Online Data Security Breaches, C-SPAN, March 29, 2014, 3:40pm-4:43pm EDT
3:40 pm
to the sites. -- the problem is, the new start verification regime has degraded. it doesn't allow us to have a good insight into what russians are doing with respect to their strategic modernization. not with respect to us, we are modernizing. we are planning on doubling new platforms. we are not developing any nuclear weapons or warheads. there is not much to observe there. since the situation in ukraine and crimea, are those inspections continuing? guest: yes, they have continued. host: let's go to victor in texas on our line for democrats. caller: i don't want to -- you should be ashamed for having
3:41 pm
this program. this is an insult to the intelligence -- to anybody. we are using nuclear deterrence. are you serious? somebody is trying out for fox or something. at 4:00 in the morning. you don't make up something about nuclear war. host: do you want to talk about your credentials and how long you have been studying this issue? guest: i've been studying this issue for almost seven years now. it is incredibly important that we talk about this issue because
3:42 pm
if you ask nuclear deterrence that deterred war during the cold war and we were in much r, you want to adjust to new environments. the world is not getting any safer just because we want it to be. quite the contrary. i'm not saying we should go back to the cold war with putin. we should think seriously about how to maintain peace. host: michaela dodge is with the heritage foundation
3:43 pm
>> on the next "washington journal," kempe reviews president obama's trip last week. talk on the health care law extension. sal russo talks about the state of the tea party. and an examination of the situation with russia and the always, we will take your calls and you can join the conversation via facebook and twitter. eastern on0 a.m. c-span. >> this is a pictorial report on the nato maneuvers of 1954. it is a gigantic land maneuver under the direction of the fifth corps, u.s. army. it has many purposes, but an additional purpose may be to
3:44 pm
display nato's might before the communists. two opposing forces, black and green. both sides have the american-built 280 millimeter atomic cannons. the atomic cannon has never been fired in europe. what you will see here is a simulated atomic explosion, but the cannon can be fired in europe. the guns are ready. the men are ready. should the soviets attack any one of nato's nations, the atomic guns will fire. >> from the u.s. army big picture series, nato maneuvers determined to deter soviet aggression in europe. sunday at 4:00 p.m. eastern on c-span3.
3:45 pm
a look at the recent consumer security breaches at target and the university of maryland. from the senate commerce committee, this is two hours and 15 minutes. >> this hearing will come to order. this hearing is in order. it does not have to come to it, it is. we now move into the era of the data. we knew that -- that is not news to you, ok. whether we like it or not, companies are regularly collecting reams of information about us. i serve on the intelligence committee and i have since before 9/11. it is wild sometimes to read "the new york times," "washington post," they are the
3:46 pm
culprits most times. what could happen -- it has happened, you see. that is the way you keep people scared. now people are reacting to that. oh, we have to get rid of this thing. we're not the soviets. intelligence congress when it comes to national security. they are tracking our websites, when we visit stores, purchase products. some of the information may be mundane. a lot of it is highly sensitive. health problems, whatever. i think we can all agree that if target or any company is going to collect detailed information about its customers, they need to do everything possible to protect them from identity thieves. what is in fact -- everybody was fearing about the nsa, which has never come to be
3:47 pm
true, has come to be true about the american private sector. that is the irony of the whole thing. this city is wrought with, you know, terrible things that could happen from the nsa, except nothing terrible has happened. terrible things are happening elsewhere. it is now known that target fell far short of doing this, that is protecting their customers. last november, december, cyber thieves were able to infect their credit card payment terminals with malicious software, access a staggering amount of consumer information they could pick and choose from and then sell them for something called a profit. there has been a lot of anxiety about the kinds of information -- i like making this point. data the american government has been collecting about american
3:48 pm
citizens. but the truth is, private companies like target hold vastly larger amounts of sensitive information about us than the government could ever think of doing and they spend much less time and money protecting their sensitive data than the government does. you cannot penetrate the firewalls all around the nsa. welcome, sir. >> [indiscernible] >> ok. we learned that federal agencies notified 3000 companies last year their computer systems had been hacked. i am certain there are many more breaches we never hear about. a number of years ago, i asked the fcc if they had a requirement that every time someone was hacked into it had to be reported to
3:49 pm
the sec, put on their website, for the advantage of the shareholders, because that is the kind of information they need to know, to buy or sell or haphazard at best. so, target is going to tell us today they take data security very seriously and they have followed their industry's data security standards, but the fact remains it was not enough. card numbers of 40 million people and e-mail addresses of nearly 70 million people were potentially stolen under their watch. my staff has carefully analyzed what we know at this point about the target breach. they identified many precise opportunities to prevent this from happening. it is a very interesting chart. i will hold it up. i ask unanimous consent that this may be made part of the record of this hearing. anyone who wants one of these as well can have it.
3:50 pm
it is increasingly frustrating to me that organizations are resisting the need to invest in their security systems. it is a clarion call to target and others. i am just as disappointed by congress and our failure to create federal standards for protecting consumer information. you can imagine having stores in 35 or 40 states and every state has different rules. i mean, it is just impossible, a mess. recently i put forth legislation that builds on the long established history of the federal trade commission and state attorneys general to protect consumers from data breaches. those set forth strong consumer
3:51 pm
data security and breach notification standards by, one, directing the fcc to circulate rules requiring companies to adopt reasonable, but strong security protocols, requiring affected companies to notify consumers in the wake of a breach. that should just be automatic. and enabling the ftc and the state attorneys general to take action. we have had major data breaches at companies large and small. many millions of americans have suffered the consequences. while congress shares the blame for inaction, i am increasingly frustrated by the industry's disingenuous attempts at negotiations. this is my message to industry today. it is time to come to the table, be willing to compromise. i am willing to hear their concerns about the legislation,
3:52 pm
my legislation or any other legislation. i am not willing to forfeit the basic protections american consumers have come to count on and i will not. i would be remiss if i did not note that representatives from the company snapchat refused to testify today. when companies refuse to testify, my instincts -- however they may be skewed -- are that they are hiding something. i call on my most distinguished -- the usual drill. >> ok. thank you, chairman rockefeller, for holding this afternoon meeting on protecting consumers from breach of data information. i'm glad that target and the university of maryland accepted the invitation to be here today.
3:53 pm
while the forensic investigations into these breaches are ongoing, it is clear that millions of individuals have been affected. i look forward to hearing what lessons target and the university of maryland have learned from these breaches and what steps they are taking to prevent them in the future and to better safeguard personal information. data breaches are clearly not unique to target and the university of maryland. the data breach report from verizon confirms 64,000 data breach disclosures between private and government entities. while we are here to discuss breaches in the private sector, we cannot forget the government holds financial and personal information. it is estimated that the federal government spent $14.1 billion on i.t. security in 2012, but is not immune to cyberattacks and data breaches. federal agencies reported 22,008 data breach incidents, more than double the amount reported
3:54 pm
in 2009. additionally, the government accountability office identified incidents where they failed to notify individuals in times of breaches or personal harm. breaches affect consumers in a variety of ways. if there is a risk of real harm stemming from a breach, we need to make sure the consumers have the information they need to protect themselves. that is why i support a uniform federal breach information standard to replace the patchwork of laws in 44 states and the district of columbia. it would ensure that consumers are treated the same way. it would also remove uncertainty regarding timely notification, which benefits consumers and businesses. i also want to ensure that businesses are not burdened by
3:55 pm
outdated or ill-suited security requirements but are rather provided the flexibility to develop tools to protect the information they are entrusted to protect. for these reasons, i cosponsored 93 with senator to me and a number of my colleagues on this committee. the bill would require companies to notify consumers in a timely manner if their information has been unlawfully taken. mr. chairman, i know that you have introduced legislation on this topic. i look forward to working with you and others to pursue appropriate breach notification. of course we should acknowledge this issue is not a new one. this committee reported legislation in 2007 and again, but finding broad agreement on the path forward has proven difficult. we should heed the testimony of mr. wagner and not allow the
3:56 pm
perfect to become the enemy of the good. a report on the best practices and standards for cyber security gives me reason for optimism. i was pleased to see that the witnesses have highlighted the good work done in that regard. as we noted in the past, legislation is needed to enhance information sharing of cyber threats with liability protections. when a data breach occurs, timely sharing of information on cyber threats is key to responding to cyberattacks, whether it is a breach of data, theft, or an attack on infrastructure. i look forward to learning more about the new partnership between the merchant and financial associations that will share information and protect consumers. i hope that visa and target can elaborate on the work that they are doing so that the system is more secure
3:57 pm
and consumers are better protected. i look forward to hearing from chairman ramirez from the federal trade commission on the work they are doing to prevent identity theft and fraud. i also know the secret service and the federal bureau of investigation are working hard to detect and prosecute cyber criminals and fraudsters. mr. chairman, i hope our witnesses can share their experiences, good or bad, working with federal agencies on our shared goal of ensuring information. i look forward to hearing from the witnesses. thank you, mr. chairman. >> thank you very much, sir. we are a very good combination. if you do not know that now, you will learn it. >> it is true. >> it is true. we both come from big states. [laughter] >> with tall people. >> that's right. and we love sports. first, we start with the
3:58 pm
honorable -- ramirez, the chairman of the federal trade commission. and once again i issue the following words of comfort to you. never fear that the national gallery of art is going to take you over. you are going to be there 1000 years from now. whether they will be or not, i don't know, but you will. >> thank you. chairman rockefeller, ranking member to me, members of the committee -- it is my pleasure -- this committee has led critical efforts in congress to protect data security. from the recent examination of the data broker industry and the impact on consumers to proposing data requirements for industry, you and the members of this committee have sought to advance the same goals as the ftc and i want to thank you for your leadership.
3:59 pm
as the committee is well aware, consumer data is at risk. recent data breaches remind us hackers seek to exploit vulnerabilities to access and misuse consumer data in ways that can cause serious harm to consumers and businesses. these threats affect more than payment card data. breaches in recent years have compromised social security numbers, account passwords, health data, and information about children. this occurs against the backdrop of identity theft, which has been the top ftc consumer complaint for the last 14 years. today, i am here to reiterate the commission's bipartisan call for enactment of a strong data security and breach notification law. never has the need for legislation been greater. with reports of data breaches on the rise, congress must act. the ftc supports federal legislation that would
4:00 pm
strengthen existing data security standards and require companies in appropriate circumstances to provide notification to consumers when there is a security breach. the security practices are critical to preventing data breaches and protecting consumers from id theft and other harm, and when breaches do occur, notifying consumers helps them protect themselves from any harm that is likely to be caused by the misuse of their data. legislation should give the ftc authority to seek penalties, to help assure that ftc action has an appropriate deterrent effect. in addition, enabling the ftc to bring cases against nonprofits, such as universities and health systems, which have suffered a substantial number of breaches, would help assure that whenever personal information is collected from consumers, entities that maintain this data
4:01 pm
adequately protect it. finally, rulemaking authority, like that used in one act, would allow the commission to ensure that as technology changes and the risks from the use of certain types of information evolve, the businesses would be required to give adequate protection to such data. for example, whereas a decade ago, it would've been difficult and expensive for a company to track an individual's exact location, smartphones have made this information readily available. it is a growing problem with child identity theft that was brought to our attention; this can be combined with another person's information to steal an identity. using its existing authority, the ftc has devoted substantial resources to encourage companies to make their security a priority. the ftc has settled 50 cases against companies that we alleged put consumer data at risk. in all these cases, the touchstone of the commission's approach has been reasonableness.
4:02 pm
their basic security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the complexity of its data operations and the cost to improve security and reduce vulnerability. the commission has made clear that it does not require perfect security and that the fact that a breach occurred does not mean that a company has violated the law. as a commission case against a retailer illustrates, there are alleged failures to implement basic, fundamental safeguards. in 2007, one company announced one of the then largest known data breaches. according to the ftc's subsequent complaint against them, a hacker obtained information from tens of millions of credit and debit payment cards, as well as the information of approximately 455,000 consumers. the ftc alleged they engaged in a number of practices that taken together were not reasonable,
4:03 pm
such as allowing network administrators to use weak passwords, failure to limit wireless access to in-store networks, not using firewalls to isolate computers processing data from the internet, and not having procedures to detect unauthorized access to its networks, such as virus software. in addition to our enforcement effort, the ftc also undertakes policy initiatives to protect information, such as workshops on mobile security issues and child and senior id theft, and for those consumers who may have been affected by recent breaches, the ftc has posted information online about steps they should take to protect themselves. the ftc also provides guidance about reasonable security. thank you for the opportunity. we remain committed to providing
4:04 pm
reasonable security for data. we look forward to working with the committee and congress on this issue. >> thank you very much. we are very honored to have the president of the american university here. i am sure that testifying before a congressional hearing is something you look forward to. >> thank you, chairman rockefeller, and ranking members. i spent most of my time testifying before the maryland legislature, and i hope that is good preparation for today. on february 18, after a major snowstorm paralyzed this region, presidents' day weekend, we had a very sophisticated cyber attack.
4:05 pm
somebody basically uploaded a trojan horse into the website of one of our colleges. this website was about 10 years old. there was the uploading of photographs, but instead, they uploaded malware. once they got into the website, they were able to pierce into central systems, and they were obviously coding to do that, and they were able to get to the directory of the management and find their passwords, and then change their passwords in order to issue orders, so they downloaded 310,000 names, social security numbers, university ids, and they intentionally left out photographs and so forth, that kind of information, because that would have slowed
4:06 pm
the extrication of the data, and they did it because they were able to hide the point of origin of the attack. because we have never been hacked before, we were just flying by the seat of our pants. it turns out we did exactly what your bill proposes to do. with regard to notification, we announced it within 24 hours. within 24 hours, we contacted credit rating centers, set up call centers, and notified all students and staff. within four or five days, we e-mailed and called everyone else, a total of 310,000. some of them are alumni going
4:07 pm
back for 20 years, and everyone -- what they got was university ids. in 2000, everybody was using social security numbers as identification, and we have thousands of databases, and they just took that one database, where we have both the university id and the social security, so in terms of notification, not only did we notify, we offered to pay five years of protection, credit card protection, to all of the affected parties. that is approximately $20 per person multiplied by 310,000 over five years. to date, 30,000 have signed up for the free five-year protection. what we did in terms of data security is very much along the lines of what your bill has proposed.
4:08 pm
we purged all the unnecessary data. we have purged approximately 225,000 names from our records. we have not purged all of them because you need social security numbers for student financial purposes. all those that remain, we are trying to reinforce. what we're trying to do, with the help of the fbi, the secret service, private security companies, is two things. one is to strengthen the perimeter defenses, and this involves penetration testing, and assuming they are still able -- offense will always be one step ahead of defense. this month, we have migrated
4:09 pm
almost all of our websites to the cloud. we have purged, as i said, lots of information. we have done penetration testing, and we have isolated information that is sensitive. and so on. and the cost is very, very high. let me conclude by saying that three weeks later, we had another major intrusion. fortunately, of course, they were working with us. within 36 hours, the fbi was able to identify and successfully mitigate the intrusion. no data was released except for the information of one individual. because they wanted everyone to know we were successful. thank you very much for all of your work in terms of requiring data notification and data security.
4:10 pm
this is a very important issue, and i would conclude by saying this. security at a university is very different than security in the private sector, because the university is an open system. there are many points of access because it is freedom of information. by definition, that is the internet. in the private sector, you can centralize. you cannot do that at a university. we have to find a proper balance between security and access, and that is the challenge for all universities, because, as you know, in the past months, 50 have had major breaches, and not all of them bothered to report it. >> excellent testimony, and i thank you very much. mr. john mulligan is the chief financial officer of the target corporation. we welcome him. >> it is a pleasure to be with you today. i am the executive vice
4:11 pm
president and chief financial officer of target. target experienced a data breach resulting from a criminal attack on our systems. let me begin by reiterating how deeply sorry we are about the impact this has had on our guests and your constituents. our top priority is always taking care of our guests. the reality is we experienced a data breach. our guests expect more, and we are working hard to do better. we know this has shaken their confidence, but we intend to earn it back. my written statement provides additional details about the breach and target's response. like you, we are asking hard questions about whether we could have taken different actions before the breach was discovered that would have resulted in different outcomes. in particular, we are focused on what information we could have had that could have alerted us earlier, whether we have the right personnel, and assuring
4:12 pm
that these measures were sound. we are working quickly to answer these questions. this afternoon, i would like to provide an update since i last testified, including the actions we are taking to further strengthen our security. from the outset, our response has been focused on taking action to protect them against constantly evolving cyber threats. we are taking a hard look at security across our network, but we do not know everything yet. we have initiated the following steps to better protect our perimeter and to better secure our data. we are enhancing our security systems. we are increasing segmentation of key portions of our network. we have accelerated the installation of additional anti-malware tools, and we are expanding authentication. earlier this month, target became the first retailer to join the information sharing and
4:13 pm
analysis center. the center shares critical information that facilitates detection and response to cyberattacks and productivity. we are accelerating our investment in chip technology because we believe it is critical to enhancing consumer protection. we have already installed 10,000 devices in target stores and expect to complete the installation in all stores by september, six months ahead of schedule, and to begin to issue chip-enabled cards by early 2015. we have offered one year of free credit monitoring and identity theft protection to anyone who has ever shopped at our u.s. target stores. we informed our guests they have zero liability on their cards arising from this incident. we believe responsible measures can further enhance security for our guests and all consumers. mr. chairman, i know you and other members of the committee
4:14 pm
have introduced legislation designed to enhance data security. i am not a policy expert, but i have discussed the principles of your bill with our team. we agree a uniform standard would provide clarity and predictability. the standard would be uniform. we would support state attorney general enforcement. we believe the standards, if appropriately structured, could provide additional protection for consumers. we have learned even robust security cannot completely shield a company from a criminal breach. the more security can be improved across the economy, the better protected consumers will be. for many years, target has invested significant capital and resources in technology, personnel, and processes. prior to the breach, we had in place multiple layers of protection and continually made enhancements to meet evolving threats. in 2013, our systems
4:15 pm
were certified compliant with standards. we met approximately 300 independent requirements of assessment. the reality is criminals breached our system. to prevent breaches from happening again, none of us can go it alone. all businesses and customers are facing frequent and sophisticated attacks by cyber criminals. protecting american consumers is a shared responsibility. target remains committed to being part of the solution. i want to say to you and our guests how sorry we are this happened. we are committed to getting things right. thank you. >> thank you, sir. now the chief enterprise risk officer for a small corporation called visa. >> thank you, chairman rockefeller, and members of the committee. i appreciate the invitation to testify today.
4:16 pm
everyone in our payment system is affected when data compromises occur because they jeopardize the trust we have worked to build for more than 50 years. we continue to work to maintain that trust every day by placing security at the forefront of everything we do. the payment industry has adopted a layered approach to data security. we protect consumers from financial harm with zero liability policies that ensure they are not held responsible for fraudulent charges on their account. we work behind the scenes to protect their personal information and prevent fraud before it can happen. as a result, fraud rates have declined by more than 2/3 in the last two decades to just six cents for every $100 transacted. as recent compromises show, our work is never done. a critical first step is to limit the amount of data that needs to be protected.
4:17 pm
years ago we campaigned successfully to eliminate stored data in large environments. this made it more difficult for criminals to steal large volumes of data. more sophisticated criminals today are stealing data in transit. strong security remains fundamental to our program to protect the payment system. the payment card industry standards establish a baseline which, when consistently implemented, has proven effective in protecting our stakeholders from cyber attack. visa understands it is difficult for any organization to maintain complete security all the time. we are working with others in the industry towards a paradigm shift that would reduce or eliminate vulnerable payment data from the merchant environment. if the data can no longer be used to commit fraud, criminals would have no reason to attack.
4:18 pm
we are joining with others in the industry to create a roadmap for the future of payment security with a focus on three technologies. the first is a microprocessor that can be embedded in payment cards. chip cards are nearly impossible to counterfeit. they eliminate one of the most important incentives for criminals to steal data today. it is not a silver bullet. in countries where it is widely used, fraud has moved to the online channel. to address that threat, we have proposed a new standard for digital payments known as tokenization, which replaces the 16-digit account number with a digital token during the transaction process. it removes the sensitive data from the online merchant environment. it is the token and not the card number that goes to the merchant. the third element is
4:19 pm
point-to-point encryption, a technology available today which protects data through the completion of the transaction process. securing data today and devaluing it tomorrow are the most critical components of our strategy. a layered approach assumes no single strategy will be 100% effective. therefore, we also invest in prevention, analytical tools that identify and prevent billions of dollars of fraud each year. we also invest in breach response, continuously improving our ability to protect consumers when they occur. as a result, the vast majority of accounts exposed do not experience fraud. 5% experience fraud from the breach. visa believes there are three
4:20 pm
areas where government help could be most effective. the government can help create a safe environment to share cyber threat information. second, the government can continue to work with the international community to improve coordination and prevent havens for attacks. the third, it can establish a standard to replace the state laws in place. we know cyber criminals will always be with us. they will continue to target any environment that contains valuable information. the payments industry has fought back as well, investing in sophisticated solutions to protect systems and consumers. as the criminals improve their technology, we have to improve ours as well. the key is to work together to defeat our common enemy. visa is fully committed to
4:21 pm
working with all participants in the industry toward this objective. thank you for the opportunity to testify today. >> thank you very much indeed. now the executive vice president and general counsel of marsh & mclennan companies. >> as a former david rockefeller fellow, it gives me particular pleasure to be before this committee. i would like to focus my remarks this morning -- >> my uncle did this for free? >> something like that. >> very unusual. please. >> i would like to focus my remarks on a single and narrow topic of cyber insurance. what is it? who is buying it? what role might it play as part of a comprehensive mitigation
4:22 pm
framework? as the world's leading insurance broker, our company has a unique perspective on the cyber insurance marketplace. it assists clients in preparing strategies and has issued its first cyber policy as far back as 1999 called net secure. there are three basic types of cyber insurance. the first and most fundamental is coverage that protects the out-of-pocket expenses the university of maryland or another institution might suffer. expenses like credit monitoring or setting up call centers or notifying affected individuals. the second type of insurance is analogous to business interruption insurance. if your system is disabled for days or longer, you're able to recover the harm you have suffered in the form of lost profits. the third type of insurance is
4:23 pm
for damage suffered by parties outside your company. customers or consumers or clients. that is called third-party insurance. to give the committee some insight into the dynamics in the market, we just conducted a survey of our cyber clients to give you a sense of who is buying it and what the price of this insurance is. there are a couple of charts in my written testimony. you have some of them in front of you. >> they are in our packets. >> there are a couple of important headlines. the first is interest in cyber security is increasing rapidly. the number of clients who purchase standalone cyber insurance increased by more than 20% in the past year. take-up rates are in industries like financial
4:24 pm
services, health care particularly because of the importance of protecting health-care data, also in the education space where there have been marked increases. that is a breakdown by industry. in terms of size of companies, larger companies perceive a greater risk from cyber threats than smaller companies. we analyzed the take-up rates. if you are a company with revenues of more than $1 billion, your take-up rates are almost double a small company's. on pricing, here the news is positive. throughout the past year, even as perception of risk goes up, pricing has remained stable through the year. this is a product of new underwriters coming into the marketplace. that is the actual insurance.
4:25 pm
the process of applying for insurance is instructive. the process of applying forces you to go through a gap analysis to benchmark yourself against industry standards and what are considered the best practices to see what you can do to position yourself as a better risk for the underwriting community. as this committee is well aware, this is a race without a finish line. our adversaries will continue to adopt new methods of attack and different strategies. it is important in combating this threat that government, the private sector, and also the nonprofit world partner together to try to respond effectively. thank you. >> thank you very much. that was eloquent and
4:26 pm
helpful. mr. david wagner? >> good afternoon. i am pleased to be here to facilitate a dialogue for a better understanding of cyber security issues. just over two years ago, we testified on a similar topic of cyber security. since that time, the situation has worsened. nation-states and criminals are continuing to use cyber to advance their interests. the december point-of-sale breaches are another example of escalation. we have no direct relationship with any of the victims of the december attacks. we can provide insight into the attacks. as we have heard earlier in testimony, criminals are using tools to get past fences. social engineering and malware are the silent equivalent of
4:27 pm
crowbars penetrating corporate networks. the criminal uses a stolen identity and virtually becomes someone on the network, making them difficult to distinguish from normal network behavior. in the case of the retail breaches, when the criminal assumes the right identity, they are able to push malicious code to point-of-sale terminals. they are able to collect customer credit card data in-store and carry it overseas. you can see from the attack scenarios they are sophisticated. they are sophisticated but not rocket science. they used stolen identities to access the victim company's network and used the i.t. tools to complete the crime. a determined attacker can overcome even strong remote fences. we need strategies to
4:28 pm
strengthen the inside perimeter. good governance is vital. regulations are available to help build effective security architectures. with all of this knowledge, guidance, and standards, how did the breaches occur? was the network not segmented to protect sensitive data? was the network monitoring equipment capturing the patterns? nothing in the breaches was new. we know good governance requires investment in people and technology consistently over time. have we created a culture where executives are aware? have we created regulations that evolve and change with technology?
4:29 pm
if we have not, no tool or regulation will solve our problems. when a retailer is breached, financial institutions bear the cost of stolen data. banks and credit unions bear the cost of card reissuance. consumers bear the pain of cleaning up accounts. risk assessment must consider the full value of the data. cyber crime poses a greater threat to the security of nations, corporations, and individuals than ever before. the challenge is balancing the importance of protecting data with the benefits of emerging technology. you are charged with facilitating commerce and putting in place a structure for finding this balance. we recommend action in three areas. first, breach notification law needs to be passed. consumers need to know what is expected on a national level.
4:30 pm
it will put the federal government in the role where it belongs. the federal government needs to continue to foster best practices and sharing of information across public and private sectors. collaboration fueled by real-world learning is critical to creating a strong, unified -- criminal groups cannot migrate to the next weakest target. third, we must change the cyber security culture. enterprises large and small, public and private, need to embrace security governance. defense posture needs to be a federal priority. without changes to the security posture of our industry and infrastructure, cyber crime will continue to grow in frequency and potency. the best path forward rests upon a public-private ecosystem that is built upon good security governance and assessment of vulnerability.
4:31 pm
-- will drive this through incentive or other things, we need to move now. i urge your colleagues to not let 2014 expire without adopting measures that will better protect our economy and security posture. thank you for your time and your attention. >> thank you very much. because of an unusual circumstance and with the permission of my distinguished ranking member, the first question from our side will come from senator mccaskill. >> thank you. i adore you. [laughter] i wanted it on the record. i adore both of you. i believe that the market is more effective at controlling behavior than the government. let me start with the question that i don't think has been fully answered. mr. mulligan, can any of you
4:32 pm
shed light on how much fraud has resulted from this breach? >> are you speaking specifically to our breach? >> yes. >> i can only speak to about 15% of the cards that were taken that were target branded. the other 85% are third-party. we do not have visibility to those. we have seen two of the card products, one is a debit card and the other is a proprietary card. we have not seen incremental fraud on those two cards. we have a visa product that can be used broadly. $5.5 billion on our portfolio. we have seen $2 million in fraud. a .01% increase. >> i mentioned in my testimony
4:33 pm
that 2%-5% of accounts may be expected to experience incremental fraud. we are seeing much lower numbers from the target breach. i believe that the rapid notification that target provided, as well as the strong response from our member financial institutions, is responsible for limiting fraud. >> what is the total, do you think? dollar wise? >> i don't have those figures available. >> does anyone? >> we can get those for you. we're still in the relatively early stages but we can provide them. >> i'm trying to figure out how much fraud there was and who is holding the bag on the fraud. i think that people understand that visa does not necessarily hold the bag on any of it. most of the debit card fraud ends up with a local bank. a lot of the costs associated with the breach, in fact, the
4:34 pm
majority of them, fall to credit unions and local banks as opposed to target. of the $61 million that you have said it cost your company, mr. mulligan, how much of that was marketing -- and you are the good guys, by the way. i'm not trying to say you are not the good guys. how much of that $61 million was marketing as opposed to actual loss? >> any marketing, as i understand it, would have been reported. it was related to credit monitoring, activity such as that. >> the credit monitoring you are offering to customers, that is marketing. >> we did that as a way to help our guests in a difficult time for them. we provide for them not only credit monitoring but identity theft insurance. >> i think it is strategic and smart
4:35 pm
for you to do that and a wise corporate decision, but it was an optional activity you engaged in to try to repair the damage that occurred as a result of the breach. >> we were focused on our guests. the estimate to the credit unions and banks is about $200 million and those are not optional costs. them having to reissue the cards and bearing the cost of doing that. the payment card industry has importantly decided that the consumers do not bear the cost of the fraud. there are commercial arrangements that provide for revenues that companies like target pay in. they provide for remediation in situations like this. >> the point i'm trying to make is that i think it is confusing to the public where this loss falls and where the costs are absorbed. there is $10 million more
4:36 pm
revenue to retailers as a result of interchange fees. they were $19 billion before the durbin amendment and now they are less than $10 billion. there is $10 billion extra that flowed to retailers as a result of prices coming down. i am not saying that is a good or bad thing. what i'm trying to get at is that i think it is very important that the risk be borne by those who must engage in the activity to protect. if the risk goes somewhere else, it lessens the incentive to protect. i'm not going to argue that you had a terrible thing happen to your company. i thought you were covering all the costs. when you said that we are going to make sure that no customer loses a dime, i don't think that -- i
4:37 pm
don't think they realize that most of the dimes are not being borne by the customer in the first place. it will be much better to align the risks with better incentives in the free market. >> i am going to say that if there is any lack of clarity about who is bearing the loss here in the committee, the financial institutions would, in the first instance, fully cover customers with their zero liability policy. the payment networks have a program to shift the cost back to a merchant if the merchant has been shown to be out of compliance with industry standards. however, that program only covers a portion of their cost and the reason for that is to balance the incentives so that each party is incentivized
4:38 pm
to provide. >> i would like to get the rate on that. >> you mean, right now? [laughter] >> no, i mean later. i want to understand how these risks are being shifted in the marketplace. >> i am going to recognize senator thune. we have five votes scheduled. we will work that out. we will take a short recess and come back and conclude the hearing. >> mr. mulligan, we're still learning all the details of the target breach but we know that it affected two types of data. one was the payment card data of approximately 40 million customers and personal data of up to 70 million customers.
4:39 pm
the question is, what steps have you taken to provide your customers the assurance that their personal information is going to be protected going forward? >> we have taken several steps. we immediately removed the malware from our system. we closed the portal that created the access point. we narrowed the scope of who has access to the system. we have a review of our entire data security, processes, and controls. from that we will have additional learnings and we have taken steps from what we have learned from there. we have enhanced data segmentation. we have hardened our perimeter and we have increased malware detection with something called whitelisting.
4:40 pm
we have accelerated investment in chip and pin technology. we will be rolling out cards early next year. we have taken many steps and will continue to have learnings from our end-to-end review. >> you state in your testimony that although most states have breach notifications in place, having a strong national standard would simplify compliance by businesses while ensuring all businesses are protected. i agree with that statement. i'm wondering if you could elaborate on the advantages of a consistent national requirement for breach notification. >> we are for legislation for various reasons. i think it is critical that there be comprehensive federal legislation in this area. i think if the legislation and the standards set are
4:41 pm
sufficiently strong, then the federal standard should preempt state notification laws. >> several of you have testified to the advantages of having a single federal standard. i wonder if you would like to underscore the value of federal preemption with what is a patchwork of state laws. >> it is also critical that states be allowed to enforce, that there be concurrent jurisdiction on the part of the ftc as well as the states. >> anyone else want to comment on that? >> a couple of quick ones. we have talked about transparency today. it is absolutely critical. having a common breach standard will make it easier to aggregate the data to understand what is going on from a national perspective. they often have a
4:42 pm
multi-state impact and very often an international impact. having the federal government involved in breach notification seems to make a lot of sense. >> anyone else? >> a single standard would ease the way for getting the notification out faster and spending less money on lawyers and more on informing consumers. >> you are here today because the university of maryland experienced a security attack which exposed names, social security numbers, and 300,000 hours of community -- you stated that there was a second breach but that this time, this breach resulted in only one senior university official having their data breached. the question is, why is that?