
First Ladies Influence Image, CSPAN, February 4, 2014, 9:00pm-10:31pm EST

9:00 pm
we certainly know that in minnesota, the home of target, and we also know that if these companies can see these kinds of data breaches, it can happen to anyone. as senator feinstein expressed, a lot of times when we have pushed these cyber bills, we get a lot of push back, and i think if anything, we have learned from this major, major breach that we can no longer do nothing. my first reaction as a prosecutor is to find the crooks who did this and punish them. i know that investigation is continuing. my second reaction is that we have to find technical solutions and our laws have to be as sophisticated as the crooks who are breaking them,
9:01 pm
and i started there. i start -- i thought i would start by following up what senator hatch talked about, which is new technology that i understand has been adopted in europe. is that true? >> yes. >> and is it true that in great britain, they have seen a major decrease in these kinds of breaches? >> they have seen a decrease. they have also seen a shift to the online channel. >> what is stopping our country when they are doing this in europe? i think they started using this kind of technology back in 2003. what has stopped it from being
9:02 pm
rolled out on a major basis, and how can we change that? >> you know, there are many participants in the payment card world that will ensure that transactions are processed appropriately in the u.s. we put devices in our stores to read chips. we introduced a target visa card with a chip in it, but without broad adoption, there are not significant advantages for consumers. >> you mean other retailers? >> others having the ability to read the card as well as having cards issued with a chip on them. they need to move together simultaneously. we have been advocates of this. it is a shared responsibility. >> how does this affect the financial industry? >> they are the issuers of the cards, so again, in partnership
9:03 pm
with them, we need to move together collectively so that the whole system is employing this technology. >> and with the new standard that is in development -- how long has it been in development? >> it has been in development for quite some time. it is due to be released. >> like 20 years? >> more like around a year time frame. >> ok. >> it is set to be released next week. >> that's good timing. will that set a standard for these companies or do we need to do something to get the new technology out there? >> i think the new standard does provide some guidelines and objectives for the companies to follow but it is not specific to the chip. >> we are definitely supportive of chip
9:04 pm
and pin technology and of any efforts to expedite wide adoption of this technology. >> i just want to go back quickly to something that was raised at the beginning about the time in between when it was confirmed and when the consumers found out about it. could you give me the time between when it was confirmed and the time you notified customers? >> we were told on december 15 and we notified customers on december 19. >> and by notified, you mean it was released publicly. >> broad public notification, yes. >> we were notified about the malware and spent the next few days containing, disabling and removing the malware.
9:05 pm
january 10, we started notifying the public and customers directly. >> do both companies have policies in place on how you would do this consumer notification? >> we have several crisis communication plans and we enacted them immediately upon finding the crisis. >> you know, senator leahy has a bill on some of these notification issues. i think some of the issues senator feinstein raised are worth discussing. we also have to realize that smaller retailers will have different situations than bigger retailers. we recently found out that hotel chains are being affected by this and we're going to have to put something in place.
9:06 pm
senator hatch has asked to make a small statement before i recognize you. >> thank you, senator. something came up today that starts out by saying that u.s. intelligence agencies will ask the obama administration to check the government network for malicious software related to the health care website. the u.s. affordable care act website was written in part in belarus by software developers under state control, which makes it a potential target for cyber attack. u.s. health-care data is confounded by what they said was an internet data hijacking involving the belarusian state-controlled networks. i just bring that up because
9:07 pm
this is a very serious discussion that goes far beyond maybe what the retail community is concerned with. >> thank you, senator lee. >> thank all of you for joining us today. it is an important topic. i know it is important to each of you and to america's consumers. i generally trust that the marketplace will create the right kind of incentives for retailers to protect the personal data of their consumer base, but i think the creation of those incentives really has as a condition precedent that there be adequate notification procedures in place. in other words, consumers have to have received notification in order for any of this to work. they have to receive notification in order to take the steps they need to take to protect their identity.
9:08 pm
they also need notification so that they can decide where to take their business. if they cannot trust a particular business with their data, they are not going to shop there. what factors do you consider when deciding at what point to notify consumers or guests? there are some countervailing considerations. you don't necessarily want to notify immediately upon discovering that there is a problem. >> after 18 years, it almost rolls off my tongue without thinking about it. our view is that there is a balance to be struck here. certainly, speed is very important to let consumers know what is going on. balancing that is looking
9:09 pm
through the lens of our guests to ensure that we provide accurate information so that they can understand what happened and actionable information so they can understand what to do about it. balancing those two factors is the lens we look through that ultimately led us to our timeframe. i would also add that for us, ensuring that we had the appropriate ability to respond to our guests as we knew the questions were going to come, ensuring that our call center staff was prepared and that our stores were able to provide that information. a large training element also went on to make sure we could handle their questions and concerns appropriately. all of that came together and balanced our decision-making quite quickly. >> could it cause -- it could cause problems if you notified too soon before you know the nature of the threat and what you are going to do about it? >> we believe it is important to provide accurate information
9:10 pm
once notification is made about what has gone on and to help our consumers understand what to do about it. >> thank you. mr. kingston, one potential legislative response to all of this could involve establishing a national security standard, perhaps standards that are already accepted within the industry. i'm always a little concerned about creating a new federal regulatory authority in part because sometimes when you establish something like that it quickly becomes ineffective, especially in an area like this where technological advances can quickly render a codified national security standard irrelevant or outdated. there is also, i think, some risk that if we create a national security standard, that would be seen not just as a
9:11 pm
floor, but as a floor and a ceiling, and you could see some people complying with that and that creates an easy target for would-be thieves, who know what the security standards are because they are codified in law. do you see some risks in legislation that codifies a national security standard? >> i think there is inherently going to be risk for some of the reasons that you stated, senator. i think the thing we have to keep in mind is that the cyber security threat landscape continues to evolve every day and it becomes more and more complicated. as soon as we establish standards, which are helpful, but as soon as we establish them, as you pointed out, that gives the whole world the opportunity to come up with ways to defeat those standards. i think it is obviously healthy to be able to communicate to
9:12 pm
people what some of the standards and practices are, but i agree, i think there is a risk there as well. >> you are nodding. do you have something to add? >> i think it is not only that the cyber threats are evolving, our environments are changing so quickly. if we look at what a company infrastructure looked like five years ago, it was pretty much contained in their data centers and devices. today, it is everywhere. it is in our data centers, in the cloud, on mobile devices. so threats are evolving, but so are the attack surfaces. we need to be able to adjust because the environments change. >> thank you, senator lee. senator franken? >> thank you. first of all, chairman leahy has
9:13 pm
a bill i am a cosponsor of that sets standards that i think you can write in a flexible manner. i see you nodding. as some of you may know, i am chair of the subcommittee on privacy and the law. i think the people have a fundamental right to privacy and part of that is knowing that your sensitive information is protected and secure, and when millions of consumers have their data stolen, we have a big problem and we need to fix it. minnesotans shop at target all the time, as do millions of other americans. minnesotans shop at neiman marcus, too, and we need to get to the bottom of these breaches. but what is clear to me is that we are not just dealing with a problem at target and neiman marcus. or michaels, for that matter. we are dealing with a systemic problem. a big part of the problem, as we
9:14 pm
discussed, is the security of our credit and debit cards. the u.s. has one fourth of the world's card transactions, and yet we are victims to half of all card fraud. two weeks ago, i wrote to each of the nation's largest credit and debit card companies and asked what they were doing to make our cards safer. their responses are due tomorrow. the federal government has a role to play here, too. congress has passed laws that promote data security. right now, there is no federal law setting out clear security standards at merchants and data -- and there's no federal law requiring companies to tell customers when their data has been stolen. i am glad to say that chairman leahy has a bill that would fix this problem. i am glad to be a cosponsor. i think it contains enough flexibility that it is not
9:15 pm
a signal to criminals of how to overcome that. first, i want to get a handle on how the breaches occurred. i understand target has spent considerable resources on data security systems. but on january 17, an article in the new york times stated that your systems at target were astonishingly open and particularly vulnerable to attack. i know you have had independent audits before, a couple of them, saying that you had passed muster and were among the best in the industry. can you respond to these charges? >> over the past several years, we have spent hundreds of
9:16 pm
millions of dollars to improve malware detection, intruder protection and prevention, data loss prevention tools, multiple layers of firewalls, but beyond that, as you said we have ongoing assessments and third parties coming in doing penetration testing of our systems, benchmarking us against others, assessing if we are in compliance with our own processes and control standards. and we have hundreds of team members responsible for this. we go so far as training 300 thousand team members annually on security. we have invested significant resources. >> it is kind of spy versus spy is what we are talking about. you said in your oral testimony that you are for -- and senator hatch brought this up -- that you are for the smart chip. mr. roche, visa and mastercard
9:17 pm
are pushing the rollout of smart chip cards in the u.s. in 2015. i wish that could be hurried. my understanding is that these cards may not require pins for every transaction, and this is surprising to me because, as we heard from you, the incidence of fraud is far higher for signature debit transactions than for pin transactions. and maybe this is a question for ms. derek shani. is there a reason that visa and mastercard don't want to put the pin in there? >> we are aware of the promises that have been made to implement the technology by 2015. the answer comes down to money. it is expensive to update the
9:18 pm
technology at the point-of-sale. we would be supportive of efforts to encourage widespread adoption of these technologies and we think more of a push would be a good thing. >> can you follow up on that? in particular, do visa and mastercard have a reason? >> chip and pin we think is the best and most secure solution. i think the chip on its own still provides more security, running encryption and protection from cloning of the cards. we still think that is the best way to go. >> senator franken, i believe you will chair as i need to leave. and senator durbin is next. >> senator durbin, and i will move over to the chair. >> i believe in the early bird rule.
9:19 pm
>> it is not the early bird. >> thank you very much. senator franken, if i could just follow up on the line of questioning that senator franken was on. it is very helpful when you take the time to share the details of these incidents. as we in congress work hard to strike the right balance between a robust marketplace where we all benefit from the ease and convenience of using credit cards and debit cards, but we also try to make sure we are sufficiently protected in our privacy and against theft. these are delicate choices we have to make, and i think this has been very helpful for us to better understand what is possible, what is desirable, and what the cost and impact would be. if i could just continue, does the consumer even believe that the deadline is reasonable?
9:20 pm
>> i think we're more supportive of having it being expedited even more quickly. >> so you think it is possible to be expedited more quickly, it is just a matter of cost? >> i cannot speak for everything it would take to be implemented, but we would like to see it happen more quickly. >> and if i understand you correctly, chipless pin is now possible or at least -- pin is possible in debit card cases. do you believe that should be enabled for credit cards as well? >> that is an interesting question. we have spoken about the differences between debit card protections and credit card protections, and i think it would be a good thing -- you are less protected under a debit card. i think it would be a good thing for debit card technology to come in line with credit card protection. >> do you have the option
9:21 pm
currently to input a pin? >> we do not use pin pads in our stores currently and we do not require pins. >> just help me understand why not. >> i think the issue that we are talking about here is that there are a lot of different technologies that are available, and this is something that right now in the industry consumers don't actually have a lot of these cards in their wallet. i am a consumer, i have several cards in my wallet and none of them have chips on them. while it is an option, it is not something that has been widely adopted in the industry at this point. >> my specific question is about pins rather than chips, but i understand your point about the trajectory of that adoption. it is not easily predictable. a broader question, if i might. you testified that breach notification standards are not
9:22 pm
enough. federal legislation is needed to ensure pre-breach security measures. can you grade the efficiency of the cyber security measures currently in place and give us some insight into how the compliance factor weighs into cyber security? >> it is a great question, and i think there are a lot of companies that have put in very effective security solutions and some that have a ways to go. i think the trick here is that we have focused very much on chip and pin. what companies really need to do is look at very layered security at every part of their ecosystem. put stronger measures in place so that bad people cannot get into the network. the more we can encrypt the data, the more it is of no value to them.
9:23 pm
antivirus is a great foundational technology, but there are things we can do on top of that to stop the emerging threat. it is really about using a layered security approach and we think any legislation should reflect those layers. >> my last question, if i might. help us understand the key impediments that your companies face in trying to achieve this sort of more robust cyber security. we want to make sure that our data is protected and that we are not subject to vast amounts of fraud. what is involved in creating stronger cyber security measures? >> we agree. layers of protection are important across the entire
9:24 pm
enterprise. this is an evolving threat, and we think one of the keys going forward is again, shared responsibility to share information across the industry, not just across retail, but across the industry. we have a long history of doing that. we all want to understand the evolving threat and respond to it as we design security systems and protocols. >> i talked about the importance of all the actors in the ecosystem being able to share intelligence. attacks are very sophisticated. things that have not been seen before or done. that is one thing, and i think the other thing that is really important is that all of the actors be able to adopt these technologies at the same time. consumers obviously have to adopt the technology, but the companies and private sector institutions as well. >> thank you. i do think there is a strong
9:25 pm
federal role in ensuring privacy and security. thank you. >> we actually are using the early bird rule, and you are the late bird. so we go to senator blumenthal. senator blumenthal. >> thank you. thank you all for being here. it is not easy to be the face of the industry which really bears the responsibility here for what i see as a record of failure. that comment is not directed at target or at neiman marcus. it is directed at an industry, and i think you deserve a lot of credit for coming here today and representing that industry, and also for the steps you have taken in the wake of breaches that certainly victimized you. those measures include
9:26 pm
credit monitoring, insurance, measures that i sought for others in this industry and in other worlds to adopt voluntarily while i was attorney general in the state of connecticut and literally had to bludgeon and pummel them into doing, not physically, but legally. i commend you for appearing here and for the proactive steps you have taken. but, i have introduced a bill that i think builds on the very measures that senator leahy and senator rockefeller have introduced to establish standards so that there will be in effect a bar that everybody has to follow, a standard of care, because this information
9:27 pm
is not yours. it is entrusted to you. it belongs to the consumers, and that kind of basic principle is the basis of this legislation, a standard of care applied industrywide and enforcement. rights are not real unless they are enforceable, so enforcement by the ftc but also by the consumers themselves, steps for consumers to take if they are victimized as your stores might be victimized by hackers, a standard of care enforceable by a right of action, and a clearing house so that you can share the kind of information everyone has shared here this morning that is so important for you to be able to exchange amongst yourselves to be flexible and raise that bar. and i agree that the standard should be flexible. right now, we are talking about
9:28 pm
chip and pin, but the threats are emerging and evolving, and so does the standard, and it is specific. right now, i sit here with the attitude of most of your consumers, which is that half the fraud occurs in the united states, but only a quarter of the credit card use. something is wrong with this picture. the continuing series of significant, even sensational breaches is an indictment of the american retailing industry in its failure to protect consumer information. we are talking here, after all, not about some sort of science-fiction technology. we are talking about something that is widely used in europe and could easily have been imposed here earlier.
9:29 pm
my question to you, in light of your very welcome and important recommendations -- and you have had the good sense to make it simple and a graph that is understandable to rudimentary -- would your recommendations have helped to prevent this kind of massive information breach at neiman marcus and target? >> i am unable to speak to specifics of the incident. these were very sophisticated hackers and they were very well resourced. however, we do believe that chip and pin, the layered security approach, all of these things would contribute to more safety.
9:30 pm
>> that is basically a yes. it would have helped prevent. i am not asking you to go into details, but you also recommend the chip and pin or something like it. would it have been any kind of help to prevent this massive breach? let me ask you gentlemen, were you in the process of adopting some of these recommendations, and if not then, are you now? >> as i said in my opening statement, we actually do have a multilayered security architecture and had it prior to these attacks at neiman marcus. many of the --
9:31 pm
>> was this information encrypted? >> during processing, the information was encrypted, during processing. many of the technologies being discussed here today by the -- network monitoring for suspicious traffic, these are all technologies we have deployed and utilized at neiman marcus. unfortunately, the sophistication of this particular attack was able to evade detection of all those best practices, and i think what we have learned, or what is important here, is that just having tools and technology is not enough in this day and age. these attackers are very sophisticated and they have figured out ways around that. it is often how you are deploying those technologies and what else are you doing, which goes back to making sure that we are sharing intelligence as much
9:32 pm
as we can so we can try to stay ahead of these attacks. >> thank you. my time has expired, so you may be spared, mr. mulligan, an answer to that question, but i would like to ask both of you to provide perhaps some detailed answer in writing to the question about whether you are going beyond your present practices and procedures to adopt these steps that symantec has represented, not saying they are the only solutions, but just a kind of benchmark, and if you could provide that in writing, i would appreciate it. i also want to say that my bill would provide for mandatory notification, and i want to thank you for the notification steps you did take, that both of your companies took.
9:33 pm
thank you very much, mr. chairman and senator durbin. >> just one -- i know mr. mulligan did not answer this, but target 10 years ago implemented the technology, and found that -- so few others were doing that, they abandoned that, but that is something i want to find out from the banks and the credit card issuers and debit card issuers about how fast they can go to this technology, because right now it is october 2015. senator parada. >> thank you. following what appears to be the protocol on this side of the table, i would certainly be happy to defer to senator durbin. >> i would like to defer to everyone except senator
9:34 pm
whitehouse. >> i am the chair of this committee, and i will determine -- but that is about right. >> i would like to thank target and neiman marcus for coming here today because i think all of us shop at both of these establishments. there has been a discussion about by 2015 visa and mastercard using the power of their -- their power to require that merchants and banks agree to issue cards, and you all have readers that will read cards with chips in them. mr. kingston and mr. mulligan, both of you, will you meet that deadline with the chip technology? >> senator, we have been proponents of chip and pin, as
9:35 pm
you just heard, for a very long time. our stores have guest payment devices and we are accelerating to get those in our stores by the fourth quarter this year and the products we offer will have the chips in them early next year. >> are you also prepared to adopt the pin portion? >> we are advocates for the pin as the industry in total becomes capable of handling that for credit card transactions. we are advocates of double authentication. >> what about you? >> neiman marcus is certainly willing and will consider anything that is going to make this process and consumer information safer, including chip and pin. as i pointed out earlier, at neiman marcus, we do not use pin pads today. as a practical matter -- as a
9:36 pm
practical matter, it is important to understand that while i think the industry would be safer with that, there is a lot of work to do to make that happen. the pin pads have to be able to process this. there are software changes that will have to happen, and of course, all of the integration with the other actors such as banks and merchant processors, and finally, getting all the cards with chips in consumer hands. i think we are very supportive of considering those and other technology capabilities that will make us safer, but i think we all need to understand that there is a lot of work involved in doing that. >> what i heard is that target is prepared to establish chip and pin technology but you are raising some concerns. does that mean that at neiman marcus you would not be able to meet a 2015 deadline with both of these factors?
9:37 pm
>> we want to develop a safer partnership and move as quickly as we can to do that. >> would federal legislation help if we were to say -- because right now, it is just visa and mastercard saying here's what's going to happen in the arena. would federal legislation that says here is what we would like to see help? >> again, i think we have to consider that. if it is something that is a law, we have to do it. obviously, we will follow the law. that may be coming down the pike, but of course we would have to have all the parties at the table so we can proceed in a reasonable way. >> cost was mentioned, and i don't know within the nonfederal -- is this cost going to be borne by target, neiman marcus, and all the other retailers and
9:38 pm
financial institutions? >> it is a shared responsibility and a shared interest in payment processing, and the cost -- a portion of the costs will be borne by all parties. >> including consumers? >> no, including all companies involved in payment processing. >> so what would be involved in this technology? perhaps you can enlighten us on that? >> we think it is very important for cost not to be borne by the consumer. consumers have lost this information through no fault of their own. i think it is important to remember that. >> do you have any idea what the cost of putting in place chip and pin -- >> i would be happy to look into it and get back to you. i don't have figures at this time. >> i know i am running out of time, but one of the areas i was very interested in was the
9:39 pm
prevention side of things. you mentioned that one of the first lines of defense for the consumers -- is for consumers to use certain kinds of pins and all of that. how do we get this information out to consumers so that, as you say, they are the first line of defense in terms of prevention? what can we do to enable consumers to know that they can take some of these prevention elements into their own hands and protect themselves now? >> i think there are things consumers can do around stronger passwords, watching their bills. i think we all share the responsibility to try to get that communication out. i think consumer reports makes excellent recommendations directly to consumers. the better business bureau has good recommendations. i think it is basically getting the news out there to keep them protected. >> i think that is a very
9:40 pm
important aspect. for a lot of consumers, and i am one of them, i am trying to simplify my life by using very few passwords. you are suggesting the opposite. i think that information needs to get out and have consumers adopt the kind of suggestions you are putting forth. thank you. >> senator durbin? >> thank you very much, mr. chairman. i want to think back to the time we publicly asked about something known to retailers across the united states, and that was the amount being charged on each transaction by the card issuers and banks when retailers used the card. what the federal reserve reported to us was the average was $.44 on transactions. the actual cost to the bank
9:41 pm
was seven cents. we asked them to come up with a reasonable fee, and the federal reserve came up with $.24. of that 24 cents, one penny was for fraud protection. it is ironic or at least coincidental that just weeks after the law was signed by the president we had an announcement by visa that they were finally adopting a roadmap for chip card technology in the united states. they had a dedicated source that they represented to the federal reserve was going to be an anti-fraud effort. we are moving in that direction, albeit slowly. it is ironic that we have -- i have had a chip card in my wallet with american express for years. it is clear that it is fair.
9:42 pm
it has been around for a while. let me go to a study that came out recently in 2012. there were about 5.3 billion dollars in credit and debit card fraud loss in the united states in 2012. 1/5 of the payment card fraud losses occurred with debit cards. it said card issuers paid for 60% of the debit card fraud losses. merchants 38%. cardholders two percent. mr. mulligan, in light of the fact that fraud losses were divided among merchants, banks and cardholders, do you agree it is a shared responsibility to support this move toward new technology? >> i absolutely agree it is a shared responsibility. we have an interest in
9:43 pm
ensuring that consumers have trust in the system we have been using every day. we are currently looking to accelerate our investment to bring devices into our stores more quickly. >> you and i had a brief conversation yesterday. we discussed the card reader that retailers are responsible for paying for. can you give me an idea of what the cost is of a card reader today versus chip and pin? >> i don't know the incremental costs. i can tell you that the total investment for us is about $100 million. that is split equally between our point-of-sale system and re-issuing the cards with the chips in them, so about 50-50. >> let's get back to the original point. retailers and customers in many cases are paying an additional one cent on every transaction for anti-fraud measures.
9:44 pm
in fact, issuing banks have antifraud technology. so it isn't as if we aren't paying already to move this technology forward. >> the contractual arrangements create processes for the banks and those cards. >> and there is consideration for the impact of new card technology on smaller retail -- retailers and establishments, which is something we need to be sensitive to. but we also need to be aware of the current money if they are alleging to the fed that they are using this money for anti-fraud purposes. did i describe that well? >> perfectly, yes. >> there are lots of legislative proposals designed to address
9:45 pm
data breach. i would also address the underlying issue, the collection of personally identifiable information and practices guarding their retention by large corporations. that is largely unregulated. we had a hearing a week or two ago here about the national security agency collecting our phone numbers and whether that was a breach of privacy. do you believe congress should consider proposals that cover the collection and retention of personally identifiable information by credit entities? >> we think of this as a separate issue. but you have touched on a lot of important things. there are a lot of threats out there, and we are very glad that
9:46 pm
you have brought attention to this important issue and to the issue of data privacy in general. >> we are talking about how much regulation there should be on personal information collected by a private sector entity. >> any data breach legislation should include proactive measures that companies can take to protect this information. that should include anything personal about myself, my credit card information, my financials. building that security in end to end is important. i think it is also important that they are fully aware of how we are going to use it and then, when it is no longer needed, it is eliminated. it is all these different layers, but it is definitely
9:47 pm
about giving guidelines on proactive measures to keep this information safe. >> so i guess i am trying to sort out, who do we trust when it comes to privacy? clearly, there is skepticism that if the government is collecting information about us, it has more power than most to misuse it. but we are finding on the private side that the collection of personal information can be abused as well if we are dealing with malware and hackers that can get into the system. i think it is incumbent on us to try to establish a standard so that americans feel confident that their personal information is being protected in a reasonable fashion. thank you. >> thank you, senator durbin. senator whitehouse. >> thank you, chairman. and thank you to all the witnesses. let me ask mr. mulligan from target, clearly you have a robust i.t. department. correct? >> yes.
9:48 pm
>> and clearly you had robust internet security. >> i hope for folks watching that this is an object lesson to the vulnerability we all have to a whole variety of internet penetrations. i think that target is an extraordinarily well-respected retailer and does a very ... business, and if a company like that can be hacked without knowing it, the wrong reaction is to say well, target must've done something wrong. the right reaction is to say my gosh, are we being hacked and do we not know it, too?
9:49 pm
i think we need to pay a lot more attention in that regard. as dangerous as this privacy breach was, as likely as it is to lead to criminal activity in the form of identity fraud, we can thank god that you provide a vital retail service but you're not running the electric did -- electric grid or the servers behind all the banks and their financial systems. ... of our critical infrastructure run by the private sector that are facing very much the same threats. if you are not doing critical infrastructure but you have intellectual property that is an important part of your business model, you should be watching out for that to come in because there are folks already who are trying to break into american
9:50 pm
computers, steal our intellectual property and give it to our competitors to seek competitive advantage. this is a larger window, this problem. i just wanted to make that point. i am sorry it was you, but i am very gratified that you have had the courage to come here and make this more transparent, and i will close with my appreciation to symantec. we came very close to getting a very comprehensive piece of cyber legislation through the senate not too long ago. some of the u.s. security providers, particularly symantec, mcafee and others were very helpful in classified, private briefings, walking senators through the scale and scope of the problems so that momentum could be developed towards legislation. unfortunately, the u.s. chamber of commerce saw things otherwise
9:51 pm
and found ways to defeat the progress we had made, but i hope we can nevertheless continue to go forward because this is a continuing threat. i am seeing acknowledgement -- a nod. >> this is a continuing threat. it is continuing and growing, and we are continuing to take steps to make the ecosystem safer. >> thank you. i would like to thank this panel of witnesses. thank you for your testimony and your answers. you are dismissed. i would now like to call our second panel of witnesses. [captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2014] >> i am going to ask you to stand, so you might as well not sit down.
9:52 pm
i would like to ask the witnesses to raise their right hands. do you swear that your testimony will be the truth, the whole truth, nothing but the truth? thank you, you may be seated. chairwoman ramirez has been chair of the federal trade commission since 2010 and was appointed to the ftc in march of 2013. prior to this, ms. ramirez was at a law firm in los angeles where she focused her work on matters of intellectual property, antitrust, and trademark issues. ... the deputy special agent in charge of the secret
9:53 pm
service's criminal investigation division, cyber operations. he has over 20 years of experience. he has initiated and managed a number of high-profile fraud investigations. ms. rahman is the assistant attorney general at the department of justice. she has worked in the criminal division since 2008, where she served as the chief of staff. she served in the u.s. attorney's office for the district of maryland. thank you all for joining us. you each have five minutes for any opening remarks you would like to make. i would like to recognize the ranking member who has something to say. >> this won't take more than 45
9:54 pm
seconds. i would also like an answer in writing, but also i wanted to point out two very significant things that i wanted to discuss. one is unrelated to this hearing. chairwoman ramirez, i sent you a letter on the gas in the midwest. i have not gotten an answer yet. if you could answer that, i would appreciate that. this morning -- the morning washington times said a belarus company was involved in writing some of the software for the health care reform act, and the extent to which that could be indicative of somebody ... to our health care system.
9:55 pm
>> mr. chairman, ranking member grassley and members of the committee. thank you for the opportunity to appear before you to discuss the federal trade commission's data security enforcement program. i am pleased to be testifying here this morning with my colleagues from the justice department and the secret service. we live in an increasingly connected world and with -- in which vast amounts of consumer data is collected. as target and other retailers remind us, this is susceptible to compromise by those who seek to exploit our vulnerabilities. this takes place against the background and threat of identity theft, which has been the ftc's top complaint for the last 13 years. according to estimates at the
9:56 pm
bureau of justice, this crime affected a staggering seven percent of people in the u.s. age 16 and older. the commission is here today to reiterate its bipartisan and unanimous call for federal data security legislation. the need for data security has never been greater. congress needs to act. we support legislation that would strengthen existing data security standards and require companies to notify consumers when there has been a breach. it should give the ftc authority to seek penalties where warranted to help ensure that ftc actions have the appropriate deterrent effect. it should also provide rulemaking authority and jurisdiction over nonprofits, which have been the source of a large number of breaches. this would enable the ftc to
9:57 pm
protect consumers more effectively. using its existing authority, the ftc has devoted substantial resources to encouraging companies to make data security a priority. we have brought civil actions against companies we allege put consumer data at risk. we have brought these cases under the authority of the fair credit reporting act. in all of these cases, the touchstone of the commission's approach has been reasonableness. a company's data security measures must be reasonable in light of the sensitivity and vulnerability of the information it holds. the commission has made clear that it does not require perfect security and the fact that a breach occurred does not mean that a company has violated the law.
9:58 pm
significantly, a number of enforcement actions have involved large breaches of payment card information. for example, in 2008, the ftc alleged that t.j. maxx permitted hackers to obtain information about tens of millions of credit and debit cards. to resolve these allegations, the retailer agreed to institute a comprehensive security program and submit to a series of security audits. at the same time, the justice department successfully prosecuted the hacker behind the t.j. maxx and other breaches. as this case illustrates well, the ftc and criminal authorities share goals. this ensures on the front end that businesses do not put customer data at risk and helps ensure that cyber criminals are caught and punished. this approach to data security
9:59 pm
serves the best interest of the consumers, and to that end, the ftc, the justice department and the consumer services department have worked together. in addition to enforcement work, the ftc offers guidance to consumers and businesses. the ftc has posted information online about steps they should take to protect themselves. these materials are in addition to other resources we have for id theft victims, including an id theft hotline. we have recently conducted workshops on mobile security and emerging forms of id theft such as child id theft and senior id theft. in closing, i want to thank the committee for holding this hearing and for the opportunity
10:00 pm
>> thank you. madame chairman, gentlemen. >> good afternoon, mr. chairman and distinguished members of the committee. thank you for the opportunity to testify on behalf of the department of homeland security on the trends of criminals in cyber space ... to our nation's payments system. that system depends heavily on technology. criminals motivated by greed have adapted their methods and increasingly are using cyberspace to exploit the payment systems to engage in ... and other illicit activities. the secret service is investigating these breaches and is confident that we will bring the criminals responsible to justice. breaches like
10:01 pm
these recent events are part of a long trend. in 1984 congress recognized the ... and established 18 u.s.c. 1039 and 1030 through the comprehensive crime control act. ... misuse of computers as federal crimes and explicitly assigned the secret service to investigate these crimes. the secret service investigates ... through the efforts of highly trained special agents, a network of 33 ... which congress assigned the mission of investigating electronic crimes. as a result of our cyber crime investigations, over the past ... the secret service has arrested nearly 5,000 cyber criminals.
10:02 pm
... were responsible for over a billion dollars in ... and they prevented over $11 billion in fraud losses. breaches are just one part of a complex criminal scheme of organized cyber crime. these criminal groups are using increasingly sophisticated technology. one, gaining unauthorized access to protected information. two, deploying specialized malware to get data. three, distributing or selling the data to their associates. four, engaging in sophisticated and distributed frauds using the sensitive information. five, laundering the proceeds of this activity. all five are criminal violations in and of themselves. ... by sophisticated transnational networks, this
10:03 pm
scheme has yielded hundreds of millions of dollars. the secret service is protecting our nation ... through criminal investigations and ... defeat these transnational cyber criminals through coordinated arrests and seizure of assets. foundational to these efforts are our private industry partners as well as our close partnerships with state, local, and international law enforcement. as a result of these ... we are able to prevent many cyber crimes by sharing intelligence regarding the plans of cyber criminals and ... financial losses. >> through the security ... center, the secret service also quickly shares information with organizations to reduce risks while protecting civil rights and liberties.
10:04 pm
>> the secret service has a long history of protecting the financial system from threats. in 1985 the threat we addressed was that of counterfeit currency. as our payment system has ... paper to plastic, now digital, so too has the mission. the secret service is committed to protecting the system even as criminals exploit it through cyberspace. through ... efforts and working in close partnership with the department of justice, in particular the criminal division and local u.s. attorneys, the secret service will continue to bring them to justice. thank you for the opportunity to
10:05 pm
testify on this important topic and we look forward to questions. >> thank you. >> good afternoon, mr. chairman and members of the committee. thank you for being able to appear to discuss the department of justice's fight against cyber crime. ... dramatically over the last decade and our infrastructure has suffered intrusions. the recent reports about the target data breaches, which the justice department is investigating alongside the secret service, have underscored that cyber crime is a real threat. they ... personal and financial information and sensitive corporate and military data. the justice department is
10:06 pm
vigorously responding to this threat through the work of the criminal division's computer crime and intellectual property section, which partners with u.s. attorneys' offices across the country as part of a network of 300 cyber crime prosecutors. the f.b.i. has made it a top priority, working through task forces in its 56 offices and continuing to strengthen the investigative task force. every day our prosecutors and agents strive to hold criminals to account, to be able to identify these criminals wherever they are and break up the networks and bring them to justice. ... developing meaningful partnerships to strengthen our fight and capacity to protect. we use our tools responsibly and with the important long-established legal safeguards that protect against
10:07 pm
abuse. as just one example of our work, just last week, the u.s. attorney's office in atlanta and the f.b.i. announced the guilty plea of a russian citizen who admitted to developing and distributing malware called spy eye that hacked networked computers by surreptitiously infecting computers, enabling ... to remotely control the computers through command and control servers. that way the criminals were able to steal personal and financial information such as credit card information and user names and passwords. they sold the software, including specially tailor-made ..., to those who in turn used it to infect 1.4 million computers around the world. that is just one of our recent
10:08 pm
successes against cyber criminals. others include, for example, a ...-year sentence handed down in september to a romanian cyber ... who led a multi-million ... scheme to hack into ... data; an 88-month sentence to a russian hacker who sold credit card information ... purchases around the world; and the indictment last year of a china-based manufacturer of wind turbines who stole trade secrets from an american company, causing ...00 million in losses. we must make sure the statutes keep up with technology so we can keep pace with cyber criminals. the administration is proposing several statutory provisions to keep federal criminal laws up to date. we recommend the establishment of a strong uniform federal standard
10:09 pm
requiring certain types of businesses to report data breaches. it should be able to require prompt notices and notify the government of breaches so that law enforcement can pursue and catch the perpetrators. prosecutors also rely on statutes to bring them to justice. the most important is the computer fraud and abuse act. the administration proposed several revisions in may 2011 and we continue to support changes like those to keep federal criminal law up to date. we look forward to working with congress to address ... insiders, such as bank employees or government employees, who access computers in violation of their authorization and then steal or use the information. we also have a proposal to address the proliferation ... which
10:10 pm
... in greater ... in my testimony. we're committed to using the full investigative tools and laws available to us to fight these crimes and to do so ... and responsibly. thank you for the opportunity to discuss the department's work and i look forward to answering questions. >> thank you all. ... to the senator ... since i'm chairing this, i'll be here until the end so i can ask my questions at the end. senator. >> very good. thank you very much. thank you all for coming today. i think we all know why we're here with the breaches we've seen and we just heard about the panel at target and neiman marcus. are there any other similar breaches that have occurred? do you see industries that are more targeted than others and
10:11 pm
... how successful has your agency been in getting ... extradited from foreign countries and what challenges do you see when dealing with extradition issues? >> so, let me start by answering your initial question. i can't speak about any particular companies or breaches, because that information relates to non-public investigations. i can tell you we have been active. we have ... our 50th data security case. we believe that the action has sent an important signal to the marketplace. based on the information that we have available to us, which includes the verizon data breach ... which was referenced, by those indications it's clear
10:12 pm
that companies need to do a lot more and they continue to make basic mistakes when it comes to data security. it is an area where the federal trade commission believes there needs to be congressional action, in particular a strong federal law that imposes robust data security ... and also ... for breach notification. >> this is what we've been talking about earlier with the standards and taking this out with a chip and pin and those things. ... that we talked about? >> we at the f.t.c. don't ... technologies but a process-based approach. they're constantly changing and evolving. we recommend a process-based approach for attacking the problem. >> the extradition question, the reason i asked that, we already
10:13 pm
... that a young russian ... to be a co-author of the malware and there is no shortage internationally. >> i'll defer that question to my colleagues, the criminal authorities who are dealing with those issues. >> as one of you pointed out, there are extraordinary challenges in that some of the most notorious hackers are living halfway across the world, sometimes in countries with which we don't have extradition relationships. that is a challenge that we have in some of these cases. we try to be as creative as we can to ensure that we are able ... the wrongdoers, and we have had specific ... cases. the case that i just mentioned in my opening statement is an example of that. the hacker pleaded guilty just last week and we have had numerous such successes.
10:14 pm
it just takes patience. >> the secret service has had a unique success in this field. ... able to arrest and extradite a number of cyber criminals involved with the help of the department of justice, the office of international affairs and the state department. ... a few, the dave and buster's intrusion happened in 2007. we were successful in arresting -- we actually arrested the person indicted in the case. in 2007 we were extraditing sergei. there are a number of other successes we've had, high-value hackers and high-value ... that have been attacking our
10:15 pm
infrastructure. with the assistance of international law enforcement and relationships, we've been able to arrest those people and bring them to justice. >> one of the things we talked about was the time between the companies confirming the breaches and then letting ... know and how quickly they can find out what their policies are. i assume, ms. ramirez, you would want that to happen as soon as possible. ... questions i want to know, having been in law enforcement, there is this thing to catch people. when a data breach is this big, do you come down on the side of letting the public know immediately? how do you strike that balance between putting information out and then also trying to find the perpetrators and not tipping them off? anyone can answer. >> let me -- if i may start off the discussion on this point, balancing is exactly the right word. in our view a company should notify affected consumers as
10:16 pm
reasonably practicable as possible. there should be enough time for a company to assess the relevant breach and examine what took place and which customers were affected, but we think that customers ... are notified reasonably promptly and we believe that the outside limit ... to be 60 days. at the same time i will also note that when the f.t.c. is ... issues, we do coordinate very closely with colleagues at the department of justice, secret service and f.b.i., and so if there's a need for there to be ... due to the needs of these criminal investigations, we think that is also appropriate. >> okay. >> yes, ma'am. it's a coordinated effort actually between the secret service and our law enforcement office as well as the u.s. attorneys. but it's important to take what
10:17 pm
... an investigation, as far as the pieces of that, and share that ... with that infrastructure. we use ... integration center and we take information that we learned from the malware and hacking and we share that with ... who does reverse engineering and ... to the greater infrastructure. we also partner through our task forces in electronic crime, which we're able to put it out to our trusted partners in that infrastructure, as well as we also partner in the lane of financial services ... to get that information out. >> going back to your original
10:18 pm
... we do believe that the administration data breach ... does allow the flexibility that would allow us to delay notification in increments. there may be an undercover investigation that is necessary, ... other things that can be taken immediately after a breach, and certain circumstances where delayed notification is appropriate. we believe that prompt notification to consumers is important and ... law enforcement is important. thank you very much. >> thank you, senators. >> thank you again, chairman. let me address myself briefly to the two law enforcement witnesses who are here. we have the theft of intellectual ... from american corporations purely across cyber
10:19 pm
networks by hacking into the networks and exfiltrating their data, ... has been ... on multiple occasions as the greatest transfer of wealth in history. has any indictment yet resulted ... conduct? foreign hackers, purely through cyber networks, hack into american corporations and exfiltrate it for competitive purposes. >> i will say that the theft you described is one that we are aware of and we are focused on. last year -- >> has there been an indictment in such a case? >> last year in a similar case ... indictment ... a chinese corporation and about five executives ... important
10:20 pm
race. >> how did they steal it? was it through cyber hack? >> a combination, but also an insider at the american company. >> yep. >> but i think that kind of case, where it shows we are willing to indict a chinese company and ... including the insider, showed our resolve to ... the bottom of the issues. >> the numbers involved show ... but resolve and i hope that there'll be more attention paid to this. i say this with full ... of how very, very challenging and difficult these cases are, from a forensic point of view and locating the foreign defendant point of view and interference ... intelligence and diplomatic relations point of view, from a security point of view. i mean there's a whole array of reasons that these are immensely complicated cases. when we are on the losing end of
10:21 pm
... on multiple occasions that is the greatest transfer of wealth in history, one case that wasn't ... case because it involved a human as well just isn't an adequate response. ... to improve your game on that, and if you're getting pushback from the communities and from the state department and ... people, push back harder, because i think an indictment has a clarifying effect. the other thing that has come up ... has been that the chairman of the appropriations committee, who is also chairman of your appropriations subcommittee, has put in a requirement that the department of justice provide a multi-year strategic plan for cyber within 120 days.
10:22 pm
that's not a long window. it is going to require the d.o.j., the f.b.i. and the secret service, probably folks within ... and homeland security, and o.m.b., without whom no budget is possible, to get together and start to figure out what we look like 3, 4, 5 years out, ten years out, in terms of the structure. we have the f.b.i. deeply involved and the secret service deeply involved in this. we have two different sections of the department of justice separately involved in this. the different programs that we ... and the different strategies seem to be changing every ... months or so as i pursued this. i think a lot of that is good and reflects a good adaptation to
10:23 pm
an emerging threat. we're a long way from having a clear sense of what the cyber law enforcement structure should look like. we're still, i think, evolving, and it's been hard for me to find anyplace in which the thinking about what it should look like 3, 4, 5 years out is taking place. give me a moment on what you are doing right now to respond to the 120-day requirement for a multi-year strategic plan. >> we're very aware of the 120-day requirement and thankfully, before that requirement was put into place, we have been endeavoring for several months through the exercise of putting on paper a strategy for the justice department cyber program. that involves some of the issues you already touched on, which is ... integrate all of our various capabilities.
10:24 pm
i think the way that the responsibilities are divided now, which are the criminal division and national security division and the f.b.i., they work well together, and the reason why is that we communicate on a daily basis and hourly on how to respond to particular threats. together i am certain that we will be able to comply with the 120-day requirement, and we'll continue to work to meet that deadline. >> good. well, i'm very glad that you work well together. i would hazard the thought that working well together and having the proper administrative structure are two different questions, and i would offer as an example the challenge of getting the civil botnet capability properly integrated into the criminal and national security and intelligence elements of this.
10:25 pm
>> i think it's a bigger challenge than just having ... together well. >> i agree with you, senator. the capabilities that we used in the takedown, that was civil authority, but the ... division along with the u.s. attorney's office used those authorities and we were able to do so because of the specific way that it was structured. ... is on our list of priorities now. everyone is different and behind them are individuals. ... getting used to both ... on those individuals and finding ways, creative ways, to dismantle them. >> my concern is it's my ... after the ..., the ad hoc group that had gotten ... to accomplish it disintegrated
10:26 pm
back into their original positions and there isn't a robust and integrated ongoing administrative structure integrating those takedowns. ... more episodic. ... award from the attorney general and ... delighted that it happened, but ... of it went -- disintegrated. thank you. >> thank you for your continued ... cyber security. i have a question for you. can you walk me through how a criminal could go about harvesting the data on a magnetic stripe card and how they go about using and selling
10:27 pm
data once it's stolen? >> yes, sir. if we're talking about the intrusions that we're here today to discuss, it's generally -- it's not one criminal we're talking about. we're talking about a sophisticated network of cyber criminals. we use the analogy sometimes of "ocean's 11." they'll have their people for access and ... controlling the bulletproof hosting system. they'll have people that are ... on extracting ... from the network and ... sellers and ... use it on the street level through either making counterfeit credit cards
10:28 pm
or buying goods, and then a money laundering system in this. i think it's important to understand that we're not talking about currency here. in the criminal underground they're moving it back and forth in virtual currency, which is hard for u.s. law enforcement and others to be able to trace and track those finances. >> i agree with that description. ... often the information that is sold is then ... in carding sites around the world to other criminals who may use it for their own financial profit and for other services. that is another chain in the threats that we are seeing.
10:29 pm
it sounds like there's real justification for putting the senator's bill ... -- this is about coordinated and organized crime. right now the information on most cards in the united states is static. it stays the same until the card is cancelled. ... mean for criminals wanting to make counterfeit cards? ... it easier? >> your question is static data across ...? >> yeah. >> right. ... understand that the mag stripe data is roughly ... technology. i would agree it is perhaps a little more easy for them to utilize and put on readily available
10:30 pm
magnetic stripe cards that are available in the industry today. >> we've been talking today about going to the e.m.v. technology. ... there with a pin. ... both agree here that ... >> thank you. ... company has poor security practices, they can -- the commission has used this authority admirably in the past. there is no comprehensive federal law that sets up a data security standard for
