
Key Capitol Hill Hearings, C-SPAN, March 27, 2014, 3:00am-5:01am EDT

3:00 am
but hopefully, we all understand that asking for all the e-mails, the ones that you seem to be least willing to put first are the ones that probably have no 6103. they're very quick to go through and somebody simply looks and goes oh, she's talking to an outside entity. by definition there can't be any 6103 there. right? >> correct. all the ones that are easy are easy. the ones that are difficult are difficult. there are more of the difficult ones than we would all like. >> of course, the ones that the gentleman was asking for before he had to leave were the ones that were not being given, which by definition very often are easy? >> right. i would just note for the record that all the woman from califor
3:01 am
ms. speier, for five minutes. ms. speier: madam speaker, thank you. last week, as the world watched in disbelief, the trial of brigadier general sinclair concluded much as it began, flawed and unjust. even with the world watching, the military once again demonstrated its outright incompetence at administering justice. brigadier general sinclair walked out of the court a free man even though he had pleaded guilty to these charges. he pleaded guilty to an inappropriate relationship with his accuser, an inappropriate relationship with
3:02 am
another female army captain, an inappropriate relationship with a female army major, possessing and displaying pornographic images and videos on his computer in afghanistan. he pleaded guilty to using a government-issued travel card for personal purposes for a trip to tucson, arizona, and a trip to fort hood, texas, to see his mistress. he pleaded guilty to attempting to start an inappropriate relationship with a female army lieutenant, sexually explicit communications with a female army major, requesting and receiving nude photos and a sexually explicit video of her. he pleaded guilty to vulgar language to describe female staff officers, impeding an investigation and adultery with his accuser. again, these aren't the charges the judge found sinclair
3:03 am
innocent of, but all of the charges sinclair pleaded guilty to. his punishment: no demotion in rank, no forced retirement, no jail time. instead, a small fine that he will pay with his generous taxpayer-funded pension and a potent message to those that are thinking of coming forward: you will be dragged through the mud and you will be punished, not the perpetrator. a civilian would have been fired. the misuse of government funds and the gross misconduct by general sinclair, who pleaded guilty to all of those charges, should have been more than enough to fire him. you know, i would like to say i was shocked by this unconscionable decision, but after working on this issue for three years, i have learned this pattern is the rule, not the exception. whether the army intended it or not, this was a high-profile
3:04 am
test case for whether the military can hold its highest officers accountable for committing serious offenses. it failed. the military seems to be determined to make our point for us. the current military system of justice is incapable of meting out justice in an impartial and effective way. when sinclair was challenged by his staff for his conduct and remarks towards women, the general replied, i'm the general. [expletive deleted] i want. he's right. even violent crimes against women are condoned and at times even celebrated. in 2010, a skit was performed
3:05 am
for general sinclair's benefit where a soldier wore a wig and dressed as a female officer and offered to perform oral sex for the general. this skit was performed in front of the general's wife and more than 500 people, and yet this gross performance of general sinclair's sexual misconduct was no cause for concern at the time. until these cases are taken out of the chain of command, the reality and perception will continue to be that the military justice system is tainted under command influence and is inherently unjust. the american people look at how this case was handled and see that a commanding officer, without legal expertise and with a built-in conflict of interest, is not competent to prosecute serious crimes. it should now be clear to everyone in congress that the military is incapable of holding perpetrators
3:06 am
accountable. it is our duty to reform the system, which we created in the first place, not the commanders, whose legal training and built-in conflict of interest have proven to be so ineffective. this case is an embarrassment to the military, but frankly it's an embarrassment to congress. when will we be willing to say enough and do our duty to protect our serviceed 35 years d
3:07 am
3:08 am
brought to you today as a public service by your local cable or satellite company. >> recent security breaches at target and the university of maryland compromised the financial data of their customers and students. the senate commerce committee had a hearing on these computer breaches with executives at
3:09 am
target and the university of maryland president. members also questioned the head of the federal trade commission and an executive from visa. this is just over two hours. >> this is in order. it is. this is the era of big data. you knew that, senator mccaskill? that is not news to you. whether we like it or not, companies are collecting reams of information about us as we go about our daily lives. crazy, when they talk about people having an invasion of privacy, if it could happen, but it has happened. that is that you keep people
3:10 am
scared, and now people are reacting to it, saying, we have got to get rid of this thing. we are not necessarily an intelligent congress when it comes to our security. they are tracking us as we visit websites, stores, as we purchase products, where the information may be mundane, but a lot of it is highly sensitive. it may have to deal with health, family problems, whatever, and i think we can all agree that if target or any other company is going to collect detailed information about its customers, they need to do everything possible to protect them from identity thieves, because what everybody was fearing about the nsa, which has never come out to be true, has, in fact, come to be true about the american private sector. that is the irony of the whole thing. it is rocked with, you
3:11 am
know, terrible things that could happen with the nsa, except nothing terrible has happened, but some terrible things are happening elsewhere, so it is now well-known that target fell well short in doing this, that is, protecting their customers. last november, december, cyber thieves were able to infect their credit card terminals with malicious software, ... their computer servers, access a staggering amount of consumer information, which they can pick and choose from, and then sell them for something called a profit. there has been a lot of anxiety recently about this type of information. i am making my point again. i like making this point. what they have been collecting on citizens about the terrorist threat, but the truth is, why did companies like target collect vastly more pieces of sensitive information than the government does, and they spend
3:12 am
much less time and much less money protecting their sensitive data than the government does. you cannot penetrate the firewalls, all the firewalls around the nsa. senator thune, welcome. so we learned yesterday that federal agents notified more than 3000 companies last year that their computer systems had been hacked. i am certain there are many more breaches that we never hear about. in my zeal a number of years ago i asked the sec if they would sort of make it a requirement that whenever somebody was hacked into, that it be recorded at the sec, put on their website, for the advantage of the shareholders, as that is the type of information that they need to know if they are going to buy or invest. that is haphazard or
3:13 am
so target is going to tell us today that they take data security very seriously and that they have followed their industry's data security standards, but the fact remains it was not enough. the credit card numbers of 40 million people and the e-mail addresses of nearly 70 million people were potentially stolen under their watch. my staff has carefully analyzed what we know at this point about the target breach in a new report, and they identify opportunities they had to prevent this from happening. it is a very interesting chart of where they could have, and i will hold it up and ask unanimous consent that this be made a part of the record of this hearing, and anybody who wants one of these is welcome to have it. i hope people at the press table have it. it is increasingly frustrating to me that organizations are resisting the need to invest in their security systems.
3:14 am
must be a clarion call to businesses, both large and small, that it is time to invest in some changes. well, i am disappointed that many companies have failed to take responsibility for their data security weaknesses, and i am just as disappointed by congress and our failure to create standards to protect consumer information. if you can imagine having stores in 45 or 35 states, and every state has different rules and regulations, i mean, it is just an impossible mess. recently, i put forth legislation that builds on the long, well-established history of the federal trade commission and state attorneys general in protecting consumers from data breaches. the bill sets forth strong federal security standards by, one, directing the ftc to circulate rules requiring companies to adopt reasonable but strong security protocols,
3:15 am
requiring companies to notify affected consumers in the wake of a breach -- that should just be automatic -- and authorizing both the ftc and the state attorneys general to seek civil penalties for violations of that law. for nearly a decade, we have had major data breaches at companies large and small. millions of consumers have suffered the consequences. ... deserves its share of the blame for inaction. i am increasingly frustrated by the industry's disingenuous attempt at negotiations, so this is my message to the industry today. it is time to come to the table, be willing to compromise, and i am willing to hear their legislation, my legislation, or any other legislation. i am not willing to forfeit the basic protections that consumers have a right to count on, and i will not. finally, i would be remiss if i did not note that
3:16 am
representatives of the company declined my invitation to testify today. when people decline to testify in front of this committee, my instincts, which may be skewed, are that nevertheless they are hiding something, and on this subject, i think it merits more and closer scrutiny. on my most distinguished -- i will not go through my usual. >> thank you, chairman rockefeller, for holding this afternoon's hearing on data breaches and protecting consumer information. protecting consumers from fraud and harm is certainly something that all of us share. i am glad the university of maryland and target representatives are here to tell us of their recent and well-publicized breaches. while forensic investigations into these incidents are still ongoing, millions have been affected. i look forward to hearing what lessons target and the university of maryland have
3:17 am
learned from these and what steps they are taking to prevent them in the future and to better safeguard people's personal information. yet data breaches are not exclusive to the university of maryland and target. there were more than 600 breaches and at least 44 million compromised records in 2012 alone. while we are here today primarily to discuss data breaches in the private sector, we cannot forget that the u.s. government also holds vast amounts of information. it is estimated that the federal government spends billions in security, including in fiscal year 2012, but it is not immune to cyberattacks and data breaches. more than 22,000 data breach incidents were reported, a number that was more than double what was reported in 2009. in addition, a recent report from the government accountability office, the government watchdog, identified several incidents when they failed to notify people.
3:18 am
in many ways, ranging from the inconvenience of having a credit card replaced to the harm of identity theft, where a criminal runs up large bills. we have to make sure that consumers have the information they need to protect themselves. that is why i support a federal breach notification standard to replace the patchwork of laws in the 46 states and the district of columbia. a single federal standard would assure that all are protected and treated the same way. this benefits both consumers and businesses. i also want to ensure that businesses are not burdened by outdated requirements but also have the flexibility for innovative tools to secure the information that they are entrusted to protect.
3:19 am
for these reasons, i cosponsored the data security and breach notification act of 2013 with senator toomey and others. this requires people possessing personal data to notify people in a timely manner if their information has been taken. i look forward to working with you, who i know has also had legislation to assure appropriate breach notification. of course, we should acknowledge that this issue is not a new one. the committee reported breach legislation in 2005 and again in 2007, but finding broad agreement on the path forward has proved difficult. we should heed the testimony of mr. wagner and not allow the perfect to become the enemy of the good. for the identification of voluntary best practices and standards for cyber security, this gives me reason for
3:20 am
optimism, and i was pleased to see that several of the witnesses have highlighted the good work done in that regard. as was noted in the past, legislation is also needed to deal with cyber threats and liability protection. not all data breaches occur because of a cyber attack. sharing the information is key, whether it is theft of intellectual property or an attack on critical infrastructure, so i look forward to learning more about the new partnership between the merchant and financial associations that will focus on sharing more information on cyber threats and protecting consumers. i also hope that visa and target can elaborate on the work that they are doing. we are also wanting to hear on what they are doing to protect
3:21 am
from fraud with education. there is the industry and government partners that are working hard in an attempt to prosecute cyber criminals and fraudsters, so, mr. chairman, i hope our witnesses can share their experiences good and bad, working on our shared goal of safeguarding personal information, and i look forward to hearing from our witnesses. thank you, mr. chairman. >> thank you very much, senator thune. very good team. if you do not know it, you will. we come from big states with tall people. and we love sports. let's start with edith ramirez, who is chairman of the federal trade commission, and once again, i issue the following words of comfort to you: that the national
3:22 am
gallery of art is going to take you over. you are going to be there a thousand years. whether they will or not, i do not know, but you will be. [laughter] >> thank you. chairman rockefeller and members of the committee, i appreciate being able to provide testimony on data security. under your leadership, chairman rockefeller, this committee has led critical efforts in congress to protect consumer privacy and data security. from the recent examination of the data broker industry and its effect on consumers to proposing data security requirements for industry, you and the members of this committee have sought to advance the same goals as the ftc, and i want to thank you for your leadership. as the committee is well aware, consumer data is at risk. recent data breaches remind us that hackers seek to exploit vulnerabilities in order to access and misuse consumer data
3:23 am
in ways that can cause harm to consumers and businesses. these threats affect more than just payment card data. for example, in recent years, they have also compromised social security numbers, account passwords, health data, and information about children. this occurs against the backdrop of identity theft, which has been the top ftc consumer complaint for the last 14 years. i am here to reiterate the commission's bipartisan call for an enactment of a strong data security and breach notification law. never has the need for legislation been greater. with reports of data breaches on the rise, congress must act. the ftc supports federal legislation that would strengthen existing data security standards and require companies in appropriate circumstances to provide notification to consumers when there is a security breach.
3:24 am
security practices are critical to preventing data breaches and protecting consumers from id theft and other harm, and when breaches do occur, notifying consumers helps them protect themselves from any harm that is likely to be caused by the misuse of their data. legislation should give the ftc the authority to seek penalties, to help assure that ftc action has an appropriate deterrent effect. in addition, enabling the ftc to bring cases against nonprofits, such as universities and health systems, which have reported a substantial number of breaches, would help assure that whatever personal information is collected from consumers, the entities that maintain this data adequately protect it. finally, rulemaking authority, like that used in one act, would allow the commission to ensure that as technology changes and the risks from the use of certain types of information evolve, companies would be required to give adequate protection to such
3:25 am
data. whereas a decade ago, it would've been difficult and expensive for a company to track an individual's exact location, smartphones have made this information readily available, and there is a growing problem with child identity theft that was brought to our attention, where this can be combined with another person's information to steal an identity. under its existing authority, the ftc has devoted substantial resources to encourage companies to make security a priority. the ftc has settled 50 cases against companies that put consumer data at risk. in all these cases, the touchstone of the commission's approach has been reasonableness. their basic security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the complexity of its data operations, and the cost to
3:26 am
improve security and reduce vulnerability. the commission has made clear that it does not require perfect security and that the fact that a breach occurred does not mean that a company has violated the law. as in a commission case against a retailer, where there were alleged failures to implement basic, fundamental safeguards. one company announced one of the then largest known data breaches. according to the ftc's subsequent complaint against them, a hacker obtained information from tens of millions of credit and debit payment cards, as well as the information of approximately 455,000 consumers. the ftc alleged they engaged in a number of practices that taken together were not reasonable, such as allowing network administrators to use weak passwords, failure to limit wireless access to in-store
3:27 am
networks, not using firewalls to isolate computers, and not having procedures to detect unauthorized access to its networks, such as antivirus software. in addition to our enforcement effort, the ftc also undertakes policy initiatives. it has held workshops on mobile security issues and child and senior id theft, and for those consumers who may have been affected by recent breaches, the ftc has posted information online about steps they should take to protect themselves. the ftc also provides guidance about reasonable security. they should have reasonable security for consumer data, and we look forward to working with the committee and congress on this issue. >> thank you very much. we are very honored to have the
3:28 am
president of the university of maryland here. i am sure that testifying before a congressional hearing is something you look forward to. >> thank you, chairman rockefeller, and ranking members. i spent most of my time testifying before the maryland legislature, and i hope that is good preparation for today. on the 18th, after a major snowstorm paralyzed this presidents' day weekend, we had a very sophisticated cyber attack. they basically uploaded it into the website of one of our colleges.
3:29 am
it was there for the uploading of photographs, but instead, they uploaded malware. once they got into the website, they were able to peer into central systems, and they were able to get to the directory of the management passwords, and then change their passwords in order to issue orders, so they took 310,000 names, social security numbers, university ids, and they intentionally left out photographs and so forth, that kind of information, because that would have been a slow situation with the data, and they did it because they were ... and we were just
3:30 am
flying by the seat of our pants. and with regard to notification, we announced it within ... and set up call centers, and this was affecting students. there were e-mails and calls, and we were sending letters to everybody else, a total of 310,000, and some of them are alumni going back for 20 years,
3:31 am
the country was using social security numbers as identification, and we have thousands of databases, and they just took that one database, where we have both the university id and the social security number, so in terms of notification, not only did we notify, we offered to pay five years of protection, credit card protection, to all of the affected parties. this was per person multiplied by the years. and in terms of data security, we have approximately
3:32 am
225,000 names from our records that we have purged. what we're trying to do, with the help of the fbi, the secret service, and private security companies is two things. one is to strengthen the defenses, and this involves penetration testing, and there are the people who play offense who will always be one step ahead of those who are playing defense. we need to tighten the security around the sensitive databases. so what we have done is we have migrated almost all of our websites to the cloud. we have purged, as i said, lots of information. we have done penetration testing
3:33 am
, and we have isolated information that is sensitive. and so on. and the cost is very, very high. later, we had another major intrusion. fortunately, of course, they were working with us. within 36 hours, the fbi was able to identify and successfully mitigate the situation. no data was released. and they wanted everyone to know we were successful. thank you very much for all of your work in terms of requiring data notification and data security. this is a very important issue, and i would conclude by saying this. security at a university is very different from security in the
3:34 am
private sector, because the university is an open system. there are many points of access because it is freedom of information. in the private sector, you can centralize. and we have to find a proper balance between security and access, and that is the challenge for all universities, because, as you know, ... have had major breaches, and not all of them bothered to report it. >> excellent testimony, and i thank you very much. mr. mulligan, executive vice president and chief financial officer of the target corporation. we welcome him. >> it is a pleasure to be with you today. let me say how deeply sorry
3:35 am
we are about the impact this has had on our guests and constituents. our top priority is always taking care of our guests. the reality is we experienced a data breach. our guests expect more, and we are working hard to do better. we know this has shaken their confidence, but we intend to earn it back. my written statement provides additional details about the breach and target's response. we are asking hard questions about whether we could have taken different actions before the breach was discovered that would have resulted in different outcomes. in particular, we are focused on what information we could have had that could have alerted us earlier, whether we have the right personnel, and assuring that these measures were sound. we are working quickly to answer these questions.
3:36 am
this afternoon, i would like to provide an update since i last testified, including the actions we are taking to further strengthen our security. this has been focused on taking action to protect them against constantly evolving cyber threats. we are taking a hard look at security across our network, but we do not know everything yet. we have initiated the following steps to better protect our perimeter and to better secure our data. we are enhancing our security systems. we are increasing segmentation of key portions of our network. in addition, we have accelerated additional hardening of the network perimeter by expanding .... earlier, target became the first retailer to join the information sharing and analysis center. it shares critical information on detection,
3:37 am
prevention, and response to cyberattacks and fraud activity. we are accelerating the investment in chip technology because we believe it's critical in enhancing consumer protection. we installed approximately ... chip-enabled devices in target stores and expect to complete this installation in stores by september, six months ahead of schedule. we also expect to begin to issue and accept chip-enabled cards by early 2015. we have offered one year of free credit monitoring and identity theft protection to anyone who shopped at our u.s. target stores, and we informed our guests they have zero liability for any fraudulent charges on their cards arising from this incident. we believe responsible policy measures can further enhance security for our guests and all consumers. mr. chairman, i know you and other members of the committee have introduced legislation designed to enhance data security. i'm not a policy expert, but i
3:38 am
discussed the principles of your bill with our team. a uniform data standard would provide clarity and predictability to consumer notifications. while the standard is uniform, we endorse state and federal attorneys general enforcement. we believe the standards, if appropriately structured, could provide additional protection for consumers. we have learned that robust security can't shield a company from a criminal breach. however, the more data security is improved across the economy, the better protected consumers will be. over the years, target has invested capital in personnel and processes. we have multiple layers of protection and have continually made enhancements to meet evolving threats. in september of 2013, we were certified compliant with data security standards, meaning that we met approximately 300 independent requirements of the
3:39 am
assessment. yet the reality is that criminals breached our system. to prevent breaches like this from happening again, none of us can go it alone. all businesses and their customers are facing frequent and increasingly sophisticated cyber criminals. protecting american consumers is a shared responsibility, and target remains committed to that solution. i want to say to you and to our guests how sorry we are this happened. we are committed to getting things right. thank you. >> thank you, sir. next, the advisor for a small organization called "visa". >> thank you, chairman rockefeller, ranking member, and the committee. i appreciate the invitation to testify today. everyone in our payment system, merchants, financial institutions, networks, and
3:40 am
cardholders, is affected when this occurs, because they jeopardize the trust we've worked to build for more than 50 years. we continue to work to maintain that trust every day by placing security at the forefront of everything we do. the payments industry has a layered approach to data security. first, we protect consumers from financial harm from fraud with zero liability. behind the scenes, we work to protect information and prevent fraud before it happens. fraud rates have declined by more than two-thirds in the last two decades, to six cents for every $100 transacted. recent compromises show, however, that our work is never done. a critical first step in data security is to limit the amount of data that needs to be protected. we eliminated the storage of
3:41 am
card information in large merchant settings. this made it more difficult for criminals to steal large amounts of data. they're stealing it in transit. therefore, strong security remains fundamental to protecting the system. the card industry established a standard which, when fully and consistently implemented, has proven effective in protecting our stakeholders from cyberattack. it is difficult for any organization to maintain complete security all of the time. with that in mind, we're working with others in the industry towards a paradigm shift that would reduce or eliminate vulnerable payment data from the merchant environment. if data available in the environment could no longer be reused to commit fraud, criminals would have no reason to attack. we call this devaluing the data. we joined others to create a road map for the future of data
3:42 am
security, a road map of three technologies: the chip, tokenization, and point-to-point encryption. the chip is a microprocessor embedded in payment cards. they're nearly impossible to counterfeit, which removes one of the most important incentives for criminals to steal data today, the opportunity for counterfeit cards. but emv is not a silver bullet. in countries where it's widely used, fraud has simply moved to the on-line channel. to address that threat, we introduced a new standard known as tokenization, which replaces the account number with a digital token in the transaction process. tokenization removes card data from the on-line environment; it is the token, not the card number, that goes to the merchant. the third is point-to-point encryption, a technology available today that protects account data from the moment it
3:43 am
enters the point of sale terminal to the completion of the transaction process. securing data today and devaluing it tomorrow are the most important approaches of the strategy. no strategy will ever be 100% effective. we invest in fraud protection and analytical tools, some of the most advanced in the industry, to identify and prevent billions of dollars of fraud each year. we invest in breach response, continually improving the ability to identify breaches, respond quickly, and protect consumers when they occur. as a result, the vast majority of accounts exposed in large data breaches do not experience fraud. only 2% to 5% of the accounts exposed incur fraud resulting from the breach. visa observes three areas where government help could be
3:44 am
protective. first, we should have a safe environment to share cyberthreat information. second, the government could continue to work with the international community to improve coordination among law enforcement agencies and to eliminate the havens from which cybercriminals launch their attacks on the financial system. third, the government can establish a uniform breach notification standard to replace the state laws in place. and finally, in closing, let me say that we know cybercriminals will always be with us. they will continue to target any environment that contains valuable information. the payments industry has fought back by investing in sophisticated solutions that protect the system and the consumers who rely on it. but, as the criminals have improved their technologies, we improve ours as well. the key is to work together to defeat our common enemy, and visa is fully committed to working with all of the participants in the payments industry towards this objective. thank you, again, for the
3:45 am
opportunity to testify today. >> thank you very much. much indeed. mr. beshar, executive vice president and general counsel of marsh & mclennan companies. >> i'm peter beshar. as a former david rockefeller fellow, it gives me particular pleasure to be before this committee. i'd like to focus my remarks this morning. >> for free? >> i'm sorry. >> my uncle did this for free? >> something like that, mr. chairman. >> very unusual. please? >> thank you. i'd like to focus my remarks this morning, this afternoon, on the narrow topic of cyberinsurance. what is it? who's buying it? what part might it play as part of a comprehensive risk mitigation framework? as the world's leading insurance broker, our company has a unique perspective on the
3:46 am
cyberinsurance marketplace. preparing nts and risk mitigation strategies and issued the first cyberpolicy as at 1999 called net secure. three basic types of cyberinsurance, the first and most fundamental is coverage that protects out of pocket the university of maryland or another institution might suffer, expenses like credit monitoring or setting up call centers, or notifying affected individuals. analogous to business interruption insurance. so if you're disabled days or longer you're able to recover you suffered in the form of lost profits. the third type of insurance is for damage that might be by parties outside of your company.
3:47 am
so customers or consumers or that's called third party insurance. to give the committee some insight to the dynamics of the cyberinsurance market, we just conducted a survey of our cyberclients. it will give you the who's buying and what the takeup charge is. there are reports in front of you? each of our packets. thank you. there are a couple of headlines, interest in cybersecurity is growing rapidly. the number of marsh clients who purchase stand-alone cyberinsurance increased by more than 20% in the past year.
3:48 am
hipaa statutes, and also, interestingly, the where there ce, have been marked increases. that's a breakdown by industry. size of companies, larger companies perceive a greater risk to cyberthreat than companies do. so we annualized the take up. if you're a company with revenues of more than $1 billion, your takeup rates are almost double what they are if you're a smaller company. lastly, on pricing. hear the news is quite positive that throughout the years, it's been stable. this is because of many entrants in the marketplace. that's the actual insurance.
3:49 am
of applying, is it self-constructed. the process forces you to go analysis, to try to benchmark yourself against industry standards and what are considered to be the best practices and see what you can do to position yourself as a better risk for the underwriting community. so just in closing, mr. -- as this committee is all too aware, this is a race without a finish line. our adversaries will continue to adopt new methods of attack and strategies, and it's extraordinarily important that threat, ting this government, the private sector, and also the nonprofit world try to together to respond effectively. thank you. >> thank you very much. eloquent and helpful. mr. david wagner, president in incorporated. >> good afternoon, chairman,
3:50 am
ranking member, and committee members. in trust -- good afternoon, pleased to be here to help facilitate and continue the dialogue for better understanding of cybersecurity issues. entrust two years ago, similar topic e of cybersecurity. since that time, the situation has worsened. nation states and criminals are use cyber to advance their interests. in december, point of sale breaches are another example of the escalation. entrust has no direct relationship with any of the of sale f the point attacks, we can provide general insight to the attacks. as we heard earlier in these testimonies, criminals are using tricks and d con cybertools to get past moat-style defenses. social engineering and malware equivalent to crowbars penetrating the corporate networks.
3:51 am
once past the defenses, the a stolen identity and becomes someone on the making them difficult to distinguish from normal network behavior. in the case of the retail breaches, once the criminals assumed the right identity, they malicious code to the point of sale terminals. they were able to collect customer credit card data from the magnetic stripes. stored and exfiltrated that data overseas. you can see from the attack scenarios that they're sophisticated. they're sophisticated, but not rocket science. to use stolen identities access the victim company's network. the victim company's i.t. tools to complete the crime. cyberattacker can overcome even strong moat defenses. strategies to strengthen the defenses inside the perimeter. good information security governance is vital.
3:52 am
and industry regulations like and frameworks like sans, and iso are available to help build the architectures. you might be asking how did the breaches occur? stronger t accounts than using a password? why wasn't the network segmented sensitive data? why weren't alerts responded to monitoring equipment capturing the unauthorized traffic patterns. nothing in the breaches was new. if we created the culture that understand the risk, how do we create regulations that evolve and if we with technology, haven't, then no regulation or no security tool will solve our problem.
3:53 am
the banks and credit unions bear the cost of card reissuance and they suffer the pain of cards and accounts. risk assessments where sensitive must consider the data. cybercrime poses a greater individuals than ever before. the challenge is balancing, balancing the importance of the cting data with benefits of emerging technology. as policy makers, you're charged facilitating commerce and putting in place a structure for finding this balance. entrust recommends actions in three areas, first, federal breach notification law needs to be passed. it will put the federal government in the role where it
3:54 am
belongs. second, the federal government needs to copt to foster best sharing information across the and private sectors. collaboration is critical to unified front ng so criminal groups can't simply migrate the next weakest target. we must change the cybersecurity culture. enterprises large and small, private, need to embrace information security governance as a core responsibility. approach needs to move forward now. without changes to the security posture for most important industries and infrastructure, cybercrimes will continue to -- in frequency and potency. the best path forward rests upon public-private ecosystem built upon good security governance, identities, and constant assessment of vulnerabilities. whether we drive adoption incentives or directives, we need to proceed
3:55 am
now. i urge you, your colleagues, and the administration not to let 2014 expire without adoption of measures that will better protect our economy and secure pohls euro. thank you for the time this your attention to this important matter of cybersecurity. >> thank you very, very much. because of unusual circumstances, and with of the ranking member, the first question will from our side. >> thank you, i adore you, i the record, i adore both of you. i believe the ultimately the market is more effective in controlling behavior than the government. so let me start with the question i don't think has been fully answered. mr. mulligan or ms. richey, can of you shed light on how
3:56 am
has resulted from this breach? >> are you speaking specifically to our breach? to the target breach? >> i'll start. i feel free. i can only speak to about 15% of that were taken were product cards. the other 85% are cards we don't have visibility to. two of card products. proprietary card, a card used at target. we haven't seen any incremental on the two particular cards. we have a visa product that can be used broadly like anywhere else. they're on the $5.5 billion portfolio. we've seen about $2 million of incremental fraud or about .1% increase. >> a tiny amount then on your 15%. ms. richey, do you have any figures in terms of. >> yes. i would mention in my testimony 2% to 5% of accounts might be expected to experience in
3:57 am
incremental fraud. we're seeing much lower numbers from the target breach. i do believe that the rapid notification that target strong as well as the response from our member financial institutions is responsible for limiting the fraud. >> okay. what's the total, do you think? dollar-wise. don't have those dollars available. >> does anybody? >> we can get those for you. you have to realize we're still in relatively early stages but we could provide those. what i'm trying to figure out here is how much fraud there was and who's holding the bag on the fraud. think people don't understand that this -- i don't think people understand that necessarily hold the bag on any of it that most of this debit card fraud ends up the local bank. that a lot of the costs associated with this breach, in majority of them, fall to credit unions and local banks opposed to target. of the $61 million that you have
3:58 am
it costs your company, mr. mulligan, how much of that was try to reassure your customers -- you are the guys, how much of the money was marketing for the loss that suffered. >> the $61 million we recorded in the fourth quarter, any marketing expenses that we undertook would have been recorded in the normal course of our business. the $61 million was related to response costs, credit monitoring, activities such as that. monitoring credit that you're offering to your customers, that, in fact, is marketing. view that as a way to respond and help our guests for what we know is a difficult time for them, provide credit monitoring and identity theft insurance. >> i think it's terrific that you're doing it. i think it was smart that you're doing it. think it's a wise corporate decision. it was an optional activity
3:59 am
you're engaged in to try to repair the damage that incurred as a result of the breach. >> we're focused on the guests, absolutely. and the estimate to the banks credit unions is $200 million. are not optional to them. that's them reissuing the cards and bearing the cost to do that. >> the credit card industry has collectively determined that consumers don't bear any liability to the fraud. there are commercial -- that underpin that. the commercial arrangements provide the revenues for the pay-in, they provide for remediation in situations like this. the point i'm trying to make here is that it's confusing to consuming public where the costs fall and where the costs are absorbed. know there's $10 billion in more revenue as a result of the government being involved in interchange fees. interchange fees were $19
4:00 am
before the durbin amendment and now they're less than $10 billion. there was $10 billion extra that flowed to retailers as a result of the prices coming down. i'm not saying that was a good or bad thing. guess what i'm trying to get at here is i think it's very the risk be borne by those who must engage in the activity to protect. if the risks go somewhere else, it lessens the incentive to protect. i'm not going to argue that you all have had a terrible thing happen to your company and you're working hard to recover it and you have been damaged, but there are many cases where people think there's been a breach. i think americans thought you costs of covering the this. i'm going n you said to make sure no customer loses a think they realized nobody paid it in the first
4:01 am
place. the risk is important for us because it will be much better with the he risks right incentives in the free market. just going to say that if there's any lack of clarity about who's bearing the loss committee, the financial institutions would make their customers whole, as we know, in -- stance with the zero liability policies. then, the payment networks, both visa and mastercard do have program to shift the costs back to the merchant if the merchant is shown to have been out of compliance with our industry standards. okay. >> however, that program covers only a portion of their costs, the reason for that is as you said to balance the incentives so that each party is to reduce the risk and protect the consumer. >> i would love to get into the if you would help us with that information, ms.
4:02 am
richey. >> you mean right now? >> no, i mean later. oh, no, i'm done. no, i mean later. really want to understand how these risks are being shifted in the marketplace. >> thank you. >> i'm going to recognize senator thune and just for the committee's information, we will have a vote and four votes scheduled, i believe. five votes scheduled. we'll work that out. but i wanted the committee to know, we'll go to senator thune. short a recess as we can and come back and conclude the hearing. >> thank you, mr. chairman. mr. mulligan, we're learning a all of the details of the target breach. we know it affected two types of data. of was the payment card data approximately 40 million target shoppers and other personal data to 70 million customers. the question is what steps have provide your customers the assurance their
4:03 am
personal information is going to be protected going forward. >> senator, we've taken several upon immediately identifying the malware. we closed the portal that in the the access point first place. we narrowed the scope of who has access to our systems. we began an investigation and -- a third party advisor to do an end-to-end review. analysis, forensic but the entire processes and controls. from that, we have additional we've taken steps that we've learned from there. data ances the segmentation, we hardened the and we increased malware protection with whitelisting, we accelerated that. that allows only the programs we to run on our point of sale terminals to run. accelerated our pin and chip technology, it will complete the
4:04 am
installation of guest payment devices this year and roll out the cards next year. we'll take the steps and to have earnings and we'll expect to continue to make changes. >> i quote most laws have the simplify ace would compliance by businesses while ensuring all consumers are protected, end quote. agree with that statement. maybe if you ring can elaborate on the advantages of a consistent national requirement for breach notification. >> it's comprehensive federal legislation in this area. if we think that legislation and the standards set in that are sufficiently strong, that in that instance, the federal standards should preempt state breach notification laws.
4:05 am
>> okay. -- several of you, i think, have testified to the having a single federal standard. i'm just wondering if you'd like to -- the value of the federal preemption of what is a patchwork right now of state laws. >> i'm sorry, if i may add one more point that i want to make of is also clear in terms our position at the ftc, it's also critical that the states be permitted to enforce in this area that there be concurrent jurisdiction on the part of the states. >> all right. anybody else want to comment on the value of having a national -- a couple of quick comments. we talked about transparency on the panel here today and transparency is critical. having a common breach standard makes it easier to aggregate the data to know what's going on from a national perspective. we know from these crimes they most often have a multistate and very often international impact in having the federal government involved
4:06 am
in the breach notification seems to make a lot of sense. >> anybody else? >> a single standard would ease mote -- or getting the faster and out spend less time on lawyers and more time informing consumers. you're here because the university of maryland experienced a security attack the names and social security numbers and dates of births as you noted of members of your community. you state that the university of maryland experienced a second breach on march 15. but at this time, that breach resulted only in one senior official having their data breached. so the question is why is that? was that official the only target of that breach? or was it because of steps taken after the first breach?
4:07 am
had unlawfully access to far more information than was breached the first time. we don't call it a breach because -- except for individual, it was not a public -- it was not circulated. and, again, i want to thank the fbi for their very expeditious intervention that resulted in the successful mitigation within 36 hours. we're not saying anything more is because the investigation is still but it is the case that no other information has made available the fact that one senior university official's name, i.d., everything was put on the public website and read was simply well, the intruder wanted to show how clever he or wanted the world to know it. >> i just have one last question, mr. chairman, and that has to do, again, i wanted to
4:08 am
come back to ms. ramirez. you testified today that the role at the ftc is to protect sure they take appropriate measures to protect consumer information. the ftc uses both the fairness and deception authority, the deception authority being relatively clear cut. materially misleading statements or omissions regarding the security measure taken. but the good number of the ftc's actions in data security have come under the unfairness authority which some argue provides less guidance to companies regarding which practices cross the line. most of the cases result in consent agreements, its produce a record of value. short of regulations, should the -- make public the rationale they used to determine what is unfair? so that companies have better guidance? >> senator, i have to disagree
4:09 am
with the critiques that have -- the ftc in this arena. i think that we have provided good guidance. that we take when we exercise frankly both our deception authority and our fairness authority in this area is one of reasonableness. as a law enforcer, we look the driven facts of the specific case and the documents that are part and parcel of our consent decrees demonstrate the basis of our allegations and remedies and actions that we should undertake. in our view, we have provided the actions we have taken really go to basic and fundamental failures on the part companies that we think are unreasonable and therefore that violation of our section 5 authorities. so i do take issue with that. great deal of guidance, also, to businesses as
4:10 am
part of the outreach and educational efforts. and i believe that companies can discern the approach we take it process-based approach where we urge companies to deal with risk assessment based on the type of information and they collect and use then they in turn develop a program that they would be able to address any risks to which that information might be exposed. i think it's critical to have one person at least who will be in charge of any security program. guidance made public? >> absolutely. >> i see we're out of time and we have to run and vote. >> that's what we'll do. to recess for a -- a little while. i don't have a time certain. guess is it will be 40 minutes or so. but i don't know exactly depending on how many actual we have on the floor. and there's a little conflicting information about it. five votes. we'll recess and probably just
4:11 am
for everybody's benefit, we'll probably try to start as we are doing our last vote on the floor members can vote and then come back here. trying to do that. so with that, what we'll do is we'll take a recess now and subject to the call of chair. thank you. you all been nice? okay. my staff, as you know, analyzing the breach at your company. and we do a lot of reports. very -- it's very interesting. one has nothing to do with you or the question. and i shouldn't even be saying it, i'm interested so i'm going to say it. i'm chairman so i can say what i want. lot of moving companies, if you want to move, you sign a contract. put your stuff in the moving van, and then they take it about
4:12 am
-- miles and park in an alley and call you up and say the price has just tripled. now, you say that doesn't happen in america. point is it does. it's very disturbing. it's very disturbing. so that's why we focus a lot on kinds of things. not that we're nasty. you're not nasty, are you? senator blumenthal, you're not nasty? ask my wife, mr. chairman. >> never. >> that's right. granddaughter and his wife -- >> wife. >> are together at school. and -- your granddaughter and my wife -- i didn't mean your granddaughter -- >> your granddaughter and my daughter were together in school. >> yes. different levels. >> right. >> yeah. we've prepared this report. and i want to know if you read
4:13 am
the report? >> i have. i had a chance to review it last night. >> you did last night. >> the report walked through the steps the attackers had to go through in order to hack your company. and then it explains how target could have prevented the breach if you had stopped the attackers -- at even one of the steps. let me give you a few examples. you could have prevented the breach if one of your vendors, a small pennsylvania company called -- is it fazio? i understand it's fazio mechanical service had better security practices. acknowledge that poor vendor security was a factor in this attack? >> yes. >> and once the attackers had gotten into your network, you -- them from gaining access to your company's highly -- consumer data, would you acknowledge that target
4:14 am
failed to properly monitor your computer network for the intruders? >> senator, it's my -- that we did have proper segmentation in place, as recently as two months prior to the attack, we were found to be pci compliant and that includes segmentation. but your question is an excellent one. how they migrated from the outer network of your -- to the point of sale data is an excellent question, i don't have the answer to that. okay. >> who is "they?" >> the intruder, excuse me. >> okay. chairman ramirez? i congratulate the federal trade commission for its recent -- 50th data security case. the ftc has been successful in data security cases using the authority under section 5 of the ftc act. know, senator feinstein prior nelson and i have security data information to senator pryor and have done in previous years, all
4:15 am
to no avail so far. the legislature and the ftc has consistently called for. about why you see the need for such legislation, why isn't your existing under the ftc act enough? >> chairman, thank you for your question. and, again, i want to thank you for your leadership in this area, if your leadership in this area. the ftc has undertaken very critically important work in this arena. but i think our experience in what we see happening in the does show really that companies are continuing to underinvest when it comes to security. that's why we believe that more needs to be done in this area. i think that congress absolutely needs to take action comprehensive -- a federal comprehensive legislation that addresses data security. and in particular, we want to highlight things that we think are especially important relative to enforcement authority on the -- on the part
4:16 am
of the ftc. we feel that it's critical that the ftc have civil penalty authority so that there is appropriate deterrence. we feel that we should have rule making authority so that the agency can have the flexibility to implement any legislation and adapt to changing technology in this arena. and then in addition we feel this is also important for the have jurisdiction over nonprofit, currently we do not have jurisdiction over and we do see that universities and other falling victim to intrusions and important for the sector also to have reasonable security measures in place so that americans can -- their information can be protected. >> they want to precisely at that point tell you that self-regulation works.
4:17 am
>> we believe that self-regulation is an important element of all of this. this is a complicated issue and in order to really effectively, we need to do it in a multipronged way. believe that it's robust and where you have backup enforcement by the ftc, for instance, that that would be a good and important complement to the civil law enforcement that we undertake. >> but in essence -- it's not -- in my mind, it's not -- >> it's not enough. >> that's correct. >> yeah. >> but whether it's cybersecurity, this, almost anything else, self-regulation always solves the problem when the over -- we had as you know the water spill in charleston, in west virginia, and nine counties couldn't drink water. including my house. it was not a pleasant experience.
4:18 am
i found out that rather quickly that there is no -- under no federal regulation, no state regulation, they can do exactly as please. and so one of the people who was this who is my -- sort of chief of staff, my west -- operations, has two young children and i talked to her this morning and she said she had just been on a trip to india, in fact, to look at ways of doing water. that two more leaks had been on that river. one to be blindly infuriated. at ourselves for allowing that to happen. for eight years, never did anything about it.
4:19 am
every time i drove to charleston hundreds of times, i always came directly towards the tanks that held all of the toxic stuff which leaked. and i said that doesn't look very good to me. looks kind of crummy. it's sort of like the pictures seattle before the -- before everything went wrong -- everything looked fine. knew there was a lot of mud there, your mind would lead you to other kinds of but your mind doesn't choose to dwell on the things that aren't of the moment. anyway, i'm encouraging -- increasing towards the ftc, i'm hearing authority to the protect consumers from data breaches. complaint from some. and it reaches ears easily to hear people like about the federal government not
4:20 am
being able to do its work or failing to do its work. unlike years past when this routinely gave the ftc the tools it needs do the job, i'm now constantly hearing about dangers of an overzealous and overregulating overburdening american businesses a lot. hearing it a lot. and in this committee. is data breach bills which 1976 gives your agency basic rulemaking authority to set data security standards, just as gramm-leach-bliley and the children's on-line privacy laws. i don't think that's a controversial idea. but some people do. chairman ramirez, can you please explain to the skeptics, through me, how the ftc goes about setting these rules so that, one, i can be satisfied that you're not out to ruin
4:21 am
industry for the pure pleasure of doing it, but you're trying how the commission has a careful and process it does not lend itself to the regulatory chaos that some fear. can you explain how the rules help to protect consumers from data breaches? >> i'd be happy to. let me just say that first of all, the call for legislation is a bipartisan call. it -- the commission unanimously supports the enactment of federal legislation in this area the upport that may be pieces of the legislation that i've outlined. i would say that in response to the critics of the ftc, i think that anyone who looks closely at the work that we undertake can see that we do our work in a very balanced way. and that we absolutely want to job is to protect american consumers
4:22 am
fundamentally, but we do listen to the concerns of industry and i think if you look at certainly the body of case work that we this area, the 50 data security cases that you mentioned, i think people will see exactly what the basis for these are, and in fact the actions we took were justified. in response to your specific about how we employ apa rule-making authority in my remarks, i referenced the can-spam act which is one example of the legislation where we were given the rule making authority, and any rule that we would undertake would go through a notice and comment period so stakeholders would have the opportunity to give input. any rule that we would ultimately impose would -- it would be based on this evidentiary record that would be developed over the course of the rule-making process. the reason we ask for that is it's critical that the ftc have
4:23 am
in this arena we implement any of this legislation and two main issues are the ones i want to highlight. one is that we have to recognize that technology is moving rapidly. decade ago, no one would -- that facial recognition technology would be so readily available, or geolocation information would be so easily attainable today. critically important that there be flexibility that's embedded in any legislation to ftc to adapt any rule to emerging and evolving technology. by the same token, it can also -- of businesses to grant the ftc that flexibility because we may be able to lift certain requirements that may no longer be necessary over time. this certainly happened in connection with our implementation of the can-spam act so in our view, it
4:24 am
would be -- consumers as well as -- community to grant us that flexibility. >> i thank you. i'm well over my time. another time for senator. >> thank you, mr. chairman, thank you for holding this and working on important legislation. think we all know this is no longer one singular problem we heard from our witnesses today. in fact "the washington post" printed an article yesterday showing that the federal government notified 3,000 u.s. companies of a breach in just the last year. and i think it calls attention we need to move legislation, to move on the notification bills and the work that senator rockefeller is doing, senator is doing. i'm on both committees. i've been immersed in this as the chairman knows, we had another hearing in the judiciary
4:25 am
committee. one of the things we focused on is going after the people who did this and working with the justice department on that. that's got to be a top priority. number two, how we prevent this going forward. things that i found pretty shocking is that in america we had 25% of credit card transactions in the world, but we had 50% of the world's fraud. and we know some of the other countries have moved to the chip and pin technology. target tried some of this technology, maybe you can years out that a few back. but it wasn't adopted by other companies so i would think i'd start with that. what do you think we need to do to stop this from happening in terms of adopting some of the technology? how long do you think it will take when we have parts of the world that are already currently is, it's the standard in europe. maybe we can hear from ms. richey first?
4:26 am
>> we do believe it's necessary the united states to join most of the rest of the countries of the world in chip technology to control fraud in the environment. we set out a road map for the emv chip adoption. announced that in august of 2011 with the idea that it would take probably around four to seven years to get to a critical mass of chip adoption based on our experience in other countries. i'm encouraged by the level of enthusiasm towards the chip -- we're seeing in the wake of the recent events and i'm hopeful that our liability shift 2015, october, 2015 that substantial adoption on the merchant and issuing bank side. >> do you think it could be better to have the pin rather than signatures? would that be safer? is an interesting word in this context.
4:27 am
>> would it lead to less fraud? initially lead to less fraud. it reduces lost and stolen fraud. p.i.n. does nothing to keep the criminal from counterfeiting the card, unfortunately. and 70% of the fraud that occurs locations, brick and mortar store, is counterfeit, not lost and stolen. we believe the bigger problem is counterfeit. it's also easier for the criminal to accomplish because by stealing data, not by having to take possession or you know, thousands or millions of physical plastic cards. so we believe that the best thing for the industry to do is focus on the chip and they're trying to change the environment p.i.n., signature, and no cardholder verification, which is our current will slow things down and increase the costs. so therefore, we're saying that issuer could have the choice, based on their own risk
4:28 am
with e, whether to issue chip and p.i.n. or chip and -- and similarly merchant environment where today currently deploy p.i.n. >> i mentioned mr. mulligan, you target tried to address this, tried to go with the chip technology and what happened? >> we did. a little more than ten years ago we introduced what we call guest payment devices to read chip cards and we introduced the card with chips enabled in it 10 years ago. the benefit for consumers comes with wide adoption, though. when the cards are widely used and widely read throughout the economy. we've seen that in other geographies. after we went about three years ourselves, we determined that it didn't make much sense for us to continue given there was no benefit to consumers broadly. we've continued to support -- in chip and pin, but to
4:29 am
the industry is moving forward to chip-enabled. >> are you speeding up your adoption of that now? >> we are. we accelerated that; it is a $100 million investment for us. we'll have the guest payment devices in september. we'll have the chip-enabled cards next year. >> as the subsidiary of data card, which is also a minnesota company, how does your company view the transition to chip cards, and how has trust and data been involved in making recommendations to the finance and payment networks on implementing new cards and security methods? >> we are a leader in financial cards, magnetic stripe and emv. we're a big supporter of the emv technology. when you combine things, it's a more secure way, but there's a balance with usability that needs to be considered. but the chip and p.i.n. is a more secure way to go about it.
4:30 am
it is better than the current magnetic stripe environment. >> can i ask one more question? data breaches and the hacking operations are perpetrated by people outside the u.s., and there's no shortage of what they could be charged with, but it could be hard to bring them to the courts because they operate largely overseas. in the case of the target breach, i understand that business weekly has identified an operation that could be responsible. again, the investigation is under way. this is what we read in "business weekly." can you -- you work with law enforcement investigations; i know i asked this of the justice department in the judiciary hearing. but what steps do you think we could be taking to get these international hackers into the courtroom to stop them? >> as to your specific question, i do have to defer to the law enforcement authorities to get into the
4:31 am
details of that. i will say that the ftc works very closely, in parallel, with partners in law enforcement in these areas. we, of course, are focused on the front end and how retailers and other businesses are protecting consumer information. we work in parallel with, and i think our efforts parallel, the efforts of enforcers who are seeking to locate and punish perpetrators. we do a big amount of work on the international front, working with civil law enforcement agencies around the world to address the issues. that is a significant engagement, and we use authority that's been given to us by congress under the state act to pursue civil action where needed. so we want to partner with other law enforcers because we have to
4:32 am
these days. >> should we be doing more as we negotiate, as we work with the -- as part of the security agreements, in terms of coming up with international standards? more and more of these cases are outside of our borders in terms of who is perpetrating them? >> increasingly, we need to be working with international partners around the world. and we absolutely have to focus on that set of issues as well. >> thank you very much. >> thank you. senator pryor? >> thank you, mr. chairman. let me follow up on that, chairwoman ramirez, with the ftc working with other federal and state and other law enforcement agencies generally, plus the international community. is there a formal process there? i mean, do you have these formal relationships where you sit down every day or every week or every
4:33 am
month with these folks? or is it on a case-by-case, ad hoc basis? >> we work regularly with sister agencies here domestically, on a case-by-case basis. we also have specifically a criminal liaison unit because, as part of our overall enforcement, we do partner with u.s. attorney's offices. we work closely with the department of justice -- main justice -- and the fbi and secret service. so, specifically on these issues, it tends to be in conjunction with specific investigations. at the global level, we do work through multilateral as well as through specific bilateral relationships we have with counterparts around the globe who have consumer protection authority, and we also engage
4:34 am
where necessary and appropriate with criminal authorities around the world as well. >> one reason i ask is, in my experience with law enforcement, they'll sometimes form what are called task forces where they have multi-agency or multi-jurisdiction. i don't know if you serve -- if the ftc serves on a task force-type setting where you have meetings where people are focused on this, trying to find solutions, trying to head some of this off before it starts. are y'all involved in anything like that? >> it's really more of a case-by-case basis. our focus is on the civil law enforcement side and on the front end. we will cooperate very closely, and we do, where necessary, stay in close contact with domestic criminal law enforcers. >> let me go down to the other end of the table there. mr. wagner, i know in both the
4:35 am
rockefeller bill and also the bill, they use the words "reasonable policies." reasonable is the key word for policies to ensure consumers' data is protected. and obviously reasonable is a little elastic, a little situational. it may be the best word to use. but could you please speak to that, and kind of talk about what is contained in the concept of reasonable? >> the key principles we would espouse are those for information security governance: understanding the value that information has at a high level, in a corporate setting, understanding which information assets have value, making sure it's not just the value to your organization but seeing the effect ecosystem-wide. those asymmetric values get considered at the
4:36 am
corporate level to be dealt with. >> anyone else on the panel want to comment on reasonable and what that means, in the context of what you do? >> there is a whole custom and practice of the trade that you want to look at based on the risks you identified. >> is that a good starting point? >> i believe so. >> did you have something? >> yes. the word reasonable was what caught my attention in section two of the bill: reasonable measures and procedures for information security.
4:37 am
even though it has only been five weeks since our major data breach, the estimated cost to have reasonable defenses and protection of sensitive information ranges from a few million dollars to as high as $50 million. these figures come from other studies: approximately $100 for every identity stolen. we have 310,000 stolen. that is 310,000 times $100. the question i think mr. maldon raised, an excellent question, is who shares in the responsibility for protection? it will bankrupt most universities to spend
4:38 am
20-30 million dollars when there is no guarantee anyway. it is something that should be shared -- worldwide. take one example: social security numbers. why don't we devalue social security numbers? why not require financial institutions not to use social security numbers, so there is no incentive to steal them? if one doesn't do that, one shifts the costs to higher education institutions. it is a balancing between risks and costs. all i can tell you is that the cost can be staggering. even then, all of the experts we have retained are telling us there is no 100 percent guarantee.
4:39 am
>> i want to add a few words from the perspective of the federal trade commission. we believe reasonableness is the right approach. given the different types of companies that we have jurisdiction over, we think it is critical to have flexibility and a fact-specific approach. we understand the challenges that dr. low has identified. going back to your question, one area where we have worked is in connection with identity theft. that task force was set up under the bush administration. we have made, with a number of different federal agencies, recommendations about how to deal with issues such as social security numbers, minimizing id theft. i think it is a complicated question. there are many things where the government can play an important role.
4:40 am
there are other things that need to be examined in the way personal information is being utilized. >> thank you. that philosophically and realistically was an interesting discussion. it gets back to something i talk about as often as i can: whether this country is willing to get serious about infrastructure, cyber security, to 200,000 pound water tankers, 75,000 max pound bridges, so they can build a platform.
4:41 am
if we don't have the infrastructure, which is research, nih, alzheimer's, everything. the hard stuff, roads. we have been through five lines in west virginia. nobody knows where they are. they carry gas. somebody goes into building a house and breaks through five layers of five line nobody knew were there. at some point there is no sense of forgiveness. to be a serious country, to continue to be a serious country, we have to do infrastructure. we have no choice. if somebody said, are you for raising
4:42 am
the gas tax, i would say yes. i believe in user fees. i always have. and if you have an objective you want, you want to build roads, then you do that which is necessary to make it happen. if you choose not to, you're ideologically pure, you win your next election, and you decline. or people make the conclusion as with the spill on our water, for which there was no federal regulation whatsoever, of which i was probably responsible because i was governor for eight years but did nothing about it. if you don't take responsibility
4:43 am
, you have no future. it gets to the very bottom of what divides this country. it is not republicans and democrats. roy blunt and i have been friends for years. he likes me, and i like him. things work. but you have to be willing to raise taxes, to pay for things where we are eons behind. modern bridge structures. the list is endless. if you want a good way to find out what a good standard is, you go to nist.
4:44 am
they will do it fairly and at low cost. to dr. low, who runs a university, which does not have endless amounts of money, i am full of sympathy. i am walking away as a senator from being part of a solution to his problem. that is what we are doing here. we are walking away year after year from being part of the solution. if you want good infrastructure, you have to pay for it. if you're going to pay for it, you have to raise taxes. the question is how do you raise taxes? then you get into the one percent versus the regular. then that becomes a lot of talk. you get the infrastructure, or
4:45 am
you don't. if you don't, your future is dead. it is interesting when the president called russia an important regional power. he must've been angry at that. it was accurate as to the size of his economy, because of what they have not done over the years in projecting power and toughness. they have not built things up. my son-in-law lives there. he knows. dukakis gave that. that is my editorial. we improve this country. the way we help dr. low. the way we help everybody. we're in this together. we have to share responsibility. we are all to blame. we are in the habit of being comfortable.
4:46 am
we are in the habit of thinking the world is as it was 30 years ago. it is totally true. make it tougher on us. i'm not running for reelection. it is easy for me to talk like that. i shouldn't run for the job. so, that is just my thought. i've gone over my time. senator markey has been here. he doesn't like it if i go over. >> according to press reports, attackers gained access to the thing we have discussed already,
4:47 am
does target require any particular level of security of its third-party vendors? >> we do assess the inherent risks of our third-party vendors. we have a process for doing so. >> i'm not sure what the answer is. >> we do. we have standards. we have an audit process to ensure they are meeting them. >> a lot of people, not all of them are enforced? >> less often. >> but do any third party vendors have access to point-of-sale systems?
4:48 am
>> anyone who has access to our point-of-sale network has the same standards that would apply. anyone, our own team members or technology contractors, they would apply similarly. >> there is the rhetoric of attention and auditing, but not necessarily the fact of it. one can still get away with rhetoric in this country. one can get on the evening news with brilliantly sculpted rhetoric. it doesn't mean you are doing anything. i just threw that in your direction. you are not a media hound. i'm not accusing you. i would've if i knew my audience better. at the same time, who at target was ultimately responsible for the company's data security?
4:49 am
>> we have multiple teams at work on data security. at the time of the breach, various elements reported to several executives. >> that worries me. the former cio. i want to make sure she doesn't get run over by a bus in this discussion. it is true that target has been divided up as you indicated to a variety of staff, not under a chief information officer. what i'm getting at in the future is that at some point, the ceo and the spurs have to accept responsibility for what has happened. that is why i mentioned with data breaches, they reported to the fcc.
4:50 am
there was no law. i did the same thing with coal mines. we have a lot of coal mine disasters. if somebody is killed, it has to be reported. it is helpful to investors and shareholders about their decisions. i believe in responsibility. i think it has to come down to a point. it has to be the ceo. you can scatter it wherever you want. i have talked too long. now i have to figure out who got here first. roy was here first. senator blunt, i'm sorry. >> the thing he talked me into doing was codesharing with him
4:51 am
in an effort to be sure we understood what the alternatives are out there. whether i wanted to know it or not, i needed to know it. once again, he figured out something that was better for me than i probably thought it would be. thank you all for being here. it's been a long afternoon. if it hasn't been said, it is ok to repeat it. when we set this hearing up, there were 46 different requirements to comply with. there may have been more than that. there were at least that many. my question is simply a yes or no question. do you believe that a uniform standard for data breach notification would benefit consumers?
4:52 am
yes or no is all i'd like to have. >> yes. >> yes. >> yes. >> that's what i think. hopefully we can figure out how to do that. i think the attorney general recently called for the uniform standard as well. hopefully the congress can accomplish that. at the time of the breach, were there multiple sets of data involved in what happened at target in the last part of last year? >> two types of data were removed early in december. in december, on december 19, 40
4:53 am
million credit card account numbers had been removed from our systems. on january 10, we provided notice that certain personal information, including names, addresses, e-mail and phone numbers, in various combinations, had also been removed. >> do i understand this, you had all the information for all 40 million people? >> that is correct. it would be a relatively simple process. there were at least 12 million of the records, and likely more than that. >> to know who that related to, is there a new --
4:54 am
who could you have notified if you wanted to notify an individual customer that the card had been shared in ways you wouldn't have wanted? >> given the nature, the best way to notify customers was broad disclosure. we did so on december 19. again, related to the personal data, we augmented that public disclosure. we e-mailed 17 million guests. in the second case, 47 million guests. >> how did you know who they were? >> we had their e-mail addresses. >> for everybody in your particular file? >> it is for the 70 million records.
4:55 am
>> for the 47 out of the 70. what was the chairman saying? about the level of security that was set, does your company require any level of security for the merchants who use the system? are you changing what that level of security is? >> yes, we do require a level of security. it is the level embodied in the pci standards. we require large merchants to provide a validation by an independent security assessor. that is what we have in place
4:56 am
today. the pci council administers the standard and would review it periodically. >> have you given notice of a new level of standard you want merchants to have by sometime in 2015? >> there are two different things going on. one is the security standard, how they secure the data in their environment. the other is to devalue the data in their environment so they would no longer have valuable data to be targeted by thieves. the standard for october 2016 is for these emv chip cards. the card actually sends a one-time-use signal. even if you steal all of the data relative to the card, it can't be reused to commit fraud. the standard for 2015 is to implement the emv standard by placing emv terminals in the stores and outfitting them with the
4:57 am
proper technology on the back end, failing which the merchant would be liable for the fraud if it is used in the terminal. >> my last question to you. do you believe there is any benefit in congress, in the law, trying to specify exactly what the card standard should be? by law, you would have to have a chip in the card. is that a good thing or unhelpful? >> generally speaking, i would say that our success across the world has been through the liability shift mechanism. it allows flexibility in the different merchant environments to move in that direction. >> liability shift means that if they don't secure things, they would have a higher liability as a merchant. >> that allows them to set the pace of their transition.
4:58 am
>> we believe that should be effective. we have seen that over and over again across the world. i hesitate. we would like to get out of the fray ourselves, but governments that have tried to mandate technologies in other parts of the world, they tend to have unintended consequences that make it more difficult to move forward with new types of technology that can leapfrog current technology. >> anybody disagree with that? my view was the thieves, the hackers would always be more nimble than the congress. we prove that on a regular basis. if you are too specific in law, all you do is create a roadmap as to what you have to do if you want to break the code. >> i was going to agree.
4:59 am
we believe that a flexible approach is the right way to get through. >> thank you. you have made it back. >> i have made it back. i have a reprieve on my presiding. i felt this hearing was important. >> so i had the pleasure of putting you in front of senator markey. senator blumenthal was here. >> thank you. thank you for your leadership in convening this hearing. thank you to the panel. i feel this afternoon is in a certain way a missed opportunity for all of us. we've been bouncing in and out due to the votes and our schedules. this panel's contribution has been very useful. i think it could be even more useful.
5:00 am
i'm going to submit additional questions for the record that perhaps you can address. speaking of missed opportunities, the report done by the staff performs an extraordinary service and provides an excellent backdrop and summary analysis. there were missed opportunities. unfortunately, they were failed here. it brings me to one of the truths that senator blunt was alluding to. the best technology in the world is useless unless there is good management. blunt, there were multiple warnings from the company