
Key Capitol Hill Hearings, C-SPAN, February 4, 2014, 4:00am-6:01am EST

4:00 am
...subcommittee, I am Jessica Rich, Director of the Bureau of Consumer Protection at the Federal Trade Commission. I appreciate this opportunity to present the Commission's testimony on data security. In today's interconnected world, personal information is collected from consumers wherever they go. From the workplace to shopping for groceries, from our smartphones to browsing the web at home, virtually every action we take involves the collection of information, some of it very sensitive. Many of these data uses have clear benefits, but the recent spate of data breaches are a strong reminder that they also create risks for consumers. Hackers seek to exploit vulnerabilities to obtain and misuse consumers' personal information. All of this takes place against the backdrop of the threat of identity theft, a pernicious crime that harms both consumers and businesses. The Bureau of Justice Statistics estimates that over 16 million people were victims of identity theft in 2012 alone.
4:01 am
The FTC is committed to protecting consumer privacy and data security in the private sector. Since our first data security case in 2001, the FTC data security program has been a strong bipartisan effort that includes law enforcement, education, and policy initiatives. The Commission enforces several laws that protect consumer data. Under the FTC Act, the agency can take action against companies that engage in deceptive or unfair practices, including deceptive or unfair data security practices. The FTC also enforces several laws that require special protections in certain business sectors: the credit reporting industry, financial institutions, and also online services for our kids. In enforcing these laws and investigating potential data security failures, the Commission recognizes that there is no such thing as perfect security and instead examines whether companies have
4:02 am
undertaken reasonable procedures to protect consumer data from the risk of identity theft and other misuse. Since 2001, the FTC has used its authority to obtain 50 settlements with businesses that failed to provide protections. The best-known case may be the 2006 action against a data broker that allegedly sold sensitive information about more than 160,000 consumers to thieves posing as ChoicePoint clients. The Commission alleged ChoicePoint failed to use reasonable procedures to screen purchasers of consumer data and ignored obvious security red flags, resulting in at least 800 cases of identity theft. Before ChoicePoint, the FTC brought actions alleging security failures by such companies as Microsoft, and after that
4:03 am
by such companies as TJX, LexisNexis, HTC, and Rite Aid. Many cases over 14 years alleged similar, commonly known vulnerabilities and security failures. In addition to enforcement, the Commission promotes strong data security through consumer education, business guidance, and policy initiatives. For example, our website contains guidance for consumers on what to do in the event of a breach. And perhaps our most important education is our guide to businesses about how to develop a strong data security program. Sitting here today with my colleagues from the Secret Service, I want to emphasize that data security is a shared responsibility among many different entities and people, including the different law enforcement agencies that work in this area. The Commission has a long history of working closely with other federal and state agencies on this important issue. For example, the FTC's case that
4:04 am
was a joint action with 35 state AGs, and we received assistance from 39 state agencies in the case against TJX. We worked with the Department of Health and Human Services in cases against CVS and Rite Aid. We coordinate with the FBI and Secret Service. The goals of the FTC and the criminal agencies are complementary. Criminal actions seek to punish hackers and criminals that steal consumer data, while our actions focus on shoring up security protections so that companies prevent intruders from getting inside in the first place. As a final point, on data security legislation, never has the need been greater. The Commission reiterates its bipartisan support for federal legislation that would strengthen the FTC's existing authority over data security and require companies to notify consumers when there has been a
4:05 am
security breach. Thank you for the opportunity to testify here today. The Commission looks forward to continuing to work with Congress on this critical issue. >> Thank you. Thank you, both. I would also like to point out that last week I asked a question of DNI Clapper. He had made an estimate that cyber attacks on our economy were in excess of $300 billion worth of damage, and that was last year's report. I asked him, and he says that number has probably dramatically increased. That was in public testimony last week. Obviously, this goes beyond the question of individual data breaches, but I believe this will grow dramatically. I also want to mention that the Secret Service does not want to weigh in on specific technology solutions, chip and PIN and others, but we are going to need your cooperation at some point and guidance on how, working with
4:06 am
industry and whatever standards come about, we have got the cutting-edge technology. I guess my first question: why is it that even the Secret Service or security bloggers are oftentimes the first to know about these attacks? I understand we have industry standards that are set, but this news keeps floating out. The Target breach floated from a blogger, I understand, and it was said that the malware involved in the Target breach was identified back in 2011. Why is it taking us so long to respond? Is that a restraint on you, or is it not enough aggressive action from the industry? >> First, you got into the fact
4:07 am
that sometimes the Secret Service knows ahead of time about these breaches and we are able to bring it to the attention of different victims. The fact that we do this is through proactive investigations, where we are out sometimes ahead, determining and looking at data as it relates to the financial industries. It is through partnerships we have in the financial industries sector that are able sometimes to bring us data, where we are able to go through the data and find out where information is leaking into the criminal underground from. That, too, is the same way I believe that some journalists are able to get hold of some of that information. You also brought up the malware and the fact that it has been around since 2011. I think what we're discussing here is the type of malware. So it is not necessarily the exact type of malware. Malware can be molded and changed. These attackers have molded malware, so it is not detected by the
4:08 am
antivirus and technical means that general IT security folks will have. So these are very sophisticated actors that are not using regular malware. They're modifying that malware for each particular high-tech attack when we're talking about an attack of this significance. >> I guess one of the things, and this is both for you and Ms. Rich: how do you get the standard right on when it becomes the duty of the company or the financial institution to report an incursion? You know, particularly since this evolves all the time. We know there are standards set, but this is constantly evolutionary -- do we have it right? Do we need more tools? Or do we need collaboration in setting a regulatory process that would be static? Let's move this quickly, and I have one last question.
4:09 am
>> Well, what the Commission supports are federal standards for both data security and breach notification. Right now there are state laws requiring breach notification, but no standard at the federal level and no civil penalties. While we have tools and we're using them to enforce, to address data security failures by companies, it would be extremely helpful to have a federal law requiring data security, not just notification, with civil penalties. >> How do you make sure that law will evolve quickly enough? Sometimes standards take seven years to evolve, but this is a field that changes on a monthly basis. >> We believe that the legal requirements should require a process for developing appropriate data security, so that the specific technical standards can evolve and perhaps be implemented through
4:10 am
self-regulation or industry standards. But we do have one regulation in the financial area that is kind of a model for this, the Safeguards Rule, that sets forth a process. You have to put somebody in charge, you know, your chief technology officer. You have to do a formal risk assessment and then implement safeguards in key areas of risk such as employee training, network and physical security, service providers, etc. It sets out a process like that, where we are able to use it as a tool for enforcement without mandating levels of encryption and things that change over time. >> I want to respect my colleagues' time. Could you also identify -- Target's could have been from the Ukraine, but where in general are these from? >> Many of these are national and transnational.
4:11 am
Cyber criminals are attacking us from Eastern Europe. I don't want to say this one country versus another country. What we are seeing is that, largely, the cyber criminal world is Russian speaking -- and I say Russian speaking in that they are using the Russian language as operational security. That is the piece that the criminal underworld is using to hide themselves from U.S. law enforcement. >> A quick question for Mr. Noonan. Can you describe the general Russian cooperation with a lot of these attacks? Can you describe law enforcement cooperation? >> There have been many of these instances where we have worked in cooperation with law enforcement. >> But Vladimir Putin is not our
4:12 am
greatest friend. Could you tell us who you do your cooperation with? >> Generally, the cooperation that we deal with through the Russian authorities is through a notification process to get a process taken care of in the Russian Federation. >> As a quick follow-up, any extraditions from Russia? >> No, sir, we have not had any extraditions from Russia. >> Senator Warren. >> All of us have constituents that are affected by these data breaches. I think it is clear that the data protections that we have in place now are not enough.
4:13 am
16.6 million people, seven percent of the adult population, were victims of identity theft. It is a huge number. I would like to get a better sense of how these laws are enforced. The FTC has authority to go after companies that have engaged in either deceptive or unfair practices. I want to break those two out, if I could. Ms. Rich, can you describe what is done in regard to data security standards for the FTC to bring a claim for deceptive practices? >> Our deception authority focuses on making statements, or omitting information, that is material. Our cases in this area generally involve statements that can be express -- you know, "we encrypt our data to the highest levels of blah, blah,
4:14 am
blah" -- or implied -- you know, "you give us your data and we will encrypt it and make sure it is taken care of." We do hearings with officials at companies and we consult with experts to determine whether those claims are true. >> Let me just clarify this. If a company's security standards are inadequate, but the company says nothing about them, the FTC is powerless, at least under its authority to go after deceptive practices. Is that right? >> We have two prongs, deceptive practices and also unfairness. >> I will get to fairness in a
4:15 am
second. For a company that has totally inadequate data security standards, I want to clarify. I think what you are saying to me is that if a company says nothing about its data standards, then the answer is that under the deceptive prong, the FTC has no authority to go after this company. Is that right? >> That is absolutely right. And that is one of the reasons we are supporting general data security legislation. But let me say, we do also have unfairness authority, and we use our deception authority to look at not just what is stated in a privacy policy, but what a company may claim in the context of its interaction with consumers, including implied claims. >> OK, but under your authority to go after deceptive practices, I understand that the FTC has settled about 30 data security cases since 2002.
4:16 am
That would be about three per year. It is fair to say that is not very many, given the number of data breaches that we have seen in the past decade. >> I would emphasize that there is not strict liability for a breach. When a breach happens, we look at the underlying practices, and not whether there was a breach and then we automatically bring a case. I would also emphasize that we believe our 30 deception cases and 20 fairness cases provide general deterrence and specific deterrence, especially given the kind of remedies we seek. It has brought a lot of attention to the need to secure data and made a difference in raising the stakes, but we do need more tools. >> Let's talk about that a little more. In addition to the 30 cases you've brought over the course of the past decade under
4:17 am
deceptive practices, I just want to ask about unfair practices. Can you describe what a company has done when a claim of unfair practices is brought? >> We have a three-pronged test, and one of those is substantial injury. Many of these data failure cases -- again, it is not strict liability for a breach. We have met that standard and, therefore, have brought those cases. >> I understand. And if I'm understanding this correctly, you are describing a fairly demanding standard. It is more than breach, more than the fact that people have been injured, more than the fact that a company had very lax standards. As I understand it, there is some question around the FTC's authority in this area, which
4:18 am
may be why you have used unfair practices in only 20 cases over 10 years. I want to say that this is a real problem, that the enforcement authority in this area is so limited. The FTC should have the enforcement authority it needs to protect consumers, and it looks to me like it does not have that authority right now. Security problems are not going to go away on their own. Congress needs to consider whether to strengthen the FTC's hand. Thank you. >> That was an interesting line of questioning. You may see -- you may have a series of players in an industry that are meeting those standards. The challenge is that you may have that one weak link, and the whole industry could be infected because of the weak link. I think there should be more ability to collaborate here. Let me start out on the
4:19 am
international front, if I could, and maybe follow up on Senator Kirk's questions a little bit. Is there data available that would illustrate to us what percentage of attacks come from outside the United States? Is that data available? Either one of you. Go ahead, Mr. Noonan. >> I'm certain that it is. I will have to respond back to you in writing. >> Just for the purposes of the hearing, would it be the majority of the attacks, do you think? >> I would say the majority of the significant attacks would be outside of borders. >> And to put a finer point on it, would the majority of the foreign attacks come from Eastern Europe?
4:20 am
>> Yes, sir. >> In terms of the cooperation that we get out of that part of the world, can you think of any case at all where there has been an extradition from Eastern Europe where a hacker was sent to the United States for prosecution, any case? >> Yes, just recently we had a case out of Romania. >> Is that rare? >> With the Romanian authorities, we are working very closely with them at this point. But the other countries in Eastern Europe, it could potentially be very rare, yes. >> What I'm trying to get at, and I'm not trying to be coy here, is that it looks like parts of Eastern Europe are a sanctuary if you are a hacker,
4:21 am
because the chances of being sent over here to face prosecution and conviction are probably nonexistent. Would you agree with that statement? >> Yes, I would agree. >> That is kind of a bad deal, no matter how secure you are. Because at the end, if those folks are not facing the possibility of prosecution, they will just keep going. >> Yes, however we do have some very strong partnerships with other countries over in Eastern Europe. And it is through those collaborative efforts that we are making gains against a number of the cyber criminals. To say that we do not have cooperation in Eastern Europe is not 100% accurate. >> Right. >> It is true that with many of the different law enforcement authorities, we do have a strong collaborative effort in moving
4:22 am
toward identifying who these actors are and learning more about their networks. >> Let me focus on breach notification, because I think from the consumer standpoint, that is critical. As consumers, we won't have the ability to trace a hacker to Romania or whatever. But the one thing we do have is, if we are given notification, we have the ability to stop using the card, or tear it up, or notify our creditors. We can be proactive. How important would you say breach notification is in our effort to protect consumers? >> I think, for the very reasons you say, it is extremely important, which is why we support a law at the federal level with severe penalties. >> How do we do that -- and I don't want to get into a
4:23 am
sensitive area, but this is a sensitive area. As a former cabinet member, I can tell you that I know we had millions of records that contain sensitive information: Social Security numbers, date of birth, residents' address, on and on. I will also add that oftentimes the federal government's security system is not the best. It is not the best. And it could be the health care law, the VA, the Department of Agriculture, a host of things. What do we have on the federal government that, if my information at whatever agency has been compromised, somebody will let me know that? >> You mean, what federal laws
4:24 am
govern the federal government's collection of information? >> Yes. >> There are a number of laws that require data security among federal government agencies, as well as breach notification. I'm not completely familiar with the details of all of those, but I know that if there is any breach at my bureau, who we are supposed to report it to. >> Are there any breach notification requirements in the health care law? >> I'm not familiar with the details of the health care law. But I do want to add on the point you are making about Eastern Europe -- because there will always be criminals that may be coming from countries where it is difficult to trace, that is why there is this partnership, this joint effort among different approaches and agencies. We cannot just count on criminal enforcement. It is also important that companies shore up their systems as much as they can against attacks.
4:25 am
We need to attack this problem from different angles. >> Thank you, Mr. Chairman. >> Senator Tester. >> Thank you for holding this hearing. As long as we are talking about breach, we will flesh it out a little bit more. The breach that you were talking about with Senator Johanns was between the financial institution and the cardholder. Is there a breach requirement between the retailer and a financial institution, or the retailer and your office, Mr. Noonan? Or your office, Ms. Rich? >> There are state laws that require breach notification that may apply to retailers. But there is no federal notification law. >> There is no federal requirement across the board for the retailer or the banks, or the retailer and the investigative services, or the banks and investigative services.
4:26 am
No breach requirement across the board? >> Not that I'm aware of. >> Can you tell me when the breach happened on Target? >> That is still an ongoing investigation. >> But when did the breach actually happen? Maybe that is an unfair question. When did the actual attack on the database actually happen? What date? >> It is an active investigation, so we cannot get into that. >> You cannot tell me how much time it was, before you found out about it to be able to start your investigation, from when the breach actually happened? >> No, I cannot at this point. >> It was not immediate. >> [indiscernible] >> I will not put you on the spot. You can take the Fifth if you want. It does not matter. >> In the public, December 15th, and then the 19th there was an announcement. >> There needs to be a breach notification because time is literally money in the
4:27 am
situation. There is a breach that happens and the retailer reveals the information, or for some reason the banking institution may want to hold that. I don't know why either one would want to, quite frankly. You guys need to know about it immediately, so you can start finding out where the bad guys are, if we are going to get to the bottom of it, right? >> Yes, sir. >> Your program focused on entry of criminals, and you highlighted investigations of networks where cyber criminals were able to install programs to be able to capture information from retailers. And it has already been talked about by the chairman. There are 40 million cards, 70 million people's personal information was given out. Can you tell me why they would be storing sensitive information on their own networks?
4:28 am
>> I don't believe in this case information on the cards was actually being stored on the network. >> How did they get the information? >> The information was being selected as the data was going through the process. >> OK, I got you. How did they get the 70 million? >> It was a heavy timeframe of collection in which the data was being collected by the criminals. >> So whether this was encrypted or not makes very little difference. I was under the assumption that this was on a database, that the information was not encrypted, and the folks that got into that database then encrypted the information and took it out. >> I think you're getting this from the media, perhaps. >> Perhaps. [laughter] >> This is an ongoing investigation. I cannot talk about the specifics of how this was
4:29 am
being done. >> I want to talk a little bit about the enforcement that you have. Right now, seriously speaking, of all the things you have to deal with, do you have any tools to work with that really work? >> We are doing a lot in this area. We are bringing enforcement, doing education. >> I'm not being critical of you. I'm being critical of us. >> We do want more tools. >> When was the last time your tools in dealing with this issue were dealt with from a policy standpoint? A revamp of your tools dealing with data breaches in the last 10, 15, 20, 50 years? >> We have received some new authority in this area, including a data breach law for a narrow class of health entities, personal health
4:30 am
records. The Gramm-Leach-Bliley Act was passed in 1999 or 2000, but it has been a while. >> We have some work to do, Mr. Chairman. Thank you. >> Receiving back 30 seconds. Senator Menendez. >> I appreciate you holding this hearing. When these issues broke in December, Senator Schumer and myself and yourself asked for this hearing. This is extraordinarily important. Ms. Rich, I have two particular lines that I want to pursue. I think Senator Warren opened the door to something that I think is incredibly important, which is what role should the FTC and the federal government create
4:31 am
with a standard? It seems to me that whatever high standard exists in the marketplace, readily available for technology, is one that we would want entities to follow in order to be sure of the security of millions of Americans' private information, critical information to themselves, to their credit retailers, to banking institutions. A standard that says, look at what is available in the marketplace -- we cannot expect a company that gets hacked and is already using the highest standards available in the marketplace to be held responsible. But if there was a standard available and that company or companies were not using that standard, then we have to question whether or not they made an investment decision not to go ahead and expend the resources for the higher standard. It seems to me that part of the
4:32 am
question is, and I know that the private sector has largely worked on creating its own standards, but is there a role for the FTC and the federal government to set a standard that says, look, whatever is existing in the marketplace that can, in fact, be achieved to give the highest protection available should be the standard? And if you don't pursue that standard, then you are subject to the consequences thereof. >> That is incredibly similar to the way we think about it now when we talk about having "reasonable security." Reasonable security means that you take into account what the risks are in your business, the sensitivity of the information you collect, how much information you collect, and the cost and availability of the measures out there in the marketplace. We analyze it. >> Does the industry understand they will be held to those
4:33 am
standards? I don't get the sense that there is an obligation per se to be held to that higher standard. >> One of the limitations we have in our work is we don't have civil penalties or the kind of sanctions needed to provide the right incentives to focus on this issue. >> I want to get to civil penalties in a moment. If we set a standard so that everyone has notice, here is what we expect of you, then -- and of course with industry input into that standard -- but it seems to me that we have notice, process, opportunity to be heard, and then we go away. I would like to pursue with the agency whether or not the standard is important, Mr.
4:34 am
Chairman. Secondly, with reference to additional authorities, in my letter to Chairwoman Ramirez asking about the Commission's efforts in the past, it seemed to me that she agreed that having authority to impose civil penalties would be a good authority to have. I don't think that is something you want to levy against every company. I think it goes back to a standard. If you are pursuing a standard, you are not held responsible. If you are not, then civil penalties may be available. >> It is very important to have civil penalties available as a remedy for specific deterrence when there has been a failure. >> Your testimony reasserts the
4:35 am
Federal Trade Commission's long-standing assertion, borne out through case history, that Section 5 of the FTC Act covers instances where a company fails to adequately protect consumer data. This assertion is based on the commonsense premise that customers have an understanding that companies will take reasonable steps to protect their data, and failure to do so would be an unfair or deceptive practice. However, companies have been challenging this assertion. If that is the case, that they will now challenge that assertion, it seems to me to call for not just voluntary efforts, but to create a standard and consequences of that standard that can give Americans the best security they can hope for. I hope to work with the committee and the FTC in that regard. >> Thank you, Senator.
4:36 am
One last comment. I know we have other questions, but we have a second panel. I will make one comment, and then if anyone's got a burning question, then we will go to the second panel. Senator Tester's comment, trying to get a notion of the obligation to disclose when you have been breached, I think sorting that through is going to be a challenge. There are so many attacks every day. You've got to set a standard somewhere that you have crossed a threshold. The concern I have is that you don't want to create the -- remember the Homeland Security color-code system that everyone proceeded to ignore? There needs to be a materiality piece. >> I agree with you. If a business withholds that information because it is in the heart of the Christmas shopping season and it will affect their bottom line, they need to be hung out to dry. >> Amen.
4:37 am
An earlier point that you made, Senator Menendez, where companies could have put on a Good Housekeeping seal that may or may not be valid, troubles me. We will move to the second panel. Thank you both. >> Thank you.
4:38 am
>> If the panel does not mind, I'm going to go ahead and start introducing you, even as you are getting in the process of getting seated. Gentlemen, thank you. The first panel was focused on our governmental witnesses. Now we will focus more on industry and consumers. Mr. James Reuter is Executive Vice President of FirstBank, located in Colorado, where he's been since 1987. He is also the President of First Data Corp., which provides all IT and operational support services for 110 locations. Mr. Duncan is Executive Vice President and General Counsel of the National Retail Federation, where he is responsible for
4:39 am
coordinating regulatory initiatives involving data privacy, bankruptcy, fair credit reporting, and truth in lending. He previously worked for JCPenney and for the FTC. Next, Mr. -- is a recognized -- on a wide range of issues. And Mr. Troy Leach is the Chief Technology Officer for the Security Standards Council. This is the industry council for setting standards for now. He works to develop strategies to secure credit card data and works on IT issues.
4:40 am
Gentlemen, thank you all very much. Mr. Reuter, why don't you start and we will go down the line. >> Chairman Warner, Ranking Member Kirk, and members of the subcommittee, my name is James Reuter, President of the support services at FirstBank in Lakewood, Colorado. We have over 115 locations and 2,000 employees serving Colorado, Arizona, and California. My operation provides information technology, payment processing services, a 24-hour call center, and electronic banking services for 115 FirstBank locations. I appreciate the opportunity to be here and to represent the ABA. Even with payment breaches, our payment system remains strong and continues to support the $3 trillion that Americans spend each year with credit and debit cards, and with good reason. Customers can use these cards confidently because their banks protect them by investing in
4:41 am
technology to detect and prevent fraud, reissuing cards, and absorbing fraud losses. At the same time, these breaches have reignited a long-running debate over consumer data security policy. The banking industry recognizes the importance of a safe and secure payment system to our nation and its citizens. We thank the subcommittee for holding this hearing and welcome the ongoing discussion. To be clear, protecting customers is the banking industry's first priority. As the stewards of the direct customer relationship, the banking industry's overarching priority with breaches like that of Target is to protect consumers and make them whole from any loss due to fraud. Banks swiftly research and reimburse customers for unauthorized transactions and
4:42 am
normally exceed legal requirements by making customers whole within days of customers alerting them. beyond reimbursing customers for fraudulent purchases, banks often must reissue cards to affected customers, at a cost of five dollars per card. in the end, banks receive pennies on the dollar for fraud losses and other losses incurred while protecting their customers. in fact, banks bear over 60% of reported fraud losses, yet have accounted for over eight -- for less than a percent of breaches since 2005. more needs to be done to stop this kind of fraud in its tracks. a national standard is an important step in this direction. in many instances, the identity of the retailer that suffered the breach is either not known, or oftentimes intentionally not revealed by the source. understandably, a retailer or other entity would rather pass
4:43 am
the burden onto the affected consumers' banks rather than taking the reputational hit themselves. in such cases, the bank is put in the position of notifying their customers that their credit or debit card data is at risk without being able to divulge where the breach actually occurred. often, customers blame the banks for the breach itself and any inconvenience they are now suffering. consumers' electronic payments are not confined by borders between states. as such, a national standard for data security breach notification as contained in senate bill 1927, the data security act of 2014, is imperative. retailers must improve their internal security systems as the criminal threat continues to evolve. criminal elements are growing increasingly sophisticated in their efforts to breach payment systems.
4:44 am
this disturbing evolution, demonstrated by the target incident, will require attention, resources, and diligence on the part of all payment system participants. let me make one final point. protecting the payment system is a shared responsibility. banks, retailers, processors, and all participants in the payment system must share the responsibility of keeping the system secure. that responsibility should not fall predominantly on the financial services sector. banks are committed to doing our share, but cannot be the sole bearer of that responsibility. policymakers, card networks, and all industry participants have a vital role to play in addressing the regulatory gaps that exist in our payment system, and we stand ready to assist in that effort. thank you. i will be happy to answer any questions you might have. >> mr. duncan, please.
4:45 am
>> thank you, senator warner, ranking member kirk, members of the senate committee. collectively, retailers spend billions of dollars collecting consumer data and fighting fraud. most of the data breaches we have seen, either at retailers that you've heard about, or at banks and card companies about which you have heard less, have been perpetrated by criminals. the companies are victims. we need to reduce fraud. that is, we should not be satisfied with deciding what to do after a data breach occurs, who to notify and how to assign liability. instead it is important to look at why such breaches occur and what the perpetrators get out of them, so we can find ways to reduce and prevent not only the breaches, but the fraudulent activity that is often their goal. the data breach report revealed that 39% happened at financial institutions, 24% at retail, and the remainder at others. it may be surprising to some given the recent media coverage
4:46 am
that it happens more at financial institutions than retailers, but the thieves focus on banks because they have the most sensitive information. in 2012, the u.s. accounted for nearly 30% of credit and debit charges, but 47% of all fraud losses. who bears these costs? independent studies vary. retailers bear anywhere from nine percent to 40% of the payment card fraud costs. we think that a fair assessment is that retailers pay about half. why is fraud increasing? the thieves go where the rewards are plentiful and easiest to obtain. unfortunately, our card data system is outdated and rife with opportunities for fraud. despite billions of dollars spent by merchants in becoming pci compliant, we still have fraud-prone cards that are attractive to thieves. unlike the rest of the world, u.s. cards still use a signature and magnetic stripe
4:47 am
for identification. -- on our system being so porous. even though the information is visibly printed on the card, even though security information can be lifted off a magnetic stripe by a 12-year-old, and even though security measures are virtually worthless, it is our responsibility to guard that information at all costs. retailers work very hard to do it, but the requirement does not really make sense. what is needed is for the networks and banks to issue cards that are not so easily compromised. at a minimum, we need to replace the signature with a pin and the magnetic stripe with a chip. even that won't be state of the art. it is three quarters of a generation old. but fraud dropped 70% when it was adopted in britain, and fraud is growing here because it has not been. we must adopt it here. the pin authenticates the
4:48 am
cardholder and that helps protect the merchant. the chip protects the bank. together they greatly reduce fraud. the banks know this combination is very powerful. they promote it all over the world, but here in the u.s. they are proposing signature and chip cards, -- as one of them cutely calls it. it is an ineffective half measure, the locking of the back door while leaving the front door open. why adopt a halfway measure? merchants would still need to buy equipment that would combine 1990's technology with a 1960's relic signature in the face of 21st century threats. if congress is really concerned about fraud, it ought not seriously consider this absurd solution. -- one way to provide
4:49 am
security, but it relies on banks to protect their data. today's smartphones -- we lay out a number of proposals in our written testimony. it is important, however, that the federal law should ensure that all entities handling the same type of sensitive consumer information, such as payment card data, are subject to the same statutory rules and penalties with respect to notifying consumers of a breach affecting that information. in closing, three brief points. first, retailers take increasing payment card fraud very seriously. merchants already bear at least an equal if not often greater responsibility when there is fraud.
4:50 am
we did not design the system or issue the cards. we will work effectively to upgrade the system, but we cannot do it alone. second, the vast majority of breaches are criminal activity. no system is invulnerable to the most sophisticated and dedicated of thieves. consequently, eliminating all fraud is likely to remain an aspiration. nevertheless, we will do our part to achieve that goal. it is long past time for the u.s. to adopt pin and chip technology. if the goal is to reduce fraud, we must at a minimum do both. >> thank you, chairman, and members of the committee. i have been working on these issues for some time. my views, i think, are somewhat in line with the merchants, but also somewhat not in line with the merchants.
4:51 am
the target breach itself, i want to make one point about that. the breach occurred with information that allows fraud to take place on your existing accounts for the first 40 million consumers who were breached. for the additional 70 million, the information that was collected allows phishing attacks to try to obtain more information to commit identity theft. but i think the biggest risk to customers of target is fraud on existing accounts. the provision of credit monitoring, which they are giving for free, but is normally an overpriced junky product, really creates a false sense of security. it will not stop fraud on your existing accounts, and it will not stop identity theft. it will simply tell you when your experian account has changed. it could be because of identity theft or something else, but it will be after the fact. that is one point i wanted to make about
4:52 am
the target breach. and another thing about the target breach, they are not absolved completely. i have seen different stories about whether they were or not in violation of the highest standards. we will know that when they testify in the next few days. but whether or not they were in violation of the pci standards, those standards were cobbled onto an obsolete technological platform. it is like trying to put disc brakes, airbags on an edsel. -- constantly being asked to add different bells and whistles to an obsolete system from the mid-20th century. that is a problem that the banks and the card industry have a lot to answer to with these problems. i want to make a couple of quick points that are in my testimony. i was encouraged,
4:53 am
chairman warner, when you mentioned the debit card protections should be increased. we strongly support the idea that all plastic should be equal. the zero liability promise that banks make is just a promise. it is not the law. i only use credit cards. i never use debit cards. the other problem, of course, with a debit card is that you lose money from your account until they complete their investigation. you could have other checks bounce. the second point is technology neutral and technology forcing. you should have a law that encourages continuous increases in the use of better and better technology. and as mr. duncan pointed out, it should be open, and competitors should be allowed to come in. if you look at the networks, the two big ones are a duopoly. they have all of the standard characteristics of a duopoly. they seek excess rent and they don't like new technology and they don't like competitors.
4:54 am
that has been a problem. you should look at the pci standard setting body. do the merchants have adequate input into it? do the regulators or the ftc have enough review of it? you should not enact any new legislation that preempts state laws. if congress enacts a good enough law, it does not have to preempt state laws. the states will move on. they will do other things. but if congress does not enact a good enough law, the states are the first responders. my testimony has detail from 2003 when the fair credit reporting act did not include adequate identity theft reforms. 46 states passed breach laws. 49 states gave consumers the right to freeze their credit report. those were important things that the states did. whereas every bill that i've seen to some extent not only preempts breach law, which
4:55 am
is their nominal purpose, but goes further and preempts any right of the states to do anything in the future. i think that is the wrong way to go. another point that we make in our testimony is that if you do enact a breach law, it should be on an acquisition standard. this should not be a harm trigger. the company that did not protect my information should not be allowed to decide whether or not to give me notice. a point that i do not make in my testimony but i have made in previous testimony before the commerce committee is that i strongly support any effort to increase the ftc's authorities, including the right to impose civil penalties for a first violation. thank you, and i look forward to any questions you might have. >> my name is troy leach. i am the cto of the pci security standards council, a global industry initiative focused on security of payment card data. our approach to an effective security program is people, process, and technology as key
4:56 am
parts of data protection. our community of over 1000 of the world's leading businesses tackles security challenges from simple issues, for example, the word password is still one of the most commonly used passwords, to really complex issues, such as proper encryption. we understand consumers are upset when their data is put at risk. we call on banks and merchants and others to proactively protect credit card data. remove cardholder data when it is no longer needed. when needed, then protect it through a multilayered approach with innovative technology that reduces the incentive for criminals to steal it. let me tell you how we do that. the data security standard is built on 12 principles. everything from strong access control to monitoring networks, annual risk
4:57 am
assessments, and much more. this is regularly updated through feedback from our global community. we developed standards that cover payment software, point-of-sale devices, and secure manufacturing of cards. and we developed standards and guidance on emerging technologies like tokenization and point-to-point encryption. tokenization and point-to-point encryption work in concert with other pci standards to offer additional reductions. emv chip technology is widely used in europe. it is extremely effective in reducing card fraud in the face-to-face environment. that is why the pci council supports deployment of the chip technology. however, it is only one piece of the puzzle. we need to include encryption, proper access,
4:58 am
malware protection, and more. these are all addressed in the pci standards. used together, these can provide strong protection for payment card data. but it requires more than just standards and technology. without ongoing adherence and supporting programs, these are only tools and not solutions. the council makes it easy for businesses to choose products that have been lab tested and certified as secure. the council's education and training programs have educated tens of thousands of individuals, including merchants, technology companies, and governments. we conduct campaigns to raise awareness about credit card security. the council welcomes the committee's attention to this critical issue. the recent compromise underscored the need for a multilayered approach. there are clear ways the government can help. for example, by leading stronger law enforcement efforts worldwide, particularly because of the global nature of the threat, and by
4:59 am
instilling stiff penalties for these crimes. the council is an active collaborator with government. we work with nist, dhs, and many other government entities. and we are ready to do more. we believe the development of standards to protect credit card data is something that the private sector, and pci specifically, is uniquely qualified to do. the recent breaches underscore the complex nature of credit card security. they cannot be solved by a single technology, standard, mandate, or regulation. they cannot be solved by a single sector of society -- business, policymakers, and law enforcement must work together to protect the interests of consumers. the committee focuses today on recent breaches, but we know that criminals are focusing on the next attack.
5:00 am
there is no time to waste. congress must act to combat global cyber crimes that affect us all. we thank you for paying attention to one of the largest security issues of our time. >> i made this comment in my opening statement, but i would like to make it again with you sitting in front of me. it is my strong hope that as we approach this issue we recognize, rather than pointing blame at each other, that the only way this is going to work to protect consumers and give them the confidence they need is to have the banking and retail industry collaborate together. we do not need another replay of a multiyear legislative battle when hackers are not going to take a timeout and american consumers are going to be increasingly at risk.
5:01 am
mr. leach, in the spirit of your comments, i'm going to do a lightning round. i will ask you to keep your comments as close to yes or no as possible, recognizing of course, that there is not a single technology solution. we are seeing a dramatic decrease in europe in face-to-face transactions concerning fraud now that they have moved to the chip and pin method. what do you think of our country moving to that technology? >> we have embraced the chip and pin technology. we have laid out a timeline that moves the industry there by october of 2015. >> let's get there. >> mr. chairman, i take to heart your comments about not pointing
5:02 am
fingers at each group. as i said in my testimony, if we are to have effective protection, it's got to be, as you said, pin and chip. if you listen to the response that was just given, it only mentioned the chip. that is closing the back door and leaving the front door open. >> it sounds like you are saying yes to chip and pin. >> absolutely, full chip and pin, not chip and signature. but do not leave that as the ceiling. make sure you can get more. >> we are supportive of chip and pin technology as well. >> as i learn this, i want to make sure that i'm getting it. chip is different than chip and pin. are you supportive of chip and pin? >> we are supportive of chip and pin. it is important to keep in mind, though -- >> i got it. i think that is great progress today. i think we are all in agreement.
5:03 am
i did not realize my debit card did not have the same protections. i think again about the fact that where the growth in debit cards is coming is with younger folks and the younger banking community, who are potentially the most vulnerable. it would seem to me that equalizing cards on the same standard makes common sense. give me a reason why not. >> as a practical matter, we invoke a zero liability policy. today, if you did not authorize it, you are not responsible for it. >> i don't want to get you in trouble with the aba, but is that an endorsement of the equalization in truth in lending -- truth in reporting? >> i believe from the legislative perspective, the way we are all performing as banks, i'm not sure that additional legislation is needed, because we are adhering to a zero liability policy as a business
5:04 am
practice. >> but there is no practical reason why you would want to have a difference between different types of plastic. >> no. >> we believe it would be a good idea. >> i want to emphasize that chip technology is in the clear. we still need additional security protections to that. we are supportive. >> i would add, senator, that zero liability may not occur in all circumstances. it may only apply to signature transactions, not pin-based transactions. that is the answer to the question debit or credit. debit means using a pin. credit means it's still a debit card, but you are using it on the signature-based credit card network. also look at the zero liability contract and say, what if i had two violations in a year, do they honor the second one? because some banks don't.
5:05 am
>> interesting. i would like to get more on that. i have a question. we have focused on the challenges around the cards. i would make a comment, though, that the cards do add an extra layer of protection, because of some of the network and because of the technologies that may not even be fully up to snuff at this point, versus what is the real achilles' heel, which is everyone moving toward online financial transactions. think about how many of us pay our utility bills or college tuition online. if they can get into the personal data information, that is something that there are no limits on, in terms of exposure. we are much more vulnerable. my time has expired, but i would say that chip and pin is a good step forward.
5:06 am
continuing the notion that mr. leach said, recognizing tokenization and other abilities for online transactions, trying to put a level of protection on them is something that needs a lot more study. >> let me follow up with mallory. i agree with you that parliament has done a much better job than congress moving to chip and pin. i was struck by your comment that fraud was reduced in the u.k. by 70% by using chip and pin. for those of us with lots of friends in the u.k., you will see them pull out their card with a pin and -- the backwardness of the u.s. banking industry. how much would it cost your members to move to a full u.k.-based chip and pin? >> senator, we would have to
5:07 am
replace all of the card readers in the store. there are approximately 3.5 million retailers in the u.s. many of them are just a one store location. others have a dozen on each floor. if you multiply that times approximately an average of $1000 or more per unit, it is several billions of dollars to replace those, and some amount of time. >> in general, i took from your testimony that the retail federation would support making that move. >> we absolutely would. in fact, some retailers have already begun to install pin and chip readers in their facilities. >> let's identify the heroes. who was the first? >> i cannot tell you who the first was, but they tend to be larger retailers who experience more international clients, like home depot or best buy.
5:08 am
>> i'm very supportive of moving toward chip and pin. the data on the u.k.: when we saw chip and pin and face-to-face transaction fraud drop dramatically, it was like squeezing a balloon. you saw online fraud in the u.k. shoot up something like 30%. senator warren. >> i will just pick up on the same point about chip and pin. we understand why chip and pin works better. it seems that we are years behind europe in developing adequate technology. the technology is out there, but -- applying it here in the united states. it is interesting, in your testimony, mr. leach, you said that you think that standards are best left to private organizations such as yours. that is what we have done, and now we are way behind in technology and have become targets for data attacks from around the world.
5:09 am
so should we leave this to organizations like yours? >> senator, that is a very fair question to ask. for us, we look at it as being people, processing, and technology. we have not migrated to chip, but we have advanced fraud monitoring tools, the best in the world, as well as looking at other measures that are more cost-effective, like tokenization. >> let me make sure i'm following you. i thought i had heard in this conversation that we were uniform in our agreement that the way we should go now is to chip and pin. and you are telling me we have other things we can do, which i'm not disagreeing with, but i'm asking the question -- why haven't we hit the basic chip and pin standard? >> that question is probably not for a standards body like myself. our role is to develop secure
5:10 am
standards with what we have today. >> fair enough, but your testimony was not just that we have great standards if someone wants to adopt them. your testimony, as i understood it, was that the standards should be left to private organizations and not the government to say you've got to meet the standards put out by the other organizations that we have developed in other ways. it sounds to me like we may need some pressure from the government to make sure the toughest standards are used. maybe i could ask the question, why hasn't it been adopted already in the united states? >> i would like to talk about why the rest of the world is ahead of us on chip. the u.s. has a very robust telecommunications system. years ago in other parts of the world they did not have as robust a communication system. they deployed the technology to
5:11 am
solve that problem. it was not driven by fraud measures. as the u.s. has seen more breaches at retailers, we are embracing the chip technology here. the reason i keep leaving out pin is that the data is static. the chip renders the compromised data useless. -- static element. i appreciate and support the ongoing debate on chip and pin, but i would hate to delay the deployment of chip technology on this one issue. it has the biggest impact on fraud. >> both parts of your question, let me make sure i understand your point. i understand you had reasons to go to chip early on. are you saying the banks have just now discovered that chip and pin would
5:12 am
be the better solution? >> we have been working toward putting chip technology in and laying out the timeline. there are eight million retailers. >> it was only in 2011 that the banks figured out that it would be a more secure system? >> there were conversations before that. that is when the actual timeline was laid out. >> it looks like the europeans have done more to protect themselves. why don't i invite mr. duncan to weigh in on whether chip and signature would be a better approach. >> your signature is on the back of your card. if you lose it, there is an example there for them to copy. if you want security you have to have pin. so the idea that there are slightly different systems and
5:13 am
we should not use both, imagine putting burglar alarms in your house. you have one for protection on the doors and one for the windows. why would you say this works differently? if you want security, you have got to have a whole system. you have to have pin and chip. i'm flummoxed as to why anyone thinks otherwise. -- to me that the retailers have delayed, the retailers have delayed. >> thank you. i'm getting conflicting data here. -- one of my constituents in montana that has 7% of their debit cards that were impacted by the recent breach. it was only 12,000 cards. in their particular case, it cost them about $60,000 to replace them.
5:14 am
it did not include any additional cost, or the cost of monitoring fraud. as it happens, i got a call from the credit union located in the hart building. it said your account has been breached. we think it would be wise if you were issued a new credit card. we are very appreciative of that. they did. i actually visited with someone from the credit union. it cost about 30 million bucks -- the recent breach on them. that does not include any of the fees that were back there, because i asked the credit union. i said if this card is used somewhere else by somebody else, and they run up a charge, will i have to pay for it? they
5:15 am
said they would take care of it. what do you think the prospects are for a particular bank to get reimbursed for fraud cost? >> almost 65,000 cards. that came as a result of us learning more about the breach and customer demand. our call center, we took an extra 30,000 calls over three weeks. we have invested quite a bit. >> target has said they will make sure customers are made whole and have zero liability. >> we as banks shoulder the responsibility. >> did target reimburse you? >> no. >> what has been your experience recovering fraud cost?
5:16 am
>> we recover very little. pennies on the dollar. >> let's talk about the cards. i mean look. i love to pay in cash. i would rather pay in checks but that's not the way it works. i end up using my credit card a lot. i use credit cards almost exclusively myself. and this is for you, mr. duncan, if retailers are concerned about fraud, what is preventing them from doing more identity checks when you go to the checkout line? they do not even ask to look at my signature anymore. they don't ask for a credit card. they do not ask for anything.
5:17 am
they take the credit card and swipe it. sometimes they just say you swipe it. what are the merchants doing to help prove identity at point of sale? >> one thing we would like to do is have a pin identification. we think that would help. >> we don't right now. i think we can all agree that we would like to go that way. we had a breach. everybody at the table said they were concerned about it. the retailers are concerned, what are they doing to help stop the breach now? >> as i mentioned, there is a lot in your question. i mentioned we spend billions hardening the systems so the bad guys cannot get at the information. we encrypt the information. in terms of signature at the checkout, card associations told us we are not allowed to ask for
5:18 am
identity information along with that. >> really? >> i guess they consider it a hassle to the consumer if we ask for additional information. some merchants do it anyway. >> they used to do it all the time. >> we are told we are not allowed to do it. >> that is interesting. i want to talk about the cost with the chip and pin. $3 billion would cost the merchants, there are a lot of small merchant folks out there where that is quite a bit per machine. who would pay the $3 billion? would that be picked up by the retail association? is there support for chip and pin? >> it will come out of the retailers' bottom line. we would do it to improve security. they told us we may not reject a
5:19 am
transaction based on the signature. looking at a driver's license, you can still not reject it. >> it would be interesting to flesh that out some more. you can ask for an opportunity. that is where the key is in a card. if i lose mine and you pick it up and use it, they are going to know. >> if it is a feminine handwriting, they would still have to accept the transaction. >> my handwriting used to be worse when i was left-handed. thank you very much. you mention credit unions. we have lots of interest. we have testimony from credit unions and other organizations who have submitted for the record. i would also point out that second security check at the
5:20 am
checkout, think how many transactions are automated now. >> a lot of the times they didn't even take the card. >> or you go to the grocery store and checkout without a person. >> thank you. you have had a big discussion on chip and pin technology that has been around more than a decade. it is widely used in western europe. i see several of you caution against adopting a similar standard by law that would lock in any specific technology. if we do not adopt a federal legal standard that favors one technology over another, couldn't we still have a standard of some performance? at that point, shouldn't it be considered an unreasonable security risk for a company not to be using chip and pin
5:21 am
technology or something that performs equivalently? >> senator, in my testimony we definitely say we should not adopt a specific standard. i certainly think, and i'm not the world's biggest expert, that chip and pin is a higher standard than signature. if you have a technology forcing standard that it needs, that is a good way to go as long as it is an open standard that encourages more and better technology to go forward. >> what about the banks and the retailers? >> setting a specific technology standard is not a good idea because of how quickly the fraudsters keep changing and adapting. as far as a standard, we all do the best we can with the
5:22 am
technology. i think that is fine. we would like our partners to do the right thing and adopt chip and pin technology. >> earlier, a number of retailers are beginning to explore mobile as a possibility. we want to be careful congress would not do something that slowed down that transition to even more secure systems in the future. >> that is why i am saying not supporting a specific standard. i get the sense everybody is worried about what congress will do. we are worried about what you all will do. i hear banks say retailers should have more liability. i listen to retailers say banks should have more liability. the entity getting screwed is consumers. we have a different paradigm as to how we get here. it seems to me, as i was posing a
5:23 am
question that creating some type of standard that does not necessarily lock you into a technology that may in time be a dinosaur, but does ultimately create a standard of responsibility, is important for both the banks and the retailers at the end of the day. i know the card industry likes setting its own standards. i understand why. at some point there is a responsibility to the consumers and the economy. it is not good for retailers, not good for banks, when we have data breaches. it is not good for the card companies in terms of confidence. i would like to hear, you asked whether the actual regulators should have a greater role in setting security standards.
5:24 am
you raised the question of whether we should have a standard enforced by contract on all parties in the chain of possession of consumer financial data. isn't that part of the goal here? a standard that can be applied and we can ultimately make judgments? if there is a data breach, there's not much more you can do. you did all of the things you could. if you do not have a standard, we never know what is the right engagement by the banks and the retailers in the protection of consumers. i understand you are conducting an ongoing series of hearings on thursday. the regulators are coming in. it is useful to ask them should there be a federal performance standard that is enforceable by the regulators? do the regulators have the authority to look at, and maybe they do already,
5:25 am
determine whether any industry-standard body is performing adequately to protect the safety and soundness of the financial system? >> yes, i agree. banking institutions already have to comply with a number of data security standards. it is not only something that is written and we have incident response, but we are examined on a regular basis. that is why we are not opposed to setting standards. we are already obligated to follow standards today. >> i appreciate that. may i have one final question? it goes to you as a consumer advocate. we have seen an economy that is increasingly data driven, with companies storing and
5:26 am
processing even greater quantities of consumer information, often against consumer wishes or even without their knowledge. in the financial service industry, for example, we hear stories about data mining sources to inform underwriting decisions. companies aggregate more data. the consequences of a breach become greater as it expands. we have seen breaches of at least two kinds of customer information. what if the next breach involves information like purchase history or social security numbers? are you concerned about the rise of big data? what can we do to get consumers greater control over their data and reduce the chances of a
5:27 am
breach and minimize the harm to consumers if a breach occurs? should we be putting limits on what companies can store without a consumer's affirmative consent? >> you raise a question i could talk about for two hours. at the end of my testimony, i refer to a recent federal trade commission comprehensive report on privacy and a paper i've written on this very subject of big data being used for financial decision-making. as was pointed out, much of the big data that has been collected is now starting to be collected in the mobile landscape as well. in addition to credit card information and virtual information about the kinds of things you buy with your cards, we now know where you are and what you are doing at any particular time. locational data is something i think congress should look at as well.
5:28 am
i would be very happy to talk to you about this internet ecosystem. it used to be you had a bank and a merchant and a credit bureau that had information about you, and direct marketing companies, but they did not have very much information. there are hundreds if not thousands of interconnected business-to-business companies on the internet buying and selling information about you today and auctioning you off in real time to the highest bidder. many of them are predatory businesses. i would urge the committee to hold a hearing on lead generation. you are taken to a site that just bids you out to the highest bidder. there is a lot of work that needs to be done. consumers need greater rights. there are some bills that are just parts of it. we would be happy to talk further on it.
5:29 am
>> i can see there can be some value to have some degree of information. by the same token, i am concerned about the scope of where that information is, and finding the right balance is incredibly important. i thank you for the indulgence. >> a couple of closing comments. we are just the first of what is going to be a series of hearings. the american public is very concerned about this issue. we can either do it in a collaborative fashion or we can do it in an adversarial fashion. i am not even saying congress versus industry and consumer groups. you all collaborating together. it is terribly important.
5:30 am
i think we have seen today across the panel there was a sense that we need to move aggressively to chip and pin. i cannot imagine chip and pin versus chip and signature. it seemed like beta versus vhs. there is a little bit of that in the sense that a chip and pin declaration of victory is early. i point to the u.k. circumstance where point-to-point fraud went down but online fraud went up. we have not seen the potential for mobility we have for online transactions. i was a technology guy. there is no consumer protection in that space at all. mr. mierzwinski, you may have gotten a win since they agreed
5:31 am
to put all cards to an equal standard. maybe we have made some small progress as well. i close out my comment with two points. if we think about this more holistically, i'm learning this notion of tokenization, so there is encrypted data regardless of where your transaction takes place, is something we need to go through. you do not want to go out and buy a terminal that is going to be outdated six months or a year from now. how you keep that in some sort of open system so it cannot be cobbled on. what we did not get to: whoever has the data, how will it be kept secure? wherever it
5:32 am
stands, what are the obligations to keep that information in a secure fashion? that is a topic that we will come back to. i want to thank my colleagues. i want to thank both the first panel and the second panel. this estimate was a $300 billion hit to our economy last year. it is dramatically going to be higher. we need to get ahead of this. i look forward to working to find the solutions. thank you all. these letters will be added and the hearing is adjourned. [captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2014] >> on the next "washington journal," a debate over raising the debt ceiling with peter welch. then, dana rohrabacher will take
5:33 am
questions about security at the winter olympics in sochi. we will look at president obama's executive order to raise the minimum wage for federal contractors. our guest will be stan soloway, ceo of the professional services council. we are looking for your calls, tweets, and facebook comments. "washington journal" live on c-span at 7:00 a.m. eastern. a couple of live events to tell you about on c-span3. the senate judiciary committee will hold a hearing on preventing cyber attacks and crimes; witnesses include the head of the ftc and representatives from neiman marcus and target. live at 10:15. a house oversight subcommittee looks at federal marijuana
5:34 am
policy and states that have legalized marijuana possession. witnesses will include the white house deputy director for national drug control policy. >> the new c-span.org website makes it easy for you to find and watch all c-span's coverage of official washington. look on our homepage and a space called "federal focus." comprehensive coverage of house and senate debates, press briefings from the white house, capitol hill, the state department, and the pentagon. plus, supreme court oral arguments and appearances by the justices. watch live or on your own schedule. "federal focus" on c-span.org, keeping tabs on what is happening in congress, the white house, and the courts.
5:35 am
>> treasury secretary jack lew said today the government could quickly default on its debt once the borrowing limit is reached later this month. he explained that tax refunds and other factors would force the government to spend its reserves faster than at other times of the year. this is followed by a panel discussion on the debt ceiling. this is an hour and a half.
5:36 am
>> good morning everybody, i am jason, the president of the bipartisan policy center. i want to thank you for coming out on this dreary morning for what i expect may be a sober conversation. and to save time, why doesn't everyone just insert their own super bowl metaphor now? [laughter] it is my great honor and privilege to introduce the country's 76th treasury secretary, mr. jack lew. he's an honest broker and a tough negotiator. he had a long career in washington from working with tip o'neill to president clinton, two tours at the office of management and budget. mostly, he is liked and respected by everybody, which brings us to today. for the bipartisan policy center, congressional irresponsibility has been a cottage industry. we have received quite
5:37 am
substantial and deserved credit for putting out the same thing six or seven times over the last several years. for everyone else in the country, this has become a pretty ridiculous and repetitive wound we have had on our economy. to help us understand where we're at today, it is my great pleasure to introduce mr. secretary. [applause] >> thank you. we have many distinguished people here: jim renacci, senator pete domenici, bill hoagland, people i have worked with. i am missing other people and i apologize. the bipartisan policy center has been at the forefront of shaping
5:38 am
public policy since it was started seven years ago. at a time when the nation critically needs a place for bipartisan discussion of complex issues, this has become that place on a broad range of important topics. a perfect example of that is the role that this organization has played to shed light on the importance of protecting the full faith and credit of the united states. i want to emphasize, as the president did last week, this can and should be a breakthrough year for our economy. our economy ended 2013 strong and is poised for growth in 2014. the table is now set for us to build on the economic progress we have made over the last five years, and it is incumbent on washington to be part of the solution, and to avoid what has done so much to diminish economic
5:39 am
momentum. it was not that long ago that the worst recession since the great depression wreaked havoc. the combination of a swift response beginning in 2008 and continuing with this administration, as well as the hard work, determination and resilience of american businesses and workers: through this we are coming back. the private sector has created 8 million jobs and our economy has been steadily expanding. the housing market is rebounding, manufacturing is on the upswing, the auto industry is surging, we are on a path towards becoming energy independent. we have seen our deficits cut by more than half over the last five years. still, we're not where we want to be, and not where we need to be. we must continue to build on the progress we have made by doing all we can to help the economy grow faster, help businesses create more jobs, and help more americans acquire a basic level of economic opportunity and security. that is why the bipartisan
5:40 am
action in the house and senate to pass a budget at the end of last year, and an appropriations bill last month, is so noteworthy. democrats and republicans found common ground, made compromises, and worked together to reach an agreement that keeps our government running through the end of this fiscal year. it is real policy instead of letting us run on autopilot. the specter of another shutdown is behind us. with economic headwinds generated last year by the across-the-board cuts, we see that cut down substantially, and sequestration has been reduced. importantly, policy decisions in the omnibus bill also provided an opportunity to move forward with smart growth initiatives like early childhood education, and expanding the number of manufacturing centers. that translates into real opportunities for children to
5:41 am
start programs and for students in community colleges to develop the skills they need to develop cutting-edge technology. while this is a step in the right direction, lawmakers have another responsibility that they must meet. even though the house and senate approved the budget, passed a bill to keep the government running, they did not provide resources for the commitments they made. they passed a suspension of the debt limit that only goes to the end of this week. after that, in the absence of congressional action, the treasury will be forced to use extraordinary measures to continue to finance the government. in just a matter of days, the temporary extension of the debt limit will end, and the treasury department will have to start using extraordinary measures so the government can meet its obligations. at different times of the year these extraordinary measures provide a cushion that depends on variables that we cannot control. at some points in the year, there are large trust fund investments that can be
5:42 am
deferred, providing a larger amount of borrowing capacity. that spending, which varies from month to month, determines how quickly the headroom provided by extraordinary measures will last. unlike other recent times where we have had to use extraordinary measures to keep financing the government, this will only give us a brief span of time before we run out of borrowing authority. in february the same trust funds that were available last year are not available. at the beginning of tax season, borrowing capacity is depleted quickly. now we are likely to exhaust these measures by the end of the month. bpc came to the same conclusion. they will not last very long. after we exhaust this borrowing capacity, we will be left with only the cash we have on hand and any incoming revenues to
5:43 am
meet our country's commitments. we will draw down our cash balance faster than at other times of the year. without borrowing authority, at some point very soon it would not be possible to meet all of the obligations of the federal government. given these realities, it is imperative that congress move right away to increase our borrowing authority. it would be a mistake to wait until the 11th hour to get this done. as house speaker john boehner has said, not only should the u.s. not default on its debt, we should not even get close to defaulting. the fact is, delaying action on the debt limit can cause harm to our economy, rattle financial markets, and hurt taxpayers. just think about it. around this time last year, we had a standoff, and we saw consumer and business confidence dropping and investors and
5:44 am
market participants publicly question whether it was too risky to hold u.s. debt. such a question should be unthinkable. the bottom line is, time is short. congress needs to act to expand the borrowing authority of our nation, and it needs to act now. it is important to remember that increasing the debt limit is congress's responsibility, and congress's alone. only congress has the power to extend the nation's borrowing authority. no congress in history has ever failed to meet this responsibility. still, some in congress have suggested that extending the borrowing authority would be tied to spending cuts. one republican said, the time to fight for spending cuts is not the debt ceiling time. it is about fulfilling obligations that congress has
5:45 am
already made and paying the bills that have already been incurred. refusing to raise the debt ceiling has nothing to do with new spending. it is about fulfilling spending obligations. the truth is, the longer we wait, the greater the risks to come. i continue to urge congress to increase our borrowing authority in a timely manner and have provided updates on our ability to finance the government. whether it is the economic recovery, the financial markets, or the dependability of social security payments and military salaries, these are not things to put at risk. in the aftermath of last year's shutdown, lawmakers understood how much of an impediment washington had become to economic growth. there is no reason to repeat the mistakes of the past.
5:46 am
progress in washington around the budget and a farm bill can mark the beginning of a productive time, without the delays and political posturing that could snowball into a manufactured crisis that the american people so clearly want us to avoid. thank you, and i look forward to taking a few of your questions. [applause] >> we have time for a few questions, and please introduce yourself. senator conrad. >> welcome, mr. secretary, glad to have you here. we're so glad you are in that position. the question that comes to mind, what are the single most important things that congress could do right now to strengthen the economy, and improve job creation? >> i think that the first thing is just to make sure that we do
5:47 am
not have a repeat of the kinds of self-inflicted wounds we saw last year. we saw over the last two or three years, the economy picked up momentum and then things got jammed up in washington, and confidence went down and the markets became volatile. the very first thing that we could have congress do is do its business. the debt limit is the last piece that has to happen for people to breathe a sigh of relief that we do not see the kind of brinkmanship that causes anxiety not just here in the united states, but around the world. moving beyond that, there are a number of things where there is a bipartisan consensus, where congress can move forward, and it would help the economy. i believe that immigration reform has a bipartisan consensus, and
5:48 am
it could very much help our economy. there is a bipartisan consensus to make progress on infrastructure. i think skills training is another area; when we go out and talk to employers in this country, as i did on friday in virginia, the question that you get asked is can we rely on the infrastructure, and can we rely on the fact that there will be generation after generation of workers with the skills we need? there's quite a lot to do to move the economy forward, and tax reform is the fourth item. in business tax reform, there is a convergence of thinking. i'm going to continue to be optimistic that there are things that not only congress could do, but there is a bipartisan consensus to move things along. >> governor keating? >> mr. secretary, demographics are destiny.
5:49 am
both of us who served on the domenici panel at the bpc, on both sides of the issue, tax policy, regulatory policy, and the like, were stunned at what is coming. once again, it is not a cliff, it is a chasm in terms of the next 15, 20 years in terms of debt and deficit. in part, on occasion, caused by a very good thing, that we are living a lot longer. how do we address that, and what are your thoughts on this very serious future challenge in the debt and deficit categories? >> we look at demographics in the united states, and they are much more positive than in other parts of the world. we have more young workers than other countries do, we have the ability to grow with immigration reform, and we have a history of growing our population by being a magnet for people who want a better life and to build our economy.
5:50 am
when you look at these long-term trends, there is a need for bipartisan discussion about how we can deal with some of these in a balanced, fair way. that is how we have made progress on social security and tax reform in the 1980's. it is going to take a bipartisan consensus, which frankly has been a little bit challenging to reach. when you look at the next 10 years, we are on a very good path. we have seen the deficit drop dramatically; it is a very significant measure. the first step to dealing with the long term is to deal with the short term. we are on a path towards dealing with the next 10 years. i believe that when the time comes for bipartisan conversation, we can keep faith with social security and keep the program as we know it, keep medicare as an entitlement for senior citizens, and we can make the kind of policy that will make the difference.
5:51 am
we have had a challenge finding the space where you can have a balanced approach. balance means that you look at both sides of the equation. as we've said in the fiscal policy for a number of years, we need to balance revenue and spending, and that is where the difficulty has come in. i am not sure this is the year for the long-term fiscal challenge to be dealt with; i believe that we have made so much progress in the short and medium term, we have a little time to deal with the longer term. what we need is to develop a track record of being able to work together, develop some trust across the aisle. if we can get some of the other things i mentioned done over the next 18 months, that would be an excellent foundation to tackle the harder problems as we go forward. >> we have time for one more question. joe? >> mr. secretary, every time we have got around this bush the
5:52 am
last few years, you always heard the statement that the united states should not default on its debt, but -- and then the sentence continues. usually the condition is there are things that we ought to do, and that the debt limit should be a motivator. is it suitable for one side in that kind of discussion to hold open, just in case, the prospect of tanking the global economy and taking u.s. households down with it for purposes of negotiation? >> what we saw in 2011 was different from anything we have seen in the previous 30 years we worked on these budget issues. we have never seen the argument made that "if i do not get my way, we will default." that is not an acceptable way to deal with the debt limit. the president has to take a firm position that that cannot be the way we deal with it. we cannot have every year or every six months this
5:53 am
high-stakes threat that if you do not capitulate on a matter of broad policy, then we are going to default. because one side is being responsible and says we cannot default and part of another side says we are -- we cannot. i think the president's position on this has been a practical one. he said if you flip the parties and have a democratic congress and a republican president, he would have just as strong a conviction to pay our bills. we saw the senate move forward with an innovation, the mcconnell rule, that made it a little bit easier for congress to deal with a couple of times, by putting it on the president to raise the debt limit and giving congress the ability to object without blocking it. there are ways we can deal with this to give both sides the chance to have their views reflected. what we cannot do, we cannot accept the
5:54 am
notion that for the first time since 1789 we would not pay our bills in full. it is unacceptable to leadership on either side, which is why i'm confident it will be addressed. hopefully it will be addressed in a way that does not cause the brinkmanship that does so much damage to our economy. >> i have a very big job in a very short time. i had the luxury of introducing the secretary to the united states senate republicans when they were getting ready to approve him for this job. that was a real pleasure then, and today it is again a thank you from me to you for all you do, and for what you have done, since you have been in this very high job that you have had. my job is to say thank you, mr.
5:55 am
secretary. [applause] >> it is a really great panel, so we want to jump right in. we have the full bios of everybody in your packet. for those of you from outside the room, they are on the bpc website, bipartisanpolicy.org. the senior treasury representative for the australian government, here from the australian embassy. larry lindsey, paul, and fratto, who now runs hamilton place strategies. larry, i want to start off with a simple question, have the american
5:56 am
people gained anything from having the debt ceiling? >> it is a pleasure to be here today. i got the first question because i am the apostate on the panel. i think the answer is yes, and i think it is important to look at the history in order to understand what that is. as a way of introduction, i thought i would correct slightly something the secretary said about the shoe being on the other foot. when the president was a senator, he voted against the debt ceiling. he said "washington is shifting the burden of bad choices onto the backs of our children and grandchildren. america has a debt problem and a failure of leadership and deserves better." when one is in opposition, that is a natural position to take, and i think it is important to put that into context as we consider why we have set it up that way. we have a basic set of rules.
5:57 am
it grew out of the english civil war, came down to the constitution. it comes down to no congress being able to bind a future congress, having to take an affirmative step to do any kind of fiscal action. our founding fathers put in article one, section eight, they picked out the most extreme case that they had, which was the country was at war. they said that the congress could only appropriate money to fund those armies for a maximum of two years. they had to come back even in that extreme situation, and affirmatively vote for more money. i can understand that, and with the reading of history, we can all understand why that is important. that is where the debt ceiling comes from. that is the way it used to be.
5:58 am
in 1974, for very good reason, we did a budget reform, and we created a category of spending that was not subject to congressional vote. we now call it entitlements, nondiscretionary spending. every year we simply continue it. you can say that you are funding the actions of a past congress, but remember that the constitution, all supreme court rulings and precedent say that there is still supposed to be an affirmative vote from the current congress to continue spending. we understand there is the convenience of the ruling class and we don't want to have to take tough votes. look how far this has expanded. we have gone from automatic
5:59 am
social security increases, which were set by a rule by congress, to the affordable care act as an entitlement. all right, let's think about the insurance subsidies. we really do not know how much it will cost. we set the rule of, say, what the individual has to pay, and then we have an unlimited -- not constrained by any noneconomic variables -- funding of everything on top of it. i can see tangentially how that might reach out, but we have another entitlement in the bill that just shows how far we have pushed the concept. no need for congressional appropriation. it is the risk corridor. here we have congress not even saying how the risk is really going to be defined; it is entirely made up by the president, entirely up to the discretion of the president. that is non-discretionary spending. that is the essence of discretion.
6:00 am
if we are going to have an entitlement culture that now funds almost three quarters of the budget spending, and we will say congress has no say at all in funding those three quarters, we push the limit here. it is for the ease and convenience of government. i think we are giving up something in the process. i think it is an inelegant way of doing it, but i think the right path is to have negotiations. the reason you have the debt ceiling and cliffs is that every president has negotiated with the congress, and sometimes in a big way. reagan did