Oct 30, 2017
If you are an American adult, there is a good chance that
criminals now have the ability to match your name and social
security number, greatly increasing your risk of becoming a victim
of identity fraud. In this episode, hear highlights from
Congressional hearings about the Equifax breach that exposed the
personal information of 145.5 million Americans as we explore the
key role that credit reporting companies play in our society.
- Blog Post: The US Senate is preventing
companies like Equifax being held accountable for major
screw-ups by Tim Fernholz, Quartz Media, October 24, 2017.
- Article: The IRS gave Equifax a $7.25 million
contract, and a congressman thought it was a joke from The
Onion by Aaron Mark, Slate, October 4, 2017.
- Article: Equifax suffered a hack almost five
months earlier than the date it disclosed by Michael Ray, Anita
Sharpe, & Jordan Robertson, Bloomberg Technology, September 19,
- Article: The Equifax data breach: What to
do by Seena Gressin, Federal Trade Commission, September 8,
- Article: Wells Fargo uncovers up to 1.4
million more fake accounts by Matt Egan, CNN Money, August 31,
- Article: Wells Fargo forced unwanted auto
insurance on borrowers by Gretchen Morgenson, The New York
Times, July 27, 2017.
- Blog Post: U.S. cities with the best & worst credit scores
by Mike Brown, Lend EDU, April 12, 2017.
- Article: Two major credit reporting agencies
have been lying to consumers by Gillian B. White, The Atlantic,
January 4, 2017.
- CFPB orders TransUnion and Equifax to pay for deceiving consumers
in marketing credit scores and credit products, CFPB, January 3,
- Article: Class-action suits target Experian
over T-Mobile breach by Andrew Blake, The Washington Times,
November 11, 2015.
- Article: The long, twisted history of your credit score
by Sean Trainor, Time, July 22, 2015.
- Publication: Data point: Credit invisibles by
Kenneth P. Brevoort, Philipp Grimm, & Michelle Kambara, CFPB,
- Blog Post: 4 things to do when your credit
score reaches 'good' or 'excellent' by Simple.Thrifty.Living,
Huffpost, April 14, 2015
- Article: What's the difference between a
fraud alert, credit freeze, & credit lock? by STAFF,
Lexington Law, January 26, 2015.
- Article: Revealed: One in four of the UK's
top companies pay no tax while we give them millions in credits
by Alex Hawkes and Simon Watkins, The Mail, March 2, 2013.
- Article: The high cost of a 'free credit
report' by Stephanie Clifford, The New York Times, August 4,
- Article: Credit scores - what you should know
about your own by Malgorzata Wozniacka & Snigdha Sen,
Frontline, November 23, 2004.
- Publication: An overview and history of credit
reporting by Mark Furletti, Discussion Paper, June 2002.
- Article: Witness says credit bureaus invade
privacy and asks curb by Roy Reed, New York Times, March 13,
Sound Clip Sources
- 3:57:20 Sen. Sherrod Brown (OH):
Studies show that Wall Street and other big companies win 93
percent of the time in arbitration. Ninety-three percent of the
time in arbitration the companies win. No wonder they are fighting
like hell. No wonder they have lobbied this place like we have
never seen. No wonder every Wall Street firm is down here begging
their Senators to stand strong with Wall Street and pass this CRA,
pass this resolution to undo the rule stopping forced
- 4:05:00 Sen. Mike Crapo (ID): The
real issue is whether we will try to force the resolution of
disputes in financial resolution into class action lawsuits. This
is a question about whether we should force dispute resolution
mechanisms into class actions. In fact, let me read the actual
language of the rule that we are debating. It doesn’t say anything
about forced arbitration clauses. In fact, the rule doesn’t stop
arbitration clauses in contracts. It stops protections in
arbitration clauses against class action litigation. Let’s read
what the actual rule says: The CFPB rule prohibits a company from
relying in any way on a predispute arbitration agreement with
respect to any aspect of a class action that concerns any consumer
financial product or service. In other words, the entire purpose of
this rule is to promote class action litigation and to stop
arbitration resolution when there is a dispute.
Hearing: Equifax Sen Banking Hearing;
Senate Judiciary Committee, Subcommittee on Privacy, Technology,
and the Law; October 4, 2017.
- Richard Smith: Former Chairman & CEO of Equifax
- 27:20 Sen. Chuck Grassley (IA):
Additionally, we must appreciate the fact that not all data
breaches are the same. The information and risk of harm can greatly
vary from one breach to another. For example, the past breaches at
Target and Neiman Marcus, which this committee held a hearing to
examine, involved financial information such as credit and debit
cards. Of course, this is information that absolutely must be
protected and secured. If it falls in the wrong hands, it can
create a lot of problems for individuals. But in the Equifax data
breach, I think that’s different. It’s important that consumers and
policymakers recognize this distinction because the threat
landscape has changed. The information hackers obtained or gained
access to in the Equifax breach is the most sensitive personal
information used by thieves to commit identity theft. So, we should
let that sink in very definitely. A credit card number or bank
account information can be changed with a phone call, but you can’t
change your social security number and your date of birth. Anyone
who’s ever applied for a loan, a credit card, a job, or opened a
bank account knows you have to provide a social security number,
date of birth to verify your identity. Thus, if someone has this
information they can do the same and take over your identity. They
can become you. And you won’t know it happened until it’s too
- 38:30 Sen. Jeff Flake (AZ): In your
testimony before the House yesterday, you stated that Equifax’s
“traditional business model is with companies, not with 400 million
consumers.” What portion of Equifax’s business is consumer facing?
Richard Smith: Mr. Chairman, roughly 10% of our
revenues around the world come from what we call B to C—business to
consumer. Flake: That’s 10%. Then, what is the
main source of Equifax’s revenue stream? Smith:
The vast majority, the remaining, is largely doing analytics,
insights, and providing solutions to banks, telecommunications
companies, credit card issuers, insurance companies, and the like
around the world. Flake: So, if only 10% of the
revenue is consumer facing, what is the company’s incentive for
keeping consumer data secure when it has no meaningful interaction
or limited meaningful interaction with the accountability of
consumers? Smith: We are clearly viewed as a
trusted steward of that information, and losing that information
violates the trust and confidence not only of the consumer but also
of the companies we do business with as well.
- 1:01:52 Sen. Patrick Leahy (VT): You
spent a lot of money lobbying against a consumer-protection act
that might require you to notify consumers immediately in such
breaches. Are you still going to fight and still spend hundreds of
thousands of dollars to stop that kind of a consumer-protection
bill from going through? Richard Smith: Senator, I
can tell you as a company we do have a government-relations team.
In the scheme of things, it’s relatively small. We’re a company
with expenses of well over $2 billion. I think our entire lobbying
budget, which includes association fees, is a million dollars or
less. Leahy: I could care less what your budget is
for lobbying. The fact is you opposed legislation that might
require notifying consumers, might actually give consumers the
ability to respond when they’ve been hurt. Are you going to—is
Equifax going to continue to fight consumers’ right to know?
Smith: One, I’m unaware of that particular
lobbying effort you’re referring to. I can talk to the company, but
I’m unaware of that particular lobbying effort.
Leahy: It was in your report that you have to file
on your lobbying expenses.
- 1:03:30 Sen. Mazie Hirono (HI): Do
consumers have the right to find out what kind of information data
brokers like Equifax has on them? Richard Smith:
Do they have the right? Hirono: Yeah, yes. Can
they call Equifax up and say, what do you have on me?
Smith: Every consumer has the right to a free
credit report from us, from the industry, and that credit report
would detail all the information that the credit file would have on
them. Hirono: But that’s just their credit, but
you have a lot of other information on everybody besides just their
credit information, do you not? Smith: Yes, we do.
Hirono: So, if—and my understanding is that you
get all this information free. You don’t pay anybody for the
information you gather on 145 million people, which is more than
one out of three people in our entire country.
Smith: It’s largely free. There are exceptions,
obviously, but this business, as you know, we’re 118 years old.
We’re part of a federally regulated ecosystem that enables
consumers to get access to credit. Hirono: Yes.
Smith: So that data’s there, and it’s used at
their consent, by the way. Regardless of the type of data we
have—if it’s your employment data or your income data or your
credit data—that data can only be accessed if you as a consumer
give the consent for someone to access that.
Hirono: How does one give consent—
Smith: If you— Hirono: —if you’re
selling the information that you have on them?
Smith: So, if you as a consumer go to your bank
and want to get a credit card, for example, when you sign a
contract with the bank for the credit card, you’re allowing the
bank the access to approve your credit, in this particular case, to
give you the best rate and the best line.
- 1:17:52 Sen. Richard Blumenthal (CT):
Can you guarantee this committee that no consumer will ever be
required to go to arbitration? Richard Smith: I
cannot, sir. Blumenthal: Why?
Smith: Well, one, I’m no longer with the company.
I can talk to the management team. Blumenthal:
Well, that’s what I mean by the designated fall guy. You know,
you’re here, you can’t speak for the company. I’m interested in
looking forward. How will consumers be protected? Will arbitration
be required of them? Will they be compensated for the sense of
security that has been lost? Will there be a compensation fund?
Will there be insurance against that kind of loss? And I’m talking
about a compensation fund that applies to them because of that loss
of privacy. These kinds of questions, which you’re unable to answer
because you’re no longer with the company, are as profound and
important as any investigative effort looking back, and I recognize
you’re here without the authority to make these decisions, but I
think someone from the company has to make them.
Hearing: Equifax Senate Banking; Senate
Banking Committee; October 4, 2017
- Richard Smith: Former Chairman & CEO of Equifax
- 6:03 Sen. Sherrod Brown (OH): But
security doesn’t generate short-term profits. Protecting consumers
apparently isn’t important to your business model, so you gather
more and more information, you peddled it to more and more buyers.
For example, you bought a company called TALX so you could get
access to detailed payroll information—the hours people worked, how
much they were paid, even where they lived—7,000 businesses. You
were hacked there, too, exposing the workers of one proud Ohio
company—400,000 workers at Kroger—and an unknown number of people’s
information to criminals who used it to commit tax fraud.
- 26:35 Sen. Ben Sasse (NE): Your
organization has committed to providing identity-monitoring
services for the next year, but I’m curious about whether or not
Equifax and your board have deliberated. Do you think your
responsibility ends in one year, in two years, in five years, in 10
years; and if you think it ends at some point, have you tried to
think about the goodwill and balance sheet impact of all this? How
can you explain to an American whose identity might be stolen later
because of this breach why your responsibility would ever end? Does
it end? Richard Smith: I understand the question.
And it extends well beyond a year, Senator. The first step we took
was the five services we mentioned to the chairman a minute ago,
which gets the consumer through one year. The ultimate control for
security for a consumer is going to the lifetime lock. The ability
for a consumer to lock down his or her file, determine who they
want to have access for life— Sasse: But isn’t
this—just to interrupt—isn’t that about people who might be
breached in the future. I’m talking about the 145 million whose
data has already been stolen. Does your responsibility end, or what
do you think your legal obligations are to them?
Smith: I think the combination of the five
services we’re offering combined with the lifetime lock is a good
combination of services. Sasse: I actually think
the innovation of some of the stuff you proposed for the big three
going forward is quite interesting, but why does any of that five
really do much for the data that’s already been stolen?
Smith: Senator, again, the combination of the five
offerings today plus the lifetime lock we think is the best
offering for the consumer. Sasse: Okay, I don’t
think you’ve really answered the question about whether or not
your exposure legally ends for the 145 million.
- 29:13 Sen. Ben Sasse (NE): I want to
open, at least, the allegations that Equifax executives engaged in
insider trading relating to knowledge of this cyber breach. One of
the clearest times in definitions of insider trading occurs when a
business executive trades their company stock because of
confidential knowledge that they have gained from their job. I’m
sure you can imagine why Americans are very mad about the
possibility that this occurred here. While insider trading is going
to be discussed a lot more later in this hearing, I wish you could
just very quickly give us a timeline of the first steps. When did
Equifax first learn of the May 2017 breach, and when did you inform
the FBI of that breach? Richard Smith: Thank you.
I’ll answer as quickly as I can. We notified the FBI cybersecurity
forensic team and outside global law firm on August 2. At that
time, all we saw was suspicious activity. We had no indication, as
I said in my oral testimony, of a breach at that time. You might
recall that the three individuals sold stock on August 1 and 2. We
did not have an indication of a breach until mid- to late August.
Sasse: So you’re saying that those three
executives—Mr. Chairman, I’ll stop—you’re saying those three
executives had no knowledge of a breach on August 1 or 2.
Smith: To the best of my knowledge, they had no
knowledge and they also followed our protocol to have their stock
sales cleared through the proper channels, which is our general
- 32:00 Sen. Jon Tester (MT): Let’s
fast forward to the 29th of July, and you learned for the first
time that your company has been hacked—don’t know how big the hack
is, but it’s been hacked—and it was preceded by this notification
from US-CERT. Three days after, as Senator Sasse pointed out, you
had three high-level execs sell $2 million in stock. That very same
day, you notified the FBI of the breach. Can you tell me if your
general counsel was held accountable for allowing this stock sale
to go forward? Or did he not know about the breach. Richard
Smith: Senator, clarification: On the 29th and 30th, a
security person saw suspicious activity, shut the portal down on
the 30th. There was no indication of a breach at that time. The
internal forensics began on the 30th. On the 2nd we brought in
outside cyber experts—forensic auditors, law firm, and the FBI. The
trades took place on the 1st and the 2nd. At that time, the general
counsel, who clears the stock sales, had no indication—or to the
company—of a security breach. Tester: Well, I’ve
got to tell you something, and this is just a fact, and it may have
been done with the best of intentions and no intent for insider
trading, but this really stinks. I mean, it really smells really
bad. And I guess smelling bad isn’t a crime. But the bottom line
here is that you had a hack that you found out about on the 29th.
You didn’t know how severe it was. You told the FBI about the
breach. On that same day, high-level execs sell $2 million worth of
stock, and then you do some investigation, evidently, and you find
out at the end of the month that—or, at least, by the first part of
September—that this is a huge hack, and you finally notify the
public. And as was pointed out already in this committee, these are
people that didn’t ask for your service. You’ve gathered it. And
now it’s totally breached. And then, as Senator Sasse said, what’s
the length of exposure here, and you said, we’ll be doing these
five things. That’s proactive, and I think we can all applaud those
efforts. But I’ve got to tell you, that doesn’t do a damn thing for
the people who have had their identity stolen and their credit
rating stolen. So let me ask you this: So their credit rate goes up
a little bit, and they go buy a house for 250,000 bucks on a
30-year note, and it costs them 25 grand. Are you liable for that?
Smith: Senator, I understand your anger and your
frustration. We’ve apologized for the breach, we’ve done everything
in our power to make it right for the consumer, and we think these
services we’re offering is a right first step.
- 53:57 Sen. Elizabeth Warren (MA): In
August, just a couple of weeks before you disclosed this massive
hack, you said—and I want to quote you here—“Fraud is a huge
opportunity for us. It is a massive, growing business for us.” Now,
Mr. Smith, now that information for about 145 million Americans has
been stolen, is fraud more likely now than before that hack?
Richard Smith: Yes, Senator, it is.
Warren: Yeah. So the breach of your system has
actually created more business opportunities for you. For example,
millions of people have signed up for the credit-monitoring service
that you announced after the breach—Equifax is offering one year of
free credit monitoring—but consumers who want to continue that
protection after the first year will have to pay for it, won’t
they, Mr. Smith. Smith: Senator, the best thing a
consumer could do is get the lifetime lock.
Warren: I’m asking you the question. You’re
offering free credit monitoring, which you say is worth something,
and you’re offering it for only one year. If consumers want it for
more than one year, they have to pay for it. Is that right?
Smith: Yes, Senator. But the most, the best thing
a consumer can do is the lock product. It’s better than monitoring.
Warren: Okay, but, they’re going to have to pay
after one year if they want your credit monitoring, and that could
be a lot of money. So far, seven and a half million people have
signed up for free credit monitoring through Equifax since the
breach. If just one million of them buy just one more year of
monitoring through Equifax at the standard rate of $17 a month,
that’s more than $200 million in revenue for Equifax because of
this breach. But there’s more. LifeLock, another company that sells
credit monitoring, has now seen a 10-fold increase in enrollment
since Equifax announced the breach. According to filings with the
SEC, LifeLock purchases credit monitoring services from Equifax;
and that means someone buys credit monitoring through LifeLock,
LifeLock turns around and passes some of that revenue directly
along to Equifax. Is that right, Mr. Smith? Smith:
That is correct. Warren: That’s correct. Okay. The
second Equifax announced this massive data breach, Equifax has been
making money off consumers who purchased their credit monitoring
through LifeLock. Now, Equifax also sells products to businesses
and government agencies to help them stop fraud by potential
identity thieves. Is that right, Mr. Smith? Smith:
Yes, Senator. There’s one clarification. You’d mentioned the
LifeLock relationship— Warren: Uh-huh.
Smith: —which was accurate. At the same time, the
majority of that revenue we normally generate is direct to
consumer. We’ve shut that down. We’re no longer selling consumer
product directly. Warren: I’m sorry. My question
is, every time somebody buys through LifeLock—and they’ve seen a
10-fold increase since the breach—you make a little more money. We
actually called the LifeLock people to find this out. So, I asked
you the question, but I already know the answer. It’s true. You’re
making money off this. So, let me go to the third one. Equifax
sells products to businesses and government agencies to help them
stop fraud by potential identity thieves, right?
Smith: To the government, yes. Not to the
business. Warren: You don’t sell to businesses?
Just small businesses? Smith: We sell business,
but it’s not to prevent fraud. That’s not the primary focus or
business. Warren: But to stop identity theft, you
don’t have any products that you’re touting for identity-theft
purposes? Smith: Senator, all I’m saying is the
vast majority we do for businesses is not fraud.
Warren: Look, you’ve got three different ways that
Equifax is making money, millions of dollars, off its own screw up,
and meanwhile, the potential costs to Equifax are shockingly low.
Consumers can sue, but it turns out that the average recovery for
data breaches is less than $2 per consumer, and Equifax has
insurance that could cover some big chunk of any potential payment
to consumers. So, I want to look at the big picture here. From 2013
until today, Equifax has disclosed at least four separate hacks in
which it compromised sensitive personal data. In those four years,
has Equifax’s profit gone up? Mr. Smith? Smith:
Yes, Senator. Warren: Yes, it has gone up, right?
In fact, it’s gone up by more than 80% over that time. You know,
here’s how I see this, Mr. Chairman. Equifax did a terrible job of
protecting our data because they didn’t have a reason to care to
protect our data. The incentives in this industry are completely
out of whack. Because of this breach, consumers will spend the rest
of their lives worrying about identity theft. Small banks and
credit unions will have to pay to issue new credit cards,
businesses will lose money to thieves, but Equifax will be just
fine. Heck, it could actually come out ahead. Consumers are
trapped, there’s no competition, nowhere else for them to go. If we
think Equifax does a lousy job protecting our data, we can’t take
our data to someone else. Equifax and this whole industry should be
completely transformed. Consumers—not you—consumers should decide
who gets access to their own data. And when companies like Equifax
mess up, senior executives like you should be held personally
accountable, and the company should pay mandatory and severe
financial penalties for every consumer record that’s stolen. Mr.
Chairman, we’ve got to change this industry before more people are
- 1:22:00 Sen. John Kennedy (LA): It
just seems incongruent to me that you have my information—you don’t
pay me for it; you don’t have my permission — you make money
collecting that information, selling it to businesses — and I think
you do a service there; don’t misunderstand me — and you also come
to me—you can’t run your business without me; my data is the
product that you sell — and you also offer me a premium service to
make sure that the data you’re collecting about me is accurate. I
mean, I don’t pay extra in a restaurant to prevent the waiter from
spitting in my food. You understand my concern? Richard
Smith: I understand your point, I believe, but another way
to think about that is the monitoring part that you’re referring
to, Senator? Kennedy: Uh-huh.
Smith: In the future, it’s far less required if
you as a consumer have the ability to freeze, or lock as we call
it, and unlock your file. And that is free for life.
Kennedy: But it’s not just the freeze part. What
if you had bad information about me? Have you ever—has an agency
ever had bad information about you, and you had to go through the
process of correcting it? Smith: Yes, Senator.
There’s a process that if— Kennedy: It’s a pain in
the elbow, isn’t it. I mean, the burden’s kind of on – you have my
data, which you haven’t paid me for. You’re earning a good living,
which I don’t deny you. I believe in free enterprise. I think this
is a very clever business model you’ve come up with. But you’re
earning your money by selling my data, which you get from me and
don’t pay me for, to other people, but if the data is wrong that
you have about me, I would think you would want to make it as easy
as possible to correct it, not as hard as possible.
Smith: I understand your point, and it’s an
important point for the entire industry to make the process as
consumer-friendly as possible if there’s an error on your utility
bill, if there’s an error on your bank bill, your credit card
statement, to work with consumers to make—
Kennedy: Well, can you commit to me today that
Equifax is going to set up a system where a consumer who believes
that Equifax has bad information about him can pick up the phone
and call a live human being with a beating heart and say, here’s
this information you have about me that you’re selling to other
people—you’re ruining my credit, and it’s not true, and I want to
get it corrected. How are you going to correct it, what information
do you need from me to prove that it’s incorrect, and when are you
going to get back to me, and give me your name and phone number so
I can call you. Smith: Senator, I understand your
point. There is a process that exists today. More than half—
Kennedy: Yeah, and it’s difficult, Mr. Smith.
Smith: Be more than happy to get the company to
reach out to your staff, explain what we do, and what we’re doing
to improve that process. I hear you.
Hearing: House Equifax CEO Hearing; House
Energy and Commerce Subcommittee on Digital Commerce and Consumer
Protection; October 3, 2017
- Richard Smith: Former Chairman & CEO at Equifax
- 5:13 Rep. Jan Schakowsky (IL): The
Equifax data breach was massive in scale: 145.5 million American
victims as of yesterday. I would call it shocking, but is it
really? We have these under-regulated, private, for-profit credit
reporting agencies collecting detailed personal and financial
information about American consumers. It’s a treasure trove for
hackers. Consumers don’t have a choice over what information
Equifax or, for example, TransUnion or Experian, have collected,
stored, and sold. If you want to participate in today’s modern
economy; if you want to get a credit card, rent an apartment, or
even get a job often, then a credit reporting agency may hold the
key. Because consumers don’t have a choice, we can’t trust credit
reporting agencies to self-regulate. It’s not like when you get
sick at a restaurant and decide not to go there anymore. Equifax
collects your data, whether you want to have it collected or not.
If it has incorrect information about you, it’s really an arduous
process—I’ve tried it—to get it corrected. When it comes to
information security, you are at the mercy of whatever Equifax
decides is right; and once your information is compromised, the
damage is ongoing. Given vast quantities of information and lack of
accountability, a major breach at Equifax, I would say, would be
predictable if not inevitable. I should really say breaches. This
is the third major breach Equifax has had in the past two years.
From media reports and the subcommittee’s meeting with Equifax
officials after the breach, it’s clear to me that the company
lacked appropriate policies and practices around data security.
This particular breach occurred when hackers exploited a known
vulnerability that was not yet patched. It was months later before
Equifax first discovered the breach, and it was another several
weeks before Equifax shared news with consumers, this committee,
the Federal Trade Commission, and the Consumer Financial Protection
Bureau. Senior officials at the company are saying they weren’t
immediately aware that the breach occurred, and yet, by the way,
there were executives who sold over a million dollars in stock just
days after the breach was discovered but, yet, not reported. And
for a lot of Americans, that just doesn’t pass the smell test.
- 22:45 Richard Smith: We know now that
this criminal attack was made possible because of a combination of
human error and technological error. The human error involved the
failure to apply a software patch to our dispute portal in March of
2017. Technological error involved a scanner which failed to detect
that vulnerability on that particular portal. Both errors have
since been addressed. On July 29 and July 30, suspicious activity
was detected, and a team followed our security-incident protocol.
The team immediately shut down the portal and began our internal
security investigation. On August 2, we hired top cybersecurity,
forensic, and legal experts, and at that time, we notified the FBI.
At that time, to be clear, we did not know the nature or the scope
of the incident. It was not until late August that we concluded
that we had experienced a major breach.
- 47:53 Rep. Frank Pallone (NJ): All
right, during your tenure at Equifax, you expanded the company’s
business into packaging and selling other people’s data, and in
that August 17 speech, you explained that having free data with a
gross margin of profit of about 90% is—and I quote—“a pretty unique
model.” And I get that this unique model is a good deal for
Equifax, but can you explain how it’s a good deal for consumers?
Richard Smith: Thank you, Congressman. I think I
understand the question. Our industry has been around for a number
of years, as you know. In fact, Equifax is a 118-year-old company.
We’re part of a federally regulated ecosystem that enables
consumers to get access to credit when they want access to credit
and, hopefully, at the best rates available to them at that time.
So we’re very vital to the flow of economy, not just in the U.S.
but around the world. Pallone: All right, I want
to turn to what Equifax is offering consumers in the wake of this
breach, specifically the free credit-lock service that is supposed
to be introduced next year. We’ve been told that this free
credit-lock service could require consumers to consent to Equifax
sharing or selling the information it collects from the service to
third parties with whom the individual already has a business
relationship for marketing or other purposes. Is that true?
Smith: This product will be a web-enabled,
mobile-enabled application that will allow a consumer at a time he
or she, if they decide they want access to credit, can simply
toggle on, toggle off that application to give the bank, credit
card issuer, auto lender, access to their credit file to approve
their loan. Pallone: Well, by agreeing to use the
Equifax’s lock service, will consumers also be opting in to any
additional marketing arrangements, either via Equifax or any of its
partners? Smith: Congressman, we’re trying to
change the paradigm. What I mean by that is, this will be in an
environment viewed as a service, a utility, not a product. But we
know cross-selling, upselling, or any products available to the
consumer, when they go to get and sign up for the lock product,
it’s a service to them, and that’s the only product—this service
they’ll be able to get. Pallone: Will Equifax give
consumers an easy and free method to choose not to share their data
in this way, even if the consumer already has a business
relationship with the third party? Smith: Yeah,
Congressman, I’d envision as this evolves over time, the consumer
will have the ability to invite into their world who they want to
have access and who they do not. It’ll be their choice, their
power, not ours, to make that decision. Pallone:
Now, last week, the interim CEO announced that by January 31 of
2018 Equifax would make locking and unlocking of a person’s Equifax
credit report free forever. A credit-report lock is already
included in TrustedID Premier and other services like credit
monitoring and identity-theft insurance. Will that still end after
one year? Smith: Congressman, a couple of
differences. Number one, the product we offer today for consumers
protects the consumer at the same-level protection they’d get
January 31. The difference is, today is a browser-enabled product,
or service; the 31 of January it’ll be an application, much simpler
and easier for the consumer to use. The protection is largely the
same. So they get this free service when they sign up for one year.
At the end of the one year, effective January 31 of 2018, it goes
into the new lock product. Pallone: I guess the
difference, other than not expiring, between the credit-report lock
that is part of TrustedID Premier and the credit-locking tool that
will be available in January, why not just extend the freeze
program? Smith: There’s a difference between the
freeze product, which came to pass with FACTA back in 2003, passed
into law in 2004, that is now governed by state laws in all states,
and it’s a cumbersome process for a consumer. In many cases, some
states require you to mail in your request for a freeze and that we
must mail you a PIN, so your ability to get access to credit when
you want credit is encumbered. A consumer could go to a car dealer
or to a bank to get a credit card, forget his or her PIN on a
freeze product, have to go back home, look for the PIN, mail the
PIN in, so it’s a cumbersome process. The lock product we’re
offering today is a big step forward; lock product for the 31 of
January is an even further step forward.
- 53:00 Rep. Joe Barton (TX): Mr.
Smith, what’s the market value of Equifax? What’s your company
worth, or your former— Richard Smith: Congressman,
last time I checked it’s somewhere close to 13 billion.
Barton: Thirteen billion. I’m told by my staff
that this latest data breach was about 143 million people. Is that
right? Smith: We were informed yesterday from the
company that is typical in a forensic audit, there was some slight
movement and the numbers adjusted. Press release came out from the
company last night. It’s 145.5. Barton: A
hundred—well, okay, I appreciate your accuracy there. But under
current law, you’re basically required to alert each of those that
their account has been hacked, but there’s really no penalty unless
there is some sort of a lawsuit filed and the Federal Trade
Commission or state attorney general files a class-action lawsuit
against your company. So you really only notify—you’re just
required to notify everybody and say so sorry, so sad. I understand
that your company has to stay in business, has to make money, but
it would seem to me that you might pay a little bit more attention
to security if you had to pay everybody whose account got hacked a
couple thousand bucks or something. What would the industry
reaction be to that if we passed a law that did that?
Smith: Congressman, I understand your question. I
think the path that we were on when I was there and the company’s
continued is the right path, and that’s a path, a line that the
consumers to control the power of who and when accesses a credit
file going forward, taking the— Barton: Well, a
consumer can’t control the security of your system.
Smith: That is true, sir, but they can control—
Barton: And your security people knew there was a
problem, and according to staff briefings that I’ve been a part of,
they didn’t act in a very expeditious fashion until the system had
already been hacked. And, I mean, you’re to be commended for being
here. I don’t think we subpoenaed you. I think you appeared
voluntarily, which shows a commendable amount of integrity on your
part, but I’m tired of almost every month there’s another security
breach, and it’s okay, we have to alert you. I checked my file to
see if I was one of the ones that got breached, and apparently I
wasn’t. I don’t know how I escaped, but I didn’t get breached, but
my staff person did, and we looked at her reports last night, and
the amount of information that’s collected is way beyond what you
need to determine if she (audio glitch) for a consumer loan.
Basically, her entire adult history, going back 10 years,
everywhere she’s lived, her name, her date of birth, her social
security number, her phone numbers, her addresses, her credit card,
student loans, security-clearance applications for federal
employment, car insurance, even employment history of jobs that she
worked when she was in high school. That’s not needed to determine
whether she’s worthy of getting a five-thousand-dollar credit card
loan or something. And now it’s all out in the netherworld of
whoever hacked it. I can’t speak for anybody but myself, but I
think it’s time at the federal level to put some teeth into this
and some sort of a per-account payment—and, again, I don’t want to
drive credit bureaus out of business and all of that, but we could
have this hearing every year from now on if we don’t do something
to change the current system.
- 58:42 Rep. Ben Lujan (NM): Will
Equifax be willing to pay for this freeze at Experian and
TransUnion for consumers whose information was stolen?
Richard Smith: You’re referring to the freeze or
the lock? Lujan: You said they’re the same, so…
Smith: Yeah, right now we offer a free lock
product, as you know, for one year, and then a free lifetime lock
product for life, starting January 31, 2018.
Lujan: And that also extends to Experian and
TransUnion? Smith: No, sir, it does not.
Lujan: Would Equif—let me repeat the question.
Will Equifax be willing to pay for that freeze, for that lock, at
Experian and TransUnion for consumers whose information was stolen
by it—through Equifax? Smith: Congressman, the
company’s come out with what they feel is a comprehensive five
different services today and a lifetime lock. I would encourage, to
be clear, I would encourage TransUnion and Experian to do the same.
It’s time we change the paradigm, give the power back to the
consumer to control who accesses his or her credit data. It’s the
right thing to do. Lujan: Okay, I’m down to
limited time, Mr. Smith. I apologize. I’ll take that as a no that
Equifax will not pay for Experian and TransUnion consumers.
- 1:26:09 Rep. Debbie Dingell (MI): Why
do consumers have to pay you to access their credit report? Why
should that data not be free? Richard Smith:
Congresswoman, the consumer has the ability to access the credit
report for free from each of the three credit reporting agencies
once a year, and you combine that with the ability to lock your
credit file for life for free. Again, it’s a step forward.
- 2:00:40 Rep. Larry Bucshon (IN): Is
it possible people who never signed up or used Equifax directly
could have been impacted by the breach? Richard
Smith: Yes, Congressman. Bucshon: Okay,
so how does Equifax get the information on people who’ve never
directly associated with Equifax at all? I mean, I’m not familiar
with that. Smith: Yeah, we get it from banks,
telecommunications companies, credit card issuers, so on and so
forth. Bucshon: So just like we go to apply for a
loan, they send you the information, because they want to get a
data—they want to get the information on my credit rating, for
example. Smith: Correct. As I define it, we are
part of the federally regulated ecosystem—
Bucshon: Yeah. Smith: —that
enables banks to loan money to consumers. Bucshon:
Right. So, it’s up to the banks, at that point, to notify the
individual which credit agencies they’re utilizing to assess their
credit risk? Or is it up to the credit agencies?
Smith: Traditionally, the contributors of data—in
that case, Congressman, the banks would give their data to all
three. That’s the benefit of the system is you get a holistic view
of an individual’s credit risk. Bucshon: Yeah. My
point is, I guess, because a lot of people I talk to back in
Indiana, southern Indiana, have no idea who Equifax is, right? And
many of those people have applied for home loans and other things.
And a matter of fact, probably at some point you have their
information, but they may or may not have been notified who sent
the information to them—probably the bank or other agency—and
that’s something I think that is also maybe an issue, that people
don’t understand or have not been told who is being used to assess
their credit risk and, hence, something like this happens, they
have no idea whether or not their information has been compromised.
Smith: I understand your point.
- 2:09:20 Rep. Gene Green (TX): Mr.
Smith, Equifax customers or businesses who purchase data and credit
reports on consumers, the American public is essentially Equifax’s
product. How many times per year on average does Equifax sell
access to a given individual’s credit file to a potential creditor,
and how much do they make every time they sell it? Richard
Smith: If I understand the question, Congressman, we take
the data that is given to us by the credit ecosystem of the U.S.,
add analytics to it, and then when a consumer wants credit—again,
through a credit card, home loan, a car—the bank then comes to us
for that data and for that analytics, and we charge them for that.
Green: Okay. Well, the question was, how many times does Equifax
receive payment for that individual credit file? Every time—if my
local car dealer contacts Equifax, and so they pay a fee to Equifax
for that information. Smith: Yes, Congressman. If
you as an individual want to go to that car dealership and get a
loan for a car, they come to us or to competitors, and when they
take your data, access your data, we do get paid for it,
- 2:47:40 Richard Smith: If there’s one
thing I’d love to see this country think about is the concept of a
social security number in this environment being private and
secure, I think it’s time as a country to think beyond that. What
is a better way to identify consumers in our country in a very
secure way, and I think that way is something different than an
SSN, a date of birth, and a name.
- 2:56:28 Rep. Jan Schakowsky (IL):
What if I want to opt out of Equifax? I don’t want you to have my
information anymore. I want to be in control of my information. I
never opted in, I never said it was okay to have all my
information, and now I want out. I want to lock out Equifax. Can I
do that? Richard Smith: Congresswoman, that
requires a much broader discussion around the rules of credit
reporting agencies because that data, as you know today, doesn’t
come from the consumer; it comes from the furnishers, and the
furnishers provide that data to the entire industry.
Schakowsky: No, I understand that. And that’s
exactly where we need to go, to a much larger discussion, because
most Americans really don’t know how much information, what it is
that you have it, and they never said okay.
Video: Circle Jerk, YouTube, December
Hearing: Credit Privacy Hearing; Senate
Commerce, Science, and Transportation Committee; December 18,
- Tony Hadley: Senior VP of Government Affairs and Public Policy
- 47:13 Sen. Jay Rockefeller (retired)
(WV): So, Mr. Hadley, what does your company—or why does
it single out and sell lists of economically vulnerable groups like
immigrants, widows, and military personnel?
- 48:03 Tony Hadley: Thank you,
Senator. We would be very concerned if lenders were using that
information for scamming purposes, too. And we have processes and
procedures in place to ensure that nobody gains access to that
score for that purpose. Now— Sen. Jay Rockefeller:
And how does that work? Hadley: We have an
onboarding system by which we take on a client that gets our
information to know who they are, and we also have a mail-piece
review process to know what they’re going to offer the consumer.
And if it’s anything that looks discriminatory or predatory, we
will not provide our list to them. Now—
Rockefeller: And this is your self-regulation.
Hadley: This is our self-regulation under DMA
standards. So if we were to violate that, we’d be in violation of
our self-regulatory standards as well as our contractual standards
with our clients. Now, what’s important here is that there are
somewhere between 45 and 50 million Americans who are outside the
mainstream of the credit markets in the United States. These are
underbanked, underserved consumers who financial institutions
cannot reach through credit scoring and credit report. They don't
have financial identities or a big enough or even the presence of a
credit file in order to bring them into the mainstream of financial
markets. But that doesn't mean that they don't need access to
financial services. So banks use this data to try to reach out to
consumers who they can help to empower them, not to scam them. We
don't want to do business with financial institutions who are
trying to scam people, only to empower them. And this is their best
way to find those individuals who are outside the
mainstream—immigrants; new to credit, like recent college
graduates, exactly what we’re talking about here—to give them an
offer, an invitation to apply, so that then they can make an
eligibility determination regarding that application under the Fair
Credit Reporting Act. But this is marketing literature, not
eligibility determination. Rockefeller: Who—
Hadley: Can I add to that for you?
Rockefeller: Not entirely. Can you tell me which
are the companies that buy this ChoiceScore product from you? We’ve
asked you that. Hadley: Yeah. They would be banks
and financial institutions and members of the financial community.
Rockefeller: That’s what’s called a general
answer. Hadley: Yeah. I can't tell you who our
clients are. That’s a proprietary list of ours. It’s like our
secret ingredient. The ones who would want that most are our
competitors. And our counsel has informed me that they don't
believe that our ability to give that to you can be shielded from
disclosure through the rules of the Senate. If we thought they
could be—for example, under a law enforcement action, where it
could be shielded and protected from FOIA or other disclosures, we
could do that, but not under the situation—under the rules of the
Senate. And we’re very sorry about that, but we just simply can't
do that. Our counsel won't let us.
- 1:25:49 Sen. Claire McCaskill (MO):
The case, Mr. Hadley, of Experian and Superget. You purchased the
company Court Ventures in 2012, in the spring of 2012. For more
than a year after the time you purchased this company that had all
this data, you were taking monthly wire transfers from Singapore,
and your company did nothing. And as it turns out, those wire
transfers were coming from a man in Vietnam who specialized in
identity theft and was marketing the information that you owned to
criminals to ruin people's lives. So my first question to you is,
you were quoted as saying, “We would know who was buying this.” You
were getting wire transfers from Singapore on a monthly basis, and
no one bothered to check to see who that was?
Hadley: Now, I want to be clear that this was not
Experian marketing data; this was Experian authentication data. So
it’s under a different company, a different use. So that’s just—I
want you to know that it’s not marketing data.
McCaskill: I don't understand the distinction. I
think it’s a distinction— Jay Rockefeller: Nor do
I. McCaskill: —without a difference. I believe it
was data that you owned, Experian owned. You’d purchased this data
from Court Scan, and they had, in fact— Hadley:
No. Let me clarify. McCaskill: —sold it to someone
else. Hadley: Yeah, let me clarify that for you,
because we’ve provided a full response to that question to the
Committee, and it’s part of the eight submissions that we’ve given.
And I do have to say that it’s an unfortunate situation, and the
incident is still under investigation by law enforcement agencies.
So I’m really extremely limited in what I can say publicly about
it, but I do want to say this. The suspect in the case obtained
data controlled by a third party—that was U.S. Info Search. That
was not an Experian company—through a company we bought, Court
Ventures— McCaskill: Okay. Let—
Hadley: —prior to the time that we acquired that
company. And to be clear, no Experian data was ever accessed in
that deal. McCaskill: Well, I understand what
you’re saying. Here’s what happened: You had U.S. Info Search—
Hadley: No, we did not own—
McCaskill: No, no; I’m— U.S. Info Search existed,
and Court Ventures existed. Hadley: And they had a
partnership. McCaskill: —they decided, for
commercial reasons, to make more money, to combine their
information. Hadley: To resell their information.
McCaskill: And so they had a sharing agreement,
those two companies, correct? Hadley: Right,
right. McCaskill: Okay. So these two companies had
a sharing agreement. Then you bought one of those companies.
Hadley: Court Ventures.
McCaskill: Correct. So now you owned it. Now you
stood in their place. Are you a lawyer? Hadley:
I’m not a lawyer, but I understand we stood in their place, right.
McCaskill: Are there any lawyers on the panel?
Okay; she’ll back me up. You stand in their place when you buy
this. So now you’re there. Now, you said in your earlier testimony,
we would know who was buying this. So you now are part of their
transactions. Hadley: During—
McCaskill: And you were receiving the benefit of
these monthly wire. Hadley: So, during the
due-diligence process, we didn't have total access to all the
information we needed in order to completely vet that. And by the
time we learned about the malfeasance, I think nine months had
expired. The Secret Service came to us, told us of the incident,
and we immediately began cooperating with the Secret Service to
bring this person to justice. McCaskill: Okay.
Hadley: And we’re continuing to cooperate with law
enforcement in that realm. This was—we were a victim and scammed by
this person. McCaskill: Well, I would say the
people who had all their identity stolen were the victims.
Hadley: And we know who they are, and we’re going
to make sure that they’re protected. There’s been no allegation
that any harm has come, thankfully, in this scam.
McCaskill: Okay. Hadley: And
we’ve closed that down, and— Rockefeller: Let
Senator McCaskill continue. Hadley: —and we’ve
modified our processes to ensure that [unclear]—
Rockefeller: Let Senator McCaskill continue.
McCaskill: Okay. So let's talk about that process.
This person got—this man who they lured to Guam to arrest and who
is now facing criminal charges in New Hampshire, they posed as an
American-based private investigator. What is your vetting process
when people want to buy your stuff? Hadley: That
would’ve been Court Ventures who would have vetted that prior to
our acquisition. McCaskill: Okay, but I’m talking
about now, you. What is your vetting process?
Hadley: Right now, before we would allow
acc—first, let me say that that person would have not gained access
to Experian or this data if they had gone through our vetting
processes prior to the acquisition. McCaskill: And
what would’ve stopped him? Hadley: We would’ve
known who that company is. We would’ve had a physical onsite
inspection of that company. We would’ve known who that business is
and what that business's record is. We would’ve known exactly why
they wanted that data and for what purposes. And that would have
been enshrined in our contract. And we would’ve known the kinds of
systems they have in place to protect the data that they gained.
Those are all incumbent upon us under the Gramm-Leach-Bliley Act
and the FCRA. McCaskill: Well, listen, I
understand that this was not a crime that began under your watch.
Hadley: Thank you. McCaskill: But
you did buy the company, and you did keep getting the wire
transfers from Singapore, and the only reason you ever questioned
them is because the Secret Service knocked on your door. I don't
know how long those wire transfers from Singapore would’ve gone on
until you caught them. I don't have confidence that it would’ve
stopped at all. So I guess what my point is here, I maybe do not
feel as strongly as others on this panel that behavioral marketing
is evil. I believe behavioral marketing is a reality, and, frankly,
the only reason we have everything we have on the Internet for free
is because of behavioral marketing. So I don't see behavioral
marketing as an evil into itself. What I do see is some desperate
need for Congress to look at how consumers can get this
information, what kind of transparency is there, and whether or not
companies that allow monthly wire transfers into their coffers from
Singapore from a criminal who is trying to rip off identity theft,
whether or not they should be held liable for no due diligence on
checking those wire transfers from Singapore until the Secret
Service knocked on their door. And that’s what I think we need to
be looking at. And I don't think there’s enough—I mean, I know that
some of my friends on the other side of the aisle, you say trial
lawyers, and they break out in a sweat. But the truth is that if
there was some liability in this area, it would be amazing how fast
people could clean up their act. And, unfortunately, in too many
instances there’s not clear liability because we haven't set the
rules of the road.
Hearing: Credit Scoring System; House
Financial Services Subcommittee on Oversight and Investigations;
July 30, 2008.
- Thomas Quinn: Vice President of Global Scoring at Fair Isaac
- Stan Oliai: Experian Decision Analytics Consulting Senior Vice
- Chet Wiermanski: TransUnion Credit Services Analytical Systems
- Richard Goerss: Equifax Credit Services Chief Privacy
- Evan Hendricks: Privacy Times Publisher and Editor
- 26:42 Thomas Quinn: A FICO score is a
three-digit number ranging from 300 to 850, where the higher the
score, the lower the risk. Lenders use the score, along with other
information, to decision the request for credit, set the credit
line and pricing terms. Creating the FICO score model requires two
samples of credit reports, two years apart, for the same randomly
selected depersonalized set of consumers provided by one of the
national credit reporting agencies. Those credit factors found to
be most powerful and consistent in predicting credit performance,
individually and in combination, form the basis for the complex
mathematical algorithm which becomes the score. The traditional
FICO score model evaluates five broad types of data elements from
the consumer credit report. These include, and listed in order of
importance, previous credit payment history, about 35 percent
contribution; level of outstanding debts, about 30 percent
contribution; length of credit history, 15 percent contribution;
pursuit of new credit, 10 percent contribution; and mix of type of
credit, about 10 percent contribution. FICO scores were first
introduced to the marketplace in 1989 and have been consistently
redeveloped and updated throughout the years to ensure their
- 34:00 Stan Oliai: A credit score is a
numerical expression of risk of default, based on a credit report.
The score is produced by a mathematical formula created from a
statistical analysis of a large representative sample of credit
reports. The formula is typically called a “model.” The credit
score is calculated by the model, using only information in the
credit report. These reports include the following types of
information: The credit account history—such as was the account
paid, was it paid on time, how long has the account been open, and
what’s the outstanding balance; the type of account—is it a
mortgage, is it an installment, is it revolving; the public record
information—liens, judgments, bankruptcies, for example; inquiries
in the credit file that represent applications for new credit and
other consumer-initiated transactions. A credit report does not
include information such as income or assets. It also does not
include demographic information such as race or ethnicity.
Demographic factors are not used in the calculation of a credit
- 35:05 Stan Oliai: Regulatory
oversight of credit scores is accomplished through routine bank
examinations for compliance, with a number of laws that govern fair
lending, such as the Equal Credit Opportunity Act. This makes sense
because the lender chooses the scoring model to assist in this
proprietary underwriting process. The lender is ultimately
responsible for demonstrating to regulators that the scoring model
it has chosen complies with the lending laws.
- 46:20 Chet Wiermanski: There is
strong evidence to suggest that consumers would benefit from the
increased reporting of nontraditional credit information. For
example, consumers with thin credit files and, in particular,
minorities, immigrants, young and old, all experience a net benefit
from full-file reporting by energy companies and telecommunication
providers. Consumers with impaired credit histories also obtain a
net benefit from full-file reporting by these companies. We are
presently engaged in a follow-up study to learn more about the
impediments to full-file reporting faced by the utilities and
telecommunication industry. It may be very well that Congress may
have a role to play in removing roadblocks to encourage voluntary
- 2:01:30 Richard Goerss: There are a
lot of thing—different activities—that a consumer can do to protect
themselves if they feel they are victims or might be victims of
identity theft. Certainly, one of the things that they can do is to
place a fraud alert on their credit file. They can receive a free
disclosure of their credit file to see if there has been any
inappropriate activity or inquiry to their credit file. They can
provide an identity-theft report and identify the account
information that they feel, or that they say, was opened
fraudulently. And under the requirements of the FACT Act, the
consumer reporting agencies are going to delete that information,
and the consumer reporting agency that receives that identity theft
with the information-removal request is going to refer it to the
other two consumer reporting agencies, who are also going to remove
- 2:24:30 Evan Hendricks: Right now,
you take it for granted that we know about credit scores, but you
have to remember it was, like, 12 years ago, in the mid-1990's,
when credit scores started being widely used. They were a complete
secret; the industry did not even acknowledge their existence.
Then, when they found out about it and reporters like Michelle
Singletary of the Washington Post started reporting on it, then
they would not disclose the score to you. So, California led the
way with a state law, and now we have the FACT Act, which means
that you can get one—you can buy a credit score for a fair and
- 2:54:55 Rep. Jackie Speier (CA): We
call these credit reporting agencies or credit bureaus, which gives
the average consumer the impression that they are dealing with some
federal entity, when in fact they are not—we heard this afternoon
they’re private or publicly traded companies—and yet this
information is so critical, and to Mr. Barrett's comments, who
suggested that the consumer needs to be educated, needs to know
what goes into their FICO score and what they can do to improve
their FICO score, we can't give those kinds of answers, because,
for all intents and purposes, it is a proprietary formula. It’s
sort of like secret sauce; we don't know what it is. Now, there’s
something wrong when the government can't articulate what should be
considered in a FICO score.
Design by Only Child Imaginations
Music Presented in this Episode