>> i think some of that legislation is already in place with the gramm leach bliley act but more needs to be done and i think your description of the fiduciary relationship is absolutely correct. >> do you think that there is a relationship now? >> no, i don't think the companies feel they have an obligation to american consumers. >> i disagree with that. i wouldn't characterize -- >> you agree or disagree? >> i disagree. the are subject to a pervasive regulatory scheme and the statute here in the fair credit reporting act requires us to ensure the accuracy of information in credit reporting. >> your client is attempting that when the breach was made public weren't you trying to pass legislation that would less than the liability? it is unique among the statute in that it doesn't have a cap on class-action liabilities. all of these habitats. as a trade association we would continue to argue for the caps. >> here is my problem. >> if the bureau does their job right they facilitate commerce because when the lenders loaned money tloanmoney to people, theo get feedback. it is one assessmen

i think some of that legislation is already in place with the gramm-leach-bliley act. the description of the fiduciary relationship is absolutely correct. senator kennedy: do you think there is a relationship now? mr. rotenberg: i don't. i don't think the companies feel the have an obligation to american consumers. senator kennedy: would you agree with that? mr. smith: i would disagree. senator kennedy: you represent the industry. mr. smith: we are subject to a pervasive regulatory theme in the statute in the fair credit reporting act that requires us to ensure the accuracy of information and credit work. senator kennedy: you and your when the equifax breach was made public, weren't you trying to pass legislation that would lessen your clients response ability? mr. smith: there was legislation that would introduce a cap on potential liability for private actions. senator kennedy: do you think that was a goodthe fcr is uniqur credit rejection statutes. it doesn't have a cap on class-action liability. it credit opportunity. all of these. fcr he does not. senator kennedy:

given the credit bureaus are financial institutions under the gramm-leach-bliley act, how does data security, testing and oversight by regulators compare to that of traditional financial institutions? i look forward to hearing from our witnesses about what credit bureaus do to ensure security for the data they collect. who oversees credit bureaus to ensure they have adequate security measures in place? and what improvements could be made to the oversight of data security at the credit bureaus? there are also many concerns regarding company response to data breaches. the equifax breach has left more than 145 million consumers a little confused as to what can be done to mitigate damage to their identities and credit. we do know that starting in january, equifax will offer all customers the ability to lock or unlock their credit files for free. additional products have also been offered from equifax and the other credit bureaus for consumers to monitor or freeze their credit reports. many consumers remain confused about which options are best for them. but this hearing will hopefully provide so

we must thirdly examine if you're agencies and statutes like gramm-leach-bliley, the fair credit reporting act and udap are up to the job. in this era of big data, large-scale security breaches, unfortunately, are becoming all too common. by the increasing frequency and sophistication of cyberattacks, this clearly demands heightened vigilance and enhanced efforts to safeguard consumers. protecting consumers, obviously, starts with requiring effective measures to prevent data breeches in the first place. given the federal government's own poor track record when it comes to protecting personal information, witness the s.e.c. in the opm hacks as two recent examples. we must be cautious about attempts to never let a good crisis go to waste and impose a washington-force technology solution. that may be antiquated as soon as it is imposed. however, i do believe that we need to ensure we have a consistent national standard for both data security and breach notification in order to better protect our consumers, hold companies accountable and assure that this affair does not repeat itself. our comm