
Key Capitol Hill Hearings, C-SPAN, May 14, 2015, 9:00pm-11:01pm EDT

9:00 pm
my opening comments. the prevention provision should not have the unintended consequences outside the issues covered in the bill. we don't believe it affects the medical debt issue that was raised a moment ago with respect to california 37 we would be willing to make that plain. >> you said -- i thought i heard you say that we shouldn't have 50 different standards is not the answer. is that what you said or did i mishear your comments? >> so what i have said is that i think the best for consumers would be to create a floor not a ceiling, so that states can continue. >> set a national standard? >> right and then -- >> allow states -- >> to protect judicial categories -- >> my understanding is that 13 states now currently have data breach notification and standards like this, and that our legislation, our federal legislation would be better than all of them except maybe one,
9:01 pm
which is massachusetts, and i've been talking to some of my colleagues from massachusetts. would you agree with that? >> i think also oregon has a pretty good standard. there are elements of other state laws you may not consider specific data laws. >> a pretty high standard? >> it is a pretty high standard, yes. >> that's the starting point for us. there's been some discussion about the standard energy in commerce. would you say it's a higher standard than what our bill would propose. >> our standard is a reasonableness standard. so i think the difference here is not only might there be a difference in what the language says in that bill i think, also, we would be looking to the common law of the ftc and others to flesh out what the specific requirements are but it's really important as we're thinking about how strong the security standard is, to think about who has the enforcement
9:02 pm
power and who's going to be guiding the parties there. if the federal agencies are solely responsible for it even a strong standard might not provide a strong protection as a general reasonableness standard that allows state ag's to work on a piecemeal basis. >> you think the standard in our bill is pretty good, pretty high standard in terms of federal standard? you believe the states ought to have the flexibility to go beyond that. notwithstanding some of the issues that that might create in terms of having different standards. how about this enforcement question. have you looked at our bill in terms of the enforcement provisions in the bill, and how would you suggest they would be improved upon in your view. >> i can't -- i have looked at it, i'm not prepared to provide a detailed response, i would be happy to in writing if you prefer that. i do think the key issue with respect to enforcement, your bill would only facilitate
9:03 pm
enforcement by federal agencies -- >> what i heard you say is that allowing the state ag's some kind of role there would be an improvement? again, not having looked at the details there, not to put words in your mouth. >> yes, yes, i believe that a very credible element here is that we must have enforcement. >> we are willing to try to improve the bill so we can get a greater consensus around it. we believe that -- i think as you said, a national standard is important to have. 50 different standards is not the way to go. it's got to be the high bar and one that's enforceable. would any of the other panelists like to comment on the conversation that we've just had about preemption, about the standard? >> i think the bill on a bipartisan basis really takes on this issue in the right way,
9:04 pm
that is to recognize that the act of legislating to unify 46 disparate regimes would be adding a 48th regime and wouldn't serve the purposes that the legislation seeks to undertake, which is to protect consumers' financial information. and from eta's perspective, the bill takes the right approach to ensure that the federal regime is operative and not interfered with. >> everyone agrees we need a higher standard and kind of one standard across the country. >> we fully agree there should be a national standard, we think the states deserve a tremendous amount of credit for having acted in the place where the federal government has not yet. that's why we believe as a broad concept, preemption should be offered as a broad concept, state ag's should have the ability to play a role.
9:05 pm
>> the time of the gentleman is now expired. the gentleman from new jersey, mr. garrett, chairman of our capital markets committee. >> thank you, mr. chairman, thank you for holding this hearing, an issue that hits home for a lot of folks. let me just start -- i have a couple questions, start at the basics, if i can. governor, i'll throw it to you. >> when there is a breach or someone does steal your card and they go to a retailer and buy a tv, and you find out that you didn't, so on and so forth. who actually is responsible for that. is it the -- does target have to pay the bill for that? does the bank that issued my -- well, my mastercard, or if it's not that, is it the bank, or is it the visa or mastercard or discover that's paying for that. >> the oversimplified version. >> the consumer is made whole.
9:06 pm
and the issuing bank is the one that makes them whole. however, there's a secondary process managed and run by contract between the payment networks and various players in the payment system that gets resolved through a -- should we say contractual process between visa, mastercard, retailers, the issuer, which people take issue with how that works from time to time, that's how it gets sorted out after the fact. >> does anyone else want to give an overview. >> i would add to that. it's the merchant that ultimately pays for fraud in the wake of a data breach should the data breach have occurred at a retailer, they pay a variety of fees, there's three real fees they pay total. the first one on every transaction ever processed, a component of it is prepayment of fraud should one occur. and then post breach, there's a fee associated with issuing the cards and -- >> so that's where the banks end
9:07 pm
up having to pay the 15 bucks or whatever it is to send me a new card. >> the merchant reimburses on those fees. >> i hear different stories on that. >> i've included a schedule in my written testimony. >> so i just got one of these cards that have the chip on it. and also, just to be clear on this, putting this chip on the card may help to some degree as far as the lost card and the stolen card, as far as going to the retailer, but as someone else on the panel said, i know it was in the testimony, this chip does absolutely nothing with regard to when they steal that information and they use it online, is that correct? >> i think it's important to note, the chip technology that's available in the united states today -- 1960s era technology. we introduced chip and pin technology more than a decade ago. you saw an uptick of the data
9:08 pm
breaches not at the store any more, but now online, is that correct? >> that's true fraud moved in two directions online and the united states. suddenly the united states had the weakest security in the world. it still does today. when chip only goes into effect later this year, the united states will still have the weakest technology. >> we can't solve all this stuff. the bottom line is doing the chip is not going to solve it entirely, also to the point, what seems to be a lot of discussion as far as the disclosure information. that doesn't do anything to -- actually, none of it -- that doesn't do anything as far as preventing the fraud in the first place that tells me as a consumer, you were robbed and this is who's going to pay for it. >> congressman, i couldn't answer your specific question about the chip many you're absolutely right, the chip in the card prevents the card from
9:09 pm
being counterfeited, that is today the number one source of card fraud in the united states. it's about two thirds of card fraud at retail. it does not address the online issue. the online fraud issue is addressed by the other layers. >> the data that's on the card when i use this chip and put it through, has my number right on it, i don't know if you can see this. does the retailer keep that information? >> the retailer transacts that information. >> if someone breaches into it -- >> they're instituting many -- all are moving toward it to make sure that that information -- >> it still is a target not to use that company, still a target for the hacker to go into the retail -- not just medical or whatever, the hospital keeps that information too i guess. as a data source where they'll go try to breach and they won't be going to the retailer to use it, but they'll be doing it online, still a target, maybe
9:10 pm
even a larger target? is that true? now with the chip? is it a larger target because of in a as well? >> i think it's important that we recognize the chip technology is really designed to button down the point of sale to defend against counterfeit lost and stolen. it is one critical layer of security there are other technologies that have been referenced in testimony today. such as point to point encryption. >> if i may, may i just add a short comment in response to the point about notification? >> fine with me. >> sure. >> thank you. thank you so much. >> i just wanted to say, i think notification provides an important incentive for companies to keep information more secure. i can't remember whose written testimony it was. companies do suffer reputational harm. i think it's important because that provides information to consumers who are considering where to vote with their wallet
9:11 pm
as they're determining which service to go with. >> i get that, thanks. >> the time of the gentleman has expired. the chair recognizes the gentlelady from new york. >> thank you. thank you, chairman, and ranking member for putting this together. it's an incredibly important issue, because it affects everyone. consumers, government, retailers and financial institutions, and i also want to commend mr. carney and mr. neugebauer for putting this together. this bill would significantly strengthen the data security procedures for businesses, but in a way that is flexible and can evolve as the cyber threat changes and evolves. i am still concerned about the scope of the state preemption in the bill and i want to keep
9:12 pm
working on the preemption and enforcement. i have signed on to the bill as a cosponsor. it is a serious good faith effort to tackle what is a critically important issue to our economy. i'd like to commend them for their hard work and leadership on this issue. and i look forward to working with them on the enforcement and provisions in it. my first question is to governor pawlenty. i'd like to ask you about the standards that were put in place for the financial institutions. you mention they have worked well in the financial institutions, but i also want to know, have they proven to be overly burdensome for smaller banks and credit unions? >> congresswoman maloney, no. the standards have been flexible. i think congressman neugebauer
9:13 pm
and congressman carney have done a good job in doing the same thing in their bill, which is to say, we're going to have standards and we're going to allow them to be scaled. i think that's a good model. >> in other words they've worked well and they won't be too burdensome for smaller institutions and retailers. >> i'd also like to know your feelings about the -- having a minimum or a floor standard. i know that california/oregon have a standard that's higher. i think it's important you have to have a floor. do you think it should be a floor or should it be a ceiling and why? >> another great question. right now we have nothing. >> right. >> something is better than nothing. >> absolutely. >> and so a floor would be
9:14 pm
progress, but ceiling, if it's set high. we passed what we thought were nation leading standards and notification standards. you wouldn't want a bill that undercuts the 13 or so states that have done this. if you're going to set it, set it high. set it aspirationally, and i think that would be the best place to be and it would serve the country best. think about the way people place data centers, the fact that there's going to be wide variance with states. >> as a governor, you know how valuable the creativity of the state system is to come out with solutions that are adopted in this area, it seems to evolve every day with new technologies, new ways to threaten consumers and really the security of our information. i'd like to ask stephen orfei, given your experience, what
9:15 pm
would you say are the most important aspects of a company's data security plan and other -- what is the most important thing that a company could do to protect their customers, to protect their company against data breaches? >> thank you for that question. i think what's most important is, in our view, the best defense against cyber criminal attacks. it really becomes a question of vigilance. and being methodical and disciplined in your approach. and looking at and paying special attention to the fundamentals, doing the blocking and tackling, looking at the physical. it's day in and day out. it needs to be 24/7. it needs to be built into the dna of an organization from the ceo right down to the working level. >> okay, thank you, and you mentioned in your testimony mr.
9:16 pm
oxman that you thought that sharing information was so important. and can you just expand on that? on what we need to do additionally, and expanding information in this area? >> thank you, congresswoman maloney. the issue is companies are barred from sharing cyber threat information with each other. and in some cases with the government. the house fortunately passed a measure that we support that will eliminate those impediments to that kind of important information sharing. we support that legislation, we hope the senate will move forward on it, and we need to make sure that companies can, without liability, share information with each other. >> thank you, my time has expired. >> the chair recognizes the gentleman from missouri, mr. luetkemeyer. >> thank you, mr. chairman. i'm curious, i want to approach this from a different angle this morning, from a standpoint of, when we have a data breach,
9:17 pm
whose fault is it? if someone's at fault, there's going to be some liability. it would seem to me, my experience has been from the institutions i've been aware of, and i appreciate the governor's description a moment ago of who winds up paying the bill on this. generally, the banks wind up. they're the ones that wind up footing most of the bill. it would seem to me that at some point as a regulator, i would think that you would go into a financial institution and see a number of retailers, target line of credit for instance or any other local line of credit. we had a supermarket that issued debit cards, suddenly everyone in the whole area, the whole region actually, their information was breached. there was a tremendous cost to the financial institutions, it would seem to me you would look at this as a liability exposure
9:18 pm
for the bank from the standpoint of what you're going to have to incur by all of these retailers not having adequate protections. from mr. dodd's perspective, it looks like i think the regulators would ask the folks to have a policy in place that would protect them so the banks wouldn't be the fall back for the breach. >> i think you've connected the dots correctly. on your last point about cyber insurance. that's an evolving area, there's some uncertainty about how you underwrite it, when you can't get your arms around it. that's an evolving and developing space, one that is. >> how do the standards fit into
9:19 pm
that? >> if you fit standards, and we get more resilient better systems, you decrease risk. that's good for financial institutions, it's good for the payment system. a bill that says have reasonable standards. everybody's suing everybody over time the courts are going to develop a standard that says be reasonable. it's a ten-year pathway. it's too slow and too vague. congress can play a very important role bringing this debate forward. >> mr. dodd would you like to comment on my question? >> first, the suggestion that banks are not reimbursed is not true.
9:20 pm
there's three ways we pay, the fees they pay on every transaction, after a breach through the contracts they sign there's a formula for reimbursement. >> they still suffer a loss. >> but my point is, if the banks have an issue with that it's with the facilitator. retailers sign those contracts, if there's a suggestion there's been a violation of those contracts, there's certainly the legal avenue for resolving. >> my question is, with regards to exposure this seems to be an epidemic, every week you have another entity that's been breached. if that's the case pretty soon, those institutions are going to have tremendous liability sitting there. i see that as a problem that's going to have to be fixed.
9:21 pm
i would assume you would have protection against the breach? many retailers are buying that kind of insurance, no question about that, but the level of standard is belied by the fact that strong enforcement was brought down by the ftc the prospects that allow the ftc to take up residence for many years. >> i'm disappointed you gave everyone my password to my computers. with that i yield back. >> thank you, sir.
9:22 pm
>> the gentleman yields back, the chair now recognizes the gentleman from california. >> i do weird things that cause my credit card company to get concerned. i buy gasoline in los angeles and then a day later in washington. of course their computers flip out. you'd think they would send me an e-mail, but they don't. they either call me, usually at the worst possible time, or if they're too lazy to do that, they freeze the account and force me to do them. is this entirely because they're not handling it right, or is there something in our statutes that we could do to facilitate or prod credit card companies to check with their cardholders by e-mail rather than by telephone?
9:23 pm
>> great question i've had some interesting experience with cards myself personally, so -- >> you engage in similar unusual activity? >> well, i'm not admitting to unusual activities, sir. any how, as to the contact -- >> another guy going to iowa. >> i think the concern you raise is a good one, it's being addressed in realtime by technology, the controls you can set on many cards, it's advancing by the day and month are getting really good. on one card i have i can get a text or e-mail alert if it goes over a certain amount any transaction, i can get a text or e-mail alert. i can get a text or e-mail alert if it goes over a certain amount, and soon i think i'm going to be able to get an alert. >> i'm not looking for more alerts. i'm simply looking for them to contact me by e-mail rather than by phone or freezing my account
9:24 pm
without telling me about it. >> many cards do or will soon offer you a chance to be in the driver's seat, as to how you want to get that message. >> i'm sure your members are aware of e-mail -- i mean we're talking about how to upgrade to technology, and e-mail is -- >> if you can't, i can recommend a card that will get it to you. >> not with the united airlines miles. you apply liability against the entity that should be investing in safety measures, so you get that entity to spend the appropriate amount of money on safety measures retailers ought to be spending more on safety to protect consumers and to protect the entire business system from the extraordinary costs that happen every time somebody hacks into one of these accounts. but retailers face no liability
9:25 pm
except the reputational liability which was referenced. then we have these less known about data breaches where the immediate where doesn't know or barely reports to the general public some of the data breaches. is it problematic that consumers at some stores may have their data hacked, but they never hear about it? and does this mean that the merchant that has mishandled data faces no liability and no reputational risk? in order to have that reputational risk, do we have to do more to make sure that every data breach is known by the public? >> yes i think we do. i think there are a couple ways to do that, one is to make sure as i mentioned multiple times the bill is written in such a way that it covers classes of
9:26 pm
information that entities may hold. consumers consider personal they would want to be notified about, but currently may not be notified about for example e-mail address and password that's one a lot of retailers hold, it's one that could be breached, if my e-mail address and password are breached, i would certainly like to know about it, and another thing that could be done is begin, providing the state ag's with the authority to enforce is really important because they will help work to make sure that these breaches are notified, and in particular, many states have a threshold for notification of state ag's, that's much lower than what we've seen in a lot of federal legislations. a lot of the proposals, many states have a threshold of 1,000. i believe that just a couple months ago, the massachusetts state ag's office appeared at
9:27 pm
another hearing on breach notification and data security. they said that the average breach the size of the average breach was about 74 consumers. it's really important that we have state ag's notified. >> i'll add another question. we're proposing legislation. is it enough to prod retailers to spend enough on safety? >> to your question about liability, retailers face considerable liability. there's reputational harm, you cited that under the enforcement available to the ftc's current authority. and what we've endorsed at the local authority. there's enforcement liability. and the prospects of consent decrees that could take -- allow the ftc to take up residence and business for 20 years. >> i'll see if the governor can
9:28 pm
chime in. do the retailers face enough reputation and financial liability to spend enough on safety or do we need to do more? >> i would respond with a rhetorical question. how does the current system work? not so good. >> the verizon report says there were 2100 breaches last year, 277 were financial institutions, 166 were merchants. there are 1,000 times more merchants. the standards that are applied to the financial industry are not perfect. >> the time of the gentleman has expired. the chair recognizes the gentleman from michigan. >> thank you, i appreciate the opportunity to spend a little time with you all. mr. orfei hiding back here. real quickly, while we're on the breaches, i'd be remiss to say that mr. garrett's credit card
9:29 pm
has purchased three things online, and is available widely on a russian website. but the -- in all seriousness, though, that is the concern all of us have, right? when we're calling in somewhere or buying something online in a very transient kind of economy that we have i think we all have a legitimate and serious concern. i'm curious have you evaluated how breached companies are in compliance with your pci standards at the time of their breach? or have they had those standards and it's caused them to take action? or did they have them already and they still were breached? >> what i would reference is the verizon report, an objective third party that looks at the breaches for the past 10 years the findings there's two significant data points i would give you one is that 99.9% of the breaches that have occurred
9:30 pm
were preventable, and covered by the pci standard. the second point is i think that the pci standard has done a very effective job and there hasn't been one single compromise where the merchant or the entity was found in compliance. >> i'm a former state legislator as well, governor, good to see you again. i like you had those situations where we're sitting in the state capitals, we go, what in the world is washington trying to do to us now? yet at the same time, i understand when you have states doing various actions and not coordinating, and often times that's the council of state governments, alec, and other organizations like that are trying to get states to
9:31 pm
harmonize often times, but what i'm struggling with on this, you had mentioned this earlier, how does setting the national floor, but then allowing states to maintain a patchwork of other requirements -- how is that different than what we have now? you said we'd go from 47 regimes to 48. help me out somebody with what we do on this. >> congressman, i would think about this, you know, i'm a big fan of the 10th amendment, i'm a big fan of states' rights, laboratories of democracy for public policy at the state level, i believe in all of that profoundly, i come to think of this issue as a threat to the critical infrastructure of the united states of america. not just in the payment space
9:32 pm
but in the ability to do most of what we do. i think it rises to the level of being worthy of being viewed in that light and setting the table nationally, because it does threaten our ability to function. it presents. taken to any sort of extension to our economy and the nation's security. i think if you view it in that light, it rationalizes an aggressive and muscular -- >> that's what i struggle with as well. >> whether this is a commerce clause or how this is affected. you want to quickly brief us. >> most states certainly with breach notification, there's a common core of elements across the 47 plus three territories' laws, and then there are some additional elements above that. i think it's really important, for example, i believe in your own state there's a harm
9:33 pm
trigger for the breach notification law that is broader than just applying to financial harm. it's really important that we take that into account as governor pawlenty has said. if we're going to set a federal standard, let's set it high. >> i would agree, i think it would have to be high, and somebody help me out on what mr. sherman has said. he doesn't want more notifications. how are they supposed to notify you through e-mail if it's been breached. what about this cry wolf overnotification? is that a real concern? >> we think it is. we think it's important. i align myself with the most recent points made by the governor. we think it's important the consumers be able to get information quickly, information they can take action on in order to protect themselves from
9:34 pm
financial harm. a standard beyond financial harm would subject them to repeat notifications. the customer would stop paying attention to those notifications. >> finally just add a brief point before that i think in order to determine the answer to that, we should look to the state ag's who have a ton of contact with consumers. in the words of illinois attorney general lisa madigan consumers may be fatigued over breaches but they are not asking to be less informed. >> the chairman recognizes the gentleman from massachusetts. >> thank you, mr. chairman. i can barely see you guys, we moved everybody apart we'll try to communicate. i'd like to submit a letter from the massachusetts attorney general for the record. >> without objection. >> does anyone at this table think that five to ten years
9:35 pm
from now, data security and issues and challenges you face will be the exact same you face today? does anyone believe that to be true? >> technology is changing so quickly, i think it's highly unlikely the issues will be exactly the same. >> i think it's highly unlikely, i mention in my written testimony, the example of several apps that now allow you to federal your physical keys to your house and your car. >> that's great. >> thank you, i don't think so either. but then again i don't know much about technology, i struggle with a cell phone. and that's life. the one thing i do know is that something's going to be changing. i guess i raise the issue, because to advocate for a congressional solution with no ability to change a year, two, three, four years when the problems change, except to come back to congress. you are sitting here today because the congress is last to
9:36 pm
the issue. states are first to the issue like in most issues. the federal government is the last one to the fight, because we're the biggest, the most diverse, and that's the way it has been. and yet you're advocating for a situation, that we have one great law, it has no ability to be upgraded through regulation. except to come back to us. and ask us to do this all over again, which in and of itself to me is the main problem. the other issue i ask, i don't know where any of you live, i presume you must live in the general washington area. do you think the federal government, the epa should tell the state of maryland that they have to live only to federal
9:37 pm
standards on their drinking water, that the state of maryland would then be totally preempted from saying, no, no, no, we like a little less arsenic in our drinking water than the federal government requires. >> do you think the state of maryland should be told, sorry you can't do that? >> i spent seven years in the great commonwealth of massachusetts, i think you raise a very important question, how can we bring uniformity to an issue that has nationwide implications without interfering with the power of the commonwealth. >> i'm happy we're talking about federal standards. i'm a liberal democrat, i would regulate everything. i didn't know my friends on the other side wanted to join the
9:38 pm
socialist party. bernie sanders has cards, you can sign up, that's my problem. i love the idea of creating federal standards, i like two other things, flexibility in that because let's be honest most members of congress, we are not technologically capable. every one of us fumbles with our cell phones. i call my staff all the time, kick them, drop them. i throw it, i know none of you have ever done that. we need flexibility, we need the ability to move quickly, whatever the threat is today is going to change tomorrow. that's what i know. >> i would submit the eta supports the approach taken in this bill, because it has the exact flexibility you're talking about. >> that's critical. >> it doesn't dictate any technical standards, it's not up to the federal government to
9:39 pm
dictate how we protect federal security. >> we also have to have someone that knows what they're talking about, i don't know why you would want to take away the ability of the states to be more flexible than anyone else. holding to a minimum standard? i totally agree we have the same issue on everything we do. every financial issue we deal with, we deal with this issue. how much of a federal standard, we deal with insurance every day, every time we come close to thinking about the federal government, everyone gets worked up, because the states do it. the concept is right, the approach needs to be changed on those issues, to provide flexibility and maintain the state's ability to deal with it as they see fit.
9:40 pm
>> it's nice to see we're making news today, great visuals of you throwing your flip phone around the capital. he was a state legislator, i was not. i was a former hockey player. do you agree, the banks don't pay any fees when there's a data breach? i haven't heard anyone respond to that claim. >> how this gets sorted out is complicated, but it's true. subject to possible partial reimbursement in the future, as well as making the consumer whole. >> just to be clear, does the whole panel support federal preemption. does anyone disagree with that concept?
9:41 pm
i think i heard one say they agree. >> just so i understand, talking about when the card is present. what percentage of the fraud comes from a fraudster who steals data and reproduces cards and makes purchases as opposed to the guy who had his wallet lifted and someone goes and uses the action -- >> the majority of it is people scraping cards. the people who do the lost and stolen, that's a minority -- >> we talk about chip versus chip and pin, if we get to chip we're going to address a vast majority of the fraud that's taking place right now? >> is that fair to say? >> in a static world, that would be correct. there's a single line of defense between the fraudsters and their ability to commit fraud. they'll focus all their energy
9:42 pm
on breaking that. we've seen examples where they've done it already, we've simply argued that one of the baseline tactics is two factor authentication. >> are you saying there's more pocket fees out there? >> no, fraudsters will develop new and innovative ways to correct the chip. >> congressman duffy, if i may, the chip will defend against counterfeit loss and stolen at the point of sale. once that environment is secured, fraud will move to the environment. it's what we observe in the asia pacific in european theaters who have had chip technology. the chip technology you cannot clone it what we'll see it -- >> how far away are we from tokenization?
9:43 pm
>> ten years. point to point encryption coupled with tokenization. it's how we get to devaluing the data so it's useless. >> the technology is there, but not implemented yet? >> apple pay has an early stage version of -- i don't want to say primitive, but early stage version of tokenization. it's the first, one of the first tokenization platforms to come to market. >> i want to be clear. when we have a chip, does a retailer -- are they able to be maintain data about the card in their database, if you just have a chip card? >> as opposed to a magnetic strip? >> again the chip is just going to work at the point of sale. >> we heard about all the retailer that have data
9:44 pm
breaches. if we migrate to the exclusive use of chips does that mean that retailers are no longer keeping personal consumer data in their databases? >> no, no. >> which means they're not at risk to have breaches any longer? >> it's taking off the threat of the point of sale? >> it's a critical layer, but not a silver bullet. >> in the back end -- >> they don't store the information -- it could be replaced by tokenization could be protected by point to point. >> do you have any recommendations how long retailers are recommended to keep financial information about consumers? how long should a retailer keep that information. >> it's not necessary to keep that information. >> i'd like to jump in. a couple things first many retailers have instituted encryption. if it ever was acquired, it would be in a format where it would be useless to a criminal. they have no desire to keep information they don't need, or keep information --
9:45 pm
>> do they need any information. >> could retailers after 30 days, wipe those databases clean so you don't have six months of consumer data or a year of consumer data? isn't that really one of the risks we have so much data being collected and stored -- not just from the government but from retailers? >> the information that retailers collect is designed to allow them to provide the concierge type services they want. consumers generally want the returns. there's an element of information consumers have said we want to be able to -- you have this information so we can do these -- >> i don't know i've ever been asked to follow into the concierge services. that information is capped on my card. we're not asked, it's just given to us. >> the time of the gentleman is expired. you're now recognized the gentleman from texas, mr.
9:46 pm
hinojosa. >> thank you chairman for holding this important hearing today, and thank you to our panelists for your testimony before asking my questions, i request unanimous consent that my opening statement be made part of today's record. >> without objection. >> my first question is to the honorable tim pawlenty and ms. laura moy. how can a federal data security standard provide for more consumer financial security while at the same time providing security to industries across all 50 states? >> thank you for your question.
9:47 pm
for certain sectors, they don't have standards. congress creating a floor or a ceiling. we hope that a high standard for the whole country you will lift the game and the expectations and legal responsibilities for those sectors in those places that don't have a standard currently. and again this is my greated to international proportions, and i think if the members of this committee knew that russia or china or semistate agents were about to compromise the payment system, you wouldn't say, let's kick it to the states. let's let them handle it. i don't think you'd do that. whatever you do will be helpful. even if directionally, it will be better than what we have now. >> i would say a couple things one is that consumers are protected by the ftc section 5 authority, the ftc is enforcing
9:48 pm
that, they've enforced over 50 cases since 2001 consumers in 47 states and 3 jurisdictions are protected by breach laws. i think setting a floor rather than a ceiling, there's a clear pattern of what's covered. as a practical matter most companies that have to comply with the laws of multiple states are just complying with the strongest standard and are mostly okay under the other states including -- many states have a provision that allows an entity to notify some consumers who have been affected by the breach under the standard of another state. i just -- i would add on that if we are going to have a federal preemptive standard it has to be a high one and has to provide flexibility.
9:49 pm
not only in terms of what the security standard is, but what information is covered by the bill. that's a critical element we may be missing here. >> my second question is addressed to mr. jason oxman and mr. brian dodge. given the ever increasing sophistication of our cyber attacks, do you think a catastrophic attack which can have severe repercussions on the financial system as a whole is imminent and what can the federal government do to help prevent such an attack or prepare to respond to such an attack. >> thank you for the question. the possibility of such an attack is always on the minds of the payments companies, and preparation for those attacks is, of course, something that is always included in all the operational plans of all the companies that we represent.
9:50 pm
our sincere hope is that something like that never happens, but we do recognize the important role that the infrastructure plays in empowering commerce in this country. and protecting we are focused and prepared for that. it is our sincere hope that nothing like that comes to pass. >> thank you. mr. dodge. >> in terms of your question about what congress can do, i think the focus on data security to avoid such a catastrophic event is incredibly important. we believe that the way that you get yourself to a stronger environment is layers of security. and congress can help with that by doing as the house did last month, passing information sharing legislation. but also as we're talking about today, providing clear and strong guidance for businesses on how they should maintain their systems to ensure cybersecurity. and then providing the flexibility for businesses and for regulators to adapt to that threat over time. there's no doubt that the threat
9:51 pm
is increasing, the level of sophistication is growing fast, and we need to be able to stay involved. the last point is, we need to look to where our greatest vulnerabilities are. the greatest vulnerability from is the merchant community is the cards. the weakest technology -- security technology enabled in the world today. when we move to chip technology without the pin like has been instituted in the rest of the industrialized world, we will still have the lowest level of security in the world, and fraud will continue to flow toward us. >> thank you. my time has expired. i yield back, mr. chairman. >> time of the gentleman has expired. the chair recognizes the gentleman from south carolina, mr. mulvaney. >> thank you mr. chairman, and thank you to everyone on the panel for helping us try to do something we don't do enough, try and collect information, which is what i'm trying to do. i'm not here to beat anybody up. i have an honest-to-goodness question. i think it's directed to mr. pawlenty and mr. dodge.
9:52 pm
i welcome everybody to chime in, okay. say that mr. capuano steals my credit card which is possible because he's that kind of guy even though he's not here yet. he goes to the -- he goes to my local gas station or his local gas station, slides it in there, happens to -- maybe he knows my zip code. and buys the gasoline with my stolen credit card. i catch it when my statement comes in next week or get an e-mail notification, which i think is a service my bank provides which i enjoy. i catch it, call the bank and say someone stole my credit card and used it to buy gas in massachusetts. they say, okay, we'll take it off your bill. who eats that loss? the retailer, the bank, who eats the loss for the gasoline bought with a stolen credit card? >> first i would say if a pin was required, the fraud would have never occurred in the first place. >> okay.
9:53 pm
>> you wouldn't have that. secondly, there's a difference between data breach, fraud repayment, and traditional fraud repayment. >> okay. >> there would be based on the contracts that the retailer signed with the card networks, there would be an evaluation of where was the weakest link in the system. so if it was a stolen card, it was reused, then it would probably -- i don't know the answer to that question. that's how it would go. it is determined by -- >> whoa, whoa. is -- >> but on -- in many cases, almost all cases, an element of fraud was charged back to the retailers. >> mr. pawlenty? >> initially somebody has to give the cash back if it's a debit transaction or value. so it's the bank. >> again, i'm -- >> it's the issue -- >> the credit transaction. >> it's the issuing bank and they sort it out afterwards as to who pays what. in terms of who eats most of it initially in our view over the long term of the discussion, it's the banks. >> here's why i ask the question, guys.
9:54 pm
and -- i have my banker friends come in and tell you, look, we have to do something because we eat all of this loss. last week, i had some convenience store people come and say, look, we have to do something because we eat all of this loss. are both of them eating a little bit of the loss? is that what comes down to? i see some nodding their head, usually a good sign. >> i included in my testimony a schedule of repayment that shows the fees and structure of the contracts that obligate merchants to repay in the wake of a breach. those are reissuance costs, costs to reissue cards, and fraud, fraud associated with the breach. every day on every transaction processed, the merchant pays a fee, an interchange fee, swipe fee. an element of that fee is a prepayment of fraud. it goes into an account. whether fraud happens or not, they prepay every day. how that's divided up by the banks is a great question for them. but we know we pay it on every single transaction. >> i got it. >> congressman, if i could -- >> please, yes.
9:55 pm
>> the hypothetical you asked has a simple answer. that is the card issuer is responsible for that fraud. a lost and stolen fraud you described is never the responsibility of the merchant. since your card was stolen out of your pocket and you hadn't reported it stolen, when the card was used and transaction authorized by the bank at the gas station, the issuing bank has responsibility. you don't, and the merchant doesn't. >> thank you. i think that leads to my next question. does the analysis change -- i think i've got it now -- for a stolen card, capuano steals my credit card, i get it -- he would do that, too. what if the card is counterfeit? is it any different if someone gets it from target, gets my information from target, create a counterfeit card and use it, is the outcome different? is the distribution -- who bears the loss different? mr. oxman? >> as it stands, the analysis is exactly the same in the case of a counterfeit card. the issuer would have responsibility for that. the merchant would not. the migration to emv chips that we've been talking so much about this morning actually changes
9:56 pm
that calculus. and the responsibility for the fraud after october of this year will actually fall on the party to the transaction whether it's the merchant side or issuing side that has deployed the lesser form of security. not to get too complicated, but if that card that you're talking about has been counterfeited and it was a chip card and the issuer has issued chip cards but the merchant hasn't installed chip readers, then the merchant will have responsibility for that fraud. that's a change to the current system which is the issuer takes responsibility. >> then finally, if i can have the indulgence of the chairman for 15 more seconds, the third example of fraud is the online fraud. there's no card present, we're online buying airplane ticket. who bears the risk of loss on that one? >> merchant 100%. 100%, the merchant is subject to the fraud cost. >> gentlemen, thank you very much. i appreciate the information. >> time of the gentleman has expired. chair recognizes the gentleman from missouri, mr. clay. the ranking member of our financial institution subcommittee.
9:57 pm
>> thank you, mr. chairman, and i wanted to note that i am so glad to be back in this refurbished hearing room. let me ask mr. orfei, you know at the end of your testimony that not a single company has been found to be compliant at the time of their breach. but in many cases firms that have been breached were at one point pci compliant. how does your compliance framework lend itself if at all to ongoing monitoring of pci compliance? what role does the pci play in monitoring compliance? >> thank you for that question. yes. 99.9% of compromises were preventable and covered by the standard. and if you think about our standard, what we're advocating
9:58 pm
is a move away from compliance to a risk-based approach. and we are advocating vigilance and discipline and being methodical in close adherence to the standard. security is a 24-by-7 responsibility. it's not a matter of compliance, what we see happens is a company works diligently to bring its organization into compliance, they high five each other on thursday and friday the environment starts to deteriorate. it's about being disciplined, methodical, and paying attention to the fundamentals, sir. >> thank you for that response. mr. oxman, although chip technology is fairly new to the united states, it's been around for decades and is ubiquitous in other parts of the world. given the rapid pace of
9:59 pm
technological development, are we not at the point where other types of security measures are more appropriate for use in connection with u.s. payment cards and payments in general? >> thank you for that question, congressman clay. you're right that the chip is a well-developed technology. the good news is the payments industry recognizes, as you've heard this morning, that the chip addresses one type of fraud that happens to be the most prevalent form of fraud here in the united states today. that's counterfeit card fraud. so the chip implementation will address that type of fraud. but as you noted, other types of security are important, as well, which is why our industry is deploying a layered secured technology approach which includes the chip in cards. but tokenization which replaces account information with a one-time-use cryptogram that can't be reused. it as includes point to point encryption. it secures all entry point into
10:00 pm
the payment systems. that layered approach with multiple different technologies, as you suggested, is in recognition of the fact that the chip card addresses one type of fraud, but we need to do much more. criminals are much more sophisticated. >> thank you. for anyone on the panel, how prevalent is fraud in the case of online checking? is that pretty secure? can anyone respond to that? >> online checking? >> yes. >> certainly e-commerce is an environment where there's limited security options for merchants to employ right now. it's a frustration the fact that e-commerce is such a big part of the economy and no strong means of security is a considerable frustration. back to your first question a moment ago, though, i want to note that jason's point about all the levels of the different layers of technology is a good one. that we need to be evolving to the next generation of technology. we need to be finding more ways
10:01 pm
to make tokenization and encryption work specifically for the e-commerce environment. today there's 1.2 billion cards circulating in the united states. most of which have technology in. later this year when we see more chip cards, we'll see early 2,000s technology. we aren't keeping up and we need to do a better job of errors occurring. >> thank you very much for your responses. mr. chairman, i yield back. >> the chair recognizes the gentleman from north carolina, mr. pittenger. >> thank you, mr. chairman. thank you for hosting this hearing. and thank you, each of you, for being with us today. governor pawlenty, according to the identity theft resource center, financial institutions were responsible for less than 6% of breaches in 2014. some could draw the connection with this fact that the financial institution has been subject to the gramm-leach-bliley act since
10:02 pm
1999. do you think this is fair? >> i do. i don't think there's disputes that the financial sector has the best defense and capability and resiliency in the space. as everyone knows in the room, even financial institutions get breached. relative to other sectors, we're more advanced and get breached less. that's not a bragging point, it's about what caused that. it caused investment, caused by investment, hard work, technology. and i believe that gramm-leach-bliley set a standard, and people tried to adhere to the standard. plus, we get examined by our regulators to the standard. i would say that contributed to the state of the industry's cyber-defenses in the relative good quality of it. >> thank you. yes, sir? >> congressman, i would note that the annual verizon cybersecurity report is sort of considered to be the gold standard for cyber-reporting. it found that last year there were 2,100 data loss cybersecurity intrusions.
10:03 pm
of that, 277 financial institutions and 167 were retail businesses. there are 1,000 times more retailers operating in the u.s. i don't think we should have the philosophically that a single regulation can guide us to successful cybersecurity -- >> mr. dodge, let me build on that. building on the chairman luetkemeyer's statement earlier and reference to legislation, it does to develop and implement a program that ensures security and confidentiality of sensitive information, it is appropriate to the size, scope, and sensitivity of this information. this is written to create some measure of flexibility so the standards are modified. do you think this is a good approach in terms of creating these flexibilities of standards? >> so, you know, we applaud congress for looking at lots of ways to address this issue. i think what's important is that we look at the regulatory environment as it exists today and recognize that the
10:04 pm
gramm-leach-bliley act was written specifically for the financial services community, and that there's a very strong regulatory regime that applies to most of the rest of the business community. and that is enforced through the ftc. the ftc has moved aggressively over the last decade and established a clear and strong set of standards that businesses have to comply with. we think that is the way to go -- >> let's refer to this. it says the provision of the bill says a covered entity's information security program shall be appropriate to the size and complexity of the covered entity, the nature and scope of activities of the covered entity, and the sensitivity of the consumer's financial information to be protected. what other flexibilities do you see would be needed that would ensure that consumers are protected but not prevent adaptability for future threats? >> so the language that you cite is not dissimilar.
10:05 pm
we think businesses have to be a clear understanding of what their obligations are and that the enforcement agency has the ability to evolve their interpretation of that law over time to meet new threats. and businesses of different sizes and businesses that require that they collect different kinds of data should be treated based on their size and the kind of information -- >> and this legislation seeks to do that. isn't that right? >> based on your -- what you quoted, that sounds right. but as i've said, we believe you need to look at the regulatory environment as it exists today, and work within that. the debate here today is it how do we pass a law that could provide businesses with more clarity and the ability to evolve with the threat. i don't care that the objective should be to shoehorn a law that was written for one industry to apply to the entire business community. >> i don't think that's what
10:06 pm
this does, according to what i read. i think it clearly states the provisions reflect the size, scope -- it personalizes it, creates the flexibility. >> and i appreciate your focus on that because we agree with the need for flexibility. we simply are looking at the proposal in its entirety, and it's hard to separate things out without talking about how it would affect it when it's merged together. >> thank you. i yield back. >> the gentleman yields back. the chair now recognizes the gentleman from massachusetts who did not steal mr. mulvaney's credit card in his hypothetical, mr. lynch, recognized for five minutes. >> thank you, mr. chairman. i appreciate that. i want to thank the witnesses for your testimony. ms. moy, on the question of federal preemption, when we talk about complete federal preemption, we're talking about a federal standard and at least as far as this legislation goes, we're talking about federal enforcement as well, that's
10:07 pm
being taken away from the attorneys general of the states. even further it looks like the notification for breach will be taken away from the fec and given to the ftc. consolidating that, as well. as well, it might involve, if i'm -- i'm not sure if i'm getting this correct. if we have a federal standard and a retailer or business complies with that federal standard, does that imply some type of immunity for the individual retailer if they're complying with what the feds require, is that holding them harmless from any liability? >> i'm sorry, you mean in an environment where there is -- where this creates a floor and not a ceiling and states continue to have -- >> well, this would be a
10:08 pm
complete obliteration. total preemption. you'll have one -- it would be a ceiling. would be a ceiling. is that implying some immunity or protection from liability for the complying company? >> yeah. i mean, you know, a company would only then be liable as it would be held liable under the federal law. any additional obligations of the state law that had previously existed would no longer be -- no longer be actively enforced. >> under this legislation that would be problematic because, as your testimony indicated, it only recognizes financial harm. right? there's a trigger -- well, actually, personal -- there's a financial harm trigger. i think there's also a trigger for very narrow set of personal information. >> actually, i'm not sure if there is -- i thought that -- i was under the impression that the financial harm trigger applies to everything.
10:09 pm
but perhaps you're right. i'll look at that -- >> if i may, congressman, the provisions of the bill of 2205 also provide for triggers related to identity theft, as well as financial harm. >> right. yes. although many states, as i noted in my written testimony, either have no harm trigger at all recognizing that consumers want to be notified of breach of certain classes of information and want to be able to safeguard that information regardless of whether or not it could be used for identity theft or financial harm, and -- and a clear majority of states have either no trigger or a trigger that's broader than just financial in nature. >> one of the problems i have is that this introduces a federal standard. and it takes out the states -- massachusetts happens to have a very robust consumer protection privacy framework that i think will be harmed. we also have -- we've been blessed with attorneys general
10:10 pm
that have been very active in defending consumers. and some cases as you pointed out, i think the average case of breach in massachusetts, we had 2,400 last year. the average size was 74 consumers. that's not the type of thing that the ftc will go after in my opinion. >> that's right. that's why we think it's critically important if we want to ensure that all consumers are protected by a federal standard. it's really important that we have as many people keeping an eye on what's happening with breaches and working with companies to help develop their security standards and working with consumers to respond after their -- after the information has been breached and to watch out for potential harm that could be coming down the pike. it's really important to have the involvement of the state a.g.s in all of that. >> if we did introduce -- i'm in favor of introducing a very high floor across the board that i
10:11 pm
think would subsume maybe close to 40 states. i would like to have flexibility for states that, number one, they're more flexible. congress is not known for speed at all. having the states out with the ability to provide additional protections especially in the face of the sophistication of some of these hackers is very, very important in my mind. there is incongruity in the bill. it talks about the federal standard, and then it says every covered entity will be responsible for adopting a system of security protection that is commensurate with their size, their complexity -- the gentleman from north carolina brought this up in a different context. how do we deal with that where a
10:12 pm
pizza shop, coffee shop, a bank, banks were a different class. but each and every company is going to be able to right size the level of protection. but in reality, that stream of information that is breached may not be compartmentalized. >> i'm sorry, what do you mean the information may not be compartmentalized? i'm sorry. >> well, if they hack into your e-mail and password, that opens a whole other door of information that they can access that might not be readily evident, you know, based on where they entered the stream of information. >> right. sorry, may i respond -- >> a very brief answer. >> sure. yeah. i would say there are certainly log-in credentials that can be -- because people recycle passwords can be used across account. that's an important reason. >> thank you. time of the gentleman has expired. the chair recognizes the gentleman from california, mr. royce, the chairman of the house foreign affairs committee. >> thank you, mr. chairman. there has been a lot of discussion here about the current liability, what it looks like. i guess one of the questions is what it should look like. and if i could ask governor
10:13 pm
pawlenty, i had a question here. when a data breach occurs, how should we allocate the financial responsibility for that breach? for example, if a breach of sensitive customer information occurs at a financial institution and it's shown that the institution did not protect the customer information as gramm-leach-bliley requires, do you agree that the financial institution should be responsible for the cost of the breach? >> congressman royce, yes. we believe that the entity that was negligent or entities, plural, should be responsible for their negligence. >> okay. then governor, should the same be true of the merchant? if there's a breach with a high likelihood of harm being done to the consumer, should the merchant be responsible for the costs associated with that breach to the extent that the entity has not met minimum security requirements.
10:14 pm
>> congressman royce, absolutely. >> mr. dodge, i would ask if you agree on that point. >> i would tell you that we do agree because that is what happens today. today merchants are obligated if they have a breach by contracts signed with the card network to reimburse the banks for the fees associated with the costs. in addition to the fees they pay every day every time a transaction which is obligated to prepayment of fraud if it happens or even if it doesn't happen. fees are being paid constantly. >> the next question i was going to ask governor pawlenty is, it's been proposed by some that consumers should receive notification of a data breach directly from the company that was breached even if they have no relationship with that company. wouldn't a simpler solution be to allow the notice to come from the company that the consumer gave financial information to directly while also allowing the company to identify where the breach occurred if it is known?
10:15 pm
it's my understanding that there is currently no law, no contractual obligation that would preclude a financial institution from identifying the institution where a data breach occurred when sending out a notification to their customer. is that your understanding, as well? >> congressman royce, yes, and of course you might imagine if there's a breach, it unfolds in the early hours and days with a great deal of uncertainty and sense of crisis around it so as people think about what they're going to say publicly and sending out notices, particularly if it incriminates another company, you want to make sure that you're articulating that correctly and accurately for fear of liability. i think some companies don't name names in those initial notices over some of those concerns. >> you know, as we look at the
10:16 pm
cyber-attacks and see this increasingly as we talk to the europeans and asian governments, a lot of these are being conducted now by state sponsored or state-sanctioned entities. we actually, for example, see individuals traveling from a certain bureau in north korea to moscow to be trained. then we see their conduct with respect to the banking system in south korea and the attempt to implode the system in south korea with the direct attacks. what can or should be done in the view of some of the panel here to hold these countries accountable in situations like this? how do we do that? >> to the extent this has evolved into an encourage dynamic and you have state sponsored or semi state-sponsored activity, the united states has to respond in kind at a level of country-to-country discussions and fortunately consequences.
10:17 pm
as you may know, under current law the only entity that can fire back, if you will, in cyber-space is the u.s. government. private entities cannot hack back. and so the deterrent or consequences for this potential can only come from the u.s. government. lastly, there needs to be rules of the road internationally. we have rogue states, semi rogue states acting recklessly, irresponsibly in a very concerted fashion. what you see in terms of payment disruption is relatively minor. the consumers get reimbursed. it's inconvenient, menacing, concerning, you should act on that alone. but compared to some not-too-fanciful scenarios where the entire payment system is disrupted or another piece of critical infrastructure is disrupted, that's something you need to be thinking about. >> we've seen the iranian attempts here. have you seen that in your industry? >> we're cautioned not to attribute. but it has been reported publicly. north korea was involved in an incident, an attack that was attributed to them and i think
10:18 pm
you have seen public reports of russian sponsored entities and on down the list. >> thank you very much. my time expired. chairman, thank you. >> time of the gentleman has expired. recognize the gentleman from new york, mr. meeks. >> thank you, mr. chairman. first, mr. oxman, let me ask you this question. same line after 9/11 we talked about having all of our intelligence agencies working closer together, et cetera. so here when you talk about preventing data breaches there with a number of entities that are concerned, whether you're device manufacturer, a network operator, a financial institution or app developer. seems to me that would be important that these entities work together to develop an effective mobile data protection solutions. in your estimation is the industry working in a
10:19 pm
collaborative way, all of the interested parties? and what, if anything, do you think congress can do to ensure greater collaboration so that we can make sure that everybody is working together to try to eliminate this huge problem? >> thank you, congressman meeks. the good news is yes, sir. they're working enormously smoothly together to deploy the things we need out in the market against the increasingly sophisticated cyberattacks. they're working through pci to deploy chip technology in cards, like tokenization, and like encryption to secure points of entry against intrusion. the ecosystem is enormously complicated and involves a number of different players, from
10:20 pm
financial institutions, merchants, consumers, device manufacturers. as we move to new technology it's going to become more complicated. but the good news is we're working very well together to deploy all of these next-generation technologies, because we share an interest across the ecosystem in ensuring our customers feel comfortable shopping at our stores and using electronic payments. what can congress do? i think h.r. 2205 represents the ideal vehicle for what we need congress's help on. that is unifying a patchwork of state laws that are inconsistent and incompatible with one another to address how we let consumers know when something does go wrong. we need to make sure we're all on the same page when we let our customers know if something happens. that's where i think congress can be helpful. >> thank you. let me ask mr. pawlenty.
10:21 pm
i know and i believe, from reading your testimony, you noted that the emv chip cards have proven very effective. i've got a number of cards to switch out; make sure you have the chip. one of the questions -- this happens with my daughters, et cetera -- they're doing more and more shopping online. people are not going to the store as much. they're going shopping online. and it seems as though there are more frauds taking place when people are doing this shopping online. can you share with us ways in which firms are innovating to protect customers, consumers who rely more on online shopping, so we can prevent fraud in that regard? and, again, like i asked mr. oxman, ways that congress can ensure greater data breach protection as we move away from in-store purchases. it seems as the new generation
10:22 pm
is online -- my daughters won't go to stores anymore. everything's online. what can we do in that regard? >> congressman, great question. as was mentioned earlier, the chip cards will go a long way toward eliminating or greatly reducing card-present fraud, for the reasons that were mentioned earlier. that's progress and good, and we applaud that and enthusiastically embrace it. as we've seen in the other emv-adopted countries, the fraud shifts to the online environment. what happens, of course, is if you make an order online, over the phone, or otherwise, you enter your credit card number and code and expiration date, and away you go. if i have that information from you, i can make the transaction online. it's loose, to put it mildly. the future of that in the near term is a technology platform called tokenization, which will allow that transaction to occur with a unique set of data that connects the needed data to finalize the transaction, but the
10:23 pm
personally identifiable information isn't necessarily transmitted as part of it. it's a token. that's coming. it's just around the corner, and it's in the market to some extent. the cost is coming down, the ubiquity -- it's becoming more ubiquitous. that will be a big part of the solution. it was invented ten years ago. there will be something else that will come next. >> the time of the gentleman has expired. the chair recognizes the gentleman from maine, mr. poliquin. >> thank you, mr. chairman. i appreciate it very much. and thank you, all you folks, for being here today. i really appreciate it. mr. oxman, i know you and i both are from maine, probably the safest state in america. we invite all kinds of other folks to come up and enjoy our state. that being said, we are not immune to folks who are stealing our credit cards, credit card numbers, or using our debit cards fraudulently, what have you. we know there's a problem; the problem is across the country, even the great state of maine.
10:24 pm
that being said, one of the things that i've heard this morning that i'm delighted about is that there seems to be some common ground, a lot of common ground, when it comes to the fact that there is an issue with cybersecurity. we all know it's there. you folks all agree to it, even though you're from different parts of this space, if you will. and i've also heard, if i'm not mistaken, that there's consensus that we need, instead of 48 individual laws that we have to deal with, one national standard; it would be helpful when it comes to notification. i'd like to hear from each of you, and we'll start with you, governor, if you don't mind terribly: what is on the top of your list? what else would you like to inform this committee about that would be helpful for all the players in the space to make sure our consumers in maine's second district and throughout the country are well protected with bank accounts, credit cards, what have you? what could you advise us today? you're members on the ground. you're much closer to this problem than we could ever be.
10:25 pm
please tell us. >> that's a great question. you think about notification: it helps notify people that there was a problem and now we need to clean up the mess. that's little consolation for people who have had the mess visited on them. it's helpful. as to standards, it will help as people raise their game. i think this entire space is going to evolve in a very interesting and probably disruptive fashion over the next ten years. the things we're talking about here today in terms of technology platforms, as was mentioned earlier, will look very different ten years from now. i don't think we'll be walking around with pieces of plastic and pins. the whole thing is shifting increasingly to mobile and other ways to make payments. so i would say it's going to come from the technology sector: big changes. good changes. >> mr. dodge? >> i'm glad some attention is being paid to collaboration. i think that's an important outcrop from these catastrophes, this focus. last year, we collaborated with the
10:26 pm
financial services roundtable and the electronic transactions association, with a whole bunch of merchant and financial service associations, to talk about the challenges, to try to find common ground. collaboration has also found its way into the information sharing, the threat information sharing world, where businesses can share threat information. the rising tide -- a maine term -- rising tides lift all ships. the ability to see a threat deflected and share with others what you saw and how you did it is important, and we congratulate congress for passing legislation on that last month. i think one of the things we look toward is how do we enhance the security to the 21st century and beyond. the card security today is weak. it needs to improve. there's a half step on the calendar for later this year. it's only a half step. we need to get beyond that. we want to see congress focus on that and certainly want to see the business community that's responsible for creating those cards focus on it, as well. >> mr. oxman? >> thank you, congressman. i'm excited about the change in
10:27 pm
technology we're seeing in our industry. i think if there were one thing for the committee to be aware of, it's that there is no need for an inquiry into the technology, because the industry is working together to deploy it. you know, my first job was as a bank teller, the summer after my first year in college, in the heart of the second district of maine. and the hot technology in the '80s was the atm machine. today consumers can buy things with a watch. it's amazing what's happening out there. i think the good news from congress's perspective is the industry is deploying technology safely, securely and reliably. we'll get it done. >> apple pay, google, foursquare -- these are developing much more than i understand of how to pay for goods and services you buy online through a mobile device. do you see any problems coming down the road with those types of technology, or is that where it's going to go and where it should go, in your opinion? >> this technology is incredibly exciting, particularly because it
10:28 pm
allows us to deploy more robust security alongside it. the way to think about it is it's a new means of implementing a payment transaction: initiating that transaction using your watch or phone instead of a plastic card. and that watch or phone or whatever device has many more security capabilities than the plastic card. it's a good thing for consumers. >> unless here in this country we go down this path where we continue to work on this problem and find solutions to it, aren't we exposing consumers and families and businesses to more cyber-risk if europe is ahead of us and other developed countries, parts of the world, are ahead of us? >> may i have that question? i think technology will evolve, and we'll have good answers. particularly, mobile will be the future of payments. i think what's key is this information sharing effort that's in progress now: being able to collect information, translate it so it's actionable intelligence, and that will allow us to
10:29 pm
preempt attacks from organized crime, rogue states, and state-funded actors. >> thank you all very much. appreciate it. thank you, mr. chairman. i yield my time. >> i thank the gentleman. the gentleman from georgia, mr. scott, recognized for five minutes. >> yes, governor pawlenty, i'd like for you to address this and they can chip in, as well. with the challenge for our migration of the emv chip technology in the united states basically due by october 15th, why are u.s. consumers only now receiving the chip cards when consumers in europe and canada have had them for many years? why are we behind the eight ball? >> there's some unique history as it relates to how europe got to where it is, relating to technology. their telecommunication system, how they did batch processing,
10:30 pm
how that works relative to how we did it in the united states. i think, to sum it up here, i would say the transition from what we had to what we need and where we're headed next has been -- is a very big transition. think about the millions and millions and millions of point-of-sale terminals that would have to be chip-ready. now only about 25% of retailers can even take a chip card. they would have to flip their systems, point-of-sale systems, back-room systems; payment networks have to do the same; the banks have to do the same. it's a massive transition. you know, would we have benefited from it being done earlier? probably. but we are where we are, and now we need to get it done as quickly as possible. this is highlighting the urgency of it. >> okay. now, since we have such a brain trust of cybersecurity before us in this distinguished panel, i want to shift for a moment. are you satisfied, and how would you describe the national
10:31 pm
security threat to our country as a result of cybersecurity as a national security issue? i think it's one we really, really have to deal with. and how would you relate that particularly when we've had attacks on our cybersecurity from china, russia, from iran, from north korea, isis, al qaeda, other terrorist, now our military bases are put on heightened terrorist attack alert at a level we haven't seen since 9/11. how -- what is it that we need to do more, and how do you address and how do you rate this threat at its present time as a national security issue?
10:32 pm
governor pawlenty or any of you? >> i'll say, congressman, i would rate it as a clear and present danger. that's why i said what i said earlier. i think particularly for folks who are on the republican side of the aisle, it's comfort -- not as comfortable to say we're just going to do something uniform across the country. i think this has elevated not just the card and processing, but many other aspects of this, to a national security issue. we have known, identifiable threats to the critical infrastructure of this country that would impair not just the economy but the health and well-being of our citizens if deployed at any sort of scale. so it is a clear and present national security threat that i think needs to be addressed with that kind of urgency and that kind of seriousness and that kind of weight behind it. >> and congressman scott, it is a question that is answered largely by technology. and thank you for your leadership in taking a founding role in the congressional
10:33 pm
payment technology caucus because technology companies, including many from the great state of georgia are out deploying systems networks. and there's no question that the payments industry is focused relentlessly on this because of the security of networks and reliability of networks and systems is why consumers choose electronic payments as their preferred method of engaging in commerce. we need to make sure that remains a confident factor for consumers. >> and, mr. oxman, how ready will we be? october's right around the corner. what are your expectations? have we set that date? have we -- is it accomplishable? >> yeah, congressman, the migration in october to the chip cards is a date that we've set as a milestone. and it's a lot of work to do. 1.2 billion cards in consumers' wallets need to be replaced. more than eight million merchants in the u.s. need to
10:34 pm
upgrade their systems in order to accept chip cards. that's going to take some time. will we be completely finished by october? the answer, frankly, is no. we won't be all done. we'll be largely there. most importantly, the industry is entirely unified in recognizing the importance of making this infrastructure upgrade. we're doing it, we're working together: merchants, financial institutions, payments companies, and consumers. we're going to get it done. >> thank you, mr. chairman. i yield back. >> i thank the gentleman. now the gentleman from arkansas, mr. hill, is recognized for five minutes. >> thank you, mr. chairman. i thank the panel for being with us this morning. on mrs. maloney's comments about gramm-leach and the impact on banks: having run a community bank for the entire history of gramm-leach's existence, i do think it was flexible in the standards when it comes to examination and practice, both
10:35 pm
in scope of business and not. so i think that's something that's worked well in the financial services industry. one question i have i'd like the panel to react to, what role does reliability insurance -- liability insurance play? i know in our company we took out the coverage at the modest premium for notification coverage which was sort of what was recommended by the underwriters. didn't find it very compelling or particularly useful. but in a large breach, it certainly would be helpful to pay the out-of-pocket expenses. but what's happening in the liability arena on insurance coverages for entities beyond that? what standard are they setting when they come to underwrite a retailer? let's start with you, mr. dodge, about data breach. there's obviously a mathematical loss for one of your members. >> sure. i'll acknowledge i don't claim
10:36 pm
to be an expert on cybersecurity liability insurance. i have perspective. first, it's an immature market, pretty new, and rapidly evolving. i know the administration is working on ways to make that a more mature, more competitive market. retailers, many retailers are looking into, many have purchased liability insurance as it relates to cybersecurity. i don't have a number, but i suspect the number is growing by the day. and one of the challenges they all face is where exactly to price it. they don't know how much to get, and they don't know if they're getting a great value for it. but they know that it's important to have. they're working on making sure that that improves over time. i think your point's a good one. >> also in the verizon report that's been mentioned, only about 20% of those breaches are as a result of the retail and banking industry which means 80% aren't. and we haven't heard one question about that today. just last week, i got a letter from the arkansas medical society where over 60 physicians
10:37 pm
had their identities stolen when they filed their income tax returns. they didn't know it until they went to hit "send" electronically to the irs and suddenly learned they had already filed their return, which, of course, they hadn't. can you reflect on the standards that we've talked about today for that other 80% that we have not -- that's not represented here today? or maybe mr. oxman and mr. orfei, you might take that one. >> thank you, congressman hill. and i do think that is an important issue, because the harm that consumers suffer from identity theft can in some circumstances be as impactful as the harm suffered from the theft of financial data. and i think h.r. 2205 does a good job of making sure that all entities, not just retailers and financial institutions and payment companies, but all entities that have storage of or access to the sensitive personal information, are required to
10:38 pm
abide by the federal standards that h.r. 2205 would put in place. and i do think that's a very important component of the bill. >> anybody else want to add on that? >> well, i think the fundamentals of the pci standard are applicable across all vertical markets. i also share your concern; in my discussions with law enforcement, the health care systems in particular will be the next big target. protecting that data and following adherence to the pci standard would benefit those industries, as well. >> i think it's a little, you know, odd that with hipaa we can't even have a conversation about our aunt's health with a doctor without everybody jumping through hoops. but we've obviously got health care data at risk; that's financial data. and this irs situation is financial loss. i mean, i think this is a serious matter, certainly as serious as having one's credit card number compromised. so i'm glad to hear you say that
10:39 pm
you have comfort that the standards in this bill will help in this other 80% of the issue that we're not addressing today. thank you. mr. dodge? >> i would say, you know, we also endorse a strong, reasonableness standard, one that provides businesses with a strong expectation of what government considers to be reasonable standard. we believe it should be enforced by the ftc. and we've endorsed the legislation that came out of the energy and commerce committee to do just that. we think it's important as we're addressing this issue that we first look at the regulatory landscape, and design solutions that fit within that rather than moving regulation design from one industry, in this case the financial services industry, to the rest of the economy. >> thank you for that comment. i yield back. thank you. >> i thank the gentleman. now the gentlewoman from wisconsin, the ranking member of the policy committee, ms. moore, recognized for five minutes. >> thank you very much for that elevation. i just want to thank all of the witnesses for taking the time and being patient with us.
10:40 pm
and i can tell you that you guys almost -- and ms. moy almost answered my questions when other members were asking them. so i do want to apologize if things seem redundant. let me start with you, ms. moy. you talked about having a federal standard, a floor standard. you talked about the ftc really providing that service at this point. i guess i want your opinion or knowledge about whether or not you think the ftc is currently staffed up and resourced up enough to continue the stewardship. how much more would it cost to do it? how many more employees would we -- do you anticipate? is there a necessity to create a new agency? >> so i apologize, because i don't have those numbers for you,
10:41 pm
although i could do some research and try to help you answer that question. i mean, i do think the ftc is doing a pretty good job enforcing data security, specifically with the biggest cases. at the state level, the states are active in this area, as well. also enforcing sometimes their own data security standard and sometimes a standard that they are drawing from there, from the authority of their general consumer protection acts, the mini ftc acts. but -- so i think it's really important, though, to preserve the ability of what the states are doing, to preserve the ability of state a.g.s to continue to provide that important service. and -- and to set our new standards at a level that will continue to preserve protections for pieces of information that would not be covered by the legislative proposals we've seen. for example, in your own state of wisconsin, the breach notification standard would extend to dna and biometric data that's not necessarily covered
10:42 pm
by what we've seen in some legislative proposals. >> i really would like to know how much this will cost. and in keeping with that same theme, mr. mulvaney was sort of going down this road about who pays for the cost of a breach. and on october 1, 2015, there's going to be a merchant liability shift. we're at the custard stand here, and i've gotten my smartphone to be able to swipe my card. you know, how much is this going to cost me, or do i just take risks and say i'll just take chances for a few years until i get my business up and start franchising my custard store? how much will it cost me to be compliant? >> congresswoman moore, the good
10:43 pm
news is, for a small business interested in upgrading infrastructure, the costs are very low. you can get an emv chip device from square for $30. >> okay. >> if you want to go that route. or get it from a payments processor for not much more. the cost is very low for the merchant. the good news is that, with the october liability shift date that you're talking about, if the merchant makes that small investment in the upgrade to chip cards and if the card issuer has issued chip cards, the liability for the fraudulent card rests with the issuer. the merchant is exactly the same as today, as long as they have made the investment in the infrastructure. they don't have liability for a counterfeit card transaction in that scenario. it's good news for the merchant. >> that was the answer that was escaping me this entire hearing. i mean, how much is it going to cost gwen's custard stand to do it.
10:44 pm
obviously there will be a lot of costs for atms, and i guess that's a little more costly. how much will it cost to update all the atms? >> yeah, the atms and actually fuel dispensers, so gas stations, actually have an extra two years to upgrade their infrastructure, because it's complicated to actually take the credit card equipment out of an atm or gas pump. they don't have to worry about upgrading infrastructure until october of 2017 for those two industries. >> okay. my last one is for governor pawlenty. i guess, as the head of the financial services roundtable, i'm curious about why it's taken us so long to do this, why we're behind europe and canada. and you testified we're going to stay behind. >> some of the countries that went to emv didn't have much legacy technology to begin with. they could just jump to it as
10:45 pm
first adopters. other countries have other histories, like the u.k., for example, in an era where telecom was expensive. they loaded up all the transactions and processed them at the end of the day called batch processing. the ability to do real-time communication via telecom had something to do with how and when things evolved. all that being said, i think the u.s. has been slow to this issue. but the fact of the matter is we see the need, obviously everybody does, and moving as quickly as possible to implement it and for good cause -- >> mr. chairman, i realize my time has expired. i want to ask governor pawlenty, are the vikings going to be as bad as they were last season? >> did you say the packers? [ laughter ] >> the vikings? >> i think the big question is, is how do we get some of that custard. [ laughter ] >> the vikings are going to be better this year. >> the gentleman from florida now, mr. ross, is recognized for five minutes. >> thank you, mr. chairman, and thank you, panelists. i can only preface my remarks by
10:46 pm
thinking back to the early 1980s when i was installing computer systems, 16-bit processors in pharmacies across the eastern united states. we would use a dial-up modem to update drug prices and process data. at that time "war games" came out starring matthew broderick showing how we can hack into the intelligence computer that started an international war game. and we've evolved today to where you go to walt disney world and get a magic band that has all your data, shows disney exactly where you are, what you're doing, what ride you want to be on, all your billing information. the evolution of technology has been a tremendous benefit to us. it's given us the path of expanding our commerce and economy tremendously. and obviously it has given opportunities to those that seek ill will against us. and that's why we're here. one of the institutions of higher education, university of south florida, rests in my district. and two years ago, they were designated by the florida legislature to be the center of cybersecurity, an academic
10:47 pm
program. now they have over 100 students seeking masters in this chemical arena. my question is, is there a great deal of cooperation between the private sector and the academic sector in trying to innovate ways to continue to fight cybersecurity? anybody can address that. >> i can speak up and say i know the retailers who have sought such partnerships have found welcome partnerships. last year we established something called the retail cyber intelligence sharing center. at the core of that is a retail isac. but wrapped around that is the opportunity for educational opportunities. i know that group has found great partners already in the academic community, looking for ways to identify ways to bring future chief intelligence security -- information security officers through the ranks and to share information so everybody has the best skills available today. >> it seems that would be a good partnership, even though that's
10:48 pm
well over 80% of our commerce in the cyber-world is through the private sector. mr. dodge, let me ask you this question, because my colleague, mr. mulvaney, was asking you about who bears the cost of a fraudulent transaction, is it between the banks and the retailers. is there not in existence any particular, either express or implied, right of indemnification between the parties that would allow that to be resolved absent the fraud development? >> who pays after a breach and fraud is spelled out in the contract. the retailers are bound by the contracts and their unwillingness -- if they violate, they risk losing the right to accept cards. >> there's a limited negotiation, i guess is what you're telling me. a retailer wants to accept mastercard, they accept all of the terms and contracts without a negotiation. >> you sign the contract
10:49 pm
presented to you. >> one of the things that you talked about very well is the electronic mastercard/visa chip. for some time this has been in practice in the european markets, has it not? >> it has. >> just recently, had it not been for executive order, we would not be pursuing it as fast as we are in the united states. what has been the reason for the delay of the implementation of the chip technology here? >> the reason the chip technology is being deployed today in the united states, and it's been deployed already in europe, is the following. in europe they don't have the ability that we have here to authorize a transaction online. when you swipe your card at the point of sale, what happens is that transaction is transmitted through the payment network for a yes or no answer. when the receipt is spit out 1.4 seconds later with a yes answer, it's because that transaction was authorized and approved online. in europe they don't have the infrastructure to do that. the card authorizes the transaction, which means that chip isn't going anywhere.
10:50 pm
it's making the decision right there. that's why the chip infrastructure is necessary in europe. >> now we're protecting the database of all the private information, and it's encoding -- or the database is encoding -- that particular transaction with a one-time identification, and then that allows anybody who captures that to have really nothing. >> that's exactly right. the way the system works today, your actual account number is transmitted. cyber thieves are looking for credit card numbers. in a tokenized environment it takes the account number out of the equation. >> how fast are we moving in that direction? >> it is being deployed across all retail segments. we have an existing infrastructure that needs to be replaced. it will take some time to get
10:51 pm
there. >> i know we talked about point-of-sale defenses today, but after the data has been breached, how effective are some of these companies out there that allegedly protect consumers from having their identity stolen? is that good, bad, or is it just somebody else -- >> i can't speak to any one of those companies. everybody needs to be vigilant. you need to monitor yourself. i want to go back to a point about advancing the technology in cards to get to where we are in europe. the migration that's happening in the united states is only a half step. we're only instituting a chip. we're not requiring a pin. it worked in europe. it's worked in canada. it's brought fraud down. you need to have it together, and
10:52 pm
we're not moving to that here in the united states because of decisions made by the card networks. >> now the gentleman from arizona is recognized for five minutes. >> thank you, mr. chairman. okay. a little discussion, maybe a little way from the legislation that's being vetted. mr. oxman, you seem to be the most technical on the panel. is that a fair -- >> yeah. >> give it to him. okay. can we walk through a couple of mechanics? first, the philosophical box i want to work from is: if you and i wanted to design as robust a system as possible -- i'm not asking practical, possible today -- where i still have the use of my financial instruments, my credit cards, online, at the retailer,
10:53 pm
in any fashion it may be, what would i be doing? because when we sat through something in this regard a couple of years ago, we had such high hopes for the tokenization hand-offs and the randomization of the designs of those tokens. is it token plus? if you and i were designing a system here, and making sure that as we work on the legislation it has enough openness to grab tomorrow's technology, what should we be doing? >> so a system designed from scratch would ensure that actual information that can be tied back to you or your account cannot be intercepted. you would make sure you didn't transmit actual information in a way that could be taken by somebody else and used in the same form. that's the real goal of all of the layered security
10:54 pm
technologies that you see deployed today. it's dynamic, and it makes sure that intercepted information cannot be useful. but the real difference between the chip and the mag stripe is it creates a unique code with each transaction. you wouldn't know the code for the next transaction, so it would be useless to you. >> it's the hand-off? >> yeah, designing a system from scratch would make sure the information was dynamic and couldn't be tied back to anything. >> here's my tokenization hand-off mechanics and a biomechanic if i'm doing online, an ip algorithm saying is this an ip that matches -- what am i doing to make these things work? >> that's the interesting thing about mobile payments, for example. >> you beat me to our last
10:55 pm
minute of conversation but might as well move -- >> right -- >> as we all move to the mobile pay in sort of catching up with the rest of the world, is the technology in my payment systems on this is that my future of transaction security? >> it is a great future of transaction security because what that mobile device has on there is the token we were talking about earlier. >> it could have all three. it could have my biodata with my fingerprint and its version of not technically an ip, but it has -- >> it's encrypted -- >> here's the device that goes with this. >> that's right. so the future of technology that we're working together to deploy has all of those elements to it. it's almost as if we have an opportunity to devise that utopian system from scratch. >> how do i incentivize that?
10:56 pm
>> the future of payments is in mobile technology and we're going there, but we're not there yet. we need to make sure we're locking down that while we are moving to the next generation. i won't try to wade into the deep technological comments. it's certainly mobile technology and the encryption in place today i think will work for a long period of time. >> so the end game really is you devalue the data so that it's useless in the hands of criminals. point of sale point-to-point encryption and tokenization. you implement it properly, the value is useless. there's no reason to break in. even if you did, whatever you stole, you can't use it anywhere else. >> in the last 15 seconds, my fear is much of today's conversation was who holds the
10:57 pm
liability, who pays. and my fear at one level that's an absurd conversation to have. we should be having the conversation how do we build the robust technology so we don't have the problem. >> good news it's happening while mobile payments and some of the things you mentioned are a small part of the picture. the adoption rate is very high. so the future that you're foreshadowing is unfolding. >> i thank the chairman. now the gentleman from indiana, chair of the republican policy committee is recognized for five minutes. >> i thank the panel for being here. thank you for your stamina. i think we're getting close to wrapping up. i wanted to talk a little bit further about breach notification. i think couple times you got pretty close to this. i want to make sure i better understand your position. you stated earlier that you wanted clarity for the business
10:58 pm
community. you support the one sentence standard based on reasonableness found in the energy and commerce committee bill. if you look at section four of hr 2205, it has a set -- a process that's laid out that frankly is much clearer and i think more scalable. it's based and modelled off of what banks have been doing for 16 years. can you explain from your perspective why you believe 2205's clarity isn't sufficient? >> so the act and certainly the legislation you're referencing were designed primarily for the financial services industry. it was passed in 1990, 2000 and enforced over the last 15 years. what we have argued is you have to look at the regulatory landscape as it is today and look at what's been done for
10:59 pm
regulations that apply to other industries. there's been a substantial body of work in enforcing cybersecurity expectations of businesses. that's established a decade's worth of case law that merchants and businesses all under the authority of the ftc understand what the expectations are of them. >> while the energy and commerce bill has a one sentence standard, you believe that one sentence incorporates the -- >> i do. and i think any business that would be forced to comply with it, and most businesses today are, don't look at the sentence that would be in the legislation. but they would look at what the body of work is -- >> so i make sure i understand your objection, is it to who the regulator would be? you believe under the commerce bill it would be a different regulator? >> how it builds upon the work undertaken by the ftc to date, it makes sense.
11:00 pm
that is the best way to move the ball forward. >> other members of the panel, i don't know if anybody would like to comment -- >> i would say while we recognize the brevity of it, to simply say go act reasonably. that's just a negligence standard that's built into common law for everything. we're all under that duty. when you're facing a threat of this magnitude, this nature, accelerating, to have the congress say hey, act reasonably. i think that is underwhelming as a standard and expectation as we enter the age of cyber battles. >> i would agree, particularly when you have a road map that's worked for 16 years in another industry that you can lean on. i'd like to talk a little bit about how unreasonable delay works in the real world. you know there's talk about whether a notice should be