
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, issued the following statement today after the Special Counsel announced the indictment of 13 Russian nationals and three Russian companies for criminally interfering with the 2016 U.S. presidential election:

“The Senate Intelligence Committee, as a part of our bipartisan investigation into Russia's interference in the 2016 election, has been focused on uncovering and exposing the role that social media disinformation played in that effort.

“I'm glad to see that work vindicated today by the Special Counsel’s indictment of the ‘Internet Research Agency,’ the Russian troll farm that was a key component of Russia’s attempts to interfere in the U.S. elections in 2016, and which continues to spew divisive and false content aimed at undermining the United States. With this indictment, the Special Counsel and his team have taken an important step to hold Russia accountable.

“As we heard this week from the nation’s top intelligence officials, Russia is still using social media to attack our democratic institutions and sow division amongst Americans. In Tuesday’s hearing, I was frustrated to hear that there is still no one leading a coordinated, organized effort within the intelligence community to monitor and combat Russian disinformation campaigns on social media. As Vice Chairman of the Senate Intelligence Committee, I will continue pressing the nation’s intelligence leaders and the social media companies to be far more aggressive and proactive in responding to this threat.

“While platforms like Facebook and Twitter are allowing Americans to communicate and share ideas in ways unimaginable just a decade ago, we’re also learning that we each bear some responsibility for exercising good judgment and a healthy amount of skepticism when it comes to the things we read and share on social media.”

Sen. Warner has been a leader in recognizing the challenges posed by Russian use of social media. While companies like Facebook and Twitter initially denied that Russia used their platforms to influence the 2016 election, Warner publicly and privately pressed the companies to conduct thorough internal investigations of Russian misinformation and disinformation. In September, Facebook announced that the Internet Research Agency purchased approximately $100,000 worth of advertisements in connection with the 2016 election. Later estimates from the company found that as many as 150 million Americans may have been exposed to content from the Internet Research Agency. Twitter has also announced that at least 1.4 million people on Twitter engaged with content created by Russian trolls during the 2016 presidential election, and Google has uncovered evidence of Russian ad purchases and other activity on its platforms such as YouTube.

Russian use of misinformation and disinformation was the prime topic of the very first public hearing held by the Senate Intelligence Committee as part of its investigation. On March 30, 2017 – almost one year ago – the Committee held an open hearing on “Disinformation: A Primer in Russian Active Measures and Influence Campaigns.” On November 1, 2017, the Senate Intelligence Committee held a public hearing with the top legal officials from the three companies on “Social Media Influence in the 2016 U.S. Elections.”

In October, Sen. Warner introduced bipartisan legislation, the Honest Ads Act, to help prevent foreign interference in future elections and improve the transparency of online political advertisements.

###

Warner, Warren Introduce Legislation to Hold Credit Reporting Agencies like Equifax Accountable for Data Breaches

WASHINGTON — U.S. Sens. Mark R. Warner (D-VA) and Elizabeth Warren (D-MA) introduced today the Data Breach Prevention and Compensation Act to hold large credit reporting agencies (CRAs)—including Equifax—accountable for data breaches involving consumer data. The bill would give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs, impose mandatory penalties on CRAs to incentivize adequate protection of consumer data, and provide robust compensation to consumers for stolen data.

In September 2017, Equifax announced that hackers had stolen sensitive personal information – including Social Security Numbers, birth dates, credit card numbers, driver’s license numbers, and passport numbers – of over 145 million Americans. The attack highlighted that CRAs hold vast amounts of data on millions of Americans but lack adequate safeguards against hackers. Since 2013, Equifax has disclosed at least four separate hacks in which sensitive personal data was compromised.

“In today’s information economy, data is an enormous asset. But if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place,” said Sen. Warner. “This bill will ensure that companies like Equifax – which gather vast amounts of information on American consumers, often without their knowledge – are taking appropriate steps to secure data that’s central to Americans’ identity management and access to credit.”

“The financial incentives here are all out of whack – Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach,” said Sen. Warren. “Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax – and provides robust compensation for affected consumers – which will put money back into peoples’ pockets and help stop these kinds of breaches from happening again.”

The Data Breach Prevention and Compensation Act would establish an Office of Cybersecurity at the FTC tasked with annual inspections and supervision of cybersecurity at CRAs. It would impose mandatory, strict liability penalties for breaches of consumer data beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised and another $50 for each additional PII compromised per consumer. To ensure robust recovery for affected consumers, the bill would also require the FTC to use 50% of its penalty to compensate consumers and would increase penalties in cases of woefully inadequate cybersecurity or if a CRA fails to timely notify the FTC of a breach.

The Data Breach Prevention and Compensation Act is supported by cybersecurity experts and consumer groups:

“U.S. PIRG commends Senators Warren and Warner for the Data Breach Prevention and Compensation Act. It will ensure that credit bureaus protect your information as if you actually mattered to them and it will both punish them and compensate you when they fail to do so,” said U.S. PIRG Consumer Program Director, Ed Mierzwinski.

"This bill establishes much-needed protections for data security for the credit bureaus. It also imposes real and meaningful penalties when credit bureaus, entrusted with our most sensitive financial information, break that trust," said National Consumer Law Center staff attorney, Chi Chi Wu. 

"Senator Warner and Senator Warren have proposed a concrete response to a serious problem facing American consumers,” said Electronic Privacy Information Center President, Marc Rotenberg.

"This bill creates greater incentive for these companies to handle our data with care and gives the Federal Trade Commission the tools that it needs to hold them accountable,” said Director of Consumer Protection and Privacy at Consumer Federation of America, Susan Grant.

Sen. Warner has been a leader in calling for better consumer protections from data theft. Following the Equifax data breach, Sen. Warner asked the Federal Trade Commission (FTC) to examine whether credit reporting agencies such as Equifax have adequate cybersecurity safeguards in place for “the enormous amounts of sensitive data they gather and commercialize.” He slammed the credit bureau for its cybersecurity failures and weak response at a Banking Committee hearing with Securities and Exchange Commission (SEC) Chairman Jay Clayton last year. Similarly, in the aftermath of the 2013 Target breach that exposed the debit and credit card information of 40 million customers, Sen. Warner chaired the first congressional hearing on protecting consumer data from the threat posed by hackers targeting retailers’ online systems. Sen. Warner has also partnered with the National Retail Federation to establish an information sharing platform that allows the industry to better protect consumer financial information from data breaches.

To view a fact sheet about the legislation, click here. The bill text can be found here.  

###

WASHINGTON – U.S. Sens. Mark R. Warner and Tim Kaine (both D-VA) urged Federal Communications Commission (FCC) Chairman Ajit Pai to delay a planned December 14th vote to roll back net neutrality rules until an investigation can be completed into reports that internet “bots” – automated computer programs designed to pose as people – filed hundreds of thousands of comments to the FCC during the net neutrality policymaking process.

“A free and open Internet is vital to ensuring a level playing field online, and we believe that your proposed action may be based on an incomplete understanding of the public record in this proceeding,” the Senators wrote in a letter to Chairman Pai. “In fact, there is good reason to believe that the record may be replete with fake or fraudulent comments, suggesting that your proposal is fundamentally flawed.”

“Without additional information about the alleged anomalies surrounding the public record, the FCC cannot conduct a thorough and fair evaluation of the public’s views on this topic, and should not move forward with a vote on December 14, 2017,” the Senators continued.

“The FCC must invest its time and resources into obtaining a more accurate picture of the record as understanding that record is essential to reaching a defensible resolution to this proceeding,” the Senators concluded.

In addition to Sens. Warner and Kaine, the letter was signed by Sens. Maggie Hassan (D-NH), Jeanne Shaheen (D-NH), Sherrod Brown (D-OH), Bernie Sanders (I-VT), Ed Markey (D-MA), Catherine Cortez Masto (D-NV), Sheldon Whitehouse (D-RI), Tammy Duckworth (D-IL), Michael Bennet (D-CO), Richard Blumenthal (D-CT), Elizabeth Warren (D-MA), Gary Peters (D-MI), Patty Murray (D-WA), Amy Klobuchar (D-MN), Ron Wyden (D-OR), Tammy Baldwin (D-WI), Mazie Hirono (D-HI), Chuck Schumer (D-NY), Jack Reed (D-RI), Ben Cardin (D-MD), Dianne Feinstein (D-CA), Jeff Merkley (D-OR), Kirsten Gillibrand (D-NY), Angus King (I-ME), Al Franken (D-MN), and Cory Booker (D-NJ). 

The full text of the letter appears below. A copy of the letter is available here.

December 4, 2017

The Honorable Ajit Pai
Chairman
Federal Communications Commission
445 12th Street Southwest
Washington, DC 20554

Dear Chairman Pai:

We are deeply concerned by your recently released proposal to roll back critical consumer protections by dismantling the Federal Communications Commission’s (FCC) current net neutrality rules. A free and open Internet is vital to ensuring a level playing field online, and we believe that your proposed action may be based on an incomplete understanding of the public record in this proceeding. In fact, there is good reason to believe that the record may be replete with fake or fraudulent comments, suggesting that your proposal is fundamentally flawed.

To this end, we request a thorough investigation by the FCC into reports that bots may have interfered with this proceeding by filing hundreds of thousands of comments. Furthermore, an additional 50,000 consumer complaints seem to have been excluded from the public record in this proceeding, according to Freedom of Information Act (FOIA) requests filed by the National Hispanic Media Coalition. Without additional information about the alleged anomalies surrounding the public record, the FCC cannot conduct a thorough and fair evaluation of the public’s views on this topic, and should not move forward with a vote on December 14, 2017.

New York Attorney General Eric Schneiderman has spent the past six months conducting an investigation into the fraudulent comments, and found that “hundreds of thousands” of comments may have impersonated New York residents, a violation of state law. He further asserts that the FCC has not cooperated with requests for additional data and information. Data scientist Jeff Kao has also run an analysis of the public record, and estimates that over a million comments filed in support of repealing net neutrality may have been fake. These reports raise serious concerns as to whether the record the FCC is currently relying on has been tampered with and merits the full attention of, and investigation by, the FCC before votes on this item are cast. 

A transparent and open process is vitally important to how the FCC functions. The FCC must invest its time and resources into obtaining a more accurate picture of the record as understanding that record is essential to reaching a defensible resolution to this proceeding. As a result, we are requesting that you delay your planned vote on this item until you can conduct a thorough review of the state of the record and provide Congress with greater assurance of its accuracy and completeness.

Thank you for your immediate attention to this matter.

Sincerely,

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Ranking Member of the Senate Banking Subcommittee on Securities, Insurance and Investment, today pressed Uber CEO Dara Khosrowshahi on the company’s recent disclosure that hackers accessed the personal information of 57 million users last year.  Uber paid the hackers $100,000 to pledge to destroy the data – which included the names and driver’s license numbers of 600,000 drivers, and names, phone numbers, and email addresses of millions of riders – and did not disclose the hack to regulators or users until last week.

Warner posed the following questions to Khosrowshahi: 

  1. According to reports, Uber’s systems were breached after the attackers discovered log-in credentials to an AWS account used to handle payments. Why weren’t more robust access management mechanisms, including strong multi-factor authentication, enabled to prevent unauthorized access to passenger and driver data?
  2. Who conducted the initial investigation for Uber that successfully identified the hackers? What “assurances” were provided by the hackers to prove they did, in fact, delete the compromised data? 
  3. Unlike ransomware payments, in which payment is made to recover or regain access to inaccessible data or systems, it appears the motivation behind this payment was principally to prevent the public or authorities from learning of the breach. What rationale was provided by senior executives for covering up this breach?
  4. Uber has alleged that it was required to provide information relating to the breach and subsequent cover-up to prospective investors. Can you explain why Uber chose not to disclose the breach to drivers and users prior to, or at least at the same time as, a prospective investor?
  5. Reports indicate that Uber successfully “tracked down the hackers and pushed them to sign nondisclosure agreements.” While some information necessary to accomplish this could certainly have been gleaned from traditional digital forensic tools, these reports – combined with Uber’s past pattern of conduct – raise serious questions about how Uber was able to track down the criminals who breached Uber’s systems and blackmailed the company, and whether these actions might have constituted violations of the Computer Fraud and Abuse Act. As you know, no private right exists for companies to “hack back” those who compromise their systems. In the process of tracking down these hackers, did Uber or any authorized party acting on its behalf engage in unauthorized access of third party systems?
  6. Uber’s decision to identify the responsible parties and commit them to a non-disclosure agreement thwarts law enforcement’s ability to bring criminal hackers to justice. To the extent Uber had lawfully acquired information enabling it to identify the hackers who had compromised its systems, ensure they would abide by agreements to delete the data and not to disclose the breach, and transfer them $100,000, it conceivably had enough information at hand to assist law enforcement in the apprehension of these criminals. Why did Uber choose not to provide relevant forensic information to law enforcement and has this information been provided to law enforcement in the last week?

Sen. Warner is a former technology executive and the co-founder of the Senate’s bipartisan Cybersecurity Caucus. Sen. Warner is working to finalize bipartisan legislation to create a comprehensive, nationwide and uniform data breach standard, requiring timelier consumer notification for breaches of financial data and other sensitive information, and setting national data-protection standards for companies handling sensitive personal information. 

A PDF of the signed letter is available here.

###

Today, U.S. Sens. Mark R. Warner (D-VA), Amy Klobuchar (D-MN) and Claire McCaskill (D-MO) led a group of 15 Senators in urging the Federal Election Commission (FEC) to take immediate action to improve transparency for political advertisements online. Today is the final day of a month-long comment period considering whether the FEC should update rules that currently exempt many online ads from the requirements applied to political ads that air on television and radio.

###

WASHINGTON, DC – U.S. Senator Amy Klobuchar (D-MN), Ranking Member of the Senate Rules Committee, U.S. Senator Mark Warner (D-VA), Vice Chairman of the Select Committee on Intelligence, and U.S. Senator John McCain (R-AZ), Chairman of the Senate Committee on Armed Services today introduced the Honest Ads Act to help prevent foreign interference in future elections and improve the transparency of online political advertisements.

“Online political advertising represents an enormous marketplace, and today there is almost no transparency. The Russians realized this, and took advantage in 2016 to spread disinformation and misinformation in an organized effort to divide and distract us,” Senator Warner said. “Our bipartisan Honest Ads Act extends transparency and disclosure to political ads in the digital space. At the end of the day, it is not too much to ask that our most innovative digital companies work with us by exercising additional judgment and providing some transparency.”

“First and foremost this is an issue of national security – Russia attacked us and will continue to use different tactics to undermine our democracy and divide our country, including by purchasing disruptive online political ads. We have to secure our election systems and we have to do it now – the next election is only 383 days away,” Senator Klobuchar said. “This bipartisan legislation would help protect our democracy by updating our laws to ensure that political ads sold online are covered by the same rules as TV or radio stations – and make them public so Americans can see who is trying to influence them.”

“In the wake of Russia’s attack on the 2016 election, it is more important than ever to strengthen our defenses against foreign interference in our elections,” said Senator McCain. “Unfortunately, U.S. laws requiring transparency in political campaigns have not kept pace with rapid advances in technology, allowing our adversaries to take advantage of these loopholes to influence millions of American voters with impunity. Our bipartisan legislation would address this serious challenge by expanding landmark campaign finance law to apply to internet and digital communications platforms that command a significant audience. I have long fought to increase transparency and end the corrupting influence of special interests in political campaigns, and I am confident this legislation will modernize existing law to safeguard the integrity of our election system.”

Russia attempted to influence the 2016 presidential election by buying and placing political ads on platforms such as Facebook, Twitter and Google. The content and purchaser(s) of those online advertisements are a mystery to the public because of outdated laws that have failed to keep up with evolving technology. The Honest Ads Act would prevent foreign actors from influencing our elections by ensuring that political ads sold online are covered by the same rules as ads sold on TV, radio, and satellite.

The Honest Ads Act enhances the integrity of our democracy by improving disclosure requirements for online political advertisements by:

  • Amending the Bipartisan Campaign Reform Act of 2002’s definition of electioneering communication to include paid Internet and digital advertisements.
  • Requiring digital platforms with at least 50,000,000 monthly viewers to maintain a public file of all electioneering communications purchased by a person or group who spends more than $500.00 total on ads published on their platform. The file would contain a digital copy of the advertisement, a description of the audience the advertisement targets, the number of views generated, the dates and times of publication, the rates charged, and the contact information of the purchaser.
  • Requiring online platforms to make all reasonable efforts to ensure that foreign individuals and entities are not purchasing political advertisements in order to influence the American electorate. 

Companion legislation to the Honest Ads Act is being introduced today in the House of Representatives by Reps. Derek Kilmer (D-WA) and Mike Coffman (R-CO).

“The 2016 elections exposed glaring holes in our ability to police foreign intervention in US elections, and this bill is an appropriate, bipartisan disclosure remedy,” said Trevor Potter, president of Campaign Legal Center (CLC), and a former Republican Chairman of the Federal Election Commission. “Voters have a right to be fully informed about who is trying to influence their vote, particularly foreign powers whose motives are contrary to American interests. The Honest Ads Act gives voters, journalists, and law enforcement officers important tools to help root out illegal foreign activity. The transparency this bill aims to provide in the 2018 elections and beyond will protect and enhance the integrity of our elections, which are the most fundamental component of American self-governance.”

“Ensuring transparency and accountability remain encoded into our democracy in the 21st century has taken on new importance and relevance in the wake of the 2016 election. We hope this bill, which merits serious consideration, catalyzes an overdue public debate and substantive action in Congress and the Federal Election Commission to create platform parity for political ad disclosure across TV, radio, print and Internet companies. Opacity by design is not an acceptable status quo for the technology giants that shape public knowledge and discourse with limited accountability,” said Alexander B. Howard, Deputy Director of the Sunlight Foundation.

“The bipartisan introduction of the Honest Ads Act is an important step toward bringing American campaign finance law into the internet age, by ensuring that online political advertisements are subject to the same kind of disclosure rules that already exist for ads on television and radio,” said Lawrence Norden, Deputy Director of the Brennan Center’s Democracy Program. “At a time when hostile foreign powers are trying to exploit loopholes in our campaign laws to manipulate American elections, it is especially important for Congress to come together across partisan lines to strengthen our democracy. The Brennan Center applauds Senators Klobuchar, Warner and McCain for reaching across partisan lines to introduce this significant bill.”

“Americans have a right to know who is using political advertising to influence their votes and their views. As technology changes and political advertising shifts to online platforms, our transparency laws should keep pace. The recent revelations of Kremlin-connected influence operations on Facebook and Twitter underscore how important it is for Congress to take meaningful action. The HONEST Act is a critical step forward in enhancing the transparency of online political advertising. Common Cause commends Senators Klobuchar, Warner and McCain for their strong bipartisan leadership in introducing this important bill to bolster the integrity of our democracy,” said Karen Hobert Flynn, President of Common Cause.

As Ranking Member of the Senate Rules Committee with oversight jurisdiction over federal elections, Klobuchar has introduced legislation to improve the security of U.S. election systems and make commonsense improvements to election administration. She and Senator Roy Blunt (R-MO) introduced the bipartisan Stop Foreign Donations Affecting Our Elections Act to strengthen disclosure by requiring federal campaigns to use existing credit card verification protocols to help verify that online credit card donations come from U.S. sources. Klobuchar and Senator Lindsey Graham (R-SC) also introduced bipartisan legislation to help states block cyber-attacks, secure voter registration logs and voter data, upgrade election auditing procedures, and create secure and useful information sharing about threats. In June, Klobuchar introduced the Helping State and Local Governments Prevent Cyber Attacks Act to help combat foreign interference by providing state and local governments with the information and resources they need to keep our elections secure and improve voter confidence. 

As vice chairman of the Senate Select Committee on Intelligence, Sen. Warner has been at the forefront of the Committee’s ongoing bipartisan counterintelligence investigation into Russian interference in the 2016 U.S. presidential election. Warner also is the co-founder of the Senate’s bipartisan Cybersecurity Caucus. In addition, Sen. Warner is working to finalize bipartisan legislation to create a comprehensive, nationwide and uniform data breach standard, requiring timelier consumer notification for breaches of financial data and other sensitive information, and setting national data-protection standards for companies handling sensitive personal information.  

Senator McCain has been a champion of campaign finance reform for decades. As a lead author of the Bipartisan Campaign Reform Act of 2002, he has long advocated for transparency in the American electoral process.

###

“The SEC’s disclosure, which comes not even two weeks after Equifax revealed that it had been hacked, shows that government and businesses need to step up their efforts to protect our most sensitive personal and commercial information. Information has become one of our country’s most valuable resources, and control of that information comes with significant responsibility. The SEC should not retreat from its important market oversight role in order to limit its exposure to sensitive information.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), a member of the Banking, Budget and Finance committees and cofounder of the bipartisan Senate Cybersecurity Caucus, today asked the Federal Trade Commission to examine the recent cyber hack of credit reporting agency Equifax. Last week, Equifax publicly disclosed a breach which exposed sensitive personal information of 143 million Americans.

Sen. Warner requested an FTC investigation into the lapse in Equifax cybersecurity practices, and questioned the company’s widely-panned response to consumers potentially impacted by the breach. His letter asks the FTC to examine whether credit reporting agencies such as Equifax have adequate cybersecurity safeguards in place for “the enormous amounts of sensitive data they gather and commercialize.” 

Sen. Warner has been a leader in calling for better consumer protections from data theft. In the aftermath of the Target breach that exposed the debit and credit card information of 40 million customers, Sen. Warner in 2014 chaired the first congressional hearing on protecting consumer data from the threat posed by hackers targeting retailers’ online systems. Sen. Warner also partnered with the National Retail Federation to establish an information sharing platform that allows the industry to better protect consumer financial information from data breaches.

Sen. Warner has been working to develop bipartisan legislation to create a comprehensive, nationwide and uniform data breach standard requiring timely consumer notification for breaches of financial data and other sensitive information. 

The text of the letter is below and can be found here.

September 13, 2017

The Honorable Maureen K. Ohlhausen
Acting Chairwoman
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, D.C. 20580

Dear Acting Chairwoman Ohlhausen,

I write you in the wake of reports that one of the nation’s three major credit reporting agencies has suffered one of the largest, and potentially most impactful, breaches in recent history. According to reports, Equifax in May of this year experienced a breach affecting as many as 143 million consumers, with highly sensitive information such as Social Security numbers, driver’s license records, birthdates, addresses, and credit histories potentially at risk. This information – critical to opening a new bank account or taking out a loan – will expose Americans to identity theft, tax fraud, extortion, and other risks.

By streamlining and routinizing the collection of consumer reports and credit history, the Fair Credit Reporting Act in part enshrined the nation’s major credit reporting agencies’ role as arbiters of Americans’ access to credit, and even employment and residential opportunities. At the same time, Congress sought to ensure that these firms “exercise their grave responsibilities” with a “respect for the consumer’s right to privacy,” including through “reasonable procedures…with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information[.]” And Congress directed the Federal Trade Commission (“Commission” or “FTC”) to enforce key aspects of the law, including by treating violations of the FCRA as unfair or deceptive practices under the Commission’s Section 5 authority.

Today’s digital economy, in which data increasingly represents a key input, has only amplified the reach of these firms, and provided them with incentives to collect and centralize ever-growing amounts of sensitive personal information, and to commercialize this data in opaque ways. The volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize. 

As someone who has worked for several years with stakeholders and a bipartisan group of lawmakers on legislation to establish a comprehensive, nationwide and uniform data breach standard, I recognize Congress’s unfinished work in this area. I am hopeful that this recent development will help galvanize action among my colleagues in Congress to safeguard American consumers and our nation’s economic security.

At the same time, aspects of this breach raise questions about the data security practices of Equifax that implicate the Federal Trade Commission’s existing authority. In particular, press reports and cybersecurity experts have identified a number of security lapses, including in the days following Equifax’s disclosure of the breach, that potentially indicate a pattern of security failings.

While the precise details of the “website application vulnerability” exploited in the Equifax breach are not yet known, experts have pointed to a wide range of other lapses by Equifax – including in the wake of the breach – that indicate exceptionally poor cybersecurity practices. For instance, experts have pointed to an exceedingly broad attack surface, with thousands of domains and subdomains managed by Equifax across hundreds of network hosts. And security experts have identified a range of antiquated, unpatched, or otherwise vulnerable systems maintained by Equifax.

Equifax’s post-breach actions also raise serious concerns about the company’s data security practices. For instance, Equifax chose to register a new domain, Equifaxsecurity2017.com – but not in its own name. Reports also catalogued a litany of security mistakes, including use of potentially insecure content management software and improperly configured web encryption. These, and other lapses, resulted in a range of popular web browsers flagging Equifax’s site as a potential phishing or scam site.

Equally alarming have been Equifax’s procedures for handling customer inquiries. In order for a concerned consumer to determine if they may have been impacted, Equifax requires the consumer to submit their last name and six digits of their Social Security number. The security of this procedure is as questionable as its efficacy: researchers noted that entering the last name “Test” and the Social Security numbers “123456” returned a confirmed breach.

Similarly alarming, when concerned consumers elect to place a credit freeze with Equifax – something the Commission encourages them to do – the PIN that Equifax assigns to that consumer is a simple, non-unique timestamp (formatted as, for instance, “0910170930” for a user that submitted a request at 9:30AM on the 10th of September). Separately, experts have noted that Equifax’s central website, where American consumers go to set up credit account monitoring, features cross-site scripting vulnerabilities that would enable an attacker to execute malicious code to, for instance, redirect submitted form data (such as the Social Security number the Equifax site requests) to an attacker. 
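To make the PIN weakness concrete, here is an added Python example (not from the letter, and not Equifax's code) that reproduces the timestamp layout implied by the letter's “0910170930” sample, provides an audit check that flags PINs which parse as a plausible request time, compares how many distinct values that scheme can ever produce in a year with a ten-digit random PIN, and generates a CSPRNG-backed replacement. The exact MMDDYYHHMM field order is inferred from that single sample and is an assumption.

```python
import secrets
from datetime import datetime

# Layout inferred from the letter's sample "0910170930" (10 Sept 2017, 09:30);
# the exact field order is an assumption, not confirmed by Equifax.
TIMESTAMP_PIN_FORMAT = "%m%d%y%H%M"


def timestamp_pin(requested_at: datetime) -> str:
    """Reproduce the weak scheme: the PIN is simply the request time."""
    return requested_at.strftime(TIMESTAMP_PIN_FORMAT)


def looks_like_timestamp_pin(pin: str, years=(2015, 2020)) -> bool:
    """Audit check for a PIN store: does a ten-digit PIN parse as a
    minute-resolution timestamp inside a plausible year window?"""
    if len(pin) != 10 or not pin.isdigit():
        return False
    try:
        stamp = datetime.strptime(pin, TIMESTAMP_PIN_FORMAT)
    except ValueError:  # e.g. month 98 or day 34 cannot be a real date
        return False
    return years[0] <= stamp.year <= years[1]


def timestamp_keyspace(years: int = 1) -> int:
    """Distinct PINs the timestamp scheme can yield over `years` years:
    one per minute, so the guess space is bounded by the calendar, not by
    the ten digits the PIN appears to contain."""
    return years * 365 * 24 * 60


def random_keyspace(digits: int = 10) -> int:
    """Distinct PINs a uniformly random `digits`-digit PIN can take."""
    return 10 ** digits


def random_pin(digits: int = 10) -> str:
    """CSPRNG-backed replacement: independent of request time and of
    every other consumer's PIN."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


if __name__ == "__main__":
    weak = timestamp_pin(datetime(2017, 9, 10, 9, 30))
    print(weak, looks_like_timestamp_pin(weak))            # 0910170930 True
    print(timestamp_keyspace(), "vs", random_keyspace())   # 525600 vs 10000000000
    print(random_pin())
```

Run against an exported PIN column, `looks_like_timestamp_pin` gives a quick first pass for spotting this class of predictable PIN; the keyspace figures show why a ten-digit PIN drawn from a clock is roughly nineteen thousand times smaller than it looks.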

Taken as a whole, and given past breaches by other major credit bureaus, these lapses may potentially represent a systemic failure by firms currently incentivized to collect and store highly sensitive identification and financial data for Americans. The volume and sensitivity of the data involved – information critical to identity management and access to consumer credit – distinguishes this breach from many other breaches of consumer data. And in contrast to other breaches, where consumers might respond to the perceived lack of data security by taking their business elsewhere, those affected by last week’s breach in most cases do not have a direct consumer relationship with Equifax.

The implications of a breach of this magnitude are sobering, as this identifying data forms the basis for consumer credit and other financial transactions. Congress foresaw this threat in 1970, noting that failures of this industry could “undermine the public confidence which is essential to the continued functioning of the banking system.” In ways similar to the financial service industry’s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.

I respectfully request that you respond to the following questions:

1. Equifax is currently under a consent decree with the Commission for violations of the Fair Credit Reporting Act related to improper handling of consumer information. Does that consent decree provide the Commission with additional remedies in the context of Equifax’s data security practices?

2. Given the current inability of consumers to cease doing business with a credit reporting agency which displays an arguably cavalier attitude toward cybersecurity, should the Fair Credit Reporting Act be amended to provide the Commission authority to issue rules requiring credit reporting agencies to establish a way for consumers to “opt out” of having their information stored by a particular credit reporting agency?

3. In many cases, Equifax collects and maintains sensitive information about consumers as a service to other businesses. Under state data breach notification statutes, a breached service provider need only inform the business it provides service to about the breaches it suffers, and has no obligation to provide public notice that it incurred the breach. In recent breach incidents involving third-party service providers, some companies (e.g., Heartland, Experian, Anthem, etc.) have provided public notice that their breach affected consumers. Would the FTC support legislation that requires all entities suffering a breach of security that creates a significant risk of financial harm, to make public notice of that breach in order to ensure a more timely and effective form of notice?

4. Do you interpret the Fair Credit Reporting Act to include heightened data security standards and/or requirements, given Congress’s unique concern about the “confidentiality, accuracy…and proper utilization” of this highly sensitive data?

5. The Commission has suggested that consumers place a credit freeze with the three major credit bureaus. Does the Commission consider a timestamp to be a sufficiently strong PIN for unfreezing a consumer’s account?

   a. Has the Commission issued guidance to credit reporting agencies on adequate security and data protection measures associated with credit freezes?

   b. Should this guidance be updated in light of security concerns with the site Equifax maintains to process credit monitoring and freeze requests?

6. Should Congress limit the ability of credit reporting agencies to sell data outside specific contexts, such as credit, banking, and employment inquiries?

7. Does the Commission hold lapses in data security practices in response to a breach to a higher standard than data security practices related to the breach itself?

8. Do adequate incentives to use reasonable data security practices, or penalties to deter unreasonable data security practices, exist to counter-balance the profit incentives to collect, centralize, and maintain large quantities of highly sensitive personal information of American consumers?

The American people deserve to know that their government is serious about learning from and responding to this truly concerning incident, and that it is taking all appropriate steps to help ensure it cannot happen again. Your response will be critical to this process, and I look forward to receiving that within the next two weeks. If you should have any questions or concerns, please contact my office.

As always, I appreciate your service in this important role. Thank you for your timely consideration of this matter.

Sincerely,

MARK R. WARNER

United States Senator 

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), a former technology executive, Vice Chairman of the Senate Intelligence Committee, member of the Senate Banking Committee, and cofounder of the bipartisan Senate Cybersecurity Caucus, released the following statement on today’s announcement from credit reporting firm Equifax that a data breach could have potentially affected 143 million consumers in the United States:

“The recent news that one of the largest credit reporting agencies and data brokers in the U.S. suffered a breach involving over 143 million Americans is profoundly troubling. While many have perhaps become accustomed to hearing of a new data breach every few weeks, the scope of this breach – involving Social Security Numbers, birth dates, addresses, and credit card numbers of nearly half the U.S. population – raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans. It is no exaggeration to suggest that a breach such as this – exposing highly sensitive personal and financial information central for identity management and access to credit – represents a real threat to the economic security of Americans.”

Sen. Warner has been a leader in calling for better consumer protections from data theft. In the aftermath of the Target breach that exposed the debit and credit card information of 40 million customers, Sen. Warner in 2014 chaired the first congressional hearing on protecting consumer data from the threat posed by hackers targeting retailers’ online systems. Sen. Warner also partnered with the National Retail Federation to establish an information sharing platform that allows the industry to better protect consumer financial information from data breaches.

Sen. Warner has been working to develop bipartisan legislation to create a comprehensive, nationwide and uniform data breach standard requiring timely consumer notification for breaches of financial data and other sensitive information.

###

Sen. Warner Pushes FTC to Protect Children's Data Security with Internet-connected “Smart Toys”

In second letter to agency, Warner highlights high-profile examples of smart toys that have jeopardized privacy of children and their parents

May 22 2017

U.S. Sen. Mark R. Warner (D-VA) today sent a letter to the Federal Trade Commission (FTC) asking the agency about its efforts to protect children’s privacy following several high-profile instances of children’s data being hacked.

Following Cyber Attack at OPM, Warner & Collins Introduce Bipartisan Bill to Improve Government Cybersecurity

The FISMA Reform Act would Strengthen DHS Authority to Prevent and Block Cyber Attacks on .gov Networks

Jul 22 2015

Following the recent cyber-attack at the Office of Personnel Management which compromised the personal information of at least 22 million individuals, U.S. Sens. Warner, Susan Collins (R-ME), Dan Coats (R-IN), Barbara Mikulski (D-MD), all members of the Senate Intelligence Committee, and Kelly Ayotte (R-NH) and Claire McCaskill (D-MO), members of the Senate Homeland Security and Governmental Affairs Committee, introduced bipartisan legislation today that strengthens the Department of Homeland Security’s authority to protect federal civilian networks.

Warner Asks IRS to Work with OPM to Protect Hack Victims

Expresses concern that federal employees could be vulnerable to tax-related identity theft; 2.9 million incidents of tax-related ID theft occurred in 2013

Jun 23 2015

Sen. Warner today called on the Internal Revenue Service to work with the Office of Personnel Management to protect federal employees from tax-related identity theft following a pair of security breaches of OPM’s personnel database that exposed the personal information of millions of current and retired federal employees.

Warner Questions OPM's Handling of Credit Monitoring Contract

OPM hack victims have complained about accessibility and quality of service provided by credit monitoring contractor CSID; Senator also raises concerns that contract was not properly awarded by OPM

Jun 19 2015

Sen. Warner today wrote to Office of Personnel Management (OPM) Director Katherine Archuleta, raising concerns about the performance of the contractor OPM hired to provide credit monitoring services and identity theft protection for victims following the data breach at the agency affecting at least 14 million federal employees.

The Senate Select Committee on Intelligence today passed the bipartisan Cybersecurity Information Sharing Act of 2014 by a vote of 12-3. The bill includes an amendment by Sen. Mark R. Warner (D-VA) that would require the Intelligence Community to produce a comprehensive accounting of the threat from cyberattacks and cybercrime.