
Equifax Data Breach, C-SPAN, October 23, 2017 11:00pm-12:54am EDT

8:00 pm
food shipped. The Food for Peace program and the McGovern-Dole Food for Education program managed by USDA. Due to the cargo preference requirement, 50% of the food shipped must be on U.S. flag vessels. We reviewed the shipping history for CRS food-assisted programs in the fiscal years FY 2013, 2014, 2015. We went through the bills of lading and conducted analysis, and we learned that programs during that time period accounted for about 10% of all the food shipped for USDA and USAID, and we discovered that over the period U.S. flag carriers were 18% to 51% more expensive per metric ton than foreign carriers. And U.S. flag carriers were 80
8:01 pm
to 162% more per metric ton than foreign flag carriers for USDA programs. If U.S. flag carriers had matched the average foreign flag rate in each of these years, we would have spent $23.8 million less for shipping. And we did a little back-of-the-envelope math, and we think that comes out to about $500,000 in food'd they'd we could have helped. Extra money spent on shipping is money not spent feeding hungry people. I'm not qualified to judge whether the cargo preference requirement achieves the necessary national security objective of maintaining sealift with the goal tied to that capacity. However, we at Catholic Relief Services deeply appreciate the service and sacrifice of
8:02 pm
mariners who have helped deliver food aid for the last 60 years. We welcome their contributions that do not diminish the program's ability. Surely there are other ways of supporting the mariners and maintaining our nation's sealift capacity without penalizing vulnerable and hungry people. Short of eliminating the cargo preference requirement, we do have some specific recommendations that could be considered to reduce its unintended negative consequences. I'd be happy to discuss these or any other issues of interest to the committee. Thank you so much for this opportunity.
>> That is some of the best testimony we've had before our committee, and I rest my case with the three of you testifying. So I'm going to defer my questioning time to Senator Cardin, who is going to defer his time to Senator Kaine, who showed up late, as usual. The "late as usual" part is a joke.
>> I would agree with our chairman. I thought your testimonies were very specific and we appreciate that very much. I might have a few questions for the record, but we're going to
8:03 pm
be tight on time, so we'll give Senator Kaine time to question.
>> I was a 10:00 scholar coming in late for panel two, but good testimony. I want to direct my questions to Mr. O'Keefe. In your experiences in working with the Food for Peace program, I would love to hear your view, kind of assessment, of potential aspects of in-kind food aid relative to the benefits of the cash-based assistance. So, you know, we have been pursuing a different direction, and a couple years into that, if you could share your perspectives, are we balancing it right now? That would be helpful.
>> Absolutely. Thank you, Senator. So, in our assessment, cash is a very important tool to have in our toolbox, and we deeply have appreciated the additional flexibility that the program has granted and the EFSP program authorized by this committee as
8:04 pm
part of the Global Food Security Act. We still need in-kind food aid in very specific situations. In Ethiopia, for example, where the need is huge, in-kind food aid is critical. In South Sudan, where I was two years ago visiting and saw dysfunction of markets, overall lack of food available and the unbelievable need, we need to bring in food assistance from outside. In terms of cash assistance over the last year, CRS is providing $77 million of cash market-based assistance of the type we have been discussing in this hearing. That's doubled since FY '16 and we anticipate it will continue to grow. Senator Coons, for example, from northern Nigeria, the SAFE program is an excellent one, similar to one we're also doing. But we are -- the one thing I wanted to add to that is in that conflict situation where we --
8:05 pm
we're able to track and monitor the food distributions through this market-based system, in other words cash on a card that's used to buy food in a store, we can monitor through the internet who is buying at what store in real time. When -- in places where we can't actually go safely. So it allows us to extend further than we might normally be able to do because of just serious security situations. So the balance I think is getting better, certainly, and cash is a critical tool in our toolbox.
>> And do you think the balance is getting better and, you know, in the USAID family regional leaders have the tools they need to decide how to adjust that balance to, you know, properly account for what's going to be best in any circumstance?
>> I think that there's still situations where the right tool is not always available at the right time and so -- but I don't
8:06 pm
have an aggregate sense worldwide of whether -- of kind of what's holding that up. I can say for us at Catholic Relief Services, having the ability to make context-specific recommendations based on the market and the people who we are assessing is absolutely critical, which is why we've been advocating for increased flexibility.
>> I could ask my other two witnesses whether you have any significant difference of opinion about what Mr. O'Keefe said about this balance between cash and direct food aid.
>> I completely agree. Things have changed dramatically over the past 15, 20 years. I've studied U.S. food aid programs. Especially thanks to EFSP, there's incredibly greater flexibility afforded to humanitarian agencies, and they're using it quite well, and I applaud USAID. But those are binding constraints. They really slow delivery and they cost money. Groups are being very efficient and creative, but we could do
8:07 pm
better.
>> Mr. Melito.
>> GAO has consistently called on AID to choose the right modality for it. Cash is often the right option, but sometimes because of droughts and conflict it's actually bringing commodities. And then the commodities can be brought in from the U.S. or locally, regionally. But the key is to know the underlying problem first. The problem is, if you were actually to provide cash in a situation where there's a shortage of food, you could get inflation, in which case you'd drive more people into hunger.
>> The last question I'll ask, with 30 seconds left, is are we doing enough through USAID, our NGO community, to promote the growth of the agricultural sector of economies that are hard hit? I mean, obviously I see a real correlation between strong agriculture and reduction in hunger. And that's something other agencies can address. Are we doing enough there?
>> We can do more, but the
8:08 pm
addition of the -- CRS has a build, grow, sort of recover, build, grow view of agriculture where we are helping people to move up the market chain of involvement. And the U.S. government has placed the Food for Peace development program, which helps the poor communities, farmers, to become market ready. And then the Feed the Future program, which helps those who are already beginning to participate in the market to engage and earn more income and then become fully self-sufficient and leaders in their community. Having all those tools in place is very important. They're not mutually exclusive. They don't overlap completely, and we need the Food for Peace development program as a key part of our agricultural strategy. The resources are never enough. They are not enough, and I think we could all agree to that. Thank you.
>> Thank you. Thank you very much. Senator Young.
>> Thank you, Chairman and Mr. Ranking Member, for holding this important hearing. I'd like to direct my questions to you, Mr. Melito.
8:09 pm
So appreciative of GAO and all the important reports you produce and, more importantly, the recommendations you make to various agencies. As of yesterday, the Department of State had 119 open recommendations, 20 of which were priority recommendations that are still open. And USAID had 42 open recommendations, 11 of which are priority. 20 of those recommendations relate directly to food assistance, and five of those are priority. So it's really important to my mind that these recommendations are addressed on account of efficiency and effectiveness. It's my belief that if they were adopted, the efficiency and effectiveness of our food assistance programs could certainly improve. Do you share that view, sir?
>> Very much so, Senator. Over the last ten years there have been a number of closed recommendations for AID and food
8:10 pm
aid, and that has improved the program, but the remaining ones should also be closed.
>> So I want to commend the agency for closing those, but there's still a lot of important work to do.
>> Exactly.
>> On February 16 I introduced S. 418, the Department of State Accountability Act of 2017, and it would require Congress to receive a report from agencies like State and AID about each of these open recommendations. We want them to identify an implementation timeline for each outstanding GAO recommendation or an explanation as to why they don't intend to implement. Seems reasonable. I was able to work with the chairman and his staff to get that included in the Department of State authorities bill, and then there was a variant of the legislation we included in this year's National Defense Authorization Act. I'm working on broader legislation. Senator Coons is actually an original cosponsor
8:11 pm
of this legislation that would require all federal agencies to report on outstanding recommendations from the IG and the GAO as part of their annual budget justification. Do you believe this type of legislation would improve the efficiency and effectiveness of agencies across our federal government?
>> So GAO cares very deeply about our recommendations. We strive for at least 80% of our recommendations to be closed. So any effort on the part of Congress to improve the visibility and awareness and even pressure on the agencies to close recommendations is welcome.
>> Thank you.
>> Thank you so much. Senator Coons.
>> Thank you, Mr. Chairman. Thank you to a genuinely excellent panel providing detailed and thorough testimony on some of the maddening ongoing restrictions on effectiveness and efficiency in U.S. food aid and some of the genuinely
8:12 pm
inspiring efforts we are making jointly to meet a hungry world. Let me ask Dr. Barrett a question, if I might, about the Maritime Security Program. We've explored it a little bit, but there's a lot of other issues. The Maritime Security Program is designed to ensure the Department of Defense has on-demand access to sealift capacity during times of war and national emergency. You noted in your written testimony that the Department of Defense has never mobilized a mariner or vessel from the non-MSP cargo preference fleet. Is there any evidence that you've come across in your many years of working in this field to support the idea that cargo preference is necessary for our military sealift capacity?
>> Thank you for the question, Senator Coons. No. Simple answer is no, as you already know. The military readiness of the cargo preference fleet is quite low. We have a large fleet that is militarily ready, but it's in the Ready Reserve Fleet, in the Military Sealift Command, and
8:13 pm
in the Maritime Security Program, which is essentially a call option on up to 60 ships, each made $5 million a year for being prepared to mobilize for the Pentagon if and when needed. The Pentagon has never needed, even in times of war, to activate that whole set of those three types of resources, Ready Reserve Fleet, Military Sealift Command and MSP. Cargo preference does not enhance military readiness. We have plenty of readiness through other mechanisms.
>> Thank you. I'll ask one other question, if I might. Our friend and colleague from Maryland, former Senator Mikulski, very pointedly asked me if we were to shift to a predominantly cash-based system of food assistance, wouldn't that undermine the coalition of groups, shippers, maritime unions, commodity groups, that have historically advocated actively for Title II in-kind donations,
8:14 pm
leading to a reduction in overall food aid assistance, thus actually leading to fewer hungry people getting fed? Would any of the three of you care to comment on that assertion?
>> Senator Coons, it's certainly true that there's been an unusual alliance of shippers, NGOs and a few millers, processors over the years to support Title II. This committee and the Congress have advanced alternative mechanisms that prove much more efficient, the Emergency Food Security Program in particular. If Title II were to go away, and I am a fan of Title II, but if it were to go away and there were to be augmentation of the EFSP budgets, we would see enhancement in the service of emergency affected populations around the world. Title II is declining steadily. Keep in mind, as I testified earlier, we have a 76% decline in inflation-adjusted terms in U.S. food aid programs
8:15 pm
since the heyday in the 1960s. So that coalition isn't maintaining the real purchasing power of the programs.
>> When you say 76%, you mean of those dollars dedicated to purchasing U.S. commodities and shipping them overseas.
>> Actually, the overall budget has declined by 76% in inflation-adjusted terms. And the marginal differentials in carriers have grown. So the decline in true commodity terms is steeper still.
>> Mr. O'Keefe.
>> Thank you, Senator, for that question, and it's obviously an incredibly important one. And I think we, as a country, must do the right thing for the people who we are trying to serve and continue to find ways to learn what we're doing and to improve it, and we're certainly committed to that at Catholic Relief Services. The caution just is, my understanding in Europe, and
8:16 pm
Dr. Barrett and Mr. Melito may know more, but when they went from an in-kind to a cash system, the total amount of resources went down enough to -- that the efficiency gain did not kind of keep up. And so I just think that has to be thought through.
>> I don't think that's a good excuse for doing things that are ineffective or inefficient, but I think maintaining political support for helping hungry people is something we have to exercise care about. The last thing I'll say, in terms of the farmers, I do think that farmers here understand farmers overseas, and the ones I've talked to don't understand the dynamics, and I think, Senator Corker, you made this point very clearly in your meeting with the Tennessee Farmer Association. They don't understand how it works and that the kind of ineffectiveness at an aggregate level. But it does mean something to them at a human level that things that they produce end up
8:17 pm
in the mouths of people who need it. And I just think that that's something that we should not toy with. That's real, human and American.
>> I too have spoken to the Farm Bureau in my state about this issue. There's a deep and deserved pride in America's agricultural community and families in being the most productive farmers on earth, in feeding a hungry world. But when they hear about the numbers and inefficiency of how we currently do it, farmers tend to be pretty thrifty people, it makes them crazy and concerned that we'd be more efficient. So I'm determined to work with all of you to sustain our support for U.S. food assistance, U.S. programs to efficiently meet the needs of a hungry world, rather than celebrating efficiency that leads to fewer being fed. Thank you, Mr. Chairman.
>> We have about 30 seconds left on the first vote. There are three votes. I'm going to close out the meeting as soon as Senator Markey finishes, but I'm going to close it out now for my participation.
8:18 pm
>> I want to thank the three witnesses for being here. It's been outstanding. The record will remain open until the close of business Monday. I assume Senator Markey won't launch a nuclear war or do anything of that sort while we're going to vote, but please enjoy your time, sir, and I'm going to announce the meeting adjourned as soon as you finish. Thank you for being here.
>> I appreciate that. Thank you so much. I think you can trust me with my finger on the button, but I'm not sure. I think we need a hearing on all the people who have their finger on the button. So just one question, Mr. O'Keefe. Catholic Charities, how can U.S. food aid programs better complement other humanitarian response efforts so that U.S. assistance also addresses the root causes of food insecurity, political conflict, violence, other issues? How can we do that?
>> Thank you so much, Senator. Catholic Relief Services does think a lot about this very important question, particularly those of us in the humanitarian
8:19 pm
sector worked very closely together a year ago to prepare for the World Humanitarian Support Summit and developed a whole set of system reforms that we look to drive forward. The most important thing for us is to continue to increase resources that go to hungry people, to address both the emergency needs and the kind of creative ways that we've been discussing in this hearing, to expand the Food for Peace development efforts for allowing people at the bottom of the income scale to develop the capacity to begin to connect with markets and have a pathway to sustainability, and then through Feed the Future continue to expand market-based ways to get millions of farmers and people self-sufficient and addressing their own concerns about malnutrition, income, and other food security challenges. So the tools, I think, are coming into focus, and it's a
8:20 pm
question of expanding them. And then the last thing I'll say is just, you know, so many -- and this was alluded to earlier. So most problems we face are at their core political, and so we sometimes feel like we are picking up the pieces of problems that are outside of our hands. The people need this assistance, but it's -- we need to find political solutions to these conflicts.
>> Thank you for that excellent answer, and thank you all so much for your testimony here today. We're in something that's an annual event, the budget, with 10, 20 or 30 votes maybe today. So we apologize to you just for the way in which today is going to be conducted. But it doesn't in any way reduce the thanks that we have for you and the impressive nature of your testimony. Thank you so much. This hearing is adjourned.
>> Thank you.
8:21 pm
>> House Ways and Means Chair Kevin Brady speaks to RealClearPolitics Tuesday about the congressional efforts to reform the tax code. That's live at 8:00 Eastern on C-SPAN 2. And later in the morning, health and public safety officials testify on the recent response to hurricanes in the U.S. and what the government is doing to prepare for other potential natural disasters. That's being held by the House Energy and Commerce Subcommittee on Oversight and Investigations. Watch it live 10:00 a.m. Eastern here on C-SPAN 3.
>> Thursday, we're live in Topeka, Kansas, for the next stop on the C-SPAN Bus 50 Capitals Tour. Lieutenant Governor Jeff Colyer will be our guest on the bus
8:22 pm
starting at 8:45 a.m. Eastern.
>> The Senate Banking Committee recently held a hearing to look at potential legislative responses to the Equifax data breach, which exposed the personal and financial information of more than 143 million consumers. The witnesses were asked how to give consumers more control of their personal information and how it's accessed. This hearing is just under two hours.
>> This committee will come to order. As a follow-up to our hearing on the Equifax data breach, today we will receive testimony on the
8:23 pm
protection of consumer data at credit bureaus. At the Equifax hearing, members expressed interest in better understanding how credit bureaus are regulated, how they protect consumer data, and whether there are gaps that Congress needs to fill. I've long been concerned about the ever-increasing amounts of big data collected by companies and by the government. It is critical that personal data is protected, consumer impact in the event of a breach is minimized, and consumers' ability to access credit is not harmed. Credit bureaus play a valuable role in our financial institution by assessing a person's ability to meet financial obligations and also facilitating access to beneficial financial products and services. The inherent nature of the credit bureaus' business, as with most businesses in this digital age, requires utmost data security to ensure that sensitive consumer information is safeguarded.
8:24 pm
Two weeks ago Equifax testified about the methods it uses to protect its consumer databases, such as encryption at rest and tokenization. Richard Smith noted that while some of Equifax's databases were encrypted at rest, the dispute portal that was compromised was not. Questions remain about the best ways to protect sensitive data, including: are there data security industry standards and best practices at credit bureaus? Should tools like encryption at rest be employed to protect all data containing sensitive consumer information? What role do financial rules and federal agencies play in data security at credit bureaus? Given that credit bureaus are financial institutions under the Gramm-Leach-Bliley Act, how does data security testing and oversight by regulators compare to that of traditional financial institutions?
>> I look forward to hearing
8:25 pm
from our witnesses about what credit bureaus do to ensure security for the data they collect, who oversees credit bureaus to ensure they have adequate security measures in place, and what improvements could be made to the oversight of data security at credit bureaus. There are many things regarding company response to data breaches. The Equifax breach has left more than 145 million consumers a little confused as to what can be done to mitigate damage to their identities and credit. We do know that starting in January Equifax will offer all customers the ability to lock or unlock their credit files for free. Additional products have also been offered from Equifax and the other credit bureaus for consumers to monitor or freeze their credit reports. Many consumers remain confused about which options are best for them, but this hearing will hopefully provide some additional clarity. We have a shared interest on this committee in ensuring that
8:26 pm
credit bureaus take the necessary measures to safeguard personal data and minimize risk of another massive data breach.
>> Senator Brown.
>> Under current law, whether we like it or not, companies like Equifax can collect vast troves of information. That means information plucked from our work histories, our social media profiles, from reward cards to track our purchases at the grocery store, even information from our cell phones tracking our daily commutes. These companies are free to combine and sell that information to all sorts of financial institutions and other data mining firms who use it to make decisions about us, like what kind of car or job that we might get. Corporations like Equifax rarely have to tell us how or why these decisions are made. They get to hide behind proprietary models and trade secrets. It seems our laws protect big
8:27 pm
corporations' use of people's data a lot better than they actually protect people. As a recent breach demonstrates, enhanced cybersecurity measures at companies like Equifax might work perfectly yet still do little to protect consumers' data. While 145 million people have had their private data exposed, it doesn't appear that any sensitive corporate data was accessed. Because the businesses are not accountable to consumers and consumers have no choice over who is collecting their information, consumer protection is pretty much an afterthought. As we talk about the clearly inadequate protections for consumer data at Equifax and those in place at the other consumer reporting agencies today, we cannot forget that the real victims of this hack are the 145 million people, 5 million in my state alone, that through no fault of their own have had their personal information.
8:28 pm
We need to talk about how we're going to strengthen cybersecurity but also how to restore people's control over their own information. We need to examine whether the current credit bureau model makes sense for consumers. We know there's a long history of consumer complaints on inaccurate reporting that has long-term effects on people's ability to get a job or a house. Rather than addressing these problems, they have spent millions acquiring other data collection companies and branching out into new lines of business. Despite their continued failure, there's no other word to use, their continued failure to provide accurate credit reporting services or to protect all of the data that they collect, these CEOs have been rewarded with enormous salaries and bonuses. Sometimes they come in front of us and say they're going to give up their bonus as if that's a major concession. Now in an era of nonstop cyber threats it seems they've made consumers more vulnerable.
8:29 pm
Equifax made astounding amounts of money off the consumer data it collected. It will hardly, unless things change, it looks like it will hardly pay a price for its recklessness. It's still collecting and storing our data, in some cases we're giving it tax dollars to do it. I look forward to today's witnesses' views on these matters.
>> Thank you, Senator Brown. We'll now turn to our witnesses. First we'll receive testimony from Mr. Andrew Smith on behalf of the Consumer Data Industry Association. Then we will hear from Mr. Marc Rotenberg, president of the Electronic Privacy Information Center. And finally we will hear from Mr. Chris Jaikaran. Did I pronounce that right?
>> Jaikaran, thank you.
>> Mr. Chris Jaikaran, analyst in cybersecurity policy at the Congressional Research Service. Each witness is recognized for five minutes of oral remarks, and
8:30 pm
then we'll proceed to questions. Mr. Smith, you may proceed.
>> Thank you. Chairman Crapo, Ranking Member Brown and members of the committee, thank you for the opportunity to appear before you. My name is Andrew Smith and I'm a partner in the law firm of Covington and Burling. I'm appearing today on behalf of the Consumer Data Industry Association, which is a trade association of companies that provide businesses with the information and analytical tools necessary to manage risk and to protect consumers. CDIA's members include the three national credit bureaus: Equifax, Experian and TransUnion. You've asked us to discuss how credit bureaus protect consumer data, but first I wanted to mention the important role played by the national reporting system in our economy. More than two-thirds of our GDP comes from consumer spending fueled by consumer credit. It's the national credit reporting system that allows consumers to quickly and effortlessly open a bank account or purchase a cell phone. More than 40% of consumers move
8:31 pm
every year, and the national credit reporting system facilitates this mobility, in addition to providing fast, fair, impartial access to well-priced car, apartment rental and other services. Nearly 15 years ago Congress enacted the fair employment acts to protect consumer privacy and to foster the continued development and vitality of the national credit reporting system. The most recent revision to this comprehensive regulatory scheme was the CFPB as a supervisory agency. This was not just examining credit bureaus but examining the users of credit reports and the companies that contribute information into the credit bureaus. The virtual continuous supervision of the credit reporting system began in earnest in early 2012, and according to CFPB
8:32 pm
has a proactive approach that will reap benefits for consumers and lenders for many years to come. With respect to data security, credit bureaus are subject to federal and state laws requiring them to safeguard consumer data, and because of the key role they play in the banking system, they also are subject to very specific private data security requirements, such as the Payment Card Industry Data Security Standards. To begin, credit bureaus are required by the FCRA to maintain procedures to ensure that they only provide credit reports to legitimate people for legitimate purposes. These credentialing requirements go beyond contractual certifications and include comprehensive due diligence of customers as well as continuous monitoring of existing customers. FCRA requires secure disposal of credit report information. In addition, the FTC's Safeguards Rule, as referred to by Chairman Crapo, requires
8:33 pm
financial institutions, including credit bureaus, to develop and implement comprehensive written information security programs. The laws of at least 13 states similarly require companies to implement and maintain reasonable procedures to safeguard sensitive personal information. Furthermore, almost every state requires that companies notify consumers when there is unauthorized access to or acquisition of sensitive personal information. Because of their important role in the banking system, credit bureaus are also subject to private contractual data security requirements. For example, because the credit bureaus handle credit card information, the card networks, Visa, Mastercard, et cetera, require that they comply with the Payment Card Industry Data Security Standards and validate such compliance by obtaining an independent third-party audit of their security procedures. In addition, because banks provide a great deal of sensitive customer information to the national credit bureaus, they're required by their prudential regulators to conduct
8:34 pm
regular information security audits of the credit bureaus. These audits can include on-site inspections which might last for several days. Each of the three national credit bureaus is subject to dozens of these bank reviews each year. CDIA shares with you the goal of ensuring that consumers and businesses have confidence in the ability of the national credit reporting system to keep consumer data safe. Thank you for the opportunity to testify, and we look forward to today's dialogue.
>> Thank you. Mr. Rotenberg.
>> Chairman Crapo, Ranking Member Brown, thank you for the opportunity to speak with you today. I'm Marc Rotenberg, I'm president of the Electronic Privacy Information Center. We are an independent, nonprofit research organization founded in 1994 to focus public attention on emerging privacy issues. I would like to begin by saying that the Equifax data breach is one of the most serious in our
8:35 pm
nation's history, on par with a 2015 data breach at the Office of Personnel Management that impacted more than 22.5 million federal employees, their families, and friends. The Equifax breach poses enormous challenges to the security of American families and even to our nation's security. There is no simple solution, but in my testimony today I will outline the steps I believe that Congress can take to mitigate the risks that follow from the breach and reduce the danger and likelihood of future data breaches. I should also say that the Equifax breach is remarkable because of its scope, the sensitivity of the data, and the delay to fix a well-documented security flaw. More than four months passed from the time Equifax failed to install critical software updates. And the data that was disclosed
8:36 pm
is precisely the information that individuals rely upon to open bank accounts, get car loans, seek employment, and buy cell phones. The data included names, Social Security numbers, birth dates, home addresses, and driver's license information. This is also the data that criminals use to commit identity theft and financial fraud. Equifax is clearly responsible for this breach. The company was notified in March by both the Apache Software Foundation and US-CERT to make critical software changes. But it's worth emphasizing that Equifax chose to collect this personal data on American consumers. Consumers did not provide this information to Equifax. And the lax security strategy that they followed meant that a single breach resulted in the release of 145 million credit
8:37 pm
reports on american consumers. the breach will cause unprecedented harm. when hackers get access to credit card numbers, consumers can cancel accounts and change the credit card numbers. but it's not so easy to change a social security number. and i don't think it's possible to change your date of birth. equifax's victims will be exposed to the ongoing risk of identity theft and financial fraud which is already an enormous problem for american consumers. the ftc reported almost 400,000 cases of identity theft in 2016, 29% of those cases involved tax fraud, and the department of justice estimates the cost to the u.s. economy at over $15 billion per year. the credit reporting agencies are in urgent need of reform. and in my testimony i've outlined a
8:38 pm
number of steps that i believe should be taken to establish accountability and transparency. most simply, consumers need to be given greater control over the information about them that impacts their financial future. this means, for example, that we should have a nationwide credit freeze or, to say a little bit more precisely, the disclosure of credit reports should be on an opt-in basis. we recognize the value of credit in the american economy. but it is the consumer who should decide when it is in their interest to disclose their information to a third party to obtain the car loan. they should not have to jump through hoops to put in blocks and freezes to restrict access by others. they should make the affirmative decision. credit monitoring should also be freely available. you should not have to pay to be told that there's fraudulent activity on your account. but that is the current problem
8:39 pm
with credit monitoring services that either charge a fee or limit the access to credit monitoring for 90 days. this makes no sense whatsoever. if there's a problem in the account, the consumer should be notified. we also think consumers should have more ready access to the contents of the credit report so they know who's receiving the information and the impact that the data might have. i have several other suggestions in my testimony which i'd be pleased to provide for the committee. >> thank you. mr. jaikaran. >> chairman crapo, ranking member brown and members of the committee, thank you for the opportunity to testify on consumer data security and the credit bureaus. i'm chris jaikaran and i'm an analyst in cybersecurity policy at the congressional research service. in this role i research and analyze cybersecurity issues and their policy implications including issues of data security, protection, and management.
8:40 pm
my written statement for the record goes into further detail. but my testimony today will address data security as an element of cybersecurity and risk management, cyber incident response, and options for congress to address data security. an increasingly used catchphrase is that today all companies are technology companies or, all technology companies are data companies. this concept reflects that information technology and data play an important role in enabling the modern business practices which allow companies to compete and thrive in the marketplace. however, this reliance on i.t. and data also creates risks for corporate leadership to manage. adequately controlling that risk is an objective of cybersecurity. data security is an element of cybersecurity that involves risk management. absolute security is not obtainable, so managing the risks which would impair security is the goal. in order to evaluate risk, managers need to understand the threats their enterprise may
8:41 pm
face, the vulnerabilities they have and the consequences of an incident. cybersecurity incident response describes how an entity discovers an attack, derives information about it and mitigates against it. for incident response, staff is not limited to just i.t. personnel. communication staff that are able to craft messages to both internal and external stakeholders, legal teams who can help with reporting and compliance requirements, and management and corporate boards who are accountable for the corporation should all be included in response planning, among others depending on the entity. there will be a delay between the discovery of an attack and the public notification of that attack because analysis of what transpired will need to be conducted. this analysis will inform the entity of how they were breached and what data or systems were compromised. this type of analysis may be conducted by the entity itself, a business partner of the entity, government response teams, and law enforcement. with a variety of potential forensic investigators, determining how they will coordinate in their response and how they will share information
8:42 pm
among one another is a factor which should be determined during the planning and training phase. with information on how the breach happened and the extent of the breach, the entity can proceed to mitigate its effects. these phases need not occur in succession but may be able to occur concurrently. i will now briefly present three options congress could consider. they could explicitly authorize a federal regulator to examine the agencies for adherence to the rules. the dialogue created by the federal government and credit reporting agencies could lead to greater understanding of the cybersecurity risk faced by credit reporting agencies and allow for those with deficiencies to correct their security posture prior to referral for enforcement action. congress could regulate the collection, use, and retention of data regardless of the type of entity that houses that data. the european union and canada have such data laws. congress can establish
8:43 pm
requirements on what data may be collected, how data must be stored, and the consumer's rights to collection and use of data about them. congress could require credit reporting agencies or any entity that hosts consumer data to identify and disclose their model for consumers. how it is used and what other data the entity generates about the consumer will provide consumers with additional information that may affect their decision in the marketplace. thank you for the opportunity to testify today. and i look forward to your questions. >> thank you very much. before i begin my questions, just to inform the senators, we have a vote at 10:30. senator brown and i've discussed today and we intend to keep the hearing running so we'll adjust our attendance at the vote and you can make your plans accordingly. but the hearing will continue to proceed during the vote. first question i had is for the whole panel. and i ask you to be concise, i
8:44 pm
only have five minutes in my questioning as does each of the other senators. and but this is for each of the members of the panel if you have an opinion on this. there's been a lot of discussions surrounding the social -- the security of the social security number. and whether it should be used as an identifier going forward. do you think we need to get rid of the social security number as a personal identifier and, if so, what viable alternatives do we have? how would we ensure such an alternative doesn't suffer from the same drawbacks as the social security number? mr. smith, you want to start? >> i think that if we eliminate the social security number as a personal identifier, we're going to have to have some other unique identifier that will allow businesses, credit bureaus, others to know who precisely they're dealing with. so my name is andrew smith. there are thousands of me, perhaps tens of thousands of me. when you're looking at a bankruptcy court record, if there's no identifier on there,
8:45 pm
how do you know which andrew smith it is? so socials right now, and other identifiers, play a critical role in the economy, just simple identification, right? not authentication, not verification, not that i truly am who i say i am. from that perspective socials are terrible. but as identifiers, socials do -- have had a role to play. whether we need another identifier, i think that we're willing to work with you on that to try to come -- to try to get to the right result for consumers. >> thank you for the question. i've spent many years before many congressional committees urging that limits be established on the use of the social security number. but we have never argued for replacing the social security number. the key point is that the ssn serves an important purpose in the management of certain government record systems, that's what it was established for and that's where the legal authority exists. the problem is that the ssn was
8:46 pm
adopted in the private sector and used as an identifier for general purposes. this has actually contributed to identity theft and financial fraud. it's an imperfect identifier. it's used both as a password and as an authenticator, it was intended for neither. when we talk about the social security number, we would not say replace the ssn, as i describe in my testimony, we would say limit the use of the ssn. it should only be available in the private sector for lawful purposes. >> thank you. mr. jaikaran. >> the social security number is a piece of personally identifiable information. so limiting its use in the private sector may lead to reduced consequences that impact if there's a data breach. however, whatever replaces it would likely still remain personally identifiable information that would constitute some level of increased security posture around that data in case there were a breach. >> thank you. and this question is also for you, just for mr. jaikaran. your testimony discusses encryption and other tools that
8:47 pm
can be used in providing data security. equifax's former ceo mentioned that some of their data is encrypted at rest while some of it is not. are there certain minimum security data tools or standards that should be employed across the board? are there measures that, if in place, may have been able to prevent the equifax breach or detected it sooner? >> so in my testimony i discussed cybersecurity as an element of risk management, understanding the entire risk that an enterprise or corporation may face in the conduct of their business. there is federal guidance that is created for the implementation of encryption and there are industry best practices on the use of encryption for data at rest, data in motion, or data in process. while these may exist, a lot depends on how it is implemented and the use cases of each individual company. for where they apply that -- where they apply that
8:48 pm
encryption, how strictly they apply it, and how the keys are managed within that enterprise to allow those with legitimate access to be able to continue to conduct the business while still restricting access to those that don't. >> thank you very much. >> i just have about 45 seconds left so mr. smith and mr. rotenberg, very briefly, under the current legal framework the ftc has authority over its safeguards rule for data security but no regulatory agency currently examines or supervises credit bureaus for data security as is the case with banks. do you think there's a gap in this framework and do we need a credit bureau -- an agency to be set up or authorized to examine for data security? >> so as you noted, the ftc has law enforcement authority and we feel as though we are not unsupervised with respect to data security. we do, as i said earlier, have our bank customers who are regularly auditing us. i would say, however, that if
8:49 pm
there are gaps in supervision that we'd be happy to talk with you about that and come up with the most sensible result for consumers. >> thank you. mr. rotenberg, very quickly. >> the safeguards rule is an important data standard but it only applies right now after the fact. the ftc can only act against a credit reporting agency once the breach occurs. we think they should have the ability before the breach to inspect and determine compliance with standards. >> thank you. senator brown. >> thank you, mr. chairman. mr. smith, in your testimony you stated that the credit reporting system, quote, provides critically important benefits, and you went on to say it's indispensable to the economy. i think we all agree with that so my questions are this, and i'll start with you, mr. jaikaran, and please give a yes or no. do you think that the breach or failure of a credit reporting agency, do you think that a breach or failure of one of the agencies could have a systemic or could have a systemic impact on
8:50 pm
the u.s. financial system? >> a breach of any agency is difficult to judge depending on the categorization of the agency itself. but it is a possibility that it could have impacts on the financial system. >> mr. rotenberg? >> i think the answer is clearly yes. >> mr. smith. >> i think that with respect to the equifax -- with respect to the equifax incident, one of the things that we need to keep in mind is that according to news reports the credit reporting database was not, in fact, compromised. a compromise of a credit reporting database, i'd have to think about whether it would -- whether it would present -- >> so you're the one that started off by saying it provides critically important benefits, it's indispensable, the breach of 145 million you don't think has a systemic impact on the u.s. financial system? >> i think that the risk would be able to be managed by banks but i do think that it's going to be something that would need to be actively managed because what it would present -- >> is that a yes or no as to
8:51 pm
systemic impact? could be managed, a lot of things could be managed. does that have a systemic impact on the financial system? >> i'm not prepared to say it would have a systemic impact but i'd like to think that through. >> okay. could you in the next week let me know if that's a yes or no. >> sure. how would you define systemic impact? >> i'm asking you to. 145 million sounds systemic to me, a number one-fifth of that does. mr. rotenberg, most of us or our family members have faced challenges for decades trying to fix inaccuracies in their credit reports, these inaccuracies result in equifax, transunion or experian being three of the most complained about companies. do you think it would make sense to prevent these consumer reporting agencies from collecting new personal data or providing other services until they have met an accuracy metric in their consumer credit reporting and should consumers --
8:52 pm
second question related, should consumers be allowed access to all the data held by these three companies? >> senator, i think both suggestions are very good. i think credit reporting agencies which provide personal data to others should be held to an accuracy standard because, of course, when they provide information that's inaccurate, incomplete, or out of date, people are wrongfully denied credit, they're wrongfully denied jobs and that's certainly a problem. but also to your second point, whatever information the credit reporting agencies know about us, i think we should have the right to know. particularly now when this information is being made available for sale to data brokers and oftentimes falls outside the protections of the fair credit reporting act. i think we need to do much more to give consumers information and control about their personal information held by others. >> thank you. and mr. smith, consumer advocates have called for free security freezes to be provided by equifax and transunion and
8:53 pm
experian and instead the companies have announced they're rolling out what are called credit lock products which appear to give consumers fewer rights and less security than credit freezes. are cras offering credit locks so consumers have to sign forced arbitration agreements just like they had to on equifax's first offer of credit monitoring products? >> so can i respond really quickly to the issue of access? i wanted to remind the members of the committee that consumers do have access to all of the information on file with -- about them with consumer reporting agencies and they have -- they have free access to that through annualcreditreport.com as well as other mechanisms. >> access and correcting are two different phenomena, but go ahead. >> and with respect to the credit locks, i'm not so familiar with the different features of the credit locks nor do i know whether they have an arbitration clause. >> you do know they did on the
8:54 pm
first round of credit monitoring products that they, let's say, quote unquote generously offered, that they included that, as you know. >> yes. >> they backed off it under public pressure as you know. >> that i know. i don't think that the impetus for offering credit locks could be to obtain a mandatory arbitration clause from consumers. i do think that these credit locks may be useful to consumers. i think that freezes more generally serve a specific need for a type of consumer. there are a lot of other tools that consumers have that can protect themselves in these situations including obtaining a free credit report, placing a fraud alert on their credit report, obtaining credit monitoring. there's a lot of free credit monitoring available. so i think consumers should understand and appreciate that before they place a credit freeze on their file, but credit freezes do have their place. >> i don't want to debate that but i'll just close with, on the forced arbitration agreement, you were their lawyer, you represent them, they also rely on you for advice.
8:55 pm
are you willing to go back to them and say that there is strong sentiment among the public and this congress that forced arbitration agreements should not be part of this credit -- this credit lock offer products? >> yes, i'll convey that message. i do think that there is a special -- there's a sort of an exigent circumstance in that there's a statute called the credit repair organizations act which imposes particularly stringent penalties on companies, any company that's found to be a credit repair organization. and so because of that, and i think some members of the committee are probably familiar with this, because of that arbitration clauses have a special role to play with these products. but i will certainly convey the message that -- >> would you share with the committee exactly what message you conveyed to them on forced arbitration? >> i will share that. >> thank you. >> thank you. gentlemen, regardless of what we've put into law, regardless
8:56 pm
of whatever rules are put in place, if they're not followed, the possibilities of an additional breach continue. i'm just curious, with regard to equifax would it be fair to say that the -- that the data that we have so far, the information that we have so far, does it point to basically human error having been the cause of the data breach? like just a quick response from each. >> senator, i think human error understates the problem. we're talking about a breach that impacted 145 million records. a circumstance where the company was twice notified by two leading authorities and left the breach exposed over a four-month period. i didn't discuss in my testimony this morning, but even the response to the breach was not level with consumers. so at almost every step they did the wrong thing by consumers. >> i believe that equifax has
8:57 pm
said publicly that it was the result of human error. with respect to the question about human error, i would add, though, that the ftc and cfpb are investigating the breach and i would want to see what their conclusions are before we -- before we draw any broader -- before we make any policy choices based on the facts of this breach. >> mr. jaikaran. >> based on the amount of information that we have regarding this particular breach, it is difficult to judge as to whether the breach came down to human error or some other reason within the company. so it's difficult to judge at this point based on the information we have. >> even if -- let's assume that there was human error involved in this, recognizing the significant damage that's been caused, if -- if we have within our abilities the opportunity to lay out a plan in which there is not just an auditable but a
8:58 pm
review process to be put in place with assurance of the follow through, we're still talking about the protections that we put in place for a legal entity that has been breached by thieves. what more can we do or what more should we be doing to prevent this break-in in the first place with regard to protections and also the consequences for entities throughout the world that actually cause these breaches, that are actually overtly out trying to get their hands on the data? do we need to look at additional federal authorizations or institutions that would be literally for the cyber community the same as the fbi was when it came to stopping the bank robberies of the 1920s and 1930s, do we need to be looking at something like
8:59 pm
that on a worldwide basis? >> senator, i think that is a very important point. when the fair credit reporting act was passed in 1970, the primary concern was about the possible misuse of consumer data by the credit reporting agencies. and that was the problem that congress sought to address. but here we are almost 50 years later living in a world of constant cyberattack. and in my testimony this morning i tried to explain that the equifax breach needs to be understood, not just in terms of the misuse of personal data, but actually the exploitation of -- by foreign adversaries. and that's also the reason, sir, why i think we need to update our privacy laws, put more incentives on companies to protect this data, not just from misuse, but also from exploitation by foreign governments. >> mr. smith. >> we think that to the extent that there are gaps in
9:00 pm
supervision of data security that we're -- that we want to talk with you about that. we want to get to the right result. with respect to professor rotenberg's point, there's no doubt that this was a criminal hack, that it was from an unknown source, that it may have been from a foreign actor, and that's something that i think hopefully the ftc and cfpb and other continued investigations will reveal, and if there are policy implications from that hopefully we can have that discussion then. >> mr. jaikaran. >> when we think about the government relationship with these agencies there are three buckets we could put them in. first is rulemaking, next is examination, and the third is enforcement, which the ftc maintains. in this space we can see that the agency space was the one that we had the least government involvement. so i think there presents an opportunity for congress to create further guidance on how they want agencies to act with regard to that. concerning the consequences side, to the best of my
9:01 pm
knowledge attribution has not been placed for this breach and that would be a conversation to have with law enforcement agencies and officials on what authorities they think they'd need in order to go after the criminals here.