Key Capitol Hill Hearings, C-SPAN, May 15, 2015, 1:00am-3:01am EDT

Nigeria -- parliamentary elections, and later a House hearing on the TSA and airport security. Today the House Financial Services Committee held a hearing on protecting consumers' financial data, partly in response to high profile data breaches at banks and retailers.
Congressman Jeb Hensarling chairs this three-hour hearing. [ inaudible ]. Financial data security in the age of computer hackers. Given that the PA just turned on, it is a testament to the fact -- to members, welcome home. I assume we have many of our colleagues who are furiously running from HVC-201 as we speak. For our witnesses and our audience, we have been nomads
since the beginning of the year. So you will notice a few changes in the room. This renovation was caused by an upgrade of the audiovisual systems. Although I did not specifically request it, I did notice there are twice as many microphones in our hearing room as before. I wish to notify members that that does not mean they can speak twice as long. That doesn't go along with the microphones. In addition, you will notice that our witnesses are quite a ways away, and that we have less room for the public. As hearing rooms are renovated they must be made, and should be made, compliant with the American -- Americans with Disabilities Act. This room complies with that ADA
statute, which means every row has been enlarged, which means we have lost part of our gallery, but the overflow room is still alive and well. In addition, for those who have ever moved into a new home or new apartment, there is such a thing known as a punch list. So for some of the subcommittees, you may be kicked out of this room over the next five to seven days as that punch list is attended to. Another change in our committee room: if you will look over my left shoulder you will see our -- the portrait of our most recent chairman, Spencer Bachus. For those who have some tenure on the committee, myself and the ranking member, to have Barney over one shoulder and Spencer over the other, it kind of seems like old times.
We certainly know of Barney's fierce intellect and tenacity, but I also hope that members will remember Spencer's gentle and kind leadership of this committee, and sometimes when emotions and passions start to run high, let's remember the example he set for us with respect and decency and, yes, humor. And somehow, any moment, I expect these two to carry on one of their classic debates. We'll see if that actually happens or not. I believe that is all I need to say about the hearing room at the moment, in which case the chair now recognizes himself for three minutes for an opening statement. Today's hearing will be focused on protecting consumers and their private financial information in an age of
computer hackers. The world has experienced a technology revolution, one that has brought remarkable benefits to consumers and the broader community, but it has also increased some risk on consumers by making the theft of their personal financial information a profitable enterprise for cyber criminals and computer hackers. In the era of big data, large scale security breaches are unfortunately all too common. Every breach leaves consumers exposed and vulnerable to identity theft, fraud and a host of other crimes. We have certainly all read about the high profile, headline grabbing breaches at Target and Home Depot. According to the Identity Theft Resource Center there were 783 U.S. data breaches in 2014, an increase of more than 27% over the prior year. The Center for Strategic and International Studies and McAfee Security estimate that such attacks cost the U.S. economy
$100 -- well, billion with a b -- annually. American consumers rightfully expect their personal information to be protected by their financial institutions, by their retailers, card networks, payment processors and, yes, by their federal government. Consumers shouldn't be left to hope and pray their personal information will be safe every time they swipe their debit or credit card or enter their information online. They deserve protection. So today the committee will hear from representatives of organizations whose members constitute the major participants in the payment system. We welcome their expertise and insight. My hope is that this hearing affords members on both sides of the aisle an opportunity to better understand what security measures are currently in place to prevent data breaches, how consumers are notified following a breach, what types of emerging technologies will help reduce the frequency and severity of breaches, and what steps are being taken by the merchant and
financial services communities to address the problem, and where additional federal legislation may be warranted. I further hope that the committee will engage in a thoughtful and constructive dialogue on a bipartisan basis, and in that regard I wish to thank Chairman Neugebauer and the gentleman from Delaware, Mr. Carney, for starting this bipartisan dialogue off on the right foot by introducing a bipartisan bill to address this important problem. I will now yield back the balance of my time and recognize the ranking member for three minutes. >> Thank you, Mr. Chairman. Americans are increasingly reliant on electronic means to communicate, shop, and manage their finances. While new technologies bring substantial opportunity, they also bring a range of new vulnerabilities for consumers. Massive attacks on some of our
nation's largest retailers and financial institutions are impacting virtually every sector of our economy and our national security. Consumers are not the only ones who pay the price of a breach. The cost of recovering losses by retailers and card issuers can be extensive and weigh particularly heavily on small community banks and credit unions. We all know companies face a myriad of challenges in determining how best to secure customers' financial and personally identifiable information. In addition, we know that there are significant costs to complying with various state laws and providing notice after a breach. However, as we consider setting national standards for safeguarding consumers' personal information and ensuring timely notification, we must again acknowledge the good work of those states that for years have
been at the front lines of this fight. I believe that any federal preemption should complement states' protections and ensure, at a minimum, that state attorneys general continue to play an important role in enforcement and notification standards. In setting minimal standards we need to be careful not to hamstring our state and federal regulators' ability to continue adapting and strengthening protections for consumers. Otherwise, we will limit regulators' ability to keep up with technological change. And we must preserve a private right of action for consumers and financial institutions to ensure that affected entities and breach victims have legal recourse. Further, consumers must be consistently provided with clear disclosures of the rights and remedies available to them so that they remain aware of the
various ways in which they can protect themselves from identity theft and from fraud and other cyber crimes. Mr. Chairman, efforts to guard against cyber threats are critically important and shouldn't devolve into the same partisan fault lines we have seen on far too many other issues before this committee, such as the baseless attacks on watchdogs like the CFPB and blocking efforts to reauthorize the charter of the Export-Import Bank, which expires in just 22 legislative days. With that, I look forward to hearing from the witnesses today and I yield back the balance of my time. >> The chair now recognizes the gentleman from Texas, Mr. Neugebauer, chairman of our Financial Institutions Subcommittee. >> Thank you, Mr. Chairman. We live in a world where a global marketplace is supported by a global payment system that delivers payment services to consumers in the blink of an
eye, and vast amounts of sensitive consumer information are transferred and processed and stored in any one transaction. The security of the system is only as strong as its weakest link, and today I look forward to learning more about the new payment technologies that continue to facilitate payment efficiency, speed and security. I'm hopeful we can have a robust policy discussion about what new data security standards are needed to level the playing field. This month Congressman Carney and I introduced bipartisan legislation which builds on the work of Senators Carper and Blunt. Our starting point was to look at Gramm-Leach-Bliley. Almost 16 years later this framework has worked very well. The data security standards in HR 2205 are based on certain core principles. First, because we have a global payment system we need a national data security standard and a national breach notification standard. This standard minimizes
regulatory requirements but carries with it a strong federal enforcement mechanism. Second, the data security standard must be technology neutral and process specific. It must be -- must reasonably identify core elements in the absence of an FTC rulemaking. Third, it is absolutely necessary that the data security standard is scalable based on the size of the business, scope of the operation and the type of information that it holds. Legislation must recognize that the corner market could not and should not have the same standard as the largest retailer operating in 50 states. While I'm confident in our bipartisan legislation, I'm open to working with any member or interested groups to minimize unintended consequences and continue tailoring this legislation. We have a shared interest in seeing this legislation signed into law, giving consumers the safest payment system possible. With that I want to thank our panel for being here this morning, and I look forward to looking at -- based on -- based on looking at
the testimony that's been entered, I think it's also going to be informative for our members, and I think it's good that we have these different interests at the table today. Mr. Chairman, I look forward to a very informative hearing. >> The chair now recognizes the gentleman from Delaware, Mr. Carney, for two minutes. >> Thank you, Mr. Chairman. Mr. Chairman, over the last decade alone data breaches have compromised nearly a billion records containing sensitive consumer financial information. Experts estimate that when a data breach occurs in the United States it directly costs consumers an average of $290 per victim. Studies show that cyber criminals are costing U.S. companies approximately $100 billion a year. The current patchwork of 47 state data breach laws is failing to protect American consumers. That's why we've worked together to develop a security breach notification framework that all relevant stakeholders can operate within. We think consumers and the
companies that handle personal financial data should know the rules of the road when it comes to the standard for protecting this data. HR 2205 builds off the efforts by Senators Carper and Blunt across the Capitol: a strong national data breach standard, a data security program that's robust and scalable, with the goal of protecting consumers' personal information from breaches, and it sets a reasonable standard for accurate and timely notice to consumers when a breach occurs. Importantly, the bill's requirements avoid a one size fits all approach, allowing companies of varying sizes and complexity to find a program that is tailored and effective for their business. As with any comprehensive piece of legislation, our bill can be improved. For example, clarifying that the preemption provision does not have unintended consequences outside this bill merits further attention. I look forward to working with my colleagues to make
improvements to this legislation where necessary. The fact is, though, that the White House, Congress, the private sector and consumers all agree that the status quo is not acceptable. And I'm encouraged that the committee is having this hearing today and that we're moving forward to protect consumers, businesses and the American economy. I'd like to thank Mr. Neugebauer for his leadership on this issue, and I look forward to hearing the witnesses' testimony and feedback this morning in this hearing. >> The gentleman yields back. Indeed it is time to hear from our witnesses. We welcome each and every one of them to the panel. First, the Honorable Tim Pawlenty, the president and chief executive officer of the Financial Services Roundtable and former governor of the state of Minnesota. Mr. Brian Dodge is the executive vice president of communications and strategic initiatives at the Retail Industry Leaders Association. Mr. Jason Oxman is the chief executive officer of the Electronic Transactions
Association. Mr. Stephen Orfei is the general manager at the PCI Security Standards Council. Last but not least, Ms. Laura Moy is a senior policy counsel at the Open Technology Institute. Several of you have testified before Congress before; I'm not certain of all of you, so we have a rather simple lighting system: green means go, yellow means hurry up because the red light is soon to follow, red means stop. The yellow light comes on with one minute to go. Each of you will be recognized for five minutes to give an oral presentation of your testimony. Without objection, each of your written statements will be made a part of the record. And since we are brand-new in our refurbished space -- in the old hearing room you had to pull these microphones very close to you -- I think now you can keep
them at a somewhat comfortable distance from your mouth. Governor Pawlenty, you are about to be our guinea pig on the new sound system. You are now recognized for your testimony. >> Good morning, Mr. Chairman, Ranking Member Waters, members of the committee. Thank you for the opportunity to share a few thoughts with you this morning, and that is the emerging, growing and exponentially threatening cyber warfare that's taking place both commercially and otherwise across the globe and being visited upon American businesses and consumers in ways that I think deserve the Congress' attention. Just to give you a sense of a few measures: 80% of the companies that were breached in 2014 did not know they were breached until somebody else told them, a third party told them. Sometimes the government, sometimes a vendor, but a third party. And the average length of time between the breach actually happening and the discovery was months after the fact. In addition, here is another interesting fact. Over half of the adult American
population had their personal data exposed last year, according to a CNN published report. And the list goes on, including that we now know through public and confirmed reports that this is no longer college kids in their basements having some fun trying to get into some systems. These are nation state actors, or semi-state nation actors, including China, North Korea, Iran, Russia, former Soviet Union sponsored states and individuals and enterprises associated with them, and very sophisticated international crime syndicates. So if one of those entities triangulates on a company, it's likely not going to end well for that company or their customers. We need a more robust, more muscular response to these threats, and the fact that this committee is paying attention to these issues, we appreciate it very much. Mr. Chairman, thank you to the House for passing, on more than one occasion, threat information legislation. We hope the Senate does the same and, again, we're
not talking about sharing personal information, but that threat information sharing bill is very helpful to this cause and making the country more prepared to defend against these threats. As it relates to the financial services sector and the payment system, our sector, as the chairman mentioned, has been dealing with these issues in a regulated context for quite some time. Gramm-Leach-Bliley passed in 1999; part of that act was to visit upon this industry data security standards and enforcement mechanisms, including as part of the examination process. That I think has served the industry well. As you look at the percent of breaches that have taken place in recent years, our sector has the lowest breach incident rate. We still have a lot of work to do, but compared to other major sectors it's progress, and that's because of some of the good work that's been done. We're about to launch more secure domains, which should help with these issues. We've been involved in an information sharing and analysis
center, the FS-ISAC, and more. As it relates to the payment system, it's about to get a lot better. We're going to move as a next step to the chip enabled cards. It's already happening; the networks have said if you want to avoid fraud liability you've got to make this transition towards the end of 2015. Some are saying we're not ready, but over the course of the next couple of years almost all cards are going to be chip cards, and that's going to help. Don't be focused just on that; that's technology from the 1960s. Magnetic stripes were invented in the 1960s, PINs were invented in the 1960s, chips more recently, but it's moving well beyond that discussion. The technologies that are coming forward and being actively considered include voice recognition, facial recognition, biometrics, location confirmation, gesture recognition and a lot more. So this space is evolving extremely rapidly and is going to continue to evolve as new technology emerges. As to the legislation that's
before you, Congressman Neugebauer, Congressman Carney, thank you very much. We strongly support HR 2205 and think it's an excellent piece of work. It may need some modifications, as Congressman Carney mentioned, but it does some important things. It creates, for all sectors, not just healthcare or financial services, a data security standard, which is really important, and it's flexible. We're only as strong as the weakest link in the chain. If we've got strong standards but one of the other links in the chain doesn't, the whole system is exposed. So thank you for putting the marker down on a strong national data security standard. We strongly support that. Another important piece of the bill is a uniform data breach notification law. Many states, including my own, have strong laws in this regard, but as you think about cyberspace and how commerce gets conducted now, it doesn't make a lot of sense to have 50 different standards, approaches, responses to a breach and the notification relating to it. In closing, as you think about this, we're not asking for any current state initiatives to be
diluted. We think if you set a standard, make it high, and -- I'm out of time, Mr. Chairman. Again, thank you for the chance to be here this morning. Thank you to Congressmen Neugebauer and Carney for their leadership on these issues. >> Thank you, Governor. Mr. Dodge, you are now recognized for five minutes for your testimony. >> Thank you and good morning. Chairman Hensarling, Ranking Member Waters, members of the committee, my name is Brian Dodge. Thank you for the opportunity to testify today about data security and the steps the retail industry is taking on this important issue and to protect consumers. The trade association of the world's largest and most innovative retail companies. Retailers embrace technology to provide American consumers with unparalleled services and products. While technology presents great opportunities, nation states, criminal organizations and other bad actors are using it to attack businesses, institutions and governments. As we have seen, no organization is immune from attacks.
Retailers understand that defense against cyber attacks must be an ongoing effort. As leaders in the retail community we are taking new and significant steps to enhance cyber security throughout the industry. To that end, last year we formed the Retail Cyber Intelligence Sharing Center in partnership with America's most recognized retailers. The center opens up information sharing between retailers, law enforcement and other relevant stakeholders. Also, they have recently established a formal working relationship with the Financial Services ISAC, a move that will, among other things, ensure collaboration on these issues. RILA applauds the House for passing cyber sharing legislation and hopes the Senate will take up and adopt HR 1560's flexible approach to electronic sharing. While I expect we will discuss many cyber security topics today, one area of security that needs immediate attention is payment card technology.
The magnetic stripe on cards is the chief vulnerability. Retailers are estimated to be investing more than $8.6 billion to upgrade card terminals to accept chip cards by later this year; however, they will not be issued with PINs. Chip and PIN technology has been proven to dramatically reduce fraud around the world. Chip and signature technology falls short of providing American consumers the best security available today. Retailers believe that the two factor authentication enabled through chip and PIN will prevent criminals from duplicating cards with ease and devalue the data that retailers collect at the point of sale. Ultimately these steps have been proven to substantially reduce the economic incentive for cyber criminals to launch these kinds of cyber attacks. Before I discuss what RILA believes are important data breach policy conversations, I will briefly highlight the significant data security and
data breach notification laws with which retailers comply: 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands. Retailers are subject to robust data security regulatory regimes. Prosecuted more than 50 cases against businesses that it charged with failing to maintain reasonable data security practices. These actions have created a common law of consent decrees that spell out the data security standards expected of businesses. Inadequate data security, express state data security laws, that can be used to enforce against what attorneys general deem to be unreasonable data security practices. Finally, retailers voluntarily and by contract follow a variety of security standards, including those maintained by PCI, NIST and ISO. While retailers diligently comply with these, a carefully crafted federal data breach law can clear up regulatory confusion and better protect and notify customers. RILA supports legislation that is practical and proportional and sets a single national standard. RILA supports data breach legislation that creates a single national notification, quickly providing affected individuals with actionable information; that ensures targeted notice is required only when there is an actual risk of identity theft, economic loss or harm; that ensures that the responsibility to notify is that of the entity breached but provides flexibility for entities to contractually determine the notifying party; that establishes a precise and targeted definition for personal information; and that recognizes that retailers already have robust data security obligations and that security must be able to adapt over time. I thank the committee for inviting me today and look forward to answering your
questions. >> Mr. Oxman, you are now recognized for five minutes for your testimony. >> Thank you, Mr. Chairman. Thanks to you, Ranking Member Waters and the committee for the opportunity to be here. I'm the CEO of the Electronic Transactions Association. We are the association of the payments industry. More than 500 member companies are focused on providing the world's most secure, reliable and functional payment systems to American merchants and consumers. Electronic payments in the United States are largely invisible to consumers because, simply put, they just work. U.S. consumers carry 1.2 billion credit, debit and prepaid cards in their wallets, and they can use those cards to pay electronically at more than 8 million merchants in the United States. Indeed, ETA member companies process more than $5 trillion in U.S. consumer spending every year. That means thousands of transactions are moving across our network every second. Now, consumers enjoy a wide
variety of ways to pay electronically: in person, with a card or mobile device or watch, or remotely via phone or over the internet. From the moment that a consumer initiates a payment, the transaction is securely transmitted, authorized and processed within a matter of seconds. ETA member companies take very seriously the obligation to protect the security of their customers' information. Consumers in the United States choose electronic payments because they benefit from zero liability for fraud, making electronic payments the safest and most secure way to pay. Today criminal fraud amounts to less than 6 cents of every $100 processed in transactions; it's a fraction of a tenth of 1%. Now, even though fraud represents a tiny percentage of overall transaction volume, we're deploying cutting edge technology and using self regulatory guidelines to bolster the fight against fraud. I'd like to highlight three
concrete steps our industry is taking to protect consumer information and prevent data breaches. First, ETA members are deploying EMV enabled chip cards to fight the number one cause of card fraud: counterfeit cards. Counterfeit cards represent 2/3 of card present fraud in the U.S. today. Chip cards prevent cards from being counterfeited. They don't stop data breaches, but they make it harder for criminals to reap the rewards of those data breaches. Chip migration is happening now in the United States; it's the most complicated overhaul of our payments technology system in the 40 years since the magnetic stripe card was introduced. Our banks need to replace more than 1 billion cards, merchants need to upgrade point of sale equipment at more than 10 million locations, but we're working together and getting it done. Second, our industry is deploying new tokenization technology that replaces card
information with a one-time use token. Even if intercepted by criminals, these tokens cannot be used to generate fraudulent transactions. Think of a token as a mathematical cryptogram that can't be reintroduced. One well known implementation of tokenization is in mobile payments, where the customer's phone or watch generates that token for use. Tokens can be used in card environments as well, and we're working with our partners to deploy tokenization technology at both brick and mortar and online retail. Third, ETA members are helping merchants secure the point of sale by deploying new encryption technology. Point to point encryption is a way to secure all entry points against an attack; it denies cyber criminals the access they need to install malware and other cyber hacking tools. As our industry deploys all of these layered technologies, I also want to affirm ETA's strong support for legislation that
creates uniform national data standards and data protection breach standards as well. Such standards must be industry neutral, they must be preemptive -- the approach set out in HR 2205, which ETA strongly supports. We applaud Chairman Neugebauer and Mr. Carney for engaging in this important dialogue with this legislation. ETA also supports legislation to promote information sharing. Sharing of information across government and across technology and manufacturing companies will support prevention of and investigation of breaches and ensure against cyber attacks. Cyber criminals are increasingly sophisticated, global in scope, and we're working proactively to address every threat. We must not forget that these data breaches of merchants and consumers make them victims of crime. We share a desire to stamp out fraud and we take seriously our
responsibility to all of our customers to do so. Thank you for the opportunity to be here. I look forward to your questions, Mr. Chairman. >> Mr. Orfei, you're now recognized for your testimony. >> My name is Stephen Orfei. I'm the general manager of the PCI Security Standards Council. I have the privilege of leading a talented and deeply committed membership organization that is responsible for developing and maintaining the global data security standards for the payment card industry. Our approach combines people, process and technology. Continuous effort in applying our standards is the best line of defense against organized crime, state-funded actors and criminals who threaten our way of life and attempt to undermine our confidence in the financial system. Everyone has been victimized by these criminals, and we know the very real harm caused by breaches.
Developing standards to protect payment card data is something the private sector, and specifically PCI, is uniquely qualified to do. Consumers are understandably upset when their payment card data is put at risk. The council was created to proactively protect consumers' payment card data. Our community of over 1,000 of the world's leading businesses is tackling data security challenges, from simple issues -- for example, the word password is still one of the most commonly used passwords -- to complex issues like encryption. Our standards are a solid foundation for a multi-layered security approach. We aim to remove payment card data if it is no longer needed. Simply put, if you don't need it, don't store it. If it's needed, then protect it and reduce the incentives for criminals to steal. Here is how we do that.
The data security standard is built on 12 principles covering everything from logical to physical security and much more. It's updated regularly through feedback from our global community. We manage eight other standards that cover card production, PIN entry devices, payment applications and much, much more. We work on technologies, best practices and provide market guidance. We have laboratories that test solutions that we list on our website. All of our information is free; our mission is to educate, empower and protect. Now, our end game strategy is to devalue the data so that it is useless in the hands of the bad guys. We have three technologies that will allow us to do so: EMV at the point of sale, point to point encryption and tokenization. When bundled and implemented
properly, the data becomes useless. Then there's no reason to break in. That's why the council supports adoption of EMV in the U.S. through organizations such as the Migration Forum and other standards, and our standards support EMV today in other worldwide markets. But EMV chip is not a silver bullet. Additional controls are needed to protect the integrity of payments online and in other channels. This includes encryption, tamper resistant devices, malware protection and more. All are vital parts of the PCI standards. Effective security requires more than just standards, for standards without supporting programs are just tools, not solutions. The council's training and certification programs have educated tens of thousands of security professionals and make it easier for businesses to choose products that have been lab tested and certified as
secure. finally, we conduct global campaigns to raise appearance of payment card security. the committee's leadership on this critical issue is important and there are clearly ways in which the federal government can help. for example, by leading stronger cooperative law enforcement efforts, worldwide, by encouraging stiff penalties for these crimes and recent initiatives on information sarg are also proving to be invaluable. the council is an active collaborator with government, we work with dhs, treasury, secret service and many other government entities including global law enforcement such as inter poll and euro poll. in on collusion, payment card security is complex. silver bullet solutions do not exist. unilateral action is usually a disappointment. apply wranss, partnerships, information sharing and collaboration between the public
2:25 am
and private sector is critical. the pci council stands ready and willing to do more to combat global cyber crimes that threaten our way of life and confidence in the financial systems of the world. we thank the committee for taking a leadership role and seeking solutions to one of the largest security concerns of our time. thank you. >> thank you. ms. moy, you are now recognized four your testimony. >> thank you. thank you so much, mr. chairman. thank you. good morning rinking member waters and other members of the committee. thank you for your commitment to addressing data security and data breaches and for the opportunity to testify on this important issue. consumers today share tremendous amounts of information about themselves. consumers benefit from sharing information, but they can be harmed if that information is compromised. for the most part the states are k a tifl dealing with this issue in ways tailored to address the needs of their own residents but with a large body of common
2:26 am
elements. at least 29 states have introduced or are considering breach notification bills or resolutions this year alone. bills in 27 of those states would amend existing laws to account for changing needs and changing threats. only three states have no breach notification law on the books and two of those states have considered bills this year to change that. consumers would best be served by a federal bill on this subject that sets a floor for disparate state laws not a ceiling. to the extent congress considers broad pre sempgs any federal standards should strengthen or preserve important protections that consumers enjoy it the both the state and federal levels. because any broad leave pre semp testify bill would bring an end to the legislative activity taking place in state ledge lay tour it would also need to for quickly adjusting the law in the future to match developing technology and new threats.
2:27 am
Unfortunately, a number of recent legislative proposals would diminish consumer protections in a number of ways by replacing strong and broad state protections with a weaker federal standard. In addition, a number of the bills do not provide the flexibility we need to make sure consumers' personal information remains protected as the information landscape changes. Don't get me wrong, many -- most of the bills we have seen would certainly offer some new benefits for consumers, but many consumer and privacy advocates, myself included, question whether those new benefits outweigh the potential harm to state jurisdiction and to consumers' existing protections. I will, therefore, focus today on four potential shortcomings of federal legislation that would need to be addressed in order to ensure that any new bill represents a net gain for all consumers. First, federal legislation should not ignore the serious physical, emotional and other nonfinancial harms that consumers could suffer as a result of misuses of their personal information. A bill that would preempt state laws and condition breach notification on demonstrated risk of financial harm could actually reduce consumer protections in 33 states and the District of Columbia, where the existing law either has no harm trigger or has one that is not limited to financial harm. Second, federal legislation should not eliminate data security and breach notification protections for types of data that are currently protected under state or federal law. Some current legislative proposals feature a narrow class of protected information along with broad preemptions. Such legislation would eliminate protections consumers currently rely on at the state and sometimes federal level. For example, many bills would eliminate protections in ten states for health information or eliminate medical protections for telecommunications, cable and satellite records. Third, federal legislation should provide a means to expand the range of information covered by the bill as technology develops. The ten state breach notification laws that now cover health information represent a clear trend, as states are currently updating existing consumer protections to respond to the growing threat of medical identity theft. We can't always forecast the next big threat years in advance, but unfortunately we know that there will be one. Federal legislation on this topic must provide flexibility to meet new threats, whether by continuing to allow states to protect classes of information that fall outside the four corners of the bill or by establishing agency rulemaking authority on the definition of personal information. Fourth and finally, federal legislation should include enforcement authority for state attorneys general. Thousands of data breaches are reported each year, many of which affect only a small number of consumers. Federal agencies are well-equipped to address large data security and breach notification cases but could be overwhelmed if they lose the complementary support of state AGs when it comes to handling smaller cases, providing guidance to small businesses and providing resources for local consumers. I and many of my fellow privacy stakeholders are not opposed to the legislation, but any such legislation must strike a careful balance between preempting existing laws and providing consumers with new protections. The Open Technology Institute appreciates your close examination of this issue, and I'm looking forward to your questions. Thank you.
>> The chair now yields himself five minutes for questioning. So based on my unofficial survey of good folks in the Fifth District of Texas that I have the privilege of representing, data breach, although they don't typically use that phrase, certainly makes their top 20 anxiety list and probably their top ten when they think of identity theft, other forms of theft, privacy law, so it's a very serious matter, but as Ms. Moy was positing in her testimony, there is a cost and a benefit associated with anything we do around here. So, to state the obvious, we are lawmakers, and there is a law made about 15 years ago, Gramm-Leach-Bliley, that dictated standards. There's been a lot of integration since Gramm-Leach-Bliley was written into law. So let's start with you, Governor Pawlenty. What exactly is broke? What needs fixing here? Where does Gramm-Leach-Bliley work and where doesn't it work?
>> Mr. Chairman, if you just step back from how individuals might characterize it and ask them these questions: how is the current system working? Half of the American -- adult American population has their personal data exposed in one year. It is not a stretch of the imagination that somebody could get into the electrical grid and shut it down in a big part of the country, not for a day but for months and months on end. You do that and lose electricity in your district, pressure for pipelines, points of sale go down, you can't transact anything electronically, you are -- you've got a very dramatic impact on the country. So it requires, I think, a sense of urgency and a sense of understanding regarding the magnitude of the threat. As to Gramm-Leach-Bliley, it works, it's flexible, it makes accommodations for the size of the business, but it says, given the importance of this infrastructure to the country, if the payment system doesn't work, it's stalled or people lose confidence in it, you're going to have a big piece of the economy grind to a halt. There's trillions of dollars of payments that flow through the northeastern United States per day. If that gets shut down or disrupted or interrupted, you've got a material, I would say bordering on existential, threat to the country. So this is an urgent deal; it is
growing in terms of its concern exponentially. Gramm-Leach-Bliley works; however, no institution is immune. We have some of our biggest institutions that have been breached, the best in the world, the NSA, breached by an insider threat. So there is much more work to be done on all fronts, and we're the best of class; financial services gets breached from time to time, we manage it, people get their money back, it's inconvenient, but the other sectors that don't have these kinds of standards and capability need to up their game, and you can help lead that effort.
>> Mr. Oxman, you in your testimony, I think, were lauding the element of the legislation of Mr. Neugebauer and Mr. Carney about preemption, national standards. It seems to be an open question in Ms. Moy's mind regarding preemption and perhaps national standards. Why do you consider preemption and national standards to be so important?
>> Mr. Chairman, as a number of witnesses noted, we all share an interest in ensuring that consumers and merchants are protected, but when something does go wrong, we also need to make sure that we get the word out as quickly and efficiently as possible and make sure those protections that are available under law quickly kick in. The reason consumers use electronic payments is because they are 100% protected against any liability for fraud, but we still need to get information out to them. There are 47 different regimes that companies have to subscribe to, and it's not just the payments industry, it's every company in the country that has to subscribe to these 47 different regimes. They all appoint different time, place and manner for the notification; they all have different triggers for what kind of notification has to take place. Some of them are even contradictory. There's one state that actually requires the breach notification to include detailed information about the breach itself; there's another state that makes it illegal to include any information about the breach itself. So in some cases they're contradictory. If we had a uniform national standard, it would allow everyone in the ecosystem to work together toward the same goal, which is to provide the reasonable notice that needs to be provided as quickly as possible.
>> In my remaining time, Governor Pawlenty, back to you. So our colleagues on the Energy and Commerce Committee have reported a piece of legislation with regard to a national breach notification law that only impacts retailers. Should this committee not act, from your vantage point, what does the world look like if that E&C, Energy and Commerce, bill becomes law?
>> Mr. Chairman, I know time is short. Don't let the perfect get in the way of the good. We'd like to have the standards apply across the board; otherwise their effect is diluted. We can be good, but if our partner in payments has a flawed, outdated, weak system at a point of sale or in a back room at fill-in-the-blank retailer or a different sector, the whole chain of events gets compromised; it's only as good as the whole chain. If you just do one piece, you're missing a very important part or opportunity to up the game of the whole system. It's an ecosystem; it has to be addressed holistically or the whole system is compromised.
>> My time has expired. The chair recognizes its ranking member for five minutes.
>> Thank you very much, Mr. Chairman. First, I'd like to thank Mr. Carney and Mr. Neugebauer for the work that we have done on this legislation. I believe that both sides of the aisle are concerned about getting a strong piece of legislation that will protect our consumers. This is a bipartisan issue, and we should not spend a lot of time fighting about some aspects of this initiative but rather we should work out whatever the differences may be. From what I can understand, there are those who believe that the federal law should be a floor rather than a ceiling, and there are those who believe that where you have states who have stronger laws, we should not preempt those states. As I understand it, despite the fact that we have varying laws in our states now, they all have similarities. And so rather than thinking about this as states with such different laws that would somehow cause great complications, let's think about this in terms of the fact that we want our state attorneys general to be involved. We want them to be involved in enforcement. I think that's very important. So let us take a look at what I think is the biggest obstacle to us getting the best legislation and deal with the preemption question. Deal with the preemption question and think about states like California. Ms. Moy, can you tell us, for example, my state, California, what are we doing with cyber security, and is that stronger than what is being proposed here now?
>> Sure. Yes, thank you. That's a good question and a good place to start, because California passed the first notification law years ago and has really been a leader in this area. So thank you for your work on that. California, for one thing, California recently passed a law to include login and password for account authenticators, not just for financial accounts but other types of accounts as well. My e-mail account, if my login and password were breached, I would get a notification, and I would certainly want to, because
there's a lot of information in there that, while it may not lead to financial harm, could lead to -- certainly to emotional harm if that information were breached and misused. California also has a -- it has a reasonable security standard, much like the federal standard right now. California does enforce that standard, has had a number of cases over the past few years and, along with that, has some very rich guidance for businesses attempting to comply with the reasonable security standard. One thing I think California is strong on is the type of guidance that the state AG's office provides to consumers, and the way the state AG's office interacts with consumers and businesses to provide that important guidance.
>> Thank you very much. I'm sure that none of us would want to interfere with states' abilities to have the strongest possible laws for cyber security. And so don't you think the federal law should be a floor, and that we should certainly allow states that have tougher laws to be able to enforce those laws, and that would require the attorneys general to be involved? Do you think that is the best way to approach this?
>> You had mentioned previously there is a discernible pattern among the states' laws. I think that is the case. You look at the various breach notification laws, most of them cover a score of common information and have very similar requirements in terms of what ought to be provided in the notification, when the state AG and the consumer reporting agencies ought to be notified, and in addition to that, some states have added on to that. That's where, for example, some states like Texas and Wyoming, and just this year, Hawaii and Montana, have added information to the application. They see a developing threat that must be addressed.
>> We would not want Texas to be preempted with the good law that they have, particularly as it relates to medical information, would we?
>> Thank you very much. I yield back.
>> The chair understood the subtle point. The chair now recognizes another gentleman from Texas, the chairman of our Financial Institutions Subcommittee, for five minutes.
>> Thank you, Mr. Chairman. I would note that if you let the federal standard be the floor and then all the states have an opportunity to start running up each other, we're right back where we are now, and it defeats the purpose of having a federal standard. Mr. Dodge, in reading your testimony last night on our proposed security legislation, there's a lot that I think you and I agree on. I'm hoping today that we can discuss some of the provisions where we maybe have a little bit of a difference of opinion, so that we could have a better understanding of where everybody is on this issue. I look at page seven of your testimony; you state retailers support a carefully calibrated, reasonable data security standard. Under HR 2205, we laid down a security standard that is process specific and based on certain key elements of data security programs that have worked well. To ensure the smaller retailers are not unduly burdened, we calibrate the standard to match the size and scope of information that the entities hold. If they don't apply to you, you don't necessarily have to implement them. So the question is, can you identify the specific processes we've laid out in our carefully calibrated -- that aren't carefully calibrated and reasonable in your estimation?
>> Thank you for the question. I think, you know, first, it's important that we be having this debate about proper national data security standards to help businesses address this growing and sophisticated threat. It's the perspective of retailers that the baseline for the legislation you introduced, especially the data security standards within it, were expressly written for the financial services community. The industries are very different. Anybody who's ever filled out a mortgage understands that the information that a bank holds is very different from that of a retailer. If we were to pursue legislation that replicated the -- or shoehorned the act to apply to the rest of the business community, we would be applying this law to industries beyond the retail industry, of course, well beyond us, to high-tech internet app makers big and small. We think that the history of enforcement at the Federal Trade Commission provides a good standard that is very clear and strong for businesses to adapt to, to meet today's challenges, and it evolves in the future. We don't think you can regulate your way to security; we need to employ layers of security. We need to start with the baseline that we believe is a strong standard, emboldening the FTC, and look for other ways for us to work together, including advancing the security that's in that system today.
>> Now, you mentioned, I think, 50 FTC enforcement actions since
2001. If you believe that the FTC is your enforcement agency, do you support giving the FTC rulemaking authority to make a uniform standard?
>> The FTC has enforced these cases under the unfair and deceptive practices act. We think that giving them the express authority from Congress is the right way to go about it, and it would preserve that flexibility that they need in order to adapt to the threats as they change over time.
>> The question is, would you support them promulgating standards that make sure that the playing field is level and that you are doing the things that are specifically necessary in your industry to have a uniform standard?
>> We wouldn't support rulemaking; we think that's the purpose of passing the law. We think Congress has the privilege of defining the law, and then leave it to the agency to adapt over time. They have the flexibility under current law.
>> Isn't that what we're trying to do, then? Congress is trying to pass a uniform standard?
>> Exactly. And we believe that providing the FTC the authority to enforce data security laws based on the case law today, the common law based on the 50 cases, provides them with -- would provide businesses not only with the clarity that they need on what the expectations are of government, but the flexibility for the enforcement agency, in this case the FTC, to evolve over time to meet new threats.
>> Do your members take steps to protect the data?
>> There's no more important relationship in the retail business than that which they maintain with their customers.
>> A data breach would be a breach of trust with those consumers. They work extremely hard to prevent breaches.
>> If they're already doing it, what's the objection to codifying the standards?
>> They should be applied across the industry.
>> You're speaking specifically about a law that was written for the financial services community?
>> I'm talking about the bill --
>> It would be expanding, under your legislation, to the rest of the business community. What we're saying is we should stick within the current regulatory structure, as the FTC, the regulator for most industries in goba, can remain --
>> We took principles from this; this is a uniform national federal standard.
>> The time of the gentleman has expired. The chair now recognizes the gentleman from Delaware, Mr. Carney.
>> Thank you, Mr. Chairman. Thank you to the panelists for coming today. I'd like to talk a little bit about this preemption issue. I know it's a concern for many of the members, and we've worked hard to try to address it. I said in my opening comments the preemption provision should not have the unintended consequences outside the issues covered in the bill. We don't believe it affects the medical debt issue that was raised a moment ago with respect to California; we would be willing to make that plain.
>> You said -- I thought I heard you say that we shouldn't have 50 different standards, is not the answer. Is that what you said, or did I mishear your comments?
>> So what I have said is that I think the best for consumers would be to create a floor, not a ceiling, so that states can continue.
>> Set a national standard?
>> Right, and then --
>> Allow states --
>> To protect judicial categories --
>> My understanding is that 13 states now currently have data breach notification and standards like this, and that our legislation, our federal legislation, would be better than all of them except maybe one, which is Massachusetts, and I've been talking to some of my colleagues from Massachusetts. Would you agree with that?
>> I think also Oregon has a pretty good standard. There are elements of other state laws you may not consider specific data laws.
>> A pretty high standard?
>> It is a pretty high standard, yes.
>> That's the starting point for us. There's been some discussion about the standard in Energy and Commerce. Would you say it's a higher standard than what our bill would propose?
>> Our standard is a reasonableness standard. So I think the difference here is not only might there be a difference in what the language says in that bill; I think, also, we would be looking to the common law of the FTC and others to flesh out what the specific requirements are, but it's really important, as we're thinking about how strong the security standard is, to think about who has the enforcement power and who's going to be guiding the parties there. If the federal agencies are solely responsible for it, even a strong standard might not provide as strong a protection as a general reasonableness standard that allows state AGs to work on a piecemeal basis.
>> You think the standard in our bill is pretty good, a pretty high standard in terms of a federal standard? You believe the states ought to have the flexibility to go beyond that, notwithstanding some of the issues that that might create in terms of having different standards. How about this enforcement question? Have you looked at our bill in terms of the enforcement provisions in the bill, and how would you suggest they would be improved upon, in your view?
>> I can't -- I have looked at it. I'm not prepared to provide a detailed response; I would be happy to in writing if you
prefer that. I do think the key issue with respect to enforcement, your bill would only facilitate enforcement by federal agencies --
>> What I heard you say is that allowing the state AGs some kind of role there would be an improvement? Again, not having looked at the details there, not to put words in your mouth.
>> Yes, yes, I believe that a very credible element here is that we must have enforcement.
>> We are willing to try to improve the bill so we can get a greater consensus around it. We believe that -- I think, as you said, a national standard is important to have. 50 different standards is not the way to go. It's got to be the high bar and one that's enforceable. Would any of the other panelists like to comment on the conversation that we've just had about preemption, about the standard?
>> I think the bill on a bipartisan basis really takes on this issue in the right way, that is, to recognize that the act of legislating to unify 46 disparate regimes would be adding a 48th regime and wouldn't serve the purposes that the legislation seeks to undertake, which is to protect consumers' financial information. And from ETA's perspective, the bill takes the right approach to ensure that the federal regime is operative and not interfered with.
>> Everyone agrees we need a higher standard and kind of one standard across the country.
>> We fully agree there should be a national standard. We think the states deserve a tremendous amount of credit for having acted in the place where the federal government has not yet. That's why we believe, as a broad concept, preemption should be offered as a broad concept; state AGs should have the ability to play a role.
>> The time of the gentleman is now expired. The gentleman from New Jersey, Mr. Garrett, chairman of our Capital Markets Committee.
>> Thank you, Mr. Chairman. Thank you for holding this hearing, an issue that hits home for a lot of folks. Let me just start -- I have a couple questions, start at the basics, if I can. Governor, I'll throw it to you.
>> When there is a breach or someone does steal your card and they go to a retailer and buy a TV, and you find out that you didn't, so on and so forth, who actually is responsible for that? Is it the -- does Target have to pay the bill for that? Does the bank that issued my -- well, my MasterCard, or if it's not that, is it the bank, or is it Visa or MasterCard or Discover that's paying for that?
>> The oversimplified version.
>> The consumer is made whole, and the issuing bank is the one that makes them whole. However, there's a secondary process managed and run by contract between the payment networks and various players in the payment system that gets resolved through a -- should we say contractual process between Visa, MasterCard, retailers, the issuer, which people take issue with how that works from time to time. That's how it gets sorted out after the fact.
>> Does anyone else want to give an overview?
>> I would add to that. It's the merchant that ultimately pays for fraud in the wake of a data breach, should the data breach have occurred at a retailer. They pay a variety of fees; there's three real fees they pay total. The first one, on every transaction ever processed, a component of it is prepayment of fraud should one occur. And then post-breach, there's a fee associated with issuing the cards and --
>> So that's where the banks end up having to pay the 15 bucks or whatever it is to send me a new card.
>> The merchant reimburses on those fees.
>> I hear different stories on that.
>> I've included a schedule in my written testimony.
>> So I just got one of these cards that have the chip on it. And also, just to be clear on this, putting this chip on the card may help to some degree as far as the lost card and the stolen card, as far as going to the retailer, but as someone else on the panel said, I know it was in the testimony, this chip does absolutely nothing with regard to when they steal that information and they use it online. Is that correct?
>> I think it's important to note, the chip, the technology that's available in the United States today -- 1960s era technology. We introduced chip and PIN technology more than a decade ago.
>> You saw an uptick of the data breaches not at the store anymore, but now online, is that correct?
>> That's true. Fraud moved in two directions, online and to the United States. Suddenly the United States had the weakest security in the world. It still does today. When chip only goes into effect later this year, the United States will still have the weakest technology.
>> We can't solve all this stuff. The bottom line is doing the chip is not going to solve it entirely. Also to the point, what seems to be a lot of discussion as far as the disclosure information, that doesn't do anything to -- actually, none of it -- that doesn't do anything as far as preventing the fraud in the first place. That tells me, as a consumer, you were robbed and this is who's going to pay for it.
>> Congressman, I couldn't
answer your specific question about the chip. You're absolutely right, the chip in the card prevents the card from being counterfeited; that is today the number one source of card fraud in the United States. It's about two-thirds of card fraud at retail. It does not address the online issue. The online fraud issue is addressed by the other layers.
>> The data that's on the card, when I use this chip and put it through, has my number right on it; I don't know if you can see this. Does the retailer keep that information?
>> The retailer transacts that information.
>> If someone breaches into it --
>> They're instituting many -- all are moving toward it to make sure that that information --
>> It still is a target, not to use that company, still a target for the hacker to go into the retail -- not just medical or whatever; the hospital keeps that information too, I guess, as a data source where they'll go try to breach, and they won't be going to the retailer to use it, but they'll be doing it online, still a target, maybe even a larger target? Is that true, now with the chip? Is it a larger target because of that as well?
>> I think it's important that we recognize the chip technology is really designed to button down the point of sale to defend against counterfeit, lost and stolen. It is one critical layer of security; there are other technologies that have been referenced in testimony today, such as point-to-point encryption.
>> If I may, may I just add a short comment in response to the point about notification?
>> Fine with me.
>> Sure.
>> Thank you. Thank you so much.
>> I just wanted to say, I think notification provides an important incentive for companies to keep information more secure. I can't remember whose written testimony it was. Companies do suffer reputational harm. I think it's important because that provides information to consumers who are considering where to vote with their wallet as they're determining which service to go with.
>> I get that. Thanks.
>> The time of the gentleman has expired. The chair recognizes the gentlelady from New York.
>> Thank you. Thank you, Chairman and Ranking Member, for putting this together. It's an incredibly important issue, because it affects everyone: consumers, government, retailers and financial institutions. And I also want to commend Mr. Carney and Mr. Neugebauer for putting this together. This bill would significantly strengthen the data security procedures for businesses, but in a way that is flexible and can evolve as the cyber threat changes and evolves. I am still concerned about the scope of the state preemption in the bill, and I want to keep working on the preemption enforcement. I have signed on to the bill as a co-sponsor; it is a serious, good faith effort to tackle what is a critically important issue to our economy. I'd like to commend them for their hard work and leadership on this issue, and I look forward to working with them on the enforcement and provisions in it. My first question is to Governor Pawlenty. I'd like to ask you about the standards that were put in place for the financial institutions. You mention they had worked well in the financial institutions, but I also want to know, have they proven to be overly burdensome for smaller banks and credit
