tv Politics Public Policy Today CSPAN May 22, 2015 3:00pm-5:01pm EDT
3:00 pm
great technology companies down because of quality of life but our energy deposits and future sources will be in places a long way from urban areas. senator dorgan sees that. the contact tower program and airport improvement program are critical to states like montana. we're concerned that the proposed changes will harm the program specifically. i encourage you to undertake consultation with all stakeholders. what specific remedies, can the faa provide to rural airports as it considers reforming the air traffic control program? >> you've asked a very important question and it is something
3:01 pm
that as we have this longer term discussion of investment and structure that everyone understands that the program, aviation system and the grant program and aviation structure in the united states has always been about achieving twin objectives. first is to have an efficient system that serves the largest number of passengers and second is to provide a level of access to communities throughout the country. and in previous reauthorizations
3:02 pm
that has always been a matter of great debate as you well know between members of congress about how to achieve that balance. that challenge and issue does not go away under any structure, nor does any structure alone deal with what those issues are. what you're raising is an important public policy request, where are we going with respect to ensuring a modernization of that system, while at the same time ensuring some level of access. and that debate i think is >> let me give -- i was part of building a great technology company in montana and had a great airport, the bozeman airport. i was in tokyo and bouncing across the water a lot thanks to connectivity with airlines. i want to step back and ask, as you look at global systems, a great airline like united airlines, in the air traffic control systems used by other countries, what do you see from some of these countries? something we can learn to apply best practices and improvements in our system going forward that will make the u.s. system better.
3:03 pm
i realize there's scale questions but can you share how we can make our system better based on what other countries are doing? >> yeah, sure, i would be happy to, senator, thank you. what we're looking for in this opportunity is to provide logical improvements which improve throughput or reduce time travelers sit on a runway waiting to take off, reduce the instances of circling airports waiting to land, reduce congestion, reduce fuel burn and we believe that technology is absolutely scalable. it is true -- let's say you've got nav canada, among the best jobs in the world and they have the most advanced technology and happiest air traffic controllers, all true things. even happier than yours and they are pretty happy. someone mentioned these were the unsung heroes, we sing their praises daily because they are very professional.
3:04 pm
and thanks for it. although it is indeed smaller, air transport has been handled sectorally and you know from your own history, technology scales magnificently. and i think there are tremendous opportunities. we certainly as we fly around the world there are some systems better than others and some foreign countries that handle it well and others that don't. but we're very focused on not only maintaining where we are and where we are in safety for sure, but in improving the efficiency of this system because this system so -- even though we're a global carrier, this system disproportionately affects our operational customer satisfaction and fuel burn. if we get it right and have an opportunity to get it right, we can have a huge step forward in the efficiency of this system in the value of this system to the united states and the economy to consumers, this is a tremendous opportunity for us.
3:05 pm
this is the system we focus on the most because this is where we actually have not only a vast majority of our assets and our flights, but also this is an opportunity for the united states of america, where we are citizens and in the united airlines is a citizen of the united states to provide the best air traffic control system in the world. >> i'm out of time and will say the nighting public, you can see all of the traffic in the air at any given time is humbling. and grateful for what we have here with 130 million, number used there, i believe it was. >> 132 million. >> these are impressive numbers
3:06 pm
and keeps us aware of the system here today. >> to address the first question -- >> if you look what the faa tried to do, to shut them down because they didn't have funding, majority of those more contract hours but more faa towers, majority of them were in rural america. that is one of our biggest concerns about status quo. >> thanks for looking out for rural america. >> thank the senator from montana for looking out for rural america and i think he and i would probably both agree at the end of this we would like to see more direct flights to and from, is that right? >> i appreciate i think we've run out of questioners and i do appreciate very much the panel great remarks today, different perspectives, this is the senate's first foray into the issue of reform and we have to figure out a way as we move towards reauthorization of doing what's best. we all have the same goal in mind as was pointed out. sometimes maybe slightly
3:07 pm
different perspectives on how best to get there but i think one of the things raised, is going to be an important one. and i think that's something in the current budgetary environment that we find ourselves in today is increasingly challenging. so i think there's an openness to look at models that might better cope with that issue as well as some other issues that were raised today. thank you all very much and the hearing record will stay open for two weeks for members to submit questions and you can respond in a timely way to the questions, it will be most appreciated. this hearing is adjourned. if you missed any of the hearing on modernizing the air traffic control system, you can watch this any time online.
3:08 pm
3:14 pm
3:15 pm
it is a testament to members welcomed home. i assume we have many of our colleagues who are furiously running from hvc 201 as we speak. since the beginning of the year. so you will notice a few changes in the room. it was caused by an upgrade of the audio-visual systems. although i did not specifically request it i now notice there are twice as many microphones in our hearing room as before. i wish to notify members that does not mean they can speak twice as long. that does not go along with the microphones. in addition, you notice our witnesses are quite a ways away,
3:16 pm
that we have less room for the public as hearing rooms are renovated, they must be made and should be made compliant with the americans with disabilities act. this room complies with that ada statute, which means every row has been enlarged, which means we have lost part of our gallery, but the overflow room is still alive and well. in addition for those who've moved into a new home or new apartment, there is such a thing known as a punch list. for some, you may be kicked out of the room in the next five to seven days as the punch list is attended to. another change in our committee room. if you will look over my left shoulder, you will see our -- the portrait of our most recent chairman, spencer bachus. for those with tenure on the committee, myself and the ranking member, to have barney over one shoulder and spencer
3:17 pm
over the other, it seems like old times. we certainly know of barney's fierce intelligence, but i hope people remember spencer's gentle and kind leadership of this committee and sometimes when emotions and passions start to run high, let's remember the example he set for us of respect and decency and, yes, humor, and somehow in any moment, i expect for these two to carry on one of their classic debates. we'll see if that actually happens or not. i believe that is all i need to say about the hearing room at the moment. in which case the chair now recognizes himself for three minutes for an opening statement.
3:18 pm
today's hearing will be focused on protecting consumers and their private financial information in an age of computer hackers. the world has experienced a technology revolution, one that's brought remarkable benefits to consumers and the broader economy, but it's also increased some risk on consumers by making the theft of their personal financial information a profitable enterprise for cyber criminals and computer hackers. in the era of big data, large scale security breaches are unfortunately all too common. in every breach, consumers are exposed and vulnerable to theft, fraud, and a host of other crimes. we have certainly all read about
3:19 pm
the high profile headline grabbing breaches at target and home depot. according to the identity theft resource center, there were 783 data breaches in 2014, an increase of more than 27% over the prior year. the center for strategic and international studies estimates that such attacks cost the u.s. economy $100 billion, billion with a b, annually. american consumers rightfully expect their personal information to be protected by their financial institutions, by their retailers, card networks, payment processors, and, yes, by their federal government. consumers should not be left to hope and pray their personal information is safe every time they swipe their debit or credit card and enter information online. they deserve protection, so, today, the committee will hear from representatives of organizations whose members
3:20 pm
constitute the major participants in the payment system. we welcome their expertise and insight. my hope is that this hearing affords members on both sides of the aisle an opportunity to better understand what security measures are currently in place to prevent data breaches, how consumers are notified following a breach, what types of emerging technologies will help reduce frequency and severity of breaches, and what steps are taken by the merchant and financial services communities to address the problem and where additional federal legislation will be warranted. i hope we engage in a thoughtful, constructive dialogue on a bipartisan basis,
3:21 pm
and in that regard, i thank the chairman and mr. carney for starting this dialogue, by introducing the bill to address this important problem. i will now yield back the balance of my time and recognize the ranking member for three minutes. >> thank you, mr. chairman. americans are increasingly reliant on electronic means to communicate, shop, and manage finances, while new technologies bring new opportunity, they bring a range of new vulnerabilities, massive attacks on our nation's largest retailers and financial institutions are impacting virtually every sector of our economy and our national security. consumers are not the only ones who pay the price of a breach. the cost of recovering losses by retailers and card issuers can be extensive and weigh particularly heavy on small community banks and credit unions. we all know companies face a number of challenges in determining how best to secure customers' financial and personally identifiable information.
3:22 pm
in addition, we know that there are significant costs to complying with various state laws and providing notice after a breach. however, as we consider setting national standards for safeguarding consumers' personal information and ensuring timely notification, we have to acknowledge the good work of those states that, for years, have been at the front lines of this fight. i believe that any federal preemption should complement states' protections and ensure, at a minimum, that state attorneys general continue to play an important role in enforcement and notification standards. in setting minimum standards, we need to be careful not to hamstring our states' and regulators' ability to adapt
3:23 pm
and strengthen protections for consumers. otherwise, we'll limit regulators' ability to keep up with technology change and reserve a private right of action for consumers and for financial institutions to ensure that affected entities and breach victims have further recourse. further, consumers must be consistently provided with clear disclosures of the rights and remedies available to them so they are aware of the various ways in which they can protect themselves from identity theft and fraud and other cyber crimes. mr. chairman, efforts to guard against cyber threats are critically important and shouldn't devolve into the same partisan fault lines seen on far too many other issues before this committee such as the baseless attacks on watchdogs like the cfpb and blocking efforts to reauthorize the charter of the
3:24 pm
export-import bank that expires in 22 legislative days. with that, i look forward to hearing from the witnesses today, and i yield back the balance of my time. >> the chair recognizes the gentleman from texas, chairman of our financial institutions subcommittee. >> thank you, mr. chairman. you know, we live in a world where a global market has a global payment system, delivers payments to consumers in the blink of an eye, and an immense amount of information is processed and stored in any one transaction. the security of the system is only as strong as its weakest link, and, today, i look forward to learning more about the new payment technologies that continue to facilitate payment efficiencies, speed, and security. i hope to have a robust technology discussion about what new standards are needed to level the playing field. this month, congressman carney and i introduced legislation to build on the work of senators carper and blunt. the starting point was to lay out a robust data security frame
3:25 pm
work for the financial institutions. almost 16 years later, this framework has worked very well. the security standard is based on certain core principles. first, because we have a global payment system, we have a standard and breach notification standard. a standard must minimize regulatory requirements, but must carry with it strong federal enforcement mechanisms. second, the security standard has to be technology neutral and process specific. it must reasonably identify certain core elements in the absence of an ftc rule making. third, it is absolutely necessary that the data security is based on size and scope of the operation and type of information that it holds. legislation must recognize that the corner market cannot and should not have the same standard as the largest retailer operating in 50 states. while i'm confident in the bipartisan legislation, i'm open to working with any member of the interested groups, one to minimize consequences and tailoring this legislation.
3:26 pm
we have a shared interest in signing this into law, giving consumers the safest payment system possible. i thank the panel for being here this morning, and i look forward to looking at the testimony that's been entered, this is going to be a very informative session for our members, and i think it's good that we have these different interests at the table today, and so, mr. chairman, i look forward to a very informative hearing. >> gentleman yields back, the chair recognizes the gentleman from delaware for two minutes. >> thank you, mr. chairman. mr. chairman, over the last decade alone, data breaches compromised nearly a billion records containing sensitive information. experts estimate when this occurs in the united states, it costs consumers an average of
3:27 pm
$290 per victim. studies show that cyber criminals cost u.s. companies approximately 100 billion a year. one thing is clear that the current patchwork of 47 state data breach laws is failing to protect american consumers. that's why we have worked together on a bipartisan effort to develop a data security breach notification framework that all stakeholders can operate within. we think consumers and the companies that handle personal financial data should all know the rules of the road when it comes to the standard for protecting this data. our bill, hr2205, data security act, builds off the efforts by senators carper and blunt across the capitol. the bill implements a strong notification standard requiring companies to enact a program that is robust and scalable with the goal of protecting consumers' personal information from breaches setting a republican standard for timely notice to consumers when a breach occurs. importantly, the bill's requirement avoids a one size fits all allowing companies with varying sizes and complexity. as with any comprehensive piece
3:28 pm
of legislation, our bill can always be improved. for example, clarifying that the preemption provision does not have consequences outside the issues covered in the bill merits further attention. i look forward to working with my colleagues on both sides of the aisle to make improvements to this legislation where necessary. the fact is, though, that the white house, congress, and the private sector and consumers all agree that the status quo is not acceptable, and i'm encouraged that this committee's having the hearing today and moving forward to protect consumers, businesses, and the american economy. i'd like to thank the leadership on the issue and look forward to hearing the witnesses' testimony and feedback on the hearing this morning. thank you, i yield back. >> the gentleman yields back, and, indeed, it is time to hear from the witnesses. we welcome you all to the panel.
3:29 pm
first, the honorable tim pawlenty, former governor of the state of minnesota. mr. brian dodge, executive vice president of communications and strategic initiatives at the retail industry leaders association. mr. jason oxman is the chief executive officer of the electronic transactions association. mr. steven is the general manager at pci security standards council, and last but not least, laura, a senior policy counsel at the open technology institute. several of you have testified before congress before. i'm not certain of all of you, so we have a rather simple lighting system, green means go. yellow means hurry up because the red light is soon to follow. red means stop. the yellow light comes on with one minute to go. each of you will be recognized
3:30 pm
for five minutes for an oral presentation of your testimony. without objection, each of your written statements will be made a part of the record, and since we are brand new in our refurbished space, in the old hearing room, you had to pull the microphones very close to you. i think now you can keep them a somewhat comfortable distance from your mouth. governor, you will be the tester on the new sound system, and you are recognized for your testimony. >> good morning, mr. chairman, ranking member waters, members of the committee, thank you for the opportunity to share a few thoughts with you this morning about one of the most pressing issues facing our country, the emerging, growing, and threatening warfare that takes place commercially and otherwise upon
3:31 pm
the globe and visited upon american consumers and in ways that deserve the congress's attention. to show you what we're up against, 80% of the companies breached in 2014 did not know they were breached until somebody else told them, a third party told them, sometimes the government, a vendor, but a third party. the length of time between the breach and the discovery was months after the fact. another interesting fact, over half the adult american population had their personal data exposed last year according to a cnn published report. and the list goes on including we know through public and confirmed reports that this is no longer college kids in their basements having fun trying to get into some systems. these are nation state actors or semistate nation actors including china, north korea, iran, russia, former soviet sponsored states, and individuals and enterprises associated with them with sophisticated crime syndicates. if one of the entities focuses
3:32 pm
on a company, it's not going to end well for the company or customers. we need a robust, muscular response to the threats, and the fact this committee's paying attention to the issues, we appreciate it very much. mr. chairman, thank you to the house for passing on more than one occasion threat information legislation and legislation that we hope the senate does the same, not sharing personal information, but the threat information sharing bill is helpful to the cause in making the country prepared to defend against threats. relating to the financial services sector and payments system, our sector, as the chairman mentioned, dealt with the issues in a regulated context for quite some time. it was passed in 1999, part of the act, of course, was to visit upon this industry a set of security standards and enforcement mechanisms including the examination process. that, i think, served the industry well. looking at the permit of breaches taking place in recent years, our sector has the lowest breach incident rate, still have a lot of work to do, but compared to other major sectors, it's progress, and that's because of the good work that's
3:33 pm
been done since the act and otherwise. we're about to launch secure top level domains, dot-bank and dot-insurance, should help with the issues, involved with an analysis center, first in the country, most robust, and more. as it relates to the payment system, it's about to get a lot better. we're going to move as a next step to the chip enabled cards that's already happening. the networks said, look, if you want to avoid fraud liability, make the transition by the end of 2015, and some say, look, we're not ready, it will take longer, but over the course of the next couple years, there will be chip cards that will help, but don't be focused just on that. that's technology from the 1960s. magnetic strips were invented in the 1960s. pins invented in the 1960s, and
3:34 pm
chips more recently. it's moving beyond that discussion. new technologies considered include voice recognition, facial recognition, location, biometrics and more. it evolves rapidly and continues to evolve as new technology emerges. the legislation before you, the congressmen, thank you very much. we strongly support hr2205, an excellent piece of work, may need modifications as mentioned, but it does important things, creating for all sectors, not just the health care sector, but a data security standard, which is really important, and it's flexible. we're only as strong as the weakest link in the chain, we got strong standards, but if another link in the chain doesn't, the whole system's exposed, so thank you for putting the marker down on a strong standard. we strongly support that. another important piece of the
3:35 pm
bill is a uniform data breach notification law. many states, including my own, have strong laws in this regard, and thinking of cyberspace, how commerce is conducted now, it does not make sense for 50 standards and approaches, 50 responses to a breach in the notification relating to it. in closing, as you think about this, we're not asking for any current state initiatives to be diluted, but if you set a standard, set it high, nation leading. i'm out of time, mr. chairman, thank you for the chance to be here this morning and the leadership on the issues. we support what you are trying to do. >> we thank you, and mr. dodge, you are recognized for five minutes for the testimony. >> good morning. chairman, ranking member waters, i'm brian dodge, executive vice president with the retail industry leaders association. thank you for the opportunity to testify today about data security and the steps the retail industry takes on this important issue to protect
3:36 pm
consumers. we are the trade association of the largest retail companies, and we embrace technology to provide american consumers with unparalleled services and products. while technology provides great opportunities, nation states, criminal organizations and other bad actors use it to attack businesses, institutions, and governments. as we've seen, no organization's immune to attacks. retailers understand that defense against cyber attacks has to be an ongoing effort. as leaders in the retailer community, we take new and significant steps to enhance cyber security throughout the industry. to that end, last year, the sharing center in partnership with america's most recognized retailers, the center opened a steady flow of information sharing between retailers, law enforcement, and other relevant stakeholders. they've established a formal working relationship with the financial services, a move that will, among other things, ensure collaboration across the payments ecosystem on the issues.
3:37 pm
we applaud the house for passing cyber legislation, and we hope the senate takes up and adopts hr1560's flexible approach to electronic sharing. while we expect we'll discuss many cyber security topics today, one area of the security that needs immediate attention is payment card technology. woefully outdated magnetic stripe technology used on cards today is the chief vulnerability in the payments ecosystem. retailers are estimated to invest $8.6 billion for terminals to accept chip cards later this year, but they will not be issued with pins. chip and pin technology has proven to reduce fraud when deployed elsewhere around the world. in contrast, signature technology falls short of providing consumers the best security available today. retailers believe the chip and pin prevent criminals from duplicating cards with ease,
3:38 pm
devalue the data that retailers collect at point of sale. ultimately, these steps have been proven to substantially reduce the economic incentives for cyber criminals to launch these cyber attacks. before i discuss what really is a data breach policy consideration, i will briefly highlight significant data security and data breach notification laws with which retailers currently comply. 47 states have adopted data breach notification laws. in addition, retailers are subject to robust data security regimes. the federal trade commission prosecuted more than 50 cases against businesses charged with failing to maintain reasonable data security practices. these actions have created a common law of consent decrees that clearly spell out the data
3:39 pm
security standards expected of businesses. in addition, inadequate data security measures for personal information leads to violations of express state data security laws. also, many states have so-called ftc acts, prohibiting unreasonable data security practices. finally, retailers voluntarily and by contract follow a variety of security standards including those maintained by pci and iso. while retailers comply with the range of data breach notice requirements, a carefully crafted federal data breach law clear of regulatory confusion can protect and notify customers better. they support legislation that's practical and proportional and sets a single national standard. this supports data breach legislation that creates a single national notification standard allowing businesses to focus on quickly providing affected individuals with actionable information that ensures that targeted notice is required only when there's an actual risk of identity theft, economic loss, or harm.
3:40 pm
that ensures that the responsibility to notify is that of the entity breached but provides flexibility for entities to notify the party, establishes personal information, recognizes that retailers already have robust data security obligations, and that security must be able to adapt over time. i thank the committee for inviting me today. i look forward to answering your questions. >> mr. oxman, you are recognized for five minutes for your testimony. >> thank you, mr. chairman, ranking member waters, i'm the ceo of the electronic transactions association. eta is the trade association of the payments industry, our more than 500 member companies are focused on providing the world's most secure, reliable, and functional payment systems to american merchants and consumers. electronic payments in the united states are largely invisible to consumers because simply put, they just work. u.s. consumers carry 1.2 billion credit, debit, and prepaid cards in their wallets, used to pay
3:41 pm
electronically at more than 8 million merchants in the united states. indeed, eta companies process more than $5 trillion in u.s. consumer spending every year. that means thousands of transactions are moving across our network every second. now, consumers enjoy a wide variety of ways to pay electronically including in person with a card, mobile device, or watch or remotely via phone or internet. from the moment a consumer initiates a payment, the transaction is securely transmitted, authorized, and processed within a matter of seconds. eta member companies take very seriously the obligation to protect the security of the customers' information. consumers in the united states choose electronic payments because they benefit from 0 liability for fraud, making electronic payments the safest and most secure way to pay. today, criminal fraud amounts to less than 6 cents of every $100 processed in transactions.
3:42 pm
it's a fraction of a tenth of 1%. even though fraud represents a tiny percent of overall transaction volume, we deploy cutting edge new technology using self-regulatory industry guidelines to bolster the fight against fraud. i'd like to highlight three concrete steps the industry is taking to protect consumer information and prevent data breach. first, eta members are deploying emv enabled chip cards to fight the number one cause of card fraud, counterfeit cards, that represent two-thirds of card present fraud in the u.s. today. now chip cards prevent cards from being copied. they do not stop data breaches, but they make it harder for criminals to reap rewards of those data breaches. chip migration happening now in the united states, it's the most complicated overhaul of our
3:43 pm
payments technology system in the 40 years since the magnetic striped card was introduced. our banks need to replace more than 1 billion cards. merchants need to upgrade point of sale equipment at more than 10 million locations. we're working together and getting it done. second, our industry is deploying new tokenization technology replacing card information with a one-time use token. even if intercepted by criminals, the tokens cannot be used to generate fraudulent transactions. think of a token as a mathematical cryptogram that cannot be reproduced. one example is a mobile transaction. tokens can be used in card environments as well, and we're working with merchant partners to apply token technology at both brick and mortar and online retail. third, eta members are helping
3:44 pm
merchants secure the point of sale by deploying new encryption technologies, point-to-point encryption is a way to secure all entry points against attack, denying cyber criminals the access needed to install malware and other cyber hacking tools. as our industry deploys all layers of technologies, i want to affirm eta's strong support for legislation that creates uniform national data standards and data protection breach standards as well. such standards must be industry neutral, must be preemptive of state law, and this is the approach set out in hr 2205, which eta strongly supports. we applaud the chairman for engaging in the important dialogue with the legislation. eta also supports legislation to promote information sharing. sharing of information across government and technology and manufacturing companies will support prevention of and investigation of breaches and
3:45 pm
ensure against cyber attacks. cyber criminals are increasingly sophisticated and global in scope, and we are working proactively to address every threat. we must not forget data breaches of merchants and consumers make them victims of crime. we share a desire to stamp out fraud and take seriously our responsibility to all of our customers to do so. thank you for the opportunity to be here, and i look forward to the questions, mr. chairman. >> mr. orfei, you are recognized for your testimony. >> thank you, sir. good morning, i'm steven orfei, general manager of the pci security standards council. i have the privilege of leading a talented and deeply committed membership organization that is responsible for developing and maintaining the global data security standards for the
3:46 pm
payment card industry. our approach combines people, process, and technology. continuous effort in applying our standards is the best line of defense against organized crime, state-funded actors, and criminals who threaten our way of life and attempt to undermine our confidence in the financial system. everyone has been victimized by these criminals, and we know the very real harm caused by breaches. developing standards to protect payment card data is something the private sector and specifically pci is uniquely qualified to do. consumers are understandably upset when payment card data is put at risk. the council was created to protect payment card data. our community of over 1,000 of the world's leading businesses tackles data security challenges ranging from simple issues, for example, the word "password" is still one of the most commonly used passwords, to complex issues like encryption. our standards are a solid foundation for a multilayered security approach.
3:47 pm
we aim to remove payment card data if it is no longer needed. simply put, if you don't need it, don't store it. if it's needed, protect it. reduce the incentives for criminals to steal. here's how we do that. the security standard is built on 12 principles, covering everything from logical to physical security and much more. it's updated regularly through feedback from our global community. we manage eight other standards that cover card production, pin entry devices, payment applications, and much, much more. we work on technologies, best practices, and provide market guidance. we have laboratories that vet solutions that we list on our website. all of our information is free. our mission is to educate, empower, and protect.
3:48 pm
now, our end game strategy is to devalue the data so it's useless in the hands of the bad guys. we have three technologies that will allow us to do so: emv at the point of sale, point-to-point encryption, and tokens. when bundled and implemented properly, the data becomes useless, and there's no reason to break in. that's why the council supports adoption of emv in the u.s. through organizations such as the emv migration forum and other standards that support emv today in other worldwide markets. emv chip is not a silver bullet. additional controls are needed to protect the integrity of payments online and in other channels. this includes encryption, tamper resistant devices, malware protection, network monitoring and more, all vital parts of the pci standards.
3:49 pm
effective security requires more than just standards, for standards without supporting programs are just tools, not solutions. our training and certification programs have educated tens of thousands of security professionals, making it easier for businesses to choose products that have been lab tested, certified, and secured. finally, we conduct global campaigns to raise awareness of payment card security. leadership on the issue is important, and there are clear ways in which the federal government can help. for example, by leading stronger cooperative law enforcement efforts worldwide, and by encouraging stiff penalties for the crimes, and recent initiatives on information sharing are also proving to be invaluable. the council is an active collaborator with government. we work with treasury and secret service and other entities
3:50 pm
including global law enforcement, like interpol and europol. in conclusion, payment card security is complex. silver bullet solutions do not exist. unilateral action is usually a disappointment. alliances, partnerships, information sharing and collaboration between the public and private sector is critical. the pci council stands ready and willing to do more to combat global cyber crimes that threaten our way of life and confidence in the financial systems of the world. we thank the committee for taking a leadership role and seeking solutions to one of the largest security concerns of our time. thank you. >> thank you. ms. moy, you are now recognized for your testimony. >> thank you. thank you so much, mr. chairman. thank you. good morning ranking member waters and other members of the committee.
3:51 pm
thank you so much for your commitment to addressing data security and data breaches and for the opportunity to testify on this important issue. consumers today share tremendous amounts of information about themselves. consumers benefit from sharing information, but they can be harmed if that information is compromised. for the most part the states are actively dealing with this issue in ways tailored to address the needs of their own residents, but with a large body of common elements. at least 29 states have introduced or are considering breach notification bills or resolutions this year alone. bills in 27 of those states would amend existing laws to account for changing needs and changing threats. only three states have no breach notification law on the books and two of those states have considered bills this year to change that. consumers would therefore be best served by a federal bill on this subject that sets a floor for disparate state laws not a ceiling. to the extent congress considers
3:52 pm
broad preemption, any new federal standards should strengthen or at least preserve important protections that consumers enjoy at both the state and federal levels. because any broad preemptive bill would bring an end to the legislative activity taking place in state legislatures, it would also need to provide a similarly agile mechanism for quickly adjusting the law in the future to match developing technology and new threats. unfortunately a number of recent legislative proposals would diminish consumer protections in a number of ways, by replacing strong and broad state protections with a weaker federal standard. in addition, a number of the bills do not provide the flexibility we need to make sure consumers' personal information remains protected as the information landscape changes. don't get me wrong, many -- most of the bills we have seen would certainly offer some new benefits for consumers, but many consumer and privacy advocates, myself included, question whether those new benefits
3:53 pm
outweigh the potential harm to state jurisdiction and to consumers' existing protections. i will, therefore, focus today on four potential shortcomings of federal legislation that would need to be addressed in order to ensure that any new bill represents a net gain for all consumers. first, federal legislation should not ignore the serious physical, emotional and other nonfinancial harms that consumers could suffer as a result of misuses of their personal information. a bill that would preempt state laws and condition breach notification on demonstrated risk of financial harm could actually reduce consumer protections in 33 states and the district of columbia where the existing law either has no harm trigger or has one that is not limited to financial harm. second, federal legislation should not eliminate data security and breach notification protections for types of data that are currently protected under state or federal law. some current legislative
3:54 pm
proposals feature a narrow class of protected information along with broad preemptions. such legislation would eliminate protections consumers currently rely on at the state and sometimes federal level. for example, many bills would eliminate protections in ten states for health information or eliminate federal protections for telecommunications, cable and satellite records. third, federal legislation should provide a means to expand the range of information covered by the bill as technology develops. the ten state breach notification laws that now cover health information represent a clear trend as states are currently updating existing consumer protections to respond to the growing threat of medical identity theft. we can't always forecast the next big threat years in advance, but unfortunately we know that there will be one. federal legislation on this topic must provide flexibility to meet new threats. whether by continuing to allow states to protect classes of information that fall outside the four corners of the bill or by establishing agency rulemaking authority on the definition of personal
3:55 pm
information. fourth and finally, federal legislation should include enforcement authority for state attorneys general. thousands of data breaches are reported each year. many of which affect only a small number of consumers. federal agencies are well equipped to address large data security and breach notification cases but could be overwhelmed if they lose the complementary support of state a.g.'s when it comes to handling smaller cases, providing guidance to small businesses and providing resources for local consumers. i and many of my fellow privacy stakeholders are not opposed to the legislation, but any such legislation must strike a careful balance between preempting existing laws and providing consumers with new protections.
3:56 pm
the open technology institute appreciates your close examination of this issue and i'm looking forward to your questions. thank you. >> the chair now yields himself five minutes for questioning. so based on my unofficial survey of good folks in the fifth district of texas that i have the privilege of representing, data breach, although they don't typically use that phrase, certainly makes their top 20 anxiety list and probably their top ten when they think of identity theft, other forms of theft, privacy law, so it's a very serious matter, but as ms. moy was positing in her testimony there is a cost and a benefit associated with anything we do around here, so to state the obvious, we are lawmakers and there is a law made about 15 years ago, gramm-leach-bliley, that dictated standards. there's been a lot of innovation since gramm-leach-bliley was written into law. so let's start with you,
3:57 pm
governor pawlenty. what exactly is broke? what needs fixing here? where does gramm-leach-bliley work and where doesn't it work? >> mr. chairman, if you just step back from how individuals might characterize it and ask them these questions, how is the current system working? half of the american -- adult american population has their personal data exposed in one year. it is not a stretch of the imagination to think somebody could get into the electrical grid and shut it down in a big part of the country not for a day or for a month but months on end. you lose that and lose electricity in your district, lose pressure for natural gas pipelines, points of sale go down, you can't transact anything electronically, you've got a very, not existential but very dramatic impact on the country. so it requires i think a sense of urgency and a sense of understanding regarding the magnitude of the threat. as to gramm-leach-bliley, it works, it's flexible, makes accommodations for the size of
3:58 pm
the business, but it says given the importance of this infrastructure to the country, if the payment system doesn't work, it's stalled or people lose confidence in it, you're going to have a big piece of the economy grind to a halt. there's trillions of dollars of payments that flow through the northeastern united states per day. if that gets shut down or disrupted or interrupted you've got a material, i would say bordering on existential, threat to the country. so this is an urgent deal, it is growing in terms of its concern exponentially. gramm-leach-bliley works, however, no institution is immune. we have some of our biggest institutions that have been breached, the best in the world, the nsa, breached by an insider threat. so there is much more work to be done on all fronts and we're the best of class, financial services gets breached from time to time, we manage it, people get their money back, it's
3:59 pm
inconvenient, but the other sectors that don't have these kinds of standards and capability need to up their game and you can help lead that effort. >> mr. oxman, you in your testimony i think were lauding the element of the legislation of mr. luetkemeyer, mr. carney about preemption, national standards. it seems to be an open question in ms. moy's mind regarding preemption and perhaps national standards. why do you consider preemption and national standards to be so important? >> mr. chairman, as a number of witnesses noted, we all share an interest in ensuring the consumers and merchants are protected, but when something does go wrong we also need to make sure that we get the word out as quickly and efficiently as possible and make sure those protections that are available under law kick in. the reason the consumers use electronic payments is because they are 100% protected against any liability for fraud, but we still need to get information out to them.
4:00 pm
there are 47 different regimes companies have to subscribe to and it's not just the payments industry, it's every company in the country that has to subscribe to these 47 different regimes. they all appoint a different time, place and manner for the notification, they all have different triggers for what kind of notification has to take place. some of them are even contradictory, there's one state that actually requires the breach notification include information detail about the breach itself, there's another state that makes it illegal to include any information about the breach itself. so in some cases they're contradictory. if we had a uniform national standard it would allow everyone on the ecosystem to work together toward the same goal which is to provide that reasonable notice that needs to be provided as quickly as possible. >> in my remaining time, governor pawlenty, back to you. so our colleagues on the energy and commerce committee have reported a piece of legislation with regard to a national breach notification law that only impacts retailers.
4:01 pm
should this committee not act, from your vantage point what does the world look like if that e&c, energy and commerce, bill becomes law? >> mr. chairman, i know time is short. don't let the perfect get in the way of the good. we'd like to have the standards apply across the board, otherwise their effect is diluted. we can be really good but if our partner in payments has a flawed, outdated, weak system at a point of sale or in a back room at, say, fill in the blank retailer or a different sector, the whole chain of events gets compromised. so it's only as good as the whole chain. and if you just do one piece you're missing a very important part or opportunity to up the game of the whole system. it's an ecosystem, it has to be addressed holistically or the whole system is compromised. >> my time has expired. the chair now recognizes the ranking member for five minutes. >> thank you very much, mr. chairman. first i'd like to thank mr. carney and mr. neugebauer for the
4:02 pm
work they've done on this legislation. i believe that both sides of the aisle are concerned about getting a strong piece of legislation that will protect our consumers. this is a bipartisan issue and we should not spend a lot of time fighting about some aspects of this initiative, but rather we should work out whatever the differences may be. from what i can understand, there are those who believe that the federal law should be a floor rather than a ceiling, and there are those who believe that where you have states who have stronger laws, we should not preempt those states. as i understand it despite the fact that we have varying laws in our states now, they all have similarities. and so rather than thinking about this as states with such
4:03 pm
different laws that would somehow cause great complications, let's think about this in terms of the fact that we want our state attorneys general to be involved. we want them to be involved in enforcement. i think that's very important. so let us take a look at what i think is the biggest obstacle to us getting the best legislation and deal with the preemption question and think about states like california. ms. moy, can you tell us, for example, my state, california, what are we doing with cyber security and is that stronger than what is being proposed here now? >> sure. yes. thank you. that's a good question and a good place to start because, you know, california passed the first breach notification law years ago and has really -- has really been a leader in this --
4:04 pm
in this area. so thank you for your work on that. california -- for one thing california recently passed a law to include log-in and password for account authenticators. so not just for financial accounts but for other types of accounts as well. for example, my e-mail account if my log-in and my password were breached i would get a notification, which i certainly would want to because there's a lot of information in there that while it might not lead to financial harm could lead to -- certainly to emotional harm if that information were breached and if it were misused. california also has a -- it has a reasonable security standard, much like the federal standard right now, but california does enforce that standard and has had a number of cases over the past few years, and along with that has some very rich guidance for businesses attempting to comply with the reasonable security standard. one thing i think california is also very strong on is the type of guidance that the state
4:05 pm
a.g.'s office provides to consumers and the way the state a.g.'s office interacts with consumers and businesses to provide that important guidance. >> thank you very much. i'm sure that none of us would want to interfere with states' abilities to have the strongest possible laws for cyber security. and so don't you think that perhaps the federal law should be a floor, and that we should certainly allow states that have tougher laws to be able to enforce those laws and that would require the attorneys general to be involved. do you think that is the best way to approach this? >> i do think from the consumers' perspective that would provide the strongest protection. and you had mentioned previously there is a discernible pattern among the states' laws. i think that is the case. you look at the various breach
4:06 pm
notification laws of the states, most of them cover a core of common information and have very similar requirements in terms of what ought to be provided in the notification, when the state a.g. and the consumer reporting agencies ought to be notified, and then in addition to that some states have added on to that. that's where, for example, you see some states like texas and wyoming and just this year hawaii and montana have added medical information to the class of protected information, in order to extend protection to categories where they see a developing threat that must be addressed. >> so we certainly would not want texas to be pre-empted with the good law that they have particularly as it relates to medical information, would we, ms. moy? >> i do think it's important not to pre-empt the -- not to pre-empt the protections for pieces of information like medical information, including other states, the very state of the chairman,
4:07 pm
texas. >> thank you very much. and i yield back. >> the chair understood the subtle point. the chair now recognizes another gentleman from texas. the chairman of our financial institution subcommittee mr. neugebauer, for five minutes. >> thank you, mr. chairman. i would note that if you let the federal standard be the floor and then all the states have an opportunity to start running up each other, we're right back where we are now, and it defeats the purpose of having a federal standard. mr. dodge, in reading your testimony last night on our proposed security legislation there's a lot that i think you and i agree on. i'm hoping today that we can discuss some of the provisions where we maybe have a little bit of a difference of opinion. in hopes that we could have a better understanding of where everybody is on this issue. i look at page seven of your testimony, you state retailers support a carefully calibrated
4:08 pm
reasonable data security standard. under hr 2205, we laid down a security standard that is process specific and based on certain key elements of data security programs that have worked well under gramm-leach-bliley. to ensure the smaller retailers are not unduly burdened, we calibrate the standard to match the size, scope and type of information that those entities hold. there are some process requirements that say if they don't apply to you you don't necessarily have to implement them. so the question is, can you identify the specific processes we've laid out in our carefully calibrated -- that aren't carefully calibrated and reasonable in your estimation? >> thank you for the question. i think, you know, first, it's important that we be having this debate about proper national data security standards to help businesses address this growing and sophisticated threat. it's the perspective of retailers that the gramm-leach-
4:09 pm
bliley act that is the baseline for the legislation you introduced, especially the data security standards within it, were expressly written for the financial services community. the industries are very different. anybody who's ever filled out a mortgage understands that the information that a bank holds is very different from that of a retailer. if we were to pursue legislation that replicated the -- or shoehorned the act to apply to the rest of the business community, we would be applying this law to industries beyond the retail industry, of course, well beyond us, to high-tech internet app makers big and small. we think that the history of enforcement by the federal trade commission provides a good standard that is very clear and strong for businesses to adapt to, to meet today's challenges, and it evolves in the future. we don't think you can regulate your way to security.
4:10 pm
that we need to employ layers of security, we need to start with the baseline that we believe is a strong standard, emboldening the ftc, and look for other ways for us to work together. including strengthening the payment system by advancing the security that's in that system today. >> now, you mentioned i think 50 ftc enforcement actions since 2001. if you believe that ftc is your enforcement agency, do you support them giving ftc rule making authority to make a uniform standard? >> the ftc has enforced these cases under the unfair and deceptive practices act. we think that giving them the express authority from congress is the right way to go about it, and it would preserve that flexibility that they needed in
4:11 pm
order to adapt to the threats as they change over time. >> the question is, would you support them promulgating standards that make sure that the playing field is level, and that you are doing the things that are specifically necessary in your industry to have a uniform standard? >> we wouldn't support rule making, we think that's the purpose of passing the law. we think congress has the privilege of defining the law, and then leave it to the agency to adapt over time. they have the flexibility under current law. >> isn't that what we're trying to do then? congress is trying to pass a uniform standard? >> exactly. and we believe that providing the ftc the authority to enforce data security laws based on the case law today, the common law based on the 50 cases, would provide businesses not only with the clarity that they need on
4:12 pm
what the expectations are of government. but the flexibility for the enforcement agency, in this case, the ftc, to evolve over time, to meet new threats. >> do your members take steps to protect consumers' data? >> there's no more important relationship in the retail business than that which they maintain with their customers. >> a data breach would be a breach of trust with those consumers. they work extremely hard to prevent breaches. >> if they're already doing it, what's the objection to codifying the standards. and they are reasonable and should be applied across the industry. >> you're speaking specifically about a law that was written for the financial services community. >> i'm talking about the bill -- i'm talking about my bill. >> gramm-leach-bliley which you would be expanding to the rest of the business community. what we're saying is, we should stick within the current regulatory structure, as the ftc, the regulator for most
4:13 pm
industries and glba can remain -- >> we took principles from this, but this is not gramm-leach-bliley. this is a uniform national standard. >> the time of the gentleman has expired. the chair now recognizes the gentleman from delaware, mr. carney. >> thank you, mr. chairman, thank you to the panelists for coming today. i'd like to talk a little bit about this preemption issue, i know it's a concern for many of the members, and we've worked hard to try to address it. as i said in my opening comments, the preemption provision should not have the unintended consequences outside the issues covered in the bill. we don't believe it affects the medical debt issue that was raised a moment ago with respect to california. we would be willing to make that plain. ms. moy, i thought i heard you say that we shouldn't -- that 50
4:14 pm
different standards is not the answer. is that what you said or did i mishear your comments? >> so what i have said is that i think the best for consumers would be to create a floor not a ceiling, so that states can continue. >> set a national standard? >> right, and then -- >> allow states -- >> to protect additional categories of information, for example -- >> my understanding is that 13 states now currently have data breach notification and standards like this, and that our legislation, our federal legislation would be better than all of them except maybe one, which is massachusetts, and i've been talking to some of my colleagues from massachusetts. would you agree with that? >> i think also oregon has a pretty good standard. i also think there are elements of other state laws you may not consider specific data laws -- >> a pretty high standard? >> it is a pretty high standard, yes. >> that's the starting point for us. there's been some discussion about the standard in energy and commerce.
4:15 pm
would you say it's a higher standard than what our bill would propose. >> our standard is a reasonableness standard. that looks more like what the federal trade commission is currently doing. so i think the difference here is not only might there be a difference in what the language says in that bill, i think, also, we would be looking to the common law of the ftc and others to flesh out what the specific requirements are, but it's really important as we're thinking about how strong the security standard is, to think about who has the enforcement power and who's going to be guiding the parties there. if the federal agencies are solely responsible for it, even a strong standard might not provide a strong protection, as a general reasonableness standard that allows state a.g.s to continue to work on a piecemeal basis with entities that are trying to comply. >> you think the standard in our bill is pretty good, pretty high standard in terms of federal standard? but you believe the states ought to have the flexibility to go beyond that. notwithstanding some of the issues that that might create in terms of having different
4:16 pm
standards. how about this enforcement question. have you looked at our bill in terms of the enforcement provisions in the bill, and how would you suggest they would be improved upon in your view. >> i can't -- i have looked at it. unfortunately, i'm not prepared to provide a detailed response on the enforcement provision so i would be happy to in writing if you would prefer that. but i do think the key issue with respect to enforcement is i believe your bill would only facilitate enforcement by federal agencies. >> so what i heard you say is that allowing the state a.g.s some kind of role there would be an improvement? again, not having looked at the details there, not to put words in your mouth. >> yes, yes, i believe that a very credible element here is that we must have enforcement. >> i explore these issues because as i said in my opening statement mr. neugebauer and i are trying to improve the bill
4:17 pm
so we can get a greater consensus around. we believe that i think as you said that a national standard is important to have that 50 different standards is not kind of the way to go. it's got to be a high bar and one that's enforceable. would any of the other panelists like to comment on the conversation that we've just had about preemption about the standard? and the enforceability of that standard. >> if i could congressman carney, i think the bill on a bipartisan basis really takes on this issue in the right way, and that is to recognize that the act of legislating to unify 47 disparate state regimes with a federal regime that is not pre-emptive would merely be adding a 48th regime and wouldn't serve the purposes that the legislation seeks to undertake, which is to protect consumers' financial information.
4:18 pm
and from eta's perspective the bill takes the right approach to ensure the federal regime is operative and not interfered with. >> everyone agrees we need a higher standard and kind of one standard across the country. >> we fully agree there should be a national standard, we think the states deserve a tremendous amount of credit for having acted in the place where the federal government has not yet. that's why we believe as a broad concept, preemption should be offered as a broad concept, state ag's should have the ability to play a role in the enforcement of it. >> thank you, mr. chairman. >> the time of the gentleman is now expired. the chair now recognizes the gentleman from new jersey mr. garrett, chairman of our capital markets subcommittee. >> thank you, mr. chairman. thank you for holding this hearing. an issue that really hits home for a lot of folks. i'll start with the basics if i can. and governor, i'll throw it to you. when there is a breach or someone does steal your card and they go to a retailer and buy a
4:19 pm
tv and you find out that you didn't -- so on and so forth. who actually is responsible for that? is it the -- does target have to pay the bill for that? does the bank that issued my -- well, my mastercard or if it's not that is it the bank or is it visa or mastercard or discover that pays for that? >> it's complicated, but the oversimplified version -- >> that's what i'm looking for. the oversimplified version. >> the consumer is made whole. and the issuing bank is the one that makes them whole. however, there's a secondary process managed and run by contract between the payment networks and various players in the payment system that gets resolved through a -- should we say contractual process between visa, mastercard, retailers, the
4:20 pm
issuer, which people take issue with how that works from time to time, that's how it gets sorted out after the fact. >> does anyone else want to give an overview. >> i would add to that. it's the merchant that ultimately pays for fraud in the wake of a data breach, should the data breach have occurred at a retailer, they pay a variety of fees, there's three real fees they pay total. the first one on every transaction ever processed, an interchange fee. a component of it is prepayment of fraud or prepayment of a data breach should one ever occur. and post-breach there's a fee associated with reissuing the cards and -- >> so that's where the banks end up having to pay the 15 bucks or whatever it is to send me a new card. >> the merchant reimburses on those fees based on -- >> really? because i hear different stories on that. >> i've included a schedule in my written testimony. >> so i just got one of these cards that have the little chip on it. and also, just to be clear on this, putting this chip on the card may help to some degree as far as the lost card or the stolen card, as far as going to the retailer, but as someone
4:21 pm
else on the panel said, i know it was in the testimony. this chip does absolutely nothing with regard to when they steal that information and they use it online, is that correct? >> i think it's important to note, the chip, the technology that's available in the united states today is predominantly magnetic stripe. 1960s era technology. in europe they introduced the chip and pin technology more than a decade ago. >> you saw an uptick of the data breaches not at the store any more, but now online, is that correct? >> that's true, fraud moved in two directions, online and the united states. because suddenly the united states had the weakest security in the world. it still does today. when chip only goes into effect later this year, the united states will still have the weakest card technology in the world. >> somebody said and maybe down here you said that all -- we can't solve all this stuff. and putting -- the bottom line
4:22 pm
is doing the chip is not going to solve it entirely but also to the point of what seems to be a lot of the discussion in the bill as well as far as the weakest technology. >> we can't solve all this stuff. the bottom line is, doing the chip is not going to solve it entirely, also to the point, what seems to be a lot of discussion as far as the disclosure information. that doesn't do anything to -- actually, none of it -- that doesn't do anything as far as preventing the fraud in the first place, that tells me as a consumer, you were robbed and this is who's going to pay for it. >> congressman, i couldn't answer your specific question about the chip, but you're absolutely right, the chip in the card prevents the card from being counterfeited, that is today the number one source of card fraud in the united states. it's about two thirds of card fraud at retail. it does not address the online issue. the online fraud issue is addressed by the other layers. >> the data that's on the card when i use this chip and put it through, has my number right on it, i don't know if you can see this. does the retailer keep that information?
4:23 pm
>> the retailer transacts that information. >> if someone breaches into it -- >> they're instituting many -- all are moving toward it to make sure that that information -- >> it still is a target, not to use that company, still a target for the hacker to go into the retail -- not just medical or whatever, the hospital keeps that information too i guess. as a data source, where they'll go try to breach, and they won't be going to the retailer to use it, but they'll be doing it online, still a target, maybe even a larger target? is that true? now with the chip? is it a larger target because of that as well? >> i think it's important that we recognize the chip technology is really designed to button down the point of sale to defend against counterfeit, lost and stolen. it is but one critical layer of security. there are other technologies that have been referenced in testimony today. such as point to point encryption.
4:24 pm
and tokenization that will protect that data from the cyber breach you're referencing, congressman. >> if i may, may i just add a short comment in response to the point about notification? >> fine with me. >> sure. >> thank you. thank you so much. >> i just wanted to say, i think notification provides an important incentive for companies to keep information more secure. i can't remember whose written testimony it was. companies do suffer reputational harm as a result of reporting breaches. i think it's important because that provides information to consumers who are considering where to vote with their wallet as they're determining which service to go with. >> i get that, thanks. >> the time of the gentleman has expired. the chair recognizes the gentle lady from new york. the ranking member of capital market subcommittee. miss maloney. i think the button hadn't been pushed. >> thank you. thank you, chairman, and ranking member for putting this together. it's an incredibly important issue, because it affects everyone. consumers, government, retailers and financial institutions, and
4:25 pm
i also want to commend mr. carney and mr. neugebauer for putting this together. this bill would significantly strengthen the data security procedures for businesses, but in a way that is flexible and can evolve as a cyber threat changes and evolves. i am still concerned about the scope of the state pre-emption in the bill and i want to keep working on the pre-emption and enforcement provisions in the bill. i have signed on to the bill as a co-sponsor because it is a serious good faith effort to tackle what is a critically important issue to our economy. i'd like to commend mr. neugebauer and mr. carney for their hard work on this issue and look forward to working with them particularly in the
4:26 pm
enforcement provisions in it. my first question is to governor pawlenty. i'd like to ask about the data security standards that gramm-leach-bliley put in for the financial institutions. you mentioned they had worked well for the financial institutions but i also wanted to know have they proven to be overly burdensome for smaller banks and credit unions? >> congresswoman maloney, no. the standards have been flexible. i think congressman neugebauer and congressman carney have done a good job in doing the same thing in their bill, which is to say, we're going to have standards and we're going to allow them to be scaled. i think that's a good model. >> in other words, they've worked well and not been too burdensome for smaller financial institutions and they won't be too burdensome for smaller retailers.
4:27 pm
>> i'd also like to know your feelings about the -- having a minimum or a floor standard. i know that california/oregon have a standard that's higher. i think it's important you have to have a floor. do you think it should be a floor or should it be a ceiling and why? >> another great question. right now we have nothing. >> right. >> something is better than nothing. >> absolutely. >> and so floor would be progress, but ceiling, if it's set high -- i would just encourage you. in minnesota when i was governor we passed what we thought were nation-leading protection standards and notification standards. you wouldn't want a bill that undercuts the 13 or so states that have done this. if you're going to set it, set it high. set it aspirationally. i think that would be the best place to be and it would serve the country best. think about the way people place data centers, where they store
4:28 pm
data, how they store data. it doesn't sync with the way we know cyber commerce gets done. >> as a governor, you know how valuable the creativity of the state system is to come out with solutions that are adopted in this area, it seems to evolve every day with new technologies, new ways to threaten consumers and really the security of our information. i'd like to ask steven orfe, given your experience, what would you say are the most important aspects of a company's data security plan and other -- what is the most important thing that a company could do to protect their customers, to protect their company against data breaches? >> thank you, congresswoman, for that question. i think what's most important is the pci standard is in our view the best defense against cyber criminal attacks.
4:29 pm
it really becomes a question of vigilance. and being methodical and disciplined in your approach. and looking at and paying special attention to the fundamentals, doing the blocking and tackling, looking at the physical. it's day in and day out. it needs to be 24/7. it needs to be built into the dna of an organization from the ceo right down to the working level. >> okay, thank you, and you mentioned in your testimony mr. oxman that you thought that sharing information was so important. and can you just expand on that? on what we need to do additionally, and expanding information in this area? >> thank you, congresswoman maloney. the issue is companies are barred from sharing cyber threat information with each other. and in some cases with the government, the house fortunately passed a measure that we support that will
4:30 pm
eliminate those impediments to that kind of important information sharing. we support that legislation, we hope the senate will move forward on it, and we need to make sure that companies can, without liability, share information with each other. and with the government to prevent future threats. >> thank you, my time has expired. >> the chair recognizes the gentleman from missouri, mr. luetkemeyer, chairman of our housing and insurance subcommittee. >> thank you, mr. chairman. i'm curious, i want to approach this from a different angle this morning, from a standpoint of, when we have a data breach whose fault is it? if someone's at fault, there's going to be some liability. it would seem to me, my experience has been from the financial institutions i've been aware of and i appreciate the governor's description a minute ago of who winds up paying the bill on this. but generally the banks wind up, with the financial institution issue, the cards are
4:31 pm
initially the ones that wind up footing most of the bill. in our area we had a supermarket that had issued debit cards. the information was accessed and suddenly everybody in the whole area, the whole region actually, their information was breached. as a result there was a tremendous cost to the financial institutions. it would seem to me as a regulator you would look at this as a liability exposure for the bank from the standpoint of what you're going to have to incur by all of these retailers not having adequate protections. from mr. dodge's perspective it looks like -- i would think the regulators would ask the financial institutions to force the retail folks to have a policy in place, insurance policy in place, that would protect them against a data breach so that the banks would
4:32 pm
not be the fallback position for a data breach. governor, would you like to comment on my thought process? am i off on that? >> i think you've connected the dots correctly. on your last point about cyber insurance, that's an evolving area. there's some who think traditional insurance covers it, there are some disputes about that, some uncertainty about how you underwrite it when you can't get your arms around the magnitude of it and what it looks like in the future. that's an evolving and developing space, one that is -- >> how do the standards fit into that situation? >> the standards fit into that because i think if you set standards like the financial service sector has on other sectors and we get more resilient, better systems as a result of that you decrease risk, you derisk the system. that's good for financial institutions. it's good for the payment system. and frankly it's good for everybody involved. i will say to the chairman's point on the energy and commerce bill that's a bill that says have reasonable standards. we're going to get a standard one way or another in this country because everybody's suing everybody.
4:33 pm
over time the courts are going to develop a standard that says be reasonable. it's a ten-year pathway. it's too slow and too vague. or a hodgepodge of standards some of which will be great, some not so great. so congress can play a really important role here bringing this debate forward more quickly and with more of a level of rigor. >> mr. dodge would you like to comment on my question? >> first, the suggestion that banks are not reimbursed in the wake of a data breach is simply not true. there are three ways we pay, the fees they pay on every transaction, after a breach through the contracts they sign with the card networks there's a formula for reimbursement. >> they still suffer a loss, mr. dodge. >> but my point is, if the banks have an issue with that, it's their facilitator which in this case is visa and mastercard. retailers sign those contracts.
4:34 pm
and if there's a suggestion there's been a violation of those contracts there is certainly the legal avenue for resolving it. >> my question though was with regards to the exposure, liability exposure that a bank would have with regards to the situation such that if you had lots of retailers as this seems to be almost an epidemic, every day and every week you have another entity that's been breached. if that is the case pretty soon institutions are going to have a lot of liability sitting there. if you do commercial lending to retailers i see that as a problem that's going to have to be fixed. i would assume you would have protection against the breach? >> as governor pawlenty said it's an insurance market but many retailers are buying that kind of insurance. there's no question about that. but the level of standard, the suggestion that there's no standards on retailers is belied by the fact that there's 50 cases where some of which were
4:35 pm
retailers, many were not, where strong enforcement was brought down by the federal trade commission. enforcement includes not only substantial fines but the prospects of consent decrees that allow the federal trade commission to take up residence for the business for 20 years. strong standards retailers abide by today. >> i've just got a few seconds left. one comment. mr. orfe i'm disappointed you gave everybody my password to my computers. but with that i yield back. thank you. >> thank you, sir. >> the gentleman yields back and better put a fraud alert on all of his credit cards. the chair now recognizes the gentleman from california, mr. sherman. >> governor pawlenty, i do weird things that cause my credit card company to get very concerned. like i buy gasoline in los angeles and a day later i buy gasoline in washington. so of course their computers flip out. you'd think they would send me
4:36 pm
an e-mail, but they don't. they either call me, usually at the worst possible time, or if they're too lazy to do that they freeze the account and force me to call them. is this entirely because they're not handling it right, or is there something in our statutes that we could do to facilitate or prod credit card companies to check with their cardholders by e-mail rather than by telephone? >> congressman, great question. i've had some interesting experience with cards myself personally, so -- >> you engage in similar unusual activity? >> well, i'm not admitting to unusual activities, sir. anyhow, as to the contact -- >> another guy going to iowa. >> i think the concern you raise is a good one but it is being
4:37 pm
addressed in real time by technology. the controls you can now set on many cards and it's advancing by the day and month, are getting really good. on one card i have, i can get a text or e-mail alert if it goes over a certain amount, any transaction, i can get a text or e-mail alert. if it goes over a certain number of transactions per month. i can get a text or e-mail alert if it goes over a certain amount, and soon i think i'm going to be able to get an alert if -- >> i'm not looking for more alerts. i'm simply looking for them to contact me by e-mail rather than by phone or freezing my account without telling me about it. >> the short answer i think is if you can't many cards already do or will soon offer you the chance to be in the driver's seat as to exactly how you want to get that message. >> i'm sure your members are aware of e-mail -- i mean, we're talking about how to upgrade to technology, and e-mail is -- >> if you can't, i can recommend a card that will get it to you. >> not with the united airlines miles. basic economic theory is you
4:38 pm
that apply liability against the entity that should be investing in safety measures. so that you get that entity to spend the appropriate amount of money on safety measures. retailers ought to be spending more on safety to protect consumers and to protect the entire business system from the extraordinary costs that happen every time somebody hacks into one of these accounts. but retailers face no liability except the reputational liability which ms. moy referenced. but then we have these less known about data breaches where the media doesn't know or barely reports to the general public some of the data breaches. is it problematic that consumers at some stores may have their data hacked, but they never hear
4:39 pm
about it? and does this mean that the merchant that has mishandled the data faces no liability and no reputational risk? ms. moy, in order to have that reputational risk do we have to do more to make sure that every data breach is known by the public? >> yes, i think we do. i think there are a couple ways to do that, one is to make sure as i mentioned multiple times, the bill is written in such a way that it covers classes of information that entities may hold. consumers consider personal they would want to be notified about, but currently may not be notified about, for example, e-mail address and password, that's one a lot of retailers hold, it's one that could be breached, if my e-mail address and password are breached, i would certainly like to know about it, and another thing that could be done is begin, providing the state ag's with the authority to enforce is
4:40 pm
really important, because they will help work to make sure that these breaches are notified, and in particular, many states have a threshold for notification of state ag's, that's much lower than what we've seen in a lot of federal legislations. a lot of the proposals, many states have a threshold of 1,000, for example. i believe that just a couple months ago, the massachusetts state a.g.'s office appeared at another hearing on breach notification and data security and they said that the average breach -- the size of the average breach was about 74 consumers. so it's really important that we have state a.g.s working to ensure consumers are notified. >> congressman, if i could just jump in on that. >> i'll add another question. let you jump in on both. we're proposing legislation.
4:41 pm
is the work of the state a.g.s and the states enough to prod retailers to spend enough on safety? >> to your question about liability, retailers face considerable liability. there's reputational harm, you cited that, but under the enforcement available to the ftc's current authority and what we've endorsed for stronger authorities and at the state level there's enforcement liability and the prospects of consent decrees that could take -- allow the ftc to take up residence in a business for 20 years. >> i'll see if the governor can just chime in. do the retailers face enough reputational and financial liability to spend enough on safety, or do we need to do more? >> congressman, i would respond with a rhetorical question. how's the current system working? not so good. >> the verizon report says there was 2100 breaches last year, 277 were financial institutions, 166
4:42 pm
were merchants. there are 1,000 times more merchants. the standards that are applied to the financial industry are not perfect. >> the time of the gentleman has expired. the chair recognizes the gentleman in michigan. mr. huizenga chairman of the monetary policy and trade subcommittee. >> thank you mr. chairman. i appreciate the opportunity to spend a little time with you all. mr. orfe, over here, hiding back here. real quickly, while we're on the breaches, i'd be remiss to say that mr. garrett's credit card has now purchased three things online, and is available widely on a russian website. but the -- in all seriousness, though, i mean that is the concern all of us have, right? when we're calling in somewhere or buying something online in a very transient kind of economy that we have, i think we all have a legitimate and serious concern. i'm curious, have you evaluated
4:43 pm
how many breached companies are in compliance with your pci standards at the time of their breach? or have they had those standards and it's caused them to take action? or did they have them already and they still were breached? >> what i would reference is the verizon report, which is an objective third party that looks the data for breaches for the past ten years. and the findings there's two significant data points i would give you congressman. one is that 99.9% of the breaches that have occurred were preventable and covered by the pci standard. the second point is, i think that the pci standard has done a very effective job and there hasn't been one single compromise where the merchant or the entity was found in compliance. >> i'm a former state legislator
4:44 pm
as well, and governor, good to see you again. i like you had those situations where we're sitting in the state capitals, we go, what in the world is washington trying to do to us now? yet at the same time, i understand when you have states doing various actions and not coordinating, and oftentimes that's someone like the council of state governments and alec and other organizations like that are trying to get states to harmonize oftentimes. but what i'm struggling with on this, and miss moy, you had mentioned this earlier, as did my friend mr. neugebauer, how does setting a national floor but then allowing states to maintain a patchwork of other requirements, how is that different from what we have now? i think mr. oxman, you said we'd go from 47 regimes to 48.
4:45 pm
help me out somebody with what we do on this. i'd like to hear from governor pawlenty. >> congressman. i would think about this, you know, i'm a big fan of the 10th amendment, i'm a big fan of states' rights, i'm a big fan of laboratories of democracy for public policy at the state level. i believe in all of that profoundly. but i've come to think of this issue as a threat to the national security and critical infrastructure of the united states of america. not just in the payment space but in the ability to do most of what we do. i think it rises to the level of being worthy of being viewed in that light and setting the table nationally, because it does threaten our ability to function. it presents, taken to any sort of reasonable extension, an existential threat to our economy and to our nation's security. i could walk you through the scenarios and they don't take a lot of imagination but i think
4:46 pm
if you view it in that light it rationalizes an aggressive and muscular federal involvement. >> that's what i struggle with as well. we can have a debate on this later on whether this is commerce clause or how this is affected. miss moy, you want to quickly brief us. >> thank you. most states certainly with breach notification, there's a common core of elements across the 47 plus three territories' laws, and then there are some additional elements above that. i think it's really important, for example, i believe in your own state, there's a harm trigger for the breach notification law that is broader than just applying to financial harm. it's really important that we take that into account as governor pawlenty has said. if we're going to set a pre-emptive federal standard let's set it high. let's not reduce protections like those in your own state for consumers who are benefiting. >> i would agree, i think it would have to be high, and somebody help me out on what mr. sherman has said. he doesn't want more notifications.
4:47 pm
now, i'm a little confused how if you have an e-mail breach how are they supposed to notify you through e-mail, if that's been breached. but what of this cry wolf over overnotification? is that a real concern? >> congressman, we think that it is. we think it's important. i align myself with the most recent points made by the governor. we agree entirely on this. we think it's important the consumers be able to get information quickly, information they can take action on, in order to protect themselves from financial harm. a standard beyond financial harm would subject customers to repeat notifications. and the worst case scenario is the customer would stop paying attention to those notifications and not take action to protect him or herself from something that could put them at risk. >> if i could add a brief point to that, which is i think in order to determine the answer to that we should really look to the state a.g.s who have a ton of contact with consumers who are suffering from breaches and in the words of illinois attorney general state a.g. --
4:48 pm
i'm sorry. attorney general lisa madigan: consumers may be fatigued over data breaches but they are not asking to be less informed about them. >> the time of the gentleman has expired. the chair now recognizes the gentleman from massachusetts, mr. capuano. >> thank you, mr. chairman. i can barely see you guys. you kind of moved everybody apart but we'll try to communicate. mr. chairman, i'd like to submit a letter from the massachusetts attorney general for the record. >> without objection. >> thank you, mr. chairman. did anybody at this table think that five or ten years from now that data security, the issues and challenges you face, will be the exact same that you face today? does anybody believe that to be true? >> technology is changing so quickly, congressman, i think it's highly unlikely that the issues will be exactly the same. >> yeah, i think it's highly unlikely. i mentioned in my written testimony the example of several apps that now exist that allow you to photograph your physical keys to your house and your car. >> that's great. well, thank you.
4:49 pm
i don't think so either. but then again, i don't know much about technology. i struggle with a cell phone. that's life. but the one thing i do know is something's going to be changing. and i guess i raise the issue because to advocate for a congressional solution with no ability to change a year, two, three, four years when the problems change, except to come back to congress, you are sitting here today because the congress is last to the issue. states are first to the issue. like in most issues. the federal government is oftentimes the last one to the fight. because we're the biggest, we're the most diverse, and that's the way it always has been. and yet you're advocating for a situation that we have one great, let's assume it's a fantastic law, that has no ability to be upgraded through regulation which is why we have regulatory
4:50 pm
bodies, because they can act quicker than us except to come back to us and ask us to do this all over again which in and of itself to me is the main problem here. but the other issue i it's all part of associations, that you must live in the general washington area, at least have an apartment here. do you think that the federal government, the epa should tell the state of maryland that they have to live only to federal standards on their drinking water? that the state of maryland would be totally preempted from saying no, no, no, we like a little less arsenic in the drinking water than the federal government requires. you think the state of maryland should be told sorry, you can't do that? >> congressman, i spent seven years in the great commonwealth of massachusetts. i had the pleasure of living there for a very long time. i think you raise a very
4:51 pm
important question. that is how can we bring uniformity to an issue with nationwide implications, and indeed international implications, without interfering with the power of the commonwealth. >> not just the power, the responsibility. i like the idea. i'm very happy we're talking about federal standards. i've gotten in trouble on a regular basis because heck, i'm a liberal democrat. i'm all for federal regulations. my friends over there know. regulate everything. don't worry about it. but then again, i didn't know some of my friends on the other side want to join the socialist party. you know, welcome. bernie sanders has cards. you can sign up. that's my problem. i love the idea of creating standards. but i like two other things. i like flexibility in that. let's be honest. most members of congress, we are not technologically capable. all of us fumble with our cell phones. i call my staff all the time.
4:52 pm
i kick the damn things. i drop them. this is broken seven times because i throw it. and i know none of you have ever done that because you're technologically capable. we need flexibility. we need the ability to move quickly. whatever the threat is today is going to change tomorrow. that's the only thing i know. >> that's right. and i would submit the eta on behalf of the payments industry supports the approach taken in this bill because it has the exact flexibility that you're talking about. it doesn't dictate the federal standards and in fact makes it very clear it's not up to the federal government to dictate how we protect data security but it is a requirement that the security be implemented. >> we also need somebody who knows what they're talking about. not necessarily the united states congress. and number two, i really don't see why you would want to take away the ability of the states to be more flexible than anybody else. holding to a minimum standard, absolutely, totally agree. we have the same issue on everything that we do. every financial issue that we deal with, we deal with this issue. how much of a federal standard,
4:53 pm
including, you know, we deal with insurance every day. insurance is totally regulated at the state level, and every time we come close to thinking about the federal government, everybody gets worked up because the states do it. i strongly suggest if the concept is right, the approach needs to be significantly exchanged on those issues to provide flexibility, number one, and to maintain the state's ability to do with as they see fit. >> i thank you, gentleman. and now the gentleman from wisconsin, mr. duffy is recognized. >> thank you, mr. chairman. and it's nice to see that we're making news today. my good friend. also great officials of you throwing your flip phone around the capitol. he was a state legislator. i was not governor, but i was a former hockey player like yourself. do you agree with mr. dodge that the banks don't pay any fees on the data breach? i haven't heard a response to that claim? >> the banks, again the system
4:54 pm
of how this is all sorted out is complicated. but it's certainly true that the issuing banks pay in all sorts of ways, if there's a breach of the cards. as well as making the consumer whole through a complicated series of transactions. >> okay. just to be clear, does the whole panel support federal preemption? is that -- does anyone disagree with that concept? i think i heard everyone say they agree. >> only if it's a high standard for consumers. >> i just want to understand. talking about when the card is present, what percentage of the fraud comes from a fraudster who steals data and reproduces cards and makes purchases as opposed to, you know, the guy who had his wallet lifted and someone goes in and uses actually the card? >> the majority of it, excuse me, congressman, the majority is people scraping cards and using counterfeit cards.
4:55 pm
and the people who do lost and stolen, that's a minority of the transactions, not counting the online stuff.
>> so when we talk of chip versus chip and pin, if we at least get to chip, we're going to address a vast majority of the fraud taking place right now when the card is present? is that fair to say?
>> in a static world, it would have an effect. but we don't live in a static world. there's a single line of defense between the fraudsters and their ability to commit fraud. they'll focus all their energy on breaking the chip. we've seen examples already. we've simply argued that one of the baseline tactics of cyber hygiene is two-factor authentication. we should require that at the point of sale as well.
>> more pocket thieves out there?
>> no, no. i'm saying fraudsters will develop new and innovative ways to crack the chip and commit fraud.
>> congressman duffy, if i may, the chip will defend against
4:56 pm
counterfeit, lost and stolen at the point of sale. it will buckle down on the physical environment. the fraud will then move to the card present in the environment. it's what we observe in the european communities that have chip technology. now the chip technology, you cannot clone it. so what we'll see is, it will migrate.
>> so how far away are we from tokenization for online purchases?
>> it's a technology that's been around for ten years. and now the acquiring community and technology vendors, the price point has come down. point-to-point encryption coupled with tokenization is how we get to devaluing the data so it's useless.
>> so with the card not present for online purchases, the technology is there but not implemented yet?
>> apple pay has what i call an early-stage version of tokenization, and it's had other breach issues. but it's one of the first tokenization platforms to come to market.
4:57 pm
>> i want to be clear. so when we have a chip, does a retailer, are they able to maintain data about the card in their database, if you just have a chip card? as opposed to a magnetic stripe?
>> again, congressman, the chip is just going to work at the point of sale.
>> listen, we've heard about the retailers with data breaches. if we migrate to the exclusive use of chips, does that mean that retailers are no longer keeping personal consumer data in their databases?
>> no, sir.
>> which means they're not at risk to have breaches any longer?
>> no, it's just taking off the threat at the point of sale. it's a critical layer but not a silver bullet.
>> on the back end.
>> the information could be replaced by tokenization. could be protected by point to point concern.
>> what recommendation on how
4:58 pm
long retailers are keeping financial information about consumers? how long should a retailer keep that information?
>> it's really not necessary to keep that information.
>> so --
>> congressman, if i could just jump in.
>> sure.
>> many retailers have instituted encryption, so if it was acquired, it would be in a format where it would be useless to a criminal. further, they have no desire to keep information they don't need --
>> but do they need any information, is my question? could retailers actually, after 30 days, wipe those databases clean so you don't have, you know, six months of consumer data, or a year of consumer data? you might only have 15 days or 30 days of consumer data. isn't that really one of the risks, that we have so much data being collected and stored, not just from the government but from retailers?
>> the information is designed to give them what they really want.
4:59 pm
corporations want receiptless returns. the element of consumers have voluntarily said we want to be able for you to have this information.
>> i don't know that i've ever been asked. their service is offered to me and that information is kept on my card. and i do think there's a consumer protection issue here when we're not asked. it's just given to us.
>> time of the gentleman has expired. chair now recognizes the gentleman from texas.
>> thank you, chairman and ranking member waters, for holding this important hearing today. and thank you to our panelists for your testimony. mr. chairman, before asking my questions, i request consent that my statement be made a part of today's record.
>> without objection.
>> my first question is to the honorable tim pawlenty and miss
5:00 pm
laura moy. how can a federal data security standard that creates a floor provide for more consumer financial security, while at the same time providing certainty to industries that would need to implement such a standard across all 50 states?
>> congressman, thank you for your question. for certain sectors, not including financial services and health care and a couple others, they don't have standards currently, other than in the 13 states or so where they have them. so by congress creating a floor or a ceiling, but we hope a high standard that is for the whole country, you will lift the game and the expectations and the legal responsibilities for those sectors in those places that don't have a standard currently. and again, this has migrated to international proportions. and i think if the members of this committee knew that russia