
Key Capitol Hill Hearings, CSPAN, February 4, 2014, 8:00am-10:01am EST

8:00 am
funds from loss reserves, tax consequences, that's what have a tax code, et cetera, et cetera. it's part of what's being in business. >> goals are a way of helping to make sure that the public support for the housing system actually serves a public policy, which is to serve the american public. and what's really interesting is you go back to the 1930s when the current modern housing finance system was structured. it was not structured for the
8:01 am
wealthy, it was structured to make american society homeowners. and now we're in 2013, and it's only the wealthy who have access to the conventional market. and we need to be much more aggressive about thinking through one of the appropriate measures to use such that the government's backstop, whether it's fannie or freddie or private institutions, actually serve a public purpose which is to build home ownership across the income and across the racial spectrum in america. >> you know, i'm not as intelligent as the three of you to be able to remember all six questions david asked -- [laughter] >> that's why we're answering just one. >> but i think your question was, you know, with interest rates rising, is that going to create any urgency? i don't think it creates urgency around gse reform. rates are still incredibly low, and even if they go to 5 or 5.5, it's historically low. so i don't think that impacts affordability tremendously. it certainly impacts the monthly
8:02 am
payment. i don't think that's going to have anything to do with driving anyone to make a decision around gse reform, nor do i think it should because it's just the wrong reason to try to fix that system. we have to think through the right way to do it. >> i do think, though, bill, that there's a number of things that are occurring. the fed window is about to close making money -- well, not close, but making money more expensive. >> tapering, sure. >> a rather brilliant article from a writer who talked about on average there'll be 50-75 basis points increase if fannie and freddie were to disappear just alone. a brilliant author -- [laughter] >> not an economist. >> that's not an economist. i do think that if there isn't this affirmative obligation to really see to it that a broader spectrum of people have access just the supply and demand there's going to be less demand because there's not going to be a place to sell those loans. qm, you know, a tighter box.
8:03 am
a 5% down payment on top of what qm decided not to do, and who knows what will happen with qrm, the qualified residential mortgages, where the even greater standards will be added to that. we'll see. all of those are contributing to a more expensive environment for people at a time when real wages are not going up, the economy's stagnant. i'd be worried if i was in your industry, frankly, about just the demand for product and how affordable that's going to be. on the other question he mentioned, this was a good point, transparency and goals. i think that's been one of the problems with the fannie/freddie goals, they have these goals on serving geographic areas on income and a special goal that combines the two. it would be better if that was more transparent about who's getting it. there's some discussion about whether the goals were padded. there probably was some padding, but it really did go to low and
8:04 am
moderate income people and underserved communities. there's no reason we can't be transparent on that. when we rename these organizations -- was it emerson and taylor? [laughter] i know, i know. but that we, we see to it that it's very clear about who they're serving, and it's transparent, quantifiable. i think that would be extremely valuable. >> frankly, i forget where we are in the questions, david. that was a lot to absorb. let me, while you're looking, let me throw out a question -- >> request the only other question was about the utility model. >> oh, yeah. so i have had occasion to think about, and there are scale economies and securitization which suggest that -- and let me step back. in the new system envisioned by the bipartisan policy center,
8:05 am
corker-warner, i think crapo-johnson, the delaney-carney bill that's been introduced in the house, the notion is you're going to have a new government guarantor called, you know, the federal mortgage insurance corporation, and then you'll have private parties taking first loss in front of the government guarantee. and the question is, so the question is a policy matter, and as a financial stability matter, does it really make sense to have a whole bunch of people competing for that first loss guarantor position? aren't they just going to drive credit standards down to try to make their capital go further, and respect we just -- isn't competition going to introduce, ultimately, instability back into the system and undercapitalization to the system? so wouldn't we be better off saying, okay, we're going to have a government guarantor that provides a guarantee that allows a 30-year fixed rate mortgage to survive?
8:06 am
and we're going to have a private company regulated as a public utility with a fixed rate of return on its equity and fixed leverage levels to provide the front end on the securitization, to provide pooling of loans from all over the country. maybe with affordability goals and regional and geographic diversification requirements. and with, and with, and setting standards for servicing of those loans. and so rather than have, you know, the wild west of competition in the private guarantor business, we have a front-end regulated utility model for the guarantee. so capital, returns on equity and leverage levels are fixed. because there really are, there are scale economies in this business that ultimately will lead to fannie and freddie, to two entities doing this.
8:07 am
>> so, first, i want to thank all our panelists and ken for really letting us go. i know i kind of feel like that -- >> you're a challenge. >> i know. >> you're a challenge. >> i am. [laughter] i was drawn that way. but in any case, look, on behalf of ncrc, i really appreciate all who came and for seem listening. i would say that there's at least three takeaways for me that stood out both in this panel and other panels. one is that we don't break something that we don't fix properly. we don't want to muck up a system of mortgage finance and end up with something that puts us in a much more precarious situation. there's no question that the whole system of housing finance, it really matters whether it's about building wealth or whether it's really stimulating, what did you say, jim, 18% of the economy? it's really important we get
8:08 am
this right. i think that's the way jim and mark zandi said it. so one takeaway. the other takeaway is whatever we do, we need to make sure that we have a system that ensures that all creditworthy, working class americans who have the ability to pay on a mortgage, that they have access via the private market. and that, and that those that need help beyond that, that there be a fund funded like the trust fund in the capital markets fund, and that that ought to occur. and that third point is that some of that can occur right now. and the encouragement is given the new appointment, the approval by the senate of mel watt to now be the director of this agency and run the conservatorship, he is in a position to do things that could have an immediate impact and a very helpful impact. and, again, it's all about creditworthy borrowers being able to access mortgage products through the market. and fannie, it's funny, if you
8:09 am
were to talk to a lot of people, people think fannie and freddie are government agencies. they're government sponsored. they're shareholders that actually did pretty well. they're private companies. and it's like the only example, i love it, of republicans spending so much time trying to do away with a company and complaining they made too much money. it's like where else do you hear that, you know? but i appreciate the conversation and the contribution that all our panelists have made both on this panel and on the previous one, and i hope that we've advanced the understanding particularly for middle america of what's at stake here, because this is one of the single most important issues that gets talked a lot about in this town, in washington, d.c., but not a lot out there. and, but people feel impact already, the difficulty in getting access to mortgages, the constriction of the market. all this is related to this conversation. so we really do have to get this right so that people who are willing to work hard play by the
8:10 am
rules, pay their taxes, have access to decent quality, sustainable mortgages. so thank you very much for your attention, and thank you for all your help, everybody. [applause] >> thank you. [inaudible conversations] >> coming up on c-span2 this morning, a hearing examining recent consumer data breaches. and live at 10 a.m. eastern, the senate returns for work on the farm bill conference report. >> senior officials from target and neiman marcus testified today before the senate judiciary committee about the recent security breaches at their stores. the committee is examining ways to protect consumer financial information. live coverage starts at 10:15 a.m. eastern on c-span3.
8:11 am
>> federal marijuana policy is the topic of a house oversight subcommittee hearing today. the director of the white house office of drug policy testifies at 1:30 p.m. eastern on c-span3. >> you're watching c-span2 with politics and public affairs. weekdays featuring live coverage of the u.s. senate. on weeknights watch key public policy events, and every weekend the latest nonfiction authors and books on booktv. you can see past programs and get our schedules at our web site, and you can join in the conversation on social media sites. >> the secret service's lead agent for cyber investigations testified monday about recent security breaches at target and neiman marcus stores. this hearing of the senate banking subcommittee on national security is an hour, 45 minutes.
8:12 am
>> i call to order this hearing of the national security and international trade and finance subcommittee. titled safeguarding consumers' financial data. i'm going to go ahead and introduce the two witnesses now and then make a brief opening statement, see if senator kirk is here, make an opening statement since we've got two panels. if my colleagues don't mind, we'll go straight then to let our witnesses give their presentations, because we've got, this is a subject that has generated an enormous amount of interest and very appreciative of both the panels. in the first panel, we're going to hear from mr. william bill noonan who is the deputy special agent in charge of secret service's criminal investigation division, cyber operations.
8:13 am
in this position he oversees the service's cyber portfolio. he has over 20 years of federal government experience. throughout his career he has initiated and managed high profile transnational fraud investigations which involve the theft of data and intellectual property from financial institutions and government institutions. welcome. ms. jessica rich is director of the consumer protection division at the ftc, she has been director in charge of the division of financial practices and assistant director of the division of privacy and identity protection. she joined the ftc as a staff attorney more than 20 years ago. welcome, ms. rich. this is a subject that has garnered a lot of public attention recently, and i think as somebody who spent still a longer career in technology than i have in government, this is a
8:14 am
area that i think is going to, we're going to see an exponential rise in consumer interest, press interest and others as we try to get our arms around a challenge that is only going to grow in terms of all of our lives. in recent weeks we've heard of massive data breaches at target, neiman marcus, michael's and other retailers. for example, at target alone more than 40 million cards were compromised. up to an additional 70 million other consumer information was taken. not only were the card sticking, but if the cards were not taken, data was compromised as well. we had to make clear that while we're talking about specific retailers, this is not a witchhunt about any particular retailer's actions or inactions.
8:15 am
honestly, i think we will see and i know from my role in the intel community, this is a crime that have instantly to financial institutions, retailers, at a level that most americans would find rather confounding. i at one point had a much longer statement, but there are three areas i think we need to focus on. as we sort through this issue, we need to understand that we don't need another -- i do not need, at least, long-term fight between the bankers, retailers, and the card industry. many of us up here have gone through these challenges. a repeat of that kind of delay in getting a solution serves no one. the hackers in russia, china,
8:16 am
ukraine, throughout the world are not waiting for america to get its act together on this issue. they are continuing to strike us every day. to better protect consumers, our financial institutions, the networks and merchants should work together to continue to innovate on antifraud technology. as i said, the public cannot afford a year or multiple years of legislative battles like we saw. every minute of every day the hackers and cyber thieves are attacking our vulnerabilities. second, somebody who spent a career in technology, in many ways this is fundamentally a technology problem. and technology can provide part of the solution. we've already seen data that shows the card system, protection system used in europe, the so-called chip and pin system, is much more effective than what we have present in the united states in terms of the swipe system. in terms of preventing fraud at
8:17 am
point of sale. but we should not assume that any single technology is a silver bullet solution. technology, as we all know, will continue to evolve on a weekly, monthly basis, and we have to continue to stay ahead. matter of fact, we've seen in europe that while the chip and pin system dramatically decreased, for example, in the u.k. the amount of fraud and cyber theft at point of sale, we saw a dramatic increase then in online fraud and cyber attacks. so i hope we're able to discuss technology solutions not just chip and pin, but as we look, for example, on the online issue, i think there's enormous promise in this emerging field of tokenization which can provide a more encrypted solution set not just for point of sale, but for other solution sets. let me say, again, we're not here to endorse any specific
8:18 am
technology products or services, but, again, i think this is an area where we need great collaboration. third, government has a role to play. industry has a role to play. but as consumers, we need to be more vigilant as well. consumer financial exposure is more limited with credit cards. here is my personal debit card. i'll try to hold the numbers back a little bit. but i have to tell you, until a few weeks ago, i didn't realize that my debit card protections aren't as great as my credit card protections. i'll let the record show i did not show the numbers on the other side. but that even with debit card protections, there are -- with this challenge around debit card protections, we've got to see if we can, perhaps, look at raising those standards to at least equaling credit cards. debit cards' use is growing like mad. transactions tripling since
8:19 am
2003. and, again, i think we look, i think about my kids who have got debit cards and a lot, large portions of the underserved community use debit cards. they're going to be a fact of life, and we have to figure out a way to sort that through. and finally, i think while we talk about one of the most frightening things that i heard was i sorted through this and thinking about cards and protecting consumer privacy, in many ways we've focused so far on the challenge around protecting credit cards and debit cards. but the real potential exposure we have is that people can actually get into our bank accounts or online transactions that we all do more and more online banking and other services. that offers an area where there are very few protections at this point and almost unlimited liability for consumers. so one of the challenges we have is, yes, we've got a role for industry, we've got a role for government, but we all have a role as americans to make
8:20 am
sure you take that extra protection to occasionally change your pin number, never reveal your bank account information number, that you constantly report if you feel like there's been instances of fraud. this is a role that all americans are going to have to pay continued, increased vigilance in. with that, i'll ask for opening comments from my friend, senator kirk, and then we'll go to the witnesses. >> mr. chairman, i would just put a face to this crime that we're talking about. albert gonzalez, if you could hold that up. albert gonzalez was convicted in 2010 of stealing 40 million credit card records that he made so much money, he even bought his own italian island. now serving 20 years in prison. and that is in line with legislation that i'll be introducing that calls for a 25-year federal minimum mandatory for the theft of a
8:21 am
million records or more. just to say to ever do this in a massive scare good-bye, you're off to prison for a significant portion of your life. looking for bipartisan cosponsors. >> i think that the question of enforcement has got to be an area we focus on. i think there'll be some bipartisan interest. all right, with that, again, i look forward to an exciting and robust discussion, and mr. noonan, if you want to start, and then we'll go to ms. rich. >> good afternoon, chairman warner, ranking member kirk and distinguished members of the subcommittee. thank you for the opportunity to testify on behalf of the department of homeland security regarding the ongoing trend of criminals exploiting cyberspace to obtain sensitive financial and identity information as part of a complex criminal scheme to
8:22 am
defraud our nation's payment systems. our modern financial system depends heavily on information technology for convenience and efficiency. accordingly, criminals motivated by greed have adapted their methods and are increasingly using cyberspace to exploit our nation's financial payment systems to engage in fraud and other illicit activities. the widely-reported data breaches of target and neiman marcus are just recent examples of this trend. the secret service is investigating the recent breaches, and we are confident we will bring these criminals responsible to justice. however, data breaches like the recent events are part of a long trend. in 1984 congress recognized the risks posed by increasing use of information technology and established 18 u.s.c. sections 1029 and 1030 through the comprehensive crime control act. these statutes define them as
8:23 am
federal crimes and explicitly assign the secret service authorities to investigate these crimes and support the department of homeland security's mission, through the efforts of highly trained special agents and the work of a growing network of 33 electronic crimes task forces which congress has assigned the mission of preventing, detecting and investigating various forms of electronic crimes. as a result of our cyber crime investigations, over the past four years the secret service has arrested nearly 5,000 cyber criminals. in total, these criminals were responsible for over a billion dollars in fraud losses, and we estimate our investigations prevented over $11 billion in fraud losses. data breaches like the recently-reported occurrences are just one part of a complex scheme executed by organized cyber crime. these criminal groups are using increasingly sophisticated technology to conduct a criminal conspiracy consisting of five
8:24 am
parts. one, gaining unauthorized access to computer systems carrying valuable, protected information. two, deploying specialized malware to capture and exfiltrate this data. three, distributing the data to their criminal associates. four, engaging in sophisticated and distributed frauds using the sensitive information obtained. and, five, laundering the proceeds of their illicit activity. all five of these activities are criminal violations in and of themselves, and when conducted by sophisticated, transnational networks of cyber criminals, this scheme has yielded hundreds of millions of dollars in illicit proceeds. the secret service is committed to protecting our nation from this threat. we disrupt every step of their five-part criminal scheme through proactive criminal investigations. the defeat of these transnational cyber criminals through coordinated arrest and seizure of assets.
8:25 am
foundational to these efforts are our private industry partners as well as close partnerships with state, local, federal and international law enforcement. as a result of these partnerships, we are able to prevent many cyber crimes by sharing criminal intelligence regarding the plans of cyber criminals and minimizing financial losses by stopping their cyber criminal schemes. through the department's national cybersecurity and communications integration center, the nccic, the secret service also protects civil rights and civil liberties in order to allow organizations to reduce their cyber risks by mitigating technical vulnerabilities. we also partner with the private sector and academia to research cyber threats and publish information on cyber crime trends through reports like the insider threat study, the verizon data breach investigation report and the trust wave global security report. the secret service has a long
8:26 am
history of protecting our nation's financial system from threats. in 1865 the threat we were founded to address was that of counterfeit currency. as our financial payment system has evolved from paper to plastic, now digital information, so, too, has our investigative mission. the secret service is committed to protecting our nation's financial system even as criminals increasingly exploit it through cyberspace. through the dedicated efforts of our electronic crimes task forces and by working in close partnership with the department of justice, in particular the criminal division and the local attorneys' offices, the secret service will continue to bring criminals to justice. thank you for the opportunity to testify on this important topic, and we are looking forward to your questions. >> chairman warner, ranking member kirk and members of the subcommittee, i'm jessica rich, director of the bureau of consumer protection at the
8:27 am
federal trade commission. i really appreciate this opportunity to present the commission's testimony on data security. in today's interconnected world, personal information is collected from consumers wherever they go. from the workplace to shopping for groceries, from our smartphones to browsing the web at home, virtually every action we take involves the collection of information, some of it very sensitive. many of these data uses have clear benefits, but the recent spate of data breaches are a strong reminder that they also create risks for consumers. hackers and others seek to exploit vulnerabilities to obtain and misuse consumers' personal information. and all of this takes place against a backdrop of the threat of identity theft, a pernicious crime that harms both consumers and businesses. the bureau of justice statistics estimates that over 16 million people were victims of identity theft in 2012 alone. the ftc is committed to protecting consumer privacy and data security in the private
8:28 am
sector. since our first data security case in 2001, the ftc's data security program has been a strong, bipartisan effort that includes law enforcement, education and policy initiatives. the ftc enforces several laws that protect consumer data. under the ftc act, the agency can take action against companies that engage in deceptive or unfair practices including deceptive or unfair data security practices. the ftc also enforces several laws that require special protections in certain business sectors. in the credit reporting industry, among financial institutions and also among online services for our kids. in enforcing these laws and investigating potential data security failures, the commission recognizes that there's no such thing as perfect security and, instead, examines whether companies have undertaken reasonable procedures to protect consumer data from the risk of identity theft and other misuse.
8:29 am
since 2001 the ftc has used its authority to obtain settlements with businesses that failed to provide these protections. the ftc's best known case may be its 2006 action against choicepoint, a data broker that allegedly sold sensitive information about more than 160,000 consumers to thieves posing as choicepoint clients. the commission alleged that choicepoint failed to use reasonable procedures to screen prospective purchasers of data and ignored security red flags resulting in at least 800 cases of identity theft. before choicepoint, the ftc brought actions alleging security failures to such companies as microsoft, petco and shoe warehouse. and after choicepoint, the ftc has brought cases against tjx, lexisnexis, lifelock, cvs,
8:30 am
rite-aid and htc. many of our cases spanning over the course of 14 years allege similar, commonly-known vulnerabilities and security failures. in addition to enforcement, the commission promotes strong data security through consumer education, business guidance and policy initiatives. for example, our web site contains guidance for consumers about what to do in the event of a breach. and perhaps our most important education piece is our guide to businesses about how to develop a strong data security program. sitting here today with my colleague from the secret service, i want to emphasize that data security is a shared responsibility among many different entities and people including the different law enforcement agencies that work in this area. the commission has a long history of working closely with other federal and state agencies on this important issue. for example, the ftc's lifelock case was a joint action with 35 state ags and ftc received
8:31 am
assistance from 39 state ags in its case against tjx. we also work jointly with the department of health and human services in our cases against cvs and rite-aid. the ftc coordinates with agencies such as the fbi and secret service. the goals of the ftc and the criminal agencies are complementary. criminal actions seek to punish hackers and other criminals while ftc actions focus on shoring up security protections at companies to prevent intruders from getting inside in the first place. let me conclude with a final point on data security legislation. never has the need been greater. in its testimony, the commission reiterates its bipartisan support for federal legislation that would strengthen the ftc's existing authority governing data security and require companies to notify consumers when there has been a security breach. thank you for the opportunity to testify here today. the commission looks forward to continuing to work with congress
8:32 am
on this critical issue. >> thank you. thank you both. also should point out that last week i asked a question of dni clapper. he had made an estimate that cyber attacks on our economy were in excess of $300 billion worth of damage, and that was a last year report. i asked him, he says that number has probably dramatically increased, and that was in public testimony last week. obviously, that goes beyond just the question of individual data breach, but this is an issue that, again, i believe is going to grow dramatically. i also understand, mr. noonan, that the secret service does not want to weigh in on specific technology solutions, chip and pin, emv, tokenization, but we are going to need your cooperation at some point and guidance on how working with industry in whatever standards come about that we've got the
8:33 am
most cutting edge technology. i guess one of -- my first question for you, mr. noonan, is why is it that the secret service or even security bloggers are oftentimes the first to know about these attacks? i understand, you know, we've got an industry pci standards that are set, but this news keeps floating out more -- the target breach, my understanding, originally quoted from a blogger. and one of these blogs, brian krebs first identified the malware back in 2011. why is it taking us so long to respond? and is that some constraint on you, or is that not enough aggressive action from industry? >> sir, first you got into the fact that sometimes the secret
8:34 am
service knows ahead of time about these breaches, and we're able to bring it to the attention of different victims. so the fact that we do -- it's through proactive investigations where we are out sometimes ahead determining and looking at data as it relates to financial industries. it's through partnerships that we have in the financial industries sector that is able sometimes to bring us data where we're able to go through and parse through that data, be able to find out where information is leaking into the criminal underground from. so, too, is the same way i believe that some journalists are able to get hold of some of that information as well. you also brought up the malware and the fact that it's been around since 2011. i think what we're discussing here is that it's the type of malware. so it's not necessarily the exact type of malware. malware can be molded and changed per attack. of course, these attackers are molding malware so it's not picked up through antivirus and through technical means that general i.t. security folks
8:35 am
would have. so these are very sophisticated criminal actors that aren't using just regular malware. they are modifying that malware for each particular high-tech attack when we're talking about an attack of this significance. >> i guess one of the things that i know my colleagues will want to press on too, this is both for you and ms. rich, how do you get the standard right on when it becomes the duty of the company or the financial institution to report an incursion? you know, particularly since this evolves all the time, and, you know, i know there are standards set, but that's got to be constantly evolutionary. do we have it right? do you need more tools? do we need to do this -- i believe we need to do in this collaboration with industries, setting a regulatory process that would be static in an area that's moved this quickly. like to get you both to move on this, and then i've got one last quick question for mr. noonan. ms. rich, do you want to start?
8:36 am
>> the commission sets federal standards for data security and breach notification. right now there are state laws requiring breach notification, but no standard at the federal level, and no civil penalties. and while we have tools and we're using them to enforce, to address data security failures by companies, it would be extremely helpful to have a federal law requiring data security, not just notification, with civil penalties. >> how do you make sure that laws can evolve quickly enough so you don't -- you think about nist or other standards that sometimes take seven years to evolve. this is a field that changes on a monthly basis. >> we believe that the legal requirements should require a process for developing appropriate data security so that the specific technical standards can evolve and perhaps be, be implemented through self-regulation or industry standards. but we do have one regulation in
8:37 am
the financial area that is already a model for this called the gramm-leach-bliley safeguards rule that really sets forth a process. you have to put somebody in charge, you know? your chief technology officer. you have to do a formal risk assessment. you have to then implement safeguards in key areas of risk such as employee training, network and physical security, service providers, etc., and it sets out a process like that. and we're able to use that as a tool for enforcement without mandating levels of encryption and things that change over time.
>> mr. noonan, could you add, and i want to be respectful of my colleagues' time, could you also identify for us -- we saw in the target public indications that it might have been from ukraine -- where some of this criminal activity seems to be generating from? and then we'll move to senator kirk.
>> sure. many of these transnational cyber criminals are attacking us from eastern europe. i don't want to say it's one country versus another country.
8:38 am
what it is, what we are seeing is largely the criminal, cyber criminal world is using the russian-speaking language -- i said the russian-speaking in the fact that they're using the russian language as an operational security. so that's the piece that the criminal underworld is using to hide themselves from u.s. law enforcement.
>> real quick question for mr. noonan. you described the general origin of a lot of these attacks. could you describe your international cooperation with russian law enforcement on this issue?
>> there have been many events where we have worked with russian law enforcement to some degree of cooperation. there are times that --
>> vladimir putin is not exactly our best friend. could you just, could you give a grade to the level of cooperation we've received?
>> yes, sir. we do most of our work through the office of international affairs and
8:39 am
through doj's computer hacking, computer crimes and intellectual property section. and generally the cooperation that we have with the russian authorities is generally through that mechanism, through the ccips notification process to get process taken care of in the russian federation.
>> quick follow-up: have you had any extraditions from russia?
>> negative, sir. we have not had any extraditions from russia.
>> great. mr. chairman.
>> senator warren.
>> thank you, mr. chairman, ranking member. thank you for holding this hearing. all of us have constituents who are affected by these data breaches, and i think it's clear that the data protections we have in place now are not enough. in 2012 16.6 million people, 7% of the adult population in a single
8:40 am
year, were victims of identity theft. it's a huge number. so i'd like to get a better sense of how these laws are enforced. the ftc has authority to go after companies that engage in either deceptive or unfair practices, so i want to break those two out if i can. ms. rich, can you describe what a company must do with regard to its data security standards for the ftc to bring a claim for deceptive practices?
>> well, our deception authority focuses on making statements or omitting information that is material, so our cases in this area generally involve statements that can be express -- you know, "we encrypt our data to the highest levels of blah, blah, blah" -- or implied. we really care about your data
8:41 am
security, and the security of your data, and if you give data to us, you know, nothing bad will come of it. and we look to see if those claims are true by asking a lot of questions, getting data, doing hearings with officials at companies and consulting with experts to determine whether those claims are true.
>> okay. ms. rich, then let me just clarify this. if a company's security standards are inadequate but the company says nothing about them, then the ftc is powerless, at least under its authority to go after deceptive practices, is that right?
>> we have two prongs of our section five authority and the other is unfairness.
>> i'm going to come to unfairness in just a minute. i just want to find out how helpful "deceptive" is for a company that has totally inadequate data protection standards. and i just want to clarify, i think what you're saying to me
8:42 am
is if the company never says they have great data protection standards, then the answer is under the deceptive prong the ftc has no authority to go after this company, is that right?
>> that's absolutely right. and that's one of the reasons, one of the reasons that we're supporting general data security legislation. but let me say we do also have unfairness authority --
>> i'll come there.
>> -- and we use our deception authority to look at not just what's stated in a privacy policy, but what the company may claim in the context of its interaction with consumers including implied claims such as a seal.
>> okay. but under your authority to go after deceptive practices, i understand that the ftc has settled about 30 data security cases since 2002. that would be about three per year. so i think it's fair to say
8:43 am
that's not very many given the number of data breaches that we've seen over the last decade.
>> well, i would emphasize that there isn't strict liability for a breach. when a breach happens, we look at the underlying practices and not whether there was a breach and then we automatically bring a case. and i would also emphasize that we believe our 30 deception cases and our 20 unfairness cases provide very strong, general deterrence as well as specific deterrence especially given the kind of remedies we seek. and we do believe that our work in this area has brought a lot of attention to the need to secure data and has made a difference in raising the stakes. but we do need more tools.
>> well, so let's talk about that just a little more. in addition to the 30 cases you've brought over the course of a decade under deceptive practices, i just want to ask
8:44 am
you about unfair practices. can you describe what a company must do with regard to data security standards for the ftc to bring a claim for unfair practices?
>> well, we have a three-prong test that we need to meet to use our unfairness authority, and one of those is substantial injury. but in many of these breach and -- well, these data failure cases; again, it's not strict liability for a breach. we have met that standard, and we, therefore, have brought those cases.
>> so i understand, and if i'm understanding this correctly, you're describing a fairly demanding standard since as you say it's more than breach, more than the fact that people have been injured, more than the fact that a company had very lax standards. in fact, as i understand it, there's a great deal -- there's some question around the ftc's authority in this area which may be why you've used unfair practices in only 20 cases over
8:45 am
ten years. i just want to say i think this is a real problem that the ftc's enforcement authority in this area is so limited. the ftc should have the enforcement authority it needs to protect consumers, and it looks to me like it doesn't have that authority right now. data security problems aren't going to go away on their own, so congress really needs to consider whether to strengthen the ftc's hand. thank you, mr. chairman.
>> thank you, senator warren. interesting line of questions. i do think, you know, we oftentimes see you may have a series of players in an industry who are meeting those standards. the challenge is you may have that one weak link, and the whole industry sector could be infected because of the weak link. so i think there should be some more ability to collaborate here. senator johanns?
>> thank you, mr. chairman. let me start out on the international front, if i could, and maybe follow up on senator kirk's questions a little bit.
8:46 am
available that data would illustrate to us what percentage of the attacks come from outside the united states? is that data available? either one of you. go ahead, mr. noonan.
>> i'm certain that it is. i will have to respond back to you in writing.
>> just for the purposes of the hearing, would it be the majority of the attacks, do you think?
>> i would say the majority of the significant attacks would be outside of borders.
>> and to put a finer point on it, would the majority of the attacks come from eastern europe? the foreign attacks?
8:47 am
>> yes, sir.
>> in terms of the cooperation that we get out of that part of the world, can you think of any case at all where there has been an extradition from eastern europe where a hacker was sent to the united states for prosecution, any case?
>> yes, just recently we had a case out of romania.
>> is that rare?
>> with the romanian authorities, we are working very closely with them at this point. but the other countries in eastern europe, it could potentially be very rare, yes.
>> what i'm trying to get at, and i'm not trying to be coy here, is that it looks like parts of eastern europe are a sanctuary if you are a hacker. because the chances of being sent over here to face
8:48 am
prosecution and conviction are probably nonexistent. would you agree with that statement?
>> yes, i would agree. yes.
>> that's kind of a bad deal, no matter how secure you are. because at the end of the day, if those folks aren't facing the possibility of prosecution, they're just going to keep going.
>> however, we've got some very strong partnerships with some of the countries over in eastern europe, and it's through those collaborative efforts that we're making gains against a number of the cybercriminals. so to say that we don't have cooperation in eastern europe is not 100% accurate. it's true, with many of the different law enforcement authorities we do have a strong collaborative effort in moving towards some of these cyber criminals, identifying these actors and learning more about their networks.
8:49 am
>> right. let me, if i might, focus on breach notification. because i think from the consumer standpoint that's critical. we, as consumers, we want to have the ability to trace a hacker to romania or whatever. but the one thing that we do have, if we are given notification, is that we have the ability to stop using the card or tear it up or notify our creditors. we can be proactive. how, ms. rich, how important is it that we get a breach notification in our effort to protect consumers?
>> i think that for the very reasons you say, it's actually important, which is why we support a law at the federal level with civil penalties.
>> how do we do that -- and i don't want to get into a sensitive area, but this is a
8:50 am
sensitive area. as a former cabinet member i can tell you i know we had millions of records from citizens that contain sensitive information. social security numbers, date of birth, residence address, on and on and on. i will also add that often times the federal government security system is not the best. i wish it was, but it's not the best. and it could be the health care law, it could be the va, it could be the department of agriculture, it could be a whole host of things. what mandate do we have on the federal government that if my information at whatever department has been compromised, somebody will let me know that?
>> you mean, what laws govern the federal government's
8:51 am
collection of information?
>> yes.
>> there are a number of laws that require data security among federal government agencies, as well as breach notification. i'm not completely familiar with the details of all of those, but i know that if any breach happens in my bureau, who we are supposed to report to.
>> do you know of any breach notification requirements in the health care law?
>> i'm not familiar with all the details of the health care law, but i did want to add on the point you were making about eastern europe, because there's always going to be criminals and they may be coming from countries where it's very difficult to trace. that's why this partnership is a joint effort among different approaches and different agencies. we can't discount criminal enforcement. it's very important that companies also shore up their systems as much as they can against attacks. we need to attack this problem from different angles.
8:52 am
>> thank you, mr. chairman.
>> thank you, senator. senator tester.
>> thank you, mr. chairman. as long as we're talking about breach, we will flesh it out a little bit more. the breach you were talking about with senator johanns was between a financial institution and the cardholder. is there any breach requirement between the retailer and the financial institution, or the retailer and your office, mr. noonan? or your office, ms. rich?
>> there are state laws that require breach notification which may apply to retailers, but there is no federal --
>> so there's no breach requirements across the board, whether to the cardholder or between the retailer and the banks or the retailer and the investigative services, or the banks and the investigative service. no breach requirements across the board.
>> again, not that i'm aware of.
8:53 am
>> pretty dumb question: when did the breach happen on target?
>> the breach on target is still an ongoing investigation.
>> but when did it actually happen? when did the breach happen? when did the actual attack on their database happen? what day?
>> again, it's an active investigation, so we can't necessarily get into the specifics.
>> can you tell me how much time it was before you found out about it, before you started your investigation, or when the breach actually happened?
>> no, i can't at this point.
>> it was a period of time, though? it wasn't immediate?
>> it's through proactive -- i'll get back in a moment if i can --
>> i don't want to put you on the spot. you can take the fifth if you want. it doesn't matter.
>> november 27 to december 15, and there was an announcement on the 19th.
>> there needs to be breach notification across the board because i think time is literally money in this situation. if there's a breach that happens
8:54 am
and that retailer withholds information, or for some reason the bank institution, they want -- i don't know why either one would want to, quite frankly. you guys need to know about it immediately so you can start finding who the bad guys are that did it if we're going to get to the bottom of it, right?
>> yes, sir.
>> mr. noonan, your testimony focused on the retail industry as a point of entry for the criminals, and you highlighted investigation of a number of retailer networks where cybercriminals were able to install programs to be able to capture information from retailers. and it's already been talked about by the chairman. there were 40 million cards, 70 million people whose personal information was given out. can you tell me why a retailer would be storing -- storing sensitive information on their own networks?
>> i don't know. i don't believe in this case information on the
8:55 am
cards was actually being stored on the network.
>> so how did they get the information?
>> the information was being collected as the data was going through the process.
>> okay, i got you. i got you. so how did they get the 70 million?
>> it was a period of collection time in which the data was being collected by the criminals.
>> so the fact whether this was encrypted or not makes very little difference. i was under the assumption that this was on the database. the information was not encrypted. the folks who got into that database had encrypted information and took it out.
>> there's more -- i think you're giving -- there's more to the investigation. again, this is an ongoing investigation. i can't talk about the specifics of exactly how that was being done.
>> okay. i want to talk a little bit about the enforcement that you have.
8:56 am
right now, i mean, generally speaking, of all the things you have to deal with, do you have any tools to work with that really work?
>> we are doing a lot in this area. this is one of our areas of priority. we are bringing enforcement, we are doing education. we are using --
>> i got you. i'm not being critical of you. i'm being critical of us.
>> we do want more tools.
>> when was the last time your tools dealing with this issue were dealt with from a policy standpoint? i'm talking about, has there been a revamp of the tools dealing with data breaches in the last 10, 15, 20, 50 years?
>> we received, have received some new authority in this area, including we do have a data breach law for narrow classes of health, personal health records.
8:57 am
but for the most part, and gramm-leach-bliley was passed in 1999 or 2000, but it has been a while.
>> we have some work to do, mr. chairman. thank you.
>> yielding back 30 seconds.
>> efficiency, baby.
>> senator menendez.
>> thank you, mr. chairman. i appreciate you holding this hearing. when these issues broke in december, senator schumer, myself and yourself signed a letter to the chairman of the full committee asking for hearings, and i'm glad your subcommittee is leading on this and understand the chairman is going to broaden some of his call for hearings and include this topic. so this is extraordinarily important. ms. rich, i have two particular lines that i want to pursue. i think senator warren opened the door to something i think is incredibly important, which is what role should the ftc and the federal government create with standards? it seems to me that whatever
8:58 am
high standard exists in the marketplace, readily available for technology, is one that we would want to have companies follow in order to ensure the security of millions of americans' private information. critical information to themselves, to their credit histories, to retailers, to banking institutions. and so if a company, if we set a standard that basically says, look, what's available in the marketplace, we can't expect the company that gets hacked and was already using the highest standards available in the marketplace to be held responsible. but if, in fact, there was a standard that was available and the company or companies were not using that standard, then we have to question whether or not they made an investment decision not to go ahead and expend the resources for that higher standard. so it seems to me that part of the question is, and i know the
8:59 am
private sector has largely worked on creating its own standards, but is there a role for the ftc and the federal government to set a standard that says, look, whatever is existing in the marketplace that, in fact, can be achieved to get the highest protection available, should be the standard. and if you don't pursue that standard, then you are subject to consequences thereof.
>> that's incredibly similar to the way we think about it now when we talk about having reasonable security. so reasonable security means you take into account what the risks are in your business, what the sensitivity of the information you collect is, how much information you collect, and the cost and availability of measures that are out there in the marketplace. so that's exactly how we analyze it. and the good --
>> the question is, does the industry understand that they will be held to the standards? if i don't get the sense that
9:00 am
there is an obligation per se to be held to that higher standard.
>> one of the limitations we have in our work is we don't have civil penalties or the kind of sanctions that are needed to provide the right incentives to focus on this issue.
>> but if we -- i want to get to civil penalties in a moment. we sent a letter to your chairwoman and she responded to it in that respect. if we set a standard that gives everybody notice, here's what we expect of you -- if we don't set a standard, we have a more amorphous process of designing what is the right standard or not. we should have input into that, but it seems to me that we should be studying the standard. if we set a standard we have notice, the essence of due process, notice and opportunity to be heard, and then we go away with a standard. i would like to pursue with the agency whether or not such a standard is important, mr. chairman.
9:01 am
secondly, with reference to additional authorities, in my letter to chairwoman ramirez asking about the commission's efforts in the past, i noticed there were never civil penalties, even though there were very large breaches, not as large as this one but large for their time. it seems to me that she agreed that the authority to impose civil penalties would be a helpful tool to have in addition to current authorities like consumer restitution. i don't think that's something you want to levy against every company. i think that goes back to the standard, too: if you have a standard and you're pursuing the standard, you shouldn't be subject to liability.
>> it's very important to have civil penalties as an available remedy to make sure there's both specific and general deterrence when there's been a failure.
>> okay. the reason, if i can, mr. chairman, finally, you know,
9:02 am
your testimony reasserts the federal trade commission's long-standing assertion, borne out through case history, that section five of the ftc act covers instances where companies fail to adequately protect consumer data. this assertion is based on the commonsense premise that customers have an understanding that companies will take reasonable steps to protect their data, and failing to do so would be an unfair or deceptive practice. however, companies have been challenging this assertion. so i think that if that's the case, that now they will challenge that assertion, it seems to me to call for not just voluntary efforts, but to create a standard and consequences of that standard, and give americans the best security that they can hope for. and i look forward to working with the committee and with the ftc in that regard.
>> thank you, senator. one last comment. i know we have other questions,
9:03 am
but we have a second panel. unless anybody -- i'll make one comment, and if anyone has a burning question, then we'll go to the second panel. following up on senator tester's comment, trying to get the notion of your obligation to disclose when you've been breached, i think sorting through that is going to be a challenge because there are so many attacks every day. we've got a set of standards somewhere that -- you don't want to create the old homeland security color code system which everyone proceeded to ignore. there's got to be a materiality piece.
>> i agree with you. on the other hand, if a business withholds that information because it's in the heart of christmas shopping season and that might affect their bottom line, they need to be hung out to dry.
>> amen.
>> the other point, following up on senator menendez, the earlier point you made to senator warren i thought was interesting,
9:04 am
companies in the past have in effect put a seal or put some kind of good housekeeping seal of approval that may or may not be valid really troubles me. i thank both the witnesses. we will move to the second panel. thank you both.
>> thank you.
>> [inaudible conversations]
>> if the panel does not mind, i'm going to go ahead and start introducing you, even as you're getting in the process of being seated. i'm going to start introducing
9:05 am
you once my staff give me your introductions. gentlemen, thank you. the first panel was focused on our government witnesses. now we will focus more on industry and consumers. mr. james reuter, like the news agency, is executive vice president of firstbank located in lakewood, colorado, where he has been since 1987. he is also president of first data corp., which provides all i.t. and operational support services for more than 110 locations. welcome. mr. mallory duncan is executive vice president and general counsel of the national retail federation, where he is responsible for strategic direction for initiatives involving customer data privacy, bankruptcy, fair credit reporting, truth in lending.
9:06 am
he briefly worked for jcpenney and for the ftc. mr. troy leach is the chief -- let's see. let me do mr. edmund mierzwinski, who is federal consumer program director and senior fellow for the u.s. pirg research groups. he has worked in the federal office of u.s. pirg since 99 and is recognized as an expert in a wide area of issues, with emphasis on financial services, credit cards, credit reports, privacy. thank you. and mr. troy leach is chief technology officer for the pci security standards council. this is the industry council setting standards right now. he partners with industry leaders to develop comprehensive standards and strategies to secure payment, credit card data, supporting and research. he has a long history working on i.t. issues. thank you all very much. you have a panel that is anxious to ask you questions. mr. reuter, why don't you start, and we'll go right down the line and get to questions.
9:07 am
>> chairman warner, ranking member kirk and members of the subcommittee, my name is james reuter, president of the support services at firstbank in lakewood, colorado. we are a 13 billion-dollar institution with over 115 locations serving colorado, arizona and california. my operation provides information technology, payment processing services, a 24 hour call center and electronic banking services for 115 firstbank locations. i appreciate the opportunity to be here and represent the aba. even with the recent breaches, our payment system remains strong and continues to support the $3 trillion that americans spend safely each year with their credit and debit cards. and with good reason. customers can use these cards confidently because their banks protect them by investing in technology to detect and prevent fraud, reissuing cards, and absorbing fraud losses. at the same time, these breaches
9:08 am
have reignited a long running debate over consumer data security policy. the banking industry recognizes the importance of a safe and secure payment system to our nation and its citizens. we thank the subcommittee for holding this hearing and welcome the ongoing discussion. let me be clear, protecting consumers -- customers is the banking industry's first priority. as the stewards of the direct customer relationship, the banking industry's overarching priority with breaches like that at target is to protect consumers and make them whole from any loss due to fraud. when a retailer like target -- having zero liability on fraudulent transactions, it is because our nation's banks are making customers whole, not the retailer that suffered the breach. banks will do the research and reimburse customers for unauthorized transactions and normally exceed legal requirements by making customers whole within days of the customer alerting them.
9:09 am
beyond reimbursing customers for fraudulent purchases, banks often must reissue cards to affected customers. for our bank this cost is $5 per card. in the end, banks receive pennies on the dollar for fraud losses and other costs incurred while protecting their customers. in fact, banks bear over 60% of reported fraud losses, yet have accounted for less than 8% of reported breaches since 2005. more needs to be done to stop this kind of fraud in its tracks. having a national data breach standard is an important step in this direction. in many instances, the identity of the retailer that suffered the breach is either not known or often times intentionally not revealed by the sword. understandably, a retailer or other entity would rather pass the burden onto the affected consumers' banks rather than taking the reputational hit themselves. in such cases, the bank is put
9:10 am
in the position of notifying their customers that their credit or debit card data is at risk without being able to divulge where the breach actually occurred. often, customers, absent better information, blame the banks for the breach itself and any inconvenience they are now suffering. consumers' electronic payments are not confined by borders between states. as such, a national standard for data security and breach notification as contained in senate bill 1927, the data security act of 2014, is of paramount importance. it is critical that all players in the payment system, including retailers, must improve their internal security systems as the criminal threat continues to evolve. criminal elements are growing increasingly sophisticated in their efforts to breach the payment system. this disturbing evolution as demonstrated by the target breach will require enhanced attention, resources, and diligence on the part of all
9:11 am
payment system participants. let me make one final point. protecting the payment system is a shared responsibility. banks, retailers, processors and all participants in the payment system must share the responsibility of keeping the system secure. that responsibility should not fall predominantly on the financial services sector. banks are committed to doing their share but cannot be the sole bearer of that responsibility. policymakers, card networks and all industry participants have a vital role to play in addressing the regulatory gaps that exist in our payment system, and we stand ready to assist in that effort. thank you. i would be happy to answer any questions you might have.
>> mr. duncan, please.
>> thank you, senator warren, ranking member kirk, members of the subcommittee.
9:12 am
collectively, retailers spend billions of dollars safeguarding consumers' data and fighting fraud. most of the data breaches we've seen, whether at retailers you've heard about or banks and card companies about which we hear less, have been perpetrated by criminals. these companies are victims. we need to reduce fraud. that is, we should not be satisfied with deciding what to do after a data breach occurs, who to notify and how to assign liability. instead it's important to look at why such breaches occur and what the perpetrators get out of them, so we can find ways to reduce and prevent not only the breaches but the fraudulent activity that is often their goal. in its comprehensive 2013 data breach report, verizon revealed that 37% of breaches happened at financial institutions, 24% at retail, and the remainder at others. it may be surprising to some given recent media coverage that more data breaches occur at financial institutions than at retailers, but the focus is on banks because they have the most
9:13 am
sensitive financial information. still, fraud is devastating for retailers in the united states. and it is rising. in 2012 the u.s. accounted for nearly 30% of credit and debit charges, but 47% of all fraud losses. who bears this cost? independent studies vary. they say retailers bear anywhere from 90% to 40% of the payment card fraud. we think a fair assessment is that retailers pay about half. why is card fraud increasing? thieves go where the rewards are plentiful and easiest to obtain. unfortunately our card system is outdated and rife with opportunity for fraud. despite the billions of dollars spent by merchants in hope of becoming pci compliant, we still must accept fraud-prone cards that are so attractive to data thieves. unlike the rest of the world, u.s. cards still use a signature and magnetic stripe for verification. what the card companies
9:14 am
effectively say to merchants is that even though the sensitive information is visibly printed on the card, even though the security information can be lifted off a mag stripe by a sophisticated 12-year-old, and even though the signatures are worthless as a form of identification, it is your responsibility to guard that information at all cost. retailers work very hard to do it, but the request doesn't really make sense. what's needed is for the networks and banks to issue cards that are not so easily compromised. at a minimum we need to replace the signature with a pin and the magnetic stripe with a chip. even that won't be state of the art. it's technology that is three generations old. but fraud dropped 70% when it was adopted in britain, and fraud is growing here because we have not. we must adopt both pin and chip. the pin authenticates the cardholder and helps protect her and the merchant; the chip authenticates the card to the bank. together they greatly reduce fraud.
9:15 am
The banks know this, and so do the networks. They have promoted it all over the world, yet here in the U.S. they are proposing signature and chip cards. "Chip and choice" is what one of them cutely calls it. It is an ineffective measure, locking the back door while leaving the front door open. Why adopt a halfway measure? Merchants would still need to spend billions to install new equipment to read cards that would combine 1990s-technology chips with a 1960s relic, the signature, in the face of 21st century threats. Frankly, if Congress is justly concerned about protecting our payment card systems against fraud, it ought to be exercising oversight of any groups that are essentially advancing this absurd solution. There are additional changes to the system that would be helpful and provide a greater degree of protection. Point-to-point encryption is one, but it relies on banks and networks being able to accept encrypted data, and that has been a challenge. Chips are more advanced, but
9:16 am
their sophistication pales in comparison with the smartphone. Today's smartphones are mini computers; they could enable state of the art fraud protection, and if the payment platforms are open and competitive, they will only get better. We lay out a number of proposals in our written testimony. It is important, however, that under federal law all who handle the same type of sensitive consumer information, such as payment card data, are subject to the same statutory rules and penalties with respect to notifying consumers of a breach affecting that information. In closing, three brief points. First, retailers take the increasing incidence of payment card fraud very seriously. Merchants already bear at least an equal and often a greater cost of fraud than any other participant in the payment card system. We did not design the system. We did not configure the card. We do not issue the card. We will work effectively to upgrade the system, but we cannot do it alone.
9:17 am
Second, the vast majority of breaches are criminal activity. No system is invulnerable to the most sophisticated and dedicated of thieves. Consequently, eliminating all fraud is likely to remain an aspiration, but nevertheless we will do our part to achieve that goal. And last, it is long past time for this country to adopt PIN and chip card technology. If the goal is to secure data and reduce fraud, we must at a minimum do both. Thank you.
>> Mr. Mierzwinski.
>> Thank you, Chairman, Ranking Member Kirk. I'm Edmund Mierzwinski. I've been working on these issues for some time, and my views, I think, are somewhat in line with the merchants but also somewhat not in line with the merchants. First, the Target breach itself; I want to make one point about that. The breach occurred with
9:18 am
information that allows fraud to take place on your existing accounts for the first 40 million consumers who were breached. For the additional 70 million, the information that was collected allows phishing attacks to try to obtain more information to commit identity theft. But I think the biggest risk to customers of Target is fraud on existing accounts. So the provision of credit monitoring, which they are getting for free but which is normally an overpriced, junky product, really creates a false sense of security. It will not stop fraud on your existing accounts, and it won't stop identity theft, but it will simply tell you when your Experian account has changed. That could be because of identity theft or it could be because of something else, but it would be after the fact. That's one point I want to make about the Target breach, but the thing about Target again is they are not at fault completely.
9:19 am
They may be in violation; there are different stories on whether they were or weren't in violation of the current highest PCI standard. We will know more after they testify in the next two days. Whether or not they were in violation of the PCI standards, those standards are cobbled onto an obsolete technological platform. It's like trying to put disc brakes on a Model T, air bags on an Edsel. I mean, the merchants are being asked constantly to add different bells and whistles to an obsolete system from the mid-20th century. So that's a problem; I think the banks and the card industry have a lot to answer for with these problems. I want to make a couple of quick points that are all made in my testimony. First, I was encouraged, Chairman Kirk -- Chairman Warner, when you mentioned that debit card protections maybe should be increased. We strongly support that idea; all plastic
9:20 am
should be equal. The zero liability promise the banks make is just a promise, but it's not the law. I use credit cards. I never use debit cards. The other problem, of course, with a debit card is you lose money from your account until they complete the reinvestigation. You could have other checks bounce. Second, any reform should be technology neutral and technology forcing. You really should have a reform that encourages continuous increases in the use of better and better technology. And as Mr. Duncan pointed out, it should be on an open platform, and competitors should be allowed to come in. I think today if you look at the networks, the two big ones are a duopoly. They have all the standard characteristics of a duopoly. They seek excess rents. They don't like new technology. They don't like competitors. That's really been a problem. I think you should look at the PCI standard-setting body.
9:21 am
Do Americans have adequate input? Do the regulators have enough review of it? You should not enact any new legislation that preempts state laws. If Congress enacts a good enough law, it doesn't have to preempt state laws. The states will move on; they will do other things. But if Congress doesn't enact a good enough law, it needs the states as first responders. After 2003, when the FACT Act was enacted and did not include adequate identity theft reforms, 46 states passed breach laws. 49 states gave consumers the right to freeze their credit report. So those were important things that the states did. Whereas every bill that I've seen to some extent not only preempts any breach law, which is their nominal purpose, but goes further and preempts any right of the state to do anything in the future. That's really, I think, the wrong way to go.
9:22 am
Another point that we make in our testimony is that if you do enact a breach notification law, it should be on an acquisition standard. There shouldn't be a harm trigger. The company that didn't protect my information should not be allowed to decide whether or not to give me notice. One point that I don't make in my testimony but I've made in previous testimony before the Commerce Committee is that I strongly support any effort to increase the FTC's authorities, including the right to impose civil penalties for a first violation. Thank you for the opportunity. I hope to answer any questions you might have.
>> Thank you. My name is Troy Leach. I am the CTO of the PCI Security Standards Council, a global industry initiative focused on securing payment card data. Our approach to an effective security program is people, process, and technology as key parts of data protection. Our community of over 1,000 of the world's leading businesses
9:23 am
tackles security challenges, from simple issues, for example the word "password" is one of the most commonly used passwords, to really complicated issues such as proper encryption. We understand consumers are upset when their payment card data is put at risk, and the harm that is caused by these breaches. The Council was created as a forum for all stakeholders, banks, merchants, manufacturers and others, to proactively protect consumer card data. Our mantra is simple. If you don't need it, don't store it. If it is needed, then protect it through a multilayered approach and devalue it through technologies that reduce the incentive for criminals to steal it. Let me tell you how we do that. The Data Security Standard is built on 12 principles: everything from strong access control, monitoring and testing networks, and ongoing risk assessments, and much more. This standard is updated regularly through our global community. In addition we have developed other standards that cover
9:24 am
payment software, point-of-sale devices and the secure manufacturing of cards. We do much more as well. We develop standards and guidance on emerging technology like tokenization and point-to-point encryption, which reduce the amount of card data in a system or render it useless to cybercriminals. Tokenization and point-to-point encryption work in concert with other PCI standards to offer additional protections. Another technology, EMV chip, has widespread use in Europe and other markets. It is an extremely effective method for reducing card fraud in the face-to-face environment. That's why the PCI Council supports the deployment of chip technology. However, EMV chip is only one piece of the puzzle. Additional controls are needed to protect the integrity of payments online, on the telephone and in other channels. These controls include encryption, proper access, protection from tampering, malware protection, and more. These are all addressed within the PCI standards. Used together, these can provide
9:25 am
strong protection for payment card data. Effective security requires more than just standards and technologies. Without ongoing adherence and supporting programs, these are only tools and not solutions. The Council makes it easy for businesses to choose products that have been lab tested and certified as secure. The Council's certification and training programs have educated tens of thousands of individuals, including merchants, technology companies and governments. Finally, we conduct global campaigns to raise awareness of payment card security. The Council welcomes the Committee's attention to this critical issue. The recent compromises underscore the importance of the multilayered approach. There are clear ways in which the government can help: for example, by leading strong law enforcement efforts worldwide, particularly because of the global nature of this threat, and by encouraging accountability for these crimes. Promoting information sharing between the public and private sector also merits your attention. The Council is an active collaborator with government. We work with DHS and many other government entities.
9:26 am
We are ready and willing to do more. We believe that the development of standards to protect payment card data is something the private sector, and the PCI Council specifically, is uniquely qualified to do. The global reach, expertise and flexibility of the PCI standards have made -- protecting consumers. The recent breaches underscore the complex nature of payment card security. Multifaceted problems cannot be solved by a single technology, standard, mandate or regulation. They cannot be solved by a single sector of society. Business, standards bodies, policymakers and law enforcement must work together to protect the financial and privacy interests of consumers. Today, as this Committee focuses on recent data breaches, we know that criminals are focused on inventing the next attack. There is no time to waste. The PCI Council and business will continue to provide multilayered security protection while Congress leads efforts to combat cyber crimes. We thank the Committee for taking a leadership role in
9:27 am
seeking solutions to one of the largest security concerns of our time.
>> Thank you all, gentlemen. I made this comment in my opening statement, but I'd like to make it again with you all sitting in front of me. It is my strong hope that as we approach this issue we recognize that, rather than pointing blame at each other, the only way this is going to work to protect consumers and give them the confidence they need is for the banking industry, the retail industry, the card industry at large to actually collaborate together. We do not need, I don't believe, another replay of a multi-year legislative battle here when the hackers are not going to take a timeout and American consumers are going to be increasingly at risk. Mr. Leach, in the spirit of your comments, I want to do a lightning round here, so I would
9:28 am
ask you to keep your comments as close to yes or no as possible, recognizing of course that there is not a single technology solution. But seeing a dramatic decrease in Europe in terms of fraud at face-to-face transactions when it moved to the chip and PIN system, what does each of you think in terms of our country moving to chip and PIN as one step forward?
>> We have embraced chip technology. In fact, the card networks have laid out a timeline that involves a pretty strong incentive for the industry to move there by October 2015. And so --
>> Let's get to everybody else. Mr. Duncan.
>> Mr. Chairman, I take to heart your comments about not pointing fingers at each other. As I said in my testimony, if we're actually to get effective protection, as you said, PIN and
9:29 am
chip. If you listen to the response that was just given, it only mentioned the chip. As I said, that's closing the back door and leaving the front door open.
>> It sounds like you're saying yes to chip and PIN.
>> Yes, absolutely, to both chip and PIN, not chip and signature, but don't leave that as the ceiling; make sure you can get more.
>> Mr. Leach?
>> We're supportive of chip technology as well, but keep in mind that information --
>> Chip alone? I want to make sure I'm getting -- chip is different than chip and PIN. Are you supportive of chip and PIN?
>> We are supportive of chip and PIN. Any type of authentication add-on is an important form of identification, but it's important to keep in mind --
>> I got it. I think that's great progress today, everybody agreeing. ...I did not realize my debit card did not have the same protections. I think again about the fact
9:30 am
that where the growth in debit cards is coming is with younger folks and the younger banking community, who are potentially the most vulnerable. It would seem to me that equalizing cards on the same standard makes common sense. Give me a reason why not.
>> As a practical matter, we invoke a zero liability policy. If you did not authorize it today, you are not responsible for it.
>> I don't want to get you in trouble with the ABA, but is that an endorsement of the equalization in Truth in Lending -- Truth in Reporting?
>> I believe from the legislative perspective, the way we are all performing as banks, I'm not sure that additional legislation is needed, because we are adhering to a zero liability policy as a business practice.
>> But there is no practical reason why you would want to
9:31 am
>> We believe it is a good idea.
>> That's the last word.
>> Just to follow up on the point, I want to emphasize that chip technology is in the clear. We have -- we are supportive of that.
>> I would add the issue is the zero liability may not occur in all circumstances. It may apply only to signature transactions. That is the question, "debit or credit," which confuses consumers. Debit means using the PIN; credit means it is still a debit card, but you are using it on a signature-based credit card network. And I would look at the zero liability contract and say, what if I had two violations in a year, do they honor the second one? Some banks don't.
>> I would like to hear more. The last point I want to make is we have
9:32 am
focused on the challenges around the cards. I would make the point that the cards do add an extra layer of protection, because of technologies that may not be fully up to snuff at this point, versus what may be our real Achilles heel, which is everybody's movement towards online financial transactions. How many utility bills, I pay college tuition online, and in a certain sense if people can get into that personal data information, that is something there are no limits on in terms of individual exposure. We are much more vulnerable. My time is expired, but I would say a step forward, equalization, a step forward, but continuing again the notion of recognizing other
9:33 am
vulnerabilities in online transactions, putting a level of protection there, needs a lot more study.
>> Following up on that, Parliament has done a much better job than Congress in moving. I was struck by your comments that fraud was reduced in the U.K. by 70%. I have lots of friends in the U.K. You will see them with their credit and debit cards disparage the technological backwardness of the United States. And I ask you, on behalf of the Retail Federation, how much would it cost members to move to a full U.K.-based chip and PIN system?
>> We would have to replace all of the card readers in the stores. There are approximately 3 and a half million retailers
9:34 am
in the U.S. Many of them are one-store locations with one checkout; others have a dozen on each floor. So if you multiplied that by $1,000 or more per unit, you are talking several billion dollars in order to replace those, and some of those take time.
>> In general, I took from your testimony that the Retail Federation would support making that move?
>> We absolutely would. Some retailers have begun to install PIN and chip readers in their facilities in hopes --
>> Let's identify the heroes. Who was the first that did that?
>> I can't tell you who the first was, but larger retailers, including Best Buy.
>> We dug into the data on the
9:35 am
U.K. When we saw that face-to-face transaction fraud dropped dramatically, it was like squeezing a balloon, and you saw online fraud in the U.K. shoot up 30%.
>> Thank you, Mr. Chairman. We understand why it works better. It seems we are years behind Europe in adequate technology, technology we know is out there and technology in the United States. I was interested in your testimony; you said you think standards are best left to private organizations such as yours. That is what we have done, and we are way behind in technology and have become the targets for data attacks from around the world. Why should we leave this to
9:36 am
organizations like yours?
>> A very fair question to ask. We look at standards, people, process and technology, and recognize that while we have not migrated to chip, the monitoring tools in the U.S. are the best in the world, as well as looking at other technologies that are more cost-effective for merchants to move to.
>> Let me make sure I am following you. I thought I heard in this conversation that we were uniform, and the way we should go is to chip and PIN. There are other things we can do that I disagree with, but why haven't we had a basic standard?
>> That question is not for a standards body like myself, which is there to develop a secure standard from what we have today.
>> Your testimony is not just that we have great standards if someone
9:37 am
wants to adopt them. Your testimony, as I understood it, is that standards should be left to private organizations, not to other organizations developed in another way. That is the point I am pushing on. It sounds to me we need some pressure from the government to make sure the toughest standards are used. Maybe I can ask the question of Mr. Reuter: why has chip and PIN not been adopted in the United States?
>> I would like to comment on why the rest of the world is ahead of us on chip. The U.S. has a robust telecommunications system. Years ago, in other parts of the world, they did not have as robust a telecommunications system, so as a result they deployed chip technology to solve that problem. It wasn't deployed for fraud measures. Today, as we have seen more
9:38 am
breaches at retailers, we are embracing the chip technology in the United States. The reason I keep leaving out PIN is one of my concerns is it is a static piece of information. The chip brings dynamic data to the transaction, which is really what renders the compromised data useless. The PIN is a static element. I appreciate and support the ongoing debate on chip and signature versus chip and PIN, but I would hate to delay the deployment of chip technology on this one issue, because it has the biggest impact on fraud.
>> Both parts of your question -- make sure I understand your point. I understand you had reasons to go to chip early on, but are you saying the banks have discovered chip and PIN would be a more secure system, or they had some reasons to know that for many years?
>> We have been working toward chip technology, and the card
9:39 am
networks laid out the timeline. We are working towards it; in 2011 there were 8 million retailers, 14,000.
>> In 2011 they figured out chip and PIN was a more secure system?
>> There were more conversations before that, but the actual timeline was laid out.
>> Europeans have done more to protect themselves than we have. As to the question about chip and PIN, I'd ask Mr. Duncan to weigh in on that issue: whether chip and signature could be a better approach?
>> Signature is worthless. The signature on the back of your card: if you use it, a thief finds it there and it's simple for them to copy. It is essentially worthless. If you have security, you have to have a PIN. As to the idea that there are different systems and we shouldn't use both, imagine putting this on your house, one protection for the doors and open, and the other protection
9:40 am
for the windows. This one works differently from the one for the windows. If you want security, you need a whole system. It has to be PIN and chip, and I am clueless why anyone thinks otherwise.
>> Sounds to me like the banks delayed, retailers have delayed, the government has delayed, and the price the consumer pays is that the data are being stolen.
>> Senator Tester.
>> Thank you. I am getting conflicting data. A bank that employs some of my constituents in Montana has 7% of their debit cards, 7% of their debit cards, that were impacted by the recent breach, only 12,000 cards, and in their particular case it cost $5 a card, $60,000 to replace them. That just replaced the cards;
9:41 am
it didn't include additional costs, monitoring fraud. When this breach happened, I got a call from the credit union in the Hart Building, the credit union located in the Hart Building where we have an account: your account has been breached and we think it would be wise if we issued a new credit card. We are very appreciative of that, and they did. So somebody from the credit union said this recent breach costs $30 million for them. That doesn't include any of the fees, because I asked the credit union, if this is used by somebody else and they bring up a charge, and they said they would take care of it. The question in this particular case is, what do you think the prospects
9:42 am
are that a particular bank or credit union will actually get reimbursed for fraud costs?
>> At our bank we reissued 60,000 cards, and that came as a result of learning more about the breach but also customer demand, over a three-week period. We invested quite a bit, and when the dust settles we will have at most pennies on the dollar.
>> Target said -- let me make the right quote here -- they will make sure customers have zero liability. Who is going to pay the bill? Target or the banks?
>> The banks shoulder their responsibility, reimburse --
>> Target reimbursed you? What has been your experience on recovering fraud costs and other issues?
>> My experience is we recovered very little. Pennies on the dollar.
9:43 am
>> Let's talk about the cards here. Look, I'd love to pay in cash and checks, but that is not the way it works a lot of times. So I end up using my credit card a lot, like Mr. Mierzwinski, sorry about the pronunciation of the last name. I use credit cards almost exclusively myself. If merchants -- this is for you, Mr. Duncan -- if you are concerned about fraud and they are concerned about fraud, what is preventing them from doing more identity checks when you go to the checkout line? They don't even ask to look at my signature anymore, they don't ask for ID, they don't ask for anything. They take the credit card and
9:44 am
swipe it. What are merchants doing to improve point of sale?
>> One thing we would like to do is to have PIN authentication. We do think that would help.
>> We don't right now. We could all agree there, we'd like to go that way. We had a breach. Everybody at the table said they were concerned about it. If retailers are concerned, how do we stop the breach now?
>> As I mentioned in my testimony, there is a lot of question. I mentioned in my testimony we spent billions building a system where bad guys can't get in and pull out information. We encrypt the information. In terms of signature at the checkout, they told us we are not allowed to ask for
9:45 am
identification along with that. It was considered a hassle for the consumer to ask for identification. Some merchants do it anyway.
>> They do it all the time.
>> We are not allowed to do it.
>> The cost of chip and PIN. Mr. Duncan, you said $3 billion, and folks -- that's quite a bit for a machine. Who would pay the $3 billion, the retail association? Does that have an impact on the support for chip and PIN?
>> We would have to pay for that equipment. We would improve security. To clarify my statement, we would not reject the transaction based on the signature. Looking at the driver's license,
9:46 am
things that don't match, you can't reject the transaction, to be precise.
>> That would be interesting to flesh that out too. That doesn't sound good to me, but you can't ask for an opportunity to compare signatures. That is where the key is. If I lose mine and you pick it up and use it, they are going to know.
>> If it were based on penmanship, we would have to reject your transaction.
>> Thank you -- exactly, penmanship. It used to be worse when I was left-handed. Thank you, Mr. Chairman.
>> Senator Menendez, you mentioned credit unions. We have lots of interest, testimony from credit unions and organizations who submitted it for the record. And I'd point out on the second security check at the checkout, think about how many transactions are
9:47 am
going on automated now. I am not sure that interaction is going to be --
>> A lot of times they don't take the card. They just swipe it. Or you go to a grocery store and check out without a person. It is true. I don't have a lot of those.
>> Senator Menendez.
>> We had a big discussion on chip and PIN technology, which has been around more than a decade, widely used in Western Europe and other areas outside the United States. Some cautioned against adopting a similar standard by law, locking in any specific technology. However, even if we don't adopt a federal legal standard that favors one technology over another, couldn't we still have a standard based on performance? In other words, at what point should it be considered an unreasonable security risk for a company not to be using chip and PIN technology or something that
9:48 am
performs the equivalent way? Mr. Mierzwinski?
>> Senator, in my testimony we definitely say we shouldn't adopt a specific standard, but I certainly think, from what I understand, I am not the world's biggest expert, chip and PIN is a higher standard than chip and signature. So if you have a technology-forcing standard, a performance standard, that is a good way to go, as long as it is an open standard that encourages more and better technology to come forward.
>> What about the banks and retailers?
>> Setting a specific technology standard, I agree, is not a good idea because of how quickly fraudsters keep changing and adapting, but as far as setting standards that we all do the best we can with the technology available, I think that is fine.
>> We would like our partners to do the right thing and adopt PIN
9:49 am
and chip technology. As I mentioned earlier, a number of retailers were beginning to explore mobile as a possibility, and we would like to be careful Congress does not do something that might slow down that transition to even more secure systems in the future.
>> That is why I say I'm not supporting a specific standard. I get the sense everyone is worried what Congress would do. We are worried what you all do. I sit here and listen to the banks say retailers should have more liability. I sit here and listen to retailers say banks should have more liability. The only ones left out of that are the consumers, who are the ones getting screwed by financial data breaches. We have to have a different paradigm for how we get here. It seems to me, as I was posing questions to the Federal Trade Commission representative, creating some type of standard
9:50 am
that doesn't lock you into technology, and creating a standard of responsibility, is important for both the banks and retailers at the end of the day. I know the industry, the card industry, likes setting its own standards. At some point there is a responsibility to consumers and the economy, because it is not good for retailers, banks, and card companies when we have data breaches, at the end of the day, in terms of the confidence of people who put it on their credit card. I would like to hear from Mr. Mierzwinski. You ask in your testimony whether federal regulators should have a greater role in security standards. In your testimony you raise the question whether we should have a national standard that applies by force of law rather than
9:51 am
force of contract for consumer financial data and payments. Isn't that really part of the goal here, so we can have a standard that can be applied and ultimately make judgments? If you met that standard and there is a data breach, there's nothing more you could do; you did all the things you could. But if you don't have a standard, we never know what is the right engagement by both the banks and retailers in protection of consumers.
>> I understand you are conducting an ongoing series of hearings. The regulators are coming in, and it is useful to ask them: should there be a federal performance standard, as you point out, a federal performance standard that is enforceable by the regulators? Should regulators have the authority to look at it? And maybe they do already and are doing something; they haven't told me about it. Shouldn't they have the authority to determine whether any industry standards body, any
9:52 am
voluntary industry standards body, is performing adequately to protect the safety and soundness of the financial system? So I agree.
>> We as a banking institution have to comply with a number of data security standards. It is not only something that is written, and we have incident response, but we are examined on a regular basis. As an industry, that is why we are not opposed to setting standards; we are obligated to follow standards today.
>> That may be different from what the Federal Trade Commission is doing more broadly, but I appreciate that. May I have one final question? It goes to you, Mr. Mierzwinski, as a consumer advocate. We have seen an economy that is increasingly data driven in terms of companies collecting,
9:53 am
storing, processing ever greater quantities of consumer information, often against consumers' wishes or without their knowledge. In the financial services industry, for example, we hear stories about lenders data mining things like social media to help inform underwriting decisions on consumer loans. As companies aggregate more data, the consequences of a breach or improper use become greater as they expand beyond simple fraud to identity theft and other hardships. Target experienced breaches of two kinds of customer information: payment card data and personal information like names, e-mails and phone numbers. What if the next breach involves information like purchase histories or Social Security numbers? My question is, are you concerned about the rise of big data, and what can we do to give consumers greater control over their data, reduce the chances of a breach, and minimize the harm to consumers if a breach occurs? And should we be putting limits on
9:54 am
what companies can store without a consumer's affirmative opt-in?
>> You raise a question I could talk about for an hour or two. At the end of my testimony I referred to a recent Federal Trade Commission comprehensive report on privacy and also to a large paper I have written on this very subject of big data being used for financial decision-making. And as Mr. Duncan pointed out, much of the data that was collected is starting to be collected in the mobile landscape, and in addition to credit cards -- in addition to personal information and the kinds of things you buy with your cards, they know where you are and what you are doing at any particular time. And the new locational data is something Congress should look at as well. I would be happy to talk about this internet ecosystem.
9:55 am
it used to be you had a bank, merchant, credit bureau that had information about you and there were direct marketing companies to be sure but they didn't have much information and weren't connected. there are hundreds of interconnected if not thousands of interconnected business to business companies on the internet, buying and selling information about you today, and auctioning you off in real time to the highest bidder. many of them are predatory lenders, the highest bidders, companies on the internet called lead generation sites. i'd encourage the committee to hold a hearing on lead generation. type "i want a loan" on the internet and you are taken to a site that bids you out to the highest bidder. not the lowest bidder, the highest bidder. there's a lot of work that needs to be done, consumers need greater rights. there are bills that address part of it. i would be happy to talk about it. >> there is value even to consumers to have some degree of
9:56 am
information. by the same token i am increasingly concerned about the degree, the depth, breadth, the scope of where that information is and finding the right balance is incredibly important. i thank the chair for their indulgence. >> let me thank the witnesses and my colleagues. a couple closing comments. i would make my point for the third time. we are just the first in a series of hearings. the american public is concerned about this issue. and we can needed doing collaborative fashion and adversarial fashion, and congress for industry and consumer groups but you all collaborating together. it is terribly important. as we have seen today, across
9:57 am
the panel, there was a sense that we need to move aggressively to chip and pin. i agree with mr. duncan, you have automated systems. a little bit in the sense that i think i want to reemphasize, i learned more, chip and pin is not a declaration of victory. to the u.k. circumstance where the point to point fraud went down but online fraud went up and i think we have not seen the potential vulnerability we have for online transactions, i was a technology guy where we have no consumer or financial protections at all in that space. mr. mierzwinski, you may have gotten a win today because they got to increase the truth in lending and equalize all cards
9:58 am
to an equal standard so maybe we made progress as well. just close my comment with two points. i learned this notion of other things so there is encrypted data regardless of where your transaction takes place is something that we need to think through and i am sensitive to mr. duncan's members' concerns who don't want to go out to buy a terminal that is going to be outdated. how do you keep that in an open system so it cannot be coddled on as something that makes an issue we didn't get to and senator menendez raised it near the end not just broadly about access to our data but how is it going to be kept secure? wherever it stands in the financial system, what are the
9:59 am
obligations to keep that information in a secure fashion? of project that will come back. i want to thank my colleagues, the first panel and the second panel. go back to general clapper's comment that his estimate was a $3 billion hit to the economy last year and it is dramatically going to be higher. we need to get ahead of this. i look forward to working to find those solutions. these letters will be added and the hearing is adjourned. [inaudible conversations] >> almost 10:00 a.m. in the nation's capital. the u.s. senate is about to gavel in for the day to finish work on a five year farm bill that passed in the house last
10:00 am
week. the measure authorizes nearly $1 trillion in agricultural programs of which about $756 billion would go towards nutrition assistance. the senate will recess for their weekly party meetings from 12:30 to 2:15 this afternoon and when they return they will take a vote on final passage of the farm bill. that vote is scheduled for 2:35 p.m. eastern. now live to the senate floor on c-span2. the president pro tempore: the senate will come to order. the chaplain retired admiral barry black will lead the senate in prayer. the chaplain: let us pray. eternal god, the fountain of every blessing, we lift our hearts in praise to you, for you have done marvelous things. you direct our steps each da