Key Capitol Hill Hearings, C-SPAN, February 6, 2015, 8:00am-10:01am EST
8:00 am
we have partnered with other organizations in virginia for credit counseling. so we will have someone at our site and so somebody can either while they are waiting, the interminable wait to get the return done or after it's done to go meet with a credit counselor, they can look at the credit score. many of these people, again, i want to be able to buy a car or buy a house or whatever. ..
8:01 am
draw attention to. >> we heard a lot about the moment in our interviews and i'll talk about two things briefly, dignity and death. it's really upon us to treat the client with as much dignity as possible. you've got heavy competition from h&r block and liberty taxes because they know how to treat people as customers. part of the reason people go to h&r block is because they feel so good to be there. so we need to make sure from the
8:02 am
moment people enter the door from how the office looks but this is a dignity enhancing moment because in corporations are so profoundly attached to how they are treated when they come in the door. the second, people want to clean up their debt so they can move ahead. they don't know how to. they have ideas about how they should be prioritized. counseling and help with understanding and what really counts for the credit score would be really thankful. >> considering the political incorporation what does it allow people the opportunity to vote is that standard protocol or is that an add-on that some communities would do?
8:03 am
>> it is a fabulous idea. >> we provide opportunities to register voters, open up accounts and it's definitely a priority. >> if people can't see me in the back -- >> in the recent research about how we can help those low income taxpayers to become aware online like myfreetaxes.com. >> it's hard to compete with those dancing tax men and women on the corner.
8:04 am
of course there's been a very vigorous campaign. the abcd organization that has the office for the tax preparation so it has become institutionalized in a way that sort of gets underneath your fingers. however again you've got this competition from h&r block and all of its competitors and the possibility of getting a refund early. if we could attack the peace and figure out how to make more pay and allowing the people to withdraw $500 bid year to avoid a financial cascade we do need to think more carefully about ways to not let that be the driver of which door you enter
8:05 am
when the tax refund has become available. >> there is a group of organizations that work together for online preparation service that allows people to do their taxes for free and i wonder if you can talk about the supply and demand into the inclusion standpoint that is online services something that we are seeing from taxpayers at all levels. >> i know a lot of banks have started offering free tax preparation online. the problem that you run into is familiar with all of the tax codes and things that you can really claim under taxes then you may incur some hurdles and things you could have received that you were not aware of so
8:06 am
it's just being familiar and well versed. are you really getting everything that you could. we've tried at various times to have the biggest site is self-directed tax that we have people there to sort of help the taxpayers ask questions and do the returns. it's a population that you really don't want to necessarily make do-it-yourself online tax return preparation available because it's hard and there's lots of things that are very subtle and turn on understanding what certain terms mean. they have a very specific meaning in the tax code that's different from its meaning in its colloquial meaning. i struggle with that as a service proprietor so we are
8:07 am
trying out of doing something where they can do self-directed and we can kind of supervise how they do the return. but i'm concerned about the fact they don't end up getting the maximum benefit out of that approach. >> a couple things i want to follow up with. a couple thoughts. one of the things you mentioned is turbotax. if anyone is interested in the whole tax fraud issue coming yesterday there was a forerunner the museum sponsored by the atlantic and it was one of the underwriters for that and just so you know the ceo was one of
8:08 am
the opening speakers and his point of view is for all of us that are in this tax fraud battle to make sure that we do not put the solution on the back of the lowest income. that's not going to get us out of the problem. the second thing andrea talked about hope. and we have had some of the best success partnering. if anyone is interested in using it we would be happy to help and my e-mail shown is coming out,
8:09 am
so they serve time for anybody that is eligible for a product can actually do those in the state. it is about 14 different software companies that can help with that. one of the questions i wanted to ask you my favorite stories from harlem and we had the taxpayer using turbotax and he got more angry and angrier as he was doing it and he said if you don't like this, don't do it. no, i've had some appeals to my tax for 20 years. is this all there is to that?
8:10 am
[laughter] >> the idea is that you can break the law it's intimidating to people. a lot of reason people go to a tax preparer is they trust them to get it right which makes the story all the more tragic. so they are getting paid quite well for their services but fear is very much a factor and a lot of our folks self titled as well and a lot of folks went to the one person in their network that is mastered turbotax and were paying $30 to help them through the process. so this is going on and we might as well capitalize on it by
8:11 am
coaching the coaches. i do think that there is just having returned from the mississippi delta offering products to their neighbors and engaging in the clearances and opportunity for exploitation is ripe among the vulnerable populations. >> the gentleman in a red tie. >> interviewing everyone for the buck did you get any sense that folks understood where they were in terms of the range permitted they talk about i have much more credit then i had the year
8:12 am
before. >> we devoted considerable time asking these questions and it was very interesting there was quite a discourse about this. first people don't realize how that works. they know you have to have kids to get it. people don't think i should work less because we should get the phaseout range. they benefit for working more and to see it as a motivation to work more hours and not less. they don't know how they are going to get there each year. the surprise cautions them
8:13 am
against pre-spending and that's a good thing. give in to the temptations of spending because you are not really sure. and that increases the sense that this is a wonderful. i guess from god as one person said. better than christmas. they are coming that line come in for an experience that is better than christmas. and it built in anticipation and sense of joy collecting the tax refund that most of us don't have. >> they understand the right thing that the more you need to
8:14 am
have children and the more you earn and get. >> you will see okay we are getting $3,000 they say what you mean, i'm sure i got 4,000. but when you point out to them the total amount of money they have in their household is more but you got a better job and so you earn to 3,000 more dollars it really doesn't matter to them whether they got the credit or not. they get the idea that it is better for them to be able to earn more. and none of them have that idea they just understand the people
8:15 am
that are earning less should be able to be helped the way they were helped when they were earning less. it was also mentioned i know that many of the challenges that we have are when parents are together and who titles first and i know that our team works really hard to help people with an injured spouse situation and i wanted to -- perhaps you might want to speak about how they help people right themselves from identity theft. if you have your identity
8:16 am
stolen, they will file a special number. we've had clients come in with those so they can file. the service we provide for the clients is the dueling parental attempt to file the child situation where they are able to help the custodial parent who is worried about having to get this filed and we had situations we tried to end the irs had walk-in centers in the usa bring all your paperwork you can prove the child lives with you but you have to go and do that. >> we have time for one or two more questions.
8:17 am
>> you research them than having a higher accuracy rate than others. is that others that were set aside in the private sector or individuals? >> the report looks at different preparers and the lowest accuracy rate overall was for unenrolled preparers that were not associated with a national chain. so i can't remember off the top of my head but those are the types that we are thinking about when they have a copy and haven't gone through.
8:18 am
>> we can follow up with. >> the gentleman right here. >> thank you. great event. thank you all for stand for most so many things in my brain right now. i get excited about tax time and all this other good stuff. but for me one of the things that has come out about thinking about the importance of how that preparers in their role roll into some of the fraudulent things you've talked about, that one of the things is that fee-for-service model and helping the consumers as i like to call them help them understand how much it is going to cost them and seeing that the cost is taking away from her
8:19 am
overall family budget. if any of you thought about showcasing the cost that they have which is zero versus the competitors and second in regards to the research, if there's anything you could lift up in regards to any change in behavior as far as those that understood they were getting the full refund. >> walking out the door with the refund means you're walking out with $400 less than you would be walking out a week from now. we try always to get that message across but it's difficult because they might need that money that night because they need to go pay their payday loan. it is a very challenging
8:20 am
situation for us to be able to make that value proposition when they are really up against it. so what we do is try to get out there and do returns as early as you possibly can when they have a direct deposit but it's a very challenging thing and i would love to figure out a way to help migrate more people but then we need to be able to have them migrate. >> a good benefit of that is the flexible hours that's an incentive to work around schedules of someone who may have a couple jobs. another is direct deposit so it may not be automatic on a debit card but if you could get it in 72 hours you could buy savings
8:21 am
bonds so there are definitely incentives of getting the tax prepared at the site and i think we do a really good job of advertising those benefits and we do an annual report after each session to show how much money was the average return to show the benefit of the program. when you get that check from h&r block what you pay them is invisible to you. it is uninterpretable. you can't figure out from what they are supposed to tell you the people v.. so it's to make the invisible visible and advertise with great vigor the savings that you can get that you do have to confront
8:22 am
the fear of the irs. people say i go there because i have peace of mind and this audit protection feature that some of the tax preparers offer is very valuable to people because they are so afraid of getting in trouble with the law and i think third what the site could do is they can marry the tax preparation with other services. so it becomes the place where you can figure out which debt to prioritize. if it becomes the place you are treated with just as much dignity as h&r block then you can compete in ways that make it beneficial for folks to go to the vita site. >> i think that's about all our time. i want to thank our great panel. [applause]
8:23 am
8:24 am
a senate hearing yesterday looked at data security and retail and banking customers. the consumer protection subcommittee heard from industry representatives and cyber security experts about what safeguards are needed to protect consumers' privacy and the recent data breach at anthem health insurance. this is one hour and 35 minutes.
8:25 am
>> [inaudible] i want to thank my colleagues and their level of interest on this topic and i would also like to thank the witnesses for joining us today. expertise is important as members of congress and unfortunately this is a very timely topic. the purpose of this hearing is in many ways somewhat narrow to examine the data security standard and the need for the preemptive and uniform federal data breach notification. we all know that we live in a world where consumers have embraced online products and services. my folks at home know they can
8:26 am
make purchases to determine their credit score to conduct banking and examine healthcare plans all from a mobile phone, computer or tablet. that is true of consumers across the country and increasingly around the globe. but the digital economy creates a risk where one bad actor can battle against the team of highly trained experts. the businesses have the tools and incentive to protect their customers from harm. for more than a decade the commerce committee in particular has been contemplating issues surrounding the data security notification. in 2004 the committee held its first hearing to examine the high-profile breach of choicepoint. the recent data breach as well as the headline grabbing sony cyber attack from late last year
8:27 am
are the latest examples that highlight the ongoing serious cyber threats in america that face americans and businesses. just this morning we woke up to the news of what experts are calling the largest healthcare breach to date. the thieves stole names, medical ids, social security numbers, street addresses and employment information including the income data. its most severe of a common occurrence in the digital society. as of 2015 the privacy rights clearinghouse has estimated 3400 breaches involving more than 932 million records that have been made public since 2005. the verizon 2014 data breach investigations report reviewed more than 63,000 security incidents and found 1367
8:28 am
confirmed data breaches in 2013, just shy of four breaches every day. while congress has developed a data security requirements for both financial institutions and companies that handle the health information to congress has been able to reach the data security and the notification standards. it's in a different state district territory laws that determine how businesses must notify consumers in the event of a breach and in addition this 12 states enacted a data practice. the need for the action becomes clear each day. last month president obama voiced his support for the data breach legislation with strong preemptive language.
8:29 am
in the predictable notice the support obama for bipartisan bicameral of almost bipartisan bicameral interest has renewed optimism among stakeholders that congress can develop with legislation in the near term. today we will focus our attention on the key questions and topics of the debate including what are the benefits of the national data breach notification standard commission of a congress implement a basic security standard and to whom should the standard apply. should the federal standard preempt the state standards and what should be the trigger for the notification and the conditions that represent a potential harm to consumers. should there be exemptions and safe harbors and if so for whom and what circumstances. within what time frame should the company be required to notify consumers and should they enact new or stronger penalties for the enforcement remedies and what lessons can we learn from states that implemented their own data breach notification standards? i'm confident our panel and
8:30 am
expertise can share valuable insight into the questions and other specific committee members may have and help us find a right balance. i would like to recognize senator blumenthal for him to deliver an opening statement and i did indicate in public as we do in private i look forward to working closely with you in a very thoughtful and bipartisan way to see the subcommittee accomplish great things for this country. upon a critically important topic and i really look forward to his continued insight and thoughtful leadership.
8:31 am
i served on the subcommittee for two years now and it's critical to the consumer issues that affect everyday americans. we are in the general motors recall. every day the issue of the data breach is no less central to american lives even if it seems somewhat less spectacular. 2014 was known as the year of the data breach and this issue was brought home just this morning when we read about the breach which is absolutely breathtaking in the scope and scale. not only breathtaking but mind-bending in its extent and
8:32 am
potential impact and it is heartbreaking for the consumers who may be affected. not only birthdays, addresses and employment information but also social security numbers and the income data that were taken from anthem and potentially the company said there is no evidence of that so far. this breach comes after j.p. morgan indicated a loss of personal information to hackers about 83 million households. of course in november the united states government said they had ties to the government or a destructive attack on sony. the attack would be comedy but it is literally no laughing matter to any of the other businesses including other
8:33 am
financial institutions on wall street, health insurers and others whose vital data may be taken and to quote the fbi agent that specializes in the division we are losing ground. we are losing ground in the battle with hackers. in december of 2013 we first learned about the target data breach that affected credit card information, personal contact information for as many as 110 million consumers. they are potentially life-changing losses to consumers. target j.p. morgan they are not only the company but they failed their customers and consumers when the data breach
8:34 am
occurred. the fact of life is more than doing business for the companies. it is an invasion of their privacy. it's an invasion of consumer privacy and potential effect of identity and personal assets. so, the billions of dollars that could have been saved by consumers, creditors, banks and others, the companies and universities were collecting sensitive data and spend money and resources on protecting that information is one of the facts that brings us here today as attorney general i brought a number of enforcement cases against companies that violated connecticut the data breach law and they work with my colleagues including lisa madigan who is here today and i express my appreciation to her for this work in this area that i work with kelly ayotte and this is hardly a partisan one and it is
8:35 am
a succinctly bipartisan involving stronger protection for sensitive consumer data and we recognize the states as laboratories of democracy and the great work that they have done in this area. let me conclude by saying. we have a lot of good work that should be done but one guiding principle is do no harm. that is to the state enforcers that every day are seeking to protect the citizen from the scourge and spreading problems of data theft in order for the consumers to trust retailers banks and online sales they need to know their data is secure without abuse, shopping online or bricks and mortar retailers are protecting their information and will do everything in their power to protect that data and
8:36 am
that is a reasonable expectation and they have the right to expect more than they are receiving for the insurers, banks, institutions and nonprofits that increasingly have the coin of the realm of the data about consumers. >> thank you senator blumenthal. mr. mallory duncan senior vice president general counsel for the federation and the chief information officer at dc according to say. the vice president for the policy of the information technology industry council and the honorable lisa madigan for
8:37 am
the state of illinois and finally mr. doug johnson senior vice president and advisor risk manager policy the american bankers association. >> thank you very much. ranking member blumenthal and members of the committee thank you for the opportunity to testify on this important issue. as the largest security software company in the world the global intelligence network is made up of millions of sensors that give a unique view of the entire internet threat landscape and we all have seen even this morning the recent headline about cyber attacks have focused mostly on data breaches across the spectrum of industries. these network intrusions that result in stolen data have deep and profound impacts for the individual that must worry about and clean up their identity for the organizations whose systems have been penetrated and for the government trying to establish
8:38 am
the right notification policies as well as deter and apprehend the perpetrators. the magnitude of theft that is personally identifiable information is unprecedented. over just the past two years alone the number of identities exposed in the network breaches is approaching 1 billion. and those are just the ones we know about. while many assume it is the result of sophisticated malware or research to state actors the reality is much more troubling. according to the report from the online trust alliance, 90% of last year's breaches could have been prevented if they had to do is to cybersecurity practices. while the focus on the data breaches are put at risk and were intent we also must not lose sight of the other cyber attacks that are equally concerning and can have dangerous consequences. there are a wide set of tools available to the cyber attacker and the incidents we see today
8:39 am
range from confidence schemes to massive denial of service attacks to sophisticated and potentially destructive intrusions into critical infrastructure systems. of course they run the gamut and include highly criminal such as hacktivists. the data breaches are well documented but seems to get less attention are the causes of the data breach and what can be done to prevent them. targeted attacks are the single largest cause most of which rely on social engineering or simple terms tricking people into doing something they wouldn't do if they were fully aware of the consequences of their action. last year nearly 60% of the data breaches occurred in the network intrusions by unauthorized users. another major cause is the lack of basic computer hygiene practices. while most of the attacks often seek
8:40 am
to exploit known vulnerabilities, many organizations do not have up-to-date security or patched systems, do not make full use of the system available to them or have security unevenly applied throughout their enterprise. so what can we do? cybersecurity is about managing risk assessing one's risk of developing the plan is essential for organizations there are guidelines including as you discussed yesterday the cybersecurity framework the guideline for small businesses the online trust alliance data protection readiness guide and many others. for the individual, we provide resources for managing the customers and others have many tips available on their website and in fact just this week they published the best practices for individual investors to secure their online accounts and in short, there is no shortage of available resources. strong security should include intrusion protection,
8:41 am
reputation-based security, behavioral-based blocking, data encryption and loss prevention tools and while the criminals' tactics are constantly evolving basic cyber hygiene is the simplest and most cost-effective first step. returning to the policy landscape, symantec supports, as you said chairman, a balanced, thoughtful national standard for data breach notification based on three principles. first, the scope of any legislation should apply equally to the entities that collect, retain or sell significant numbers of records containing sensitive personal information. this covers both the government and private sector. second, implementing the security measures should be central to any legislation created new legislation shouldn't simply require notifications of consumers in the case of the breach that seek to minimize the likelihood of the breach in the first place. third, encryption or other proven security measures that render the data unusable at rest or in transit should be the
8:42 am
element to establish the risk-based threshold for the notification. this lessens the burden for consumers and for the breached organization. at symantec we are committed to improving online security across the globe and we will continue to work collaboratively with our partners on ways to do so. thank you again for the opportunity to testify today and i look forward to your questions. >> exactly five minutes, thank you very much. >> chairman, ranking member blumenthal, members of the subcommittee, thank you for this opportunity. data breaches need to be correctly and forcibly addressed. they fundamentally affect the economy's push towards greater efficiency and cost effectiveness. by way of context, there's a long history of interception of private communications by
8:43 am
individuals and governments from steaming open letters to tapping into telephone conversations. today we have supercomputers and the internet. together they are creating a public network with virtually no boundaries far more versatile and efficient in all the technology that's gone before. governments and trust them with critical infrastructure businesses with the most valuable intellectual property and millions of people type their deepest secrets into google knowing the system is vulnerable to intrusion both by government and by sophisticated actors. this interconnected technologies in many ways still having really commercially become just a quarter-century ago. so we are still discovering its capabilities and its limitations and risks. today we are here to address one of the most significant risks to emerge, the data breach. it's the congress's challenge to incentivize companies to manage
8:44 am
the risk in ways that preserve the innovation and benefits that this technology clearly offers. how can congress do that? there are three essential elements, uniform notice, express preemption and strong consensus law. let's recognize the data breach affects everyone. as the chairman referenced the report retailers suffered their share of breaches the living present. government agencies incur a slightly higher percentage, hotels and restaurants constitute 10% while financial institutions represent 34%. it's not because those with the most breaches of the weakest security. it's because bad actors are always looking for the biggest bang for the buck and no single set of data security standards is fully protected in the industry. in the complex economy coming each type of business is vulnerable to data breaches in a different way via to the theft of account numbers were cloudy that were intellectual property. congress needs to provide incentives for companies to
8:45 am
increase their security and nothing motivates like sunlight. requiring every company have the same public notice obligations will provide this needed light. uniform notice has two benefits. it can help individuals take steps to protect themselves but equally important, the consequences of requiring all companies publicly exposing the data breaches is a powerful incentive for them to improve security. members are some of the best retail companies in america. recent very public breaches and discussions of how to avoid them have engaged our members most senior executives. as a result members are investing in unique and tailored solutions in the effort to address this ever morphing problem. but the nation's economy is bigger than retail. congress needs to encourage disclosure and the incentive for the security that it brings across the board from all entities that handle sensitive information. preemption there are more than
8:46 am
50 jurisdictions with these laws. many have common elements that they are not the same. some come with different data sets and require state officials to be notified and so forth. midsized companies struggling with the consequences of the breach face the conflict in laws that have become little more than traps for the unwary. in the midst of the breach when a company should be focusing on securing its network and identify its customers they have diverted their limited resources to pay for law firms to clear them from the regulatory gotcha. we need a uniform preemptive federal law that would simplify the process for businesses and provide a consistent notices nationwide. but it must be real preemption otherwise the federal law becomes a 52nd set of requirements that companies have to follow and you will have accomplished worse than nothing. finally it would not be appropriate to preempt the states only to adopt the weakest law. rather for the federal standards you should be looking well above
8:47 am
the median, not the most excessive perhaps but the language that reflects the strong consensus of the state law. we urge you to go further and establish the same notice obligations for all entities handling sensitive data. congress shouldn't permit notice holes. situations where some entities are exempt from their known breaches. if we want meaningful incentives to increase the security everyone needs to have skin in the game. in closing, we believe those three elements uniform notice, express preemption and a strong consensus law enforced by the federal authorities and the state ag are essential steps to properly enforce fully addressed the data breach conundrum that is plaguing the businesses and consumers. thank you. >> good morning, chairman, ranking member blumenthal and distinguished members of the committee and by panelists here,
8:48 am
thank you so much for the opportunity to testify today about the data breach and the notification legislation. it is an honor. i want to commend you for investing your time for the infrastructure protection. as the younger citizens. work on the decision will be critical to the youth. as the amount of data continues to increase exponentially primarily driven by the mobile and highly connected lifestyle, the work on the legislation will be critical. as internet connected devices increasing the number from 10 billion to the projected 50 billion by 2020 are impacting our economy by as much as $19 trillion according to many experts and your work on the legislation will be critical
8:49 am
catalyst to a power that connected innovation and wealth generation. as connected robots and 3d printing fundamentally change how we manufacture goods and supply-chain your work on the legislation will be critical to supporting the next generation innovation and leadership in the world. we are truly looking at some exciting times. i had the privilege and honor to serve as the vice president at brown university and i am a fiscal fellow and a senior member. i'm also a faculty member in both computer science and engineering. my area of expertise and research is in cybersecurity and aviation network security. i take great pride. the privacy rights clearinghouse as the chairman pointed out has reported that there've been over 932 million records compromised and order for 4,000 plus breaches in 2005. just yesterday as it was
8:50 am
mentioned and some reported, a large breach that may be impacting many people in this room, since many federal employees are covered by some of the programs that anthem offers. we as individuals and as a nation must have a laser focus on the area for the protection of our consumers. currently 47 states including rhode island, the district of columbia, guam and the virgin islands have enacted data breach legislation. there are similarities in the laws but no two are exactly alike. as a university with students from all 50 states we are impacted by all of them, and maintaining the necessary standards for each state is very difficult. this can clear the value for the small organizations lacking the expertise in the specifics of the state laws. this type of burden is, in my view, unnecessary; breach notification is a national issue, so i would
8:51 am
encourage you to consider single national legislation. in my view such legislation should clearly define the rules and actions that are required in the case of a breach. it should identify the method, speed, delivery and content of notifications. the time limit for breach notification may be unattainable for small organizations, nonprofits and educational institutions; it should make compliance possible for all. it should also encourage organizations that collect the data to be transparent about the use of such data. consumers, especially the young ones, appear to be happy to give away their data and privacy to services including social media sites. the act should define expectations of security for the organizations collecting and storing personally identifiable data. given the highly publicized breaches that have already been mentioned, it is apparent that more work is needed no matter
8:52 am
what the size of the company; certain expectations of security should be defined when the data is collected and stored. most importantly it should provide incentives to establish education to better combat the breaches, because it is necessary. it's important for us to develop the cyber expertise in the u.s. national security cannot be offshored. in conclusion, i applaud the efforts and appreciate this dialogue. i will have more details in my written testimony and stand by to assist in any way that i can. cybersecurity and cybersecurity education are critical. national security cannot be offshored. thank you. >> good morning, chairman, ranking member, members of the subcommittee. my name is doug johnson, senior vice president of the american
8:53 am
bankers association. i currently lead the association's fiscal cybersecurity resiliency policy efforts. we share the concerns of congress about protecting consumers in this increasingly sophisticated world of electronic record-keeping. it's clear that they enjoy the efficiency and convenience of conducting transactions electronically. notwithstanding the recent breaches, the payment system remains strong and functional, and it's mandatory that we maintain trust in the system so that it remains a system that our customers can continue to trust. while the majority are conducted, they will continue to occur. consumers have a right to swift, accurate, executive notifications of breaches. they also have a right to trust that whenever they conduct business electronically the business is doing everything it can to prevent the breaches from
8:54 am
occurring in the first place. when mr. duncan mentioned the international symbol of private companies and police stations around the world, other organizations such as the identity theft resource center noted that for the united states, business has reported over 30% of the breaches for 2014 while financial institutions represented 6%, and while the numbers may differ, and we do believe that the united states numbers are more appropriate to cite, i believe the intent is the same: to ensure that we are protecting the customer data, and i think that this is actually both of our roles. the banking industry supports the cybersecurity policy and we will continue to work with congress to achieve that goal. the banking industry is acknowledged as a leader in defending against cyber threats. therefore, from the financial services perspective, it is critical that legislation takes
8:55 am
a balanced approach that builds upon, and does not duplicate or undermine, what is already in place and effective for the financial sector. there are three key points that must be considered with regard to the data protection standards. first, as others have noted, we do need a national data standard. a standard for data security breach notification is of paramount importance. currently 46 states, three u.s. territories and the district of columbia have enacted laws governing data security in some fashion. although some of them are similar, many have inconsistent and conflicting standards, forcing businesses to comply with multiple regulations and leaving many consumers without proper recourse or protection. inconsistent state laws and regulations should be preempted in favor of strong data protection.
8:56 am
any data protection notification requirement which recognizes this and the national data protection and notification requirements. some industries, including financial services, are already required to maintain protections that protect consumer financial information and to notify customers when a breach occurs in their systems that puts the customers at risk. we believe the extensive breach reporting requirements currently in place for the banks provide an effective basis for a national data breach reporting requirement for businesses generally. finally, there must be strong national data protection requirements associated with any data breach law. all parties must share the responsibilities and cost for protecting consumers. the cost of a data breach should be borne by the entity that incurs the breach. any requirements must have strong data protection
8:57 am
requirements applicable to any party. i would be happy to answer any questions that you may have. >> attorney general madigan. >> members of the subcommittee, i appreciate having an opportunity to testify today. data security is one of the biggest challenges that we face as a nation. it is an ongoing struggle for all americans and for the companies, nonprofits and government agencies that hold personal information. while we have been reawakened by many of the public breaches, they are not a new problem. because of that, ten years ago i joined 43 other attorneys general, including at the time attorney general blumenthal, in the bipartisan call for a strong, meaningful national breach notification law, and for over a decade my office has helped individuals clean up from identity theft and
8:58 am
investigated the major breaches. in 2005 i drafted a breach notification law to ensure consumers are told when their information is compromised, and in 2006 i created an identity theft unit hotline to help consumers restore their credit when information was obtained and used without their authorization. so far we have helped over 37,000 people and removed a little over $27 million worth of fraudulent charges from their credit. at this point, most americans realize it isn't a matter of if but when they will be a victim of some sort of identity theft. the question now is what do we do to best assist them, to prevent the data breaches and reduce identity theft? first, i want you to recognize that for the most part we already have data breach notification in the country. as you are aware, 47 states have a law requiring companies to notify people when their financial information is compromised. many states are working to pass the second update to the law in response to
8:59 am
the almost 4500 publicly known breaches that have affected over 900 million records since 2005. in this environment, americans need and expect more transparency of data breaches, not less. last year i held over 25 roundtables on data breaches throughout illinois with over 1,000 residents, including local government officials, law enforcement, small-business owners, religious leaders, social service agencies as well as regular consumers, and here is what they told me. first, they are concerned by the increasing number of breaches, and when their information is stolen they want to know. second, they want to know what they can do to protect themselves from identity theft, and third, they want to know whether the entities are doing enough to protect their information. so a weak national law that restricts what most states have long provided would not meet the increasing expectation that
9:00 am
they be told when their information has been stolen. instead, any definition of protected personal information should be broad and include the growing types of sensitive information entities are collecting from individuals. they should be able to update the information in response to new threats. whether the entities are doing enough to protect people's data: unfortunately, as you've already heard, and i can tell you from my own office's investigations, it has been revealed that entities too often fail to take basic data security precautions. we found numerous instances where the entities allowed sensitive personal data to be maintained, failed to install security patches for known software vulnerabilities, collected sensitive data that wasn't needed, retained data longer than necessary and failed to protect against compromised log-in credentials.
9:01 am
.. >> as a state official, i oppose federal legislation that limits our ability at the state level to respond to and to safeguard our residents. but if congress does preempt the states the preemption provision must be narrow. the law should preserve the states' ability to use their own consumer protection laws, and congress should give the states the right to enforce the federal
9:02 am
law. i'll be happy to answer any questions that you have. >> thank you very much. ms. weinman. >> thank you. chairman moran, ranking member blumenthal and senators of the subcommittee, thank you for the opportunity to testify today. my name is yael weinman, and i am the vice president for global privacy policy and the general counsel at the information technology industry council, known as iti. prior to joining iti in 2013, i spent more than ten years at the federal trade commission, most recently as an attorney-adviser to commissioner julie brill. i began my career at the ftc in the enforcement division, ensuring that companies subject to ftc data security consent orders were, in fact, complying. the 59 technology companies that iti represents are leaders and
9:03 am
innovators in the information and communications technology sector. when consumer information is breached, individuals may be at risk of identity theft or other financial harm. year after year, identity theft tops the list as the number one complaint reported to the ftc. consumers can take steps to protect themselves from identity theft or other financial harm following a data breach. federal breach notification legislation would put consumers in the best possible position to protect themselves. i take this opportunity to outline three important principles in connection with federal data breach notification legislation. first is preemption. a federal breach notification framework that preempts the existing state and territory breach notification laws provides an opportunity to
9:04 am
streamline the notification process. complying with 51 laws, 47 states, 3 territories and 1 district, each one with its own unique provisions, is complex, and it slows down the notification process to consumers while an organization addresses the nuances in each of these 51 laws. complying with 51 different laws also results in notices across the country that are inconsistent and thus confusing to consumers. a federal breach notification law without state preemption would merely add to the mosaic, resulting in a total of 52 different frameworks. the second principle is the timing of consumer notifications. an inflexible mandate that would require organizations to notify consumers of a data breach within a prescribed time frame
9:05 am
is counterproductive. following a breach, there is much to be done. vulnerabilities must be identified and remedied, the scope of the breach must be determined, cooperation with law enforcement is imperative and impacted consumers must be notified. premature notification could subject organizations to further attack if they have not yet been able to secure their systems, further jeopardizing sensitive personal information. premature notification might interfere with law enforcement's efforts to identify the intruders. the hackers might cover their tracks more aggressively upon learning that the breach had been discovered. and notification to consumers before an organization has identified the full scope of the breach could lead to providing inaccurate and incomplete information. organizations have every incentive to notify impacted
9:06 am
consumers in a timely manner, but a strict deadline does not afford the necessary flexibility. the third principle is determining which consumers should be notified. notifying individuals that their information has been compromised enables them to take protective measures. it is not productive, however, if all data breaches result in notifications. if inundated with notices, consumers would be unable to determine which ones warrant action. notification should be made to consumers if they are at a significant risk of identity theft or financial harm. a number of factors would be considered in making that determination, including the nature of the breached information as well as whether that information was unreadable. unreadable information would not warrant a notification. upon receiving notice,
9:07 am
individuals can then take steps to help avoid being financially damaged. the three principles i have outlined today are included in the full set of principles that iti has developed in connection with federal data breach legislation, and i respectfully request that these be submitted for the record. 2014 has been referred to as the year of the data breach, and i think many of us would like to see 2015 as the year of federal data breach notification legislation. i'd be happy to answer any questions. thank you. >> thank you very much, and thank all of our witnesses. attorney general madigan, you seem to be in the minority, at least on this panel, on this issue of preemption. how do you respond to the concern that's been raised, particularly by mr. duncan or ms. weinman, about 51 or 52 different sets of standards across the country, and is there a way to preempt state law but then continue to have states
9:08 am
involved in the enforcement of that new standard? >> senator, to answer your second question first, of course there is, and it happens frequently at the federal level where you will set a national standard but still allow state attorneys general to enforce the law. and so, obviously, if that's what happens, that is one of our most important concerns, because there will be instances where there are significant data breaches. they may be smaller, they may be confined to one or only a few states, and it will not be a circumstance where the ftc, for instance, if they're the ones with the enforcement authority, will look into it. in part, it's the same situation we have in terms of different jurisdictions at a state level versus a federal level even for criminal matters, you know? some of the u.s. attorneys' offices have thresholds. gotta be a big enough matter. we still need and want the ability, as i said, to safeguard
9:09 am
our own residents. in terms of, you know, the concern, that i do appreciate, of having, you know, as many as 51 different laws that organizations have to comply with in terms of notification, i would say two things. one, to some extent the concern is overblown. in a very real sense, somebody mentioned it is a lawyer that sits down and determines what the notice has got to be and then produces a notice that can be used across the country. that certainly happened in terms of the target breach. i remember getting that notification, and there are some different provisions depending on what state. but it is, it's not impossible to do. it doesn't take such an enormous amount of time that the other issues that need to be contended with during the breach are ignored. so it is not an overall necessity, but i do think that it is imperative -- i think everybody agrees that if you set a national standard, it cannot be a weak one. it has to be a higher one than some of the first generation
9:10 am
state notification laws, because we're seeing an increasing number of breaches with an increasing amount of sensitive information that's being breached. so you're going to have to start to hook into the biometric data and things that during the first generation very few, if any, states considered. >> thank you very much. is there any indication, this is for any of the panelists, is there any indication that from state to state, depending upon the law, that that law or the effectiveness of that law has a consequence such that there are fewer hackers? is there any suggestion that a state law discourages hacking from taking place in that state? in other words, is it effective as a prevention measure, and is there any suggestion that a state law has increased the standards of businesses who operate in those states? is there a different level of compliance, and is there a different level of desire to
9:11 am
attack in a certain state because of state laws? mr. duncan. >> senator, as i mentioned in my testimony, the very nature of this problem is that it's interstate. if you imagine a situation with a small start-up, they instantly have connectivity throughout the entire united states if they're selling merchandise. so it's the fact of notice, regardless of which state it occurs in, that drives the interest in trying to have greater standards. so it's not really a state issue. this is a national problem. >> well, but, you know, we often think of the states as laboratories to develop, and i assume if we develop a national standard, that we will look at states to see what standards are there, what makes sense. but i just want to make certain there was no suggestion that a particular state has found a way to prevent or discourage this kind of behavior. and i think at least your answer, mr. duncan, is no. mr. johnson? >> yes, sir. i would echo that the answer is,
9:12 am
no. i think what it does is it points to the need to have really a data security standard that's attendant to any data breach standard. because if you don't have both pieces, you really don't have the ability to raise the bar from a security standpoint, because i do not believe that a breach notification in and of itself motivates businesses to, essentially, raise the cybersecurity bar. >> thank you, mr. johnson. let me ask you before my time expires, is there any developing insurance coverage market for data breach? your banks have a standard in place today. is there insurance that covers the consequences of a data breach? >> yes, there is. it's a maturing market. we actually have a captive insurance company that offers some of those policies as well. i think that it's a market that needs further refinement, though. we as an industry are looking at that very carefully in a number of different fashions and, in fact, working with treasury and
9:13 am
with the administration generally to try to figure out ways to improve the market and try to build insurance as a private incentive as opposed to building public incentives toward greater cybersecurity. >> thank you. senator blumenthal. >> thanks, mr. chairman. ms. madigan, again, thank you for being here. i want to follow up on a couple of questions that the chairman asked. you make the point that preemption has sometimes been narrow in our laws. in fact, that concept of narrow preemption is that there should be preemption only of state laws that are inconsistent with federal law and then only to the extent of the inconsistency, and that's a quote from one of those statutes, in gramm-leach-bliley and in the health information technology for economic and clinical health
9:14 am
act, also known as hitech. that principle has been adopted. has the experience been with that narrow approach to preemption that there are these horrible inconsistencies or confusion that our witnesses seem to raise as a specter of avoiding preemption? >> no, senator. the concern from the state level, as you're aware, is that it took -- we're assuming that you guys will pass something this year -- it took ten years for congress to pass a breach notification law if you pass it now. and to the extent that there are new threats out there or, again, threats that specifically target, you know, a group of people, consumers in our state, we need to be able to respond. or there is a rapidly changing area. again, we want to be able to
9:15 am
respond. and so i think that's the real concern. we have not seen significant problems where states both retain enforcement authority of a federal law and/or the preemption is narrow. in fact, i think it works best that way because, again, federal resources tend to go to larger issues whereas state resources go to some of the smaller issues. >> mr. duncan, i am troubled by the failure of retailers to take responsible steps to protect their consumers. in fact, some of them, i am told, have actually blocked some of the new technology that could have been available. i don't want to call any out, but i'm happy to name them if you wish.
9:16 am
i'm disturbed that these major retailers have, in fact, moved to block innovations by disabling their contactless terminals that they offered as a feature to consumers for many years, mobile payment technologies like apple pay and google wallet. efforts are underway, but they still have not been deployed as they should be. aren't you disappointed that retailers haven't done more to protect their consumers? >> it's not a matter of disappointment in terms of what retailers have done in the past. i can tell you that i have sat in the board meetings of the national retail federation and i have heard the ceos of some of the best known companies in this country talk long and seriously about the steps they have to take to address this very serious problem -- >> i'm sure they've talked about it.
9:17 am
why haven't they done anything? >> we are also adopting new technologies that -- this is a very complicated issue to address because there are so many ways, as has been pointed out, that the bad actors can get in. so you have to develop very particularized systems that will effectively block that. and -- >> retailers disable their terminals, for example? >> there are some technologies that either are unproven, are extraordinarily expensive or that take control of the company's operations away from the company into someone else. each company has to make its own decision on that element, but that's completely separate from a decision about how you secure the data in your files. >> you know, i'm struck that you have recommended to the panel that there be preemption not
9:18 am
only of state statutory law, but also common law. that's a pretty broad preemption, isn't it? >> the fact is, if you do not have preemption that is strong and across the board, then ultimately experience has shown us that the courts will strike down the preemption and the proliferation of conflicting laws will reemerge. we have to have a very strong law, and it has to be a uniform law if it's to be effective. >> isn't that principle of preemption virtually unprecedented? >> no, i don't think so. >> where else has it been adopted? >> well, let's look at the telemarketing sales rule that the ftc enforces. there essentially the same kind of approach was taken. all power was placed, essentially, on the rule with the ftc, and you don't see individual actions under that rule or you don't -- >> well, my time has expired. >> -- state attorneys general actions under that rule, which we would support.
9:19 am
>> my time has expired, but i would suggest that that approach to preemption is broader than this committee should consider and that a more narrow view of preemption, such as attorney general madigan has suggested, if there is to be any preemption at all, is one that's more appropriate. thank you, mr. chairman. >> thanks, senator blumenthal. senator fischer. >> thank you, mr. chairman, and my thanks to you and the ranking member for holding this very timely hearing today. ms. mcguire, as you know, numerous reports have linked nation-state actors to cyber attacks. additionally, some of the same countries implicated in these reports may require u.s. i.t. companies to turn over intellectual property, including operating software source code, in exchange for market access. are you concerned that such information in the hands of what we could call an irresponsible
9:20 am
actor could pose additional cybersecurity risks? >> thank you for the question. um, we're concerned about having to turn over any of our intellectual property to any country. we believe that that is an infringement on our ownership of our intellectual property that we have clearly spent extensive resources to develop and that we should be allowed to protect it accordingly. certainly, if it is passed to a third party or a second party, then it does expose us to potential additional vulnerabilities. so in short, we believe that we should not have to share our intellectual property. >> but there are instances, i believe, where companies are being pressured by foreign governments to share that property. do you know how prevalent that is?
9:21 am
>> there are some new requirements. actually, some not so new requirements in some countries. i can't tell you how prevalent it is, but we are certainly seeing a growth -- [laughter] in those kinds of requests from many different countries around the world. >> and how dangerous is that, if we continue to see growth in that, if companies do that for increase in market access, for example? how dangerous is that to other companies here in our country when that property is shared? wouldn't it put your security and other companies' security at risk? >> it potentially could put other organizations at risk. i'm not sure that i can quantify how much, but anytime you have to provide source code to another party it can provide
9:22 am
additional opening to risk. >> and also our federal data protection framework, it's largely based on who's collecting that information rather than tailoring enforcement based on what's being collected. so wouldn't it be better for consumers and businesses alike if we would apply a more uniform regime for all entities so that enforcement is based on the sensitivity of the information that's being collected? >> yes, that is our view, that it should be a risk-based application and threshold for what type of data potentially is breached. >> and for all the witnesses, if i could just ask a couple yes or no questions here. do you support a federal data breach notification standard that is consistent for all consumers? ms. mcguire, if you want to
9:23 am
start. >> yes. >> absolutely. >> yes. >> yes. >> yes, if it is strong and meaningful. >> i'll be the outlier and ask for further clarification of the question. when you say "consumers," are you referring to -- which particular type of data? is that your question, whether you don't want to distinguish between types of data? i think to a certain extent the sectoral approach that we have here in the united states has worked to a large extent with regard to financial data and health data. since the desire is to get federal breach notification legislation across the finish line in 2015, anything that could potentially slow that down is something that we should carefully consider. >> do you think it would be easier to get something across the finish line if exceptions are made or targeting made on
9:24 am
what type of data's collected, then? >> i think it would make it easier to get it across the finish line if entities that are already subject to data breach notification requirements in specialized areas remain intact. >> senator fischer, with all due respect, a sector-specific approach or exceptions are anathema to the kind of incentives we're going to need in order to have effective protection for consumers, at least in the view of the national retail federation. >> so we have disagreement. i'm over my time, so thank you very much. >> senator schatz. >> thank you. ms. weinman, you and others have talked about the balance to strike in terms of overnotification. i think we all recognize that we don't want to be inundating consumers and others with notification of breaches if
9:25 am
they're not significant enough, and it would become meaningless. my question is, who determines whether there's a, quote, significant risk of identity theft? do you figure that gets enshrined in the statute? is that for attorneys general to determine? is that the courts? individual companies make those determinations? i think that is one of the key issues here, is that, you know, we can all agree in principle that we don't want to be overnotifying, but where that responsibility and authority resides is really key. >> thank you. um, i'm glad that we can all agree in principle that overnotification is not something that would be desirable. i think an organization that holds the data and has a sense of what information had been compromised, the extent to which it had been compromised, would be in the best position to make that determination. >> but what standard would they
9:26 am
be held to? would it be under the law? or just their own judgment about whether this was going to be harmful to their consumers? or does this all get refereed in court? i mean, that's the question, is it not? >> well, i think the level of risk would be something that would be codified in a statute, like significant risk of identity theft or financial harm. so i do think that would be in the letter of the law. >> ms. mcguire, you were talking about a risk-based analysis. i'd like you to elaborate there. >> so, um, along the same lines of what kind of data has been breached, um, and what the risk is to the consumer or the organization's data that also might have been part of that. but as i stated in my, um, statement, we believe that a component of that statute needs to be that the data has been either rendered unreadable or unusable via encryption or other
9:27 am
technologies so that, in fact, if the data has been accessed, it is meaningless to the perpetrator. that is a key component -- >> so that's your bright line. >> -- of the statute. yes. >> okay. attorney general madigan. maybe take a half a minute to elaborate on that, and i have another question for you as well. >> i don't think there's any such thing as overnotification going on at this point. notification keeps consumers alert to the possibility of id theft and that they should be protecting themselves, and it certainly depends on what other information these criminals have access to in terms of what they could be using: information we would deem not to pose any risk to them could potentially if it's combined with other information. so there's no overnotification going on at this point. >> well, i agree with you there may not be overnotification. but we don't want to create a scenario where i'm getting e-mails, you know, two or three times a week, and i don't know what to panic about and what to ignore. and i think that's the balance
9:28 am
to strike. i agree, though, that we're not there in reality -- >> at all. >> but if you could, again, articulate what would constitute a sufficiently strong standard to kind of satisfy your concerns. because i respect that the california law and some other statutes are pretty good marks to make. i see a few heads nodding -- >> don't scare them. >> a few heads shaking, and that's fine. but i'd like to hear what you think would suffice in terms of being worth the trade-off in terms of preempting state laws. >> well, i think a strategy i've heard talked about here is you really should look at the state laws that are out there. so california probably at this point being one of the high marks. but i should say it's not just california. again, this is a bipartisan issue. texas, florida, indiana, if they don't already, have some of the most progressive notification laws in the country. and so you need to look and see what the changes have been from
9:29 am
the first generation of them, such as illinois', where we were saying, you know, it's going to be your first name or your first initial and your last name along with, you know, unencrypted social security number, driver's license number, credit or debit card number, to now where we're moving to, as i said, biometric data, e-mail addresses with log-in passwords. so as it changes, you really need to look and see what's the high water mark and make sure that that really is your floor. >> mr. johnson, i'll let you have the last word on this. what would, what would suffice as a strong enough standard that we would all feel comfortable preempting the 50-odd state laws that we'd be looking at? >> gramm-leach-bliley -- >> i'm sorry, one more time? >> gramm-leach-bliley, the federal law. i think what we're doing at the federal level is, has a standard associated with when a company makes an evaluation such as your concern in terms of who has the
9:30 am
responsibility to make the determination as to when to notify of substantial harm. i think also the financial services companies, even if the breach isn't occurring at the financial services company, have a lot of experience in terms of dealing with those breaches as well. and they look at gramm-leach-bliley from that perspective. so i think that's what i would look to. >> thank you. >> senator blunt. >> thank you, chairman. thank you for having this hearing. we had a similar hearing in this committee last march, and i think at that time all the panelists were for preemption, so attorney general madigan, i often tend to be in favor of the underdog, but i seldom would imagine that you'd be the underdog on this issue. you might be in terms of where other people are tending to wind up. i think a lot of the questions that i would ask have already been asked on the topic of
9:31 am
preemption, and we'll just see where that goes. i think the president, the attorney general have both taken a position on this since last march that they agree with the idea. senator carper and i are working on a bill, and one of the things we have not done in that legislation so far is establish an arbitrary time frame. now, there's an argument about whether there should be a specific time frame established in the law as opposed to established by circumstances. so far i've stayed on the we need to have some flexibility in that time frame. but i'm not absolutely sure that i understand or the committee understands all of the impact that you can have here. i did notice in the anthem data breach this week they sent a general notice, and then i heard mr. schatz say basically that
9:32 am
he was becoming the victim of breach fatigue by being constantly notified that he could be in a group that information has been breached, and many people, somebody, many people in that group are the impact of that. we have not come up yet, or i haven't yet looked at legislation with the idea that we need an arbitrary deadline. but i guess i have a couple of questions here for whoever wants to answer this question, starting, ms. weinman, with you. and the question would be what would you perceive in terms of how the deadline should be established or the criteria for what would be a reasonable response, and your view on whether an arbitrary deadline is something that would be, should be included in a data breach notification. >> thank you.
9:33 am
i think an arbitrary deadline, a specific time frame, is not useful in that it sets an objective standard. each data breach incident is different. each incident requires special consideration to address vulnerabilities, cooperate with law enforcement. some breaches will require cooperating with many different types of law enforcement. so i don't think a specific day deadline is useful. that being said, a number of the states have deadlines that do not involve specific days, and i think that is the right approach to give sufficient flexibility. >> is there any sort of guidelines you'd look at to determine whether a response is appropriate if the guideline becomes, the response needs to be in an appropriate time frame? what would be a triggering factor of whether the response was appropriately quick or not? >> well, i think the buzz words
9:34 am
that we hear a lot is "without unreasonable delay," and that type of construct, i think, works well in this situation. and in examining whether the notification was done without unreasonable delay, um, you would look at what the company had done up until that point when it decided to make that notification. so have they dotted all the i's and crossed all the t's and closed the -- [inaudible] cooperated with law enforcement, listened to law enforcement if law enforcement asked them to, in fact, delay notification, which is, in fact, sometimes the case. >> all right. so i'm down to a minute. anybody that feels that a guideline should be specific, anybody want to respond to that? anybody that -- >> so do not agree with ms. weinman and agree that there should be a standard for
9:35 am
reasonable notification. but i think it's important to recognize that there are different types of breaches. there's a difference between losing a laptop that has a lot of data on it and a network that's been penetrated. and that may require very different responses and very different investigation timelines. so i think that's an important criteria to consider. >> yes. >> i would agree with my esteemed colleagues here that there ought to be some flexibility there, because smaller organizations are simply not going to have the resources that bigger organizations can bring to bear. and so some flexibility would be very much essential. >> anybody? >> -- i think i'm out of time. i'm not a lawyer, but my one concern about reasonable response is it sounds like time in court for me to try to determine whether the response was reasonable or not and contend that it wasn't. but i'm out of time, chairman.
9:36 am
thank you for the time. >> thank you, senator blunt. we're honored to be joined by chairman thune, and i recognize him now. >> thank you, mr. chairman. thank you and senator blumenthal for holding this hearing and focusing a light on this issue. it's an issue that's important to our country and something that congress has been trying to fix for over a decade, and hopefully this will be the year when we finally find the path forward that enables us to put in place a workable solution that protects consumers and addresses this very important issue which, again, we're reading about today. millions of americans impacted by yet another data breach. i want to ask, and senator blunt mentioned this because i think the question's been asked many times but perhaps not everyone has answered it, but ms. weinman, i'm just curious because you have extensive experience having worked at the ftc prior to your current position with iti, could you give us your sort of explanation why you think a single federal law is so preferable for both businesses and consumers?
9:37 am
>> thank you. i have a chart with me that's 19 pages long that goes through the variances of the different state laws. that reason alone, i think, lends itself to having one federal breach notification standard to enable companies to act quickly and provide the required notice. so i think it's both business-friendly, but more importantly, consumer-friendly. >> um, mr. duncan, your testimony today highlighted the need for congress to enact a preemptive federal data breach notification law, and i agree that doing so would provide a great deal of clarity for companies, including the retailers and merchants that you count as your members. but it also would provide needed consistency, i think, for consumers, which -- and that's an issue, you know, as i said before, congress has dealt with in the past. there have been various
9:38 am
legislative proposals that have called for not only uniform procedures but also security standards. and i appreciate some of your observations about the risks of ftc enforcement. but since that enforcement can already occur, wouldn't retailers benefit from a federal law saying that reasonable data security measures must take into account the size and scope of the organization and the sensitivity of the data collected? >> thank you, senator thune. the ftc effectively has a reasonableness standard, either under deception or under unfairness, right now. once you begin putting a lot of different factors into that standard, then you essentially start the situation: was it reasonable as to a, as to b, as to c, as to d? and if a medium-sized company can't check the box on every single one of those factors, then they're likely to be in very bad shape. that kind of standard works better when you're developing
9:39 am
guidance. and that's a big distinction between the glb standards that mr. johnson has talked about and a uniform national standard. if you've got an examiner sitting next to you and you can, as an iterative process, work through each of those various elements, that may work. but if you're trying to set one standard for every type of commerce and every type of business in the country, then having multiple components to that is going to make it impossible with any certainty for the average american company to respond to. >> so does nrf support any type of security requirement? >> sure. if there's a standard comparable to that the ftc is currently enforcing, which is a reasonable security standard, and if that's coupled with a very, very robust notice requirement that we've testified in favor of, that would work. >> okay. i have a question for attorney general madigan. ms. mcguire, her testimony suggests that any notification
9:40 am
standard should minimize notifying individuals about breaches in which their personal information was rendered unusable before it was stolen. ms. weinman suggests that the exposure of unreadable data would not result in risk; therefore, notice would not be appropriate. and i'm wondering kind of what your thoughts are in the wisdom of including a usability reference in breach notice legislation and perhaps how the illinois state law approaches that issue. >> it's the right thing to do. i agree with both of them on that front. in illinois' law, if the information is encrypted, you don't get notification of the breach. what we need to look to, as we've seen this in some of the breaches taking place, is encrypted information has been compromised, and the encryption key has also been stolen. in those circumstances, when you can unencrypt, then there should be notice. but if it's encrypted, if it's unusable, unreadable, notification does not need to take place under illinois' law.
9:41 am
>> okay, great. mr. chairman, thank you. >> thank you. senator klobuchar. >> thank you very much, mr. chairman. i apologize for being late. we had a judiciary mark-up. it was very exciting. and now i'm here on a topic that's near and dear to our hearts in minnesota. as you know, one of our major retailers experienced a breach, and i think there isn't a day that goes by that we don't hear about another cyber attack in local communities or on the national scene or even on the international scene. and, in fact, last night the media reported that anthem, the nation's second largest health insurer, was breached and as many as 80 million customers could have had their account information, including names, birthdays, addresses, social security numbers, stolen. these cyber attacks are increasing in scope. i was sponsor of some of the bills that were out there in the last congress, and i hope, given that we've already had hearings this congress -- and i appreciate senator thune's leadership, i'm one of the few
9:42 am
senators that are on both the judiciary committee and the commerce committee -- that we can move ahead in this area of cybersecurity. my first question, actually, was what i just raised, and i know it was just in the news. attorney general madigan, welcome, i've worked with you in the past and appreciate your good work. with this disclosure, it's important to discuss what is and what isn't covered under the health insurance affordability and accountability act, or hipaa. to your knowledge, would the information impacted in the anthem breach be covered by hipaa? >> what i have heard so far is that they claim that medical information was not breached. so it will probably be that it falls under the various state breach notification laws to determine if the personal information definition is met of the various states. but i think it remains to be seen what the total extent of that breach is. >> uh-huh. i know, i think we don't know yet. and in your experience, when something like this happens, not
9:43 am
the exact case, how are the agencies coordinated with the attorney generals whether it's the department of health and human services, the ftc to enforce these consumer protections, and do you think there's more that can be done there when it comes to coordination? >> well, we've certainly long had a very good working relationship with the ftc because we obviously, have similar jurisdiction over consumer matters. we probably do not have as much interaction with the other entities that are dealing with some of the health information. but in illinois the way our breach notification law works if that type of information is going, is taken, we want the ability to be able to make sure that people are notified. and, obviously, coordination, i think, helps everybody, particularly when we all have limited resources. but at the end of the day, our concern is all the same right? we're trying to protect individuals from any sort of identity theft financial damage that could occur because of it. so we are always looking to
9:44 am
cooperate whether it's at the state level or at the state and federal level. >> okay. mr. duncan, i'm going to focus on the retail issues as we're proud to have target and best buy in the state of minnesota, two great companies. last year many of my colleagues and the media have talked about the need to move to chip and pin technology similar to what we're seeing in europe, canada and elsewhere. and following the push for the change, the industry made a voluntary commitment, as you know, to switch over to chip and pin cards and readers by the end of october 2015, which is this year. that's an important timeline, i think, for consumers, and we learned from the home depot data breach that impacted both canadians and americans that cards from canada were actually less valuable on the black market than american cards because they had chip and pin technology. and we tended to be a target because we've not improved that technology despite the work of companies like target who had
9:45 am
early on tried to, but as we know it's not universal across the country. mr. duncan, what percentage of your members have already adopted chip and pin payment technology and have the necessary technology to read cards at points of sale? >> um, this is a quickly-changing number. i have data from several months ago, in which case it was in excess of a quarter of the nation's retail terminals were already outfitted for chip and pin. the concern that many of our members have is that the investment in pin and chip technology is extraordinarily expensive. it will cost between $25-$30 billion to reterminalize the entire country. it's worth it if you get an improvement in fraud reduction. unfortunately, many of the banks -- not all, but many of the banks -- are not issuing pin and chip cards. they're only issuing chip and signature cards. and as you know, a signature's a virtually
9:46 am
worthless security device. so retailers are being asked to spend tens of billions of dollars for security that's going to be illusory. >> so i know just talking to target and best buy that they're pretty committed to getting to this october deadline, which is great. but is the -- when you're talking about the 25%, those are just ones that haven't done it yet, but you expect a higher percentage to be there by october? >> lots of companies. it takes a great -- it's a huge effort to reterminalize a large operation, interconnected operation. >> uh-huh. >> but we expect a significant portion of the industry to be there. not 100%. it's impossible to do that in ten months. >> uh-huh. and so your point is that it's very important to have the full technology with the pin and chip -- >> if we're going to reduce, if we're going to spend the money to reduce fraud, let's reduce fraud. let's do pin and chip. >> okay. any comments from anyone else about this? yes, mr. johnson. thank you, mr. duncan. >> yes, thanks for the opportunity, senator. i think one of the things when we have this conversation that we forget sometimes is the fact
9:47 am
that the card market is really two different markets to some degree. it's the debit card market as well as the credit card market. and debit cards have pins. and so you've essentially got more than 50% of the card environment already that is pin-enabled. but what we've learned from the credit side is the fact that both at the retail side as well as our customer behavior that in the credit environment our customers prefer to use the signature. if they want to be protected by a pin, they can use their debit card. so they have effective choice to be able to really accomplish that. >> but is -- i think what mr. duncan said is that you get more protection in, certainly, this situation that we saw with the home depot where the canadian cards were less valuable because they had that full technology. i can imagine everyone would like ease. it's just that if we know one technology protects better, it seems like we wouldn't just want it for debit cards. and sometimes -- i just know
9:48 am
from having a bunch of cards in my purse, i don't really think through what kind of card it is, if it's signature or not. >> i think that the most important thing here is to really work toward getting rid of static numbers. what we have in both environments right now are credit card numbers and pins that are static numbers that make us vulnerable. and i think to the extent that we develop technologies such as tokenization where numbers are meaningless, if someone were to breach target and capture the numbers associated with those transactions, or any retailer, the numbers would be meaningless, because they'd only work for that one transaction. that's really what we need to be working toward is making those numbers absolutely worthless to the criminal. and that's what's going to really protect the customer at the end of the day. >> okay, very good. >> let me turn -- >> my last thing is just for the good of my hometown company
9:49 am
target did fix the breach and everyone can go shopping there. >> thank you. senator daines, we have a vote scheduled at 11:30. we had intended to take a second round, but that may not be possible based on the voting schedule. senator daines. >> all right. thank you, mr. chairman. this morning 80 million anthem health insurance customers woke up to learn that their personal identifiable information could have been stolen. in fact, we just received this over the fax machine, a notice from anthem that says to our members, and i'm just quoting from the letter that was sent out to their members, and it could be 80 million members. these attackers gained unauthorized access to anthem's i.t. system and have obtained personal information from our current and former members such as their names their birthdays, their medical ids, social security numbers street
9:50 am
addresses, e-mail addresses and employment information including income data. last year in the house i offered an amendment that would strengthen victim notification requirements, and i'm eager to work with the chairman on strengthening these requirements again in future legislation. and i've got a question for anyone on the panel here this morning in light of there's been a lot of discussion about past breaches, and now we have looks like this most recent significant and most serious breach. what is an appropriate notification time period like for these 80 million anthem customers? and we still don't know for sure when this occurred, but we're hearing it might have been last week. for these 80 million customers that are waking up this morning to hear and learn that their pii could have been stolen? >> senator, i would respond this
9:51 am
way: it sounds unusual and helpful that anthem has actually notified people, even if we don't know the full extent of the breach, as quickly as they have. because we are aware of situations where there are retailers who have waited months and months, some maybe as long as six months, to notify people, which is clearly too long to notify. we've had some extensive discussion about should there be a 30-day, you know, hard deadline, should it be more flexible. i can tell you at the state level where there are some that have time frames, we've been very reasonable, basically, saying to do this as expeditiously as possible. and when we look into whether that has taken place, we determine when did the breach take place, when did the company know about it, did they have time to put in place a response to secure their system and, obviously, any exceptions that they need to continue to work with law enforcement. so a flexible deadline would be a good one, but it cannot be
9:52 am
that there is seemingly such a flexible deadline that you never have to notify or you can wait for months, because our goal is to let people know that their information is out there and that they may be a victim of some form of financial fraud or identity theft. >> yeah. prior to coming up on the hill, i spent 28 years in business. in fact half of that time with procter & gamble. we pride ourselves on good customer service. the other half of that time as part of a technology start-up, a cloud computing company that we took public. in fact oracle acquired us a couple years ago, a world class cloud computing company. i was the vice president of customer service working with literally millions of end users and thousands of customers who we were, we sold a b to c customer service cloud-based solution. when i was running customer service and looking out for customers and we had a problem, our policy was we'd notify our customers as soon as we were aware of the problem.
9:53 am
maybe not always understanding the magnitude of it, we believed we owed it to our customers to get back to them. and i'm frankly surprised to think we might be thinking in terms of 30 days or -- i think, frankly, that's unacceptable. the customers, the consumers of this country should be served better than that, and we should ensure that when in particular we're dealing with pii, recognizing that we don't know the scope of the problem at the time, but at least the customers ought to know there's a problem and we're working quickly here to resolve that. i'd be happy, if there's any comments from the panel, please. >> senator, we would support the kind of notice regime that's contained within the illinois law. it's less important as to what number of days are attached to it as long as you provide the time for law enforcement. for example, they may not want to notify because they want to set a trap for the people who have invaded it and have a way of catching them, taking them off the street. so you've got to allow for that.
9:54 am
you clearly want to clean up the holes so that the people can't come back inside. once you've taken care of that, you can -- 30 days, 10 days, whatever, 40 days, it doesn't matter. just a reasonable time period. i will say to the specific point that was made a moment ago, one of our members had a breach which they initially interpreted to be a million card data that had been released. once they examined it, it turned out there were only 35,000. so the idea that you would have given notices to 965,000 more people unnecessarily is a pretty serious problem. and so you've got to get it right. there's no easy answer here. >> go ahead. >> if i may comment. in terms of customer service, i agree with you that quick notification is very important. but on the other hand, serious situations such as my other eminent panelists have pointed out, some flexibility is necessary in this situation. one of the biggest arguments is loss of trust, and as we
9:55 am
noticed, anthem has been very quick at reaching out to people and, hopefully, they've learned from their past challenges that they've had and also from other well publicized breaches that have occurred. loss of trust is a very big detriment, and in the current environment, in an internet-enabled information-gathering session, people have to quickly respond. >> yeah. well, i would hope to continue to work on this issue of trying to establish what we think would be without unreasonable delay and trying to perhaps put better guardrails on that. because i think it's probably in the eye of the beholder sometimes. i can say my experience and years of working with, in a cloud-based computing company that i just believe it's better to err on the side of the consumer and their protection, and i fully understand the fact that you can create maybe a bigger problem by notifying everybody without understanding what really has happened. but i think as we lean one way
9:56 am
or the other on this, i would urge us to lean towards a quicker response. defining that, i think, is better safe than sorry, particularly looking at, as this notification went out, i mean, this is social security numbers, this is personal income data, this is perhaps private medical records. this is very, very serious, and i think the consumer has the right to know about that sooner than perhaps waiting a week as we try to walk the fine line here of law enforcement and not creating a mountain out of a molehill. but i tell you what, i think we should make this tighter. i had two days within an amendment i'd offered, and i hope we can work for something we can actually define. >> mr. daines, thank you very much. the bell has rung indicating votes, and we will conclude this meeting momentarily. i'm not going to ask any additional questions but, dr. pendse, i would be glad to have you visit with my staff. you know kansas well. what small businesses should we be worried about? what innovators may be deterred
9:57 am
from greater innovation as a result of this kind of legislation? and i'd welcome your input -- >> absolutely. >> and then i'd be interested in hearing from any of the witnesses about gramm-leach-bliley and its potential being used as a standard. i'd like to know whether the bankers are, if there is information that banks have that could be breached that is not covered by gramm-leach-bliley, and also the same kind of question related to hipaa. in those two arenas, health care and financial services, is there something we ought to be considering, a standard or a starting point as we look at broader breach opportunities, or is that a bad idea? senator blumenthal, anything to -- >> yeah. i agree with you that gramm-leach-bliley offers a potential model here. mr. johnson, i gather you feel that the preemption language, you've said in your testimony, i'm quoting, the extensive breach reporting requirement currently in place for banks provides an
9:58 am
effective basis for any national data breach reporting requirement for businesses generally. i gather that you support the preemption model that's contained in gramm-leach-bliley. >> that's correct. >> because i think that may provide some common ground here. and i invite the witnesses -- i know, mr. duncan, i apologize my time expired before you may have been able to provide a full answer to my question, so i'd invite you to supplement your answer in writing if you wish, because i value your further comment. thank you, mr. chairman. >> if i may, senator blumenthal? i would emphasize the fact that gramm-leach-bliley is essentially guidance; it's precatory language. it says you should, you ought to. that differs quite a bit from the state laws that have a mandate and a requirement. we would favor a mandate and a requirement rather than something that's merely precatory. >> and i was referring really to the preemption model there.
9:59 am
>> senator klobuchar has exceeded her time at the earlier opportunity, but -- [laughter] >> oh! >> in the great tradition of senators, that's what we're expected to do. i think actually, senator daines followed up on the question that i had, but i want to ask one more time. mr. duncan, a couple of different times, has established a matrix of what might go into a reasonable standard. is there anyone on the panel who's concerned about the congress pursuing, as we look at this issue, a reasonable standard sort of along the lines that have been outlined, or as opposed to a specific notification period? >> we're talking about time frame? >> we are. nobody has a problem -- nobody is proposing that we should include a specific time frame in any law that we require notification in?
10:00 am
>> senator, what i can tell you is the reasonable time frame such as what illinois has, we have seen it abused. and so the idea that you would put in a specific deadline, maybe, you know, within the most expedient time but in, you know, no circumstances less than. put some sort of a line there. as i said, it could be six months, at which point your information is long gone. it has long been purchased on the black market, and who knows what has been done with it or damage has been done to you. so you need to have further discussion about how do you try to better define what the timeline is going to be for notification. >> anyone else? thank you. >> thank you, senator blunt. senator daines also exceeded his time allotment, but i also noticed senator klobuchar was very effective by putting me in my place by saying something like the new kid on the block. [laughter]