
tv   Key Capitol Hill Hearings  CSPAN  March 27, 2014 8:00am-10:01am EDT

8:00 am
8:01 am
a public-private ecosystem is built upon good security governance, secure identities and constant self-assessment of
8:02 am
one of those. whether we drive adoption through incentives or directors can we need to proceed net but i urge you, your colleagues and the ministers not to let 2014 expire without adoption of measures that will better protect our economy and our security posture. thanks for your time this afternoon and for your attention to this important matter of cybersecurity. >> thank you very, very much. because of the unusual circumstances and with the permission of my distinguished ranking member, the first question from our cycle come from senator mccaskill. >> thank you. i adore you. [laughter] i wanted it on the record. both of you. i adore both of you. [inaudible] >> i believe that ultimately the market is more effective at controlling behavior than the government. so let me start with a question that i don't think has fully been answered.
8:03 am
mr. mulligan or ms. richey, or can any of you shed light on exactly how much fraud has resulted from this breach? >> are you speaking specifically to our breach? >> yes. to the target breach. >> i'll start. i can only speak to about 15% of the cards that were taken were target branded product cards. the other 85% are third parties that we don't have visibility. what i can tell you what we have seen, two of the card products, one is a branded debit card, the other is a proprietary card, a card that can only be used at target. we've not seen any incremental fraud on those two particular cards. we have a decent product that can be used broadly just like anywhere else. ..
8:04 am
>> dollar wise? >> i don't have those dollars available right -- >> does anybody? >> we can get those for you. of course, you have to realize we're still in relatively early stages, but we could provide those. >> what i'm trying to figure out here is how much fraud there was and who's holding the bag on the fraud. because i think people don't understand -- i mean, i don't think people understand that visa doesn't necessarily hold the bag on any of it, that most of this debit card fraud ends up with a local bank, that a lot of the costs associated with this breach, in fact, the majority of them fall to credit unions and
8:05 am
local banks as opposed to target. of the $61 million that you have said it cost your company, mr. mulligan, how much of that was marketing to try to reassure your customers that you were -- and you are the good guys, by the way. i'm not trying to say you're not. but how much of that 61 million was market as opposed to actual loss that you suffered? >> for the $61 million that we recorded in the fourth quarter, any marketing expenses that we undertook would have been recorded in the normal course of our business. the $61 million was related to response cost, credit monitoring, activities such as that. >> well, the credit monitoring that you're offering to your customers, that, in fact, is marketing. >> we viewed that as a way to respond and help our guests for what we know is a difficult time for them. provide them not only credit monitoring, but identity theft protection and insurance. >> i think it's terrific you're doing it, and i think it was
8:06 am
smart for you to do it, and it was a wise corporate decision, but it was an optional activity to try to repair the damage as a result of the breach. >> yes, we were focused on our guests, absolutely. >> okay. and those are costs that are not optional to the credit unions, correct? that's them having to reissue the cards and bearing the cost of doing that. >> so the payment card industry has collectively determined that, importantly, consumers don't bear any of the fraud related to this type of activity. there are commercial arrangements that underpin that. those arrangements provide both for the revenues that companies like target pay in, also for the remediation in situations like this. >> but the point i'm trying to make here is that i think it is confusing to the consuming public where this loss falls and where the costs are absorbed. i know that we -- there's $10 billion in more revenue to retailers as a result of the government getting involved in
8:07 am
interchange fees. because interchange fees were $19 billion before the durbin amendment, and now they're $10 billion, less than $10 billion. so there was $10 billion extra that flowed to retailers as a result of those prices coming down. and i'm not saying that was a good or bad thing. i guess what i'm trying to get at here is that i think it's very important that the risks be borne by those who must engage in the activity to protect. because if the risk goes somewhere else, it lessens the incentive to protect. now, i'm not going to argue that you all have had a terrible thing happen to your company and that you are working hard to recover from it and you have been damaged, but there are many instances where people think there's been a breach. i think most americans thought you guys were covering most of the cost of this. i don't think that they realized that most of the dimes were being paid by somebody else in
8:08 am
the first place. so i think a clarification of where the risk falls is important for us if we're going to do anything as a government, because it's going to be much better to align those risks with incentives in the free market. >> i was just going to say that if there's any lack of clarity about who's bearing the loss here in the committee, the financial institutions would make their customers whole as we know with the zero liability policies, and then the payment networks, both visa and mastercard, do have a program to shift the costs back to the merchant if the merchant is shown to have been out of compliance with our industry standards. >> okay. >> however, that program covers only a portion of their costs, and the reason for that is just as you said, to balance the incentives so that each party is incented to reduce the risk and protect the consumer. >> i'd love to get into the
8:09 am
weeds with that if you would help us with that information, ms. richey. >> you mean right now? >> no, i mean later. [laughter] no, no, no, no. i'm done. i'm done. no, i mean later. i mean, i want to understand how these risks are being shifted in the marketplace. thank you. >> thank you. what i'm going to do is recognize senator thune and just for the committee's information we will recess for votes, and we have four votes scheduled, i believe? five votes scheduled. so we will work that out. but i just wanted the committee to know we'll go to senator thune, then we'll take as short a recess as we can, come back and conclude the hearing. >> thank you, mr. chairman. mr. mulligan, we know the target breach affected two types of data. one was the payment card data of approximately 40 million target shoppers and other personal data of up to 70
8:10 am
million customers. what steps have you taken to provide your customers the assurance that their personal information's going to be protected going forward? >> senator, immediately upon identifying the malware, we removed it from our system, we closed the portal that created the access point in the first place, we've narrowed the scope of who has access to our systems. we also began an investigation and hired a third party adviser to do an end-to-end review. not just forensics, but a review of our entire data security, technology processes and controls. from that we will have additional learnings, and we've already taken steps that we've learned from there. we've enhanced our data segmentation, hardened our perimeter, and we've increased malware detection with something called white listing. we accelerated the investment in that. and that, essentially, allows only the programs we want to run on our point of sale terminals to run.
8:11 am
we've spent $100 million to complete the installation of guest payment devices this year and roll out the cards in early next year. so we've taken many steps, and we will continue to have learnings and expect to continue to pick changes. >> okay. ms. ramirez, you state in your testimony that, and i quote, although most states have breach notification laws in place, having a strong and consistent national requirement would simplify compliance by businesses while insuring all consumers are protected, end quote. i agree with that statement. and i'm wondering maybe if you can elaborate on the advantages of a consistent national requirement for breach notification. >> we see a need for legislation for various reasons, and i think that's one. i think it's very critical that there be comprehensive federal legislation in this area, and we think that if that legislation and the standards that are set if that are sufficiently strong,
8:12 am
that in that instance the federal standards should preempt state breach notification laws. >> okay. and several of you, i think, have testified to the advantages of having a federal standard. i'm just wondering if you'd like to underscore the value of what is a patchwork right now of state laws. >> i'm sorry, if i may add one more point that i want to make sure is also clear in terms of our position at the ftc, it's also critical that states be permitted to enforce in this area, that there be concurrent jurisdiction on the part of the ftc as well as the states. >> all right, okay. anybody else want to comment on the value of having a national -- >> just a couple quick comments. we talked about transparency on the panel, and transparency's absolutely critical. but having a common breach standard would make it easier to aggregate the data from a national perspective. and also we know from these crimes that they most often have a multistate impact and very
8:13 am
often international impact and having that federal government involved in breach notification seemed to make a lot of sense to centralize that. >> anybody else? >> i would just say that a single standard would ease the way for getting the notification out faster and spending less time and money on lawyers and more on informing consumers. >> dr. loh, you're here today because the university of maryland experienced a security attack which exposed the names and social security numbers and dates of birth of more than, as you note in your testimony, 300,000 members of your community. in your testimony today, you state that the university of maryland experienced a second breach on march 15th, but that this time that breach resulted only in one senior university official having their data breached. and the question is, why is that? was that officially the only target of that breach, or was it
8:14 am
because of steps taken after the first breach? >> they actually had unlawful access to far more information that was breached the first time, but we don't call it a breach because -- except for that one individual, it was not made public, it was not circulated. and, again, i want to thank the fbi for their very expeditious and effective intervention that resulted in the successful mitigation within 36 hours. the reason we're not saying something more is because the information is still -- the investigation is still proceeding, but it is the case that no other information was made available. the fact that one senior university official's name, id, everything was put on the web and was put on the web with site was simply because, well, the intruder wanted the show how clever he or she was and wanted the world to know. >> i just have one last
8:15 am
question, mr. chairman, and that has to do, again, i want to come back to ms. ramirez. you testified today that your role is to protect consumers, insure companies take reasonable measures to protect consumer information and that to do that the ftc uses both its unfairness and deception authority, deception authority being relatively clear cut. and in that case you've got if a company acts deceptively regarding a security measure that's taken, but a good number of the ftc's actions in data security have come under its unfairness authority which some have argued provides less guidance to companies regarding which practices cross the line. because most of these cases are resolved with consent decrees, it doesn't produce a record and precedential value. so the question is short of regulations, should the ftc make public the rationale that they use to determine what is unfair so the companies have better
8:16 am
guidance? >> senator, i have to disagree with the critiques that have been made of the ftc in this arena. i think that we have provided good guidance. the approach that we take when we exercise, frankly, both our deception authority and our unfairness authority in this area is one of reasonableness. as a law enforcer, what we really do is driven by the specific facts of a given case and the documents that are part and parcel of our consent decrees demonstrate and explain the bases for our allegations and also what we believe are remedies and actions that companies should undertake. so in our view, we have provided guidance and the actions that we've taken really go to very basic and fundamental failures on the part of companies that we think are unreasonable and, therefore, that would be a violation of our section five authority. so i do take issue with that.
8:17 am
we provide a great deal of guidance as part of our outreach and educational effort, and i believe companies can discern the process we take where we urge companies to do a very thorough risk assessment based on the type of information that they collect and that they use and that they then in turn develop a program that would be able to address any risks to which that information might be exposed. we also think it's absolutely critical to have one person at least who it would be in charge of any big security program. >> is that guidance made public? >> absolutely. >> all right. mr. chairman, i see we're out of time, and we have to run and vote, so yield back. thank you. >> that is what we will do. we are going to recess for a little while. i don't have a time certain. my guess is it'll be 40 minutes or so, but i don't know exactly depending on how many actual votes we have on the floor. there's a little bit of
8:18 am
conflicting information whether we have four or five votes. but nonetheless, probably just for everyone's benefit we'll probably try to start as we are doing our last vote on the floor, because members can vote and then come back here. so we're trying to do that. so with that, what we'll do is we'll take the recess now, and we'll reconvene subject to the call of the chair. thank you. [inaudible conversations] >> have you all been nice to mr. mulligan? okay. my staff, as you know, have prepared a report analyzing data breach at your company, and we do a lot of reports. and it's very interesting. one has nothing to do with you or the question, and i shouldn't even be saying it, but i'm chairman, so i can say what i want. [laughter] a lot of moving companies if you
8:19 am
want to move, you sign a contract. they put your stuff in the moving van, and then they take it about two miles and park in an alley and call you up and say the price has just tripled. and, you know, you say, well, that doesn't happen in america. point is, it does. and it's very disturbing. it's very disturbing. so that's why we focus a lot on these kinds of things. it's not that we're nasty. richard, you're not nasty, are you? senator blumenthal? you're not nasty. >> uh -- >> you're smart. >> ask my wife, mr. chairman. [laughter] never. >> that's right. my granddaughter and his -- >> wife. >> -- wife are together at school. >> your granddaughter and my daughter were together at
8:20 am
school. >> yes. at different levels. >> right. [laughter] >> anyway, mr. mulligan, we've prepared this report, and i want to know if you read report. >> i have. i had a chance to review it last night. >> you did last night. we walked through the steps attackers had to go through in order to hack your company. and then it explains how target could have prevented the breach if you had stopped the attackers from completing even just one of the steps. let me give you a few examples. you could have prevented the breach if one of your vendors, a small pennsylvania company called fazio. >> my understanding it's fazio. >> fazio. will you acknowledge that poor vendor security was a factor in this attack? >> yes. >> and once the attackers had gotten into your network, you
8:21 am
did not stop them from gaining access to your company's highly sensitive consumer data. will you acknowledge that target failed to properly monitor your computer network for the intruders? >> senator, it's my understanding we did have proper segmentation in place. as recently as two months prior to the attack, we were found to be pci compliant, but your question is an excellent one, how they migrated from the outerpost portion of our network to our point of sale data is an excellent question, and i don't have the answer to that. >> okay. and who is "they"? >> how the intruder, excuse me. >> okay. chairwoman ramirez, i congratulate the federal trade commission for its recent announcement of its 50th data security case. the ftc has been successful in pursuing data security cases using the authority under section five of the ftc act. as you know, senator feinstein,
8:22 am
nelson and i have introduced data security legislation, and senator pryor has in previous years all to no avail so far. legislation the ftc has consistently called for. can you talk about why you see the need for such legislation? why isn't your existing authority under the ftc act enough? >> chairman, thank you for your question. and, again, i want to thank you for the leadership in this area. the ftc has undertaken critically important work in this arena, but i think that our experience and what we see happening in the marketplace really does show that companies are continuing to underinvest when it comes to data security. and that's why we believe that more needs to be done in this area and why we think that congress absolutely needs to take action to have a comprehensive, federal comprehensive legislation that addresses the issues of data
8:23 am
security. and in particular we want to highlight things that we think are critically important relative to enforcement authority on the part of the ftc, and that is that we feel it's critical that the ftc have civil penalty authority so that there can be appropriate deterrence. we also feel that it's important that any legislation have apa rulemaking authority so that the agency can have the flexibility to implement any legislation and to adapt to changing technology in this arena. and then in addition, we feel it's also important for the ftc to have jurisdiction over nonprofits. currently, we do not have jurisdiction over nonprofits, and we do see that universities and other nonprofits are falling victim to intrusions and that it's important for the nonprofit sector also to have reasonable security measures in place so that americans can be, their
8:24 am
information can be protected. >> but they will look precisely at that point and tell you that self-regulation works. >> we believe that self-regulation is an important element of all of this. data security is a complicated issue, and in order to really address it effectively, we need to do it in a multipronged way. so we believe that self-regulation that is robust and where you have backup enforcement by the ftc, for instance, that that would be a good and important complement to the civil law enforcement that we undertake. >> but in essence -- >> but it's, in my mind it's not enough. >> it's not enough. >> that's correct. >> yeah. but whether it's cybersecurity, whether it's this, whether it's almost anything else, self-regulation always solves the problem when the -- we had as you know recently a water spill in charleston, in west virginia. nine states and nine counties
8:25 am
just couldn't drink water including my house. and it was not a pleasant experience. and i found out that rather quickly that there is no regulation, they're under no federal regulation, no state regulation. they can do exactly as they please. and so one of the people who was really trapped by this when is my sort of chief of staff, my west virginia operations has two young children. and i talked to her this morning, and she said, and she'd just been on a trip to understood ya, in fact, to look at water, new ways of doing water. that two more leaks had been discovered. on that river just causing one to be blindingly angry and infuriated at ourselves for
8:26 am
allowing that to happen. i was a governor for eight years, i never did anything about it. every time i drove into charleston which i did hundreds and hundreds and hundreds of times, i always came directly towards those tanks that held all this toxic stuff which leaked. and i said that doesn't look very good to me, it looks kind of crummy. it's sort of like the pictures in seattle before the, everything went wrong. everything looked fine, but if you knew that there was a lot of mud there, your mind would lead you to other kinds of conclusions, but your mind doesn't choose to dwell on things which aren't of the moment. and so, you know. anyway, so i'm encouraging increasing, increasing hostility towards giving the ftc -- i'm hearing this from others -- authority to address consumer protection issues like data breaches. that's a common complaint from some.
8:27 am
and it reaches ears easily because people like to hear about the federal government not being able to do its work or failing to do its work. unlike years past when this committee routinely gave the ftc the tools it needs to do the job, i'm now constantly hearing about the dangers of an overzealous ftc overregulating and overburdening american businesses a lot. hearing it a lot. and -- in this committee. my data breach bill which is 1976 gives your agency basic rulemaking authority to set data security standards just as congress did in the gramm-leach-bliley and the children's online privacy laws. i don't think that's a controversial idea, but some people do. chairwoman ramirez, can you explain, please, to these kept you cans through me how the ftc
8:28 am
goes about setting these rules so that, one, i can be satisfied that you're not out to ruin industry for the pure pleasure of doing it, but you're trying to do your job. how the commission has a careful and deliberative process, and then can you explain how these rules will help protect consumers from data breaches. >> i'd be happy to. let me just say that, first of all, the call for legislation in this area is a bipartisan call. the commission unanimously supports enactment of federal legislation in this area and supports the pieces of the legislation that i've outlined. let me also say that in response to the critics of the ftc, i believe that anyone who looks closely at the work that we undertake can see that we do our work in a
8:29 am
very balanced way and that we absolutely want to be, our job is to protect american consumers fundamentally, but we absolutely do listen to the concerns of industry. and i think when you look at, certainly, the body of case work that we have in this area, the 50 data security cases that you mentioned, i think people will see exactly what the basis for these are and, in fact, actions that we took were justified. in response to your specific question about how we employ apa rulemaking authority, in my initial remarks, i referenced the can spam act which is one example of the situation and legislation where we were given rulemaking authority. any rule that the agency would undertake would go through a notice and comment period, so stakeholders would have an opportunity to give input. any rule that we ultimately would impose would, it would be based on this evidentiary record
8:30 am
that would be developed over the course of rulemaking process. and the reason that we asked for that is that it's critical that the ftc have flexibility in this arena to implement any legislation and two main issues, i think, are the ones that i want to highlight. one is that we have to recognize technology is just moving very rapidly. so a decade ago no one would have predicted that facial recognition technology would be so readily available, for example, or that geolocation information would be so obtainable today. so it's critically important that there be flexibility that's embedded in any legislation to allow the ftc to adapt any rule to emerging and evolving technology. by the same token, it can also be to the benefit of businesses to grant the ftc that flexibility because we may be able to lift certain requirements that may no longer be necessary over time, and that certainly happened in connection
8:31 am
with our implementation of the can spam act. so it really would be to the advantage of everyone, consumers as well as the community, to grant us that flexibility. >> i thank you. i'm well over my time. and it's time for senator klobuchar. >> thank you very much, mr. chairman. thank you for holding this important hearing and for working on some important legislation. ..
8:32 am
and working with the justice department on that. number two, how we prevent this going forward. and one of the things that i found pretty shocking was that in america we have 25% of credit card transactions in the world, but we have 50% of the world's fraud. some of the other countries have moved to the chip and p.i.n. technology. i know that target tried some of this technology. maybe you can talk about that a few years back but it wasn't adopted by other companies. so i think i would start with that. what do you think we need to do to stop this from happening in terms of adopting some of the technology, and how long do you think it will take when we already have parts of the world
8:33 am
that are already adopting this, it's currently the standard in europe? so maybe we could hear from you, ms. richey, first. >> we do believe that businesses are for the united states to join most of the rest of the countries of the world in adopting a chip technology to control fraud in the face-to-face environment. we set out a roadmap for emv chip adoption. we announce that in august 2011 with the idea that it would take probably around four to seven years to get to a critical mass of chip adoption based on our experience in other countries. i'm encouraged by the level of enthusiasm towards the chip project that we're seeing in the wake of these recent events. i'm hopeful that by our liability shift date in 2015, october 2015, that we will see substantial adoption both the merchant and the issuing bank
8:34 am
side. >> do you think it would be better to have the p.i.n. rather than signatures? would that be safer? >> safe is an interesting word. >> would that lead to less fraud? >> it might initially lead to less fraud. it does reduce lost and stolen fraud. so if can -- p.i.n. does nothing to prevent the criminal from counterfeiting a card unfortunately, and about 70% of fraud that occurs in physical location, brick-and-mortar stores, is counterfeit, not lost and stolen. we believe the bigger problem is counterfeit. it's also easier for the criminal to accomplish because they can do it by stealing data, not by having to take possession of thousands or millions of physical plastic cards. so we believe the best thing for the industry to do is to focus on chip, and that trying to change the environment between p.i.n. signature and no
8:35 am
cardholder verification, which is our current methodologies would just slow things down and increase the cost. so, therefore, we are saying the issuer could have a choice based on their own risk profile, whether to issue with chip and p.i.n. or chip and signature, and similarly in the merchant environment where today about two-thirds of the merchants don't currently deploy p.i.n. >> i mentioned, mr. mulligan company want to address this, the target try to go with the chip technology. what happened? >> we did. a little more than 10 used the wicked is what we call guest payment devices to read chip cards and we introduced our target visa card actually with chips enable in it 10 years ago. the real benefit for consumers comes with wide adoption. when those cards are widely used and they're widely read throughout the economy and we see that in other geographies. after we went about three years by ourselves, we determined that it didn't make much sense for us
8:36 am
to continue, given that there was no real benefit to consumers broadly. we have continued to support, and argues chip and p.i.n. but we agreed moving to at least chip enabled technology as a positive step forward. >> are you speeding up your adoption? >> we have accelerated that. it's a $109 investment. we will have the devices in september and we will issue chip enabled cards and read them early next year. >> mr. wagner, as a subsidiary of data card, how does your company use the transition to chip cards and have entrusted data card been involved in making like addition to the finance and payment networks on implementing new cards and security methods? >> data card is, in fact, the world leader and equipment to the financial transaction cards from both magnetic stripe, e.g., a place and will. were a big supporter of the emv technology. one of the things and combine security, it's clear the chip and p.i.n. is a more secure way
8:37 am
to do it. there's also balance that needs to be considered. when you consider for security perspective chip and p.i.n. is a more secure way to go about it. either is better than the current environment. >> if i could ask one more question of chair ramirez. many of the large data breaches and hacking operations are from people outside the u.s. there's no shortage of crimes that they could be charged with but it can be very hard to bring them into our courts because they operate largely overseas. i stand business weekly has identified a ukrainian operation that could be responsible. again in the investigation is underway. this is just what we read in business weekly. can you discuss and work with law enforcement on investigations? i know i asked this of the justice department in the judiciary hearing, but what steps do you think we can be taken to make it easier to get these international hackers into a courtroom to stop them?
8:38 am
>> as to your specific question, i do have to defer to the criminal law enforcement authorities to get into the details of that, but i will say that the ftc works very closely in terms of our own work in parallel with our criminal law partners in these areas. we, of course, are focused on the front end, how retailers and other businesses are protecting consumer information. but again we work in parallel with and i think our efforts are complementary with of course the efforts of criminal law enforcers who are seeking to locate and punish perpetrators. let me also add we do a tremendous amount of work on the international front, working with civil law enforcement agencies around the world to address these issues. that is a significant part of our own engagement, and we use authority that's been given to us by congress under the safe
8:39 am
web act to be able to pursue civil law enforcement where needed, and so we do want to partner with other law enforcers because we have to these days. >> do you think we should be doing more as we negotiate, as we work with these other countries as part of security agreements, in terms of trying to come up with some international standards? it seems more and more of these cases are outside of our borders in terms of who is perpetrating the. >> absolutely i think increase the we need to be working with international partners around the world, and we absolutely have to focus on that set of issues as well. >> thank you very much. >> thank you. senator pryor. >> thank you, mr. chairman. and let me follow up on that if i can, chairwoman ramirez. with the ftc working with other agencies, other federal and state and other law enforcement agencies generally, plus the
8:40 am
international community, is there a formal process there? i mean, do you have these formal relationships where you sit down every day or every week or every month with these folks? or is it more on a case-by-case ad hoc basis? >> we do work regularly with sister agencies. because operate on a case-by-case basis. we do also have specifically a criminal liaison unit because it's part of our overall enforcement work. we do partner with u.s. attorneys' offices. we also do close work with the department of main justice and then also with the fbi, secret service. so specifically on these issues, it tends to be in conjunction with specific investigations. on the more global level, we do work through multilateral organizations as well as through specific bilateral relationships that we have with counterpart
8:41 am
law enforcers around the globe who also have consumer protection authority. and then we also do engage with, where necessary, where appropriate, with criminal authorities around the world as well. >> one reason i ask is, my experience with law enforcement is that sometimes they will form what is sometimes called task forces, you know, where they will have multi-agency or multijurisdictional but i didn't know if the ftc serves on like a task force type setting where you have regular meetings where people are focused on this, trying to find solutions, target some of this off before it starts. are you all involved in anything like that? >> it really is more on a case-by-case basis. again our focus is on the civil law enforcement side and on the front end, but we absolutely will cooperate very closely where it's necessary. and we do stay in close contact
8:42 am
with domestic criminal law enforcers. >> let me go down to the other end of the table there. mr. wagner, i know in both the rockefeller bill and also the toomey bill, they use the word reasonable policies, reasonable is the keyword. policies to ensure consumers' private data is protected. and, obviously, reasonable is a little elastic and a little situational and that may be the best word to use but could you please speak to that and kind of talk about what principles are contained within the kind of concept of reasonable? >> well, the key principles that we would espouse are those information security governance competitive the risk that enterprise has around information security at a high level, at a corporate and a, understand which information assets have value in making sure
8:43 am
that's not just an assessment of value to your organization but as we're seeing the effects can be ecosystem wide so making sure those asymmetric value to get considered at the risk officer level, at the corporate level so it can be dealt with. >> does anybody else on the panel want to comment on reasonable and what that means in the context of what you do? >> well, there are a whole set of well-known security standards applicable is on an industrywide basis or broadly across all industries. and i believe that many of them have very specific things that need to be done, but at the same time they are flexible. so the introduce -- develop custom and practice of the trade that you would want to look at this on the risks that you've identified as to whether the measures that you took were in accordance with those standards. >> is that a good standard, a good starting point? >> i believe so, yes.
8:44 am
>> did you have something? >> yes. the word reasonable is what caught my attention, section two of the bill, requiring reasonable measures and procedures for information security. even though it's only been about five weeks since our major data breach, i've already asked what the essence of the cost to have quote reasonable defenses and reasonable perimeter defenses, penetration testing and protection of sensitive information. they can range from a few million dollars to as high as $30-50 million. figures from other studies say that at least in academic settings, it's approximately $100 per every identity stolen. so we had 310,000 stolen. the cost, as a rough estimate, is 310,000 times $100. so the question, i think that
8:45 am
mr. mulligan raised, which i thought was an excellent question, who shares in the responsibility for protection? it would bankrupt most universities to spend 20, $30 million in cybersecurity protection, especially when there's no 100% guarantee anyway. is this something that should be shared more widely between private business, universities, and the federal government? to take one example, social security numbers. why don't we devalue social security numbers? why not require financial institutions not to use social security numbers so that there is no longer the incentive to steal social security numbers? if one doesn't do that, one shifts all of those costs to, at least in this case, to higher education institutions. and so it's a balancing between
8:46 am
risks and costs. and all i can tell you is that the costs can be staggering. and even then, although the experts that we retain are telling us there's no 100% guarantee. >> i wanted to add a few words again from the perspective of the federal trade commission on this issue. we do believe that reasonableness is the right approach. given the different types of companies that we have jurisdiction over across many industries, we think it is critical to have flexibility and again to have a very fact-specific approach. at the same time we certainly understand the challenges that dr. loh has identified. going back to your questions about certain things the federal government can do, one area where we have been produced bring in a task force has been in connection with identity theft. and that's part of the task force it was set up under the bush administration, we have made a number of different federal agencies have made recommendations about how to
8:47 am
deal with issues and things such as social security numbers to minimize, again, the risks of id theft. so i do think again this is a coveted question and there are many things with the government can play an important role. to me, data security legislation is one step and that everybody think there are other things that need to be examined in the way personal information is being utilized. >> thank you, mr. chairman. thank you. >> thank you, senator pryor. that philosophically and realistically, that was an interesting discussion. because, and he gets back to something that i talk about as often as i can. unless this country is willing to get serious about infrastructure, from which i'm
8:48 am
cybersecurity, to 200,000 pounds water tankers crossing 75,000 macs bound bridges all over west virginia in so that they can build a fracking platform, if we don't have the infrastructure which is research, which is an ice age, which is cancer institute, which is also i'm is, which is everything, plus the hard stuff, the roads. i mean, we've been through, we have a lot of pipelines in west virginia. nobody knows where they are. they carry gas, but somebody goes in to build a house and breaks through five layers of pipelines that nobody knew where there. at some point there's no sense of forgiveness runs dry. that if we are going to be a
8:49 am
serious country, and continue to be a serious country, we have to do infrastructure. we have no choice. if you said, senator rockefeller, are you for raising the gas tax? i would say yes. i believe in user fees. i always have. if you have an objective that you want, you want to build roads and bridges, then you do that thing which is necessary to make it happen. if you choose not to, you are ideological pure, you'll probably win your next election, and your state declines further away. or people, young people make the conclusion as they have, some of them already are on our water spill, the toxic water spill for which there was no federal, no state regulations whatsoever, of
8:50 am
which i was partly responsible because i was governor or eight years, and i told you i kept looking at these tanks and wondering what they were doing there, but did nothing about it. if you don't take responsibility for your future, you have no future. and that gets to the very bottom of what divides this congress. it's not republicans and democrats. roy blunt and i have been friends for years. i cut him to do something which he didn't want to do, but for which he has forgiven me for getting him to do it because he finds it's not that undoable. plus, he likes me and i like him. okay, so things work. but you have to be willing to raise taxes. to pay for things where we are eons behind. stem, modern bridge structures.
8:51 am
the list is endless, and nih, nist. you want a good way to find out where a good standard is, you go to an isg. that's what the cyber people want to go. they will do it but it will cost. and so did doctor low who runs a university which does not have, you know, endless amounts of money, i'm full of sympathy but i can't, i can't walk away as a senator from being part of the solution to this problem. and that's what we are doing here, we are walking away year after year from being part of the solution to the problem. if you want good infrastructure, you got to pay for it. if you're going to pay for it,
8:52 am
you got to raise taxes. in the question is how do you raise taxes. then you get into the 1% versus -- and that becomes a lot of talk to the point is you either get the infrastructure or you don't. and if you don't, your future is dim. it was her interesting when the president called accurately russia an important regional power. mr. putin must have been unhappy at that. but it was accurate because the size of his economy and because of what he has not done, and they have not done over the years in projecting power, projecting toughness and all the rest of the. they have not built things up. my son-in-law lives there. he knows. you can't escape that. so that's my little editorial. but to me it's the way we improve this country, the way we
8:53 am
help doctor low, the way we help everybody is that we're in this together, that we have to share responsibility, that we don't point fingers. we are all to blame. we are in the habit of being comfortable. we are in the habit of thinking that the world is as it was 30 years ago. that's a stupid and trivial thing to say but it's just totally true. it is totally true. so i'm try to make life tougher on us. i'm not running for reelection so it's easy for me to talk like that, but if i were running for reelection i would talk like that. i would talk like that, or else i don't belong in this job, or shouldn't run for the job. so that's just my thought. i've got over my time, and senator markey has been here. he doesn't like it is ago for over a minute and a half. but i'm just going to ask my question and hope for roy and
8:54 am
ed's forbearance. mr. mulligan, according to press her according to press her ports attacks can access to the target network to the pennsylvania thing which we discussed already. does target require any particular level of security of its third-party vendors? >> we do this the inherent risks of our third-party vendors and rate them on a risk scale and determine which of those we need to review, which of those we don't. we have a process for doing so. >> i'm not sure what the answer is. >> we do. we have standards, send it to come and we have an autocross to ensure they are meeting them spent a lot of people have audit practices. not all of them are enforced. that's a high bar question, i admit. >> we have a process we we routinely review the inherent risk and those with high-risk we if i would periodically.
8:55 am
those with a low risk we deem, we don't evaluate. >> do any third party vendors have access to target's point-of-sale systems? and if so, what security standards apply to them? >> anyone has access to a point is a networks, this seems to be standard would apply. two-factor authentication as required by pci and beyond that anyone whether our own team members or if we have technology contractors working on them, they would apply similarly. >> senator markey, we have the rhetoric of attention and auditing, but not necessarily the fact of. one can still get away with rhetoric in this country. one can get on the evening news with, brilliantly, sculpted rhetoric. it doesn't mean you're doing anything. i just threw that your direction.
8:56 am
>> you are not a media town so i'm not accusing you of being that kind of person. i would if i knew my audience better because i would have fun doing it and you would have fun squashing me. at the same time of the breach, who at target was ultimately responsible for the company's data security? >> senator, we have multiple teams that work in data security. at the time of the breach, various elements reported to several different executives. >> now you see, that worries me. that worries me. you had a former ceo, beth jacob, and i want to make sure she doesn't get run over by a bus in this discussion. it's true that target data security responsibilities have been divided up as you indicated among a variety of staff, and not under a chief information security officer. but what i'm obviously getting at in the future is at some
8:57 am
point the ceo and the board of directors have to accept responsibility is what's happening. that's wh why mention this one h the data bridges yet reported to the sec. i also did it, and there was no law, i just called mary schapiro was at the time and she said, sure, i'll do it. i did the same thing with coal mines. we have a lot of coal mine disasters in west virginia. so anytime somebody is killed or there's a coal mine disaster, that has to be reported. because that's helpful to investors and shareholders about their decisions. but i believe in responsibility. i think it has to come down to a point, a source point. and i think that has to be the board of directors and the ceo. and then you can scatter responsibility however you want. i've talked to long.
8:58 am
and now have to figure out who got here first. i think, roy, did you get your first? roy was here first. senator blunt, i'm sorry. >> the chairmen and our good friends and thing he talked me into doing was co-chairing with him and effort to be sure we understood what all the alternatives are out there at a staff level on health care. and whether i wanted to know it or not, i needed to know it. and once again, he figured out something that was better for me that i probably thought it would be. but thank you all for being here. it's been a long afternoon, people coming and going. i may very well ask a quick and that's already been asked, but as a golfer, even if everything has been said, everybody hasn't said it yet, it still okay to repeat it. i just sort of, there are, whenever we set this hearing, i think there were 46 different requirements to comply. there may have been more than that by the time we get to the
8:59 am
end of the hearing, but there were at least that many. and my question simply, my first question still is a yes or no question. do you believe that a uniform national standard for data breach notification would benefit consumers? and just yes or no is all i would like to have. >> i'll start. yes. >> dr. loh? uniform standard of notification? >> yes. >> yes. >> yes. >> yes. >> and a yes. >> that's what i think, too, and hopefully we can figure out how to do that. and i think the attorney general recently called for that, that uniform standard as well, and it's something that hopefully this congress can accomplish. one of the questions the chairman asked was, and maybe what you're into, mr. mulligan. the time of the breach, was there more than, were there multiple breaches of data in what happened at target in the
9:00 am
last part of last year? >> we had one breach of our systems, senator, and two types of data was removed. .. that overlapped and likely more than that.
9:01 am
>> so in the, where you had the breach of information but you didn't know who that related to, is there any way you -- who could you have notified there if you wanted to notify a individual customer that their card had information had been shared in ways you wouldn't have want 9 and stolen in effect from them or you? >> given the nature of our breach, senator, we felt the best way to notify customers was very broad public disclosure. we did so on december 19th, through the media. through our website. through social media. we did so again on january 10th through personal data. in both cases we augmented public disclosure through emailing. we emailed about 17 million guests and in the second case about 47 million guests. >> how did you know who those
9:02 am
47 million were? >> we had their e-mail addresses. >> that was for everybody in that particular file or everybody that had shopped within a window of time or how do you know that? >> for the 70 million records, those were individuals we had accurate email addresses for. >> 47 million emails out of 70 million? >> correct. >> i see. ms. richey, what did the chairman say, does visa, a level of security was asked about the company. i thought of a question then. does your company require any level of security for the merchants who use visa and are you changing what that level of security is? >> yes, we do require a level of security. it's the level embodied in the pci data security standards and we also require for large merchants that they provide us a validation by an independent
9:03 am
security assessor once each year they are in compliance. for smaller merchants we require a self-assessment questionnaire administered by the merchant bank that acquires, sets them up to accept payments. that is what we have in place today. the pci council administers that standard and reviews it periodically and promotes improvements to it. >> have you given a notice of a new level of standard that you want merchants to have by sometime in 2015? >> there are two different things going on here. there are security standards how they secure the data in their environment. >> right. >> the other is devalue the data in their environment, no longer have valuable data, no longer targeted by thieves. the standard for october 2015 for these emv chip cards where the card actually sends a one-time use signal so that even if you steal all the data, relative to the card, it can't be reused to commit fraud.
9:04 am
so the standard for 2015 is to implement the emv standard by placing emv terminals in the stores and, outfitting them with the proper technology on the back end. failing which the merchant would be liable for the fraud if a chip card, emv chip card is used in that terminal. that is that standard. >> my last question for you and anybody else who wants to answer it is, do you believe there is any benefit in congress in the law trying to specify exactly what the card standard should be? if we said in law you would have to have a chip in the card, have to have a chip and pin number in the card, is that in your view a good thing or unhelpful thing? >> generally speaking i would say that our success across the world has been through this liability shift mechanism. it allows the flexibility in different merchant environments for them to move in that direction. >> so liability shift means if
9:05 am
they don't secure things as you, they would have a higher level of liability as a merchant? >> right. and that allows them to set the pace of their transition according to their environment and risk in their environment. so we believe that should be effective. we've seen it over and over again across the world. i hesitate, naturally we'd like to get out of the business of having to administer this ourselves but when we have seen the few governments that have tried to mandate technologies in other parts of the world they tend to have unintended consequences and actually make it more difficult to move forward with new types of technology that can leapfrog current technologies. so that would be my hesitation. >> anybody disagree with that? my sense of this has been that was, the thieves, hackers would always be more nimble than the congress and we prove that on a regular basis, our lack of
9:06 am
nimbleness. if you are too specific in law, all you do is create a road map as to what you have to do if you want to break the code but, what were you going to say, miss ramirez? >> i was going to agree with what ms. richey testified to. we believe a flexible approach is the right way to go here. >> thank you, mr. chairman. >> thank you very much. ah, you made it back. >> i made it back, mr. chairman. i have a reprieve on my presiding because i felt this committee hearing was so important. >> i have the pleasure of putting you in front of senator markey and watching him fume. senator blumenthal was here and is recognized. >> i was here before, and thank you, mr. chairman. thank you. and thank you for your leadership in convening this hearing. thank you to the panel. you know i feel that this afternoon is in a certain way a
9:07 am
missed opportunity for all of us because we've been bouncing in and out because of other vote schedules and i think panel's contribution could be very useful and could be more useful and will submit additional questions for the record you could address. speaking of missed opportunities, the report done by the majority staff of this committee i think performs an extraordinary service and provides an excellent backdrop and summary and analysis of what happened here and it uses the term, opportunities, missed opportunities, is the way i would interpret them that very unfortunately were failed here and it brings home to me one of the truths that i think maybe senator blunt was alluding
9:08 am
to, best technology in the world is useless unless there is good management. here to be quite blunt, there were multiple warnings from the company's anti-intrusion software. they were missed by management. maybe because of lack of training. perhaps simply a sense of confidence or complacency, the need for action were missed. that has created enormous costs. one of the lessons of this incident for me is that, better management has to come with better technology. do any of you disagree? i take it by your silence you're agreeing. the other area that has not been
9:09 am
explored so far is the notification here. and, and the, breach occurring 11/12, november 12th, happened well before there was notification to consumers, december 19th i think it was. and the question that arises i think in the mind of a lot of consumers and justifiably is, was there timely enough, quick enough, fast enough notification here and what can be done to improve that pace in the future? so let me ask mr. mulligan first and perhaps the others, what you think about the timeliness of notification? >> senator, first, we, excuse
9:10 am
me, identified the malware on your system on the morning of december 15th. from that moment forward we were very focused on public notification. >> but should you have discovered it earlier? >> that is a reasonable question, senator. one, the report as you indicated is very well-done. it is asking a lot of hard questions -- >> in my view, let me just state very simply, there should have been earlier discovery. whether you could have prevented the intrusion and stopped it early, that may be a subject of debate but certainly it should have been discovered and notified earlier. >> we're certainly going back to understand that, senator. as the alerts were surfaced, our team assessed them. they assessed hundreds of alerts every day and make judgments based upon those. given the circumstances we were in we identified the malware on the morning of december the 15th and provided public notice four days later. we were very focused.
9:11 am
your point is exactly right on speed and doing so quickly and we balanced that insuring we could provide accurate information to our guests and respond to their questions, given the volume we knew were coming in both our call centers and our stores. >> miss ramirez. >> from our perspective reasonable, prompt notice is quite critical but we understand it is very important for companies who have been victims of a breach to be able to assess what transpired and as i think as mr. mulligan has noted it is critical that consumers received accurate information as well. we understand that can take time from our perspective. ultimately notice should happen reasonably promptly in our view. at very outside should be 60 days at the very outside. of course it is critical that the consumers have an opportunity to be able to take steps to protect themselves if their information has been exposed. >> i want to thank all of you
9:12 am
for your answers. my time has expired and i'm going to yield to senator markey before he truly starts fuming with good reason. and i want to follow up on this question of notification because anybody can be a victim of hacking or intrusion but no one is should, in any way delay notification to consumers once it's happened. even when there is something less than complete certainty, a warning to consumers can save, literally hundreds of millions, if not billions of dollars, and the ultimate cost often is born by those consumers in identity theft. senator mccaskill earlier was talking about who is bearing the cost and suffering and pain resulting from identity theft? consumers bear it, even if they get money. even if they're told by monitoring, even if they get
9:13 am
insurance. i want to thank you all for your cooperation. i know target has cooperated with my office and this committee and i want to thank you for the contribution that you made here today and before now. thank you, mr. chairman. >> thank you, senator blumenthal. thank you, i don't know how you pulled it off but you got a leave of absence and i've been here 29 years and first person who has ever gotten that. so you clearly care and so we're grateful for your coming back. but now we're treated to the one and only great mr. edward markey. >> thank you, mr. chairman. dr. loh, the university of maryland decided to provide five years of credit protection to those impacted by the data breach at your school. how did you determine that five years was an appropriate time period? >> well, as you know we announced it within 24 hours. notified everybody within about four or five days and very
9:14 am
quickly, of course the way most students communicate is by social media. >> but why the five-year period -- >> and so, what they were complaining was that we initially offered one year and they said one year is not adequate. >> and what was your conclusion? >> my conclusion is, well, i think they're right. it is going to cost more money but it is the right thing to do. >> why is that the right thing to do? >> i'm sorry? >> why is it the right things to do? >> why is it the right thing to do? after all it did happen. it is our responsibility to provide the maximum protection possible of our sensitive data. we did not do it. i think we have very strong defenses but they were penetrated in a very sophisticated way but that is no defense. so we decided to up it from one year to five years. >> mr. mulligan, target has offered victimized consumers just one year of credit monitoring service. my concern is the same as dr. loh's and students of
9:15 am
university of maryland, one year is too brief a period of time given the compromise of this information. so why did you choose one year and not have a longer period of time, even though as dr. loh said, it costs more money but, it is consistent with the risks that the consumer now runs? >> we certainly evaluated this. not having experience we reached out to other entities that had similar experiences. our understanding at the time we made the offer that was one year was appropriate, would provide appropriate coverage. we're certainly not dogmatic about that. we have not received the same feedback from our guests. we issued millions of access codes to our coverage and have not received that feedback, but certainly if we did we would reconsider that. importantly part of our coverage is you have access to a fraud specialist ongoing beyond that one year. that goes on forever. >> my concern is of course this information has been compromised and sitting out there and one
9:16 am
year is just arbitrary period of time to select to say it can't be used in a way that comes back to haunt the individuals whose information has been compromised and i just think that more lengthy period of time makes more sense. i think, university of maryland reached the correct decision. i also understand that the credit monitoring target is tracking only one credit report. experian and not the credit files maintained by transunion and equifax. why do you believe that one bureau monitoring is good enough? wouldn't free monitoring of all three reports provide consumers with better protection following the breach? >> here again, we reached out to several other entities who had similar situations. we understood experian is a well-established company. they had a product we felt was, would work very well for our consumers, our guests because it offered in addition identity
9:17 am
theft protection, identity theft insurance and additionally the ongoing, access to the fraud specialists which we felt was particularly important. so we went with their particular product. >> yeah. again, i would suggest you look, perhaps, to a broader group of companies here that would be helpful. credit monitoring may also provide consumers with a false sense of security because these services monitor only attempts to open new lines of credit. they do not watch for day-to-day, unauthorized charges on your credit cards. so tell us what target is doing to help consumers with that problem? >> that's an excellent question and as we communicated to our guests we talked consistently about the need to monitor your exists accounts. we understand this has impacted them. we've tried to find resource, tools, communication. we provided one spot on our website which has all the information we provided to them. we provided emails and
9:18 am
additional information to our red cardholders all with the focus to keep them informed about the information we have. >> thank you. and let me move to you, miss mulligan, mr. wagner, rather, if i could, what steps are you taking to insure better ways of insuring data security keep up with new payment technologies? >> well as the testified, emv technology is a major improvement for payment securities but that is something that data card is very interested in supporting globally. from an end perspective our commitment is to help our customers have the identity technologies that they need to, you know, provide strong layer of security in their defense mechanisms. one of the things that is really key to understand is that the malware has changed the way it operates in the last several
9:19 am
years. idea of being somewhat on the network, being able to overtake a network credential and move freely inside the corporate network as if you have a ticket to disneyland is different security risk we were dealing four or five years ago. to educate the industry and get governance, processes in place that help companies understand their risk and provide tools to mitigate the risk is what entrust is trying to do. >> what i would suggest is this, okay? it doesn't make any sense for the congress to mandate specific technologies. what it does make sense to do, however, is to say to industries, that you have to keep up with the changes. and if you don't keep up with the changes, then you're liable. so to say that any of this is a surprise is just to say that you're not keeping up with what's going on.
9:20 am
and so the chairman here could call a hearing of the five or six smartest young geeks in america and they could explain it to this committee right now but the truth is that the five or six smartest geeks in each one of your company should be have that meeting right now with the ceos. these are the changes and these are the recommendations that we make and in order to provide the extra protection because the law requires us to keep up. okay? so you keep saying we're surprised at the changes means that you haven't kept up but it doesn't mean that younger people in your own organizations have kept up. and so in and of itself is no excuse, okay? it just isn't. and the congress shouldn't require a specific technology but should require a standard, you know. if you don't have a radio on your, on your boat in 1900,
9:21 am
you're not derelict. you don't have one on your boat in 2020, i mean in 1920, now you got a problem. it evolved. there are two-way radios now. you don't have one, you can't say, oh, my god i didn't have one when i bought the boat, okay? that is not an excuse. you have to have noted a guy named marconi came along in the interim and young people have the devices and there was a storm coming and you can't exempt yourself from the liability. that is kind of the challenge here. that's why senator blumenthal and i have introduced legislation to give the federal trade commission much greater authority so that they can require these security measures to be put in place and that, consumers receive immediate notification as well of any breach that occurs and i think it's important for us to, to act
9:22 am
this year because this has been occurring over and over and over and over -- tj maxx is in my congressional district, my old congressional district and they had a similar breach in 2007. so it's not as though this doesn't keep happening over and over again. it is that we keep treating it as though it is a huge surprise that it's going to happen, i think we need to put in place the highest possible standards. that's why senator blumenthal and i introduced the legislation to help to accomplish that goal and that's why senator rockefeller, chairman rockefeller, is having these hearings because we ultimately have to deal with the issue. i thank you, mr. chairman. >> very good questioning. i'd like to be a part of the bill. >> your staff was the first group of human beings on the planet to receive a copy of the bill. >> good. but see you raise a very important point and that is that we measure everything based upon
9:23 am
what it was and that absolves us of the responsibility of saying what it might become and important question whether you're talking about national security, anything, corporate security, what is might become. and that why we're constantly surprised. you know, the painful memory of the boston marathon, i'm not sure what the teaching of that was because that was kind of a traditional, a traditional act. did we have something we should have known that had, there had been advances in technology or in technique or in dispersion or whatever, that we missed? but regardless what the answer to that is, you're basically right. this job is not to say exactly what it should be this month the next month, the next month. it should be the highest possible, practicable, the
9:24 am
highest possible standard, that will reach many people who will object. >> may i just say that's a good example where the russians had given information about these suspects. >> and that is correct. >> so the technology had worked in fact in gathering the information but the human judgment then in terms of what to do with the information, you know. so here, the technology is something that now is available to deal with the threats and it is there and available and younger people of course are familiar with it but it just becomes in most instances, do you want to spend the money? >> yeah. >> do you want to spend the money to keep up with this technological arms race that you necessarily have to because it is concomitant with the electronic era that each of these companies are embracing. so you can't think of that as a loss that you now have to suffer because you have to build in the security. you have to think of it as a necessary investment you have to
9:25 am
make. >> we're not accustomed to that. >> we're not. >> pattern of thought but your suggestion that we need to be and that is what nist is there for. you missed my speech on spending money on infrastructure. and i will not pain you with repeating it but you already agree with it. look, does -- >> does that mean we're passing a transportation bill out of this committee this year? >> no. don't tease me with that. the, this has been a very interesting and a very frustrating hearing for a couple of reasons. one, it is a very complicated subject. i mean we have, you know, the ftc, the president of the university of maryland, this vast institution, my former chief of staff carrie yates got her degree from magna cum laude did i you will bring great
9:26 am
experience to this. but we are under the stricture of the sense of time is running out on us and are we going to have the time to energize people as senator markey hasn't indicated, young people are already knowledgeable. the question will they be energized to go into these fields? will they be energized to go work in the university of maryland to help you or at your firm mr. mulligan, to help you? i think it also, also makes the point i made earlier. at some point there is more reason therefore to have a point of responsibility. ultimately, whether you're a senator, whether you're a president of a company, a president of a university or playing first for the boston red sox, it's not just holding on to your job but it's how you do it, how people assess it,
9:27 am
with a hard eye, that makes the difference. accountability is everything. we have tended to forget that in this country because somehow america always muddles through. america is not now muddling through. and it is not a pretty sight. you have been fantastic. you've been alert. you've been helpful. you put up with our absences. we had nine votes. that is not a lot of fun for us, but we got nine judges, did we not? and, then that's a wonderful thing, for america. so i want, i want to profoundly thank you, each one of you, for being here and for being here this long. mr. broussard, i'm feeling guilty about you. you haven't talked enough. would you like to talk for two or three minutes? [laughter] >> i will decline your very kind
9:28 am
invitation. >> why? it is perfect opportunity. nobody will get up and leave while you're talking. say something that is on your heart that you want to say? >> i will say very briefly, senator, i think the government has really been out front of the bulk of industry and the non-private, the non-public sector, in identifying the significance of cybersecurity and in prodding business and non-profit sector to try to accelerate the pace of the commitment that they're showing. you have done it in this committee, the fbi, the dhs, the white house. there are various government agencies that have really advanced the ball and i think it is incumbent upon the bulk of business and the non-private sector to try to follow the lead that has been set. >> yep. we've got to get our act together, no question and we're all part of it. part of the future. part of the wrongs of the
9:29 am
present. part of the forgetfulness of the past. we're taking too much comfort in the past. i have nothing wise to say so i will end this hearing. i don't tend to bang a gavel and i think that is a sort of showmanship. i say it at an end and you are free. so you have our great gratitude. thank you so much. no, i mean, this is all good for you. >> the u.s. senate is about to gavel in for the day to wrap up work on a bill providing $150 million in economic assistance to ukraine and imposing sanctions on russia. senators will take votes on that bill starting at noon eastern.
9:30 am
they will also take a vote on the nomination of maria sweet to be administrator of the small business administration. to live coverage of the u.s. senate here on c-span2 the presiding officer: the senate will come to order. the chaplain dr. barry black will lead the senate in prayer. the chaplain: let us pray. o god, we would rest in you for you alone can bring order to our world. reveal yourself to our senators, guiding them on the path of peace. may they place behind them disappointed hopes,
9:31 am
as they lean on you for comfort and strength. rebuke their doubts. strengthen the good in them so that nothing may hinder the outflow of your power in their lives. direct them to make a commitment to work together for your glory. we pray in your great name. amen. the presiding officer: please join me in reciting the pledge of allegiance i pledge allegiance to the flag of the united states of america, and to the republic for which it stands, one nation under god, indivisible, with liberty and justice for all.
9:32 am
the presiding officer: the clerk will read a communication to the senate. the clerk: washington d.c., march 27, 2014. to the senate: under the provisions of rule 1, paragraph 3, of the standing rules of the senate, i hereby appoint the honorable john walsh , a senator from the state of montana, to perform the duties of the chair. signed: patrick j. leahy, president pro tempore. mr. reid: mr. president? i move to proceed to calendar number 333. the presiding officer: the clerk will report the motion. the clerk: motion to proceed to the consideration of calendar number 333, h.r. 3979, an act to amend the internal revenue code of 1986, and so forth and for other purposes. mr. reid: i would note the
9:33 am
absence of a quorum. the presiding officer: the clerk will call the roll. quorum call:
9:34 am
9:35 am
9:36 am
9:37 am
9:38 am
9:39 am
9:40 am
9:41 am
mr. reid: mr. president? the presiding officer: the majority leader. mr. reid: i ask unanimous consent the call of the quorum be terminated. the presiding officer: without objection. mr. reid: mr. president, i have said often that people who work in the capitol are some of the most intelligent men and women anyplace in the world. they come here, as i explained to a group of people from nevada this morning, dedicated to public service. they are not here to see how much money they can make. they're here to change people's lives. and today, the senate is losing one of its brightest and most seasoned minds. a lawyer by trade, pete robinson came to the senate in 2002. i knew pete because he had worked in the house previously when i served over there.
9:42 am
i knew him as someone -- i always admire people who are good runners, and i saw pete out running and i was amazed at his gracefulness and speed. i did a lot of running. i wasn't very graceful and didn't have a lot of speed but i did a lot of running. he was the captain of his high school cross country team. he was a good athlete, which i admire very much. but from the moment he came here to the senate, the office of parliamentarian became a better place. he was as close to being indispensable as anyone. he has an incredible work ethic, tremendous experience having been a parliamentarian in the house and here, having been in the private sector, a great memory and has made the senate function like it should, and not many people can make that claim,
9:43 am
especially today. he will be missed. i will miss him personally. i loved to joke with him and talk to him about his running days like i talk about my running days as if we were out still both running, but that's what life's all about. you look back at the things that you did and i'm sure, just like the presiding officer, the things you do as a younger man become better every day, and that's the way i look back on my athletic endeavors in that regard. but maybe i wasn't as good as i thought i was, but that didn't matter at the time. it made me feel good. that's what this is all about, to try to build character. so pete is going to be missed in retirement, but he is going to have plenty to do. he has lots of hobbies, an avid
9:44 am
gardener, a good cook. some say an amateur chef. i won't go that far but he is a good cook, as i understand it. he can make his own furniture, and he is going to keep busy feeding and furnishing his wife connie, their daughter, son, and grandson with the good things he has learned. we will truly miss him, and i appreciate his courtesy all the time to me, and as far as i know to everyone else. mr. president, following my remarks and those of the republican leader, the senate will be in a period of morning business until 10:30, with republicans controlling the first half, the majority the final half. following that morning business, the senate will proceed to h.r. 4152. at noon, there will be up to three roll call votes on the menendez-corker substitute, passage of the ukraine bill, confirmation of maria sweet to be administrator of the small business administration. last night i filed cloture on john owens to be a circuit
9:45 am
judge. it will be on that motion to proceed to a legislative vehicle for unemployment insurance. under the rule, the first cloture vote would be tomorrow morning. mr. president, i note the absence of a quorum. the presiding officer: the clerk will call the roll. quorum call:
9:46 am
9:47 am
mr. mcconnell: mr. president? the presiding officer: the republican leader. mr. mcconnell: i ask that further proceedings under the quorum call be dispensed with. the presiding officer: without objection. mr. mcconnell: i'd like to say
9:48 am
a word about our longtime colleague, peter robinson, who is retiring this week. peter joined the office of the senate parliamentarian in 2002 and quickly distinguished himself as a standout talent. he brought a remarkable breadth of knowledge to a job that really requires it. and a legendary facility for reading and digesting complex legislation in record time. his colleagues describe him as a kind of genius actually, somebody who can remember not only where he read something but the exact page he read it on. according to senate legend, one staffer actually showed up one day asking for the software program that he just assured peter had been using to analyze complex bills. he was that fast, he was that good. peter has got all sorts of interests and hobbies so i'm
9:49 am
he'll make very good use of his retirement but he'll be missed around here. pete's colleagues will miss his professional skill and mastery of precedent and procedure but they'll also miss the good humor, the equanimity that has made him such an invaluable and respected member of the senate family over the years. so we wish peter all the best. the presiding officer: the majority leader. mr. reid: i ask unanimous consent christopher sharp, a fellow in senator murray's office be granted floor privileges during the remainder of this session. the presiding officer: without objection. mr. reid: today is an important day for ukraine. and for all nations who support international law, democracy and decency. today the senate will pass a bipartisan bill to provide aid to stabilize the ukraine and for
9:50 am
those russian leaders who played a role in the destabilization of ukraine, this contains much-needed repercussions against them. remember russia is run by an oligarchy. one of the oligarchs is the president of that, putin, it's a reality check the senate will not stand idly by while russia plays the role of a schoolyard bully. it seems president putin does not understand the way the world works today. it's almost as if putin yearns for the days of joseph stalin. the world has changed since stalin was around and it's changed for the better. the cold war is over, along with fixtures like the iron curtain, and brinksmanship. yet it's almost -- putin is living in a time warp.
9:51 am
russia's place in the world is transformed, it does not wield the global power it once did. the rest of the world has changed since stalin's era with other countries emerging in leading roles but the united states of america remains a beacon of hope to the whole world. our political power and our influence are strong because we stand for freedom, democracy and democratic prosperity. yet russia, on the other hand, led by this man who yearns for stalin is a nation of immense resources and potential for good and they've chosen to wield its influence solely for self-interest. earlier this week president obama said the following about russia quote -- "russia is threatening its immediate neighbors not out of strength but out of weakness. the fact that russia felt compelled to violate international law indicates less influence, not more."
9:52 am
president obama is absolutely correct. instead of using its influence to bring stability to neighboring countries, he has instead played the role of an antagonist. look at crimea and the country of georgia. for what does russia stand? for what does president putin stand? as the world gets closer and closer to looking at putin, it doesn't like what we see. the product of putin's two decades of leadership seem to be a disregard for national international law, more corruption and increased suppression of human rights. while countless of his own citizens have rallied in the streets pleading for more freedom, putin and his cronies have concerned themselves with getting rich perks not only with power but with money. these oligarchs have been ruthless. the president of russia has displayed a penchant for action bully. he imprisons political rivals,
9:53 am
locks them up. he seizes wealth from russians who displeased him. they don't say or do exactly what he wants, he puts them in jail and takes their wealth. he single-handedly rolled back progress and equality. endorsed the persecution of his country's gay and lesbian community. he's invaded a nation for choosing democracy. are these acts of a statesman? no, they're acts of a bully. i believe that few -- i'm sorry, few were deluded by the fake veneer of putin's sochi show. in fact, all we saw in putin's russia isn't working. i say every time i get on the floor if he so likes the vote that took place in crimea, why doesn't he have a vote of the people in chechnya? everyone knows why. i say to mr. putin operating by
9:54 am
intimidation and belligerence won't work. nations should work together. he has a choice to come back and honor international law or continue to isolate russia. russian troops continue to mass at the border of ukraine. but he should understand this, the consequences for his continued bullying will not end. certainly not with this bill. his chest thumping aggression is leading russia into irrelevance. my colleagues and i will continue to strengthen ukraine's government and its 46 million people. the bill before the senate isolates putin and his inner circle. what we're doing today is just the beginning. i'm proud of my senate colleagues will join in standing up for the people of ukraine. that's what we're doing.
9:55 am
mr. mcconnell: mr. president? the presiding officer: the republican leader. mr. mcconnell: i want to start by acknowledging the majority leader's candor yesterday in outlining his party's agenda for the rest of the year. in admitting that he actually asked his political arm, the senatorial campaign committee to come up with it. maybe he didn't intend to admit his agenda is actually a political gambit or that it basically has one intent, to bail out imperilled democrats,
9:56 am
democrats desperate from distract how obamacare is devastating the middle class but it slipped out anyway. but that wasn't the only freudian slip we heard at yesterday's press conference. here's a quote. when we play the political games we're playing here one of the majority leader's top lieutenants said, middle-class families feel they are detached -- that we are detached from their priorities. boy, i couldn't agree more with that. maybe this is why even the press isn't taking this -- quote, unquote -- "agenda" seriously. "the new york times" reported helping struggling americans is not really the point of democrats' agenda. and that a main goal is actually just to motivate the democratic base. and drive turnout in places they need to win in november. the times also noted that the show votes associated with the democratic agenda will timed to coincide with campaign style trips by the president. and according to "the washington
9:57 am
post," democrats hope to use the votes as fodder -- fodder -- in hopes of staving off potential losses in several states. look, it doesn't get any more cynical than that. to demonstrate such a total, total lack of seriousness in such troubling times for the middle class. at this point, washington democrats are in the sixth year, the sixth year, of trying to fix the economy. and the middle class continues to suffer. it's just not working. so as i've been saying for months now this presents washington democrats with a choice. one option they have is to try something different. that means coming to the middle and working with us on bipartisan solutions that can create jobs, increase take-home pay and give a leg up to the middle class. the other option is to double down on failed ideology and political gimmicks, the kind of things that get the left-wing base all
9:58 am
excited. in short, washington democrats have a choice between helping the middle class and pleasing the left. so when they release a poll-tested, campaign-crafted obamacare distraction agenda packed to the brim with lefty show votes, i think middle-class families can tell whose side washington democrats are really on. it's certainly not their side. the people we represent all deserve better than this. they are really, really hurting. and all washington democrats seem to have for them is a bunch of show votes. how will the show votes help our constituents? how will they help the people writing to me about the impact of obamacare on them and their families? one woman from louisville has been in the high risk pool for people with preexisting conditions. she had been battling cancer for years and that in 2012 her cancer moved into her liver,
9:59 am
pelvis, lung, and diaphragm. just imagine hearing devastating news like that. now imagine hearing a year or so later you're going to lose the insurance you liked, too. insurance that had helped you manage your cancer treatment and worse, that your new obamacare plan was going to classify your chemo medicine as a specialty drug that costs more than $1,000 for a three-week supply. obamacare this constituent wrote is about as helpful in saving my life as a wet paper sack to help cover me from the rain. she contacted me because she wanted me to know that obamacare stories like hers are anything but lies despite what some in the chamber might imply. does anyone really think constituents like her care about some show vote? what she needs is relief from obamacare. so does another kentuckian who
10:00 am
wrote from henderson county, that's because his premium will jump $400 a month to over $1,100 a month under obamacare. americans he wrote were told we could keep our existing policy if we chose. not only was this a lie, it's a lie that will cost me an additional $700 a month. how is a political show vote going to help him? of course, it isn't and there isn't a thing the democratic party's political arm can do to fix these problems. kentuckians and countless americans suffering under obamacare need real solutions, not gimmicks. not base-pleasing ideology. solutions is what is needed. look, washington democrats forced america's middle class to enter this impossible situation. they basically blocked every reasonable attempt to reform this law or to change
