
Key Capitol Hill Hearings, CSPAN, February 7, 2014 12:00pm-2:01pm EST

12:00 pm
of poison pills in it. you know, for example, it indicated that even in the next six months if iran were to conduct a long range ballistic missile test, or to be seen as supporting directly or indirectly acts of terrorism, then we would be free no longer to implement our pledge that we wouldn't impose new sanctions during the six-month period. to me, that's not reasonable.
12:01 pm
some real poison pills in it. it's good that the senator has stepped back. it's there and it sends a message, but i don't think the message has to be brought to a vote. >> i agree and i just wanted to add, i know we are on capitol hill and there are many staffers from the republican and democratic sides. congress has already played an important role. iran is at the table in large part because of the sanctions put into play with the european union. so the congress has done a very effective job sending the signal
12:02 pm
and enhancing our leverage. we might look to history to just recall how america has dealt with different crises in the past with the president in the lead. when president jefferson dealt with them in the 19th century, or theodore roosevelt in the japanese war of 1905, franklin roosevelt in trying to negotiate before the second world war, these are all examples where, on an exceedingly important, vital national security issue, it is in the interest of the president to lead. congress always has the final say. president wilson found that out after the peace conference in 1920. if the congress is able to negotiate they would need to come back to the congress because some of those sanctions can't be lifted without the congress agreeing, so they will play an important role, that the
12:03 pm
table, one american, and he's done a very good job of positioning us at the table. >> because we are running out of time i want to ask two more questions together and if you could respond to them. the one question is more of a technical question that has a significant presence. should we recognize the right to enrichment? that's been controversial. the second question is what should iran do to avoid military action while it is still an option on the table? >> on the right to enrich, the administration hasn't recognized the right to enrichment. it doesn't believe there is such a right. the nonproliferation treaty,
12:04 pm
its article iv protects the right of the compliant parties to engage in nuclear energy for peaceful purposes. it doesn't talk about enrichment per se. it's a dual use technology that can be used for weapons production. and clearly iran, because of its infractions regarding safeguard obligations, has at least temporarily forfeited even the npt article iv right to pursue nuclear energy. even in the joint plan of action there is no recognition of the right to enrich. there is a kind of understanding that in an otherwise acceptable deal there can be a mutually defined enrichment program, but not as a question of legal rights, but as
12:05 pm
a cluster of the -- successful negotiating options. >> i cannot improve on his answer, he knows the subject backwards and forwards. i just wanted to take a swing at the last question, to avoid the use of military force, and i think it's obvious to everybody that iran is facing a fateful choice and they are going to have to choose if they want to be reintegrated with the rest of the world. in constructing the apparatus to support the program, it's our job and the job of the administration to begin to dismantle it, and that's the key issue. i must say a lot of people, myself included, have been very impressed by the foreign minister. they are different than any other iranian leaders
12:06 pm
that we have seen since the revolution of 1978 and 79. think of it as a possibility for an era of security if iran can become a peaceful nation. it's part of the middle east and it's a natural leader and always has been, but it now needs to demonstrate that it's going to live peacefully, and if we cannot rely on words or verification we have to rely on the actual deeds to dismantle their program, and that is the challenge that they face. the question is how can they avoid the use of force by doing the right thing, by becoming a peaceful state, by acting like every, like almost every other state in the world. we are transparent, we told the truth about the national security apparatus and they have
12:07 pm
to negotiate on a fair basis. i think if they can do that you've seen the president and secretary of state are willing to meet them halfway. i hope we can get behind the president and hope that the iranians can meet the challenge. i want to thank nick and bob for sharing their expertise with us this morning, an extremely good seminar on the iran nuclear issue. join me in expressing our appreciation for them. [applause]
12:08 pm
[inaudible conversations] as we leave this discussion, a quick reminder if you missed any of it you can watch it in its entirety at the c-span video library. go to c-span.org. the january jobs numbers were released this morning showing employers added 113,000 jobs last month. the associated press writing that hiring was weak in january for the second month, likely
12:09 pm
renewing the concern the economy might be slow going after a strong finish last year. people began looking for work in january and decided they were optimistic about finding work. some people found jobs, reducing the unemployment rate to 6.6%, and that is the lowest since october of 2008. that story from the associated press today. we could hear more about the report from president obama today during his appearance in lansing, michigan, speaking at an event hosted by michigan state university where the president will also sign the farm bill passed in the senate earlier this week. the president is expected to talk about what that means for jobs and innovation. michigan democratic senator debbie stabenow is the chair of the agriculture committee and you can see the remarks live beginning at 2:10 eastern on the companion network c-span.
12:10 pm
>> on the challenge of protecting credit cards and debit cards, the potential exposure we have is that people can actually get into our bank accounts or online transactions that we all do, more and more online banking and other services. that offers an area where there are very few protections at this point and almost unlimited liability for consumers. >> personal information is collected from consumers wherever they go, from the workplace to shopping for groceries, from smart phones to browsing the web at home. virtually every action involves the collection of information, some of it sensitive. many of the uses have clear benefits but the recent data breaches are a stark reminder that they also create risks for
12:11 pm
consumers. >> where we are sometimes out ahead is determining and looking at the data as it relates to the financial industries, and through partnerships that we have in the financial industry sector, they are able sometimes to bring us data that we are able to go through to find out where information is leaking into the criminal underground. so too, in the same way, some journalists are able to get some of that information.
12:12 pm
senior officials from the government's lead agencies investigating cybercrime testified on capitol hill earlier this week. the secret service's head cyber agent made his third appearance before congress on the recent security breaches at target and neiman marcus. he noted the u.s. trails others by still using magnetic stripes on credit cards, 1970s technology. congressman lee terry of nebraska is the chair of the hearing. [inaudible conversations] >> so good morning, everyone. we have two impressive panels to testify this morning. the first are our government witnesses. i will introduce you each as we go down, but i want to thank all of you for being here. the way we do it, some of you have
12:13 pm
testified before us before and others haven't. each side has basically ten minutes of opening statements and then we get right into your testimony. so i will begin my opening statement at this time, and i want to thank everyone for being here. today we are turning our focus to an important issue that has affected nearly one quarter of american consumers: a string of recent data breaches at nationwide retailers which resulted in the loss of consumer payment card data and personal information for millions of consumers. millions of consumers are seeking answers to questions about their personal and financial security. i'm grateful to both target and neiman marcus for agreeing to appear before the subcommittee today. it is my hope that they will be able to give the subcommittee as clear a view as possible of what transpired, what was being
12:14 pm
done to protect consumer information before the breaches, what steps have been taken to mitigate in the wake of these breaches and what more is being done and can be done to prevent such breaches in the future. we will also hear from public and private entities that participate in developing security standards, protecting data and taking enforcement actions against the criminals that perpetrate these crimes. our objective today is not to cast blame or point fingers. we don't blame the homeowner whose home is broken into. nevertheless, to ensure that breaches like this do not become the new norm, we must prevent these crimes to different degrees, including with the cooperation of government entities, and there is more that can be done, which is the reason for convening this hearing here today. already the u.s. accounts for
12:15 pm
47% of credit and debit card fraud losses worldwide while only accounting for 30% of the transactions. we need to be realistic and recognize there is no silver bullet that is going to fix this issue overnight. if we are to seriously address the problems surrounding consumer data security it will take thoughtful and deliberate actions in all stages of the payment chain. i don't believe we can solve the problem by codifying detailed technical standards or with overlaying cumbersome mandates. flexibility and nimbleness are attributes that are absolutely necessary in cybersecurity, and that run contrary to the government's abilities. we must encourage the private sector to keep improving on its consensus driven standards, which are built to adapt over time to changing threats to data security. while i have more of a
12:16 pm
statement, i would like to yield to mr. olson the remainder of the time. >> thank you mr. chairman, and to the witnesses for coming. as you all know, data breaches are a very serious matter. and let's remember on this issue that regardless of the measures taken to protect the data, the bad guys are always trying to find new ways to grab that data. we have to be right 24 hours a day, seven days a week, 365 days a year, 366 on leap year. as you see, they can access the data in less time than it takes to swipe a credit card. it's a tough battle. but it's a battle that we have to fight, a battle that we have to win. as we say in houston, failure is not an
12:17 pm
option. with that i yield back. >> thank you mr. chairman. i welcome the very distinguished panel. the issue of data security has been prominent in the public debate dating back to at least 2005, with 160,000 records acquired by hackers in the choicepoint data breach. over the last eight years, 660 million records have been made public through various data breaches. data breaches occur not just in commercial settings but also hospitals, educational institutions, banks and insurance companies. there is no doubt that every american could be at risk of a data breach.
12:18 pm
since the last hearing in july we have learned of several additional data breach incidents that occurred in 2013. the data breach incidents at target, neiman marcus and michaels are recent reminders of the dangers data breaches present to our economy. in our hearing last july, the subcommittee examined the issue of data breach notification, and what to do when data security has been compromised. while that issue is still of paramount concern, equal if not more attention should be given to how to prevent data breaches from occurring in the first place. major credit card carriers have created a data security standard for businesses that accept payment cards, called the payment card industry standards. i look forward to examining the best practices for today's economy and for the safety of the american people. since the choicepoint data breach, technology has evolved considerably. while the tactics have also
12:19 pm
evolved, so has the potential to provide greater security for americans at risk of a breach. i am pleased to have before us today a distinguished panel from the public and private sector with expertise and personal experience in these issues and i look forward to examining the issues before us today. >> the ranking member, ms. schakowsky, is recognized for her five minutes. >> i'm happy that we are having this important hearing on data security. i think it is of great concern to the public, who are probably watching carefully what happens here. as we discussed previously, i hope and expect that we will work together to address these issues. i thank all of the witnesses for being here but i would like to take a moment to pay special attention and give a special thanks to my friend, the illinois attorney general lisa madigan, who has been at the forefront since taking office in
12:20 pm
2003, leading several efforts at the state level to defend against cyber crime and prosecute those responsible. she is also leading an investigation into the target, neiman marcus and michaels data breaches, and i look forward, as we all do, to gaining from her perspective about how we can better protect data and inform consumers in the future. the threat of data breaches isn't new, and the clearinghouse has identified over 650 million records containing consumers' personal information that have been compromised through thousands of data breaches since 2005. nonetheless, the recent attacks at some of the country's most popular retail stores have given us all renewed motivation to address data security and breach notification. i think every one of the witnesses today and every member of the subcommittee wants to make sure that we do everything we can to reduce the risk of future massive data breaches. tens of billions of dollars each
12:21 pm
year are lost to cyber fraud and identity theft, threatening consumer credit and diverting law enforcement resources. the target breach alone could cost as much as $18 billion; analysts suggested the company itself could be on the hook for more than $1 billion in costs from fraud, and there are homeland security efforts i hope that we will hear about today. it's important to know that there is no foolproof regulatory scheme or encryption program to prevent, to totally prevent data breaches. they are incredibly innovative, and as soon as we invent and implement new technologies they are looking for new vulnerabilities. but the difficulty of protecting consumer data doesn't mean that we shouldn't do anything. there is currently no comprehensive federal law that requires companies to protect consumer data, nor is there a
12:22 pm
federal requirement that companies inform their customers in the event of a data breach. i think it is critical that this subcommittee move forward with legislation so that consumers are informed as soon as possible after a cyber theft is discovered. that legislation should be technology neutral, in my view, allowing the ftc and other regulatory agencies to update the requirements at the speed of innovation. in the 111th congress i was one of four original cosponsors of h.r. 2221, the data accountability and trust act offered by mr. rush. the bill was bipartisan and the chairman emeritus was a cosponsor. the bill had two major provisions. number one, any entity holding data containing personal information had to adopt what we said was a reasonable and appropriate security measure to protect such data, and number two, the same
12:23 pm
entity had to notify the affected consumers in the event of a breach. the basic requirements should be the basis for the data security and breach legislation coming out of this committee. i want to thank the witnesses for appearing today and i look forward to hearing from them about how we can better protect against cyber theft in the future and ensure that consumers are informed as soon as possible when those protections fail. and i yield back. >> you are recognized for five minutes and control your time. >> the recent data thefts of consumer information at well-known companies are a reminder of the challenges we face today with the digital economy. we are well aware of the benefits in instant communication and commerce. the evolution in technology increasingly allows consumers to purchase goods and services.
12:24 pm
despite the convenience and efficiency, the unfortunate reality is technology also facilitates the ability of criminals to commit identity theft and other serious crimes that can potentially injure far more consumers than what was eliminated as paper fraud in the dumpster. today the vast majority of transactions that they conduct are transmitted and stored in a connected environment, with every citizen having some digital footprint or profile. if the most sophisticated criminals are successful in infiltrating the databases, they certainly can gain access to the data on millions of individuals. as long as the reward is sufficient to attract criminals, the problem will not go away. congress recognized the importance of protecting this information as the crime of identity theft and financial fraud became more pervasive in the economy. it is the reason that we enacted
12:25 pm
laws specifically to address the sensitive consumer data that can be used by criminals for identity theft or financial fraud, including the gramm-leach-bliley act for financial institutions and hipaa. we've also empowered the ftc to address data breaches through section five, under which they have settled 50 data security cases. the federal government isn't the only layer of protection. a handful of state laws mandate security for the data of their citizens, and the private sector has developed extensive standards through the pci security council. yet breaches, identity theft and financial fraud continue, affecting virtually every sector from the federal government to merchants, banks, universities and hospitals. we must consider whether the current multilayered approach to data security, state law and industry self-regulation can be made more
12:26 pm
effective or whether we need to approach the issue differently. in short, the title of today's hearing is an appropriate question to ask: can data breaches be prevented? this is the right venue to discuss what businesses can reasonably do to protect data. equally important, we need to find ways to minimize or eliminate the ability of criminals to commit fraud with the data that they acquire. we need to have peace of mind that government, law enforcement officials and private industry are doing what is necessary to protect the public from future breaches, and i will yield the balance of my time. >> we are pleased to have you here. privacy and data security is something that we are hearing about more and more from our constituents. who owns the virtual you, which is you and your presence online? who has the rights to that? and i hope that from listening
12:27 pm
to you all and talking with you today we can gather some information to add to the work that we have been doing in our bipartisan privacy and data security working group here at the committee. what our constituents want to do is figure out how to build out this toolbox that will allow them to protect themselves online. they want to know what you're doing to provide the assurance of data security. what are those protocols? they want to know what the process will be, and kind of a standard business process for data breach notification. what are the expectations? and then they want both the private sector and the government to meet and fulfill those expectations. so, you have experienced some lessons learned and you have made some mistakes.
12:28 pm
you are learning from those mistakes, and we are looking at how we take the rules on the books in the physical space and apply that to the virtual space and encourage commerce and the interaction, transaction and movement of data and commerce. i will yield back the balance of my time. >> mr. johnson, you are recognized for ten seconds. >> as a 30-year it professional myself before coming to congress, including the director of the special operations command, i can tell you i understand the complexities of data security and how complex it is. i'm looking forward to hearing from you today on what we can do to position both our commercial sector and our public sector to handle this problem. >> that concludes our time and
12:29 pm
now, before i officially recognize mr. waxman, the ranking member of the full committee, who made a surprise announcement wednesday that stunned all of us that he is going to conclude his time with congress at the end of the session, i just want to thank him for his 40 years of service to the united states congress and to the people of california and the united states, and a job well done. we may not agree on everything, but you are passionate and zealous and you are very involved and you command respect from everybody, henry. and you are recognized for five minutes. >> thank you for your kind words and for holding this hearing today. the victims of a series of troubling cyber attacks on retailers are going to tell us today about their experience and we want to
12:30 pm
evaluate how businesses and government can better protect the security of consumers personal information. .. who stayed at hotels under various brand names including hilton, marriott, sheraton and westin.
12:31 pm
given these constant security threats, i hope that today's hearing will provide us with the facts necessary to chart a path forward where consumers can be more confident that companies will keep their data safe. the unprecedented scope and scale of these breaches is alarming. it affects the confidence of consumers who rely on retailers, banks, and payment card processors and networks to safeguard their personal information, including their credit card and debit card information. millions of americans have had to contend with fraudulent charges on their financial statements, identity theft schemes in which criminals open phony accounts in their names, and the fear and uncertainty of how criminals may use their information next. there are many unanswered questions about these recent attacks, including how they were carried out and, of course, who
12:32 pm
is responsible. these breaches also raise important questions about how well the industry polices itself, whether these companies responded to early warnings and whether they notified consumers in a timely manner. we also need to understand the appropriate federal role in both data security and breach notification. nearly all u.s. states and territories now have laws that require notice to their own residents when a data breach occurs. the effectiveness of these laws varies greatly, but several are quite strong, ensuring that consumers receive prompt, adequate, and clear notification when their personal information is breached and providing them with resources to protect their financial well-being. they could be a model for a minimum federal requirement. after-the-fact breach notification is only part of what is needed. the private sector must also
12:33 pm
take stronger steps to safeguard personal information. there could be a federal role in ensuring they're proactive. there will always be bad actors that will try to compromise large databases and obtain financial information that can be leveraged for financial gain. we need effective law enforcement to stop them. we need to make sure that companies are doing enough to prevent breaches because consumers are paying the price. protecting consumer data needs to be priority number one. i look forward to the witnesses' testimony and to our discussion today of this important topic. i thank the witnesses for being here. i want to apologize in advance because there is another subcommittee that's meeting simultaneously with this one and i have to be at that subcommittee as well. but we're looking forward to your testimony. in the short time i have left, does anybody on the majority wish to take the 7, 6, 5, 4 seconds?
12:34 pm
if not, mr. chairman. >> you said majority? were you talking -- >> did i say majority? i'm always looking to the future, mr. chairman. and i thank you for your kind words and i, of course, i'm going to be here until december. so, we'll all be able to work together some more. thank you. >> very good. thank you, henry. time to introduce our first panel. edith ramirez is the chairwoman --, edith ramirez, chairwoman, federal trade commission. thank you for your second appearance before this committee. lisa madigan, attorney general for the state of illinois. thank you for coming. william noonan, deputy special agent, criminal investigation division, cyber operations, united states secret service, and i said it all in one breath. mr. noonan, thank you for your appearance here today.
12:35 pm
lawrence zelvin, director, national cybersecurity and communications integration center, department of homeland security. we always go from my left to right. so we'll start with chairman ramirez. you are now recognized for your five minutes. >> thank you. chairman terry, ranking member schakowsky and members of the committee, thank you for the opportunity to appear before you to discuss the federal trade commission's data security enforcement program. we live in an increasingly connected world in which vast amounts of consumer data are collected. as recent breaches at target and other retailers remind us, this data is susceptible to compromise by those that seek to exploit security vulnerabilities. this takes place against the background of the threat of identity theft, which has been the ftc's top consumer complaint for the last 13 years. according to estimates of the bureau of justice statistics, in
12:36 pm
2012 this crime affected a staggering 7% of all people in the united states age 16 and older. the commission is here today to reiterate its bipartisan and unanimous call for federal data security legislation. never has the need for such legislation been greater. with reports of data breaches on the rise, congress needs to act. we support legislation that would strengthen existing data security standards and require companies in appropriate circumstances to notify consumers when there is a breach. legislation should give the ftc authority to seek civil penalties where warranted to help ensure that ftc actions have an appropriate deterrent effect. it should also provide rule-making authority under the administrative procedure act and jurisdiction over non-profits, which have been the source of a large number of breaches. such provisions would create a
12:37 pm
strong, consistent standard and enable the ftc to protect consumers more effectively. using its existing authority, the ftc has devoted substantial resources to encourage companies to make data security a priority. the ftc has brought 50 civil actions against companies we alleged put consumer data at risk. we have brought these cases under our authority to combat deceptive and unfair commercial practices as well as more targeted laws such as the gramm-leach-bliley act and the fair credit reporting act. in all these cases the touchstone of the commission's approach has been reasonableness. a company's data security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations and the cost of available tools to improve security and reduce vulnerabilities. the commission has made clear that it does not require perfect
12:38 pm
security, and the fact that a breach occurred does not mean that a company has violated the law. significantly, a number of ftc enforcement actions have involved large breaches of payment card information. for example, in 2008, the ftc settled allegations that security deficiencies of retailer tjx permitted hackers to obtain information about tens of millions of credit and debit cards. to resolve these allegations, tjx agreed to institute a comprehensive security program and to submit to a series of security audits. at the same time, the justice department successfully prosecuted a hacker behind the tjx and other breaches. as the tjx case illustrates well, the ftc and criminal authorities share complementary roles. ftc actions help ensure on the front end that businesses do not put customers' data at
12:39 pm
unnecessary risk, while criminal enforcers help ensure cyber criminals are caught and punished. this dual approach to data security leverages government resources and best serves the interests of consumers. to that end, the ftc and criminal enforcement agencies have worked together to coordinate our respective data security investigations. the ftc appreciates the work of our fellow law enforcement agencies at the federal and state level. in addition to the commission's enforcement work, the ftc offers guidance to consumers and businesses. for those consumers affected by recent breaches, the ftc has posted information online about steps they should take to protect themselves. these materials are in addition to the large stable of other ftc resources we have for i.d. theft victims, including an i.d. theft hotline. we also engage in extensive policy initiatives on privacy and data security issues. for example, we recently conducted workshops on mobile security and emerging forms of i.d. theft such as child i.d.
12:40 pm
theft and senior i.d. theft. in closing, i want to thank the committee for holding this hearing and for the opportunity to provide the commission's views. data security is among the commission's highest priorities and we look forward to working with congress on this critical issue. thank you. >> thank you, chairwoman. now, the gentlelady from illinois, ms. madigan, you're recognized for five minutes. >> thank you, chairman terry, ranking member schakowsky and members of the subcommittee. i appreciate the opportunity to testify on this important issue. addressing data breaches and preventing them is critical to our financial security and our economy. over the past decade we have faced an epidemic of data breaches that has affected almost every american and inflicted billions of dollars of damage on our economy. we have become accustomed to their occurrence, but the recent target breach is a wake-up call that the government and private
12:41 pm
sector need to take meaningful actions to curb this growing problem. i will explain the impact data breaches have on consumers, the role states play in responding to breaches, the data security lapses we've seen in the private sector and the steps the private sector and government can take to prevent future breaches. since 2005 there have been over 4,000 data breaches nationally and 733 million records compromised. the amount of money lost because of identity theft is also sobering. in 2012 it was $21 billion. over the last year alone the number of complaints my office received on data breaches has jumped more than a thousand percent. consumers are harmed primarily in two ways. first, an increased likelihood of unauthorized charges on their existing accounts, and second, they're more likely to become victims of more costly identity theft. they must constantly monitor their financial accounts for unauthorized charges. when they discover them, they
12:42 pm
notify debit and credit card issuers, close accounts and wait for new cards to arrive. for consumers with automatic bill pay, that means alerting companies about the new account numbers to prevent late fees. those are the easy situations. victims of identity theft can spend months reporting instances of fraud to credit card companies and credit bureaus. identity theft takes a variety of forms. while it most commonly affects consumers' financial accounts, identity thieves use consumer information to open utility accounts and obtain medical treatment and prescription drugs. all of these things can happen simply because a consumer shared their sensitive data in the usual course with a business, medical provider or the government. the states have been inundated with consumers who need help with identity theft damage. i created an identity theft unit and hotline back in 2006.
12:43 pm
since then we've received more than 40,000 requests for assistance and helped remove $26 million worth of fraudulent charges for illinois residents. in addition to this direct consumer assistance, my office also conducts investigations of data breaches, to confirm that companies complied with state laws by notifying consumers of breaches within a reasonable time and to ensure that companies suffering breaches took reasonable steps to protect their consumers' sensitive data from disclosure. my office, along with the connecticut ag's office, is currently leading multi-state investigations into breaches that have affected millions of target, neiman marcus and michaels customers. during prior breach investigations we have found instances where companies failed to take basic steps to protect consumer data. so the notion that companies are already doing everything they can to prevent breaches is false. we have found repeated instances where breaches occurred because companies allowed consumer data to be maintained unencrypted, failed to install security patches for known software vulnerabilities and retained
12:44 pm
data for longer than necessary. the recent breaches have also led to discussions about security technology that was available but not deployed for reasons that allegedly range from high cost and increased checkout times to disputes between banks and retailers. frankly, it is negligent that the united states is behind the rest of the world when it comes to the security of our payment networks, and it is the main reason that u.s. consumers' information is targeted by criminals. it is past time for the private sector to take data security seriously. consumers are rapidly losing confidence in companies' ability to safeguard their personal information. based upon our experiences at the state level, i recommend that congress take the following actions. first, pass data security and breach notification legislation that does not preempt state law. second, congress should also recognize that the federal government should assist the private sector in the same manner it already does in other critical areas. congress should give an agency responsibility and authority to investigate large, sophisticated
12:45 pm
data breaches in a manner similar to ntsb investigations of aviation accidents. finally, please remember that states have been on the front lines of this battle for a decade. illinois residents appreciate the important role my office plays and they're not asking for our state law to be weakened by preemption, but they are panicked and they are angered that companies are not doing more to protect their personal and financial information and prevent these breaches from occurring in the first place. i'm happy to answer any questions you have. thank you. >> thank you, general madigan. now mr. noonan, you are recognized for your five minutes. >> good morning, chairman terry, ranking member schakowsky and distinguished members of the subcommittee. thank you for the opportunity to testify on behalf of the department of homeland security regarding the ongoing trend of criminals exploiting cyberspace to obtain sensitive financial and identity information as part of a complex criminal scheme to defraud our nation's payment systems. our modern financial system
12:46 pm
depends heavily on information technology for convenience and efficiency. accordingly, criminals motivated by greed have adapted their methods and are increasingly using cyberspace to exploit our nation's financial payment systems to engage in fraud and other illicit activities. the widely reported data breaches of target and neiman marcus are just recent examples of this trend. the secret service is investigating these data breaches and we're confident we'll bring the criminals responsible to justice. however, data breaches like these recent events are part of a long trend. in 1984 congress recognized the risks posed by the increasing use of information technology and established 11 usc, sections 1029 and 1030, through the comprehensive crime control act. they define misuse of computers as federal crimes and explicitly assigned the secret service authority to investigate these crimes. in support of the department of homeland security's mission to
12:47 pm
safeguard cyberspace, the secret service investigates cybercrime through the efforts of our highly trained special agents and the work of a growing network of 33 electronic crimes task forces, which congress assigned the mission of preventing, detecting and investigating various forms of electronic crimes. as a result of our cybercrime investigations over the past four years, the secret service has arrested nearly 5,000 cyber criminals. in total these criminals were responsible for over a billion dollars in fraud losses and we estimate our investigations prevented over $11 billion in fraud losses. data breaches like the recently reported occurrences are just one part of a complex criminal scheme executed by organized cybercrime. these criminal groups are using increasingly sophisticated technology to conduct a criminal conspiracy consisting of five parts. one, gaining unauthorized access to computer systems carrying
12:48 pm
valuable, protected information. two, deploying specialized malware to exfiltrate the data. three, distributing or selling the sensitive data to criminal associates. four, engaging in sophisticated and distributed frauds using the sensitive information that was obtained. and five, laundering the proceeds of their illicit activity. all five of these activities are criminal violations in and of themselves, and when conducted by sophisticated transnational networks of cyber criminals, this scheme has yielded hundreds of millions of dollars in illicit proceeds. the secret service is committed to protecting the nation from this threat. we disrupt every step of their five-part criminal scheme through proactive criminal investigations and defeat these transnational cyber criminals through coordinated arrests and seizure of assets. foundational to these efforts are our private industry partners as well as the close partnerships that we have with state, local, federal, and
12:49 pm
international law enforcement. as a result of these partnerships we are able to prevent many cybercrimes by sharing criminal intelligence regarding the plans of cyber criminals and to minimize financial losses by disrupting their criminal scheme. through our department's national cybersecurity and communications integration center, the secret service also quickly shares technical cybersecurity information, while protecting civil rights and civil liberties, in order to allow organizations to reduce their cyber risks by mitigating technical vulnerabilities. we also partner with the private sector and academia to research cyber threats and publish information on cybercrime trends through reports such as the carnegie mellon insider threat study, the verizon data breach study and the trustwave global security report. the secret service has a long history of protecting our
12:50 pm
nation's financial system from threats. in 1865 the threat we were founded to address was that of counterfeit currency. as our financial payment system has evolved from paper to plastic and now to digital information, so too has our investigative mission. the secret service is committed to protecting our nation's financial system even as criminals increasingly exploit it through cyberspace. through the dedicated efforts of our electronic crimes task forces and by working in close partnership with the department of justice, in particular the criminal division and the local u.s. attorney's offices, the secret service will continue to bring cyber criminals that perpetrate major data breaches to justice. thank you for the opportunity to testify on this important topic and we look forward to your questions. >> thank you, mr. noonan. mr. zelvin, you're recognized for your five minutes. >> chairman terry, ranking member schakowsky, members of the subcommittee.
12:51 pm
thank you for the opportunity to be here before you today. in my brief opening comments i'd like to highlight dhs's and the ncic's role in preventing, responding to and mitigating cyber incidents and discuss our activities during the recent point of sale compromises. i hope my remarks will underscore the importance of maintaining close partnerships to reduce continuing vulnerabilities, protect against future attacks and mitigate the consequences of incidents that have already occurred. the importance of leveraging these complementary missions has been consistently demonstrated over the last several years and is an increasingly critical part of the broader framework used by the government and private sector to cooperate in responding to malicious cyber activity. as you well know, the nation's economic vitality and national security depend on a secure cyberspace where reasonable risk provisions can be made and the flow of goods and cyber transactions
12:52 pm
can be made safely and reliably, so we can discover, address, and mitigate cyber threats and vulnerabilities. it is increasingly clear that no single country, agency, company or individual can effectively respond to the ever rising threats of malicious cyber activity alone. effective responses require a whole-of-nation effort, including close coordination among the ncic, the secret service, the department of justice to include the federal bureau of investigation, the intelligence community, agencies such as the department of treasury, private sector entities, which are simply critical to these efforts, and state, local, tribal, territorial and international governments. in carrying out its particular responsibilities the ncic promotes cybersecurity, which enables diverse partners to quickly share cybersecurity information while protecting individual privacy, civil rights and civil liberties. as you may know, the ncic is a civilian organization that
12:53 pm
provides an around-the-clock center where key government, private sector and international partners work collaboratively together in physical and virtual environments. the ncic is comprised of four branches: u.s. cert, industrial control systems, the national coordinating center for communications, and the operations integration component. in response to the recent retailer compromises the ncic leveraged the resources and capabilities of u.s. cert, whose mission focuses on computer network defense, including protection, mitigation, response and recovery activities. in executing that mission it regularly publishes technical and non-technical information products assessing the characteristics of malicious cyber activity and improving the ability of organizations and individuals to -- risk. when appropriate, all ncic components have an on-site capability that can assist owners and operators at their facilities. in addition, u.s.
12:54 pm
cert's global partnership with other certs worldwide works with analysts across international borders to develop a comprehensive picture of malicious cyber activity and mitigation options. they can share in machine readable formats using the structured threat format known as stix, which is being implemented and utilized. in some of the recent point of sale cases the ncic analyzed data provided by the secret service and other technical data and used the findings in part to create information sharing products. the first product, which is publicly available on the u.s. cert web site, provides a non-technical overview of the risks of point of sale systems along with recommendations on how businesses and individuals can better protect themselves and mitigate their losses in the event an incident has already occurred. other products are more limited in distribution; they're meant for cybersecurity professionals in that they provide detailed technical analysis and mitigation recommendations to better enable experts to protect,
12:55 pm
discover, respond and recover from events. as a matter of strategic intent, the ncic goal is always to share information as broadly as possible, which includes delivering products tailored to specific audiences. these efforts ensure actionable details associated with major cyber incidents are shared with the right partners so they can protect themselves, their families, their businesses and organizations quickly and accurately. in the case of the point of sale compromises we especially benefited from the close coordination of the financial services information sharing and analysis center, or fs-isac. in particular, the payments processing information sharing council is particularly useful; it provides a forum for sharing information about fraud, threats, vulnerabilities and risk mitigation in the payments industry. in conclusion, i want to again highlight that we at dhs and the ncic work to enhance security across cyberspace and the information technology enterprise, while executing these tasks ever mindful of respect for privacy, civil liberties and the law. i look forward to the
12:56 pm
opportunity to speak with you today and appreciate your questions. >> thank you, mr. zelvin. that concludes your testimony and begins our questions. each member has five minutes for questions. and i get to go first. jan is second. mr. noonan, you mentioned that part of the secret service's job is to investigate when a breach has occurred like this. is the secret service involved in an investigation into what happened at both target and neiman marcus and other entities? >> yes, sir. we are involved in the criminal investigation of the target breach as well as the neiman marcus case. >> and so far what have you been able to find out that you can communicate to us? >> what we can determine at this
12:57 pm
point is that the criminal organizations that we're looking at and pursuing are highly technical, sophisticated criminal organizations that study their targets and use sophisticated tools to be able to compromise those various systems. >> and the breach at target and neiman marcus, we've read through the news reports, was from a sophisticated criminal entity, as you mentioned in your investigation. does your investigation also then go into how they exploited each of those major retailers' data? >> yes, sir. >> and what did you find out? >> it is still an ongoing, coordinated investigation which we're working on right now. however, we do know that the malware, at this point in our investigation, is not the same
12:58 pm
criminal tools being used at either one of those locations. >> so there are distinct, separate attacks. >> yes, sir. >> by separate, distinct, different criminal organizations? >> we're working on that part right now, sir. >> okay. in your investigations do you assess whether each of the, say, target's or neiman marcus's cyber standards or their cyber plans were adequate or inadequate or vulnerable? >> the secret service does a criminal investigation and again we're continuing to go after the criminal organizations that are perpetrating these. both neiman marcus and target do use robust security plans in the protection of their environment, and it comes back to the criminal actors going after the pot of gold or whatever they can monetize. so as good as security factors
12:59 pm
are, these criminal organizations are looking at ways to go around whatever security apparatuses have been set up. so these were very sophisticated, coordinated events. it was not necessarily from a singular actor. it's a coordination of -- >> okay. >> pieces that were used to do these intrusions. >> mr. zelvin, is your organization, the ncic, have you looked at or assessed cybersecurity at entities that have been hacked? >> mr. chairman, we have not. we've been working closely with the secret service on identifying the malware that had been used in these incidents, doing analysis and sharing that with our partners across both the public and private sector, but i can tell you that the malware as we've seen it, as bill has said, is incredibly
1:00 pm
sophisticated and could be challenging even to the most robust security. >> what makes it specifically more sophisticated than what we've seen before? mr. noonan. >> sure, sir. what we've seen actually in the development of the malware is that it is not an off the shelf type of malware that is utilized. what makes these targeted attacks unique is that the criminals are modifying and molding specific types of malware to fit whatever network or intrusion set they're going after. >> so it was specifically designed for that, for target? and a different one specifically designed for neiman marcus? >> whatever security platforms are available. yes, sir. >> wow, that is interesting. ...
1:01 pm
business community wants to go that way, we look forward to working with them. >> you would be the umbrella organization to help? >> isacs are public-private partnerships and we have worked with them for quite some time, so it's a model that we are accustomed to using. >> there may be a few people in this audience who don't know what an isac is. can you tell us what the advantage is?
1:02 pm
>> the information sharing and analysis centers are predominantly around the infrastructures of transportation, energy, finance, health. there are a number of them and it allows us, in a public and private way, to get up to thousands of companies in sharing information in both directions. so it is a growing community that allows us to get the cyber professionals to talk to people that do that work. >> it's my pleasure to recognize the ranking member of the subcommittee, ms. schakowsky. >> let me say to mr. zelvin, i'm sure that the chair would agree, that we appreciate our visit that we did this week in preparation for the hearing and the very impressive work that you're doing. i wanted to ask the attorney
1:03 pm
general madigan a couple questions. you alluded to the illinois law, the personal information protection act, that followed the choicepoint breach in 2005. i believe you were here talking about that as well. >> we require financial institutions and operators, government agencies, to disclose data breaches, and the law says in the most expedient time possible and without unreasonable delay. how does your office determine what that is? >> in every circumstance we are going to look at what is taking place, but we are also going to be cognizant of what the company or the entity needs to do with ensuring that they have maintained the integrity of the
1:04 pm
system and they put security in place, and if there are ongoing investigations we certainly don't want to compromise those, so we will wait in terms of requiring the notification. but as we have learned over the years, and there are studies and reports that demonstrate this, the sooner an individual is notified that their information has been compromised, the less likely they are to face any sort of unauthorized charges or a full account takeover, which will cost them a lot of money. so it is a case-by-case basis, and obviously the sooner we can make sure that consumers are notified, the better off everybody is in terms of the damage that is going to be done to them individually and the loss to the economy. >> so the language is kind of general but you make a decision on a case-by-case basis in terms of notification. >> we work with the companies to see where they are in the process once we are alerted to
1:05 pm
the fact that breaches have taken place, and we are always aware of the work other law enforcement agencies are doing in terms of the criminal investigations. the investigations we do are to make sure -- >> have you found companies that have not used the most expedient time possible or have unreasonably delayed? >> we always look at it, and there are questions really on any side because i think there's a great concern many companies legitimately have about the hit it's going to take to their public image, so there have been times people could move faster and we work with them to make sure that they actually get out that notice. we have not fined anybody for that. >> you mentioned preemption and i want to ask how important it is that illinois and other
1:06 pm
states maintain the right to require the disclosure of data breaches as quickly as possible and other enforcement mechanisms. >> i think every state official would say it's very important. obviously over the last ten years the states have been able to be, as we like to say and as you can appreciate, the laboratories of innovation. when we see people coming to us because they are victims of identity theft, we need to respond by making sure they are notified when their personal information is accessed and compromised, and we needed to be able to respond to make sure companies were going to be putting in place stronger security measures. it's a protection for the personal data and yet you cited that as a problem. who should do that then? >> you have a number of states putting the requirement in the
1:07 pm
security and i'd have to say, looking back over the investigations we have done in the data breaches, it's clear that that has to be done because we like to talk about best practices, but the reality is oftentimes when we are doing the investigations we repeatedly see that information that is personal and sensitive financial information is being maintained. we have seen situations where literally the information is obtained because documentation containing this information is thrown into a dumpster and people have used that for a list of purposes. so there is a minimum standard, and i think that, as the chairman did a good job explaining, on a case-by-case basis and depending on the sensitivity of information we have to have increasing standards required. >> my time is up, but i look forward to working with all of you to figure out what is the
1:08 pm
appropriate congressional response. >> we now recognize the chairman emeritus for your five minutes. >> i want to thank the ranking member for holding this hearing, and this is i think a potentially very important hearing because this is one of the few things that republicans and democrats both agree on as a problem, and i think we may be able, with your leadership, to reach agreement on what a solution might be, so this is one of those days that something might actually happen as a result of a congressional hearing. i'm the cochairman of the privacy caucus in the house along with congresswoman diana degette and ms. schakowsky, and most of the members of the subcommittee are members. the gentle lady to my right is the chairwoman of a task force that mr. terry and mr. upton have put together on privacy. so you have lots of people here that are listening closely to what you folks say.
1:09 pm
my question is a general question and i'm going to start with the chairwoman of the federal trade commission. do you think it's possible to legislate and eliminate or at least severely restrict data theft? >> there is no perfect solution, but it's clear to me that congressional action is necessary, and i think it would be helpful if there were a robust federal standard when it comes to data security as well as a robust standard on breach notification, and i think it is time for the congress to act. >> do the other panel members agree? i thought you might disagree. >> as long as you don't completely preempt us. >> mr. noonan? >> from the law enforcement approach we believe any notification, perhaps to the law enforcement jurisdiction, would
1:10 pm
assist in this effort as well. as we work across the nation and the globe strengthening the ability of information sharing, it is often difficult to get the companies to share information with us because there is no statutory basis and they tend to be on the conservative side. promoting and establishing the adoption of cybersecurity standards would be very helpful, codifying the authorities to help secure the critical infrastructure, and national data breach reporting. we can't understand them if we don't know about them, so those are some of the things that would be helpful. >> the instance with neiman marcus and target also occurred when a criminal came into their
1:11 pm
store and used a credit card that in fact -- infected the system at the point of purchase. if we went to some sort of -- is it possible in the current technology to prevent that type of theft -- i see a lot of blank looks. >> the breaches that we are talking about in neiman marcus and target were done by people infiltrating the system in the computer network. >> i thought they came in with a card. >> it's difficult to decide and again these are very complex, sophisticated criminals and they have inserted the code into the system that was able to collect. >> so they did it by penetrating the system from outside through
1:12 pm
a computer link, not by a card that they insert. >> the investigation at this point is indicating it's from transnational criminals from outside of the borders of the united states. >> i would hope, since everybody agrees this is a problem and the federal government should legislate, we can come up with a best practice set of recommendations to present to the committee and then let us, in the only way that we can, try to move on something hopefully in this congress. with that i am going to yield back 34 seconds to the chair. >> thank you very much. the chair recognizes the dean of the congress, mr. dingell of michigan. >> you are always courteous and i commend you for holding this important hearing. i think that we can all agree the breaches at target and
1:13 pm
neiman marcus were tragic. we have a duty to protect consumers from events like this in the future. we must pass data security legislation. similar legislation has been proposed and the congress must act, and we must ensure such legislation makes its way through. whatever the witnesses may wish to share with us, all of my questions this morning will be addressed to the chair. the written testimony indicates the commission enforces the federal data security statutes such as gramm leach bliley, the fair credit reporting act, the privacy protection act.
1:14 pm
do any of these require the entity whose collection of personal identification has been breached to notify customers, yes or no? that is needed, i would assume? >> absolutely. >> now similarly, to notify the federal trade commission or law enforcement in general of such a breach, yes or no? madam chair, should the congress enact a federal data security breach notification law, yes or no? >> yes. >> under such a law, should entities be exempt from the breach notification if they are already in compliance with
1:15 pm
glba, yes or no? >> no. >> should such a law be administered by one federal agency or by a collage of agencies? >> one agency. >> now, that should be the federal trade commission because of its long expertise, do you agree? >> i would agree. >> should the federal data security breach and notification law prescribe requirements for data security consistent with the reasonableness standard already employed at the commission, yes or no? >> yes. >> should they be expanded? >> should that be expanded? >> there should be a robust
1:16 pm
federal standard. >> i would ask you to contribute to the record information on that view if you please. i ask unanimous consent that it be inserted at the appropriate time. >> without objection. >> madam chair, should such a law contain content requirements and timeliness requirements, yes or no? >> yes. >> wouldn't work very well without that, right? >> should a comprehensive data security breach notification law require an entity suffering a breach to provide free credit monitoring services to affected consumers for a period of time, yes or no? >> yes, with limited exceptions. >> do you have the authority to do that now? >> no. i think it would be appropriate
1:17 pm
in the requirement with limited exceptions. >> madam chairman, i note -- was asked this, should a violation of the law be treated as a violation of a rule promulgated by the federal trade commission under the federal trade commission act, yes or no? >> yes. >> would you please submit additional comments on that point to the director? >> absolutely. >> now should such a law be enforceable by the state attorneys general, yes or no? >> yes. >> should such a data security and breach notification law, yes or no? >> if the standards are robust enough, yes. >> would you submit additional information please? >> yes. >> given advances in criminal ingenuity, which seems to be moving forward almost with the speed of light, as potential
1:18 pm
in the future, should any statutory definition of the term personal information included in a comprehensive federal data security breach notification law be sufficiently broad to protect consumers, yes or no? >> yes. >> i want to thank you for your kindness to me this morning. i urge the committee to work with the federal trade commission to address comprehensive federal data security and breach notification legislation. i believe this should be done in a bipartisan fashion and i think that the democrats and republicans can work together on this purpose. i would note such legislation on data theft hopefully will serve to reduce it and better protect consumers. again i thank you, mr. terry, for your courtesy to me and
1:19 pm
i appreciate your holding this hearing. thank you for your courtesy. >> well done and actually entertaining. so thank you, mr. dingell. you are now recognized for five minutes. >> thank you, mr. chairman. i think i want to start with you for a moment. you said in your testimony never has the need for legislation been greater. so taking that statement, it could mean the companies who suffered the breaches did not use reasonable measures to protect consumer data. so, if that is your statement, then is the ftc involved in the forensic investigation regarding target, neiman marcus, adobe, the hotel chains, all of these breaches?
1:20 pm
>> i'm afraid i can't discuss any particular companies or whether the ftc is involved in any particular investigation, but let me explain what i meant by that statement. i meant it as a general statement reflecting what we are seeing in the marketplace, and that is that companies continue to make very basic mistakes when it comes to data security. and our role at the ftc is to protect consumers and make sure the companies take reasonable and appropriate measures to protect consumer information. >> let me stop you right there. you are saying that's not due to these -- this group but the cause in general, so you are basically working your testimony with me on this. it's not that these specific breaches show that there has never been a greater need. you need to submit a bit of clarification.
1:21 pm
i want to move on. i have three minutes and 14 seconds and about five pages of questions. so submit it. i would also like for you to talk about or submit to us what is the reasonableness standard you have referenced. there are several different kinds, but i have not seen a reasonableness standard in writing. so what are you referencing? >> we take a process-based approach to this question, and technology is changing very rapidly. the threats companies face are also evolving rapidly, so we think the appropriate way to proceed in this regard is to focus on whether companies are looking very closely at the threats to which their businesses are exposed and whether they are setting up reasonable security programs and putting those in place. if i may, it is a very fact specific inquiry and a reasonableness standard. >> i can appreciate that but i
1:22 pm
think, to use the term repeatedly, we need to know what your definition of reasonableness would be. But let me come to you, Mr. Zelvin. We hear the Chairwoman say you're not doing this or that. How quickly do the cyber criminals' methods evolve? You send out updates daily, weekly, monthly. How quickly is the evolution of this? >> The evolution is incredibly fast, and we are learning with each incident of the complexity. They are moving very quickly into sophistication, and we are in the chase to keep up with them. >> Back to you. The companies simply, and I'm quoting you, fail to
1:23 pm
employ available, cost-effective security measures to minimize or reduce the data risk. I want you to give examples of the kind of measures the companies failed to use, because we hear from Mr. Zelvin how quickly this evolution is taking place, and the need for flexibility, and then we hear you saying you have to do this and we have taken these efforts. So we are looking at what legislation would look like. We have to realize that it's got to be nimble. You are saying you want something, but then you are not giving us specific examples of what you think people have failed to do. I hope you are understanding we have a bit of a gap.
1:24 pm
Go ahead. >> I think the approach recommended for legislation is one of reasonableness, and we think that is an appropriately flexible standard that will allow for nimble action. To give you an example, in our experience companies continue to make very simple mistakes when it comes to data security. We also have data that corroborates this, including the Verizon data breach security report that Mr. Noonan referenced in his remarks. To give you a few examples, these mistakes include the routine failure to use strong passwords, failure to encrypt personal information, and failure to update security patches. It's these mistakes that we encounter frequently. >> So it is in the consumer and not company failures.
1:25 pm
>> The gentleman is recognized for his five minutes. >> Thank you, Mr. Chairman. The technology that we use is not the best. Is that true, Chairwoman Ramirez? The technology that is now being used in Europe has had better success preventing fraud and theft, right? >> We don't recommend any particular technology. We think the technology ought to be neutral, and that being said, we certainly would support any steps that are taken to update the payment card system and to protect or better protect consumer information. >> Are we still using the 1970s technology, General Madigan, is that your understanding? >> That is accurate, and so that puts us behind virtually every
1:26 pm
other country in the world in terms of the security of the payment system. >> So there is a responsibility on the card issuer to update the technology to the standards that are being employed in Europe; is that correct? >> That is correct, and when you look at the amount of fraud losses in the other countries where the technology is used, you can see the levels of fraud have decreased significantly, around 50%. The chip and PIN technology won't completely eliminate the fraud or breaches, but it should curb the amount that we currently see. >> What I understand now is that Visa and MasterCard have the chip and PIN technology for the payment cards. Do you think it would be problematic if Visa and MasterCard decided to abandon the chip card, given that the PINs enhance
1:27 pm
security? >> I think it makes sense to use them, and people can obviously change their PIN as they change their password. >> You have a responsibility for maintaining the system, and obviously it is extraordinarily important to our merchants and to our banks and consumers. >> Would you pull the mike a little closer? >> Sure. The Secret Service doesn't have a metric to measure here in the United States; it isn't readily used. However, the Secret Service does support any technology which would assist in the security of that. >> The chip and PIN technology that is deployed in Europe has been much more successful in reducing fraud. >> It could give another level of security which, again, makes it more difficult for criminals to get at the data. I am not saying that it's the
1:28 pm
solution. Of course there is not a 100% solution, a technological solution. >> Is it better technology than the 1970s-era magnetic swipe card; correct? >> That is a 30-year technology. >> How about you? >> I agree with Mr. Noonan and the other panelists. There are other challenges as well: people using their phones for payment, using your computer and laptop for payment. So having that extra security on the card itself would be helpful, but we have to look at other things as well. >> Going back to you, Chair Ramirez, there would be a standard that we can't pick winners and losers on technology, so what would be sort of a concrete step that Congress could take that would be practical and effective in improving the status quo? >> I think Congress taking action alone would be an
1:29 pm
important statement, but we advocate a reasonableness standard along the lines of what the FTC has in place with the Safeguards Rule, and I would be happy to work with the committee on these issues, and my staff is available to do that. >> It sounds like as a legislative body we can't prescribe what the technology is; we have to let the industry figure that out and at least set a higher standard, but on the other hand you need some flexibility if the steps are being taken or not taken that could enhance security for consumers and merchants. >> I think what you said is important, and that is one of the reasons we are requesting that the FTC have rulemaking authority to implement legislation, to take into account the evolution and changes when it comes to technology. >> Would this be helpful on the privacy breaches as well? If these are going in to get monetary value but they are in
1:30 pm
enough with Social Security numbers and things that can be used in identity theft, so the better security would have helped not only with the economic loss but with the identity theft as well. General Madigan, I will ask you and then -- >> Absolutely. Obviously what we see is when people's personal information is taken it's used to commit identity theft, but it can certainly be used not just in financial identity theft but in other types of identity theft. >> I see my time is up. Mr. Chairman, this is a great panel. >> We now recognize the gentleman from New Jersey, the vice chair. >> Thank you, Mr. Chairman. Mr. Zelvin, the recent Wall Street Journal article reported the software virus injected into Target's payment devices couldn't be detected by any known antivirus software; is that accurate?
1:31 pm
>> It is. >> Can you elaborate on that? >> Most of the systems use signature-based detection, so they look for known problems. There is a technical formula we put into the machine that says you told me to look for this, and in some cases there were intrusion prevention systems that prevented that malicious event from getting to the endpoint. In this case it looks like the criminals modified what was a standard attack for the point of sale, modified in such a way that it was undetected. >> Thank you very much. You stated that you have observed a marked increase in the quantity and complexity of cyber crimes targeting private industry and critical infrastructure, over the decades-long trend of criminal data breaches. Can you give examples of how these criminals and their tactics have evolved? And I presume the criminals are not necessarily residents or citizens of the United States.
1:32 pm
>> We are talking about a network of transnational cyber criminals. Over time we can look back at the data breaches at T.J. Maxx and Dave & Buster's and the ones that happened in 2006, and at that time the cyber criminals were attacking the databases, the unencrypted data, which is the credit card payment data. That got changed and morphed into 2007, where the focus ended up going towards the credit card processing companies, but they were looking at the credit card data when it was unencrypted at that time. So encryption modifications have been made throughout the system, and information is encrypted as it goes through the systems. Today we have seen the change: now they are looking at where the data is and how to get around it, so where they are attacking now is at the
1:33 pm
point of sale or the back-of-the-house server, if you will, that has not been encrypted. >> Thank you. Madam Chair, you answered the chair emeritus regarding preemption. I didn't understand your answers to his questions. My fault, not your fault. Can you explain your views on preemption? I come at this having been a minority leader in the state senate, and I certainly believe in a robust democracy in Washington and at the state capitals. If you could elaborate briefly on the preemption issue. >> I believe it is appropriate, provided the standard set is sufficiently strong and provided the states have concurrent ability to enforce.
1:34 pm
>> Concurrent ability. So this would not mean that states would not have a significant responsibility in this very complicated and difficult issue. >> The states do tremendous work in this area, and it's vital to have jurisdiction to enforce the law. >> Attorney General Madigan, it's a pleasure to meet you, and although I do not know you, the New Yorker magazine has come into our house forever and your husband is a brilliant cartoonist, and my wife and I enjoy his work. Could you comment on the preemption issue? >> Can you move the microphone a little closer? >> In terms of preemption, I would concur with what the chair has said. As long as the federal legislation has a strong enough standard and the states maintain the ability to enforce, as we do in any number of areas already, we understand that it's potentially reasonable
1:35 pm
to say we are going to preempt you in a certain manner. In fact, in 2005 Congress received a letter from the National Association of Attorneys General requesting that notification be put in place at the national level, and so as long as we still maintain the ability to respond to our consumers, and this is looked at in some ways, potentially, as a floor and not a ceiling, we understand the role. >> Let me say I believe the committee will, in a bipartisan capacity, work on this issue to conclusion. This is the committee in the Congress that deals with these important nonpartisan or bipartisan issues, and I have every confidence that we will meet the challenge working with the distinguished panel, and I look forward to
1:36 pm
being involved to the greatest extent possible. >> Thank you. I recognize the gentleman from Kentucky for five minutes. >> Thank you, Mr. Chairman, and I want to thank everyone for coming today. I have a business background and I know that any time you have an issue with your customers it takes a long time to build trust, so the incentives are for businesses to protect the data as much as they can. But at the same time, I worked at a retail store in high school and we had nowhere near the data everyone has to deal with now. I want to talk to Agent Noonan. You testified that you first discovered the criminals' unauthorized access. Why is that? Are they not paying attention? >> No, sir. For law enforcement and the Secret Service, it's a result of the proactive approach. We are working with sources and
1:37 pm
gathering information and working with partners in the financial services sector, receiving the data, and a lot of times we can see a point of compromise where the retailer may not necessarily see compromised data that is out in the world. We can go to the victim company and make notification and advise them they have a leak. It doesn't necessarily mean it's that company; it could be their credit card processing company, it could be their bank or a host of other systems in the same company. That is a point for us to go to the potential victim and say please look at your data and see if you have -- >> You noticed the breach first, and typically is it law enforcement who is monitoring this that sees these transactions, or is it all of a
1:38 pm
sudden they start getting calls from a lot of their credit card companies, from a lot of customers who say I've got these charges that aren't mine, and then it finally figures out what is in common with these people, and they went to a certain store? Do you find it by monitoring, or is it that people report they got something done to them and you find a commonality? >> To answer the question, both. I don't think there is a typical case, but we do work with the banking community. As the banking investigators look at anomalies and find those anomalies, obviously they are getting calls from their consumers saying there is a problem, and they will notice an anomaly. As well, we are also out there targeting different criminals. Targeting the different criminals, we are able to see different things happening in the criminal underground, and that is another effective tool we have at our disposal to be
1:39 pm
proactive. Sometimes it's a notification. You have to realize under that approach sometimes we are stopping the occurrence from actually occurring, so we might go to a potential victim company to allow them to know they have been compromised, and in doing so we stop them from losing a single dollar. >> As a result of the approach, that is a method in which law enforcement is a tool for consumers. They are out there in front looking for that type of behavior. >> You mentioned they were leveraged according to efforts to secure against these attacks. Is it providing technical information on how to preserve the systems? >> Yes, sir, and it's the most important part of what we do. It's not necessarily about putting them out but preventing them from happening to begin with, and this is another great example: these companies have
1:40 pm
a compromise, and our responsibility is to assist them and let the community know what to look for and see on their systems, to take action and prevent it from happening to them as well. >> You described a product you disseminated that includes technical analysis and recommendations regarding the recent point-of-sale attacks. Can you describe what you mean by mitigation recommendations and tell us who develops those recommendations? >> We work with our cross-section across the nation and with technical experts from the managed security services, so we can address the nation as a whole, and then we put out recommendations. In some cases it is as simple as changing your passwords, but there is also patching the system. If you do some of the routine hygiene you are in a better place: using firewalls, restricting internet access and disabling remote access. Some of these things are common
1:41 pm
sense, but regardless, as we discovered, we want to get as much information as we can to help people defend their networks. >> There is a little strip of tape that says if broken to keep people from -- in your testimony, the one thing I want to point out, and I've got about -- I'm about out of time, but no individual is immune to the threat, so everybody has to be vigilant because nobody is impervious to cyber threats, right? >> That would be correct, and I would be happy to elaborate. >> I'm out of time. >> Now the gentleman from Texas, Mr. Olson, for five minutes. >> Welcome to the witnesses. To combine that information with my career as a naval officer, we are engaged in combat.
1:42 pm
It's warfare. In combat, first, the lay of the battlefield. A witness on the second panel named four separate phases of the attack: infiltration, access to data, propagation, and finally the aggregation of the big package and then the exfiltration out to the black market. All steps have to happen for the breach to occur. It seems like the public sector focuses on the exfiltration, the private sector on the first step. If we are closing the door after the cows have gotten out, that's not an effective way to fight the battle. My question is, first off, how can
1:43 pm
you tell the public sector that the NCCIC helped with all of the phases of the attack, not just infiltration? It seems like you did outstanding work. >> Thank you, Congressman. Where I try to focus our efforts is getting at that first phase of the adversary's actions. We do not want to be the responders; we want to be the prevention mechanism and the protection and mitigation, but unfortunately a lot of times the discovery is that it's already happened, so we are hoping to learn from the experience of one or a few to protect the many. I would like to highlight that on control systems we are doing more with the U.S.; we are giving more experimentation to see if we can crack into the boxes, and we work with the private sector very closely to see where the doors are and close those doors.
1:44 pm
>> Just by having some doubt on the future damages -- >> In our investigation we are pulling evidence out of the crime that happened, but the proactive approach to that is information sharing. As we are seeing different tactics and trends happening in these intrusions, we are taking that information and sharing it with our partners at the Electronic Crimes Task Force internationally, as well as taking the information and pushing it to Mr. Zelvin's group, and that information is being pushed out to the sector. So by observing the evidence and sharing what we are finding in these different intrusions, we are better protecting the bigger infrastructure, if you will.
1:45 pm
>> Any comments on the law enforcement? >> One of the things I would say, in the last place, is that from our perspective there is an enormous amount of work that needs to be done to educate the public on how to protect themselves. So many people have adopted new technology, and they are not putting in place the safeguards, monitoring their accounts, and putting in place transaction alerts so that when these types of breaches occur they can minimize the damage to their finances. >> Any comments? >> I will say I agree with Attorney General Madigan. The issue is a complex one that requires a multifaceted solution that includes companies taking appropriate and reasonable measures to protect the information and also, of course, the consumers being educated about what they can do to protect information.
1:46 pm
The main point why I believe action is needed today is that the breaches remind us of how important the issue is, and given the amount of information that is being collected from consumers and used and maintained, this is critically important. >> One final question for you. We went to Texas and passed the bar, but I am concerned: why did you investigate Target but not Neiman Marcus? >> Thanks for the clarification. >> The chair recognizes the gentleman from Texas. >> Thank you, Mr. Chairman. We are not quite yet at a place to move down this path, and I'm glad we are having this hearing, but often when the New York Times gets ground up in Congress, sometimes we react in ways that I think are inappropriate to the
1:47 pm
challenge, and I want to talk about that for just a second. Typically we regulate when there is a market failure. The reason the government would come in and regulate is because we don't think private actors can respond to a particular concern or threat in an appropriate way. I understand the potential justification for the notification, because sometimes someone might not know their material has been stolen, so I understand regulating with respect to the notification. But why is it the case that consumers can't figure out, if they are not happy with Target or Neiman Marcus or whoever it is, that they wouldn't migrate somewhere else? Why is it that the consumers won't analyze the risk of the data being stolen and respond appropriately, such that we have to step in to regulate? >> I don't believe the burden should be placed on the consumers when it comes to this issue. >> We do that in so many other places. If you think your material is going to be stolen you can buy a home security system.
1:48 pm
We have lots of places where there is private property and we allow consumers to step in and decide if they want to pay $60, $200 or $1,000 a month for their own security. >> I think that consumers do have a role to play. As I mentioned, there are steps they can take to be vigilant in this area, but I believe the obligation is to protect consumers, and when you look back at the data that is available out there, and it's also consistent with our experience with the Verizon data breach report that studies what is happening, that information tells us companies continue to make fundamental mistakes when it comes to security. They are not taking the reasonable steps we need them to in order to protect the information they collect and use and retain. >> I appreciate that. Is there
1:49 pm
and consumers may not choose to pick Verizon as a direct result. We ought to make sure -- Attorney General, do you have the data that tells you, when folks call, how much they are prepared to pay for protection? That is, they call and say my data is stolen; do you know how much they are prepared to pay per incident? Fifty cents, or $5 million, to protect the data? Do you have an analysis -- you said that they are panicked and angered, and I would assume they are prepared to put up their hard-earned money. Do you have any data with respect to that? >> We have had $26 million of fraudulent charges, and I can tell you, based on the 34,224 people we have had to work through that with, on average these individuals have lost or have had $762 in fraudulent accounts removed. I haven't asked them how much they would like to pay for
1:50 pm
security. They feel as if they are having to pay the price simply for engaging in everyday activities, whether it's commercial activity or interacting with the government or being provided medical services. >> Do you think if we went down the path you are proposing that they wouldn't do that? That those costs wouldn't be borne by consumers? Might it not be an idea we should consider to have them pay for that directly so they can see the cost and then respond appropriately, as opposed to having it removed from their bills or having the federal government mask the cost so they don't really know the risk they are presented with by the use of their own data? >> I'm not sure of the scheme you're trying to propose here. But you are correct: if we are going to update credit card technology to adopt chips and PINs, the consumers are going
1:51 pm
to pay an increased cost if the retailers are going to pay in terms of increased costs and fees to the banking institutions, so consumers will pay, and hopefully we will be able to improve our security. >> Should there be private rights of action associated as well? >> We have been able to handle these at the state level. >> You said every other country in the world is ahead of us. Surely you don't mean Niger. >> There may be several countries -- >> I came back from Europe and I think our system is good. They are comfortable doing business across Asia, Europe and North America, so I think our system may not be as dire as has been suggested this morning, so I yield back. >> The gentleman from Ohio, Mr. Johnson, for five minutes. >> Thank you, Mr. Chairman, and I
1:52 pm
again want to thank you folks for being here today. I am very concerned about the increase in the sophistication of the cyber attacks. Just to get your opinion, how does the increasing level of collaboration among the cyber criminals that you referenced increase the potential harm to companies and consumers? >> The increasing collaboration between the criminals increases their capabilities. When we say there is collaboration between the groups, they are loosely affiliated groups doing this. I've used the analogy of Ocean's Eleven for what this group and network does, so they have groups that will do infiltration into the system to gain access, and
1:53 pm
other people that will design the malware and that map the network to find exactly how to get through the networks. There is exfiltration that occurs as well, and monetization, so the data that is stolen has to be -- of course there is money laundering, the movement of money. So when you bring together a coordinated group of sophisticated criminals, it does -- they will find the edge of the defenses and penetrate the system. >> Once we identify who these folks are that are perpetrating these attacks, first of all, are they stateside, are they overseas for the most part? >> The majority are transnational criminals. >> So outside of the United States. >> To what degree do we have the authority to go after those
1:54 pm
folks when we identify them, and do you know of any ongoing action to shut them down? >> The Secret Service has a unique history of success in this area. We have brought different perpetrators to justice. We go back and talk about the T.J. Maxx case as well as many others, but in that investigation we were successful and we arrested domestically, in this case, Albert Gonzalez, sentenced to 20 years in prison here in the United States, and also in the summer of 2012 we arrested Dmitriy and Vladimir, responsible also in that investigation, over in the Netherlands. We were able to bring to justice Alexander in the Dave & Buster's case, where he was sentenced to seven years in prison domestically. We also were able to pick up three different Romanian hackers
1:55 pm
responsible for the Subway sandwich shop intrusions that occurred in 2008, and we brought them to justice, where the main leader was sentenced to 15 years in prison. We have a rich history of being able to effectively identify who the targets are, have them arrested, and work with our international partners. We have a host of international officers and working groups, and I think it comes back to the relationships we've built internationally in assisting in bringing these different actors to justice. >> Most of the developed nations that have a high degree of sophistication within their networks are vulnerable to these as well, so how robust are the agreements with other nations to go after the criminals that might reside there? >> We have many different agreements with other countries in Europe, and we have been
1:56 pm
working successfully in partnering with those. We work closely with the British, with the National Crime Agency; in the Netherlands with the High Tech Crime Unit; in Germany. We have working groups in Ukraine as well as an office we established not long ago, so it is in that host of relationships and in the law that we are enforcing with them that we are able to get success in those areas. >> Mr. Zelvin, you testified that no country, industry, community or individual is immune to the threat of a cyber attack. Does this mean, in your opinion, that you believe no one can be impervious to cyber attacks? >> I think it's like trying to prevent automobile deaths. You can do a lot of things; ultimately people will still
1:57 pm
pass. Ultimately I believe there are vulnerabilities that will be exploited by the very sophisticated actors. >> At this time, the gentleman from Mississippi, Mr. Harper. >> Thank each of you for being here. Let me start with you, Agent Noonan. This is an ongoing investigation, but do you have an early indication, without revealing anything you shouldn't, as to how this might have been prevented? >> I don't think it comes back to how it could have been prevented. The important part is we know this is a sophisticated criminal group. We have a plan; that's the important takeaway. That response plan is something every company should also think of. We shouldn't think if this is going to happen.
1:58 pm
We should think when this potentially may happen to them. So the response plan is one where you incorporate law enforcement, and we've brought back the information sharing piece: if you don't incorporate law enforcement to help you mitigate the problem and then share that information with the whole of the government and with the infrastructure, for better protected infrastructure, that isn't necessarily a good plan. We would like to see companies have robust forensic companies signed, so that when an intrusion does happen they are able to go in and effectively mitigate it so there is no longer any bleeding that were to occur. Additionally, counsel is important for them to have, and a plan for notification to victims. Those are the important takeaways as we see them. >> Are you satisfied in these cases that the response has been satisfactory? >> Yes, sir.
1:59 pm
>> Chairwoman, if I may ask you a few questions. Is there overlap between the Safeguards Rule and the PCI data security standards, and do they incorporate provisions of the Safeguards Rule or do they go beyond the Safeguards Rule? Can you shed a little light on that? >> I'm happy to speak to this. The way the FTC approaches its data security work is that we again impose a reasonableness standard, so we do not mandate or prescribe any specific standards for technology. But we think that as a matter of course, companies should look to the relevant industry standards and best practices in evaluating what measures they should have. >> Would the PCI data security standards meet a reasonableness standard for the purpose of the Act? >> Every case is a specific one, so we cannot comment on the hypotheticals, but I can tell
2:00 pm
you a company should be looking to the industry standards; that can be very valuable and that would certainly be one factor that we would examine in evaluating. >> You make the point that the fact that a breach occurs does not mean they violated the law, and they need not have perfect security, yet we have been told it is not likely any company subject to the standard that suffers a breach would be found to be 100% compliant at the time of the breach. While they provide an admirable push to keep the companies vigilant, would there be problems with making the federal standard enforced by the FTC if it is setting up businesses to fail because it results in possible fines and violations of the standards?
