NOTE: To view livestream of this hearing, please visit the executive session page for November 8, 2017.
U.S. Sen. John Thune (R-S.D.), chairman of the Committee on Commerce, Science, and Transportation, will convene a hearing titled “Protecting Consumers in the Era of Major Data Breaches,” at approximately 10:00 a.m. on Wednesday, November 8, 2017, in room Dirksen 106. The exact start time is contingent on the conclusion of an earlier and separate Commerce Committee business meeting that will be open to the public in the same hearing room.
“Massive data breaches have touched the vast majority of American consumers,” said Thune. “When such breaches occur, urgent action is necessary to protect sensitive personal information. This hearing will give the public the opportunity to hear from those in charge, at the time major breaches occurred and during the subsequent response efforts, at two large companies who lost personal consumer data to nefarious actors.”
The hearing will feature testimony from a current and a former official who worked on the response to Yahoo!’s 2013 data breach, which the company announced only last month affected all 3 billion user accounts, as well as the current and former CEO of Equifax, which suffered a 2017 breach reported to affect approximately 145 million individuals, including sensitive personal and financial information. Also testifying will be a witness with expertise on protecting financial data.
- Mr. Paulino do Rego Barros, Jr., Interim Chief Executive Officer, Equifax, Inc.
- Mr. Richard Smith, Former Chief Executive Officer, Equifax, Inc.
- Ms. Marissa Mayer, Former Chief Executive Officer, Yahoo!, Inc.
- Ms. Karen Zacharia, Deputy General Counsel and Chief Privacy Officer, Verizon Communications, Inc. (parent company of Yahoo! since 2017)
- Mr. Todd Wilkinson, President and Chief Executive Officer, Entrust Datacard Corp.
Wednesday, November 8, 2017
Committee on Commerce, Science, and Transportation
This hearing will take place in Dirksen Senate Office Building, Room 106. Witness testimony, opening statements, and a live video of the hearing will be available on www.commerce.senate.gov.
Chairman John Thune
Good morning. Now that our executive session is complete, we turn to the issue of data breaches.
Data breach is not a new issue for the Committee to explore. In fact, the Committee has been focused on the consumer impact of data breaches since before I was elected to the U.S. Senate.
The September 2004 ChoicePoint breach, what many consider to be the first high-profile data breach of the modern era, prompted a number of investigations from this Committee, the FTC, and federal and state authorities.
For those that don’t remember, ChoicePoint was a data aggregation company originally created by Equifax, who as fate would have it, is represented here today. In terms of the trajectory of congressional inquiry into major data breaches, you might say we have come full circle.
In the intervening years, Congress, and this Committee in particular, have paid close attention to data breaches big and small. In addition, the Committee has entertained a variety of proposals to strengthen data security requirements for companies across the board, as well as to impose federal requirements for affected companies to notify their consumers following the discovery of a breach.
Sadly, we are truly in the era of major data breaches. These include the large-scale breaches at Equifax and Yahoo! that we are examining today.
While the Yahoo! breaches are larger in terms of affected consumers, the Equifax breach is potentially much more severe given the sensitive nature of the consumer information compromised. In fact, I have heard from many constituents in South Dakota who are concerned about the lasting effects of the Equifax breach. I have also heard complaints that it is difficult to set up a credit freeze, and questions about whether credit monitoring is an effective tool to prevent identity theft.
The Equifax breach reportedly exposed the sensitive personal data of about 145.5 million U.S. consumers, including their names, social security numbers, birth dates, addresses, and in some cases, driver’s license numbers.
Also exposed were the credit card numbers for more than 200,000 U.S. consumers and dispute documents containing personal identifying information for more than 180,000 U.S. consumers.
Today, Equifax will have an opportunity to provide an update regarding the breach, as well as its much-criticized efforts to mitigate the harm and prevent anything like this from happening again.
The Yahoo! breach we will discuss today compromised over 3 billion user accounts and followed a prior breach in which hackers stole similar types of information from at least 500 million users.
The compromised data included names, telephone numbers, dates of birth, partial passwords, unencrypted security questions and answers, backup e-mail addresses, and employment information.
The 3 billion figure constitutes the entirety of the Yahoo! Mail and other Yahoo!-owned accounts at the time of the breach.
Today Yahoo! representatives will have an opportunity to provide an update regarding these breaches as well as efforts to mitigate the harm and ensure the security of consumer data going forward.
The massive data breaches at Equifax and Yahoo! illustrate quite dramatically that our nation continues to face constantly evolving cyber threats to our personal data.
Companies that collect and store personal data on American citizens must step up to provide adequate cybersecurity. And there should be consequences if they fail to do so.
The Committee has made cybersecurity a priority, and I am hopeful that today’s hearing will help the Committee to better understand these challenges as it considers legislation to address data breach notification and data security issues. When there is risk of real harm stemming from a breach, we must make sure that consumers have the information they need to protect themselves.
That is why I support a uniform Federal breach notification standard to replace the patchwork of laws in 48 states, in addition to the District of Columbia and three other territories.
A single Federal standard would ensure all consumers are treated the same with regard to notification of data breaches that might cause them harm. Such a standard would also provide consistency and certainty regarding timely notification practices, benefiting both consumers and businesses.
In order to ensure that businesses secure information appropriately, I have also advocated for uniform, reasonable security requirements to protect consumer data, based on the size and scope of the company and the sensitivity of the information.
However, in this regard, the facts of the Equifax breach are particularly troubling. As a credit bureau, Equifax was already subject to the Safeguards Rule under the Gramm-Leach-Bliley Act, which is considered to be a stringent regulation.
Nevertheless, the Equifax breach occurred and its implications on American consumers appear dire.
Enhancing security and protecting the personal data of American consumers will continue to be a priority for this Committee. I want to thank all of the witnesses for appearing here today. I look forward to hearing your testimony.
I will now turn to Senator Nelson for his opening remarks.
Thank you, Mr. Chairman, along with Senators Baldwin and Cortez Masto for calling for this hearing today.
Mr. Chairman, this is the latest edition in a long history of hearings we’ve held in this committee to discuss data security and breaches. Starting with the massive ChoicePoint breach in 2005, and continuing with Target, Neiman Marcus, Shapchat, Sony, Citigroup, CVS, South Shore Hospital, Heartland Payment Systems, and many, many others, the parade of high-profile data breaches seems to have no end.
Billions of consumers have had their sensitive personal data compromised, including Social Security numbers, drivers’ license numbers, addresses, and dates of birth. For years going forward, criminals can use this data to steal the identity of innocent consumers and create fake accounts in their names and commit other types of fraud.
On top of that, we also recently found out that the 2013 Yahoo breach compromised the personal data of three billion users, making it the biggest data breach in history.
Yet today, here we are once again dealing with the aftermath of the recent Equifax breach involving the personal information of nearly 145 million Americans. This most recent breach raises an even more troubling question. If a credit reporting agency that offers identity theft protection and credit monitoring services can’t safeguard their own data from hackers, then how can consumers trust any company to protect their information?
Sadly, that’s a question millions of Americans are now asking themselves as they struggle to figure out how to protect themselves in the wake of these massive breaches. This committee will, no doubt, once again, consider what it can do to make sure consumers are protected from these breaches. But if we are going to do anything meaningful, we must have the political will to hold these corporations accountable.
Over the years, the Federal Trade Commission has brought numerous enforcement actions against companies for lax data security practices. But industry has recently challenged the FTC’s well-established legal authority to bring such enforcement actions. Furthermore, this piecemeal, after-the-fact approach would be better served if the FTC were able to prescribe rules that require companies to adopt reasonable security practices in the first place. The FTC has already put forward rules that apply to financial institutions like Equifax. The agency should have similar authority for the rest of the commercial sector.
Only stiffer enforcement and stringent penalties will help incentivize companies to properly safeguard consumer information and promptly notify them when their data has been compromised.
Mr. Chairman, I strongly believe that without rigorous data security rules in place to hold companies accountable, it’s not a question of if we will have another massive data breach, but when. So, we can either take action to enact these common-sense rules or we can start planning for our next hearing on this issue, because it’s not going away on its own.
Witness Panel 1
Mr. Paulino de Rego BarrosInterim Chief Executive OfficerEquifax, Inc.
Mr. Richard SmithFormer Chief Executive OfficerEquifax, Inc.
Ms. Marissa MayerFormer Chief Executive OfficerYahoo!, Inc.
Ms. Karen ZachariaDeputy General Counsel and Chief Privacy OfficerVerizon Communications, Inc.
Mr. Todd Wilkinson