
Key Capitol Hill Hearings, C-SPAN, March 26, 2014, 9:00pm-11:01pm EDT

9:00 pm
i'd like to see all of the overly partisan political e-mails. i'd like to see if he e-mailed relatives. staff members, this mitty. i think that would be relevant to putting in context his findings, and to determining whether he, in fact, is an objective source of information and analysis. but that's a different matter. mr. koskinen, as i said the declaration of independence, written largely initially the first draft by thomas jefferson but it was subject to an editorial committee. he didn't like that. he thought his words were pretty good. among those words were, americans were entitled to life, liberty, now here the editorial committee did not act. he said, and the pursuit of happiness. but it sounds like some people would substitute that, unfettered and unquestioned
9:01 pm
access to 501(c)3 and 501(c)(4) tax exempt status. do you read that in the declaration of independence? >> i don't read that -- >> no it doesn't read that way. so it's not really an explicit entitlement or right. it's a process you have to qualify for, is that correct? >> correct. >> there are many different ways of trying to figure out how somebody qualifies, and whether they qualify, is that correct? >> yes. >> and by and large, historically, irs has had a standard operating procedure for determining those -- that status. either 501(c)3 or 501(c)(4) or other status. is that correct? >> correct. >> in this particular case, what we're all excited about is that a filter was created in a regional office that seemed to target people for their political views, both right and left, but apparently mostly right. is that right? >> they were -- as noted,
9:02 pm
inappropriate criteria used primarily the name of the organization to select them for further review. >> now one of the problems with that here is an adverb. the word used in the statute is exclusively, a social welfare exclusively devoted to that purpose. is that correct? >> that's correct. >> and yet despite the fact that congress wrote that adverb into the law, irs took upon itself, long before your tenure, to actually interpret that meaning primarily. is that correct? >> that's correct. >> now, if i said to my spouse, honey, we have an exclusive relationship and i mean by that 29%. i'd probably have problems in my relationship to her, and to me exclusively means, just you. all the time. 100%. so how in the world could we get to a situation where the irs, on
9:03 pm
its own, outside of statutory authority, decided to interpret this as primarily? because to me that's part of the problem. exclusively ought to mean exclusively. and if congress wants to change that we should change the law. but, i don't remember congress investing irs with the authority to actually decide to interpret it radically different. not just, well, kind of a little fudge factor here. this is radically different. and it seems to me, therein is the problem. because clearly some of these organizations are not exclusively social welfare agents. i mean, clearly they're largely designed to be political. partisanly political. that concern the chairman has over partisan communication. and i share that concern. and all too many of these organizations hide under the umbrella of social welfare when, in fact, what they really mean is partisan political activity. can you address this dilemma for me? how the irs could possibly take
9:04 pm
the word exclusively, and reinterpret it to mean mostly, sometimes, just shy of 50% primarily? >> needless to say i wasn't around in 1959 when that regulation was -- >> which is -- >> -- with the irs. one of the reasons in response to the inspector general's recommendation that clarification be provided, that the draft regulations were issued for comment, was to, in fact, solicit discussions about what the definition of political activity ought to be. how much of it ought to be allowed before you jeopardize your tax exemption or are ineligible for a tax exemption and to which organizations in the 501(c) complex should that be applied. the 150,000 comments address all three of those issues. the proposed draft was designed to, in fact, review and revisit with the public and with comments and with congress exactly that issue.
9:05 pm
what should exclusively really mean. >> thank you. my time is up, mr. chairman. i certainly hope after all the sturm and drang for this issue we might come together on a bipartisan basis. >> i certainly hope so. i hope the gentleman remembers that 501(c)(4)s are not tax exempt to the contributor. so they really are no different than any corporation that spends all of its money doing anything. but, it is an interesting question of what social welfare was in 1959, and whether promoting a reduction in smoking, or something else would have been considered political prior to the creation of the federal election commission. >> you know, mr. chairman, if i may, we may even decide, frankly, look, let's just have a new category that, if you want to be political, and you want to hide who your donors are, hopefully you don't, there's this category. so that we're not playing,
9:06 pm
frankly, with words, and in a sense all being complicit in this disingenuous exercise. so i take the chairman's point, and would add to it. thank you. >> i thank the gentleman. we now go to the gentleman from ohio. >> thank you, mr. chairman. mr. koskinen, what part of "all" don't you and the irs understand? you've said like ten times now, if you give us all lois lerner's e-mails we're going to get irrelevant information. frankly, with all due respect, we don't care what you think is irrelevant. the committee has asked for every single -- if i asked for it clear back in august from danny werfel and he told me the same thing you did, we're trying, we're going to get there some day, some time. we want them all. because if you limit it to what you said earlier to determinations of appeals, exams and rule making, just those categories, what if there's an e-mail from the white house that says halo us, keep up the great work, we appreciate what you're doing. what if there's that kind of e-mail. that wouldn't fit under the
9:07 pm
categories and search terms that you're talking about where we say all, we want every single e-mail in the time period in the subpoena that was sent to you. plain and simple. now, let me ask you this, do you agree with the audit report that came out, you agree there are columns and you're trying to comply with the audit report is that accurate, mr. koskinen? >> that's correct. >> i'd like to put up slide one. these are inappropriate criteria and questions that were sent out to tea party groups that tigta identified as going too far, inappropriate, issues that are important to the organization and asked that the organization indicate regarding such issues, type of conversations you have in your meetings, inappropriate questions you can see they're highlighted there. second slide. this is one of your -- this is judith kindell e-mail she sent to holly paz, same list talking
9:08 pm
about how these were inappropriate questions that were asked of tea party groups. now we move to the proposed rule that's gotten so much controversy, i think approximately 150,000 comments, more comments than any other rule the irs has ever proposed. is that accurate mr. koskinen? >> make sure you take all the comments from the last seven years and double them. >> yes. and is it fair to say the vast majority of those comments are negative? >> i have no idea. they're being analyzed -- >> based on what we've heard based on the hearing we had just a few weeks ago where we had the aclu and the tea party saying this thing stinks and we shouldn't have it, vast majority of those i'm going to hazard a guess are negative comments. if we could go to the third slide now. this is a -- this is a newsletter that came out just three weeks ago. irs exempt organization newsletter march 4th, 2014. are you familiar with this newsletter that goes out to the exempt organizations division of the internal revenue service?
9:09 pm
>> i do not see those. >> okay. well this is put out by the exempt organizations division, same division where all these problems took place over the last three years, it came out, again, just five days after the comment period on the proposed rule ended, at the end of february. and i want to just highlight a few of the questions that are asked, so there's a category that says, what if the irs needs more information about your c-4 application. new sample questions. if we could put up the side by side. now the first slide are the targeted questions that tigta said were inappropriate and you agree are inappropriate. judith kindell agreed are inappropriate. and now just five days after the proposed rule comment period ends, you issue a newsletter from the exempt organizations division highlighting the new questions you're going to ask. and i just want to look how similar the two questions are. let's take the second category whether an officer director has
9:10 pm
run for public office. the new question says this, do you support a candidate for public office who is one of our founders, officers or board members? same thing -- i mean, it's basically the same -- this reminds me of when i was in grade school and the teachers told us we shouldn't plagiarize and you change a few words and basically plagiarize. this is the same thing. here's what i don't understand if you're trying to comply with the tigta report, if the new c-4 rule is a way to deal with what the audit said and not what i believe, as what i believe is a continuation of the project lois lerner started, why are you asking the same darn questions? >> as i noted, i haven't seen that and can't read it on the chart. i would be delighted to sit down and go over all of those questions with you and with the exempt organization. all of the tigta report didn't blanket say you should never ask questions about this. thank you for the chart. >> let me read from your testimony, mr. koskinen. page 7 of your testimony you submitted to the committee yesterday.
9:11 pm
talking about our notice of proposed rulemaking is consistent with the tigta recommendation. you said this in your testimony you gave the committee. >> well, okay. >> and yet consistent with tigta recommendations, they said these kinds of questions are inappropriate and now just three weeks ago, exempt organizations division issues a newsletter where you're asking almost verbatim, a few word changes so you don't look just like you're totally plagiarizing or doing the exact same question, almost verbatim the same darn question. >> i don't think -- the first question says provide a list of all issues that are important to your organization and indicate your position regarding those. the new question says describe how you prepare voter guides. >> what do you think voter guides are about? they're about the issues. they're about issues important to organizations. have you ever seen a voter guide? i have, i've answered those questions. >> i submit -- >> as a candidate for office i've answered those. >> i appreciate having a copy of this. that if i look at the first question and the revision the revision is very different -- >> very different. oh, yeah, right. >> the third question, what type of conversations and discussions about your members and participants have during the
9:12 pm
activity. that is now, describe how you determined what questions to ask of candidates. doesn't say anything about what discussions or conversations your member had. it's -- >> you think they don't discuss it? >> doesn't ask for your conversation. >> okay. >> -- participation -- >> you defend that. you defend that. and you defend the statement that you're complying with our notice for rulemaking proposed rulemaking is consistent with the tigta recommendations. i don't think it is. what i know is the same day this comes out you send me a letter our primary goal, same day, letter you responded, one of my primary goals and responsibility is to restore whatever public trust has been lost over the course of the last several months. yet you're asking almost, almost the same questions that your people said were inappropriate to ask tea party groups when all the targeting took place. and now as a response to the new c-4 rule oh, we've changed the questions a little bit. >> i think if you ask an organization independently which are the questions have there been changes i think that these are new questions.
9:13 pm
they do not probe the discussions you had the conversations you had. they don't disclose how do you disclose your position on this. these are, in fact, new questions. >> i would disagree and i think the vast majority of people who were harassed over the last three years would agree with my position. >> i'm happy to have this in the record and let the public decide whether or not we responded appropriately. >> let me ask you one other question. >> the gentleman's time has expired. i apologize. we now go to the gentleman from missouri, mr. clay. >> thank you, mr. chairman. and commissioner, chairman issa wrote a letter to you yesterday complaining that you are guilty of a failure to comply with the committee's demands for documents. he also said, and i quote, your continued noncompliance with these requests also contravenes your pledge to fully cooperate with congressional investigation. so even though you have already produced more than 400,000 pages
9:14 pm
to the committee, even though you have 250 employees working on producing more, he accuses you of violating your pledge and frustrating congressional oversight. and i think this is shameful, and it's even more so when you actually look at the unbelievably broad demands the chairman has made. let's look at just one of these demands. number eight, in mr. issa's letter, it demands the following, and i quote, all documents referring or relating to the evaluation of tax exempt applications or the examination of tax exempt organizations from january 1, 2009, to august 2nd, 2013. let me read that again, all documents from 2009 to 2013,
9:15 pm
nearly four years, referring or relating in any way to tax exempt applications. mr. commissioner, how broad is this request? >> that request would be not thousands but probably millions of documents. the chairman is focusing on e-mails but you're exactly right. the full sweep of the subpoena will mean that we will be at this for months, if not years, collecting that information, redacting it, and then providing it. >> let me ask you this. the evaluation of tax exempt applications is the function of the exempt organization division of the irs. is it my understanding that about 800 people work in the division. is that correct? >> that's correct. >> so the chairman has gone on national television and threatening you with contempt unless the irs produces every document produced by 800 people
9:16 pm
over nearly a four-year time period. is that -- mr. commissioner, even if you wanted to comply with this demand, how long would you estimate that it would take the irs to complete this document? >> we've already spent ten months, $15 million, and had 100,000 hours and 250 people working to produce the documents that we, in fact, agreed with the committee would be relevant. this is a much broader, more sweeping request to all of those documents. and i have continued to press our people, because i am anxious to get documents to the committees and investigators as fast as possible, how long it would take even to complete the redaction and i cannot get a clear answer, because it's a very complicated, difficult process. my guess is, there's no way we would get you this information totally before the end of the year. >> to me, this shows how our
9:17 pm
committee has moved from government oversight to government abuse. these ridiculous demands are not overbroad, and irrelevant, but they will force to me, this is a partisan witch hunt, which has already cost the irs more than $14 billion. in compliance with these outrageous requests will only cause that number to continue to
9:18 pm
grow and it certainly doesn't reflect a good oversight, mr. chairman. and i'm really, really appalled at this, that this investigation has gone to this level. >> will the gentleman yield? >> i certainly do. >> do you feel asking for all of lois lerner's e-mails so we can search through whether or not she inappropriately was, in fact, actively doing more than we already know, do you think that's inappropriate? >> i don't have a problem asking for lois lerner's e-mail. i do have an issue of asking for 800 people's e-mail. are all 800 connected to this investigation? >> like i say, we haven't received all of lois lerner's e-mails, one of the things we asked for. >> can we be more specific about what we're looking for, for lois
9:19 pm
lerner, from her e-mail? >> no, we cannot. >> the gentleman's time has expired. we now go to chaffetz. >> did you receive the subpoena, correct? >> yes. >> the date on this is february 14th? >> correct. >> you understand what it means. is there any question on what it means? >> i don't think so. >> do you believe it was duly issued by the house of representatives? >> i'm assuming that. i have no independent basis for determining that. >> the schedule, which is just eight items all communications sent or received by lois lerner to august 22nd, 2013, is there any ambiguity in your mind? >> no. if you want to go through all
9:20 pm
eight i have no doubt of what any of them mean. as noted some of them mean you're going to take months or years to get the information. there's no doubt about it. >> there's no -- so you have no ambiguity about what it means. you believe it's been a duly issued subpoena. >> right. >> and you have not complied with it. is that correct? >> there is physically no way anyone could have complied between february 14th and now. we have never said we won't comply. we have said, in fact -- >> are you going to comply or not? >> we are complying. i will tell you, to comply with this -- >> no, no. >> you will be next year still getting documents. >> commissioner, what e-mail system do you use there at the irs? >> what e-mail system? >> outlook or -- >> microsoft. at least i have microsoft office. >> you go on there. you want to find all the items you sent under your name, how long would that take? >> well, it would take a while. because they're not all on my computer. they're all stored somewhere. >> but your i.t. specialist, how long do you think it takes of
9:21 pm
the 90 plus thousand employees there at the irs, how long would it take to find all the e-mail that included her e-mail address? >> just lois lerner's alone? >> just lois lerner. >> it would take a while. >> how long? minutes? >> there are millions of e-mails -- i don't know. i don't think it would be minutes. >> that's one of the brilliance of the e-mail system. you go in and check the sent box and the inbox and you suddenly have all the e-mails. correct? >> right. they get taken off and stored in servers and you have 90,000 employees. >> i'm asking to find one. they type in her e-mail address. >> we could find and we are, in fact, searching -- we can find lois lerner's e-mails. >> how long would that take? >> i have no idea how long. >> would it take a day? >> as i said, i have no idea. >> well, i just don't understand. you have a duly issued subpoena. if you were in the private sector and somebody was issued a subpoena and you didn't comply with it, what would happen to
9:22 pm
you? >> for this subpoena, the court would actually rule that it is far too -- >> oh, so you're going to make the determination? >> you asked the question. let me answer the question. in a court of law, if you had provided that subpoena, a judge would not enforce it. >> wait, wait, wait, wait. stop right there. so you're going to be the judge? >> i'm not being the judge. >> yes, you are. yes, you are. >> you asked me -- >> you have a duly issued subpoena. are you or are you not going to provide this committee the e-mails as indicated in the subpoena, yes or no? >> we are -- we never said we wouldn't cooperate. >> i'm asking you, yes or no? >> we are going to respond to the subpoena. >> no, sir it's -- >> we are going to respond to the subpoena. to respond fully for the subpoena we're going to be at this for years not months. >> and i don't understand that. just specific to item one, lois lerner, sir, are you or are you not going to provide this committee all of lois lerner's e-mails? >> yes. we will do that.
9:23 pm
>> yes. by when? when can we have them? >> i can only tell you it's going to take me -- my group, i asked this question. just to get you the lois lerner e-mails redacted, because you have to get them redacted for examinations, appeals -- >> no, no, no. is that what the subpoena says? >> would you like to hear the answer? >> no. i want to know if you're going to fully comply with the subpoena. not your version of the subpoena. the actual subpoena. >> you asked me how long it would take to respond to the lois lerner e-mails. i'm explaining to you why it's going to take time just to respond to the -- >> i don't want you to redact it. i don't want you to take certain categories that you want. that's not what this duly issued subpoena says. >> i'm telling you, just to supply the lois lerner e-mails, which we are going to supply for examinations. >> no, no, no. >> can i answer the question? >> no, sir. when it says all e-mails, why are you qualifying that? under what authority do you
9:24 pm
change this subpoena? >> i was not qualifying. you were asking how long it was going to take and i was giving you an example of why it was going to take a long time. we have to redact all of the 6103 information. we're working hard to get you the lois lerner e-mails. it's going to take you several weeks to get the e-mails for examinations, appeal. >> why are you -- it would be easier to just give them to us all. >> no. we have to redact the rest of them. we actually selected those because in a letter from senate -- the ways and means committee also saying they need help, they focused on what they're looking for is those categories. so, prioritizing, we said we would provide -- >> the gentleman's time has expired. >> we'll be happy to provide you the rest -- >> this commissioner has no intention of fully complying with this duly issued subpoena. that's the case. that's where both of us, on both sides of the aisle need to stand up for the integrity of the
9:25 pm
house of representatives. when you have a duly issued subpoena, you comply with it. it's not optional. >> thank you. >> may i say -- >> all time has expired. the gentleman from maryland is unanimous in his consent. one minute. >> mr. chairman, i never heard mr. -- the commissioner say that he was not going to obey his subpoena. matter of fact that's all he has been saying. >> actually, if the gentleman would yield, he is, on every single question, failed to say yes, i will give you all the e-mails. he has gone into the ones that he is prepared to give, the one that he could give to ways and means in an hour. once you do the search, you just dump it to them. he said it would take a couple of weeks. of course, the subpoena is many months old. >> i'm just saying, reclaiming this for a second.
9:26 pm
>> i just want this to be clear. what i said before, you seem to have an understanding and we seem to have an understanding and they don't seem to be the same. so, are you going to provide the documents for lois lerner? >> yes. >> that were subpoenaed? >> yes. >> and how long will that take? >> i do not know. i know it will take us several weeks. i asked that question yesterday. simply for the categories we're already working on and i was told that to redact those will take us several weeks longer. it will take us much longer than that, but we will provide them. notwithstanding the congressman who has now departed, his view,
9:27 pm
we never said we wouldn't comply. we're simply trying to help refine the search so that, in fact, we could get this done some time in the near future. that is, this year. but at the rate we're going, if, as noted by an earlier question, if you want all the categories of all the applications of everybody who has been through the c-4 process for the last four years, we can do that and we will do that, but it's going to take years. >> thank you. >> i thank the gentleman. thank you for your questions. but hopefully, we all understand that asking for all the e-mails, the ones that you seem to be least willing to put first are the ones that probably have no 6103. they're very quick to go through and somebody simply looks and goes oh, she's talking to an outside entity. by definition there can't be any 6103 there. right? >> correct. all the ones that are easy are easy. the ones that are difficult are difficult. there are more of the difficult ones than we would all like. >> of course, the ones that was gentleman was asking for before he had to leave were the ones
9:28 pm
that were not being given, which by definition very often are easy? >> right. i would just note for the record that all the lerner quacks on the next washington journal, congressman lee terry on his support for building the keystone pipeline. discussing national defense policy. >> we are on the brink of enacting an independent bill for the disabled of america.
9:29 pm
they will henceforth look at this is the independence day for those who have been disabled but have the willingness, the desire, and are qualified and have the ability to delay participate in america, in the promise of america, and the pursuit of happiness. mr. speaker, there were some concerns raised about this bill. there are those who will present a motion to recommit this bill, and they are very open. they want to discriminate against individuals. they want to discriminate against individuals who have a communicable disease. this bill does not allow that. this bill does say you can't do that if it poses a risk to the
9:30 pm
the united states senate recognized that concern and adopted an amendment offered by senator dole and senator hatch, and that amendment was adopted 99-1. members concluded, i would concern that the public was protected by the amendment which was adopted in this bill. there was another concern was also taken care of. other than that, this bill represents the work of the house of representatives. it represents a bipartisan effort of the gentlemen who have spoken on behalf of the conference report -- the gentleman. i would say on this is stored
9:31 pm
day that now is the time, now is the time to open the door of american life to all of the disabled in our country, today, tonight. do not delay this bill one minute more. let us act more. to the disabled, you are fully part of america. which isis amendment, unnecessary, unwise, discriminatory, arbitrary, and capricious. it is not based on medical evidence. it is opposed, i would suggest to you by the secretary of human services, and let me say this in closing. quoting the president of the united states. today i call on the house of representatives to get on the law thatssing the prohibits discrimination against people with hiv and aids. we are going to fight against
9:32 pm
the disease, not fight against people, and we will not and must not in america tolerate discrimination. tolerateon to recommit discrimination. reject it out of hand. move on with this bill. say yes to the disabled. defeat the motion -- the motion. >> the gentleman's time is expired, and all time is expired. >> recent security breaches at target and the university of compromised the financial data of their customers and students. the senate commerce committee had a hearing on these computer executives atith target and the university of
9:33 pm
maryland president. members also questioned the head of the federal trade commission and an executive from visa. this is just over two hours. >> this is in order. it is. this is the era of big data. you knew that, senator mccaskill? that is not news to you. whether we like it or not, companies are collecting reams of information about us as we go about our daily lives. crazy, when they talk about people having an invasion of privacy, if it could happen, but it has happened. that is that you keep people scared, and now people are reacting to it, saying, we have got to get rid of this thing.
9:34 pm
we are not necessarily an intelligent congress when it comes to our security. they are tracking us as we visit websites, stores, as we purchase products, where the information may be mundane, but a lot of it is highly sensitive. it may have to deal with health, family problems, whatever, and i think we can all agree that if target or any other company is going to collect detailed information about its customers, they need to do everything possible to protect them from identity thieves, because what is, in fact, what everybody was fearing about the nsa, which has never come out to be true has come to be true about the american private sector. that is the irony of the whole thing. with, youis rocked know, terrible things that could nsa, exceptthe
9:35 pm
nothing terrible has happened, but some terrible things are happening elsewhere, so it is now well-known that target fell well short in doing this. that is, protecting their customers. last november, december, cyber thieves were able to infect their credit card terminals with a malicious software, lupe their computer servers, access a staggering amount of consumer information, which they can pick and choose from, and then sell them for something called a profit. there has been a lot of anxiety recently about this type of information. i am making my point again. i like making this point. what they have been collecting on citizens about the terrorist threat, but the truth is, why did companies like target collect vastly more pieces of sensitive information than the government does, and they spend much less time and much less money protecting their sensitive data than the government does.
9:36 pm
you cannot penetrate the firewalls, all the firewalls around the nsa. senator thune, welcome. so we learned yesterday that federal agents notified more than 3000 companies last year that their computer systems had been hacked. i am certain there are many more breaches that we never hear about. in my zeal a number of years ago i asked the sec if they would sort of make it a requirement that whenever somebody was hacked into, that it be recorded at the sec, put on their website, for the advantage of the shareholders, as that is the type of information that they need to know if they are going to buy or -- that is haphazard at best, so target is going to tell us
9:37 pm
today that they take data security very seriously and that they have followed their industry's data security standards, but the fact remains it was not enough. the credit card numbers of 40 million people and the e-mail addresses of nearly 70 million people were potentially stolen under their watch. my staff has carefully analyzed what we know at this point about the target breach in a new report, they identify opportunities they had to prevent this from happening. it is a very interesting chart of where they could have, and i will hold it up and ask unanimous consent that this be made a part of the record of this hearing, and anybody who wants one of these is welcome to have it. i hope people at the press table have it. it is increasingly frustrating to me that organizations are resisting the need to invest in their security systems. this must be a clarion call to businesses, both large and small, that it is time to invest
9:38 pm
in some changes. well, i am disappointed that many companies have failed to take responsibility for their data security weaknesses, and i am just as disappointed by congress and our failure to create standards to protect consumer information. if you can imagine having stores in 45 or 35 states, and every state has different rules and regulations, i mean, it is just impossible, the mess. recently, i put forth legislation that builds on the long, well-established history of the federal trade commission and state attorneys general in protecting consumers from data breaches. the bill sets forth strong federal security standards by, one, directing the ftc to circulate rules requiring companies to adopt reasonable but strong security protocols, requiring companies to notify
9:39 pm
affected consumers in the wake of a breach -- that should just be automatic, and authorizing both the ftc and the state attorneys general to seek civil penalties for violations of that law. for nearly a decade, we have had major data breaches at companies large and small. millions of consumers have suffered the consequences. -- deserves its share of the blame for inaction. i am increasingly frustrated by the industry's disingenuous attempt at negotiations, so this is my message to the industry today. it is time to come to the table, be willing to compromise, and i am willing to hear their legislation, my legislation, or any other legislation. i am not willing to forfeit the basic protections that consumers have a right to count on, and i will not. finally, i would be remiss if i did not note that representatives of the company declined my invitation
9:40 pm
to testify today. when people decline to testify in front of this committee, my instincts, which may be skewed, are that nevertheless they are hiding something, and on this subject, i think it merits more and closer scrutiny. on my most distinguished -- i will not go through my usual. >> thank you, chairman rockefeller, for holding this afternoon's hearing on data breaches and protecting consumer information. protecting consumers from fraud and harm is certainly something that all of us share. i am glad the university of maryland and target representatives are here to tell us of their recent and well-publicized breaches. while forensic investigations into these incidents are still ongoing, millions have been affected. i look forward to hearing what lessons target and the university of maryland have learned from these and what steps they are taking to prevent them in the future and to better
9:41 pm
safeguard people's personal information. yet data breaches are not exclusive to the university of maryland and target. there were more than 600 breaches and at least 44 million compromised records in 2012 alone. while we are here today primarily to discuss data breaches in the private sector, we cannot forget that the u.s. government also holds vast amounts of information. it is estimated that the federal government spends billions in security, including in fiscal year 2012, but it is not immune to cyberattacks and data breaches. more than 22,000 data breach incidents were reported, a number that was more than double what was reported in 2009. in addition, a recent report from the government accountability office, the government watchdog, identified several incidents when they failed to notify people. in many ways,
9:42 pm
ranging from the inconvenience of having a credit card replaced to the harm of identity theft, where a criminal runs up large bills, we have to make sure that consumers have the information they need to protect themselves. that is why i support a federal breach notification standard to replace the patchwork of laws in the 46 states and the district of columbia. a single federal standard would assure that all are protected and treated the same way. this benefits both consumers and businesses. i also want to ensure that businesses are not burdened by outdated requirements but also have the flexibility for innovative tools to secure the information that they are entrusted to protect. for these reasons, i cosponsored the data security and breach
9:43 pm
notification act of 2013 with senator toomey and others. this requires people possessing personal data to notify people in a timely manner if their information has been taken. i look forward to working with you, who i know has also had legislation to assure appropriate breach notification. of course, we should acknowledge that this issue is not a new one. the committee reported breach legislation in 2005 and again in 2007, but finding broad agreement on the path forward has proved difficult. we should heed the testimony of mr. wagner and not allow the perfect to become the enemy of the good. for the identification of voluntary best practices and standards for cyber security, this gives me reason for optimism, and i was pleased to see that several of the witnesses have highlighted the good work done in that regard.
9:44 pm
as was noted in the past, legislation is also needed to deal with cyber threats and liability protection. not all data breaches occur because of a cyber attack. sharing the information is key, whether it is theft of intellectual property or an attack on critical infrastructure, so i look forward to learning more about the new partnership between the merchant and financial associations that will focus on sharing more information on cyber threats and protecting consumers. i also hope that visa and target can elaborate on the work they are doing. we are also wanting to hear about what they are doing to protect from fraud with education. there is the industry and
9:45 pm
government partners that are working hard in an attempt to prosecute cyber criminals and fraudsters, so, mr. chairman, i hope our witnesses can share their experiences good and bad, working on our shared goal of safeguarding personal information, and i look forward to hearing from our witnesses. thank you, mr. chairman. >> thank you very much, senator thune. good team. if you do not know it, you will. we come from big states with tall people. and we love sports. let's start with edith ramirez, chairman of the federal trade commission, and once again, i issue the following words of comfort to you. that the national gallery of art is going to take
9:46 pm
you over. you are going to be there a thousand years. whether they will or not, i do not know, but you will be. [laughter] >> thank you. chairman rockefeller and members of the committee, i appreciate being able to provide testimony on data security. under your leadership, chairman rockefeller, this committee has led critical efforts in congress to protect consumer privacy and data security. from the recent examination of the data broker industry and its effect on consumers to proposing data security requirements for industry, you and the members of this committee have sought to advance the same goals as the ftc, and i want to thank you for your leadership. as the committee is well aware, consumer data is at risk. recent data breaches remind us that hackers seek to exploit vulnerabilities in order to access and misuse consumer data in ways that can cause harm to consumers and
9:47 pm
businesses. these threats affect more than just payment card data. for example, in recent years, they have also compromised social security numbers, account passwords, health data, and information about children. this occurs against the backdrop of identity theft, which has been the top ftc consumer complaint for the last 14 years. i am here to reiterate the commission's bipartisan call for the enactment of a strong data security and breach notification law. never has the need for legislation been greater. with reports of data breaches on the rise, congress must act. the ftc supports federal legislation that would strengthen existing data security standards and require companies in appropriate circumstances to provide notification to consumers when there is a security breach. security practices are critical to preventing data
9:48 pm
breaches and protecting consumers from id theft and other harm, and when breaches do occur, notifying consumers helps them protect themselves from any harm that is likely to be caused by the misuse of their data. legislation should give the ftc the authority to seek penalties, to help assure that ftc action has an appropriate deterrent effect. in addition, enabling the ftc to bring cases against nonprofits, such as universities and health systems, which have suffered a substantial number of breaches, would help assure that whatever personal information is collected from consumers, entities that maintain this data adequately protect it. finally, rulemaking authority, like that used in one act, would allow the commission to ensure that as technology changes and the risks from the use of certain types of information evolve, companies would be required to give adequate protection to such data. whereas a decade
9:49 pm
ago, it would've been difficult and expensive for a company to track an individual's exact location, smartphones have made this information readily available, and there is a growing problem with child identity theft that was brought to our attention, where this can be combined with another person's information to steal an identity. under its existing authority, the ftc has devoted substantial resources to encouraging companies to make security a priority. the ftc has settled 50 cases against companies that put consumer data at risk. in all these cases, the touchstone of the commission's approach has been reasonableness. their basic security measures must be reasonable in light of the sensitivity and volume of consumer information they hold, the complexity of their data operations, and the cost to improve security and reduce vulnerability. the commission has made clear that it doesn't require perfect
9:50 pm
security and that the fact that a breach occurred does not mean that a company has violated the law. in a commission case against a retailer, there were alleged failures to implement basic, fundamental safeguards. one company announced one of the then largest known data breaches. according to the ftc's subsequent complaint against them, a hacker obtained information from tens of millions of credit and debit payment cards, as well as the information of approximately 455,000 consumers. it was alleged they engaged in a number of practices that taken together were not reasonable, such as allowing network administrators to use weak passwords, failure to limit wireless access to in-store networks, not using firewalls to
9:51 pm
work with computers, and not having procedures to detect unauthorized access to its networks, such as antivirus software. in addition to our enforcement efforts, the ftc also undertakes policy initiatives. it has held workshops on mobile security issues and child and senior id theft, and for those consumers who may have been affected by recent breaches, the ftc has posted information online about steps they should take to protect themselves. the ftc also provides guidance about reasonable security. they should have reasonable security for consumer data, and we look forward to working with the committee and congress on this issue. >> thank you very much. very honored to have the president of the american university here.
9:52 pm
i am sure that testifying before a congressional hearing is something you look forward to. >> thank you, chairman rockefeller, and ranking members. i spent most of my time testifying before the maryland legislature, and i hope that is good preparation for today. on the 18th, after a major snowstorm paralyzed this, presidents' day weekend, we had a very sophisticated cyber attack. basically, they uploaded into the website of one of our colleges.
9:53 pm
there was the uploading of photographs, but instead, they uploaded malware. once they got into the website, they were able to peer into central systems, and they were able to do that, and they were able to get to the directory of the management. they got passwords, and then changed their passwords in order to issue orders, so they took 310,000 names, social security numbers, university ids, and they intentionally left out photographs and so forth, that kind of information, because that would have slowed the situation with the data, and they did it because they were -- and we were just
9:54 pm
flying by the seat of our pants. and with regard to notification, we announced it within -- and call centers -- and this was affecting students. there were e-mails and calls, and we were sending letters to everybody else, a total of 310,000, and some of them are alumni going back for 20 years, when the country was
9:55 pm
using social security numbers as identification, and we have thousands of databases, and they just took that one database, where we have both the university id and the social security number, so in terms of notification, not only did we notify, we offered to pay for five years of protection, credit card protection, to all of the affected parties. this was per person multiplied by the years. and in terms of data security, we have approximately 225,000 names from our records that we have purged.
9:56 pm
what we're trying to do, with the help of the fbi, the secret service, and private security companies, is two things. one is to strengthen the defenses, and this involves penetration testing, and there are the people who play offense who will always be one step ahead of those who are playing defense. we need to tighten the security around the sensitive databases. so what we have done is we have migrated almost all of our websites to the cloud. we have purged, as i said, lots of information. we have done penetration testing, and we have isolated
9:57 pm
information that is sensitive, and so on. and the cost is very, very high. later, we had another major intrusion. fortunately, of course, they were working with us. within 36 hours, the fbi was able to identify and successfully mitigate the situation. no data was released, and they wanted everyone to know we were successful. thank you very much for all of your work in terms of requiring data notification and data security. this is a very important issue, and i would conclude by saying this. security at a university is very different than security in the private sector, because the university is an open system. there are many points of access
9:58 pm
because it is freedom of information. in the private sector, you can centralize. and we have to find a proper balance between security and access, and that is the challenge for all universities, because, as you know, many have had major breaches, and not all of them bothered to report it. >> excellent testimony, and i thank you very much. mr. mulligan is the chief executive officer of the target corporation, we welcome him. >> it is a pleasure to be with you today. let me say how deeply sorry
9:59 pm
we are about the impact this has had on our guests and constituents. our top priority is always taking care of our guests. the reality is we experienced a data breach. our guests expect more, and we are working hard to do better. we know this has shaken their confidence, but we intend to earn it back. my written statement provides additional details about the breach and target's response. we are asking hard questions about whether, had we taken different actions before the breach was discovered, that would have resulted in different outcomes. in particular, we are focused on what information we could have had that could have alerted us earlier, whether we have the right personnel, and assuring that these measures were sound. we are working quickly to answer these questions. this afternoon, i would like to provide an update since i last testified, including the actions
10:00 pm
we are taking to further strengthen our security. this has been focused on taking action to protect them against constantly evolving cyber threats. we are taking a hard look at security across our network, but we do not know everything yet. we have initiated the following steps to better protect our perimeter and to better secure our data. we are enhancing our security systems. we are increasing segmentation of key portions of our network. in addition, we have accelerated additional hardening of the network perimeter by expanding authentication. earlier, target became the first retailer to join the information sharing and analysis center. it shares critical information regarding detection, prevention, and response to cyberattacks and fraud activity. we are accelerating the investment
10:01 pm
in chip technology because we believe it's critical in enhancing consumer protection. we installed approximately chip-enabled devices in target stores and expect to complete this installation in stores by september, six months ahead of schedule. we also expect to begin to issue and accept chip-enabled cards by early 2015. we have offered one year of free credit monitoring and identity theft protection to anyone who's shopped at our u.s. target stores, and we informed our guests they have zero liability for any fraudulent charges on their cards arising from this incident. we believe responsible policy measures can further enhance security for our guests and all consumers. chairman, i know you and other members of the committee have introduced legislation designed to enhance data security. i'm not a policy expert, but i discussed the principles of your bill. a uniform data
10:02 pm
standard would provide clarity and predictability to consumer notifications. while the standard is uniform, we endorse state and federal attorneys general enforcement. we believe the standards, if appropriately structured, could provide additional protection for consumers. we have learned that robust security can't shield a company from a criminal breach. however, the more data security is improved across the economy, the better protected consumers will be. over the years, target invested capital in personnel and processes. we had multiple layers of protection and continually made enhancements to meet evolving threats. in september of 2013, we were certified compliant with data security standards, meaning that we met approximately 300 independent requirements of the assessment. yet the reality is that criminals breached our system. to prevent breaches like this
10:03 pm
from happening again, none of us can go it alone. all businesses and their customers are facing frequent and increasingly sophisticated cyber criminals. protecting american consumers is a shared responsibility and target remains committed to that solution. i want to say to you and to our guests how sorry we are this happened. we are committed to getting things right. thank you. >> thank you, sir. the advisor for a small corporation called "visa". >> thank you, chairman rockefeller, ranking member, and the committee. i appreciate the invitation to testify today. everyone in our payment system, merchants, financial institutions, networks, and cardholders, is affected when this occurs because they jeopardize the trust we've
10:04 pm
worked to build for more than 50 years. we continue to work to maintain that trust every day by placing security at the forefront of everything we do. the payments industry has taken a layered approach to data security. first, we protect consumers from financial harm with zero liability for fraud. behind the scenes, we work to prevent information theft and prevent fraud before it happens. fraud rates have declined by more than 2/3 in the past two decades to six cents for every $100 transacted. recent compromises show, however, that our work is never done. a critical first step in data security is to limit the amount of data that needs to be protected. we eliminated the storage of
10:05 pm
card information in large merchant systems. this made it more difficult for criminals to steal large amounts of data, so they're stealing it in transit. therefore, strong security remains fundamental to protecting the system. the card industry established a standard which, when fully and consistently implemented, has proven effective in protecting our stakeholders from cyberattack. it is difficult for any organization to maintain complete security all of the time. with that in mind, we're working with others in the industry towards a paradigm shift that would reduce or eliminate vulnerable payment data from the merchant environment. if data available in the environment could no longer be used to commit fraud, criminals would have no reason to attack. we call this devaluing the data. we joined others to create a road map for the future of data security, a road map of three technologies: the chip, tokenization, and
10:06 pm
point-to-point encryption. the chip is a microprocessor embedded in payment cards. they're nearly impossible to counterfeit, which removes one of the most important incentives for criminals to steal data today, the opportunity for counterfeit cards. but emv is not a silver bullet. in countries where it's widely used, fraud has simply moved to the on-line channel. to address that threat, we introduced a new standard known as tokenization, which replaces the account number with a token in the transaction process. tokenization removes card data from the on-line environment; it is the token, not the card number, that goes to the merchant. the third is point-to-point encryption, a technology available today that protects account data from the moment it enters the point of sale terminal to the completion of the transaction process.
10:07 pm
securing data today and devaluing it tomorrow are the main approaches of the strategy. no strategy will ever be 100% effective. we invest in fraud protection and analytical tools, some of the most advanced, to identify and prevent billions of dollars of fraud each year. we invest in breach response, continually improving the ability to identify, respond quickly, and protect consumers when they occur. as a result, the vast majority of accounts exposed in large data breaches do not experience fraud. only 2% to 5% of accounts exposed incur fraud resulting from the breach. visa observes three areas where government help could be protective. first, we should have a safe environment to share cyberthreat information.
10:08 pm
second, the government could continue to work with the international community to improve coordination among law enforcement agencies and to eliminate the havens from which cybercriminals launch attacks on the financial system. third, the government can establish a uniform breach notification standard in place of the state laws now in place. and finally, in closing, let me say that we know cybercriminals will always be with us. they will continue to target any environment that contains valuable information. the payments industry has fought back by investing in sophisticated solutions that protect the system and the consumers who rely on it. but, as the criminals have improved their technologies, we improve ours as well. the key is to work together to defeat our common enemy, and visa is fully committed to working with all of the participants in the payments industry towards this objective. thank you, again, for the opportunity to testify today.
10:09 pm
>> thank you very much. thank you very much indeed. mr. beshar, executive vice president and general counsel of marsh & mclennan companies. >> i'm peter beshar. as a former david rockefeller fellow, it gives me particular pleasure to be before this committee. i'd like to focus my remarks this morning. >> for free? >> i'm sorry. >> my uncle did this for free? >> something like that, mr. chairman. >> very unusual. please? >> thank you. >> i'd like to focus my remarks this morning, this afternoon, on the narrow topic of cyberinsurance. what is it? who's buying it? and what part might it play as part of a comprehensive risk mitigation framework? as the world's leading insurance broker, our company has a unique perspective on the cyberinsurance marketplace.
10:10 pm
we help clients in preparing risk mitigation strategies and issued the first cyberpolicy as far back as 1999, called net secure. there are three basic types of cyberinsurance. the first and most fundamental is coverage that protects against the out of pocket costs the university of maryland or another institution might suffer, expenses like credit monitoring or setting up call centers, or notifying affected individuals. the second is analogous to business interruption insurance, so if you're disabled for days or longer, you're able to recover what you suffered in the form of lost profits. the third type of insurance is for damage that might be suffered by parties outside of your company, so customers or consumers. that's called third
10:11 pm
party insurance. to give the committee some insight into the dynamics of the insurance market, we just conducted a survey of our cyberclients. it will give you who's buying and what the takeup rate is. are there reports in front of you? in each of your packets. thank you. there are a couple of headlines. interest in cybersecurity is growing rapidly. the number of marsh clients who purchase stand-alone cyberinsurance increased by more than 20% in the past year. hipaa statutes, and also, interestingly, the
10:12 pm
where there have been marked increases. that's a breakdown by industry. by size of companies, larger companies perceive a greater risk from cyberthreats than smaller companies do. so we analyzed the takeup rate. if you're a company with revenues of more than $1 billion, your takeup rates are almost double what they are if you're a smaller company. lastly, on pricing. here the news is quite positive, that throughout the years, it's been stable. this is because of many entrants in the marketplace. that's the actual insurance. the process of applying is itself constructive. the process forces you to go
10:13 pm
through an analysis, to try to benchmark yourself against industry standards and what are considered to be the best practices, and see what you can do to position yourself as a better risk for the underwriting community. so just in closing, mr. chairman, as this committee is all too aware, this is a race without a finish line. our adversaries will continue to adopt new methods of attack and strategies, and it's extraordinarily important that in combating this threat, government, the private sector, and also the nonprofit world try to work together to respond effectively. thank you. >> thank you very much. eloquent and helpful. mr. david wagner, president of entrust incorporated. >> good afternoon, chairman, ranking member, and committee members. entrust is
10:14 pm
pleased to be here to help facilitate and continue the dialogue for better understanding of cybersecurity issues. over two years ago, entrust testified on a similar topic of cybersecurity. since that time, the situation has worsened. nation states and criminals are using cyber to advance their interests. in december, point of sale breaches were another example of the escalation. entrust has no direct relationship with any of the victims of the point of sale attacks, but we can provide general insight into the attacks. as we heard earlier in these testimonies, criminals are using con tricks and cybertools to get past moat-style defenses. social engineering and malware are the equivalent of crowbars for penetrating corporate networks. once past the defenses, the attacker uses a stolen identity and becomes someone on the network,
10:15 pm
making them difficult to distinguish from normal network behavior. in the case of the retail breaches, once the criminals assumed the right identity, they pushed malicious code to the point of sale terminals. they were able to collect customer credit card data from the magnetic stripes. they stored and exfiltrated that data overseas. you can see from the attack scenarios that they're sophisticated. they're sophisticated, but not rocket science. they use stolen identities to access the victim company's network, and the victim company's i.t. tools to complete the crime. a cyberattacker can overcome even strong moat defenses. we need strategies to strengthen the defenses inside the perimeter. good information security governance is vital, and industry regulations and frameworks like sans
10:16 pm
and iso are available to help build the architectures. you might be asking how did the breaches occur? why weren't there stronger protections for accounts than using a password? why wasn't the network segmented around sensitive data? why weren't alerts responded to, with monitoring equipment capturing the unauthorized traffic patterns? nothing in the breaches was new. if we have created a culture that understands the risk, how do we create regulations that evolve with technology? and if we haven't, then no regulation or no security tool will solve our problem. banks and credit unions bear the
10:17 pm
cost of card reissuance, and they suffer the pain of cards and accounts. risk assessments must consider where the sensitive data is. cybercrime poses a greater risk to individuals than ever before. the challenge is balancing, balancing the importance of protecting data with the benefits of emerging technology. as policy makers, you're charged with facilitating commerce and putting in place a structure for finding this balance. entrust recommends actions in three areas. first, a federal breach notification law needs to be passed. it will put the federal government in the role where it belongs. second, the federal government needs to act to foster best practices,
10:18 pm
sharing information across the public and private sectors. collaboration is critical to presenting a unified front so criminal groups can't simply migrate to the next weakest target. third, we must change the cybersecurity culture. enterprises large and small, public and private, need to embrace information security governance as a core responsibility. this approach needs to move forward now. without changes to the security posture for most important industries and infrastructure, cybercrimes will continue to grow in frequency and potency. the best path forward rests upon a public-private ecosystem built upon good security governance, identities, and constant assessment of vulnerabilities. whether we drive adoption through incentives or directives, we need to proceed now. i urge you, your colleagues, and the administration not to let 2014 expire without adoption of
10:19 pm
measures that will better protect our economy and secure pohls euro. thank you for the time and your attention to this important matter of cybersecurity. >> thank you very, very much. because of unusual circumstances, and with the agreement of the ranking member, the first question will come from our side. >> thank you, i adore you, for the record, i adore both of you. i believe that ultimately the market is more effective in controlling behavior than the government. so let me start with the question i don't think has been fully answered. mr. mulligan or ms. ritchie, can either of you shed light on how much fraud has resulted from this breach? >> are you speaking specifically
10:20 pm
to our breach? to the target breach? >> i'll start. i feel free. i can only speak to about 15% of the cards that were taken, which were our product cards. the other 85% are cards we don't have visibility to. we have two card products: a proprietary card, a card used at target. we haven't seen any incremental fraud on the two particular cards. we have a visa product that can be used broadly like anywhere else. they're on the $5.5 billion portfolio. we've seen about $2 million of incremental fraud or about .1% increase. >> a tiny amount then on your 15%. ms. ritchie, do you have any figures in terms of --? >> yes. i would mention in my testimony 2% to 5% of accounts might be expected to experience incremental fraud. we're seeing much lower numbers from the target breach.
10:21 pm
i do believe that the rapid notification by target, as well as the strong response from our member financial institutions, is responsible for limiting the fraud. >> okay. what's the total, do you think? dollar-wise. >> we don't have those dollars available. >> does anybody? >> we can get those for you. you have to realize we're still in relatively early stages, but we could provide those. >> what i'm trying to figure out here is how much fraud there was and who's holding the bag on the fraud. i don't think people understand that this -- i don't think people understand that you don't necessarily hold the bag on any of it, that most of this debit card fraud ends up at the local bank, that a lot of the costs associated with this breach, the majority of them, fall to credit unions and local banks as opposed to target. of the $61 million that you have said it cost your company, mr. mulligan, how much of that was
10:22 pm
try to reassure your customers -- you are the guys, how much of the money was marketing for the loss that suffered. >> the $61 million we recorded in the fourth quarter, any marketing expenses that we undertook would have been recorded in the normal course of our business. to $61 million was related response costs, credit monitoring, activities such as that. monitoring credit that you're offering to your customers, that, in fact, is marketing. view that as a way to respond and help our guests for what we know is a difficult time for them, provide credit monitoring and identity theft identity theft insurance. >> i think it's terrific that you're doing it. i think it was smart that you're doing it. think it's a wise corporate decision. it was an optional activity you're engaged in to try to repair the damage that incurred
10:23 pm
breach. result of the >> we're focused on the guests, absolutely. andoo estimate to the banks credit unions is $200 million. are not optional to them. that's them reissuing the cards and bearing the cost to do that. >> the credit card industry has collectively determined that consumers don't bear any liability to the fraud. there are commercial underpin that.at the commercial arrangements provide the revenues for the pay-in, they provide for remediation in situations like this. make point i'm trying to here is that it's confusing to consuming public where the costs falls and where the costs are absorbed. know there's $10 billion in more revenue as a result of the government being involved in interchange fees. interchange fees were $19 the durbin re amendment and now they're less
10:24 pm
than $10 billion. there was $10 billion extra that flowed to retailers as a result of the prices coming down. that was a saying good or bad thing. guess what i'm trying to get at here is i think it's very risk be borne the by those who must engage in the activity to protect. risks go the somewhere else, it lessens the incentive to protect. i'm not going to argue that you all have had a terrible thing happen to your company and you're working hard to recover it and you have been damaged, but there are many think es where people there's been a breach. i think americans thought you costs of covering the this. i'm going n you said to make sure no customer loses a think they realized nobody paid it in the first place. the risk is important for us because it will be much better
10:25 pm
with the the risks right incentives in the free market. just going to say that if there's any lack of clarity about who's bearing the loss committee, the financial institutions would make their customers whole in as we know stance with the zero liability policies. then, the payment networks, both visa and mastercard do have program to shift the costs back isa merchant if the merchant shown to have been out of compliance with our industry standards. okay. >> however, that program covers only a portion of their costs just the reason for that is as you said to balance the incentives so that each party is to reduce the risk and protect the consumer. >> i would love to get into the if you would help us with that information, ms. richey. mean right now? >> no, i mean later. oh, no, i'm done.
10:26 pm
no, i mean later. really want to understand how these risks are being shifted in the marketplace. >> thank you. >> i'm going to recognize thune and just for the committee's information, we will we have r a vote and four votes scheduled, i believe. five votes scheduled. that out. work but i wanted the committee to know, we'll go to senator thune. short a recess as we can and come back and conclude the hearing. >> thank you, mr. chairman. mr. mulligan, we're learning a all of the details of the target breach. we know it affected two types of data. of was the payment card data approximately $40 million target shoppers and other personal data to 70 million customers. the question is what steps have provide your customers the assurance their personal information is going to protected going forward. >> senator, we've taken several
10:27 pm
upon immediately identifying the malware. we closed the portal that in the the access point first place. we narrowed the scope of who has systems.o our we began an investigation and to d a third party advisor do an end-to-end review. analysis, forensic but the entire processes and controls. from that, we have additional we've taken steps that we've learned from there. we enhanced the data segmentation, we hardened the and we increased malware protection with whitelisting, we accelerated that. that allows only the programs we to run on our point of sale terminals to run. accelerated our pin and chip technology, it will complete the installation of guest payment devices this year and roll out the cards next year.
10:28 pm
we'll take the steps and to have earnings and we'll expect to continue to make changes. >> i quote most laws have the simplify ace would compliance by businesses while ensuring all consumers are protected, end quote. agree with that statement. maybe if you ring can elaborate on the advantages of a consistent national requirement for breach notification. >> it's comprehensive federal legislation in this area. if we think that legislation and the standards set in that are sufficiently strong, that in federal ance, the standards should preempt state breach notification laws. >> okay. -- several of you, i think, have testified to the
10:29 pm
having a single federal standard. i'm just wondering if you'd like value of ore the federal preemption of what is a patchwork right now of state laws. >> i'm sorry, if i may add one more point that i want to make of is also clear in terms our position at the ftc, it's also critical that the states be this ted to enforce in area that there be concurrent jurisdiction on the part of the the states. s >> all right. anybody else want to comment on the value of having a national -- of quick couple comments. we talked about transparency on the panel here today and transparency is critical. having a common breach standard easier to it aggregate the data to know what's going on from a national perspective. we know from these crimes they most often have a multistate often and very international impact in having the federal government involved in the breach notification seems make a lot of sense. >> anybody else?
10:30 pm
>> a single standard would ease mote -- or getting the faster and out spend less time on lawyers and more time informing consumers. you're here because the university of maryland experienced a security attack the names and social security numbers and dates of births as you noted of of your members community. you state that the university of maryland experienced a second breach on march 15. but at this time, that breach resulted only in one senior official having their data breached. so the question is why is that? that officially the only target of that breach? or was it because of steps taken after the first breach? had unlawfully access to far more information
10:31 pm
than was breached the first time. we don't call it a breach because -- except for individual, it was not a public -- it was not circulated. and, again, i want to thank the fbi for their very expeditious intervention that resulted in the successful mitigation within 36 hours. we're not saying anything more is because the investigation is still but it is the case that no other information has made available the fact that one senior university official's name, i.d., everything was put on the public website and read was simply well, the intruder wanted to show how clever he or wanted the world to know it. >> i just have one last chairman, and that has to do, again, i wanted to come back to ms. ramirez. that the ied today role at the ftc is to protect
10:32 pm
sure they take appropriate measured to protect consumer information. ftc uses both e the fairness and deception authority, the deception authority being relatively clear cut. materially misleading statements or omissions regarding the security measure taken. but the good number of the ftc's ctions in data security have come under the unfairness authority which some argue provides less guides to companies regarding which practices cross the line. result most of the cases in consent agreements, its produce a record of value. short of regulations, should the rationale blic the they used to determine what is unfair? so that companies have better guidance? >> senator, i have to disagree with the critiques that have ftc in this th the arena. i think that we have provided
10:33 pm
good guidance. that we take when we exercise frankly both our deception authority and our fairness authority in this area is one of reasonableness. as a law enforcer, we look the driven facts of the specific case and the documents of are part and parcel our consent decrees demonstrate the basis of our allegations and remedies and actions that we should undertake. in our view, we have provided the actions we have taken really go to basic and fundamental failures on the part companies that we think are unreasonable and therefore that violation of our section 5 authorities. so i do take issue with that. great deal of guidance, also, to businesses as part of the outreach and efforts.al and i believe that companies can discern the approach we take it
10:34 pm
process-based approach where we urge companies to deal assessment h risk based on the type of information and they collect and use then they in turn develop a program that they would be able to address any risks to which that information might be exposed. have nk it's critical to one person at least who will be in charge of any security program. guidance made public? >> absolutely. >> i see we're out of time and vote.e to run and >> that's what we'll do. for a -- a to recess little while. i don't have a time certain. guess is it will be 40 minutes or so. but i don't know exactly depending on how many actual we have on the floor. and there's a little conflicting information about it. five votes. we'll recess and probably just for everybody's benefit, we'll probably try to start as we are doing our last vote on the floor
10:35 pm
members can vote and then come back here. trying to do that. so with that what we'll do is it we'll take a recess now and subject to the call of chair. thank you. you all been nice? okay. my staff, as you know, analyzing breach at your company. and we do a lot of reports. very -- it's very interesting. one has nothing to do with you or the question. and i shouldn't even be saying it, i'm interested so i'm going it.say i'm chairman so i can say what i want. lot of moving companies, if you want to move, you sign a contract. put your stuff in the moving van, and then they take it about alley es and park in an and call you up and say the price has just tripled.
10:36 pm
say that now, you doesn't happen in america. point is it does. it's very disturbing. it's very disturbing. so that's why we focus a lot on kinds of things. not that we're nasty. you're not nasty, are you? senator blumenthal, you're not nasty? ask my wife, mr. chairman. >> never. >> that's right. granddaughter and his wife -- >> wife. >> are together at school. and -- your granddaughter and my wife -- grand dn't mean your daughter -- >> your granddaughter and my daughter were together in school. >> yes. different levels. >> right. >> yeah. we've prepared this report. and i want to know if you read the report? have. i had a chance to review it last night.
10:37 pm
>> you did last night. >> the report walked through the steps the attackers had to go through in order to hack your company. and then it explains how target could have prevented the breach you had stopped the attackers -- just leting each even one of the steps. let me give you a few examples. you could have prevented the breach if one of your vendors, a small pennsylvania company called -- is it fazio? fazio nderstand it's mechanical service had better security practices. acknowledge that poor vendor security was a factor in this attack? >> yes. >> and once the attackers had gotten into your network, you them from gaining access to your company's highly data, would sumer you acknowledge the target failed to properly monitor your computer network for the intruders? >> senator, it's my
10:38 pm
that we did have proper segmentation in place, as recent as two months prior to attack, we were found to be pci compliant and that includes segmentation. but your question is an excellent one. how they migrated from the outer network to of your the point of sale data is an excellent question, i don't have the answer to that. okay. >> who is "they?" >> the intruder, excuse me. >> okay. chairman ramirez? i congratulate the federal trade commission for its recent 50th data security case. the ftc has been successful in data security cases using the authority under section 5 of the ftc act. know, senator feinstein pryor nelson and i have security data information to senator pryor and have done in previous years, all to no avail so far. the legislature and the ftc has
10:39 pm
consistently called for. about why you see the need for such legislation, why isn't your existing under the ftc act enough? >> chairman, thank you for your question. and, again, i want to thank you for your leadership in this area, if your leadership in this area. the ftc has undertaken very in ically important work this arena. but i think our experience in what we see happening in the does show really that companies are continuing to underinvest when it comes to security. that's why we believe that more needs to be done in this area. congress think that absolutely needs to take action comprehensive -- a federal comprehensive legislation that addresses the security. data and in particular, we want to highlight things that we think important lly relative to enforcement authority on the -- on the part of the ftc. it's s that we feel that critical that the ftc have civil
10:40 pm
penalty authority so that there is appropriate deterrence. we feel that we should have rule making authority so that the agency can have the flexibility to implement any legislation and adapt to changing technology in this arena. and then in addition we feel this is also important for the have jurisdiction over nonprofit, currently we do not have jurisdiction over and we do see that universities and other falling victim to intrusions and important for the sector also to have reasonable security measures in place so that americans can -- their information can be protected. >> they want to precisely at that point tell you that self-regulation works. >> we believe that self-regulation is an important element of all of this.
10:41 pm
is a complicated issue and in order to really effectively, we need to do it in a multipronged way. believe that it's robust and where you have backup enforcement by the ftc, for instance, that that would be a good and important complement to the civil law enforcement that we undertake. >> but in essence -- it's not -- in my mind, it's not -- >> it's not enough. >> that's correct. >> yeah. >> but whether it's cyber security, this, almost anything else, self-regulation always solves the problem when the over -- we had as you know the water spill in charleston, in west virginia, counties s and nine couldn't drink water. house.ing my it was not a pleasant experience. i found out that rather quickly that there is no
10:42 pm
-- under no federal regulation, no state regulation, they can do exactly as please. and so one of the people who was this who is myby sort of chief of staff, my west operations, has two young children and i talked to she said morning and she had just been on a trip to india, in fact, to look at ways of doing water. that two more leaks had been on that river. one to be blindly infuriated. at ourselves for allowing that to happen. for eight years, never did anything about it. every time i drove to charleston times, iid hundreds of always came directly towards
10:43 pm
the tanks that held all of toxic stuff which leaked. and i said that doesn't look very good to me. looks kind of crummy. it's sort of like the pictures seattle before the -- before everything went wrong -- everything looked fine. was a lot knew there of mud there, your mind would lead you to other kinds of but your mind doesn't choose to dwell on the s that aren't of moment. anyway, i'm encouraging -- increasing towards the ftc, i'm hearing authority to he protect consumers from data breaches. complaint from some. and it reaches ears easily to hear people like about the federal government not being able to do its work or failing to do its work. unlike years past when this
10:44 pm
routinely gave the ftc the tools it needs do the job, i'm now constantly hearing about dangers of an overzealous and overregulating overburdening american businesses a lot. hearing it a lot. and in this committee. is data breach bills which 1976 gives your agency basic to set ing authority data security standards, just as gramm-leach-bliley and the children's on-line privacy laws. i don't think that's a controversial idea. but some people do. chairman ramirez, can you skepticsplease, to the through me how the ftc goes about setting these rules so that, one, i can be satisfied that you're not out to ruin industry for the pure pleasure of doing it, but you're trying
10:45 pm
how the r job commission has a careful and process it does not lend itself to the regulatory chaos that some fear. can you explain how the rules help to protect consumers from data breaches? >> i'd be happy to. me just say that first of all, the call for legislation in bipartisan call. it -- the commission unanimously supports the enactment of federal legislation in this area the support that may be pieces of the legislation that i've outlined. in response say that to the critics of the ftc, i that anyone who looks closely at the work that we undertake can see that we do our work in a very balanced way. and that we absolutely want to job is to protect american consumers fundamentally, but we do listen and e concerns of industry i think if you look at certainly the body of case work that we
10:46 pm
this area, the 50 data security cases that you mentioned, i think people will see exactly what the basis for these are, and in fact the actions we took were justified. in response to your specific about how we employ apa rule-making authority in my remarks, i referenced the can-spam act which is one example of the legislation where we were given the rule making authority any rule with the would undertake would go through a notice and comment period so stakeholders would the opportunity to give input. we would hat ultimately impose would -- it would be based on this evidentiary record that would be developed over the course of the rule-making process. we ask for that is it's critical that the ftc have in this arena we implement any of this legislation and two main issues
10:47 pm
are the ones i want to highlight. one is that we have to recognize that technology is moving rapidly. decade ago, no one would that facial recognition technology would be so readily available, for geolocation information would be so easily attainable today. critically important that there be flexibility that's embedded in any legislation to ftc to adapt any rule to emerging and evolving technology. by the same token, it can also of businesses it to grant the ftc that flexibility because we may be certain ift requirements that may no longer be necessary over time. happened in nly connection with the our implementation with the can-spam act so in our view, it would be consumers as well as grant us community to that flexibility. >> i thank you.
10:48 pm
i'm well over my time. another time for senator. >> thank you, mr. chairman, thank you for holding this and working on important legislation. think we all know this is no longer one singular problem we heard from our witnesses today. in fact "the washington post" printed an article yesterday showing that the federal government notify 3,000 u.s. companies of a breach in just the last year. and i think it calls attention we need to move legislation, toy move on the notification bills and the work that senator rockefeller is doing, senator is doing. i'm on both committees. i've been immersed in this as knows we had another hearing and chairman in the judiciary committee. on of the things we focused is one going after the people who did this and working on the
10:49 pm
justice department on that. that's got to be a top priority. number two, how we prevent this going forward. things that i found pretty shocking is that in america we had 25% of credit card transactions in the world, but we had 50% of the world's fraud. and we know some of the other countries have moved to the chip and pin technology. target tried some of this technology, maybe you can years out that a few back. but it wasn't adopted by other companies so i would think i that. start with what do you think we need to do to stop this from happening in terms of adopting some of the technology? it how long do you think will take when we have parts of the world that are already currently is, it's the standard in europe. can hearwe -- maybe we from ms. richey first? >> we do believe it's necessary the united states to join most of the rest of the countries of the world in
10:50 pm
chip technology to control fraud in the environment. we set out a road map for the emv chip adoption. announced that in august of 2011 with the idea that it would take probably around four to seven years to get to a critical mass of chip adoption based on our experience in other countries. i'm encouraged by the level of enthusiasm towards the chip wakect we're seeing in the of the recent events and i'm hopeful that our liability shift 2015, october, 2015 that substantial adoption in emergent and issuing bank side. >> do you think it could be better to have the pin rather than signatures? would that be safer? is an interesting word in this context. >> would it lead to less fraud? initially lead to less fraud.
10:51 pm
reduce lost and stolen fraud. p.i.n. does nothing to keep the criminal from the card, ing unfortunately. and 70% of the fraud that occurs locations, brick and mortar store, is counterfeit, not lost and stolen. i believe the bigger problem is counterfeit. it's also easier for the criminal to accomplish because by stealing data, not by having to take possession or you know, thousands millions of physical plastic cards. so we believe that the best thing for the industry to do is focus on the chip and they're trying to change the environment p.i.n., signature, and no cardholder verification, which is our current will slow things down and increase the costs. so therefore, we're saying that issuer could have the choice, based on their own risk with e, whether to issue chip and p.i.n. or chip and
10:52 pm
in the e and similarly merchant environment where today currently deploy p.i.n. >> i mentioned mr. mulligan, you target o address this, tried to go with the chip technology and what happened? >> we did. a little more than ten years we introduced what we call guest payment devices to read chip cards and we introduced the card with chips enabled in it 10 years ago. the benefit for consumers comes with wide adoption, though. when the cards are widely used and widely read throughout the economy. we've seen that in other geographies. after we went about three years ourselves, we determined that it didn't make much sense for us to continue given there was no benefit to consumers broadly. we've continued to support -- in chip and pin, but to moving to chip-enabled forward. y is moving >> speeding up your adoption of that now?
10:53 pm
>> we are. that, $100 ted million investment for us. we'll have the guest payment september. we'll have the chip-enabled next year. >> the subsidiary of data card which is also a minnesota company how does your view the transmission to chip cards and how has trust and data in making involve recommendations on the finance and payment networks on implementing new cards and security methods. in financialleader magnetic cards, the stripe and emv. we're a big supporter of the emv technology. things you combine energy, it's more secure way to and but there's balance usability that needs to be considered. but the chip and p.i.n. is a more secure way to go about it. than the better current magnetic strip
10:54 pm
environment. >> can i ask one more question? data breaches ge and the hacking operations are perpetrated by people outside the u.s. and there's no shortage of they could be charged with but it could be hard to bring them to the courts because they operate largely overseas. in the case of the target breach, i understand that business weekly has identified a that could eration be responsible. again, the investigation is way.r this is what we read in "business weekly," can you you work with law enforcement investigations, i know i asked this of the justice department in the judiciary hearing. but what steps do you think we could be taking to make it get these international hackers into the courtroom to stop them? >> as to your specific question, i do have to defer to the law enforcement authorities to get into the details of that. i will say that the ftc works very closely in terms of
10:55 pm
in parallel with partners in law these areas. we, of course, are focused on and front end how retailers other businesses are protecting consumer information. we work in parallel with and i think our efforts are the efforts with enforcers who are seeking to locate and punish perpetrators. we do a big amount of work on the international front working civil law and agencies around the world to address the issues that is a significant engagement and we use authority that's been congressmen under the state act to pursue civil where needed so we want to partner with other law enforcers because we have to days. >> should we be doing more as we negotiate as we work with the
10:56 pm
as part of the security agreements in terms of with the come up international standards. more and more of these cases are outside of our borders in terms perpetrating them? >> increasingly, we need to be working with international partners around the world. and we absolutely have to focus on that set of issues as well. >> thank you very much. >> thank you. senator pryor? >> thank you, mr. chairman. on that if ollow up ramirez.chairwoman with the ftc working with other other federal and state and other law enforcement agencies generally, plus the international community. is there a formal process there? i mean, do you have these formal relationships where you sit down every day or every week or every month with these folks. a case-by-case ad hoc basis?
10:57 pm
work regularly with sister agencies here domestically. on case-by-case basis. e also have specifically a criminal liaison unit because it's part of overall enforcement we do partner with u.s. attorney's offices. close work with the justicent of -- of main and the fbi and secret service. so -- specifically on these issues, it tends to be in conjunction with specific investigations. global level, we do work in -- through multilateral as well as through specific bilateral relationships have with counterpart the globe rs around who have consumer protection authority and we also engage -- necessary where appropriate with criminal
10:58 pm
authorities around the world as well. one reason i ask is my experience with law enforcement they'll form sometimes what are sometimes called task forces where they have multi-agency or multi-jurisdiction. i don't know if you serve -- if ftc serves on a task force-typesetting where you had meetings where people are focused on this trying to find solutions, trying to head some of this off before it starts. are y'all involved in anything like that? >> it's really more of a case-by-case basis. civil our focus is on the law enforcement side and on the front end. we will cooperate very closely and we do necessary tay in close contact with domestic criminal law enforcers. >> let me go down to the other end of the table there. wagner, i know in both the rockefeller bill and also the bill, they use the word,
10:59 pm
policies," reasonable is the key word for policies to ensure consumers' data is protected. and obviously reasonable is a little elastic, a little situational. may be the best word to use. but could you please speak to that? and kind of talk about what are contained in the concept of reasonable. >> the key principles we would espouse are those for information security governance, understanding the that information has at a high level, in a corporate, a understanding which information assets had value. making sure it's not just an value to your organization but seeing the effect, ecosystemwide. those asymmetric values get considered at the at the corporate level to be dealt with. >> anyone else on the panel want
11:00 pm
comment on reasonable and what that means, the context of what you do? there is a whole custom and practice of the trade that you want to look at based on the risks you identified. >> is that a good starting point? >> i believe so. >> did you have something? >> yes. the word reasonable was what caught my attention. section two of the bill. reasonable measures and procedures by information security. even though it is only been five weeks