
Date: Wed, 15 Nov 2017 02:36:23 -0600

[Please read the entire testimony. I've just excerpted the main points.]

Bruce Schneier, CRYPTO-GRAM, November 15, 2017 schneier@schneier.com https://www.schneier.com https://www.schneier.com/crypto-gram.html

Last week, I testified before the House Energy and Commerce committee on the
Equifax hack. A link to the video is at the bottom of this section. And you can read my written testimony below.

Testimony and Statement for the Record of
Bruce Schneier
Fellow and Lecturer, Belfer Center for Science and International Affairs, Harvard Kennedy School
Fellow, Berkman Center for Internet and Society at Harvard Law School

Hearing on "Securing Consumers' Credit Data in the Age of Digital Commerce"

Before the Subcommittee on Digital Commerce and Consumer Protection
Committee on Energy and Commerce
United States House of Representatives

1 November 2017
2125 Rayburn House Office Building
Washington, DC 20515

1. The Equifax breach was a serious security breach that puts millions of
Americans at risk.

2. Equifax was solely at fault.

3. There are thousands of data brokers with similarly intimate information,
similarly at risk. Equifax is more than a credit reporting agency. It's a
data broker. It collects information about all of us, analyzes it all,
and then sells those insights. It might be one of the biggest, but there
are 2,500 to 4,000 other data brokers that are collecting, storing, and
selling information about us -- almost all of them companies you've never
heard of and have no business relationship with.

4. These data brokers deliberately hide their actions, and make it difficult
for consumers to learn about or control their data.

5. The existing regulatory structure is inadequate.

6. The market cannot fix this because we are not the customers of data

7. We need effective regulation of data brokers.

8. Resist complaints from the industry that this is "too hard."

9. This has foreign trade implications.

10. This has national security implications.

11. We need to do something about it.

Yes, this breach is a huge black eye and a temporary stock dip for Equifax -- this month. Soon, another company will have suffered a massive data breach and few will remember Equifax's problem. Does anyone remember last year when Yahoo admitted that it exposed personal information of a billion users in 2013 and another half billion in 2014?

Unless Congress acts to protect consumer information in the digital age, these breaches will continue.

Hearing: https://energycommerce.house.gov/hearings/securing-consumers-credit-data-age-digital-commerce

Video of the hearing: https://www.youtube.com/watch?v=4_ydofXb7mU&feature=youtu.be

[Lots of references omitted, some of which have already been in RISKS.]
