tv Data Breaches CSPAN November 9, 2017 10:51pm-1:24am EST
10:52 pm
[inaudible conversations] good morning now the executive session is complete data breaches not a new issue we've been focused on the consumer that was before i was elected to the senate. the breach is what many would consider to be the high profile breach with a number of investigations from the federal and state authorities. this was originally created by equifax so in terms of the trajectory the major did
10:53 pm
reach you could say we could come full circle. congress paid close attention to the data breach to strengthen data security requirements as well as those to affect companies to notify a the discovery of a breach so in that era with a large scale breach but while larger with consumers equifax is more severe given the sensitive nature. we've heard from many constituents our concern of the lasting effects and i have heard complaints it is difficult to set up the credit freeze if monitoring is the effective tool. the breach exposed those
10:54 pm
consumers including names and social security numbers and a driver's license numbers also expose the credit card numbers from consumers and documents for more than 180,000 consumers so today to have an update regarding the of a breach to mitigate dow harm from happening again. will we will discuss today in was a prior breach where similar information was stolen so the compromised data is names and telephone numbers and unencrypted security questions and answers but that 3 billion figure from the time of the breach today their representatives have the opportunity to mitigate the
10:55 pm
harm going forward. so that illustrates quite dramatically the nation faces cyberthreats those that collect and store summer should have server security and consequences of the failed to do so i look forward to the hearing as it considers legislation to bed data breach notification if there is a risk we must make sure consumers have the information they need to protect themselves that is why i support the standard with a patchwork of laws in addition to the district of columbia and three other territories progressing well federal standard with regard to notification of those data breach and provide
10:56 pm
consistency benefiting both consumers and businesses in order to ensure we have advocated for reasonable security requirements based on the size and scope of the sensitivity of the information. however in this regard the equifax breach is troubling it was already subject to the safeguard under the act that was considered to be as stringent regulation but it occurred so enhancing security will be a priority for this committee thanks to the witnesses for appearing in the above forward to your testimony.
10:57 pm
>> thank you, mr. chairman and just as you stated is the history of hearings we have held for data security in breaches so several senators have asked hearing senator baldwin in particular so thank you for bringing this to the forefront. if you start with a massive breach from 2005 then continuing with saudi, city group, a cbs, south shore,
10:58 pm
the parade of high profile data breach has no end and billions of consumers have had their to have personally identifiable information compromised including social security numbers, a driver's license, addresses and for years going forward criminals can use the data to steal the identity of venice and consumers to create fake accounts and i might point out right now we estimate $5 billion per year is stolen from the u.s. treasury just with fake federal income tax returns that they get a refund a unit on top of that we also
10:59 pm
recently found out the 2013 yacht reach -- yahoo! breached 3 million users the biggest in history dealing in the aftermath of the equifax breach involving the personal identification information of 145 million americans. now the most recent is a more troubling question because of credit reporting agencies that offer the credit monitoring services cannot protect their own data and how do they trust any company to protect information? so let me say when you get up against the
11:00 pm
sophistication of the state actors it will be hard to protect against them. >> so sadly the question millions of americans are asking, in the wake is what do we do? so this committee will consider what it will do to make sure consumers are protected. but if we do anything meaningful we must have the political will to hold these companies accountable to have to raise enforcement actions for lax data security practices. the industry has recently
11:01 pm
challenged the legal authority to bring such actions so this piecemeal after the fact approach would be better served if the ftc could prescribe rules to prescribe companies to adopt reasonable security practices in the first place purport already put forward rules that apply to financial institutions like equifax. the agency should have a similar authority for the rest of the commercial sector. so at the end of the day it is deferring enforcement with the stringent penalties to incentivize to safeguard consumer information and notify consumers. i strongly believe without
11:02 pm
rigorous data security rules in place not if but when. we can take action with common-sense rules are start planning for this issue. >> the also hope the hearing can inform those future actions. >> the panel has the executive office and from equifax next to him the former co pay equifax. then the former ceo at yahoo! corporate. the deputy general counsel chief privacy officer at verizon communications a
11:03 pm
part of yahoo!. then we will ask you to proceed with comments starting a mile left to confine your all remarks at five minutes anything you want to add will be included in the written record. thanks for being here. >> good morning. to members of the committee thank you for the opportunity to be here for crow six weeks ago i was named chief executive officer of equifax and never expected to become ceo in this circumstance but i am honored to be in this position. speaking for everyone for those that have been
11:04 pm
breached you can tell from an accident did not grow up in georgia and a native of brazil i had the privilege working most of my adult life in the u.s. and my children were born here. an engineer by training to spend a lifetime fixing complex business problems. said the first act was to address the consumer response so the engagement that they're working hard to fix the problem. lasso apologize to the american people but i promise each of you that equifax will be focused every day to provide support
11:05 pm
for consumers to give them more control side like to review so the highest priority i have visited call centers and is spoken with the representatives i have taken calls from consumers and help to resolve their issues. with a social media will significantly improve the web site and the call centers to make it more consumer friendly. second to revise the corporate structure the chief security officer now reports directly to me.
11:06 pm
so this is a response to the cybersecurity. third we are improving the security infrastructure. introducing the new vulnerabilities and with that accountability mechanisms. those that we are committed to those solutions with cybersecurity and challenges we all face. and finally we promised to launch what gives the consumers the power to block access to their personal credit data. so we're on schedule and make it they can extremely valuable. we have done a lot in a time butiod of this is just the beginning
11:07 pm
so i remind me to everyday so with those capabilities requires a daily engagement and a lifetime commitment. equifax has 10,000 people it is not well understood but helping consumers get the credit that they need. so to protect the data we do not meet those expectations. we are committed to working with consumers and congress and the regulators to restore public trust. this has been my focus with
11:08 pm
the first six weeks as ceo and every day. thank you for your attention and i welcome your questions. >> chairman and ranking member and honorable members of the committee i submitted my written testimony to this committee as well as others in the senate in the house and the written testimony goes into the record of the events when the breach occurred and i will answer any questions you may have. >> chairman, ranking member nelson and distinguished members of the committee, thanks for the opportunity to appear before you today and have the honor and privilege of serving as the yahoo! chief executive
11:09 pm
officer july 2012 through the sale of june this year. yahoo! is the victim of state-sponsored attacks resulting in the fact that we worked hard over the years and as ceo and want to sincerely apologize to each and every one of our users. when yahoo! learned of the attack in late 2014 they promptly reported to law enforcement notifying the users that have been directly impacted. working closely with law enforcement we were able to identify and expose the hackers responsible. we now know the russian intelligence officers in state-sponsored hackers were responsible on the yahoo! systems. forty-seven count indictment
11:10 pm
charging four individuals with these crimes in the user's the other day the fbi praised yahoo! for our pro-active impeachment and november 2016 law enforcement provided us with data files and third-party claims. fromzing it was stolen the company in august 2013 and although yahoo! was working with experts the company promptly disclosed to notify the accusers and to secure all user accounts and personally when field about this and growing up in wisconsin i had my first computer in college. to see how that emerging technology could use the
11:11 pm
world. that i was hired by google. then over the next 30 years there worked my way up to software engineer. so in july 2012 i became ceo of yahoo!. i will always be grateful for that opportunity to lead yahoo! for the last five years my experience has shown me the amazing potential of the internet to change for the better. i am here today to discuss our efforts with the challenges of cybersecurity with those measures that yahoo! had in place to of finance so throughout my tenure we would protect our systems devoting substantial resources to stay ahead of
11:12 pm
the threats. then be roughly double the internal security staff with the leadership a and the team. in addition we also improve the system defense. of sophisticated protection we were extremely committed to those resources thanks for their tireless efforts to address yahoo! security unfortunately coming up against a barrage of attacks russian agents intruded on our systems. that change the playing field so dramatically even those of the most well defended so it's a global challenge no government
11:13 pm
agency is in you. the attack shows that collaboration between public and private sector is essential against cybercrime and in addition as the doj exhibit it could be a deterrent. so to echo the words of the attorney general nomination stage attack is not a fair fight by working together we can help. thanks for the opportunity to address the community. >> chairman, ranking member and members of the committee, thank you for the opportunity to testify today. i am verizon chief privacy officer. with a certificate and longstanding driven to protect and safeguard
11:14 pm
consumer data to build trust of mine in the increasingly connected world verizon recognizes consumer trust is a pre-requisite to compete in the digital economy the nature has required it makes data security a top priority. verizon announced it entered the agreement to enter the operating business so now yahoo! is part of a company that consist of more than 50 digital and global brands including yahoo! news and sports and aol. in december 2016 and announced the dave del was stolen in two separate instances 2013 and 2014. well before verizon
11:15 pm
acquisition so at the time it disclosed more than 1 million of those 3 billion accounts were likely impacted. after verizon acquired it to give this team forensic experts used previously. based on the review we concluded all accounts were impacted by the security incident so bin yahoo! provided further notice beginning october 3rd, 2017 less than one week. after the impacted accounts it did not include social security numbers or passwords and did not include financial information like payment card data or a bank accounts. ownough verizon did not
11:16 pm
root -- yahoo! at the time we understood that they took action around the time of the announcement to protect the users accounts. they require a password changes if they had not been changed since 2014. they also invalidated unencrypted security questions and answers. they took these actions beyond what was impacted so this means they took steps to protect all users including those that were individually notified. proactively enhancing security is a top priority. we track the evolution of attacks and leverage technology advances to apply more advanced protection so
11:17 pm
as part of integrating with two strong existing security teams to examine those practices to apply the best practices and tools to create the advisory board consisting of the external security experts with the overall approach for crow security has always been in verizon's dna and for us to meet the security challenges of the future. we are focused on the needs of our customers we expect that will be secure. as a result we go to great lengths across the network and platforms and products with substantial resources to extend assets including those acquired with the transaction of yahoo! her call with the benefits of
11:18 pm
resources with the highest level of accountability we will continue to strive to stay ahead of the ever revolving threat. thank you for the opportunity to testify a look forward to answering question. >> chairman and ranking member and members of the committee thank you for the opportunity for these data breaches touching the vast majority what is necessary so almost 50 years we have provided solutions for a the identities with banking and government it is a foundational element the way they build their financial lives that value is the primary reason it is targeted that would be too significant data breaches.
11:19 pm
with the evolving and sophisticated task with greater connectivity with every aspect. so 43 percent could all be traced to a malicious actor. to use this information to gain access and once compromised in is consumer identity. with those most recent breaches the most identifiable information for millions of american citizens for the focus is to examine the recent data breach to ensure the of safety with those options for the future for regarding those issues of consumer data to date they are
11:20 pm
challenged by increasingly complex systems from other well organized groups. no system is free from vulnerabilities. so there are documented best practices. so it is the result of common security mistakes. so today a substantial amount of the basis of identities and with driving responsible behavior writing in answer to the underlying consumer identities. it is critical to respond to recover quickly to ensure consumer data is no longer a risk.
11:21 pm
that provides a nine digit number or social security card is issued at birth in difficult to change so while we made substantial advances and the recommendation is with that framework that is through that given industry collaboration with those partnerships around the world that identity framework allows citizens to utilize the morsi to reduce the breach or compromise so it could minimize risk and allow a consumer to cover their identity. that system today is broken into the secure this time to leverage available
11:22 pm
11:23 pm
11:24 pm
not been able to identify that intrusion receiving files from law-enforcement we verify that it came from yahoo! we don't know how it was perpetrated. >> why the delay? and then to underestimate yahoo! did not know of the intrusion in 2013. it in a very short period of time that it was most likely from august of 2013 and notify law-enforcement and other users to take action
11:25 pm
on the accounts at that time we estimated more than 1 billion users. there were recent amounts from those the nederlander with the company. >> the 500 million originally then jumped up at 3 billion. >> into calculate those. >> that 500 million number was the fall from 2014 to reach. >> in prior testimony with that vulnerability and compound it by that scandal should have detected the failure but didn't.
11:26 pm
and that vulnerability could persist for several months without corrective action. so the company that holds the most sensitive information i hope you can understand why this is so hard to distained. can you explain why there were not more redundancies built into the system? you testified nore weaknesses have been addressed and also elaborate on how? >> so to be certified with of protocol with that open source software.
11:27 pm
but that scan did not find those vulnerabilities. it was human error along with technology error. >> so why wouldn't you have more redundancies built into the system? that just comes down to one employee? that is hard to fathom. >> that scanner did not work as well. and to identify the patch then to go back a week later with a scanner. >> so can you elaborate? on any further steps since the breach?
11:28 pm
>> we installed shortly after that scanning technology that new generations scanner with some process changes. >> so with those systems and our company a comprehensive talked to a review and we're strengthening all aspects of operation including our capabilities and dancing and updating the tools to make sure we have the stronger policies in place to have
11:29 pm
more redundancy with the closed lips to make sure those actions. >> have you disposed of the data you no longer need?. >> so whatever is necessary spirit but including the encryption. >> so that would be displaced. >>. >> n we had these hearings before we will be having a lot of these hearings again at this point we are
11:30 pm
11:32 pm
11:33 pm
tackle this problem. there's data security data breach legislation, legislation should all of the security teams to understand that security is instead a, sorry changing. the tools are getting better, the intelligence we're gathering is changing so we're trying to improve our security systems to improve and keep up. >> that's a good intention. but, it's going to take more. it's going to take an attitude change among companies such as yours that we have got to go to extreme limits to protect our
11:34 pm
customers' privacy. mr. smith, you all hold a lot of financial guillotine over a lot of your customers by virtue of what your credit rating is. so if your data is not protected house were to buy house and he's got it ready and has the down payment and that he cannot get a mortgage because now he is a black mark on his credit rating that is is not real, but has been placed there because of the data breach and the poor fellow can close on his house. this has huge consequences. what are you going to do about it? >> there's no doubt the security
11:35 pm
data is the core value of our company. i also apologize deeply to the american public for the breach that we had when we let the public down. i agree with the other panelists. the accommodation between public and private to address issues. my 12 years of meaning the company's an increase in cyber attacks is remarkable to see it's not unusual for us in any given year to see suspicious activity is unwanted attempted attacks. >> okay, but didn't you describe the faxes the victim? the company failed to secure the vulnerability that led to the breach.
11:36 pm
was equifax really the victim? >> i agree were victim of a criminal attack. >> do you consider this to be a victim? there's been many victims in the case of the breaches. the impact from hackers moving in and caused me to be a victim. >> well, deeply they had adequate security measures in place? >> based on my understanding were talking about patching security vulnerabilities in a timely way we seem the disc the
11:37 pm
breach, this is what isaac just you. >> i don't understand your question. do consider them to have had appropriate security protocols. >> i would not recommend suggesting that was the protocol so, equifax is not the victim, that support customers of equifax. >> i believe both are victims. >> this is a public-private partnership will i wonder if
11:38 pm
also you could apply to if you could do user id numbers, and i'll ask mr. wilkinson to address this question also because in your testimony you talk about dynamic is a way to address this in the modern age knowledge shirts. >> some sort of digital identity that might last for three years. go to mr. wilkinson first and then back to mr. smith is a system working better for the consumer and brazil is against
11:39 pm
this onslaught which mr. nelson described in his question is in the cases of a social security number you we can framework the there's many tools today that companies are using for these that help overcome the vulnerabilities we see. some of them have to be deployed as we talk about the results numbers as a primary form of identification. skies have additional examples of what we see other countries during that i want suggest best practices that would be
11:40 pm
important for committees to look at. but our recommendation is moving from the situation the united states is no longer secure. this that was issued by the federal government is a providing a citizen with a digital identity that they can easily certain transactions, high security needs, digital requirements and it has a -- like. the way they avoid that is more secure in makes them more resilient than what they are today. >> in your view the consumer is better protected than this brazilian system? >> what do you say? i would agree.
11:41 pm
that there's some digital multifactor authentication. >> as you suggest legislation and it might be all five members of the panel advocating legislation. in general over this legislation look like? >> the two key things data breach legislation or number one the net national framework so that we have one standard to comply with is were stopped funding to the data breach, number two, it's important etiquette standard) when we notify customers. it's important to notify customers, they really need but also make sure that were not notifying them so often about so
11:42 pm
many things that they stepping attention. >> would anybody like to take issue with senator nelson's overall conclusion against the state actor like we have seen? i'm years company is unable to understand that without going. december disagree with that? no takers. thank you. >> thank you. >> thank you mr. chairman and thank you for having hearing that they could to the witnesses for being here. i think almost every american consumer at this point is where the of the unacceptable risks that are entailed in many of our business practices, risk to their privacy.
11:43 pm
information that they expect and reasonably anticipate will be safeguarded by companies that do business with them. and where their customers. the equifax breach expose the limits of the trade commissions need to protect consumers the trinidad negligence. under current law even some of the most egregious example can be met only with apologies and promises to do better next time. fines were other penalties, real deterrence that provide incentives to business executives to actually do better.
11:44 pm
the real deterrence will, those penalties are imposed on executives like the ones before us today. the entities that hold our data can be trusted to protect it, then the government needs the tools to not only go after hackers and thieves but also hold companies accountable. since legislation in the data breach accountability enforcement act of 2017, including nonprofits and can impose civil penalties sufficiently strong to motivate companies to implement strong security at the onset. this area truly an ounce of prevention is worth a pound of cure. in many instances there's no real cure.
11:45 pm
when you were here last, i think it was as you are on the senate side at least we can be for the judiciary committee and i asked if you could commit and none of your consumers would never be required to go through arbitration. you said you are no longer with the company cannot guarantee small to ask and i appreciate you being here today. i have the same question, can you guarantee that no consumer will be required to go through arbitration services. >> senator, i understand the question on the arbitration that needs to be removed, arbitration is a tool used by the consumer
11:46 pm
industry. we have you said to in the light of the law, will continue to go through the process and examine the use of this. >> i apologize for interrupting you but my time is limited as you understand. so, this is one of these yes or no answers. can you guarantee you will use arbitration? i understand all of on the on the one hand, on the other hand, sexually. consumers expect to have a right to go to court and have the rights vindicated there, can you guarantee that you will not force arbitration? >> i believe consumers have a choice with the product. >> but if they choose your products they will not be forced into arbitration.
11:47 pm
>> to know the difference between a credit freeze in the credit lot? can you guarantee that the credit lot if you use them will be subject to consumer protection under the state laws were consumers live? >> we understand that we use freezing mark. at the end of the day for the consumer the same result will. the state law requires regulated process for the previous. >> credit freeze are regulated by credit locks. is it to avoid state oversight
11:48 pm
and scrutiny. >> no. simple to use more access, easy-to-understand for the consumer. >> my time is expired. q hope will have a second. >> thank you mr. chairman. thank you for being here. to think consumers should be able to see the same information their pain uses the bank makes a credit decision. >> as we have is industry not done a good job representing the consumer how we play in this process is information is provided by the consumer in the process of acquiring the card, opening a credit card, most of the times the financials. >> when the bank evaluates my creditworthiness they get a bunch of data. i don't get to see what they're
11:49 pm
looking at. to think i should be able to see what they're looking at when evaluating my credit worthiness? this is also probably a yes or no answer. >> you have access to credit report, most of the time is used to make a decision and the credit report is the same way score is the same as i have. >> the information so-called customer has is all that a bank is provided by a fax? >> i don't know what. >> you sound like you wanted to correct. >> if a consumer is going to a bank to apply for loan typically
11:50 pm
the underwriter they have an access to get free i think what you're referring to is the banks don't just use like a standard fico score. that is not disclose about the individual consumer. >> are we are customers? the peoples who dad's preacher we are customers? i see that. >> we have customers and consumers. >> it seems to me there's a line on this which is to say not to excuse what happened but is different. incentives are different between the credit report agencies who have zero financial incentive to get it right.
11:51 pm
you guys enter from the department of homeland security that there's a vulnerability, your scanner doesn't work, executives cash out their stock. then you have people lock their credit. you then start to promote through lifelock you have commercials with my foxing there's been a breach, you might want to use the product. lifelock subcontracts equifax and you continue to be profitable on the other side for verizon and other companies, if you screw up with your customers there's a customer relationship sets freight. but in the case of the credit reporting that the foundational problem.
11:52 pm
is there's no incentive on your side to do anything other than changes to solve the problem you cause. no incentive to spend the money it would take to transform the company to actually treat us like customers because their lenders. they're not the ones that got harmed through the breach. >> i think the biggest incentive we have this for consumers to keep the data. >> but that's not fiduciary. you have an earnings call and you're going to report that everything is fine. maybe even that you may more profit than usual i would be remiss if i did not mention because people back home were all of us live cannot understand
11:53 pm
ceo of equifax and yahoo walked away with $90,000,000.27 million and possibly a quarter million dollars in stocks. this is unfashionable. understanding say this is in the proxy separate the board is, i understand that but you people don't understand that. they shouldn't understand how you harm consumers and then walk away that small city or county uses for their annual operating budget. it's not fair and it's why we have an obligation to make a law. >> mr. by asking this question
11:54 pm
so as this determines probability. it makes the decisions about how to invest in this case the data security based on events happened. my question is, before the breach has occurred at equifax and with both companies, what did you expect and say to executive committee and your board of directors. the probability of a breach occurring in was that probability today to calculated what they were and made decisions about them is what the, but the as is it was different prior to the
11:55 pm
original breaches? >> we don't calculate the percentage probability, we have enterprise risk management for ten years as data security is the most high risk, high probability risk we have company. if we had cyber security event it be detrimental to the company. >> does that mean you would expect a breach? >> the probability of a breach is hot as. >> is a calculation different today is based on the changes you made at the company is it still the same probability of breach prior to the earlier
11:56 pm
breaches? >> we believe today were better than what we were for one reason. you have to make significant investments is. >> so how much more money are you spending today to prevent a breach from happening. >> is a natural response there's been a significant more money in that process. >> what percentage increase has occurred as a result of what you've learned in. >> expect to have a specific spike on the cost. >> you spend 50% more today? 200%. >> four times more. >> and as a result is it less likely a data breach occurs the company then it occurred before?
11:57 pm
what is the reduction the probability. >> i don't have a specific number. i can say we believe it's better today. >> what it be better if you're spending six times more? or is it technology out there that you could prevent it from happening? >> were being advised by specialist. >> would yahoo answer this question in the circumstances. >> we have one of the most valuable databases in the world because of the sheer number of users contained there is we describe this as an arm's race. hackers have become sophisticated. >> would you have predicted a breach? i assume the answer is normally would been doing more.
11:58 pm
>> we did not correctly percentages for investment security we took efforts which included a factor of two, we empowered users to opt out of passwords star, increased encryption to thwart hackers, where reduce the bounty were outside developers could report vulnerabilities and we would work that calls for we hired outside teams to attack us and tell us where weaknesses were. and then ultimately identify when intrusions occurred. we took extensive actions. >> is the probability of a breach less today.
11:59 pm
>> we don't calculate the probability of a breach. >> are customers more secure today than they were prior to the breach? >> west expectation is that the less expectation that their data is at risk for an early age? for all. >> verizon has always taken security very seriously. being that same focus and intensity that we brock turner our network what seems to be missing. >> which seems to be missing to the insurance that is the customer is and should have a sense that they are safer today than they are before. i don't have insurance that's the case. we ought to be concerned today about reach your goal and what i
12:00 am
hear is were taking tabs we to believe other companies in a similar business reach that would affect consumers if there is a breach reaches companies they is moldable to breaches us this is not limited to your company has been not limited to yahoo or fax. businesses just they're just as vulnerable as you have them? >> in addition in response to the breach we took significant steps causing users to reset passwords and changing correction asked in the access that internal employees have low systems. spot by all means we did respond to change a lot of and and therefore today is a customer i
12:01 am
should feel better than my dad a safe? >> there's no question that the users are better protected today's breaches because breaches were detected money necessary. >> are you spending all the money necessary to increase that protection? could they be safer if you did more? >> certainly during my tenure there is the case security and security. >> the security team value their job against any and all it is to defend against any and all attackers and that's what were trying to. >> and the company provides them with the resources. >> to any of you disagree that the federal trade commission has jurisdiction over a your data breaches and has the ability to regulate was to penalize if there are breaches question tcs smacked you agree that ftc's
12:02 am
your regulator? >> make sure the regulatory perspective is in place certainly. >> certainly for the yahoo accident telecom telecom saw it's a complicated question. >> thank you. in the absence of the chairman recognition senator. >> thank you. question i know mr. to start with the question of the panel will consist i identify few have any information today about who hack with facts, who possesses personal identifying information 145 million americans doing what you believe thing to do and i. can you identify patient if any
12:03 am
of you have that information today. >> known as. >> we engaged in the on august 2 it. >> in our experience once the breach has occurred state everyone owns the data because it's in the public thank you. >> thank you. the real nokia equifax breach compromise the personal financial 4,145,000,000 americans. i can't begin to know what we can't even begin to know what ramifications will have this really have individual to the families and individuals that are impacted. i think it's clear that a good for her needs to do more than have response to help victims respond to this breach right
12:04 am
here and now that you make a commitment right here now that equifax will notify every person who is impacted is breach? yes or no we. >> we have been working with consumers and have a social media or web-based to make sure social media work is active. is teamwork and i have a team working every day to make sure area. >> i know you backed it in areas were state laws and demands that you do so. i wrote doesn't are you going to reach out to check every individual is believed was impacted to let them know. >> we will execute morning to the long as accident if there's an absence of long, you want to anything? >> were actively engaged to make sure that the --
12:05 am
>> equifax have to go set up a poorly functioning website find out where they could go to the website if they were in fact. how many people have gone through this process? we. >> is we had's to 400 million individuals. >> you know how many individuals? >> 30,000,040. >> item 145 to center et cetera. >> you mentioned call sentence in your testimony, were faxes call centers? >> in florida and nevada las vegas it was the two major ones are like city is the one in las
12:06 am
vegas. >> any outside the united states? should. >> we use call centers in costa rica. >> another practical question. >> malaysia, india, most of the colors you are hearing u.s. is out of the search. i. >> tax credits now offering free credit blocking for credit monitoring but only a free credit report monitoring through january 31, 2000 need to offer you make a commitment that the facts will offer creep you free
12:07 am
credit monitoring for life? >> if you enroll in january you have another 12 months to use the product. the new product we put in place for consumers cannot credit file free will be available for life. >> and monitoring? i victims. >> victims of this breach only to be able to control ourselves from all three to the reports from all three credit agencies. the other. >> will you be offering rebates
12:08 am
is to the victims to cover their freezing crawford with the other reporting agencies? >> host: i believe the resolution is to be want to protect the consumer and sustainable. it has to be skillful an industry driven. we have a first step forward service to offer a service that consumers contact to lock and unlock the credit data for free. we want to make sure that we have a similar capacity to you your firm recently completed stock trades prior to the public
12:09 am
disclosure of the breach and hack special committee report on the words that none of the four executive circulation insider-trading. report failed to mention that equifax chief legal officer, john j kelly prove some of the stock sales on the same day the eye because the fbi company alerted that the company had a problem. weeks to it took mr. kelly two more weeks executive there were no longer allowed to sell stock. yet this is an appropriate. the report doesn't even mention history kelly said he still works for a quick five. both mr. do you believe mr. kelly's here to was appropriate? >> i think it's not my perspective to provide is it was
12:10 am
appropriate or not. the board has actively defined the correct form. the special committee continues to review the process to review the process is related to the cyprus the incident. >> only thing i would say what is there's a full investigation, you saw the report published earlier this week or last week. it's not unusual for us to engage outside forensic experts or the fbi we have three to 4 million's this suspicious activities in attendance. it's not an on you.
12:11 am
>> thank you. thank you for see. >> chair and recommending to the chair and ranking member holding her so her serve the facts and the concerns. there's about 3 million people in nevada million and 1.3 million are impacted by the breach. received 4000 letters conceived over four dozen letters cartilage. eleven to say no citizen has a say in the reporting practices to start. i did not true sacrifice to store information nor did my husband and children. yet it is there in the affected not do enough to protect her information. to data collected a lot of drill down into the data that was collected. we should be looking at that. the breach for my understanding
12:12 am
of the breach, the data that was collected as consumers needs of consumers, social security numbers, driver's license conversation true and credit card information, is that true? yes or no. >> in some cases, in some cases no. >> what other data you collect other than what i just identified? >> most of the data included your numbers excluding members, name,. >> what other data do you collect? the record that is providing if they could please provide me with that is curious, does yahoo collect driver's license number? >> that's knowledge. because to me the data breach. >> the data breach that happen at a factor physically.
12:13 am
real-time happens all the time it's getting crazy getting cleaned we have heard it, what i from from what i've heard security is cyber security is a challenge. all it's incumbent upon all of us included effectively curies to not only have the always evil sophisticated protect security ensuring that you are protecting has data. counseling enforcement should you should be held accountable to notify the consumer should be notified there should be restitution. because to me this is about the data. even those individuals that you work with those who credit locks increases their data was still breached, correct? because right, so it doesn't matter. social security number and i see mr. olson your audience is that correct isn't that correct? consumers. >> yes shouldn't outline consumers had no one at dinner
12:14 am
out with the data that i want to share with you. >> this is part of the way the economy works. as when a consumer goes. >> the consumer doesn't have a choice, so doesn't have a choice on the data as your collecting. i know i know it and quite frankly, the credit report sacred theology do not tell me all the data you're collecting on me. >> it's is was attorney general for eight years in nevada, identity theft and nevada the countries through the roof. still is what is egregious about what lives now for the rest of life, all the people i hear from the 1.3 million people whose identities are stolen they will have to clear the record for the rest of their life.
12:15 am
people can create crimes in their name. i've seen it. they're spending their lives clearing their record and their good name. so just that's why this is so egregious and you have an application to not only look at the data you're collecting there is but make sure you're protecting it restitution and you're doing everything you can still to bring restitution. mr. will talk about the data and social security numbers an idea that we have to look at it differently and identify the iis. we have anything specific on what we should be doing shared or like that that data that's been shared eclectic? is just to make his first bridge in the case of these breaches we of the items of personal information that was week. when you combine that with
12:16 am
others were getting very close states to the information that has been breached in some way so what are you trying to contact? in the case of financial card like the target breach from several years ago that we testified your all, that time i think there's a good point to consider in contrast with those. actual payment since the financial payment system is reasonably resilient. it was as consumers despite the fact it was a burden for consumers to have that fraud remediated folders and the ability to do commerce is relatively resilient in addition to liability is the shores of the financial cards, so looking
12:17 am
to some examples of the system is an example. identities are out there. i continue to reinforce that her position is that recently we believe a more resilient framework used to be brought forward. i know. >> i'm running out of time. throughout the i agree that identities are out there. tour kids, it's not too little and we need to look to the future protect their information. me something not static address we have to figure out how to address issues the different for you talk about the government coming up with something different. there should be a public-private partnership. we have to figure this out. choice were taking their data
12:18 am
and they have no choice. information or monetizing the monetizing it, then they can start killing dealing with the results of a breach. thank you. >> thank you mr. chair morning to thank you and good morning tour family is as this is a question to the payload most relevant although the most relevant example : spot we can call on is a response from the facts which is a major data breach. their state laws requiring public and private entities to notify people when their security breaches. the lowest these represent the most telecommunication required. companies i'm interested in what companies i will do consumers affect to help notify those affected stores sorrows is know
12:19 am
you stated that equifax has taken steps to further to consider is your satisfaction in your complaint. only after the seems to have come only after public outcry to the initial response. can each of you elaborate on what decisions union companies take into account when determining steps to remediate the damage done. >> will all is lost a research we took this very seriously the state requirement for your. >> i'm asking beyond that. so what you guys so what are you now deciding to do beyond that and what consideration are you making? >> one of my top priorities have been from security response. on the consumer we made our call
12:20 am
centers more scalable. you can get in and out and have access with a three-minute. >> prolapse i'm also talking about proactive efforts to notify consumers the on the requesting that state law gives you. >> we've been working with consumers to make sure that there using the services we provide for free. you free on them all introduce our locks free for life. >> in the process we did use was legal and acceptable. i think that is question. >> the other pets not my question. for what are the factors you're considering went to notify a consumer is?
12:21 am
>> @yahoo we take a proactive stance to the nature of our business which is to say that was very from state to state. frequently of his vacation was required we did it everywhere. accuracy and comprehensiveness are very important as well as analyze how data may have been misused and be swift in response. >> @verizon we look at what the law requires that the cap what the right thing for the custom customer. >> our company doesn't hold consumer information so applicable. >> i want to follow up
12:22 am
tomorrow's about the difference between credit lock and credit free services. placing the freeze on it is one of the best ways they can protect themselves. the facts will do freeze and at that point the company stated testimony mistress that will offer consumers the ability to lock the credit for free. you sure the legal differences between the credit lock in a credit freeze access and who has access to this report when it is frozen versus locked. >> is fundamentally there is no difference between a locking freeze. when you freeze you use a
12:23 am
regulatory process, you make a phone call and identify yourself. you could append and are ready to execute freeze. when he did the lock it's a simplicity of the process. financial institution try to get to your file for situations there frozen will as i. >> my time is up. there are experts who disagree the terms of your statement that there's no difference between freezing a lot. one thing i will follow up is the fees that equifax gets from helping consumers on fleecing or unlocking information. i thank you for your indulgence. >> i think the panels being here today question to start the question to you, to your
12:24 am
knowledge has any information breached, his driver's license, social security, birthdates and addresses, did any indication those customers any of those folks was his data was breeze has been misused? did you have any indication the release of their data to make other purchases. >> it's premature to make an assessment. >> what about in terms of yahoo and the data breach. did you have any indication that yahoo that an individual's data had been misused. was that a red flight? >> now. we saw no volume of reports. we did a lot of bands protection against threats to notify users if we saw information that their
12:25 am
account is being used by a state-sponsored attacker. >> so, in light of the fact that all the information was of the public domain, out there in general we would assume that, does it surprise you that none of this information has been used in a way that anybody can detect at this point. >> it would surprise me if it hasn't been recently given the time frame. >> it surprises me as well. terms of how. >> you talked about how individuals are contacted noting that yahoo has a direct communication through their e-mail accounts. are the data collected this not indicate any e-mail address or phone number could send out a
12:26 am
mass warning signal. so your customers have to opt in when you've been on social media telling them how to do that. i. would that change your profile and having more efficient and wider spread we to disseminate information to the information your collection? >> it frustrates us because we would like to have more with the consumer. you have improved significantly our website. it's more friendly, we have more phone numbers available test questions. a website our website has this as well. were proactively doing this through social media we want to
12:27 am
make sure we respond in direct to the right solutions. >> is people want to talk with you when they see something other credit report that they don't agree with. your company through the years has realize this is an enormous problem there's a false entry on their credit report. especially for next on the credit rating. i know it happens frequently and try to correct this problem will i would hope having myself try to do this for my own personal credit report and how frustrating it is to get through to will rise trying to get through line to register a complaint to work through the process, it's time-consuming and difficult is the i would assume
12:28 am
those processes are tightening up in light of a security breach receivers. in terms of consumer friendliness. >> it's one of the top concerns i have and how to talk with consumers with and have a better way to communicate. >> also interested in your proposal to like information as individual he said it would be onstream in january the customer could opt in or out, lock and unlock their own personal data. how does that work is in terms of your business framework? the consumer locks the data out are you blacked out that dad i in terms of like if somebody wants to purchase a home or
12:29 am
something? >> we need to make sure the consumer has power in their hand. >> may have locked file a block you should be the information to be. >> 's think his editor. next up was senator carter. >> thank you to our witnesses for being here today. i have questions about your filing your information. i've heard that it's personal identification information. who owns the information that you provide to your clients and customers? >> a according to the regulatory framework we own it. >> can they say we don't want you to have that information?
12:30 am
12:31 am
perspective as it is right or wrong from the perspective we work on it. >> who owns the credit card information that you have come about you at that point, correct? do you think consumers should own their data? should consumers own their own information? >> yes, ideally they should. >> should we be able to control our own information? >> they should control the information. >> but you're saying that it can be hacked by somebody with consumer control. >> nobody has access to the file. >> to say i don't want that
12:32 am
information to go to experian or transunion? need to understand how the economy will behave in that perspective. >> in the consumer dispute portal that wasn't addresso correct? >> correct is that if the answer is yes as you said it was with t the fact remain unencrypted, the results of an oversight or is that a decision that was made to manage the data? >> there are multiple tools they use. masking, firewalls, multiple layers. >> for the decision was made to leave it unencrypted. >> correct. >> the breach that you directed to encrypt such data.
12:33 am
>> we have done a top-down review of the security situation we used the companies to help us. >> yes or no question. the data remain unencrypted? yes or no data remains unencrypted. >> you don't know the reason is that correct? is one format of defense and we have several in place now that can prevent this. we have several different tools and encryption is one tool.
12:34 am
>> of the entire environment which the attack occurred is much different but the more moderatthat the moremoderate enh multiple layers of security encryption is only one of those levels of security. >> is a safe methodology to leave this unrest? >> i think we've spoken at the high value it can be used for today. the encryption is one of the tools, but certainly from our company's perspective it is to be used for the data of this type that is of a high value. >> so it is irresponsible to leave this. other segments of the industry of the payment ecosystem requirements on the requirements that require this credit card data and things like that to be
12:35 am
encrypted. when did you notify the other credit reporting agencies about the breach? >> we notified them and the public. >> september 7. >> we saw this activity solve the 29th and 30th of july on the seventh of september. >> so that's when the other agencies also received that information. >> yes. there've been multiple investigations. >> thank you senator. i thank the panelists for being
12:36 am
here today. you were the ceo of th a data breach in all of human history. you testified here today that the 2014 breach was state-sponsored but you have not concluded that the 2013 was state-sponsored, is that correct? >> we have not been able to determine who perpetrated the breach. >> you testified today and you didn't learn either data breach until 2016 is that correct? >> i learned breaches at the scale reported in 2016. >> in december 2014 we saw the intrusion and 26 individuals all with connections of interest in russia with accounts compromised and we put in place a special notice for those that had to be
12:37 am
dismissed by a user action to make sure they were aware that this had happened. >> is that correct you didn't learn of the 2013 breach until 2016? >> that's right. >> what information can you provide that supports the claim? the board formed an independent committee and have reported on the findings. those are the facts are l for your presence today and i represent 6.5 million hoosiers, 3.8 million jurors come to 60% of indiana's population are impacted by the koufax data breach -- equifax data breach.
12:38 am
many of these won't be discovered until years down the road. when she finds out the credit what does that equifax do to remedy the situation for that -- what does equifax do? >> that was the idea behind the lifetime ability to lock and unlock the file in the prior hearings. >> in the prophylactic it seems like a good thing to do.
12:39 am
i will say we've had these massive data breaches and to the basic sense of fairness that most americans at the top executives plead with tens of millions of dollars when i see the united states navy fire officers in the pacific on account of some sailors that died in the wake of the uss john mccain situation that they were separated because of a loss of confidence i think this is an issue that we collectively in congress need to start discussing more seriously if the free enterprise here in the united states are taken more seriously when things like this
12:40 am
happen. it offends the sensibilities of most within months somebody leaves with hundreds of millions of dollars? >> i left with nothing except attention. i waived my bonus coming next year working for three months or six months for free as an advisor capacity. i've been talking about big business in this country and i would like to touch on one policy before he moved forward. the idea that the credit reporting agency moving forward will give the right to request
12:41 am
blocking access. can you pledge that five years from now. the industry can't charge to lock or unlock an unlimited number of times each year. it is free for life and we welcome the conversation with the rest of the industry. thank you mr. chairman for holding this hearing. we've had several larger commerce committee hearings on
12:42 am
cybersecurity certainly summon the energy committee and the armed services committee has had some. now it's time for us to be very serious about passing the legislation as we did out of the senate to help us fight the issue of cyber crime and help strengthen the critical infrastructure against the attacks. but these are not the only things being attacked. the power plants, pipelines, the whole variety of things and we continue to grow the economy of the internet of things. at the hearing we had yesterday i guess we also heard about how more devices and collectivity means more data for people to attack. i hope the committee will join in the efforts for cybersecurity
12:43 am
legislation i hope it isn't too soon to act. i want to bring up that there's 3 billion of the washingtonians impacted by the equifax according to my information. a patch was available that wasn't implemented like a basic hygiene issue is that correct? >> this is correct. >> why can't he answer that question, because he doesn't know? >> he wasn't present at the time. >> okay. >> this is my understanding of what happens in a combination of the technology because he actually lives in this process. it wasn't implemented by an employee of the reason is i understand the dual role but we
12:44 am
have to do both. the issue of cybersecurity is here. it's a national security issue, it's a future issue on identity theft and the ability for individuals to protect things that we have to do both at the federal level of the game and make sure that we are making enough to help the critical infrastructure. what do we need to do to get people on the same page and fighting cyber crime? we need to make sure everybody gets the hygiene of the day-to-day business and your home computer and everything else will be at the critical aspect of the world we now live in. so, i want you to know and be able to speak to the fact one individual failing to put a
12:45 am
12:46 am
scope that is ahead of that in many perspectives and definitely welcomed the conversation. i would say that we need something more at this point in time. if on the hygiene issue one employee was missing something as critical as this and put so much data at risk that we need something to make sure that this is implemented, does anybody else on the panel want to answer that question? >> what we are speaking about we were aware of it and march and this is a zero day vulnerability. they are serious and they have beeney for often as we would like to speak about. when we become aware of these
12:47 am
threats come our need to react as quick and has to be conclusive. this is something that we will continue to see. it is an new and it is going to continue to happen. it is a concept that you continue to speak about as an important one because i liken it a little bit. just because that isn't going to protect you. that is my point exactly thank you so much for that. you just explained we have the national labs working day and night with an unbelievable amount of attacks happening every school day.
12:48 am
getting a skilled work force this committee at a hearing on that we need companies to follow a hygiene with great religious for. if the state actors continue, we need to do something that we need the companies to follow a hygiene and be religious about it. >> thank you senator cantwell. tos is the impacted is going have on my hundred 40 million americans in the case of the breach over 4 million in my state and i just want to expand a little bit before i have some questions to mr. wilkinson. i want to be clear this was a
12:49 am
vulnerability that was discovered and there was a patch created. the information went out and that means one of my understandings when this goes out the bad guys find out about them as well and they are broadcasting there is a vulnerability people can figure out pretty easily so at least some of the experts i talked to have said this is not a sophisticated hack. it was pretty simple because the roadmap was pretty much put out for folks to take. so we have had discussions about national or state actors involved, highly sophisticated networks. this was a roadmap for the bad guys and they jumped in and got in is that correct? >> it goes back to the discussion of when they create a roadmap as you said just why you say they needed to respond
12:50 am
quickly to close down those threats in the ecosystem is important. >> i want to paint a picture for the public the roadmap was put out for all the bad guys that want to do us harm and there is a vulnerability. they have the most sensitive information and as we heard from testimony earlier we do not have a choice in the matter. companies can collect all this information and they don't even take the time to look at a roadmap that has been put out. i can't think of a definition of the negligence anywhere than a company that has been interested in the most sensitive data and customers didn't have a choice to hold it. i didn't ask equifax to have that information, no one did that. you are holding the and don't take
12:51 am
the precautions when a roadmap has been put out. sometimes the criminal may wait before using the data. so it may be a while before we see it being used. i think it goes back to my original comment which is this type of data. we have to worry as you mentioned that there's free credit monitoring for one year.
12:52 am
only 12 months when we currently have to worry about the rest of our lives. [inaudible] the consumer can lock and unlock their file and it is free for life. >> that it is only with your company. this information can now be used with all of the other acts of credit reporting agencies. there's all sorts of avenues that you can basically use this information to create a false identity and you are saying your response as a company is you can lock your credit with us going
12:53 am
forward but you still have vulnerabilities with all of the other agencies. this is pretty simple if you are a bad guy just go to one of the others. if you are getting information of mine and i did not ask to have that information given i understand you make money when you provide information to financial institutions. today i don't understand why i don't have the ability individuals for any kind of agency.
12:54 am
12:55 am
privacy. they adopt reasonable data security protections. they propose peace n instrumental role in ensuring that they were in fact repealed. broadband providers like verizon argued that we needed a light touch in the regulatory framework like those governing websites. 3 billion account users have now
12:56 am
learned that light touch means hands off, no protection, free range. and now because of congressional action and show the most sensitive information into the reasonable data security protections and avoid the fighting consumers when the sensitive information has been compromised. you stated that verizon would support the national data security legislation. but actively and vigorously lobbied to eliminate the data security and privacy breach notification protections.
12:57 am
how are these consistent? >> they believe that there should be a framework when it comes to data security. we do support legislation in both of those areas and we would be happy as i said earlier to work with your office or other members of the legislation, but we do think that there should be one overarching framework. >> here's where we are. now we have nothing. so coming you repealed the law that does require that there be protections and now we have nothing. from my perspective, you didn't have to reveal one of comprehensive data security.
12:58 am
that is the problem that we have right now that we have very strong data security privacy protections on the books. at the senate and the house earlier this year so as we sit here, we hear concerns about the need to have legislation. we have it and it was going to actually work in terms of ensuring that we would have the regulations that would be put on the books, but instead we don't have anything. do you think that it was in the
12:59 am
public interest to eliminate the data security breach notification protections if you could go back in time earlier this year would you still move comes protections on the books? >> decide what, senator. we think there should be national data breach protection. >> you advocated protection. we had a stronger regime that was in place and was going to be made even stronger and that is in fact what the american people want. they want real accountability from the private sector in terms of the guarantee that there is security around the data that goes to the very identity of who people are as citizens of the
1:00 am
1:01 am
for the credit monitoring services, for example, equifax loss of social security numbers and dangers the well-being of the nation's veterans who receive the va disability benefits. if a veteran is not comfortable going online, he or she can manage the disability account by fax so for example, a veteran can fax a request to change the bank account and they will be
1:02 am
made if the form includes a social security number that matches the name of the requestor. this policy and processes likely created in the era when the social security number could serve as an effective authentication tool. obviously that is no longer the case. my question to you is simple. following the millions of social security numbers, but concrete steps that the company take to notify government agencies into the united states department of veterans affairs of the need to strengthen the authentication policies to prevent the veterans from having their benefits to one. >> to make sure that we enhance the communication process and have solutions that would allow
1:03 am
the office to be informed about how to protect themselves using the services. >> when you went public with the information on the breach when did you contact the department of veterans affairs to inform them of the significance of the breach and what they would have to do to strengthen their process? i asked my people to make sure that they contacted the associations and they have done recently, a few weeks ago. >> so, was anything done, you know, when the breach was known and when it became public? >> specific to the veterans? >> to the veterans department of yours and defense. >> not that i am aware of.
1:04 am
>> so, you just left the veterans exposed. >> i would like to know, so please find out and provide me with that information. so, the fact that the disability benefit is an urgent problem that can be financially devastating for veterans who need the funds to pay their rent and afford their groceries and keep the lights on even when a veteran notices the benefits was not received and contacts the da does represent a first step in what is a complex maze to get restored. thinking back to when this occurred you will see that they will be suffering because you didn't call the va or hopefully you told them.
1:05 am
the financial institution where the money was sent erroneously that it received information they have to work out an agreement with the financial entity to return the funds back to the u.s. treasury department general fund. then they must get a confirmation from the treasury that fraudulent payment was actually recouped and then return them to the va before they would send the money back to the veteran. and in the best case scenario process can take weeks or months. my office has organizations of the need to notify the members of this danger and i'm working with them to strengthen authentication policy and procedures. however, given your role in the safeguard of the critical data, i would like the commitment to work with the va, the veteran service organizations and
1:06 am
individual veterans to provide valuable support and benefits such as unlimited, free credit freezes and monitoring for life. will you make that commitment on behalf of the men and women willing to lay down their lives to protect you and your family and business in this country? >> we have engaged with the department of defense. as my colleague just mentioned, that does not apply because they will go somewhere else. basically saying you will not make this commitment to the nation's veterans. the people who protect the ability to make money to protect
1:07 am
your freedom. >> it is a safer product than the monitoring that we have. i must say some of the testimony is pretty discouraging here. there were 46,800 new mexicans whose identity and possibly their credit worthiness was endangered by a plate and carelessness of equifax employees when you previously testified, you specifically said that the data was stored in plain text and has not been an
1:08 am
encrypted. it's an unacceptable practice for an organization with such power over the consumer's lives and painfully clear that americans cannot rely on the large companies that store their data to protect it. as a possible solution, congress should consider banning the use of unverified social security numbers and commerce. there is the potential for strong bipartisan support for this. social security numbers were never intended to be used as universal online ids. i'm glad to hear that the white house is looking at this and congress should also evaluate the possibility as well. in that regard, the committee should take a closer look at the national institute of standards and technology as initiated in the trusted indemnities group to develop secure online ids and then the use of social security numbers. i look forward to working with others and building on the work
1:09 am
of this group is already undertaking. the following are yes or no questions for the panels anm interested in banning the use of unverified social security numbers. is it necessary for online commerce to rely on the social security number or fax to become? >> please give me a yes or no it's a simple question. >> it is a process that was developed in 1936. i think that we need to have a better imprint perspective when dealing with the commerce. >> so your answer is yes. >> today some sites do rely on it.
1:10 am
>> we did not need it for the conduct. >> very happy to work with this committee and others to come up with a list of social security numbers. >> it is a static identity as a basis for these that will never be secure in the future. >> do your businesses and other yes or no question to the businesses require a social security number before you will do business with them? most of the them we gave with entities that does require information. >> mr. smith.
1:11 am
the answer is no, but it is part of a typical way that we will go through a credit check for a new customer. >> we are focused in the area of social security numbers. >> another question do you think the development of a security digital id can break the breaches and identity theft? >> yes. i think it is necessary but not necessarily sufficient. of the final one, do you think it is worthwhile to consider legislation to restrict the use of unverified social security numbers and other personal information while promoting the use of the digital identification? >> essentially anything that can move us forward in a static
1:12 am
number will be supported. i don't know that my opinion matters, but yes. a trusted group is comprised of a public-private partnership to promote the adoption of an easy to use digital identity and i will ask a final question wondering if you could work on this group but since i'm running out of time here will you commit to my office to improve the current working group and expand its efforts to. >> absolutely. >> thank you very much, mr. chairman. i really appreciate you holding this hearing. i know there was great interest
1:13 am
on both sides of the aisle. i've seen today, i've been here a long time but listening to a there is a lot of good ideas and hopefully we can find a bipartisan way to deal with the situation. >> thank you very much mr. chairman. i am the last one here to ask questions i would use this opportunity to welcome. i hope things have been going well from my home state here before us again and it's more than 2200 workers worldwide and 800 of them in the state, so thank you for being here. i will start with you. know much of the ground has been covered. in your testimony you mentioned the model of issuing the identities to citizens and in this model the government would provide consumers options to
1:14 am
access general certificate identification. they ensure the private partners can keep citizens information safe? >> brazil is a great example that i wouldn't necessarily promote the u.s. in terms of where the center why is, but certainly the framework they built for the identities we are proposing looking forward toy, e work for the identity going forward. they are doing good work and we would love to spend more time describing what it can look like in the future. >> thank you very much.
1:15 am
mr. smith appeared before us in the judiciary and i think i expressed my frustration i have with others about what went on but i thought i would focus with you on what's happening now. they've announced that it would be launching this act in january and allow them to lock and unlock the credit data while providing consumers with more control over their credit information as a positive step we don't want more avenues so are there additional cybersecurity challenges that come in to this technology.
1:16 am
this is a strict connection to the main file so has all of the securities f needs i've been working a lot on the issues. the manufacturers and software companies and i see this as kind of going hand-in-hand with the attack and i have seen some of my companies and others. we have individual hackers and state-sponsored attacks like we believe occurred in the 2016 election. in your experience, how did the state-sponsored attacks differ from those individuals.
1:17 am
1:18 am
doing for the state-sponsored attacks that we should be doing out of congress. i think it is an aggressive pursuit of the hacking and i was pleased with the fbi and the department of justice's work to bring to the people that perpetrated the crimes against us and i think that we should be empowering them logistically and financially. one of the individuals in the case was apprehended in canada and has been extradited to the
1:19 am
u.s. >> i think on the election side, it's different. it is a lot of the same issues that the business is facing as well. we will keep the record open and allow for members to submit questions for the record from a couple of weeks but if you could respond as quickly as you can we will get them included in the record. reminded members on both sides of the committee we have an interest in moving forward.
1:22 am
the declining from the time of ruth bader ginsburg but was anti-semitic. basic health care and youth sports the court with another hebrew. they finished up work on the house gop bill and the senate released its own proposal. here are a couple headlines from "the wall street journal" writing the plan differs from the house on individual rate and timing of corporate rate cuts.
1:23 am