tv Key Capitol Hill Hearings CSPAN February 4, 2014 8:00pm-9:01pm EST
8:00 pm
an official from the retail store target apologized at a senate panel for the credit card data breach that affected as many as 70 million american shoppers. that's next on c-span. >> reaction to a congressional budget office report that says the health care law will reduce the work force by 2.4 million jobs, which you just saw. then a house panel on u.s. marijuana policy. later a pentagon briefing on alleged naval test cheating on nuclear reactor training. next on washington journal, we will talk to a florida congressman about u.s. marijuana policy. then maryland representative donna edwards will discuss the latest cbo report that the deficit will drop to 514 billion, and this week's deadline on the debt limit.
8:01 pm
richard carmona will give an update on the latest research to improve survival rates from ied's and mass shooting incidents. we will also take your phone calls and you can join the conversation on facebook and twitter. washington journal, live each morning at seven eastern on c-span. >> an executive from target said the company is investing $100 million to upgrade to a more advanced credit card system following the hacking of customer data. testifying before a senate committee, the target cfo was asked about the holiday season cyber theft that has exposed the personal or financial data of millions of u.s. shoppers. >> because of the time of the opening of the senate, we are starting a little bit late.
8:02 pm
i apologize for that but i appreciate everybody who is here, from all over the state, including now snowing colorado. we're going to need to examine how we can protect americans from the growing danger of data breaches and cyber crime in the digital age. safeguarding american consumers and businesses from data breaches and cyber crimes has been a priority of this committee since >> i want to thank senator grassley for working with me very closely on this hearing. i hope we can continue working
8:03 pm
together to advance the personal data privacy and security act i recently introduced to protect american consumers. you watch the news, you pick up the papers, you listen to the news, whatever. most americans, myself included, have been alarmed by the recent data breaches at target and neiman marcus and michaels stores. the investigations of these attacks are ongoing, but they compromise the privacy and security of millions of american consumers, potentially putting one in three americans at risk of identity theft and other cyber crimes. i know my wife and i have been so assiduous at checking our credit card bills, but that is the same with everybody.
8:04 pm
i mention those three stores, those are all excellent stores. they are major parts of our economy. but we have to have faith in them. if we don't have faith in businesses' ability to protect the personal information, the economic recovery is going to falter. in the digital age, major data breaches involving our private information are not uncommon. there have been significant data breaches involving sony, epsilon, coca-cola, also some federal government agencies, department of veterans affairs, energy, data breaches of yahoo! and others. so it won't seem like we are singling out just a few
8:05 pm
businesses, more than 662 million records have been involved in data breaches since 2005. with a cyber attack -- also for consumers who want to protect themselves against further exposure -- it is not like someone comes in and robs a store, where you know where it happened and you have some general idea of where the perpetrator is. here, the perpetrator could be thousands of miles away in another country. american consumers deserve to know when their private information has been compromised. we rely on being able to do a lot of our business electronically. but we should also remember that the businesses that suffer cyber
8:06 pm
attacks are also often the victims of a cyber crime. a recent study found that data breaches involving malicious cyber attacks are the most costly data breaches around the globe. the per capita cost of cyber attacks in the united states was $277 per compromised record in 2013. times that by millions upon millions. that is the highest cost for any nation. when you are in a fragile economic recovery, this is a significant hindrance to recovery. so before the judiciary committee, symantec, and we will hear from the u.s. secret service, department of justice, federal trade commission. we are facing threats to our privacy and security unlike any
8:07 pm
time before in our nation's own history. we have also had hearings about threats to our privacy by our own government agencies. i hope in this particular one we can get some good bipartisan support, get some data privacy legislation done here. i think we will all be better for it. senator grassley. >> very important that we have this hearing. we have had well-publicized commercial data breaches. we are still learning about the details. this hearing will help bring more details out, i hope. it is clear that these and other breaches have potentially impacted tens of millions of consumers nationwide. today's opportunity is to learn about the challenges that both industry and law enforcement face in combating cyber attacks from well-organized criminals.
8:08 pm
the witnesses have the unique ability to provide us various important perspectives as we consider the government's role in securing sensitive data and crafting a breach notification standard. i hope to learn where the committee's expertise could be helpful in combating future attacks. furthermore, i would like to use this hearing to explore areas of common ground so that we can determine what might be accomplished quickly. it has been a couple of years since our committee has considered data security legislation. in that time we have learned a lot about the subject, thanks to broader cyber security conversations. the proposals offered by the administration and discussed in congress, along with other government initiatives, can be helpful for us to proceed as we consider what to do with this
8:09 pm
legislation. when considering data security requirements, our approach should provide flexibility and also account for businesses of different sizes. in a world of crafty criminals, it seems to me that a one-size-fits-all approach will not work, or at least will not work for everybody. instead, let's see how the government can partner with private business to strengthen data security. an example may be the national institute of standards and technology cyber security framework, which has received bipartisan support, and as far as the senate is concerned, unless it is bipartisan, it isn't going to go anywhere. that's not because there's something wrong with democrats or republicans. that is the institution itself. as we discuss the creation of
8:10 pm
a federal breach notification standard, we must avoid the risk of consumer over-notification. just as there is a potential for harm when a victim isn't notified of a breach, over-notification can lead to harm and apathy. as time permits, i want to explore these and other issues today, and will be available to discuss things beyond the committee process, either with colleagues or with other people. if everyone works together, it seems to me we can tackle these problems and hopefully limit future attacks. thank you, mr. chairman. i ask unanimous consent to include my full statement in the record along with statements we received from these groups: the national business coalition on e-commerce and privacy, the payment card industry, the national association of federal credit unions, the
8:11 pm
american bankers association, national retail federation, and the retail industry leaders association. >> without objection, it will be included in the record. may i ask the four witnesses to please stand and raise your right hand. let the record show that they all took the oath. we will hear from each of the witnesses first and then we will ask questions. john mulligan is chief financial officer and executive vice
8:12 pm
president for target, the second-largest general merchandise retailer in the u.s. he joined target in 1996. his responsibility includes financial planning and analysis, financial operations, tax, assurance, investor relations. he graduated from the university of wisconsin in 1988. in 1996 he earned a masters of business administration degree from the university of minnesota. >> good morning, members of the committee. my name is john mulligan. i'm executive vice president and chief financial officer of target. i appreciate the opportunity to be here today to discuss important issues surrounding data breaches and cyber crime. as you know, target recently experienced a data breach
8:13 pm
resulting from a criminal attack on our systems. to begin, i want to say how deeply sorry we are for the impact this incident has had on our guests, your constituents. we know this breach has shaken their confidence in target and we are determined to work very hard to earn it back. at target we take our responsibility to our guests very seriously. this attack has only strengthened our resolve. we will learn from this incident and as a result, we hope to make target and our industry more secure for consumers in the future. i would now like to explain the events of the breach as i currently understand them. please recognize that i may not be able to provide specifics on certain matters because the criminal and forensic investigation remains active and ongoing. we are working closely with the secret service and the department of justice on the investigation to help them bring to justice the criminals who committed this widespread attack on american business and consumers. on the evening of december 12, we were notified by the justice
8:14 pm
department of suspicious activity involving payment cards used at target. we immediately started our internal investigation. on december 13, we met with the justice department and the secret service. on december 14, we had an independent team of experts lead a thorough forensics investigation. on december 15, we confirmed that criminals had infiltrated our system, installed malware and potentially stolen guest payment card data. over the next two days we began notifying the payment card processors and card networks, preparing to notify our guests and equipping our call centers and stores with the necessary information and resources to address the concerns of our guests. our actions leading up to our public announcement on december 19 and since have been guided by the principle of serving our guests. we have been moving as quickly as possible to share accurate and actionable information with the public.
8:15 pm
we know that the breach affected two types of data: payment card data, which affected approximately 49 million guests, and certain personal data that affected up to 70 million guests. we believe the payment card data was accessed through malware placed on our point-of-sale registers. it is designed to capture the data that resided on the magnetic stripe. we have focused on supporting our guests and strengthening security. in addition to the immediate steps i described, we are taking the following concrete actions. first, we are undertaking an end-to-end review of our systems and our network and will make security enhancements as appropriate. second, we increased fraud detection for our target red card guests. to date we have not seen any fraud on our proprietary credit and debit cards due to this breach. we have seen only a very low amount of additional fraud on our target visa card. third, we are issuing new target credit and debit cards to any guest who requests one.
8:16 pm
fourth, we are offering one year of free credit monitoring and identity theft protection to anyone who has ever shopped in our u.s. target stores. fifth, guests have zero liability for any fraudulent charges on their cards arising from this incident. sixth, target is accelerating our investment in our target red card point-of-sale terminals. target has invested significant capital and resources in security technology, personnel, and processes. we had in place multiple layers of protection including firewalls, malware detection, intrusion detection and prevention capabilities and data loss prevention tools. the unfortunate reality is that we suffered a breach. all businesses and their customers are facing increasingly sophisticated threats from cyber criminals. in fact, news reports have indicated several other companies have been subjected to similar attacks. to prevent this from happening again, none of us can go it
8:17 pm
alone. we need to work together. updating payment card technology and strengthening protections for american consumers is a shared responsibility and requires a collective and coordinated response. on behalf of target, i am committing that we will be an active part of the solution. to each of you and all of your constituents and our guests, i want to once again reiterate how sorry we are this happened and our ongoing commitment to making this right. thank you for your time today. >> thank you very much, mr. mulligan. michael kingston is senior vice president and chief information officer for neiman marcus. as chief information officer, he oversees approximately 500 professionals responsible for all aspects of information technology and security, including technology strategies and information technology services for all neiman marcus clients, both its stores and website.
8:18 pm
thank you for being here. please go ahead, sir. >> mr. chairman, senator grassley, members of the committee, good morning. my name is michael kingston and i'm chief information officer at neiman marcus group. i want to thank you for your invitation to appear today to share with you our experiences regarding the recent criminal cyber security incident at our company. i have submitted a longer written statement and appreciate the opportunity to make some brief opening remarks. we are in the midst of an ongoing forensic investigation that has revealed a cyber attack using very sophisticated malware. from the moment i learned there might be a compromise of payment card information involving our company, i have personally led the effort to ensure that we were acting swiftly, thoroughly, and responsibly to determine whether such a compromise had occurred, to protect our customers and the security of our systems, and to assist law
8:19 pm
enforcement in capturing the criminals. because our investigation is ongoing, i may be limited in my ability to speak definitively or with specificity on some issues. there may be some questions to which i do not have the answers. nevertheless, it is important to us as a company to make ourselves available to you to provide whatever information we can to assist in your important work. our company was founded 107 years ago. one of our founding principles is based on delivering exceptional service to our customers and building long-lasting relationships with them that have spanned generations. we take this commitment to our customers very seriously. it is part of who we are and what we do daily to distinguish ourselves from other retailers. we have never before been subjected to any sort of significant cyber security intrusion, so we have been particularly disturbed by this incident.
8:20 pm
through our ongoing forensic investigation, we have learned that the malware which penetrated our system was exceedingly sophisticated, a conclusion that the secret service has confirmed. a recent report prepared by the secret service crystallized the problem when it concluded that a specific type of malware, comparable and perhaps even less sophisticated than the one in our case according to our investigators, had a zero percent detection rate by antivirus software. the malware was able to capture payment card data in real-time, right after a card was swiped, and had sophisticated features that make it particularly difficult to detect, including some that were specifically customized to evade our multilayered security architecture that provided strong protection of our customers' data in our systems. because of the malware's sophisticated anti-detection devices, we did not learn that we had an actual problem in our computer system until january 2
8:21 pm
and it was not until january 6 when the malware output had been disassembled and decrypted enough that we were able to determine that it was able to operate in our systems. then, disabling it to ensure it was no longer operating took until january 10. that day we sent our first notices to customers potentially affected and made widely reported public statements describing what we knew at that point about the incident. prior to january 2, despite our immediate efforts to have two separate firms of forensic investigators dig into our systems in an attempt to define any data security compromise, no data security compromise in our systems had been identified. based on the current state of evidence and the ongoing investigation, it now appears that the customer information that was potentially exposed to malware was payment card information and transactions in
8:22 pm
77 of our 85 stores between july and october of 2013, at different periods of time within this date range at each store. two, we have no indication our transactions on our website or in our restaurants were compromised. three, pin data was not compromised, as we do not have pin pads and do not request pins. four, there's no indication that social security numbers or other personal information were exposed in any way. we have also offered to any customer who shopped with us in the last year at either neiman marcus group stores or our websites, whether their card was exposed to the malware or not, one year of free credit monitoring and identity theft insurance. we will continue to provide the excellent service to our customers that is our hallmark. i know that the way we responded to this situation is consistent with that commitment. thank you again for
8:23 pm
invitation to testify today and i look forward to answering your questions. >> thank you very much, mr. kingston. our next witness served as policy counsel in the consumers union washington office and is lead advocate for telecommunications, media and privacy efforts. consumers union is a policy action division of consumer reports. she graduated from the university of virginia and from columbia school of law. we are glad to have you here. please go ahead. >> thank you for the opportunity to testify before you today about these breaches. i serve as policy counsel of consumers union.
8:24 pm
this past december at the height of the holiday shopping season, 40 million unsuspecting customers learned that criminals may have gained unauthorized access to their credit card and debit card information. subsequently, 70 million more learned that personal information such as names, addresses, and telephone numbers may have also fallen into the hands of suspected hackers. since then we have learned of similar breaches at other retailers. neiman marcus has confirmed unauthorized access to payment data and michaels has stated it is investigating whether a similar breach occurred. the press is reporting that the malware that was reportedly used in the neiman marcus and target breaches was sold to criminals overseas. what we have seen thus far may just be the tip of the iceberg. this is truly disturbing. as consumer reports and consumers union have reported with regularity, consumers who have their data compromised in a large-scale security breach are more likely to become victims of identity theft or fraud.
8:25 pm
although federal consumer protection lending laws and voluntary industry standards generally protect consumers from significant out-of-pocket losses, policymakers and consumers should take these threats seriously. there are practical and time-consuming concerns for consumers whose data has been breached. of particular concern are debit cards. although consumers might not ultimately be held responsible if someone steals their debit card data or pin number, data thieves can still empty out a consumer's bank account and set off a cascade of bounced checks and late fees which victims will have to settle down the road. what can happen to that data after it is stolen is disconcerting to say the least. sometimes it is resold to criminals outside the country. sometimes it is used to make counterfeit cards. the result is decreased consumer confidence in the marketplace and uncertainty with the realization that your private financial information is out
8:26 pm
there in the ether for anybody to use for an unauthorized purpose. when consumers union learned of the breach, we urged them to investigate the matter and for increased public disclosure. just last week attorney general eric holder confirmed that the department of justice is also investigating the matter. we know that lawmakers have urged the federal trade commission to investigate as well and we are grateful for the federal agencies' efforts and state attorneys general's efforts so that we can figure out what happened and get to the bottom of this and figure out how to come up with a solution together to prevent these breaches from occurring in the future. we have also provided consumers with a number of tips including checking transaction data, notifying your bank immediately of any suspicious activity, replacing credit cards, debit cards and pin numbers, and also security freezes and fraud alerts to block
8:27 pm
access to your credit report. target and affected retailers are offering consumers credit monitoring, which we would be happy to speak about and answer questions about as well. new technology uses multiple layers of security including computer chips in each card that store and transmit encrypted data. what we have reported in the past is that when this technology has been adopted in europe, it has significantly decreased fraud. so we need a stronger commitment from all stakeholders to adopt this technology sooner rather than later. these breaches reinforce just how timely and relevant these issues are. we are appreciative of the committee's efforts and of the chairman for introducing the data privacy and security act. we think that the sooner
8:28 pm
consumers know their data has been compromised, the sooner they can take steps to protect themselves. we urge the committee to consider shortening the time line for notification from 60 days to require more immediate notification. we would also like to strengthen some provisions including those related to preemption. we want to make sure that any national standards offer strong, meaningful protection. we thank you for the opportunity to speak before you today and appreciate your interest in data security. we want to ensure that there is consumer confidence in the marketplace and we look forward to working with you and all interested parties. thank you very much. >> thank you for what you said about our legislation. i'm hoping we can move it quickly.
8:29 pm
our next witness is senior vice president at symantec. he drives development at symantec in mobile and norton management. he was vice president of identity and authentication services before that. he obviously has a background in this field. please go ahead. >> thank you, and good morning. thank you for the opportunity to testify today on behalf of symantec corporation. we are the world's largest security software company with over 31 years of experience developing information security and management technology. our global intelligence network is made up of millions of sensors all over the world and records thousands of events per second, and we maintain 10 security response centers that operate 24
8:30 pm
by seven around the globe. this gives us a view of the entire internet landscape. at symantec, we also invest over $1 billion a year in research and development to help our customers stay ahead of the bad guys. the hearing today is critically important and will focus attention on what businesses and consumers can do to protect themselves from cyber attacks and data breaches. attacks on point-of-sale devices are not new. but it does appear the pace is increasing. it brings immediate attention and citizen concern, but it cannot be just about one or two high profile crimes. not just retailers but every organization with sensitive information is at risk because cyber crime is a big business. in 2013, we estimate the identities of over 435 million people were exposed. that number is rising as the reports surface. the cost is very real and is borne by both consumers and organizations.
8:31 pm
we found that in 2012, the global price tag of consumer cyber crime was $113 billion. it was found the average total cost per breach in 2012 was $5.4 million. the study also found that strong security before a breach and good incident management post breach can dramatically cut the cost of these incidents. these breaches are increasingly caused by targeted attacks, which are up 42% year over year. some are direct attacks on the company servers, where they search for undefended connections to the internet. all attacks have potentially one goal, to gain control of the user's computer. in the case of a retailer, that can include compromising point-of-sale systems to obtain valuable consumer information. the best way to prevent the
8:32 pm
attack starts with the basics. good cyber hygiene is simple and cost-effective. strong passwords and ubiquitous encryption are important elements of any good security program. a modern security suite that is being fully utilized is essential. modern security protection is much more than antivirus software. in the past, the same piece of malware would be delivered to thousands or even millions of computers and was easily blocked with signature-based systems. today cyber criminals can take the same malware and create unlimited unique variants that get past basic software. that is why modern security software does much more than look for known malware. it monitors your computer or mobile device, watching for unusual traffic patterns or processes that could be indicative of malicious behavior. we provide behavior-based
8:33 pm
security technologies that can identify more advanced threats. the solutions put files in context using age, frequency and other data. if one of the computers is trying to execute a file we have never seen anywhere in the world and it comes from an unknown source, there's a high probability that it is malicious and should be blocked. security should also be specific to the device being protected. point-of-sale system devices have advantages over other systems because the functions they need to perform can be narrowly defined. allowing these devices to only run approved applications will reduce the attack surface and render many strains of malware ineffective. we released a report that provides an overview of the methods that attackers may use and provides recommendations on how to protect the systems from attack.
8:34 pm
unfortunately, data breaches and cyber threats are part of our day-to-day lives. we will never be able to prevent every data breach or cyber attack. working together, industry and government can make it increasingly more difficult for cyber criminals to succeed. thank you again for this opportunity to be here today and i'm happy to take any questions you may have. >> thank you very much. i think we are all united in the same thing. we all want to stop these attacks, number one. number two, as you just pointed out, we are always going to have these attacks, no matter what we do. the question is, can we successfully stop them and are we keeping up to date with the realities of today as compared to years ago? mr. mulligan, the data breach at target became front-page news
8:35 pm
every day, on and on. i'm not just going after your company, obviously, but it has the potential to place one in three americans at risk of fraud or identity theft, identity theft being part of -- probably one of the most difficult things one has to deal with. what do you find so far? are you any closer to finding who did it? tell us just briefly, what are the steps you are taking to prevent privacy -- protect privacy? >> as i said earlier, the intruder came in through a set of compromised vendor credentials and took two sets of data. the first set of data: malware was placed on our point-of-sale registers and there they grabbed payment card information in the time from it
8:36 pm
being swiped from the magnetic stripe to the time when we encrypted it in our system. separately, they took information from certain personal data, name, address, phone number, e-mail address, for up to 70 million records. they encrypted that and removed it from our systems. we have an ongoing forensic investigation and end-to-end review of our internal network to understand what went on. since then we have removed the malware, closed the point of entry, narrowed the scope of who has access to our system. we have provided the malware to a security firm for their review, and we have the ongoing review where we will have additional learning and we are committed to taking additional actions. >> as i understand it, the justice department told you -- you said this, on december 12.
8:37 pm
you removed the malware three days later on december 15, is that correct? >> that is correct. >> had you had any knowledge the malware was there before the department of justice gave you that notification? >> we did not. despite multiple layers of detection we had within our systems, we did not. >> you had all your systems in place, but you found out about it from the department of justice. >> that is correct, mr. chairman. >> did the breach involve online purchases? >> that is my understanding. >> mr. kingston, you testified the breach at your company
8:38 pm
would affect 1.1 million american consumers, is that correct? >> what we have learned in our investigation is that this malware, which was inserted into our systems by the criminals, was operating in many of our stores at certain times between july and october of 2013. the number of account numbers in our stores at that time that were exposed to the malware was 1.1 million accounts. we believe because the malware was only operating at certain times that the number is actually less than that. >> when did you first find out about it? >> the first time we found out
8:39 pm
about it was when our forensic investigation teams discovered it on january 2, 2014. >> when did you first receive information about it? >> the forensic investigation firm first alerted us that there was some suspicious malware they had found as part of the investigation on our systems on january 1. >> you say that you first received information december 17? >> on december 17, we were notified by our merchant processor that mastercard had identified in their fraud systems 122 account numbers that had been fraudulently used, that were used prior to that at neiman marcus locations.
8:40 pm
>> since january 1, have you changed any of your malware protection protocols or equipment? >> yes, we have. we have made a number of different changes. as i mentioned in my testimony, the malware unfortunately was not detected by our antivirus systems, which we maintain and keep up to date. since then we have shared the malware both with forensic investigation teams, the secret service and our antivirus company and they provided us with updated signatures so we can remove it and disable it. >> how has the cooperation been with law enforcement? >> we have been working with law enforcement all along the investigation and they have been very helpful and very cooperative. >> would you
8:41 pm
say the same, mr. mulligan? >> i would, senator. we have a long relationship with law enforcement and our interactions throughout this time have been very productive. >> i want to associate myself with the remarks that the chairman made just before he asked questions. that is that i think we are all trying to find the same solution. this is not a case of a group of business people on one side and the government on the other side. we've got a major problem we have to deal with and it's going to take cooperation. the senator did not say it exactly that way, but i hope i -- thank you. as we have heard today, even companies with tremendous resources and multilayered -- by the way, i'm going to ask this, as we are heard today, even companies with tremendous resources and multilayered
8:42 pm
security systems can be attacked and breached. this means smaller businesses are more vulnerable to similar attacks. one thing i have heard repeatedly is that businesses of all sizes need flexibility in creating and implementing their security programs. what works for one may not work for another. but companies must be proactive, and guidelines for what they should be doing are helpful. so to you three, how can the government encourage the private sector to strengthen data security in a way that provides businesses the flexibility and guidance that they need, as opposed to burdensome government regulations? >> we agree that this is an evolving threat and one that is well beyond retail and target to all industry. there were hundreds of breaches last year and we think therefore the solution needs to be a
8:43 pm
combination of efforts across all participants in the space. i think for payment card information, there are a number of disciplines in the payment card world and we need to work collectively to move to chip and pin technology. that would have rendered the account numbers that were taken far less useful. it is technology like that that is important, and we are committed to moving forward and accelerating our efforts in that particular area. >> i think shedding light on the issue as the committee is doing today is extremely helpful, and we appreciate that. as for things the government can do, there are a lot of actors in this ecosystem: technology companies, private sector, law enforcement, government agencies, and there are security experts. collectively, all of those actors and stakeholders who have
8:44 pm
intelligence and are able to share that with the community, if we can encourage more of that information sharing, i think it could help us try to keep up with this problem, which is continuing to evolve and continuing to become more sophisticated. >> i would agree with what mr. kingston said. it is definitely a shared responsibility to follow good practices. we believe it would be helpful for the government to recommend in a very flexible way some preventative measures that companies can take, to at least give a guideline on being able to protect our systems. we believe it is a good, flexible framework companies can use to guide them into developing good security solutions. >> to the three of you again, and this gets back to some people who think this ought to
8:45 pm
be government driven, and then there are people who think it is entirely industry, government stay out of it. the chairman and i have talked recently about a partnership, and the national institute of standards and technology was just mentioned here. for you three, if government is going to create federal data security standards, what role, if any, should the private sector have in that process? >> i think private industry and government have to work together here. i agree with what you have heard, it is a shared responsibility and communication between the private sector and public sector is important. we have had ongoing relationships and information sharing with law enforcement. that needs to happen more broadly between our organization and the government to find solutions here. >> mr. kingston? >> i think guidelines and
8:46 pm
standards are always very helpful, particularly in this case. so i would encourage that all the stakeholders provide input into that. >> i would agree, and i think the key word here is flexibility. what we have to recognize is that this is kind of an ongoing war. the type of threats are changing all the time -- where technology is constantly raising the bar. whatever needs to develop needs to allow for that to happen rather than locking in at any particular time what might seem to be acceptable. >> i did have a question, but i want to make a statement that i hope we can avoid a situation where the government says you do something and you do it, and it is abiding by the regulations, and that may come up short of what we need to do. that is why cooperation is so important. >> i agree with that.
8:47 pm
even with the expertise of the four of you here, you couldn't tell me specifically what would be the greatest threat we might face 18 months from now, because these things are evolving, just as our best intelligence agencies and others cannot either. but we want to give you a framework, and we want to have our framework that protects consumers so they know their rights are being protected, but also protects our businesses. we have to maintain the trust between both the businesses and the consumers for the good of our country. we have a fragile recovery, we are slowly recovering, but without that credibility, we cannot do it. i have to step out for a moment.
8:48 pm
>> thank you very much, mr. chairman. i want to begin by thanking mr. mulligan and mr. kingston for being here, because up to very recently, companies would not step forward. companies would not make it public. i introduced the first data breach notification bill in 2003. i could not get any cooperation in that data breach. i have pulled the record and would like to introduce the particulars of what happened in 2003 into the record. >> that will be the order. >> i am a shopper at your institution, mr. kingston. i don't recall getting any notice that my data may have been breached. when would i have had notice? and i would have shopped during that period of time.
8:49 pm
>> we have actually sent out a number of different notifications. i will start with the 10th of january, when we learned -- >> you did not learn -- the breach took place months before you actually learned that there was a breach? >> it wasn't until january 6, actually, that we learned that this very sophisticated malware that was put in our systems had the ability to scrape card data in our systems, and then we quickly put in actions to contain and eradicate that malware. then we immediately began notifying customers. >> and you said that 1.1 million customers had been affected? >> during that time, that is the total number of accounts that transacted in our stores. >> can i assume that all 1.1 million were affected and noticed?
8:50 pm
so somewhere in my records i should be able to find a record of having been noticed? >> we have notified all customers who shopped in our stores or on our websites, which is a greater number of customers than were affected in this 1.1 million number. >> when did you do that? >> we did that on january 22. >> mr. mulligan, when did you notify your customers, and how many did you notice? >> we refer to them as guests. on december 19, four days after we found the malware. for those we had e-mail addresses for, we notified them by e-mail. given the scope, we thought that broad disclosure was the best path to go, so we had very broad disclosure through a multitude of channels. >> but you did not notify individual customers?
8:51 pm
>> we notified those for whom we have specific contact information. >> so you were depending on the public for your notice. can you explain to me why -- i document cases going back to 2003 and 2002. nobody would notify, and it was fiercely fought. companies did not want to notify their customers. i worked on that bill; it's not going to go anywhere because of the notice provisions. here we are again with respect to notice. i believe that if somebody has an account, or uses their credit at your institution and their data is breached, they should be notified so they can protect themselves. do you want to respond to that? >> i agree with your view
8:52 pm
completely, senator. our focus has been on having accurate and actionable information, balanced with providing that notice as quickly as possible and ensuring we had the capability to respond to millions of requests for information. public dissemination was appropriate and would let all of our guests know virtually immediately. we were on the front page of every newspaper in this country. >> here is the problem with that. the public notification is always vague. it is sort of nonspecific. you really don't know, and then you find out kind of brutally in other ways if you have money missing. you happen to be retail establishments. in 2003, a hacker broke into electronic records of the payroll facility for california state employees. some 265,000 social security
8:53 pm
numbers were compromised. you said there was no compromise of social security numbers, but my point is, those people deserved to know that their data had been breached. there is this big resistance out there in the financial community in the 11-12 years i have worked on this. as far as i'm concerned, any bill that is forthcoming from this institution should provide notification of customers that their data may have been breached, so they can protect themselves. if anyone has a comment on that, if you disagree, please tell me. no comment? >> we agree, senator, which is why we did exactly as you said. once we knew that there was criminal activity inside our systems and who the impact was, we reached out individually to customers and in fact reached
8:54 pm
out to more customers than just those affected, to be cautious, because it is important to us. our primary concern is their privacy and information. all customers that shopped the entire year at neiman marcus stores and websites were notified. >> i will go home and look for my notice. thank you very much. >> we agree that notification is an extremely important aspect of this discussion. the sooner consumers are made aware, the sooner they can take actions to protect themselves. >> thank you very much. senator hatch. >> many retailers are migrating toward secure point-of-sale terminals capable of processing chip and pin transactions, yet will only require chip and signature. why would that be the case, especially when a chip and pin credit card would be more secure for in-store purchases? anybody who cares to answer
8:55 pm
that? >> my understanding is that today the standards have been set for chip enabled card technology. the chip and pin standards have not been set yet. we are advocates of getting to chip and pin technology. we think that is the safer form. we also think taking the next step is important in getting to a place where we have guest payment devices in retailers that can read chips, and cards are issued with chips, so we can begin to migrate away from magnetic strips. >> it is my understanding that chip and pin technology does not make online purchases more secure. the experience in europe confirms that as it transitioned to chip and pin cards, fraud losses from online transactions actually increased at a greater pace. as chip and pin cards make in-store transactions more secure in the united states, how
8:56 pm
will you make online sales similarly secure, mr. mulligan? >> that is an excellent question, senator. first, we need to not let -- making progress in stores makes a lot of sense, and installing chip and pin technology there we think is important. as you said, the threat continues to evolve. there is a shared responsibility here, and continuing to have all parties that ensure payment transactions are processed appropriately here in the u.s. be participants in moving that forward to find solutions to the online transactions. it is a topic where all interested parties in the payment space come together and discuss that so we can find solutions to online, but your point is right on. >> mr. kingston, you said the credit card information was
8:57 pm
scraped. what about information like birthdays and social security numbers? were the hackers able to get that information too? >> our investigation has shown no evidence that other personal information was obtained. >> could you please describe both the advantages and disadvantages or shortcomings of chip and pin technology, as well as any alternatives that may exist that are not currently being considered? chip and pin technology itself is more than 20 years old. are there more secure alternatives that we should be considering? >> i think we would agree with the other panelists that chip and pin is definitely a step in the right direction. it definitely adds three primary benefits to the ecosystem. one is more encryption.
8:58 pm
the credit card information would stay encrypted longer, and it would make it more difficult for hackers to be able to obtain that information. that is a big benefit of chip and pin. it makes it more difficult to duplicate the card. if the information is stolen, sometimes with the regular magstripe it is easy enough to go and create another card. because the chip in the card has a unique potential, it cannot be copied. that reduces the risk of multiple cards being generated. third, it combines what is called two-factor identification. the card is something you have and the pin is something you know. if someone was to steal your physical card, it would do no good unless they knew your pin. it definitely raises the bar on security. >> i have a related question about the so-called mobile wallet. companies like google are just
8:59 pm
starting to roll out these types of products. it allows you to pay by simply tapping your smart phone, and it will be widespread in a few years. can you describe the security features of these payment platforms and whether chip and pin technology is compatible? >> we agree that mobile payments are certainly going to be the future. it is yet to be determined which of those models that are out there will be the future. it is important to note that when you use a mobile device, basically there is a new opportunity for criminals to use that. there are a lot of technologies that can lock down those devices and keep that information safe. chip and pin would not apply in that case. it is really for cards when you have a swipe. there are other ways, using behavioral analysis to fingerprint some of these devices and recognize the user, that can add security in the mobile payments ecosystem.
9:00 pm
>> thank you very much. we certainly know that in minnesota, the home of target, and we also know that if these companies can see these kinds of data breaches, it can happen to anyone. as senator feinstein expressed, a lot of times when we have pushed these cyber bills, we get a lot of push back, and i think if anything, we have learned from this major, major breach that we can no longer do nothing. my first reaction as a prosecutor is to find the crooks who did this and punish them. i know that investigation is continuing. my second reaction is that we have to find technical solutions and our laws have to be as sophisticated a