inconsistent state laws and regulation should be preempted in favor of strong protection and notification requirements. second any data protection and notification requirement must recognize some industries, including financial services, are already required to maintain robust internal projections. they are also required to protect consumer information and notify customers when a breach occurs within their systems that would put customers at risk. we believe extensive reporting requirements currently in place for banks provide an effective basis for any national data breach reporting requirement for businesses generally. finally, there must be a strong national data protection requirement. associated with any data breach law. all parties must share responsibility and cost for protecting consumers. the cost of a data breach should ultimately be borne by the

entity that anchors the breach. preventing such breaches, any requirement must have strong data protection. requirements applicable to any party with access to important consumer financial information. thank you. i will be happy to answer any questions you may have. >> attorney general medic? >> thank you, chairman moran. members of the subcommittee. i appreciate the opportunity to testify. data security is one of the biggest challenges we face as a nation. it is an ongoing struggle for all americans and companies that hold our personal information. while last year's massive data breaches reawakened many in the public, breaches are not a new problem. because of that, 10 years ago, i joined 43 attorneys general including attorney general blumenthal, in a bipartisan call

for a strong, meaningful national breach notification law. for over a decade, my office has helped individuals cleanup from identity theft and investigated major breaches. in 2005, i drafted illinois's breach notification law to ensure consumers are told when their personal information was copper must. in 2006, i created an identity theft unit and hotline to help consumers restore their credit when their information was obtained and used without their authorization. so far, we have helped over 37,000 people remove over $27 million worth of fraudulent charges from their credit. at this point, americans realize it is not a matter of if but when they will be a victim of some form of identity theft. the question is, what do we do to best assist them to prevent data breaches and reduce identity theft? first, i want you to recognize that for the most part, we are you have data breach notification in this country. as you are aware 47 a tableau

is requiring companies to notify people when their personal financial information is compromised. many states are working to pass a second or third update to their laws in response to the constant threats revealed by the 4500 publicly known breaches that have affected over 900 million records since 2005. in this environment, americans need and expect more transparency in data breaches, not less. last year, i held over 25 roundtables on data breaches throughout illinois with nearly 1000 residents including local government officials law-enforcement, small business owners, religious leaders senior citizens, head of social service agencies, as well as consumers. . here is what they told me. their concern about the increasing numbers of breaches. further information is stolen, they want to know. they want to know what they can do to protect themselves from identity theft. they want to know whether entities are doing enough to prevent breaches and protect their information.

so a week national law that restricts what most state laws have provided will not meet americans' increasing expectations they be told whether information has been stolen. instead, any definition of protected personal information should be brought and include growing types of sensitive information that entities are collecting from individuals. and the ftc should be able to update the definition in response to threats. in terms of whether entities are doing enough to protect data, unfortunately, as you have heard from ms. maguire, and i can tell you from my own investigations, it has been revealed that entities too often fail to take basic cautions. we have found numerous instances where entities allowed sensitive personal data to be maintained on unencrypted. failed to install patches for known software vulnerabilities. collected sensitive data that was not needed. retained data longer than necessary.

failed to protect against copper mise login credentials. next an entity who suffers a breach should not be conducting a self-serving harm analysis to determine whether consumers get notified about a data breach. imagine if a landlord learns that a renter's home was robbed and the renter -- land lord had the opportunity to decide whether the city that stolen items were significant in that. further, congress should designate a federal entity to investigate when massive data breaches affect millions of americans. similar to how the ntsb investigates accidents. i know the colors will consider preempting state data breach notification laws. i oppose federal legislation that limits our ability at the state level to respond and safeguard our residents. if congress preamp's the state the preemption provision must be

narrow. it must preserve the state ability to use consumer protection laws and congress should give the states the right to enforce federal law. i would be happy to answer any questions you have. >> thank you very much. ms. wyman? >> thank you. chairman, ranking member blumenthal, and members of the subcommittee, thank you for the opportunity to testify today. i am the vice president for mobile privacy policy and general counsel at the information technology industry council, known as iti. prior to joining an 2013, i spent more than 10 years at the federal trade commission. most recently as an attorney advisor to commissioner julie brill. i began my career at the ftc in enforcement. sharing that company -- ensuring

that companies were complying. the 59 companies that iti represents our leaders and innovators in the technology sector. when consumer information is breached, individuals may be at risk of identity theft or other financial harm. year after year, identity theft tops the list as the number one complaint reported to the ftc. consumers can take steps to protect themselves from identity theft or other financial harm following a data breach. federal breach notification legislation would put consumers in the best possible position to protect themselves. i take this opportunity to outline three important principles in connection with federal data breach notification legislation. first, is preemption.

a federal breach notification framework that preempts existing state and territory breach notification laws provides an opportunity to streamline the notification process. complying with 51 laws, 47 states, three territories, and one district, each one with its own unique provisions, is complex. and it slows down the notification process to consumers while an organization addresses the nuances in each of these 51 loss. complying with 51 different laws also result in notices across the country that are inconsistent and confusing to consumers. a federal breach notification law without state preemption would merely add to the mosaic resulting in a total of 52 different frameworks. the second principle is the timing of consumer notification.

an influx of all mandate that would require organizations to notify consumers within a prescribed timeframe is counterproductive. following a breach, there is much to be done. vulnerabilities must be identified and remedy. the scope of the breach must be determined. cooperation with law enforcement is imperative. and impacted consumers must be notified. premature notification can subject organizations to further attack if they have not yet been able to secure the system. further jeopardizing sensitive personal information. premature notification might interfere with law-enforcement's efforts to identify the intruders. the hackers might cover their tracks more aggressively upon learning that the breach had been discovered. notification to consumers before

an organization has identified the full scope of the breach could yield inaccurate and incomplete information. organizations have every incentive to notify impacted consumers in a timely manner. but a strict deadline does not afford the necessary fungibility. -- flexibility. the third risible is deciding which consumers should be notified. notifying individuals their information has been compromised enables them to take protective measures. it is not productive, however if all data breaches result in notification. if inundated with notices, consumers would be unable to determine which ones warned action. notification should be made to consumers if they are at significant risk of identity theft or financial harm. a number of factors would be considered in making that determination. including the nature of the breach information as well as if

that information was unreadable. unreadable information would not warrant a notification. upon receiving a notice, individuals can take steps to help avoid being financially damaged. the three printable's i have outlined today are included in the set of principles iti has developed in conjunction with federal data breach legislation. i request these be submitted for the record. 2014 has been referred to as the year of the data breach. i think many of us would like to see 2015 as the year of federal data breach notification legislation. >> thank you. thank you to all our witness. attorney general, you seem to be in the minority on this panel in the issue of preemption. how you respond to the concern that has been raised particularly by mr. duncan

about 51 or 52 standards across the country? is there a way to preempt state law but continue to have states involved in the enforcement of that new standard? >> to answer the second question first, of course there is. it happens frequently at the federal level. where you will set a national standard but still allow state attorneys general to enforce the law. obviously, if that is what happens, that is one of our most important concerns. because there will be instances where there are significant data breaches. they may be smaller. they may be confined to one or a few states. it will not be a circumstance where the ftc are the ones with the enforcement authority and will look into it. it is part of the same situation in terms we have of different jurisdictions. even for criminal matters.

some of the u.s. attorneys office have thresholds. we still need and want the ability to respond and safeguard our own residents. in terms of the concern, that i do appreciate, of having as many as 51 different laws that organizations have to comply with in terms of notification, i would say to some extent, the concern is overblown. in a very real sense, someone mentioned, if there is a lawyer that's it down and determines what the notice has got to be and produces a notice that can be used across the country, that certain he happens in terms of the target breach. i remember getting that notification. there are different provisions depending on the state. it is not impossible to do. it does not take such an and or miss amount of time that need to be contended with our eight or. so it is not a necessity. but i do think it is imperative.

i think everyone agrees that, if you set a national standard, it cannot be a week one. it has to be a higher one than some of the first generation states notification laws. the are seeing an increasing number of breaches with an increasing amount of sensitive information being breached. you will have to look into the biometric data. things that during the first generation, few if any states considered. >> thank you very much. is there any indication that from state to state, depending upon the law that the effectiveness of that law has a consequence such there are fewer hackers? is there any suggestion that a state law discourages hacking from taking place in that state? in other words, is it effective as a preventive measure? is there any suggestion that a state law has increased the

standards of businesses who operate in those states? is there a different level of compliance? is there a different level of desire to attack in a certain state because of state laws? mr. duncan? >> senator, as i mentioned in my testimony, the very nature of this problem is that it is a state -- interstate. if you look any situation with a small start up, they have conductivity throughout the entire united face to sell merchandise. it is the fact of notice regardless of state, that drives the interest in trying to have greater standards. it is not really a state issue. this is a national problem. >> the often things of the states are laboratories. i assume if we develop a national standard we will look at see what standard make sense. what i want to make certain there was no suggestion that a particular state has found a way

to prevent or discourage this kind of behavior. i think your answer is no. mr. duncan? >> i would echo that the answer is no. it points to a need to have a data security standard. attendant to any data breach standard. if you do not have both pieces you do not have the ability to raise the bar from a security standpoint. i do not believe breach notification in itself motivates businesses to essentially raise the cyber security bar. >> thank you, mr. johnson. is there any developing insurance coverage market for data breach? your banks have been -- have had a standard in place today. is there insurance that covers the consequences of a data breach? >> there is. it is a maturing market. we have an insurance company that offers some of those policies as well.

i think it is a market that needs further refinement. as an industry, we are looking at that very carefully in a number of different passions. working with treasury and the administration generally to try to figure out ways to improve the market and try to build insurance as a private incentive as opposed to building public incentives towards greater cyber security. >> thank you. senator blumenthal? >> thank you, mr. chairman. i want to follow up on a couple of questions that the chairman asked. you make the point that preemption has sometimes been narrow in our laws. in fact, that concept of narrow protection is that there should be preemption only of state laws that are inconsistent with federal laws and only to the extent of the inconsistency. and that is a quote from one of those statutes.

in the health information technology for economic and clinical health act, that principle of narrow preemption has been adopted. has the experience been, with that narrow approach to preemption, that there are horrible inconsistencies or confusion that our witnesses seem to raise as a specter of avoiding preemption? >> know, senator. the concern from the state level, as you are aware assuming you guys will pass something this year, it took 10 years for congress to patch a breached notification law. to the extent that there are new threats out there or threats that specifically target a group

of people, consumers in our state, we need to be able to respond. or if there is a rapidly changing area, we want to be able to respond. i think that is the real concern. we have not seen significant problems where states both retain enforcement authority of a federal law or the preemption is narrow. i think it works best that way. again, federal resources tend to go to larger issues, where state resources go to some of the smaller issues. >> mr. duncan, i am troubled by the failure of retailers to take responsible steps to protect their consumers. in fact, some of them i am told, have actually blocked some of

the new technology that could have been available. i do not want to call any out, but i am happy to name them if you wish. i am disturbed that these major retailers have moved to block innovations by disabling their contact list transaction terminals that they offered to consumers for many years. mobile payment technology like apple pay and google wallet. efforts are underway. but they still have not been deployed as they should be. are you disappointed that retailers have not done more to protect consumers? >> is not a matter of disappointment in terms of what retailers have done in the past. i can tell you that i have sat in the board meetings of the national retail federation. i have heard the ceo's of some of the best-known companies in

this country talk long and seriously about the steps they have to take to address this very serious problem. >> i'm sure they talk about it. >> they are also adopting new technologies. this is a very complicated issue to address. there are so many ways that bad actors can get in. you have to develop very particular systems that will effectively block the. >> retailers disabled or terminals. >> there are some technologies that either are unproven, extraordinarily expensive, or take control of the company's operations away from the company. each company has to make its own decision on that element. but that is completely separate from a decision about how you secure data in your files.

>> i am struck that you have recommended to the panel that there be preemption. not only of state statutory law but also common law. that is a broad preemption isn't it? >> if you do not have preemption strong and across-the-board ultimately experience has shown us the courts will strike down the preemption. and the proliferation of conflicting laws will reemerge. we have to have a very strong law. it has to be a uniform law if it is to be effective. >> isn't that principle virtually unprecedented? >> i do not think so. >> where else has it been adopted? >> let's look at the telemarketing sales rule that the ftc enforces. they are essentially the same kind of approach. all power was placed with the ftc.

you do not see individual actions under that rule. >> my time has expired. >> the attorney jacks and -- general's action is under that rule. >> my time is expired, but i would suggest that approach to preemption is broader than this committee should consider. and that a more narrow view of preemption, such as attorney general madigan has suggested if there is to be any preemption at all, is one that is more appropriate. thank you. >> senator fisher? >> thank you, mr. chairman. thank you for holding this hearing today. ms. maguire, as you know numerous reports have linked nationstate actors to cyberattacks. some of the same countries implicated in these reports may require u.s. i.t. companies to turn over intellectual property including operating software,

source code, in exchange for market access. are you concerned that such information, in the hands of what we could call and irresponsible after, could pose additional security risks? >> thank you for the question. we are concerned about having to turn over any of our intellectual property to any country. we believe that is an infringement on our ownership of intellectual property that we have clearly spent extensive resources to develop. and that we should be allowed to protect it accordingly. certainly, if it is passed to a third-party or second party, then it does expose us to potential vulnerabilities. in short, we believe that we should not have to share intellectual property. >> that there are instances, i believe, where companies are being pressured by foreign

governments to share that property? do you know how prevalent that is? >> there are some new requirements. some not so new requirements in some countries. i cannot tell you how prevalent it is. but we are certainly seen a growth in those kinds of requests from many different countries around the world. >> how dangerous is that if we continue to see growth? an increase in market access, for example. how dangerous is that two other companies in our country when that property is shared, when they put your security and other companies' security at risk? >> it could potentially put other organizations at risk. i am not sure how -- that i can

quantify how much. but any time you have to provide the source code to another party, it can provide additional openings for risk. >> also, our federal rate or protection framework -- it is largely based on who is collecting the information rather than tailoring enforcement based on what is being collected. wouldn't it be better for consumers and businesses alike if we would apply a more uniform regime for all entities so enforcement is based on the sensitivity of the information being collected? >> yes, that is our view. that it should be a risk-based application and threshold for what kind of data, potentially is breached. >> for all the witnesses, if i could just ask a couple yes or no questions. do you support a federal data

breach notification standard that is consistent for all consumers? ms. mcguire. >> absolutely. >>. yes. >> yes, if it is strong and meaningful. >> i will be the outlier. and ask for further clarification of the question. when you say consumers, which particular type of data? is that your question? do you not want to distinguish between types of data? >> i think the approach that we have in the united states has worked to a large extent with regard to financial data and health data. since the desire is to get federal breach notification legislation across the finish line in 2015, anything that could potentially slow that down is something we should carefully consider.

>> do you think it would be easier to get something across the finish line if exceptions are made or targeting made on what kind of data is collected? >> i think it would make it easier to get it across the finish line if entities that are already subject to data breach notification requirements and in specialized areas have those remain intact. >> senator fisher, with all due respect, a specific approach are anathema to the kind of approach we are going to need to have effective protection for consumers in the national retail federation. >> so we have disagreement. i am over my time. thank you very much. >> senator schatz? >> ms. weinman, you and others

have talked about the balance to strike in terms of over notification. i think we realize that we do not want to inundate consumers and others with notification of breaches if they are not significant enough. and it would become meaningless. my question is, who determines whether there is a significant risk of identity theft? do you figure that gets enshrined in the statute? is that the attorneys general to determine? is that the courts? individual companies? i think that is one of the key issues here. we can all agree in principle we do not want to be over notifying. but where that responsibility and authority resides is key. >> thank you. i am glad that we can agree in principle that over notification is not something that would be desirable. i think an organization that

data -- holds the data and has a sense of what information has been compromised would be in the best position to make that determination. >> what standard would they be held to? libby under the law? or just under their own judgment about whether this would be harmful to consumers? that is the question. >> i think the level of risk would be something that would be codified in a statute. like significant risk of identity theft or financial harm. i think that would be in the letter of the law. >> ms. mcguire, you're talking about a risk-based analysis. i would like you to elaborate. >> along the same lines of what kind of data has been breached and what the risk is to the consumer or the organization that might have been part of that, as i stated in my statement, we believe a

component of that statute is to be that the data has been rendered unreadable or unusable the encryption or other technologies, so that if the data has been accessed, it is meaningless to the perpetrator. that is a key component. >> that is your line? >> yes. >> attorney general madigan maybe take some time to elaborate on that. >> i do not think there is any such thing as over notification going on at this point. notification keeps consumers alert to the possibility of identity theft. it certainly depends on what other information criminals may have access do in terms of what they could be using, information we would deem individually not to pose risk to them. but it could potentially of combined with other information. there is no over notification going on at this point. >> i agree that there may not be

over notification. we do not want to greet a scenario where i am getting e-mails to or three times a week. and i do not know what to panic about or ignore. i agree that we are not there in reality. if you could articulate what would constitute a sufficiently strong standard to kind of satisfy your concerns, because i respect that the california law and other statutes are pretty good marks to make. i see a few heads nodding. i see a few shaking. that is fun. i would like to hear what you think would suffice in terms of a trade-off for preempting state laws. >> the strategy i talked about here is that you should look at the state laws out there. california being one of the high marks. it is not just california. this is a bipartisan issue.

texas, florida indiana they already have some of the most progressive laws in the country. you need to look and see what the changes have been since a first generation event, such as illinois, where it will be your first name and last initial along with unencrypted social security number, driver's license. now we are moving to biometric data. e-mail addresses with login passwords. as a changes, you need to look and see what is the high water mark. and make sure that is really your floor. >> mr. johnson i will let you have the last word on this. what would suffice as a strong enough standard that we would all feel comfortable preempting the 50 yard state laws? >> the federal law, i think what

we are doing at the federal level as a standard associated with when a company makes evaluation. such as who has the responsibility to make determination as to when to notify substantial harm. i think the financial services companies, even if the breach is not occurring at a financial services company, has a lot of experience with those breaches as well. i think that is what i would look to. >> thank you. >> senator? >> thank you chairman. thank you for having this hearing. we had a similar hearing in this committee last march. at that time, all the panelists were for preemption. attorney general madigan, i tend to be in favor of the underdog, but i would seldom imagine you would be the underdog on this issue.

you might be in terms of where other people are tending to wind up. a lot of the questions we have asked have are even asked on the topic of preemption. we will just see where that goes. i think the president and the attorney general have taken a position on this since last march that they agree with the idea of creation. senator carper and i introduced a bill last year. we are working on one this year. one of the things we have not done in that legislation so far is established an arbitrary time for an. there is an argument about whether there should be a timeframe established in the law as opposed to established by circumstances. so far, i have stayed on we need to have some flexibility in that timeframe. i am not sure i understand or the committee understands all of the impact you can have here.

i did notice in the anthem data breach this week, they sent a general notice. i heard mr. schatz say he was becoming the victim of breach fatigue died being notified he could be in a group that information has been breached. many people, somebody, many people in that group are impacted. we have not come up with the idea that we need an arbitrary deadline. i guess i have a couple questions for whoever wants to answer. starting with ms. weinman. the question would be, what would you perceive, in terms of how a deadline to be established or criteria for what would be a reasonable response, and your

view on whether an arbitrary deadline is something that should be included in a data breach notification. >> thank you. i think an arbitrary deadline, a specific time frame, is not useful in that it sets an objective standard. each data breach incident is different. each incident requires special consideration to address boehner abilities. cooperate with law enforcement. cooperating with different types of law enforcement. i do not think a specific deadline is useful. that being said, a number of states have deadlines that do not involve specific days. i think that is the right approach to give sufficient fox ability -- flexibility. >> are there any guidelines you would look like as to whether or not a response was appropriate? if a guideline becomes an

appropriate timeframe, what would be a triggering factor of whether the response was appropriately quick or not? >> i think the buzzword we hear a lot is without reasonable delay. that type of construct works well in this situation. in examining whether the notification was done without unreasonable delay, you would look at what the company has done up until that point when it requires -- decides to make that notification. have a dotted all the i's and crossed all the t's? listened to law enforcement, it long for -- if law-enforcement asked them to delay notification. >> anybody that feels a guideline should be specific

anybody want to respond to that? >> i do not agree with ms. weinman and agree that there should be a standard for reasonable notification. i think it is important to recognize there are different types of reaches. the difference between losing a laptop with a lot of data on it and a network that has been penetrated, that may require different responses and investigation timelines. i think that is an important criteria to consider. >> i would agree with my colleagues that there may be some flexibility there. small organizations are not going to have the resources that bigger organizations can bring to bear. some flex ability would be essential. >> i am out of time. i am not a lawyer, but my one concern about reasonable response is it sounds like time in court to me for someone to

try to determine whether the response was reasonable or not and contend that it was not. i am out of time. >> we are honored to be joined by chairman thing -- thune. >> thank you for holding this hearing and focusing a light on this issue that is important to our country and something that congress has been trying to fix for over a decade. hopefully this will be the year that we find the path forward that allows us to put in place a workable solution that protects consumers and addresses the important issue, which, again, we are reading about today. millions of americans impacted by a another data breach. i want to ask -- and the question has been asked many times -- ms. weinman, i'm curious. you have extensive experience in this issue.

could you give us your explanation of why you think a single federal law is so preferable for businesses and consumers? >> thank you. i have a chart with me that is 19 pages long that goes through the various state laws. that reason alone, i think lends itself to having one federal breach notification standard to enable companies to act quickly and provide required notice. i think it is both business friendly and more importantly consumer friendly. >> mr. duncan, your testimony today highlighted a need for congress to enact a primitive federal data breach notification law. i agree that doing so would provide clarity for companies, including retailers and merchants that you count as members.

it would also provide needed consistency for consumers, and that is an issue that congress has dealt with in the past in various legislative proposals that have called not only for uniform notification procedures but also for uniform federal data security standards. and i appreciate your observations about some of the risks of ftc enforcement. since that enforcement can already occur, wouldn't retailers benefit from a federal law saying that reasonable data security measures must take into account the size and scope of the organization, sensitivity of data collected? >> thank you senator. the ftc effectively has a reasonable standard under deception or unfairness right now. once you begin putting a lot of different factors into that standard, you essentially set up a situation whether it was as reasonable to a, b, c, or d.

if a business cannot check the box on all of those factors, they are likely to be in bad shape. that kind of standard works better when you are developing guidance. that is a big distinction between glp standards that mr. johnson has talked about and a uniform national standard. if you have an examiner sitting next to you and you can work through each of those various elements, that may work. but if you are trying to set one standard for every type of commerce and every type of business in the country, having multiple components is going to make it impossible with any certainty for the average american company to respond. >> could nrf support a security requirement? >> if there is a standard comparable to the ftc is currently a forcing, and if that is coupled with a robust notice of requirement, that would work. >> i have a question for

attorney general madigan. ms. mcguire, her testimony suggests that any notification standard should minimize noting -- notifying individuals before their information was stolen. i am wondering kind of what your thoughts are including the breach notice legislation. perhaps how the illinois state law approaches that issue. >> it is the right thing to do. i agree with them on that front. in illinois law, if the information is encrypted, you do not get notification of a breach. we have seen this in some of the breach is taking place. encrypted information has been compromised, and encryption key

has been stolen. in those circumstances, there should be notice. if it is encrypted, unreadable notification does not need to take place under illinois law. >> thank you. >> thank you. senator? >> thank you for holding this hearing. i apologize for being late. we had a judiciary markup. very exciting. i am here on a topic that is near and dear to our hearts in minnesota. one of our retailers experienced a breach. there is not a day that goes by that we do not hear about cyberattacks in local communities or on the national scene were even on the internationals. last night, the media reported that anthem, the second-largest health insurance was breached. as many as 80 million customers could have had their names birthdays, actor says -- addresses stolen. these attacks are increasing and scope.

i sponsored some of the bills in the last congress. i hope, given that we have had a hearing this congress, and i appreciate the ship -- your leadership. i hope that we can move ahead in this area of cyber security. my first question was about what i just raised. attorney general, welcome. i appreciate your work. with this disclosure, it is important to discuss what is and isn't covered under the affordable health care act. with the information in the information breach be covered by headbutt -- hipa? >> they claimed medical information was not breached. it would fall under the various state laws to determine if personal information definition is met in various states.

it remains to be seen with the total extent of the breach as. >> i think we do not know yet. in your experience, when something like this happens, not this exact case, how would agencies coordinate with the attorney general's, whether it is the department of health and human services, ftc, to enforce consumer protections? is there more that can be done when it comes to coordination? >> we have certainly had a good relationship with the ftc. we had jurisdiction over consumer matters. we probably do not have as much interaction with other entities dealing with some of the health information. in illinois, the way our breach notification law works is that type of information is taken -- we want the ability to be able to make sure that people are notified. obviously, coordination i think helps everybody. particularly when we have limited resources. concern is all the same.

we are trying to protect individuals from any sort of identity theft, financial damage that could occur. we are always looking to cooperate at the state level or federal level. >> mr. duncan, i'm going to focus on the retail issues. we are proud to have target and best buy in minnesota. great companies. last year, many of my colleagues and the media have talked about the need to move to chip and pin technologies, similar to what we are seeing in europe and elsewhere. following the push for the change, the industry made a voluntary commit to switch over to chip and pin card readers by the end of october 2015. that is an important timeline for consumers. we learn from the home depot data breach that impacted both canadians and americans that cars from canada were actually less valuable on the black market than american cars.

because they had chip and in technology. we tended to be a target because we have not improved that technology, despite the work of companies like target, who had tried to. as we know, it is not universal. mr. duncan, what percentage of your members have already adopted chip and in technology and have the necessary technology to read cards at point-of-sale? >> this is a quickly changing number. i have data from several months ago. in which case, it was in excess of a quarter of the nation's retail terminals. the concern that many of our members have is that the investment in chip and pin technology is expensive. it will cost between 25 billion dollars and $30 billion to re-terminal lies the entire country. it is worth it if you get an improvement in fraud reduction.

unfortunately, many banks are not issuing chip and pin cards. they are only issuing chip and signature cards. as you know, that is a virtually worthless security device. retailers are being asked to stand for security that is going to be illusory. >> talking to target and best buy, they are committed to the october deadline, which is great. but talking about the 25%, those are want that are have not done it yet? you expect a higher percentage of october? >> it is a huge effort to re-terminalize and interconnected operation. we expect a significant portion of the industry to be there. not 100%. >> your point is it is important to have the full technology with chip and pin. >> if we are going to spend the money to reduce fraud, let's reduce fraud.

>> any other comments? mr. johnson. >> thank you for the opportunity. when we had this conversation one of the things we forget sometimes is that the card market is really two markets. it is the debit card market and credit card market. credit cards have been -- pis -- pins. what we have learned from the credit side is that -- as well as customer behavior -- in a credit environment, customers prefer to use their signature. if they want to be protected by a pin, they can use their debit card. they have effective choice to accomplish that. >> i think what mr. duncan said is that you get more protection. certainly the situation we saw with home depot, were less

valuable if we know one technology protects better, it seems like we would not just want it for debit cards. i know from having a bunch of cards in my purse. i do not think through what kind of card it is. >> i think the most important thing here is to work towards getting rid of static numbers. what we have in the environment right now is credit card numbers and pins that are static numbers that make us vulnerable. to the extent that we have developed technology such as tokenization, where numbers are meaningless, if someone was to reach target and capture the numbers associated with those transactions, the numbers would be meaningless. they would only work for one transaction. i think that is what we need to be working towards. making those numbers absolutely worthless to criminals.

and that is what is going to protect the customer at the end of the day. >> my last thing is for the good of my hometown companies. target fix the breach and everyone can go shopping or. >> senator daines, a vote is scheduled at 11:30. we intended to take a second round of questions, but that may not be possible. senator daines. >> this morning, 80 million anthem insurance customers will up to learn that their personal identifiable information could have been stolen. in fact, we just received this over the fax machine. a notice from anthem that says, to our members. i am quoting from the letter. it could be 80 million members. these attackers gained unauthorized access to anthem's i.t. system and obtained

personal information from our current and former members, such as names, birthdays, medical ids , social security numbers, street addresses, e-mail addresses, and employment information, including income data. last year in the house, i offered an amendment that would strengthen victim notification requirements. i am eager to work with the chairman on strengthening these requirements again in future legislation. i have a question for anyone on the panel this morning. in light of -- there has been discussion about past breaches. and now it looks like this most recent and serious breach -- what is an appropriate notification time period for these 80 million customers? we still don't know for sure when this occurred. but we are hearing it might have been last week.

for these 80 million customers that are waking up this morning to hear and learn that there information could have been stolen. >> i would respond this way. it sounds unusual and helpful that anthem has notify people even if we do not know the full extent of the breach, as quickly as they have. there are situations where there are retailers who waited months and months some may be as long as six months, to notify people. which is clearly too long to notify. we have had extensive discussion about whether there should be a 30 day deadline, should it be more flexible. at the state level, there are some that have time frames. we have been very reasonable. basically saying to do this as expeditiously as possible. when you look into if that has taken place, we determine when did the breach take place? when did the company know about it?

do they have time to secure the system? obviously, exceptions if they need to continue to work with law enforcement. a flexible deadline would be a good one. it cannot be that there is seemingly such a. likable. that on that you never have to notify or could wait months. our goal is to let people know that their information is out there. >> i spent 28 years in business. half that time at procter & gamble. we pride ourselves in good customer service. the other half that time as part of a technology startup. oracle acquired as a couple years ago. i was the vice president of customer service, working with literally millions of users and thousands of customers. we sold a b to c solution.

when i was running customer service and we had a problem our policy was we would notify our customers as soon as we were aware of the problem. maybe not understanding the magnitude of it. we believed we owed it to our customers to get back to them. i am frankly surprised to think we might be thinking in terms of 30 days. frankly, i think that is unacceptable. the consumers in this country should be served better than that. and we should ensure that when we are dealing with pii, recognizing we do not know the scope of the problem at the time, but the customers ought to know there is a problem and that we are working to resolve the. if there are any other comments on the panel please. >> we would support the notice regime contained within illinois law. it is less important as to what number of days are attached to it as long as you provide a time

for law enforcement. they may not want to notify because they want to set a trap who have invaded and had a way of catching them and taking them off the street. you have to allow for that. you want to clean up the holes so people can't come back inside. once you have taken care of that, 10 days, 30 days, does not matter. i will say to the point made a moment ago, one of our members had a breach they initially interpreted to be a million-card data that had been released. once the exam at it was only 35,000. the idea that you would have given notices to 965,000 people unnecessarily is a serious problem. there is no easy answer here. >> if i may comment. in terms of customer service, i agree that quick notification is import. on the other hand, serious

situations, some foot ability is necessary in this situation. one of the biggest threats to any organization is loss of trust. anthem has been very quick at reaching out to people. hopefully they learn from past challenges they have had. loss of trust is a very big regiment -- detriment. people have to quickly respond. >> i hope we continue to work on this issue, trying to establish what we think would be without unreasonable delay and try to put that are guardrails on that. i think it is in the eye of the beholder sometimes. my experience and years of working with cloud-based computing companies, i believe it is better to err on the side of the consumer and their protection.

i fully understand that it can create a bigger problem by notifying people without understanding what really has happened. but if we lean one way or the other, i would this -- encourage us to lean towards a quicker response. i think it is better safe than sorry. particularly in looking at this notification that went out. these are social security numbers, personal income data. very serious. i think the consumer has the right to know about that sooner than perhaps waiting a week. as we try to walk the fine >> i think we should be trying to make this writighter.i hope we can work to something we can divide . -- we can define. >> we will conclude this meeting momentarily. i will not ask any additional

questions. i would be glad to have you visit with my staff. you know what small businesses should be worried about. what innovators might be deterred from a greater innovation as a result of this legislation. then i would be interested in hearing from any of the witnesses from gramm leach and its potential being used as a standard. i would like to know whether the bankers --whether there is information that banks have that is not covered by gramm leach. also the question related to havehipaa. is there something we should be considering, a standard or a starting point and we look at broader breach opportunities, or is that just a bad idea? >> i agree with you that gramm leach offers a potential model here.

mr. johnson, i gather you feel that production language that you -- used, that banks provide an effective basis for information gathering support. i think that may provide common ground. i invite the witnesses, i know mr. duncan, you may have been able to provide a full answer. i invite you to supplement your answer in writing, if you wish. i'd value your further comment. thank you mr. chairman. >> senator blumenthal, i would emphasize that gramm leach essentially guides us. it says you should, you ought to, something like that. that differs quite a bit from

state laws that have a mandate and requirement. we would favor a mandate and requirement rather than something is merely pregnant or agmatic. >> senator klobuchar has exceeded her time. [laughter] integrate tradition ofintegrate tradition of in the great tradition of senators, that is what we do. i would like to establish a matrix of what i go into a reasonable standard. is there anyone on the panel that is concerned about congress pursuing a reasonable standard along the lines that have been outlined as opposed to a specific notification period? >> we are talking about timeframe?

>> we are. nobody is proposing that we should include a specific timeframe in any law that we require notification in. >> senator, what i can tell you is the reasonable timeframe. we have seen it abused. the idea that you would put in a specific deadline may be within the most expedient time, " no circumstances less than" put some kind of writing in which it is less than six months. by then, your data is long gone, purchased on the black market, who knows. you need to have further discussion about how to better define what the timeline is going to be for notification. >> anyone else? think you. >> to be bipartisan in my admonition, senator dames also exceeded his time allotment.

[laughter] senator klobuchar was also effective in putting me in my place. we appreciate the information that was conveyed to us. the hearing record will remain open for two weeks. during that time, senators are asked to submit any questions for the record. the witnesses are requested to respond to those as soon as possible. i thank the witnesses for their testimony and i conclude this hearing. we are adjourned. >> next on c-span, a hearing on the future of the guantanamo bay was in an detention center. then president obama talks about religious freedom at the national prayer breakfast. that is followed by a hearing on data security issues and consumer rights. on the next washington journal representative donna edwards of maryland, cochair of the credit

curing and policy committee, discusses how president obama's 2060 effects the federal workforce. then covers when john fleming a louisiana talks about his membership in the newly formed freedom caucus, a group designed to challenge the republican study committee. washington journal's life every is live every morning. share with us your tweets and comments. susan rice is at the brookings institution friday for a speech on president obama's national security strategy. live coverage of the event starts at 1 p.m. eastern here on c-span. this sunday, onto q&a, david looks, columnist for the new york times, on a an article for the times and the awards he

gives out at the end of the year. the sidney awards. >> the sidney awards are given to the best magazine essays of the year. they can be journals, something like the you work new yorker, and obscure literary magazine. it comes out the two weeks before christmas. that is a good week to not read any insignificant stuff. the time to read something deeper and longer. is to celebrate those longer pieces. i believe magazines change history. in the republic, until its recent destruction, was one of the most influential magazines in the 20th century. accreted progressivism. conservatism barely existed until buckley formed the national review and gave it a voice. >> on c-span's q&a. thursday, defense department and

national intelligence officials testify against the future of the guantanamo bay is an u.s. detention policy. this is the eight hearing of the senate armed services committee sent john mccain took over as chairman in the new congress. this is two hours. >> senator mccain is asked to call order. he is currently at the national

prayer breakfast. that is not finishing as promptly as they anticipated. as such, what i'm going to do is ask consent centered mccain's opening statement be submitted and my statement be submitted to the record and at this time, call on the panel for their testimony. then we will begin a round of questioning. with that, mr. rasmussen, are you prepared to go first? go ahead, mr. secretary. >> members of the committee, thank you for the opportunity to testify today on the detention center on guantanamo bay. on retaining detainees and related issues. in january 22, 2009, president obama signed executive order 13492, which ordered the closure of the detention center of

guantanamo bay, cuba. pursuant to that order, a task force was set to discuss the detainees and determine the possibility of their release. through that rigorous effort, a certain number of detainees were approved for transfer and review and a certain number for detention. since then, pursuant to the executive order 13567 signed on , march 2011 for fiscal 2012 a periodic review board has begun to review the status of those detainees not currently eligible for transfer except for whom charges are pending or judgment of conviction has been entered. when the president came into office six years ago, there were 242 detainees at guantanamo bay. today, because of the task force and subsequent efforts, 122 detainees remain.

of these, 54 are eligible for transfer. 10 are being prosecuted or have been sentenced and 58 reviewed by the periodic review process. in his nearly two years as secretary, secretary hagel has approved the transfer of 44 detainees, 11 of whom were transferred, 28 transferred last year and five transferred this year. the great majority of these transfers authorized by the secretary occurred under the authorities of section 1035 of the nda for fiscal 14. we urge you to maintain these authorities. mr. chairman, members of the committee, i want to make a fundamental point regarding the detention facility at guantanamo. the president has determined that closing it is a national security imperative. the president, and his national security team believe that the continued operation of the facility weakens our national

security by draining resources damaging our relationships with key allies and used by violent extremists to incite local populations. it is no coincidence the recent isis videos showing the barbaric burning of a jordan pilot and savage execution of a japanese hostage each show the victims clothed in an orange jumpsuit believed by many to be the symbol of a guantanamo detention facility. 40 military leaders, all retired flag officers wrote this to the committee last week and stated it is hard to oversay it how the continuing existence of the detention facility at guantanamo has been and continues to be. it is a critical national security issue. many of us have been told by countries around the world the greatest action the united states can take to fight terrorism is to close guantanamo bay. this letter is signed by retired general charles kulak, retired of the marine corps and the first commanding general of the task force at guantanamo.

many leaders encourage closing of the facility including general dempsey and admiral mullen. in 2010 general petraeus stated , i've been on the record well over a year stating guantanamo should be closed. i think when ever we have taken expedient measures, it has turned around and beaten us on the backside. senior figures across the political spectrum have made clear guantanamo should be closed. former secretary gates and pennetta and current secretary all support closure of guantanamo. finally, president george w. bush concluded the guantanamo closure was a "propaganda tool

for enemies and distraction for our allies. i will address some of the letters raised by the letter of invitation. 27 detainees have been transferred since november 2014. these detainees have been transferred to nine different countries. key features of the process that leads to a decision to transfer include a comprehensive inner agency review and rigorous examination of information regarding the detainee and the security situation of the host country and willingness to maintain appropriate compliance of security measures. those reviews were conducted by career professionals across the government. next, any transfer decision requires assessment of the receiving country and willingness and capability of that country to comply with security assurances. we also have the ic look at that issue. finally, each has been subject to unanimous agreement of six principles, secretary of state secretary of homeland security director of national intelligence, attorney general chairman of the joint chiefs and

finally secretary of defense. under section 1035 of the nda , the secretary may approve the transfer if it is in the action of the united states and if actions plan to be taken to substantial substantially reduce the risk of the terrorist engaging in terrorist or hostile activity that threatens the united states or u.s. primary interests. the primary interest of a potential transfer is whether the detainee will return to the fight. or otherwise reengage in acts of terrorism that threaten u.s. persons. we take the possible of re-engagement very seriously. the most recent public data on re-engagement of former detainees was released last september and the data is current as of july 2014. there is a lag in the public reporting. i know you may have seen a more recent classified report on this matter. the office of the director of national intelligence categories

categorizes the figures in three ways. the totals for before 22nd january 2009, when president obama signed the executive order and total after january 22nd 2009 referring to detainees who departed after that date. this is how the data break down. the total number is 17.3% confirmed of re-engaging, 12.4% suspected of re-engaging for a total of 29.7% confirmed or suspected. before january 2009, that is those transferred in the last administration the numbers show 19% confirmed. 14.3% suspected re-engageing for a total of 33%. the data after january 2009 shows 6.8% confirmed of re-engaging. 6 out of 88 transfers. 1.1% suspected for a total of 7.9.

in other words, the rate of re-engagement has been much lower for those transferred since 2009 which attests to the rigor of this new process. of the detainees transferred during this administration, over 90% are neither confirmed or suspected of having re-engaged. this speaks to the scrutiny given to the transfer of the review process and security measures the refugee government intends to take pursuant to its domestic laws and determinations to mitigate the threat. one additional point. of the 107 confirmed of re-engaging. the vast majority transferred before 2009. 48 are either dead or in custody. re-engagement is not a free pass. we take it seriously and work with partners to mitigate re-engagement or follow-up action. i cannot discuss the specific security searches from foreign

governments with specification. i can tell you, among the types of measures we see is the ability to restrict travel monitor, provide integration and rehabilitation or reintegration programs. before transfer we had details specific conversations with receiveing countries about the threat they pose for transfer and what the receiving countries will take to mitigate the risk. we review the ability of that country and security and track record adhering to private agreements. -- prior agreements. let me talk about the periodic review process briefly. the interagency process established to review whether continued detention of detainees in guantanamo is a continuing threat to security and we will provide your staff detainee risk assessment.

to date, the results of 10 full hearings of detainees have been made public and six eligible for security assurances pursuant to this process. two of the detainees made eligible by this process already been transferred, one to kuwait and the other to saudi arabia. the other three detainees remain subject to law of detention. efforts are being made to expedite this process and prioritize hearings. you asked us to address legislation introduced by senator ayotte and several other members, which i understand may be marked up by the committee next week. in our view this legislation would effectively ban most transfers from guantanamo for two years and reverts to the previous regime for fiscal 12 and 13 which resulted in only court ordered transfers, transfers pursuant to plea agreements, and use of only a few national security waivers. in addition, it adds a proposal to limit transfers based on jtf gitmo threat assessments that may be outdated or not include

all available information. we believe any decisions on transfers should be based on current information and individual assessments of current detainees. because this legislation if enacted would effectively block progress towards the goal of closing the guantanamo bay detention center. the administration will oppose it. the posed legislation bars transfers for any detainees for two years. 76 yemeni nationals remain. 47 eligible for transfer. 26 for prb review and two have charges referred and one is serving presentence confinement. a ban on transfers is to yemen is unnecessary because we are not at the present time seeking to transfer any of them to yemen, especially in light of the recent further deterioration in the security situation there. since the president's moratorium on detainees transfers to yemen was lifted two years ago in favor of a case by case analysis, not a single detainee has been transferred to yemen.

the 12 who have been transferred have been transferred to five other countries. we are currently seeking other countries to take additional yemenis. let's may briefly talk about what our plan is. our plan to close guantanamo has three main elements. first, we continue the process of responsibly transferring 54 detainees eligible for transfer. second, we will continue the prosecution of the detainees in the military commission's process and if possible in federal court. third, we will continue and expedite the prb process. when we have concluded these three lines of effort, it is likely several detainees cannot be prosecuted because they are too dangerous and will remain in our custody. ultimately closing the detention center at guantanamo bay will require us to consider other options, including secure facility in the united states.

the department of justice has concluded in the event the detainees are located to the united states, existing statutory safeguards and executive and congressional authorities provide robust protection of national security. we understand such transfers are currently barred by statute. as a result, the government has prohibited from prosecuting any detainees in the u.s., even if it represents the best or only option for bringing the detainee to justice. the president has consistently opposed these researches, which could help options for reducing the detainee population. to asked us to address what happens if someone is captured on the battlefield. the disposition of an individual captured in the future will be handled on a case-by-case basis, and buy a process that is credible and sustainable. when a nation is engaged in hostility, detaining the enemy to keep them off the battlefield is permissible, and is a few minutes are in alternative to legal action.

some will be transferred to third countries. in others, they will be transferred to the u.s. for federal prosecution after interrogation. some cases may be appropriate for tension. --for detention. the president has made clear we will not add to the population at time of day. -- at guantanamo bay. i asked the the president and his and his recent work hard to achieve that objective. we are closer to this goal than many may think. of the nearly 800 detainees held at guantanamo since 2002, the vast majority have already been transferred, including more than 500 detainees transferred by the previous administration. the president and national security experts leave it should be closed, as do senior military leaders and civilian leadership at the department of defense.

we believe the issue is not whether to close on tamil, the issue is how to do it. thank you very much for listening, and i look forward to your question. >> let me do something i neglected to do prior. i am a little rusty at this. secretary mckeon -- admiral ross myers is vice deputy director of homeland defense. do you have a statement? >> mr. ranking member. thank you for the opportunity to appear for this discussion concerning guantanamo detainees. i will begin by discussing the transfer process that ryan outlined in some detail, specifically the analysis the intelligence community provides.

the community provides tailored assessments and at helping -- >> your mic -- >> i'm sorry, it provides tailored assessments helping policymakers make decisions on the transfer of detainees from the guantanamo facility. these include profiles whether detainees pose active threats to our allies or the u.s. to echo ryan's remarks, we take the engagement very seriously. tothe community works to keep decision-makers informed with threats to the united states. as you know, we faced threats from a wide range of actors, from al qaeda and its affiliates, to isil end those inspired by extremist messaging the full force is felt most acutely in iraq syria and regionally in the middle east in

north africa. the threat in western country is largely characterized right smaller scale attack. majority of attacks conducted in the west in the last eight months were conducted by individual terrorist. accordingly, the analysis on current guantanamo detainees focuses most on the potential for these detainees to threaten the u.s. and its interests overseas after they leave guantanamo. these assessments aim to provide a cover hands of assessment of the detainees back on, mindset, and any links to groups that. pose a threat to our interest. those assessments also take in account the evolving threat to the u.s., as well as overseas, including the detainees country and conflict zones and potential transfer destinations. intelligence community products do not state whether a detainee poses a high, medium, or low

risk of re-engagement. we assess the likelihood of a detainee to reengage shaped by a synthesis of environmental and personal factors. in addition to this individually focused analysis, the ic has analysis about destination countries and their willingness to mitigate potential detainees threat. ryan also mentioned re-engagement. i want to discuss monitoring those in the intelligence committee for possible terrorism. once a detainee is transferred from guantanamo the ic monitors the chance of re-engagement. we work with liaison partners to the fullest understanding before detainees activities. the formal and structured coronation process draws on the assessment of eight intelligence agencies, we determined whether to designate a former detainee as reengaged.

we determined a former detainee as confirmed as a re-engaging when information identifies that individual as directly involved with insurgent activities. we determined that a former detainee is suspected of terrorism when plausible or unverified, or in some cases single source reporting indicates an individual is directly involved. is important to note engagement in anti-u.s. statements or engagement in a propaganda activities does not by itself: by as terrorism oprr insurgent activity. some detainees have been added to this list and then later removed when information came to light suggestinng they would not reengage. 107, or 17.3% of the detainees transferred from guantanamo have

been confirmed of re-engagement in terrorist activities as of september 2014. at the same time, an additional 77 detainees, an additional 12%, were suspected of re-engagement. of the 88 transferred since the inter-agency process that the director of national intelligence to state and implanted in 2009, 6 .8% of those transferred during that time have been confirmed of the engagement with another 1% suspected every engagement. the next unclassified report that the intelligence committee will put out on a real engagement numbers is expected in early march. we will update as numbers and they will update reflect recent activity. they will largely be in line with the trends i just outlined. i will stop there, and i look forward to your questions.

[video clip] >> i look forward to answering your questions. thank you for your statement admiral. it is a sinking to the point. -- it is to saint and to the point. it is succient andnt and to the point. let me recognize my colleagues.

the trendline is going down significantly. you see this continuing in terms of recidivism, which is a critical issue. >> it is probably too soon to say if they have reengaged -- we do not have any indication, we feel good about where we are. >> as you analyze these cases are you using it to inform the circumstances going forward -- the company or the country that he or she goes back to?

is it a continued learning experience, are you capable of making judgments and the usefulness? >> the answer to that is yes sir. we take a casereful look. the embassy helps us with that kind of assessment. there is a check on the assurances that are given, and we are confident they have the capacity and the will.

>> we continue to monitor the assessment. one of the points you made specifically, with the continued operation of guantanamo -- it gives our adversaries a propaganda point with respect to recruitment. magnifying their operations. is that your assessment in the community? >> yes, sir. >> yes, senator, from the perspective of weighing these decision from the national center of intelligence, what underpins his decisions in this regard an analytical judgment of the benefits from closing guantanamo in many cases outweigh the risks occurred by

releasing individual detainees. precisely because of that continued featuring of guantanamo in the terrorist narrative he's made that calculation. the fact guantanamo features in terrorist recruitment and propaganda signifies it has significant use terrorist are tries to recruit on. isil has used guantanamo in english language propagation in the english magazine and the magazine in yemen has used guantanamo in their propaganda and also noteworthy al qaeda's senior leader ayman al zar wa hi continues to use it to those around the world. >> this is a specific issue we have to face. general kelly of the u.s. south command is concerned about the medical facilities there.

you have an aging population of individuals. last year in the senate version of the authorization bill we put in language that would allow for temporary transfer because of the medical condition of an individual to more appropriate facility, care in the united states. this was not ultimately adopted. is that something that concerns you going forward, just in terms of a population that obviously is going to be -- as this closure is delayed more and more in need of specialized care? >> it does. there are members of the population who have acute health care issues and as they get older those will continue to get worse. i was down to visit a couple months ago and had a conversation with the jtf commander about this. his concern is it's quite expensive.

they have to bring in specialists to treat these individual matters from the states. i think we would prefer, if we could, on a short term basis, as you indicated in your legislation, bring them to the united states for such specialist care as needed. >> thank you very much. senator tillis. >> thank you, senator reed. gentlemen, thank you for being here today. i have a question about the five talabanis who were released. i think we got notified through the press, back in may of last year. my question for any on the panel would be, were the five talabanis who were released subject to the periodic review? >> they were not, sir. >> they were not. >> and if not, why? >> i was not in the department at that time, sir. i would have to go back and ask that question. as you know, it was part of an

exchange for sergeant bergdahl. >> so the assessment of their risk level didn't go through the processes that were established? >> i didn't want to leave you with that impression. the periodic review board process makes a determineation whether the detention of the person is still permissible. the statute you have given us requires the secretary to make the determination prior to any transfer of the national security interests and the substantial mitigation of the risks. that, sir, that was undertaken. >> i don't believe you were there at the time, but why do you think the department decided not to notify congress, as per the statutes? >> sir, i believe the secretary -- >> perhaps, what's the legal basis for that as well? >> sir, i used to be -- i'm still a lawyer technically and counselor on the senate foreign

relations committee for several years but they stopped paying me to give legal judgments and it would be malpractice for me to try to opine on it. my understanding the department of justice and mr. preston, the general council of the department interpreted the president's powers because of the security risk and safety of sergeant bergdahl necessitated proceeding without the 30 day notice. i'm happy to get you the more refined legal answer because i'm not the person to do that for the department. >> thank you. another release of four afghanistan nationals, i believe, back in december, why did the administration not require continued detention of these four detainees? >> sir, these individuals had, i believe, approved for transfer in 2009 by -- >> did they go through the -- >> no, they -- they were already

cleared cleared -- approved for transfer by the 2009 task force, sir. >> another question i had is with respect to the process. i noted that the detainee is entitled to having counsel which presumably means the information that the periodic review board uses to determine or to make a determination is available to that counsel. is that same information available to the public or congress on the periodic review cases that have gone through? >> sir, with the periodic review board, the detainee has a right to a personal representative who's a military officer. he can employee private counsel. if that person is give an clearance, we can share certain classified information. we have tried to have some measure of transparency with the prb process in releasing information about the hearings

on the department website. we are not able to share everything that's available to the prb because some of the information is classified. >> thank you. thank you, senator reed. >> thank you very much. senator king, please. >> thank you. mr. rasmussen, it seems to me the key question here is weighing the risk of individual recidivism versus what i would call a reputational risk or recruiting risk of the facility itself. could you elaborate on what the director of national intelligence -- that's what -- that's what this is all about it seems to me, is it more dangerous for national interests to keep guantanamo open because of its use as a recruiting tool or greater risk of the people being released re-engaging. give me your thinking on that. is that the question? >> sure. happy to answer that, senator king.

because the director of national intelligence does have a voice in the process to approve a transfer, he does look at, as i said earlier, all the relevant information related to the detainee's specific background. background while going to gan guantanamo and background in the course of detention at guantanamo and any information in which he might be transferred. at the same time he has that underlying analytic judgment the director of national intelligence has been very clear about, is there a cost in terms of our national security we're bearing because of the continued operation of guantanamo in the context of recruitment and potential radicalization of future terrorist adversaries. the weighing process he goes through looks at both factors. that does not mean in all cases he will look at detainees and saying continuing to operate at guantanamo creates too big an obstacle to pose a transfer. there are some detainees he

would consider too dangerous to return in a transfer, almost -- unless there were extraordinary arrangements made for their monitoring and disposition overseas. that calculus made is not a single cookie cutter calculus in every case but is overlying assessment. >> if this is one of the key questions, it sounds like it is, i would appreciate if you or some of the witnesses could supply to this committee data supporting evidence of this recruiting factor, just rather than a reference to what al baghdadi said or something -- a real set of materials, written materials, the way it's being used. it seems to me that's one of the most important questions we have. if we're going to decide to close the facility

collectively the united states government will decide to close the facility, based upon that we better know it's real and not just a perceived threat. mr. mckeon, is the administration contemplating a further executive order to close the facility beyond what the current process -- how the current process operates? >> i'm unaware of any contemplation of an additional executive order. as i said in my statement, senator, we're working on the three lines of effort, transfers, the prb process, i'm blanking out on the third one. >> you don't know of contemplation of additional exercise of executive authority to simply close the facility? >> i'm not, sir. we are operating under the president's

executive order from 2009. >> any question that bothers me, okay, if we decide it's in the national interests to close it there still are some people there very dangerous. can we hold these people in the united states under the law of war, and the second question is how does the law of war analysis work if the war, which was the war in afghanistan, is officially over? does that undermine the legal analysis? in other words, we could bring very bad guys here and put them in maximum security prisons under the assumption they're law of war detainees only to find we get a where it of habeas and don't have enough to keep them in a federal court. you understand where i'm going with the legal question? >> i do, sir. on the second question, the detainees are already subject to habeas or can file habeas petitions in then d.c. circuit pursuant to supreme court rulings. >> there's no difference between guantanamo and some place in the united states in that legal

regard regard? >> that's correct. as to the question of the legal authority to continue to hold them, we are relying on the 2001 aumf that's the law of war and if we reach a point it is either repealed by the congress or decided it was no longer sustainable based on the situation in afghanistan, then we would have an authority issue to wrestle with, no question about that. >> thank you, gentlemen, thank you for your testimony. thank you. mr. chair, welcome back. >> thank you. other members in attendance at the national prayer daybreak fast will be coming in and that obviously is the reason for me being late. i want to thank the witnesses and thank you, senator reed for proceeding. i will hold my question until

senator sullivan. >> thank you, mr. chair and thank you, gentlemen. mr. rasmussen, congratulations on your recent appointment. i want to follow-up on senator king aes king's questions. there's a lot of discussion here abtout how guantanamo potentially weakens national security that you made in your testimony. at the same time, i think we would all agree that allowing known terrorists back on the battlefield to engage our troops, our citizens, also weakens our national security. i think that that is one of the big concerns, certainly of the -- this committee and members of congress. and, i'm certain, also members of the administration. so from a broad perspective, of

the remaining gitmo detainees, how many are currently assessed to be high or movement risk? >> senator, i don't have those numbers at my fingertips. if you're referring to the assessments that were done by j.t.f. gitmo back in the last decade, my impression is knowing the population of that which we already transferred using those categories, i think we have transferred most of those who are low risk. i don't know then precise data. we have to get that to you, sir. >> but i mean of the current remaining detainees we don't have handle on who's high or movement risk right now? >> i don't have that at my fingertips. as we -- both i and nick

rasmussen explained, when we bring forward a case for possible transfer we look at the totality of the evidence, what the detainee had done on the battlefield, how they behaved at guantanamo, what their current -- what our assessment is of their intentions. it's not just to look at the assessments done. >> mr. secretary, you're not answering the question, if you don't have the answer then submit it. it's important to this committee to know who's low risk, medium risk and high risk. i would have expected you to come to this hearing with that information. >> yes, mr. chairman. i should add these risk levels in terms of who's in what category is classified and we'd be happy to have that conversation with you in a classified session as well. i don't have those numbers at my fingertips it's safe to say many are in the medium or high risk category. >> it would be very important for us to know that as we move forward. senator tillis touched on this issue of the notification of congress.

i think a lot of people were very disturbed by that, just by reading int the paper. can you again -- if you don't have it here, perhaps with the attorney general's help, provide a detailed -- detailed legal reasoning of why a very simple statutory requirement for notification of congress on the release of the taliban five was not undertaken? because i think one of the things that is troubling is there's a lack of trust here. there's a lack of trust on the numbers. there's not certainty on what the end game is. and when a simple request -- it's not a request, it's the law, one of the things i've been concerned more broadly with the administration is they view certain statutes as advisory, maybe they need to do them, maybe they don't. this was

a clear directive from the congress in the law that this administration violated. and as far as i can tell, there's been no good explanation. i read about them in the press. they seem to change. it would be very important to get a definitive explanation from this administration on why they violated that statute. to me, it seems like a clear violation of that statute. can we get that? >> certainly. you may already have it, sir. i believe the jo did a review on the legal issue in the department and probably the department of justice provided a detailed explanation of our position and i think we provided it to the committee and if we have not, we will submit it. >> one other thing, i understand there was an mou between -- regarding the taliban five, that they have a -- my understanding is a one year restriction with regard to their activities and movements. after a year, are they free to do whatever they want? return back to afghanistan?

that's a concern by this committee and the people. >> you are correct. the agreement between our two governments is classified and we briefed it to your staff and i think some of the members in closed session. i'd want to get into that in a closed session about what happens after one year. >> okay. thank you, mr. chairman. >> senator donnelly. >> thank you, mr. chairman. a recent department of justice report noted there are a number of statutory provisions that should render guantanamo detainees relocated to the u.s. inadmissible under immigration laws. but one of the most difficult scenarios hinted at in the report involves what happens if a judge order the release of a detainee because the laws of war no longer permit their detention. in that case, if a detainee cannot be repatriated to their

home country or third country, the u.s. could face the need to keep that detainee in the u.s. so where does that individual go? >> sir, if we come to that position, which i think we're some ways away from that day it's a very good question and we have to plan for that possibility. we don't expect that would happen if we brought the detainees here. >> but it can. we don't expect it but we can so what do we do with that person that has been suggested -- i've heard some say an immigration detention center. you know, i think the people of the country want a better answer than that when you're talking about the people we're dealing with. >> if we were to bring them to the united states, we would make sure we had some continuing

authority to keep them. i don't think we would roll the dice on losing the authority to detain them. >> then additionally, what's your assessment of the risks involved in this situation? that's, i think, as we looking through this whole process, this is one of those conundrums we have to have an answer to. what's your assessment of the risks on that, sir? >> i'm not an immigration lawyer, sir, i'm probably not qualified to give you an answer on that. i do know and believe the department of justice report speaks in some -- homeland security department analyses all these issues in some detail. we are, of course, currently barred from bringing the detainees to the united states. >> understand. but if they do come here, that's -- i was -- i was on a trip to ganuantanamo recently. this is one of the subjects that we talked about and said, you know, i think before you get all

the answers on this, you need an answer on this, where if they're in the u.s. and this happens, what do you do with the person at that point? >> i understand. if and when we get to that point, where we propose an option to bring them to the united states, we will have an answer. >> i think we need an answer at that point. thank you. in terms of other than the taliban five piece, how many 30 day congressional notifications meeting the requirements of the nda has been sent to the committee in the past year? >> i don't know the number. in other cases the 30 day notification was provided. >> and then there's some concern that the detainees that are being transferred, it's on an assessment from more than three years ago by the guantanamo review task force.

as we look at this, the periodic review process was created in part to regularly update this. do you know what has caused the slowness of this? do you find that to be true and do you know what caused the slowness of this? >> i want to separate two things here, sir. if somebody's already been cleared by the 2009 task force and we find a place to which we can transfer them and a package is brought to the secretary to make the determination, we have an updated assessment on the individual. we're not relying solely on the 2009 task force work. the prb is looking at people who were not previously cleared, taking another look at whether we should continue to hold them under law of detention or if they can be approved for transfer. we had -- it took some time to stand up the prb process. it's gone a little bit slowly but we're trying to pick up the pace. >> okay. just to -- as i wrap up here

from that trip that was a little bit ago the question i asked has stuck with me, what are we going to do with this person, we hope for the best but plan for the worst. i think that's something that has to be answered. by the way mr. secretary, i think you showed great wisdom in your choice of colleges when you were younger as well. >> thank you, mr. chairman. >> senator graham. >> thank you, thank you all three for dealing with what i think is a very difficult issue, the issue of great national security importance. i know you've got a tough portfolio to deal with. i want to go into the questioning with that understand understanding. senator donnelly, i had this very conversation with president obama probably three years ago. i was supporting transferring the prisoners from guantanamo bay back to illinois in a

maximum security setting controlled by the military. we worked through what would happen. all these people have had habeas hearings entitled to a habeas hearing. no one is at guantanamo today without a federal judge finding the government's evidence is sufficient to hold them as an enemy combatant. if you transfer them back to the united states you create new legal rights. we had a law of war statute to govern that to make sure they wouldn't walk out the door. we went through that process. the problem is you've got to admit we're at war. you have to tell our friends on the left these are not just common criminals and they will be governed by the law of war, not common criminal concepts. it's unfortunate we could not close that discussion because i think it would have been better for all of us. my goal is to keep people in jail that represent a national security threat to the united states. common sense would tell us that if you're still in guantanamo bay after all these years,

you're probably a high risk -- >> let's have the rule of law back! those people, most of them were innocent! all right. arrest me! this country is disgusting! you have betrayed the constitution. what is wrong with you american people! what's wrong with you, america! what's wrong with you! i don't care, put me in jail. i don't care. >> i think he may get his wish. i'm a military lawyer, served with this man behind you. i really want to conduct the war within the values of our country. i want to be tough on the enemy, but also follow principles that have guided us as well like the genevieve geneva convention and treating people under the law consistent with the requirements of the law of war. would you agree with me anybody

left in guantanamo today is probably a high risk threat? we wouldn't have kept them that long? just common sense tells you if you're still in jail after all these years, you've had numerous review boards, that you're probably dangerous in the eyes of the people who say you still should be there? >> i would agree that all of them pose some risk. there are however many -- >> i'm not talking about some risk. i'm talking about obvious common sense here. >> i would say, senator, several of these people remaining were cleared or approved for transfer six years ago. we just have not found a place to send them. >> well, is that -- what percentage of the population falls in that category? >> it's around -- around 50. >> okay. so what percentage -- what percentage -- they were cleared six years ago, holding 50 people because we can't find a place to put them. >> 54, sir. >> 54 out of how many?

>> 122 remain. >> so of the rest of them, would you agree they are high risk? >> several of them are under prosecution, so definitely in those cases. >> take them off the table right? >> the remainder have previously been determined to be held and should be held under law or detention and we didn't have a prosecution option but those are going through the prb process to take another look. >> we have 50 people no place to send them and the rest of them are either going to be prosecutor prosecuted or represent a high risk to the country. >> like i said, we're taking a new look at the prb process. >> the previous prbs concluded they had a high risk, right or they wouldn't still be there. the only thing is are you going to create a new prb process politically motivated to let these guys out or go with past judgments. because i don't think these guys are getting any better. do you agree with the obama administration we're at the end