U.S. Sen. John Thune (R-S.D.), chairman of the Senate Committee on Commerce, Science, and Transportation, today convened a hearing titled, “Protecting Consumers in the Era of Major Data Breaches.” The hearing featured testimony from current and former officials who worked on Yahoo!’s response to the 2013 data breach, which affected all 3 billion user accounts and was just revealed last month. It also featured current and former CEOs of Equifax, which suffered a 2017 breach that reportedly affected approximately 145 million individuals and exposed sensitive personal and financial information.
During the hearing, Thune questioned Yahoo!’s former CEO Marissa Mayer on Yahoo!’s security collapses and its failure to effectively respond to those collapses in a timely manner. Thune also pressed Equifax’s former CEO Richard Smith and interim CEO Paulino Barros on Equifax’s known security vulnerabilities that led to its recent data breach and how the company is currently addressing these issues.
Thune’s opening statement (as prepared for delivery):
“Now that our executive session is complete, we turn to the issue of data breaches.
“Data breach is not a new issue for the Committee to explore.
“In fact, the Committee has been focused on the consumer impact of data breaches since before I was elected to the U.S. Senate.
“The September 2004 ChoicePoint breach, what many consider to be the first high-profile data breach of the modern era, prompted a number of investigations from this Committee, the FTC, and federal and state authorities.
“For those that don’t remember, ChoicePoint was a data aggregation company originally created by Equifax, who as fate would have it, is represented here today.
“In terms of the trajectory of congressional inquiry into major data breaches, you might say we have come full circle.
“In the intervening years, Congress, and this Committee in particular, have paid close attention to data breaches big and small.
“In addition, the Committee has entertained a variety of proposals to strengthen data security requirements for companies across the board, as well as to impose federal requirements for affected companies to notify their consumers following the discovery of a breach.
“Sadly, we are truly in the era of major data breaches.
“These include the large-scale breaches at Equifax and Yahoo! that we are examining today.
“While the Yahoo! breaches are larger in terms of affected consumers, the Equifax breach is potentially much more severe given the sensitive nature of the consumer information compromised.
“In fact, I have heard from many constituents in South Dakota who are concerned about the lasting effects of the Equifax breach.
“I have also heard complaints that it is difficult to set up a credit freeze, and questions about whether credit monitoring is an effective tool to prevent identity theft.
“The Equifax breach reportedly exposed the sensitive personal data of about 145.5 million U.S. consumers, including their names, social security numbers, birth dates, addresses, and in some cases, driver’s license numbers.
“Also exposed were the credit card numbers for more than 200,000 U.S. consumers and dispute documents containing personal identifying information for more than 180,000 U.S. consumers.
“Today, Equifax will have an opportunity to provide an update regarding the breach, as well as its much-criticized efforts to mitigate the harm and prevent anything like this from happening again.
“The Yahoo! breach we will discuss today compromised over 3 billion user accounts and followed a prior breach in which hackers stole similar types of information from at least 500 million users.
“The compromised data included names, telephone numbers, dates of birth, partial passwords, unencrypted security questions and answers, backup e-mail addresses, and employment information.
“The 3 billion figure constitutes the entirety of the Yahoo! Mail and other Yahoo!-owned accounts at the time of the breach.
“Today Yahoo! representatives will have an opportunity to provide an update regarding these breaches as well as efforts to mitigate the harm and ensure the security of consumer data going forward.
“The massive data breaches at Equifax and Yahoo! illustrate quite dramatically that our nation continues to face constantly evolving cyber threats to our personal data.
“Companies that collect and store personal data on American citizens must step up to provide adequate cybersecurity. And there should be consequences if they fail to do so.
“The Committee has made cybersecurity a priority, and I am hopeful that today’s hearing will help the Committee to better understand these challenges as it considers legislation to address data breach notification and data security issues.
“When there is risk of real harm stemming from a breach, we must make sure that consumers have the information they need to protect themselves.
“That is why I support a uniform Federal breach notification standard to replace the patchwork of laws in 48 states, in addition to the District of Columbia and three other territories.
“A single Federal standard would ensure all consumers are treated the same with regard to notification of data breaches that might cause them harm.
“Such a standard would also provide consistency and certainty regarding timely notification practices, benefiting both consumers and businesses.
“In order to ensure that businesses secure information appropriately, I have also advocated for uniform, reasonable security requirements to protect consumer data, based on the size and scope of the company and the sensitivity of the information.
“However, in this regard, the facts of the Equifax breach are particularly troubling.
“As a credit bureau, Equifax was already subject to the Safeguards Rule under the Gramm-Leach-Bliley Act, which is considered to be a stringent regulation.
“Nevertheless, the Equifax breach occurred and its implications on American consumers appear dire.
“Enhancing security and protecting the personal data of American consumers will continue to be a priority for this Committee.
“I want to thank all of the witnesses for appearing here today. I look forward to hearing your testimony.
“I will now turn to Senator Nelson for his opening remarks.”