
Equifax Data Breach, CSPAN, October 19, 2017, 2:58pm-4:52pm EDT

2:58 pm
murderer and should be arrested for murder. there are no limits to dissent. i think the peace movement should have the anger of the vietnamese women whose child was burned by napalm, dropped by american planes, way up there in the sky. that's the anger that peace movement should reflect. the peace movement has got to go into the streets, and it's got to use the tactic of disruption. because the american people are drunk with apathy. >> and on sunday at 7:00 p.m. eastern on "oral histories," we continue our series on photo journalists with diana walker, former "time" magazine white house photographer. >> i felt that i should accept their offers to be behind the scenes. every time they offered it. because any time you see the president of the united states behind the scenes, you learn something about the president. and you see something. and it is important -- i can be
2:59 pm
there for you. you can't be there. and everything i see is important. >> american history tv. all weekend, every weekend, only on c-span3. sunday night on "after words." >> over 90% of sexual harassment cases end up in settlements. and what does that mean? that means that the woman pretty much never works in her chosen career ever again. and she can never talk about it. she's gagged. now how else do we solve sexual harassment suits? we put in arbitration clauses in employment contracts, which make it a secret proceeding. so, again, nobody ever finds out about it if you file a complaint. you can never talk about it. ever. nobody ever knows what happened to you, and in most cases you're also terminated from the company, and the predator, in many cases, is left to still work in the same position in which he was harassing you. so this is the way our society
3:00 pm
has decided to resolve sexual harassment cases. to gag women so that we can fool everyone else out there that we've come so far in 2017. >> former fox news host, gretchen carlson, talks about sexual harassment in her new book, "be fierce: stop harassment and take your power back." she's interviewed by sally quinn. watch "after words" on c-span 2's book tv. >> earlier this week, the senate banking committee held a hearing on potential legislative responses to the equifax data breach, which made vulnerable the personal and financial information of more than 143 million consumers. we heard testimony from representatives of the credit reporting industry and consumer protection groups. this is almost two hours. >> as a followup to our hearing
3:01 pm
on the equifax data breach, we hear testimony on protection of consumer data. members expressed interest in better understanding how credit bureaus are regulated, how they protect consumer data, and whether there are gaps that congress needs to fill. i've long been concerned about the ever increasing amounts of big data collected by companies and by the government. it is critical that personal data is protected, consumer impact in the event of a breach is minimized, and consumers' ability to access credit is not harmed. credit bureaus play a valuable role in our financial system by helping financial institutions assess a consumer's ability to meet financial obligations. and also facilitating access to beneficial financial products and services. the inherent nature of the credit bureaus' business, as with most businesses in this digital age, requires utmost data security to ensure that
3:02 pm
sensitive consumer information is safeguarded. two weeks ago, equifax testified about the methods it uses to protect its consumer databases, such as encryption at rest and tokenization. former equifax ceo, richard smith, noted that while some of equifax's databases are encrypted at rest, the dispute portal that was compromised was not. questions remain about the best ways to protect sensitive data, including: are there data security industry standards and best practices at credit bureaus? should tools like encryption at rest be employed to protect all data containing sensitive consumer information? what role do financial institutions and federal agencies play in data security at credit bureaus? given the credit bureaus are financial institutions under the gramm-leach-bliley act, how does data security, testing and oversight by regulators compare to that of traditional financial institutions?
3:03 pm
i look forward to hearing from our witnesses about what credit bureaus do to ensure security for the data they collect. who oversees credit bureaus to ensure they have adequate security measures in place? and what improvements could be made to the oversight of data security at the credit bureaus? there are also many concerns regarding company response to data breaches. the equifax breach has left more than 145 million consumers a little confused as to what can be done to mitigate damage to their identities and credit. we do know that starting in january, equifax will offer all customers the ability to lock or unlock their credit files for free. additional products have also been offered from equifax and the other credit bureaus for consumers to monitor or freeze their credit reports. many consumers remain confused about which options are best for them. but this hearing will hopefully provide some additional clarity.
3:04 pm
we have a shared interest on this committee in ensuring that credit bureaus take the necessary measures to safeguard personal data and minimize risk of another massive data breach. senator brown. >> thank you, chairman crapo. under current law, whether we like it or not, companies like equifax can collect vast troves of personal information. that includes personal information plucked from our work histories, our social media profiles, from reward cards that track our purchases at the grocery store, even information from our smartphones tracking our daily commutes. generally these companies are free to sell that information to all sorts of financial institutions and other data mining firms who use it to make decisions about us, like what kind of car or job that we might get. corporations like equifax rarely have to tell us exactly why or how these decisions are made. they get to hide behind proprietary models and trade secrets.
3:05 pm
it seems our laws protect big corporations' use of people's data a lot better than they actually protect people. as a recent breach demonstrates, enhanced cyber security measures at companies like equifax may work perfectly yet still do little to protect consumers' data. 145 million people have had their private data exposed. it doesn't appear that any sensitive corporate data was accessed. because these businesses are not accountable to consumers, and because consumers have no choice over what is -- over who is collecting their information, consumer protection is pretty much an after thought. as we talk about the clearly inadequate protections for consumer data at equifax and those in place at the other consumer reporting agencies today, we cannot forget that the real victims of this hack are the 145 million people, 5 million in my state alone, who through no fault of their own have had their personal information compromised.
3:06 pm
i hope at today's hearing we don't just talk about how we strengthen cyber security. we need to do that, of course. but we also need to explore how to restore people's control over their own information. we need to examine whether the credit bureau model makes sense for american consumers. we know the credit bureaus have a long history of consumer complaints and inaccurate reporting that has long-term effects on people's ability to get a job or get a house. rather than addressing these problems, the credit bureaus have spent millions acquiring other data collection companies and branching out into new lines of business. despite their continued failure, there's no other word to use, their continued failure to provide accurate credit reporting services, or to protect all of the data that they collect, these ceos have been rewarded with enormous salaries and bonuses. sometimes they come in front of us and say they're going to give up their bonus, as if that's a major concession. now in an era of nonstop cyber threats, it seems like they made
3:07 pm
consumers even more vulnerable. equifax made astounding amounts of money off of the consumer data it collected. it will hardly, unless things change, it looks like it will hardly pay a price for its recklessness. it's still collecting and storing our data. in some cases we're giving -- some cases, we're giving even tax dollars to do it. i look forward to today's witnesses' views on these matters. thank you. >> thank you, senator brown. we'll now turn to our witnesses. first we will receive testimony from mr. andrew smith, partner at covington and burling on behalf of the consumer data industry association. then we will hear from mr. marc rotenberg, president of the electronic privacy information center. and finally, we will hear from mr. chris jaikaran. did i pronounce that right? mr. chris jaikaran, analyst in cyber security policy at the congressional research service. each witness is recognized for
3:08 pm
five minutes of oral remarks and then we will proceed to questions. mr. smith, you may proceed. >> thank you. chairman crapo, ranking member brown and members of the committee, thank you for the opportunity to appear before you. my name is andrew smith, and i'm a partner in the law firm of covington and burling. i'm appearing today on behalf of the consumer data industry association, which is a trade association of companies that provide businesses with the information and analytical tools necessary to manage risk and to protect consumers. cdia's members include the three national credit bureaus, equifax, experian and transunion. you've asked us to discuss how credit bureaus protect consumer data. first, i wanted to mention the important role played by the national credit reporting system in our economy. more than two-thirds of our gdp comes from consumer spending, fueled by consumer credit. it's the national credit reporting system that allows consumers to quickly and effortlessly open a bank account
3:09 pm
or purchase a cell phone. more than 40% of consumers move every year. and the national credit reporting system facilitates this mobility. in addition to providing fast, fair and impartial access to well-priced credit, insurance, apartment rental and other essential services. nearly 50 years ago, congress enacted the fair credit reporting act to ensure the fairness and impartiality of credit reports, to protect consumer privacy, and to foster the continued development and vitality of the national credit reporting system. the most recent revision to this comprehensive regulatory scheme was the addition of the cfpb as a supervisory agency. this is the first agency to directly supervise the national credit reporting system. not just examining credit bureaus, but also examining the users of credit reports and the companies that contribute information into the credit bureaus. the cfpb's virtually continuous supervision of the credit reporting system began in earnest in early 2012, and,
3:10 pm
according to the cfpb, has produced, and i quote, a proactive approach to compliance management that will reap benefits for consumers and for lenders for many years to come. with respect to data security, credit bureaus are subject to federal and state laws requiring them to safeguard consumer data, and because of the key role they play in the banking system, they also are subject to very specific private data security requirements, such as the payment card industry data security standards. to begin, credit bureaus are required by the fcra to maintain procedures to ensure that they only provide credit reports to legitimate people for legitimate purposes. these credentialing requirements go beyond contractual certifications and include comprehensive due diligence of prospective customers, as well as continuous monitoring of existing customers. the fcra also requires secure disposal of credit report information. in addition, the ftc's safeguards rule, as referred to
3:11 pm
by chairman crapo, under the gramm-leach-bliley act, requires financial institutions, including credit bureaus, to develop and implement comprehensive information security programs. the laws of at least 13 states similarly require companies to implement and maintain reasonable procedures to safeguard sensitive, personal information. furthermore, almost every state requires that companies notify consumers when there is unauthorized access to or acquisition of sensitive personal information. because of their important role in the banking system, credit bureaus are also subject to private contractual data security requirements. for example, because the credit bureaus handle credit card information, the card networks, visa, mastercard, et cetera, require that they comply with the payment card industry data security standards, and validate such compliance by obtaining an independent, third party audit of their security procedures. in addition, because banks provide a great deal of sensitive customer information to the national credit bureaus,
3:12 pm
they're required by their prudential regulators to conduct regular information security audits of the credit bureaus. these audits can include onsite inspections, which might last for several days. each of the three national credit bureaus is subject to dozens of these bank reviews each year. cdia shares with you the goal of ensuring that consumers and businesses have confidence in the ability of the national credit reporting system to keep consumer data safe. thank you for the opportunity to testify, and we look forward to today's dialogue. >> thank you. mr. rotenberg. >> members of the senate banking committee, thank you for the opportunity to speak with you today. my name is marc rotenberg, president of the electronic privacy information center. we are an independent, nonprofit, research organization founded in 1994 to focus public attention on emerging privacy issues. i would like to begin by saying that the equifax data breach is
3:13 pm
one of the most serious in our nation's history. on par with a 2015 data breach at the office of personnel management that impacted more than 22.5 million federal employees, their families and friends. the equifax breach poses enormous challenges to the security of american families, and even to our nation's security. there is no simple solution, but in my testimony today, i will outline the steps i believe that congress can take to mitigate the risks that follow from the breach and reduce the danger and likelihood of future data breaches. i should also say that the equifax breach is remarkable, because of its scope, the sensitivity of the data, and the delay to fix a well-documented security flaw. more than four months passed from the time equifax failed to
3:14 pm
install critical software updates. and the data that was disclosed is precisely the information that individuals rely upon to open bank accounts, get car loans, seek employment and buy cell phones. the data included names, social security numbers, birth dates, home addresses, and driver's license information. this is also the data that criminals use to commit identity theft and financial fraud. equifax is clearly responsible for this breach. the company was notified in march by both the apache software foundation and us-cert of the need to make critical software changes. but it's also worth emphasizing that equifax chose to collect this personal data on american consumers. consumers did not provide this information to equifax. and the lax security strategy that they followed meant that a
3:15 pm
single breach resulted in the release of 145 million credit reports on american consumers. the breach will cause unprecedented harm. when hackers get access to credit card numbers, consumers can cancel accounts and change the credit card numbers. but it's not so easy to change a social security number, and i don't think it's possible to change your date of birth. equifax's victims will be exposed to the ongoing risk of identity theft and financial fraud, which is already an enormous problem for american consumers. the ftc reported almost 400,000 cases of identity theft in the united states in 2016. 29% of those cases involved tax fraud. and the department of justice estimates the cost to the u.s. economy at over $15 billion per year. credit reporting agencies are in urgent need of reform.
3:16 pm
in my testimony, i've outlined a number of steps that i believe should be taken to establish accountability and transparency. most simply, consumers need to be given greater control over the information about them that impacts their financial future. this means, for example, that we should have a nationwide credit freeze, or to say a little bit more precisely, the disclosure of credit reports should be on an opt-in basis. we recognize the value of credit in the american economy. but it is the consumer who should decide when it is in their interest to disclose the information to a third party to obtain the car loan. they should not have to jump through hoops to put in blocks and freezes to restrict access by others. they should make the affirmative decision. credit monitoring should also be freely available. you should not have to pay to be told that there is fraudulent
3:17 pm
activity on your account. but that is the current problem with credit monitoring services that require either a fee or limit the access to credit monitoring for 90 days. this makes no sense whatsoever. if there's a problem in the account, the consumer should be notified. we also think consumers should have more ready access to the contents of the credit report, so they know who is receiving the information and the impact that the data might have. i have several other suggestions in my testimony which i would be pleased to provide for the committee. thank you. >> thank you. mr. jaikaran. >> chairman crapo, ranking member brown and members of the committee. thank you for the opportunity to testify on consumer data security and credit bureaus. my name is chris jaikaran, and i'm an analyst in cyber security policy at the congressional research service. in this role, i research and analyze cyber security issues and their policy implications, including issues of data security, protection and
3:18 pm
management. my written statement for the record goes into further detail, but my testimony today will address data security as an element of cyber security and risk management, cyber incident response, and options for congress to address data security. an increasingly used catch phrase amongst industry analysts is that today all companies are technology companies, or all companies are data companies. this concept reflects that information technology and data play an important role in enabling the modern business practices which allow companies to compete and thrive in the marketplace. however, this reliance on i.t. and data also creates risks for corporate leadership to manage. adequately controlling that risk is an objective of cyber security. data security is an element of cyber security that involves risk management. absolute security is not obtainable. so managing the risks which would impair security is the goal. in order to evaluate risk, managers need to understand the
3:19 pm
threats their enterprise may face, the vulnerabilities they have, and the consequences of an incident. cyber security incident response describes activities to confirm an attack, discover information about it and mitigate against it. for incident response, staff is not limited to just i.t. personnel. communication staffers who are able to draft messages to both internal and external stakeholders, legal teams who can help with reporting and compliance requirements, and management and corporate boards who are accountable for the operations of a corporation should all be included in response planning, among others, depending on the entity. there will be a delay between the discovery of an attack and the public notification of that attack, because analysis of what transpired will need to be conducted. this analysis will inform the entity of how they were breached and what data or systems were compromised. this type of analysis may be conducted by the entity itself, a business partner of the entity, government response teams and law enforcement. with a variety of potential forensic investigators,
3:20 pm
determining how they will coordinate in their response, and how they will share information among one another, is a factor which should be determined during the planning and training phase. with information on how the breach happened and the extent of the breach, the entity can proceed to mitigate its effects. these phases need not occur in succession, but may be able to occur concurrently. i will now briefly present three options congress could consider to address data security. congress could explicitly authorize a federal regulator to examine credit reporting agencies for their adherence to the safeguards rule, as promulgated by the federal trade commission. dialogue created by the federal government and credit reporting agencies could lead to greater understanding of the cyber security risk faced by credit reporting agencies and allow for deficiencies to correct their security posture prior to referral for enforcement action. congress could regulate the collection, use and retention of data, regardless of the type of entity that houses that data. the european union and canada
3:21 pm
have such data laws. congress can establish requirements on what data may be collected, how data must be stored, and the consumer's rights to collection and data about them. congress could require credit reporting agencies or any entity that profits from consumer data to identify and disclose their data model for consumers. elements such as where data is acquired, how it is used, and what other data the entity generates about the consumer will provide consumers with additional information that may affect their decision in the marketplace. thank you for the opportunity to testify today. and i look forward to your questions. >> thank you very much. before i begin my questions to just inform the senators, we have a vote at 10:30. senator brown and i have discussed it, and we intend to keep the hearing running. so we will adjust our attendance at the vote, and you can make your plans accordingly. but the hearing will continue to proceed during the vote. first question i have is for the
3:22 pm
whole panel. i'm going to ask you to be concise. i only have five minutes in my questioning, as does each of the other senators. but this is for each of the members of the panel, if you have an opinion on this. there has been a lot of discussion surrounding the social -- the security of the social security number. and whether it should be used as an identifier going forward. do you think we need to get rid of the social security number as a personal identifier? and if so, what viable alternatives do we have? how would we ensure that such an alternative doesn't suffer from the same drawbacks as the social security number? mr. smith, do you want to start? >> i think that if we eliminate the social security number as a personal identifier, we're going to have to have something -- some other unique identifier that will allow businesses, credit bureaus, others to know who precisely they're dealing with. so my name is andrew smith. there are thousands of me, perhaps tens of thousands of me.
3:23 pm
when you're looking at a bankruptcy court record, if there's no identifier on there, how do you know which andrew smith it is? so socials right now, and other identifiers, play a critical role in the economy, just simple identification, right? not authentication, not verification. not that i truly am who i say i am. but as identifiers, socials have had a role to play. whether we need another identifier, i think that we're willing to work with you on that to try to come -- to try to get to the right result for consumers. >> mr. rotenberg. >> thank you for the question. i've spent many years before many congressional committees urging that limits be established on the use of the social security number. but we have never argued for replacing the social security number. the key point is that the ssn serves an important purpose in the management of certain government record systems. that's what it was established for, and that's where the legal
3:24 pm
authority exists. the problem is that the ssn was adopted in the private sector, and used as an identifier for general purposes. this has actually contributed to identity theft and financial fraud. it's an imperfect identifier. it's used both as a password and as an authenticator. it was intended for neither. so when we talk about the social security number, we would not say replace the ssn. as i describe in my testimony, we would say limit the use of the ssn. it should only be available in the private sector for lawful purposes. >> thank you. mr. jaikaran. >> the social security number is a piece of personally identifiable information. so limiting its use in the private sector may lead to reduced consequences that impact, if there is a data breach. however, whatever replaces it would likely still remain personally identifiable information that would constitute some level of increased security posture around that data. in case there were a breach. >> thank you. and this question is also for
3:25 pm
you, just for you, mr. jaikaran. your testimony discusses encryption and other tools that can be used in providing data security. equifax's former ceo mentioned that some of their data is encrypted at rest, while some of it is not. are there certain minimum data security tools or standards that should be employed across the board for data sets containing personally identifiable information? are there measures that if in place may have been able to prevent the equifax breach or detect it sooner? >> so in my testimony, i discussed cyber security as an element of risk management. understanding the entire risk that an enterprise or corporation may face in their conduct of their business. there is federal guidance that is created for the implementation of encryption, and there are industry best practices on the use of encryption for data at rest, data in motion, or data in process. while these may exist, a lot depends on how it is implemented and the use cases of each individual company.
3:26 pm
for where they apply that -- where they apply that encryption, how strictly they apply it, and how the keys are managed within that enterprise to allow those with legitimate access to continue to be able to conduct the business while still restricting access to those that don't. >> all right. thank you very much. and i just have about 45 seconds left. so mr. smith and mr. rotenberg, very briefly, under the current legal framework, the ftc has enforcement authority over its safeguards rules for data security but no regulatory agency currently examines or supervises data security, as is the case with banks. do you think there is a gap in this framework, and do we need a credit bureau o-- an agency to be set up or authorized to examine for data security? >> so as you noted, the ftc has law enforcement authority, and we feel as though we are not unsupervised with respect to data security. we do, as i said earlier, have our bank customers who are
3:27 pm
regularly auditing us. i would say, however, that if there are gaps in supervision, that we would be happy to talk with you about that. and to come up with the most sensible result for consumers. >> all right. thank you, mr. rotenberg, very quickly. >> the safeguards rule is an important data security standard. but it only applies right now after the fact. the ftc can only act against a credit reporting agency once the breach occurs. we think they should have the ability before the breach to inspect and determine compliance with standards. >> thank you. senator brown. >> thank you, mr. chairman. mr. smith, in your testimony you stated the credit reporting system, quote, provides critically important benefits, and you went on to say it's indispensable to the economy. i think we all agree with that. so my questions are this. and i'll start with you, mr. jaikaran. and please give a yes or no on this, if possible. do you think that the breach or failure of a nationwide credit reporting agency, whether it's equifax or transunion or experian, do you think that a breach or failure of one of those agencies could have a
3:28 pm
systematic -- or i'm sorry, could have a systemic impact on the u.s. financial system? >> a breach of any agency is difficult to judge, depending on the categorization of the agency itself. but it is a possibility that it could have impacts on the financial system. >> mr. rotenberg, could it? >> i think the answer is clearly yes. >> mr. smith? >> i think that with respect to the equifax incident, one of the things that we need to keep in mind is that according to the news reports, the credit reporting database was not, in fact, compromised. a compromise of a credit reporting database, i would have to think about whether it would present -- >> but you're the one that started off by saying it provides critically important benefits that's indispensable to the economy and a breach of 145 million, you don't think does have a systemic impact on the u.s. financial system? >> i think that the risk would be able to be managed by banks. but i do think that it's going to be something that would need to be actively managed, because
3:29 pm
what it would -- what it would -- >> is that a yes or no to systemic impact? could be managed. a lot of things could be managed. does that have a systemic impact on the financial system? as the -- >> i'm not prepared to say it would have a systemic impact. but i would like to think that through. >> okay. could you in the next week let me know if that's a yes or no? >> sure. how would you define systemic impact? >> well, i'm asking you to. >> okay. >> 145 million sounds systemic to me. a number of one fifth that does. mr. rotenberg, most of us, or our family members, have faced challenges for decades trying to fix inaccuracies in their credit rating -- their credit reports. these inaccuracies result in equifax, transunion and experian being three of the most complained about companies to the cfpb. do you think it would make sense to prevent these consumer reporting agencies from collecting new personal data or providing other services until they have met an accuracy metric in their consumer credit
3:30 pm
reporting, and should consumers -- second question, related -- should consumers be allowed access to all data held by these three companies? >> senator, i think both suggestions are very good. i think credit reporting agencies which provide personal data to others should be held to an accuracy standard. because, of course, when they provide information that's inaccurate, incomplete or out-of-date, people are wrongfully denied credit. they're wrongfully denied jobs. and that's certainly a problem. but also to your second point, whatever information the credit reporting agencies know about us, i think we should have the right to know. particularly now when this information is being made available for sale for data brokers and oftentimes falls outside the protections of the fair credit reporting act. i think we need to do much more to give consumers information and control about their personal information held by others. >> thank you. and mr. smith, consumer advocates have called for free security freezes to be provided
3:31 pm
by equifax and transunion, experian. instead they have what they call credit lock products, which appear to give consumers fewer rights and less security than credit freezes. are cras offering credit locks so consumers have to sign forced arbitration agreements? just like they had to on equifax's first offer of credit monitoring products? >> so can i respond really quickly to the issue of access? i wanted to remind the members of the committee that consumers do have access to all of the information on file with -- about them with consumer reporting agencies, and they have -- they have free access to that through annualcreditreport.com, as well as through other mechanisms. >> to access and correcting are two different phenomena, but go ahead. >> yeah. and with respect to the credit locks, i'm not so familiar with the different features of the credit locks, nor do i know whether they have an arbitration
3:32 pm
clause. >> you do know they did, though, on the first round of credit monitoring products, that they -- let's say, quote, unquote, be generously offered. they included that, as you know. >> yes. >> they backed off under public pressure, as you know. >> that i know. i don't think that the impetus for offering credit locks would be to provide -- would be to obtain a mandatory arbitration clause from consumers. i do think that these credit locks may be useful to consumers. i think that freezes more generally serve a specific need for a specific type of consumer. there are a lot of other tools that consumers have that can protect themselves in these situations, including obtaining a free credit report, placing a fraud alert on their credit report, obtaining credit monitoring. there's a lot of free credit monitoring available. so i think consumers should understand and appreciate that before they place a credit freeze on their file. but credit freezes do have their place. >> i don't want to debate that. but i'll close with on the forced arbitration agreement, you were their lawyer.
3:33 pm
you represent them. they also rely on you for advice. are you willing to go back to them and say that there is strong sentiment among the public and this congress that forced arbitration agreements should not be part of this credit -- this credit lock offer products? >> yes. i'll convey that message. i do think that there is a special -- there's sort of an exigent circumstance when talking about credit monitoring and other credit report related products. and there is a statute called the credit repair organizations act which imposes particularly stringent penalties on companies, any company that is found to be a credit repair organization. and so because of that -- and i think some members of the committee are probably familiar with this, because of that, arbitration clauses have a special role to play with these products. but i will certainly convey the message. >> would you share with the committee exactly what message you conveyed to them on forced arbitration? >> i will share that. >> thank you. senator rounds. >> thank you. gentlemen, regardless of what we
3:34 pm
put into law, regardless of what rules are put in place, if they're not followed, the possibilities of an additional breach continue. i'm just curious, with regard to equifax, would it be fair to say that the data that we have so far, the information that we have so far, does it point to basically human error having been the cause of the data breach? like, just a quick response from each. >> senator, i think human error understates the problem. we're talking about a breach that impacted 145 million records. a circumstance where the company was twice notified by two leading authorities and left the breach exposed over a four-month period. i didn't discuss in my testimony this morning, but even the response to the breach was not helpful to consumers. so at almost every step, they did the wrong thing by
3:35 pm
consumers. >> i believe that equifax has said publicly that it was the result of human error. with respect to the question about human error. i would add, though, that the ftc and cfpb are investigating the breach, and i would want to see what their conclusions are before we draw any broader -- before we make any policy choices based on the fact of this breach. >> mr. jaikaran? >> based on the amount of information that we have regarding this particular breach, it is difficult to judge as to whether the breach came down to human error or some other reason within the company. so it's difficult to judge at this point based on the information we have. >> even if -- let's assume that there was human error involved in this. and recognizing the significant damage that's been caused. if we have within our abilities the opportunity to lay out a plan in which there is not just an audible, but a review process
3:36 pm
could be placed in place with assurances of the follow-through, we're still talking about the protections that we put in place for a legal entity that has been breached by thieves. what more can we do, or what more should we be doing to prevent this break-in the first place with regard to protections and also the consequences for entities throughout the world that actually caused these breaches, that are actually overtly out trying to get their hands on the data. do we need to look at additional federal authorizations or institutions that would be literally for the cyber community, the same as the fbi was when it came to stopping the bank robberies of the 1920s and 1930s?
3:37 pm
do we need to be looking at something like that on a worldwide basis? >> senator, i think this is a very important point. when the fair credit reporting act was passed in 1970, the primary concern was about the possible misuse of consumer data by the credit reporting agencies. and that was the problem that congress sought to address. but here we are almost 50 years later, living in a world of constant cyberattack. and in my testimony this morning, i tried to explain that the equifax breach needs to be understood, not just in terms of the misuse of personal data, but actually the exploitation of foreign -- by foreign adversaries. and that is also the reason, sir, why i think we need to update our privacy laws, put more incentives on companies to protect this data, not just for misuse, but also from exploitation by foreign governments. >> mr. smith? >> we think that to the extent
3:38 pm
that there are gaps in supervision of data security, that we are -- that we want to talk with you about that. we want to get to the right result. with respect to professor rotenberg's point, there's no doubt that this was a criminal hack, that it was from an unknown source, that it may have been from a foreign actor. and that's something that i think is hopefully the ftc and cfpb and the other continued investigations will reveal. and if there are policy implications from that, hopefully we can have that discussion then. >> mr. jaikaran? >> so when we think about the government relationship with these agencies, there are kind of three buckets that we can put them in. first is rule-making, which the federal trade commission did with the safeguards rule. next is examination and the third is enforcement, which the ftc maintains. in this space, we can see that the examination space was the one that we had the least government involvement. so i think there presents an opportunity for congress to create further guidance on how they want agencies to act with regard to that. concerning the consequences
3:39 pm
side, to the best of my knowledge, that has not been placed for this breach and that would be a conversation to have with law enforcement agencies and officials on what authorities they think they need in order to go after the criminals here. >> see, i think it's important that we recognize that there is a standard of security which has to be imposed, and we've got to be able to audit it, follow through, and with consequences. but also with a continued surveillance. but until we get down to the point where there are actually consequences for the bad guys involved, we're not going to make the major dent that we have to in terms of cyber theft elsewhere. and i think we missed that sometimes. we're focusing on the people who are trying to provide services. we're not focusing on going after the guys who are actually causing the problems for everybody else. not just in the united states, but elsewhere around the world, as well. thank you, mr. chairman. >> senator reed. >> thank you, mr. chairman. mr. rotenberg, my sense from
3:40 pm
your testimony is that, and you can confirm this. there are two points that consumers should have legal rights. and one is that they should have the legal right to withhold or divulge their credit score. or they should know the credit information that an agency has. and that should be by law, not by deference of the agency. is that your view? >> yes, that's correct, senator. when the information is being provided in the credit report, presumably it's for the consumer's benefit. they're seeking a loan, they want to buy the car. they need the mortgage. they should know when that's happening, and they should know the information that's contained in the report. >> and that should be by statute, not by deference. >> yes. a part of this is about changing the default. right now your credit report is freely available to others within the structure of the fair credit reporting act. but you have very little control over that. we would say give the consumer opt-in control.
3:41 pm
>> and mr. smith indicated that consumers once a year have access to all information that a credit bureau has. is that -- >> well, it's true. once a year they can get a free copy of their credit report. it's not all the information they have. they don't know who has received the information. and as i said, this is also a rapidly evolving industry. there are a lot of related practices that are not covered by the fcra and as a consequence, consumers don't have the full picture. >> so essentially they could get the number, whatever it is, 400 or 800 -- >> yes. >> and supplement all the information to that number. but if as senator brown suggested, the agency was also buying cell phone information or something like that, that's not -- >> that would fall outside of the credit report. >> so that in order to give a customer the full benefit -- citizen the full benefits that all information of the agency has on them should be -- identifiable information should
3:42 pm
be disclosable. is that correct? >> yes, senator. that's why we recommended a comprehensive approach based on a federal baseline. it would give consumers more information about them that's being transferred to third parties. >> and i would also presume that you would suggest that they have the right to deny access to certain information. >> absolutely. >> or, in fact, even to require that information be deleted from the credit bureau's files. >> i think many american consumers would actually be surprised to know how many people, how many businesses get access to their credit reports without their knowledge. those reports move very freely with very little information being provided to consumers. and i think that should change. >> in the description of what took place, it appears that there was negligence on behalf of equifax. being told by the federal regulator to make a patch and not making a patch for several months. who -- does anyone have the
3:43 pm
right to sue or to enforce criminal or administratively? >> well, i'm sure there will be lawsuits brought. and there are a variety of different theories. but as others have already pointed out, almost immediately equifax's response was to try to deny consumers the opportunity to pursue their legal remedies. and that can't be the right response. >> but with respect to regulatory agencies, the impression that i have from the discussion is that it's all sort of retrospective after the fact. that they can go in and make a judgment. could the ftc levy a fine based upon failure to solve? >> actually, no. under the safeguards rule, they can inspect and they can i think sanction, but i think a fine would require subsequent violation of the settlement or order with the company. and the ftc under the safeguards rule currently would not have the ability to inspect or
3:44 pm
prevent prior to the breach occurring. >> so is there any -- under existing law, is there any way for an appropriate federal agency to levy a fine or some type of significant penalty on the company to deter or to -- >> i think for the ftc to levy a fine, they would have to find a breach under the fair credit reporting act under section 5 of the ftc act, they have to have a consent order and then a subsequent violation. it's not a very effective enforcement regime. >> i concur. thank you very much. >> senator scott. >> thank you, sir. good morning to the panel. thank you all for being here this morning. the equifax breach is still catastrophic for so many in south carolina. if you think about the numbers of individuals impacted by the breach in my home state of south carolina, 2.4 million south carolinians had their personal information exposed.
3:45 pm
stolen through the equifax breach. we only have about 5 million folks living in the state. that's about 48.76% of the state. that's the sixth-highest number in the country. when you account for the fact that there are about 500,000 south carolinians under the age of 14, that means that the number surges over 50%. so over half of the adult population at least in the state had their information exposed. equifax's negligence has been devastating for my constituents. but when you look at the geographic location of that impact, the southeast region seems to have been impacted aggressively, in high levels. georgia, around 51.6%. virginia, around 48.8%. florida, around 53.5%. i asked equifax why south carolina and the southeastern
3:46 pm
region was so hard hit. i hope they find an answer soon. my suspicion is that perhaps the location, the physical location of equifax, may have played a role in that. mr. jaikaran, why are the numbers so high, so close to the physical headquarters of equifax? >> so that would be difficult to judge based on publicly available information. but there might be some business reasons why equifax would have additional information on people in the southeast region of the nation. they may have more business partners with businesses near their headquarters. so there is greater opportunity for sharing of information. it may be that the population of those states are prime targets for credit. so just the population of the states. the sample pool may be more amenable to a credit reporting agency. >> thank you. things get complicated when a company is headquartered in new jersey, does business in south
3:47 pm
carolina, and is breached in arkansas. these states have very different laws on the books governing when and how companies must notify the public of a data breach. back to you, mr. jaikaran. is our current state-by-state patchwork of regulatory approaches effective in protecting the public? >> i believe my colleagues at the government accountability office or gao would be in a better position to evaluate the state-by-state regulatory regime we have today. however, as a broader data breach notification policy, that does provide a level of certainty for both businesses and consumers if there was a federal rule or federal law on the data breach notification that is expected, both for businesses to provide, as well as what consumers can expect to receive. something that must be considered when developing a data breach notification rule, however, or law, is that what will consumers be expected to do with that information? do they just get a letter in the
3:48 pm
mail saying that their data was compromised and they're on their own, or is there some recourse that the corporation that had the data and then had it breached must provide to the consumer because the data was compromised. >> so not simply a uniformity across the nation, but also some teeth as it relates to what happens next, once the consumer is informed. >> we see that across state laws now. some are just a simple notification and some of them are similar relationship that the corporation must have with the breached consumer. >> thank you. >> mr. smith. despite the federal government also being breached pretty frequently, unfortunately, some have suggested that we nationalize the credit reporting agencies. such a move would kill innovation. the same innovation that is opening up the market of 26 million credit invisible americans. i think fannie and freddie should consider new credit reporting models that take into account things like rent payment and utilities.
3:49 pm
who would benefit the most from such a change, mr. smith? >> so use of information about rent and utility payments by fannie and freddie could expand access to mortgage credit, for younger consumers, recent immigrants, consumers who are new to credit and others without a traditional credit file. so the national credit bureaus are already able to collect this information from landlords and utilities and have built the systems necessary to do that. and as you know, the credit bureaus over the last 50 years have been successful in expanding access to credit to folks who previously may not have had that access. but i think ultimately, it's going to be fannie's and freddie's decision whether or not these utility and rent payments are actually predictive of the risk of default that they're trying to manage. >> we certainly understand that freddie and fannie will have to make their own decisions. but the question was, who benefits from it. it sounds to me that the population who benefits the most with those folks who disproportionately represented
3:50 pm
today in home ownership. >> yeah, folks who are credit worthy, but we can't tell, because they don't have extra additional credit report information. specifically people who are new to credit, i think. >> senator brown, i know i'm thinking about, in south carolina, the number is about 16% of south carolinians who are credit worthy enough to allow them to own a home. >> my state is 5 million out of 11.6. senator cortez? >> thank you. gentlemen, thank you so much for the conversation, mr. smith, i wanted to start with you, as you note in your testimony, the cfpb's supervision of credit bureaus relates primarily to the accurate reporting of credit data, and it does not provide for -- director cordray has been
3:51 pm
assigned at the big three credit reporting bureaus and monitor data security and credit protection practices. would you agree this is an important development? >> when you look at the director's comments, i think you're talking about his cnbc or something comments on television. he said initially that the cfpb doesn't have authority over data security. and it seems as if the folks on the panel agree with that. whether there is an appropriate role for a supervise in the data security bureaus. it may be that if there is such a role to be played that the cfpb isn't the best person for the role, or it could very well be that they are. >> let me put this in context, because prior to my role here, i spent the last eight years as attorney general of nevada. nevada had one of the highest
3:52 pm
identity theft rates in the country. and let me tell you, the breach that happened at equifax is not the same as what happened at a target store. what happened at equifax, what happens is now is there a chance for millions of americans identity to be stolen. and the rest of your life, you're trying to get back your identity. it's somebody that has purchased a house in your name, purchased a boat in your name, or when you show up in court and find out that a person who committed a crime has stolen your identity. this is lifelong and it's going to have a major impact on millions of americans and that's why this is so egregious, so we have to do a better job of protecting people's data and information, because you're collecting it without their approval, then they have to
3:53 pm
succumb to years of trying to clear up all of that data. so my concern now is how do we address it? how do we put limits on what we, the data we collect? i know we're talking about more cyber security protection, and making sure there's oversight over the companies, but if there's human error, whatever occurred, it's going to happen again, so is there some limit to the data we should be collecting, in addition to all the things we talked about today. >> i think it would be a step in the right direction, to have supervisory authority by the cfpb. but the question is what to do now for american consumers who confront the reality that others are in possession. we call these the authenticators, this is the information that is used to establish your identity in
3:54 pm
commercial transactions, and this is the reason that we need to change the default on credit freezes, people should know at this point going forward, any time anyone wants access to their credit report, and people should know from this time going forward, any time there's suspicious activity on their credit reporting account. they shouldn't have to select a service or pay for the service. >> i absolutely agree. >> it should be built in the industry. >> i'm going to cut you off because i only have so much time. i absolutely agree. because there's been talk about limiting the use of a social security number. i don't know about you, but when you go to set up your house and set up your utilities they ask for your social security number. when you go to your doctor's office, they ask for your social security number. this number has been so prevalent in society, that i don't know how you protect against anybody having access to it. because i can tell you a bad guy
3:55 pm
is going to be able to go online, and if it's already been used and out there, they're going to find it. so more importantly, for my purpose, and i think of all of our purposes, shouldn't it be now giving the consumer the absolute right to control their investigation and how it's being used? >> absolutely, senator, i think that's key, but if i could say briefly on the social security number, we have actually made some progress limiting its use, in fact with credit to senator collins and senator mccaskill, the number is now coming off the medical benefits id card, because its use there was contributing to identity theft among american consumers. we helped to get the social security number off the state driver's license, the social security number is no longer published in voter registration logs. >> i appreciate the comments,
3:56 pm
and my time is up, thank you. >> senator kennedy? >> thank you, mr. chairman, gentlemen i'm sorry i missed your presentations. why should we not pass legislation that would establish that the bureaus have a fiduciary obligation, to the people whose data they collect and earn a profit off of? >> i think you should, senator, i think some of that legislation is already in place with the act. but i think more needs to be done and i think your description of the fiduciary relationship is absolutely correct. >> do you think there's a fiduciary relationship now? >> no, i don't. i don't think the companies feel they have an obligation to american consumers and -- >> do you gentlemen agree with that? >> no, i disagree with that. >> i'm sorry, you disagree or agree? >> i disagree. and i represent the industry, we're subject to a pervasive
3:57 pm
regulatory scheme in this statute here the fair credit reporting act, that requires us to ensure the accuracy of information in credit reports that requires us to do -- >> when the equifax breach was made public, weren't you -- >> that would introduce a cap on potential liability for private actions, that cap would have been -- >> do you think that was a good idea? >> the fcra is unique among consumer credit protection statutes, in that it doesn't have a cap on fair credit reporting. all of these have caps. fcra does not. >> do you believe your clients should have caps, counselor? >> as a trade association, we would continue to argue for caps. >> is that a yes? >> that's a yes. >> here's my problem.
3:58 pm
>> here's my problem, if the bureaus do their jobs right, they facilitate commerce. because when lenders loan money to people, the lenders want to get paid back. and what your clients offer is one assessment of the risk that the lenders are taking. it's just one assessment. there are others who don't use -- many online lenders don't use your data anymore. i'm not saying they are right or wrong, i'm saying that your clients, basically take my data, personal information about me without my permission, and as a business model, they sell it to businesses. i'm not compensated.
3:59 pm
now if they lose my data as equifax did, or if someone submits to them data that is in error, that undermines my credit score, the bureaus have no obligation or interest right now to work with me to try to get the credit score correct. have you ever had one of the bureaus get your credit score wrong and you called and tried to get it fixed? have any of you? >> no, i have not, senator. >> no, senator. >> well, it's not an easy process. >> well, so -- >> and it would seem to me, i'm not trying to undermine the bureaus, but it seems to me first of all, that you could develop technology very easily that would allow people to go to an app on their phone to put a
4:00 pm
credit freeze on and off, free of charge. that ought to be a minimum. number two, you need to explain to the american people how you're protecting their data on which your clients are making -- most of the clients in louisiana had their data stolen by equifax. and they had to go to a lot of trouble to go freeze credit, some of them are going to have their identities stolen. and it's just not right. it's just not right. and we're looking to you gentlemen to tell us what to do about it. and counselor, i don't mean to pick on you and i understand you're representing your clients, but your clients need to step up to the plate here and suggest some meaningful reforms or some reforms are going to be suggested to them. okay? and my advice to you would be to
4:01 pm
step up to the plate and offer specific things that you and your clients are going to do to improve this situation. not platitudes, not bromides, specific suggestions. because a lot of americans didn't know what a credit bureau was. they know now. i went over, i'm sorry, mr. chairman. >> thank you, senator warren? >> thank you, mr. chairman, so at the hearing two weeks ago with the equifax ceo, there was a lot of agreement between democrats and republicans that consumers should be able to control their own data. and without consumer control, credit reporting companies really have no reason to treat us well. we are not their customers, we are just their products. and it shows. a 2012 study by the federal trade commission found that one out of every five people had an error in their credit reports.
4:02 pm
meanwhile, over the last year, the consumer financial protection bureau has fielded hundreds of thousands of consumer complaints. and the big three credit reporting agencies are now the three most complained about companies in the entire financial services industry. you know, if you ran a restaurant and got your customers' orders wrong 20% of the time, and had the worst customer service in town, you would be out of business in a week. but credit reporting companies, not them. they're getting bigger, they're getting richer and they're getting more powerful. this market is clearly broken. and fixing it starts with giving customers more control over their own data. so mr. rotenberg, i have introduced the free act with senator schatz and more than a dozen other senators.
4:03 pm
our bill would let every consumer freeze and unfreeze access to their credit files for free. so i want to ask, do you think that would be a good idea to give consumers more control over their data? >> senator warren, i think it's an excellent proposal. and as you say, i think the key to this industry is giving consumers greater control over their personal data. it begins by moving to an opt-in model, giving consumers the ability to decide if the information in their credit report should be released to someone else. >> companies like equifax do more than issue credit reports, they also sell your information to businesses that want to sell something in turn back to the customer. our bill also makes clear that no credit reporting agency can sell your data if your credit file is frozen. other legislative proposals and the new lock that equifax is
4:04 pm
rolling out right now, don't give customers that right. so let me ask this part, do you think that consumers should have the right to freeze the data so that it stops a credit reporting agency from selling access to the consumer's data? >> absolutely, senator. the model doesn't work unless consumers maintain control and so many problems of the industry result from the industry pushing the burdens back on to the consumers to choose the freeze, to choose the monitoring service, to inspect their credit reports, it's entirely upside down and it's the reason that we have record levels of identity theft today in the u.s. >> thank you, i think that's a powerful point. you know, if companies like equifax don't pay us to sell information to other people, we shouldn't have to pay them to stop selling it. according to your testimony, you're saying, and i think you mentioned this earlier, mr.
4:05 pm
rotenberg, you would go even further, you would make the default position that a consumer's account is frozen until the credit reporting agency gets the consumer's explicit permission to unfreeze the account to share the data. in other words, consumers would have to opt in to sharing their data, rather than opt out. and what's the reason for that? >> senator, i think it's just common sense. no one is objecting to the provision of credit to american consumers, it's obviously critical for our economy and makes it possible for people to purchase homes and cars and even cell phones. but it's the consumer who's initiating the transaction, it's the consumer who's seeking the mortgage or the loan, the consumer should decide when to release that credit record to others. and they should know what's contained in that credit report. they may be denied credit but for the fact that the credit
4:06 pm
reporting agency has reported accurate information. >> so powerfully important that we be able to protect our own privacy, that we be able to make sure that it's accurate. in your testimony, though, you raised one more point. you said we need to fix credit reporting industry in order to protect our national security. i'm about out of time, but could you just say a word about that? >> i mentioned that when the fair credit reporting act was passed in 1970, the concern was the misuse of personal data by the credit reporting agency. that concern remains, but what has changed almost 50 years later, is that data is now the target of foreign adversaries and we need to realistically consider that the people that get access to our personal data held by these companies are adverse to our nation. that's an additional reason to strengthen these privacy laws. >> you know the credit reporting agency is a threat to each of us personally, but it is also a
4:07 pm
threat to our national security. we need to give consumers more control over their data and reform this industry and that's what we're trying to do with the free act. thank you. >> senator tillis. >> thank you mr. chairman, gentlemen, thank you for being here, one question, when you have something like the breach at equifax, congress has never seen a legitimate problem that needs to be dealt with, an opportunity to overreact. and so one of the things that i'm concerned with, is when we have this discussion, i want to start with something simple and then maybe i can build on things to the extent time allows, when we had the equifax ceo in here, i tried to ask him the question of the lock, they're calling it lock for life, versus delete. mr. rotenberg, where are you on the option of the consumer being able to delete any presence for their existence in any of the big three credit reporting agencies, do you think that's
4:08 pm
something they should be entitled to do? >> i do, senator, in fact this country has a long history of expungement of their financial records to give consumers the opportunity to start over even after bankruptcy. so we recognize that people should be given the opportunity to reapply for credit even after they have had those types of experiences. >> if they delete it and then later they were seeking credit and they had no reliable sources for showing credit worthiness, who is it on to provide all the information that may be needed to underwrite a loan or get a credit card or other financial instrument? >> under those circumstances, of course the absence of the background information could well be a factor in the credit determination, but that's not a reason not to give the consumer the opportunity to delete the data if the consumer chooses to do so. >> but at the end of the day, the consumer needs to be aware
4:09 pm
that the absence of information would likely result in no credit being extended. >> here's another concern, senator. is that what happens if the consumer selectively deletes information. so i have three credit cards, and i decide i'm not going to pay one of them. how will a bank -- if i'm able to delete accurate information. the fcra already allows for that, any information that's derogatory in your credit record comes off after seven years. >> one thing that -- we discussed this with the breach, i think one thing that the credit reporting agencies need to demonstrate is that they don't make their problem the consumer's problem. in other words if you have a breach, then you should be treating that consumer like you'll move heaven and earth to
4:10 pm
clean up the problem. i'm concerned with the idea of just the accuracy of data that's used to predict how cohorts may, you know, behave in terms of credit worthiness. that if we continue to reduce the base, do you think there's any threat to the fact that we have less reliable information to move capital or to provide resources to people who need it? >> i think it's important for businesses to have access to relevant and accurate consumer data. i think they should be accountable and transparent about how that data is being used. >> would you consider the selective deletion of credit data as being accurate and relevant data for the financial services industry? >> it may or may not be. the credit decision is based on
4:11 pm
a wide variety of factors, many of which by the way are not even known to consumers. so we don't know how they're making determinations about us, yet their concern if they don't know everything about us when they make their decisions and that just seems a little unfair. >> i wasn't here, i think someone else answered the question, but what do you think is the -- what technologies or maybe what processes out there are we using to get away from social security numbers as authentication methods and moving more to say what the card industry is using, trying to come up with some sort of an identity, that will actually eliminate or substantially reduce what is a relatively easy thing to do, that is to get somebody's relevant information in committing fraud?
4:12 pm
what in terms of public policy should we be promoting? >> i'm not aware of any token products that could be used. one interesting thing to note is there may be people, citizens, consumers that don't have access to things like a cell phone, so they would be barred from participating in the widespread use of technology, and that's one thing to consider in establishing public policy. >> today we're at the other end of the spectrum to -- >> i think if we didn't have the social we would need to come up with another unique identifier. with a name like andrew smith,
4:13 pm
it's critical that people would be able to distinguish between the thousands of people named andrew smith, not necessarily to authenticate that i am who i say i am, but which one are you? if not the social, then we need something else to fill that role. >> thank you, senator. >> mr. smith, after the equifax breach, consumers learned that the best way to protect themselves from identity theft and fraud was to freeze their credit record. but when they went to do that, they found a complicated process that required contacting each of the credit bureaus which meant remembering separate information for each. and paying 10 bucks, not to mention the fees that they have to incur if they want to lift the freeze later.
4:14 pm
equifax's lapse in data security will be worth hundreds of -- my question is very simple. explain to me why equifax, experian and transunion have to pay to freeze the credit report. >> for certain consumers, freezes are the right choice. >> those instances, why is it not free? if the consumer -- >> right now we have a patchwork of laws and if we are to have a single national standard, i think that, you know, we would be happy to talk with you about how to get that right. >> a patchwork of laws, what does that have to do with anything. i'm asking you when a mistake occurs and 144 million people are told to do a certain thing, that certain thing should be free, shouldn't it? >> i don't know that everyone
4:15 pm
was told to freeze their credit report, personally i don't think it's the right choice for everyone. >> but it's the right choice for some number of millions of americans, is it not? >> i believe that all three of the national credit bureaus make freezes available for free for those who are -- as for a national freeze requirement, i think that -- >> i'm not asking you about a requirement, i'm asking you why you generate revenue off of the mistakes of the organizations that you represent? >> well, the why is because freezes cost money. and also the state laws -- >> but the locks are free, right? >> locks, i don't know, i'm afraid. >> you're the counsel for this organization? >> these are new products. i'm the counsel for the trade association, but i know that there are all kinds of new products that credit bureaus and others are rolling out that can take advantage of for example
4:16 pm
apps on a mobile device and lock and unlock. but i don't know that those -- any of those products are necessarily in the market now. >> i don't understand what you're saying and i don't think it's because i don't understand this area, i think it's because i don't understand what you're saying because at a common sense level, i want you to try to explain to somebody you went to high school with, right? who says you got a gig with the cras, how is that going? let me ask you a question, why do i have to pay for a freeze? >> and the answer is because freezes cost money. freezes have to be implemented by the credit bureau. >> why did the company who made a mistake make a profit off the consumer, even if the freezes cost money, fine, you should eat it. because that would create an incentive -- >> i think equifax is providing
4:17 pm
freezes for free. >> that only occurred after the ceo quit and -- >> i thought the freezes were offered right up front. >> nope. do you think it's a good idea for credit bureaus to use tighter matching requirements so that the trade lines on someone's credit report are more likely to be their own information? >> i think matching algorithms are their own issue. i'm sure you've done some thinking about it and it's really a question about statistics -- matching is critically important for accuracy. >> what is your error rate roughly? >> we believe that our error rate, the ftc did a study in 2012, and we did a similar study, we believe that the error rate from our study is less than 1%. looking at the ftc's study. and this is an appendix of the ftc's study. we believe that the error rate
4:18 pm
is about 2%. error is an important concept here, though. it has to be an error that moves the needle, that would have an effect on the consumer, so they get my date of birth wrong, that's not necessarily an error. >> so you're talking about even after the low end of the error estimate, you're talking about a million, 2 million individuals. >> and that's not acceptable. >> whose responsibility is that? >> well, it is a lot of people's responsibility, but it is to some extent the credit bureau's responsibility. as far as accuracy is concerned. professor rotenberg wrote in his report, there's always going to be security breaches, the best we can do is try to control them up front. accuracy is the same way, it's a process. >> i understand that you're going to make mistakes, the basic question is who should incur the costs of those mistakes, you guys or the rest of the country?
4:19 pm
thank you. >> senator perdue. >> thank you, chair. it's a very complicated conversation, let me start with something we are working on to codify something across 47 states. right now if you want to, you have to opt out, basically. in other words i never gave permission to anybody to get that data. although it does provide a service, so i don't have to aggregate all my credit information when i go borrow something. so i get that. at the equifax breach hearing just a few weeks ago, we asked questions about a national standard on credit freezes and i think representative mchenry already has a protect act. it creates a national standard for credit freezes harmonizing the 47 state laws on the issue. do you agree that that would help and allow the development of technology such as apps that could freeze and unfreeze without having to go through the
4:20 pm
process, so someone could actually open up, get the credit information they need and then opt out easily, without having to have a lot of instruction? is that something that might benefit us here? >> so as i have said earlier, freezes aren't the right choice for everybody, necessarily, but they are the right choice for some people and that, you know, the development of a national standard is something that we would welcome. with respect to this lock and unlock functionality, i would ask you to consider whenever we legislate something like this, the question would come up, what about the people who don't have smart phones, what are we going to do about them? we're going to have a lock and unlock functionality. >> but they would not be, just so i'm clear, they would not be in any system, i couldn't access their data unless they were to come back and do something like this. so an 800 number or whatever, when they needed it.
4:21 pm
>> so you think, let's do an 800 number, that's going to create a security risk that someone else unlocks my credit when they're applying for an unlock on a saturday afternoon. i don't know what my -- before you know it, you're not going to get that new cell phone at a verizon store on a saturday afternoon. you're going to have to go back to the verizon store the next weekend, and hopefully it will work out. these freezes and locks are difficult to administer, and that's why they're not necessarily the right choice for everything. but they are for some people who are not buying things. >> i'm frankly a little confused by mr. smith's excellent comment. most of what he's describing are things that the industry has created in giving the consumer
4:22 pm
the ability to access the freeze and what legislation would accomplish is to simplify the process, precisely so they can have the credit information available when they need it to be made available. >> regarding any congressional action in this space, it's an interesting public policy question. because there is these -- there are these groups of data brokers who have this information and they have their business relationships with those that they acquire information from, and those that they sell the information to. however the information is the consumer's. and the relationship between the data broker and the consumer is a little bit different in terms of who they are selling the data to and who they are acquiring from. there's a link in that space where federal policy may be able to bridge the gap between the consumer and the credit bureau. >> let's talk about social
4:23 pm
security numbers for a minute. adoption of social security -- in the last half century, our technology has moved fairly rapidly forward. is there a better way? isn't there a better more secure way to match people with accounts, such as tokenization, or should all these cyber attacks be the impetus to planning out credit futures. social security numbers seem to be the holy grail here beyond what the average person would want. is that a reasonable direction? >> i think the key is to limit the use of the ssn, but not replace it. in other words it is the weak link in the information industry. it is the target of identity thieves and if you're trying to make your industry more resilient against those attacks, you have to reduce your dependency on the ssn. but if you replace the ssn with another general purpose identifier, that becomes the
4:24 pm
target. so we need a more distributed approach to identification, not an approach to failure. that's what the ssn has become. >> we have to engage on this, but we don't have a common answer yet to this security issue. thank you, i'm out of time. >> mr. chairman, just to -- not to put -- extend the discussion on when you can put a credit freeze on or put a lock on. it's interesting, mr. smith, you said you can put a lock on after you've been a victim of identity theft. that's kind of like saying, lock the door after the thief went in your house. it's just not -- it's not responsive to what we're trying to get at here, which is we understand the benefit of an aggregator of data that gives us easier access to credit. i think no one's disagreeing with that. the question is, and you were
4:25 pm
asked about fiduciary obligations and the question really is, what responsibility does that aggregator have when something like this happens? now when mr. smith was here, the previous mr. smith, that equifax -- >> no relation. >> i figured that. he said this happens all the time. we're hit all the time. and i asked, well in light of that, then why did you seem so ill prepared when you were actually breached? why did it take you so long to come up with a response to the breach? so i've got a series of questions on how often does this happen, and what is the general response that -- the industry has? so as a general matter, how many times per year on average would a company like equifax, transunion or experian, how long
4:26 pm
before a breach would be reported to the fbi? >> i would say from my personal knowledge, none of the credit bureaus themselves have been breached. now the companies in equifax's case, it was information that was outside of the consumer reporting agency database. we also know of a breach at experian involving t-mobile. so there are breaches that occur, and we'll come up with a number as to how frequently they occur, but to the best of my knowledge, there's never been a breach of a consumer reporting agency database. >> and that's splitting hairs for the consumers, i don't think there's any doubt about it. >> it's an important policy -- after the investigations conclude that the consumer reporting agency wasn't
4:27 pm
breached, after equifax was subjected to this announcement of attack. >> let's say that you reported to the fbi, what is the typical guidelines or strategies that any of these credit agencies, any of them would basically go to, do you have like a fire drill, in other words? do you have a system in place that will lock down and protect data? >> right, so now of course i can't speak for any particular company, but the companies with which i'm familiar have incident response plans, and they have a tabletop exercise, where all the stakeholders are at the table and we run through what's the public statement going to be, how do we inform law enforcement, how are we going to do the consumer notifications. that kind of stuff. >> but you have to agree that equifax was pretty ill prepared? >> i don't know, i think this
4:28 pm
was an unprecedented breach. >> even if it's ten people, the response should be the same as if it were 140 million people. >> except, think about your call center for example. so rather than ten calls, ten calls you can handle, 140 million on one day? >> doesn't that beg the question of why people here are upset? i mean you had senator kennedy basically say, look, this is not data that you own. you do not have a relationship with the consumer other than an aggregator that provides that service, if i say i don't want your service, i'll aggregate my own data, i'll take responsibility, i have to pay you so that you're not collecting my data, correct? >> not collecting, this is a freeze, right? the data is still there, but you've frozen it and you have the right to unfreeze it. >> in europe, all across the eu,
4:29 pm
there's a whole lot of privacy initiatives, the right to be forgotten. we have been a much more open economy when it relates to this kind of aggregation, the potential that you guys are going to be out of business because every american is going to say we don't want your service. >> no, absolutely, we need to ensure that consumers and businesses trust the national credit reporting system. >> and i think you have a serious trust problem today. and i think the lack of coming forth with solutions and the adversarial kind of approach that we have seen to this is not helping to solve the problem. so we look forward to ongoing discussions. >> thank you, mr. smith. >> thank you. senator donnelly? >> mr. smith, this is actually
4:30 pm
to all of you, in 2014, the department of veterans affairs created the choice program to allow vets to receive medical care in non-va facilities. it's been helpful in increasing access. however, issues with the implementation of the program led to delayed payments and billing problems. which in turn resulted in some vets receiving adverse actions on their credit reports from debt collection efforts. adverse credit actions make it more difficult and expensive for them to get a mortgage, to buy a car and it's really troubling that our veterans have had their credit harmed through no fault of their own. we have -- to make it easier for this erroneous debt to be removed from credit reports. medical debt can -- what damage
4:31 pm
can it do to the vets' credit when this is reported as unpaid? >> we agree with you 100% that veterans shouldn't have their credit records tarnished by backlogs and inefficiencies in va's payment system and we understand that's what's happening and we're committed to working with you to solve that issue through the national credit reporting system. i think institutionally, we believe that the folks who are best able to solve that issue are the private -- are the va and the private medical service providers and the debt collectors who are furnishing this erroneous -- we're committed to working with your office. >> i have your commitment on behalf of the trade association and on behalf of the industry that you will work together with us to address these problems and to address the reporting of va related medical debt so our vets won't get dinged on their credit reports. >> what we're talking about
4:32 pm
because of va's processing inefficiencies, they just haven't paid the bill. >> it's not erroneous that my knee was worked on, it's erroneous to me that the va doesn't pay it. >> yeah, we need to fix that. we're committed to working with you to fix that. >> congress enacted the fair credit reporting act in 1970 to set the rules of the road. despite the original act and the many consistent amendments, we still don't control our information contained in the files of the credit bureaus, it's reported without any consumer permission, as has been noted by many, it's also sold to third parties, with prescreened credit and insurance offers and the personal information may now be available to thieves on the dark web after equifax. mr. smith, you're the representative for the association, should consumers have more control over their information? >> well, so we have talked a
4:33 pm
little bit about that today. the ability to remove yourself from the system, the ability to selectively delete information. i think both of those present issues for the national credit reporting system. the selective deletion would allow a consumer to game the system, to hide unpaid debts from potential creditors presenting a real concern for the safety and soundness. >> that comes out if they apply for something. if they want to get a mortgage, then the mortgage company -- >> i'm talking about the selective deletion, but the removal from the system. the removal from the system is great until you need to rent an apartment or buy a cell phone, or get a mortgage or buy a car. >> then you can opt in, right? >> not if your information is removed. what you're talking about is perhaps a freeze. and i think we are -- we think that a freeze is the right choice for some consumers, not for all consumers. >> isn't it appropriate that the
4:34 pm
consumer ought to be able to make that decision, even if it makes it a little bit harder to get an apartment, that's a decision that they have made? >> i think it's important for the consumer to understand, if the consumer is making a major decision, have them have the right to decide who's going to get access to that information, that would be common sense. >> thank you, mr. chairman. >> thank you. senator van hollen? >> thank you, mr. chairman, and thank all of you for being here today. it does seem as reflected in a number of comments today and in the earlier hearings we had, the credit reporting agency model is one that is in some ways uniquely stacked against consumers when there's been your data breach or bad data put in.
4:35 pm
and my question is a little -- goes beyond the issue of the data breach to lots of complaints we have heard over the years about credit reporting agencies collecting bad data, that then goes to lead to a denial of a loan or a mortgage payment. and there's been a lot of discussion about how to sort of allow that consumer to be made whole. my question is, on the front end, in terms of creating penalties or deterrents and have the burden be on the consumer. my question to all of you is, is there some kind of deterrent that we put in place so that the burden and the penalty for collecting and disseminating that data, whether it's through a breach, or whether it's
4:36 pm
through denial of a credit reporting card, that can actually address this problem on the front end, so there's more of a premium for a credit reporting agency to prevent that from happening in the first place? >> i would like to start in responding to that, so with respect to data accuracy. credit bureaus have substantial duties with respect to data accuracies and those are up front to ensure that they have procedures in place to ensure the maximum possible accuracy of the data, the companies that furnish data into the credit bureaus are now required to have written policies and procedures to ensure the accuracy of data. so i think that that -- so we do have, we're not unregulated, we do have the statute and it gets longer every year, and there are more and more duties added to
4:37 pm
the credit bureaus. >> what's the penalty in the event that bad data gets in, despite all the systems that are put in place, is there a penalty that has to be paid by the credit reporting agency. i'm not talking about after the fact. in addition to just bringing the consumer whole. let's say you're a consumer, right? >> right. >> you get denied a loan, then you've got to go through the incredible hassle of getting all this straightened out. at the end of the day, maybe you get your loan, but what can we do to put a deterrent up front so that we never get to the point that thousands of people are wrongfully denied a loan and after a whole lot of work and costs, maybe they get the loan, so i'm interested in your thoughts. >> let me say, senator, right now i think it's upside down, in other words right now when there's a problem, the companies turn around and charge the consumers to take advantage of the tools they need to correct the problem. so that can't be right.
4:38 pm
i think what we do need to do is increase the incentives for the companies to do a better job on data security and on privacy protection. to make one more historical point, there is a deal at the heart of the fair credit reporting act. when the fcra was passed by congress in 1970, the ability for consumers to bring an action in state tort was preempted where this information was inaccurate and incomplete. before passage of the fcra, people could bring lawsuits for that harm, and they can't now under the fcra which means that congress has to increase incentives. >> do you think they should be able to have recourse through the courts? >> and they do have recourse and
4:39 pm
remember this law provides for statutory penalties in private actions where the credit bureau behaved willfully. >> let me ask you, because my time is running out here. your association has been lobbying against the consumer protection bureau's provision that would allow people to bring lawsuits. in other words you've been lobbying towards keeping mandatory arbitration? >> yes, sir. >> you mentioned 143 million people, if everybody's got to go to arbitration, instead of being able to come together and bring a case, that definitely stacks the deck in favor of the big guys instead of those who have been harmed. >> you have no contract with equifax, so you have no mandatory arbitration clause with equifax, correct? >> but this is a separate issue
4:40 pm
that was just raised by another witness, in other words if there is information in there that causes me damage? >> information in the credit report? >> yes, that causes me damage. you can sue and you can be a member of a class because there is no mandatory arbitration clause in that context. what we're talking about in arbitration, where the consumer is purchasing a product from one of the credit bureaus, like a credit monitoring service, for example. >> we did see in equifax initially, in the event that equifax breaches a cause, that people were relinquishing their rights to go to arbitration. and there are other equifax products where there is a contractual relationship where they are insisting on mandatory arbitration, isn't that the case? >> they testified here they have lots of products where they
4:41 pm
insist -- >> the products sold to consumers. >> if a consumer is wronged in that context, isn't the deck stacked against them that they have to go through mandatory arbitration? >> we think that arbitration can be effective. we also think that given the statute called the credit repair organizations act. that there are special risks for credit monitoring products that have stacked the deck against the company. >> i understand why equifax would want to deny that particular kind of recourse, because it can be more successful in recovering people's damages. >> hold on one second. i'm going to wrap it up. i'm going to have to be very fast, because there is a second vote that i'm going to have to
4:42 pm
get to. so thank you very much for attending here today. i just have one question, and i know that you're here as experts on credit bureaus. i just want to know if you know. whether there is data that is required to be submitted by the credit bureaus to the federal government. does any federal government agency require credit bureaus to submit data to them? >> i don't believe that -- i know that data is provided to the federal reserve board and to the cfpb by credit bureaus. i believe that that data is purchased by those agencies and that is provided within the strictures of the fair credit reporting act. and it's identified in an aggregated format. >> that does it then. >> can i have some more questions? thank you. oh, okay and then i will wrap
4:43 pm
up. if americans could make cras delete their credit files upon demand, like the law requires for medical records, and i know you have some thoughts there, but don't go into medical records, if they could delete their credit files, could that create a risk for credit reporting agencies? >> i don't know if it would create a risk for consumer reporting agencies, it would give consumers more control over their credit reports. >> would you say that consumer reporting agencies would not want americans to demand that their credit files be deleted? >> i'm certain or expect that would be their position. they try to get as much information about consumers as they can. and of course consumers have very little information about what is being gathered.
4:44 pm
>> so if cras allow consumers to delete their data and they have unsuccessfully tried to do that following the equifax breach as we all know. would that create an incentive for these agencies to pay more attention to cyber security in the first place? >> i'm sure it would, and consumer reporting agencies have no legal right to obtain the information of american consumers, as business has evolved over time, they have selected data but i don't think credit reporting agencies can claim they have any right to access our personal data. so ultimately it would be the consumer's decision, whether any company has a right to collect our data. >> so consumers could game the system, is that right? >> right now, the credit reporting agencies largely game the system because consumers
4:45 pm
don't know the factors that are used to make decisions about them for employment and even for cell phone purposes. so it's very asymmetric, this industry who has information about who and how that information is used. >> speaking of asymmetric, currently my understanding is that rules for privacy are much stricter for government agencies than they are in the private sector. if that is the case, should we consider a separate set of privacy standards for both public and private? >> i think that's the unfinished business for credit reporting agencies in the united states. we had a moment to establish a comprehensive law for private agencies. europe took a different approach, they established comprehensive law for private -- >> tell me more about europe. my understanding is european
4:46 pm
countries have stricter data privacy laws and i assume they still have functioning credit markets? >> the agencies, these three agencies you represent. do they do business in those countries? >> i don't know about those specific firms, i do know there's a vibrant credit market across the european economy. the key is they're held to a higher standard. for instance in the area of breach notification, equifax took more than six weeks after they learned about the breach to tell americans what happened. under the new european privacy laws, they have 72 hours to confront a problem like that. you can still operate the bureaus, you're just held to a higher standard. >> are they profitable in europe with a different model, one with
4:47 pm
stricter privacy laws? >> i know that some operate in the uk, we have a different group of credit reporting agencies in europe. and it's not necessarily the three that we're familiar with here. we know that equifax is in the uk, not sure about continental europe. >> could you give to the committee, from those three clients specifically, what they do in europe and their profitability, how big a presence they have, market share, like you know in the u.s., and how they're doing in europe in terms of profitability and any public plans they have about continuing? >> one thing i would say about europe, though, and professor rottenberg may disagree with this. i don't believe there's a right to be forgotten with respect to credit reporting information. there's a balance for collecting such information and a balancing with this right to be forgotten. so there's guidance under the --
4:48 pm
in the eu that i believe would not permit consumers to just delete wholesale information from credit reporting agencies because of the vital role that they play in managing safety and soundness. >> actually if i may disagree, that's not correct. the general data protection regulation, the new european law, speaks specifically about the right -- they're subject to controls of public data. also under the european laws, consumers have a right to an explanation about the basis of the decision. if the company has an automated process, under the european law, consumers get to know the factors that were used to make the determination. i think we need to move to that approach in the united states. that would make the companies more accountable and make the decisions about american consumers fairer and more
4:49 pm
transparent. >> we do have requirements that when you take adverse action based on consumer report information that you notify the consumer and, in the case where a credit score is used, you have to give the key factors that affected that score. >> thank you and i have one last question. i apologize and i know i committed to the chair to keep it as close to five minutes. let me ask mr. smith, if the -- how much would the 145 million americans, 5 million in my state, how much would those victims of the equifax -- the equifax problem be entitled to? >> first you're assuming there would be a cause of action under the fair credit reporting act. there would be no action under the fair credit reporting act. because it was not the credit reporting database that was compromised. were there to be a breach of the credit reporting database, i
4:50 pm
believe the figure was -- a million? the cap was either 500,000 or a million, but it was consistent with all of the other consumer protection statutes. >> sounds like they have a loophole to close. thank you all. members may have questions for you. we encourage them to get them in writing to each of you and please, within the next seven days, answer as quickly as you can. i think the meeting is adjourned.
4:51 pm