Consumer Financial Data Protection, CSPAN, February 8, 2014, 10:00am-10:53am EST
10:00 am
today on c-span, a lawmaker discussion about protecting consumer personal information against cyber theft. then testimony from representatives of target and neiman marcus about cyber crime against their companies. then worldwide security threats to the united states. later, the director of the cbo on the economy and the impact of the health care law. >> watch our program on first lady laura bush today at 7:00 a.m. eastern on c-span -- 7:00 p.m. today on c-span. monday night our series continues. >> i think it is all an evolutionary process. you grow into this role. you never get comfortable if you're always pushing for change and growth in the issues you care about. you're never done. there is never a point in time
10:01 am
where you think, i am here and i can do this the same way all the time. it is always changing. >> michelle obama monday night at 9:00 eastern. also on c-span radio and c-span.org. next, a hearing on protecting consumer data and privacy with william noonan, a secret service lead agent for cyber investigations. he testified on the security breaches at target and neiman marcus and their impact on consumers. from a subcommittee, this is just under one hour. >> i call to order this hearing of the national security and international trade and finance subcommittee, titled safeguarding
10:02 am
consumers' financial data. i will introduce the two witnesses now and make a brief opening statement. we have two panels. if my colleagues do not mind, we will go straight to them to let the witnesses give presentations. the subject has generated an enormous amount of interest. i am very appreciative of both panels. in the first panel, we will be hearing from the deputy special agent in charge of the secret service's criminal investigation division, cyber operations, and he oversees the service's cyber portfolio. he has over 20 years of government experience. he has done transnational fraud investigations. welcome. ms. jessica rich is the director
10:03 am
of the bureau of consumer protection at the ftc. she has held a number of senior positions, including associate director in charge of the division of financial practices and assistant director of the division of privacy. she joined the ftc staff more than 20 years ago. welcome. this is a subject that has garnered a lot of public attention recently, and as somebody who spent a longer career in technology than i have in government, this is an area that i think is going to -- we're going to see an exponential rise in consumer interest, and others', as we try to get our arms around a challenge that is only going to grow in terms of our -- all of our lives. we have heard of massive data breaches in recent weeks at
10:04 am
target, neiman marcus, michaels, and other retailers. at target alone, more than 40 million cards were compromised. up to an additional 70 million consumers' other information was taken. not only were the cards stolen, but if the cards were not taken, data was compromised as well. we have to make clear that while we're talking about specific retailers, this is not a witch hunt about any particular retailer's actions or inactions. honestly, i think we will see, and i know from my role in the intel community, this is a crime that happens constantly to financial institutions, retailers, at a level that most americans would find rather confounding. i at one point had a much longer statement, but there are three areas i think we need to focus on.
10:05 am
as we sort through this issue, we need to understand that we don't need another -- i do not need, at least, a long-term fight between the bankers, retailers, and the card industry. many of us up here have gone through these challenges, rightfully felt, around the interchange battles, but a repeat of that kind of delay in getting a solution serves no one. hackers in russia, china, ukraine, throughout the world, are not waiting for america to get its act together on this issue. they are continuing to strike at us every day. to better protect consumers, our financial institutions, networks, and merchants should work together to continue to innovate on anti-fraud technology. as i said, the public cannot afford multiple years
10:06 am
of legislative battles like we saw over interchange fees. every minute of every day, the hackers and the cyber thieves are attacking our vulnerabilities. second, as somebody who spent a career in technology, in many ways this is fundamentally a technology problem, and technology can provide part of the solution. you have already seen data that shows that the card protection system used in europe, the so-called chip and pin system, is much more effective than what we have presently in the united states, the swipe system, in terms of preventing fraud at point-of-sale. but we should not assume that any single technology is a silver bullet solution. technology, as we know, will continue to evolve on a weekly, monthly basis, and we have to continue to stay ahead. we have seen in europe that while the chip and pin system
10:07 am
dramatically decreased, for example in the u.k., the amount of fraud and cyber theft at point-of-sale, we saw a dramatic increase then in online fraud and cyber attacks. i hope we are able to discuss technology solutions, not just chip and pin, but as we look at the online issue, there is this emerging field which can provide more encrypted solution sets, not just for point of sale, but for other solutions. again, we are not here to endorse any specific technology products or services. but i think this is an area where we need great collaboration. government has a role to play. industry has a role to play. but as consumers, we need to be more vigilant as well. consumer financial exposure is more limited with credit cards.
10:08 am
here is my personal debit card. i will try to pull the numbers back a little bit. but until a few weeks ago, i did not realize that my debit card protections are not as great as my credit card protections. i will let the record show that i do not show the numbers on either side. but even with the debit card protections, there are -- with this challenge, we have got to look at perhaps raising those standards to equal credit cards. debit card use has been growing like mad, with transactions tripling since 2003. again, i think about my kids who have got debit cards, and large portions of the underserved community use debit cards, and that will be a fact of life, and we have to figure out a way to act swiftly. finally, as we talk about one of the most frightening things that i heard as i sorted through
10:09 am
this, thinking about cards and protecting consumer privacy, in many ways we have focused so far on the challenge around protecting credit cards and debit cards, but the real potential exposure we have is that people can actually get into our online bank accounts or the transactions that we all do, as more and more of us do online banking and other services. that offers an area where there are very few protections at this point and almost unlimited liability for consumers. so one of the challenges we have is, yes, we have a role for industry and for government, but we all have a role as americans to make sure you take that extra protection, to occasionally change your pin number and make sure you never reveal your bank account information or number, that you constantly report if you feel like there has been an instance of fraud. this is a role that all americans will have to play, continued vigilance. with that, i will ask for comments from senator kirk.
10:10 am
just, mr. chairman, i would put a face to this crime we're talking about -- albert gonzalez was convicted in 2010 of stealing 40 million credit card records. he made so much money off of this that he even bought his own italian island off the profits. he is now serving 20 years in prison. that is in line with the legislation i will be introducing that calls for a 25-year federal minimum for this kind of theft, to just say goodbye, you are off to prison for a significant portion of your life. i am looking for bipartisan cosponsors. >> i think the question of enforcement has got to be an area we focus on. i think there will be bipartisan
10:11 am
support. all right, with that, i look forward to an exciting and robust discussion. >> good afternoon, chairman, ranking member, and distinguished members of the subcommittee. thank you for the opportunity to testify on behalf of the department of homeland security regarding the exploitation of cyberspace to obtain sensitive and financial identity information to defraud our nation's payment systems. our modern financial system depends heavily on information technology for convenience and efficiency. accordingly, criminals motivated by greed have adapted their methods and are increasingly using cyberspace to exploit our nation's financial payment systems to engage in fraud and other illicit activities. the widely reported data
10:12 am
breaches of target and neiman marcus are just recent examples of this trend. the secret service is investigating the recent breaches, and we are confident we will bring the criminals responsible to justice. however, data breaches like the recent events are part of a long trend. in 1984, congress recognized the risks posed by increasing use of information technology and established 18 u.s.c. sections 1029 and 1030. these statutes define device fraud and misuse of computers as federal crimes and assign the secret service authority to investigate these crimes. in support of the mission to safeguard cyberspace, the secret service investigates cyber crime through our highly trained special agents and the work of a growing network of 33 electronic crimes task forces, which congress has assigned the mission of detecting, preventing,
10:13 am
and investigating various forms of electronic crimes. as a result of our cyber crime investigations, over the past four years, the secret service has arrested nearly 5000 cyber criminals. in total, these criminals were responsible for over $1 billion in fraud losses. we have prevented over $11 billion in fraud losses. data breaches like the recently reported occurrences are just one part of a complex scheme executed by organized cyber crime. these criminal groups are using increasingly sophisticated technologies to conduct a criminal conspiracy consisting of five parts. one, gaining unauthorized access to computer systems carrying valuable protected data. two, employing specialized malware to capture this data. three, distributing or selling the sensitive data to criminal associates. four, engaging in sophisticated and distributed
10:14 am
frauds using the sensitive information. five, laundering the proceeds of their illicit activity. all five of these activities are criminal violations in and of themselves. as conducted, this scheme has yielded hundreds of millions of dollars in illicit proceeds. the secret service is committed to protecting our nation from this threat. we disrupt every step of their five-part criminal scheme through proactive criminal investigations, and the defeat of these transnational cyber criminals through arrest and seizure of assets. foundational to these efforts are private industry partners, as well as close partnerships with state, local, federal, and international law enforcement. as a result of these partnerships, we are able to prevent many cyber crimes by sharing criminal intelligence and minimizing financial losses by stopping the cyber criminal
10:15 am
schemes. through the department's national cybersecurity and communications integration center, the secret service also quickly shares technical cyber security information, while protecting civil rights and civil liberties, to allow organizations to reduce their cyber risks by mitigating technical vulnerabilities. we also partner with the private sector and academia to research cyber threats and look for trends through reports like the insider threat study, the verizon data breach investigations report, and the global security report. the secret service has a long history of protecting our nation's financial system from threats. in 1865, the threat we were created to address was counterfeit currency. as our financial payment system has evolved from paper to plastic to now digital information, so has our investigative mission. the secret service is committed to protecting our nation's
10:16 am
financial system even as criminals increasingly exploit it through cyberspace. through the dedicated effort of our task forces and by working with the department of justice, the criminal division and the local u.s. attorneys' offices, the secret service will continue to bring cyber criminals that perpetrate major data breaches to justice. thank you for the opportunity to testify on this important topic, and we're looking forward to your questions. >> chairman warner, ranking member kirk, and members of the subcommittee, i am jessica rich, director of the bureau of consumer protection at the federal trade commission. i appreciate this opportunity to present the commission's testimony on data security. in today's interconnected world, personal information is collected from consumers wherever they go. from the workplace to shopping for groceries, from our smartphones to browsing the web at home, virtually every action we take involves the collection of information, some of it very
10:17 am
sensitive. many of these data uses have clear benefits, but the recent spate of data breaches is a strong reminder that they also create risks for consumers. hackers seek to exploit vulnerabilities to obtain and misuse consumers' personal information. all of this takes place against the backdrop of the threat of identity theft, a pernicious crime that harms both consumers and businesses. the bureau of justice statistics estimates that over 16 million people were victims of identity theft in 2012 alone. the ftc is committed to protecting consumer privacy and data security in the private sector. since our first data security case in 2001, the ftc data security program has been a strong bipartisan effort that includes law enforcement, education, and policy initiatives. the ftc enforces several laws that protect consumer data. under the ftc act, the agency can take action against companies that engage in
10:18 am
deceptive or unfair practices, including deceptive or unfair data security practices. the ftc also enforces several laws that require special protections in certain business sectors: the credit reporting industry, among financial institutions, and also among online services for our kids. in enforcing these laws and investigating potential data security failures, the commission recognizes that there is no such thing as perfect security and instead examines whether companies have undertaken reasonable procedures to protect consumer data from the risk of identity theft and other misuse. since 2001, the ftc has used its authority to obtain 50 settlements with businesses that failed to provide protections. the best-known case may be the 2006 action against a data broker that allegedly sold sensitive information about more than 160,000 consumers to thieves
10:19 am
posing as choicepoint clients. the commission alleged choicepoint failed to use reasonable procedures to screen purchasers of consumer data and ignored obvious security red flags, resulting in at least 800 cases of identity theft. before choicepoint, the ftc brought actions alleging security failures by such companies as microsoft, and after that, against such companies as tjx, lexisnexis, htc, rite aid, and many others. our cases over 14 years alleged similar commonly known vulnerabilities and security failures. in addition to enforcement, the commission promotes strong data security through consumer education, business guidance, and policy initiatives. for example, our website contains guidance for consumers
10:20 am
on what to do in the event of a breach. and perhaps our most important education is our guide to businesses about how to develop a strong data security program. sitting here today with my colleagues from the secret service, i want to emphasize that data security is a shared responsibility among many different entities and people, including the different law enforcement agencies that work in this area. the commission has a long history of working closely with other federal and state agencies on this important issue. for example, one ftc case was a joint action with 35 state ags, and we received assistance from 39 state agencies in the case against tjx. we worked with the department of health and human services in cases against cvs and rite aid. we coordinate with the fbi and the secret service. the goals of the ftc and criminal agencies are complementary. criminal actions seek to punish
10:21 am
hackers and others that steal consumer data, while our actions focus on shoring up security protections so that companies prevent intruders from getting inside in the first place. as a final point, on data security legislation, never has the need been greater. the commission reiterates its bipartisan support for federal legislation that would strengthen the ftc's existing authority over data security and require companies to notify consumers when there has been a security breach. thank you for the opportunity to testify here today. the commission looks forward to continuing to work with congress on this critical issue. >> thank you. thank you both. i would also like to point out that last week i asked a question of dni clapper. he had made an estimate that cyber attacks on our economy were in excess of $300 billion worth of damage, and that was last year's report.
10:22 am
i asked him, and he says that number has probably dramatically increased. that was in public testimony last week. obviously, that goes beyond the question of individual data breaches. but i believe this will grow dramatically. i also want to mention that the secret service does not want to weigh in on specific technology solutions, chip and pin and others, but we are going to need your cooperation at some point and guidance on how, working with industry and whatever standards come about, we have got the cutting-edge technology. i guess my first question for mr. noonan, why is it that even the secret service or security bloggers are often times the first to know about these attacks? i understand we have gotten industry standards that are set, but this news keeps
10:23 am
floating out more. the breach floated from a blogger, i understand, and it was said that the malware involved in the target breach was identified back in 2011. why is it taking us so long to respond? is that a restraint on you, or is it not enough aggressive action from the industry? >> first, you got into the fact that sometimes the secret service knows ahead of time about these breaches and we are able to bring it to the attention of different victims. the fact that we do this is through proactive investigations, where we are out sometimes ahead, determining and looking at data as it relates to the financial industries. it is through partnerships we have in the financial industries sector that are able sometimes to bring us data, where we are able to go through the data and
10:24 am
be able to find out where information is leaking into the criminal underground from. that, too, is the same way i believe that some journalists are able to get a hold of some of that information. you also brought up the malware and the fact that it has been around since 2011. i think what we're discussing here is the type of malware. so it is not necessarily the exact type of malware. malware can be molded and changed. these attackers have molded the malware, so it is not detected by the antivirus and technical means that general i.t. security folks will have. so these are very sophisticated actors that are not using regular malware. they're modifying that malware for each particular high-tech attack, when we're talking about an attack of this significance. >> i guess one of the things, this is both for you and ms. rich, how do you get the standard right on when it
10:25 am
becomes the duty of the company or the financial institution to report an incursion? you know, particularly since this evolves all the time. we know there are standards set, but this is constantly evolutionary -- do we have it right? do we need more tools? or do we need collaboration and setting a regulatory process that would be static? let's move this quickly, and i have one last question. >> well, what the commission supports are federal standards for both data security and breach notification. right now there are state laws requiring breach notification, but no standard at the federal level and no civil penalties. while we have tools and we're using them to enforce, to address data security failures by companies, it would be extremely helpful to have a
10:26 am
federal law requiring data security, not just notification, with civil penalties. >> how do you make sure that law will evolve quickly enough? sometimes standards take seven years to evolve, but this is a field that changes on a monthly basis. >> we believe that the legal requirements should require a process for developing appropriate data security so that the specific technical standards can evolve and perhaps be implemented through self-regulation or industry standards. but we do have one regulation in the financial area that is kind of a model for this, the safeguards rule, that sets forth a process. you have to put somebody in charge, you know, your chief technology officer. you have to do a formal risk assessment and then implement safeguards in key areas of risk such as employee training,
10:27 am
network and physical security, service providers, etc. it sets out a process like that, and we are able to use that as a tool for enforcement without mandating levels of encryption and things that change over time. >> i want to respect my colleagues' time. could you also identify -- target's could have been from the ukraine, but where in general are these from? >> many of these are national, and transnational. cyber criminals are attacking us from eastern europe. i don't want to say this one country versus another country. what we are seeing is that, largely, the cyber criminal world is using russian speaking -- and i say russian speaking in that they are using the russian language as operational security. that is the piece that the criminal underworld is using to hide themselves from u.s.
10:28 am
law enforcement. >> a quick question for mr. noonan. you describe the general russian cooperation with a lot of these attacks. can you describe law enforcement cooperation? >> there have been many of these instances where we have worked in cooperation with law enforcement. >> but vladimir putin is not our greatest friend. could you tell us who you do your cooperation with? >> generally, the cooperation that we deal with through the russian authorities is through a notification process, to get a process taken care of in the
10:29 am
russian federation. >> a quick follow-up, any extraditions from russia? >> no, sir, we have not had any extraditions from russia. >> senator warner. >> -- warren. >> all of us have constituents that are affected by these data breaches. i think it is clear that the data protections that we have in place now are not enough. 16.6 million people, seven percent of the adult population, were victims of identity theft. it is a huge number. i would like to get a better sense of how these laws are enforced. the ftc has authority to go after companies that have engaged in either deceptive or unfair practices. i want to break those
10:30 am
two out, if i could. ms. rich, can you describe what is needed in regard to data security standards for the ftc to bring a claim for deceptive practices? >> our deception authority focuses on making statements, or omitting information, that is material. our cases in this area generally involve statements that can be express -- you know, we encrypt our data to the highest levels of blah, blah, blah -- or implied -- you know, you give us your data and we will encrypt it and make sure it is taken care of. we do hearings with officials at companies and we consult with experts to determine whether those claims are true. >> let me just clarify
10:31 am
this. if a company's security standards are inadequate, but the company says nothing about them, the ftc is powerless, at least under its authority to go after deceptive practices. is that right? >> we have two prongs, deception and then also unfairness. >> i will get to fairness in a second. for a company that has totally inadequate data security standards, i want to clarify. i think what you are saying to me is that if a company says nothing about its data standards, then the answer is that under the deceptive prong, the ftc has no authority to go after this company. is that right? >> that is absolutely right. and that is one of the reasons we are supporting general data security legislation. but let me say, we do also have
10:32 am
unfairness authority, and we use our deception authority to look at not just what is stated in a privacy policy, but what a company may claim in the context of its interaction with consumers, including implied claims. >> ok, but under your authority to go after deceptive practices, i understand that the ftc has settled about 30 data security cases since 2002. that would be about three per year. it is fair to say that is not very many, given the number of data breaches that we have seen in the past decade. >> i would emphasize that there is not strict liability for a breach. when a breach happens, we look at the underlying practices; it is not whether there was a breach and then we automatically bring a case.
10:33 am
i would also emphasize that we believe our 30 deception cases and 20 unfairness cases provide general deterrence, and specific deterrence, especially given the kind of remedies we seek. it has brought a lot of attention to the need to secure data and made a difference in raising the stakes, but we do need more tools. >> let's talk about that a little more. in addition to the 30 cases you've brought over the course of the decade under deceptive practices, i just want to ask about unfair practices. can you describe what a company has done when a claim of unfair practices is brought? >> we have a three-pronged test, and one of those is substantial injury.
10:34 am
in many of these data security failure cases -- again, it is not strict liability for a breach -- we have met that standard and, therefore, have brought those cases. >> i understand. and if i'm understanding this correctly, you are describing a fairly demanding standard. it is more than a breach, more than the fact that people have been injured, more than the fact that a company had very lax standards. as i understand it, there is some question around the ftc's authority in this area, which may be why you have used unfair practices in only 20 cases over 10 years. i just want to say that i think this is a real problem, that the enforcement authority in this area is so limited. the ftc should have the enforcement authority it needs to protect consumers, and it looks to me like it does not have that authority right now. security problems are not
10:35 am
going to go away on their own. congress needs to consider whether to strengthen the ftc's hand. thank you. >> that was an interesting line of questioning. in some cases, you may see -- you may have a series of players in an industry that are meeting those standards. the challenge is that you may have that one weak link, and the whole industry could be infected because of the weak link. i think there should be more ability to collaborate here. >> let me start out on the international front, if i could, and maybe follow up on senator kirk's questions a little bit. is there data available that would illustrate to us what percentage of the attacks come from outside the united states? is that data available? either one of you.
10:36 am
go ahead, mr. noonan. >> i'm certain that it is. i will have to respond back to you in writing. >> just for the purposes of the hearing, would it be the majority of the attacks, do you think? >> i would say the majority of the significant attacks would be from outside of our borders. >> and to put a finer point on it, would the majority of the foreign attacks come from eastern europe? >> yes, sir. >> in terms of the cooperation that we get out of that part of the world, can you think of any case at all where there has been an extradition from eastern europe where a hacker was sent to the united states for prosecution, any case? >> yes, just recently we had a
10:37 am
case out of romania. >> is that rare? >> with the romanian authorities, we are working very closely with them at this point. but with the other countries in eastern europe, it could potentially be very rare, yes. >> what i'm trying to get at, and i'm not trying to be coy here, is that it looks like parts of eastern europe are a sanctuary if you are a hacker, because the chances of being sent over here to face prosecution and conviction are probably nonexistent. would you agree with that statement? >> yes, i would agree. >> that is kind of a bad deal, no matter how secure you are, because at the end, if those folks are not facing the
10:38 am
possibility of prosecution, they will just keep going. >> yes, however, we do have some very strong partnerships with other countries over in eastern europe. and it is through those collaborative efforts that we are making gains against a number of the cyber criminals. to say that we do not have cooperation in eastern europe is not 100% accurate. >> right. >> it is true that with many of the different law enforcement authorities, we do have a strong collaborative effort in moving toward identifying who these actors are and learning more about their networks. >> let me focus on breach notification, because i think from the consumer standpoint, that is critical. as consumers, we want to have the ability to trace a hacker -- we won't have the ability to trace a hacker to romania or whatever. but the one thing we do have is if we are given notification, we
10:39 am
have the ability to stop using the card, or tear it up, or notify our creditors. we can be proactive. how important would you say breach notification is in our effort to protect consumers? >> i think for the very reasons you say it is extremely important, which is why we support a law at the federal level with severe penalties. >> how do we do that -- and i don't want to get into a sensitive area, but this is a sensitive area. as a former cabinet member, i can tell you that i know we had millions of records that contain sensitive information. social security numbers, date of birth, residents' addresses, on and on. i will also add that oftentimes,
10:40 am
the federal government's security system is not the best. and it could be the health care law, the v.a., the department of agriculture, a host of things. what do we have on the federal government, that if my information at whatever agency has been compromised, somebody will let me know that? >> you mean, what federal laws govern the federal government's collection of information? >> yes. >> there are a number of laws that require data security among federal government agencies, as well as breach notification. i'm not completely familiar with the details of all of those, but i know that if there is any breach in my bureau, who we are supposed to report it to. >> are there any breach
10:41 am
notification requirements in the health care law?
>> I'm not familiar with the details of the health care law. But I do want to add, on the point you are making about Eastern Europe -- because there will always be criminals that may be coming from countries where there -- where it is difficult to trace, that is why there is this partnership, this joint effort among different approaches and agencies. We cannot just count on criminal enforcement. It is also important that companies shore up their systems as much as they can against attacks. We need to attack this problem from different angles.
>> Thank you, Mr. Chairman.
>> Senator Tester.
>> Thank you for holding this hearing. As long as we are talking about breach, we will flash -- flesh it out a little bit more. The breach that you were talking about with Senator Johanns was between the financial institution and the coal -- the cardholder. What about a breach between the retailer and a financial
10:42 am
institution, or the retailer and your office? Mr. Noonan? Or your office, Ms. Rich?
>> There are state laws that require breach notification that may apply to retailers. But there is no federal notification law.
>> There is no federal requirement across the board for the retailer or the banks, or the retailer and the investigative services, or the banks and investigative services. No breach requirement across the board?
>> Not that I'm aware of.
>> Can you tell me when the breach happened on Target?
>> That is still an ongoing investigation.
>> But when did the breach actually happen? Maybe that is an unfair question. When did the actual attack on the database actually happen? What date?
>> It is an active investigation, so we cannot get into that.
>> You cannot tell me how much time it was before you found out about it, to be able to start your investigation, into when the
10:43 am
breach actually happened?
>> No, I cannot at this point.
>> It was not immediate.
>> [indiscernible]
>> I will not put you on the spot. You can take the Fifth if you want. It does not matter.
>> In the public, December 15th, and then the 19th there was an announcement.
>> There needs to be a breach notification, because time is literally money in this situation. There is a breach that happens, and the retailer reveals the information, or for some reason the banking institution may want to hold that. I don't know why either one would want to, quite frankly. You guys need to know about it immediately, so you can start finding out where the bad guys are, if we are going to get to the bottom of it, right?
>> Yes, sir.
>> Your program,
10:44 am
focused on entry of criminals. And you highlighted investigation networks where cyber criminals were able to install programs to be able to capture information from retailers. And it has already been talked about by the chairman. There are 40 million cards, 70 million people's personal information was given out. Can you tell me why they would be storing sensitive information on their own networks?
>> I don't believe in this case information on the cards was actually being stored on the network.
>> How did they get the information?
>> The information was being selected as the data was going through the process.
>> OK, I got you. How did they get the 70 million?
>> It was a heavy timeframe of collection time in which the data was being collected by the criminals.
10:45 am
>> So whether this was encrypted or not makes very little difference. I was under the assumption that this was on a database, that the information was not encrypted. The folks that got into that database then encrypted the information and took it out.
>> I think you're getting this from the media, perhaps.
>> Perhaps. [laughter]
>> This is an ongoing investigation. I cannot talk about the specifics of how this was being done.
>> I want to talk a little bit about the enforcement that you have. Right now, seriously speaking, of all the things you have to deal with, do you have any tools to work with that really work?
>> We are doing a lot in this area. We are bringing enforcement, doing education.
>> I'm not being critical of you
10:46 am
. I'm being critical of us.
>> We do want more tools.
>> When was the last time your tools in dealing with this issue were dealt with from a policy standpoint? A revamp of your tools dealing with data breaches in the last 10, 15, 20, 50 years?
>> We have received some new authority and this area -- in this area, including a data breach law for a narrow class of health entities, personal health records. The Gramm-Leach-Bliley Act was passed in 1999 or 2000, but it has been a while.
>> We have some work to do, Mr. Chairman. Thank you.
>> Yielding back 30 seconds. Senator Menendez.
>> I appreciate you holding this
10:47 am
hearing. When these issues broke in December, Senator Schumer and myself and yourself asked for this hearing. This is extraordinarily important. Ms. Rich, I have two particular lines that I want to pursue. I think Senator Warren opened the door to something that I think is incredibly important, which is what role should the FTC and the federal government create with a standard? It seems to me that whatever high standard exists in the marketplace, readily available for technology, is one that we would want everybody to follow in order to be sure of the security of millions of Americans' private information -- critical information to themselves, to their credit retailers, to banking institutions.
10:48 am
A standard that says, look at what is available in the marketplace -- we cannot expect a company that gets hacked and is already using the highest standards available in the marketplace to be held responsible. But if there was a standard available and that company or companies were not using that standard, then we have to question whether or not they made an investment decision not to go ahead and expend the resources for the higher standard. It seems to me that part of the question is -- and I know that the private sector is largely -- has largely worked on creating its own standards -- but is there a role for the FTC and the federal government to set a standard that says, look, whatever is existing in a marketplace that can, in fact, be achieved to give the highest protection available should be the standard? And if you don't pursue that standard, then you are subject to the consequences thereof.
10:49 am
>> That is incredibly similar to the way we think about it now when we talk about having "reasonable security." Reasonable security means that you take into account what the risks are in your business, what the sensitivity of the information you collect is, how much information you collect, the cost and availability of the measures out there in the marketplace. We analyze it.
>> Does the industry understand they will be held to those standards? I don't get the sense that there is an obligation per se to be held to that higher standard.
>> One of the limitations we have in our work is we don't have civil penalties or the kind of sanctions needed to provide the right incentives to focus on this issue.
>> I want to get to civil penalties in a moment.
10:50 am
If we set a standard that everyone has notice of, here is what we expect of you, then -- and of course with industry input into that standard -- but it seems to me that we have notice, process, opportunity to be heard, and then we go away. I would like to pursue with the agency whether or not the standard is important, Mr. Chairman. Secondly, with reference to additional authorities, in my letter to Chairwoman Ramirez asking about the commission's efforts in the past -- it seemed to me that she agreed that having authority to impose civil penalties would be a good authority to have.
10:51 am
I don't think that is something you want to levy against every company. I think it goes back to a standard. If you are pursuing a standard, you are not held responsible. If you are not, then civil penalties may be available.
>> It is very important to have civil penalties available as a remedy for specific deterrence when there has been a failure.
>> Your testimony reasserts the Federal Trade Commission's long-standing assertion, borne out through case history, that Section 5 of the FTC Act covers instances where a company fails to adequately protect consumer data. This assertion is based on the commonsense premise that customers have an understanding that companies will take reasonable steps to protect their data, and failure to do so would be unfair or
10:52 am
deceptive practices. However, companies have been challenging this assertion. If that is the case, that they will now challenge that assertion, it seems to me to call for not just voluntary efforts, but to create a standard and consequences of that standard that can give Americans the best security they can hope for. I hope to work with the committee and the FTC in that regard.
>> Thank you, Senator. One last comment. I know we have other questions, but we have a second panel. I will make one comment, and then, if anyone's got a burning question, then we will go to the second panel. Senator Tester's comment, trying to get a notion of the obligation to disclose when you have been breached -- I think sorting that through