tv Equifax Data Breach CSPAN November 2, 2017 9:20am-11:16am EDT
9:20 am
9:21 am
racing dynasty. a senate committee heard from the credit reporting industry and consumer protection groups. the hearing is just under two hours. this committee will come to order. as a follow-up to our hearing on the equifax data breach. at the hearing members expressed interest in better understanding how credit bureaus are regulated, how they protect consumer data and whether there are gaps that congress needs to fill. i have long been concerned about the ever increasing amounts of big data collected by companies and by the government. it is critical that personal data is protected. consumers ability to assess
9:22 am
credit is not harmed. credit bureau plays a valuable role by helping assess an ability to meet financial obligations and also facilitating to financial products and services. the inherent nature as with most businesses in this digital age requires utmost data security to ensure that sensitive consumer information is safeguarded. two weeks ago equifax testified about the methods it uses such as encryption at rest. former equifax noted while some databases are encrypted at rest the disputed portal was not.
9:23 am
should tools like encryption containing consumer information. what role should they play at credit bureaus? given credit bureaus are financial institutions how does data security, testing and oversight by regulators compare to that of traditional financial institutions? i look forward to hearing from our witnesses about what credit bureaus do for the data they collect. who oversees to ensure they have adequate security measures in place and what could be made at the credit bureaus. there are also many concerns. the breach has left more than 145 million consumers a little confused as to what can be done to mitigate damage to their
9:24 am
identities and credit. we do know starting in january equifax will offer the ability to lock or unlock their credit files for free. additional products have also been offered from the credit bureaus for consumers to monitor or freeze their credit reports. many consumers remain confused about which options are best for them. this hearing will hopefully provide some additional clarity. we have a shared interest in ensuring that credit bureaus take the necessary measures to safeguard personal data and minimize risk of another massive data breach, senator brown. >> thank you. under current law, whether we like it or not companies can collect personal information that includes information plucked from our work histories, our social media profiles from reward files to track our purchases even information from our cell phones tracking our
9:25 am
daily commutes. generally they are combined to sell that information to all sorts of financial institutions in other data mining firms who use it to make decisions about us like what kind of car or job we might get. corporations like equifax rarely have to tell us why or how these decisions are made. they get to hide behind trade secrets. it seems our laws protect use of people's data a lot better than they actually protect people. as a recent breach demonstrates enhanced cyber security measures might work perfectly yet do little to protect consumers data. 145 million people have had their private data exposed it doesn't appear any sensitive corporate data was accessed it
9:26 am
is in place of those other consumer reporting agencies today. we cannot forget the real victims are 145 million people, 5 million in my state alone through no fault of their own have had their personal information compromised. i hope at today's hearings we don't talk about how we strengthen cyber security. we need to do that but we need to explore how to restore control over their own information. we need to examine whether the current model makes sense for american consumers. we know that have a long history of consumers complaints and inaccurate reporting that has effects on peoples ability to get a job or get a house.
9:27 am
9:28 am
first we'll hear from andrew smith then president of the privacy information center. each witness is recognized for five minutes of oral remarks and we'll proceed to questions. you may proceed. >> thank you. members of the committee, thank you for the opportunity to appear before you. my name is andrew smith. i'm appearing on behalf of the trade association of companies that provide businesses with tools necessary to manage risks and to protect consumers. it includes the three national
9:29 am
credit bureaus. you asked us to discuss how they protect consumer data. i wanted to mention the important role played by the national credit reporting system in our economy. more than two-thirds comes from consumer spending. it's the national credit reporting system that allows to open a bank account or purchase a cell phone. the national credit reporting system facilitates this in addition to providing fast, fair and impartial access to well priced credit, apartment rental and other essential services. nearly 50 years ago congress reported the act to ensure impash y'aim -- to foster the continued development of national credit reporting system.
9:30 am
the most recent revision to this scheme was the addition of the cfpb. this is the first to directly supervise the national credit reporting system not just examining credit bureaus but the companies that contribute information into the credit bureaus. the supervision of the credit reporting system began in early 2012 and has produced a proactive approach to compliance that will reap benefits for many years to come. with respect to data security credit bureaus are subject to federal and state laws requiring them to safeguard consumer data and because of the key role they play they are subject to very specific private security requirements such as data security standards. to begin credit bureaus are required to maintain procedure
9:31 am
to make sure they only provide credit reports to legitimate people for legitimate services. the laws of at least 13 states require to maintain reasonable procedures to maintain sensitive personal information. almost every state requires that companies notify consumers when there is acquisition of sensitive personal information. because of their important role in the banking system credit bureaus are also subject to
9:32 am
private contractual. the card networks require they comply with the payment card industry data security standards and obtain an independent third party audit in addition because banks provide a great deal of sensitive information they are required by regulators to conduct regular security audits of the credit bureaus. they can include on-site inspections. to keep consumer data safe. thank you for the opportunity to testify and we look forward to today's dialogue.
9:33 am
9:34 am
solution to mitigate the risks that reduce the danger and likelihood of future data breaches. i should also say it's likely because of the sensitivity of the data and the delay to fix a well documented security flaw. more than four months passed from the time equifax failed to install critical software updates. the data that was disclosed is the information individuals rely upon to open bank accounts, get car loans, seek employment and buy cell phones. the data included names, social security numbers, birth dates, home addresses and drivers license information. this is the data criminals use to commit identity theft and financial fraud. equifax is clearly responsible for this breach. the company was notified in
9:35 am
march by both the apache foundation of the need to make critical software changes. it is also worth on american consumers. consumers did not provide this information to equifax. it will cause unprecedented harm. consumers can cancel accounts and change the credit card numbers. i don't think it's possible to change your date of birth.
9:36 am
it is already an enormous problem for american consumers. they reported almost 400,000 cases of identity theft in 2016. 29% involved tax fraud and they estimate the cost to the committee at almost $15 billion a year. credit reporting agency is in urgent need of reform. in my testimony i outlined a number of steps i believe should be taken consumers need to be given greater control that impacts their financial future. this means, for example, that we should have a nationwide credit freeze or to say a little bit more precisely the disclosure should be on an opt-in basis.
9:37 am
it is the consumer who should decide when it is in their interest to disclose share information to a third party to obtain the car loan. they should not have to jump through hoops to restrict access by others. they should make the affirmative decision. credit monitoring should also be freely available. you should not have to pay to be told there is fraudulent activity on your account. if there's a problem in the account the consumer should be notified. we also think consumers should have more ready access so they know who is receiving the information and the impact the data might have. i have several other suggestions in my testimony which i would be pleased to provide.
9:38 am
>> thank you. >> thank you for the opportunity to testify. my name is chris and i'm at the congressional research service. in this role i research and analyze security issues including data security, protection and management. my written statement for the record goes into further detail but my testimony today will as an element of cyber security and options for congress to address data security. an increasingly used catch phrase is that today all companies are technology companies or data companies. this reflects information technology and data play an important role in modern business practices which allow
9:39 am
them to compete and thrive in the marketplace. this also creates risk for corporate leaderships to manage. adequately controlling that is an objective for cyber security. managers must understand the vulnerabilities they have and consequences of an incident. incident response discover information about it and mitigate about it. staff is not limited to just i.t. personnel. communications staff to internal and external and legal teams and management and corporate boards who are accountable should all be included in response planning among others depending on the
9:40 am
entity. there will be a delay between the discovery of an attack and public notification of that attack. this may be conducted by a business partner, government response teams and law enforcement. determines how they will coordinate in the response and how they will share information is a factor which shall be determined between the planning and training phase. the entity can continue to mitigate its effects. it may be able to occur concurrently. i will now briefly present three options congress could consider. congress could explicitly to examine credit reporting
9:41 am
agencies. the dialogue created by the federal government and credit reporting agencies could lead to greater understanding of the cyber security risk faced by credit reporting agencies and allow for deficiencies prior to referral. congress could regulate collection use and retention of data regardless of the type of entity. they have such data laws. they can accomplish requirements on how data must be stored and the consumers rights and collection to data about them. congress could require credit reporting agencies to identify and disclose their data model. elements how it is used and what other data the entity generates about the consumer will provide consumers with additional information that may affect their decision in the
9:42 am
marketplace. thank you for the opportunity to testify today and i look forward to your questions. >> thank you very much. before i begin my questions to just inform the senators, we have a vote at 10:30. senator brown and i discussed it. we intend to keep the hearing running. first question i have is for the whole panel. do you think we need to get rid of the social security number as a personal identifier and if so what viable alternatives do we
9:43 am
have? how would we ensure it doesn't have the same drawbacks as the social security number? >> i think if we eliminate the social security number as a personal identifier we'll have to have some other unique identifier that will allow businesses, credit bureaus to know who they are dealing with. my name is andrew smith. there are thousands of me, perhaps tens of thousands of me. when you're looking at a bankruptcy court record if there's no identifier how do you know which andrew smith it is? it plays a critical role in the economy, not authentication, not that i am who i say i am. as identifiers socials do -- have had a role to play, whether we need another identifier i think we are willing to work with you on that to try to get to the right result for
9:44 am
consumers. >> thank you for the question. i have spent many years before many congressional committees urging that limits be established on the use of a social security number but we never argued for replacing the social security number. the key point is that the ssn serves an important purpose in certain government management systems. that is what it was established for. the problem is that the ssn was adopted in the private sector and caused as an identifier for general purposes. this has contributed to identity theft and financial fraud. it is used both as a password and an authenticator. when we talk about the social security number we would not say replace the ssn. as i describe in my testimony we would say limit the use of the ssn. it should only be available for
9:45 am
lawful purposes. >> thank you. >> the social security number is a piece of personal information. it may lead to reduced consequences that impact if there is a data breach however it would still remain personally identifiable identification that would provide increased security posture in case there were a breach. >> thank you. and your testimony discusses inkripi enkripgs and other tools. are there certain minimum standard that is should be employed across the board for personally identifiable identification? are there measure that is may have been able to detected it sooner? >> in my testimony i discuss it as an element of risk management
9:46 am
that a corporation may face in the conduct of their business. there are federal guidance that is created for the implementation of encryption. while these may exist a lot depends how it is implemented and the use cases of each individual company for where they apply that, how strictly they apply it to allow those with legitimate access to conduct the business while restricting access to those that don't. >> thank you very much. i just have about 45 seconds
9:47 am
left. do you think there's a gap in this framework and do we need a credit agency to be set up or authorized to examine for data security? >> so as you noted the law enforcement authority and we feel as though we are not unsupervised with respect to data security. we do have our bank customers who are regularly auditing us. i would say however if there are gaps in supervision we would be happy to talk with you about that and come up with a result about consumers. >> okay. thank you. >> the safeguards rule is an important data security standard. it only applies after the fact. it can only act once the breach occurs. we think they should have the ability to inspect and determine compliance with standards. >> thank you, senator brown. >> thank you.
9:48 am
in your testimony you stated the credit reporting system provides critically important benefits. i think we all agree with that. so my questions are there. i'll start with this. please give a yes or no on this, if possible. do you think the breach or failure whether it is experian or equifax could have a systemic impact on the u.s. financial system? >> a breach of any agency is difficult to judge depending on the categorization of the agency itself. it could have financial impacts. >> the answer is clearly yes. >> mr. smith? >> i think with respect to the equifax incident is that the credit reporting database was
9:49 am
not in fact compromised. i would have to think about whether it would present -- >> so you're the one that started off by saying it provides critically important benefits, the breach of 145 million you don't think has a systemic impact? >> i think the risk would be able to be managed but i think it would be something that would need to be actively managed. >> is that a yes or no to systemic impact? it could be managed. a lot of things managed -- >> i'm not prepared to say it would have a systemic impact but i would like to think that through. >> could you in the next week let me know -- >> how would you define if it's a systemic impact? >> 145 million sounds systemic to me. one fifth that does.
9:50 am
most of us or our family members have faced -- these result expe three of the most complained about companies to the cfpb. would it make sense to prevent the consumer reporting agencies from collecting new personal data or providing other services until they've met an accuracy metric in their consumer credit reporting and should consumers second question related -- should consumers be allowed access to all the data held by the three companies? >> senator, i think both suggestions are very good. i think credit reporting agencies which provide personal data to others should be held to an accuracy standard. because, of course, when they provide inaccurate, incomplete or out of date information people are wrongfully denied credit and jobs. that's certainly a problem. also to your second point, whatever information the credit reporting agencies know about us, i think we should have the
9:51 am
right to know. particularly now when this information is being made available for sale for data brokers and oftentimes falls outside the protections of the fair credit reporting act. i think we need to do much more to give consumers information and control about their personal information held by others. >> thank you. mr. smith, consumer advocates have called for free security freezes to be called for by equifax. they're rolling out credit locks which appear to give consumers less rights than contract freezes. are cras offering credit locks so they have to sign for arbitration clauses. >> i wanted to remind the members of the committee that consumers do have access to all
9:52 am
of the information on file with -- about them with consumer reporting agencies, and they have -- they have free access to that through annualcreditreport.com as well as other mechanisms. >> access and correcting are different. but go ahead. >> they can dispute anything that's incorrect. with respect to credit locks, i am not so familiar with the different features of credit locks nor do i know if they have arbitration clauses. >> they did in the first round. they included that, as you know. they backed off it under public pressure as you know. >> that i know. i don't think the impetus for covering credit locks would be to obtain a mandatory arbitration clause from consumers. i do think that these credit locks may be useful to consumers. i think that freezes more generally serve a specific need for a specific type of consumer. there are a lot of other tools that consumers have that can
9:53 am
protect themselves in these situations, including obtaining a free credit report, placing a fraud alert on their credit report, obtaining credit monitoring. there is a lot of free credit monitoring available. so i think consumers should understand and appreciate that before they place a credit freeze on their file. but credit freezes do have their place. >> i don't want to debate that. i will close with on the forced arbitration agreement, you are their lawyer, you represent them. they also rely on you for advice. are you willing to go back to them and say that there is strong sentiment among the public and this congress that forced arbitration agreements should not be part of this credit lock offered products? >> yes, i will convey that message. i do think that there is a special -- there is a sort of an exigent circumstance when we are talking about credit monitoring and other credit report related products in that there is a statute called the credit repair organizations act which imposes particularly stringent penalties on companies, any company,
9:54 am
that's found to be a credit repair organization, and so, because of that -- and i think some members of the committee are probably familiar with this, because of that arbitration clauses have a special role to play with these products but i'll convey the message -- >> would you share with the committee exactly what message you conveyed to them on forced arbitration? >> i will share that. >> thank you. senator rounds. >> thank you. gentlemen, regardless of what we put into law, regardless of what rules are put in place, if they're not followed, the possibilities of an additional breach continue. i am just curious, with regard to equifax, would it be fair to say that the data that we have so far, the information that we have so far, does it point to basically human error, having been the cause of the data breach? like just a quick response from each. >> senator, i think human error
9:55 am
understates the problem. we're talking about a breach that impacted 145 million records, a circumstance where the company was twice notified by two leading authorities and left the breach exposed over a four-month period. i didn't discuss in my testimony this morning, but even the response to the breach was not helpful to consumers. so at almost every step they did the wrong thing by consumers. >> i believe that equifax has said publicly that it was the result of human error. with respect to the question about human error. i would add, though, that the ftc and cfpb are investigating the breach, and i would want to see what their conclusions are before we draw any broader -- before we make any policy choices based on the fact of this breach. >> mr. jaikaran. >> based on the amount of information that we have regarding this particular breach it's difficult to judge as to whether the breach came down to human error or some other reason
9:56 am
within the company. it's difficult to judge at this point based on the information we have. >> even if -- let's assume that there was human error involved in this, recognizing the significant damage that's been caused, if -- if we have within our abilities the opportunity to lay out a plan in which there is not just an auditable but a review process to be placed in place with assurances of the follow-through, we're still talking about the protections that we put in place for a legal entity that has been breached by thieves. what more can we do or what more should we be doing to prevent this break-in in the first place with regard to protections and also the consequences for entities throughout the world
9:57 am
that actually caused these breaches, that are actually overtly out trying to get their hands on the data? do we need to look at additional federal authorizations or institutions that would be literally for the cyber community the same as the fbi was when it came to stopping the bank robberies of the 1920s and 1930s? do we need to be looking at something like that on a worldwide basis? >> senator, i think this is a very important point. when the fair credit reporting act was passed in 1970, the primary concern was about the possible misuse of consumer data by the credit reporting agencies. and that was the problem that congress sought to address. here we are almost 50 years later living in a world of constant cyberattack. in my testimony this morning i tried to explain that the equifax breach needs to be
9:58 am
understood not just in the terms of the misuse of personal data but also the exploitation by foreign adversaries. that's also the reason, sir, why i think we need to update our privacy laws, put more incentives on companies to protect the data not just from misuse but also from exploitation by foreign governments. >> mr. smith. >> we think that, to the extent that there are gaps in supervision of data security, that we are -- we want to talk with you about that and get to the right result. with respect to professor rotenberg's point there is no doubt that this was a criminal hack, that it was from an unknown source, that it may have been from a foreign actor. and that's something that i think is hopefully the ftc and cfpb and the other continued investigations will reveal. if there are policy implications from that, hopefully we can have
9:59 am
that discussion then. >> mr. jaikaran. first is rule-making, next examine and the third is enforcement. in this space we could see that the examination space was the one that we had the least government involvement. so i think there presents an opportunity for congress to create further guidance on how they want agencies to act with regard to that. concerning the consequences side, to the best of my knowledge attribution still has not been placed for this breach. that would be a conversation to have with law enforcement agencies and officials on what authorities they think they need in order to go after the criminals here. >> i think it's important that we recognize that there is a standard of security which has to be imposed and we've got to be able to audit it, follow through, and -- with consequences but also with a continued surveillance. but until we get down to the point where there are actually consequences for the bad guys involved, we're not going to
10:00 am
make the major dent that we have to in terms of cyber theft elsewhere. i think we miss that sometimes. we're focusing on the people who are trying to provide services, we're not focusing on going after the guys who are actually causing the problems for everybody else, not just in the united states but elsewhere around the world as well. >> thank you, mr. chairman. >> senator reed. >> thank you, mr. chairman. mr. rotenberg, my sense from your testimony is that -- and you can confirm this -- there are two points that consumers should have legal rights, and one is that they should have the legal right to withhold or divulge their credit score, or they should know the credit information that an agency has and that should be by law, not by deference of the agencies. is that your view? >> yes. that's correct, senator. when the information is being provided in the credit report,
10:01 am
presumably it's for the consumer's benefit, they are seeking the loan, they want to buy the car, they need the mortgage. they should know when that's happening and they should know the information contained in the report. >> that should be by statute, not deference. >> yes. part of this is about changing the default. right now your credit report is freely available to others within the stricture of the fair credit reporting act, but you have very little control over that. we would say give the consumer opt-in control. >> mr. smith indicated that consumers once a year have access to all the information that a credit bureau has. is that -- >> well, it's true, once a year they can get a free copy of their credit report. it's not all the information they have. they don't know who has received the information. and as i said, this is also rapidly evolving industry. there are a lot of related practices that are not covered by the fcra. as a consequence, consumers don't have the full picture. >> so essentially they could get the number, whatever it is, 400,
10:02 am
800. >> yes. >> and supplemental information to that number. but if, as senator brown suggested, the agency was also buying cellphone information or something like that, that's not -- >> that would fall outside of the credit report. >> so that, in order to give the -- a customer the full benefit -- citizen the full benefits that all information of the agency has on them should be -- identifiable information should be disclosable. is that correct? >> yes, senator. that's why we recommended a comprehensive approach based on a federal baseline. it would give consumers more information about them that's being transferred to third parties. >> and i would also presume that you would suggest that they have the right to deny access to certain information. >> absolutely. >> or even to require that information be deleted from the credit bureau's files. >> i think many american consumers would actually be surprised to know how many people, how many businesses, get
10:03 am
access to their credit reports without their knowledge. those reports move very freely with very little information being provided to consumers, and i think that should change. >> in the description of what took place, it appears that there was negligence on behalf of equifax, being told by a federal regulator to make a patch and not making the patch for several months. who -- does anyone have the right to sue or to enforce criminal or administratively? >> i am sure there will be lawsuits brought. and there are a variety of different theories. but as others have already pointed out, almost immediately equifax's response was to try to deny consumers the opportunity to pursue their legal remedies, and that can't be the right response. >> but with respect to regulatory agencies, the impression that i have from the discussion is that it's all sort of retrospective after the fact, that they can go in and make a
10:04 am
judgment. could the ftc levy a fine based upon failure to follow? >> actually, no. under the safeguards rule they can inspect and they can, i think, sanction, but i think a fine would require subsequent violation of the settlement or order with the company. and the ftc under the safeguards rule currently would not have the ability to inspect or prevent prior to the breach occurring. >> so is there any -- under existing law, is there any way for appropriate federal agency to levy a fine or some type of significant penalty on the company to deter or to -- >> i think for the ftc to levy a fine they'd have to find a breach under the fair credit reporting act. under section 5 of the ftc act they have to have a consent order and subsequent violation. it's not a very effective enforcement regime.
10:05 am
>> i concur. thank you very much. >> senator scott. >> thank you, sir. good morning to the panel. thank you all for being here this morning. the equifax breach is still catastrophic for so many in south carolina. if you think about the numbers of individuals impacted by the breach in my home state of south carolina, 2.4 million south carolinians had their personal information exposed, stolen through the equifax breach. only 5 million people are living in the state. that's 48% of the state, the sixth highest number in the country. when you account for the fact that there are about -- 500,000 south carolinians under the age of 14 that means the number surges over 50%. over half of the adult population at least in the se had their information exposed. equifax's negligence has been
10:06 am
devastating for my constituents. when you look at the geographic location of the impact, the southeast region seems to have been impacted aggressively, in high levels. georgia, around 51.6%. virginia, 48.8%. florida, around 53.5%. i ask equifax, why south carolina and the southeastern region, was so hard hit? i hope they find an answer soon. my suspicion is that perhaps the location, the physical location, of equifax may have played a role in that. mr. jaikaran, why are the numbers so high so close to the physical headquarters of equifax? >> that would be difficult to judge based on publicly available information, but there might be some business reasons why equifax would have additional information on people in the southeast region of the
10:07 am
nation. they have more business partners with businesses near their headquarters, so there is a greater opportunity for sharing of information. it may be that the population of those states are prime targets for credit, so just the population of the states, the sample pool, may be more amenable to a credit reporting agency. >> thank you. things get complicated when a company is headquartered in new jersey, does business in south carolina and is breached in arkansas. the states have different laws on the books governing when and how the companies must notify the public of a data breach. back to you, mr. jaikaran. is our current state by state patchwork of regulatory approaches effective in protecting the public? >> thank you, senator. i believe my colleagues at the gao would be in a better position to evaluate the state by state regulatory regime we have today. as a broader data breach
10:08 am
notification policy that does provide a level of certainty for businesses and consumers if there was a federal law on the data breach notification that is expected for businesses to provide as well as what consumers can expect to receive. something to be considered when developing a rule, however, or law, is that what will consumers be expected to do with that information? do they just get a letter in the mail saying that their data was compromised and they're on their own or is there some recourse the business or the corporation that had the data and that had it breached must provide to the consumer because the data was compromised. >> it's not simply a uniformity across the nation but also some teeth as it relates to what happens next once the consumer is informed. >> we see that across state laws now, some of them are just a simple notification and some are some relationship that the corporation must have with the breached consumer. >> thank you. mr. smith, despite the federal government also being breached,
10:09 am
pretty frequently, unfortunately, some have suggested that we nationalize the credit reporting agencies. such a move would kill innovation. the same innovation that is opening up the market of 26 million credit invisible americans. i think fannie and freddie should consider new credit reporting models that take into account things like rent payment and utilities. who would benefit the most from such a change, mr. smith? >> so, use of information about rent and utility payments by fannie and freddie could expand access to mortgage credit for younger consumers, recent immigrants, consumers new to credit and others without a traditional credit file. so the national credit bureaus are already able to collect this information from landlords and utilities and have built the systems necessary to do that. as you know, the credit bureaus over the last 50 years have been successful in expanding access to credit to folks who
10:10 am
previously may not have had that access. but i think ultimately it's going to be fannie's and freddie's decision whether or not these utility and rent payments are actually predictive of the risk of default that they're trying to manage. >> we certainly understand that freddie and fannie have to make their own decision. the question was who benefits from it. sounds like the population that benefits the most are the folks disproportionately represented today in home ownership. >> folks who are credit worthy but we can't tell because they don't have traditional credit report information. specifically people who are new to credit, i think. >> the number, senator brown, i know you were thinking about south carolina when i was talking there, the number is about 16% of south carolinians who is credit invisible would become visible and show the responsible pattern to allow them to own a home. thank you. >> my state is 5 million out of 11.6. it's mid, high 40% also. senator cortez masto.
10:11 am
>> thank you, gentlemen, thank you so much for the conversation. mr. smith, i want to start with you. as you note in your testimony, the cfpb's supervision of credit bureaus relates primarily to the accurate furnishing and reporting of credit data and the cfpb does not generally provide for inhouse supervisors, in the wake of the breach director cordray recommended that they be reside at the big three credit reporting bureaus, monitor cybersecurity and data protection practices. would you agree this is an important development? >> well, so when you look at director cordray's comments, i think you're talking about his cnbc or something comments on television. he said initially that the cfpb doesn't have authority over data security. it seems as though the folks on the panel agree with that. whether there is an appropriate role for a supervisor for data security at the credit bureaus,
10:12 am
we want to talk with you about that and come up with the best result for consumers. it may be that, if there is such a role to be played, the cfpb is not the best person for the role or it could be that they are. >> thank you. mr. rotenberg, do you think this would be helpful? let me put this in context. prior to my role here i spent the last eight years as attorney general of nevada with one of the highest identity theft rates in the country. i can tell you, the breach that happened with equifax is not equal to the breach that happened at a target store somewhere else. what happened with equifax is now -- there is a potential of millions of americans' identities being stolen. if you have ever been the victim of identity theft, the rest of your life you are trying to reclaim your identity. it's not just clearing up your credit. it is addressing somebody who has purchased a boat in your name, purchased a house in your name, committed a crime in your name when you're showing up in court and trying to identify that that person who committed
10:13 am
the crime has stolen your identity. this is life-long. and it's going to have a major impact on millions of americans, and that's why this is so egregious, and we have to do a better job of protecting individuals' data and information, because you're collecting it without their approval. and then you're -- then they have to succumb to years of trying to clear up all of that data. my concern now is how do we address it? how do we put limits on what we -- the data we collect? i know we are talking about more cybersecurity protection, making sure there is oversight over the companies. if there is human error, whatever occurred, it's going to happen again. is there some limit to the data that we should be collecting besides all of the other discussion that we talked about today? and so, mr. rotenberg, i am curious your thoughts on that. >> senator, to your first point,
10:14 am
i think it would be a step in the right direction to have supervisory authority at the cfpb at the credit reporting agencies. i think that makes a lot of sense. that's only to prevent against future data breaches. and the question is what to do now for american consumers who confront the reality that others are in possession -- we call these the authenticators, the information that's used to establish your identity in commercial transactions. and this is the reason that we think we need to change the default on credit freezes. people should know from this point going forward anytime anyone wants access to their credit report. and people should know from this time going forward anytime there is suspicious activity on their credit reporting account. they shouldn't have to select a service or pay for the service. >> i absolutely agree. >> it should be built into the industry. >> i'm going to cut you off. i apologize. because i only have so much time. i agree. there has been use of the social security number and limiting it
10:15 am
in private use. i don't know about you, but when you set up your house and you set up your utilities they ask for your social security number. at your doctor's office they ask for it. this number has become so prevalent as an identifier, i don't know how you pull it back from the private sector. quite honestly, i don't know how you protect against anybody having access to it. because i can tell you a bad guy will be able to go online and if it's already been used and out there, they're going to find it. so more importantly, for my purpose, and i think all of our purposes, really shouldn't it be now giving the consumer the absolute right to control their information and how it's being used? >> absolutely, senator. i think that is key. if i could say briefly on the social security number we have actually made some progress limiting its use. in fact, with credit to senator collins and senator mccaskill. the number is coming off the
10:16 am
medical benefits i.d. card. its use there was contributing to identity theft among american seniors. we helped to get the social security number off the state driver's license, the social security number is no longer published in the state voter rolls. this is an issue that can be addressed but congress will have to get behind an initiative that says to the private sector we have to limit the use of the ssn. >> thank you. i appreciate the comments. my time is up. >> senator kennedy. >> thank you, mr. chairman. gentlemen, i am sorry i missed your presentations. why should we not pass legislation that would establish that the bureaus have a fiduciary obligation to the people whose data they collect and earn a profit off of? >> i think you should, senator. i think some of the legislation is already in place but i think more needs to be done.
10:17 am
i think your description of a fiduciary relationship is absolutely correct. >> do you think there is a fiduciary relationship now? >> i don't. i don't think the companies think they have an obligation to the american consumers. >> do you gentlemen agree with that? >> i disagree. >> you represent the bureau? >> i represent the industry. we are subject to a pervasive regulatory scheme. this statute here, the fair credit reporting act, that requires us to ensure the accuracy of information in credit reports that requires us to -- >> your clients attempting when the equifax breach was made public, weren't you trying to pass legislation that would lessen your clients' liability? >> there was legislation that had been introduced that would introduce a cap on potential liability for private actions. that cap, though -- >> was that a good idea? >> the fcra is unique in that it
10:18 am
doesn't have a cap on class action liability. truth in lending. equal opportunity. fair debt collection, efta. they all have caps. fcra does not. >> you still believe your client should have caps, counselor? >> as a trade association, we would continue to argue for caps. >> is that a yes? >> that's a yes. >> okay. here is my problem. if the bureaus do their jobs right, you -- they facilitate commerce because when lenders loan money to people, the lenders want to get paid back. and what your clients offer is one assessment of the risk that the lenders are taking. it's just one assessment. there are others who don't use online lending, many online lenders don't use your client's
10:19 am
product anymore. they think there are other ways, better ways, to assess risk. i am not saying they are right or wrong. i am saying that your clients basically take my data, personal information about me, without my permission and, as a business model, they sell it to businesses. i am not compensated. now, if they lose my data, as equifax did, or if someone submits to them data that is in error, that undermines my credit score, the bureaus have no obligation or interest right now to work with me to try to get the credit score correct. have you ever had one of the bureaus get your credit score wrong and you called and tried to get it fixed? have any of you?
10:20 am
>> no, i have not, senator. >> no, senator. >> well, it's not an easy process. >> well -- >> and it would seem to me that -- i am not trying to undermine the bureaus, but it seems to me, first of all, that you could develop technology very easily that would allow people to go to an app on their phone to put a credit freeze on and off. free of charge. that ought to be a minimum. number two, you need to explain to the american people how you're protecting their data on which your clients are making a profit. most of the adults in louisiana had their data stolen by equifax. and they have had to go to a lot of trouble to go freeze credit. some of them are going to have their identities stolen.
10:21 am
and it's just not right. it's just not right. and we're looking to you gentlemen to tell us what to do about it, and counselor, i don't mean to pick on you, and i understand you're representing your clients, but your clients need to step up to the plate here and suggest some meaningful reforms, or some reforms are going to be suggested to them. and my advice to you would be to step up to the plate and offer specific things that you and your clients are going to do to improve this situation. not platitudes, not bromides, specific suggestions. because a lot of americans didn't know what a credit bureau was. they know now. i went over. i am sorry, mr. chairman. >> thank you. senator warren. >> thank you, mr. chairman. so, at the hearing two weeks ago with the former ceo of equifax, there was a lot of agreement
10:22 am
between democrats and republicans that consumers should be able to control their own data. and without consumer control, credit reporting companies really have no reason to treat us well. we are not their customers, we are just their products. and it shows. a 2012 study by the federal trade commission found that one out of every five people had an error in their credit reports. meanwhile, over last year the consumer financial protection bureau has fielded hundreds of thousands of consumer complaints. and the big three credit reporting agencies are now the three most complained about companies in the entire financial services industry. you know, if you ran a restaurant and got your customers' orders wrong 20% of the time and had the worst customer service in town, you would be out of business in a
10:23 am
week. but credit reporting companies, not them. they're getting bigger, they're getting richer and they're getting more powerful. this market is clearly broken. and fixing it starts with giving customers more control over their own data. so mr. rotenberg, i have introduced the free act, with senator schatz and more than a dozen other senators. our bill would let every consumer freeze and unfreeze access to their credit files for free. so i want to ask. do you think that would be a good idea to give consumers more control over their data? >> senator warren, i think it is an excellent proposal. as you say, i think the key to this industry is giving consumers greater control over the use of their personal data. it begins by moving to an opt-in model allowing the consumer to decide in which circumstances it's in their interest for their credit report to be released to someone else. >> thank you.
10:24 am
companies like equifax do more than issue credit reports. they also sell your information to businesses that want to sell something in turn back to the customer. our bill also makes clear that no credit reporting agency can sell your data if your credit file is frozen. other legislative proposals and the new lock that equifax is rolling out right now don't give customers that right. so let me ask this part. do you think that consumers should have the right to freeze the data so that it stops a credit reporting agency from selling access to the consumer's data? >> absolutely, senator. the model doesn't work unless consumers maintain control. so many problems of the industry result from the industry pushing the burdens back onto the consumers to choose the freeze, to choose the monitoring service, to inspect their credit
10:25 am
reports. it's entirely upside down, and it's the reason that we have record levels of identity theft today in the u.s. >> thank you. i think that's a powerful point. you know, if companies like equifax don't pay us to sell our information to other people, then we shouldn't have to pay them to stop selling it. according to your testimony, you were saying -- and i think you mentioned this earlier, mr. rotenberg -- you would go even further. you would make the default position that a consumer's account is frozen until the credit reporting agency gets the consumer's explicit permission to unfreeze the account to share the data. in other words, consumers would have to opt in to sharing their data rather than opt out. what's the reason for that? >> senator, i think it's just common sense. no one is objecting to the provision of credit to american consumers. it's critical for our economy, it makes it possible for people
10:26 am
to purchase homes and cars and even cellphones, but it's the consumer who is initiating the commercial transaction, it's the consumer who is seeking the mortgage or loan. the consumer should decide when to release the credit record information to others and should know, by the way, what information is contained in the credit report. they may be wrongfully denied for a loan because the credit reporting agency provided inaccurate information. >> powerfully important that we protect our own privacy and be able to make sure it's accurate. in your testimony you say we need to fix credit reporting industry in order to protect our national security. about out of time but could you say a word about that. >> very briefly, senator, i mentioned earlier that when the fair credit reporting act was passed in 1970 the concern was the misuse of personal data by the credit reporting agency. that concern remains. but what has changed now almost
10:27 am
50 years later is that data is now the target of foreign adversaries and we have to realistically consider that the people who get access to our personal data held by these companies have interests adverse to our nation. that's an additional reason to strengthen these privacy laws. >> thank you very much. the credit reporting agency is a threat to each of us personally but it is also a threat to our national security. we need to give consumers more control over their data, need to reform this industry, that's what we're trying to do with the free act. thank you very much. thank you chairman. >> senator tillis. >> thank you for being here, gentlemen. when you have something like the breach at equifax congress has never seen a legitimate problem that needs to be dealt with, an opportunity to over react. one of the things i am concerned with is when we have this discussion -- i want to start with something simple and maybe
10:28 am
i can build on things to the extent time allows. when we had the equifax ceo in here, i tried to ask him the question of the lock, they're calling it lock for life, versus delete. mr. rotenberg, where are you on the option of the consumer being able to delete any presence of their existence in any of the big three credit reporting agencies, is that something they should be entitled to do? >> i do, senator. this country has a long tradition of expungement of financial records to give people the opportunity to start over even after bankruptcy. so we have already recognized that people should be given the opportunity to, you know, reapply for credit even after they've had those type of experiences. >> so if they delete it and then later they were seeking credit and they had no reliable sources for showing credit worthiness, who is it on to provide all the information that may be needed to underwrite a loan or get a
10:29 am
credit card or some other financial instrument? anybody on the panel is welcome to opine. >> i would just say in those circumstances, of course, the absence of the background information could well be a factor in the credit determination, but that's not a reason not to give the consumer the opportunity to delete the data if the consumer chooses to do so. >> at the end of the day the consumer needs to be aware it could be on them to produce information to be used as a basis for -- the absence of information would likely result in no credit being extended. >> here is another concern, senator, is that what happens if the consumer selectively deletes information. i have three credit cards. i have decided i am not going to pay one of them and i delete that trade line from my file. how will a bank be able to manage that credit risk if consumers can delete accurate and relevant information? and with respect to the fresh start idea, the fcra allows for that. information -- any information that's derogatory in your credit record comes off after seven
10:30 am
years. >> one thing that, on -- when we discussed this with the breach, one thing that the credit reporting agencies need to demonstrate is that they don't make their problem the consumer's problem. in other words, if you have a breach, then you should be treating that consumer like you'll move heaven and earth to clear up their problem. it shouldn't be something that requires months of paperwork and hours of their time to clean up if in fact you can point it back to the breach. that's something i will be interested in seeing how equifax handles it. i am concerned, mr. rotenberg, with the idea of -- just the aggregation of data that is used to predict how cohorts may, you know, behave in terms of credit worthiness. that, if we continue to reduce the base, do you think there is any threat to the fact that we have less reliable information to move capital or to provide
10:31 am
resources to people who need it? >> i think it's important for businesses to have access to relevant and accurate consumer data. i think they should be accountable and transparent about how that data is being used. >> would you consider the selective deletion of credit data as being accurate for the financial services industry? >> it may or may not be. the credit decision is based on a wide variety of factors many of which, by the way, are not even known to consumers. >> the -- one other in my remaining time. i wasn't here. i think someone else answered the question. but what do you think is the -- what technologies or maybe what processes out there are we using to get away from social security numbers as authentication methods and moving more to say,
10:32 am
what the card industry has done with tokenization, trying to come up with some sort of an identity that will actually eliminate or substantially reduce what is a relatively easy thing to do, and that's to get somebody's indicative information and commit fraud? what's out there that we should be looking at and that as a matter of public policy should be promoting? go right down the line. my time has expired after this answer. >> i am not aware of any particular token products that could be used. one point of note, there may be people in the sample size, citizens, consumers, who don't have access to something like a cellphone. so they would be barred from participating in the widespread use of technology. that's one consideration to make when establishing public policy. >> i think, as a general matter, if we have distributed and contextualized identity, in other words, the company learns only what it needs to learn to make a decision, that's the best approach. today we are at the opposite end of the spectrum with an
10:33 am
open-ended identifier that makes it. for companies to learn just about anything they want to about an individual. >> i think that, if we didn't have the social we'd need to invent it. if we take away the social we need to come up with another unique identifier. with a name like andrew smith it's critically important that people are able to distinguish which one are you. not necessarily to authenticate that i am indeed who i say i am but which one are you. and the social plays a critical role there. and we need -- if not the social, then we need something else to fill that role. >> thank you. >> mr. smith, after the equifax breach, consumers learned that the best way to protect themselves from identity theft and fraud was to freeze their credit report, but when they went to do that they found a complicated process that required contacting each of the three credit bureaus, generating
10:34 am
and remembering separate p.i.n.s for each and, most infuriating, paying $10 to each bureau to place the freeze not to mention the fees they incur if they want to undo the freeze later. equifax's lapse will be rewarded by hundreds of millions of dollars in revenue to the company that made the mistake. my question is simple. explain to me why equifax, experian and transunion charge people to freeze their credit report when there is a mistake that is their fault. >> well, so there are a lot of ways for consumers to protect themselves. and for certain consumers freezes are the right choice. >> so, in those -- hold on. in those instances why is it not free? if the consumer -- >> we have a patchwork of laws right now. and if we were to have a single national standard, i think that, you know, we would be happy to
10:35 am
talk with you about how to get that result right for the consumer. >> the patchwork of laws. what does it have to do with anything? i am asking you, when a mistake occurs and 144 million people are told to do a certain thing, that certain thing should be free, shouldn't it? >> i don't know that it -- that everyone was told to freeze their credit report, personally, i don't think it's the right choice for everyone. i do think that the -- >> if it's the right choice for some number of millions of americans, is it not? >> i believe all three of the bureaus make freezes free to individuals who say they are identity theft victims. i believe they also make freezes available for free to senior citizens and to minors. as far as a national freeze requirement, i think that -- i think that -- >> i am not asking you about a requirement. i am asking you why you generate revenue off of the mistakes of the organizations that you represent. >> the why is because freezes cost money. and also, the state laws --
10:36 am
>> the locks are free, right? >> locks i don't know. i am afraid -- i saw the testimony -- >> you are the counsel of the organization? >> these are new products. i am a counsel for the trade association. i know that there are all kinds of new products that credit bureaus and others are rolling out that can take advantage of, for example, apps on a mobile device and lock and unlock. i don't know that any of the products are necessarily in the market now. >> i don't understand what you're saying. i don't think that it's because i don't understand this area. i think it's because i don't understand what you're saying because, at a common sense level -- i want you to try to explain to somebody you went to high school with, right, who says oh, you got a gig with the cras. good for you. how is that something? why do i have to pay for a freeze? i don't think you answered. >> freezes cost money. freezes have to be implemented by the credit -- >> the question is why did the
10:37 am
company that made the mistake make a profit off of that mistake? why are you charging consumers, even if the freezes cost money. fine. you should eat it because that would create an incentive to not screw up again. >> i thought equifax was providing freezes for free. >> the question is why not all three and as a matter of course. that only occurred after the ceo quit and under great pressure. >> i thought they offered freezes for free up front. >> nope. i want to ask you a couple of questions related to bill i have introduced. do you think it's a good idea for credit bureaus to use tighter matching requirements? >> i think matching algorithms are a tricky issue. i am sure you have done some thinking about it. it's a question of probabilities and statistics. i am not sure that we necessarily want to legislate that. matching is critically important for accuracy. >> what's your error rate,
10:38 am
roughly? >> we believe -- the ftc did a study in 2012. we did a similar study. we believe the error rate, from our study, is less than 1%. looking at the ftc's study, we believe -- this is in an appendix to the ftc study, based on their data we believe the error rate is about 2%. now, error is an important concept here, though, it has to be an error that moves the needle, that would have an effect on the consumer. so they get my date of birth wrong. that's not necessarily an error. if it's -- >> you're talking about -- even at the low end of the estimate you are talking about a million, two million individuals -- >> absolutely. and that's not acceptable. >> whose responsibility is that? >> well, it is a lot of people's responsibility, but it is to some extent the credit bureau's responsibility. as far as accuracy is concerned, accuracy -- professor rotenberg in his written testimony said
10:39 am
you're never going to have perfect data security, there will always be breaches. the best we can do is to try to control them up front. accuracy is the same way. it's a process. >> i am over time. i will add that i understand you're going to make mistakes. the basic question is who should incur the cost of the mistakes, you guys or the rest of the country? thank you. >> senator perdue. >> thank you chair. thank you, guys, for being here. it's a complicated conversation. let me start with something we are working on to codify something across 47 states. right now, if you want to, you have to opt out, basically. in other words, i never gave permission to anybody to get that data though it does provide a service so that i don't have to aggregate all my credit information when i want to borrow something. so i get that. at a recent -- at the equifax breach hearing just i think two weeks ago, we asked questions regarding the need for a national standard on credit freezes, and i think representative mchenry has already got a protect act you
10:40 am
may be familiar with that they're proposing, creates a national standard for credit freezes harmonizing the current 47 state laws on the issue. i will start -- i would like to get all three of you to comment on -- do you agree that that would help allow the development of technology such as apps that could freeze and unfreeze without having to go through the process, so somebody could actually open up, get the credit information they need, and then opt out easily without having to have a lot of instruction? is that something that might benefit us here? >> so, as i said earlier, freezes are not the right choice for everybody necessarily, but they are the right choice for some people. and that, you know, the development of a national standard is something that we would welcome. with respect to this lock and unlock functionality, i would ask you to consider that whenever we legislate something like this questions come up and say what about people who don't have smartphones? what do we do about them?
10:41 am
you can dial an 800 number. what about people who don't have easy access to the telephone. >> they would -- just so i am clear, they would not be in the system. in other words, i couldn't access their data unless they were to come back and do something like this. an 800 number or whatever. when they needed it. >> correct. you think, let's do an 800 number. that's going to present a security risk that someone else unlocks my credit when they are applying for an auto loan on saturday afternoon. that means a p.i.n. so i don't know what my p.i.n. is. i have forgotten it. then you have to reset your p.i.n. before you know it, you're not going to get the new cellphone at the verizon store saturday afternoon. you have to reset your pin. you have to go back to the store next weekend and hopefully it will work out. see, there is a lot of friction in the system. these freezes and locks are difficult to administer. and that's why they're not necessarily the right choice for
10:42 am
everybody. but for some people who aren't credit active and buying cellphones or renting apartments. >> i think it's a good proposal. i think it's a step in the right direction. i am frankly a little confused by mr. smith's comments. most of what he's describing are the difficulties the industry has created in giving consumers the ability to select the freeze to limit the access by others. the legislation would simplify that process, make it easier for people to make those decisions precisely so they can have the credit record information available when they need it to be made available. regarding any congressional action in the space, it's an interesting public policy question because there is these -- there are groups of data brokers who have the -- this information and they have their business relationships with those that they acquire information from and those they sell the information to. the information is the consumers'. the relationship between the data broker and the consumer is
10:43 am
weaker compared to who they are selling data to and who they are acquiring it from. the weakness in the link is a space where federal policy may be able to bridge the gap between the rights of the consumer and rights of the data broker or the rights of the data broker relative to the consumer of their own data. >> thank you. let's talk about social security numbers. adoption of social security numbers as a method goes back to the '60s. in the last half century our technology has moved rapidly forward. is there not a better way of matching people to accounts such as tokenization or should all the cyberattacks -- should all the cyberattacks be the impetus to start planning out what transition to credit future without social security number? social security number seems to be the holy grail that's the access beyond what any reasonable person would want. is that a reasonable direction? >> senator, i think the key here is to limit the use of the ssn
10:44 am
but not replace it. it is the weak link in the information industry. it is the target of identity thieves. if you are trying to make your industry more resilient against those attacks you have to reduce dependency on the ssn. if you replace it with another general purpose identifier that becomes the target. we need a more distributed approach to identification, not a single point of failure. that's what the ssn has become. >> we have to engage on this. we don't have a common answer yet to the security issue. i am out of time. thank you, mr. chairman. >> senator heitkamp. >> thank you, mr. chairman. not to put a -- not to extend the discussion on when you can put a credit freeze or lock on. it's interesting you said -- mr. smith, you said you can put a lock on after you have been a victim of identity theft.
10:45 am
that's like saying lock the door after the thief went in your house. i mean, it's just not -- it's not responsive to what we're trying to get at here, which is we understand the benefit of an aggregator of data that gives us easier access to credit. i think no one is disagreeing with that. the question is -- and you were asked about fiduciary obligations. the question really is, what responsibility does that aggregator have when something like this happens. now, when mr. smith was here, the previous mr. smith, equifax -- >> no relation. >> yeah. i figured that. he said this happens all the time. you know, we're hit all the time. and i asked, well, in light of that, then why did you seem so ill prepared when you were actually breached. why did it take you so long to come up with a response to the breach. so i am -- i have got a series of questions on how often does
10:46 am
this happen and what is the general response that the industry has. so, as a general matter, how many times per year, on average, would a company like equifax, transunion or experian experience, how often would you experience a breach that would be reported to the fbi? >> so, unfortunately i don't have those figures. we can find them. i would say that, based on my personal knowledge, that none of the credit bureaus themselves have been breached. now, the companies, in equifax's case it was information that was outside of the consumer reporting agency database. we also know of a breach at experian involving data of t-mobile. so there are breaches that occur, and we'll come up with a number for how frequently they occur. but to the best of my knowledge there has never been a security breach of a consumer reporting
10:47 am
agency database. >> that's splitting a hair for the consumers. i don't think there is any doubt about it. >> well, but it's an important policy point, i think, because if the ftc and cfpb conclude that the consumer reporting agency database wasn't breached after equifax was subjected to this punishing attack, that might inform our policy choices. >> the next question i have is, after -- say that you report it to the fbi. what is the typical guidelines or strategies that any of these credit agencies -- any of them would basically go to? do you have like a fire drill, in other words? do you have a system in place that will lock down and protect data? >> right. so now, of course, i can't speak for any particular company, but the companies with which i am familiar have incident response plans. they call it a table-top
10:48 am
exercise. all the stakeholders are around the table and we run through what's the public statement going to be. what do we do with respect to call centers, inform law enforcement. how do we do the consumer notifications. >> you would have to agree that equifax was pretty ill prepared. >> i don't know. i think this was an unprecedented breach. so -- >> even if it's ten people that -- the response should be the same as if it were 140 million people. >> think about your call center, for example. rather than ten calls -- ten you can handle. 140 million? on one day? >> doesn't that beg the question of why people here are upset? you had senator kennedy basically say, look, this is not data that you own. you do not have a relationship with the consumer other than an aggregator that provides that service. if i say, i don't want your service, i'll aggregate my own
10:49 am
data. i'll take responsibility. i have to pay you so that you aren't collecting my data. correct? >> it's not collecting. this is a freeze, right? the data is still there, but you have frozen it. and you have the right to unfreeze it. >> you know, in europe all across the eu, there is a whole lot of privacy initiatives. the right to be forgotten. you know, we're getting close to that here. we have been a much more open economy as it relates to this kind of data aggregation. the more we do not see a response, the closer we are to that pendulum that senator tillis talked about, the potential that you guys will be out of business because every american is going to say, we don't want your service. >> absolutely. we need to ensure that consumers and businesses trust the national credit reporting system. >> i think you have a serious trust problem today. and i think the lack of coming
10:50 am
forth with solutions and the adversarial approach that we've seen to this is not helping to solve the problem. so we >> thank you, mr. chairman. mr. smith, this is actually to all of you. in 2014 the department of veterans affairs created the choice program to allow vets to receive medical care in non-va facilities. led to delayed payments and billing problems. which in turn resulted in some vets receiving adverse actions on their credit reports from debt collection efforts. adverse credit actions make it more difficult and expensive for them to get a mortgage, to buy a car and it's really troubling that our veterans have had their credit harmed through no fault of their own.
10:51 am
to make it easier for this erroneous debt to be removed in credit reports. medical debt can obviously get expensive. what damage can it do to the vet's credit when this is reported as unpaid? >> we agree with you 100% that veterans shouldn't have their credit records tarnished by backlogs and inefficiencies in va's payment system and we understand that's what's happening and we're committed to working with you to solve that issue through the national credit reporting system. i think institutionally, we believe that the folks who are best able to solve that issue are the private -- are the va and the private medical service providers and the debt collectors who are furnishing
10:52 am
this essentially erroneous information into the system. but we're committed to working with you and your office. >> i have your commitment on behalf of the trade association and on behalf of the industry that you will work together with us to address these problems and to address the reporting of va related medical debt that our vets don't get dinged on our credit reports. >> erroneous, right? >> what we're talking about because of va's processing inefficiencies, they just haven't paid the bill. >> it's not erroneous that my knee was worked on, it's erroneous that the bill came to me. >> yeah, we need to fix that and we're committed to working with you to fix that. >> congress enacted the fair credit reporting act in 1970 to set the rules of the road. despite the original act and the many consistent amendments, we still don't control our information contained in the files of the credit bureaus,
10:53 am
it's reported without any consumer permission, as has been noted by many, it's also sold to third parties, with prescreened credit and insurance offers and the personal information may now be available to thieves on the dark web after equifax. mr. smith, you're the representative for the association, should consumers have more control over their information? >> well, so we have talked a little bit about that today. the ability to remove yourself from the system, the ability to selectively delete information. i think both of those present issues for the national credit reporting system. the selective deletion would allow a consumer to game the system, to hide unpaid debts from potential creditors presenting a real concern for the safety and soundness. >> that comes out if they apply for something. if they want to get a mortgage, then the mortgage company -- >> i'm talking about the selective deletion, but the removal from the system. the removal from the system is great until you need to rent an apartment or buy a cell phone, or get a mortgage or buy a car.
10:54 am
>> then you can opt in, right? >> not if your information has been removed from the system. what you're talking about is perhaps a freeze. and i think we are -- we think that a freeze is the right choice for some consumers, not for all consumers. >> isn't it appropriate that the consumer ought to be able to make that decision, even if it makes it a little bit harder to get an apartment, that's a decision that they have made? >> i think it's important for the consumer to understand, if the consumer is making a major decision, have them have the ability to know what's in the credit report and make the affirmative decision to decide who's going to get access to that information. so that would be common sense. >> thank you, mr. chairman. >> thank you.
10:55 am
senator van hollen? >> thank you, mr. chairman, and thank all of you for being here today. it does seem as reflected in amount of comments today and in the earlier hearings we had, the credit reporting agency model is one that is in some ways uniquely stacked against consumers when there's been your data breach or bad data put in. and my question is a little -- goes beyond the issue of the data breach to lots of complaints we have heard over the years about credit reporting agencies collecting bad data, that then goes to lead to a denial of a loan or a mortgage payment. and there's been a lot of discussion about how to sort of allow that consumer to be made whole. my question is, on the front end, in terms of creating
10:56 am
penalties or deterrent and have the burden be on the consumer. my question to all of you is, is there some kind of deterrent that we put in place so that the burden and the penalty for collecting and disseminating that data, whether it's through a breach, or whether it's through denial of a credit reporting card, that can actually address this problem on the front end, so there's more of a premium for a credit reporting agency to prevent that from happening in the first place? >> i would like to start in responding to that, so with respect to data accuracy. credit bureaus have substantial duties with respect to data accuracies and those are up front to ensure that they have procedures in place to ensure the maximum possible accuracy of the data, the companies that furnish data into the credit bureaus are now required to have written policies and procedures to ensure the accuracy of that data.
10:57 am
the people who furnish the data into the bureaus are all supervised right now. so we do have -- we're not unregulated. we do have this statute and it gets longer every year. and there is more and more duties added to the credit bureaus. >> my question is, what is the current penalty in the event that bad data gets in? despite all the systems in place, is there a penalty that has to be paid by the credit reporting agency? i'm not talking about after the fact. in addition to just bringing the consumer whole. let's say you're a consumer, right? >> right. >> you get denied a loan, then you've got to go through the incredible hassle of getting all this straightened out. at the end of the day, maybe you get your loan, but what can we do to put a deterrent up front so that we never get to the
10:58 am
point that thousands of people are wrongfully denied a loan and after a whole lot of work and costs, maybe they get the loan, so i'm interested in your thoughts. >> let me say, senator, right now i think it's upside down, in other words right now when there's a problem, the companies turn around and charge the consumers to take advantage of the tools they need to correct the problem. so that can't be right. i think what we do need to do is increase the incentives for the companies to do a better job on data security and on privacy protection. to make one more historical point, there is a deal at the heart of the fair credit reporting act. when the fcra was passed by congress in 1970, the ability for consumers to bring suit in state tort law was preempted because their information and some of this inaccurate and incomplete is disparaging and defamatory and
10:59 am
causes commercial loss. before passage of the fcra, people could bring lawsuits for that harm. they can't now under the fcra, which means that congress has to pass the incentives. >> if someone collects bad data that harms somebody, would you agree that should be able to have recourse through the courts. >> they do have recourse. remember this law provides for statutory penalties in private actions where the credit bureau behaved willfully. >> let me ask you, because my time is running out here. your association has been lobbying against the consumer protection bureau's provision that would allow people to bring lawsuits. in other words you've been lobbying towards keeping mandatory arbitration? >> yes, sir. >> doesn't that stack the deck against the consumer? you mentioned 143 million
11:00 am
people. if everybody's got to go to mandatory arbitration as opposed to grouping together, that definitely stacks the deck in favor of the big guys instead of the person who's been harmed. >> you have no contract with equifax, so you have no mandatory arbitration clause with equifax, correct? >> but this is a separate issue that was just raised by another witness, in other words if there is information in there that causes me damage? >> information in the credit report? >> yes, that causes me damage. >> you can sue and you can be a member of a class because there is no mandatory arbitration clause in that context. what we're talking about in arbitration, where the consumer is purchasing a product from one of the credit bureaus, like a credit monitoring product, for example. >> but we did see in the case of equifax, at least initially, as
11:01 am
a condition of getting protection from damaging information that equifax breaches caused that they were initially requiring people to relinquish their rights. >> and they backed off. >> there are other equifax products where there is a contractual relationship where they are insisting on mandatory arbitration, isn't that the case? >> they testified here they have lots of products where they insist -- >> the products sold to consumers. >> if a consumer is wrong in that process, doesn't it stack the deck against them to say that they have to go through mandatory arbitration? >> of course i'm going to disagree with that. we think that arbitration can be effective. we also think that given the statute called the credit repair organizations act. that there are special risks for credit monitoring products that have stacked the deck against the company. >> i understand why equifax would want to deny that particular kind of recourse, because it can be more successful in recovering people's damages.
11:02 am
>> hold on one second. i'm going to wrap it up. i'm going to have to be very fast, because there is a second vote that i'm going to have to get to. so thank you very much for attending here today. i just have one question, and i know that you're here as experts on credit bureaus. i just want to know if you know. whether there is data that is required to be submitted by the credit bureaus to the federal government. does any federal government agency require credit bureaus to submit data to them? >> i don't believe that -- i know that data is provided to the federal reserve board and to the cfpb by credit bureaus. and i believe that that data is
11:03 am
purchased by those agencies and that is provided within the strictures of the fair credit reporting act. and it's identified in an aggregated format. >> that does it then. >> can i have some more questions? thank you. oh, okay and then i will wrap up. if americans could make cras delete their credit files upon demand, like the law requires for medical records, and i know you have some thoughts there, but don't go into medical records, if they could delete their credit files, could that create a risk for credit reporting agencies? >> i don't know if it would create a risk for consumer reporting agencies, it would give consumers more control over their credit reports.
11:04 am
>> would you say that consumer reporting agencies would not want americans to demand that their credit files be deleted? >> i'm certain or expect that would be their position. they try to get as much information about consumers as they can. and of course consumers have very little information about what is being gathered. >> so if cras knew that americans could delete their data and they have unsuccessfully tried to do that following the equifax breach as we all know. would that create an incentive for these agencies to pay more attention to cyber security in the first place? >> i'm sure it would, and consumer reporting agencies have no legal right to obtain the information of american consumers. the businesses have evolved over time. they've collected a lot of data. they're subject to regulation. but i don't think the
11:05 am
credit reporting agencies can claim they have any right to access our personal data. so ultimately it would be the consumer's decision, whether any company has the right to collect our data. >> so some cras claim that consumers could game the system, is that right? >> right now, the credit reporting agencies largely game the system because consumers don't know the factors that are used to make decisions about them for employment and even for cell phone purposes. so it's very asymmetric, this industry who has information about who and how that information is used. >> speaking of asymmetric, currently my understanding is that rules for privacy are much stricter at government agencies than the private sector. should we consider a separate set of privacy standards for
11:06 am
both public and private? >> i think that's the unfinished business for credit reporting agencies in the united states. we had a moment to establish a comprehensive law for private agencies. europe took a different approach, they established comprehensive privacy protection for the private sector. they don't face the same levels of identity fraud. >> tell me more about europe. my understanding is european countries have stricter data privacy laws and i assume they still have functioning credit markets, right? >> they do. >> do these three agencies, these three agencies you represent. do they do business in those countries? >> i don't know about those specific firms, i do know there's a vibrant credit market across the european economy. the key is they're held to a higher standard. for instance in the area of breach notification, equifax took more than six weeks after they learned about the breach to tell americans what happened.
11:07 am
under the new european privacy laws, they have 72 hours to confront a problem like that. so you can still operate your business. you're just held to a higher standard. >> are they profitable in europe with a different model, one with stricter privacy laws? >> i know that some operate in the uk, we have a different group of credit reporting agencies in europe. and it's not necessarily the three that we're familiar with here. we know that equifax is in the uk, not sure about continental europe. >> could you give to the committee, from those three clients specifically, what they do in europe and their profitability, how big a presence they have, market share, like you know in the u.s., and how they're doing in europe in terms of profitability and any public plans they have about continuing?
11:08 am
>> one thing i would say about europe, though, and professor rotenberg may disagree with this. i don't believe there's a right to be forgotten with respect to credit reporting information. there's a balance for collecting such information and a balancing with this right to be forgotten. so there's guidance under the -- in the eu that i believe would not permit consumers to just delete wholesale information from credit reporting agencies because of the vital role that they play in managing safety and soundness. >> actually if i may disagree, that's not correct. the general data protection regulation, the new european law speaks specifically about the right to erase your
11:09 am
right -- they're subject to controls of public data. lost under the european laws, consumers have a right to an explanation about the basis of the decision, if the company has an automated process, under the european law, consumers get to know the factors that were made to make the determination, i think we need to move to that approach in the united states. that would make the countries more accountable and make the decisions about american consumers fairer and more transparent. >> we do have requirements that when you take adverse action based on consumer report information that you notify the consumer and in the case of where a credit score is used, you have to have the key factors that affected that score. >> thank you and i have one last question. i apologize and i know i committed to the chair to keep it as close to five minutes. how much would the 145 million americans, 5 million in many state, how much would those victims of the equifax -- the equifax problem be entitled to?
11:10 am
>> first you're assuming there would be a cause of action under the fair credit reporting act. right now based on news reports there would be no action under the fair credit reporting act. because it was not the credit reporting database that was compromised. were there to be a breach of the credit reporting database, i believe the figure was -- a million? the cap was either 500,000 or a million, but it was consistent with all of the other consumer protection statutes. >> okay, sounds like they have a loophole to close. thank you all. members of the committee may have questions for you. we encourage them to get them in writing quickly to each of you and please answer as quickly as you can, including some mr. smith i asked you for. i thank the chairman and the
11:12 am
11:13 am
upcoming trip to asia. then congressional democrats hold a news conference on the republicans' tax plan. he's been called one of the premier chroniclers of our age. michael lewis will be our guest sunday on "in depth." >> what all the books have aside is they're interesting characters to me in interesting situations. so the trick is that if you can attach the reader to the character at the beginning of the book, they'll follow that character anywhere. trust me that there is no one in america who would want to read my description of collateralized debt obligations. so it's a very, very powerful
11:14 am
device that is, you know, the origins of literature. >> mr. lewis is the author of several books including "liar's poker," "moneyball," "the big short." we'll take your calls, tweets and facebook questions. watch sunday live in noon to 3:00 p.m. eastern on book tv on c-span 2. sunday night on q & a, ron chernow. >> he was a perfect leading man for a musical. grant moves to a very different
11:15 am
kind of beat. he was plain and laconic and the charisma of grant was that he had no charisma. you know, the drama very often is he was not dramatic in different situations. he's no less fascinating, but he's kind of no less deep than hamilton but a very subtle character. in that respect reminded me much more of george washington, that george washington had a similarly kind of reserved and enigmatic quality to grant. >> sunday night at 8 eastern on c-span's q & a. british prime minister theresa may answered questions in parliament yesterday about allegations of sexual harassment against parliament, the terrorist