{"version":1,"type":"rich","provider_name":"Libsyn","provider_url":"https:\/\/www.libsyn.com","height":90,"width":600,"title":"CD160: Equifax Breach","description":"If you are an American adult, there is a good chance that criminals now have the ability to match your name and social security number, greatly increasing your risk of becoming a victim of identity fraud. In this episode, hear highlights from Congressional hearings about the Equifax breach that exposed the personal information of 145.5 million Americans as we explore the key role that credit reporting companies play in our society. Please Support Congressional Dish Click here to contribute using credit card, debit card, PayPal, or Bitcoin Click here to support Congressional Dish for each episode via Patreon Mail Contributions to: 5753 Hwy 85 North #4576 Crestview, FL 32536 Thank you for supporting truly independent media! Bills H.J.Res.111: Providing for congresional disapproval under chapter 8 of title 5, United States Code, of the rule... H.R. 624: Social Security Number Fraud Prevention Act of 2017 H.R. 2622 (108th): Fair and Accurate Credit Transactions Act of 2003 Additional Reading Blog Post: The USS senate is preventing companies like Equifax being held accountable for major screw-ups by Tim Fernholz, Quartz Media, October 24, 2017. Article: The IRS gave Equifax a $7.25 million contract, and a congressman thought it was a joke from The Onion by Aaron Mark, Slate, October 4, 2017. Article: Equifax suffered a hack almost five months earlier than the date it disclosed by Michael Ray, Anita Sharpe, & Jordan Robertson, Bloomberg Technology, September 19, 2017. Article: The Equifax data breach: What to do by Seena Gressin, Federal Trade Commission, September 8, 2017. Article: Wells Fargo uncovers up to 1.4 million more fake accounts by Matt Egan, CNN Money, August 31, 2017. Article: Wells Fargo forced unwanted auto insurance on borrowers by Gretchen Morenson, The New York Times, July 27, 2017. Blog Post: U.S. cities with the best & worst credit scores by Mike Brown, Lend EDU, April 12, 2017. Article: Two major credit reporting agencies have been lying to consumers by Gillian B. White, The Atlantic, January 4, 2017. Report: CFPB orders TransUnion and Equifax to pay for deceiving consumers in marketing credit cores and credit products, CFPB, January 3, 2017. Article: Class-action suits target Experian over T-Mobile breach by Andrew Blake, The Washington Times, November 11, 2015. Article: The long, twisted history of your credit score by Sean Trainor, Time, July 22, 2015. Publication: Data point: Credit invisibles by Kenneth P. Brevoort, Philipp Grimm, & Michelle Kambara, CPFB, May 2015. Blog Post: 4 things to do when your credit score reaches 'good' or 'excellent' by Simple.Thrifty.Living, Huffpost, April 14, 2015 Article: What's the difference between a fraud alert, credit freeze, & credit lock? by STAFF, Lexington Law, January 26, 2015. Article: Revealed: One in four of the UK's top companies pay no tax while we give them millions in credits by Alex Hawkes and Simon Watkins, The Mail, March 2, 2013. Article: The high cost of a 'free credit report' by Stephanie Clifford, The New York Times, August 4, 2008. Article: Credit scores - what you should know about your own by Malgorzata Wozniacka & Snigdha Sen, Frontline, November 23, 2004. Publication: An overview and history of credit reporting by Mark Furletti, Discussion Paper, June 2002. Article: Witness says credit bureaus invade privacy and asks curb by Roy Reed, New York Times, March 13, 1968. References Bill Actions Tracking: H.J.Res.111 Credit Report Website: https:\/\/www.annualcreditreport.com\/index.action Experian: ChoiceScore Info FTC Consumer Response Center: A summary of your rights under the Fair Credit Reporting Act Identity Theft Website: https:\/\/identitytheft.gov\/ Open Secrets: Experian Client Profile Summary Open Secrets: Trans Union Corp Client Profile Summary Senate Vote Summary: H.J.Res.111 Sound Clip Sources Senate Session: US senate approves disaster relief bill; Senate; October 24, 2017. 3:57:20 Sen. Sherrod Brown (OH): Studies show that Wall Street and other big companies win 93 percent of the time in arbitration. Ninety-three percent of the time in arbitration the companies win. No wonder they are fighting like hell. No wonder they have lobbied this place like we have never seen. No wonder every Wall Street firm is down here begging their Senators to stand strong with Wall Street and pass this CRA, pass this resolution to undo the rule stopping forced arbitration. 4:05:00 Sen. Mike Crapo (ID): The real issue is whether we will try to force the resolution of disputes in financial resolution into class action lawsuits. This is a question about whether we should force dispute resolution mechanisms into class actions. In fact, let me read the actual language of the rule that we are debating. It doesn\u2019t say anything about forced arbitration clauses. In fact, the rule doesn\u2019t stop arbitration clauses in contracts. It stops protections in arbitration clauses against class action litigation. Let\u2019s read what the actual rule says: The CFPB rule prohibits a company from relying in any way on a predispute arbitration agreement with respect to any aspect of a class action that concerns any consumer financial product or service. In other words, the entire purpose of this rule is to promote class action litigation and to stop arbitration resolution when there is a dispute. Hearing: Equifax Sen Banking Hearing; Senate Judiciary Committee, Subcommittee on Privacy, Technology, and the Law; October 4, 2017. Witness: Richard Smith: Former Chairman & CEO of Equifax 27:20 Sen. Chuck Grassley (IA): Additionally, we must appreciate that fact that not all data breaches are the same. The information and risk of harm can greatly vary from one breach to another. For example, the past breaches at Target and Neiman Marcus, which this committee held a hearing to examine, involved financial information such as credit and debit cards. Of course, this is information that absolutely must be protected and secured. If it falls in the wrong hands, it can create a lot of problems for individuals. But in the Equifax data breach, I think that\u2019s different. It\u2019s important that consumers and policymakers recognize this distinction because the threat landscape has changed. The information hackers obtained or gained access to in the Equifax breach is the most sensitive personal information used by thieves to commit identity theft. So, we should let that sink in very definitely. A credit card number or bank account information can be changed with a phone call, but you can\u2019t change your social security number and your date of birth. Anyone who\u2019s ever applied for a loan, a credit card, a job, or opened a bank account knows you have to provide a social security number, date of birth to verify your identity. Thus, if someone has this information they can do the same and take over your identity. They can become you. And you won\u2019t know it happened until it\u2019s too late. 38:30 Sen. Jeff Flake (AZ): In your testimony before the House yesterday, you stated that Equifax\u2019s \u201ctraditional business model is with companies, not with 400 million consumers.\u201d What portion of Equifax\u2019s business is consumer facing? Richard Smith: Mr. Chairman, roughly 10% of our revenues around the world come from what we call B to C\u2014business to consumer. Flake: That\u2019s 10%. Then, what is the main source of Equifax\u2019s revenue stream? Smith: The vast majority, the remaining, is largely doing analytics, insights, and providing solutions to banks, telecommunications companies, credit card issuers, insurance companies, and the like around the world. Flake: So, if only 10% of the revenue is consumer facing, what is the company\u2019s incentive for keeping consumer data secure when it has no meaningful interaction or limited meaningful interaction with the accountability of consumers? Smith: We are clearly viewed as a trusted steward of that information, and losing that information violates the trust and confidence not only of the consumer but also of the companies we do business with as well. 1:01:52 Sen. Patrick Leahy (VT): You spent a lot of money lobbying against as consumer-protection act that might require you to notify consumers immediately in such breaches. Are you still going to fight and still spend hundreds of thousands of dollars to stop that kind of a consumer-protection bill from going through? Richard Smith: Senator, I can tell you as a company we do have a government-relations team. In the scheme of things, it\u2019s relatively small. We\u2019re a company with expenses of well over $2 billion. I think our entire lobbying budget, which includes association fees, is a million dollars or less. Leahy: I could care less what your budget is for lobbying. The fact is you opposed legislation that might require notifying consumers, might actually give consumers the ability to respond when they\u2019ve been hurt. Are you going to\u2014is Equifax going to continue to fight consumers\u2019 right to know? Smith: One, I\u2019m unaware of that particular lobbying effort you\u2019re referring to. I can talk to the company, but I\u2019m unaware of that particular lobbying effort. Leahy: It was in your report that you have to file on your lobbying expenses. 1:03:30 Sen. Mazie Hirono (HI): Do consumers have the right to find out what kind of information data brokers like Equifax has on them? Richard Smith: Do they have the right? Hirono: Yeah, yes. Can they call Equifax up and say, what do you have on me? Smith: Every consumer has the right to a free credit report from us, from the industry, and that credit report would detail all the information that the credit file would have on them. Hirono: But that\u2019s just their credit, but you have a lot of other information on everybody besides just their credit information, do you not? Smith: Yes, we do. Hirono: So, if\u2014and my understanding is that you get all this information free. You don\u2019t pay anybody for the information you gather on 145 million people, which is more than one out of three people in our entire country. Smith: It\u2019s largely free. There are exceptions, obviously, but this business, as you know, we\u2019re 118 years old. We\u2019re part of a federally regulated ecosystem that enables consumers to get access to credit. Hirono: Yes. Smith: So that data\u2019s there, and it\u2019s used at their consent, by the way. Regardless of the type of data we have\u2014if it\u2019s your employment data or your income data or your credit data\u2014that data can only be accessed if you as a consumer give the consent for someone to access that. Hirono: How does one give consent\u2014 Smith: If you\u2014 Hirono: \u2014if you\u2019re selling the information that you have on them? Smith: So, if you as a consumer go to your bank and want to get a credit card, for example, when you sign a contract with the bank for the credit card, you\u2019re allowing the bank the access to approve your credit, in this particular case, to give you the best rate and the best line. 1:17:52 Sen. Richard Blumenthal (CT): Can you guarantee this committee that no consumer will ever be required to go to arbitration? Richard Smith: I cannot, sir. Blumenthal: Why? Smith: Well, one, I\u2019m no longer with the company. I can talk to the management team. Blumenthal: Well, that\u2019s what I mean by the designated fall guy. You know, you\u2019re here, you can\u2019t speak for the company. I\u2019m interested in looking forward. How will consumers be protected? Will arbitration be required of them? Will they be compensated for the sense of security that has been lost? Will there be a compensation fund? Will there be insurance against that kind of loss? And I\u2019m talking about a compensation fund that applies to them because of that loss of privacy. These kinds of questions, which you\u2019re unable to answer because you\u2019re no longer with the company, are as profound and important as any investigative effort looking back, and I recognize you\u2019re here without the authority to make these decisions, but I think someone from the company has to make them. Hearing: Equifax Senate Banking; Senate Banking Committee; October 4, 2017 Witness: Richard Smith: Former Chairman & CEO of Equifax 6:03 Sen. Sherrod Brown (OH): But security doesn\u2019t generate short-term profits. Protecting consumers apparently isn\u2019t important to your business model, so you gather more and more information, you peddled it to more and more buyers. For example, you bought a company called TALX so you could get access to detailed payroll information\u2014the hours people worked, how much they were paid, even where they lived\u20147,000 businesses. You were hacked there, too, exposing the workers of one proud Ohio company\u2014400,000 workers at Kroger\u2014and an unknown number of people\u2019s information to criminals who used it to commit tax fraud. 26:35 Sen. Ben Sasse (NE): Your organization has committed to providing identity-monitoring services for the next year, but I\u2019m curious about whether or not Equifax and your board have deliberated. Do you think your responsibility ends in one year, in two years, in five years, in 10 years; and if you think it ends at some point, have you tried to think about the goodwill and balance sheet impact of all this? How can you explain to an American whose identity might be stolen later because of this breach why your responsibility would ever end? Does it end? Richard Smith: I understand the question. And it extends well beyond a year, Senator. The first step we took was the five services we mentioned to the chairman a minute ago, which gets the consumer through one year. The ultimate control for security for a consumer is going to the lifetime lock. The ability for a consumer to lock down his or her file, determine who they want to have access for life\u2014 Sasse: But isn\u2019t this\u2014just to interrupt\u2014isn\u2019t that about people who might be breached in the future. I\u2019m talking about the 145 million whose data has already been stolen. Does your responsibility end, or what do you think your legal obligations are to them? Smith: I think the combination of the five services we\u2019re offering combined with the lifetime lock is a good combination of services. Sasse: I actually think the innovation of some of the stuff you proposed for the big three going forward is quite interesting, but why does any of that five really do much for the data that\u2019s already been stolen? Smith: Senator, again, the combination of the five offerings today plus the lifetime lock we think is the best offering for the consumer. Sasse: Okay, I don\u2019t think you\u2019ve really answered the question about whether or not you\u2019re exposure legally ends for the 145 million. 29:13 Sen. Ben Sasse (NE): I want to open, at least, the allegations that Equifax executives engaged in insider trading relating to knowledge of this cyber breach. One of the clearest times in definitions of insider trading occurs when a business executive trades their company stock because of confidential knowledge that they have gained from their job. I\u2019m sure you can imagine why Americans are very mad about the possibility that this occurred here. While insider trading is going to be discussed a lot more later in this hearing, I wish you could just very quickly give us a timeline of the first steps. When did Equifax first learn of the May 2017 breach, and when did you inform the FBI of that breach? Richard Smith: Thank you. I\u2019ll answer as quickly as I can. We notified the FBI cybersecurity forensic team and outside global law firm on August 2. At that time, all we saw was suspicious activity. We had no indication, as I said in my oral testimony, of a breach at that time. You might recall that the three individuals sold stock on August 1 and 2. We did not have an indication of a breach until mid- to late August. Sasse: So you\u2019re saying that those three executives\u2014Mr. Chairman, I\u2019ll stop\u2014you\u2019re saying those three executives had no knowledge of a breach on August 1 or 2. Smith: To the best of my knowledge, they had no knowledge and they also followed our protocol to have their stock sales cleared through the proper channels, which is our general counsel. 32:00 Sen. Jon Tester (MT): Let\u2019s fast forward to the 29th of July, and you learned for the first time that your company has been hacked\u2014don\u2019t know how big the hack is, but it\u2019s been hacked\u2014and it was preceded by this notification from US-CERT. Three days after, as Senator Sasse pointed out, you had three high-level execs sell $2 million in stock. That very same day, you notified the FBI of the breach. Can you tell me if your general counsel was held accountable for allowing this stock sale to go forward? Or did he not know about the breach. Richard Smith: Senator, clarification: On the 29th and 30th, a security person saw suspicious activity, shut the portal down on the 30th. There was no indication of a breach at that time. The internal forensics began on the 30th. On the 2nd we brought in outside cyber experts\u2014forensic auditors, law firm, and the FBI. The trades took place on the 1st and the 2nd. At that time, the general counsel, who clears the stock sales, had no indication\u2014or to the company\u2014of a security breach. Tester: Well, I\u2019ve got to tell you something, and this is just a fact, and it may have been done with the best of intentions and no intent for insider trading, but this really stinks. I mean, it really smells really bad. And I guess smelling bad isn\u2019t a crime. But the bottom line here is that you had a hack that you found out about on the 29th. You didn\u2019t know how severe it was. You told the FBI about the breach. On that same day, high-level execs sell $2 million worth of stock, and then you do some investigation, evidently, and you find out at the end of the month that\u2014or, at least, by the first part of September\u2014that this is a huge hack, and you finally notify the public. And as was pointed out already in this committee, these are people that didn\u2019t ask for your service. You\u2019ve gathered it. And now it\u2019s totally breached. And then, as Senator Sasse said, what\u2019s the length of exposure here, and you said, we\u2019ll be doing these five things. That\u2019s proactive, and I think we can all applaud those efforts. But I\u2019ve got to tell you, that doesn\u2019t do a damn thing for the people who have had their identity stolen and their credit rating stolen. So let me ask you this: So their credit rate goes up a little bit, and they go buy a house for 250,000 bucks on a 30-year note, and it costs them 25 grand. Are you liable for that? Smith: Senator, I understand your anger and your frustration. We\u2019ve apologized for the breach, we\u2019ve done everything in our power to make it right for the consumer, and we think these services we\u2019re offering is a right first step. 53:57 Sen. Elizabeth Warren (MA): In August, just a couple of weeks before you disclosed this massive hack, you said\u2014and I want to quote you here\u2014\u201cFraud is a huge opportunity for us. It is a massive, growing business for us.\u201d Now, Mr. Smith, now that information for about 145 million Americans has been stolen, is fraud more likely now than before that hack? Richard Smith: Yes, Senator, it is. Warren: Yeah. So the breach of your system has actually created more business opportunities for you. For example, millions of people have signed up for the credit-monitoring service that you announced after the breach\u2014Equifax is offering one year of free credit monitoring\u2014but consumers who want to continue that protection after the first year will have to pay for it, won\u2019t they, Mr. Smith. Smith: Senator, the best thing a consumer could do is get the lifetime lock. Warren: I\u2019m asking you the question. You\u2019re offering free credit monitoring, which you say is worth something, and you\u2019re offering it for only one year. If consumers want it for more than one year, they have to pay for it. Is that right? Smith: Yes, Senator. But the most, the best thing a consumer can do is the lock product. It\u2019s better than monitoring. Warren: Okay, but, they\u2019re going to have to pay after one year if they want your credit monitoring, and that could be a lot of money. So far, seven and a half million people have signed up for free credit monitoring through Equifax since the breach. If just one million of them buy just one more year of monitoring through Equifax at the standard rate of $17 a month, that\u2019s more than $200 million in revenue for Equifax because of this breach. But there\u2019s more. LifeLock, another company that sells credit monitoring, has now seen a 10-fold increase in enrollment since Equifax announced the breach. According to filings with the SEC, LifeLock purchases credit monitoring services from Equifax; and that means someone buys credit monitoring through LifeLock, LifeLock turns around and passes some of that revenue directly along to Equifax. Is that right, Mr. Smith? Smith: That is correct. Warren: That\u2019s correct. Okay. The second Equifax announced this massive data breach, Equifax has been making money off consumers who purchased their credit monitoring through LifeLock. Now, Equifax also sells products to businesses and government agencies to help them stop fraud by potential identity thieves. Is that right, Mr. Smith? Smith: Yes, Senator. There\u2019s one clarification. You\u2019d mentioned the LifeLock relationship\u2014 Warren: Uh-huh. Smith: \u2014which was accurate. At the same time, the majority of that revenue we normally generate is direct to consumer. We\u2019ve shut that down. We\u2019re no longer selling consumer product directly. Warren: I\u2019m sorry. My question is, every time somebody buys through LifeLock\u2014and they\u2019ve seen a 10-fold increase since the breach\u2014you make a little more money. We actually called the LifeLock people to find this out. So, I asked you the question, but I already know the answer. It\u2019s true. You\u2019re making money off this. So, let me go to the third one. Equifax sells products to businesses and government agencies to help them stop fraud by potential identity thieves, right? Smith: To the government, yes. Not to the business. Warren: You don\u2019t sell to businesses? Just small businesses? Smith: We sell business, but it\u2019s not to prevent fraud. That\u2019s not the primary focus or business. Warren: But to stop identity theft, you don\u2019t have any products that you\u2019re touting for identity-theft purposes? Smith: Senator, all I\u2019m saying is the vast majority we do for businesses is not fraud. Warren: Look, you\u2019ve got three different ways that Equifax is making money, millions of dollars, off its own screw up, and meanwhile, the potential costs to Equifax are shockingly low. Consumers can sue, but it turns out that the average recovery for data breaches is less than $2 per consumer, and Equifax has insurance that could cover some big chunk of any potential payment to consumers. So, I want to look at the big picture here. From 2013 until today, Equifax has disclosed at least four separate hacks in which it compromised sensitive personal data. In those four years, has Equifax\u2019s profit gone up? Mr. Smith? Smith: Yes, Senator. Warren: Yes, it has gone up, right? In fact, it\u2019s gone up by more than 80% over that time. You know, here\u2019s how I see this, Mr. Chairman. Equifax did a terrible job of protecting our data because they didn\u2019t have a reason to care to protect our data. The incentives in this industry are completely out of whack. Because of this breach, consumers will spend the rest of their lives worrying about identity theft. Small banks and credit unions will have to pay to issue new credit cards, businesses will lose money to thieves, but Equifax will be just fine. Heck, it could actually come out ahead. Consumers are trapped, there\u2019s no competition, nowhere else for them to go. If we think Equifax does a lousy job protecting our data, we can\u2019t take our data to someone else. Equifax and this whole industry should be completely transformed. Consumers\u2014not you\u2014consumers should decide who gets access to their own data. And when companies like Equifax mess up, senior executives like you should be held personally accountable, and the company should pay mandatory and severe financial penalties for every consumer record that\u2019s stolen. Mr. Chairman, we\u2019ve got to change this industry before more people are injured. 1:22:00 Sen. John Kennedy (LA): It just seems incongruent to me that you have my information\u2014you don\u2019t pay me for it; you don\u2019t have my permission \u2014 you make money collecting that information, selling it to businesses \u2014 and I think you do a service there; don\u2019t misunderstand me \u2014 and you also come to me\u2014you can\u2019t run your business without me; my data is the product that you sell \u2014 and you also offer me a premium service to make sure that the data you\u2019re collecting about me is accurate. I mean, I don\u2019t pay extra in a restaurant to prevent the waiter from spitting in my food. You understand my concern? Richard Smith: I understand your point, I believe, but another way to think about that is the monitoring part that you\u2019re referring to, Senator? Kennedy: Uh-huh. Smith: In the future, it\u2019s far less required if you as a consumer have the ability to freeze, or lock as we call it, and unlock your file. And that is free for life. Kennedy: But it\u2019s not just the freeze part. What if you had bad information about me? Have you ever\u2014has an agency ever had bad information about you, and you had to go through the process of correcting it? Smith: Yes, Senator. There\u2019s a process that if\u2014 Kennedy: It\u2019s a pain in the elbow, isn\u2019t it. I mean, the burden\u2019s kind of on \u2013 you have my data, which you haven\u2019t paid me for. You\u2019re earning a good living, which I don\u2019t deny you. I believe in free enterprise. I think this is a very clever business model you\u2019ve come up with. But you\u2019re earning your money by selling my data, which you get from me and don\u2019t pay me for, to other people, but if the data is wrong that you have about me, I would think you would want to make it as easy as possible to correct it, not as hard as possible. Smith: I understand your point, and it\u2019s an important point for the entire industry to make the process as consumer-friendly as possible if there\u2019s an error on your utility bill, if there\u2019s an error on your bank bill, your credit card statement, to work with consumers to make\u2014 Kennedy: Well, can you commit to me today that Equifax is going to set up a system where a consumer who believes that Equifax has bad information about him can pick up the phone and call a live human being with a beating heart and say, here\u2019s this information you have about me that you\u2019re selling to other people\u2014you\u2019re ruining my credit, and it\u2019s not true, and I want to get it corrected. How are you going to correct it, what information do you need from me to prove that it\u2019s incorrect, and when are you going to get back to me, and give me your name and phone number so I can call you. Smith: Senator, I understand your point. There is a process that exists today. More than half\u2014 Kennedy: Yeah, and it\u2019s difficult, Mr. Smith. Smith: Be more than happy to get the company to reach out to your staff, explain what we do, and what we\u2019re doing to improve that process. I hear you. Hearing: House Equifax CEO Hearing; House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection; October 3, 2017 Witness: Richard Smith: Former Chairman & CEO at Equifax 5:13 Rep. Jan Schakowsky (IL): The Equifax data breach was massive in scale: 145.5 million American victims as of yesterday. I would call it shocking, but is it really? We have these under-regulated, private, for-profit credit reporting agencies collecting detailed personal and financial information about American consumers. It\u2019s a treasure trove for hackers. Consumers don\u2019t have a choice over what information Equifax or, for example, TransUnion or Experian, have collected, stored, and sold. If you want to participate in today\u2019s modern economy; if you want to get a credit card, rent an apartment, or even get a job often, then a credit reporting agency may hold the key. Because consumers don\u2019t have a choice, we can\u2019t trust credit reporting agencies to self-regulate. It\u2019s not like when you get sick at a restaurant and decide not to go there anymore. Equifax collects your data, whether you want to have it collected or not. If it has incorrect information about you, it\u2019s really an arduous process\u2014I\u2019ve tried it\u2014to get it corrected. When it comes to information security, you are at the mercy of whatever Equifax decides is right; and once your information is compromised, the damage is ongoing. Given vast quantities of information and lack of accountability, a major breach at Equifax, I would say, would be predictable if not inevitable. I should really say breaches. This is the third major breach Equifax has had in the past two years. From media reports and the subcommittee\u2019s meeting with Equifax officials after the breach, it\u2019s clear to me that the company lacked appropriate policies and practices around data security. This particular breach occurred when hackers exploited a known vulnerability that was not yet patched. It was months later before Equifax first discovered the breach, and it was another several weeks before Equifax shared news with consumers, this committee, the Federal Trade Commission, and the Consumer Financial Protection Bureau. Senior officials at the company are saying they weren\u2019t immediately aware that the breach occurred, and yet, by the way, there were executives who sold over a million dollars in stock just days after the breach was discovered but, yet, not reported. And for a lot of Americans, that just doesn\u2019t pass the smell test. 22:45 Richard Smith: We know now that this criminal attack was made possible because of combination of human error and technological error. The human error involved the failure to apply a software patch to our dispute portal in March of 2017. Technological error involved a scanner which failed to detect that vulnerability on that particular portal. Both errors have since been addressed. On July 29 and July 30, suspicious activity was detected, and a team followed our security-incident protocol. The team immediately shut down the portal and began our internal security investigation. On August 2, we hired top cybersecurity, forensic, and legal experts, and at that time, we notified the FBI. At that time, to be clear, we did not know the nature or the scope of the incident. It was not until late August that we concluded that we had experienced a major breach. 47:53 Rep. Frank Pallone (NJ): All right, during your tenure at Equifax, you expanded the company\u2019s business into packaging and selling other people\u2019s data, and in that August 17 speech, you explained that having free data with a gross margin of profit of about 90% is\u2014and I quote\u2014\u201ca pretty unique model.\u201d And I get that this unique model is a good deal for Equifax, but can you explain how it\u2019s a good deal for consumers? Richard Smith: Thank you, Congressman. I think I understand the question. Our industry has been around for a number of years, as you know. In fact, Equifax is a 118-year-old company. We\u2019re part of a federally regulated ecosystem that enables consumers to get access to credit when they want access to credit and, hopefully, at the best rates available to them at that time. So we\u2019re very vital to the flow of economy, not just in the U.S. but around the world. Pallone: All right, I want to turn to what Equifax is offering consumers in the wake of this breach, specifically the free credit-lock service that is supposed to be introduced next year. We\u2019ve been told that this free credit-lock service could require consumers to consent to Equifax sharing or selling the information it collects from the service to third parties with whom the individual already has a business relationship for marketing or other purposes. Is that true? Smith: This product will be a web-enabled, mobile-enabled application that will allow a consumer at a time he or she, if they decide they want access to credit, can simply toggle on, toggle off that application to give the bank, credit card issuer, auto lender, access to their credit file to approve their loan. Pallone: Well, by agreeing to use the Equifax\u2019s lock service, will consumers also be opting in to any additional marketing arrangements, either via Equifax or any of its partners? Smith: Congressman, we\u2019re trying to change the paradigm. What I mean by that is, this will be in an environment viewed as a service, a utility, not a product. But we know cross-selling, upselling, or any products available to the consumer, when they go to get and sign up for the lock product, it\u2019s a service to them, and that\u2019s the only product\u2014this service they\u2019ll be able to get. Pallone: Will Equifax give consumers an easy and free method to choose not to share their data in this way, even if the consumer already has a business relationship with the third party? Smith: Yeah, Congressman, I\u2019d envision as this evolves over time, the consumer will have the ability to invite into their world who they want to have access and who they do not. It\u2019ll be their choice, their power, not ours, to make that decision. Pallone: Now, last week, the interim CEO announced that by January 31 of 2018 Equifax would make locking and unlocking of a person\u2019s Equifax credit report free forever. A credit-report lock is already included in TrustedID Premier and other services like credit monitoring and identity-theft insurance. Will that still end after one year? Smith: Congressman, a couple of differences. Number one, the product we offer today for consumers protects the consumer at the same-level protection they\u2019d get January 31. The difference is, today is a browser-enabled product, or service; the 31 of January it\u2019ll be an application, much simpler and easier for the consumer to use. The protection is largely the same. So they get this free service when they sign up for one year. At the end of the one year, effective January 31 of 2018, it goes into the new lock product. Pallone: I guess the difference, other than not expiring, between the credit-report lock that is part of TrustedID Premier and the credit-locking tool that will be available in January, why not just extend the freeze program? Smith: There\u2019s a difference between the freeze product, which came to pass with FACTA back in 2003, passed into law in 2004, that is now governed by state laws in all states, and it\u2019s a cumbersome process for a consumer. In many cases, some states require you to mail in your request for a freeze and that we must mail you a PIN, so your ability to get access to credit when you want credit is encumbered. A consumer could go to a car dealer or to a bank to get a credit card, forget his or her PIN on a freeze product, have to go back home, look for the PIN, mail the PIN in, so it\u2019s a cumbersome process. The lock product we\u2019re offering today is a big step forward; lock product for the 31 of January is an even further step forward. 53:00 Rep. Joe Barton (TX): Mr. Smith, what\u2019s the market value of Equifax? What\u2019s your company worth, or your former\u2014 Richard Smith: Congressman, last time I checked it\u2019s somewhere close to 13 billion. Barton: Thirteen billion. I\u2019m told by my staff that this latest data breach was about 143 million people. Is that right? Smith: We were informed yesterday from the company that is typical in a forensic audit, there was some slight movement and the numbers adjusted. Press release came out from the company last night. It\u2019s 145.5. Barton: A hundred\u2014well, okay, I appreciate your accuracy there. But under current law, you\u2019re basically required to alert each of those that their account has been hacked, but there\u2019s really no penalty unless there is some sort of a lawsuit filed and the Federal Trade Commission or state attorney general files a class-action lawsuit against your company. So you really only notify\u2014you\u2019re just required to notify everybody and say so sorry, so sad. I understand that your company has to stay in business, has to make money, but it would seem to me that you might pay a little bit more attention to security if you had to pay everybody whose account got hacked a couple thousand bucks or something. What would the industry reaction be to that if we passed a law that did that? Smith: Congressman, I understand your question. I think the path that we were on when I was there and the company\u2019s continued is the right path, and that\u2019s a path, a line that the consumers to control the power of who and when accesses a credit file going forward, taking the\u2014 Barton: Well, a consumer can\u2019t control the security of your system. Smith: That is true, sir, but they can control\u2014 Barton: And your security people knew there was a problem, and according to staff briefings that I\u2019ve been a part of, they didn\u2019t act in a very expeditious fashion until the system had already been hacked. And, I mean, you\u2019re to be commended for being here. I don\u2019t think we subpoenaed you. I think you appeared voluntarily, which shows a commendable amount of integrity on your part, but I\u2019m tired of almost every month there\u2019s another security breach, and it\u2019s okay, we have to alert you. I checked my file to see if I was one of the ones that got breached, and apparently I wasn\u2019t. I don\u2019t know how I escaped, but I didn\u2019t get breached, but my staff person did, and we looked at her reports last night, and the amount of information that\u2019s collected is way beyond what you need to determine if she (audio glitch) for a consumer loan. Basically, her entire adult history, going back 10 years, everywhere she\u2019s lived, her name, her date of birth, her social security number, her phone numbers, her addresses, her credit card, student loans, security-clearance applications for federal employment, car insurance, even employment history of jobs that she worked when she was in high school. That\u2019s not needed to determine whether she\u2019s worthy of getting a five-thousand-dollar credit card loan or something. And now it\u2019s all out in the netherworld of whoever hacked it. I can\u2019t speak for anybody but myself, but I think it\u2019s time at the federal level to put some teeth into this and some sort of a per-account payment\u2014and, again, I don\u2019t want to drive credit bureaus out of business and all of that, but we could have this hearing every year from now on if we don\u2019t do something to change the current system. 58:42 Rep. Ben Lujan (NM): Will Equifax be willing to pay for this freeze at Experian and TransUnion for consumers whose information was stolen? Richard Smith: You\u2019re referring to the freeze or the lock? Lujan: You said they\u2019re the same, so\u2026 Smith: Yeah, right now we offer a free lock product, as you know, for one year, and then a free lifetime lock product for life, starting January 31, 2018. Smith: And that also extends to Experian and TransUnion? Smith: No, sir, it does not. Lujan: Would Equif\u2014let me repeat the question. Will Equifax be willing to pay for that freeze, for that lock, at Experian and TransUnion for consumers whose information was stolen by it\u2014through Equifax? Smith: Congressman, the company\u2019s come out with what they feel is a comprehensive five different services today and a lifetime lock. I would encourage, to be clear, I would encourage TransUnion and Experian to do the same. It\u2019s time we change the paradigm, give the power back to the consumer to control who accesses his or her credit data. It\u2019s the right thing to do. Lujan: Okay, I\u2019m down to limited time, Mr. Smith. I apologize. I\u2019ll take that as a no that Equifax will not pay for Experian and TransUnion consumers. 1:26:09 Rep. Debbie Dingell (MI): Why do consumers have to pay you to access their credit report? Why should that data not be free? Richard Smith: Congresswoman, the consumer has the ability to access the credit report for free from each of the three credit reporting agencies once a year, and you combine that with the ability to lock your credit file for life for free. Again, it\u2019s a step forward. 2:00:40 Rep. Larry Bucshon (IN): Is it possible people who never signed up or used Equifax directly could have been impacted by the breach? Richard Smith: Yes, Congressman. Bucshon: Okay, so how does Equifax get the information on people who\u2019ve never directly associated with Equifax at all? I mean, I\u2019m not familiar with that. Smith: Yeah, we get it from banks, telecommunications companies, credit card issuers, so on and so forth. Bucshon: So just like we go to apply for a loan, they send you the information, because they want to get a data\u2014they want to get the information on my credit rating, for example. Smith Correct. As I define it, we are part of the federally regulated ecosystem\u2014 Bucshon: Yeah. Smith: \u2014that enables banks to loan money to consumers. Bucshon: Right. So, it\u2019s up to the banks, at that point, to notify the individual which credit agencies they\u2019re utilizing to assess their credit risk? Or is it up to the credit agencies? Smith: Traditionally, the contributors of data\u2014in that case, Congressman, the banks would give their data to all three. That\u2019s the benefit of the system is you get a holistic view of an individual\u2019s credit risk. Bucshon: Yeah. My point is, I guess, because a lot of people I talk to back in Indiana, southern Indiana, have no idea who Equifax is, right? And many of those people have applied for home loans and other things. And a matter of fact, probably at some point you have their information, but they may or may not have been notified who sent the information to them\u2014probably the bank or other agency\u2014and that\u2019s something I think that is also maybe an issue, that people don\u2019t understand or have not been told who is being used to assess their credit risk and, hence, something like this happens, they have no idea whether or not their information has been compromised. Smith: I understand your point. Bucshon: Yeah. 2:09:20 Rep. Gene Green (TX): Mr. Smith, Equifax customers or businesses who purchase data and credit reports on consumers, the American public is essentially Equifax\u2019s product. How many times per year on average does Equifax sell access to a given individual\u2019s credit file to a potential creditor, and how much do they make every time they sell it? Richard Smith: If I understand the question, Congressman, we take the data that is given to us by the credit ecosystem of the U.S., add analytics to it, and then when a consumer wants credit\u2014again, through a credit card, home loan, a car\u2014the bank then comes to us for that data and for that analytics, and we charge them for that. **Green: Okay. Well, the question was, how many times does Equifax receive payment for that individual credit file? Every time\u2014if my local car dealer contacts Equifax, and so they pay a fee to Equifax for that information. Smith: Yes, Congressman. If you as an individual want to go to that car dealership and get a loan for a car, they come to us or to competitors, and when they take your data, access your data, we do get paid for it, correct. 2:47:40 Richard Smith: If there\u2019s one thing I\u2019d love to see this country think about is the concept of a social security number in this environment being private and secure, I think it\u2019s time as a country to think beyond that. What is a better way to identify consumers in our country in a very secure way, and I think that way is something different than an SSN, a date of birth, and a name. 2:56:28 Rep. Jan Schakowsky (IL): What if I want to opt out of Equifax? I don\u2019t want you to have my information anymore. I want to be in control of my information. I never opted in, I never said it was okay to have all my information, and now I want out. I want to lock out Equifax. Can I do that? Richard Smith: Congresswoman, that requires a much broader discussion around the rules of credit reporting agencies because that data, as you know today, doesn\u2019t come from the consumer; it comes from the furnishers, and the furnishers provide that data to the entire industry. Schakowsky: No, I understand that. And that\u2019s exactly where we need to go, to a much larger discussion, because most Americans really don\u2019t know how much information, what it is that you have it, and they never said okay. Video: Circle Jerk, YouTube, December 3, 2015 Hearing: Credit Privacy Hearing; Senate Commerce, Science, and Transportation Committee; December 18, 2013 Witnesses: Tony Hadley: Senior VP of Government Affairs and Public Policy at Experian 47:13 Sen. Jay Rockefeller (retired) (WV): So, Mr. Hadley, what does your company\u2014or why does it single out and sell lists of economically vulnerable groups like immigrants, widows, and military personnel? 48:03 Tony Hadley: Thank you, Senator. We would be very concerned if lenders were using that information for scamming purposes, too. And we have processes and procedures in place to ensure that nobody gains access to that score for that purpose. Now\u2014 Sen. Jay Rockefeller: And how does that work? Hadley: We have an onboarding system by which we take on a client that gets our information to know who they are, and we also have a mail-piece review process to know what they\u2019re going to offer the consumer. And if it\u2019s anything that looks discriminatory or predatory, we will not provide our list to them. Now\u2014 Rockfeller: And this is your self-regulation. Hadley: This is our self-regulation under DMA standards. So if we were to violate that, we\u2019d be in violation of our self-regulatory standards as well as our contractual standards with our clients. Now, what\u2019s important here is that there are somewhere between 45 and 50 million Americans who are outside the mainstream of the credit markets in the United States. These are underbanked, underserved consumers who financial institutions cannot reach through credit scoring and credit report. They don't have financial identities or a big enough or even the presence of a credit file in order to bring them into the mainstream of financial markets. But that doesn't mean that they don't need access to financial services. So banks use this data to try to reach out to consumers who they can help to empower them, not to scam them. We don't want to do business with financial institutions who are trying to scam people, only to empower them. And this is their best way to find those individuals who are outside the mainstream\u2014immigrants; new to credit, like recent college graduates, exactly what we\u2019re talking about here\u2014to give them an offer, an invitation to apply, so that then they can make an eligibility determination regarding that application under the Fair Credit Reporting Act. But this is marketing literature, not eligibility determination. Rockefeller: Who\u2014 Hadley: Can I add to that for you? Rockefeller: Not entirely. Can you tell me which are the companies that buy this ChoiceScore product from you? We\u2019ve asked you that. Hadley: Yeah. They would be banks and financial institutions and members of the financial community. Rockefeller: That\u2019s what\u2019s called a general answer. Hadley: Yeah. I can't tell you who our clients are. That\u2019s a proprietary list of ours. It\u2019s like our secret ingredient. The ones who would want that most are our competitors. And our counsel has informed me that they don't believe that our ability to give that to you can be shielded from disclosure through the rules of the Senate. If we thought they could be\u2014for example, under a law enforcement action, where it could be shielded and protected from FOIA or other disclosures, we could do that, but not under the situation\u2014under the rules of the Senate. And we\u2019re very sorry about that, but we just simply can't do that. Our counsel won't let us. 1:25:49 Sen. Claire McCaskill (MO): The case, Mr. Hadley, of Experian and Superget. You purchased the company Court Ventures in 2012, in the spring of 2012. For more than a year after the time you purchased this company that had all this data, you were taking monthly wire transfers from Singapore, and your company did nothing. And as it turns out, those wire transfers were coming from a man in Vietnam who specialized in identity theft and was marketing the information that you owned to criminals to ruin people's lives. So my first question to you is, you were quoted as saying, \u201cWe would know who was buying this.\u201d You were getting wire transfers from Singapore on a monthly basis, and no one bothered to check to see who that was? Hadley: Now, I want to be clear that this was not Experian marketing data; this was Experian authentication data. So it\u2019s under a different company, a different use. So that\u2019s just\u2014I want you to know that it\u2019s not marketing data. McCaskill: I don't understand the distinction. I think it\u2019s a distinction\u2014 Jay Rockefeller: Nor do I. McCaskill: \u2014without a difference. I believe it was data that you owned, Experian owned. You\u2019d purchased this data from Court Scan, and they had, in fact\u2014 Hadley: No. Let me clarify. McCaskill: \u2014sold it to someone else. Hadley: Yeah, let me clarify that for you, because we\u2019ve provided a full response to that question to the Committee, and it\u2019s part of the eight submissions that we\u2019ve given. And I do have to say that it\u2019s an unfortunate situation, and the incident is still under investigation by law enforcement agencies. So I\u2019m really extremely limited in what I can say publicly about it, but I do want to say this. The suspect in the case obtained data controlled by a third party\u2014that was U.S. Info Search. That was not an Experian company\u2014through a company we bought, Court Ventures\u2014 McCaskill: Okay. Let\u2014 Hadley: \u2014prior to the time that we acquired that company. And to be clear, no Experian data was ever accessed in that deal. McCaskill: Well, I understand what you\u2019re saying. Here\u2019s what happened: You had U.S. Info Search\u2014 Hadley: No, we did not own\u2014 McCaskill: No, no; I\u2019m\u2014 U.S. Info Search existed, and Court Ventures existed. Hadley: And they had a partnership. McCaskill: \u2014they decided, for commercial reasons, to make more money, to combine their information. Hadley: To resell their information. McCaskill: And so they had a sharing agreement, those two companies, correct? Hadley: Right, right. McCaskill: Okay. So these two companies had a sharing agreement. Then you bought one of those companies. Hadley: Court Ventures. McCaskill: Correct. So now you owned it. Now you stood in their place. Are you a lawyer? Hadley: I\u2019m not a lawyer, but I understand we stood in their place, right. McCaskill: Are there any lawyers on the panel? Okay; she\u2019ll back me up. You stand in their place when you buy this. So now you\u2019re there. Now, you said in your earlier testimony, we would know who was buying this. So you now are part of their transactions. Hadley: During\u2014 McCaskill: And you were receiving the benefit of these monthly wire. Hadley: So, during the due-diligence process, we didn't have total access to all the information we needed in order to completely vet that. And by the time we learned about the malfeasance, I think nine months had expired. The Secret Service came to us, told us of the incident, and we immediately began cooperating with the Secret Service to bring this person to justice. McCaskill: Okay. Hadley: And we\u2019re continuing to cooperate with law enforcement in that realm. This was\u2014we were a victim and scammed by this person. McCaskill: Well, I would say the people who had all their identity stolen were the victims. Hadley: And we know who they are, and we\u2019re going to make sure that they\u2019re protected. There\u2019s been no allegation that any harm has come, thankfully, in this scam. McCaskill: Okay. Hadley: And we\u2019ve closed that down, and\u2014 Rockefeller: Let Senator McCaskill continue. Hadley: \u2014and we\u2019ve modified our processes to ensure that [unclear]\u2014 Rockefeller: Let Senator McCaskill continue. McCaskill: Okay. So let's talk about that process. This person got\u2014this man who they lured to Guam to arrest and who is now facing criminal charges in New Hampshire, they posed as an American-based private investigator. What is your vetting process when people want to buy your stuff? Hadley: That would\u2019ve been Court Ventures who would have vetted that prior to our acquisition. McCaskill: Okay, but I\u2019m talking about now, you. What is your vetting process? Hadley: Right now, before we would allow acc\u2014first, let me say that that person would have not gained access to Experian or this data if they had gone through our vetting processes prior to the acquisition. McCaskill: And what would\u2019ve stopped him? Hadley: We would\u2019ve known who that company is. We would\u2019ve had a physical onsite inspection of that company. We would\u2019ve known who that business is and what that business's record is. We would\u2019ve known exactly why they wanted that data and for what purposes. And that would have been enshrined in our contract. And we would\u2019ve known the kinds of systems they have in place to protect the data that they gained. Those are all incumbent upon us under the Gramm-Leach- Bliley Act and the FCRA. McCaskill: Well, listen, I understand that this was not a crime that began under your watch. Hadley: Thank you. McCaskill: But you did buy the company, and you did keep getting the wire transfers from Singapore, and the only reason you ever questioned them is because the Secret Service knocked on your door. I don't know how long those wire transfers from Singapore would\u2019ve gone on until you caught them. I don't have confidence that it would\u2019ve stopped at all. So I guess what my point is here, I maybe do not feel as strongly as others on this panel that behavioral marketing is evil. I believe behavioral marketing is a reality, and, frankly, the only reason we have everything we have on the Internet for free is because of behavioral marketing. So I don't see behavioral marketing as an evil into itself. What I do see is some desperate need for Congress to look at how consumers can get this information, what kind of transparency is there, and whether or not companies that allow monthly wire transfers into their coffers from Singapore from a criminal who is trying to rip off identity theft, whether or not they should be held liable for no due diligence on checking those wire transfers from Singapore until the Secret Service knocked on their door. And that\u2019s what I think we need to be looking at. And I don't think there\u2019s enough\u2014I mean, I know that some of my friends on the other side of the aisle, you say trial lawyers, and they break out in a sweat. But the truth is that if there was some liability in this area, it would be amazing how fast people could clean up their act. And, unfortunately, in too many instances there\u2019s not clear liability because we haven't set the rules of the road. Video: FreeCreditReport.com all 9 commercials, YouTube, October 3, 2009. Hearing: Credit Scoring System; House Financial Services Subcommittee on Oversight and Investigations; July 30, 2008. Witnesses: Thomas Quinn: Vice President of Global Scoring at Fair Isaac Business Consulting Stan Oliai: Experian Decision Analytics Consulting Senior Vice President Chet Wiermanski: Transunion Credit Services Analytical Systems Vice President Richard Goerss: Equifax Credit Services Chief Privacy Officer Evan Hendricks: Privacy Times Publisher and Editor 26:42 Thomas Quinn: A FICO score is a three-digit number ranging from 300 to 850, where the higher the score, the lower the risk. Lenders use the score, along with other information, to decision the request for credit, set the credit line and pricing terms. Creating the FICO score model requires two samples of credit reports, two years apart, for the same randomly selected depersonalized set of consumers provided by one of the national credit reporting agencies. Those credit factors found to be most powerful and consistent in predicting credit performance, individually and in combination, form the basis for the complex mathematical algorithm which becomes the score. The traditional FICO score model evaluates five broad types of data elements from the consumer credit report. These include, and listed in order of importance, previous credit payment history, about 35 percent contribution; level of outstanding debts, about 30 percent contribution; length of credit history, 15 percent contribution; pursuit of new credit, 10 percent contribution; and mix of type of credit, about 10 percent contribution. FICO scores were first introduced to the marketplace in 1989 and have been consistently redeveloped and updated throughout the years to ensure their predictive strength. 34:00 Stan Oliai: A credit score is a numerical expression of risk of default, based on a credit report. The score is produced by a mathematical formula created from a statistical analysis of a large representative sample of credit reports. The formula is typically called a \u201cmodel.\u201d The credit score is calculated by the model, using only information in the credit report. These reports include the following types of information: The credit account history\u2014such as was the account paid, was it paid on time, how long has the account been open, and what\u2019s the outstanding balance; the type of account\u2014is it a mortgage, is it an installment, is it revolving; the public record information\u2014liens, judgments, bankruptcies, for example; inquiries in the credit file that represent applications for new credit and other consumer-initiated transactions. A credit report does not include information such as income or assets. It also does not include demographic information such as race or ethnicity. Demographic factors are not used in the calculation of a credit score. 35:05 Stan Oliai: Regulatory oversight of credit scores is accomplished through routine bank examinations for compliance, with a number of laws that govern fair lending, such as the Equal Credit Opportunity Act. This makes sense because the lender chooses the scoring model to assist in this proprietary underwriting process. The lender is ultimately responsible for demonstrating to regulators that the scoring model it has chosen complies with the lending laws. 46:20 Chet Wiermanski: There is strong evidence to suggest that consumers would benefit from the increased reporting of nontraditional credit information. For example, consumers with thin credit files and, in particular, minorities, immigrants, young and old, all experience a net benefit from full-file reporting by energy companies and telecommunication providers. Consumers with impaired credit histories also obtain a net benefit from full-file reporting by these companies. We are presently engaged in a follow-up study to learn more about the impediments to full-file reporting faced by the utilities and telecommunication industry. It may be very well that Congress may have a role to play in removing roadblocks to encourage voluntary full-file reporting. 2:01:30 Richard Goerss: There are a lot of thing\u2014different activities\u2014that a consumer can do to protect themselves if they feel they are victims or might be victims of identity theft. Certainly, one of the things that they can do is to place a fraud alert on their credit file. They can receive a free disclosure of their credit file to see if there has been any inappropriate activity or inquiry to their credit file. They can provide an identity-theft report and identify the account information that they feel, or that they say, was opened fraudulently. And under the requirements of the FACT Act, the consumer reporting agencies are going to delete that information, and the consumer reporting agency that receives that identity theft with the information-removal request is going to refer it to the other two consumer reporting agencies, who are also going to remove that information. 2:24:30 Evan Hendricks: Right now, you take it for granted that we know about credit scores, but you have to remember it was, like, 12 years ago, in the mid-1990's, when credit scores started being widely used. They were a complete secret; the industry did not even acknowledge their existence. Then, when they found out about it and reporters like Michelle Singletary of the Washington Post started reporting on it, then they would not disclose the score to you. So, California led the way with a state law, and now we have the FACT Act, which means that you can get one\u2014you can buy a credit score for a fair and reasonable price. 2:54:55 Rep. Jackie Speier (CA): We call these credit reporting agencies or credit bureaus, which gives the average consumer the impression that they are dealing with some federal entity, when in fact they are not\u2014we heard this afternoon they\u2019re private or publicly traded companies\u2014and yet this information is so critical, and to Mr. Barrett's comments, who suggested that the consumer needs to be educated, needs to know what goes into their FICO score and what they can do to improve their FICO score, we can't give those kinds of answers, because, for all intents and purposes, it is a proprietary formula. It\u2019s sort of like secret sauce; we don't know what it is. Now, there\u2019s something wrong when the government can't articulate what should be considered in a FICO score. Cover Art Design by Only Child Imaginations Music Presented in this Episode Intro & Exit: Tired of Being Lied To by David Ippolito (found on Music Alley by mevio) ","author_name":"Congressional Dish","author_url":"https:\/\/congressionaldish.com","html":"