Senate Homeland Security Subcommittee Hearing on Data Breaches

Senate Homeland Security Permanent Subcommittee on Investigations

“Examining Private Sector Data Breaches”

Thursday, March 7, 2019


Key Topics & Takeaways

  • Federal Framework: Begor said a uniform law would make communication easier and provide clarity. Sorenson said it has not presented much of a challenge to Marriott, but could simplify protection efforts. Smith said uniformity would benefit the FTC, although 50 laws is not a difficult hurdle to overcome in his opinion. Gilligan said the controls and the NIST report would help the framework implement guidelines for systems to protect against breaches. He also said the framework should include education efforts to teach best practices to those affected, to which Cackley agreed.
  • Breach Notification Timeline: Begor and Sorenson said that their teams moved as quickly as possible, reported the breaches to the FBI following state laws, set up customer support services, and wanted accurate data before notifying consumers.
  • FTC Authority: Portman and Carper asked questions about the FTC being granted rulemaking and other authorities and how they would help against data misuse. Smith responded that because the FTC is the largest consumer protection agency, the increase in rulemaking power, jurisdiction, accountability, and ability to fine would give a central agency the ability to properly protect consumer data in a more timely fashion, as well as oversee nonprofits and non-carriers. Cackley agreed with Smith’s statement and Gilligan said consolidation under one agency could provide clarity.

Witness

Opening Statements

Sen. Rob Portman (R-Ohio), Investigations Subcommittee Chairman

In his opening statement, Portman said the hearing would focus on concerns over personal information being gathered through various data breaches. He noted many recent breaches, including those of Google, Facebook, Uber, and the U.S. Government Accountability Office (GAO). Portman said Congress would continue to work towards passing legislation, such as S. 3707, the Public-Private Cybersecurity Cooperation Act, and S. 1281, the Hack Department of Homeland Security (DHS) Act. He said the Equifax and Marriott-Starwood data breaches would be closely examined, considering both companies failed to implement and practice basic cybersecurity rules. Portman said both companies failed to issue “timely” breach notices to consumers, to properly destroy stored data and archive communications, and to preserve necessary documents. Portman said the U.S. should focus on preventing future hacks, better protecting consumer data, and providing prompt reporting practices.

Sen. Tom Carper (D-Del.), Investigations Subcommittee Ranking Member

In his opening statement, Carper said that according to a 2017 Pew Research study, half of the nation believes their personal information is less secure than it was five years ago. He said that with the increase in data breaches, such as those at Google, Saks Fifth Avenue, T-Mobile, Equifax and Marriott-Starwood, consumer trust is decreasing. Carper asked Begor and Sorenson to address the steps their companies are taking to improve oversight of data breaches and to fix their companies’ mistakes. He spoke about the need for cybersecurity to be “the” top priority for the CEO, board and rest of any business. Carper said companies need to concentrate on restructuring their IT, audit, communication, and patching systems. He said Equifax still needs to address concerns from its 2015 audit reports, such as prioritizing the patching of security flaws and vulnerabilities and monitoring company web traffic. Carper said data breaches will only continue, and therefore one uniform federal law should address data sharing and cybersecurity practices for protecting against data breaches.

Testimony

Mark W. Begor, CEO, Equifax Inc.

In his testimony, Begor shared his “personal” regret for the Equifax data breach, and said he is fully committed to addressing concerns moving forward. He said cybercrime is one of the nation’s greatest threats, as cyber criminals and bad actors are now more sophisticated, making it a tougher challenge for the U.S. to defend against attacks from these groups and from other nation states. Begor said that with no end in sight to attacks, it is the responsibility of the government, law enforcement, and the private sector to collaborate and cooperate to support partnerships and systems for prevention and protection. Begor said Equifax had the appropriate security systems in place and continues to take cybersecurity seriously. He said over the last eighteen months, Equifax has incrementally increased the number of security and IT staff, and has doubled tech spending by 50%, with plans to continue increasing both. Begor said there is a need to use the Equifax data breach as an example to implement data sharing practices across industries, to diligently support consumers. He said since the breach, Equifax has invested $80 million to assist impacted consumers, offered free credit theft and monitoring services with a free extension of these services, and implemented a freeze/unfreeze button in the Equifax smartphone application. Begor stated that he and Equifax are committed to continuing to be the most consumer-friendly credit bureau every step of the way, and to prioritizing support staff, tech and security investments to prevent future breaches.

Arne M. Sorenson, President and CEO, Marriott International Inc.

In his testimony, Sorenson discussed tackling data breaches across the private sector by enhancing measures to protect against breaches, focusing specifically on the Marriott-Starwood data breach in 2018. He summarized the timeline of Marriott’s merger with Starwood, and apologized for the mistakes made which ultimately led to the Starwood data breach. Sorenson said when the breach occurred in September 2018, Marriott reported it to the FBI within days, and took precautionary steps to gather accurate information and set up infrastructure for customer support before notifying those affected by the breach. He said 380 million guest records and 23 million passport records were obtained, but no use or sale of the information has been reported, according to dark web and cyber monitoring tools. Sorenson said the breach included guest names and addresses, that social security numbers are not stored, and that a majority of the credit card numbers were encrypted and/or expired. He said Marriott is committed to working with Congress to protect against and prevent future breaches.

Alicia Puente Cackley, Director, Financial Markets and Community Investment, U.S. GAO

In her testimony, Cackley spoke about her priorities to see internet privacy and data protections implemented, such that the Federal Trade Commission (FTC) is granted oversight, rulemaking authority, and the ability to levy civil penalties on violators of data security. She said there is a need for a comprehensive law addressing the use, sale and disclosure of personal information, and for FTC oversight of companies who obtain such information. Cackley referenced the FTC’s jurisdiction under Section 5 of the Federal Trade Commission Act, and said there is a need for the FTC to carry out rulemaking and oversee regulations for the internet beyond its current oversight of financial privacy and child protection laws. Cackley said the GAO has done studies on data authority and has found most stakeholders support the FTC’s current approach of direct enforcement against unfair data practices, while other stakeholders want the FTC to issue rules and enforce regulations. She suggested three areas of improvement for oversight: enhancing statutes to protect against and prohibit bad behaviors, rulemaking to provide clarity, and the ability to levy civil penalties on violators. She said Congress should consider comprehensive legislation that includes the above recommendations, as well as ways to balance data protections and innovation.

Andrew Smith, Director, Bureau of Consumer Protection, U.S. FTC

In his testimony, Smith focused on three areas for improvement: FTC enforcement, policy-making, and business education efforts. Smith said that with the FTC being the leading data security enforcer, the agency’s jurisdiction should be broadened to enforce against and protect against unreasonable practices and usage of data. He also said rulemaking would help provide clarity and certainty to safeguard against such practices by institutions. Smith said cybersecurity camps and web programs would also help educate the public and companies and steer them away from poor cyber practices. He suggested comprehensive legislation would provide authority for the FTC to implement safe practices and increase the FTC’s jurisdiction to oversee nonprofits and non-carriers. Smith said the FTC currently has no regulations for internet protections other than those addressing financial privacy and child protection.

John M. Gilligan, President and CEO, Center for Internet Security

In his testimony, Gilligan offered suggestions for implementing controls to prevent major data breaches. He referenced reforms made during his tenure in the Air Force, in which the National Security Agency (NSA) identified weaknesses in the software used by the government and military, finding that misconfigured software that was not properly enabled or patched led to vulnerabilities and exploitable areas for hacks. Gilligan said the Center for Internet Security recommends focusing on two documents, the SANS 20 Critical Security Controls and the National Institute of Standards and Technology (NIST) 2014 Framework for Improving Critical Infrastructure Cybersecurity. He said accounting for the controls and using the framework would prevent 90% of data breach attempts, and would set the groundwork for a federal data security framework. Gilligan cited Equifax, saying they lacked five of the twenty controls. He said currently California, Ohio, Paraguay, the European Union (EU) standards organization, the Atlantic Council, and Aerospace have adopted and endorsed these controls, and that the NIST framework could be charted into a single cyber guideline for implementation of appropriate controls.

Question & Answer

Equifax Breach

Sens. Rob Portman (R-Ohio), Tom Carper (D-Del.) and Maggie Hassan (D-N.H.) all directed questions to Equifax about its use of the Apache Struts software, its inventory systems, and its testing for vulnerabilities. Begor and Equifax Chief Information Security Officer Jamil Farshchi responded that there were controls in place that weren’t strong enough. They said that since the breach the company has increased IT security teams, tech spending, data sharing best practices, and breach alerts, and has set up automated tools to manage patching on its systems, so the company is not reliant on one person or system but rather on a secure web that checks redundancies. They also highlighted that they have considered changing how they keep their inventory repository, as well as their ongoing communication with competitors about breach attempts and the IP addresses of the bad actors.

Auditing

Sens. Jacky Rosen (D-Nev.), Portman and Hassan asked Equifax and Marriott about auditing measures, specifically about cyber certificates and merger practices. Begor and Farshchi said the company’s systems weren’t utilized properly and that since the breach the audit process has become more robust, constantly referencing and updating certificates, and the company is continuing to hire more professionals and increase spending. They said it is a priority to build a multi-layer defense system that continuously works to patch vulnerabilities.

Breach Notification Timeline

Sens. Carper and Portman asked about notification timelines and whether notifications could be timelier. Begor and Sorenson responded that their teams moved as quickly as possible, reported the breaches to the FBI following state laws, set up customer support services, and wanted accurate data before notifying consumers.

Foreign Threat

Sens. Josh Hawley (R-Mo.), Kamala Harris (D-Calif.), Carper and Rosen asked how the breaches could have been orchestrated by foreign threats and how to protect Americans while following global standards. Begor said he is committed to security for all. Sorenson said Marriott is in a different situation considering its global presence, but said Marriott has shared everything it knows with the FBI and continues to monitor for customer data, especially pertaining to passports. He also stated he is not aware of the full effect of foreign threats on Americans. Smith said the European Union General Data Protection Regulation (EU GDPR) 72-hour notice should be used as a standard for notifications in a U.S. framework, or possibly a 30-45 day notification requirement.

Federal Framework

Sens. Portman and Carper asked if data breach laws across all 50 states present a challenge and if there should be a uniform standard. Begor said a uniform law would make communication easier and provide clarity. Sorenson said it has not presented much of a challenge to Marriott, but could simplify protection efforts. Smith said uniformity would benefit the FTC, although 50 laws is not a difficult hurdle to overcome in his opinion. Gilligan said the controls and the NIST report would help the framework implement guidelines for systems to protect against breaches. He also said the framework should include education efforts to teach best practices to those affected, to which Cackley agreed.

FTC Authority

Sens. Portman and Carper asked questions about the FTC being granted rulemaking and other authorities and how they would help against data misuse. Smith responded that because the FTC is the largest consumer protection agency, the increase in rulemaking power, jurisdiction, accountability, and ability to fine would give a central agency the ability to properly protect consumer data in a more timely fashion, as well as oversee nonprofits and non-carriers. Cackley agreed with Smith’s statement and Gilligan said consolidation under one agency could provide clarity.
