1 00:00:00,080 --> 00:00:03,240 Speaker 1: Former Equifax CEO Richard Smith made his first appearance at
2 00:00:03,240 --> 00:00:06,360 Speaker 1: a House committee today, the first of four appearances before
3 00:00:06,400 --> 00:00:09,800 Speaker 1: congressional committees this week. His appearance came a day after
4 00:00:09,840 --> 00:00:12,760 Speaker 1: Equifax revealed that the hack affected two and a half
5 00:00:12,880 --> 00:00:16,639 Speaker 1: million more Americans than first believed, making a total of
6 00:00:16,680 --> 00:00:20,200 Speaker 1: one five and a half million Americans whose Social Security
7 00:00:20,280 --> 00:00:25,159 Speaker 1: numbers and other personal information was stolen. Smith apologized for
8 00:00:25,239 --> 00:00:28,080 Speaker 1: failing to live up to his responsibility of safeguarding the
9 00:00:28,120 --> 00:00:31,120 Speaker 1: personal information of Americans and said the hack was the
10 00:00:31,160 --> 00:00:35,440 Speaker 1: result of both human and technological errors. Republican Gene Walden
11 00:00:35,479 --> 00:00:38,600 Speaker 1: of Oregon wanted to know why Equifax did not patch
12 00:00:38,640 --> 00:00:42,239 Speaker 1: its software when the Department of Homeland Security alerted the
13 00:00:42,280 --> 00:00:47,520 Speaker 1: company on March eight to flaws in its software. Human error?
14 00:00:48,440 --> 00:00:51,839 Speaker 1: Was the individual who was responsible for communicating in the
15 00:00:51,960 --> 00:00:56,480 Speaker 1: organization to apply the patch did not? So does that
16 00:00:56,560 --> 00:00:59,840 Speaker 1: mean that that individual knew that the software was there
17 00:01:00,600 --> 00:01:04,000 Speaker 1: and it needed to be patched and did not communicate
18 00:01:04,080 --> 00:01:06,679 Speaker 1: that to the team that does the patching? Is that
19 00:01:06,800 --> 00:01:08,840 Speaker 1: the heart of the issue here? That is my understanding, sir.
20 00:01:09,600 --> 00:01:13,560 Speaker 1: That was about two months before hackers began accessing Americans'
21 00:01:13,600 --> 00:01:17,919 Speaker 1: personal information on Equifax's servers. My guests are Craig Newman,
22 00:01:18,040 --> 00:01:21,440 Speaker 1: a partner at Patterson Belknap, and David Stone, a
23 00:01:21,480 --> 00:01:24,960 Speaker 1: partner at Stone and Magnanini. Craig, I want to start
24 00:01:25,040 --> 00:01:30,920 Speaker 1: with that information that we just heard from a question
25 00:01:31,040 --> 00:01:37,320 Speaker 1: by Walden of Oregon. Why wasn't it fixed and why
26 00:01:37,520 --> 00:01:41,200 Speaker 1: isn't there Why shouldn't there be more people involved when
27 00:01:41,319 --> 00:01:46,800 Speaker 1: something comes in from Homeland Security saying there's a problem? Well, June,
28 00:01:47,000 --> 00:01:52,080 Speaker 1: it was a software vulnerability that Department of Homeland Security
29 00:01:52,160 --> 00:01:56,440 Speaker 1: knew about and issued an alert in early March. This
30 00:01:56,560 --> 00:02:01,200 Speaker 1: kind of vulnerability, it's the basic blocking and tackling of cybersecurity,
31 00:02:01,200 --> 00:02:05,840 Speaker 1: cyber hygiene, and what is clear from the testimony today
32 00:02:06,000 --> 00:02:08,240 Speaker 1: is that there was a big ball drop and the
33 00:02:08,280 --> 00:02:11,880 Speaker 1: company admitted they got the Department of Homeland Security alert,
34 00:02:12,360 --> 00:02:16,720 Speaker 1: they had the vulnerability, um they had scanning software in
35 00:02:16,760 --> 00:02:19,519 Speaker 1: place that didn't pick up the vulnerability, and they didn't
36 00:02:19,520 --> 00:02:23,720 Speaker 1: patch it until late in the game, after they already
37 00:02:23,800 --> 00:02:29,080 Speaker 1: knew that they had been breached.
David, the timeline here
38 00:02:29,120 --> 00:02:31,960 Speaker 1: is hackers seemed to have first entered a system on
39 00:02:32,080 --> 00:02:36,399 Speaker 1: May and they were in the system until July, when
40 00:02:36,480 --> 00:02:43,280 Speaker 1: suspicious activity was first detected by Equifax's security department. Does
41 00:02:43,320 --> 00:02:48,040 Speaker 1: that show a problem with the Equifax system if it
42 00:02:48,320 --> 00:02:51,840 Speaker 1: took that long to see that there was suspicious activity?
43 00:02:52,040 --> 00:02:55,760 Speaker 1: He explained different reasons for why why it took so
44 00:02:55,880 --> 00:02:58,800 Speaker 1: long and how it's hard to find these things. So
45 00:02:59,160 --> 00:03:02,639 Speaker 1: it definitely, it definitely shows a problem. I mean, the
46 00:03:02,880 --> 00:03:05,240 Speaker 1: biggest issue in this case, and and we're learning more
47 00:03:05,280 --> 00:03:08,000 Speaker 1: every day, is you know, what did they know and
48 00:03:08,080 --> 00:03:10,440 Speaker 1: when did they know it? And we now know that
49 00:03:10,520 --> 00:03:15,400 Speaker 1: they knew about this weakness through the government agency, uh,
50 00:03:15,480 --> 00:03:18,839 Speaker 1: you know, in March nine, and yet they didn't even
51 00:03:18,960 --> 00:03:22,440 Speaker 1: detect that anything was going on until July twenty nine.
52 00:03:23,040 --> 00:03:25,280 Speaker 1: They had scanning equipment that should have picked it up,
53 00:03:25,440 --> 00:03:28,680 Speaker 1: it didn't pick it up. They had people working that
54 00:03:28,720 --> 00:03:31,400 Speaker 1: were supposed to patch it that didn't patch it.
And
55 00:03:31,680 --> 00:03:34,840 Speaker 1: I think, you know, the the the admission in his
56 00:03:35,000 --> 00:03:39,360 Speaker 1: testimony before Congress that it was both human error and
57 00:03:39,560 --> 00:03:44,200 Speaker 1: technology failures is a really significant thing, specifically for the
58 00:03:44,280 --> 00:03:46,800 Speaker 1: lawsuits that are going on now, one of which our
59 00:03:47,040 --> 00:03:50,240 Speaker 1: firm has brought against this company, because they had an
60 00:03:50,280 --> 00:03:53,760 Speaker 1: obligation to protect not only their customers who we represent,
61 00:03:54,200 --> 00:03:58,560 Speaker 1: but everybody whose personal information was entrusted to them. There's
62 00:03:58,560 --> 00:04:02,480 Speaker 1: another couple of bags. Craig that the members of the
63 00:04:02,520 --> 00:04:07,040 Speaker 1: committee were very critical of Equifax's security department July
64 00:04:07,200 --> 00:04:11,320 Speaker 1: twenty nine learns of suspicious activity, the former CEO isn't
65 00:04:11,320 --> 00:04:15,080 Speaker 1: informed of that until July one, and then the company
66 00:04:15,160 --> 00:04:20,360 Speaker 1: notifies the FBI on August two. Is that delay in
67 00:04:20,400 --> 00:04:26,120 Speaker 1: itself a problem? Delays in and of itself during the
68 00:04:26,240 --> 00:04:30,000 Speaker 1: data breach, June, are really difficult to say, well, this
69 00:04:30,080 --> 00:04:32,000 Speaker 1: is too long, this is too short of the time.
70 00:04:32,040 --> 00:04:36,200 Speaker 1: This obviously was a very very significant breach. And Smith
71 00:04:36,240 --> 00:04:39,839 Speaker 1: took a lot of heavy fire and grilling today over
72 00:04:40,160 --> 00:04:43,240 Speaker 1: the timing and is specifically, he was asked, you know,
73 00:04:43,360 --> 00:04:46,000 Speaker 1: when did you know about it?
Why were these delays
74 00:04:46,400 --> 00:04:50,080 Speaker 1: um in informing not just senior leadership but the board,
75 00:04:50,520 --> 00:04:53,120 Speaker 1: And you know, he came back to the response that,
76 00:04:53,480 --> 00:04:55,800 Speaker 1: you know, look, we were working with the FBI, we
77 00:04:55,800 --> 00:04:59,680 Speaker 1: were working with our outside data security forensics folks, and
78 00:04:59,760 --> 00:05:01,960 Speaker 1: this is the best we could do. And that was
79 00:05:02,040 --> 00:05:06,200 Speaker 1: really the refrain we heard most of the three hours
80 00:05:06,200 --> 00:05:10,760 Speaker 1: of this testimony today. And David, so when you look
81 00:05:10,800 --> 00:05:13,440 Speaker 1: at this whole this whole thing that went on today,
82 00:05:13,440 --> 00:05:18,159 Speaker 1: there was there were also questions about the higher ups
83 00:05:18,640 --> 00:05:22,440 Speaker 1: who had bought, who had sold stock during the time,
84 00:05:22,480 --> 00:05:26,800 Speaker 1: and that apparently had been approved by the lead counsel
85 00:05:26,839 --> 00:05:33,920 Speaker 1: at Equifax. What kind of investigations are going on about that? Well,
86 00:05:33,960 --> 00:05:36,320 Speaker 1: there there are a number of investigations going about and
87 00:05:36,360 --> 00:05:40,440 Speaker 1: about that, both by state attorney generals and the federal government.
88 00:05:40,600 --> 00:05:44,640 Speaker 1: And I think there's also some securities actions that either
89 00:05:44,680 --> 00:05:47,400 Speaker 1: have been filed or will be filed, because the question
90 00:05:47,560 --> 00:05:51,200 Speaker 1: is is this insider trading? Did they delay telling the
91 00:05:51,240 --> 00:05:55,640 Speaker 1: public before they could sell this stock?
They're they're taking
92 00:05:55,640 --> 00:05:58,200 Speaker 1: the position that they knew there had been a breach,
93 00:05:58,279 --> 00:06:00,880 Speaker 1: but they didn't know what it was. And during those
94 00:06:00,920 --> 00:06:04,599 Speaker 1: three days between you know, July twenty nine and August two,
95 00:06:04,839 --> 00:06:07,839 Speaker 1: you know, they sold significant amounts of stock. So I
96 00:06:07,839 --> 00:06:10,479 Speaker 1: don't think we know the facts yet, but but the
97 00:06:10,560 --> 00:06:15,480 Speaker 1: chronology is is very troubling. Craig. Another thing that Republican
98 00:06:15,560 --> 00:06:19,159 Speaker 1: Gene Walden of Oregon said, when you're looking forward to
99 00:06:19,200 --> 00:06:21,719 Speaker 1: see what can be done in the future to to
100 00:06:21,800 --> 00:06:24,040 Speaker 1: stop this from happening, he said, I have colleagues that
101 00:06:24,120 --> 00:06:27,080 Speaker 1: say we can double the fines, triple the fines. How
102 00:06:27,120 --> 00:06:30,040 Speaker 1: does that happen? How and how do we pass a
103 00:06:30,160 --> 00:06:34,839 Speaker 1: law that fixes stupid, which he apologized for but still
104 00:06:34,839 --> 00:06:38,440 Speaker 1: said it. And the question is how do you deal
105 00:06:38,520 --> 00:06:44,679 Speaker 1: with these kinds of agencies that have this amount of information. Well, look,
106 00:06:44,960 --> 00:06:50,000 Speaker 1: Walden and Representative Guthrie asked exactly the right question today,
107 00:06:50,080 --> 00:06:53,520 Speaker 1: and they took a step back and said, look, you've
108 00:06:53,600 --> 00:06:56,279 Speaker 1: you've taken the drubbing today.
We get that, but let's
109 00:06:56,360 --> 00:06:59,800 Speaker 1: let's look at the bigger picture and what could you,
110 00:07:01,279 --> 00:07:05,520 Speaker 1: as the CEO and Equifax have done differently looking at
111 00:07:05,560 --> 00:07:09,200 Speaker 1: retrospect? And both times he was asked the question, he said,
112 00:07:09,760 --> 00:07:12,600 Speaker 1: you know, I really haven't had much time for reflection.
113 00:07:12,760 --> 00:07:15,720 Speaker 1: It's a question that I'm going to be thinking about
114 00:07:15,760 --> 00:07:18,720 Speaker 1: at a later date. But that's really the key question
115 00:07:18,800 --> 00:07:22,520 Speaker 1: in this entire breach from a broader perspective, you know,
116 00:07:22,880 --> 00:07:26,840 Speaker 1: what can we learn about it collectively to ensure that
117 00:07:26,880 --> 00:07:29,720 Speaker 1: this doesn't happen again and the companies really have an
118 00:07:29,760 --> 00:07:34,520 Speaker 1: incentive to practice the best in cyber hygiene. In about
119 00:07:34,600 --> 00:07:38,840 Speaker 1: thirty seconds, David, what's your best suggestion? I'm putting you
120 00:07:38,880 --> 00:07:42,520 Speaker 1: on the spot, I know. Well, look, I mean I
121 00:07:42,600 --> 00:07:46,160 Speaker 1: think yes, fining these companies, you know, having them have
122 00:07:46,320 --> 00:07:49,080 Speaker 1: some skin in the game is critical, but I think
123 00:07:49,080 --> 00:07:51,960 Speaker 1: at the bottom line is that you need belts and suspenders.
124 00:07:51,960 --> 00:07:55,320 Speaker 1: You need multiple systems in place so you don't have
125 00:07:55,360 --> 00:07:59,360 Speaker 1: a situation where one person in a company's failure to
126 00:07:59,440 --> 00:08:02,240 Speaker 1: tell other people to make a patch can result in,
127 00:08:02,360 --> 00:08:06,200 Speaker 1: you know, hundred and forty five million people having their
128 00:08:06,320 --> 00:08:10,960 Speaker 1: personal information breached. That was certainly a surprising Thank you
129 00:08:11,000 --> 00:08:14,000 Speaker 1: both for being on Bloomberg Law. That's David Stone, a
130 00:08:14,040 --> 00:08:17,119 Speaker 1: partner at Stone and Magnanini, and Craig Newman, a partner
131 00:08:17,120 --> 00:08:19,240 Speaker 1: at Patterson Belknap. That's it for this edition of
132 00:08:19,280 --> 00:08:22,560 Speaker 1: Bloomberg Law. We'll be back again tomorrow and hope
133 00:08:22,600 --> 00:08:25,000 Speaker 1: you will be as well. Thanks to my producer David
134 00:08:25,040 --> 00:08:29,080 Speaker 1: Sucherman and my technical director Charlie Bohmer. Coming up next
135 00:08:29,120 --> 00:08:32,360 Speaker 1: Bloomberg Markets with Carol Massar and Corey Johnson. I'm June
136 00:08:32,400 --> 00:08:33,960 Speaker 1: Grasso. This is Bloomberg