Key Capitol Hill Hearings, C-SPAN, May 16, 2015, 5:00am-7:01am EDT

5:00 am
unions. We all know companies face a number of challenges in determining how best to secure customers' financial and personally identifiable information. In addition, we know that there are significant costs to complying with various state laws and providing notice after a breach. However, as we consider setting national standards for safeguarding consumers' personal information and ensuring timely notification, we have to acknowledge the good work of those states that, for years, have been at the front lines of this fight. I believe that any federal preemption should complement states' protections and ensure, at a minimum, that state attorneys general continue to play an important role in enforcement and notification standards. In setting minimum standards, we need to be careful not to hamstring our states' and federal
5:01 am
regulators' ability to adapt and strengthen protections for consumers. Otherwise, we'll limit regulators' ability to keep up with technological change. We should reserve a private right of action for consumers and for financial institutions to ensure that affected entities and breach victims have further recourse. Further, consumers must be consistently provided with clear disclosures of the rights and remedies available to them so they are aware of the various ways in which they can protect themselves from identity theft and fraud and other cyber crimes. Mr. Chairman, efforts to guard against cyber threats are critically important and shouldn't devolve into the same partisan fault lines seen on far too many other issues before this committee, such as the baseless attacks on watchdogs like the
5:02 am
CFPB and blocking efforts to reauthorize the charter of the Export-Import Bank that expires in 22 legislative days. With that, I look forward to hearing from the witnesses today, and I yield back the balance of my time.
>> The chair recognizes the gentleman from Texas, chairman of our Financial Institutions Subcommittee.
>> Thank you, Mr. Chairman. You know, we live in a world where a global market with a global payment system delivers payments to consumers in the blink of an eye, and an immense amount of information is processed and stored in any one transaction. The security of the system is only as strong as its weakest link, and today I look forward to learning more about the new payment technologies that continue to facilitate payment efficiencies, speed, and security. I hope to have a robust technology discussion about what new standards are needed to level the playing field.
5:03 am
This month, Congressman Carney and I introduced legislation to build on the work of Senators Carper and Blunt. The starting point was to lay out a robust data security framework for the financial institutions. Almost 16 years later, this framework has worked very well. The security standard is based on certain core principles. First, because we have a global payment system, we have a standard and a breach notification standard. A standard must minimize regulatory requirements, but must carry with it strong federal enforcement mechanisms. Second, the security standard has to be technology neutral and process specific. It must reasonably identify certain core elements in the absence of an FTC rulemaking. Third, it is absolutely necessary that data security be based on the size and scope of the operation and the type of information that it holds. Legislation must recognize that
5:04 am
the corner market cannot and should not have the same standard as the largest retailer operating in 50 states. While I'm confident in the bipartisan legislation, I'm open to working with any member of the interested groups, one to minimize consequences and tailor this legislation. We have a shared interest in signing this into law, giving consumers the safest payment system possible. I thank the panel for being here this morning, and I look forward to looking at the testimony that's been entered. This is going to be a very informative session for our members, and I think it's good that we have these different interests at the table today, and so, Mr. Chairman, I look forward to a very informative hearing.
>> The gentleman yields back. The chair recognizes the gentleman from Delaware for two minutes.
>> Thank you, Mr. Chairman. Mr. Chairman, over the last decade alone, data breaches compromised nearly a billion
5:05 am
records containing sensitive information. Experts estimate that when this occurs in the United States, it costs consumers an average of $290 per victim. Studies show that cyber criminals cost U.S. companies approximately $100 billion a year. One thing is clear: the current patchwork of 47 state data breach laws is failing to protect American consumers. That's why we have worked together on a bipartisan effort to develop a data security breach notification framework that all stakeholders can operate within. We think consumers and the companies that handle personal financial data should all know the rules of the road when it comes to the standard for protecting this data. Our bill, H.R. 2205, the Data Security Act, builds off the efforts by Senators Carper and Blunt across the Capitol. The bill implements a strong notification standard, requiring companies to enact a program that is robust and scalable with the goal of protecting consumers' personal information
5:06 am
from breaches, setting a republican standard for timely notice to consumers when a breach occurs. Importantly, the bill's requirement avoids a one-size-fits-all approach, allowing for companies of varying sizes and complexity. As with any comprehensive piece of legislation, our bill can always be improved. For example, clarifying that the preemption provision does not have consequences outside the issues covered in the bill merits further attention. I'm looking forward to working with my colleagues on both sides of the aisle to make improvements to this legislation where necessary. The fact is, though, that the White House, Congress, the private sector, and consumers all agree that the status quo is not acceptable, and I'm encouraged that this committee is having the hearing today and moving forward to protect consumers, businesses, and the American economy. I'd like to thank the leadership on the issue and look forward to hearing the witnesses' testimony
5:07 am
and feedback on the hearing this morning. Thank you, I yield back.
>> The gentleman yields back, and indeed, it is time to hear from the witnesses. We welcome you all to the panel. First, the Honorable Tim Pawlenty, former governor of the state of Minnesota. Mr. Brian Dodge, executive vice president of communications and strategic initiatives at the Retail Industry Leaders Association. Mr. Jason Oxman is the chief executive officer of the Electronic Transactions Association. Mr. Steven Orfei is the general manager at the PCI Security Standards Council, and last but not least, Laura, a senior policy counsel at the Open Technology Institute. Several of you have testified before Congress before. I'm not certain of all of you, so we have a rather simple lighting system: green means go.
5:08 am
Yellow means hurry up, because the red light is soon to follow. Red means stop. The yellow light comes on with one minute to go. Each of you will be recognized for five minutes for an oral presentation of your testimony. Without objection, each of your written statements will be made a part of the record, and since we are brand new in our refurbished space in the old hearing room, you had to pull the microphones very close to you. I think now you can keep them at a somewhat comfortable distance from your mouth. Governor, you will be the tester on the new sound system, and you are recognized for your testimony.
>> Good morning, Mr. Chairman, Ranking Member Waters, members of the committee. Thank you for the opportunity to share a few thoughts with you this morning about one of the most pressing issues facing our country: the emerging, growing, and threatening warfare that takes place
5:09 am
commercially and otherwise upon the globe and is visited upon American consumers in ways that deserve the Congress's attention. To show you what we're up against, 80% of the companies breached in 2014 did not know they were breached until somebody else told them. A third party told them, sometimes the government, a vendor, but a third party. The length of time between the breach and the discovery was months after the fact. Another interesting fact: over half the adult American population had their personal data exposed last year, according to a CNN-published report. And the list goes on, including we know through public and confirmed reports that this is no longer college kids in their basements having fun trying to get into some systems. These are nation-state actors, or semi-state actors, including China, North Korea, Iran, Russia, former
5:10 am
Soviet-sponsored states, and individuals and enterprises associated with them, with sophisticated crime syndicates. If one of these entities focuses on a company, it's not going to end well for the company or its customers. We need a robust, muscular response to the threats, and the fact that this committee's paying attention to the issues, we appreciate it very much. Mr. Chairman, thank you to the House for passing, on more than one occasion, threat information legislation, and legislation that we hope the Senate does the same with: not sharing personal information, but the threat information sharing bill is helpful to the cause in making the country prepared to defend against threats. Relating to the financial services sector and payments system, our sector, as the chairman mentioned, has dealt with the issues in a regulated context for quite some time. It was passed in 1999; part of the act, of course, was to visit upon this industry a set of
5:11 am
security standards and enforcement mechanisms, including the examination process. That, I think, served the industry well. Looking at the breaches taking place in recent years, our sector has the lowest breach incident rate. We still have a lot of work to do, but compared to other major sectors it's progress, and that's because of the good work that's been done since the act and otherwise. We're about to launch secure top-level domains, dot-bank and dot-insurance, that should help with the issues; we're involved with an analysis center, the first in the country, the most robust, and more. As it relates to the payment system, it's about to get a lot better. We're going to move as a next step to the chip-enabled cards; that's already happening. The networks said, look, if you want to avoid fraud liability, make the transition by the end of 2015, and some say, look, we're not ready, it will take longer, but over the course of the next couple years there will be chip cards that will help, but
5:12 am
don't be focused just on that. That's technology from the 1960s. Magnetic strips were invented in the 1960s. PINs were invented in the 1960s, and chips more recently. It's moving beyond that discussion. New technologies being considered include voice recognition, facial recognition, location, biometrics, and more. It evolves rapidly and continues to evolve as new technology emerges. The legislation before you, Congressmen, thank you very much. We strongly support H.R. 2205, an excellent piece of work; it may need modifications, as mentioned, but it does important things, creating for all sectors, not just the health care sector, a data security standard, which is really important, and it's flexible. We're only as strong as the weakest link in the chain. We've got strong standards, but if
5:13 am
another link in the chain doesn't, the whole system's exposed, so thank you for putting the marker down on a strong standard. We strongly support that. Another important piece of the bill is a uniform data breach notification law. Many states, including my own, have strong laws in this regard, and thinking of cyberspace and how Congress is conducted now, it does not make sense to have 50 standards and approaches, 50 responses to a breach and the notification relating to it. In closing, as you think about this, we're not asking for any current state initiatives to be diluted, but if you set a standard, set it high, nation-leading. I'm out of time, Mr. Chairman. Thank you for the chance to be here this morning and for the leadership on the issues. We support what you are trying to do.
>> We thank you, and Mr. Dodge, you are recognized for five minutes for your testimony.
>> Good morning, Chairman, Ranking Member Waters. I'm Brian Dodge, executive vice president with the Retail
5:14 am
Industry Leaders Association. Thank you for the opportunity to testify today about data security and the steps the retail industry takes on this important issue to protect consumers. We are the trade association of the largest retail companies, and we embrace technology to provide American consumers with unparalleled services and products. While technology provides great opportunities, nation states, criminal organizations, and other bad actors use it to attack businesses, institutions, and governments. As we've seen, no organization is immune to attacks. Retailers understand that defense against cyber attacks has to be an ongoing effort. As leaders in the retailer community, we take new and significant steps to enhance cyber security throughout the industry. To that end, last year the sharing center, in partnership with America's most recognized retailers, opened a steady flow of information sharing between retailers, law enforcement, and other relevant
5:15 am
stakeholders. They've established a formal working relationship with the financial services, a move that will, among other things, ensure collaboration across the payments ecosystem on the issues. We applaud the House for passing cyber legislation, and we hope the Senate takes up and adopts H.R. 1560's flexible approach to electronic sharing. While we expect we'll discuss many cyber security topics today, one area of security that needs immediate attention is payment card technology. Woefully outdated magnetic stripe technology used on cards today is the chief vulnerability in the payments ecosystem. Retailers are estimated to invest $8.6 billion for terminals to accept chip cards later this year, but they will not be issued with PINs. Chip and PIN technology has proven to reduce fraud when deployed elsewhere around the world. In contrast, signature technology falls short of providing consumers the best
5:16 am
security available today. Retailers believe the chip and PIN will prevent criminals from duplicating cards with ease and devalue the data that retailers collect at point of sale. Ultimately, these steps have been proven to substantially reduce the economic incentives for cyber criminals to launch these cyber attacks. Before I discuss what really are the data breach policy considerations, I will briefly highlight significant data security and data breach notification laws with which retailers currently comply. 47 states have adopted data breach notification laws. In addition, retailers are subject to robust data security regimes. The Federal Trade Commission has prosecuted more than 50 cases against businesses charged with failing to maintain reasonable data security practices. These actions have created a
5:17 am
common law of consent decrees that clearly spell out the data security standards expected of businesses. In addition, inadequate data security measures for personal information lead to violations of express state data security laws. Also, many states have so-called FTC acts covering unreasonable data security practices. Finally, retailers voluntarily and by contract follow a variety of security standards, including those maintained by PCI and ISO. While retailers comply with the range of data breach notice requirements, a carefully crafted federal data breach law clear of regulatory confusion can protect and notify customers better. They support legislation that's practical and proportional and sets a single national standard. This supports data breach legislation that creates a single national notification center, allowing businesses to focus on quickly providing affected individuals with actionable information; that ensures that targeted notice is
5:18 am
required only when there's an actual risk of identity theft, economic loss, or harm; that ensures that the responsibility to notice is that of the entity breached but provides flexibility for entities to notify the party; establishes personal information; recognizes that retailers already have robust data security obligations; and that security must be able to adapt over time. I thank the committee for inviting me today. I look forward to answering your questions.
>> Mr. Oxman, you are recognized for five minutes for your testimony.
>> Thank you, Mr. Chairman, Ranking Member Waters. I'm the CEO of the Electronic Transactions Association. ETA is the trade association of the payments industry; our more than 500 member companies are focused on providing the world's most secure, reliable, and functional payment systems to American merchants and consumers. Electronic payments in the
5:19 am
United States are largely invisible to consumers because, simply put, they just work. U.S. consumers carry 1.2 billion credit, debit, and prepaid cards in their wallets, used to pay electronically at more than 8 million merchants in the United States. Indeed, ETA companies process more than $5 trillion in U.S. consumer spending every year. That means thousands of transactions are moving across our network every second. Now, consumers enjoy a wide variety of ways to pay electronically, including in person with a card, mobile device, or watch, or remotely via phone or internet. From the moment a consumer initiates a payment, the transaction is securely transmitted, authorized, and processed within a matter of seconds. ETA member companies take very seriously the obligation to protect the security of their customers' information. Consumers in the United States choose electronic payments
5:20 am
because they benefit from zero liability for fraud, making electronic payments the safest and most secure way to pay. Today, criminal fraud amounts to less than 6 cents of every $100 processed in transactions. It's a fraction of a tenth of 1%. Even though fraud represents a tiny percent of overall transaction volume, we deploy cutting-edge new technology using self-regulatory industry guidelines to bolster the fight against fraud. I'd like to highlight three concrete steps the industry is taking to protect consumer information and prevent data breaches. First, ETA members are deploying EMV-enabled chip cards to fight the number one cause of card fraud, counterfeit cards, which represent two-thirds of card-present fraud in the U.S. today. Now, chip cards prevent cards from being copied. They do not stop data breaches,
5:21 am
but they make it harder for criminals to reap the rewards of those data breaches. Chip migration is happening now in the United States; it's the most complicated overhaul of our payments technology system in the 40 years since the magnetic stripe card was introduced. Our banks need to replace more than 1 billion cards. Merchants need to upgrade point of sale equipment at more than 10 million locations. We're working together and getting it done. Second, our industry is deploying new tokenization technology, replacing card information with a one-time-use token. Even if intercepted by criminals, the tokens cannot be used to generate fraudulent transactions. Think of a token as a mathematical cryptogram that cannot be reproduced. One example is a mobile transaction. Tokens can be used in card environments as well, and we're working with merchant partners
5:22 am
to apply token technology at both brick-and-mortar and online retail. Third, ETA members are helping merchants secure the point of sale by deploying new encryption technologies. Point-to-point encryption is a way to secure all entry points against attack, denying cyber criminals the access needed to install malware and other cyber hacking tools. As our industry deploys all these layers of technologies, I want to affirm ETA's strong support for legislation that creates uniform national data standards and data protection breach standards as well. Such standards must be industry neutral and must be preemptive of state law, and this is the approach set out in H.R. 2205, which ETA strongly supports. We applaud the chairman for engaging in the important dialogue with the legislation.
5:23 am
ETA also supports legislation to promote information sharing. Sharing of information across government and technology and manufacturing companies will support prevention of and investigation of breaches and ensure against cyber attacks. Cyber criminals are increasingly sophisticated, global in scope, and working proactively to address every threat. We must not forget that data breaches of merchants and consumers make them victims of crime. We share a desire to stamp out fraud and take seriously our responsibility to all of our customers to do so. Thank you for the opportunity to be here, and I look forward to the questions, Mr. Chairman.
>> Mr. Orfei, you are recognized for your testimony.
>> Thank you, sir. Good morning, I'm Steven Orfei, general manager of the PCI Security Standards Council. I have the privilege of leading a talented and deeply committed membership organization that is responsible for developing
5:24 am
and maintaining the global data security standards for the payment card industry. Our approach combines people, process, and technology. Continuous effort in applying our standards is the best line of defense against organized crime, state-funded actors, and criminals who threaten our way of life and attempt to undermine our confidence in the financial system. Everyone has been victimized by these criminals, and we know the very real harm caused by breaches. Developing standards to protect payment card data is something the private sector, and specifically PCI, is uniquely qualified to do. Consumers are understandably upset when payment card data is put at risk. The council was created to protect payment card data. Our community of over 1,000 of the world's leading businesses is
5:25 am
tackling data security challenges, from simple issues (for example, the word "password" is still one of the most commonly used passwords) to complex issues like encryption. Our standards are a solid foundation for a multilayered security approach. We aim to remove payment card data if it is no longer needed. Simply put, if you don't need it, don't store it. If it's needed, protect it, removing the incentives for criminals to steal it. Here's how we do that. The security standard is built on 12 principles, covering everything from logical to physical security and much more. It's updated regularly through feedback from our global community. We manage eight other standards that cover card production, PIN entry devices, payment applications, and much, much more. We work on technologies, best
5:26 am
practices, and provide market guidance. We have laboratories that vet solutions that we list on our website. All of our information is free. Our mission is to educate, empower, and protect. Now, our end-game strategy is to devalue the data so it's useless in the hands of the bad guys. We have three technologies that will allow us to do so: EMV at the point of sale, point-to-point encryption, and tokens. When bundled and implemented properly, the data becomes useless, and there's no reason to break in. That's why the council supports adoption of EMV in the U.S. through organizations such as the EMV Migration Forum and other standards that support EMV today in other worldwide markets. EMV chip is not a silver bullet. Additional controls are needed to protect the integrity of
5:27 am
payments online and in other channels. This includes encryption, tamper-resistant devices, malware protection, network monitoring, and more, all vital parts of the PCI standards. Effective security requires more than just standards, for standards without supporting programs are just tools, not solutions. The training and certification programs have educated tens of thousands of security professionals, making it easier for businesses to choose products that have been lab tested, certified, and secured. Finally, we conduct global campaigns to raise awareness of payment card security. Leadership on the issue is important, and there are clear ways in which the federal government can help, for example, by leading stronger cooperative law enforcement efforts worldwide and by encouraging stiff penalties for the crimes, and recent initiatives on information
5:28 am
sharing are also proving to be invaluable. The council is an active collaborator with government; we work with Treasury and the Secret Service and other entities, including global law enforcement like Interpol and Europol. In conclusion, payment card security is complex. Silver bullet solutions do not exist. Unilateral action is usually a disappointment. Alliances, partnerships, information sharing, and collaboration between the public and private sector are critical. The PCI Council stands ready and willing to do more to combat cyber crimes that threaten our way of life and confidence in the financial systems of the world. We thank the committee for taking a leadership role in seeking solutions to one of the largest security concerns of our time. Thank you.
5:29 am
>> Thank you.
>> Thank you, thank you so much, Mr. Chairman, and good morning, Ranking Member Waters and other members of the committee. Thank you for the commitment to address security and data breaches and for the opportunity to testify on this important issue. Consumers today share tremendous amounts of information about themselves. Consumers benefit from sharing information. They can be harmed if that information is compromised. For the most part, the states are actively dealing with the issue in ways tailored to address the needs of their own residents. With a large body of common elements, at least 29 states have introduced or are considering breach notification bills or resolutions this year alone. Bills in 27 of those states would amend laws to account for changing threats. Two states have no laws on the books but considered bills this year to change that. Consumers would therefore be best served by a federal bill on
5:30 am
the subject setting a floor for state laws, not a ceiling. To the extent Congress seriously considers preemption, standards should strengthen or preserve protections that consumers currently enjoy at the state and federal levels. Because any preemptive bill ends the rich legislative activity on the issue taking place in state legislatures, it would need to provide a similarly agile mechanism for quickly adjusting the law in the future to match developing technology and new threats. Unfortunately, a number of recent legislative proposals diminish protections in a number of ways by replacing strong and broad state protections with a weaker federal standard. In addition, a number of the bills do not provide the flexibility needed to make sure consumers' personal information remains protected as the information landscape changes. Don't get me wrong, many -- most of the bills seen would offer
5:31 am
new benefits for consumers. Many consumers and privacy advocates, myself included, question whether the new benefits outweigh the potential harm to state jurisdiction and to consumers' existing protections. I'll focus on four potential shortcomings of federal legislation to be addressed to ensure any bill represents a net gain for all consumers. First, federal legislation should not ignore the serious physical, emotional, and other nonfinancial harms that consumers could suffer as a result of misuses of their personal information. A bill that would both preempt state laws and condition breach notification on demonstrated risk of harm could reduce consumer protections in 33 states and the District of Columbia, where the existing law has no harm trigger or one that's not limited to financial harm. Second, federal legislation should not eliminate data security and breach notification
5:32 am
protections for types of data currently protected under state or federal law. Some current legislative proposals feature a narrow class of protected information along with broad preemption. This eliminates protection consumers rely on at the state and sometimes federal level. For example, many bills would eliminate protections in ten states for health information or eliminate federal protections for telecommunications, cable, and satellite records. Third, federal legislation should provide a means to expand the range of information covered by the bill as technology develops. The ten state breach notification laws that cover health information represent a clear trend, as states currently are updating existing protections to respond to the growing threat of identity theft. We can't forecast the next big threat years in advance, but, unfortunately, we know there will be one. Federal legislation on the topic must provide flexibility to meet
5:33 am
new threats, whether by continuing to allow states to protect classes of information that fall outside the four corners of the bill or by establishing rulemaking authority on the definition of personal information. Fourth and finally, federal legislation should include authority for state attorneys general, and thousands of cases are reported each year, many protecting a small number of consumers. Federal agencies are well equipped to have breach notification cases, but could be overwhelmed losing the support of state AGs, especially when it comes to handling smaller cases, providing guidance to small businesses, and providing resources for local consumers. I, and many of my fellow privacy stakeholders, are not unequivocally opposed to the legislation. Any such legislation must strike a careful balance between preempting existing laws and providing consumers with new protections. The Open Technology Institute,
5:34 am
therefore, appreciates the close examination of the issue, and I'm looking forward to your questions. Thank you.
>> The chair now yields himself five minutes for questioning. So based on my unofficial survey of the good folks in the Fifth District of Texas that I have the privilege of representing, data breach, although they don't typically use that phrase, certainly makes their top 20 anxiety list, and top 10 thinking of identity theft, other forms of theft, privacy laws, so it's a very serious matter, but as was in her testimony, there is a cost and a benefit associated with anything we do around here. To state the obvious, we're lawmakers, and there was a law made about 15 years ago, Gramm-Leach-Bliley, that kick-started
5:35 am
standards. There's been a lot of innovation since the act was written into law. So, let's start with you, Governor. What exactly is broke? What needs fixing here? What is working or doesn't work?
>> Mr. Chairman, thank you, a great question. If you step back on how individuals characterize and answer these questions, how is the current system working? Half the American population has personal data exposed in one year? That's not a stretch of the imagination to think someone could shut down the grid for months on end. You do that, you lose electricity in the district, the pressure for gas pipelines, points of sale go down, you can't pay electronically, and there's a substantial impact on the country.
5:36 am
That requires a sense of urgency and understanding of the threat. The law works. It's flexible. It makes accommodations for the size of the business, but given the importance of this infrastructure to the country, if the payment system does not work, it stalls, people lose confidence in it, and there's a big piece of the economy grinding to a halt. There are trillions of dollars of payments that flow through the United States per day. If that's shut down or interrupted, you've got a material, bordering on existential, threat to the economy and country. This is urgent. It is growing exponentially in terms of concern. This law works; however, no institution is immune. We have had some of the biggest institutions breached. The best in the world, the NSA, everybody, ten out of ten in terms of world-class capabilities in this regard, breached by an insider threat. There is much more work to be done on all fronts, and we're the best of class. Financial services gets breached
5:37 am
from time, we manage it, people get money back it's inconvenient, but the other sectors that do not have these standards and capabilities need to up their game, and you can help lead the effort. >> mr. oxman, you, in your testimony, i think, were lauding the elements of the legislation, and preemption national standards, an open question regard ing regarding preemption and national standards. why do you consider preemption and national standards to be important? >> yeah, mr. chairman, as a number of witnesses noted we all share an interest in ensuring the consumers and merchants are protected, but when something does go wrong, we also need to make sure that we get the word out as quickly efficiently as possible and make sure those protections that are available under law kick in. the reason the consumers use electronic payments is because
5:38 am
they are 100% protected against any liability for fraud. we still need to get information out to them. there are 47 different regimes that companies have to subscribe to, not just the payments industry, but every company in the country that subscribes to 47 different regimes. they all appoint different time, place, and manner for the notification. they all have different triggers for what kind of notification has to take place. some of them are even contradictory. there's one state that actually requires the breach notification to include detailed information about the breach itself. there's another state that makes it illegal to include any information about the breach itself. in some cases, they are contradictory. if we had a uniform national standard, that allows everyone in the ecosystem to work together towards the same goal, which is to provide reasonable notice that needs to be provided as quickly as possible. >> in my remaining time governor, back to you. the commerce committee reported a
5:39 am
piece of legislation with regard to a national breach notification law that only impacts retailers. should this committee not act, from your vantage point, what does the world look like if that energy and commerce bill becomes law? >> mr. chairman, i know time is short. don't let the perfect get in the way of the good. we like to have standards applied across the board, otherwise the effect is diluted. we can be really good, but if our partner in payments has a flawed, outdated, weak system at point of sale or in a back room at fill-in-the-blank retailer or another sector, the whole chain of events is compromised. it's only as good as the whole chain, and if you just do one piece, you're missing a very important part or opportunity to up the game of the whole thing. it's a system that has to be addressed holistically or the system is compromised. >> my time has expired. i recognize the ranking member for five minutes.
5:40 am
>> thank you very much, mr. chairman. first i'd like to thank you for the work done on this legislation. i believe that both sides of the aisle are concerned about getting a strong piece of legislation that protects our consumers. this is a bipartisan issue and we should not spend a lot of time fighting about some aspects of this initiative, but rather we should work out whatever the differences may be. from what i can understand, there are those who believe that the federal law should be a floor rather than a ceiling. there are those who believe that where you have states who have stronger laws, we should not preempt those states. as i understand it, despite the fact that we have varying laws
5:41 am
in our states now, they all have similarities, and so rather than thinking about this with states with such different laws that somehow cause great complications, let's think about this in terms of the fact that we want our state attorneys general to be involved. we want them to be involved in enforcement. i think that's very important. so let us take a look at what i think is the biggest obstacle to getting the best legislation and deal with the preemption question and think about states like california. can you tell us, for example, my state, california, what are we doing with the cyber security and is that stronger than what is being proposed here now? >> sure, yes. thank you. that's a good question and good
5:42 am
place to start because, you know, california passed the first breach notification law years ago. they have really been a leader in this area. thank you for your work on that. for one thing, california recently passed a law to include log-in and password for account authenticators, not just for financial accounts, but other types of accounts as well. for example, my e-mail account, if the log-in and password were breached, i get a notification, which i certainly want, because there's information in there that does not lead to financial harm but could lead to emotional harm if that information were breached and if it was misused. california has a reasonable security standard like the federal standard right now. california does enforce that standard and has had a number of cases over the past few years and, along with that, had rich guidance for businesses
5:43 am
attempting to comply with the reasonable security standards. one thing that i think california's also very strong on is the type of guidance that the state ag's office provides to the consumers and interacts with consumers and businesses to provide that important guidance. >> thank you very much. so i'm sure that none of us would want to interfere with states' abilities to have as strong as possible laws for cyber security, and so ms. moy, don't you think that perhaps the federal law should be a floor and that we should certainly allow states that have tougher laws to be able to enforce laws, and that would require the attorneys general to be involved? do you think that is the best way to approach this? >> i think from the consumers' perspective, that provides the strongest protection. you mentioned previously there's
5:44 am
a pattern among various states' laws. that is the case. look at various breach notification laws of the states, most of them cover a core of common information and have very similar requirements in terms of what ought to be provided in the notification, when the state ag and the consumer reporting agencies ought to be notified, and in addition to that, some states added on to that, and so that's where, for example, you see states like texas and wyoming and, just this year, hawaii, montana, added medical information to the class of protected information in order to extend protection to categories where they see a developing threat that must be addressed. >> so we certainly would not want texas to be preempted with the good law they have relating to medical information, would we, ms. moy? >> i do think that it's important not to preempt the protections for information like
5:45 am
medical information and including other states, the very state of mr. chairman, texas. >> thank you very much and i yield back. >> the chair understood the subtle point. the chair now recognizes another gentleman from texas, the chairman of the financial institutions subcommittee, for five minutes. >> i thank you, mr. chairman. i note if you let the federal standard be the floor and all the states then have an opportunity to start running up each other, basically, we're right back where we are now, defeating the purpose of having a federal standard. mr. dodge, in reading your testimony last night on the proposed data security legislation, there's actually a lot that i think you agree on, and i hope today that maybe we can discuss the provisions where we have a little difference of opinion. it helps to have a better understanding where everybody is on this issue.
5:46 am
i look at page 7 of the testimony, and you say retailers support a recalibrated security standard. under hr2205, we laid out a security standard that's process specific and based on key elements of programs that worked well under the program, and to ensure the smaller retailers are not burdened, we calibrate the standard to match the size, scope and type of information those entities hold. there are requirements that say if they do not apply to you, you don't have to necessarily implement them. so the question is, can you identify these specific processes we've laid out in our carefully calibrated -- that are not carefully calibrated in your estimation? >> thank you for the question, and i think, you know, it's important we be having the debate about proper national data security standards to help
5:47 am
businesses address this growing and sophisticated threat. it's the perspective of retailers that the act, the baseline for the legislation you introduced, and especially the data security standards within it, were expressly written for the financial services community. industries are very different. anybody who filled out a mortgage understands that the information that a bank holds is very different from that of a retailer. if we were to pursue legislation that replicated or shoehorned the act to apply to the rest of the business community, we would be applying this law to industries beyond the retail industry, of course, well beyond us in high-tech, internet, app makers big and small, and we think the history of enforcement through the federal trade commission provides a standard that's clear and strong for businesses to adapt to meet today's
5:48 am
challenges and that evolves into the future. you cannot regulate your way to security. we need to employ layers of security starting with the baseline that we believe is a strong standard, emboldening the federal trade commission to enforce standards and look for other ways to work together like strengthening the system and enhancing the security in the system today. >> now, you mentioned, i think, 50 ftc enforcement actions since 2001. that would be 3.1 a year. if you believe that ftc is your enforcement agency, do you support, then, giving the ftc, then, rule making authority to make a uniform standard? >> so the ftc enforced these cases under the unfair practices act or section 5 of the ftc act.
5:49 am
we think giving them express authority from congress is the right way to go about it, preserving that flexibility that they needed in order to adapt to the threats as they change over time. >> yeah, well the question is would you support, then, them promulgating standards that make sure the playing field is level and that you are doing the things that are specifically necessary in your industry to, you know, have a uniform standard? >> we do not support rule making because we think that's the purpose of passing a law. we think congress has the privilege of defining the law and leaving it to the agency to adapt it over time to have flexibility under current law. >> isn't that what we are trying to do, then? congress is trying to pass a uniform standard? >> exactly, exactly. we believe that providing the ftc authority to enforce data security laws based on the case law today, the common law based
5:50 am
in the 50 cases, provides them, businesses, not only with the clarity that they need on what the expectations are of government, but the flexibility for the enforcement agency, in this case, the ftc, to evolve over time to meet new threats. >> yeah. so do your members take steps to protect consumers' data? >> absolutely. there's no more important relationship in the retail business than the one they build and maintain with the customers. obviously, a breach, a data breach, is a breach of trust with those consumers. they work extremely hard to prevent data breaches. >> if they are already doing it, what's the objection to just codifying those? they are reasonable standards and they should be applied across the industry. >> you're speaking specifically about a law that was written for the financial services community. >> i'm talking about the law for -- written for -- i'm talking about my bill. >> right. so that bill, which you would be expanding under your
5:51 am
legislation, expanding the bill to the rest of the business community. we say stick within the current regulatory structure that has the federal trade commission regulating industries. >> we took principles from this, but this is not a rewrite, but this is a uniform national federal standard. >> the time of the gentleman expired. the chair now recognizes the gentleman from delaware, mr. carney. >> thank you mr. chairman and thank you to the panelists for coming today. i want to talk about the preemption issue because it's a concern for many of the members, and we've worked hard to try to address it. i said in the opening comments that the preemption provision in the bill should not have unintended consequences outside issues covered in the bill. we do not believe it affects the medical debt issue raised a moment ago with respect to california. we'd be willing to make that
5:52 am
plain. ms. moy, i thought i heard you say 50 different standards is not the answer. is that what you said? did i mishear your comments? >> so what i have said is that i think the best for consumers would be to create a floor, not a ceiling -- >> set a national standard and then -- >> right -- >> allow states to protect additional categories of information, for example, medical. >> so my understanding is that 13 states currently have data security standards like this? our legislation, our federal legislation, would be better than all of them except one, which is massachusetts, and i've been talking to some of my colleagues from massachusetts. would you agree with that? >> i think -- well, i think that also oregon has a pretty good standard, and i think that there are elements of other state laws that you might not consider specific data security laws, but you have elements -- >> so a pretty high standard. >> it is, yes.
5:53 am
>> that's the starting point for us. >> yes. >> there's been discussion about the standard in energy and commerce. is that a higher standard than what our bill would propose, or -- >> well, so that standard is a reasonableness standard that looks more like what the federal trade commission is currently doing, so i think the difference here is not only might there be a difference in what the language says in that bill, i think, also, you know, we'd be looking to the common law of the federal trade commission and others to flesh out what the specific requirements are, but it's also really important when thinking how strong the security standard is on who has the power and who is guiding the parties there. if the federal agencies are solely responsible for it, even a strong standard might not provide as strong protection as a general reasonableness standard allowing state ags to work on a piecemeal basis for those trying to comply. >> you think the standard in the
5:54 am
bill is pretty good? pretty high standard in terms of the federal standard, but you believe the states ought to have the flexibility to go beyond that, notwithstanding other issues. have you looked at the bill in terms of enforcement provisions in the bill? how do you suggest they are improved upon in your point of view? >> so i can't -- i have looked at it. unfortunately, i'm not prepared for a statement, but i can in writing if you prefer. the key issue with respect to enforcement, i believe your bill would only facilitate enforcement by agencies, and i -- >> what i heard you say is that allowing the state ags a role there would be an improvement, again, not having looked at the details there? not to put words in your mouth. >> yes, yes. i believe that a very critical
5:55 am
element here is we have to have enforcement authorities. >> i explore the issues because, like i said in the opening statement, we are willing to try to improve the bill to get a greater consensus around. we believe that, i think, as you said, a national standard, this is not the way to go but it's got to be a high bar, and one that's enforceable. would any of the other panelists like to comment on the conversation that we've just had about preemption against the standard and enforceability of the standard? >> if i could, congressman. the bill takes on the issue in the right way, and that is to recognize that the act of legislating to unify state regimes with a federal regime not preemptive adds a 48th regime and would not serve the purposes that the legislation seeks to
5:56 am
undertake, which is to protect consumers' financial information, and from eta's perspective, there's the right approach to ensure that that federal regime is operative and not interfered with. >> everyone agrees that we need a higher standard and one standard across the country? >> we fully agree there should be a national standard. we think that the states deserve a tremendous amount of credit for enacting where the federal government has not yet, and that's why we believe, as a broad concept, preemption should -- strong law should offer preemption as a broad concept, state ags play a role in the enforcement of it. >> thank you mr. chairman. >> the time of the gentleman expired, and the chair recognizes the gentleman from new jersey, chairman of the capital markets subcommittee. >> thank you mr. chairman. thank you for holding this hearing, an issue that really hits home for a lot of folks. i have to start with a couple questions, at the basics if i can, and governor, throwing it
5:57 am
to you. when there is a breach or someone steals your card, and that goes to a retailer and buys a tv, and you find out so on and so forth. who actually is responsible for that? is it the -- does target pay the bill for that, does the bank that issued my mastercard, or if it's not that, is it the bank or the visa, mastercard, or discover paying for that? >> the answer's complicated, but the simple version -- >> what i'm looking for. >> the consumer is made whole and the issuing bank makes them whole. however, there's a secondary process managed and run by contract between the payment networks and various players in the payment system that gets resolved through a -- shall we say, contract process between
5:58 am
visa, mastercard, the issuer, which people take issue with how that all works from time to time, but that's sorted out after the fact. >> oh okay. anyone else? >> i would add to that, yes. it's the merchant who ultimately pays for fraud in the wake of a data breach, should that occur at a retailer, and they pay a variety of fees, three total, first one on every transaction, the component is a prepayment of fraud or prepayment of the breach, should one occur, and then post breach there's the fee associated with reissuing the cards and -- >> right, where the banks pay the $15, whatever it is, to pay and send me a new card. >> but the mother chapter reinvests, and so i hear different stories on that. >> yeah. there's a schedule of the repayment in the written testimony. >> i'll take a look. i just got one of the cards with a chip on it. also, just to be clear on this
5:59 am
putting this chip on the card may help to some degree, as far as the lost card, stolen card, as far as going to the retailer, but as someone else on the panel said, it was in the testimony, this chip does absolutely nothing with regard to when they steal that information and they use it online, is that correct? >> i think it's important to note that the chip, the technology that's available in the united states today, predominantly magnetic stripe, 1960s technology, europe introduced something called chip and pin technology more than a decade ago. >> right. >> in europe, i understand you saw an uptick of the data breaches not at the store anymore or retailers anymore, but online? >> that's true. fraud moved in two directions. it moved online. it moved to the united states. suddenly, the united states had the weakest security in the world. it still does today. when chip only goes into effect later this year, the united states
6:00 am
will still have the weakest card technology in the world. >> someone said, and maybe down here, you said we can't solve all this stuff, and putting the -- bottom line, the chip is not going to solve it, but also to the point of what seems to be a lot of discussion in the bill as well, as far as the disclosure information that, as ms. moy talked about and others as well, that does nothing -- actually that does not prevent the fraud in the first place.
captions copyright national cable satellite corp. 2008 captioning performed by vitac