unmasking? thank you. gues guest: guest: i'm a little bit confused. somebody did something wrong, yes, that is it. but the question of, one that 702, what happens with evidence that is produced and when it ends up in criminal court, that is a potentially big problem for both sides. shows up in secret, that means the defendant's rights are not something they can stand up for, right? if michael flynn's rights were violated, we need to to sure he has the ability defend himself and potentially to challenge the government's ase on the basis of the constitutionality of the search. and e government shows up they announce or revealed they introduced or used evidence they collected unlawfully, that compromises the case there is integrity issue at the heart of question. we need to make sure if 702 up in court nding

used against defendants, it is properly noticed, defendants happened so they can say i had a right to privacy and you violated it by getting this. flip side, where the government doesn't have to use 702, ordinary powers like they don't have to. it was ase of flynn, if used secretly, that would be a massive problem, i tonight think hat happened with michael flynn. i don't know enough about flynn right now. waiting with baited breath right now. host: lisa, line for republicans, go ahead. caller: hi, good morning. i agree with your concerns about unfair government spying of process.ithout due i do -- don't think it is fair author hat trump has tearian tendencies on this topic, that remains to be seen, with it.ill do but i'd like to know what the been doing. have

can you talk about that? they e i've heard that also use technology sometimes to of people,hone calls suspects, let's say, locally, can you talk about that, please? you. guest: thank you, lisa. so the first part about trump, authortarian one thing or not, put out here, powers whoever comes next will have. enough for concern. it should be enough for concern of everybody and should one them prove to have authoritarian we don't want them have power this invasive and road without all checks and balances. with that said, local police lot to saye is not a about 702's relation to local police. that some ossible information is filtering down to issues, but that's

not necessarily where the biggest concerns lie. it is best ot identified with whether or not it shows up in court, with that aid, there are massive surveillance problems across this country that implicate ocal police or local law enforcement and i'll give you a couple different issues and move on then. stingrays, stingrays are very invasive technologies that don't have a whole lot of rules on the road right now. of now that a number localitys possess these devices. a t they do, pretend to be cell phone tower. when your phone is trying to connect to its provider, it goes accesss the closest one n. turns .hey connect with the stingray that provides surveillance that i think most people don't realize, these are not all the time.ing but whether or not you need a warrant to use it and need articulate who you are trying to find with it, those are big questions because don't have those rules in

place, tonight have protections, what a local know law enforce cemetery doing with he technology and that is just one. there are plenty other examples of spying tools being in the enforcement. host: back to capitol hill in the last minutes or so we have left. reauthorization moves forward, can you explain the spectrum of table?s on the is it possible the fisa amendment act could be reauthorized with no changes? if so, how long could that for, another n be five year? guest: we're looking at anything from four to six year reauthorization or outside that straight sunset or straight reauthorization. straight reauthorization without a sunset unlikely.rdinarily very few people are willing to champion that message, everybody is massive and different than all the other ones and that's, i think, one why everybody, even

people more hawkish than we are, of sunset.upportive i also don't think there are votes for straight and we've heard house judiciary chairman bob goodlet say he doesn't think the house of representatives would support straight don't think on, i they would. the question is what reforms come out of the process. ont: demand progress' letter this issue is available on their this issue is available on their

[inaudible conversations]

spread the committees will come to order today we receive testimony on the production of consumer data with the credit bureau. at equifax hearings we wanted understanding of how credit bureaus are regulated and protect data whether there are gaps have long been concerned about the increasing amounts of big data collected by companies and by government. is critical that personal data is collected consumer impact is minimized and it is not harmed. the credit bureaus play a valuable role to assess a consumer's ability and to

facilitate access as with most businesses requires the most data secure you that since the of consumer information is safeguarded? two weeks ago they talked about the methods they use to protect their consumer database as encryption and took it is a sham. richard smith noted while some of the database is ingrafted at rest but that portal that was compromised was the best ways to protect us is the data security industry standards and credit bureaus. end up with sensitive

consumer information and what rules the federal agencies play with data security and credit bureaus given that that is a financial institution how does data security and oversight compared to that of traditional financial institutions? i look forward to hearing from our witnesses to ensure they have those security measures in place to the oversight of data security at the credit bureau. the equifax breach of left with a 145 million consumers confused as to what can be done to mitigate damages to their identity and credit we feel starting in january equifax will offer all customers to unlock their

credit file for free. for consumers to monitor their credit reports. many rebated confused about which options are best but this hearing will hopefully provide additional clarity we have a shared interest to ensure the credit bureau takes the necessary measures to minimize the risk of another breach. >> under current law if we like it or not companies like equifax can collect personal information from the social media of profiles to track our grocery store purposes even to track our daily commutes. they are free to combine and sell the the information to other data mining firms use

to make decisions like what kind of car or job those like equifax rarely have to tell us how these decisions are made if they hide behind those pray for it -- for tight -- proprietary models. and if they protect people as a recent breach demonstrates the in late to work perfectly to protect consumer data with 145 million data have their data exposed it doesn't seem that corporate data. because consumers have no place over what is over their consumer protection as an afterthought. talk about those inadequate

protections we cannot forget 145 million people who through no fault of their own have the compromise we don't just talk about how we strengthestrengthe n cybersecurity and examined the effect of the credit bureau model to have a long history of consumer complaints with long-term effects to get a house in with those other data collection companies. and despite their continued failure to provide accurate

credit reporting services meant to give up the bonus to make the concession. and to make them even in more vulnerable and unless things change to pay a price for all of the recklessness and in some cases even giving tax dollars to do a pilot for word to what the witnesses have to say on these matters. >> first to give testimony of the consumer data industry association. with a private information

center. >>. >> each of those recognized for five minutes and then we will proceed to questions. >> to the ranking member brown they give for the opportunity to appear before you i am a partner end of the law firm i am appearing today on behalf of the consumer data industry which is a trade association and to protect consumers. our members include the three national credit bureaus. you have asked us to discuss

consumer protections but first important role played by in our economy two-thirds of gdp comes from consumer spending. with that credit reporting system to open a bank account or purchase a cell phone. more than 40% of consumers with that facilitates in addition to fasting and fair and impartial access to the apartment rental and other essentials services. and under the fair credit reporting act to the at impartiality. of consumer privacy. the most recent revision of this scheme was the addition of the supervisory agency. the first agency not just

examining credit bureaus but those that contributed into the credit bureaus. that continuous supervision begins in earnest in early 2012 have produced a proactive approach to compliance management for consumers for many years to come. credit bureaus are subject to federal and state laws and because of the key role they played the banking system also subject to very specific private data security requirements. credit bureaus are required to ensure they only provide credit reports to legitimate people for legitimate

purposes. it goes beyond contractual certification including due diligence from the customers with the continuous monitoring. also requiring disposal of credit reporting information. in addition the safeguard rule as referred to by the chairman to develop better implement comprehensive antiquity programs. and then to maintain reasonable procedures with sensitive personal information. those and notify consumers so because of their important role they are subject to private contract -- contractual data requirements. to handle credit card information required they

comply with that data security standards to invalidate such compliance with a third party audit of the security procedures to have a great deal less sensitive customer information they are required by the regulators to conduct regular information security. each of the three national credit bureaus each year. and to share that consumers in businesses with the national credit reporting system they give for the opportunity to testify will afford to today's dialogue. >>. >> thanks for the

opportunity to duty -- to speak with you today. we are in independent nonprofit research organization founded 1994 to focus public attention on privacy issues. arab light to begin to save the equifax data reach is one of the most serious in our nation's history. on par with the office of personnel management 22. 5 million the breach shows the security of american families and even our nation's security there is no simple solution but in my testimony today i outline the steps i believe congress can take with the data

breach. and to save it equifax preacher is remarkable and with the delay of that well-documented security flaw. more than four months past two installed critical software updates and precisely the information the individuals rely upon to open bank accounts and get car loans and vice telephones including social security numbers and driver's license information and also of the data that criminals use to commit identity theft and financial fraud. equifax is clearly responsible for their breach. and with hitachi software foundation and also worth

emphasizing equifax chose to collect the personal data because consumers did not provide this information to equifax. and alas security strategy with the 145 million credit reports to cause of unprecedented harm to have access to credit card numbers consumers can council -- cancel accounts and change numbers but it is not so easy to change your social security number i don't think it is possible to change your data curve. the victims will be exposed to lead in the theft and financial fraud which is already an enormous problem for american consumers. it is reported almost 400,000 cases of identity

theft in 2016. and that the cost of the economy per year. credit reporting agencies in need of reform. and with those steps that could be taken to establish accountability and transparency and with that information to impact the financial future. this means to have a nationwide credit freeze or more precisely in the disclosure of credit reports to beyond the optician basis to recognize the value of the american economy but the consumer should decide if it is there interest to disclose to a third party

they should not have to jump through hoops to put on the blocks in freezes to restrict access they should make the affirmative decision. and you should not have to pay to be told there is fraudulent activity on your account. that problem with credit monitoring services so this makes no sense whatsoever. so the consumer should be notified. and with the contents of the credit report. so they know who is receiving information and. >> chairman and credo and ranking member in the

committee thank you for the opportunity i am in adults of security policy and in this role of a research and analyze what the policy implicatiimplicati ons and management. but my testimony will have an element of cybersecurity. and to address data security. and increasingly used catch phrase that all companies are technology companies for all companies are dated companies this concept of the death play the important role to allow companies to complete -- compete and thrive in the marketplace. but this also creates risks for corporate leadership to adequately control the risk

is objective. the data security involves rich -- risk management managing the risks to repair security is the goal they need to understand the vulnerability is they have the consequences. cybersecurity to discover reformation about that. those that could craft that message in legal teams to help with those compliance requirements and with those corporations upon others depending on the entity. there would be a delay between the discovery of the attack in the public notification because

analysis needs to be conducted of how old they were breached or compromised. and with that business part and that forensic investigator and how they would share information with that phase. and for that extent of the breach but maybe they could ocher, currently. congress could consider data security they could explicitly for the safeguards rule as problem data via the ftc the dialogue created live credit reporting agencies come to a greater understanding to

allow for those to correct the security posture and congress could regulate the retention of data regardless of the type of affinity congress can establish what could be collected how that must we stored so congress did record to identify and disclose to consumers those elements the power is used will provide consumers with additional information that may affect the market place for go figure for the opportunity to testify today in the forge your question. >> i want to inform the

question -- the senators we have a vote and we will keep the hearing running so we will adjust our attendance in you can make plans accordingly. >> the question is for the whole panel i only have five minutes. this is each reach number there has been a lot of discussion around the security of the social security number that should be used as the identifier going forward to we need to get rid of it as a personal identifier? how can we ensure such has a drawback?. >> if we eliminate social

security number we will have to have some other unique identifier to allow those to know who they're dealing with. my name is andrew smith there are tens of thousands of me but if you look at a bankruptcy court record if there is no identifier how you know which one? with simple identification not authentication not that i truly am who i say i am benghazi identify your they do have a role to play whether we need another identifier we are willing to work with you on that to get to the right results for consumers. >> 84 the question many

committees urged the we have never argued for replacement the key point it serves the important purpose that is why it was established and that is where the legal authority exists. but the problem was adopted in the private sector to use as the identifier this is contributing to identity theft and financial fraud so when we talk about the social security number and as we described in the testimony to limit that use digital the be available the private sector. >> the social security number it could lead to do

consequences that would it constitutes some level of posture in case there were a breach. >> by your testimony discuss this encryption with data security. as a former ceo mention some of added is a group did well some of that is not our their standards that should be across the board to a identifiable information? maybe they could prevent that equifax breach?. >> so to eliminate that as risk-management that they may face with their conduct or their business there is federal guidance created of

the implementation and practices of the use of encryption of the data process. so what is implemented where they apply a the encryption and how those keys have legitimate access to continue to conduct business. . . . .

>> the ftc has law-enforcement authority and we feel as though we are not unsupervised with respect to the data security. we have our banking customers that are regularly auditing us and i say however if there are gaps in supervision we would be happy to talk with you about that. >> very quickly. >> to safeguard rules and important data security standards only applies right now after the fact. they can only act against a credit reporting agency once the breach occurs. we think they should have the ability before to inspect and determine compliance with standards. >> senator brown. >> you stated credit reporting systems provide critically important benefits and you went on to say indispensable to the

economy. i think we all agree with that, so my questions i will start with you and please give a yes or no on this. do you think the breach or the failure of the credit reporting agent the weather is e-echo fax or experience, do you think they could have a systematic impact on the u.s. financial system? >> any agency is hard to judge based on the categories of the agency itself, but it is a possibility that it could have an impact. one of the things we need to keep in mind according to the news report the credit reporting database wasn't in fact compromised. the compromise of the credit reporting database i would have to think about whether it would present --

>> that you're the one that starts off saying that the has benefits with a breach of 145 million you don't think it does have a systemic impact in the financial system? >> i think that the risk could be managed. >> is that a yes or no to the systemic impact? >> i am not prepared to say that they would have a systemic impact but i would like to think that through. >> how would you define systemic impact? >> 145 million sounds systemic. most of us or our family members have tried to fix inaccuracies that result in the three of the

most complained about from collecting new data or providing other services until they've met in accuracy metric in the consumer credit reporting and should consumers, second question, should consumers be allowed access to all of the data held by these three companies? >> i think both suggestions are very good. i think credit reporting agencies that provide data to others should be held to in accuracy standard because when they provide information that is incomplete or out of date people are wrongfully denied jobs and that is a problem but also to the second point, whatever information the credit reporting agencies know about us, we should have the right to know when the information is being made available for sale for

debate brokers and falls outside of the protection of the fair credit reporting act, we need to do much more to give consumers information and control without the personal information held by others. >> consumer advocates have called for the free security to be provided and instead they announced they are rolling out what are called creditwatch products which appear to give consumers fewer rights and less securities can credit freezes. are they offering so they have to sign forced arbitration agreements just like they had to in the first offer of credit monitoring products? >> if i can respond quickly to the issue of access, i want to remind the members of the committee that they do have access with consumer reporting agencies and they have free

access. those are two different phenomena but go ahead. >> with respect to the credit lock i am not so familiar with the different features nor do i know if they have an arbitration clause. generously offered to be included that. >> i don't think that the impetus would be to obtain a mandatory arbitration clause. they may be useful to consumers and i think that freezes more generally serve a specific need for a specific type of consumer there's a lot of tools consumers have that can protect themselves and the situations including obtaining a free credit report, placing a fraud alert on their credit report, obtaining credit

monitoring there's a lot of free credit on entering available, so i think consumers should understand and appreciate that before they place a credit freeze on their file. >> on the forced arbitration agreement, you represent them and they also rely on you for advice. are you willing to go back and say there's a strong sentiment in the public into the congress thaand the congressthat forced n agreement shouldn't be part of this credit will offer products? >> i will convey that message. i do think that there is a special circumstance when we are talking about credit monitoring and reporting products in that there is a statute called the credit repair organizations act which imposes particularly stringent penalties on companies so because of that i think some members of the committee are familiar with this because of

that they have a special role to play with these products but i will certainly convey the message. >> would you share with the committee wacommittee what messe conveyed to them, what forced arbitration? >> i will share that. >> thank you. gentlemen, regardless of what we've put into law and what rules are put in place if they are not followed, the possibilities of an additional breach continue and i'm just curious with regards to e-echo fax would be fair to say that the data that we have so far, does it point to basically human error having been the cause of the data breach? just a quick response from each? >> i think it understates the problem. we are talking about the breach that impacted 145 million records, a circumstance where the company was twice notified

and left the breach exposed over a four-month period. i didn't discuss in my testimony before a given in response to the breach of wasn't helpful to consumers so at almost every step, they did the wrong thing by consumers. >> i believe they said publicly that it was the result of human error with respect to the question i would add that they are investigating the breach and i would want to see what their conclusions are before we draw any policy choices based on the fact of the breach. >> is based on the amount of information that we have it is difficult to judge as to whether it came down to human error or some other so it's difficult to judge based on the information we have. >> even if let's assume there

was human error involved in recognizing the significant damage that has been caused, if we have within our ability the opportunity to lay out a plan which there is not just an auditable that a review process to get in place with the assurances of the follow-through, we are still talking about the protections we put in place for a legal entity that has been breached. what more can we do or what more should we be doing to prevent this break-in in the first place with regards to protections and also the consequences for entities throughout the world that actually cause these that are trying to get their hands on the data do we need to look at

additional federal authorization or institutions for the cyber community the same way the fbi was us to stopping the bank robberies of the 1920s and 1930s, do we need to be looking at something like that on a worldwide basis? >> i think this is a very important point. when the fair credit report act was passed in the 1970s, the primary concern was about the possible misuse of consumer data by the credit reporting agencies, and that was the problem congress sought to address that here we are almost 50 years later living in a world of constant cyber attacks and in my testimony this morning i tried to explain that the breach needs to be understood not just in terms of the misuse of personal data about the exploitation of the foreign adversaries and that is also the

reason we need to update our privacy laws and more incentives on companies to protect the data not just for misuse but also exploitation by the foreign governments. >> mr. smith. >> we think to the extent that there are gaps in the supers supervision of data security we want to talk with you about that and get to the right result. with respect to the professor's point, there is no doubt that this was a criminal hack from an unknown source that may have been from a foreign actor. when we think about the government relationship and these agencies there are first

rulemaking. we can see the examination space is the one we have the least government involvement so there's an opportunity for congress to guide how they want agencies. on the consequent side to the best that would be a conversation to have with law-enforcement agencies and officials on what authorities they think they need to go after them. >> i think it is important that we understand the standard of security that has to be imposed and we've got to be able to audit, follow-through with consequences and continued surveillance until we get down to the point that there are consequences for the bad guys involved, we are not going to make a major dent that we have to in cyber theft and i think we missed but sometimes.

we are goin not going after thes causing the problems elsewhere around the world as well. thank you mr. chairman. >> i sent from the testimony that, and you can come from this, there are two points that consumers should have one as they should have the legal right to withhold their credit score or they should know the credit information the agency has it that should be by law and not by deference to the agency is that your view? >> that is correct when the information is being provided in the credit report, presumably it is for the consumers benefit they are seeking the loan. they should know the information content in the report.

>> part of this is about changing the default right now the report is freely available to others in the fair credit regarding act that you have very little control over that we would say give them off in control. >> it's true once a year they can get a free copy of the credit report it's not all the information they have, they don't has received information. there's a lot of practices that are not covered and as a consequence, consumers don't have the full picture. >> so they could get the number whatever it is, 400 or 800 supplement information to that. if they were buying cell phone

information or something like that. that would fall outside of the credit report. >> so in order to give the customer or the citizen the full benefit of all information the agency has on them should be identifiable is that correct? >> if that's why we recommend a comprehensive approach based on this baseline to give more information about them that's being transferred to third parties. >> and i would also presume they have the right to deny access to certain information or in fact even to require that it be deleted from the credit bureaus files. >> i think many consumers would actually be surprised to know how many people, how many businesses get acces give accest reports without their knowledge. of those reports move very freely with little information being provided to consumers and i think that should change.

>> in the description of what took place, it appears that there was negligence on behalf of them being told by federal regulators to patch and not patch for several months. months. does anyone have the right to sue or enforce criminal or administrative we? >> i'm sure there will be lawsuits brought in a variety of different theories but as others have already pointed out, almost immediately the response was to deny the opportunity to pursue the legal remedies and that can't be the right response. >> with respect to regulatory agencies, the impression that i have in the discussion is that it's all sort of retrospective after the fact that they can go in and buy the a finding based upon the failure.

>> under the safeguards rule, they can inspect and i think saying chen but the fine would require subsequent violation of a settlement or the order in the company and the ftc under the safeguard rule wouldn't have the availability to inspect or prevent prior to the breach occurring. >> under the existing wall is there any way for appropriate federal agencies to levy a fine or some kind of significant penalty? >> i think for the ftc they would have to find a breach under the fair credit reporting act. under section five they have to have a consent order and any subsequent violation. it's not a very effective enforcement regime. >> icon per. thank you very much. >> thank you for being here this morning.

the breach is catastrophic for so many in south carolina if you think about the number of individuals impacted by the breach in my home state, 2.4 million have their personal information exposed, store when. we have about 5 million folks living in the state, that's about 48.76% of the state, that's the sixth highest number in the country. when you account for the fact that there are about 500,000 under the age of 14 that means that search is over 50% so over half of the adult population at least in the state have their information exposed. the negligence has been devastating for my constituents. but when you look at the geographic location of that

impact, the southeast region seems to have been impacted aggressively in high levels. georgia around 51%, virginia around 48.8% o, florida around 53.5%. i asked why south carolina and southeast region was so hard it and i hope they find an answer soon. my suspicion is that perhaps the location, the physical location may have played a role in that. why are the numbers so high so close to the physical headquarters? >> that will be difficult to judge a son of publicly available information that there might be business reasons why they would have additional information on people in the southeast region of the nation. they may have more business partners with businesses near their headquarters for the sharing of information. if need be that the population of the states are prime targets

for critic credits that the popn of the states may be more amenable to the credit reporting agency. >> thank you. >> it's complicated when a company is headquartered in new jersey, does business in south carolina and is preached in arkansas. the states have different walls on the books governing when and how companies must notify the public of a data breach. is the current state patchwork of regulatory approach is effective in protecting the public? >> i believe my colleagues would be in a better position to evaluate a state-by-state purgatory regime however the policy does provide a level of certainty for both businesses and consumers both for

businesses to provide as well as the consumers can expect to receive. however, with the wall will they be expected to do with that information do they get a letter in the mail saying that it was compromised and they are on their own or is there recourse to business or corporation that has the data and have a breach is provided to the consumer so that is a uniformity across the nation but also some teeth as it relates to what happens next once the consumer is informed. >> we see that now and some of them are with the preached consumer despite the government being preached pretty frequent frequently, some suggest we nationalize the credit reporting

agencies. such a move would kill innovation of 26 million. they take into account things like rent payment and utilities. who would benefit the most from such a change? >> user of information about rent and utility payments could expand access to mortgage credit for younger consumers who are new to credit and others without a traditional credit file so they are already able to collect this information and have built the systems necessary to do that and as you know, the credit bureaus have been successful in expanding access to folks who previously may not have had access but i think ultimately it's going to be their decision whether or not whether they

predicted the risk of default that they are trying to manage. >> they are represented today in home ownership they don't have traditional credit report information specifically people new to credit i think. >> so the number is up 16% who are today going to become credit visible and show the responsible pattern that would allow them to own a home. >> my state is 5 million so high 40% also. >> thank you so much for the conversation. i want to start with you. the supervision of credit

bureaus relates primarily to the accurate reporting that does not generally provide for in-house supervisors however in the wake director indicated the supervision may be assigned to re-sign the nationwide consumer reporting bureaus and monitor cybersecurity and data protection practices wouldn't you agree that this is an important development? >> when you look at the director's comments i think you are talking about the cnbc comments were something on television. he said initially the cfp b. doesn't have authority over data security in the seems as though the folks on the panel agree with that. whether there is an appropriate goal for the credit bureaus we want to talk with you about that and come up with the best results for consumers that maybe if there is such a role to be played or it could be that they

are. >> i spent the last eight years in nevada that of the highest identity theft rates in the country and i can tell you the breach that happened isn't equal to that which happened at a target store somewhere else. what happened with equiffax is there are identities being stolen if you've ever been the eye to the victim of identity theft, the rest of your life you are trying to reclaim your identity and it's not just clearing up your credit, it is addressing a somebody that has purchased a boat in your name or house, committed a crime in your name when you are showing up in court and trying to identify the person that committed your crime has stolen your identity. it is going to have a major impact on millions of americans

and that is why this is so egregious. then they have to succumb to years of trying to clear up all that data so my concern now is how do we address it and put limits on the data that we collect. i know we are talking about more cybersecurity production and making sure that there's oversight that it is going to happen again, so is there a limit to the data that we should be collecting besides all the other discussions we talked about today, so i'm curious to r thoughts on that. >> i think it would be a step in their direction to have supervisory authority through the cfp b. at the credit reporting agencies i think that makes a lot of sense. but of course that is only to

prevent against future data features and the question is what to do now for american consumers who come from the reality that others are in possession. we call these the authenticators here to establish the identity and commercial transactions and this is the reason we think we need to change the default on the credit freezes. people should know from this point going forward anytime anyone wants access to their credit report and people should know from this time going forward anytime there's suspicious activity on their credit reporting account. they shouldn't have to select a service or pay for the service. >> and i absolutely agree. i'm going to cut you off and i apologize. i absolutely agree because there's been talk about use of the social security number and limiting the private use. i don't know about you, but when you go to setup your house and set up your utilities they ask for your social security number, when you go to the doctor's

office they ask for your social security number. it's become prevalent as an identifier i don't know how you pull it back from the private sector and quite honestly, i don't know how you protect against anybody having access to it because i can tell you a bad guy is going to be able to go online and they are going to find it. so, more importantly, for mine really now shouldn't we be giving the consumer the absolute right to control their information and how it is being used? >> absolutely, senator. but if i can say on the social security number, we've made progress limiting its use. in fact with credit to senator collins and senator mccaskill, the social security numbers are now coming off the medical benefits id card because the use was contributing to identity theft among american seniors. we helped get the social security number off the state

drivers license, the social security numbers no longer published on the state voter rules of this is an issue that can be addressed, but congress will have to get behind an initiative that says we have to limit to th the use of the ssn. >> i appreciate the comments and with thisfor this, my time is u. senator kennedy. >> thank you mr. chairman. i'm sorry i missed the presentations. why should we not pass legislation that would establish that the bureaus have a fiduciary obligation to the people whose data they collect and are to profit off of? >> i think some of that legislation is already in place with the gramm leach bliley act but more needs to be done and i think your description of the fiduciary relationship is absolutely correct. >> do you think that there is a relationship now? >> no, i don't think the

companies feel they have an obligation to american consumers. >> i disagree with that. i wouldn't characterize -- >> you agree or disagree? >> i disagree. the are subject to a pervasive regulatory scheme and the statute here in the fair credit reporting act requires us to ensure the accuracy of information in credit reporting. >> your client is attempting that when the breach was made public weren't you trying to pass legislation that would less than the liability? it is unique among the statute in that it doesn't have a cap on class-action liabilities.

all of these habitats. as a trade association we would continue to argue for the caps. >> here is my problem. >> if the bureau does their job right they facilitate commerce because when the lenders loaned money tloanmoney to people, theo get feedback. it is one assessment there are others who don't use online lending. many online lenders don't use the client's product anymore they think that there are better ways to assess risk. i'm not saying they are right or wrong but i am saying that your

clients basically take my data, personal information about me without my permission and as a business model they sell it to businesses. i am not compensated. now if they lose my data or if someone submits to them via that is an erroitis an error that uny credit score, the bureaus have no obligation or interest rates now to work with me to try to get the credit score correct. have you ever have one of the bureaus get your credit score wrong and you call and try to get it fixed? have any of you? >> no i have not, senator. >> it's not an easy process.

and it would seem to me, and i am not trying to undermine the bureau, but it seems to me first of all that you could develop technology very easily that would allow people to go to an app on their phone to turn a credit freeze on and off free of charge. number two, you need to explain to the american people how you are protecting the data on which your clients are making a profit. most of the adults in louisiana had their data stolen by equif equifax. they have to go through a lot of trouble. some of them were going to have their identity stolen, and it is just not right. we are looking to you gentlemen to tell us what to do about it.

and counselor, i don't mean to pick on you and i understand you are representing your clients but they need to step up to the plate and suggests some meaningful reforms o were refors are going to be suggested to them. and my advice would be to step up to the plate and offer some specific things that you and your clients are going to do to improve the situation, not platitudes but specific suggestions because a lot of americans didn't know what a credit bureau was. they know now. i went over, i'm sorry mr. chair. >> thank you mr. chair. so, after hearing two weeks ago with the former ceo of equifax, there was a lot of agreement between democrats and republicans that consumers should be able to control their own data and without consumer control, credit reporting

companies really have no reason to treat us well. we are not their customers, we are just their products and it shows. a 24 study by the federal trade commission found one out of every five people have an error in their credit reports. meanwhile, over last year the consumer financial protection bureau has fielded hundreds of thousands of consumer complain complaints. the big three credit reporting agencies are now the three most complained about companies in the entire financial service industry. if you ran a restaurant and got your customers order on the 20% of the time and had the worst customer service in town coming in would be out of business in a week. credit reporting companies, not then they are getting bigger, richer and more powerful.

this market is clearly broken. fixing it starts with giving customers more control over their own data. so, i've introduced the three act with senator shots and more than a dozen other senators. our bill would let every consumer trees and downed trees access to their credit files for free. i want to ask do you think there would be a good idea to give consumers more control over their data? >> i think it's an excellent proposal and as you say i think the key to this industry is giving consumers greater control over the use of their personal data. it begins by moving to an opt in model allowing the consumer to decide in which circumstances it's in their interest for the credit report to be released to someone else. >> thank you. doesn't equifax do more than issue credit reports? they also sell your information to businesses that want to sell

something in terms back to the customer. the bill also makes clear no credit report agency can sell the data if your credit file is frozen. other legislative proposals note that it's rolling out right now they don't give customers that right so let me ask this, do you think consumers should have the right to freeze the data so that it stops a credit reporting agency from selling access to the consumer's data? >> absolutely. the model doesn't work unless consumers maintain control and so many problems in the industry result from the industry pushing burdens back onto the consumers to choose the freeze, to choose the monitoring service and it is entirely upside down and it's the reason we have record levels of identity theft today in the u.s.. >> i think that is a powerful

point. if companies don't pay us to sell our information to other people we shouldn't have to pay them to stop selling it. according to your testimony i think you mentioned this earlier he would go even further to make the position that any consumer's account is frozen until the credit reporting agency gets the explicit permission to on the freeze the accounts to share the data and they would have to opt in to sharing the data weather and opt out. what is the reason for that? it also makes it possible for people to purchase homes and cars but it's the consumer initiating the commercial transactions and who is seeking

the mortgage of baloney that the consumer should decide when to release the credit robert information to others and should know which information is contained in the report. they may be wrongfully denied a loan from a bank that they have provided accurate information you say we need to fix the credit reporting industry in order to protect our national security. about out of time but can you say a word about that? >> i mentioned earlier when the fair credit report act was passed in 1970 the concern was the misuse of personal data by the credit reporting agency. and that concern remains that what has changed now almost 50 years later is that it's the target of foreign adversaries and we have to realistically consider that people get access

to the personal data held by the companies and have interest to the nation. that is an additional reason to strengthen the privacy law. >> the credit report agency is a threat each of us personally but also to the national security. >> thank you mr. chairman gentlemen, thank you for being here. the one question when we have this discussion i want to start to ask them a question.

where are you on the option of the consumer being able to delete the presence of the existence in any of the big three credit reporting agencies do you think that is something they should be entitled to due? >> the country has a long tradition of expungement to the financial records to give people the opportunity to start over even after the bankruptcies so we've already recognized people should be given the opportunity to reapply for credit even after they've had those type of experience is. >> so if later they were seeking credit and have no reliable sources for showing credit worthiness, who is going to provide all the information that may be needed. i would say in those circumstances the absence of the

information could well be a factor but that is not a reason not to give the consumer to opportunity to delete the data. >> but at the end of the day the consumer needs to be fully aware that it's up to them it could be used for the information would likely result in no credit being extended. >> what happens if the consumer has disinformation and i decide i'm not going to pay one of them and i believe that from m my fil hell overthink the able to manage that credit risk to consumers delete accurate and relevant information and with respect to this fresh start id idea. one thing that the credit reporting agencies need to demonstrate is that they don't

make the problem to consumers problem in other words if you have a breach you should be treating the consumer it's not something that would require months of paperwork and hours of their time to clean up that it's the fact that you can point back to the breach and something i will be interested in how they handle it but i am concerned with the idea of just the aggregation of data that is used to predict how they may behave in terms of credit worthiness do you think that there is any credit to the fact we have less reliable information to move capital or provide resources to people who need it? >> i think it's important for businesses to have access to relevant consumer data.

i think they should be transparent about how the data is being used. >> would you consider that it is accurate and relevant for the financial service industry? >> it may or may not be. it is based on a wide variety of factors many of which are not even known to consumers, so we don't know how they are making determinations about us yet they are concerned i that they don't know everything about us when they make the decisions and that seems a little unfair. >> in my remaining time, i wasn't here but i think someone else answered the question what do you think what technologies or process out there are we using to get away from social security numbers as authentication methods are moving more to say wha but the d industry has done trying to come up with some sort of an identity

that will eliminate or substantially reduce what is a relatively easy thing to do and justhat is to get somebody's information and commit fraud. what's out there that we should be looking at an and as a mattef public policy that we should be promoting. >> my time is expired after this answer. >> i'm not aware of any particular products that could be used. one point to know in the us notf technology though is that there may be people, citizens, consumers that don't have access to something like a cell phone so they would be participating in the widespread use of technology and that is a consideration to making this policy. >> i think as a general matter if we have distributed and contextualized identity in other words the company learns only what it needs to learn to make a decision that is the best approach. today, we are at the opposite end of the spectrum is a can opd did identify that makes it possible for companies to learn

anything they want to about an individual. >> i think if we didn't have the social, we would need to invent it so we would need to come up with another unique identifier. as i said earlier with a name like andrew smith it is critically important people are able to distinguish between the thousands or tens of thousands of individuals simply to identify which one are you not necessarily to authenticate iem indeed who i say i am but just which one are you and it plays a critical role and it's not the social, then we need something else to fill that role. >> thank you mr. chairman. mr. smith come after the equifax breach, consumers learned the best way to protect himself from identity theft and fraud is to freeze their credit report but when they went to do that, they found a complicated process that required contacting each of the credit bureaus generating and remembering separate pin numbers for each and most infuriating,

paying $10 to each bureau to place a freeze not to mention the fee that they have to incur if they want to lift the freeze later. equifax's lapse in data security will be rewarded by hundreds of millions of dollars in revenue for the company that made the mistake so my question for you is simple. explain to me why equifax exterior on and trans union charged people to freeze their credit report when there was a mistake that is their fault. >> there are a lot of ways for consumers to protect themselves and freezing it is the right choice. >> in those instances why is it not free? >> right now we have a patchwork of laws and if we have a single national standard, i think that we would be happy to talk with you about how to get the results right.

>> when a mistake occurs in people are told to do a certain thing, that should be to freeze, shouldn't it? >> i don't know that everyone was told to freeze the report personally i don't think it is the right choice for everyone. >> all three made freezes available to those that say that they are identity theft victims. they also made the freeze available for the senior citizens and minors as far as the national freeze requirements, i think that y. is the general revenue off the mistakes of the organizations that you represent.

i saw the testimony. they are rolling out and they could take advantage for ex- ample on a mobile device but i don't know that any of them are available in the market now. let me ask you a question why do i have to pay for a freeze and i don't think you answered. >> they have to be implemented. >> but the question is why did the company that made the mistake at a profit by argued

charginchargingconsumers even is money, fine you should eat it because that would create an incentive to not screw up again. >> that only occurred after the ceo quits after great pressure. >> do you think it is a good idea for the credit bureaus to use tighter matching requirements for someone else's credit report are likely to be their own information? >> i think the matching algorithms are a tricky issue as i'm sure you've done some thinking about it and it is a question of probabilities and statistics, and i'm not sure that we necessarily want to legislate that, but matching is critically important. >> what is your error rate of the? >> we believe we did a similar

study and we believe that the rate from our study is less than 1% looking at the ftc study, we believe come into this is even at the low-end of the estimate you are talking one or 2 million individuals. it is to some extent the credit responsibility and as far as accuracy is concerned, the professor in his written testimony said you're never going to have perfect data security. the best we can do is try to

control. it is a process. >> i will just add i understand you are going to make mistakes. the basic question is who should incur the cost of the mistakes, you were the rest of the country. thank you. >> at the start of something we are codifying. you have to off out in other words i never gave permission but it does provide a service so that i don't have to aggregate all my credit information when i want to borrow something so i get that. but at the recent hearing just two weeks ago, we asked questions regarding the national standard on credit freezes and i think that the representative already got the protect act of you may be familiar with that they are proposing that creates a national standard harmonizing

the current 47 state laws on the issues. i would like to get all three of you to comment on do you agree that that would help the development of technologies such as those that could freeze and an freezi'm freeze without havio through the process and so somebody could actually open up and get the credit information they need and then opt out easily without having to have a lot of instruction is that something that might benefit us? >> as i said earlier its not the right choice for everybody necessarily that they are the right choice for some people in that the development of the national standard is something that we would welcome. with respect to this functionality i would ask you to consider whenever we legislate something like this questions come up to say what about the people who don't have smart phones what do we do about them? we have a lock and unlock functionality. with other people that don't have easy access to a telephone?

>> but just so i'm clear they wouldn't be in the system, i couldn't access their data unless they were to come back and do something like this on an 800 number when they needed. >> but do you think your self what to do this 800 number. that's going to prevent a security risk somebody else unlocks my credit when they are applying for the loan on a saturday afternoon. so i don't know what my pin number is. i forgot about that you have to reset and before you know it you're not going to get a new cell phone at the verizon store on a saturday afternoon you have to reset and go back to the store the next weekend and hopefully it will work out but there's a lot of friction in the system and these are difficult to administer and that's why they are not necessarily the right choice for everybody but some people who are not buying cell phones or renting

apartments. >> i think it is a good proposal and a step in the right direction. they've limited the access into the legislation to accomplish to simplify the process is to make it easier for people to make those decisions precisely so they can have the credit record information available. they have posed that they acquire information from however the information is that consumers and the relationship between the broker in the consumer is weaker.

the weakness is where the federal policy may be able to bridge the gap between the rights of the consumer and the data broker. >> the same thing. the social security number goes back to i think the 60s but in the last half-century the technology moved fairly rapidly forward. in the new technology isn't there a better and more secure way to match accounts or should although cyber attacks be the impetus to bring out more transitions without social security numbers? they seem to need t me to be thy grail in the access is that a reasonable direction?

is the target of identity thieves and if you are trying to make your industry more resilient against those attacks you have to reduce your dependency that if you replace this with another general-purpose identifier, that becomes the target. we don't have a common answer yohegave to the security issueso thank you mr. chairman. >> senator heitkamp. >> not to put or extend the discussion on when you can put a credit freeze on or put a lock and put a lock after identity theft, that's like saying to lock the door after the thief

went in your house. it's not responsive to what we are trying to get at. we understand the benefit of the aggregate of the data that is easier access to credit. no one is disagreeing. the question, you were asked about the fiduciary obligation. what responsibility does the aggregator have went something like this happens? when mr. smith was here, he said this happens all the time. and i'm asked in light of that, why do you seem so ill prepared? why did it take so long to come up with a response? how often does this happen and

what is the general response to the industry has? as a general matter how many times could a company like equifax, trans union or experion, how often would you experience a breach that would be reported to the fbi? >> i don't have those figures, i can find them. i would say based on my personal knowledge that none of the credit bureaus themselves have been breached. the companies in equifax's case, it was information outside of the consumer reporting agency database. we also know that the breach involving the data of t-mobile. so there are breaches that will occur and legal come up with a number for how frequently that the best of my knowledge, there's never been a security breach that a consumer reporting agency database.

>> they would basically go to, do have a fire drill do it in other words? do you have a system in place that will lockdown and protect data? >> i can't speak for any companies but those which i'm familiar have incident response plans. they call it a tabletop exercise. the stakeholders are around the

table emily went through with what were going to do with respect to the call centers. how are we going to the consumer notifications. >> but you have to agree that equity facts was ill-prepared. >> i don't know. i think this was an unprecedented breach. >> even if it's ten people, the response should be the same as if it were hundred 40 million people. >> rather than ten calls, ten calls you can handle, hundred 40 million? >> doesn't that beg the question of why people here are upset? you had senator kennedy basically say this is not data you won't. you do not have a relationship with the consumer other than an aggregator that provides that service. if i say i don't want your service i'll take responsibili

responsibility, i have to pay you so you're not collecting my data, correct? >> not collecting. this is a freeze. the data is still there but you frozen it and you have the right to unfreeze it. >> in europe across the e.u. there's a lot of privacy initiatives. the right to be forgotten. were getting close to that here. were much more open economy as it relates to this data aggregation, the more we do not fear response the closer we are to the pendulum that the senator talked about which is the potential that you're going to be out of business because every american will say we don't want your service. >> we need to ensure that consumers and businesses trust the credit reporting system. >> i think you have a serious trust problem today. the lack of coming forth with

solutions and the adversarial approach to what we have seen to this is not helping solve the problem so we look towards ongoing discussions. thank you senator donnelly. >> mr. smith, this is to all of you the department of veteran affairs secreted the choice program it is been helpful in increasing access and it led to delay payments and billing problems which in turn resulted in some adverse reaction to credit actions. it's really troubling that our veterans that had their credit harm through no fault of their own. we introduce the protecting veterans act to delay the

reporting to be a responsible medical debt to make it easier for this erroneous debt to be removed. medical debt can get expensive. what damage can it to to the vets credit when this is reported as i paid? >> we agree 100% that veteran shouldn't have the credit records tarnished and we understand that's what's happening here. were committed to working with you to solve that she is the national credit reporting system. institutionally we believe the folks best able to solve that issue are the virginia and private medical service providers and debt collectors who are furnishing this system. >> so i have your commitment on behalf of the trade association

an industry that you will work together with us to address these problems and adjust the difficulty of virginia reported medical debt. reports will get didn't. >> were talking because of virginia processing and inefficiencies they haven't paid. >> it's not a run is that my knee got worked on its the air that it the bill came to me. >> we need to fix that and were committed to fixing it. >> of the congress and then acted to set the rules of the road. despite the original act in many subsequent amendments we don't control our information controlled in the files of the credit boroughs. as reported and often sold to third parties such as

prescreened credit. the personal information may now be available to thieves in the dark wet. mr. smith, your the representative, should consumers have more control over this information? >> we talked about that today and the ability to remove yourself to selectively delete information, both select issues for the national credit reporting system. it would allow consumer to gain the system to hide unpaid debts presenting a real concern. >> if they want to get a mortgage. >> were talking about the selective deletion. the removal for the system is great until you need to rent an apartment or by cell phone or get a mortgage or car loan.

>> you can't do it if your information has been removed from the system. we're talking about is perhaps a freeze. we think the reason is the right choice for some consumers, not all ever willing to work. >> is an important that the consumer should be able to work and that's a decision they have made? >> absolutely. it's important to understand that if a consumer is making a significant decision like renting an apartment it makes sense to have the ability to know it's in the credit report and decide who's going to get access to that information. that would be common sense. >> thank you mr. chairman. >> thank all of you for being here today.

it seems is reflected in a lot of comments that the credit reporting agency model is one that is uniquely stacked against consumers. when there has been data breach or bed data. my question goes beyond the issue of the data breach to complaints we have heard over the years about credit reporting agencies collecting bed data that leads to a denial of a loan or mortgage payment. there's been discussion about how to allow that consumer to be made whole. my question on the front end terms of creating penalties or deterrence for those collecting the data the people's permissi permission, then have of the

burden the on the consumer on the other side. my question is, is there some kennedy turned that we could put in place so the burden and penalty for collecting and disseminating that data whether through breach with your denial of a credit reporting can actually address the problem on the front-end so there's more of a premium credit agency for happening in the first place. >> with respect to data accuracy, credit. 's have substantial duties and those are up front to ensure they have procedures in place to ensure. >> maximum accuracy. those that furnish it have to ensure the accuracy of the data. the credit bureaus in the people furnish are supervised for adherence to the standards.

right now -- were not unregulated. the statue gets longer every year. this more duties added in. >> my question is, what is the current penalty. in the event that bed data gets in? despite the systems is or penalty that has to be paid by the credit reporting agency? in other words, in addition to bringing the consumer whole. you get tonight the loan then you have to go through the hassle of getting it straightened out. maybe you get your loan but what can we do to put more veggie turn up front so we don't get to the point where thousands of people are wrongfully denied

alone and after a lot of work and cost maybe they get the loan. >> let me say that right now it's upside down. right now there's a problem the company's turnaround to charge the consumers to take advantage of the cools they need so that can't be right. what we need to do is increase the incentives for the companies to do a better job on data security and privacy protection. i can make a historical point, there's a deal at the heart of the fair credit reporting act when the fcr he was passed the ability for consumers to bring suit was preempted. was there information and some of this inaccurate incomplete is disparaging and inflammatory and causes commercial loss. before passage of this people could bring lawsuits for those farms, they can't now.

that means congress has to strengthen the penalties to maintain the incentives. >> so someone clicks bad data that harm some of which you agree that they should be of the have recourse through the courts? >> they do have recourse. this law provides for statutory penalties and private actions for the credit bureau behave lawfully. >> your association has been lobbying against the consumer protection boroughs protection that would allow people to bring lawsuits. you lobbying in favor of keeping mandatory arbitration. >> that's my understanding. doesn't that stacked the deck against the consumer? everybody has to go to mandatory arbitration as opposed to group together as consumers and bring a case, that stacks the deck in

favor of the big guys. >> with respect to the credit reporting system, there's no opportunity. you have no contract with that equity fax. see have no mandatory clause. >> if there's information in there that causes damage. >> information the credit report you consume and be member of a class because there's no mandatory arbitration clause. over talk about arbitration is where the consumer is purchasing a product from a credit bureau like a credit monitoring product for example. >> we did see in the case with echo facts that as a condition of getting protection from damaging information that echo facts breaches cost they were requiring people to relinquish their rights to go to court. they're insisting they sign

something. >> they backed off that. >> and there's other products where there is a contractual relationship where they are insisting on mandatory arbitration. they testified here, they have lots of products. >> and don't are consumers wronged in that process is that stacked against them to say they have to go through arbitration. >> of course i'll disagree with that. we think arbitration can be effective and given the statue called the credit repair organization and their special risks that are stacked it against the company. >> i can understand why equity fax would want to deny that it be more successful in recovering damages.

>> i'm going to wrap it up i will have to be fast because there's a second vote i need to get to. thank you very much for attending here today. had one question and i know you're here as experts on credit boroughs. do you know whether there is data required to be submitted by the credit paris to the federal government? does any federal government agency required them to submit data to them? >> i don't believe so. i know it's to the federal reserve board and i believe that data is purchased by those agencies and it's provided within the fair credit reporting act.

the instances i'm familiar it's in a diego get a format. >> i just have more questions. >> that i will wrap up thank you. >> for if americans can make cra's delete their credit files upon demand like the law requires medical records and don't go into so much of the medical records but if they could delete their credit files on demand with that create additional business risk? >> i don't know if it would create risk for reporting agencies that would give consumers more control of their information. i think there's a way to manage that. it's done currently with bankruptcy. >> would you say that consumer reporting agencies would not want americans to demand their credit files be deleted?

>> i expect that would be their position. they try to get as much information on consumers as they can. consumers have little information about what is being gathered. >> if they knew americans would request their data be deleted after a cyber security breach if they unsuccessfully tried to do that following the equity effects breach, would that create an incentives for these agencies to pay more attention in the first place? >> i'm sure it would. consumer reporting agencies have no legal right to obtain the information of consumers. the businesses have evolved over time. and are subject to regulation. they cannot claim that they have any right to access so ultimately it would be the consumer's decision whether or

not any company has the right to possess. >> so some claim that consumers would gain the system. is that right? >> right now the credit reporting agency largely game the system because they don't know the factors used to make decisions about them. for creditor employment or cell phone purchases. is very symmetric, this industry who has information about who and how it's used. >> currently my understanding is that rules for privacy are much stricter if that's the case and i think that's a case should reconsider single set of --

>> i think that the unfinished business. we had the moment where there's an opportunity to establish comprehensive privacy on the private sector. congress chose not to. there's a law for federal agencies. you have to have a different approach. i think there has been some benefit. they don't face the same levels of identity theft of financial throughout. >> tell me more about europe. they have stricter data privacy laws i assume they still have function credit markets. does that mean that these three agencies that he represents, echo facts, trans union, do they do business in those countries? >> i don't know about those specific firms. in others a vibrant market. the key is that there held to a higher standard. in the area breach notification

equity fax took more than six weeks when they learned of the breach to tell consumers what happened. under the are paying union privacy law the have 72 hours when they confront a problem like that. you can still operate your business or just held to a higher standard. >> with those three agencies are they profitable in your with a different business model. >> i know some operate in the u.k. we have a different group in europe is not necessarily the three were familiar with here. we know that equity fax is in the u.k., not sure about continental europe. >> could you give to the committee from those three clients specifically what they do in europe and how big of presence a half and how they're doing in terms of profitability in public plans about continuing? >> one thing i would say about

europe and the professor may disagree with that, i don't believe there's a right to be forgotten with respect to credit report information. there is guidance in the e.u. that i believe would not permit consumers to delete wholesale information because of the vital role they play in managing safety. >> i disagree, that's not correct. the regulation the new european law speak specifically of the right to raise your credit agencies a personal data. there subject to that. also consumers have a right to next donation of the basis of the decision. if a company has an automated process to decide if someone gets a loaner