That would be great. But I am still asking what type--if they were affected, what type of products could be opened in their names? Mr. Smith. Well, if they signed up for, as many, many have since the breach, with the lock product, the ability to lock their file so no one can access it, so no one can open a credit card, get a car loan, get a home equity loan, get a mortgage, the lock prevents that from happening. Mrs. Love. So, if they didn't get a lock and they are still--if they didn't get a lock, so that means credit cards could be opened in their name, other things could be opened. I just want to get a list of things that they need to look out for. Mr. Smith. We monitor. We are offering a monitoring service as well. So, if you are a victim of the criminal attack, we will send you notifications if there is suspicious activity on your file. Mrs. Love. Have there been any upticks in identity theft or fraud since the breach? Mr. Smith. It was asked earlier. Not that I am aware of, no. Mrs. Love. Not that you are aware of, OK. Mr. Smith. You mean since the breach? Mrs. Love. Yes. Mr. Smith. Yes, not that I am aware of. Mrs. Love. How would you know? How do you know? Mr. Smith. We have fraudulent flags on files. Mrs. Love. OK. And when would you expect to see an uptick? Because usually some of these things take time. So, if there were to be some upticks, when would you expect to see some of those? Mr. Smith. It depends. 
There are some out there that say that the Social Security numbers, which is the piece of the PII that we focus the most on here, have been out in the public domain hacked in the past for quite some time. Mrs. Love. OK. So, for my constituents that were impacted, how long should they expect to remain concerned about the potential impact on their credit files or identity? Mr. Smith. They should always be vigilant and looking at the monitoring products that we offer. And, again, I go back, the first thing they should do is lock their file. If they lock their file, they are going to rest better. Mrs. Love. OK. So, in terms of--I am trying to--what I am trying to do is to give a clear vision to people who are watching what they need to do. I understand locking their file, and some people who are watching that today can do that. But in the meantime, I need to give them things to look out for, what to look out for either before they do that or, over the years what they need to be aware of. Mr. Smith. Maybe I will try to answer it this way: If the consumers in Utah or anywhere in America take advantage of the free service, whether you are a victim or not, of the five offerings we have--one is monitoring of all three credit bureaus' files. That is the first thing they should do. We do that for them for free. The second thing is access your credit file through us to look at it for suspicious activity. Three is we offer a dark web scanning service. We go out there for you and scan the dark web for activity. Four is we have the ability to lock the product for free. And there is a fifth one. I forget what the fifth one is. Those five products should give the U.S. consumer, the Utah consumer far more comfort, followed by January of next year the lifetime lock. Mrs. Love. So can you explain, and I may have missed this, can you explain the difference between a credit lock and a credit freeze? Mr. Smith. Yes. 
The credit freeze was enacted as part of FACTA back in 2003, passed into law at the State level. Each individual State passed it into law 2005--2004. The difference is the ability and the means by which a consumer communicates to us, TransUnion, and Experian, versus the lock, which will be an application enabled on and off, much more user-friendly, much quicker for the consumer. Mrs. Love. OK. And I just want to reiterate one more thing that was brought up by the Ranking Member, that you are committing to work with people who may have been or have been affected or may have had their identity taken and used for their lifetime? Mr. Smith. Yes. We are offering every citizen, American citizen a lifetime lock, the ability to lock and unlock for life. Mrs. Love. OK. Thank you. I yield back. Chairman Hensarling. The gentlelady yields back. The Chair now recognizes the gentleman from New Jersey, Mr. Gottheimer. Mr. Gottheimer. Thank you, Mr. Chairman. And, Mr. Smith, thank you for being here today. As a former Microsoft executive, I have an appreciation for corporate integrity and where the buck stops. I get that issues come up all the time. It is how you handle them, of course, when they do come up. And it seems to me your response has been more of an Equiscam than an Equifix on too many of these accounts that have been brought up today. And if you are going to take 4 to 5 weeks to tell consumers what happened, I just don't understand where the gap was in terms of putting information together so that you can respond well. One, and if you can help me here, out of the 145 million consumers impacted, only 7.5 million have signed up for monitoring services is my understanding. Why do you think only 10 percent have, and why not just auto-opt everyone in since you have their information? Mr. Smith. It is illegal. It requires the consent of the consumer. Mr. Gottheimer. 
Can you reach out--since you know their addresses and information and many of their emails, since, obviously, we know that you have them, why not reach out to them and send them a letter and say, ``Would you be interested in this''? Mr. Smith. I may have mentioned in my oral testimony, Congressman, that the awareness is at record highs for breaches. Over 400 million consumers have come to visit. They know. Mr. Gottheimer. Couldn't you send out or would you be against sending a letter to them to give them information so they know, so hopefully we can get more people signed up? Mr. Smith. Again, I think they do know. Mr. Gottheimer. I am sorry, is that a no, you are not willing to do that? Mr. Smith. I was going to answer. Mr. Gottheimer. Please. Mr. Smith. So we sent the press release out to notify. We set up the website. Phone numbers. We followed State law where that was required for local advertisement to create the awareness. The 2.5 million that was mentioned earlier that the company released of additional victims of this crime, on Monday, those individuals, because of the fear of false positives, were notified via email or will be notified via email. Mr. Gottheimer. So the rest, the 143 or 144 million plus, you will not be willing to reach out to? Mr. Smith. We follow the process that is legal, acceptable, and common for this size, yes. Mr. Gottheimer. Thank you for your answer. What is being done to resolve the problems with your website--I am sure you have read about them, heard about them, I have experienced them--to make them more stable, eliminate bad and confusing links, and to make essential information more accessible? And also I know people got emails saying, ``Sorry, we can't get to this for a few weeks.'' I think you have caught up there is my understanding. But what do you do about the website crashing? Mr. Smith. Yes, it has come a long way. Again, the volume was overwhelming, as I noted in my oral testimony early on. 
They have taken the right steps to fix that experience. It is my understanding that the experience at the call centers and the website are far, far better today than they were September 7. Mr. Gottheimer. Yes. And I think we should keep bringing them to your attention because when they crash, you know, people get even more anxiety. So, if you can please--there are a lot of resources out there that can help you with that. Can you verify for me that the arbitration clauses or other legal liability limitations are not being included in Equifax's offerings of credit monitoring, credit freezes, credit locks, and identity theft insurance? Mr. Smith. Congressman, the arbitration clause is a standard clause in products that we sell to consumers, and consumers have the right not to buy a product from us, but go somewhere else to get that product. The intent was never to have the arbitration clause apply to the free offerings. We were made aware of that and, within 24 hours, took that arbitration clause off. Mr. Gottheimer. Good. Thank you. Equifax is claiming, as you have talked about, to provide a million dollars in insurance coverage for identity theft to affected consumers, but the coverage has numerous limitations and exceptions, and the timeframe for covered loss can be unclear to some people. Does Equifax believe that this insurance is in lieu of reimbursing customers for their actual losses, and can you make clear to people the limitations of the insurance, because I know that it doesn't cover everything? Mr. Smith. That is correct. It is expenses incurred. I think, again, the five services we are offering upfront, combined with the lifetime ability to lock your file, are the right steps for the company to take for the consumers. Mr. Gottheimer. Yes. I think that this is a big issue because you see a lot of these insurance companies and they provide this coverage, but it really doesn't cover what people think. And so, as liability occurs, there are holes. 
I am sure you have heard about the phone call wait times. I know one of my constituents wrote in they were on the phone an hour the other day, and others have called in about it being 45 minutes. How are we doing there? What has the improvement been? Mr. Smith. It has been dramatic. We have gone from 500 call center people to over I think it was 2,700 was the last number I have heard of trained people to handle those phone calls. Mr. Gottheimer. Do you know the wait time now? Mr. Smith. It has come down significantly. I don't have the exact number. I saw the data earlier in the week, Congressman. Mr. Gottheimer. Is that information you can get to us, just a sense of where you are now, average waits? Mr. Smith. Yes. Mr. Gottheimer. It seems to me it shouldn't be more than a couple minutes--obviously, there is huge capacity out there to add bodies and given how people have huge anxiety over this issue. I think that is the key here in my 8 seconds. People can't feel like this is an Equiscam. They have to feel like you are fixing things for them and making their lives better, given that their credit is hugely up for question now in front of many eyes. So thank you so much for your time. Chairman Hensarling. The time of the gentleman has expired. The Chair now recognizes the gentleman from Arkansas, Mr. Hill. Mr. Hill. I thank the Chairman. Thank you, Mr. Smith, for coming in today. I appreciate your chance to visit with the committees on Capitol Hill about this important issue. This is something my family understands. We have had the pleasure of being in the OPM breach, the IRS breach, and couldn't file our returns on time a year ago. And now I see we are gratified to receive your email about also being in the Equifax breach. So I can feel the frustration for a lot of Americans. 
And in Arkansas, according to our attorney general, Leslie Rutledge, 1.2 million people in Arkansas, some 40 percent of the population of the State, are covered by the announced breach by Equifax. So we do appreciate our chance to sit down and ask the hard questions that we are being asked by our constituents. I want to follow up on some of the line of questioning and start out just talking about the management practices at Equifax, if I could. Did you have a weekly executive management meeting with your top officers, your direct reports? Mr. Smith. Are you referring to post-breach? Mr. Hill. No, just generally. As a general practice at Equifax, did you have an executive management meeting with your direct reports on a regular basis? Maybe I shouldn't have said weekly. But did you? Mr. Smith. Yes, Congressman. We had routine operating mechanics to run the company. Some might be weekly. Some might be every other week. Some might be monthly. Some might be quarterly. Mr. Hill. Right. It is a mix, and I am sure a mix of levels of people in the company came, depending on the topic. But in your direct report meetings, would Mr. Gamble be in those meetings at that smaller group on whatever frequency it was? Mr. Smith. It would depend on the meeting itself, but largely, yes. He would be involved in many of the meetings we had as a CFO. Mr. Hill. And Mr. Loughran, who is the president of information systems, as well, would he have been in that meeting? Mr. Smith. Again, I have got 12 to 13 direct reports-- Mr. Hill. Is he one of them? Is he a direct report? Mr. Smith. Yes. So the three you are probably going to, and Rudy Ploder would be the third. Mr. Hill. Right. Mr. Smith. All three are direct reports to me. All three would be in most of the meetings we would have at the-- Mr. Hill. And then Mr. Kelley as well, as the chief legal officer? Mr. Smith. Again, there are 13 or 14 individuals, yes. Mr. Hill. I am just curious. 
In that meeting of your trusted advisers at the top echelon of the company, between March 8 and the end of July, did this topic come up among that group? Mr. Smith. No, sir, it did not. Mr. Hill. And in that period between March 8 and end of July, when did you really feel or you were told that it was a serious business challenge? Mr. Smith. It wasn't until--the detailed review we had is noted I think in written testimony on the 17th of August with the cybersecurity forensic team Mandiant, the outside legal team of King & Spalding, my team. It was the 17th of August was the first deep dive. Mr. Hill. Let me turn and talk about the section 16 officers in the company. I am sure the people we just talked about are all section 16 officers. The chief legal officer, the CFO, yourself, the president of information systems, Mr. Loughran, are all section 16 officers. Mr. Smith. That is correct. Mr. Hill. And your 12b5-1 plan, I assume that is all holdings, and then any in-the-money options would be covered by somebody's preplan to sell stock? Mr. Smith. The 10b5-1 plan? Mr. Hill. Yes. Mr. Smith. Yes. Mr. Hill. Both your personal holdings and then any in-the-money options that were in the money at the time of a filing, of an open period? Mr. Smith. You are referring to me? Mr. Hill. Well, no, just your plan as a corporate officer in the plan. Mr. Smith. Some officers may have had a 10b5-1 plan; others may not have. Mr. Hill. But it wasn't a requirement by the general counsel that everybody have one? Mr. Smith. No. The requirement was that the general counsel, as a clearing process, that he has to approve before a 16b officer can sell stock. Mr. Hill. How many days a quarter do you think you had available for trading under those plans? Mr. Smith. It tends to be the first 30 days after the earnings call. We wait a day or two. Thirty-day window. The general indication is to sell it sooner in the opening versus later. Mr. Hill. 
Can you think of a time when your general counsel canceled that window due to a material or nonpublic information effect while you were CEO? In other words, you couldn't use the window because people in the group had material or nonpublic information. Mr. Smith. There were a few times, yes. Mr. Hill. Did you have a lead director since you were the chairman? In your public company board, did you have a lead director? Mr. Smith. Similar. We called it a presiding director. Mr. Hill. Right. And when did that person find out about this? Mr. Smith. The 22nd of August. Mr. Hill. OK. Thank you. My time has expired. Chairman Hensarling. The time of the gentleman has expired. The Chair now recognizes the gentleman from Minnesota, Mr. Emmer. Mr. Emmer. Thank you, Mr. Chair. And thank you, Mr. Smith, for sitting through this again today. Obviously, you have heard this over and over today and in your prior three congressional hearings. I, like most people, am very concerned about the timeline of events. I appreciate the what I take is a sincere apology of yourself on behalf of Equifax and the acknowledgement of both the human error that you point out from last March and the error in technology, the scanning process that didn't work. But the timeline of the discovery of the issue, the sale of the company stock by three top executives, and the disclosure of the breach to the impacted American consumer, which, in Minnesota's case, I believe we have a little over 2 million that have been identified at this point, raise serious potential ethical and legal questions. I wanted to start by echoing what our Chairman, Jeb Hensarling, said at the outset of this hearing, and that is that the company and I would say current and former executives like yourself I would hope are going to continue to cooperate to the fullest extent with the FBI, the SEC, any agency that is investigating this, so that the truth can actually get out into the light and people can know exactly what happened. 
I know you can't commit on behalf of the company, but I am sure that you can commit on your own behalf, that even in your current capacity, you are going to continue to cooperate to the fullest extent. Mr. Smith. Absolutely. Mr. Emmer. I wanted to talk a little bit about the area, because today it is about Equifax, but I don't know that people are talking about the--even though we all know it, it seems to be unspoken that this is such a fast-changing environment. I was in a business that will go unnamed in Minnesota, and they have this huge investment in technology. They take you into the back room, and they have got these TV screens, flat screens all around the room, and they are showing you in real time all of the attacks that are coming in by the second and the minute. I don't think it is just about Equifax. This is a huge issue. You look, in 2014, the U.S. Postal Service had a breach that exposed personal data on almost a million employees, and they had to shut it down. The IRS, in 2015, had almost three- quarters of a million people affected by a breach. The Office of Personnel Management had one in June 2015. And even the SEC just last year had the breach of the EDGAR online filing system. So this isn't just about Equifax; this is a much bigger issue. And in the short time that I have left, there are two areas that I would like to talk to you about. One is I get worried in this place that the snap reaction of elected officials is more regulation, more stuff that you have to comply with, which I suspect takes resources away from the stuff you are trying to do to keep up with the ever-changing technology and the way the bad guys are trying to breach these systems. I would like you to talk about that for a second before we talk about rethinking Social Security numbers and dates of birth for identification. Mr. Smith. Congressman, I share your views there. It is amazing. There was a recent publication that came out, I think it was last week. 
It talked about in 2016 alone, over 4 billion pieces of consumers' information were hacked in 1 year alone. It is at a rate that I have not seen in my career. It is accelerating, if nothing else, and it is a real issue that I think, again, public-private partnerships can work on. If regulation can prevent a breach like this occurring again, I am all for it. This was not an issue, in my humble opinion, that more regulation would have addressed. Mr. Emmer. As you go forward into the next stage of your career with this experience that you now have, would you give a word of caution to those of us who are looking at this that, be very careful about if there is magic regulation because of the compliance costs that come with it and how that could negatively impact your ability or others' ability to keep up with the technology? Mr. Smith. Yes. I mean, oftentimes, we are all in a reactionary environment, and the first thing we think about sometimes is that regulation is the issue. I think there are a lot of things that the public-private together can do. You mentioned one of them, which is to think about the identifier that we use for the American public, and is there a solution beyond SSN. Mr. Emmer. All right. Thank you very much. Chairman Hensarling. The time of the gentleman has expired. The Chair now recognizes the gentlelady from Arizona, Ms. Sinema. Ms. Sinema. Thank you, Mr. Chairman. I am deeply troubled by the Equifax data breach that compromised the personal information of over 145 million Americans. Every American should take precautionary measures to ensure his or her financial security. Arizona seniors are particularly at risk and especially now. We must make sure safeguards are in place to protect them from financial fraud. So I have been working with Congressman Bruce Poliquin of Maine to pass H.R. 3758, the Senior Safe Act. 
This bipartisan legislation ensures that financial institutions have the regulatory flexibility needed to report suspected instances of financial abuse of seniors. Every Arizonan deserves to have confidence that his or her data will be kept safe when applying for a credit card, accessing a small business loan, or buying a home. And today's hearing is an important step in finding out what went wrong and what must be done to protect consumers. Mr. Smith, thank you for being here today. By your account, it took Equifax 40 days to let the American people know via a press release about a data breach that had lasted for 77 days. Additionally, hackers exploited the failure of Equifax IT staff to patch software for the 65 days leading up to the breach. That adds up to 182 days of Equifax failing to put Arizona families first. Your testimony before this committee seeks to detail the internal deliberations and legal consultation leading up to the press release on September 7, but it does not excuse the end result. An Arizonan whose name, address, and Social Security number was taken on day 1 of the breach, under your watch, was left vulnerable and in the dark about the data breach for 117 days. That is disgraceful and unacceptable. More than most, Arizonans value privacy. We value the independence to make our own financial decisions for our families and our economic futures. But instead of taking every precaution to secure our personal data, Equifax jeopardized our privacy and made millions of Arizonans significantly more vulnerable to identity theft and financial fraud. And now we must take every step possible to minimize the damage and better address future data breaches. It is believed that for the vast majority of Americans, this data breach was limited to their credit header data. Credit header data includes things like name, address, date of birth, known as NADOB data, as well as addresses, aliases, and Social Security numbers. So my first question to you, Mr. 
Smith, is while this information alone is highly compromising, it does not include Americans' most private financial information. Are you aware of attempts by these intruders to broaden the scope of the data breach to capture private financial information? If so, were any of those attempts successful? And if not, why do you think hackers opted to forego the more private financial data? Mr. Smith. Congresswoman, there are millions of attempted or suspicious attacks each and every year across a wide array of our data assets. We have no knowledge through the forensic audit done by Mandiant that any of the core credit, as you refer to it, data was compromised. As to why, that goes back to the written and oral testimony I gave, which is the Apache Struts software had sat in a different environment, completely outside of the core credit file, that was not patched. That is why they were able to penetrate that environment. Ms. Sinema. Mr. Smith, your testimony stated that it took the Equifax IT staff 76 days to notice suspicious activity after the breach began. Could you tell me exactly how were the intruders blending in with normal network traffic, while simultaneously stealing this data from Americans, and what do you think took the IT staff so long to notice the breach? Mr. Smith. They were fairly sophisticated, they being the criminal hackers. They moved about the system without moving large--what we define, in our environment, as large files. So the files themselves in size were not suspicious. They were also clever enough not to move at speeds--we have velocity indicators throughout the environments that would look for things that are moving at very high speeds. They were sophisticated enough to do neither. Ms. Sinema. Thank you. While the Equifax breach was significant, it is important to note it was still only the fifth largest data breach in the U.S., and all five of the largest data breaches have happened within the last 5 years in our country. 
And we as a community here in Congress must recognize that these data breaches here are increasingly frequent, and they undermine the trust that Americans place in the marketplace and their government. Whether it is Equifax or the Office of Personnel Management, Americans deserve to have institutions--both public and private--that work in good faith to safeguard their data from those who would harm them. And I would urge that Congress should recognize that cybersecurity is not a niche issue to be left to the next generation. We must find real bipartisan solutions that give Americans the opportunity to succeed. Thank you, Mr. Chairman. I yield back my time. Chairman Hensarling. The gentlelady's time has expired. The Chair now recognizes the gentleman from Ohio, Mr. Davidson. Mr. Davidson. Thank you, Mr. Chairman. Thank you for your testimony. Thank you for your sincere apology. We recognize that all these companies are staffed by humans, and humans fail, as does technology. However, we also recognize a high duty of care responsible for a fiduciary. I was a little concerned that I was tracking correctly the way that your reporting structure is on the board and the attention given to governance. Does IT report up through your CFO, or is that a direct report to you as the CEO? Mr. Smith. It is a direct report to me. Mr. Davidson. OK. Within the IT, you emphasized that you are a technology company. What is the structure like within IT? Is there an information security officer that stays in the IT channel, or is that broken out separately? Mr. Smith. The chief security officer, global security officer is a direct report into the general counsel of the company. The general counsel reports directly to me. Mr. Davidson. OK. So you feel that your governance structure was adequate? Mr. Smith. I am not sure I understand the question. Mr. Davidson. 
So given that this error happened, you mentioned that you had some closed-loop system failures, where you had things that are supposed to happen but you didn't have a closed-loop system to make sure they did happen. Do you feel there was any failure in governance? Was the structure part of the issue at all? Mr. Smith. I don't believe so. I don't think structure determines success or failure of a process or of a business. It is people and technologies doing the right thing. So having the chief security officer report into technology, report into me, report into CFO, I am not sure would change the outcome of what we just experienced. Mr. Davidson. OK. Well, that is a little concerning, but that is your philosophy. On trading, so when you look at--aside from the cybersecurity concerns, which have been covered extensively, I was really planning to go down a similar path to my colleague, Mr. Hill, who talked about how trades for board members, executives within the company are approved, what is the timing like for that? And I also noted that you said that there were times where because shareholders of record inside the company had information that was nonpublic and material that those trades were suspended. And I can't think of a more public time where it would probably have been appropriate to suspend a trade than while you had a breach of this. Was that an error, an omission, or do you feel that the governance worked correctly in that instance as well? Mr. Smith. Congressman, let me be very clear, if I may. There is a process to clear trades. It goes through the general counsel. I am not involved in that process. These three individuals that traded, it is my understanding they had no knowledge of the breach. You remember, back to the timeline we talked about earlier, it was the 31st was when the portal was shut down. We hired the forensic auditors and the law firm on the 2nd. 
It wasn't until later in mid-August that we had indication that something was going on that involved large amounts of data and PII. These guys traded the 1st and 2nd of August. They followed the process, the protocol that we had in place at that time. Mr. Davidson. OK. So based on the knowledge that your counsel had, I assume it reviews these sorts of things, would it have been part of the procedure to say, hey, we have just had some very substantial material information that is nonpublic. Isn't there a clear concern--4 days of testimony here, I am sure you are going to keep talking about this for a long time-- that given the amount of material information that was nonpublic, that executives and board members should not be trading in these shares? Mr. Smith. Congressman, again, clarification: The 31st of July, the only indication we had there was a suspicious incident, no knowledge of a breach until weeks and weeks later. Number two, it should be noted, this is a topic that is of priority for the board of directors, and there is investigation currently going on by the independent board of directors. Mr. Davidson. Do you think it was a mistake to not cancel pending trades even if they had been ordered before the discovery of this nonpublic information given that they were actually going to occur in that period? Mr. Smith. Congressman, on the 1st and 2nd of August we had no idea, other than a suspicious incident in a dispute portal. Mr. Davidson. Mr. Chairman, my time has expired. I yield back. Chairman Hensarling. The gentleman yields back. The Chair now recognizes the gentleman from Colorado, Mr. Perlmutter. The gentleman passes at the moment. The gentleman from Tennessee, Mr. Kustoff, is now recognized for 5 minutes. Mr. Kustoff. Thank you, Mr. Chairman. Thank you, Mr. Smith, for being here today. If I could, Mr. 
Smith, I think, from my standpoint in listening to others question you today, really the most glaring problem is the length of time between when this breach occurred to when the public was notified. And I have heard your explanations this morning. To that end, on September 7, when Equifax claimed that they recently discovered a, quote/unquote, ``cybersecurity incident'' involving consumer information, but, of course, you knew back in July. So if I can, let me back it up for just a moment. From a governance standpoint, did Equifax have a pre- existing plan in place for contingency such as this, for a breach such as this? Mr. Smith. If I may, before I answer the question, point of clarification. I was not aware in July there was a breach. I was not aware until mid-August, as I have said before, and then not until late August that there was a breach, and even that data continued to evolve until September 7 and, again, until Monday of this week. To answer your question specifically, Congressman, yes there was a crisis management written protocol in place, and it applied to many crises, including a data breach. Mr. Kustoff. Did it anticipate a breach as big as this breach? Mr. Smith. No. The crisis management protocol that we have in place is a breach in general. It doesn't specify you react differently if it is 145 million versus 5 million. Mr. Kustoff. Did Equifax, in fact, use that protocol for this breach? Mr. Smith. Yes. Mr. Kustoff. Was it executed properly? Mr. Smith. Not without issue, as we talked about, but that is because the system, the people were overwhelmed on the sheer volume. Mr. Kustoff. So I understand it, the website that you have set up to provide consumers information about the breach, which is EquifaxSecurity2017.com, in fact, that domain name was secured on or about August 22. Does that sound about right? Mr. Smith. That sounds about right. Mr. Kustoff. All right. 
So that website, in some form or fashion, was ready to go some 2 weeks prior to the announcement. Is that right? Mr. Smith. Yes, Congressman, that is approximately right. And remember, the thing we talked about is, one, the data was still moving. It was fluid. We were wanting to be as accurate and as transparent as possible on the data; two, we talked about Mandiant, the cybersecurity forensic team had recommended that we prepare for increased cyber attacks post announcement; and third was we had to stand up the environment you are referring to so consumers can get access to free services. Mr. Kustoff. I do want to follow up, at the beginning, this morning, Chairman Hensarling asked you about law enforcement. As I understand it, the FBI is involved. They are leading the investigations. Is that correct? Mr. Smith. That is correct. Mr. Kustoff. Is the Secret Service also involved? Mr. Smith. Not to my knowledge. Mr. Kustoff. Are there any other law enforcement agencies involved in the investigation? Mr. Smith. There may be. I have been so focused on the FBI. Mr. Kustoff. I note that law enforcement, including the FBI, there may possibly be other law enforcement, there were other agencies that are involved in the investigation. Is there any law enforcement agency or any agency whatsoever that recommended to you or to Equifax that you not disclose this breach until when you disclosed it in September? Mr. Smith. To the best of my knowledge, no. They were involved starting August 2. We communicated with them routinely throughout the process. We made them aware in September. We planned on going live on September 7. Mr. Kustoff. You mentioned earlier that you hired Mandiant on or around August 2. That is right? You mentioned King & Spalding who you have hired for legal purposes. Have you also hired a PR crisis team? Mr. Smith. Yes, Congressman, we did. Mr. Kustoff. And who is that? Mr. Smith. 
In fact, we hired two, a company called Edelman, well-known crisis management team at the tactical level to help us understand, track a variety of input from different sources, social media, broadcast media, regulators, State AGs, so on and so forth; and then a crisis management, kind of a strategic consultant as well. Mr. Kustoff. You mentioned King & Spalding. Have you inquired of King & Spalding or any other law firm concerning bankruptcy protection for Equifax? Mr. Smith. No, sir. Mr. Kustoff. No bankruptcy protection whatsoever? Mr. Smith. Have I consulted a law firm-- Mr. Kustoff. Or anyone else concerning bankruptcy protection for Equifax. Mr. Smith. No, sir. Mr. Kustoff. Let me ask it another way: Has anybody at Equifax sought advice for bankruptcy protection for Equifax? Mr. Smith. Not that I am aware of. Mr. Kustoff. That is all that I have. I yield back. Chairman Hensarling. The time of the gentleman has expired. The Chair now recognizes the gentleman from Maine, Mr. Poliquin. Mr. Poliquin. Thank you, Mr. Chairman. Appreciate it. Thank you, Mr. Smith, for being here. I know you have been on the Hill for quite some time, and a lot of these questions have been asked before. But this is so important because it goes central to our economy. It really does. Here we are on a new pro-growth agenda for this country where we want to have lower taxes and fewer regulations and trade that is fair and energy prices that are lower and stable and then something like this happens. Now, I know you folks got hacked, and I know you are doing the best you can with it. But the results of this might not be felt for quite some time. Think about this, about a third of our country, 40 percent of our country--I don't know what it is--60 percent of our adults, 145 million people, Mr. Smith, 145 million, and criminals now have the Social Security numbers, their addresses, their birth dates. When my mom who is 89 had to go in and sign up for Medicare, what do you need? 
You need a Social Security number. And this is really, really serious stuff. I accept your apology. I hope the American people do. I don't know if they will. But we have a population of about 1.3 million people. I am guessing about .5 million got affected by this. Now, I am also very concerned about the perception of wrongdoing when it comes to our securities laws. You are a publically traded company, your Equifax is. That means folks in Maine and rural Maine that I represent who are saving for college or saving for their retirement, little savers, small investors, the little guy, they can buy some of your shares in the open market and take a bet that your growth is going to reward them and take a bet on the U.S. economy. And then all of a sudden we have material here--if you believe it. I don't know there is an investigation, I am sure, that is going on--that says that in late July you folks knew about a breach, and a breach which is central to your business. My gosh. You folks collect all the sensitive information and you sell it to banks and automobile dealers and what have you to make sure they get accurate credit reports and money can flow through the economy and families can buy homes and get mortgages and buy cars and businesses can grow. This is really serious stuff. So any breach of that information in your business plan is central to your success as a company and therefore it affects the stock price. So now we see information--if it is true. I don't know--that you had folks on the inside. And it is really hard, Mr. Smith, for me to accept the fact that you had about a dozen people reporting to you and they didn't know what the heck was going on when something is so central to your business plan. It looks like some of these folks acted--three in particular have been mentioned today--acted to sell their stock before the breach was announced, about a month before, to escape loss in the stocks that they own which is the stock in your company. 
If that is the case, the little guy gets screwed. Because the guys on the inside who know this information avoid the loss, but the little folks that I represent up in Maine--and they are hardworking, and they save every penny and they are worthy of all the income they have--they have invested in your company. They have invested in America. They have invested in our economy, and they get screwed. I have got a question for you. Now, I may be wrong about this, Mr. Smith, but the information I have that is public, it says that you own about 285,000 shares of Equifax. Is that true? Mr. Smith. Yes, I believe that is right. Mr. Poliquin. OK. Fine. And given the--roughly, the market value of that of your outstanding price per share, it is about 28 million bucks or something. Do you or did you sell any of your stock between the time when the breach was learned on the inside and when you announced it to the public when everybody else in America had that information? Mr. Smith. No, sir. Mr. Poliquin. OK. Here is one of the other things that drives me crazy: Confidence. We have business--out of 15-year business confidence at a 15-year high. We have consumers who are confident about the new direction for a growing economy with more jobs and fatter paychecks. And then something like this happens, which shakes our confidence. Now, I know that Kyrsten Sinema mentioned this, and I want to support it also and ask everybody in our conference, Republicans and Democrats, to support a way for Congress to help, and that is called the Senior Safe Act. We think it is a good idea if seniors who are very vulnerable to this sort of identity theft and fraud are able to go to their bank tellers and their insurance agents and those who plan for their retirement and say, we suspect fraud here of all types. We want to speak up to the authorities and not be liable for doing so. That is a great bill. Thank you, Mr. Smith, for being here. I appreciate your time. Chairman Hensarling. 
The time of the gentleman has expired. The Chair now recognizes the gentleman from Pennsylvania, Mr. Rothfus. Mr. Rothfus. Thank you, Mr. Chairman. Mr. Smith, when I first heard about the breach, I was obviously very concerned, like all Americans were. Equifax, which is tasked with guarding millions of Americans' sensitive and personal data, has violated the trust of the American people. It is not acceptable, and I commend the Chairman for convening today's hearing so that we can understand what went wrong and how we can prevent it from happening in the future. My constituents in western Pennsylvania sent me here to be their voice, so I would like to share some of their thoughts on this situation. David from Allegheny County, Pennsylvania, wrote to us, quote, ``I am more than a bit angry about the Equifax data breach. While I understand that crime will always be a part of life, I am outraged by Equifax's response to the situation. They have allowed my personal information be compromised and made available. This has the potential to impact my wife and I for the rest of our lives.'' Robert in Cambria County, Pennsylvania, wrote, quote, ``Equifax must be held severely accountable for the massive data breach affecting nearly every adult American, including my entire family. They must answer for their weak and seemingly disingenuous initial response and notification regarding the breach.'' And Alan, also from Allegheny County, described his interactions with Equifax as, quote, ``an endless, circular conversation,'' and added, quote, ``frankly, I am rather tired of this ongoing fiasco.'' These are real people whose concerns need to be addressed. Hardworking Americans are scared and they deserve answers, and they need to be made whole. I understand that--we talked about a little bit of a timeline here. Equifax discovered the breach on July 29 and notified the FBI 2 days later. 
Mandiant was brought in a few days after that to investigate, but Equifax did not notify the public for over a month. I understand from your testimony that this delay was partly due to a concern that public notification would invite more bad actors to compromise your systems. With that said, it is still concerning that more than a month elapsed between discovery of the breach and public notification. I am curious as to whether there was a specific event or fact that finally led Equifax to make the disclosure. For example, September 7 was the date that it was disclosed. Did you know something on September 7 that you did not know on September 6? Mr. Smith. Congressman, a point of clarification. So we did not--we were not aware of a breach of any sort back in the July timeframe you mentioned. Again, at that time it was-- Mr. Rothfus. Well, you noticed activity on July 29 that was suspicious? Mr. Smith. We notice suspicious activity on our databases around the world to the tune of millions per year. So what we saw--thought we saw in late July was nothing we haven't seen before. Suspicious activities, unfortunately, in this environment are very common. Mr. Rothfus. But a couple days later you are already engaging outside vendors? Mr. Smith. Which that, in itself, was not unusual. Mr. Rothfus. What did you know on September 7 that you did not know on September 6? Mr. Smith. I don't have that specific answer. I can tell you this: The timeframe between mid to late August and September 7, as I mentioned before, was very fluid. As we just saw on Monday's announcement this week, that picture continued to develop as we found 2.5 million more consumers that were impacted and announced on this Monday. So it was an ever- evolving set of facts. Mr. Rothfus. You testified that the data was not encrypted on your database. Is there a reason for that? Mr. Smith. 
Again, there are different levels of security in different environments: Encryption is one, tokenization is one, masking is one, firewalls are one, encryption at rest is one, encryption in motion is another technique. So there is no one, single technique that protects the consumers' data.

Mr. Rothfus. A lot of people are watching at home wondering if their data was compromised in the breach. Many Americans are still wondering whether their personal information that is currently being housed at Equifax is safe. Is their information currently safe today?

Mr. Smith. We have no knowledge that any other information we have in our database in the U.S., around the world was compromised. It was limited to this one dispute portal we have talked about now for a number of days.

Mr. Rothfus. Is there a reason that you are choosing not to disclose the scope of insurance coverage?

Mr. Smith. Yes, there is.

Mr. Rothfus. Could you share that with us?

Mr. Smith. I prefer not to. And the reason being, Congressman, is when you disclose a number it puts a target out there for others, for lawsuits, and so on and so forth.

Mr. Rothfus. That is going to be disclosed in discovery, and you already have lawsuits out there.

Mr. Smith. Yes.

Mr. Rothfus. But you are choosing not to--

Mr. Smith. Correct.

Mr. Rothfus. I yield back, Mr. Chairman.

Chairman Hensarling. The gentleman yields back. The Chair now recognizes the gentleman from North Carolina, Mr. Budd.

Mr. Budd. Thank you, Mr. Chairman, and Mr. Smith. So I think what has infuriated the people I serve in North Carolina is they really didn't volunteer to have their data stored at your company. They didn't say Equifax, here, take my data. So there is an element, and it is a major one at your company, and it is a trust element, and that has really been shattered. But let me shift over to a personnel topic. So why were the chief security officer and the chief information officer allowed to retire instead of resigning or being fired? I believe you, yourself, resigned.

Mr. Smith. It is semantics. They are out of their job now. The day we announced they are stepping down, they are no longer effective. They are individuals who can add an advisory capacity for smooth transition between themselves and the two announced interim individuals we have at the CIO level and the chief security officer level. And then if those individuals are replaced with full-time people, which they will be at some point in time, they can add value there. So it is nothing more than having them assist in a smooth transition.

Mr. Budd. Beyond just semantics, what was the total cash value of their retirement packages, if you don't mind?

Mr. Smith. I don't know specifically. We can get that information to you.

Mr. Budd. If you would, please. So did the chief security officer and the chief information officer undergo any financial repercussions as a result of their retirement other than foregone future salary?

Mr. Smith. They lost their jobs, and there is no bonus.

Mr. Budd. So just foregone future salary and no bonus, correct?

Mr. Smith. Yes, correct. And no severance for either one.

Mr. Budd. Did the discussion to allow them to retire instead of terminating their employment, did it increase or decrease the size and scope of their severance package with the company? You said there was no severance package.

Mr. Smith. Correct.

Mr. Budd. In general, does an employee at the Equifax Corporation who retires have access to more benefits, receive a better separation agreement than someone who resigns or is fired?

Mr. Smith. Not to my knowledge.

Mr. Budd. Well, so it is more likely than not--did Equifax not punish the individuals responsible but actually rewarded them through this decision by not firing anybody?

Mr. Smith. No, sir. They are both out of a job.

Mr. Budd. Chairman, I yield back.

Chairman Hensarling. The gentleman yields back. The Chair now recognizes the gentleman from Indiana, Mr. Messer.

Mr. Messer. Mr. Smith, thank you for being here. You know, I admire your stamina in sitting through this, but I have to tell you, the more I hear about this, the madder I get. So excuse my tone as I go through this. Have you had an opportunity to log onto the Equifax page and do this process of determining whether you were part of the breach?

Mr. Smith. Absolutely.

Mr. Messer. I did it.

Mr. Smith. Right.

Mr. Messer. So in that, I had to give my birth date multiple times, had to give parts or all of my Social Security number, four or five times. I answered a question or two wrong, so I had to call into the web pages--I mean call into your calling service, and I had to give my Social Security another time. Has it crossed your mind that given the recent breach and the fact that you guys have disclosed personal information for 140 million Americans that people might be a little uncomfortable giving you their Social Security number again seven or eight times to find out whether they were impacted?

Mr. Smith. Congressman, I have talked to a number of people myself, and I share your frustration. I share their frustration. We have tried to improve that process as much as we can, but we have to validate you are who you are before we can offer you the product.

Mr. Messer. Well, it is frustrating to a lot of people, and obviously you haven't built a great record as an organization on trust. Will Equifax profit from the new data now being provided by tens of millions of Americans to your website? Will Equifax be able to take that information now that I have entered it again and use it commercially for itself or for partners?

Mr. Smith. The intent of this service is a service. It is a utility. It is to offer you this service for free, not sell, cross sell, up sell you as a consumer.

Mr. Messer. So looking here, this is the privacy notice you have to click on when you sign onto the web page. It says here, I think, in these two columns here, that this information can be used for joint marketing with other financial companies, for affiliates, everyday business purposes, for marketing purposes by, it looks to me like Equifax and the company that is doing this for you. Is that--

Mr. Smith. Congressman, if you are a consumer that comes in and gets a free service from us, our intent is to have that in an environment where we don't cross sell, up sell you.

Mr. Messer. Well, the form says you will. So am I to believe you or the form?

Mr. Smith. Excuse me?

Mr. Messer. The form here says you will. So am I to believe you or the form?

Mr. Smith. I am not sure what form you are referring to.

Mr. Messer. This is the privacy notice. So, again, will Equifax have the opportunity to use the information provided by consumers in their operations of commerce, therefore make a profit on it?

Mr. Smith. I will say it one more time. The intent is when you come to us to get a free service, we are not going to cross sell or up sell you.

Mr. Messer. With all due respect, there is a phrase, the road to hell is paved with good intentions. I think your intentions were probably fine as 140 million people lost their information. It looks to me, based on this form, that you guys have the ability to do that. I want to ask you this question: Have you ever met anybody who had their identity stolen, Mr. Smith?

Mr. Smith. Yes.

Mr. Messer. It is a pretty miserable experience, isn't it?

Mr. Smith. Yes.

Mr. Messer. It destroys their life. So as we talk about big numbers like 140 million people, almost 4 million people in Indiana, it is really important to remember that these people are real people that have had their lives put at risk.

Mr. Smith. Congressman, I couldn't agree more. I have talked to people at my church that work for us, Equifax employees, people in the community, my three daughters, my wife, my family. I understand the anger and frustration they are going through.

Mr. Messer. And I am glad you appreciate that frustration. We will return to this in just one quick second. As we have gone through this, you have said you have these five services you are going to provide. When it comes to real compensation for people who have had their identity stolen, the reality is they are not going to get much from you. Is that fair?

Mr. Smith. What they are going to get, Congressman, is these five free services plus the sixth service, the lock and unlock for life.

Mr. Messer. But if their identity is stolen, the compensation for you won't be much. You said earlier you won't throw out a number. I can give you a number. Total assets of your company are about 6.6 billion based on your annual report. Is that right?

Mr. Smith. Approximately.

Mr. Messer. Roughly that. So if you take 147 million people, that is about $47 per person, if you liquidate. If 1 percent of those people have some kind of damage, you have got about $4,700 that you would have to even compensate them anyway. I want to ask you this though, because you mentioned how frustrated you were, and I will leave you on this. This is where I think a lot of American people struggle. You would consider this a pretty major business screwup, right?

Mr. Smith. It is a breach obviously that we are very, very sorry for.

Mr. Messer. 147 million people. And you mentioned--let me use your phrase--the folks that you found most directly responsible for that, they lost their job, no bonus, no severance, right? Is that what happened to the people that you held responsible for this? That is your words.

Mr. Smith. My words are, I am ultimately responsible, and I stepped down.

Mr. Messer. So does it seem fair to you that you would get a $40 million to a $90 million bonus as you exit after you presided over potentially the biggest business screwup in modern history where 140 million Americans had their personal information stolen?

Mr. Smith. Congressman, the only thing I have walked away with is all disclosed in the proxy. It was my pension and prior compensation. I have asked for no more.

Mr. Messer. Yes. The American people are frustrated. And again, I appreciate you being here, but they have a right to be frustrated. It doesn't seem fair.

Chairman Hensarling. The time of the gentleman has expired. The Chair now recognizes the gentleman from Georgia, Mr. Loudermilk.

Mr. Loudermilk. Thank you, Mr. Chairman. Mr. Smith, thank you for being here. I am impressed that you are here, considering that you are no longer in your previous position. I don't know that you would have had to have been here. I appreciate your attendance here because I know this is difficult. It is a difficult time for 147 million Americans as well. A couple questions regarding some of the things you said earlier. Where I want to be focused is how do we prevent something like this from happening again? I spent 30 years in the IT business, and security was always at the forefront of things we were working on. And so I am very interested in what transpired to cause the problem, how can we avoid this in the future. First of all, you had mentioned in a couple of instances, as you were addressing some of the members asking questions here, that you complied with all the State laws regarding notification. And you mentioned State laws earlier regarding cybersecurity. Is it State laws that govern our cybersecurity policy? Is there not a Federal law that governs that? And if there are, why is that not applicable?

Mr. Smith. Congressman, the only point of clarification, the only thing we are trying to be mindful of there was as we learned and gained more insight on the size and scope and nature of the breach is making sure we balance our desire for accuracy, completeness of the picture with the State laws of communication. That is what I was referring to.

Mr. Loudermilk. OK. I understand. But are there Federal laws that are applicable in this instance, or is cybersecurity pretty much governed by State law?

Mr. Smith. I am not sure what you are saying. It is not governed by State law. The State law was just the communication I was referring to.

Mr. Loudermilk. OK. So the actual applying of the patch, from what I understood in your previous testimony and you answering questions, was you were notified of the vulnerability. A patch was provided. It was communicated that that patch should be applied, but somewhere that did not happen. I guess, it was the human error was the individual who was to apply the patch to that portal did not follow through. Is that correct?

Mr. Smith. It is a little bit more than that. It was an individual in the IT organization who received notification from security. That individual was responsible for the patching process and never ensured that the proper person was communicated to and did not close that loop.

Mr. Loudermilk. Is there a level of oversight that should be there? Quite often when I was in the military, and worked in communications and intelligence, we always had two-person integrity. There was always somebody looking over the shoulder to make sure that a process was completed. And same thing when I was working with many governments and their IT is that especially with the security patch, that there was always someone else to come back through and make sure that it was applied. Was that process not in place?

Mr. Smith. Yes. To clarify, this individual owned the communication and the patching process to ensure it was not closed. He did neither. Second, the closed-loop process was also the scanner we talked about. And the scanner, which is applied, I believe it was March 15, to look across the environment for this vulnerability did not find this vulnerability, and that is currently under investigation as to why.

Mr. Loudermilk. OK. That was--it kind of hit my next question, is that being under investigation as to why that did not happen, and is there some liability on some individuals that potentially were nefarious in this process?

Mr. Smith. The individual who I just discussed that was responsible for the patching process is no longer with the company.

Mr. Loudermilk. All right. Thank you, Mr. Chairman. I yield back.

Chairman Hensarling. The gentleman yields back. The Chair now recognizes the gentlelady from New York, Ms. Tenney.

Ms. Tenney. Thank you, Mr. Chairman. And thank you for having this very important meeting, as we have over 145 million U.S. consumers who have been affected by this. And I thank you, Mr. Smith, for being here and being willing to answer these questions. You know, everybody is really angry. Our constituents are calling us. People are concerned about the security breach. Social Security numbers, birth dates, addresses, driver's license numbers, credit card numbers for up to 200,000 consumers and all kinds of data has been breached. And it took--I know you have discussed this over and over--but 6 weeks to notify regulators. My first question on this is, did you or your firm notify the credit bureaus before you announced this breach so they could prepare for what our consumers are trying to find answers to? And many State laws also require this. Did your company actually do that? Did you notify those credit bureaus that were your customers?

Mr. Smith. Let me make sure I understand the question, Congresswoman. Did we notify specifically TransUnion and Experian who--

Ms. Tenney. Right. Prior to the date that the breach was. So it took 6 weeks before the actual patch was discovered and released. That is when you got your--I don't know--I can't remember the dates on--my colleagues asked you when you got your crisis management team, when you lawyered up, when you got everybody ready before you actually disclosed that. But when did you actually notify your customers, the credit bureau customers who relied on you for your information?

Mr. Smith. Again, I think I understand the question. So it was in late August, not late July, that the picture started to come together that we had a data security issue. We went live on September 7. To answer your question specifically, we did not go to TransUnion or Experian before the release went out on September 7.

Ms. Tenney. So they didn't have any knowledge of this happening, so they weren't able to prepare when this was to come later on, as your company did?

Mr. Smith. It was not public at that time.

Ms. Tenney. Right. Let me ask you, so you described the suspicious activity and the patches and millions of patches occur. Is there a priority or a way that your team identifies what patches are more important, more valuable, more vulnerable than others? Is there some protocol in place for that?

Mr. Smith. Yes, there is. Let me clarify though, if I may.

Ms. Tenney. OK.

Mr. Smith. It is not millions and millions of patches per year. What I was referencing is, in any given year, it is not unusual to have millions of suspicious or potential attacks. Specific to patches, patches and the requirement for patches are very common, and they are stratified in different categories, from critical to high, to medium, to low risk. And the protocol internally for the amount of time required or allowed to apply the patch depends on the criticality of the issue itself.

Ms. Tenney. So what would you rate this patch that was what was--did not get--

Mr. Smith. It was critical.

Ms. Tenney. It was critical. And that didn't--when was the actual date that you discovered that patch?

Mr. Smith. Again, March 8 we were notified by CERT of the need to patch on the 9th. The email went out to the teams to apply the patch. And as we talked about before, there was a human error. The individual did not communicate and close the process. And on the 15th of March, the scanning device did not find the vulnerability.

Ms. Tenney. But that is in March. Did you notify the credit bureaus or the other customers? How many customers do you have on your--do you know--the confidential data is actually on your site--do you have--in control of? How many people, would you say, actual individuals are on the site that would be vulnerable, not just--

Mr. Smith. The total credit population in the United States is roughly 230 million, 240 million people.

Ms. Tenney. So that many people were affected by this?

Mr. Smith. No, Congresswoman. The number we disclosed was 145.5 million. The services we are offering are to all Americans, but at this 145.5 were impacted.

Ms. Tenney. OK. Well, let me just go quickly, because I decided to go look onto your site, as my colleague pointed out. It is ironically called TrustedIDPremier.com. And I went to this and put my own information, and it said I may have been breached. And it does send me to another--I have to go through some protocols, re-enter more digits, my Social Security number, my name, and then it reveals to me that, nonetheless, please enter more personal information. If people listening to this and my constituents go on to make sure--to find out if they have had their data breached, will they be vulnerable if they re-enter this on this website?

Mr. Smith. We have taken many steps since the breach to make sure that site is very secure.

Ms. Tenney. So this is secure? They can go re-enter their data, and it will be secure?

Mr. Smith. Yes.

Ms. Tenney. Thank you.

Chairman Hensarling. The time of the gentlelady has expired. The Chair now recognizes the gentleman from Colorado, Mr. Perlmutter.

Mr. Perlmutter. Mr. Smith, thank you for your testimony today. Thanks for lasting so long. Just a few questions for you. And I do have some sympathy for the attack, the breach. Whether it is Anthem, BlueCross, or Lowe's, or Home Depot, or JPMorgan Chase, or personnel department, the Democratic National Committee, lots of hacks have occurred, and everybody needs to stay vigilant to that. My questions to you, sir, are going to be more--credit reporting agencies are not everybody's best friends. You have a job where you try to actually say, this guy is a good credit risk, this gal is not a good credit risk, whatever. And we had--and it may have been you and executives from Experian and TransUnion a few years ago, and there was a question about whether or not the algorithms that are the basis for people's credit reports were going to be disclosed to us as Members of Congress. And I think the testimony was that those were proprietary and patentable and were key pieces of information for the different organizations. Were you one of the ones that testified for us?

Mr. Smith. Congressman, I was not. You may be referring to the most common credit score in the industry is the score called the FICO score.

Mr. Perlmutter. Right.

Mr. Smith. That may be who you are referring to.

Mr. Perlmutter. So we wanted to get information at that point about how a FICO score was calculated, is it fair to whoever is getting their credit score, credit report, and we were told, no, that is proprietary information. Do you know whether in this hack how you guys developed the FICO score was stolen?

Mr. Smith. Congressman, we are a reseller, if you will, in some cases of that FICO score, and there is no indication that we housed FICO scores that were hacked in any way.

Mr. Perlmutter. OK. So the algorithm is that proprietary information, to your knowledge, wasn't part of this theft?

Mr. Smith. Yes. The algorithm is developed and controlled and owned by another company called Fair Isaacs.

Mr. Perlmutter. And your company doesn't have how that algorithm is created or developed?

Mr. Smith. That is correct.

Mr. Perlmutter. OK. I was asked by somebody from the Energy Committee, and I know you may have testified earlier today, do you know whether there was a foreign actor who was the perpetrator of this hack?

Mr. Smith. We have engaged the FBI, and the FBI is continuing their investigation.

Mr. Perlmutter. There were some statements you made that there was a clever kind of ability to get around some of the safeguards you all had in terms of the speed or the volume or--

Mr. Smith. Uh-huh.

Mr. Perlmutter. Is there a concern on your part or anybody at the company's part that this was an inside job?

Mr. Smith. I have no indication of that at all.

Mr. Perlmutter. So, when somebody comes in and hacks, it is like they are trying to break into the bank. And your bank housed a lot of information, if you will. And you had some safeguards. You got the patch, so there is a vulnerability that they were able to get inside the bank. But then they were able to avoid a number of the different kinds of defenses you had within the bank. Did I mishear your testimony?

Mr. Smith. That is correct.

Mr. Perlmutter. So in this investigation, are you doing an internal investigation on top of the FBI investigation? How is that proceeding?

Mr. Smith. Yes. If I understand your question, there is the forensic investigation which was done on the data that was compromised. It was done by an independent firm called Mandiant. There is an internal investigation being done by outside counsel to look at all the processes internally and the individuals involved internally, if that answers your question. And then there is the FBI investigation as well.

Mr. Perlmutter. All right. Last question, just what I was looking at, there are 100 lawsuits, class-action suits, a variety of suits. You were asked by Mr. Rothfus whether you had insurance for this, are you self-insured. You didn't want to give us an amount. Do you have insurance for this?

Mr. Smith. We have cyber insurance, yes.

Mr. Perlmutter. OK. And is there a self-insurance? Do you have self-insurance? Do you have money in reserve for something like this?

Mr. Smith. There is a retention that we have and then on top of that is a stack of participants up to a limit.

Mr. Perlmutter. And my last question, do you still retain shares in the company?

Mr. Smith. Absolutely.

Mr. Perlmutter. OK. Thank you.

Chairman Hensarling. The time of the gentleman has expired. There are no more members in the queue. I would like to thank the witness for his testimony today. The Chair notes that some Members may have additional questions for this panel, which they may wish to submit in writing. Without objection, the hearing record will remain open for 5 legislative days for Members to submit written questions to these witnesses and to place their responses in the record. Also, without objection, Members will have 5 legislative days to submit extraneous materials to the Chair for inclusion in the record. I would ask Mr. Smith that you please respond as promptly as you are able. This hearing stands adjourned.

[Whereupon, at 1:44 p.m., the committee was adjourned.]

A P P E N D I X

October 5, 2017