priorities. we had strong support from mayor gray and his entire administration as well as the city council and congresswoman norton. .. needed to move forward. we also had strong relationships and collaboration with the business community here in the district. business associations who represent the small business owners here. and we also have strong support from the federal government and especially gary cohen and his entire team. on october 1, we opened for business. as you know, it was reported that we were one of four states that opened on time and did not go down. and we have not gone down. we are fully open for business and we welcome everyone, every individual who lives in the district, every small business that is in the district and now i look forward to serving many

of you and your staff and it was a great pleasure to be designated as a provider of health benefits to all of you. we had very strong partnerships with our insurance industry. we have four major insurance companies selling to small businesses through d.c. health link. and i think that the best insurance companies in the nation, aetna, united, care first blue cross/blue shield and kaiser. they offer 267 different products to small businesses, something for everyone. if you want zero dediuctible plan, it's there. if you want a high deductible plan, it's there. it's all price points. our carriers offer nationwide position and provider networks and very robust local and regional networks.

and we are very proud to offer full employer and employee choice. so when a small business comes in and it's very easy to create an account at d.c. health link.com is our web address, when a small business comes in, the small business decides how much to contribute and what options to offer to employees. for the first time a small business can offer the types of option that's only in the past have existed for the large employers. a small business can pick what to contribute and pick a level of benefits like the gold level and employees have 112 different products to choose from. and the small business gets one invoice. we clearly say how much the small business has to contribute. and how much to withhold from the paychecks of employees. we also did not -- we decided to take advantage of the private market innovation.

so we did not negotiate rates or benefits. we let the insurance companies compete and boy did they compete. after we made all of their premiums tub lick, one company came back in lowering their rates twice. a company came in and lowered the rates one. and eye third company came in and lowered rates and offered additional products. [ no audio ] when insurance companies compete, small businesses and individuals benefit from that competition. i want to note that -- >> will you try to wrap up? >> i just want to note and thank d.c. chairman better of commerce and the hispanic chamber of commerce and the restaurant association of the metropolitan washington area. they have been our strong partners. and they are part of our success.

i look forward to answering any questions you may have. >> thank you very much. before i start my line of questioning, i'd like to submit for the record a letter from the state of minnesota, the governor mark dayton who was a member of the senate. he quotes, and i'll put the rest in the record, "mn surs focus is to create a minnesota made exchange that best provides for the needs of minnesotans. virtually every health care organization, business organization, respected expert strongly supported our state exchange and designing something that would work for us." he couldn't be here. minnesota couldn't testify. but they have some excellent information. let me, and i'd like to submit to that to the record with no option. let me respond in my time first to my good friend and ranking member's reference to my not

supporting senator enzy's amendment. he can certainly explain his amendment. i want to say the reason i voted against it and every member of the democratic caucus is because it would have eliminated the cap on lifetime limits. people could exceed their limits and would have knocked young adults off their parents' plans which is one of the strongest features of the affordable care act. i say senator enzy can defend himself and his rebuttal. his bill, which i voted against and many democrats did not keep the promise it gutted the bill. now i have a bill that will actually keep the promise and last week in the house of representatives both republicans and democrats overwhelmingly voted to support some version of the keep your promise bill that would extend that for a year. that would help you because you

could actually keep your plan. so i want to put that in my record. the first question is to you, when did you start your current business? >> i just started february. >> so you've been in business nine months. and you're just starting. i want to put into the record that not only if my bill could pass and i hope can you support it or a version of it, you can keep the plan that you want. but if you chose to go to another plan, if you make 2$27 thou,5 hun -- $27,500 a year, you'll save $596. if you make $32,000 a year, your annual cost of your premium, even in north carolina where the state itself chose not to help

you by setting up their own exchange, they let it be set up by the federal government. so your state made that decision, not us. you would save -- you would pay every year $919 and you'd save $4,257. if your business makes $35,000 in your first year and it goes up to 40 or $45,000, your premium, you would still save $2,823. so i'm sorry that your exchange is not working well. but there are some benefits that hopefully you can come to appreciate as we move forward. let me ask you, miss kaufman, you know, d.c. exchange has gotten some very good feedback. as you said, both bipartisan, republican and democrat. it's understood. what would you say are the two most important features that caused your exchange to be so beneficial to your small

businesses? was it the way it was designed? was it the cooperative nature? what was it? and what would you recommend to others trying honestly to fix this and to make it work for their small businesses? >> thank you, madam chair. there were several elements that were critical to us. we wanted to build the xlafrpg from the ground up, community based effort. priorities, policies that we adopted were very much stake holder driven. and the decisions we made reflect the stake holders who were involved in helping us build d.c. health link. the other pretty call part to us is the huge choices that are available to small businesses. 267 different products, everything, hmos, ppos, no deductible, high deductible, everything from all of the major insurance companies. and our value proposition is we

want to make it as easy as possible to small businesses to be able to offer coverage and offer small businesses the kind of clout they never had in the past. and that as well as the business community in the district stepping up to the plate, putting politics aside and helping us make hard decisions and helping us to build this, d.c. health link to provide service that's small businesses need and want and are desperate for in terms of affordability and predictability and an opportunity to offer great options to their workers. it took a village and the small business community was a part of it. >> thank you. >> madam chairman, back to the enzy proposal again, i heard your explanation. you voted against it because it

eliminated lifetime caps that was required under obama care and eliminated the 26-year-old coverage which was required under obama care. but that this is exactly the point. you didn't promise us that if we politicians like your policy, we're going to let you keep it. you said if you like your policy, can you keep it. there were a lot of people that wanted to buy policies that cost less and that didn't have lifetime caps lifted. there are a lot of people that wanted to buy that didn't cover their 26-year-old. you didn't let us do that. and that is the problem. we are smart people. we can make our own decisions. we don't need the government telling us what we have to have. and that is the biggest complaint i get from idahoans, from americans saying why are you politicians and washington, d.c. constantly telling us what

we should do for ourselves? and that's the basic problem of all of this. whenever you try to socialize in the industry, nationalize an industry like it's been done here, it's never worked. it's been in tried in all sorts of countries and it never works. it's not going to work here. well, let me go over a couple other points. first of all, i want to ask mr. knoll, i'm told that there are -- have been 150,000 small group plans that have been canceled in your state. is that true? >> sir, i'm not familiar with the number there. the department of insurance is the agency that handles the mechanisms for that. i'll be glad to provide that information to you. >> i got it. they said there is 150,000 small group plans that have been

canceled. on the other side of the ledger, through november 8th, 309 have signed up again. that's a big problem it seems to me. we have 150,000 canceled and 309 signed up. >> certainly with the small group, it's to note that the open enrollment period that affects individuals is not the same with small groups. there is a continuous open enrollment period available to small groups. they can sign up any time during the year. >> it's really encouraging to hear you were one of five that made the rollout work on october 1st. >> in the morning of october 1st, bloomberg news was reported we were one of four jurisdictions. >> four? >> that went live without a glitch. >> that is really good to hear that they were able to sign up.

they were able to get on and do what they wanted to do. that is a really good thing. what is the population of the district? >> we are a small population jurisdiction. about 640,000. >> i'm told that in the first month with you up and running, no glitches, everything is working good and that kind of population you had five enro enrollees in the first month. is that true? >> no, that's not true. >> what is the number? >> i can provide your office with the exact numbers. we did issue most recent numbers as of november 13th. we had close to 700 employer accounts created. in terms of individual who's completed their applications, both for premium reductions and full premiums, we were at about 1,350 for full price

applications. and close to 2,000 for reduced price. each application could be a familiar live ten. we only count applications. in terms of account holders who collected a plan, over 1100 account holders selected a health plan. and 565 account holders said they wanted to be invoiced to pay. now they're not required to pay until december 15th. so i just want to make sure that people who are residents of the district are reminded of that. we're not asking for people to pay early. we're just -- if they want coverage to be effective january 1st, they do have to make their payment by december 15th. >> so my calculations then is you're a little under 1% signed up of the population of the district. would that be fair? >> i can provide you better numbers. right now folks who are shopping and making decisions, there's a

lot of activity through dchealthlink.com. i'm encouraging small businesses to take their time selecting health insurance. it is not an easy decision. and if you're not not working with a broker who can help you through it, you really do have to take your time. i can tell you as a former insurance regulator myself, insurance is very complicated. consumers who get 150-page document which is their insurance contract which has the exclusions and what is included is very complicated. so although we've made it much easier through our web page to shop and compare apples to apples, we provide four-page coverage summaries that make it much easier than before. it is still not a quick decision. we encourage everyone to take their time. >> thank you. senator booker, let me welcome you to this committee.

let me welcome you to the united states senate. i look forward to your leadership. you've already been a champion of small business. you're a perfect person to join us in our effort to help them. >> thank you very much. >> thank you. this is such an important issue for the state of new jersey that i'm very grateful to have the opportunity. i want to thank all the panelists. i wish we had more time. i look forward to reading more of your testimony submitted into the record. mr. greenblatt, first of all, i appreciate your jersey connection, a guy who vacations in jersey and you have some jersey boy aura to you. i want to say to you first and foremost as the geologists say, you rock. and you rock not because of your

jersey connections, i feel the kinship of you and any the last month have come to washington. you goat go home, i think. i'm going to stick it out here and battle it out. you deal with prague in a tichl that i have to deal w i cut 25% of my employees as a mayor. the reason i had to cut so much is because health costs were going up, my taxpayers couldn't afford it. i have to balance a budget every year. so do you. the challenge that you have which i've seen working with local manufacturers in my city that i want to expand is that you said you export products to china, right? you're competing globally, right? i like you a lot. and when you compete globally, you're competing against countries in europe and asia and across the globe, right? and many of those countries have different health care systems and most of those countries, most of our competitor nations have much lower health care costs, right?

>> it's parts of the system. their taxes are 15%. our taxes are 40%. it makes it challenging to compete with canada. >> i want to compete with canada in every way except in toronto. their mayor has challenges there. so my point to you is that your pragmatism i love. because this is not about politics. it's not about the pugilism that is row found in washingtonment it's about solving problems, lowering costs, giving access and small business people like you want to keet with the big boys, right? >> absolutely. >> and what i see in my city is many folks have a hard time keeping employees who could he's gloi to other companies and have better insurance plans. you probably know of people that will go to companies and get less salary for better health insurance. >> i think that is one of our positive attribute that's we have such a good plan. >> so the key here, the goal here is to make sure that we take this variable which has made small businesses get so crushed in the past and helps

them be more competitive not only in keeping employees locally but also competing against other countries that have lower health care costs. they have lower health care costs. and you're competing against them because you internalize the costs and manufacture the companies don't. right? >> right. >> so that's the flag ma ticpra. i don't care about the next election, i care about solving the problems. they may not like politicians, but most people are saying fix this thing. so mr. hickey, who has no new jersey connection, i'm sorry -- you do, sir. in my last 90 seconds, sir, would you please -- you're well down the field. you have a functioning exchange. you heard the good jersey boy mr. greenblatt and mr. allen's problems. you could please tell us what the future could look like for them and how to solve the very real problems they brought up? >> number one, put together an

exchange board that is from both sides of the aisle. but as you say, they care about the people of new jersey. our board has people -- >> i don't know -- sorry to interrupt you, i don't know if you heard about my governor, he is quiet he and soft spoken, but did he not participate in the exchanges. we have one of the best local insurance based knowledge there is and we didn't engage in that, new jersey. we left it to the federal government. so we're way behind new kentucky. not a place we want to be in new jersey. but continue. >> and that board being made up of people even though they were vitriolic against the aca, once they got on that board, they said we have an obligation, a duty to the people of new mexico and we are going to make this work. >> right and left coming together. >> right. >> and we all came together. we have a great chairman. he is also a doctor. we all came together and we met and we met and we met and we resolved the issues. and we hired an excellent ceo and we hired a company of

previous private exchange ven r vendor, a shop in the box is what we call it. and it already works. and we knew it would work. and so that was -- >> and my time expired. people are hurting now. we have to fix this before the next election. i appreciate you showing us a way forward. >> thank you, mr. chairman dr. hickey. >> senator enzy? >> i didn't anticipate getting into my congressional review act, but since it's been brought up several times. i will. one of the reasons that it included some things that you would prefer not to have in it is when the federal register is published and says that there's going to be this huge kst and people losing their insurance even though the president promised that if they like their insurance they can keep it, your choice isn't to pick from the things in there. you have to reverse the whole regulation, the whole regulation would have made it possible for people to keep their insurance if they liked it. so you had -- also have a very limited time to be able to bring

up a congressional review act and have that kind of a forced eight-hour debate and up or down vote on regulation. they could have made it so that people could keep their insurance if they liked it provided it didn't have the two things. that's not how it works. there hasn't been any effort in the meantime to do that. now that it's been exposed. there is a tremendous effort and interest and senator johnson has a bill that would comply with what i think the chairman said would be acceptable to go ahead and fix it so that people who like their insurance could keep it. although, it should have been done three years ago. so the insurance companies would have had the opportunity to adjust to the time.

to have their stuff together for this particular time. i think it would have helped out businesses. there are three change that's i'd like to make in obama care and if we made those three changes, it would make more of a difference in jobs in the economy than the stimulus package did. one of those is to change the hours for part time from 30 to 40. and that is the standard by the small business administration. and this is the small business committee. so i would hope that we would do that. i had a ten step plan for fixing health insurance before the president ever became a senator. and one of the things is small business health plans. we had an opportunity to do that. that would allow small businesses to group together through their association, any association across state lines, nationwide so they'd have a big enough group they could infectively negotiate with any

insurance company. there is another proposal that would have allowed them to self-insure on those big groups. those would have provided a lot of advantages for small business. those are not available. small business owners of wyoming are asking me what can be done? wyoming didn't do an exchange. it's less populated than the district of colombia alom colum. we only have two insurance companies that are interested in serving there. we only had two provides providing prescriptions until we bid prescription part d. one of the things that surprised us, 48 companies wanted the business in wyoming. even though it is a small populated state. and what was the effect? before the law even went into effect it dropped prices by 25% and gave people choices.

we could have had that same thing here. but we don't. i want to thank you all for the testimony you had. i had some pretty specific questions that i would ask. just quickly, mr. allen, you mentioned that drugs cost 52% more because of the name brand requirement? could you give -- expand on that a little more? >> yes. >> the difference in premiums to go to the new policy that includes brand name drugs, the difference in the premium is 52.3%. >> and none of your employees are using brand new drugs? >> yes, i did a poll among my employees and not one single person is presently taking or plans to nay any pharmaceuticals that are available only as a

brad name product. >> thank you. i think there are a number of great examples there. i appreciated mr. greenblatt. sometimes can you use a little stability in what the prices are going to be. he's not getting that under the exchange. i thank the chair. >> and i thank the senator from wyoming. senator shaheen just to put for the record and the senator knows, there are 576,000 people in wyoming, less than in the district of columbia. one chose the exchange, one chose not. senator? >> thank you very much thank you for holding the hearing. thank you all for being here. i'm sorry i missed your spoken testimony this morning. but i do think it's very important for all of us to hear from small businesses and in new hampshire, 96% of our employers are small businesses. it is a foundation of our

economy. and the frustrations that you have shared are ones that i think everybody on this panel appreciates and shares in terms of how to make this law work and what we can do better. you know, one of the biggest concerns that i have heard from new hampshire small businesses is about the costs of health care and mr. greenblatt, you and senator booker engaged in a back and forth on that this morning. but small businesses currently in new hampshire pay 18% more than large businesses because of administrative costs. so finding a way to address the challenges that you face is going to be critical. and, you know, looking at what we can do to fix this legislation, i think, is very important. and in that vain, i offered a bill that would delay open enrollment in the individual market because that is the immediate problem that we're facing in new hampshire. and i did that because we want

to make sure that people have time to enroll. now fortunately with the shop exchanges, that's an on going opportunity. but new hampshire, like wyoming, like a number of other states, also has not chosen to do a state exchange. and so we are very much struggling with what's happening at the federal level. i wonder for mr. knoll and miss kaufman as you have participated in state exchanges that are working, if you could talk about the reaction of those businesses that have enrolled in the shop exchanges and the district of columbia and in kentucky. and how they're feeling at this point about the product that they're getting. mr. knoll, maybe you would go first. >> sure. as you're aware, the enrollment process in the small group

exchange, the shop exchange, is really a two-step process. the first step is the employer themselves will come to the exchange and shop and try to determine which plans they want to offer to their employees. once they go through that process and pick the plans that they want to offer, then the employees are given a 30-day open enrollment opportunity to go online and pick the one they want. so the -- it takes a little longer in the shop to really get to the point where you actually are enrolling. so that process has to be completed. that is the open enrollment period for the employees has to be completed. we had a participation requirement in kentucky that says that 75% of the employees have to participate.

if they don't, then the employer -- so that takes time. we've gotten to the point where now employers have selected plans and the open enrollment period is on going. employees can come in and choose. and then, you know, so what i'm trying to say is it's difficult to say how that's all going to happen. it's predicting the future. so we are very, very encouraged about the numbers. i mean we've had over 93 employers that have gotten to the point where their employees are now picking plans. >> great. thank you. >> thank you. [ no audio ] -- so this is the first time they can offer coverage to their workers and themselves because

if the workers aren't covered, it's likely the owner isn't covered either. so one small business was very excited about that. another small busy spoke to on october 1st said the owner said based on his quick review of all the products, he'll save 12%, at least 12%. at that point in time he has not made a decision of the products he wanted to offer. another small busy spoke to said they were very happy not to be paternalist paternalistic. they can let their employees decide which hmo or ppo or insurance company to select. anecdotally, small businesses i have been talked to have been very, very pleased with the product offerings, the range of offerings and the prices. >> thank you. >> thank you very much. senator johnson, thank you for joining us. >> thank you, madam chair. in solving any problem in negotiation, first thing you want to do is figure out what

can you agree on. there are a couple things i can agree on with you right off the bat. we need to fix this bill. and there's a lot to fix. secondly, it sounds certainly in your opening statement that you're giving states a lot of credit and we're having real problems on a federal level. i agree. the federal level i don't think has any capability of doing this. the states are far better, far better place to start solving this problem. i want to start my first question with mr. knoll. did kentucky need a 1600 page bill and 20,000 plus pages of regulation to do this small business exchange? quickly. you could have done it on your own, couldn't you? >> we tried to do it back in 1990, early 90s. >> you didn't need a federal bill, did you? did you really need a 1600 page bill and 30,000 pages, 20,000 pages to do this in new mexico? [ no audio ] >> we had a 60 page bill

creating the xhapexchange. >> again, i'll stipulate. another thung we agree on. i think small business exchange is a good idea. it is sharing the risk pool. >> right. we had a supportive republican governor doing it and a democratic legislature and they compromised on this bill. and we moved right out of the gate. i think states are a great place to start. >> you know, to paraphrase senator booker this is about solutions. it is really about recognizing reality. it's about telling the truth. in fact, the fact of the maer is the american people have not been told the truth. let us atalk about costs. we were guaranteed if you pass this law, the costs for an average family plan would be reduce by $2500 per year. miss salt der a great job. i want to ask you because you have the exact experience. if you have health care plan and

you add patient services, is that going to increase the cost or decrease it? >> if i have one now? >> yeah? >> it will increase. >> yeah. dr. hickey, if you add emergency hospital services to that, is that going to increase the cost or decrease it? >> they're automatically covered. >> again, if you -- in other words, if you add coverages to health insurance plan, is that going to increase the cost or decrease the cost? >> that generally will increase the costs but the state, again, coming back to the state, the state had the authority under the federal bill to decide what essential benefits were going to be covered. >> but again, i'm just talking about the truth of what promises were made here. we were promised that the health care law would actually decrease costs. but all of the added costs, all the added coverages, all the added mandates have increased costs, correct? >> sir, if i could point out to you that 25% of the premium that you pay today goes to cover the uninsured. and the services they get from wherever they get it from.

so that, i think, is where the opportunity once those people get covered the insurance companies will have a major opportunity to lower the costs. >> please let him answer. >> that's not what the business people are experiencing. >> please let him answer. >> i have limited time, i have to move quickliment i do want to talk about the other totally broken promise, the fraud. there is a massive fraud. if you like your health care plan you can keep it. and i do have that law. i appreciate senator enzy pointed that out if you like your health plan, can you keep it. the appreciate madam chair's attempt but her bill only covers those individuals participating in individual market where we are going to see, i believe, because of the increases in costs, 49%, 52% increase in insurance premiums, we're going to see a massive loss of employer sponsored coverage coming next year. and so i guess i would certainly encourage the madam chair to take a look at my bill which

actually is all inclusive. and it is not quite so onerous on or forcing insurance companies to do what they may not be able to do because of state regulators. i'd really like you to take a look at your law versus my law. i'd my law. i would love to work with you folks to actually start giving america the freedom and allow them to keep their ability to choose the type of health care plans they can afford that they want. thank you, madam chair. >> your bill guts the affordable care, mine fixes it. we'll talk about that later. >> thank you, madam chairman, first of all i want to give a quick update at one of our last hearings about obama care and small business. we had a very compelling witness, the owner of dot's diner. i followed up with him in response to his testimony. unfortunately it's gone from bad

to worse due to, he was forced to cancel policies he provided before, in particular, so that many of his employees could still be eligible for a subsidy on the exchange. now, he followed the law by giving 90-day notice. and he also asked and hired a consultant to come in and help his employees with the obama care exchange application. however, all the website problems have pretty much shut down their ability to purchase insurance on the federal exchange for now. the consultant is next coming in december 1st, which gives them two weeks to enroll. if his employees go to the individual market, they'll see an average premium increase of 54%. and if they can't get plans there on the exchange, they'll be 30 individuals who are previously happy with their employer based coverage who won't have any coverage.

so that's very real world but unfortunate update. in terms of questions, miss kaufman i wanted to ask you a few particularly based on congress and congressional staff going to the d.c. shop exchange under this special carve-out rule for congress. are there more than 50 members of congress or employees that will procure insurance on this d.c. shop exchange? >> i'm sorry, on all of the enrollment for employers is protected information and i'm not able to share with you any specific details about the congressional enrollment. >> based on the size of congress, 535 members, and the size of their employee base, would you expect that number to

be more than 50? >> more than 50 people enrolling? >> yes, i didn't understand your question. that's correct. the provision under the affordable care act that speaks of professional enrollment essentially overrides the small business size and that's how you're able to avail yourself of the same choices that small businesses have in the district. >> is there any other large employer, over 50, who gets the same treatment and gets to go to that exchange? >> at this time the congressional provision only applies to congress but in 2016 -- >> forget about the congressional provision. right now for '13, going into '14, there any other large employer who has that opportunity to go to the d.c. shop exchange or whose employees can? >> in the city we made a decision to limit the size of the small business market to up

to 50 workers. >> so congress is the only large employer who gets that special premium? >> it's a function of an one of the provisions in affordable care act. >> and is there any large employer who gets this huge subsidy well above the normal income base subsidies of obama care in that exchange? >> small businesses in the district are -- they also, many contribute 100% to the premium just as you've heard from other witnesses. small businesses, especially non-profits in the district provide platinum plus level of coverage to their workers and contribute 100% to the many -- many contribute 100% to the premiums so they do better than congress. >> depenthey have a clear distin between over 50 and under 50. are is there any other large employers, which means over 50,

who go to an exchange and go to the d.c. shop exchange at all or go there and contribute this subsidy? >> so, in the district, we do not allow larger employers to come in. in 2016, larger employers up to 100 can come in, starting in 2016. and then it will be a policy decision for the district whether or not to expand the d.c. health link to larger size employers. >> what in your opinion justifies this completely different and better treatment for congress? >> congress gets the same treatment as all small businesses in the district. you have the same -- >> congress isn't a small business. it's not under 50 employees. >> so by going through d.c. health link, you get access to everything that small businesses in the district get.

the broad choice -- >> my question. >> your time is up. >> justifies a completely different -- >> senator viter, your time is up. let me answer that question. the federal government is not a small business. the federal government is a large business and the federal government and congress employees, postal workers as you know very well because you've studied this issue very well, under the same as large businesses in america. and that insurance premium is shared between the worker and the government. their employer. now, that's not the subject of this hearing. we can talk about it. we've debated it. you've had ample time to debate it on the floor. let's take it to the floor. >> madam chair, can i briefly respond. >> no, you may not. >> can i briefly respond? >> i'll give you 20 seconds to respond because you have a lot of time on the floor on this issue and miss kofman has not. you can respond, miss kofman

does no have the time. >> congress is not a small business, it's a large employer and treated completely differently than any other large employer. and far better by being able to go to this exchange only large employer that's allowed to do that. by being able to get a huge subsidy, only large employer that's able to do that for this time period or any time soon. >> if your bill passes, the only large employer excuse me, welcome back. thank you very much. let's begin with our second panel.come if you'll briefly introduceu yourself. an would like to extend it for another 30 minutes. it's very important.me

most of the members have left it's vyfor senator vitter and myself. we'll get testimony on the record.rs if you would proceed, please.atr i'm sorry senator booker is also here. ceed, please -- i'm sorry, senator booker is also here. if you would introduce yourself briefly and begin. >> thank you, madam chair. good morning -- i guess it's afternoon by now, to you, chair landrieu. >> can you speak into your mike? it's uncomfortable but you've got to lean forward. >> okay. >> so thank you very much for inviting me here this morning. i'm fiphyllis borzi and here to

discuss the department of labor's activities related to communicating with small business about the opportunities and requirements that exist under the affordable care act. the department's employee benefits security administration is committed to helping small business and employees benefit from the law. the health insurance marketplace premium tax credit and notices to coverage options through marketplace are all designed to expand access to affordable health coverage. for small businesses, the small business health options program, the shop exchange, offers one shop stopping -- one stop shopping, sorry, to enable small businesses to find and compare private insurance options. it is administered by hhs and the states. the marketplaces will help individuals evaluate private

insurance options for coverage ee effective january 1st, 2015. the new fair labor standards act, gives employees information for coverage options available through the marketplace. and if applicable, information about their employer offered coverage. employers covered by the flsa are required to provide this key notice of coverage options to each employee, no later than october 1st, 2013. for all new employees hired after that date, employers have to provide the notice within 14 days of the employer's state date. although there's a statutory duty on employers to provide this notice, there is no fine or penalty under the statute for failing to do so. on may second the department issued technical release 2013-2 providing guidance on the coverage options notice and as well as model notices. we are increasingly using model

notices in an effort to be helpful to small businesses because a model notice makes the notice requirement far less burdensome. employers need to figure out for themselves how to comply with statutory requirements or hire somebody to help them. they worked with hhs and other sister agencies to develop the model notices and the model notice serves as compliance assistance tool for employers, but employers are not compelled to use the notices. there is one model notice and second one for employers who don't offer a health plan. these notices are posted on our website in multiple for mats for use by employers and also available in spanish. the two model notices make the process shopping for health care coverage easier for both employers and employees.

for example, the model notice for employers who offer health care coverage, deliberately contains more information that the minimum statutory requirements for this notice. why? because then employees will have more information about their coverage options inside and outside of the marketplace. this also creates efficiencies for employers because the extra information in the model notices matches exactly the marketplace employer coverage tool designed by hhs which is part of the single streamlined application for the coverage in the marketplace. this means that an employer who uses our model notice won't face additional requests for information from the marketplace about coverage with respect to the employee because the model notice satisfies both the flsa and hhs requirements. outreaching compliance assistance are very high priorities for epsa, we partner

with hhs, treasury, small business administration, using a multifacetted approach -- >> please try to wrap up. >> certainly, coordinated online information linked to other afgss and web nar trainings and compliance and participant assistance. we have benefit advisers available to small employers with compliance through the website and through our toll free hot line. i think i'll stop there. >> thank you very much. mr. cohen, please introduce yourself briefly and get into your testimony. >> thank you, chair landrieu and members of the committee. i'm gary cohen, serving as director of the center for consumer information and insurance oversight within the centers for medicare and medicaid services. thank you for your opportunity to discuss the many benefits the affordable care act provides. i was very pleased to hear from state partners from kentucky and new mexico and district of

columbia about the successes in building a small business marketplace at the state level. from the very beginning, we encouraged every state to set up their own marketplaces because we believe that the states were in the best position to create marketplaces in the way that vet the residents of their states. we have worked very closely every day with our state partners to help them stand up those exchanges and we take great pride in the success they've had. but i think it's also important to remember that the reforms of the afford anl care act are not just about the changes. they go beyond the exchanges to the entire small business market. as you noted, in your opening statement, madam chair, many small businesses that would like to offer health benefits to employees have faced significant challenges in the market as it exists today. premiums have been going up, double digit, 20 plus% every

year. small businesses have been charged 18% more for the same type of coverage that large employers pay. most importantly they were subject to wide variations and high volatility in premiums based on the type of work that the business did the health status and demographic characteristics of their employees. a small construction company would pay more than an accounting firm of the same size for coverage. small employers face significantly higher rates if they have older workers or more women in the workforce than others. because of the small risk pool, if even one employee became sick, rates for the entire company would skyrocket. the affordable care act is changing all of that and transforming this market. so most importantly, we're expanding the risk pool to all of the small business enroll ees in an entire state. we're spreading the risk among

all of those employers. we're saying that you can't charge more just because some people get sick or women. there are limits to how much more you can charge to people because of their age. because -- so the whole point of this, for the small business market to function more like a large group market has functioned. as you noted, where premiums have been significantly lower. in addition, what we've said, insurance should be real insurance, it shouldn't run out as soon as you have an illness that requires a hospital visit. it should provide the essential benefits that were determined by states and were pegged in most cases to what was prevalent in the small group market today. so these are not a whole bunch of new benefits that nobody had ever throughout about or wanted to have. this is what small businesses have today. that's the type of coverage that's real coverage so that

people don't find if they become sick and have to go to the doctor or hospital, you don't have that coverage. you don't have hospital coverage or prescription drug coverage. it's real coverage. >> now, in addition, the affordable care act created the small business health care tax credit to help smaller employers of 25 or fewer employees who insure -- who earn an average of less than $50,000 a year and if the employer pays at least 50% of the premium cost of their employees, they qualify for a tax credit. that has been in effect and hundreds and thousands of small businesses have already benefited from it. beginning in 2014. the tax credit increases to up 50% of the employer's contribution to their employer's health care cost. just want to touch very briefly on some things we've done to make sure that small businesses are aware of these benefits and options. in particular, we want to say, we have worked very closely with

the agent broker community and understand most small businesses do obtain coverage from a agent, using an agent or broker. we've done a series of many web nars and trainings for literally tens of thousands of agents and brokers who participated in those so they can understand how to participate in the shop exchange. and in addition, our regional offices have conducted many, many workshops and programs out across the country to inform small business about the benefit to the affordable care act. >> thank you very much. >> thank you very much. mrs. markowitz. >> chair landrieu and members of the committee, thank you for having me to discuss sba's efforts, i serve as agency's principle representative for illinois, indiana, michigan, minnesota, ohio and wisconsin. in this role i oversee sba

affordable care outreach through seven district offices in the midwest. america's 28 million small businesses are back bone of our economy, creating two out of every three new jobs and employeeing half of america's workforce. we're committed to providing entrepreneurs with the tools and resources they need to start and grow businesses. this includes an aggressive effort to ensure small business owners have the facts they need to make sound business decisions for businesses and employees. with the nationwide network of 68 district offices, sba is uniquely providing information on the affordable care act. we have participated in more than 1200 afford care act out reach events reaching over 68,000 small business owners and stake holders across the country. i have personally presented over health care forums and my team in region five participated in an additional 100 plus events throughout the midwest.

these events are often hosted in partnership with local chambers and other community organizations and enable sba so connect with a wide range of entrepreneurs. in conjunction with our federal partners at health and human services, the department of labor and other agencies, sba provides small business owners with the most updated information on the affordable care act. we continue to educate enprenewenpr enprenaurs and tax credits available for small businesses and enrollment details relative to the marketplace. i can't emphasize enough there's a great deal of misinformation about the health care law. in my travels i frequently meet with small business owners anxious and apprehensive about how the affordable care act may impact their business. when i speak at outreach events, many entrepreneurs often mistakingly believe they will be affected by the employer shared responsibility rules. i'm able to reassure them this is not the case.

in fact, 96% of all businesses and most of the businesses that i encounter in these sessions are too small to be impacted. of the remaining 4%, the vast majority already provide health care that meets the standards required by the law. when entrepreneurs have access to accurate information, they are able to have questions answered and letter better equipped to make decisions best for their unique business. sba promotes the benefits available to small businesses through the marketplace, whether it's a state-run exchange or federal program, they are designed to give small businesses with generally up to 50 full-time employees, the same purchasing power and options enjoyed by larger companies. while there's no requirement for employers to participate, the marketplace provides a tremendous opportunity for many small business owners who want to purchase quality affordable insurance for their employees. in addition to these efforts, they develop online and tool kit

that compliments our in person counseling activities and provides business owners with on demand access with the latest information about the affordable care act. we have created extensive online content at both sba.gov and businessusa.gov. they receive 2 million visitors per month. launched a direct e news letter which reaches more than 1 million subscribers. in participation with the small business majority, we have helped 35 affordable care one on one webnars for small businesses across the country. these popular online sessions reached 16,000 entrepreneurs and very well received. sba leverages are extensive resource partner network to help educate small businesses on affordable care act. earlier this year, we held a series of comprehensive web nar training for aur small business development centers and women's business centers and support counselors. working with 1 million entrepreneurs annually, they are

able to expand the affordable care act and in their communities. sba is committed to collaborating with federal partners and ensuring small business owners have the facts and resources this need to understand and benefit from the law. thank you for the opportunity to testify today. i look forward to your questions. >> thank you, our hearing has gone 15 minutes over time. but this is so important i want to continue the questioning. i think we've gotten a lot of valuable testimony on the record as we continue to try to fix and approve the affordable care act. let me ask all three briefly in my first question, we have the department of labor represented here, miss borzi, center for medicaid and medicare. the three of you are primarily responsible for helping implement the affordable care act at the federal level. there's undoubtedly justified criticism of what has happened

so far at the federal level and in those states where governors, mostly republican, but some democrats have refused to set up their own exchange and ask you to come in and do it. there's been some difficulties. so my question, what are you going to promise to do better? what are you working on specifically? i want 30 seconds each of you starting with you, mrs. mar markowitz and what can you learn to do a better job, starting with you? speako the >> .. what the sba is focused on is outreach. we continue more than ever to get the word out to small businesses. one of the biggest problems that we run into is a misinformation in the small business community -- >> which is purposely, i think in large measure. >> it is very prevalent. most of the rooms i walk into are filled with small businesses that are nowhere near the size that would be impacted by the

employer shared responsibility provision. and yet they are positive that they will be impacted by this. we cleared that up. >> just for the record, could you clear that up now, when you walk into a room, it's mostly filled with businesses that are of what size? >> well under 50 employees. >> are they affected at all? >> not at all. >> no business in america that is under 50 employees are affected at all by the employer shared responsibility? >> no, in fat, that in fact that represents 96% of all businesses and instead in addition to not being impacted by the employer share responsibility those 96% of businesses have access to new benefits and protections that they never have before. it can be a very negative perception of this act and they haven't begun to explore the benefits available to them because they are so confused by the misinformation. >> thank you. what we are doing and it won't surprise you is we are working hard to improve the on line experience and i'm pleased to

say that we have actually made significant improvements and i keep hearing every day more people are able to get through the application in a reasonable period of time and get involved in coverage and there's a story on nbc news today, the story about the health care.go outdated and i think it is. in terms of what i learned today i was really impressed by all the three states talking about the involvement of their stakeholder communities and i think we have done that but it's different at the federal level frankly but i think we need to work really hard to make sure we are working with the community the consumer community and small business community and so forth to make sure everybody gets the benefits of this law. >> ms. borzi? b. i have the same experience by colleagues have. i do a lot of small business roundtables and there's a lot of misinformation. not only did they not understand the employer responsibility penalty does not apply to them what i found a market will is

they don't understand the small business tax credit is already available and has been available since the law was signed. these are small businesses were trying to do the right thing by their employees which is give coverage. i know madam chair you are interested in the requirement that we administer. we are trying very hard to make sure that people understand that this can be an opportunity for small businesses to understand a little bit better about their responsibilities and i certainly will promise you that we will work closely with their staff and the staff and the other members of the committee to try to make the experiencexperienc e of having to fill out these forms clearer and easier. >> i appreciate that and my last few minutes i want to split the forms that the department of labor put out that i found very

confusing. newhart insurance marketplace coverage first of all it should have said and if you received this as an employer with under 50 people disregard it. it's not appropriate for you. over 50, this is -- so i'm going to submit something we have come up with that might be a more clear form and i hope that you all will work on that once the web site gets up and people can have a better walk-through experience because the consumer experience with this is extremely important. so thank you all very much and it will come back to senator johnson and then senator booker. >> thank you madam chair. mr. cohen and general what is happening to the premiums after taxpayer subsidies? what has happened to the insurance premiums of young healthy individuals under the affordable care at lenox b. i think they vary from state to state and even within region to

region. that'll think it's possible to make a broad general statement about that. >> i would like to enter into the record i guess the republican staff committee has put together a summary sheet of what has happened and for example the state of illinois somebody 27 years old and male experienced a 104% increase in female about 42%. >> could you clarify is that with subsidies or without? that's without subsidies that the bill has subsidies than that. so we won't be confused. >> the point being is the only only way that anybody is going -- not the only with the one that prevalent ways people will see their share of health premiums reduced is because taxpayers are going to subsidize their care. in wisconsin, let me finish manager appeared in wisconsin the cost of the male 27 years old will increase 125% and a female about 77%. a lot of that has to do really with the fact that we are

limiting the insurance premium rate on older sicker individuals and we are increasing the premiums making younger healthier people pick up that burden. isn't that correct? is in? is an redistribution? b. i think what we are hoping to do is increase the number of younger people who are actually covered because the rate is -- >> they are paying a lot more than they were currently paying an individual market. >> we are expanding the risk pool so we can spread their risk across the whole population that's the idea behind the law. >> mr. cohen let me ask you as an expert in cms when did you realize what the president was saying that if you like your health care plan you can keep your health care plan and if you like your doctor you can keep your document. did you believe that ever? >> the law provides issuers could continue grandfathered plants as long as they wanted to

into the future. the law was designed to enable what the president said to be true and it was up to the insurance industry to make decisions as they have in the past. >> let me explore that. my bill if you like your health plan you can keep it uses the exact same language in the bill. the problem with the grandfather clause in the affordable care acts as the i you can keep your plan as long as she totally change it. but we did is we took out these lines are totally change it. we didn't for some of those initial essential health benefits onto those plans so the fact of the matter is you can keep your plan unless he changed it. >> grandfather plants are not subject to the essential health care -- >> there are some things they are subject to. guaranteed issue. >> they are not. it's quite the opposite. you can add more people onto the grandfathered plan under the law. >> i'm not asking to add more people. >> guaranteed issue is what

you're talking about. >> lifetime maximums. we will get you the list of the changes required in that grandfather clause because we extract that in my bill. but anyway getting back to my question, did you believe that if people like their health care plan that would be up to keep it and nobody would lose their health care plan if they wanted at? >> i believe the law provided an opportunity for insurance companies to have grandfathered plants which promise to be true and that was also true that the large majority of americans who have employer-sponsored coverage were able to keep their plans. >> every american? for example did you realize that student risk pools, did you believe those would still be available after the implementation? before the affordable care at every american wasn't able to keep his or her health plan.

>> we are talking about the promise made if you like your health care plan you can keep it. i have a couple in wisconsin both cancer victims that have been dropped from a high-risk pool because it becomes obsolete january 1. you knew that as a health care expert, correct? b. the law does not require states to drop their high-risk pools or states to continue to high-risk pool so i don't think that was a requirement of the law. >> but you know those things would be gone. you really believed every american would be able to keep their health care plan and their doctor? >> there's nothing a lot that requires anybody to do that. >> i am asking if you believe that. >> i ate a leaf it's a private market solutions so it's not governed and mandated health care and it's up to insurance companies what products they offer. insurance companies were given the option the ability to maintain the existing plans if they do that and people able to

get those plans. >> are you surprised millions of americans are losing their health care plans? are you surprised by that? yes or no? >> i am not surprised around surprise. i didn't have an opinion as to what the market would do. i knew what the law provided. >> senator johnson thank you for sharing such clarifyinclarifyin g comments. senator booker. >> first of all i want to thank the chair. you held this hearing in a difficult time with a lot of political noise and nonsense in rancor and it reminds me of a great president who said it's not the man but that do are the could have been done or -- could've done better. it's not the man and the man in their arena. this time it's the women. thank you for holding this hearing to discuss practically what's going to help americans. i have a very simple question which is viewed by my first --

i want to form a new caucus already. what is going to go grow american businesses and help small businesses which as you rightly pointed out are the job creators right now. driving our economy right now. what was before, i don't want to go back. i'm not putting this country refers to go back to time and small businesses are getting crashed because they were losing good employees because they didn't have health insurance. small businesses were getting crashed because those that tried to step up to the plate and provide insurance in a globally competitive market were competing in countries who fix this problem with lower health care costs forcing small businesses to internalize this or prepare workers in the corner. we have got to figure out a way to fix this in a way that's going to grow and strengthestrengthe n small businesses. the idea itself is very good. we can find a way to create a

competitive business environment for small businesses so they don't have to worry about this fear. i agree with the ranking member. this is about freedom from fear and i know tons of businesses that lived in that fear. so i just, the one thing that has already been discussed, forget the rhetoric. practically you are seeing what i'm saying is that when you go around the state of new jersey there is so much confusion fueled by politicians and media folks about the facts. 96% of businesses are not affected here. and yet i have small businesses in new jersey you think somehow it's going to -- aren't even aware that there are federal subsidies to help them. and so in the state of mass confusion fueled by media and politicians please tell me from your experience what is the best

way to cut through all this -- that's a jersey term, and get to what the facts are. how can we get the truth to small businesses who need to be freed, liberated from fear and know how this actually could help them? anybody? >> well, thank you senator. you are about bringing things together. building bridges. >> this is true. you know it really is about outreach and education and bringing the focus onto the benefits available for the 96% of small businesses that are not only not affected by the employer shared responsibility but have all these benefits they can focus on because of the misinformation and that is what we as an agency are entirely focused on. we work with our partners and

hhs has been a great partner has had some other state partners. once the business gets rid of that fear that you alluded to which is very real they can focus on the fact that their tax credits. we are excited about exploring those for their business and they understand more about the broader reform and they can't be discriminated for having a diverse workforce for implying women, or sick or older employees. once a business finds out about the 80/20 rule and find the benefits are available to them because of this important reform they are excited about it and that is what we are doing creating more outreach and education. >> u.s. the relief even the excitement from real companies in utah nescafé are republican or democrat. i have seen with my eyes the relief businesses feel. could i ask you very pragmatically when you explain things is there anyone change practically that we could do here in washington besides listen to ourselves.

>> to help this bill get better than it is now? practically is there anything you could suggest that would help us committee? b. honestly what you are doing today is very helpful bringing the focus to the truth. i know hhs is working around-the-clock. in my outreach before the launch the focus on these businesses honest on the broader reform once they get to through the misinformation. after the lunch they surprisingly remained on that. they weren't focus on the web site issued by focused on the broader reform and how it impacts their business. the elephant in the room is the pricing and now that the launch has happened for the shop exchanges even though they may not be fully functional there is information. businesses can go away and do the analysis that will impinge libya research for their business. it's about information education outreach and getting the truth

out in cutting through the misinformation. >> just very quickly i would just add one of the reasons why the state's exchanges have been so successful frankly they have had resources available to do this outreach because under 1311 were able to give them granted we have been limited in terms of what we are able to do. >> why we limited? >> we don't have funding under the appropriation process to do as much outreach but to do as much outreach as we would like to do so that is one area we can work together in a bipartisan way just to get the facts out. that would be wonderful. >> ms. borzi the last word. speech is one thing. the thing that troubles businesses is uncertainty so there is lots of misinformation but there's also lots of uncertainty because we keep hearing it's going to be repealed and it's going to be changed and this is going to happen and that is going to happen. it's very important as all of us

go out to be able to say to small businesses this is what is going to happen because it's not just 96% of them are affected, it's that this fact can actually give you positive benefits like more choice, the ability to get coverage which you weren't able to get through your employees. >> thank you very much. this has been an excellent hearing and let me particularly thank senator booker. this has been an extraordinary first full hearing for you. >> you are his member your first. >> yes, you will remember this one and it's been an extra in a privileged to be here with you and senator johnson thank you for participating all the way to the end. i started this morning bye bye saying in a new this hearing would be full of a lot of strong opinions that i start this morning by saying as mark twain said that a lie and go halfway around the world before truth

gets out of bed and puts its boots on in the morning. this hearing was held to get the truth out about the benefits of the affordable care act, the small business and the challenges that are presented to us. as americans i think if we work together we can meet those challenges. the meeting is adjourned. lady bird johnson was the first wife of the president to become a millionaire by investing in and running radio tv stations in texas. what's your program saturday at 7:00 p.m. eastern on c-span and

live monday night at our series continues. >> during the president's historic trip to china mrs. nixon accompanied him. he noticed how mixes -- mrs. nixon was looking at a package of cigarettes that had pandas on them and she was admiring that. he said i understand you also admire the pandas at the zoo and she said yes i pay darling? he said we will make sure that you have pandas to go home with. it was important for her to uphold and support her husband. just tripping there would bring so much goodwill and it was as evidenced at the end of the trips were the news reports would come out and they would talk about the president but they would always say what a wonderful job pat nixon did. remarks now from fbi insider threat analyst kate randall. she spoke about the edward snowden case.

a conference hosted by the i.t. conference next. she described an array of factors that could lead i.t. to disclose classified information. [inaudible conversations] [inaudible conversations] my name is kate randall and i'm an analyst at the fbi.

in my bowl i handle insider threat incident response and provide analytical assistance to active fbi threat investigations. i also spearhead their indicator development program. within that program attracted grass to the extent of the incident or problem by breaking down critical components conducting research and applying advanced detection techniques against their datasets. i will have to preface my talk by saying that anything i'm about to say is my personal and professional opinion based off of my first-hand experience working this issue within the bureau. it doesn't necessarily reflect what the fbi's insider threat program is or is doing and doesn't reflect any policy or position of doj, fbi or u.s. government so if you disagree with anything i'm about to say don't hold that against the fbi and likewise if you are angered at the fbi for any number of reasons please don't hold that against me.

my chest is with this presentation are threefold. first i want to talk about the insider threat issue, but it is and what it means specifically highlighting how it is not a traditional cybersecurity or hacker problem. as i've interact with different enemies from government and industry academia and vendors i've seen there's a lot of inconsistencies and incongruence about about how t. about how to even define this issue so my hope for today is to provide a little bit more clarity about how to define this issue from the perspective of my own, someone who works these on a day-to-day basis. i wanted. i want to introduce multidimensional approach the concept of that, what it means him the necessity of incorporating something like that with an insider threat program and hopefully provide a few high-level examples of how one might try to implement some of these concepts within their own organizations. so the insider threat problem. i'm sure everyone here has heard of edward snowden, recent nsa

leaker, bradley manning video t. employee who leaked classified information from the wiki links web site and an fbi special agent who spied for their russian's for 20 years. not our finest moment and we are not too proud of that. these are showed me the most widely known insider threat cases but i think what is important is the issue itself is far more expansive and runs far deeper than any one of the single incidents are these isolated case studies. i think they are ever going to have any real chance at combating the insider threat problem we can't build our defense mechanism to get single case studies were specific actions. we can't just look at media activity because that is what bradley manning used. we can't only look at her system administrators who are proficient who are proven she's who are proficient users because experts note that a technical background. we really have to try to attack the issue from the root of the

problem and really understand what an insider threat means. along those lines, the core feature of an insider threat is betrayal. these are individuals who portrayed positions of trust and use their positions and legitimate access for illegitimate means. along that line the key factor is it is purposeful. there has been talk amongst the community about an accidental -- they are certainly utility and trying to create defense mechanisms against accidental insiders. what we doubt that the knucklehead problem. these are individuals who accidentally mishandle information or unwittingly caused damage to the organization. that is a fundamentally different problem than someone who is purposefully with malice and acting harm against your organization so for the purpose of this presentation and how i think the insider threat problem should be defined about really looking for the specific intent and malice.

though the insider threat issue has garnered a lot more support and a lot more noteworthy news in recent years because of some of the high-profile cases, it's one of the least the luminous problems that can have some of the highest impacts. the insider threats not only compromise sensitive government information that can have long-standing effects for a government or economy or international operations, they can also cause damage to the government, industry and it numbers and billions of dollars which i don't think anybody has that money to spare. the other key factor of the insider threat problem is that we really can't focus again on specific isolated situations. it's not about someone who is a spy for someone who prints a lot of data or in jack's mouth where into a system. in a way that those behaviors are enacted.

the insider threat problem as you can see can span from i.t. sabotage to fraud to workplace violence to unauthorized disclosure and the manifestations of that hundreds of thousands of different ways that a person can do that. if we solely focus on how a person is doing it without taking it back to the root of the problem we are probably not going to get anywhere. that is why think it's so important to really focus on what the heart of the issue is. in terms of how it happens, most people don't come into an organization with the intent to become a malicious actor. they are certainly people that can. hopefully those individuals can be mitigated at the forefront from secure hiring protocols and background investigations but most malicious insider started out just like everyone else. they evolve into malicious actors over time as a result of opportunities, triggered ms. factors and key

modifications -- key motivations. these are what we call motivators indicators. they exist at varying levels across the spectrum. it's about identifying what indicators, to what degree might cause someone to get to this point, the tipping point. basically what makes them go over to the dark side and that is what make the challenging problem because these risk factors exist all the time always for everyone. what is it that makes up for one person push them over the edge? the biggest thing that i want to stress today again is that this is not a typical cybersecurity problem. the insider threat by sheer definition goes against all traditional means of cybersecurity information assurance and data protection. where we protect her system networks and information from intruders and unauthorized activity. these are people who are within your organization and have

legitimate access to do the things they are doing. they're not locking the doors are setting up an alarm system to prevent a burglar from coming into their house. they are opening the door and shaking the guys hand and inviting him in for a beer and giving him the keys to your house wake on vacation. the fundamental difference between an insider threat and a typical hacker is we trust them with the most sensitive and proprietary information that our organizations hold and we trust that they will -- and as we all know and probably why you are here is they do. it's not a sole technical problem. insider threats can range in a spectrum of demographics tactical skill and subject matter expertise. so if you solely apply a technical response you are really not grasping the extent of the issue. there certainly insider threats that do have significant technical backgrounds that use technical backgrounds to penetrate and infiltrate the

systems and an act harms and steal information but that's only one component. there's a whole other sphere of different ways that these behaviors are manifested. when i first got into this business the most accurate yet depressing thing that someone told me about how to describe the incident of an insider threat problem is we are not looking for a needle in a haystack. we are looking for a needle in a stack of needles. i don't know how many people -- a pilot dadoes but it seems painful and pretty difficult in that highlights exactly what the problem is with the insider threat. these are people who look exactly like the person next to them. it's not necessarily about train to figure out what is wrong or what is different. it's about identifying what some of these indicators are red flags along the spectrum are trying to mitigate the exportation -- exploitation and incorporating monitoring or detection mechanism so you can see some of

these behaviors. it is clearly if they said a multidimensional problem so requires a multidimensional solution. if the goal of an insider threat program is to to detect deferred and distract you can take the twofold approach in how you combat these objectives. the first is and how you identify a problem. not only are insider threats themselves a multidimensional facet of the problem itself expands numerous subject matter sin incorporates numerous key players. it's not just a security or counterintelligence or information assurance problem. successful insider threat program implements the critical components from all of the key stakeholders and attacks the problem from all of these various perspectives to really get an understanding of what this problem is. and then second you can focus your efforts by looking at here people, your data and your threats.

knowing your people is the most critical aspect to any successful insider threat program and when we say no your people we really mean no your people. we are not talking about ip e-mail address usernames or work schedule. it's really about understanding who they are, what they do, who they interact with and what potential vulnerabilities they might have this says along that spectrum so that you can try to proactively prevent them from reaching the tipping point. in taking this approach we have come to adopt this threefold model and how you look at the whole person. it's a combination of cyber, contextual and social information that allows me to take the seat of a person and that is really where the power in attacking this issue comes from. cyberindicators being what you do on a system. your system activity or print behavior contextual being who

you are, your job role. taken to financial considerations you may have. how you react to different factors and stressors within your environment so you're coping mechanisms as they pertain to stress or your interactions with people in the workplace, getting a deeper understanding of who a person actually is. for cyberindicators again this is what people do on a system. this is helpful because it allows you to actually detect activity and interests or activities of concern. in order to do this obviously the first step is collecting information and people don't have robust insider threat programs you can set up audit logs from critical affectations and garner way to get an understanding of what you people are doing in the system. from their implement some already mechanisms because it's not just about having the information.

it's about identifying what is important. figuring out what activity might be of concern to you. it is most concerning to the annual budget report gets leaked to the media set up alerting mechanismmechanism s to detect any time somebody accesses the document or print that document or e-mail spec document. from there add more intelligence to those alert mechanism so if you're concerned about the bush report report being released at the meeting and 10,000 people have access to the budget report in on one day 9000 people print the budget report from personal experience it's a tough problem to deal with. you need to incorporate behavioral detection techniques. there's a huge fan of ways you can add intelligence to the alerting mechanisms. volumetric detection against yourself in smaller groups looking to see what might be different or what might be

applicable for a person, combining things together so if 9000 people print the budget document, i want to see who printed it and e-mailed it or who accessed it within a certain timeframe. just put in more context for things you are looking for. that is where you really get to the meat of the issue. contextual is who a person is. this is so important because you understand what your threats are. a lot of people don't think of it in this way because we want to trust the people next to us but they are our threats and when you're in a position of security or counterintelligence you want to mitigate those threats that you can't deny the threats sits among us. figuring out the best way to strike that balance between them. in identifying contextual risk factors that are commonly known

things you might want to gently want to gently look for. you want to look for those red flags that is manifested and exploited could lead someone to a tipping point. if you are looking for financial considerations, looking for individuals who might have some problems in their financial history or issues with their finances not because they are having issues with their finances but because if they were approached by a foreign intelligence service or competitor that could be catalysts enough to enable them to reach the tipping point. likewise for foreign nexus issues. if someone has strong ties to a foreign country it's not that we care that they are foreign. it's that they might have an allegiance to a country other than the united states which could then enable them to pass over the tipping point. it's about identifying some of these factors and thinking about the reasons why we are

interested in them in terms of how we protect our data and how to go about about that cliques within each agency organization they will be different ways you can tailor it to what is best for you and where you get this information from. some of the key ways to collect this information are background processes doing interviews normal security checks, self reporting mechanisms. basically anything you can do within the limitations of your own organization that can enable you to get at some of these static risk factors that might prove important. and then the psychosocial component, this is really the most underdeveloped components of the three spheres and in my opinion i think it holds the most significant. we recently conducted a study where we were trying to identify which psychosocial indicators were the most indicative of malicious insider behavior. one of the key findings from a

study which i think is one of the most interesting is that it really showed some of these more innate characteristics that might be the most diagnostic even across all three spheres. one of the indicators prevalent amongst the community's workplace disgruntlement. people who are angry to bad things. that is what we are told to look for it. i don't know if it's just the fbi but there are a lot of disgruntled people in the workforce in the government so it's really about again thinking about what are you really trying to look for? the premise behind that is that somebody might be upset enough at the workplace that they would enact harm. the true indicator behind that is the psychosocial indicator that is beneath the surface. you are looking for someone as a vengeful or retaliatory characteristics and that may manifest or be exploited as a result of a natural circumstances like workplace disgruntlement but the concept is to connect to people who work

in the same office that at the same exact levels of workplace disgruntlement but only one reaches the tipping point it becomes an insider threat. it's really getting out what to donate the surface level indicators. the large public that is as much easier to identify workplace disgruntlement than it is to try and identify personality features or characteristics of employees. so that is why this sphere is really a development in something that everybody sees the utility and collecting this information in figuring out a way to use this information because again it will prove that less valuable but it's about figuring out the best way to do it with the limitations, the feasible limitations comes illegal and sensitivity limitations within the environment. i think one of the best ways to do that as a starting point is to increase the training and awareness as a starting point within your organization's.

get people to understand what the true risk factors are and then enable and create some type of reporting mechanism, focused reporting mechanism so they have the ability to report these concerns should they see them. that obviously would enable, that would give us the opportunity to understand some of these things and figure out what the psychosocial indicators are. in addition to knowing your people from a cybercontextual cybersocial sphere you need to know your enemy. again it's a multidimensional report so you need a friday of perspectives. by knowing your enemy you are practically identifying the potential vulnerabilities which puts you at a much more effective position to defend against them. who is your enemy? is that a competitor or foreign intelligence service? what types of information that they be targeting?

how might they target these individuals and two by name by these high-value individuals within the organization? approach it from that perspective and put more stringent security monitoring on the people or things that your enemies might be most attracted to. also knowing your data, that same sense. one of the crown jewels of the organization, what is the most sensitive information that if compromise could be overwhelmingly damaging? in an ideal world we want to protect all of our information. we are all struggling with limited resources at this time so it's about starting by figuring out what is the most important information that i have an worse it's stored and what system? how does the system work likes to have access to it? breaking it down to that level is one of the best ways to start to protect information that is the most valuable within your organization. in implementing this

multi-dimensional approach the key factor is really aggregating disparate data sources and taking that information and funneling it in a central repository. robert hansen is obviously the poster boy if insider threats for the fbi. he certainly had numerous red flags and indicators and risk factors along the 20th spectrum that multiple peoplesoft. one person saw sexual deviants and another saw his history of security violations. another knew new about how sensitive his position was and what access to sensitive information he had. the problem is there was no one person person that sought with those things and when you take this approach with the red flags and indicators the red flags in isolation really don't mean much it's a combination of those red flags so that is why he went unnoticed for so long. no one person could see all of this information in one place

and make an objective obsessed -- meant assessment of this risk level. this is the last slight but i guess i will end with the unfortunate truth that there is no silver bullet. a lot of people are looking for the one thing you should be looking for, the one action, the one tool of technology that can solve this problem and unfortunately there is no silver bullet. i think if there is any silver bullet is the combination of all these different things. that is what's the most powerful in order to combat this problem. it's strictly not an easy task. there's a lot to look at and a lot to collect, lot of time and many resources put in place but it's such a large -- large and asked them to problem and can have some money damaging consequenconsequen ces that it's worth to the boding some resources. i know that my biggest pitch is

limited time and resources instead of putting all these resources into one aspect is about spreading that out and trying to get as much as you can across this sphere. as i have talked about over the last 20 minutes as the combination of information across this multi-dimensional spectrum that is going to give us any possible chance of combating the insider threat issue. that is all i have. [applause] questions? >> you mentioned the difficultdifficult y in developing the psychosocpsychosoc ial dimension. how much of what you have now for the industry has now is still anecdotal and how much of it is systematic studies? >> specifically for the psychosocial there has been a lot of research to look at some of the psychology.

there is a lot out there. the problem is there really are no studies or research that compare a look that great information to a comptroller compared to population to really see what is diagnostic because again what we are seeing he from the community is look for a narcissist, narcissism. i don't help anybody else has interacted with the fbi but finding a social agent who doesn't have a little bit of narcissism and them. i'm not saying it's not a good thing to be looking for but when you're in an insider threat program charged with proactively looking at here people if you start with narcissism you're not limiting your population by that much. similar with other risk factors as well and the same thing with the financial considerations and the foreign travel and foreign contacts. it's really about finding what is diagnostic. i had mentioned we conducted a study where we try to assess

some of the diagnostic features of those risk factors. we are in the process of drafting up those findings. prepublication review is a big thing so maybe in five years it will be out there. it's certainly something people realize the necessity of getting into it and i think in the next couple of years it's only going to garner more support. >> for the psychological indicators of someone turning, i can see there being a lot of potential data sources for intelligence from psychoevaluations and other interesting things, human resources and excuse my ignorance i don't know what the limitations or so i'm asking you what are the limitations in your ability to pool from those sources and utilize them for threat profiling? speaker1: of the biggest is

psychoevaluations. psychoevaluations are considered medical so they are protected under hit the loss and that has proved a huge barrier in all of the groups that i talked about how how to get that information. where i think the community is going is figuring out ways to take the diagnostic, that diagnoses and break them down so they are not clinical but you are still getting at the factors that are most important. again they are still alive -- to figure that out. you can't use clinical terms from the dsm. that is where you draw that line into medical territory. that is what one of the biggest challenges are. >> hi. he mentioned taking

reports from co-workers that observe things about people. is it of more value to have anonymous reports are to have the person named with the reporter is? >> a thing both prove beneficial actually. we certainly have a problem in that bureau. if there is large sense of camaraderie between her agents that might not enable someone to be more forthright when they are reporting something so an anonymous reporting system might work best in environment like that where you fear people want reported less it's anonymous. ideally you would like to know who is reporting it so you can then follow-up with them. i do think a critical aspect in any type of co-workers supervisor reporting mechanism is that nothing that is reported reported triggers any type of specific punitive action that's the biggest thing especially with some of the psychosocial

indicators and all of indicators. no one thing is meant to trigger anything so as the commendation of things. just because you have financial problems or your argumentative and abrasive in the workplace, that doesn't mean anything. it just means you might be a layer off and we might want to look into a little bit more. >> hi. a lease with human resources organization. my question is personality versus the narcissist's diagnosis that does not go to dsm because that is hip-hop but is personality at diagnoses wears these might not be? >> again we are still trying to figure out the best way to do that and there are limitations. in an ideal world we would like to -- clinical psychologist conduct tests on our employees and take that information and validate it and it's tested. as we just mentioned that is not a feasible option.

in my talks with other people within the community we have been throwing around the ideas of creating a reporting mechanism asking specific questions. not geared as if you think a person is narcissistic but asking about behavioral manifestations so if you are supervisor being able to answer a questionnaire that asks based on your knowledge on your interactions with her has a lease active argumentative or abrasive in the workplace? what are her and her actions like the co-workers basically getting at behavioral manifestations of the supervisors and necessarily providing his opinion, his psychological opinion of you but simply answering questions on things he has or has not observed in terms of what you have behaviorally after the workplace. i see that as being probably one of the most feasible ways to get at this problem because you

are taking out the clinical aspects. you are taking out any type of sensitivities of personality or psychology and solely linking how a person asked to what that might possibly mean. >> what do you go when someone goes critical in your indicators court? >> what do you mean when somebody goes critical? it's classified. i can't discuss that. we have a afraid of measures in place and a lot of other groups have similar measures. it's a struggle. that is one of the biggest struggles within the kmt is what you do. again even if somebody is 100% it doesn't mean they are malicious insider. it just means they have these risk factors. they could be further back on the spectrum and i think one of the things we try to promote

is the lines plugged into the h.r. department. it's not necessarily just about detecting that it's about to training. if someone triggers 100% thought we look at them and we can't determine that they have done anything about 100% no-space-on these risk factors. a person going through financial or marital problems are acting out in the workplace. we also like to use the analogy that is like rumble strips on the side of the red sea of a person going straight at some point they fare off. if we can identify when they start to tear off someone who who is 100% and push them back straight on the road by giving them resources through our h.r. department having our employee assistance program having somebody to talk to giving them financial help and things like that, that can also help to steer that.

>> can you speak to that data aggregation aspect of that? understand collecting data for multiple sources is getting how you get that data considering if you rely on your i.t. shop you are relying on the people that you are looking at. can you speak at all about that? >> yeah i mean you race a big problem which is something we deal with and every other program i have talked to deals with too. who watches the watchers which comes into play when you are getting this i.t. information or system information from your i.t. specialists. it's something that the community still struggles with. we have mechanisms in place to watch the watchers but it's a big problem. in terms of literally how you aggregate that data it takes a lot of building relationships with all of these other entities. that's nothing i'm saying is i talk to people within the community, that again is

a multidimensional problem. you have tons of stakeholders that you need to get information. it eats -- h.r. leads information for its counterintelligence information is a threat information of the personality involved with time to get that information proved pretty difficult. technically aggregating that within one central repository, that is kind of where it is if that answers your question. >> so, i would like to ask a question. there are studies out there to kind of bring forth these indicators. for example there are a lot of psychological studies that can be cited to profile or put that indicator in this

aspect rather than another one. can you shed light on that. >> yeah. there is certainly a lot of research out there. it's kind of oxymoronic but there's more research on the psychology side of things than there is on a lot of the cyberintellectual but we have more capabilities on the cybercontextual than the psychosocial. the research i'm aware of within the psychological community is there a lot of risk factors have been identified that solely focus on the bad population. these are the psychological elements of spies but again they have and compare that to try and understand what is diagnostic and again we get into the problems we discussed that we can't really attain the psychological characteristics from our employees to cut the ball of the sensitivities and issues involved.

there is a lot of research and it's about pushing it forward a little bit in terms of how to take that content and operationalize it. >> some of the characteristics he mentioned up there on the psychosocial or really cultural and there are cultural differences in the way people behave. do you take that into consideration when you do your analysis. >> again i'm not necessarily saying that we are doing all of this. it's in an ideal world. yeah that's an inherent issue when you delve into turning something that is so subjective trying to make it objected that they are inherent biases in terms of where you are getting this information from. if you are asking co-workers or supervisors to provide this information there's a bias there in terms of their opinion and as you mentioned but that they but that behavior might actually mean. if anyone is going to try to implement some of these indicators

operationally that is the key issue to keep in mind and i think where that ties and is the notion that there is no specific action from one of these things then you have to take all of this information with a grain of salt and ensure that you are not penalizing someone for enacting any type of punitive action on them solely because their supervisory ported that they were acting weird in the office which again could be a cultural difference. they are not talking to people because they don't feel comfortable with the cultural divide. it's tricky but if you implement something like this you have to be cognizant of how you use the information. >> just curious because of social media all over the place. how are you bringing

that data today or if you guys are bringing in that data today or in a programmed? >> social media information is simply something that is on everybody's radar. we are exploring it. that's the best i can say. [laughter] [inaudible] >> i am speaking from my experience with the fbi's insider threat programs are just looking at the fbi population, not anybody else and from my interactions with other groups, how they deal with their own employees. [inaudible] >> that is not my purview. i do know that with the

recent executive order and the note worthiness of the insider threat that the fbi does have a mission to reach out to industry. that is not something that i can speak about though, unfortunately. >> we have all these rules and regulations that we are supposed to share data. the only problem is when you share you become liable because it's how a person interprets what you are saying. is there anything in the standardization of an insider threat across the federal government and the dod so we could turn it around in give it to the commercial world, our mission partners quick. >> i think that is something we are still trying to put together. i am speaking from the fbi's program. what i know is between nci ex-and the fbi and the national task force who has the objective of

taking that executive order and breaking it down to the various government industry levels. again we can touch base off-line and make the point you in the direction of somebody who might be able to better answer that. yes, an unclassified e-mail. >> addressing the nonintentional insider threat in terms of knowledge from say things like e-mail fishing or dropped. [inaudible] >> we have -- we are addressing the issue. what i predominately focus on are those malicious insiders. we certainly have numerous processes in place to deal with spearfishing and individuals who are attacking our people that translates into the insider threat piece but i can't really touch base or talk about that

in this forum. ..