Online Data Security Breaches, CSPAN, March 29, 2014 4:42pm-5:55pm EDT

4:42 pm
they often have a multi-state impact and very often an international impact. having the federal government involved in breach notification seems to make a lot of sense. anyone else? that a single standard would ease the way for getting the notification out faster and spending less money on lawyers and more on informing consumers. today because the university of maryland experienced a security attack which exposed names, social security numbers, and 300,000 hours of community. you stated that there was a second breach but that this time, this breach resulted in only one senior university official having their data breached. the question is, why is that?
4:43 pm
that really the target of the breach was because of steps taken after the first? they actually had unlawful access to far more information that was breached the first time. breach, call it a except for that one individual. it was not public or circulated. i want to thank the fbi for their very effective work that resulted in the successful mitigation within 36 hours. the reason we are not saying any more is because the investigation is proceeding. everything was put on the web and put on a public website. the intruder wanted to show how clever he or she was and wanted the world to know. >> i just have one last
4:44 pm
question, mr. chairman. i want to come back to ms. ramirez. ftc uses both its unfairness and deception authority being relatively clear-cut. in that case, you have a company access. it makes materially misleading statements regarding security measures taken. a good number of the ftc's actions come under its unfairness authority, which some argue provides less guidance to companies that practice across the line. it does not seem like there is a record of precedential value.
4:45 pm
should they make public what they determine is unfair so the companies have better guidance? >> i have to disagree with the critiques of the ftc. i think that we have provided good guidance and the approach that we take when we exercise both our deception and unfairness authority is one of reasonableness. as a law enforcer, what we do is driven by the specific facts of a given case. our documents, which are part and parcel of our allegations, state what we believe to be the case. we have provided guidance and the actions we have taken go to very basic and fundamental failures on the part of companies that we think are unreasonable and therefore that would be a violation of our section five authority.
4:46 pm
i do take issue with that. we provide a great deal of guidance. i believe that companies can discern the approach that we take. it is a process-based approach. it is based on the types of information that they collect and use and if they develop a program that would be able to address any risk to which that information might be exposed. we think it is critical to have one person to be in charge of any data security program. >> is the guidance made public? >> absolutely. >> i see we're out of time. we have to run. we are going to recess for a little while. i don't have a time certain. my guess is it will be 40 minutes or so. i don't know exactly, depending on how many actual votes we have on the floor.
4:47 pm
what we will do is recess and probably, just for everyone's benefit, we will try to start as we are doing our last vote on the floor because members can vote and then come back here. we're trying to do that. we will take a recess now and reconvene subject to the call of the chair. thank you. you have all been nice? [laughter] we do a lot of reports. it is very interesting. i should not be saying it, but i'm interested so i will say it
4:48 pm
and i am chairman, so i can say what i want. a lot of moving companies, if you want to move, you sign a contract. they put your stuff in the moving van and take it about two miles and then park in an alley and say, the price has tripled. you say, that does not happen in america. the point is, it does. it is very disturbing. we focus a lot on these kinds of things. it is not that we are nasty. richard, you're not nasty, are you? senator blumenthal? >> ask my wife, mr. chairman. [laughter] never. >> that is right. your daughter
4:49 pm
granddaughter and my wife were together in school. different levels. [laughter] this report, and i wanted to know if you read the report. >> i had a chance to review it last night. it walks through the many steps that attackers had to go through in order to hack your company. it explains how target could have prevented the breach if you had stopped the attackers from completing just one of the steps. let me give you some examples. you could have prevented the breach if one of your vendors, a small pennsylvania mechanical services company, had better security practices. do you acknowledge that their
4:50 pm
better security was a factor in the attack? >> yes. >> once the attackers got into the network, you did not stop them from gaining access to your company's highly sensitive consumer data. would you acknowledge that target failed to properly monitor your computer network? >> it is my understanding that we did have proper segmentation as recently as two months prior to the attack. we were found to be pci compliant. your question is an excellent one. how they migrated from the outermost portion of our network to our point of sale data is an excellent question. i do not have the answer to that. >> who is they? >> the intruder, excuse me. >> chairwoman ramirez, i congratulate the federal trade commission for the recent announcement of its 50th data
4:51 pm
security case. you have been successful under section five. legislation the ftc has consistently called for. can you talk about why you see the need for such legislation? why isn't your existing authority under the ftc act enough? >> thank you for your question. i want to thank you for your leadership in this area. has undertaken critically important work in this arena. i think what we see happening in the marketplace is showing that companies are continuing to under-invest when it comes to data security. that is why more needs to be done in this area and why we think congress needs to act to have comprehensive
4:52 pm
legislation that addresses the issues of data security. we want to highlight things that are critically important relative to enforcement authority on the part of the ftc. we feel it is critical the ftc have civil penalty authority so there can be appropriate deterrence. we feel it is important that any legislation has apa rulemaking authority so the agency can implement legislation and adapt to changing technology in this arena. we feel it is important for the ftc to have jurisdiction over nonprofits. currently, we do not have jurisdiction over nonprofits and we see universities and other nonprofits are falling victim to intrusions and it is important to access the nonprofit sector
4:53 pm
and have reasonable security measures in place. will concisely tell you that self-regulation works. >> we believe that self-regulation is an important element of all of this. security is a complicated issue and in order to address it effectively, we need to do it in a multi-pronged way. we believe that self-regulation that is robust and backed up by enforcement by the ftc would be a good and important complement to the civil law enforcement that we undertake. >> in my mind, it is not enough. whether it is cyber security, whether it is anything else, self-regulation always solves the problem.
4:54 pm
a water spill recently in charleston, west virginia. nine counties could not drink water. my house. it was not a pleasant experience. there is no federal regulation, no state regulation. they can do as they please. one of the people who was trapped by this, who is my chief of staff of my west virginia operations, has two young children. i talked to her this morning. she said she had been on a trip to india. it was to look at new ways of doing water. two more leaks had been discovered on that river, causing one to be blindingly
4:55 pm
angry and infuriated, at ourselves for allowing that to happen. i never did anything about it. every time i drove into charleston, i was looking directly towards those tanks that held all that toxic stuff which leaked. i said, that does not look very good to me. it looks kind of crummy. it's like the pictures in seattle, before everything went wrong. everything looked fine. if you knew that there was a lot of mud there, your mind would lead you to other kinds of conclusions, but your mind does not choose to dwell on things that are not of the moment. i am hearing increasing hostility towards giving the ftc -- i am hearing this from others
4:56 pm
-- authority to address consumer protection issues. that is a common complaint from some. it reaches ears easily because people like to hear about the federal government not being able to do its work or failing to do its work. i'm not constantly hearing about the dangers of an overzealous ftc, over regulating and overburdening american businesses a lot. my data breach bill, which is 1976, gives your agency basic rulemaking authority to set data security standards, just as congress did. i don't think that is a controversial idea, but some people do.
4:57 pm
chairwoman ramirez, can you explain to these skeptics, through me, how the ftc goes about setting these rules so that i can be satisfied that you are not out to ruin industry for the pure pleasure of doing it? you are trying to do your job. how the commission has a careful and deliberative process that does not lend itself to the type of regulatory chaos that some fear, and how these rules will help protect consumers from data breaches? >> i would be happy to. the call for legislation in this area is a bipartisan call. the commission unanimously supports enactment of federal legislation in this area and supports specifically the pieces of the legislation that i have outlined. in response to the critics of the ftc, i believe that anyone
4:58 pm
who looks closely at the work that we undertake can see that we do our work in a very balanced way. our job is fundamentally to protect american consumers. we do listen to the concerns of industry and when you look at the body of casework that we have in this area, the 50 security cases you mentioned, people will see exactly what the basis for these are and that the actions that we took were justified. in response to your specific question about how we employ apa rulemaking authority, i referenced an act which is one piece of legislation where we were given rulemaking authority. any rule that the agency was undertaking would go through a notice and comment period.
4:59 pm
stakeholders could see and comment on any rule we would ultimately impose. the reason we asked for that is because it is critical that the ftc have flexibility in this arena, to implement any legislation. two main issues are the ones i want to highlight. one is, we have to recognize that technology is moving very rapidly. a decade ago, no one would have predicted that facial recognition technology would be so readily available or geolocation information would be so easily attainable. it is important that there be flexibility embedded in any legislation to allow the ftc to adapt any rules to emerging and evolving technology. by the same token, it can also be to the benefit of businesses to grant the ftc that flexibility because we may be able to lift certain
5:00 pm
requirements that may no longer be necessary over time. that has happened in connection with our implementation of the act. it would be to the advantage of >> i thank you. i'm well over my time. and it's time for another senator. >> thank you, mr. chairman, thank you for holding this important hearing and working on important legislation. i think we all know this is no longer one singular problem, as we heard from our witnesses today. in fact "the washington post" printed an article yesterday showing that the federal government notified 3,000 u.s. companies of a breach in just the last year. and i think it calls attention to the fact that we need to move on cybersecurity legislation, to move on the notification bills and the work that senator rockefeller is doing, senator leahy is doing. i'm on both committees.
5:01 pm
i've been immersed in this as mr. mulligan knows, we had another hearing with chairman ramirez in the judiciary committee. one of the things we focused on is, one, going after the people who did this and working with the justice department on that. that's got to be a top priority. number two, how we prevent this going forward. one of the things that i found pretty shocking is that in america we had 25% of credit card transactions in the world, but we had 50% of the world's fraud. and we know some of the other countries have moved to the chip and pin technology. i know that target tried some of this technology, maybe you can talk about that, a few years back. but it wasn't adopted by other companies so i would think i would start with that. what do you think we need to do to stop this from happening in terms of adopting some of the technology?
5:02 pm
and how long do you think it will take when we have parts of the world that are already adopting this, it's currently the standard in europe. so maybe we can hear from ms. richey first? >> we do believe it's necessary for the united states to join most of the rest of the countries of the world in adopting the chip technology to control fraud in the face-to-face environment. we set out a road map for the emv chip adoption. we announced that in august of 2011 with the idea that it would take probably around four to seven years to get to a critical mass of chip adoption based on our experience in other countries. i'm encouraged by the level of enthusiasm towards the chip project we're seeing in the wake of the recent events and i'm hopeful that with our liability shift date in october 2015 we will see substantial adoption on the merchant and issuing bank side.
5:03 pm
>> do you think it could be better to have the pin rather than signatures? would that be safer? >> safe is an interesting word in this context. >> would it lead to less fraud? >> it might initially lead to less fraud. p.i.n. does reduce lost and stolen fraud. but p.i.n. does nothing to keep the criminal from counterfeiting the card, unfortunately. and 70% of the fraud that occurs in physical locations, brick and mortar stores, is counterfeit, not lost and stolen. so we believe the bigger problem is counterfeit. it's also easier for the criminal to accomplish because they can do it by stealing data, not by having to take possession of, you know, thousands or millions of physical plastic cards. so we believe that the best thing for the industry to do is to focus on the chip, and trying to change the environment between p.i.n., signature, and
5:04 pm
no cardholder verification, which are our current methodologies, will slow things down and increase the costs. so therefore, we're saying that the issuer could have the choice, based on their own risk profile, whether to issue with chip and p.i.n. or chip and signature, and similarly in the merchant environment where today 2/3 don't currently deploy p.i.n. >> i mentioned mr. mulligan, you wanted to address this, target tried to go with the chip technology and what happened? >> we did. a little more than ten years ago, we introduced what we call guest payment devices to read chip cards and we introduced the target visa card with chips enabled in it 10 years ago. the benefit for consumers comes with wide adoption, though. when the cards are widely used and widely read throughout the economy. we've seen that in other geographies. after we went about three years by ourselves, we determined that
5:05 pm
it didn't make much sense for us to continue given there was no real benefit to consumers broadly. we've continued to support -- in our case, chip and pin, but moving to chip-enabled technology is moving forward. >> speeding up your adoption of that now? >> we are. we accelerated that, a $100 million investment for us. we'll have the guest payment devices in september. we'll have the chip-enabled cards next year. >> the subsidiary of datacard which is also a minnesota company, how does your company view the transition to chip cards and how has trust and datacard been involved in making recommendations on the finance and payment networks on implementing new cards and security methods? >> they're a leader in financial magnetic cards, the stripe and emv. we're a big supporter of the emv technology. one of the things you combine energy, it's a more secure way to do it but there's balance and
5:06 pm
usability that needs to be considered. but the chip and p.i.n. is a more secure way to go about it. either is better than the current magnetic stripe environment. >> can i ask one more question? many of the large data breaches and the hacking operations are perpetrated by people outside of the u.s. and there's no shortage of crimes they could be charged with but it could be hard to bring them to the courts because they operate largely overseas. in the case of the target breach, i understand that business weekly has identified a ukrainian operation that could be responsible. again, the investigation is under way. this is what we read in "business weekly," can you discuss how you work with law enforcement investigations, i know i asked this of the justice department in the judiciary hearing. but what steps do you think we could be taking to make it easier to get these international hackers into the
5:07 pm
courtroom to stop them? >> as to your specific question, i do have to defer to the criminal law enforcement authorities to get into the details of that. but i will say that the ftc works very closely in terms of our own work in parallel with our criminal law partners in these areas. we, of course, are focused on the front end, how retailers and other businesses are protecting consumer information. but, again, we work in parallel with and i think our efforts are complementary with the efforts of criminal law enforcers who are seeking to locate and punish perpetrators. we do a big amount of work on the international front working with civil law agencies around the world to address the issues; that is a significant part of our own engagement and we use authority that's been given to us by congress under the state act to pursue civil law enforcement where needed, so we want to partner with other law enforcers because we have to these days.
5:08 pm
>> should we be doing more as we negotiate, as we work with the other countries as part of the security agreements in terms of trying to come up with international standards? more and more of these cases are outside of our borders in terms of who's perpetrating them. >> increasingly, we need to be working with international partners around the world. and we absolutely have to focus on that set of issues as well. >> thank you very much. >> thank you. senator pryor? >> thank you, mr. chairman. and let me follow up on that if i can -- chairwoman ramirez. with the ftc working with other agencies, other federal and
5:09 pm
state and other law enforcement agencies generally, plus the international community. is there a formal process there? i mean, do you have these formal relationships where you sit down every day or every week or every month with these folks? or is it more a case-by-case ad hoc basis? >> we do work regularly with sister agencies here domestically. it does operate on a case-by-case basis. we also have specifically a criminal liaison unit because it's part of overall enforcement work, we do partner with u.s. attorney's offices. we also do close work with the department of -- of main justice and the fbi and secret service. so -- specifically on these issues, it tends to be in conjunction with specific investigations. on the more global level, we do work in -- through multilateral organizations as well as through specific bilateral relationships that we have with counterpart law enforcers around the globe
5:10 pm
who have consumer protection authority and we also engage -- where necessary and appropriate -- with criminal authorities around the world as well. >> one reason i ask is my experience with law enforcement is that sometimes they'll form what are sometimes called task forces where they have multi-agency or multi-jurisdiction. i don't know if you serve -- if ftc serves on a task force-type setting where you have regular meetings where people are focused on this, trying to find solutions, trying to head some of this off before it starts. are y'all involved in anything like that? >> it's really more of a case-by-case basis. again, our focus is on the civil law enforcement side and on the front end. we will cooperate very closely where it's necessary and we do stay in close contact with
5:11 pm
domestic criminal law enforcers. >> let me go down to the other end of the table there. mr. wagner, i know in both the rockefeller bill and also the tuny bill, they use the word "reasonable policies," reasonable is the key word for policies to ensure consumers' private data is protected. and obviously reasonable is a little elastic, a little situational. that may be the best word to use. but could you please speak to that? and kind of talk about what principles are contained in the concept of reasonable. >> the key principles we would espouse are those for information security governance, understanding the risk that information has at a high level, in a corporate, a board level, understanding which information assets have value.
5:12 pm
making sure it's not just an assessment of value to your organization but seeing the effect, ecosystem-wide. making sure those asymmetric values get considered at the risk level at the corporate level to be dealt with. >> anyone else on the panel want to comment on reasonable and what that means, in the context of what you do? >> were in accordance with those standards. >> is that a good starting
5:13 pm
point? >> i believe so. >> did you have something? >> yes. the word reasonable was what caught my attention. section two of the bill. reasonable measures and procedures by information security. even though it has only been five weeks since our major data breach, the estimated cost of reasonable defenses, and protection of sensitive information, can range from a few million dollars to as high as $50 million. these figures from other studies get saved. approximately $100 for every identity stolen. we have 310,000 stolen. the cost is 310,000 times $100.
5:14 pm
the question i think mr. mulligan raised, an excellent question, who shares in the responsibility for protection? it will bankrupt most universities to spend $20-30 million when there is no guarantee anyway. it is something that should be shared worldwide. to take one example, social security numbers. why don't we devalue social security numbers? why not require financial institutions not to use social security numbers, so there is no incentive to steal them? if one doesn't do that, one shifts the costs to higher education institutions.
5:15 pm
it is a balancing between risks and costs. all i can tell you is that the cost can be staggering. even then, all of the experts we have retained are telling us there is no 100 percent guarantee. >> i want to add a few words from the perspective of the federal trade commission. we believe reasonableness is the right approach. given the different types of companies that we have jurisdiction over, we think it is critical to have flexibility and a fact-specific approach. we understand the challenges that dr. loh has identified. going back to your question, one area where we have a task force is in connection with identity theft. that task force was set up under the bush administration. we have made a number of different interagency
5:16 pm
recommendations about how to deal with issues and things such as social security numbers, minimizing id theft. i think it is a complicated question. there are many areas where the government can play an important role. i think there are other things that need to be examined in the way personal information is being utilized. >> thank you. that philosophically and realistically was an interesting discussion. it gets back to something i talk about as often as i can. unless this country is willing to get serious about infrastructure, cyber security, to 200,000 pound water tankers
5:17 pm
crossing 75,000 pound max bridges so they can build a platform. if we don't have the infrastructure, which is research, nih, alzheimer's, everything. plus the hard stuff, the roads, we have been through five lines in west virginia. nobody knows where they are. they carry gas. somebody goes to build a house, and breaks through five layers of five line nobody knew were there. at some point there is no sense of forgiveness.
5:18 pm
if we are going to be a serious country, continue to be a serious country, we have to do infrastructure. we have no choice. if you said are you for raising the gas tax, i would say yes. i believe in user fees. i always have. and if you have an objective you want, you want to build roads, then you do that which is necessary to make it happen. if you choose not to, you're ideologically pure, you win your next election, and you decline. or people make the conclusion as they have on our water spill for which there was no federal
5:19 pm
regulation whatsoever, for which i was probably responsible because i was governor for eight years. but did nothing about it. if you don't take responsibility, you have no future. that gets to the very bottom of what divides this country. it is not republicans and democrats. roy blunt and i have been friends for years. he likes me, and i like him. things work. but, you have to be willing to raise taxes. to pay for things where we are eons behind. modern bridge structures. the list is endless.
5:20 pm
you want a good way to find out where a good standard is, you go to nist. they will do it fairly and at low cost. to dr. loh, who runs a university, which does not have endless amounts of money, i am full of sympathy. i can't walk away as a senator from being part of a solution to his problem. that is what we are doing here. we are walking away year after year from being part of the solution.
5:21 pm
if you want good infrastructure, you have to pay for it. if you're going to pay for it, you have to raise taxes. the question is how do you raise taxes? then you get into the one percent versus the regular. then that becomes a lot of talk. you get the infrastructure, or you don't. if you don't, your future is dead. it is interesting when the president called russia an important regional power. mr. putin must've been angry at that. it was accurate as of the size of his economy. because of what they have not done over the years in projecting power and toughness. they have not built things up. my son-in-law lives there. he knows. dukakis gave that. that is my editorial. it is the way we improve this country. the way we help dr. loh.
5:22 pm
the way we help everybody. we're in this together. we have to share responsibility. we are all to blame. we are in the habit of being comfortable. we are in the habit of thinking the world is as it was 30 years ago. it is totally true. i'm trying to make it tougher on us. i'm not running for reelection. it is easy for me to talk like that. i shouldn't run for the job. so, that is just my thought. i've gone over my time. senator markey has been here. he doesn't like it if i go over. i'm just going to ask my
5:23 pm
question, and hope for roy and ed's forbearance. this is for you. according to press reports, attackers gained access to the thing we have discussed already, does target require any particular level of security of its third-party vendors? >> we do assess the inherent risks of our third-party vendors. we have a process for doing so. >> i'm not sure what the answer is. >> we do. we have standards. we have an audit process to ensure they are meeting them. a lot of people, not all of them are enforced? >> we evaluate less often.
5:24 pm
but do any third-party vendors have access to point-of-sale systems? >> anyone who has access to our point-of-sale network has the same standards that would apply. anyone, our own team members, or technology contractors, they would apply similarly. >> we have the rhetoric of attention and auditing. but not necessarily the fact of it. one can still get away with rhetoric in this country. one can get on the evening news with brilliantly sculpted rhetoric.
5:25 pm
it doesn't mean you are doing anything. i just threw that in your direction. you are not a media hound. i'm not accusing you. i would have if i knew my audience better. at the same time, who at target was ultimately responsible for the company's data security? >> we have multiple teams at work upon data security. at the time of the breach, various elements reported to several executives. >> that worries me. you had a former cio. i want to make sure she doesn't get run over by a bus in this discussion. it is true that target has been divided up as you indicated to a variety of staff. not under a chief information officer.
5:26 pm
what i'm getting at in the future is that at some point, the ceo and the spurs have to accept responsibility for what has happened. >> that is why i mentioned with data breaches, they reported to the sec. there was no law. i did the same thing with coal mines. we have a lot of coal mine disasters. any time somebody is killed, it has to be reported. it is helpful to investors and shareholders about their decisions. i believe in responsibility. i think it has to come down to a point. i think that has to be the ceo. then you can scatter wherever you want. i have talked too long. now i have to figure out who got
5:27 pm
here first. roy was here first. senator blunt, i'm sorry. >> the thing he talked me into doing was codesharing with him in an effort to be sure we understood what the alternatives are out there. whether i wanted to know it or not, i needed to know it. once again, he figured out something that was better for me than i probably thought it would be. thank you all for being here. it has been a long afternoon. if everything hasn't been said it is ok to repeat it. whenever we set this hearing up, there were 46 different requirements to comply with. there may have been more than that. there were at least that many. my question is simply, a yes or no question. do you believe that a uniform
5:28 pm
national standard for data breach notification would benefit consumers? yes or no is all i'd like to have. >> yes. >> yes. >> that's what i think. hopefully we can figure out how to do that. i think the attorney general recently called for the uniform standard as well. hopefully the congress can accomplish that. at the time of the breach, was there more than multiple data in what happened in target in the last part of last year? >> two types of data were removed early in december. mid december, december 19, 40
5:29 pm
million credit card account numbers had been removed from our systems. we also, on january 10, provided notice that certain personal information including names, address, e-mail and phone number, and various combinations, had also been removed. >> if i understand this, you had all the information for all 40 million people? >> that is correct. it would be a relatively simple process. there were at least 12 million of the records, and likely more than that.
5:30 pm
>> you didn't know who that related to, is there a new -- who could you have notified if you wanted to notify an individual customer that the card had been shared in ways you wouldn't have wanted? >> given the nature, we felt the best way to notify customers was broad disclosure. we did so on december 19. we did so again related to the personal data. we augmented that public disclosure. we e-mailed 17 million guests. in the second case, 47 million guests. >> how did you know who they were? >> we had their e-mail addresses.
5:31 pm
>> for everybody in your particular file? >> it is for the 70 million records. >> for the 47 out of the 70. what was the chairman saying? does your company require any level of security for the merchants who use the sub? are you changing what that level of security is? >> yes, we do require a level of security. it is the level embodied in the pci standards. we require large merchants to provide a validation by an independent security assessor. that is what we have in place
5:32 pm
today. the pci council administers the standard and would review it periodically. >> have you given notice of a new level of standard you want merchants to have by sometime in 2015? >> there are two different things going on. one is the security standard. how they secure the data in their environment. the other is the devaluing of the data in their environment so they would no longer have valuable data to be targeted by thieves. the standard for october 2016 is for these emv chip cards. the card actually sends a one time use signal. even if you steal all of the
5:33 pm
data relative to the card, it can't be reused to commit fraud. the standard for 2015 is to implement the emv standard by placing emv terminals in the stores and outfitting them with the proper technology on the back end. failing which, the merchant would be liable for the fraud if it is used in the terminal. >> my last question to you. do you believe there is any benefit in congress in the law trying to specify exactly what the card standard should be? if we said in law, you would have to have a chip in the card. is that a good thing or unhelpful? >> generally speaking, i would say that our success across the world has been through the liability shift mechanism. it allows flexibility in the
5:34 pm
different merchant environments to move in that direction. >> liability shift means that if they do not secure things, they would have a higher liability as a merchant. >> that allows them to set the pace of their transition. >> we believe that should be effective. we have seen it over and over again across the world. i hesitate. we would like to get out of the business ourselves, but the few governments that have tried to mandate technologies in other parts of the world, they tend to have unintended consequences that make it more difficult to move forward with new types of technology that can leapfrog current technology. >> anybody disagree with that? that was the thieves, the hackers would always be more nimble than the congress.
5:35 pm
we prove that on a regular basis. if you are too specific in law, all you do is create a roadmap as to what you have to do if you want to break the code. >> i was going to agree. we believe that a flexible approach is the right way to get through. >> thank you. >> you have made it back. >> i have made it back. i have a reprieve on my presiding. i felt this hearing was important. >> so i had the pleasure of putting you in front of senator markey. senator blumenthal was here. >> thank you. thank you for your leadership in convening this hearing. thank you to the panel. i feel this afternoon is in a certain way a missed opportunity for all of us.
5:36 pm
we've been bouncing in and out due to the votes and our schedules. this panel's contribution has been very useful. i think it could be even more useful. i'm going to submit additional questions for the record that perhaps you can address. speaking of missed opportunities, the report done by the majority staff performs an extraordinary service and provides an excellent backdrop and summary analysis. it uses the term opportunities, missed opportunities. very unfortunately, they were failed here. it brings home to me one of the truths that senator blunt was alluding to.
5:37 pm
the best technology in the world is useless unless there is good management. here, to be blunt, there were multiple warnings from the company that were missed by management. maybe because of lack of training, a sense of confidence, complacence. the automated warnings of the signals that should have been an indication not only of intrusion but of the need for action were missed. that has created enormous cost. better management has to come with better technology. i take it by your silence you are agreeing. the other area that has not been
5:38 pm
too star far is the notification. the breach occurring on 11-12, november 12, happened well before there was notification to consumers. the question was, for a lot of consumers, was there timely enough notification here? what can be done to improve that in the future? let me ask ms. mulligan first. and press the others for what you think about the timing and the notification. >> first, we identified malware
5:39 pm
on our system on december 15. >> should you have discovered it earlier? >> that is a reasonable question. it is asking a lot of hard questions. >> let me just state simply that there should have been earlier discoveries. whether you could have prevented the intrusion and stopped it earlier, that may be a subject of debate. it should've been discovered. and notified. >> we are understanding that. our team assessed them. they assess hundreds of alerts every day and make judgments based on those. given the circumstances we identified the malware on december 15 and provided public
5:40 pm
notice four days later. we were very focused on speed, and doing so quickly. >> thank you. from my perspective, prompt notices are critical. we understand it is important for companies who have been victims of a breach incident to assess what transpired. it is critical that they receive accurate information. it should be 60 days at the upside. of course, it is critical consumers have an opportunity to protect themselves if their information has been exposed.
5:41 pm
>> i want to thank you for your answers. my time has expired. i'm going to yield. i want to follow-up on this question of notification. anybody can be a victim of hacking. or intrusion. but, no one should in any way -- in any way delay notification. the ultimate cost often is borne by those consumers. >> in terms of the suffering and the pain, even if they are told by monitoring, or they get insurance. target has cooperated with my office and with this committee. i want to thank you for the comment you made today.
5:42 pm
>> thank you. i don't know how you pulled it off. you got that. you clearly care. we are grateful you are coming back. we are treated to edward markey. >> the university of maryland decided to provide five years of credit protection at your school. how did you determine five years was an appropriate time? >> we announced within 24 hours.
5:43 pm
very quickly, the way most of it is communicated is by social media. >> why the five years? >> they were complaining that we initially offered one year. they said one year is not adequate. >> what was your conclusion? >> i think they are right. it will cost more money, but it is the right thing to do. >> why? >> why is it the right thing to do? because it did happen. it is our responsibility to provide protection of our sensitive data. we have very strong senses -- but they were penetrated. that is no defense. we decided to up it to five years. >> they have offered one year credit services.
5:44 pm
my concern is the same. one year is too brief a time given the compromise of this information. why did you choose one year and not have a longer time? is it consistent with the risk the consumer now runs? >> we certainly evaluated this. we reached out to other entities who had similar instances. one year would provide appropriate coverage. we have not received the same feedback. we have not received that feedback. if we did we would reconsider that. importantly, part of our coverage is that you have access to a specialist ongoing. that goes on forever. >> my concern is the situation
5:45 pm
has been compromised. one year is just an arbitrary time to select that it can be used if it comes back to haunt the individuals whose information has been compromised. a more lengthy time makes more sense. i also understand that credit monitoring [indiscernible] not the credit files maintained by transunion and equifax. would free monitoring of all three reports provide consumers with better protection following the breach? >> we reached out to several other entities in similar situations.
5:46 pm
we understood they had a product that would work well for our consumers. it offered identity theft protection, identity theft insurance, and the ongoing fraud access that was particularly important. we went with their particular product. >> i would suggest you look into a broader group of companies here. credit monitoring may provide consumers with a false sense of security. these services open new lines of credit. they do not watch for day to day unauthorized charges on your credit card. tell us what target is doing to help consumers with that problem? >> that is an excellent problem. this has impacted them. we try to provide tools, communication. we have one spot on our website that provides all the
5:47 pm
information to them. all with the focus to keep them informed about the information we have. >> ms. mulligan, what steps are you taking today to ensure that better ways of securing data keep up with new payment technologies? >> the emv technology is a major improvement for payment security. that is something that data guard is interested in. our commitment is to help our customers have the identity technology they need to provide strong layers of security in a mechanism. one of the things that is key to understand is that the malware has changed the way it operates
5:48 pm
in the last several years. the ability to overtake a network administrator, and move freely, is a very different security risk than what we were dealing with 4-5 years ago. trying to educate the industry, to help companies understand risks, that is what we're trying to do. >> what we suggest is this. that it doesn't make any sense for the congress to mandate specific technologies. what it does make sense to do is to say to industries that you have to keep up with the changes. if you don't keep up with the changes, you are liable. to say that any of this is a surprise, it is just to say you're not keeping up. so, the chairman could call a hearing of the 5-6 smartest young geeks in america and have it explained to this committee. the truth is that the 5-6 in each one of your companies
5:49 pm
should be having that meeting right now. these are the changes, these are the recommendations. the law requires us to keep up. so if i keep saying we're surprised by the changes, you haven't kept up. it doesn't mean that younger people in organizations have kept up. it should require a standard. if you don't have a radio on your boat in 1900, you're not derelict.
5:50 pm
in 1920, now you have a problem. you can't say i didn't have one. that's not an excuse. you have to have known that a guy named marconi came along. young people have these devices now. there was a storm coming. you just can't exempt yourself from liability. that is the challenge here. that is why senator blumenthal and i introduced legislation to give the federal trade commission greater authority. they can require these security measures to be put in place. that consumers receive immediate notification of any breach that occurs.
5:51 pm
it is important for us to act this year. this has been occurring over and over. t.j. maxx is in my old congressional district. they had a similar breach in 2007. it is not as though this doesn't keep happening over and over again. we keep treating it as though it is a huge surprise. senator blumenthal and i introduced the legislation to help accomplish that goal. we'll really have to deal with the issue. i thank you. >> good questioning. i would like to be part of the bill. >> your staff was the first to receive a copy of the bill. >> good. you raise an important point.
5:52 pm
we measure everything based upon what it was. and, that absolves us from the responsibility of saying what it might become. the only important question, whether you're talking about national security, anything, is what it might become. that is why we are constantly surprised. the painful memory of the boston marathon, i'm not sure what the teaching of that was. that was a traditional act. we have something we should've known, that there have been advances in technology. this job is not to say exactly what it should be for this month, next month to be.
5:53 pm
that will reach many people who will object. >> may i say it is a good example. where the russians had given information about the suspects. the technology had worked. the human judgment of what to do with the information. the technology is something that now is available. younger people of course are familiar with it. do you want to spend the money? do you want to spend the money to keep up with the technological arms race that you necessarily have to because it has become common in the electronic era that each of these companies are embracing. you can think of that as a loss. you now have to suffer because
5:54 pm
you have to build security. you have to think of it as a necessary investment. we are not accustomed to that pattern of thought. that is what it is there for. you missed my speech on spending money on infrastructure. i will not pain you with repeating it. you already agree with it. >> we are passing a transportation bill? >> don't tease me with that. this has been an interesting and frustrating hearing for a couple of reasons. it is a complicated subject. we have the ftc. the president of the university of maryland. my former chief of staff. and, you all have great experience.