Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  May 15, 2015 8:00am-10:01am EDT

8:00 am
say about the hearing room at the moment. in which case the chair now recognizes himself for three minutes for an opening statement. at today's hearing will be focused on protecting consumers and their private financial information in an age of computer hackers. the world has expressed a technology revolution, one that has brought remarkable benefits to consumers and the broader economy but it is also increased some risk on consumers and making the theft of the personal financial information a profitable enterprise for cybercriminals and computer hackers. ..
8:01 am
american consumers rightfully expect their personal information should be protected by their financial institution by their retailers, payment processors that neither federal government. consumer should be left to hope and pray that all information will be safe every time despite their debit or credit card or rent your information online. they deserve protection. today the committee will hear from representatives of organization to constitute major participation for the payment system. we welcome their expertise and insight. my hope is they carried out for
8:02 am
its members on both sides an opportunity to better understand what security measures are currently in place to prevent data breaches, how consumers are notified and what types of emergency technologies will help reduce the frequency and severity of breaches and what steps are being taken by the merchant in financial services communities to address the problem and where additional federal legislation may be warranted. i further hope the committee will engage in a thoughtful dialogue on a bipartisan basis in that regard i wish to thank chairman naga bauer and mr. kearney for starting this bipartisan dialogue off on the right foot by introducing a bipartisan bill to address this important problem. i will yield back the balance of my time to recognize the ranking member for three minutes. >> thank you mr. chairman.
8:03 am
americans are exclusively reliant on electronic means to communicate shop and manage finances. what brings substantial opportunity they also bring a range of new vulnerabilities or consumers. massive attacks on some of our nation's largest retailers and financial institutions are impacted virtually every sector of our economy and national security. consumers are not the only one to pay the price of a breach. the cost of recovering losses can be expensive and way particularly heavy on small community bank and credit unions. we all know companies face determining how best to secure customers financial and personally identifiable information. in addition we know there are
8:04 am
significant costs to comply with various state laws that provide notice after a breach. however as we consider setting national standards for safeguarding consumers personal information and ensuring the notification we must again acknowledge the good work of those states that for years have been at the front line. i believe any federal preemption should complement state protections and ensure at a minimum the state attorney generals continue to play an important role in enforcement and notification standards. instead of minimal standards we need to be careful not to have our state and federal regulators ability to continue adapting and straight in a protections for consumers. otherwise low limit the ability to keep up with type logical change and we must preserve a
8:05 am
private right of action where consumers and financial institution to ensure they have recourse and further consumers not as consistently provided with clear disclosures of the rights and remedies available so they remain aware of the various ways in which they can protect themselves from identity theft and fraud and other cybercrimes. mr. chairman efforts to regard against cyberthreats are critically important and should be bothered to the same partisan fault lines we have seen on far too many other issues before this committee such as baseless attacks like to see mpd and blocking efforts to reauthorize the charter of the export import bank which expires in just 22 legislative days. with that, i look forward to hearing from the witnesses and i
8:06 am
yield back the balance of my time. >> chair now recognizes the gentleman from texas, mr. neugebauer of the institution subcommittee. >> thank you, mr. chairman. we live in a world where the global marketplace is funded by the payment system to deliver services to consumers in the blink of a night with consumer information transferred and stored in any one transaction. the system is only as strong as its weakest link and today i look forward to learning more about the new pavement technologies you continue to facilitate payment efficiency speed and security. i'm hopeful we can never bust policy discussion about what data security standards are needed to level the playing field. this month congressman carney and i introduced bipartisan legislation. arp starting point was to the gramm-leach-bliley which laid
8:07 am
out a security framework of the institution 16 later the framework has worked very well. the security standards in h.r. 22 is based on certain core principles because they have a global payment system. we need a national data security standard and national breach notification standard. this must minimize regulatory requirements that must carry strong federal pricing mechanism. the data security standard must be technology neutral process. it must be reasonably identified a reasonably identified the core elements in the elements of ftc rulemaking. third it is absolutely necessary for security standard and scalable based on the size of the business come the scope of the operation information. legislation must recognize the corner market cannot and should not have the same standard as the largest retailer operating in 50 states. while i'm confident i'm open to working with any member of
8:08 am
interested groups to minimize unintended consequences and continue covering the legislation. we have shared interest in seeing the legislation signed into law giving consumers the safest payment system possible and without i want to thank our panel for being here this morning look forward to looking at the testimony entered. this will be very informative for members and i think it's good we have these different interests at the table today. mr. chairman, i look forward to a very informative. >> the general recognizes the gentleman from delaware for two minutes. >> thank you, mr. chairman. data breaches of compromise to delete records containing sensitive consumer financial information. would data breach in the united states is directly cost consumers an average of $290 per week. studies show cybercriminals
8:09 am
costco $100 billion a year. the current patchwork 447 different breach laws is failing to protect consumers. that's why mr. neugebauer and i worked together to develop a data security notification framework that all stakeholders can operate within. we think consumers rules of the road for protecting data. harville of the efforts by senator carper across the capital. the bill includes a data breach notification standard to enact a data security program is robust, scalable with the goal of protecting consumers information for breaches and if that's a reasonable standard for timely notice to consumers at a breach occurs. the bill's requirement to avoid a one-size-fits-all approach and allows companies of varying sizes and complexity to find a
8:10 am
program tailored and effective for their business. any comprehensive piece of legislation in our bill can always be improved. the example clarifying the preemption does not have unintended consequences outside. looking forward to working with colleagues on both sides of the aisle to make improvements to this legislation were necessary. the fact is the white house congress and the private sector consumers all agree the status quo is not acceptable and i'm encouraging this committee to have the hearing today and move forward to protect consumers and businesses in the american economy. i'd like to thank mr. neugebauer and i look forward to hearing the witness' testimony and feedback in the area this morning. i yield back. >> we welcome each and every one of our witnesses to the panel. first the honorable tim pawlenty
8:11 am
covered chief executive officer of the services roundtable and former governor of the state of minnesota. mr. bryan dodges the executive vice president of communications and strategic initiatives that the retail industry leaders association. mr. jason oxman as chief executive officer of the electronic transaction association. mr. stephen orfei as general manager at dci security standards council. last but not least these laura moy's senior policy counsel at the open technology institute. several of you have testified before congress. have a simple system. green means go yellow means hurry up because the very latest suit to follow. red means stop. yellow comes out with one minute to go. each of you will be back as for
8:12 am
five minutes to give an oral presentation of your testimony. but that objection, your statements will be made a part of the record in since we are brand-new and are refurbished space neil. ruby had to pull microphones close to you. now you could keep me somewhat comfortable distance. governor pawlenty, you are not recognized for your testimony. >> and warn you mr. chairman, ranking member waters for the opportunity to share a few thoughts this morning about the pressing issues facing our country and that is the emerging public related exponentially for a cyberwarfare taking place both commercially and otherwise across the globe to be visited upon american businesses and consumers in ways that should appear to give you a sense of a few measures of our applicants to their regard 80% reached in
8:13 am
2014 did not know they were preached until someone told them. sometimes the government, but a third-party and the average length of time with months after the fact. in addition here's another interesting fact. over half of the adult american population had their personal data exposed last year according to a cnn published report. the list goes on including we now know through public and confirmed reports that this is no longer college kids to their basement having fun trying to get into systems. these are nationstate actors including china north korea iran russia former soviet union sponsored state individual enterprises have very sophisticated international crime syndicates. if one of those entities
8:14 am
triangulate that a company can't a company, it's likely not going to end well for the company or customers. we need a more robust response to these threats and the fact this committee is paid attention to these issues we appreciate very much. thank you to the house for passing more than one occasion threat information legislation. we hope the senate does the same. we are not talking about sharing personal information, but that is very helpful to this cause became the country were prepared. as it relates to service the dirt and payment system, our secretary and chairman mentioned to dealing with these issues for quite some time. graham leach bliley in 1899 with enforcement mechanisms in vb examination process has served the industry well as you look at the percent of breaches taken place in recent years. our sector has the lowest breach
8:15 am
incident rates still have a lot of work to do but compared to other measures that there is a progress because of the good work done since graham leach bliley here we are about to launch more secure top-level thanks to hope that these issues. as it relates to the payment system, it's about to get better. we will move. if you want to avoid fraud liability make the transition towards the end of 2015. some say look were not ready but over the next couple years all the cards will be chipped cards and that will be held. that is technology from the 1960s. magnetic strips invented in the 1960s. chips more recently. it is moving well beyond the
8:16 am
discussion. the voice recognition, facial recognition, biometrics, location confirmation and a lot more. it is extremely rapid and will continue to evolve new technology emerges. as to the legislation before you congressman neugebauer, thank you very much for supporting. it's an excellent piece of work. but it does some important takes to create all sector is not just the health care sector for the financial service that here. it is really important and flexible. literally strongest to weakest link and we have strong standards but one of the other links of the chain to know. the whole system expose spirit thank you reported the marker down strong national data security standard. who strongly support that.
8:17 am
in many states including my own strong laws in this regard. as you think about cyberspace it doesn't make a lot of sense to have 50 standards come the 50 approaches, 50 responses to a breach relating to it. as you think about this we are not asking for current state initiatives to be diluted. i am out of time. thank you for the chance to be here this morning. thank you to congressman neugebauer for leadership on the issues. we support what you are trying to do. they make thank you governor. mr. dodge, you're recognized for five minutes. >> thank you, mr. chairman. chairman hensarling. my name is brian dodge. thank you for the opportunity to testify today for the steps of the retail industry is taken on the important issue of consumer protection.
8:18 am
the world's largest company. retailers embrace innovative technology he was unparalleled services and products. while technology presents great opportunities, nationstates, criminal organizations and other factors using to attack businesses, institutions and government. as we've seen organization is immune. we understand the defense against cyberattack must be an ongoing effort. as leaders in the community we take a new significant steps to enhance cybersecurity throughout the industry. last year the sharing center in partnership with america's most recognized retailers. it is open information sharing between retailers on course but another relevant stakeholders. also recently establishing a formal working relationship with the financial services, a move that will ensure collaboration on these issues.
8:19 am
we applaud now surpassing cyberinformation shared and hope they'll take up and adopt h.r. 1560 is a flexible approach. while we will discuss many cybersecurity topics today, one area of security that needs attention is payment card technology. woefully outdated by magnetic stripe technology is a chief audibility of ecosystem. retailers are estimated to be a $.6 billion to upgrade terminals to accept chip cards later this year. the new cards will not be issued within. chip and pin technology has proven to reduce fraud were deployed elsewhere around the world. contrast signature technology provide american consumers the best security available today. retailers believe the two factors enabled through chip and pin will prevent criminals from duplicating cards that these and devalue the data to retailers collect at the point-of-sale.
8:20 am
ultimately the stuff of a prude to substantially reduce the economic incentive for cybercriminals to launch this kind of cyberattacks. before i discuss what the policy consideration is i will highlight the data security and data breach notification laws with which retailers currently comply. 47 states district of columbia, guam puerto rico have adopted data breach notification laws. retailers are subject to robust data security regulatory regimes. the federal trade commission prosecuted the cases against businesses charged with failing to maintain reasonable data security practice. the actions greater common law that clearly spell out data security standards expected in businesses. inadequate measures for personal information lead to violation of express data security laws and
8:21 am
also a little ftc acts that can be used to enforce against what the attorney general deemed and secure data. retailers voluntarily and by contract following the writing standards putting those maintained by pci pierrot retailers comply with this range of data breach notice and data requirements a carefully crafted law can clear up regulatory confusion to better protect and notify customers. it supports legislation that is practical and proportional and sets a national standard. it supports data breach legislation that creates a single national notification standard to focus on providing individuals with actionable information. it ensures the notice is required for those financial risk of identity theft, economic loss or harm. it ensures the responsibility to notice the entity approach that provides flexibility to
8:22 am
determine the notifying party that establishes a precise target definition of personal information and recognizes retailers already have robust security obligations and security must be able to adapt over time. i think the committee for an baby today and look forward to answering questions. >> mr. oxman, you are now recognized. >> thank you, mr. chairman. i am jason oxman courtesy of the electronic transaction association. the trade association of the payments industry. our more than 500 member companies are focused on providing secure reliable and functional payment systems. electronic payment in the united states the united states alleged invisible to consumers because simply put they just work. u.s. consumers carry 1.2 billion credit, debit and prepaid cards and while it and they can use
8:23 am
those to pay electronically at more than 8 million merchants the united states. member companies process more than $5 trillion in the u.s. can do worse than being every here. that means thousands of transactions move across our network every second. consumers enjoy a wide variety of ways to pay electronically including an person with a card or mobile device or watch were remotely via phone or internet. for the moment a consumer initiates a payment, the transaction is securely transmitted authorize and process it in a matter of seconds. epa member companies take seriously the obligation to protect the security of customers information appeared consumers the united states choose payments because they benefit from zero liability for fraud making electronic payments the safest and most secure way to pay. today criminal fraud amounts to less than 6 cents of every $100
8:24 am
process. it's a fraction of the 10th of 1%. even though fraud represents a tiny percentage of overall trend action, we deploy cutting-edge technology in the self regulatory guidelines to bolster the fight against fraud. i will highlight three concrete steps to protect consumer information and prevent data breach. cpa members are deployed even if he enabled chip cards to fight the number one cause of card fraud. counterfeit cards represent two thirds of card present fraud in the u.s. today. chip cards prevent them from being counterfeited. they don't stop data breaches that they make it harder for criminals to reap the rewards of data breaches. check migration happening in the united states is the most complicated overhaul of our payment system technology in the
8:25 am
40 years since it was introduced. our banks replace more than 1 billion cars. more than 10 million locations while working together and getting it done. our industry is just a replacing card information within one time use token. even intercepted by criminals, tokens cannot be used to generate fraudulent transactions. think of a token of the mathematical program that can't be reduced. one well-known implementation is a mobile payments for the customer's phone or watch generate a token for use. tokens can also be used in environments as well and deploy tokenization technology have brick-and-mortar and online retail. third, epa members help merchants secured the point-of-sale by employing new technologies. point-to-point encryption is a
8:26 am
way to secure all entry points against an attack. it denies access they need to install now where another cyberhacking tools. as our industry deploys all of these technologies, i want to affirm epa's strong support for legislation that creates uniform national data standards and protection breached standards as well. such standards must be mr. natural, preemptive of state law and the approach set out in h.r. 2205. we applaud chairman neugebauer of mr. kearney for engaging in this important dialogue with the legislation. eta also supports legislation to promote information sharing. sharing of information across government and technology and manufacturing companies support prevention of an investigation
8:27 am
of breaches and ensure against cyberattacks. cybercriminals are increasingly sophisticated. they are global in scope and work proactively to address every thread. we must not forget data breaches of merchants and consumers become victims of crime. we share a desire to stamp out fraud and take seriously the responsibility to do so. thank you for the opportunity. i look forward to your questions. >> mr. stephen orfei come your testimony. >> good morning. my name is stephen orfei. i'm general manager of the pci security standards council. i had the privilege of leading a talented and deeply committed membership organization responsible for developing and made taming global security standards for the payment card industry. our approach combines people, process and technology. a continuous effort in applied
8:28 am
standards is the best line of defense against organized crime state funding back tears and criminals who threaten our way of life an attempt to undermine confidence in the financial system. everyone has been denies by criminals and we know the very real harm caused by breaches. developing standards to protect payment card data is something the private sector and specifically pci is uniquely qualified to do. consumers are understandably upset when the payment card data is put at risk. the council was created to protect the bleak protect payment card data. our community of 1000 of the world's leading businesses tackling data security challenges and simple issues. for example the word password is one of the most commonly used passwords into complex issues like encryption.
8:29 am
our standards are a solid foundation for a multilayered approach. we aim to remove payment card data if it is no longer needed. simply put, if you don't need it don't store it. if it is needed, protected and reduce the incentives for criminals to steal. here is how we do that. data security standard is built on 12 principles covering everything from logical to physical security and much more. it is updated regularly through feedback from our global community. we manage it other standards that cover car production payment applications and much, much more. we work on technologies can i best practices and provide market guidance. we have laboratory solutions that we list on our website. all of our information is free. our mission is to educate
8:30 am
empower and protect. our endgame strategy is to devalue the data so it is useless in the hands of the bad guys. we have three technologies that allow us to do so. emv at the point-of-sale point-to-point encryption and tokenization. when bundled and implemented properly, the data becomes useless and there's no reason to break in. satisfy the council supports adoption in the u.s. through organizations such as pnb migration for another standards support emv today another worldwide markets. ..
8:31 am
>> finally, we conduct global campaigns to raise awareness of payment card security. the committee's leadership on this critical issue is important, and there are clear ways many which the federal government can help. for example, by leading stronger cooperative law enforcement efforts worldwide, by encouraging stiff penalties for these crimes, and recent initiatives on information sharing are also proving to be invaluable. the council is an active collaborator with government. we work with nist, dhs treasury, secret service and many other government entities including global law enforcement such as interpol and europol.
8:32 am
in conclusion, payment card security is complex. silver bullet solutions do not exist. unilateral action is usually a disappointment. alliances, partnerships, information sharing and collaboration between the public and private sector is critical. the pci council stands ready and willing to do more to combat global cyber crimes that threaten our way of life and confidence in the financial systems of the world. we thank the committee for taking a leadership role in seeking solutions to one of the largest security concerns of our time. thank you. >> thank you. ms. moy, you're now recognized for your testimony. >> thank you. thank you so much, mr. chairman. thank you. good morning ranking member waters, other members of the committee. thank you so much for your commitment to addressing data security and day breaches and for the opportunity to -- data breaches and for the opportunity
8:33 am
to testify on this important issue. consumers today share tremendous amounts of information about themselves. consumers benefit from sharing information, but they can be harmed if that information is compromised. for the most part, the states are actively dealing with this issue in ways tailored to address the needs of their own residents, but with a large body of common elements. at least 29 states have introduced or are considering breach notification bills or resolutions this year alone. bills in 27 of those states would amend existing laws to account for changing needs and changing threats. only three states have no breach notification laws on the books, and two of those states have considered bills this year to change that. consumers would therefore be best served by a federal bill on this subject that sets a floor for disparate state laws, not a ceiling. but to the extent congress seriously considers broad preemption any new federal standards should strengthen or at least preserve important protections that consumers
8:34 am
currently enjoy at both the state and federal level. because any broad bill would bring an end, it would also need to provide a similarly agile mechanism for quickly adjusting the law in the future to match developing technology and new threats. unfortunately, a number of recent legislative proposals would actually diminish consumer protections in a number of ways by replacing strong and broad state protections with a weaker federal standard. in addition, a number of the bills do not provide the flexibility we need to make sure consumers' personal information remains protected as the information landscape changes. don't get me wrong many -- most of the bills we have seen would certainly offer some new benefits for consumer, but many consumer and privacy advocates myself included question whether those new benefits outweigh the potential harm to state jurisdiction and to consumers' existing protections. i will therefore, focus today
8:35 am
on four potential shortcomings of federal legislation that would need to be addressed in order to insure that any new bill represents a net gain for all consumers. first, federal legislation should not ignore the serious physical, emotional and other nonfinancial harms that consumers could suffer as a result of misuses of their personal information. a bill that would both preempt state laws and condition breach notification on demonstrated risk of financial harm could actually reduce consumer protections in 33 states and the district of columbia where the existing law either has no harm trigger or has one that is not limited to financial harm. second, federal legislation should not eliminate data security and breach notification protections for types of data that are currently protected under state or federal law. some current legislative proposals feature a narrow class. such legislation would eliminate protections consumers currently rely on at the state and
8:36 am
sometimes federal level. for example, many bills would eliminate protections in ten states for health information or eliminate federal protections for telecommunications cable and satellite records. third, federal legislation should provide a means to expand the range of information covered by the bill as technology develops. the ten-state breach notification laws that now cover health information represent a clear trend as states are currently updating existing consumer protections to respond to the growing threat of medical identity theft. we can't always forecast the next big threat years in advance, but unfortunately, we know that there will be one. federal legislation on this topic must provide flexibility to meet new threats whether by continuing to allow states to protect classes of information that fall outside the four corners of the bill, or by establishing agency rulemaking authority on the definition of personal information. fourth and finally federal legislation should include
8:37 am
enforcement authority for state attorneys general. thousands of data breaches are reported each year. many of which affect only a small number of consumers. federal agencies are well equipped to address large data security and breach notification cases, but they could be overwhelmed if they lose the compliment resupport of state a gs especially when it comes to providing guidance to small businesses and providing resources to local consumers. i and many of my fellow privacy stakeholders are not opposed to the breach notification legislation, but any such legislation must strike a careful balance between preempting existing laws and providing consumers with new protections. the open technology institute therefore, appreciates your close examination of this issue and i'm looking forward to your questions. thank you. >> the chair now yields himself fife minutes -- five minutes for questioning. so based on my unofficial survey of the good folks in the fifth
8:38 am
district of texas that i have the privilege of representing, cay data breach -- although they don't typically use that phrase -- certainly makes their top 20 anxiety list and probably their top 10 when they think of identity theft, other forms of theft, privacy laws. so it's a very serious matter. but as ms. moy was positing in her testimony, there is a cost and a benefit associated with anything we do around here. to state the obvious, we are lawmakers, and there was a law made about 15 years ago, graham-leech-bliley, that dictated standards. there's been a lot of innovation since graham-leech-bliley was written into law. so let's start with you governor pawlenty. what exactly is broke? what needs fixing here?
8:39 am
does graham-leech-bliley work or doesn't it work? >> mr. chairman, thank you, it's a great question. if you just accept back from how individuals might characterize it and ask them these questions how's the current system working? half the population has their personal data exposed in one year. it is not a stretch of the imagination to think that somebody could get into the electrical grid and shut it down for months on end. you do that and you lose electricity in your district, points of sales go down you can't transact anything electronically. you've got a very not existential, but very dramatic impact on country. so it requires i think a sense of urgency and a sense of understanding regarding the magnitude of the threat. as to graham-leech-bliley, it works. it's flexible, makes accommodations for the size of the business but given the importance of this infrastructure to the country if the payment system doesn't work,
8:40 am
it's stalled or people lose confidence in it, you're going to have a big piece of the economy grind to a halt. there's trillions of dollars of payments that flow through the northeastern united states per day. if that gets interrupted you've got a material, i would say bordering on existential threat to the economy of the country. so this is an urgent deal. it is growing in terms of its concern exponentially. graham-leech-bliley works however, no institution is immune. we have some of our biggest institutions have been breached, the best in the world. the nsa, 10 out of 10 in terms of capability in this regard, breached. so there is much more work to be done on all fronts, and we're the best of class. financial services gets breached sometimes, we manage it, people get their money back. it's inconvenient, but the other sectors that don't have these kinds of standards and capabilities need to up their game, and is you can help lead that effort. >> mr. oxman you in your testimony i think were lauding
8:41 am
the elements of the legislation mr. gnawing bauer mr. carney about preemption, national standards. it seems to be an open question in ms. moy's mind regarding preemption and perhaps national standards, so why do you consider preemption and national standards to be so important? >> mr. chairman, as a number of witnesses noted we all share an interest in insuring the consumers and merchants are protected. but when something does go wrong, we also need to make sure that we get the word out as quickly, efficiently as possible and make sure those protections that are available under law kick in. the reason the consumers use electronic payments is because they are 100 percent protected against any liability for fraud but we still need to get information out to them. there are 47 different regimes that companies have to subscribe to, and it's not just the payments industry, it's every company in the country that has
8:42 am
to subscribe to these 47 different regimes. they all appoint different time place and manner for the notification, they all have different triggers for what kind of notification has to take place. some of them are even contradictory. there's one state that actually requires the breach notification to include information detail about the breach itself. there's another state that makes it illegal to include any information about the breach itself. so in some cases they're contradictory. if we had a uniform national standard, it would allow everyone to work together toward the same goal which is to provide that reasonable notice that needs to be provided as quickly as possible. >> in my remaining time, governor pawlenty, back to you. so our colleagues on the energy and commerce committee have reported a piece of legislation with regard to a national breach notification law that only impacts retailers. should this committee not act from your vantage point, what does the world look like if that enc, energy and commerce, bill
8:43 am
becomes law? >> mr. chairman, i know time is short. don't let the perfect get in the way of the good. we'd like to have these standards applied across the board, otherwise their effect is delighted. if our partner in payments has a flawed outdated, weak system at a point of sale or back room at say, fill in the blank retailer or different sector, the whole chain of events gets compromised. it's only as good as the whole chain, and if you just do one piece, you're missing a very important part or opportunity. it's an ecosystem it has to be addressed holistically, or the whole system is compromise. >> my time has expired. chair now recognizes the ranking member for five minutes. >> thank you very much, mr. chairman. first, i'd like to thank mr. carney and mr. gnawing bauer for the work that they've done on this legislation. i believe that both sides of the
8:44 am
aisle are concerned about getting a strong piece of legislation that will protect our consumers. this is a bipartisan issue and we should not spend a lot of time fighting about some aspects of this initiative but rather we should work out whatever the differences may be. from what i can understand, there are those who believe that the federal law should be a floor rather than a ceiling. and there are those who believe that where you have states who have stronger laws, we should not preempt those states. as i understand it, despite the fact that we have vawrlying laws in our states now, they all have similarities. and so rather than thinking about this as states with such different laws that would somehow cause great complications, let's think about
8:45 am
this in terms of the fact that we want our state attorneys generals to be involved. we want them to be involved in enforcement. i think that's very important. so leapt us take a look at -- so let us take a look at what i think is the biggest obstacle to out -- to us getting the best legislation and deal with the preemption question. deal with the preemption question and think about states like california. ms. moy, can you tell us, for example, my state, california what are we doing with the cybersecurity? and is that stronger than what is being proposed here now? >> sure. yes, thank you. that's a good question and a good place to start because, you know, california passed the first breach notification law years ago and has really has really been a leader in this, in this area. so thank you for your work on that. california, for one thing, california recently passed a law
8:46 am
to include log-in and password for account authenticators. so not just for financial accounts, but for other type toes of accounts as well. for example my e-mail account if my log-in and my password were breached, i would get a notification which i certainly would want to because there's a lot of information in there that while it might not lead to financial harm, could lead to certainly, emotional harm if that information were breached and misused. california also has a it has a reasonable security standard much like the federal standard right now. but california does enforce that standard and has had a number of cases over the past few years and along with that has some very rich guidance for businesses attempting to comply with the reasonable security standard. so one thing that i think california's also very strong on is the type of guidance that the state ag's office provides to the consumers in the way that the state ag's office interacts with consumers and businesses to
8:47 am
provide that important guidance. >> thank you very much. so i'm sure that none of us would want to interfere with states' abilities to have the strongest possible laws for cybersecurity. and so, ms. moy don't you think that perhaps the federal law should be a floor and that we should certainly allow states that have tougher laws to be able to enforce those laws, and that would require the attorneys generals to be involved? do you think that is the best way to approach this? >> i do think that from the consumers' perspective that would provide the strongest protection. and you had mentioned previously that there's a discernible pattern among the various states as well. i think that is the case. when you look at the various breach notification laws of the states most of them cover a core of common information and have, and have very similar requirements in terms of what ought to be provided in the
8:48 am
notification, when the state ag and the consumer reporting agencies ought to be notified and then in addition to that some states have added on to that, and is so that's where for example you see states like texas and wyoming and just this year hawaii, montana have added medical information to the class of protected information in order to extend protection to categories where they see a developing threat that must be addressed. >> so we certainly would not want texas to be preempted with the good law that they have, particularly as it relates to medical information, would we, ms. moy? >> i do think that it's important not to preempt the not to preempt the protection for pieces of information like medical information including oh states -- other states the very state of mr. chairman texas. [laughter] >> thank you very much, and i yield back. [laughter] >> the chair understood the subtle point. [laughter] chair now recognizes another
8:49 am
gentleman from texas the chairman of our financial institution subcommittee, mr. nag bauer for five minutes. >> thank you, mr. chairman. i would note that if you let the federal standard be the floor and all the states then have an opportunity to start running up each other then basically we're right back where we are now and it defeats the purpose of having a federal standard. mr. dodge, in reading your testimony last night on our proposed debt security legislation, there's actually a lot that i think you and i agree on. i'm hoping today that maybe we can discuss some of the provisions where we maybe have a little bit of a difference of opinion in hopes that we can have a better understanding of where everybody is on issue. i like on page 7 of your -- i look on page 7 of your testimony. under h.r. 205 mr. carney and i laid out a data security standard that is process-specific and based on
8:50 am
certain key elements of data security programs that have worked well under graham-leech-bliley. to insure the smaller retailers are not unduly burdened we calibrate the standard to match the size, scope and type of information that those entities hold. there are some process requirements that say if they don't apply to you, you don't have to necessarily implement them. so the question is, can you identify the specific processes we've laid out in our carefully calibrated -- that aren't carefully calibrated and reasonable in your estimation? >> thank you for the question and i think, you know, first it's important that we be having this debate about the proper national data security standards to help businesses address this growing and sophisticated threat. it's the perspective of retailers that the graham-leech-bliley act which is the baseline for the legislation you introduced, especially the data security standards within it were expressly written for
8:51 am
the financial services community. the industries are very different. anybody who's ever filled out a mortgage understands that is the information that a bank holds is very different from that of a retailer. if we were to pursue legislation that replicated or shoehorned the graham-leech-bliley act to apply to the rest of the business community we would be applying this law to industries beyond the retail industry, of course well beyond us into high-tech, internet, app makers big and small. and so we think that the history of enforcement through the federal trade commission provides a good standard that is very clear and strong for businesses to adapt to, to meet today's challenges, and it evolves in the future. we don't think that you can regulate your way to security, that we need to employ layers of security. we need to start with the baseline that we believe is a strong standard, emboldening the federal trade commission to
8:52 am
enforce these standards and strengthening the payment system by advancing the security that's in that system today. >> now you mentioned, i think 50 ftc enforcement actions since 2001. that would be three 3 .1 a year. 3.1 a year. and so if you believe that ftc is your enforcement agency do you support then giving ftc then rulemaking authority to make a uniform standard? >> so the ftc has enforced these cases under the unfair and deceptive practices act or the section five of the ftc act. we think that giving them the express authority from congress is the right way to go about it, and it would preserve that flexibility that they needed in order to adapt to the threats as they changed over time. >> yeah. well, the question is would you support them promulgating standards that make sure that
8:53 am
the playing field is level and that you are doing the things that are specifically necessary in your industry to, you know have a uniform standard? >> so we wouldn't support rulemaking, because we think that's the purpose of passing a law. we think congress has the privilege of defining the law and then leave it to the agency to adapt it over time. they have the flexibility under current law under current -- >> isn't that what we're trying to do then? congress is trying to pass a uniform standard? >> are exactly. exactly. and we believe that providing the ftc the authority to enforce data security laws based on the case law i today, the common law based on the 50 cases provides them with -- would provide businesses not only with the clarity they need on what the expectations are of government, but the flexibility for the enforcement agency, in this case the ftc, to evolve over time to meet new threats.
8:54 am
>> so do your members take steps to protect consumers' data? >> absolutely. there's no more important relationship in the retail business than that that they build and maintain with their customers. and, obviously a data breach would be a breach of trust with those consumers. they work extremely hard to prevent day breaches. >> so if they're already doing it what's the objection to then, you know, just codifying that those are our standards and their all reasonable -- they're all reasonable and they should be applied across the industry? >> you're speaking specifically about a law that was written for the financial services community. >> i'm talking about the law -- i'm talking about my bill. >> right. so graham-leech-bliley which you would be expanding under your legislation expanding it to the rest of business community. what we're saying is we should stick within the current regulatory structure that has the federal trade commission as the regulator for most industries, and goba can remain cabin to the financial -- >> yeah. we took principles from this
8:55 am
but the this isn't a graham-leech-bliley rewrite, this is a uniform national federal standard. >> the time of the gentleman has expired. the chair now recognizes the gentleman from delaware, mr. carney. >> thank you, mr. chairman, and thank you to the panelists for coming today. i'd like to talk a little bit about this preemption issue, because i know it's a concern for many of the members and we've worked hard to try to address it. i said in my opening comments that the preemption provision in our bill should not have the unintended consequences outside the issues covered in the bill, so we don't believe it affects the medical debt issue which was raised a moment ago with respect to california. we'd certainly be willing to make that plain. ms. moy, you said -- i thought i heard you say that we shouldn't have 50 different standards it's not the answer. is that what you said, or did i mishear your comments? >> so what i have said is that, um, is that i think the best for
8:56 am
consumers would be to create a floor, not a ceiling so that -- >> so set a national standard? >> right. >> and then allow states -- >> allow states to protect additional categories of information for -- >> right. so my understanding is 13 states now currently have data breach notification and standards like this and that our legislation our federal legislation would be better than all of them except maybe one which is massachusetts. and i've been talking to some of my colleagues from massachusetts. would you agree with that? >> um, i think -- so i think that also oregon has a very, has a pretty good standard and i also think there are elements of other state laws that you might not consider specific data security laws -- >> so pretty high, a pretty high -- >> it is a pretty high standard, yes. >> so that's the starting point for us. how about there's been some discussion about the standard in energy and commerce. would you say that's a high standard or a higher standard than what our bill would propose or -- >> that standard is a
8:57 am
reasonableness standard that looks more like what the federal trade commission is currently doing, and so i think the difference here is not only, not only might there be a difference in what the language says in that bill, i think also, you know, we would be looking to the common law of the federal trade commission and others to flesh out what the specific requirements are. but it's also really important as we're thinking about how strong the security standard is to think about who has the enforcement power and who's actually going to be guiding the parties there because if the federal agencies are solely responsible for it, then even a very strong standard might not provide a strong protection as a general reasonableness standard that allows ags to continue to work on a piecemeal basis with entities are trying to comply. >> okay. so you think the standard in our bill is a pretty high standard but you believe that the states ought to have the flexibility to go beyond that. notwithstanding some of the issues that that might create in terms of having different standards. how about this enforcement question? have you looked at our bill in
8:58 am
terms of the enforcement provisions in the bill? how would you suggest that they be improved upon in your view? >> so i can't -- i have looked at it. unfortunately, i'm not prepared to provide a detailed response on the enforcement provision, so i would be happy to, in writing, if you would prefer that. but i do think that the key issue with respect to enforcement is that i believe your bill would only facilitate enforcement by federal agencies and, as i said -- >> so you've said a number of times, i think, what i heard you say is allowing the state a gs some kind of role there would be an improvement. again, not having looked at the details there. not to put words in your mouth. [laughter] >> yes yes. i believe that a very critical element here is that we must have have enforcement authority. >> so i explore these issues because as i said in my opening statement, mr. neugebauer and i are working to improve the bill so we can get a greater consensus around -- we believe that, as you said a national
8:59 am
standard is important to have. fifty different standards is not kind of the way to go. it's got to be a high bar and one that's enforceable. would any of the other panelists like to comment on the conversation that we've just had about preemption, about the standard and the enforceability of that standard? >> yeah. if i could, congressman carney, i think the bill on a bipartisan basis really takes on this issue in the right way and that is to recognize that the act of legislating to unify 47 disparate state regimes with a federal regime that is not preemptive would merely be adding a 48th regime and wouldn't serve the purposes that legislation seeks to undertake which is to protect consumers' financial information. and from eta's perspective, the bill takes the right approach to insure that federal regime is operative and is not interfered with. >>w3 and everybody agree that is we need a higher standard and
9:00 am
kind of one standard across the country? >> we fully agreeok that there should be a national standard. we think that the states deserve a tremendous amount of credit for having acted in a placeçó where the federal government has not yet, and that's why we believe that as a broad concept preemption strong law should offer state preemption and as a broad concept state ags should have the ability to play a role in favor of it. >> thank you, mr. chairman. >> the time of the gentleman has expired. the chair now recognizes the gentleman from new jersey, mr. gater. >> thank you -- mr. garrett. >> thank you for holding hearing, an issue that hits home for a lot of folks. let me just start at the basics, if i can. and, governor, i'll throw it to you. when there is a breach or someone does steal your card and they go to a retailer and buy a tv and you find out that you didn't -- so on and so forth -- who actually is responsible for
9:01 am
that? is it the does target have to pay bill for that? does the bank that issued my, well my mastercard or if it's not that, is it the bank, or is it the visa or mastercard or discover that's paying for that? >> congressman garrett, the answer's a little complicated, but the oversimplified version -- >> that's what i'm looking for -- [laughter] >> the consumer is made whole. >> right. >> and the issuing bank is the one who makes them whole. however, there's a secondary process managed and run by contract between the payment networks and various players in the payment system that gets resolved through a shall we say, contractual process between visa mastercard, retailers merchant acquirerrers issuer with people take issue with how that works from time to time but that's how it gets sorted out after the fact. >> oh. okay. does anyone else want to add -- >> i would just add to that. obviously, the merchant
9:02 am
ultimately pays for fraud in the wake of a data breach should the data breach have occurred at a retailer. they also pay a variety of fees total, the first one they pay on every transaction ever processed, the it's an interchange fee. a component of it is a prepayment of fraud or data breach should one ever occur and postbreach there's a fee associated with reissuing the cards -- >> right. so that's where the banks actually end up having to pay the $15 or whatever it is to send me a new card. >> the merchant reimburses for those fees -- >> really? i hear different stories on that. >> yeah. i've included a schedule of that repayment in my written testimony. >> i'll take a look. so i just got one of these cards that have the little chip on it and also just to be clear on this putting this chip on the card may help to some degree as far as the lost card or stolen card and the data breach as far as going to the retailer. but as someone else on the panel said -- and i know it was in the testimony -- this chip does
9:03 am
absolutely nothing with regard to when they steal that information and they use it online s that correct? >> i think it's important to note the chip, the technology that's available in the united states today predominantly magnetic stripe. europe introduced something called chip and pin technology more than a decade ago. >> right. and in europe, my understanding is you saw an uptick of the data breaches not on at the store anymore or the retailer anymore, but now online, is that correct? >> that's true. in fact fraud moved in two directions when chip and pin went into place in europe, online and in the united states because suddenly the united states had the weakest security in the world. when chip only goes into effect later this year, the united states will still have the weakest card technology in the world. >> and somebody said down here we can't solve all this stuff and bottom line is doing the chip is not going to solve it entirely. but also to the point of what seems to be a lot of discussion in the bill as well as far as
9:04 am
the disclosure information that as ms. moy has talked about a lot and others as well that doesn't do anything to -- that has nothing to do with preventing the fraud in the first place that just tells me as a consumer you were rob ared, and now this is -- robbed, and now this is who's going to pay for it. >> congressman if i could answer your specific question about the chip, you're absolutely right. the chip in the card prevents the card from being counterfeited. >> yeah. >> and that is, today the number one source of card proud in the u.s. it's about two-thirds of card fraud at retail, but it does not address the online issue. the online fraud issue is addressed by those other layers -- >> and real quick because my time's running faster than i want it to, the data that's on the card has my number right on it. i hope nobody can see this. does the retailer keep that information? >> the retailer transacts that information -- >> yeah. so they have that information. so if somebody breaches into -- >> but retailers are
9:05 am
instituting, many have to make sure that that -- >> so it's still a place, it's still a target, not to use that company, but it's still a target for the hacker to go into the retail -- or any establishment medical or whatever the hospital keeps that information too, i guess -- as a data source where they'll go try to breach it and they won't be going to the retailer to use it, but they'll be doing it online. so it's still a target and maybe now even a larger target because of that as well? >> i think it's important that we recognize the chip technology is really designed to button down the point of sale to defend against counterfeit and stolen. >> okay. >> it is but one critical layer of security. there are other technologies that have been referenced in testimony here today such as point-to-point encryption and tokennization that will protect that data from the cyber breach you're referencing congressman. >> okay. >> sorry if i may may i just
9:06 am
add a short comment in response to the point about notification -- >> fine with me. >> short. >> thank you. thank you so much. um so, yeah, i just wanted to say i think that notification actually does provide an important incentive for companies to keep information more secure. i can't remember actually whose written testimony it was, but it pointed out companies do suffer reputational harm as a result of reporting breaches, and i also think it's important because that provides information to consumers who are considering where to vote with their wallet so to speak as they're determining which service to go with. >> i get that, thanks. >> time of the gentleman has expired. the chair now recognizes the gentlelady from new york, the ranking member, ms. maloney. i think the button hasn't been pressed. >> okay, thank you. thank you, chairman and ranking member, for putting this together. it's an incredibly important issue because it affects everyone; consumers government retailers and financial institutions. and i also want to commend mr. carney and mr. neugebauer for putting forward a bill that
9:07 am
would create a national data security standard for all businesses that handle sensitive financial information for consumers. and this bill would significantly strengthen the data security procedures for businesses but in a way that is flexible and can involve -- evolve as cyber threats change and evolve. i am still concerned about the scope of the state preemption in the bill, and i want to keep working on the preemption and enforcement provisions. but i have signed on to this bill as a cosponsor because i think it is a serious, good faith effort to tackle what is a critically important issue to our economy. and again i'd like to commend mr. neugebauer and mr. carney for therapy hard work and leadership on this issue -- for their hard work and leadership on this issue and i look forward to working with them certainly the enforcement provisions in it. my first question is to governor pawlenty. i'd like to ask you about the
9:08 am
data security standards that graham-leech-bliley put in place for the financial institutions. you mentioned they had worked well in the financial institutions, but i also want to know have they proven to be overly burden so many for smaller -- burdensome for smaller banks and credit unions? >> congresswoman maloney no. >> okay. >> the standards have been flexible, and i think congressman neugebauer and congressman carney -- [laughter] have done a good job in doing the same thing in their bill which is to say look, we're going to have standards, but we're going to allow them to be scaled to the size and complexity of the question. >> in other words, they've worked well and not been too buddensome for smaller financial service institutions, and they won't be too burdensome for smaller retailers? and i'd also like to know your feelings about the, having a minimum or a floor standard.
9:09 am
i know that california, oregon have a standard that's higher. i think it's important you've got to have a floor. do you think it should be a floor, or do you think it should be a ceiling and why? >> congresswoman again another great question. and right now we have nothing. >> right. >> in these sectors. so something is better than nothing. >> absolutely. >> and so floor would be progress, but ceiling -- if it's set high. you know, i would just encourage you minnesota when i was governor we passed what we thought were nation-leading protection standards and notification standards. you wouldn't want a bill that undercuts the 13 or so states that have done this. so if you're going to set it, set it high. set it aspirationally, and i think that would be the best place to be, and it would serve the country best. and think about the way that people place data centers where they store data, how they store data, the fact that there's going to be wide variance between states doesn't sync with
9:10 am
how we know cyber commerce gets done. >> as a governor, you know how valuable the solutionings are that are -- solutions are that are adopted in this area. it seems to evolve every day with new technologies, new ways to threaten consumers and really the security of our information. i'd like to ask stephen orfei given your organization's experience in establishing data security protocols and procedures, what would you say are the most important aspects of a company's data security plan? in other words, what is the most important thing that a company could do to protect their customers, to protect their company against data breaches? >> thank you congresswoman for that question. i think what's most important is the pci standard is in our view the best defense against cyber criminal attacks. it's really become a question of vigilance. and being methodical and disciplined in your approach and
9:11 am
looking at and paying special attention to the fundamentals, doing the blocking and tackling looking at the physical security. it's day in and day out. it needs to be 24/7, it needs to be built into the dna of an organization from the ceo right down to the working level. >> okay. thank you. and you mentioned in your testimony, mr.-- [laughter] oxman, that you thought that sharing information was so important. and you just expand on that, on what we need to do additionally in expanding information in this area? there thank you congressman maloney. companies are barred from sharing information with each other and in some cases even with the government. the house passed a measure that we support that will eliminate those impediments to that kind of important information sharing. we support that legislation.
9:12 am
we hope the senate will move forward on it, and we need to make sure that companies can, without liability share information with each other and the government to prevent future threats. >> great, thank you. my time has expired, thank you. >> chair now recognizes the gentleman from missouri, mr. luetkemeyer. >> thank you, mr. chairman. kind of curious, i want to approach this from a different angle this morning from the standpoint of, you know, when we have a data breach and there is, you know, whose fault is it? if there's somebody at fault there's going to be some liability. and it would seem to me and, you know, my experience has been from the institutions i've been aware of and i appreciate the governor's description a minute ago of who winds up paying the bill on this. but generally the banks wind up the financial institutions issue the cards originally are the ones that wind up footing most of the bill. and it would seem to me to be at some point as a regulator i would think that you would go
9:13 am
into a financial institution and see a number of retailers a target line of credit, for instance, or any other local line of credit. in our area we had a supermarket thattished deck -- that issued debit cards. suddenly everybody in the whole area the whole region, actually, their information was broached, and as a result there was a tremendous cost to the financial institutions, and it would seem to me that as a regulator, you would look at this as a liability exposure from the bank from the standpoint of what you're going to have to incur by all of these retailers not having adequate protections. from mr. dodge's perspective it looks like, you know, i would think that the regulators would ask ask the financial institutions to force the retail folks to have a policy in place, insurance policy in place that would protect them against a data breach so that the banks would now be in the fallback position for a data breach. governor would you like to comment on that thought process?
9:14 am
am i off on that? >> i think you've connected the dots correctly. cyber insurance, that's an evolving area. there's some people that think their traditional insurance covers it, there's some disputes around that. there's some uncertainty around how you underwrite it, so that's an evolving and developing space and one that is -- >> how do the standards fit into that situation? >> well, the standards fit into that because i think if you set standards like the football service sector -- financial service sector has on other sectors, you decrease risk, you derisk the system. it's good for the financial institution, the payment system and, frankly everybody involved. to the chairman's point on energy and commerce's bill, that's a bill that says have reasonable standards. over time the courts are going to develop a standard, and it's going to say be reasonable, and that's a ten-year pathway. it's too slow, and it's too vague. or you're going to have a bunch
9:15 am
of states doing hodgepodge standards, some of which will be great, some of which not so great. so congress can play a role bringing this debate forward at a level of rig gore -- >> mr. dodge would you like to comment on my question? >> yeah. first, the suggestion that banks are not reimbursed in the wake of a data breach is simply not true. there's three major ways in which they pay, and there's certainly more than just those three, but the first is in the fees that they pay on every transaction and after a breach, through the contracts that they sign with the card networks there's a formula for reimbursement -- >> they still suffer a loss, mr. dodge. >> but my point is -- >> from a business -- >> but the issue is if the banks have an issue with that, it's with their facilitator which, in this case, is visa and mastercard. retailers sign those contracts and if there's a suggestion there's been a violation of those contracts, then there is certainly the legal avenue.
9:16 am
>> my question was with regards to the liability exposure that a bank would have with regards to the situation -- lot of retailers, and as this seems to be almost an epidemic. every day and every week you have another bity that's been breached. -- entity that's been breached. if you have lots if you do a lot of commercial lending to retailers, i see that as a problem that's going to have to be fixed. and i would assume that you'd be supportive of the idea of having retailers purchase a liability policy of some sort that would protect them as well as the institution against a breach. >> so as governor pawlenty said the cybersecurity insurance market is a new market. >> right. >> but many retailers are buying that kind of insurance there's no question about that. but the level of standard, the suggestion that there's no standards on retailers is belied by the fact that there's 50 cases where some of which were retailers, many were not where strong enforcement was brought down by the federal trade commission, enforcement that
9:17 am
includes not only substantial fines, but consent decrees that allow the commission to take up residence for 20 years. >> i've just got a few seconds left. mr. orfei, i'm disappointed that you gave everybody my password to my computers. [laughter] with that i yield back. >> thank you, sir. >> gentleman yields back and better put a fraud alert on all of his credit cards. [laughter] chair now recognizes the gentleman from california, mr. sherman. >> ah, governor pawlenty i do weird things that cause my credit card company to get very concerned, like i buy gasoline in los angeles, and a day later i buy gasoline in washington. so, of course their computers flip out. and you'd think what they'd do is send me an e-mail, but they don't. they either call me -- usually at the worst possible time -- or
9:18 am
if they're too lazy to do that, they freeze the account and force me to call them. is this entirely because they're not handling it right, or is there something in our statutes that we could do to facilitate or prod credit card companies to check with their cardholders by e-mail rather than by telephone? >> congressman, great question. i've had some interesting experience with cards myself personally -- >> you engage in similar -- [laughter] unusual activity. >> well, i'm not admitting to unusual activity, sir. [laughter] anyhow as -- >> another guy another guy going to iowa. >> i think the concern that you raise is a good one but it is being addressed in realtime by technology. the control that you can now set on many cards, and it's advancing by the day and the month, are getting really good. so, for example, on one card
9:19 am
that i have, i can get a text or e-mail alert if it goes over a certain amount any transaction. i can get a text or e-mail alert if it goes over a certain number of transactions per month, if it goes over a certain amount and soon i think i'm going to be able to get an alert -- >> i'm not looking for more alerts i'm simply looking for them to contact me by e-mail rather than by phone or freezing my account without telling me about it. >> i think if you can't many cards already do or will soon offer you the chance to be in the driver's seat as to exactly how you want to get that message. >> i'm sure your members are aware of e-mail -- i mean we're here talking about how to upgrade the technology, and i'm hoping that e-mail -- >> if you can't i can recommend a card that will get it to you. >> yeah. but not with the united airlines miles. basic economic theory is that you apply liability against the entity that should be investing in safety measures so that you
9:20 am
get that entity to spend the appropriate amount of money on safety measures. retailers ought to be spending more on safety to protect consumers and to protect the entire business system from the extraordinary costs that happen every time somebody hacks into one of these accounts. but retailers face no liability except the reputational liability which ms. moy referenced. but then we have these less known about day -- data breaches where the media doesn't know or barely reports to the general public some of the data breaches. is it problematic that consumers at some stores may have their data hacked, but they never hear about it? and does this mean that the merchant that has mishandled the
9:21 am
data faces no liability and no reputational risk? ms. moy, in order to have that reputational risk do we have to do more to make sure that every data breach is known by the public? >> yes i think we do. and i think that there are a couple ways to do that, and one one is to make sure -- as i mentioned multiple times -- that the bill is written in such a way that it covers classes of information that entities may hold that consumers consider personal, that they would want to be notified about but currently might not be notified about. for example, e-mail address and password. that's one that a lot of retailers hold it's one that could be breached if my e-mail address and password are breached, i would certainly like to know about it. and another thing that could be done is, again can sorry to be a broken record but providing state ags with the authority to enforce is really important. they will help work to make sure that these that these breaches
9:22 am
are notified. and in particular, many states have a threshold for notification of state ags and for consumer reporting agencies that's much lower than what we've seen in a lot of federal legislation. so in a lot of the federal bills that we've seen proposed, the threshold would be 10,000 affected consumers. many states have a threshold of 1,000, for example. i believe that just a couple months ago the massachusetts state ag's office appeared at another hearing on breach notification and data security, and they said that the average breach um, the size of the average breach was about 74 consumers. so it's really important that we have state ags working to insure that consumers are notified. >> congressman, if i could just jump in on that? >> yeah. i'll add another question and let you jump in on both. we're proposing federal legislation. is the work of the state ags and the states enough to prod retailers to spend enough on
9:23 am
safety? >> so to your question about liability, retailers face considerable liability. obviously, there's reputational harm you cited that. but under the enforcement through the ftc's current authority and what we've endorsed for stronger authority and at the state level there's enforcement liability. and the prospects of consent decrees that could take, allow the ftc to take up residence in a business for 20 years. >> i'll see if the governor can just chime in. do the retailers face enough reputational and financial liability to spend enough on safety, or do we need to do more? >> congressman, i would respond with a rhetorical question. how's the current system working? not so good. >> the verizon report? which is the gold standard for reporting on data breaches says there was 2100 breaches last year 277 were financial institutions 166 were merchants. there are, there is a thousand times more merchants. so the standards that are apply today the financial industry are
9:24 am
not -- applied to the financial industry are not perfect. >> time of the gentleman has now expired. the chair recognizes mr. high sink georgia chairman of the monetary policy and trade subcommittee. >> thank you, mr. chairman. i appreciate the opportunity to spend a little time with you. mr. orfei, over here. real quickly, while we're on the breaches mr. garrett's credit card is available widely on a russian web site. [laughter] in all seriousness though, i mean, that is the concern all of us have right? when we're calling in somewhere or buying something online in a very transient kind of economy that we have i think we all have a legitimate and serious concern. but i'm curious, mr. orfei from your perspective have you evaluated how many breached companies are in compliance with your pci standards at the time
9:25 am
of their breach? have they had those standards and then it's caused them to take action, or did they have them already and they still were breached? >> well, what i would reference is the verizon report which is an objective third party that looks at the data for breaches for the past ten years. and the findings, there's two significant data points that i would give you congressman. one is that 99 .9% of the breaches that have occurred were preventable and covered by the pci standard. the second point is that i think that the pci standard has done a very effective job, and there hasn't been one single compromise where the merchant or the entity was found in compliance. >> okay. i, i'm a former state legislator as well and, governor, good to see you again. i, like you had those
9:26 am
situations where we're sitting in state capitols, and we go what in the world is washington trying to do to us now. yet at the same time i understand when you have states doing various actions and not coordinating -- and often times that's like council of state governments and alec and other organizations like that -- are trying to get states to harmonize oftentimes. but what i'm struggling with on this and ms. moy, you mentioned this earlier as did my friend mr. neugebauer, how does setting a national floor but then allowing states to maintain a patchwork of other requirements, how is that different than what we have now? and i think maybe it was mr. oxman you said we'd go from 47 regimes to 48. so help me out somebody, with what we do on this.
9:27 am
i'd love to hear from golf pawlenty. >> congressman, i would think about this, you know, i'm a big fan of the tenth amendment, i'm a big fan of states' rights, i'm a big fan of laboratories of democracy for public policy at the state level. i believe in all of that profoundly. but i've come to think of this issue as a threat to national security and critical infrastructure of the united states of america. not just in the payment space but in the ability to do most of what we do. and so i think it rises to the level of being worthy of being viewed in that light and setting the table nationally because it does threaten our ability to funk, it presents -- to function, it presents taken to any sort of reasonable extension an existential threat to our economy and to our nation's security. and i could walk you through the scenarios, and they don't take a lot of imagination. but i think if you view it in that light, it rationalizes an aggressive and muscular -- >> that's what i struggle with as well, we can have a
9:28 am
constitutional debate whether this is part of the commerce clause or how this is affected. ms. moy, if you want to quickly -- >> thank you so much. just to repeat again i think most states certainly with breach notification there is a common core of elements that we see across the various across the 47 plus i think three territories laws, and then there are some additional elements above that. but i do think that it's really important, for example i believe in your own state there is a harm trigger for the breach notification law that is broader than just applying to financial harm. it's really important that we take that into account as, you know as governor pawlenty has said. if we're going to set a preemptive federal standard, let's set it high. let's not reduce protections like those in your own for consumers who are benefiting -- >> and i would agree. i think it would have to be high. and somebody help me out on what, as mr. sherman had said, me doesn't want more notifications. now, i'm a little confused if you have an e-mail breach, how are they supposed to notify you
9:29 am
through e-mail if that's been breached? but this cry wolf overnotification is that a real concern? >> congressman, we think that it is. we think it's important. i align myself with the most recent points made by the governor, we agree entirely on this. we hi it's important that consumers be able to get information quickly and information that they can take action on in order to protect themselves from financial harm. a standard beyond the financial harm would subject customers to repeat notifications and the worst case scenario is the customer would stop paying attention to those notifications and not take action to protect him or herself in the wake of something that could put them at risk. >> if i may just add a brief point which is i think in order to determine the answer to that, we should look to the state ags who have a ton of contact with consumers who are suffering from breaches and in the words of illinois attorney general lisa madigan consumers may be fatigued, but they are not
9:30 am
asking to be less informed about that. >> the time has expired. the chair now recognizes the gentleman from massachusetts mr. capuano. >> thank you, mr. chairman. i can barely see you guys, but we'll try to communicate. i'd like to submit a record from the massachusetts attorney general for the record. >> without objection. >> thank you, mr. chairman. gentlemen, does anybody at this table think that five or ten years from now the data security, the issues and the challenges you face will be the exact same that you face today? does anybody believe that to be true? ..
9:31 am
with no ability to change your comic to come it really when the problems change you are sitting here today because the congress is last to the issue. states are first to the issue appeared like in most issues, the federal government is often times the last 25 because we're the biggest of the most diverse night is the way the most diverse and that is the way it is always then. yet you are advocating for a situation that we have one that has no ability to be upgraded to regulation. this is why we have regulatory bodies because they are quicker than us. except come back to sms is to do
9:32 am
it all over again which in and of itself is the main problem. i don't know where and if you live, but i presume because you're all part of associations that you live in the washington area or at least have an apartment here. do you think the federal government, the epa, should tell the state of maryland that they have to live only to federal standards on drinking water, and that the state of maryland would then be totally preempted from saying no we like a little less arsenic in drinking water than the federal government requires. do you think the state of maryland should be told sorry coming yuki and you got? >> overspend, i spent seven years in the great commonwealth of massachusetts. i think you raise a very important question and that is how can we bring uniformity to an issue that has nationwide
9:33 am
implication indeed international applications talking about cybercrime without interfering. >> not just the power the responsibility. i like the idea. i'm happy we are talking about federal standards. i've gotten in trouble on a regular basis because i'm a liberal democrat. i'm all for for federally regulation. i'm all about regulation. assassinate friends. i didn't know some of my other friends wanted to join the socialist party. welcome. bernie sanders has cards. you can sign. i love the idea of creating federal standards, but i like to other things. i like flexibility and not because let's be honest most members of congress are not technologically capable. everyone of us stumbles up their cell phones. i call myself all the time.
9:34 am
this is broken seven times because i throw it. i know none of you have ever done that because you are technologically capable. we need the ability to move quickly because the rubble change tomorrow. that's the only thing i know. >> i would submit the epa supports the approach that chairman neugebauer and mr. kearney have taken in the bill because it has the exact flexibility. it doesn't take take any technical standards and in fact makes clear that it's not up to the federal government to dictate how we have a security but a requirement that the federal government security be implemented. >> we also have to know somebody who knows what they're talking about. number two i don't see why you take away the ability of the states to be more flexible. absolutely totally agree. we have the same issue on everything we do. every financial issue we deal with, we deal with the issue of how much of a federal standard
9:35 am
including insurance every day. every time we come close to thinking about the federal involvement, everybody gets worked up. i strongly suggest the concept is right. the approach needs to be significantly changed on those issues to provide flexibility and maintain the state's ability to do what they want as they see fit. >> i thank the gentleman. the gentleman from wisconsin, mr. duffy, chairman of her or say committee, for five minutes. >> thank you, mr. chairman. it's nice to see a member of mr. capuano endorsing bernie over hillary and throwing your flip phone around the capital. as mr. huizenga said i was not a governor but a former hockey player. do you agree with mr. dodge at the banks don't pay any fees and there is a data breach? how do you respond to the claim?
9:36 am
>> congressman duffy the system how this gets sorted out is complicated but through the issuing banks paid in all sorts of ways that there is a breach including the possible reimbursement in the future as well as making a consumer hole through a complicated series of transactions. >> just to be clear this whole panel support federal preemption? >> does anyone disagree with that concept? >> only for the high standard for consumers. >> we support it. >> goal percentage of the fraud comes from a fraudster who steals data and reproduces cards and makes purchases as opposed to the guy who had his wallet lifted and someone goes and uses the card. >> the majority of it is people scraping cards and using counterfeit cards and people who
9:37 am
do the lost and stolen, that is the minority. >> so when we talk of chip versus chicken pen if we get the chip, we will adjust the vast majority went in as president? is that fair to say? >> i would say it would have that effect but we don't live in a static world. the reality is a single line of defense between the fraudsters and their ability to commit fraud and in this case it would be chip. we've seen examples where they've done it already. we simply argue that one of the baseline tactics of cyberhygiene require that the point of sales. >> e. seymore pocket feeds out there? >> i'm same fraudsters will crack the chip and commit fraud. >> congressman duffy, the chip will defend at the point-of-sale. it will button on the point of
9:38 am
sale of the environment. once the environment is secure fraud will move to the present environment. what we observe in the pacific and european theaters. now the chip technology is you cannot clone it. so while we will see what my grade. how far are we from online purchases? >> tokenization has been around for 10 years and not the acquiring community are in the price points that have come down. point-to-point encryption token with publication at the point-of-sale is how we get to devaluing data so it's useless. >> said the technology is there but not implemented yet? >> apple pay has an early stage version of tokenization and some other breach issues. it is one of the first platforms to come the market. >> i want to be clear.
9:39 am
when we have a chip is a retailer able to maintain data about the card in their database if you just have a chip card as opposed to a magnetic strip? >> again, congressman, the chip is just going to work at the point-of-sale. >> my question is we heard about the retailers who had data breaches. if we migrate to the exclusive use of chips, does that mean retailers are no longer keeping consumer data in their databases which means they are not ever is to have breaches any longer? >> know, taking up the thread of the point-of-sale. is a critical layer but not a silver bullet. >> the information could be replaced by tokenization, could be projected point-to-point.
9:40 am
>> do you have any idea how long retailers keep financial information about consumers? how long should a retailer keep the information? >> it is not necessary to keep the information. >> a couple of things. first, many retailers instituted encryption so if there ever was acquired a format that would be useless. further, they have no desire to keep information they don't need. >> do they need any information? >> at it after 30 days like those six months of consumer data. you might only have 15 days or 30 days of consumer data. if and not so much data collected in the store not just the government, but from retailers. >> the information retailers collect is designed to allow them to provide concierge services they want. consumers want their returns.
9:41 am
does the element of information that we have this information. >> i don't know if i've ever been asked to volunteer. they are just offered to me and that is caps-on my card. i think there is a consumer protection issue and we are not asked. it is just given to us. >> the time is expired. the gentleman from texas mr. hinojosa. >> thank you chairman hensarling and ranking member waters for holding this hearing today in thank you to our panelists for your testimony. mr. chairman, before asking my request and i ask unanimous consent to my opening statement be made part of the record. >> without objection. >> my first question is to the
9:42 am
honorable tim pawlenty and ms. laura moy. how can a federal data security standard provide for more financial security while at the same time providing certainty to industries that would need to implement such a standard across all 50 states. >> congressman hinojosa, thank you for your questions. not including financial health care and a couple others, they don't have standards other than the 13 states. by creating a floor or ceiling, but we hope a high standard for the whole country you will live again in the expectation and the legal responsibilities for the fact reason mostly things that don't have a standard currently. this is the members of the committee knew by russia or china or semi-state agents were
9:43 am
about to compromise the payment system, the electrical grid you wouldn't say let's kick it to the states. let's let them handle it. i don't think he would do that. whatever you do will be helpful even if directionally. it will be better than what i have now are those who don't have been in the state. >> i would say a couple things. consumers are protected with the federal trade commission section five authority and the ftc is enforced and not. as we've heard they've been forced over 50 cases. since 2001. consumers in the other 47 states and jurisdictions are protected by breach notification. there are protections for consumers. said in a floor and not a feeling as a clear pattern in terms of what is covered by the stabilized. as a practical matter, most companies that have to comply with the loss of multiple states
9:44 am
are just complying with the strongest standard and are mostly okay under the other states. many states have a provision that allows to notify some of the consumers have been affected by breach by the standard of another state. i would add on if we have a federal grant a federal preemptive standard as i said before, it has to be a high one that has to provide flexibility not only in terms of what the security standard is but also in terms of what information is covered by the bill. that's a critical element we might be missing here. >> thank you for your response. my second question is addressed to mr. jason oxman and mr. brian dodge. given the ever-increasing sophistication in sheer numbers of cyberattacks on our financial institutions and markets do you think a catastrophic attack which can have severe repercussions on the financial system as a whole is imminent
9:45 am
and what can the federal government to to help prevent such an attack or repair to respond to such an attack? >> thank you for the question, congressman hinojosa. the possibility is always on the minds of the payment come needs pta represents and is something always included in all the operational plan that i represent our sincere hope is something like that never happens. we recognize the important role the infrastructure plays empowering commerce in this country and protecting our customers be merchants or consumers is always top of mind. we are focused on that. we are prepared for it is our sincere hope that nothing ever comes. >> mr. dodge. >> in terms of the question about congress can do to avoid such a catastrophic event is
9:46 am
incredibly important. we believe the way you get yourself to a stronger environment is layers of security if congress can help by doing at the house. last month but also as we talk about today providing clear strong guidance for businesses on how they should mean in their systems to ensure cybersecurity and providing flexibility for businesses and regulators to adapt to the thread over time. there is no doubt threat is increasing, the level of sophistication is growing extremely fast. we need to stay involved in it. the last point is we need to look to our greatest vulnerabilities are. right now our greatest vulnerability is the card we accepted the point-of-sale. a technology enabled the world today and when we move to chip technology without the pin like instituted in the rest of the industrialized world will still have the lowest level of
9:47 am
security continue to flow towards us. >> my time has expired and i yield back. >> to churn are to churn out recognizes the gentleman from south carolina mr. mulvaney. >> thank you, mr. chairman. thank you triple among the panel for helping us do something that we don't do enough which is due collect information. i have an honest-to-goodness question. i think it is directed to mr. pawlenty and mr. dodge. let's say mr. capuano steals my credit card which is possible because the fact kind of guy even though it's not here yet. he goes to my local gas station or his local gas station, slides it in there and maybe he knows my zip code and buys the gasoline with my stolen credit card. i catch it when my statement comes in the next week or maybe it e-mail notification which is a service.
9:48 am
i call my bank and say someone stole my credit card and a buy gas in massachusetts. louise loss? is it the retailer? the bank that issued my card who deep outlaws for the gasoline bow with a stolen credit card? >> first i was safe if it first i would say the tables required the fraud would've never occurred. secondly, there's a difference between data breach and fraud repayment. so they are the contracts the retailer signed. there would be an evaluation of where the leak weakest link in the system. if there was a stolen card that was three years i don't know the answer to that question. >> in many cases and almost all
9:49 am
cases, is brought in alan and? >> mr. pawlenty come initially somebody has to get the cash back or the value. it is the issuing bank and they sorted out afterwards as to who pays what appeared in terms of who eats most of it initially in our view over the long term of the discussion it is the banks. >> here is why ask the question. i have my banker friends come in and they say look we have to do something about this because we eat all of the loss. last week i had convenience are people say we have to do something about this. are both of them eating a little bit of the laws? >> i included in my testimony a schedule of repayment that shows the fees of the structure of the contracts obligate merchants to
9:50 am
repay. bear the cost to reissue the card and fraud associated with the breach. every single day on every transaction the merchant pays the fee called an interchange fee. and as a prepayment of fraud. it goes into account. whether fraud happens or not they prepay every single day. how that is divided by the banks is a great for them. we know we paid on every single transaction. >> congressmen if i could there's actually a pretty simple answer and that is the card issuer is responsible for the fraud. it is never the responsibility of the merchant. since it was stolen out of your pocket and you haven't yet reported as stolen, when it was authorized by the bank at the gas station, the bank has a responsibility. you don't have the merchant doesn't. >> thank you mr. oxman. leads me to my question.
9:51 am
bush capuano steals my credit card. i get it. he would do that too. if someone gets different target comic is my information, create a counterfeit card in music, is the outcome different? who bears the loss? >> as it stands today the analysis is exactly the same in the case of a counterfeit card the issuer has responsibility to merchant would not. the migration to bmp chance to talk about this morning changes the calculus is the responsibility for the fraud after october this year will follow the party to the transaction whether the merchant side or issue inside that is deployed the lesser form of security. if the card has been counterfeited and was a chip card in the issuer has issued chip cards that the merchant has an installed chip readers they'll have a responsibility for the fraud. that is a change to the current
9:52 am
system. >> i can at the indulgence for 15 more seconds. the third example today is the online fraud. we are online by an airplane tickets. who bears the risk of loss on that one? >> 100% the merchant is subject. >> gentlemen, thank you for the information. >> to churn out recognizes the gentleman from missouri, mr. clay ranking member. >> thank you mr. chairman. i want to note that i am so glad to be back in this refurbished hearing room. let me ask mr. orfei. you know at the end of your testimony that not a single company has been found to be compliant at the time of their breach but in many cases, firms that have been breached world one point pci compliance.
9:53 am
how does your compliance framework learned selfish at all to ongoing pci compliance and what role does the pci play in monitoring compliance? >> thank you for the question. 99.9% of the compromises were provided by the standard. if you think about our standard, while we are advocating is a move away from compliance to a risk taste approach and we are advocating vigilant and discipline and be methodical and paying close adherence to the standard. security is a 24 by seven responsibility. is not a manner of compliance. what we see happen is a company works digitally gently to bring its company into compliance. a high five each other on thursday and friday the environment starts to
9:54 am
deteriorate. it is about being disciplined methodical and paying attention. >> thank you for that response. mr. oxman although chip technology is there to the united states, it has been around decades and is ubiquitous in other parts of the world. given the rapid pace of technological development are we not at the point for other types of security measures are more appropriate for using u.s. payment cards and payments in general? >> thank you for the question, congressman clay. you're absolutely right that shift is a well developed technology. the payment industry recognizes that the chip addresses one type of fraud that happens to be the most prevalent form of flawed and that is counterfeit card fraud. the chip implementation will address that type of fraud. other types of security are
9:55 am
important as well which is why her industry is supplying labor security technology approach which includes the cards but also tokenization which replaces information with a one-time use mathematical cryptogram that can't be intercepted and reused. also includes 2.2. encryption into the payment system. that layered approach with multiple technologies as he suggests it is in recognition of the fact that chip card addresses one type of fraud but we need to do much more because criminals are much more sophisticated. >> thank you. for anyone on the panel how prevalent is fraud in the case of online checking? is that pretty secure? >> on my checking? >> certainly e-commerce is an environment with limited security options to employ right
9:56 am
now. if the frustration of merchants and the fact e-commerce is a big part of the economy is a considerable frustration. back to your first question i want to note jason's point about the levels of players and technology is a good one that we need to be involved in the next generation of technology and we need to find ways to make all these other things work specifically for the e-commerce environment. today there is 1.2 billion cards circulating united states which have 60s era technology and we will see early 2000 technology in the united states. we are keeping up with the biggest area were transaction is occurring and we need to do a better job of that. >> thank you so much for your response. mr. chairman, i yield back. >> the charter recognizes the gentleman from north carolina mr. fincher. >> thank you, mr. chairman.
9:57 am
thank you for hosting the hearing and thank you for being with us today. according to the identity theft resource center, financial institutions are responsible for less than 60% in 2014. some could draw the connection with this fact that financial institution has been subject to the graham leach bliley act and think 99. do you think this is a fair connection to make? >> congressmen come i do. i don't think there's much dispute that the most resiliency in this space but as everyone knows of the room financial institutions relative to other sectors where more than to give breach lies. it is the point of what caused that. investment, hardware, technology and i believe grandly shillelagh
9:58 am
and we get examined by regulators to the standard and that contributed to the state of the industry cyberdefenses in the relative good quality of it. >> thank you. >> i would note the verizon report, is sort of considered to be the gold standard for cyberreporting. they found last year 2100.allow cybersecurity intrusions. of that 277 international in to shin said 167 retail businesses are a thousand times by retailers in the u.s. i don't think we should have the philosophy that a single regulation can guide us to a successful -- >> let me build on that. building on mr. neugebauer statement earlier reference to legislation says to develop and maintain a comprehensive information security program that ensures security and
9:59 am
confidentiality it is appropriate. this is written to create some measure of flexibility so the standards are modified. do you think this is a good approach in terms of creating flexibilities? >> we applaud congress look in a lot of ways to address this issue. what is important as we look at the regulatory environment doesn't exist today and recognize the graham leach bliley act is written for the financial services community and there's a very strong regulatory regime that applies to most of the business community and that is of course the ftc. the ftc has moved aggressively over the last decade and they've established a clear and strong set of standards to comply with. >> let's refer to this. the provision bill says a covered entity information program shall be appropriate to the size and complexity of the
10:00 am
covered entity and the size and scope of the covered entity and the consumer financial information to be protected. .. >> based on your what you quoted, that sounds right but as i said we believe you nee


info Stream Only

Uploaded by TV Archive on