Karen Zacharia of Verizon. Photo credit: Diego Radzinschi/ALM.

Behind the massive breaches at Yahoo Inc. and Equifax Inc., U.S. lawmakers grilled executives from these companies on Capitol Hill Wednesday about what's being done to protect consumers from future incursions.

When it came to Yahoo, the focus for the U.S. Senate Commerce Committee was primarily on the August 2013 breach that impacted all of its approximately three billion users. Yahoo, which was acquired by Verizon Communications Inc. this year, was represented at the hearing by former Yahoo CEO Marissa Mayer and Verizon deputy general counsel and chief privacy officer Karen Zacharia.

Equifax's former CEO Richard Smith and interim CEO Paulino do Rego Barros Jr., meanwhile, were questioned about the cybersecurity incident announced earlier this year that affected more than 145 million U.S. consumers.

The company reps outlined the steps that have been taken by their respective companies to protect consumers, from improving processes to pouring resources into systems and personnel tasked with thwarting these breaches. But senators questioned whether these efforts are enough.

Attitude Change

After questioning Mayer, who was reportedly subpoenaed to appear before Congress, about what, if anything, could have been done differently to prevent the breaches at Yahoo, Sen. Bill Nelson pressed Zacharia about what steps Verizon plans to take going forward to better protect consumers.

To begin with, according to Zacharia, collaboration between companies like Verizon and government officials is needed to really get a handle on this issue. “Verizon, for example, has long believed that there should be national data security and data breach legislation and we would be happy to work with any of the senators here on what that legislation should look like,” she said.

Asked later by Sen. Roger Wicker about what this legislation would look like, Zacharia listed two requirements: First, there should only be one standard to comply with when there's a breach, she said. And secondly, Zacharia added, this standard needs to improve customer notifications “to make sure that we're not notifying them so often and about so many things that they stop paying attention.”

Security teams also have to understand that “security isn't static,” Zacharia told Nelson. “The attackers are getting better, the tools are getting better, the intelligence that we're gathering is changing. And so, as that's happening, we have to make sure that we're changing our security systems to improve and keep up.”

Nelson responded that while companies' intentions are good around cybersecurity, this problem requires more. “It's going to take an attitude change among companies such as yours, [an understanding] that we've got to go to extreme limits to protect our customers' privacy,” he said.

Conflicting positions?

In her opening remarks, Zacharia noted that “proactively enhancing our security is a top priority.” But this didn't sit well with Sen. Ed Markey, because of the company's role, which he called “instrumental,” in ensuring the Federal Communications Commission's internet privacy rules were repealed.

These rules, which were repealed earlier this year, would have required broadband providers to provide oversight of data security practices and to implement best practices for data security, Markey pointed out.

“Your testimony states that security has always been in Verizon's DNA … but Verizon actively and vigorously lobbied to eliminate these data security and privacy breach notification protections,” Markey said. “How are these two positions consistent?”

Zacharia reiterated that the company supports the idea of an overarching framework when it comes to data security and privacy, but the FCC's framework “was not that,” she said.

“Well, here's where we are, now we have nothing,” Markey responded. “As we sit here, we hear concerns about the need to have legislation. We had it. And it was going to actually work.”

Equifax CLO John Kelley … Again

Former Equifax CEO Smith has testified a number of times about the breach that was announced in September. With each visit to lawmakers, a theme in the questioning has emerged: the role of chief legal officer John Kelley III in the cybersecurity disaster.

Equifax's security department first became aware of suspicious activity on July 29, and in the following days, Smith previously testified, Kelley was informed of this activity, the FBI was notified of the incident and four executives, after receiving approval from Kelley's office, sold shares in Equifax.

The timeline has raised questions from more than a few members of Congress, and Wednesday's hearing was no different.

A special committee formed by Equifax's board of directors, in a Nov. 3 report, said the four executives had “received clearance from the appropriate legal department personnel prior to trading” and that neither Kelley nor his designated preclearance officer had reason to believe the executives in question had knowledge of the security incident.

What the report failed to mention, according to Sen. Tammy Baldwin, is that Kelley approved these stock sales around the same date the FBI was notified of the breach on Aug. 2 and that it then took almost two weeks, until Aug. 15, to impose a trading blackout.

“This is totally inappropriate,” Baldwin said. “Do you believe Mr. Kelley's failure to act was appropriate?” she asked both Barros and Smith.

Barros responded that it's “not my perspective to provide,” though he added that the special committee is continuing to review various aspects of the breach.

Smith, however, said it's “not an unusual step” for Equifax to notify the FBI of an incident. “It is not unusual for us to engage outside counsel, outside forensic experts—in this case Mandiant—or the FBI,” he said, adding that the company deals with millions of instances of suspicious activity in any given year.