[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
PROTECTING CONSUMER INFORMATION: CAN DATA BREACHES BE PREVENTED?
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
__________
FEBRUARY 5, 2014
__________
Serial No. 113-115
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
88-611 WASHINGTON : 2015
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON ENERGY AND COMMERCE
FRED UPTON, Michigan
Chairman
RALPH M. HALL, Texas HENRY A. WAXMAN, California
JOE BARTON, Texas Ranking Member
Chairman Emeritus JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky Chairman Emeritus
JOHN SHIMKUS, Illinois FRANK PALLONE, Jr., New Jersey
JOSEPH R. PITTS, Pennsylvania BOBBY L. RUSH, Illinois
GREG WALDEN, Oregon ANNA G. ESHOO, California
LEE TERRY, Nebraska ELIOT L. ENGEL, New York
MIKE ROGERS, Michigan GENE GREEN, Texas
TIM MURPHY, Pennsylvania DIANA DeGETTE, Colorado
MICHAEL C. BURGESS, Texas LOIS CAPPS, California
MARSHA BLACKBURN, Tennessee MICHAEL F. DOYLE, Pennsylvania
Vice Chairman JANICE D. SCHAKOWSKY, Illinois
PHIL GINGREY, Georgia JIM MATHESON, Utah
STEVE SCALISE, Louisiana G.K. BUTTERFIELD, North Carolina
ROBERT E. LATTA, Ohio JOHN BARROW, Georgia
CATHY McMORRIS RODGERS, Washington DORIS O. MATSUI, California
GREGG HARPER, Mississippi DONNA M. CHRISTENSEN, Virgin
LEONARD LANCE, New Jersey Islands
BILL CASSIDY, Louisiana KATHY CASTOR, Florida
BRETT GUTHRIE, Kentucky JOHN P. SARBANES, Maryland
PETE OLSON, Texas JERRY McNERNEY, California
DAVID B. McKINLEY, West Virginia BRUCE L. BRALEY, Iowa
CORY GARDNER, Colorado PETER WELCH, Vermont
MIKE POMPEO, Kansas BEN RAY LUJAN, New Mexico
ADAM KINZINGER, Illinois PAUL TONKO, New York
H. MORGAN GRIFFITH, Virginia JOHN A. YARMUTH, Kentucky
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Missouri
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina
Subcommittee on Commerce, Manufacturing, and Trade
LEE TERRY, Nebraska
Chairman
JANICE D. SCHAKOWSKY, Illinois
LEONARD LANCE, New Jersey Ranking Member
Vice Chairman JOHN P. SARBANES, Maryland
MARSHA BLACKBURN, Tennessee JERRY McNERNEY, California
GREGG HARPER, Mississippi PETER WELCH, Vermont
BRETT GUTHRIE, Kentucky JOHN A. YARMUTH, Kentucky
PETE OLSON, Texas JOHN D. DINGELL, Michigan
DAVE B. McKINLEY, West Virginia BOBBY L. RUSH, Illinois
MIKE POMPEO, Kansas JIM MATHESON, Utah
ADAM KINZINGER, Illinois JOHN BARROW, Georgia
GUS M. BILIRAKIS, Florida DONNA M. CHRISTENSEN, Virgin
BILL JOHNSON, Missouri Islands
BILLY LONG, Missouri HENRY A. WAXMAN, California, ex
JOE BARTON, Texas officio
FRED UPTON, Michigan, ex officio
C O N T E N T S
----------
Page
Hon. Lee Terry, a Representative in Congress from the State of
Nebraska, opening statement.................................... 1
Prepared statement........................................... 2
Hon. Janice D. Schakowsky, a Representative in Congress from the
State of Illinois, opening statement........................... 4
Prepared statement........................................... 5
Hon. Fred Upton, a Representative in Congress from the State of
Michigan, opening statement.................................... 6
Prepared statement........................................... 7
Hon. Henry A. Waxman, a Representative in Congress from the State
of California, opening statement............................... 8
Witnesses
Edith Ramirez, Chairwoman, Federal Trade Commission.............. 10
Prepared statement........................................... 12
Answers to submitted questions............................... 153
Lisa Madigan, Attorney General, State of Illinois................ 24
Prepared statement........................................... 26
Answers to submitted questions \1\........................... 163
William Noonan, Deputy Special Agent in Charge, Criminal
Investigations Division, Cyber Operations, United States Secret
Service........................................................ 33
Prepared statement........................................... 35
Answers to submitted questions............................... 164
Lawrence Zelvin, Director of the National Cybersecurity and
Communications Integration Center, Department of Homeland
Security....................................................... 46
Prepared statement........................................... 48
John J. Mulligan, Executive Vice President & Chief Financial
Officer, Target Brands Incorporated............................ 78
Prepared statement........................................... 80
Answers to submitted questions............................... 170
Michael Kingston, Senior Vice President & Chief Information
Officer, The Neiman Marcus Group............................... 86
Prepared statement........................................... 88
Answers to submitted questions............................... 187
Bob Russo, General Manager, PCI Security Standards Council, LLC.. 96
Prepared statement........................................... 98
Answers to submitted questions............................... 194
Phillip J. Smith, Senior Vice President, Trustwave............... 104
Prepared statement........................................... 106
Answers to submitted questions............................... 199
Submitted material
Statement of Credit Union National Association................... 132
Statement of Independent Community Bankers of America............ 135
Statement of National Retail Federation.......................... 137
Statement of Retail Industry Leaders Association................. 150
----------
\1\ Ms. Madigan did not respond to submitted questions for the
record.
PROTECTING CONSUMER INFORMATION: CAN DATA BREACHES BE PREVENTED?
----------
WEDNESDAY, FEBRUARY 5, 2014
House of Representatives,
Subcommittee on Commerce, Manufacturing, and Trade,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 9:30 a.m., in
room 2123, Rayburn House Office Building, Hon. Lee Terry
(chairman of the subcommittee) presiding.
Present: Representatives Terry, Lance, Blackburn, Harper,
Guthrie, Olson, McKinley, Pompeo, Kinzinger, Bilirakis,
Johnson, Long, Barton, Upton (ex officio), Schakowsky,
Sarbanes, McNerney, Welch, Yarmuth, Dingell, Barrow,
Christensen, and Waxman (ex officio).
Staff Present: Charlotte Baker, Press Secretary; Kirby
Howard, Legislative Clerk; Nick Magallanes, Policy Coordinator,
CMT; Brian McCullough, Senior Professional Staff Member, CMT;
Gibb Mullan, Chief Counsel, CMT; Shannon Weinberg Taylor,
Counsel, CMT; Michelle Ash, Minority Chief Counsel; and Will
Wallace, Minority Professional Staff Member.
OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF NEBRASKA
Mr. Terry. So, good morning everyone, and we have an
impressive two panels to testify this morning. Our first are
government witnesses. I will introduce you each as we go down,
but I want to thank all of you for being here. And the way we
do it, some of you haven't testified before us before, others
have, each side has basically 10 minutes of opening statements,
and then we get right into your testimony, so I will begin my
opening statement at this time.
And I just want to thank everyone for being here, and today
we are turning our focus to an important issue that has
affected nearly one-quarter of American consumers, a string of
recent data breaches at nationwide retailers, which resulted in
the loss of consumer payment card data, personal information
for millions of consumers. Millions of consumers are seeking
answers to questions about their personal and financial
security.
I am grateful to both Target and Neiman Marcus for agreeing
to appear before our subcommittee today. It is my hope that
they will be able to give the subcommittee as clear a view as
possible of what transpired, what was being done to protect
consumer information before these breaches, what steps have
been taken to mitigate the harm to consumers in the wake of
these breaches, and what more is being done and can be done to
prevent such breaches in the future.
We will also hear from public and private entities who
participated in developing security standards, protecting
consumer data, and taking enforcement actions against the
criminals who perpetrate these crime. Our objective today is
not to cast blame or point fingers. It's just like, just like
you, don't blame the homeowner whose home is broken into;
nevertheless, we must ensure that breaches like these do not
become the new norm.
Private sector has worked to try and prevent these crimes
to different degrees, including cooperation with government
entities. Clearly, there is more that can be done, which is the
reason for convening this hearing today. Already, the U.S.
accounts for 47 percent of the fraud credit and debit losses
worldwide while only accounting for 30 percent of the
transactions. We need to be realistic and recognize there is no
silver bullet that is going to fix this issue overnight. If we
are to seriously address the problem surrounding consumer data
security, it will take thoughtful and deliberate actions at all
stages of the payment chain.
I don't believe we can solve this problem by codifying
detailed technical standards or with overlaying cumbersome
mandates. Flexibility, quickness, and nimbleness are all
attributes that absolutely are necessary in the cybersecurity,
but run contrary to government's abilities. We must encourage
the private sector to keep improving on its consensus-driven
standards which are built to adapt over time changing threats
to data security.
While I have more of a statement, I would like to yield to
Mr. Olson the remainder of the time.
[The prepared statement of Mr. Terry follows:]
Prepared statement of Hon. Lee Terry
Welcome to our subcommittee's first hearing of 2014 and the
20th meeting of the 113th Congress.
Today, we are turning our focus to an important issue that
has affected nearly one-quarter of American consumers: a string
of recent data breaches at nationwide retailers, which resulted
in the loss of consumer payment card data and personal
information for millions of consumers.
Millions of consumers are seeking answers to questions
about their personal and financial security. I'm grateful to
both Target and Neiman Marcus for agreeing to appear before our
subcommittee today. It is my hope that they will be able to
give the subcommittee as clear a view as possible of what
transpired, what was being done to protect consumer information
before these breaches, what steps have been taken to mitigate
the harm to consumers in the wake of these breaches, and what
more is being done to prevent such breaches in the future.
We will also hear from public and private sector entities
who participate in developing security standards, protecting
consumer data, and taking enforcement actions against the
criminals who perpetrate these crimes.
Our objective today is not to cast blame or point fingers--
just like you don't blame the homeowner whose home is broken
into. Nevertheless, we must ensure that breaches like these do
not become the ``new normal.''
The private sector has worked to try and prevent these
crimes to different degrees, including cooperation with
government entities. Clearly, there is more than can be done,
which is the reason for convening today's hearing.
Already, the U.S. accounts for 47 percent of the fraudulent
credit and debit losses worldwide, while only accounting for 30
percent of the transactions.
We need to be realistic and recognize there is no ``silver
bullet'' that is going to fix this issue overnight. If we are
to seriously address the problems surrounding consumer data
security, it will take thoughtful and deliberate actions at all
stages of the payment chain.
I do not believe that we can solve this whole problem by
codifying detailed, technical standards or with overly
cumbersome mandates. Flexibility, quickness, and nimbleness are
all attributes that are absolutely necessary in cyber security
but run contrary to government's abilities.
I do believe that information sharing is an area that we
can be involved with. I would like to explore with our
witnesses today a role for Congress in information sharing and
analysis centers (ISACs).
We must encourage the private sector to keep improving on
its consensus-driven standards, which are built to adapt over
time to changing threats to data security.
There are areas where Congress can take action and lead in
a way in protecting consumers and combatting fraud. One such
area is a uniform data breach notification standard. Right now,
national retailers have to comply with as many as 46 different
state and territory notification rules, which can slow down how
quickly a business can notify customers of a breach by creating
confusion over who must be notified, how they must be notified,
and when they must be notified. Consumers need to know quickly
if their information is breached so that they protect
themselves. I am working on legislation that would foster
quicker notification by replacing the multiple--and sometimes
conflicting--state notification regimes with a single, uniform
federal breach notification regime.
The security of data itself is paramount in this
conversation, but as I have said, cumbersome statutory mandates
can be ill equipped to deal with evolving threats. Nonetheless,
I think this subcommittee would benefit from hearing about how
companies are dealing with this issue now, as well as in the
future.
I understand that the four largest credit card companies
have put a deadline of October 1, 2015, for merchants to adopt
point-of-sale portals that accept EMV-enabled cards--the so-
called chip-and-PIN. I am interested in hearing about how this
technology could benefit consumers, as well as what Congress'
role should be with regard to data security in general.
I look forward to hearing from these stakeholders and
officials on our panel today and I thank them for appearing.
Mr. Olson. Thank you, Mr. Chairman, and thank you to our
witnesses for coming this morning. As you all know, data
breaches are a very serious matter, and you must remember past
this issue that regardless of security measures taken to
protect data, the bad guys are always trying, always trying to
find new ways to grab that data. We have to be right 24 hours a
day, 7 days a week, 365 days a year, 366 during leap year, and
as you have seen, the bad guys can access data in less time it
takes to swipe a credit card.
It is a tough battle, but it is a battle we have to fight,
it is a battle we have to win. As we say in Houston, failure is
not an option. With that, I yield back, look forward to the
discussion. Thank you, Mr. Chairman.
Mr. Terry. Anybody else? Mr. Lance.
Mr. Lance. Thank you, Mr. Chairman, and I welcome the very
distinguished panel. The issue of data security has been
prominent in public debate dating back to at least 2005 when
160,000 records were acquired by hackers in the Choice Point
data breach. Over the last 8 years, 660 million records have
been made public through various data breaches. Data breaches
occur not just in commercial settings, but also hospitals,
educational institutions, banks, and insurance companies. There
is no doubt that every American could be at risk of a data
breach.
Since our last data security hearing in July, we have
learned of several additional data breach incidents that
occurred in 2013. Data breach incidents at Target, Neiman
Marcus and Michael's are recent reminders of the dangers data
breaches present to our economy. In our hearing last July, this
subcommittee examined the issue of data breach notification;
namely, what to do when data security has been compromised.
While that issue is still of paramount concern, equal if not
more attention should be given to how to prevent data breaches
from occurring in the first place.
Major credit card carriers have created a global data
security standard for businesses that accept payment cards
called the ``payment card industry data security standard.'' I
look forward to examining the best practices for today's
economy and for the safety of the American people.
Since the Choice Point data breach in 2005, technology has
evolved considerably. While data hackers' tactics have also
evolved, so has the potential to provide greater security for
Americans at risk of a data breach. I am pleased to have before
us today a distinguished panel from the public and private
sectors with expertise and personal experience in these issues.
I look forward to examining the issues before us today. Thank
you, Mr. Chairman.
Mr. Terry. The ranking member, Jan Schakowsky, is now
recognized for her 5 minutes.
OPENING STATEMENT OF HON. JANICE D. SCHAKOWSKY, A
REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS
Ms. Schakowsky. Thank you, Mr. Chairman. I am really happy
that we are having this important hearing on data security. I
think it is of great concern to the public, who is probably
watching carefully what happens here. As we discussed
previously, I hope and expect that we will work together to
address these issues.
I thank all of our witnesses for being here, but I would
like to take a moment to pay special attention and give special
thanks to my friend, Illinois Attorney General Lisa Madigan,
who has been at the forefront of this issue since taking office
in 2003 leading several efforts at the state level to defend
against cyber crime and prosecute those responsible. She is
also co-leading an investigation into the Target, Neiman
Marcus, and Michael's data breaches, and I look forward, as we
all do, I think, to gaining from her perspective about how we
can better protect data and inform consumers in the future.
The threat of data breaches isn't new. The Privacy Rights
Clearinghouse has identified over 650 million records
containing consumers' personal information that have been
compromised through thousands of data breaches since 2005;
nonetheless, the recent attacks at some of this country's most
popular retail stores should give us all renewed motivation to
address data security and breach notification.
I think every one of our witnesses today and every member
of the subcommittee wants to make sure that we do everything we
can to reduce the risk of future massive data breaches. Tens of
billions of dollars each year are lost to cyber fraud and
identity theft threatening consumer credit and stretching law
enforcement resources. The Target breach alone could cost as
much as $18 billion, and analysts suggest the company itself
could be on the hook for more than $1 billion in costs from
fraud. There are also Homeland Security concerns that we, I
hope, will hear about today.
It is important to note that there is no foolproof
regulatory scheme or encryption program to totally prevent data
breaches. Cyber criminals are incredibly innovative, and as
soon as we invent and implement new technologies, they are hard
at work looking for new vulnerabilities. But just because we
can't absolutely 100 percent guarantee the protection of
consumer data doesn't mean that we should not do anything.
There is currently no comprehensive Federal law that requires
companies to protect consumer or user data, nor is there a
federal requirement that companies inform their customers in
the event of a data breach. I believe it is critical that the
subcommittee move forward with legislation that will ensure
that best practices are followed at all retailers and that
consumers are informed as soon as possible after cyber theft is
discovered. That legislation should be technology neutral, in
my view, allowing the FTC and other regulatory agencies to
update requirements at the speed of innovation.
In the 111th Congress, I was one of four original co-
sponsors of H.R. 2221, the Data Accountability and Trust Act
data offered by Mr. Rush. The bill was bipartisan, and Chairman
Emeritus Barton was a co-sponsor. The bill had two main
provisions. One, an entity holding data containing personal
information had to adopt what we said were reasonable and
appropriate security measures to protect such data; and two,
that same entity had to notify affected consumers in the event
of a breach. Seems to me that those basic requirements should
be the basis for data security and breach legislation coming
out of this committee.
I want to thank our witnesses for appearing today. I look
forward to hearing from them about how we can better protect
against cyber theft in the future and ensure consumers are
informed as soon as possible when those protections fail, and I
yield back.
[The prepared statement of Ms. Schakowsky follows:]
Prepared statement of Hon. Janice D. Schakowsky
Thank you Mr. Chairman for holding this important hearing
on data security and breach notification. As we've discussed
previously, I hope and expect we will work together to address
these issues.
I thank all of our witnesses for being here, but I'd like
to take a moment to pay a special thanks to my friend, Illinois
Attorney General Lisa Madigan. She has been at the forefront of
this issue since taking office in 2003, leading several efforts
at the state level to defend against cyber crime and prosecute
those responsible. She is also co-leading an investigation into
the Target, Neiman Marcus, and Michaels data breaches. I look
forward to gaining from her perspective about how we can better
protect data and inform consumers in the future.
The threat of data breaches isn't new: the Privacy Rights
Clearinghouse has identified over 650 million records
containing consumers' personal information that have been
compromised through thousands of data breaches since 2005.
Nonetheless, the recent attacks at some of this country's most
popular retail stores should give us all renewed motivation to
address data security and breach notification.
I think every one of our witnesses today and every member
of this subcommittee wants to make sure that we do everything
we can to reduce the risk of future massive data breaches. Tens
of billions of dollars each year are lost to cyber fraud and
identity theft, threatening consumer credit and stretching law
enforcement resources. The Target breach alone could cost as
much as $18 billion, and analysts suggest the company itself
could be on the hook for more than $1 billion in costs from
fraud.
It is important to note that there is no foolproof
regulatory scheme or encryption program to prevent data
breaches. Cyber criminals are incredibly innovative, and as
soon as we invent and implement new technologies, they are hard
at work looking for vulnerabilities.
But just because we can't absolutely guarantee the
protection of consumer data doesn't mean we shouldn't try.
There is currently no comprehensive federal law that requires
companies to protect consumer or user data. Nor is there a
federal requirement that companies inform their customers in
the event of a data breach.
I believe it is critical that this subcommittee move
forward with legislation that will ensure that best practices
are followed at all retailers and that consumers are informed
as soon as possible after cyber theft is discovered. That
legislation should be technology-neutral, allowing the FTC and
other regulatory agencies to update requirements at the speed
of innovation.
In the 111th Congress, I was one of 4 original cosponsors
of HR 2221, the Data Accountability and Trust Act, offered by
Mr. Rush. The bill was bipartisan and counted Chairman Emeritus
Barton as a cosponsor. The bill had two main provisions: (1) an
entity holding data containing personal information had to
adopt reasonable and appropriate security measures to protect
such data; and (2) that same entity had to notify affected
consumers in the event of a breach. Those basic requirements
should be the basis for data security and breach legislation
coming out of this committee.
Our constituents can't afford another massive data breach
that threatens their credit and the protection of their
identity. We owe it to them to take steps to limit the
likelihood of data breach and ensure that they are informed
when that happens.
I thank our witnesses for appearing today, and I look
forward to hearing from them about how we can better protect
against cyber theft in the future and ensure that consumers are
informed as soon as possible when those protections fail.
Mr. Terry. Mr. Upton, you are recognized for your 5
minutes, and you control the time.
OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MICHIGAN
Mr. Upton. Well, thank you, Mr. Chairman. The recent data
thefts of consumer information at well known companies are a
reminder of the challenges that we certainly face today in a
digital-connected economy. We are well aware of the benefits to
consumers and businesses of instant communication and e-
commerce. The rapid evolution of technology allows consumers to
purchase goods and services on demand whenever and wherever
they want.
Despite the many new conveniences and efficiencies, the
unfortunate reality is that technology also facilitates the
ability of criminals to commit identity theft or other serious
crimes that can potentially injure far more consumers. What
originated as paper based fraud or identity theft gathered from
a dumpster or mailbox has changed with the times and adapted to
the Internet and digital economy.
Today, indeed, most transactions we conduct are either
transmitted or stored in a connected environment ensuring
almost every citizen has some digital footprint or profile, and
that the most sophisticated cyber criminals are successful in
infiltrating digital databases, they certainly can gain access
to data on millions of individuals. As long as the risk reward
payoff is sufficient to attract criminals, the problem will not
go away.
Congress recognized the importance of protecting our
personal information as the crimes of identity theft and
financial fraud became more pervasive in our economy. It is the
reason that we enacted laws specifically to address sensitive
consumer data that can be used by criminals for identity theft
or financial fraud, including the Gramm-Leach-Bliley Act for
financial institutions and HIPAA as well for the health care
industry. Additionally, we have also empowered the FTC to
address data breaches through the use of section 5 of the FTC
Act under which they have settled 50 data security cases.
Federal government is not the only layer of protection. A
handful of State laws mandates security for the data of their
citizens, and the private sector has developed extensive
standards through the PCI Security Standards Council, yet
breaches, identity theft, financial fraud continue, affecting
virtually every sector from the federal government to
merchants, banks, universities, and hospitals. We must consider
whether the current multi-layer approach to data security,
federal, state, and industry self-regulation can be more
effective, or whether we need to approach the issue
differently.
In short, the title of today's hearing is an appropriate
question to ask, ``Can data breaches be prevented?'' This is
the right venue to discuss what businesses can reasonably do to
protect data. Equally important, we need to find ways to
minimize or eliminate the ability of criminals to commit fraud
with data that they acquire. Americans deserve to have the
peace of mind that the government, law enforcement officials,
and private industry are doing everything necessary to protect
the public from future breaches, and I yield the balance of my
time to Mrs. Blackburn.
[The prepared statement of Mr. Upton follows:]
Prepared statement of Hon. Fred Upton
The recent data thefts of consumer information at well-
known companies are a reminder of the challenges that we face
in a digital, connected economy. We are well aware of the
benefits to consumers and businesses of instant communication
and e-commerce. The rapid evolution of technology allows
consumers to purchase goods and services on demand--whenever
and wherever they want. Despite the many new conveniences and
efficiencies, the unfortunate reality is that technology also
facilitates the ability of criminals to commit identity theft
or other crimes that can potentially injure far more consumers.
1What originated as paper-based fraud or identity theft
gathered from a dumpster or mailbox has changed with the times
and adapted to the Internet and the digital economy. Today,
most transactions we conduct are either transmitted or stored
in a connected environment, ensuring almost every citizen has
some digital footprint or profile. If the most sophisticated
cybercriminals are successful in infiltrating digital
databases, they can gain access to data on millions of
individuals. As long as the risk-reward payoff is sufficient to
attract criminals, the problem will not go away.
Congress recognized the importance of protecting our
personal information as the crimes of identity theft and
financial fraud became more pervasive in our economy. It is the
reason we enacted laws specifically to address sensitive
consumer data that can be used by criminals for identity theft
or financial fraud, including the Gramm Leach Bliley Act for
financial institutions and HIPAA (Health Information
Portability and Accountability Act) for healthcare industry
participants. Additionally, we also have empowered the FTC to
address data breaches through the use of Section 5 of the FTC
Act, under which they have settled 50 data security cases.
The federal government is not the only layer of protection.
A handful of state laws mandate security for the data of their
citizens, and the private sector has developed extensive
standards through the PCI Security Standards Council.
Yet breaches, identity theft, and financial fraud continue,
affecting every sector from the federal government to
merchants, banks, universities and hospitals. We must consider
whether the current multi-layer approach to data security--
federal, state, and industry self-regulation--can be more
effective, or whether we need to approach the issue
differently.
In short, the title of today's hearing is an appropriate
question to ask: ``Can Data Breaches be Prevented?'' This is
the right venue to discuss what businesses can reasonably do to
protect data. Equally important, we need to find ways to
minimize or eliminate the ability of criminals to commit fraud
with data they acquire. Americans deserve to have the peace of
mind that the government, law enforcement officials, and
private industry are doing everything necessary to protect the
public from future breaches.
Mrs. Blackburn. I thank the chairman, and I want to welcome
each of you. We are pleased to have you here. Privacy data
security is something that we are hearing about more and more
from our constituents. I sum it up by saying my constituents
want to know who owns the virtual you, which is you in your
presence online. Who has the rights to that? And I hope that
from listening to you-all and talking with you today, we can
gather some information to add to the work that we have been
doing in our bipartisan privacy data security working group
here at the committee.
What our constituents want to do is figure out how to build
out this toolbox that will allow them to protect themselves
online. They want to know what you are doing to provide the
assurance of data security, what are those protocols? They want
to know what the process will be, a kind of a standard business
process, for data breach notification. What are the
expectations? And then they want, both the private sector and
government, to meet and fulfill those expectations.
So, you have experience, some lessons learned, you have
made some mistakes, all of you, you are learning from those
mistakes, and we are looking at how we take the rules that are
on the books in the physical space, and apply that to the
virtual space and encourage commerce and the interaction,
transaction, and movement of data and commerce. I yield back
the balance of the time.
Mr. Terry. Mr. Johnson, you are recognized for 10 seconds.
Mr. Johnson. Well, thanks. As a 30-year IT professional
myself before coming to Congress, including a stint as the
director of the CIO staff for U.S. Special Operations Command,
I can tell you I understand the complexities of data security
and how complex it is. I am really looking forward to hearing
from you folks today on what we can do to position both our
commercial sector and our public sector to handle this problem.
Mr. Terry. Thank you. That concludes our time, but before I
officially recognize him, Mr. Waxman, ranking member of the
full committee, had made a surprise announcement and stunned
all of us that he is going to conclude his time with Congress
at the end of this session, and I just want to thank him for
his 40 years of service to the United States Congress, to the
people of California, and the United States, and job well done.
We may not agree on everything, but you are passionate, you
are zealous, and you are very involved, and you command respect
from everybody, Henry. Thank you for your service.
Mr. Waxman. Thank you, Mr. Chairman.
Mr. Terry. And you are recognized for 5 minutes.
OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Mr. Waxman. Thank you for your kind words and for holding
this hearing today. I think this may be the first of a series
of troubling cyber attacks on prominent retailers that are
going to tell us today about their experience, and we want to
evaluate how businesses and government can better protect the
security of consumers' personal information.
Late last year, Target, Neiman Marcus, and reportedly
Michael's all experienced breaches in which criminal intruders
stole consumers' payment card information leaving them at risk
for fraudulent charges. The Target breach, which involves not
only payment card data, but also marketing data that could be
used in phishing attacks is now reported to affect between 70
million and 110 million people, roughly one-third of the adult
U.S. population. Reports indicated that similar attacks have
likely affected many other retailers as well. Just last week,
White Lodging, a major hotel operator, announced that he was
investigating a potential breach affecting thousands of guests
who stayed at hotels under various brand names, including
Hilton, Marriott, Sheraton, and Westin. Given these constant
security threats, I hope that today's hearing will provide us
with the facts necessary to chart a path forward where
consumers can be more confident that companies will keep their
data safe.
The unprecedented scope and scale of these breaches is
alarming. It affects the confidence of consumers who rely on
retailers, banks, and payment card processors and networks to
safeguard their personal information, including their credit
card and debit card information. Millions of Americans have had
to contend with fraudulent charges on their financial
statements, identity theft schemes in which criminals open
phony accounts in their names, and the fear and uncertainty
about how criminals may use their information next.
There are many unanswered questions about these recent
attacks, including how they were carried out, and of course,
who was responsible. These breaches also raise important
questions about how well the industry polices itself, whether
these companies responded to early warnings and whether they
notified consumers in a timely manner. We also need to
understand the appropriate Federal role in both data security
and breach notification. Nearly all U.S. States and territories
now have laws that require notice for their own residents when
a data breach occurs.
The effectiveness of these laws vary greatly, but several
are quite strong, ensuring that consumers receive prompt,
adequate, and clear notification when their personal
information is breached, and providing them with resources to
protect their financial wellbeing. It could be a model for a
minimum Federal requirement.
After the fact, breach notification is only half of what is
needed. The private sector must also take stronger steps to
safeguard personal information. There could be a Federal rule
in ensuring they are proactive. There will always be bad actors
who will try to compromise large databases and obtain sensitive
information that can be leveraged for financial gain. We need
to have effective law enforcement to stop them. We also need to
make sure companies are doing enough to prevent breaches
because consumers are paying the price. Protecting consumer
data needs to be priority number 1.
I look forward to the witnesses' testimony and to our
discussion today of this important topic. I thank the witnesses
for being here. I want to apologize in advance because there is
another subcommittee that is meeting simultaneously with this
one, and I have to be at that subcommittee as well. But looking
forward to your testimony. In the short time I have left, is
anybody on the majority wish to take the 47, -6, -5, -4 seconds
noted. If not, Mr. Chairman, I yield back.
Mr. Terry. You said majority. Are you talking----
Mr. Waxman. Oh, did I say majority? I am always looking to
the future, Mr. Chairman, and I thank you for your kind words,
and I, of course, I am going to be here till December so we
will all be able to work together some more. Thank you.
Mr. Terry. Very good. Thank you, Henry.
Now, time to introduce our first panel. Edith Ramirez is
the chairwoman of the Federal Trade Commission, thank you for
your second appearance before this committee; Lisa Madigan,
Attorney General for the State of Illinois, thank you for
coming; William Noonan, deputy special agent in charge,
Criminal Investigation Division, Cyber Operations, United
States Secret Service, and I said it all in one breath. Mr.
Noonan, thank you for your appearance here today; Lawrence
Zelvin, director, National Cybersecurity and Communications
Integration Center, Department of Homeland Security. We always
go from my left to right, so we will start with Chairman
Ramirez. You are now recognized for your 5 minutes.
STATEMENTS OF HON. EDITH RAMIREZ, CHAIRWOMAN, FEDERAL TRADE
COMMISSION; HON. LISA MADIGAN, ATTORNEY GENERAL, STATE OF
ILLINOIS; WILLIAM NOONAN, DEPUTY SPECIAL AGENT IN CHARGE,
CRIMINAL INVESTIGATIONS DIVISION, CYBER OPERATIONS, UNITED
STATES SECRET SERVICE; AND LAWRENCE ZELVIN, DIRECTOR OF THE
NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER,
DEPARTMENT OF HOMELAND SECURITY
STATEMENT OF HON. EDITH RAMIREZ
Ms. Ramirez. Thank you. Chairman Terry, Ranking Member
Schakowsky, and members of the committee, thank you for the
opportunity to appear before you to discuss the Federal Trade
Commission's data security enforcement program. We live in an
increasingly connected world in which vast amounts of consumer
data is collected. As recent breaches of Target and other
retailers remind us, this data is susceptible to compromise by
those who seek to exploit security vulnerabilities. This takes
place against the background of the threat of identity theft,
which has been the FTC's top consumer complaint for the last 13
years. According to estimates of the Bureau of Justice
statistics, in 2012, this crime affected a staggering 7 percent
of all people in the United States age 16 and older.
The Commission is here today to reiterate its bipartisan
and unanimous call for Federal data security legislation. Never
has the need for such legislation been greater. With reports of
data breaches on the rise, Congress needs to act. We support
legislation that would strengthen existing data security
standards and require companies, in appropriate circumstances,
to notify consumers when there is a breach. Legislation should
give the FTC authority to seek civil penalties where warranted
to help ensure that FTC actions have an appropriate deterrent
effect.
It should also provide rulemaking authority under the
Administrative Procedure Act and jurisdiction over nonprofits,
which have been the source of a large number of breaches. Such
provisions would create a strong consistent standard and enable
the FTC to protect consumers more effectively. Using its
existing authority, the FTC has devoted substantial resources
to encourage companies to make data security a priority.
The FTC has brought 50 civil actions against companies that
we alleged put consumer data at risk. We have brought these
cases under our authority to combat effective and unfair
commercial practices as well as more targeted laws such as the
Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. In
all these cases, the touchstone of the Commission's approach
has been reasonableness. A company's data security measures
must be reasonable in light of the sensitivity and volume of
consumer information it holds, the size and complexity of its
data operations, and the cost of available tools to improve
security and reduce vulnerabilities.
The Commission has made clear that it does not require
perfect security and that the fact that a breach occurred does
not mean that a company has violated the law. Significantly, a
number of FTC enforcement actions have involved large breaches
of payment card information. For example, in 2008, the FTC
settled allegations that security deficiencies of retailer TJX
permitted hackers to obtain information about tens of millions
of credit and debit cards. To resolve these allegations, TJX
agreed to institute a comprehensive security program and to
submit to a series of security audits. At the same time, the
Justice Department successfully prosecuted a hacker behind the
TJX and other breaches. As the TJX case illustrates well, the
FTC and criminal authorities share complementary goals.
FTC actions help ensure, on the front end, that businesses
do not put their customers' data at unnecessary risk while
criminal enforcers help ensure that cyber criminals are caught
and punished. The dual approach to data security leverages
government resources and best serves the interest of consumers,
and to that end, the FTC and criminal enforcement agencies have
worked together to coordinate all respective data security
investigations.
The FTC appreciates the work of our fellow law enforcement
agencies at the Federal and State level. In addition to the
Commission's enforcement work, the FTC offers guidance to
consumers and businesses. For those consumers affected by
recent breaches, the FTC has posted information online about
steps they should take to protect themselves. These materials
are in addition to the large stable of other FTC resources we
have for ID theft victims, including an ID theft hotline. We
also engage in extensive policy initiatives on privacy and data
security issues.
For example, we recently conducted workshops on mobile
security and emerging forms of ID theft, such as child ID theft
and senior ID theft.
In closing, I want to thank the Committee for holding this
hearing and for the opportunity to provide the Commission's
views. Data security is among the Commission's highest
priorities, and we look forward to working with Congress on
this critical issue. Thank you.
Mr. Terry. Thank you, Chairman.
[The prepared statement of Ms. Ramirez follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Terry. Now, the gentlelady from Illinois, Ms. Madigan,
you are now recognized for 5 minutes.
STATEMENT OF HON. LISA MADIGAN
Ms. Madigan. Thank you, Chairman Terry, Ranking Member
Schakowsky, and members of the subcommittee, I appreciate
having an opportunity to testify on this important issue.
Addressing data breaches and preventing them is critical to our
financial security and our economy. Over the past decade, we
have faced an epidemic of data breaches that has affected
almost every American and has inflicted billions of dollars of
damage to our economy. Many have become accustomed to their
occurrence, but the recent Target breach served as a wake-up
call that government and the private sector need to take
serious meaningful actions to curb this growing problem.
To assist the subcommittee, I will explain the impact data
breaches have on consumers, the role the States play in
responding to breaches, the data security lapses we have seen
in the private sector, and the steps that private sector and
government can take to prevent future breaches.
Since 2005 there have been over 4,000 data breaches
nationally and over 733 million records compromised. The amount
of money lost because of identity theft is also sobering. In
2012, it was $21 billion. And over the last year alone, the
number of complaints my office has received on data breaches
has jumped more than 1,000 percent. When these breaches occur,
consumers are harmed primarily two ways: First, they are
exposed to the likelihood of unauthorized charges on their
existing accounts, and second, they are much more likely to
become victims of more costly identity theft. Consumers
affected by breaches must constantly monitor their financial
accounts for unauthorized charges, and when consumers discovery
them, clean up requires notifying their credit and debit card
issuers, closing accounts, canceling cards and waiting for new
cards to arrive, and for consumers with automatic bill pay,
alerting companies about the new account numbers to prevent
late fees, and those are the easy situations.
Victims of identity theft can spend months reporting
instances of fraud to creditors and reporting bureaus to
restore their credit. During this time, these victims are often
prevented from fully participating in our economy. Identity
theft takes a variety of forms and while it most commonly
affects consumers' financial account, identity thieves also use
consumers' information to open utility accounts and obtain
medical treatment and prescription drugs. All of these things
can happen simply because the consumers share their sensitive
data in the usual course with a business, a medical provider,
or the government.
The States have been inundated with consumers who need help
understanding and recovering from breaches and identity theft
damage. Because of this, I created an identity theft unit and
hotline back in 2006. Since then, we have received more than
40,000 requests for assistance and have helped remove over $26
million worth of fraudulent charges for Illinois residents. In
addition to this direct consumer assistance, my office also
conducts investigations of data breaches.
To confirm that companies complied with State laws by
notifying consumers of breaches within a reasonable time, and
to ensure that companies suffering breaches took reasonable
steps to protect their consumer sensitive data from disclosure.
My office, along with the Connecticut AG's office, is currently
leading multi-State investigations into breaches that affected
millions of Target and Neiman Marcus and Michael's customers.
During private breach investigations, we have instances where
companies failed to take basic steps to protect consumer data.
So the notion that companies are already doing everything they
can to prevent breaches is false.
We have found repeated instances where breaches occurred
because companies allowed consumer data to be maintained
unencrypted, failed to install security patches for known
software vulnerabilities, and retained data for longer than
necessary. The recent breaches have also led to discussions
about security technology that was available but not deployed
for reasons that allegedly ranged from high cost and increased
checkout times to disputes between banks and retailers.
Frankly, it is negligent that the United States is behind
the rest of the world when it comes to the security of our
payment networks, and it is the main reason that U.S.
consumers' information is targeted by criminals. It is past
time for the private sector to take data security seriously.
Consumers are rapidly losing confidence in companies' ability
to safeguard their personal information. Based upon our
experiences at the State level, I recommend the Congress take
the following actions. First, pass data security and breach
notification legislation that does not preempt State law.
Second, Congress should also recognize that the Federal
Government should assist the private sector in the same manner
it already does in other critical areas.
Congress should give an agency the responsibility and
authority to investigate large sophisticated data breaches in a
manner similar to NTSB investigations of aviation accidents.
Finally, please remember that States have been on the front
lines of this battle for a decade. Illinois residents
appreciate the important role my office plays, and they are not
asking for our State law to be weakened by preemption, but they
are panicked and they are angered the companies are not doing
more to protect their personal and financial information and
prevent these breaches from occurring in the first place. I am
happy to answer any questions you have. Thank you.
Mr. Terry. Thank you, General Madigan.
[The prepared statement of Ms. Madigan follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Terry. And now, Mr. Noonan, you are recognized for your
5 minutes.
STATEMENT OF WILLIAM NOONAN
Mr. Noonan. Good morning, Chairman Terry, Ranking Member
Schakowsky, and distinguished members of the subcommittee.
Thank you for the opportunity to testify on behalf of the
Department of Homeland Security regarding the ongoing trend of
criminal exploiting cyberspace to obtain sensitive, financial,
and identity information as part of a complex criminal scheme
to defraud our Nation's payment systems. Our modern financial
system depends heavily on information technology forconvenience
and efficiency.
Accordingly, criminals motivated by greed have adapted
their methods and are increasingly using cyberspace to exploit
our Nation's financial payment systems to engage in fraud and
other illicit activities. The widely reported data breaches of
Target and Neiman Marcus are just recent examples of this
trend. The Secret Service is investigating these recent data
breaches, and we are confident that we will bring the criminals
responsible to justice.
However, data breaches like these recent events are part of
a long trend. In 1984, Congress recognized the risk posed by
increasing use of information technology and established 18 USC
sections 1029 and 1030 through the Comprehensive Crime Control
Act. These statutes define access device fraud and misuse of
computers as Federal crimes, and explicitly assign the Secret
Service authority to investigate these crimes.
In support of the Department of Homeland Security's mission
to safeguard cyberspace, the Secret Service investigates cyber
crime through efforts of our highly trained special agents in
the work of our growing network of 33 electronic crimes task
forces which Congress assigned the mission of preventing,
detecting, and investigating various forms of electronic
crimes.
As a result of our cyber crime investigations, over the
past 4 years, the Secret Service has nearly arrested 5,000
cyber criminals. In total, these criminals were responsible for
over a billion dollars in fraud losses, and we estimate our
investigations prevented over a $11 billion in fraud losses.
The data breaches, like the recent reported occurrences, are
just one part of a complex criminal scheme executed by
organized cyber crime. These criminal groups are using
increasingly sophisticated technology to conduct a criminal
conspiracy consisting of five parts.
One, gaining unauthorized access to computer systems
carrying valuable protected information; two, deploying
specialized malware to capture and exfiltrate the data; three,
distributing or selling the sensitive data to their criminal
associates; four, engaging in sophisticated and distributed
frauds using the sensitive information that was obtained; and
five, laundering the proceeds of their illicit activity.
All five of these activities are criminal violations in and
of themselves, and when conducted by sophisticated
transnational networks of cyber criminals, this scheme has
yielded hundreds of millions of dollars in illicit proceeds.
The Secret Service is committed to protecting the Nation
from this threat. We disrupt every step of their five-part
criminal scheme through proactive criminal investigations and
defeat these transnational cyber criminals through coordinated
arrests and seizure of assets. Foundational to these efforts
are the private industry partners as well as close partnerships
that we have with State, local, Federal, and international law
enforcement. As a result of these partnerships, we are able to
prevent many cyber crimes by sharing criminal intelligence
regarding the plans of cyber criminals and minimizing financial
losses by stopping their criminal scheme.
Through our Department's National Cybersecurity and
Communications Integration Center, the NCCIC, the Secret
Service also quickly shares technical cybersecurity information
while protecting civil rights and civil liberties in order to
allow organizations to reduce their cyber risks by mitigating
technical vulnerabilities.
We also partner with the private sector in academia to
research cyber threats and publish information on cyber crime
trends through reports like Carnegie Mellon CERT Insider Threat
Study, the Verizon Data Breach Study, and the Trustwave Global
Security Report. The Secret Service has a long history of
protecting our Nation's financial system from threats. In 1865,
the threat we were founded to address was that of counterfeit
currency. As our financial payment system has evolved from
paper to plastic, now digital information, so, too, has our
investigative mission. The Secret Service is committed to
protecting our Nation's financial system even as criminals
increasingly exploit it through cyberspace. Through the
dedicated efforts of our electronic crimes task forces and by
working in close partnerships with the Department of Justice,
in particular, the criminal division and the local U.S.
Attorney's offices, the Secret Service will continue to bring
cyber criminals that perpetrate major data breaches to justice.
Thank you for the opportunity to testify on this important
topic, and we look forward to your questions.
Mr. Terry. Thank you, Mr. Noonan.
[The prepared statement of Mr. Noonan follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Terry. Mr. Zelvin, you are now recognized for your 5
minutes.
STATEMENT OF LARRY ZELVIN
Mr. Zelvin. Chairman Terry, Ranking Member Schakowsky,
distinguished members of the subcommittee. Thank you very much
for the opportunity to be here before you today. In my brief
opening comments, I would like to highlight the DHS National
Cybersecurity and Communications Integrations Center, or
NCCIC's role in preventing, responding to, and mitigating cyber
incidents, and then discuss our activities during the recent
point of sale compromises. I hope my remarks will demonstrate
the increasing importance of building and maintaining close
relationships among the wide range of partners in order to
address all aspects of malicious cyber activity, as well as to
reduce continuing vulnerabilities, protect against future
attacks, and mitigate the consequences of incidents that have
already occurred.
The importance of leveraging these complementary missions
has been consistently demonstrated over the last several years,
and is an increasingly critical part of the broader framework
used by the government and the private sector to cooperate
responding to malicious cyber activity.
As you well know, the Nation's economic vitality and the
national security depends on the secure cyberspace where
reasonable risk decisions can be made, and the flow of digital
goods and online interactions can occur safely and reliably. In
order to meet these objectives, we must share technical
characteristics of malicious cyber activity in a timely fashion
so we can discover, address, and mitigate cyber threats and
vulnerabilities. It is increasingly clear that no single
country, agency, company or individual can effectively respond
to the ever-rising threats of malicious cyber activity alone.
Effective responses require a whole nation effort,
including close coordination among entities such as the NCCIC,
the Secret Service, the Department of Justice, to include the
Federal Bureau of Investigation, the Intelligence Community,
sector specific agencies such as the Department of Treasury,
the private sector entities who are simply critical to these
efforts, and State, local, tribal, territorial, and
international governments.
In carrying out its particular responsibilities, the NCCIC
promotes and implements a unified approach to cybersecurity,
which enables the efforts of these diverse partners to quickly
share cybersecurity information in a manner which ensures the
protection of individuals' privacy, civil rights, and civil
liberties.
As you may already know, the NCCIC is a civilian
organization that provides an around-the-clock center where key
government, private sector, and international partners can work
collaboratively together in both physical and virtual
environments. The NCCIC is comprised of four branches, the
United States Computer Emergency Readiness Team, or US-CERT,
the Industrial Control Systems Cyber Emergency Response Team,
or ICS-CERT, the National Coordinating Center for
Communications, and Operations and Integration component.
In response to the recent retailer compromises, the NCCIC
specifically leveraged the resources and capabilities of US-
CERT, whose mission focuses specifically on computer network
defense that includes prevention, protection, mitigation,
response, and recovery activities. In executing this mission,
the NCCIC and US-CERT regularly publishes technical and
nontechnical information products assessing the characteristics
of malicious cyber activity, improving the ability of
organizations and individuals to reduce that risk.
When appropriate, all NCCIC components have onsite response
capabilities that can assist owners and operators at their
facilities. In addition, US-CERT's global partnership with over
200 other CERTs worldwide allow the team to work directly with
analysts from across international borders to develop a
comprehensive picture of malicious cyber activity and
mitigation options.
Increasingly, data from the NCCIC and US-CERT can be shared
in machine-readable formats using the Structured Threat
Information Expression, also known as STIX, which is being
currently being implemented and utilized. In some of the recent
point of sale incidents, NCCIC, US-CERT analyzed the malware
provided to us by the Secret Service and other relevant
technical data, and used findings, in part, to create a number
of information sharing products.
The first product, which is publicly available, can be
found on the US-CERT's Web site provides nontechnical overview
of risks to point of sale systems along with recommendations
for how businesses and individuals can better protect
themselves and mitigate their losses in the event of an
incident that has already occurred.
Other products have been more limited in distribution in
that they are meant for cybersecurity professionals in that
they provide detailed technical analysis and mitigation
recommendations to better enable experts to protect, discover,
respond, and recover from events. As a matter of strategic
intent, the NCCIC's goal is always to share information as
broadly as possible, which includes delivering products
tailored to specific audiences.
These efforts ensure that actionable details associated
with a major cyber incident are shared with the right partners
so they can protect themselves, their families, their
businesses and organizations quickly and accurately.
In the case of the point of sale compromises, we especially
benefited by the close coordination of the Financial Services
Information Sharing and Analysis Center, or the FS-ISAC. In
particular, the FS-ISAC's Payments Processing Information
Sharing Council has been particularly useful in that they
provide a form for sharing information about fraud, threats,
vulnerabilities and risk mitigation in the payments industry.
In conclusion, I want to again highlight that we in DHS and
the NCCIC strive every day to enhance the security and
resilience across cyberspace and the information technology
enterprise. We will accomplish these tasks using voluntary
means, ever mindful of the need to respect privacy, civil
liberties, and the law. I truly appreciate the opportunity to
speak with you today and look forward to your questions.
Mr. Terry. Thank you, Mr. Zelvin.
[The prepared statement of Mr. Zelvin follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Terry. And that begins our questions with the end of
your testimony. It is now the start of our questions. Each
member has 5 minutes for questions, and I get to go first. Jan
is second.
So, Mr. Noonan, you had mentioned that part of Secret
Service's job is to investigate when breaches occur like this.
Is the Secret Service, or are you involved in the investigation
into what happened at both Target and Neiman Marcus and other
entities?
Mr. Noonan. Yes, sir. So we are involved in the criminal
investigation of the Target breach, as well as the Neiman
Marcus case.
Mr. Terry. And so far, what have you been able to find out
that you can communicate to us?
Mr. Noonan. What we can determine at this point is that the
criminal organizations that we are looking at in pursuing are
highly technical, sophisticated criminal organizations that
study their targets and use sophisticated tools to be able to
compromise those various systems.
Mr. Terry. And the breach at Target and Neiman Marcus, we
have read through the news reports, was from a sophisticated
criminal entity, as you mentioned in your investigation. Does
your investigation also then go into how they exploited each of
those major retailers' data?
Mr. Noonan. Yes, sir.
Mr. Terry. And what did you find out?
Mr. Noonan. It is still an ongoing coordination
investigation in which we are working on right now; however, we
do know that the malware at this point in our investigation is
not the same criminal tools being used at either one of those
locations.
Mr. Terry. So they are distinct, separate attacks?
Mr. Noonan. Yes, sir.
Mr. Terry. By separate distinct different criminal
organizations?
Mr. Noonan. We are working on that part right now, sir.
Mr. Terry. OK. In your investigations, do you assess
whether each of the, say, Target and Neiman Marcus' cyber
standards or their cyber plans were adequate or inadequate or
vulnerable?
Mr. Noonan. The Secret Service does a criminal
investigation, and again, we are continuing to go after the
criminal organization that is perpetrating these. Both Neiman
Marcus and Target do use robust security plans in their
protection of their environment, and it comes back to the
criminal actors in going after the pot of gold or whatever they
can monetize. So, as good as security factors are, these
criminal organizations are looking at ways to go around
whatever security apparatuses had been set up, so these were
very sophisticated, coordinated events. It was not necessarily
from a singular actor. It's a coordination of pieces that were
used to do these intrusions.
Mr. Terry. Mr. Zelvin, you also, is your organization,
NCCIC, have you looked at or assessed the cybersecurity at the
entities that have been hacked?
Mr. Zelvin. Mr. Chairman, we have not. We have been working
closely with the Secret Service on identifying the malware that
had been used in these incidents, doing the analysis and then
sharing that with our partners across both the public and
private sector, but I can tell you that the malware, as we see
it, as Bill has said, is an incredibly sophisticated and could
be challenging the most robust security system.
Mr. Terry. What specifically makes it more sophisticated
than what we have seen before? Mr. Noonan.
Mr. Noonan. Sure, sir. What we have seen actually in the
development of the malware is that it is not an off-the-shelf
type of malware that is utilized. What makes these targeted
attacks unique is that the criminals are modifying and molding
specific types of malware to fit whatever network or intrusion
set they are going after.
Mr. Terry. So, it was specifically designed for that, for
Target?
Mr. Noonan. For whichever----
Mr. Terry. And a different one specifically designed for
Neiman Marcus?
Mr. Noonan. Depending on security platforms that are
available, yes, sir.
Mr. Terry. That is interesting.
Last, in future prevention, how important is an ISAC and
would it help if there was a retailer specific ISAC?
Mr. Zelvin. Mr. Chairman, the ISACs have been absolutely
critical in our ability to share information with the broadest
communities possible. As you well know, they are in all 16
critical infrastructure. In some of these infrastructures,
certain groups, specifically in aviation and transportation,
have made ISACs that are a subset of the larger ISAC. I would
be a proponent of having a retailer ISAC, but it is really for
the retailers to decide if it is useful for them.
We have been using the financial services ISAC in this
case, but we look forward that if the business community wants
to go that way, we would look forward to working with them.
Mr. Terry. And that is something that you would be the
umbrella organization to help?
Mr. Zelvin. Sir, these are public/private partnerships, and
DHS has worked with them for quite some time, so it is a model
that we are very accustomed to using.
Mr. Terry. There may be a few people in this audience that
doesn't know what an ISAC is. Can you tell what is the
advantage and just very quickly what it is?
Mr. Zelvin. Yes, sir, Information Sharing Analysis Centers
are predominantly around the 16 critical infrastructure,
transportation, energy, finance, health, there is obviously a
number of them, and it allows us, both in a public and private
way, to get out to thousands of companies and share information
in both directions.
So, it is a growing community, but it really allows us to
get to those cybersecurity professionals and talk to those
people that really do the network defense and have a
conversation with those experts in a very robust scale.
Mr. Terry. Thank you. Now it is my pleasure to recognize
the ranking member of our subcommittee, Ms. Schakowsky, for 5
minutes.
Ms. Schakowsky. Let me just say to Mr. Zelvin, I am sure
that the chairman would agree, we appreciate our visit to NCCIC
that we did this weekend in preparation for this hearing and
the very impressive work that you are doing.
I wanted to ask Attorney General Madigan a couple of
questions. You alluded to the Illinois law, the Personal
Information Protection Act that followed the Choice Point
breach in 2005. I believe you were here talking about that as
well.
Ms. Madigan. It is a different privacy matter, but I think
that is really when all the States started looking into it
seriously.
Ms. Schakowsky. So, our law in Illinois requires
corporations, financial institutions, retail operators,
government agencies, universities, other government entities to
discuss data breaches, and the law says ``In the most expedient
time possible and without unreasonable delay.''
How does your office determine what that is?
Ms. Madigan. Well, first of all, in every circumstance we
are going to look at what has taken place, but we are also
going to be very cognizant of what that company or that entity
needs to do in terms of ensuring that they have maintained the
integrity of their system, they put security in place, and if
they are ongoing, law enforcement investigations. We certainly
don't want to compromise those, and so we will wait in terms of
requiring notification. But as we have learned over the years,
and there are studies and reports out there that demonstrate
it, the sooner an individual is notified that their information
has been compromised, the less likely they are to actually face
any sort of unauthorized charges or even a full account
takeover, which will cost them a lot more money.
So, it is a case-by-case basis, and obviously, the sooner
that we can make sure that consumers are notified, the better
off everybody is in terms of the damage that is going to be
done to them individually and the losses to the economy.
Ms. Schakowsky. So the language is kind of general, but you
make the decision on a case-by-case basis in terms of
notification?
Ms. Madigan. Correct. We work with the companies to see
where they are in the process once we are alerted to the fact
that a breach has taken place, and obviously we are always
supportive of the work that the Secret Service and other law
enforcement agencies are doing in terms of the criminal
investigation. Really, the investigations that we do are civil
side, to make sure that our law is actually----
Ms. Schakowsky. Have you found companies that have not used
the most expedient time possibly or unreasonable delay?
Ms. Madigan. We always look at it, and there is always
questions, really on any side because I think there is a great
concern that many companies legitimately have about the hit it
is going to take to their public image if they do have to
reveal this, so there have been times that we think people
could move faster, and we work with them to make sure that they
actually get out that notice. We have not fined anybody for
that.
Ms. Schakowsky. You know, you mentioned a couple of times
about preemption, and I wanted to just ask you how important it
is that Illinois, and I guess other States as well, maintain
the right to require the disclosure of data breaches as quickly
as possible and other enforcement mechanisms?
Ms. Madigan. I think probably every State official who
would sit in front of you would say it is very important.
Obviously, over the last 10 years, the States have really been
able to be, as we like to say, and I think you also can
appreciate, the lavatories of innovation. When we started
seeing people coming to us because they have been victims of
identity theft, we needed to respond, and we needed to respond
by making sure that they were notified when their personal
information had been accessed and compromised, and we needed to
be able to respond to make sure that companies were actually
going to be putting in place stronger security measures. So
we----
Ms. Schakowsky. Well, I want to ask you about that, because
the Illinois law does not explicitly require minimum standards
of protection for personal data, and yet you cited that as a
problem. Who should do that then?
Ms. Madigan. Well, we have a growing number of States that
are actually putting those requirements in place in terms of
security, and I would have to say that looking back over the
investigations that we have done into data breaches, it is
clear that that has to be done, because there really is, we
like to talk about best practice of being in place, but the
reality is, oftentimes when we are doing these investigations,
we repeatedly see situations where information that is personal
and sensitive financial information is being maintained
unencrypted.
We have seen situations where literally the information is
obtained because documentation with sensitive information is
being thrown into a dumpster and people have gotten it out and
used that for illicit purposes. So, there is a minimum
standard, and then I think that, as Chairman Ramirez did a very
nice job of explaining, on a case-by-case basis with companies
considering the types of information, the volume of
information, the sensitivity of information, we have to have
increasing standards required.
Ms. Schakowsky. My time is up, but I look forward to
working with all of you to figure out what is the appropriate
Federal congressional response. Thank you. I yield back.
Mr. Terry. Thank you. I now recognize Chairman Emeritus Mr.
Barton for your 5 minutes.
Mr. Barton. Thank you, Mr. Chairman. I want to thank you
and the ranking member for holding this hearing. This is, I
think, potentially a very important hearing because this is one
of the few things that Republicans and Democrats both agree on
is a problem, and I think we maybe be able, with your
leadership, to reach agreement on what a solution might be, so
this is one of those rare days that something might actually
happen as a result of a congressional hearing.
I am a co-chairman of the Privacy Caucus in the House,
along with Congresswoman Diana DeGette, and Ms. Schakowsky is a
member of that caucus, and most of the Republicans on this
subcommittee are members. The gentlelady to my right is a
chairwoman of a task force that Mr. Terry and Mr. Upton have
put together on privacy, so we have got lots of people here
that are listening very closely to what you folks say.
My question is a general question. I am going to start with
the chairwoman of the Federal Trade Commission.
Madam Chairwoman, do you think it is possible to
legislatively eliminate, or at least severely restrict data
theft?
Ms. Ramirez. There is certainly no perfect solution to this
issue, but it is clear to me that congressional action is
necessary. I think it would be very helpful if there were a
robust Federal standard when it comes to data security as well
as to a robust standard when it comes to breach notification,
and I think it is time for Congress to act.
Mr. Barton. OK. Do the other members of the panel agree
with that statement?
Ms. Madigan. Yes.
Mr. Barton. You do. Good. I thought you might disagree
actually.
Ms. Madigan. As long as you don't completely preempt us.
Mr. Barton. Right. OK. Mr. Noonan and Mr. Zelvin?
Mr. Noonan. Yes, sir, from a law enforcement approach, the
Secret Service believes any notification perhaps to law
enforcement with jurisdiction would definitely assist in this
effort as well.
Mr. Zelvin. Chairman, I come from the operational side of
the Department, and there are things that Congress could do
that could be very helpful as we work across the Nation or
across the globe. You know, strengthening the ability on
information sharing, I will tell you it is often difficult to
get sometimes companies to share information with us because
there is no statutory basis, and they tend to be on the
conservative side.
Promoting establishing the adoption of cybersecurity
standards would be very helpful, codifying the interest of
authorities to help secure Federal civilian agency networks and
assist critical infrastructure and then the national data
breach reporting, we can't understand it if we don't know about
them, so those are just some of the things that would be
helpful.
Mr. Barton. OK. The instance with Neiman Marcus, and I
believe with Target also occurred when a criminal came into
their stores and used a credit card that infected their system
at the point of purchase. If we went to some sort of a, well,
is it possible with the current technology to prevent that type
of data theft? I see a lot of blank looks here.
Mr. Noonan. Well, sir, just to clarify, the two breaches
that we are talking about in Neiman Marcus and in Target were
done by people infiltrating the system through a computer
network.
Mr. Barton. Oh, I thought they came in with a card and it--
--
Mr. Noonan. No, sir.
Mr. Barton. OK.
Mr. Noonan. So it is very difficult to decide, and again,
these are very complex, sophisticated criminals that did this.
So they inserted actually a malware code, a malicious code into
the system which was able to collect----
Mr. Barton. They did it by penetrating the system from
outside through a computer link.
Mr. Noonan. Yes, sir.
Mr. Barton. Not by giving a card that they inserted? OK----
Mr. Noonan. And our investigation at this point is
indicating that it is from transnational criminals so from
criminals from outside the borders of the United States.
Mr. Barton. OK. Well, I would hope, since everybody agreed
that this is a problem, and that the Federal Government should
legislate, we can come up with a best practices set of
recommendations to present to the committee, and then let us
massage it only the way we can, and we will try to move on
something, hopefully in this Congress.
And with that, I am going to yield back 34 seconds to the
chair.
Mr. Lance [presiding]. Thank you very much, Mr. Barton.
The chair recognizes the Dean of the Congress, Mr. Dingell
of Michigan.
Mr. Dingell. Mr. Chairman, you are most courteous, and I
commend you for holding this important hearing.
I think we can all agree that the breaches at Target and
Neiman Marcus were tragic. We had a duty to protect the
American consumers from events like this in the future.
This committee and the House must act to pass data security
and breach notification legislation. The administration has
proposed similar legislation. Congress must act again, and we
must ensure that such legislation makes it's way to the
President's desk for signature.
To that end, I am most interested to hear any opinions of
the FTC, and what they may wish to share with us. All of my
questions this morning will be addressed to Chairwoman Ramirez.
Madam Chairman, welcome.
Now, Chairman, your written testimony indicates the
Commission enforces a patchwork of Federal data security
statutes, such as Gramm-Leach-Bliley, the Fair Credit Reporting
Act, Children's Online Privacy Protection Act. Do any of these
acts require an FTC-covered entity whose collection of personal
identification has been breached to notify customers so
affected? Yes or no?
Ms. Ramirez. No.
Mr. Dingell. That is needed I assume?
Ms. Ramirez. I am sorry?
Mr. Dingell. That is needed, I assume.
Ms. Ramirez. Yes, absolutely.
Mr. Dingell. Now, Madam Chairman, similarly, do any of
these acts require entities subject to the breach to notify the
Federal Trade Commission or law enforcement in general of such
a breach? Yes or no?
Ms. Ramirez. No.
Mr. Dingell. Madam Chairman, in view of this should the
Congress enact a Federal data security and breach notification
law? Yes or no?
Ms. Ramirez. Yes.
Mr. Dingell. Madam Chairman, under such law should FTC-
covered entities be exempted from breach notification
requirements if they are already in compliance with GLBA, FCRA,
and COPPA? Yes or no?
Ms. Ramirez. No.
Mr. Dingell. Now, Madam Chairman, should such a law be
administered by one Federal agency or by some kind of a collage
of agencies?
Ms. Ramirez. One agency.
Mr. Dingell. One agency. Now, I happen to think that that
should be the Federal Trade Commission because of its long
expertise in these matter. Do you agree?
Ms. Ramirez. I would agree.
Mr. Dingell. Madam Chairman, should a Federal data security
breach and notification law prescribe requirements for data
security practices according to the reasonableness standard
already employed at the Commission? Yes or no?
Ms. Ramirez. Yes.
Mr. Dingell. Madam Chairman, should that be expanded?
Should that be expanded?
Ms. Ramirez. Yes, I think there should be a robust Federal
standard.
Mr. Dingell. All right, I will ask you to contribute for
the record information on that view, if you please.
Ms. Ramirez. Yes.
Mr. Dingell. I ask unanimous consent that that be inserted
at the appropriate time.
And thank you, Mr. Chairman.
Now, Madam Chairman, should such a law address notification
methods, content requirement, and timeliness requirements? Yes
or no?
Ms. Ramirez. Yes.
Mr. Dingell. Wouldn't work very well without that would it?
Ms. Ramirez. That is right.
Mr. Dingell. Now, Madam Chairman, in the event of a data
breach, should such a comprehensive data security and breach
notification law require companies subject to a breach to
provide free credit monitoring services to the affected
consumers for a time certain? Yes or no?
Ms. Ramirez. Yes, with limited exceptions.
Mr. Dingell. Do you have authority to do that now?
Ms. Ramirez. No.
Mr. Dingell. Do you need it?
Ms. Ramirez. I think it would be appropriate to, again, to
impose it as a requirement with limited exceptions.
Mr. Dingell. Madam Chairman, I note that--well, let's ask
this question: Should violation of such law be treated as a
violation of a Federal Trade Commission rule promulgated under
the Federal Trade Commission Act? Yes or no?
Ms. Ramirez. Yes.
Mr. Dingell. Madam Chairman, would you please submit some
additional comments on that point to the record?
Ms. Ramirez. Absolutely.
Mr. Dingell. Now, Madam Chairman, should such a law be
enforceable by state attorneys general? Yes or no?
Ms. Ramirez. Yes.
Mr. Dingell. Madam Chairman, should such a law preempt
existing State data security, and breach notification laws? Yes
or no?
Ms. Ramirez. If the standards are robust enough, yes.
Mr. Dingell. Would you submit some additional information
to us on that point, please?
Ms. Ramirez. Yes.
Mr. Dingell. Madam Chairman, given advances in criminal
ingenuity which seems to be moving forward almost with the
speed of light, as potential in the future, should any
statutory definition of the term ``personal information''
included in a comprehensive Federal data security and breach
notification law be sufficiently broad so as to protect
consumers best? Yes or no?
Ms. Ramirez. Yes.
Mr. Dingell. Thank you, Madam Chairman.
Mr. Chairman, I want to thank you for your kindness to me
this morning. I urge the committee to work with the Federal
Trade Commission to draft and pass a comprehensive Federal data
security and breach notification legislation. I believe that
this should be done in a bipartisan fashion, and I think that
the Democrats and the Republicans can work together for this
purpose.
Meanwhile, I would note such legislation is not a panacea
for data theft, and hopefully, it will serve to reduce it and
better protect consumers.
I again, I thank you, Mr. Chairman, for your courtesy to
me, and I appreciate the holding of this hearing.
Madam Chairman, thank you for your courtesy.
Mr. Terry. Well done, and actually entertaining. So thank
you, Mr. Dingell.
Ms. Blackburn, you are now recognized for 5 minutes.
Mrs. Blackburn. Thank you, Mr. Chairman. I appreciate that,
and thank you all again.
Ms. Ramirez, I think I want to start with you for a minute.
You said in your testimony: ``Never has the need for
legislation been greater.''
And so taking that statement, it could mean that the
companies who suffered the breaches did not use reasonable
measures to protect consumer data. So, if that is your
statement then, is the FTC involved in the forensic
investigation regarding the Target, Neiman Marcus, Adobe, the
hotel chains, all of these breaches?
Ms. Ramirez. I am afraid that I can't discuss any
particular companies or discuss whether the FTC is involved in
any particular investigations, but let me explain what I meant
by that statement. I meant it as a general statement reflecting
what we are seeing in the marketplace, and that is that
companies continue to make very basic mistakes when it comes to
data security. And our role at the FTC is to protect consumers
and ensure that companies take reasonable and appropriate
measures to protect consumer information.
Mrs. Blackburn. OK, then let me stop you right there. So
you are saying that not due to this group, but because of
general, so you are basically reworking your testimony with me
on this? It is not that these specific breaches show that there
has never been a greater need. So you may want to submit a
little bit of clarification there.
Ms. Ramirez. I can answer right now if you wish.
Mrs. Blackburn. Well no, I want to move on. I have got 3
minutes and 14 seconds and about 5 pages of questions. So
submit it.
I also would like you to talk about or to submit to us what
is the reasonable standard? You have referenced it several
different times, but I have not seen a reasonableness standard
in writing, so what are you referencing?
Ms. Ramirez. We take a process-based approach to this
question. Technology is changing very rapidly. The threats that
companies face are also evolving very rapidly, so we think that
the appropriate way to proceed in this situation is to focus on
whether companies are looking very closely at the threats to
which their businesses are exposed, and whether they are
setting reasonable program security programs putting those in
place.
Mrs. Blackburn. OK, why don't we----
Ms. Ramirez. If I may, it is a very fact-specific inquiry--
--
Mrs. Blackburn. OK.
Ms. Ramirez [continuing]. And I think a reasonableness
standard is appropriate.
Mrs. Blackburn. I can appreciate that, but I think to use
that term repeatedly, what we need to know is what your
definition of reasonableness would be.
Mr. Zelvin, let me come to you. You know, we hear the
chairman say, well, you are not doing this, you are not doing
that. How quickly do the cybercriminals message evolve? You
have looked at this for a very long time. So and you sent out
updates, you know, daily, weekly, monthly, so how quickly is
the evolution of this process?
Mr. Zelvin. Congresswoman, the evolution is incredibly fast
and we are learning with each incident the complexity.
Mrs. Blackburn. OK.
Mr. Zelvin. So they are moving very quickly. They are very
sophisticated and we are in a chase to keep up with them.
Mrs. Blackburn. OK, Ms. Ramirez, back to you. Another
thing, you testified that in a number of the 50 data security
cases settled by the FTC, the companies simply and I am quoting
you, ``Failed to employee available cost-effective security
measures to minimize or to reduce the data risk.''
So I want you to give us some examples of the kind of
measures that the companies failed to use, because you hear
from Mr. Zelvin how quickly this evolution is taking place, and
the need for flexibility and nimbleness, and then we hear you
saying, but you have got to have a standard. And you have got
to do this. And we have taken these efforts in the 50 cases we
have settled. So for those of us that are looking at what
legislation would look like, we have to realize that it has got
to be nimble. You are saying you want something, but then you
are not giving us specifics or examples of what you think
people have failed to do. So I hope you are understanding, we
have got a little bit of a gap here. Go ahead.
Ms. Ramirez. So let me just say that I think the approach
that the FTC recommends for legislation is one of
reasonableness. We think that that is an appropriately flexible
standard that will allow for nimble action. And to give you an
example, as I mentioned in our experience, companies continue
to make very simple mistakes when it comes to data security. We
also have data that corroborates that and that includes the
Verizon data breach report that Mr. Noonan referenced in his
opening remarks.
So just to give you a few examples, this can span low-tech,
and high-tech mistakes but they could include the failure to
use strong passwords, the failure to encrypt personal
information, the failure to update security patches, so it is
these very basic mistakes that we encounter frequently.
Mrs. Blackburn. So it is consumer and not company failures?
Ms. Ramirez. No, this would be, I'm referring to company
failures.
Mrs. Blackburn. You are referring to company failures. OK,
thank you.
I yield back.
Mr. Terry. All right, thank you. And I now recognize the
gentleman from Vermont for his 5 minutes.
Mr. Welch. Thank you, Mr. Chairman.
The technology that we use is not the best, is that
correct, Chairwoman Ramirez? I mean, as I understand it, the
chip-and-PIN technology is what is now being used in Europe,
and it has better success in preventing fraud; is that right?
Ms. Ramirez. We don't recommend any particular technology.
We think that any legislation ought to be technology neutral.
That being said, we certainly would support any steps that are
taken at the payment card system end to protect or better
protect consumer information.
Mr. Welch. Well, are we still by and large using 1970s-era
magnetic stripe technology, General Madigan, is that your
understanding?
Ms. Madigan. Yes, that is accurate and so that puts us
behind virtually every other country in the world in terms of
the security of our payment systems.
Mr. Welch. All right. So then there is an ability on the
part of the card issuers to upgrade the technology to meet
basically standards that are being employed in Europe; is that
correct?
Ms. Madigan. That is correct. And when you look at the
amount of fraud losses that these other countries where the
chip-and-PIN technology is used, you can see that their levels
of fraud have decreased significantly, around 50 percent. So
chip-and-PIN technology won't completely eliminate fraud and
breaches, but it should significantly curb the amount that we
currently see.
Mr. Welch. That is good. And what I understand now is VISA
and MasterCard have announced a roadmap to chip-and-PIN
technology for U.S. payment cards. Do you think it would be
problematic if VISA and MasterCard decided to abandon the PIN
feature on chip cards given that PINs enhance security?
Ms. Madigan. I think it makes sense to use PINs, and when
there are problems people can obviously change their PINs as
they change passwords.
Mr. Welch. Mr. Noonan, how about you? I mean you have
frontline responsibility for trying to maintain the integrity
of the system and, obviously, it is extraordinarily important
to our merchants, to our banks, and to our consumers.
Mr. Noonan. Yes, sir, right now currently----
Mr. Terry. Would you pull the mike a little closer?
Mr. Noonan. Sure. Currently the Secret Service doesn't have
a metric in which to measure chip and PIN, obviously, here in
the United States it is not readily used. But however, the
Secret Service does support any sort of technology which would
assist in the security of that particular data.
Mr. Welch. But it is your understanding the same as General
Madigan's that technology, the chip-and-PIN technology that is
widely deployed in Europe has been much more successful in
reducing fraud?
Mr. Noonan. It could give another level of security which
again makes it more difficult for the criminals to get at that
data. I am not saying, again, that chin and PIN is the
solution. Of course, there is not 100 percent solution,
technological solution for the problem.
Mr. Welch. Right, but what it is is a better technology
than the 1970s-era magnetic swipe card, correct?
Mr. Noonan. Sure, it is. The magnetic stripe card is a 30-
year technology, sir.
Mr. Welch. Right. Mr. Zelvin, how about you?
Mr. Zelvin. Congressman, I agree with Mr. Noonan and the
other panelists, but there are other challenges as well.
Mr. Welch. Right.
Mr. Zelvin. Now you are using your phones now for payments.
You are using your computer, your laptop for payments. But
having that extra security on the card itself would be very
helpful, but we have to look at other things as well.
Mr. Welch. All right. I will go back to you, Chairwoman
Ramirez. There seems to be some consensus it would be good to
have a standard, but we can't pick winners and losers on
technology. So what would be sort of a concrete step that
Congress would take that would be practical and effective in
improving the status quo?
Ms. Ramirez. So number one, I think that just the Congress
taking action alone would be a very important statement. But
what we advocate is that a reasonableness standard be employed
along the lines of what the FTC has in place with the
Safeguards Rule. And I would be happy to work with the
committee on these issues, and my staff is available to do
that.
Mr. Welch. So it sounds like we can't, as a legislative
body, prescribe what the best technology is. We have got to let
industry figure that out and at least set a higher standard,
but on the other hand, you need some flexibility if steps are
being taken, or not taken that would enhance security----
Ms. Ramirez. Absolutely.
Mr. Welch [continuing]. For consumers and merchants?
Ms. Ramirez. Yes. I think flexibility is important and that
is one of the reasons that we are requesting that the FTC have
rulemaking authority in order to implement the legislation that
would allow the agency to take into account an evolution and
changes when it comes to technology.
Mr. Welch. And would this be helpful in the privacy
breaches as well? I mean, thieves are going in to get monetary
value, but they are ending up also with Social Security
numbers, personal information, things that can be used in
identity theft. So the better security, would it not only help
with the economic loss, but the identity theft assault? General
Madigan, I will ask you.
Ms. Madigan. Absolutely, so obviously, what we see is when
people's personal information is taken, it is frequently used
to commit identity theft. But it can certainly be used, not
just financial identity theft, but there are many other types
of----
Mr. Welch. Right.
Ms. Madigan [continuing]. Identity theft that take place.
Mr. Welch. I see my time is up.
I just want to thank this panel. Mr. Chairman, this is a
great panel. Thank you for assembling it.
Mr. Terry. Yes. Thank you.
And I now recognize the gentleman from New Jersey, Mr.
Lance, the vice chair.
Mr. Lance. Thank you, Mr. Chairman.
Mr. Zelvin, a recent Wall Street Journal article reported
that the software virus injected into Target's payment card
devices couldn't be detected by any known antivirus software;
is that accurate?
Mr. Zelvin. It is, sir.
Mr. Lance. And could you elaborate on that?
Mr. Zelvin. Certainly. Most of our detection systems use
signatures based, so there are known problems and there is a
technical formula we put into a machine that says, hey, you
told me to look for this. I found it. In some cases there are
intrusion prevention systems that prevent that malicious event
from getting to the endpoint. In this case, it looks like the
criminals modified it, what was a standard attack for point of
sale and modified it in such a way that it is undetectable.
Mr. Lance. Thank you very much.
Mr. Noonan, you stated that ``The Secret Service has
observed a marked increase in the quality, the quantity, and
the complexity of cyber crimes targeting private industry and
critical infrastructure over the decade-long trend of major
criminal data breaches.''
Can you give us some examples of how these criminals and
their tactics have evolved, and I presume these criminals are
not necessarily residents or citizens of the United States?
Mr. Noonan. Yes, sir. So we are talking about a network of
transnational cybercriminals.
You know, over time we can look back at the data breaches
at T.J. Maxx, we can look at Dave And Busters and the ones that
happened back around the era of 2006. And back during that
time, the cybercriminal was attacking databases, and
unencrypted data.
Mr. Lance. Yes.
Mr. Noonan. Which is credit card payments.
Mr. Lance. Yes.
Mr. Noonan. That got changed, it morphed in 2007, where the
focus ended up going towards credit card processing companies
where they were looking at ways to get into the same type of
data. But they were looking at credit card data as a pass
through credit card processors when it was unencrypted at that
time.
So encryption modification has been made now through that
system and you know information is now encrypted as it goes in
these systems. Today we have seen the change now, they are
looking at where the fence is and how to get around that fence.
So where they are attacking now is at the point of sale piece,
where from the point-of-sale terminal to back of the house
server, if you will, that piece of string has not been
encrypted.
Mr. Lance. Thank you.
Mr. Noonan. So it is happening at that point.
Mr. Lance. Thank you very much.
Mr. Noonan. Sure.
Madam Chairwoman, you answered Chairman Emeritus Dingell's
questions regarding preemption. I didn't understand your
answers; my fault, not your fault. Would you explain in a
little more detail your views on preemption, and I come at this
having been the minority leader in the New Jersey State Senate
and I certainly believe in a robust democracy with protections
both here in Washington and at State capitals, and if you could
just elaborate briefly on the preemption issue.
Ms. Ramirez. Yes, I believe that preemption is appropriate,
but provided that the standard that is set is sufficiently
strong, and also provided that the States have concurrent
ability to enforce.
Mr. Lance. Concurrent ability. So this----
Ms. Ramirez. Yes.
Mr. Lance [continuing]. Would not mean that the States
would not have a significant responsibility in this very
complicated and difficult issue?
Ms. Ramirez. The States do tremendous work in this area and
I think it is vital to have them with jurisdiction to enforce
the law.
Mr. Lance. Thank you.
Attorney General Madigan, it is a pleasure to meet you, and
although I do not know you, the New Yorker Magazine has come
into our house forever, and your husband is a brilliant
cartoonist, and certainly my wife and I enjoy his fine work.
Could you comment on the preemption issue?
Ms. Madigan. Obviously----
Mr. Terry. And could you move your microphone a little
closer?
Ms. Madigan. Sure.
In terms of preemption, I would concur with what the
chairwoman has said. As long as the Federal legislation has
strong enough standards and States still retain the ability to
enforce, as we do in a number of areas already, we understand
that it is potentially reasonable to say, OK, we are going to
preempt you in a certain manner.
And in fact, back in 2005 Congress received a letter from
the National Association of Attorneys General requesting
notification laws be put in place at the National level. And so
as long as we still retain the ability to respond to our
consumers, and this is looked at in some ways potentially
either as a floor, and not a ceiling, we understand your role.
Mr. Lance. Thank you very much.
Let me say, Mr. Chairman, that I believe that this
committee will, in a bipartisan capacity, work on this issue,
work to conclusion, and this is the committee in the Congress
that deals on these important, nonpartisan, or bipartisan
issues, and I have every confidence that we will meet the
challenge working with the distinguished panel, working with
the next panel, and I look forward to being involved to the
greatest extent possible.
Thank you, Mr. Chairman.
Mr. Terry. Thank you.
And I now recognize the gentleman from Kentucky, Mr.
Guthrie for 5 minutes.
Mr. Guthrie. Thank you, Mr. Chairman, and I want to thank
everybody for coming today. I have a business background, and I
know that anytime you have an issue with your customers it
takes a long time to build trust back up again.
So I know the incentives are for businesses to protect
their data as much as they can, but at the same time, I worked
in a retail store when I was in high school. My grandfather had
a grocery store and we had nowhere the data that you have to
deal with now. Everybody has to deal with data. So we need the
right incentives and the right things in place to make sure
that is protected. I want to talk to Agent Noonan.
You testified that it is really the victim company that
that first discovers the criminal's unauthorized access, and
why is that? Are they not paying attention?
Mr. Noonan. No, sir. For law enforcement and for the Secret
Service it is a result of a proactive approach to our law
enforcement. While we are out working with sources, we are
gathering information. We are working with our private-sector
partners specifically in the financial services sector, where
we are receiving data, and when we are receiving that data, a
lot of times what can occur is we can see a point of
compromise, a common point of compromise, whereas the retailer
might not necessarily see compromised data that is out in the
world.
And by looking at that data, we can go to that victim
company, make notification to that company, and advise them
that they have a leak. Now, it doesn't necessarily mean it is
that company. It can potentially be that company's credit card
processing company. It could be their bank, it could be a host
of other systems that are hooked into the main company. But it
is a point for us to us go to that potential victim and say
please look at your data, and see if you have a problem.
Mr. Guthrie. That was my question, I guess. So who
typically notices the breach first? Is it typically law
enforcement who is monitoring this and they see these
transactions, or is it all of a sudden one day a retailer
starts getting calls from a lot of their credit card companies
from a lot of their customers saying hey, I have got these
charges. The charges aren't mine, the charges aren't mine, the
charges aren't mine. And then it finally figures out what is in
common with these people and they went to a certain store? I
mean, is that, do you usually find it as it is going through
your monitoring or it is people reporting that they have
something done to them and you find the commonality or both.
Mr. Noonan. So to answer your question, both.
Mr. Guthrie. Typical, I guess. Both.
Mr. Noonan. I don't think that there is a typical, if you
will.
Mr. Guthrie. All right.
Mr. Noonan. But we do work closely with the banking
community, and as banking investigators look at those anomalies
and find those anomalies, obviously, they are getting calls
from their consumers and saying that there is a problem. They
will notice an anomaly, as well as we are targeting different
criminals, and in targeting those different criminals we have
different sources and we are able to some different things that
are happening in the criminal underground. And that is another
effective tool that we have at our disposal to be proactive in,
sometimes it is notification.
But you have got to realize, in law enforcement under that
approach, sometimes we are stopping the occurrence from
actually occurring, too. So we might go to a victim, a
potential victim company to allow them to know that they have
been compromised and in doing so, we stop the company from
losing a single dollar.
Mr. Guthrie. Yes the----
Mr. Noonan. As a result of a proactive approach, that is a
very successful method in which law enforcement is a tool for
consumers. They are out there out in front looking for that
type of behavior.
Mr. Guthrie. We certainly appreciate that effort. And Mr.
Zelvin, you mentioned the NCCIC's mitigation capabilities were
leveraged to coordinate efforts to secure assistance against
these attacks. Does the NCCIC provide technical recommendations
on how to secure systems?
Mr. Zelvin. We do, sir. And it is probably the most
important part of what we do. So it is not necessarily about
finding the fires and putting them out, but preventing them
from happening to begin with. So, and I think this is another
great example on the point of sale systems. Obviously, these
companies had to compromise. Our responsibility is to assist
them, but also to let the broader community know what they need
to go look for so they can go see if it is on their systems,
take it off, and then prevent it from hopefully happening to
them as well.
Mr. Guthrie. And also you described a product that you
recently disseminated to the industry that contains detailed
technical analysis, the mitigation recommendations regarding
the recent point of sale tax. Can you generally describe what
you mean by mitigation recommendations and tell us who develops
those recommendations?
Mr. Zelvin. Certainly, sir.
We work with a cross-section across the Nation with the
financial services sector, with technical experts from the
manage security services. And so we canvas the Nation as a
whole. And then we put out recommendations. In some cases it is
as simple as changing your passwords, but there is also
patching your systems. And I think the other panel is going to
talk about that.
If you just do some of the routine hygiene of cyberspace
you are in a far better place. A couple of things, are you
using fire walls and antivirus, restricting your Internet
access, and disabling remote access. Some of these things are
common sense. Some of the things are new as we discover, but
regardless, we want to get out as much information as we can to
help people defend their networks.
Mr. Guthrie. Yes, you even see a place where I buy gas
quite often has a little, like of strip of tape that says, if
this seal is broken, please notify us to keep people from,
where you do the pay at the pump.
And in your testimony, I guess the one thing I just want to
point out, and just to let you, I have got about, well, I am
about out of time. But you say: ``No country, industry,
community or individual is immune to the threat.''
Mr. Terry. Five seconds.
Mr. Guthrie. So everybody has to be vigilant continuously
because nobody is impervious to cyberthreats, right?
Mr. Zelvin. That would be correct, sir. And I would be
happy as elaborate later as needed.
Mr. Guthrie. I am sorry, I just ran out of time.
Mr. Terry. All right. The gentleman's time is expired.
The chair recognizes the gentleman from Texas, Mr. Olson,
for 5 minutes.
Mr. Olson. I thank the chair, and welcome to our witnesses.
If you review the testimony of this panel and the second
panel, and combine that information with my career as a naval
officer, we are engaged in combat here. It is warfare. In
combat, the first thing you do is get the lay of the
battlefield. A witness on the second panel names four separate
phases of an attack: Infiltration, access to data, propagation,
moving around by and as how you want, aggregation for the big
package, and then exfiltration, get it out to the black market.
All four steps have to happen, obviously, for a breach to
occur. It seems like we force the public sector to focus on
exfiltration, the last step; the private sector, at
infiltration the first step.
And obviously, if we get to exfiltration we are closing the
barn door after the cows have gotten out. Not an effective way
to fight this battle.
So my question is first to you, Mr. Zelvin. How can your
part of the public sector, the NCCIC, help with all four phases
of an attack, not just exfiltration. It seems like you have
done some outstanding work with that.
Mr. Zelvin. Yes, thank you, Congressman.
Where I tried to focus our efforts at the NCCIC and my
staff is just getting at that very first phase of the
adversaries' actions. We do not want to be the responders. We
want to be the prevention mechanisms and protection and
mitigation. So unfortunately, a lot of times where we discover
challenges is after they have already happened. So what we are
hoping to do is just learn from the bad experiences of one or a
few to hopefully protect the many.
I would like to highlight that our Industrial Control
System CERT, and we are doing more of this with the US-CERT. We
are actually doing experimentation to see if we can crack into
some boxes, see the vulnerabilities. And we work with the
private sector very closely to see where the vulnerabilities
are, and then close those doors as quickly as we find them.
Mr. Olson. Thank you. Mr. Noonan, you as well, sir. You are
law enforcement so you are probably, that is your nature. Right
at the end of the line there when those events happen. You
mention that just by having something out there you can delay
some future damages. So is that what you are limited to, or is
there something else you can do to attack the other phases?
Mr. Noonan. So in our investigations, we are pulling
evidence out of the crimes that have happened, too, in a
reactive approach. But the proactive approach, the former
proactive approach to that is we are information sharing. So as
we are seeing different tactics, different trends that are
happening in these intrusions, we are taking that information
and we are sharing that with our partners at the 33 electronic
crimes task forces that the Secret Service has set up around
the country and internationally, as well as we are taking in
information and we are pushing it to Mr. Zelvin's group at the
NCCIC. And that information is being pushed out to the sector.
So by observing the evidence and sharing what we are finding in
these different intrusions, we are better protecting the bigger
infrastructure, if you will.
Mr. Olson. General Madigan, any comments, ma'am, in law
enforcement for Illinois?
Ms. Madigan. Well, one of the things I would say in terms
of the last two responses is from our perspective there is an
enormous amount of work that also needs to be done to educate
the public as to how to protect themselves, and so many people
have adopted technology so quickly, they are not necessarily
putting in place the safeguards and monitoring their accounts,
and putting in place transaction alerts so that when these
types of breaches occur they can minimize the damage that they
have to their finances.
Mr. Olson. And finally Ms. Ramirez, any comments, Ma'am
on----
Ms. Ramirez. I will just say that I agree with Attorney
General Madigan. This issue is a complex one that requires a
multifaceted solution and that includes, again, companies
taking appropriate and reasonable measures to protect
information, and also of course, consumers also being educated
about how what they can do to protect information.
The main point and why I believe that action is really
needed today, is that these breaches remind us of how important
it is, how important this issue is, and given the amount of
personal information that is being collected from consumers and
used and retained, this is truly critically important.
Mr. Olson. Thank you.
One final question for you, General Madigan. A legal
question, I am curious. I went to law school at the University
of Texas, passed the bar, never practiced, but I am concerned
and wonder, why did you announce publicly the investigation of
Target, but not Neiman Marcus. Any reason why that----
Ms. Madigan. We announced both of them.
Mr. Olson. Both, OK. I thought you just announced Target,
so thanks for the clarification.
I yield back.
Mr. Terry. Thank you.
The chair now recognizes the gentleman from Kansas, Mr.
Pompeo, for 5 minutes.
Mr. Pompeo. Thank you, Mr. Chairman. I am not quite as
sanguine that we are in a place where we are quite ready to
move down this path. I am glad we are having this hearing, but
we often, when the New York Times gets wound up we in Congress
sometimes react in ways that I think are inappropriate to the
true challenge. And I want to talk about that for just a
second.
Ms. Ramirez, typically we regulate when there is a market
failure. That is the reason the Federal Government would come
in and regulate in this space is because we don't think that
private actions can respond to a particular concern or threat
in an appropriate way. I can understand the potential
justification for notification because sometimes someone might
not know that their material had been stolen, so I can
understand a potential justification for regulating with
respect to notification.
Why is it the case that consumers can't figure out that if
they are not happy with Target or Neiman Marcus, or whomever it
is allowed their data to be stolen, that they wouldn't migrate
somewhere else? Why is it the consumers won't analyze the risk
of their data being stolen and respond appropriately without
the Federal Government stepping into try and regulate?
Ms. Ramirez. I don't believe that the burden should be
placed on consumers when it comes to this issue.
Mr. Pompeo. Why is that, Ms. Ramirez? We do that in so many
other places. If you think your material is going to be stolen
from your home, you can buy a home security system. We have
lots of places where there are risks to our private property,
and we allow consumers to step in and decide if they want to
pay $60 a month, $200 a month, or $1,000 a month for their own
security.
Ms. Ramirez. I think consumers do have a role to play here,
as I mentioned earlier. I think there are steps that consumers
can take to be vigilant in this area, but I believe the role of
the FTC is to protect consumers. And when you look back at the
data that is available and that is out there, and it is also
consistent with our experience, let me cite specifically the
Verizon data breach report. They have an annual report that
studies what is happening in the area of data security, and
that information tells us that companies continue to make very
fundamental mistakes when it comes to data security. They are
not taking the reasonable and necessary steps that they need to
in order to protect the consumer information that they collect,
use, and retain.
Mr. Pompeo. I appreciate that, and that report is there,
and consumers might choose not to pick Verizon as a direct
result of that. I think we ought to make sure we appreciate
that.
Attorney General Madigan, do you have data that tells you
when folks call in, how much they are prepared to pay for
protection? That is, if they call and say, my data was stolen.
Do you know how much they are prepared to pay per incident?
Will they only bay $0.50 or $5 million to protect their data?
Do you have an analysis of what----
Ms. Madigan. We don't and we----
Mr. Pompeo. Because you said consumers are panic and
angered.
Ms. Madigan. Right.
Mr. Pompeo. I would presume that they are prepared to take
some of their hard-earned money to protect themselves. Do you
have data with respect to that?
Ms. Madigan. I can tell you that we have had $26 million
worth of fraudulent charges removed from Illinois residents'
accounts. And I can tell you based on the 34,224 people we have
had to work through to do that with, on average, these
individuals have lost or at least not lost, but had $762 in
fraudulent account amounts removed.
So I haven't asked them how much they would like to pay for
security. They feel as if they are having to actually pay the
price simply for engaging in everyday activity whether it is
commercial activity, or interacting with the government, or
being provided with medical services.
Mr. Pompeo. Do you think if we head down the path that you
are proposing that they ultimately won't pay for that, that
these costs won't be borne by consumers ultimately?
Ms. Madigan. I know that costs are going to be borne by
consumers, absolutely.
Mr. Pompeo. So might it not at be least an idea we should
consider to have them pay for that directly so they can see
those costs, and they respond appropriately, as opposed to
having them removed from their bills, or have the Federal
Government mask that real cost to them so they don't really
know the risk that they are presenting by particular use of
their own data?
Ms. Madigan. I am not exactly sure the scheme you are
trying to propose here, but you are correct in the sense that
if we are going to update, for instance, credit card technology
to adopt chips-and-PINs, obviously, consumers are going to pay
an increased cost. Retailers, they are going to pay in terms of
increased costs and fees at their banking institutions. So
consumers will pay and hopefully we will be able to improve our
security.
Mr. Pompeo. Thirty seconds. I am going to try two yes or no
questions. Do you think that there should be private rights of
actions associated with these rules as well?
Ms. Madigan. At this point we have been able to handle
these at the State level.
Mr. Pompeo. Great. And then you made a statement. You said,
in fact I will quote, ``Nearly ever other country in the world
is ahead of us.''
Surely, you don't mean Niger.
Ms. Madigan. There may be several African countries that--
--
Mr. Pompeo. I just came back from Europe and I will tell
you, they think our system is pretty good here, too. They are
very comfortable doing business across Asia, Europe, and North
America. And so I actually think our system may not be as dire
a situation as has been suggested this morning.
I yield back.
Mr. Terry. Thank you.
I now recognize the gentleman from Ohio, Mr. Johnson for 5
minutes.
Mr. Johnson. Thank you, Mr. Chairman, and I, again, want to
thank you folks for being here today.
I am very concerned about the increase and the
sophistication of the cyberattacks. And just to kind of get
your opinion on it, Mr. Noonan, how does the increasing level
of collaboration among cybercriminals that you referenced
increase the potential harm to companies and consumers?
Mr. Noonan. So the increasing collaboration between
cybercriminals just increases their capabilities, so when we
say that there is collaboration between these groups, these are
loosely-affiliated organized criminal groups that are doing
this. I have used the analogy of Oceans 11, of what this group
and what this network does.
So they have groups that will do infiltration into the
system to gain access. They have other people that will design
malware. They have people that go and map the different network
to figure out exactly how to get through the networks. There is
exfiltration of data that occurs in these situations as well,
and there is monetization so that data that is stolen has to be
sold. And then, of course there is money laundering, the
movement of money. So when you bring together a coordinated
group of sophisticated criminals, it does, it is a, you know,
they will find the edge of the fence and perpetrate our system.
Mr. Johnson. Now, once we identify who these folks are that
are perpetrating these attacks, well, first of all, are they
State side, or are they overseas for the most part?
Mr. Noonan. The majority of the criminals that we are
looking at are transnational criminals.
Mr. Johnson. OK, so outside of the United States.
Mr. Noonan. Yes, sir.
Mr. Johnson. OK. To what degree do we have the authority to
go after those folks when we identify them?
Mr. Noonan. Sure.
Mr. Johnson. And do you know of any ongoing actions to shut
them down?
Mr. Noonan. Sure. The Secret Service actually has a unique
history of success in this area. We have brought many of these
different perpetrators to justice. I mean, we go back and talk
about the TJX investigation as well as many others. But in the
TJX investigation, we were successful. We arrested domestically
in this case, Albert Gonzales. He is sentenced to 20 years in
prison here in the United States.
We, also in the summer of 2012, we arrested Dimitri
Salience and Vladimir Drinkman, responsible also in that
investigation over in the Netherlands. We were able to bring to
justice Aleksandr Suvorov in the Dave And Busters case where he
was sentenced to 7 years in prison here domestically. We also
were able to pick up three different Romanian hackers that were
responsible for the Subway sandwich shop intrusions that
occurred in 2008, and we have brought them to justice, where
the main leader was sentenced to 15 years in prison.
We have a rich history of being able to effectively
identify who these targets are, have them arrested, and work
with our international partners. We have a host of
international offices, and international working groups, and I
think it comes back to the relationships that we build
internationally that are assisting us in bringing these
different actors to justice.
Mr. Johnson. Well, obviously, most developed nations that
have a high degree of sophistication within their networks,
they are vulnerable to these things as well. So how robust are
our agreements with other nations to go after the criminals
that might reside in their countries?
Mr. Noonan. Absolutely, sir, we do. We have many different
agreements with numerous other countries over in Europe, and we
have been working successfully in partnering with those. We
worked very closely with the British, with the National Crime
Agency, in the Netherlands with the Dutch High Tech Crime Unit.
In German we the BKA. We have working groups in the Ukraine, as
well as an office that we established not too long ago in
Estonia. So it is through that host of relationships, and in
the laws that we are enforcing with them, that we are able to
gather some success in those areas.
Mr. Johnson. Good. Mr. Zelvin, you testified that no
country, industry, community, or individual is immune to threat
of a cyberattack. Does this mean, in your opinion, that you
believe no one can be impervious to cyberattacks?
Mr. Zelvin. Sir, I think it is one of those challenges that
it is like trying to prevent automobile deaths. You can do a
lot of things, but ultimately unfortunately, people may still
pass. I think there is a lot more we can do and should do, but
ultimately, I believe there will be vulnerabilities that
unfortunately will be exploited by very sophisticated actors.
Mr. Terry. Thank you, Mr. Johnson.
At this time I recognize the gentleman from Mississippi,
Mr. Harper for 5 minutes.
Mr. Harper. Thank you, Mr. Chairman, and thank each of you
for being here.
And if I may start with you Agent Noonan, I know this is
obviously ongoing investigations here, but do you have an early
indication, without revealing anything you shouldn't as to how
you think this might have been prevented?
Mr. Noonan. Again, I don't think it comes back to how it
could have been potentially prevented. I think what the
important part here is that we know that this is a
sophisticated criminal group. The different companies, they had
a plan, I think is the important takeaway here. The response
plan is something that every company should also think of. We
shouldn't think of if this is going to happen.
We should potentially think when this potentially may
happen to them. So a response plan is one in which you
incorporate law enforcement into your response plan. And it
brought back the information sharing piece. If you don't
incorporate law enforcement in your plan to help you find and
mitigate the problem, and then share that information with the
whole of government, with the infrastructure to better protect
other infrastructure, that is not necessarily a good plan.
We obviously would like to see companies have robust
forensic companies assigned to them so that when an intrusion
does happen, they are able to go in and effectively quickly
mitigate it so that there is no longer any bleeding that were
to occur.
Additionally, counsel is important for them to have, and
then also a plan for notification to victims. Again, those are
the important takeaways that we see in this case.
Mr. Harper. And are you satisfied in these cases that the
response has been satisfactory?
Mr. Noonan. Yes, sir.
Mr. Harper. OK, thank you.
Mr. Noonan. Thank you.
Mr. Harper. Chairwoman Ramirez, if I may ask you a few
questions.
Is there overlap between FTC's Safeguards Rule, and the PCI
data security standards and do the PCI standards incorporate
provisions of the Safeguards Rule, or do they go beyond the
Safeguards Rule. Can you shed a little light on that?
Ms. Ramirez. Sure. I am happy to speak to this. The way the
FTC approaches its data security enforcement work is that we,
again, we impose a reasonableness standard so we don't mandate
or prescribe any specific standard or technology, but we think
that as a matter of course, a company should of course, look to
relevant industry standards, best practices in evaluating what
measures they should have in place.
Mr. Harper. OK, would the PCI data security standards meet
the reasonable standards for purposes of Section 5 of the FTC
act?
Ms. Ramirez. Every case that we look at is really a fact-
specific one, so I really can't comment on hypotheticals. But
what I can tell you is that a company should of course be
looking to industry standards. They can be very valuable, and
that would be certainly one factor that we would examine in
looking at any matter.
Mr. Harper. You know, you make the point that the mere fact
that breaches occur does not mean a company violated the law,
and the companies need not have perfect security. Yet, we have
been told that it is unlikely any company subject to the PCI
standards that suffers a breach would be found to be 100
percent compliant at the time of the breach. While the PCI
standards provide an admirable and needed push to keep
companies vigilant, would there be problems of making that a
Federal Standard enforceable by the FTC if it is setting up
businesses to fail because it is often possible to find some
violation of the standards?
Ms. Ramirez. Again, we are going to be looking at each
situation, in a fact-specific way. We certainly understand that
there is no perfect solution. Security will not be perfect. We
have many more investigations than we do actual enforcement
cases.
Mr. Harper. How many cases has the Commission brought for
violation of Safeguards Rule?
Ms. Ramirez. Of the Safeguards Rule specifically, we have
brought approximately a dozen cases.
Mr. Harper. Has industry compliance improved over time as
the rule becomes more mature and the industry becomes more
familiar with it?
Ms. Ramirez. Generally speaking, and I am speaking broadly,
we continue to see basic failures when it comes to data
security and the data that we have available to us suggests the
companies do need to do more in this area.
Mr. Harper. OK, I yield back.
Mr. Terry. Thank you.
At this time, we recognize the gentleman from Florida, Mr.
Bilirakis, for 5 minutes.
Mr. Bilirakis. Thank you, Mr. Chairman, I appreciate it
very much and I thank the panel for their testimony.
This is for the entire panel. Data often moves without
respect to borders, as you know. Mr. Russo notes in his
testimony that championing stronger law enforcement efforts
worldwide can improve payment data security.
Mr. Noonan, in your testimony, you mentioned successful
cooperation with law enforcement entities during investigations
into these cybercrimes. Would you, as well as Mr. Zelvin expand
on what you believe Congress can do to enhance those
international efforts going forward? Is there a role for
examination of this issue, and future trade discussions such as
the Transatlantic Trade and Investment Partnership?
Mr. Noonan. I would recommend the continued support for our
efforts in our international field offices, as well as the
other working groups in which we are placing strategically
around the world. We have had a lot of great success in some of
those Eastern European countries. Within the last 2 years, we
have had some great successes. We have had an extradition of a
Romanian citizen from Romania to the United States based on the
collaboration that we have made here between Romanian
authorities and U.S. authorities.
A big part of that is the relationships that the DOJ has
also expanded in those different countries. The computer
crimes, intellectual property section, CCIPS as well as the
Office of International Affairs, have helped us in
strategically working with those different countries to bring
criminals that are affecting us here domestically to justice.
Mr. Bilirakis. Thank you.
Mr. Zelvin, you are welcome to----
Mr. Zelvin. Yes, sir.
My organization is neither a law enforcement, nor an
intelligence organization. We are purely civilian, and we have
a relationship with over 200-like CERTS around the world. So it
is really a technical-to-technical exchange.
Last week I was in Tel Aviv and in London and I will tell
you, I got to really see firsthand where our counterparts are,
and they are making extraordinary progress but in many cases we
in the United States are leading the way especially in the
Government's role in cybersecurity.
So I think a continued engagement, because as Mr. Noonan
had said, many of these threats are coming from overseas. Many
come from within our own countries, but it would be far better
if we could engage with our international partners and have
them use their legal means to go after these threats, and then
also provide an ability to cooperate with us such as when we
find an intrusion in their country to get them to shut it down
if they have the legal ability.
Mr. Bilirakis. Thank you.
Anyone else like to comment on that?
Ms. Ramirez. Just briefly, if I may.
I think the international cooperation is a very important
dimension of this issue. And we engage with international
counterparts in all of the work, all of the enforcement work
that we do, and this would be among them.
Mr. Bilirakis. Thank you. Thank you very much.
The next question for Chairwoman Ramirez. I represent
Florida's 12th congressional district. While more and more
seniors are becoming technologically adept, how would you
recommend notifying seniors of a data breach in a timely manner
if they are not reachable by email?
Ms. Ramirez. I think it is an issue that I am happy to work
with you on. I think seniors are increasingly becoming more
adept at email, but of course, if email is not an option then
mail notification would be appropriate, but we are happy to
work with the committee on addressing this and other issues.
We do look and have recently held a workshop on issues
relating to senior ID theft and understand that this population
can be particularly vulnerable to these set of issues so I
think mail notification would be the, you know, one option, but
there may be other ideas and we would be happy to discuss those
with you.
Mr. Bilirakis. Yes, I would like to work with you on that.
Thank you very much.
I appreciate it and I yield back.
Mr. Terry. Thank you.
At this time the gentleman from West Virginia is recognized
for 5 minutes.
Mr. McKinley. Thank you, Mr. Chairman.
I think we are going to have to go through an awful lot of
information that is being shared here today so I want to switch
horses. I think we have got something that we can chew on for a
little bit.
So I want to switch horses a little bit to understand a
little bit about what is happening with the data security with
the Affordable Care Act, if I could. To what level so to Mr.
Noonan, Mr. Zelvin, if you could participate with this, maybe
you can help me.
In December the HHS has reported that there were 32
security incidents. Maybe you could say slash breaches have
occurred with Obamacare. Were the individuals notified? Do you
know whether or not the individuals were notified?
Mr. Zelvin. Congressman, I apologize. I am not familiar
with that. If we can take that for the record, we can get back
to you.
Mr. McKinley. If you would, please.
Mr. Noonan, do you know anything about those breach that
occurred with Obamacare?
Mr. Noonan. And the same thing with me, sir. I don't have
any knowledge of those breaches right now.
Mr. McKinley. OK. If they were given the standard that we
have imposed on the private sector, should individuals be
notified if there are breaches with Federal healthcare? Just
your opinion.
Mr. Zelvin. Yes, sir, if there are breaches they should be
reported and people should have the opportunity to know about
that, and then also take the adequate precautions.
Mr. McKinley. Mr. Noonan.
Mr. Noonan. Yes, sir, I would concur as well.
Mr. McKinley. You would agree with that.
There is also a report that came out that some of the
software that was developed for the Obamacare, was developed in
Belarus, and there are reports that there may be some concern
for malware being included in that. Where are we in that
evaluation because, obviously, the people are still signing up
and we may have something that is contaminating our system. Can
any of you share with us what is going on internationally on
this?
Mr. Zelvin. Congressman, I can tell you what I know from
last night, and from this morning things may have changed. But
the intelligence product that was on that report has been
withdrawn and is being reevaluated. I believe the White House
did a statement last night saying that there is no evidence
that there has been any Belarusian software development in the
HHS. But HHS is looking at this carefully, and verifying that.
So I believe that is where we are right now.
Mr. McKinley. It just may have been someone just----
Mr. Zelvin. Well, there is something in a report that is
being reevaluated. And so I think there is some more
investigation to be done before reaching conclusions.
Mr. McKinley. Could you get back to us then on that and let
us know whether or not there is anything. I didn't understand
why we were having any of our software developed in Belarus
anyway, so, if there is something you can share with us, I
would sure like to understand that.
Mr. Zelvin. Absolutely, Congressman. To the best of my
knowledge right now, there was no software that was developed
in Belarus.
Mr. McKinley. OK.
Mr. Zelvin. And HHS is looking at it closely.
Mr. McKinley. Thank you.
For Illinois, I can't see your name tag from here on the
thing, but ma'am, could you, has the state of Illinois ever had
a data breach?
Ms. Madigan. Yes. And in fact in our law, there is a
requirement that state agencies notify individuals when their
personal information has been compromised.
Mr. McKinley. Do you use some kind of encryption
extensively? Do you have some encryption that you use for your
data?
Ms. Madigan. Different agencies will handle it different
ways, but they are all requirements in terms of how data is
handled for state agencies.
Mr. McKinley. OK. Thank you very much.
I yield back the balance of my time.
Mr. Terry. Thank you for yielding back.
No other members are here; therefore, that ends panel
number one. I do want to follow up.
So, the talk about the criminal syndicate, there was a
story that there was an 18-year old Russian boy that developed
this in his basement, this malware; is that accurate?
Mr. Noonan. Sir, don't believe everything you see in the
media, please.
Mr. Terry. I have learned that, too.
All right. Thank you. The first panel is dismissed, and we
thank you. We may have questions submitted to you. We will have
those to you within about 14 days if there are any, and we
would appreciate about a 14-day turnaround in answers. Thank
you.
We will give a few minutes break here so we can get some
water or something, and then we will be ready for our panel,
second panel.
[Recess.]
Mr. Terry. Well, since everyone's seated, let's go.
So, I apologize. I was hopeful that that first panel would
not last this long, but it did. So thank you, and I hope that
doesn't impact your rest of the schedule for the day, but
appreciate you staying around.
So, our second panel of the day is the nongovernment panel.
We have Michael Kingston, senior vice president and chief
information officer of Neiman Marcus Group, then John Mulligan,
executive vice president and chief financial officer, Target
Brands, Incorporated, Bob Russo, general manager of PCI
Security Standards Council, and then Phillip Smith, senior vice
president for Trustwave. Thank you all for being here today.
As we did with the first panel, we will go from my left.
So, Mr. Mulligan, you will start and you will have 5 minutes.
STATEMENTS OF MICHAEL KINGSTON, SENIOR VICE PRESIDENT & CHIEF
INFORMATION OFFICER, THE NEIMAN MARCUS GROUP; JOHN J. MULLIGAN,
EXECUTIVE VICE PRESIDENT & CHIEF FINANCIAL OFFICER, TARGET
BRANDS INCORPORATED; BOB RUSSO, GENERAL MANAGER, PCI SECURITY
STANDARDS COUNCIL, LLC; AND PHILLIP J. SMITH, SENIOR VICE
PRESIDENT, TRUSTWAVE
STATEMENT OF JOHN J. MULLIGAN
Mr. Mulligan. Good morning, Chairman Terry, Ranking Member
Schakowsky, and members of the subcommittee.
My name is John Mulligan. I am executive vice president and
chief financial officer of Target. I appreciate the opportunity
to be here today to discuss important issues surrounding data
breaches and cybercrime.
As you know, Target recently experienced a data breach
resulting from a criminal attack on our systems. To begin with,
let me say how deeply sorry we are for the impact this incident
has had on our guests, your constituents.
We know this breach has shaken their confidence in Target,
and we are determined to work very hard to earn it back. At
Target, we take our responsibility to our guests very
seriously, and this attack has only strengthened our resolve.
We will learn from this incident, and as a result, we hope to
make Target and our industry more secure for consumers in the
future.
I would now like to explain the events of the breach as I
currently understand them. Please recognize that I may not be
able to provide specifics on certain matters because the
criminal and forensic investigations remain active and ongoing.
We are working closely with the Secret Service and the
Department of Justice on the investigation to help them bring
to justice the criminals who committed this wide scale attack
on Target, American business, and consumers.
On the evening of December 12th, we were notified by the
Justice Department of suspicious activity involving payment
cards used at Target stores. We immediately started an internal
investigation. On December 13th, we met with the Justice
Department and Secret Service. On December 14th, we hired an
independent team of experts to lead a thorough forensics
investigation. On December 15th, we confirmed that criminals
had infiltrated our system, had installed malware on our point
of sale network, and had potentially stolen guest payment card
data. That same day we removed the malware from virtually all
registers in our U.S. stores.
Over the next two days, we began notifying the payment
processors and card networks, preparing to notify our guests
and equipping our call centers and stores with the necessary
information and resources to address the concerns of our
guests. Our actions leading up to our public announcement on
December 19th and since have been guided by the principle of
serving all guests, and we have been moving as quickly as
possible to share accurate and actionable information with the
public.
What we know today is that the breach affected two types of
data, payment card data, which affected approximately 40
million guests and certain personal data which affected up to
70 million guests. We believe the payment card data was
accessed through malware placed on our point of sale registers.
The malware was designed to capture the payment card data that
resides on the magnetic strip prior to its inscription within
our systems.
From the outset, our response to the breach has been
focused on supporting our guests and strengthening our
security. In addition to the immediate steps I already
described, we are taking the following concrete actions.
First, we are undertaking an end-to-end forensic review of
our entire network and will make security enhancements as
appropriate.
Second, we increased fraud detection for our Target Red
Card guests. To date, we have not seen any fraud on our
proprietary credit and debit cards due to this breach, and we
have only seen a very low amount of additional fraud on our
Target Visa card.
Third, we are reissuing new Target credit and debit cards
immediately to any guest who requests one.
Fourth, we are offering 1 year of free credit monitoring
and identity theft protection to anyone who has ever shopped in
our U.S. Target stores.
Fifth, we informed our guests that they have zero liability
for any fraudulent charges on their cards arising from this
incident, and sixth, Target is accelerating our investment in
chip technology for our Target Red Cards and our stores point
of sale terminals.
For many years, Target has invested significant capital and
resources in security technology, personnel, and processes. We
had in place multiple layers of protection, including
firewalls, malware detection, intruding detection and
prevention capabilities, and data loss prevention tools, but
the unfortunate reality is that we suffered a breach. All
businesses and their customers are facing increasingly
sophisticated threats from cyber criminals. In fact, news
reports have indicated that several other companies have been
subjected to similar attacks.
To prevent this from happening again, none of us can go it
alone. We need to work together. Updating payment card
technology and strengthening protections for American consumers
is a shared responsibility and requires a collective and
coordinated response. On behalf of Target, I am committing that
we will be an active part of the solution.
Members of the subcommittee, I want to once again reiterate
how sorry we are for the impact of this incident has had on
your constituents, our guests, and how committed we are to
making it right.
Thank you for your time today.
Mr. Terry. Thank you.
[The prepared statement of Mr. Mulligan follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Kingston, you are now recognized for 5 minutes.
STATEMENT OF MICHAEL KINGSTON
Mr. Kingston. Chairman Terry, Ranking Member Schakowsky,
members of the subcommittee.
Good morning, my name is Michael Kingston, and I am the
chief information officer at Neiman Marcus Group. I want to
thank you for your invitation to appear today to share with you
our experiences regarding the recent criminal cybersecurity
incident at our company. I have submitted a longer written
statement and appreciate the opportunity to make some brief
opening remarks.
We are in the midst of an ongoing forensic investigation
that has revealed a cyber attack using very sophisticated
malware. From the moment I learned there might be compromise of
payment card information involving our company, I have
personally led the effort to ensure that we were acting
swiftly, thoroughly, and responsibly to determine whether such
a compromise had occurred, to protect our customers and the
security of our systems, and to assist law enforcement in
capturing the criminals. Because our investigation is ongoing,
I may be limited in my ability to speak definitively or with
specificity on some issues, and there may be some questions to
which I do not have the answers. Nevertheless, it is important
to us as a company to make ourselves available to you to
provide whatever information we can to assist you in your
important work.
Our company was founded 107 years ago. One of our founding
principles is based on delivering exceptional service to our
customers, in building long lasting relationships with them
that have spanned generations. We take this commitment to our
customers very seriously. It is part of who we are and what we
do daily to distinguish ourselves from other retailers. We have
never before been subjected to any sort of significant
cybersecurity intrusion, so we have been particularly disturbed
by this incident.
For our ongoing forensic investigation, we have learned
that the malware which penetrated our system was exceedingly
sophisticated, a conclusion the Secret Service has confirmed. A
recent report prepared by the Secret Service crystallized the
problem when they concluded that a specific type of malware
comparable and perhaps even less sophisticated than the one in
our case, according to our investigators, had a zero percent
detection rate by antivirus software. The malware was evidently
able to capture payment card data in realtime after a card was
swiped and had sophisticated features that made it particularly
difficult to detect, including some that were specifically
customized to evade our multi-layered security architecture
that provided strong protection of our systems and customer
data.
Because of the malware sophisticated anti-detection
devices, we did not learn that we had an actual problem in our
computer system until January 2nd, and it was not until January
6th when the malware and its outputs had been disassembled and
decrypted enough that we were able to determine that it was
able to operate in our systems. Then, disabling it to ensure it
was not still operating took until January 10th. That day we
sent our first notices to customers potentially affected and
made widely reported public statements describing what we knew
at that point about this incident.
Simply put, prior to January 2nd, despite our immediate
efforts to have two separate firms of forensic investigators
dig into our systems and attempt to find any data security
compromise, no data security compromise in our systems have
been identified.
Based on the current state of evidence and the ongoing
investigation, one, it now appears that the customer
information that was potentially exposed to the malware was
payment card information from transactions in 77 of our 85
stores between July 15th and October 30th, 2013, at different
periods of time within this date range in each store.
Two, the number of payment cards used at all stores during
this period was approximately 1.1 million. This is the maximum
number of accounts potentially exposed to the malware, although
the actual number appears to be lower since the malware was not
active every day at every store during this period.
Three, we have no identification that transactions on our
Web sites or at our restaurants were compromised. Four, PIN
data was not compromised as we do not have PIN pads and we do
not request PINs. And five, there is no indication that Social
Security numbers or other personal information were exposed in
any way.
We have also offered to any customer who shopped with us in
the last year at either Neiman Marcus Group stores or Web
sites, whether their card was exposed to the malware or not, 1
year of free credit monitoring and identity theft insurance. We
will continue to provide the excellent service to our customers
that is our hallmark, and I know that the way we responded to
the situation is consistent with that commitment.
Thank you for your invitation to testify today, and I look
forward to answering your questions.
Mr. Terry. Thank you.
[The prepared statement of Mr. Kingston follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Terry. Mr. Russo, you are recognized for 5 minutes.
STATEMENT OF BOB RUSSO
Mr. Russo. Thank you.
My name is Bob Russo, and I am the general manager of the
PCI Security----
Mr. Terry. Can you pull the microphone a little closer to
you?
Mr. Russo. Sorry. It is on now.
Mr. Terry. And a little closer.
Mr. Russo. As I said, my name is Bob Russo, and I am the
general manager of the PCI Security Standards Council, a global
industry initiative and membership organization focused on
security payment card data.
Our approach to an effective security program combines
people, process, and technology as key parts of payment card
data protection. We believe the development of standards to
protect payment card data is something the private sector, and
in particular, PCI, is uniquely qualified to do. The global
reach, expertise, flexibility of PCI make it extremely
effective.
Our community of over 1,000 of the world's businesses is
tackling data security challenges from simple issues like
password. In fact, ``password'' is still the most commonly used
password out there to really complicated issues like proper
encryption.
We understand consumers are upset when their payment card
data is put at risk, and we know the harm caused by data
breaches. The council was created to proactively protect
consumers' payment card data. Our standards represent a solid
foundation for a multi-layered security approach. We focus on
removing card data if it is no longer needed. Simply put, if
you don't need it, don't store it. And if it is needed, then
protect it and reduce incentives for criminals to steal it.
Let me tell you how we do that. The data security standard
is built on 12 principles capturing everything from physical
security to logical security. This standard is updated
regularly through feedback from our global community. In
addition, we have developed other standards that cover
software, point of sale devices, secure manufacturing of cards
and much, much more. We work on technologies like tokenization
and point-to-point encryption. Tokenization and point-to-point
inscription work in concert with PCI standards to offer
additional protections.
Another technology, EMV chip is an extremely effective
method of reducing card fraud in a face-to-face environment.
That is why the council supports its adoption in the U.S.
through organizations such as the EMV migration from, and our
standards support EMV today in other worldwide markets.
However, EMV chip is only one piece of the puzzle. To move to
EMV and to do no more would not solve this problem. Additional
controls are needed to protect the integrity of payments online
and in others' channels. These include encryption, tamper-
resistant devices, malware protection, network monitoring, and
much, much more. These are all addressed in the PCI standards.
Used together, EMV chip and PCI can provide strong
protections for payment card data, but effective security
requires more than just standards. Standards without supporting
programs are only tools and not solutions. The council's
training and certification programs have educated tens of
thousands of individuals and make it easy for businesses to
choose products that have been lab tested and certified as
secure.
Finally, we conduct global campaigns to raise awareness of
payment card security. We welcome the Committee's attention to
this critical issue. The recent compromises underscore the
importance of a multi-layered approach to payment card security
and there are clear ways in which we think the Government can
help.
For example, leading stronger law enforcement efforts
worldwide by encouraging stiff penalties for these crimes,
promoting information sharing between the public and private
sector also merits attention. The council is an active
collaborator with government. We work with NIST, with DHS, with
many government organizations. We are ready and willing to do
much more. The recent breaches underscore the complex nature of
the payment card security. A multifaceted program cannot be
solved by a single technology, standard, mandate, or
regulation. It cannot be solved by a single sector of society.
We must work together to protect the financial and privacy
interests of consumers.
Today, as this committee focuses on recent breaches, we
know that the criminals are focusing on inventing the next
attack vector. There is no time to waste. The PCI Security
Standards Council and business must continue to provide a
multi-layered security protection while Congress leads the
efforts to combat global cyber crimes that threaten us. We
thank the Committee for taking a leadership role in seeking
solutions to one of the largest security concerns of our time.
Mr. Terry. Thank you, Mr. Russo.
[The prepared statement of Mr. Russo follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Terry. Mr. Smith, you are now recognized for 5 minutes.
STATEMENT OF PHILLIP J. SMITH
Mr. Smith. Good morning, Chairman Terry, Ranking Member
Schakowsky, subcommittee members, staff, and ladies and
gentlemen.
I want to thank you for the opportunity on behalf of
Trustwave to provide witness testimony on this important issue
related to data breaches.
I am both a former special agent of the United States
Secret Service and a senior trial attorney at the Department of
Justice Terrorism and Violent Crimes section. My law
enforcement experience in this area includes investigation,
prosecution of criminal credit card fraud, access device fraud,
and counterfeiting. I left the Justice Department in 2000 to
join Trustwave, a now global information security and
compliance services and technology company. I currently serve
in Trustwave's executive team as senior vice president, and I
was general counsel for 12 years.
Businesses and government agencies hire Trustwave to help
fight cyber crime, protect their sensitive data, and reduce
risk. Trustwave has customers ranging from the world's largest
multi-national companies to small and medium-sized businesses
in 96 countries. We specialize in the following areas:
Compliance and risk management, managed and cloud-based
security services, as well as threat intelligence, ethical
hacking, security research, and we also train law enforcement
on how to investigate network intrusion and data breach cases.
Today, I would offer our observations and recommendations
related to data breach and broader information security trends.
It is important I note that as a company we do not comment or
speculate on specific data breaches, and as such, we will not
be offering testimony today related to companies involved in
the latest string of data breaches. However, I believe our
company's experience in investigating thousands of data
breaches over the past several years, our advanced security
research and intelligence coming from our large global client
footprint will be of value to you and the industry as a whole.
My submitted written testimony discusses how card data is
stolen through malware attacks, the value of the Payment Card
Industry Data Security Standard, and why businesses must go
beyond PCI for increased security and technologies and
processes that can help. While I generally have time to discuss
each topic in depth, I would like to highlight a few items.
Each year our company publishes statistics and observations
from real-world data breach investigations in our Trustwave
Global Security Report. The focus of the report is around cyber
crime, states that attacks are carried out by professional
criminals, and most of them follow logical patterns as
described by the Secret Service. The 2013 Global Security
Report highlights data our experts analyzed from more than 450
data breach, incident response investigation locations,
thousands in penetration tests, millions of Web site and web
application attacks, tens of billions events.
The report states the retail industry is the top target in
2012, making up 45 percent of our investigation. Food and
beverage industry was second, followed by the hospitality
industry. Those rankings did not change in 2013. Cardholder
data was the primary target. Mobile malware increased 400
percent in 2012. Seventy-three percent of the victims were
located in the United States. Almost all the point of sale
breach investigations involved targeted malware. SQL injection
and remote access made up 73 percent of the infiltration
methods used by criminals, took businesses an average of 210
days to detect a breach, most took more than 90 days, and 5
percent took more than 3 years. Only 24 percent detected the
intrusion themselves. Most were informed by law enforcement.
Web applications emerged the post popular attack vector, E-
commerce sites being the most targeted asset. Weak passwords
with ``Password1'' being the most common password of choice.
I am running short on time, and refer to my written
testimony where I talk about many different security areas as
part of the defense and depth strategy, recommending multiple
layers of defense, detection, response, and ongoing training. I
would, however, make the following observations. PCI Data
Security Standard plays a critical role that has increased
awareness around securing data in the payment industry. The
threat landscape is more complex than ever, and keeping up with
and complying with the standard simply isn't enough.
A common misperception is that PCI was designed to be a
catch-all for security. We believe it serves as a good baseline
for security, giving businesses guidelines for basic security
controls to protect cardholder data. And we heard discussions
today about chip-and-PIN, end-to-end encryption and other
technologies, and these are all good, but there is no silver
bullet. A multi-layered approach to security involves people,
process, technology, and innovation, and I would take these few
minutes to highlight 3 particular ones.
Businesses should implement an incident response plan that
includes advanced detection techniques, containment strategies,
and response technologies. Web applications are a high value
target for attackers because they are easily accessible over
the net. Web applications are often at businesses' front door
and often connected to systems that contain private data. While
monitoring more than 200,000 Web sites, our researchers found
16,000 attacks occur on web applications per day. This is why
businesses need to adopt protections that include the ability
to detect vulnerabilities and prevent web applications.
Obviously, anti-malware is a big issue here, and what
companies need to do is to defend against this is deploy
gateways, and I stress this is not anti-virus technology. This
is, gateways specifically help to protect businesses in
realtime from threats like malware and zero-day vulnerabilities
and data loss.
I want to thank the Chairman and Ranking Member Schakowsky
for the opportunity to be here today, and happy to answer any
questions.
Mr. Terry. Thank you, Mr. Smith.
[The prepared statement of Mr. Smith follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Terry. And that does conclude the testimony of our
panel, and now it is time for us to ask you questions.
And I get to go first, so I recognize myself for 5 minutes.
Mr. Smith, based on your professional opinion in this
industry, are we--the United States suffering an increased
onslaught of data breaches and attacks or is it just simply we
are paying more attention in the media?
Mr. Smith. No, we are suffering more attacks, that is for
sure,
Mr. Terry. Can you quantify that in any way? Do you know
how many----
Mr. Smith. In numbers of attack? I mean I can only speak
for our company and how many we are involved in each year,
which involves, you know, a number of different investigations
as well as multi-national locations within----
Mr. Terry. Do you have an opinion why that has increased,
the number of attacks have increased?
Mr. Smith. I think any time there is something of value,
and the Web now gives the ability for these multi-national
attacks to occur from anywhere in the world, so as the
technology increases, so will the attacks, so will the value of
that data----
Mr. Terry. Right.
Mr. Smith [continuing]. That people are after.
Mr. Terry. Appreciate that. Thank you.
And for Mr. Mulligan and Mr. Kingston, I appreciate that
you accepted our invitation to come here. I think people should
know that you didn't have to accept that invitation, you don't
have to be here, but you agreed to be here, and A, I think that
speaks well for both of the companies that you work for and
your respect for the consumer to go on the record about what
occurred and what you are offering to your customers. I want to
thank you for that. It doesn't mean we don't ask you tough
questions.
So, let me start off the same question to both Mr. Mulligan
and Mr. Kingston. Both of you, you suffered point of sale
attacks, and at least with Target there was a portion of that
that was unencrypted and you were able to get the information
in plain language, plain text. Is that a shortcoming? Is that
standard? How much of a surprise to you or not surprise that
there was that vulnerability at the point of sale, Mr.
Mulligan?
Mr. Mulligan. Mr. Chairman, we know today----
Mr. Terry. Pull your microphone a little closer
Mr. Mulligan. We know today in the U.S. that credit card
information, payment card information, comes into point of sale
systems from the magnetic strip unencrypted. In our case, that
data was captured prior to us encrypting it. We have seen in
other geographies around the world where chip-and-PIN or chip-
enabled technology has been deployed, the fraud related to
payment cards has come down dramatically, and that is why we
have been supporters of that technology over a very long period
of time.
Mr. Terry. All right. Mr. Kingston.
Mr. Kingston. What we learned in our investigation,
Chairman, is that the information was scraped at a time
immediately following the swipe as well in basically
milliseconds.
Mr. Terry. In essence, commingled data so it was
undetectable, hidden in plain sight?
Mr. Kingston. Literally milliseconds before it is sent
through encrypted tunnels to payment processor for
authorization.
Mr. Terry. Wow. Back to Mr. Mulligan. Have you been able to
determine how they were able to get into the system and place
the malware at that very sensitive point?
Mr. Mulligan. That is my understanding the point of access
was a compromised set of vendor credentials or log-on I.D. and
password. Beyond that, we have an end-to-end review, forensic
review of all of our systems to understand that particular
question is one we share with you, Mr. Chairman.
Mr. Terry. So, it was a process failure?
Mr. Mulligan. We don't understand that today. At the
completion of our investigation, we are looking forward to
getting the facts about what transpired.
Mr. Terry. All right. Mr. Kingston.
Mr. Kingston. At this point in our investigation, we have
not yet found any evidence of how attackers were able to
infiltrate our network.
Mr. Terry. A lot of discretion on breach notification. Tell
us--first of all, we want to make sure that a consumer whose
data, whether it was their financial or personally identifiable
information, is notified in a timely manner. There is a
perception that perhaps you discover breach and you should push
send for notification. Does it really work that way? How much
time is a reasonable amount of time before you notice a
consumer of a breach? Mr. Mulligan.
Mr. Mulligan. Our focus was on providing certainly speed in
getting notice quickly, we think, is important. Balancing that,
and the lens that we were looking through was for our guests,
providing them accurate information to help them understand
what went on, and then actionable information, what could they
do about it.
In addition, given the magnitude of our enterprise, we knew
we would get significant requests from our guests, and we want
to be prepared with staffing up our call centers, having our
stores have the appropriate resources to respond to their
requests, and I think all of that is how we approached this
from a notification.
Mr. Terry. How many days from the time that you were told
of the breach versus when you were able to send them notice
out?
Mr. Mulligan. From the time we found the breach, we found
the malware on our system to the time we notified was 4 days.
Mr. Terry. All right. Mr. Kingston, same questions.
Mr. Kingston. So we also at Neiman Marcus believe that
prompt and specific notification is the best course of action.
I think there are two important things that need to be
established in order for that to happen and happen in a
reasonable way as you ask the question. The first is
understanding that you actually do have a breach or some sort
of risk of attack, and so in our case we learned that on
January 6th.
I think the second important thing is to protect customers
from any potential further harm, to make sure that you
contained, in our case, the malware that was discovered in our
systems. It took us 4 days to do that, and at that time, on
January 10th, we immediately began notifying customers.
Mr. Terry. All right. 4 days for each of you. All right.
Thank you.
And I recognize the Ranking Member Jan Schakowsky from
Illinois.
Ms. Schakowsky. Thank you.
Just a quick question to Mr. Russo. I think you do good
work, but you aren't suggesting that we shouldn't act as a
Congress, are you, in order to set some standards?
Mr. Russo. No, certainly I think there are plenty of things
that can be done, not the least of which is law enforcement and
information sharing.
Ms. Schakowsky. I understand. I am asking that really as a
yes or no question. Are you suggesting that it is inappropriate
or unnecessary for Congress to act on standards, et cetera?
Mr. Russo. I don't know. I have no opinion in that area.
Ms. Schakowsky. OK. I wanted to ask you, Mr. Kingston. You
discovered the breach internally? Neiman Marcus discovered it,
the breach itself?
Mr. Kingston. The first idea that we had that there was
anything potentially wrong in our system is on January 2nd when
our forensic investigator brought to our attention that they
had found some suspicious malware potentially capable of
scraping card data. It wasn't until the 6th because it took
them 4 days, based on the sophistication of this malware, to
actually decrypt it and decompose it to understand that it
actually could work in our----
Ms. Schakowsky. Who informed you?
Mr. Kingston. Our forensic investigator.
Ms. Schakowsky. Our?
Mr. Kingston. We hired a forensic investigator.
Ms. Schakowsky. Oh, your forensic investigator.
Mr. Kingston. Yes, forensic investigator.
Mr. Terry. Not Mr. Smith.
Ms. Schakowsky. OK. And Mr. Mulligan, you said that the
Justice Department informed you.
Mr. Mulligan. They came to us on December the 12th and
indicated they had a handful of cards that had been
compromised, and potentially one of the locations that was
compromised with Target. At that point, there was no indication
or evidence that there had been a breach. We found that breach
3 days later and shut it down within 12 hours.
Ms. Schakowsky. I actually wanted to talk more about the
breach of marketing data and which affected fully one-fourth to
one-third of all American adults, which is pretty serious, and
I am asking these questions because I believe the breach of
marketing data represents really a serious threat to consumer.
Payment card breaches are severe incidents that criminals tend
to obtain card data, spend money when they can, and then move
on, but names and contact information can be used in phishing
and social engineering schemes to try to perpetrate identity
theft, and so while harm from payment card breaches are acute,
harm from nonfinancial breaches linger, identity theft lasts.
So, I wanted to ask you about the way you informed the
consumers who had these marketing data breaches. Some consumers
received an email message during the week of January 12th
notifying them of a breach of Target customer information and
received that message from [email protected], and
scammers sometimes use legitimate names of companies and many
people were alarmed when they looked up the domain name and
found ``permission denied'' message. And so I wanted to know
how Target determined it would contract with a company to send
these messages and what you are doing about the confusion that
consumers may have felt.
Mr. Mulligan. Congresswoman, we wanted to notify, confirmed
on January 9th that that data had left our system, and on
January 10th we started notifying consumers. We sent out 56
million email addresses. That was the number we had available
to us. We also, as we did in the first breach, prior to broad
public disclosure of the issue so that everyone would have
information related it to, but one of the things we did and a
couple of things we did in response to some of the concerns you
are talking about, first, we communicated to our guest that
there was a single of truth on our corporate target.com Web
site. Any communication coming from Target was located there
and could be trusted.
Second, we provided free credit monitoring which provides
free identity theft protection, identity theft insurance for--
--
Ms. Schakowsky. Let me refer to that. There was a briefing
organized Monday by the Bipartisan Privacy Caucus, Ed
Mierzwinski of U.S. PIRG who said that credit monitoring, such
as the one offered by Target, doesn't stop fraud on existing
accounts and won't prevent new account identity theft. So I'm
wondering what the rationale is for this program, its
performance so far, and any ongoing alternatives or
improvements being considered or developed by Target.
Mr. Mulligan. My understanding, Congresswoman, is that
consumers have no liability for any fraud which occurs on their
cards as a result of this breach. A part of the package that we
offered in the free credit monitoring is identity theft
protection, identity theft insurance, and access to a frauds
protection specialist so that any guest who has ever shopped a
Target store has the ability to contact them well past the year
and ensure that their data is safe.
Ms. Schakowsky. So you would disagree with that conclusion
that it doesn't stop fraud on existing accounts and won't
prevent new account identity theft?
Mr. Mulligan. I can't speak to that data specifically. What
I can tell you is consumers have no liability for fraud on
their accounts that are a result of our breach.
Ms. Schakowsky. You are talking about fraud of----
Mr. Mulligan. Of existing accounts. I am sorry.
Ms. Schakowsky. Are you talking about fraud in a purchase?
I am talking about identity theft.
Mr. Mulligan. And we provide identity theft protection as
part of the free credit monitoring.
Ms. Schakowsky. Thank you.
Mr. Terry. Thank you.
I now recognize the vice chairman Mr. Lance of New Jersey.
Mr. Lance. Thank you very much. Mr. Chairman
To Mr. Mulligan. You testified that you were informed of
the breach by law enforcement on December 12th and 13th, hired
a forensic firm on the 14th, and on the 15th you both
discovered the infiltration, removed the malware from your
point of sale network. If it was relatively easy to find the
malware once you were made aware of it, why wasn't it detected
through your existing information security procedures?
Mr. Mulligan. It is excellent question, Congressman, one we
have asked many times. Our ongoing forensic investigation, we
believe, will provide the facts of what transpired and why the
significant investments we have made in multiple ways of
detecting and ensuring our systems are safe did not detect
this.
Mr. Lance. Can you give the committee an estimate as to
when you might know the answer to that question?
Mr. Mulligan. That investigation is being led by our
forensic investigator. They will take the time they need to
assess all of the facts, and certainly from that there will be
learnings and we will take action, so I don't have perspective
on how long that will take.
Mr. Lance. Thank you.
In addition to the 40 million payment card accounts that
were breached, your company also detected a breach involving
other personal information in 70 million consumers. Do you
know, Mr. Mulligan, how many of the 70 million accounts would
trigger a notice of breach under existing state laws.
Mr. Mulligan. I am not familiar with that, but as we
considered that, what was important is, as we have had accurate
and actionable information, we have disclosed information to
the public, and that was our approach there. On January 9th, it
was confirmed that that data was extracted from our systems,
and on January 10th we provided broad public notice and began
to email those guests for which we had email addresses.
Mr. Lance. Thank you.
To Mr. Kingston at Neiman Marcus. From the time you first
realized you had an actual problem in your system, and I
believe that was January 2nd, until you disassembled the
malware on January 10th, how did you conduct business with your
consumers? Were POS terminals used during that timeframe to
accept payments, and if so, how was that decision made?
Mr. Kingston. So, we did continue to conduct business for
our customers during that time. However, as we were learning
throughout the investigation more about this particular
sophisticated attack, we immediately began implementing
additional controls on top of all of the multi-layered security
controls that we had in place at that time, and so being very,
very careful with our forensic investigators as well as our
internal investigation to closely monitoring for any further
suspicious activity.
Mr. Lance. Do you know yet whether the suspicious activity
increased between January 2nd and January 10th?
Mr. Kingston. We have not seen any indication of that, no.
Mr. Lance. So that is an open question or are you likely to
concluded that----
Mr. Kingston. No additional suspicious activity was noted.
Mr. Lance. Thank you.
To the panel in general, as card security evolves, it seems
as though the chip is a better mouse trap. With a chip enabled
card, the critical pieces of consumer information are obscured
from would be thieves, and the ability to prevent card
duplication is achieved. But there are two types of chip
enabled cards, as I understand it, those that require a PIN and
those that require signature for authorization. To our experts,
what is the difference between the two and what do you believe
is preferable?
Mr. Russo, why don't we begin with you.
Mr. Russo. Well, the combination of PCI and EMV in any
form, be that chip-and-PIN, be that chip and signature, is a
powerful, powerful solution for as you indicated face-to-face
fraud and counterfeit cards. However, there are other channels
that that data can still be used, and so the powerful
combination of PCI and EMV, once again, in any form is a
powerful combination, and I think is something that needs to be
considered.
Mr. Lance. And from your professional perspective, who
should consider that? Should this be required statutorily by
the Congress or should this be determined at state capitals or
should it be at the option of the private sector?
Mr. Russo. That is beyond the purview of what the standard
and the security council does. Basically, we are responsible
for securing that data in whatever form it comes in, so be it
chip-and-PIN, chip and signature, regardless of who have
determines what it is going to be and when it is going to be,
our job is to make sure that that is protected.
Mr. Lance. Thank you, Mr. Russo.
Mr. Smith, do you have an opinion on my question?
Mr. Smith. I think the important point here is it is an
additional layer of secure, right. There is no silver bullet
here. There is multiple layers that need to be put in place.
Chip-and-PIN with end-to-end encryption will certainly help
matters, but again, nothing is going to stop the data breaches
Mr. Lance. And would you require this as a matter either a
statutory law or rule and regulation or does that go beyond
what is probably appropriate for Congress, given the fact that
technology advances as rapidly as it does?
Mr. Smith. Again, the chip-and-PIN technology has been
around for a long time. I think a lot of effort should be put
for new technology in securing mobile payments and things like
that. The technology is changing so quickly. The attack factors
are going to change, right, so much more is going to the mobile
side. So, implementing chip-and-PIN is a good thing for the
face-to-face transactions, but having innovation towards mobile
payments and other areas is just as important. Again, it is
defense in depth.
Mr. Lance. Thank you.
I have 12 seconds left. I look forward to working with
everyone on the committee, and I personally enjoy shopping at
Target, and I think my wife at Neiman Marcus.
Mr. Terry. Mr. Yarmuth, you are now recognized for 5
minutes.
Mr. Yarmuth. Thank you, Mr. Chairman.
Likewise, long time customer, first time questioner, and I
appreciate your testimony and your candor and forthrightness,
particularly from Target and Neiman Marcus, and not that you
are not being forthright.
One thing that I am curious about is that while we have
some more instances of this type of breach, and I don't know if
you want to speculate why people might have singled out Target
and Neiman Marcus among a group of retailers, but obviously
there are a lot of retailers out there, many of whom with
probably as much of a high profile as you, and my question is,
are you aware, are you able to discuss with your colleagues in
the industry whether they have been able to head off any cyber
attack that might distinguish them in some way from your
operations, or have you been informed by law enforcement of any
other attacks that have been fended off? And I open it up to
Mr. Russo and Mr. Smith as well.
Mr. Mulligan. Maybe I can start. We took several steps,
once we verified there was malware in our point of sale
systems. We have an ongoing relationship with law enforcement
and certainly shared that with them. We also shared the malware
with security firms who work with all businesses to look for
these types of malware.
Beyond that, we have pushed for and are beginning an
initiative with the retail industry around information sharing
across all retailers to share this kind of information. It is
an evolving threat. It is a shared responsibility for all of
us, and we believe information sharing is one path to
understanding the evolving threat and how we will collectively
deal with it.
Mr. Yarmuth. I am just curious as to whether there is any
indication that you have from any other source that somebody
tried to attack Sak's Fifth Avenue, somebody tried to attack
Walgreen, somebody tried to attack Wal-Mart, and they had
failed where they succeeded in your instance. Is there any
evidence of that somewhere?
Mr. Smith. I will take a look at that. I think we describe
this as a battleground every day. There are attacks going on
constantly and those attacks are being defeated. The situations
we are talking about are, again, sophisticated malware, but
every day, retailers, banking industry, they are defending
their networks against ongoing attacks, and I think that is an
important point that there is a lot of effort going on today
and will continue to go on. And again, increasing innovation
around security technology is an important part of that, and I
think that is where a lot of the players can come together and
spur that innovation.
Mr. Yarmuth. All right. Is there any legal impediment to
your comparing notes and talking to other competitors even? Is
that something that should be, you say you are sharing
information but----
Mr. Mulligan. We can totally benchmark, too, as well. Part
of our ongoing assessment of all our particular program is to
benchmark against other retailers and ensure that collectively
we are providing the best protection.
Mr. Yarmuth. But specifically with regard to Target, there
have been reports that some individuals received Target's
notification of a data breach when they have never shopped at
Target and some of it is a decade old. Are those reports
accurate, and if that is the case, how would they be in your
database if they had never shopped there?
Mr. Mulligan. Congressman, the vast majority of the data we
collect is done through the normal course of business. When a
guest uses our app on an iPod, when they sign up for an app
called ``Cartwheel,'' we periodically append information to
that on an existing guest, and very rarely, but from time to
time we do buy some guest information to provide them
promotions if we think they would benefit from the products and
services that we provide.
Mr. Yarmuth. Now, you have had a relationship with Amazon
for a period of time. Could any of that information have been
captured because of that relationship specifically? Is that
irrelevant?
Mr. Mulligan. It is my understanding that there was a
separation of the information between Amazon's customers and
our guests.
Mr. Yarmuth. OK. Well, I yield back. Thank you for your
testimony. I yield back, Mr. Chairman.
Mr. Terry. OK. At this time the Chair recognizes the vice
committee of the full committee, or vice chairman of the full
committee, Marsha Blackburn.
Mrs. Blackburn. Thank you, Mr. Chairman, and I want to
thank you-all for your patience this morning. I cannot tell you
how so many of our constituents have mentioned their
frustration with the data breaches and their desire to get some
clarity and some certainty in this process, and as you have
heard me mention in the earlier questioning and opening
statement, Mr. Welch, Ms. Schakowsky, and I are doing a data
security and privacy working group to make certain that what we
do when we do something on the issue, that we do it in the
appropriate manner and that be allowed the flexibility and the
nimbleness that is going to be needed. And Mr. Russo, you spoke
well to the need for that.
Mr. Kingston, if I could come to you, and going back to
your testimony with the malware that was there in your breach,
have any of the law enforcement agencies that are working with
you on this, have they ever seen this type malware before, and
what is the origin of that malware?
Mr. Kingston. Congressman, we have been working very
closely with law enforcement, specifically with the Secret
Service, and what they have been able to share with us so far
is that the malware is very, very, very sophisticated. As I
said earlier in my testimony, had a zero detection rate by
antivirus software, and it is not something that they have seen
before. It was very specifically designed for an attack on our
systems.
Mrs. Blackburn. OK. So it was designed specifically for an
attack.
Mr. Kingston. Yes.
Mrs. Blackburn. And do you know the origin yet?
Mr. Kingston. They have not shared that with us. I am not
sure at this time.
Mrs. Blackburn. They have not. OK.
Mr. Russo, when you look at this, and here is something
designed specifically to attack and to take down their
financial infrastructure, if you will, then what is your
guidance to us as we seek to look at that data share, which is
important, that information share, which is important. Mr.
Zelvin spoke to that in the previous panel. What is your
instruction to us? Because we know that the different agencies
send out threats and updates on a regular basis, and you have
something that is unique, so what is your instruction to us?
And then the second question I have for you in the interest of
time is what are the unique identifiers that you are seeing
creep up in some of this, this malware?
Mr. Russo. So, first of all, the council is a wonderful
forum in which to share information. Companies give us feedback
all the time as to what is going on. The forensic investigators
tell us about trends that they are seeing, which all gets
factored into creating these standards and making sure that
they are not only good for today but good for what we see
coming in the future.
So, it has been our experience that the standards are very,
very solid. We have a lot of history around this. I think we
have heard two or three times, as I can recall, during the
hearings the morning, that what we saw and what we continue to
see are basic threats that are being exploited, very basic
threats. You have heard me say, you heard Mr. Smith say about
passwords being used and so on, SQL injection is another one,
lest I get technical here, very, very basic things.
Within the standards now, there are a myriad of ways to
prevent this from happening and to prevent malware, as
sophisticated as it may be, from getting into the system. So,
at this point I don't have enough information in terms of what
actually happened, but I can tell you, up until now, everything
that we have seen in terms of these major breaches over the
last 7 years has been exactly what the panel before us
indicated, very, very basic exploits that easily, easily could
have been defeated. So, until we actually have some solid
information as opposed to what we are reading in the
newspapers, we really can't make a determination as to what
happened and if the standards need to be updated.
Mrs. Blackburn. I hope you will come back to us. When you
look at standards and compliance, and we know even going back
to the T.J. Maxx breach, they were compliant, they just weren't
secure, and there is a difference there.
Mr. Mulligan, at Target, how much have you-all invested in
secure networks?
Mr. Mulligan. Over the past several years, we have invested
hundreds of millions of dollars. Part of that has been in
technology, segmentation, malware detection, intrusion
detection and prevention, data loss prevention. Part of that
has been in teams. We have over 300 team members responsible
for information security. Part of that is in assessment.
PCI is one assessment that we do certainly as part of the
payment card industry. But we are constantly assessing
ourselves, having other third parties come in and do
penetration testing, benchmarking us against others and
benchmarking us against best in class. And we train 370,000
team members annually on the importance of information
security, so we have a wholistic view and we have invested
significantly.
Mrs. Blackburn. OK. Mr. Kingston, how much has Neiman spent
on security?
Mr. Kingston. So, we have spent tens of millions of dollars
on very specific security measures, and as Mr. Mulligan said,
it is really a combination of technology as well as people and
process. I think one of the things that we do at Neiman Marcus
that is really important that I think the subcommittee should
think about is the fact that we do annual security awareness
training for all Neiman Marcus associates that access systems,
and I think awareness is a big part of strong defense.
Mrs. Blackburn. Yes. Well, my time is expired. I will yield
back.
Mr. Mulligan, I am going to submit a question to you for a
written answer on the CVV security codes.
Mr. Mulligan. Happy to respond.
Mr. Terry. Thank you. And the Chair now recognizes another
gentleman from Kentucky, Mr. Guthrie.
Mr. Guthrie. Thank you, Mr. Chairman. Thank you for coming.
So, Mr. Russo, to follow up on what Ms. Blackburn asked, or you
said, to answer her question, you said that these breaches, I
guess the two that we are talking about today were basic?
Mr. Russo. No, today's breaches, I don't know----
Mr. Guthrie. I could have been defeated?
Mr. Russo. We don't have enough information yet.
Mr. Guthrie. You said that basically it could have been
defeated?
Mr. Russo. What we heard this morning from the other panel
was all of the breaches up until now----
Mr. Guthrie. OK
Mr. Russo [continuing]. Have been basic security exploits
that could have easily been prevented, and we don't actually
know what the situation is yet from the latest breaches.
Mr. Guthrie. OK. So, but because I knew that Mr. Kingston
said that they had zero detection rate by their software. It
didn't sound basic. So, I mean, OK, I am willing to clarify
what you said then. But based on what you do know, were Target
and Neiman Marcus compliant to the PCI standards?
Mr. Russo. Unfortunately, they do not report their
compliance to the council. The council, like many other
security bodies, basically puts together the best standards
that we possibly can. We are not responsible for enforcement
or----
Mr. Guthrie. Right. I knew that.
Mr. Russo. Nor do people report their compliance to us.
Mr. Guthrie. OK. So, there is no----
Mr. Russo. We have no insight as to whether or not they
were compliant or not.
Mr. Guthrie. You can't assess whether they were meeting the
standards or not.
Mr. Russo. Absolutely not.
Mr. Guthrie. So that is something to look at. So, one of
the other previous panelists said basically, I can't remember
the word, was retailers or business, but in essence she said in
her testimony to get serious, it is time to get serious about
this. You said you spent hundreds of millions of dollars, you
spent tens of millions of dollars.
How much do you think this incident in December and then
January, first with Target, I know you are the CFO. I know you
as the information officer, you may not know, but what do you
think this has cost your bills in terms of dollars? Not on
customer loyalty, customer anything, but just in terms of
dollars.
Mr. Mulligan. We don't have insight into that yet. We
disclosed publicly, probably 3 weeks ago, that the losses as a
result of this incident would be material to Target. I don't
have visibility. The primary driver here is fraud. I don't have
visibility of that from the majority of the financial
institutions, but what I can tell you is this: of the 40
million accounts that were taken, 6-and-a-half million of them
or 15 percent were Target cards, and what we have seen is on
our Target Red Card, the proprietary card, our Target debit
card, there has been no additional fraud, and on our Target
Visa card, which is a Visa card just like any other, we have
seen very low levels of fraud. So, we will have more
information as we go through the process.
Mr. Guthrie. So Neiman Marcus, what kind of expense or cost
has this been to your business?
Mr. Kingston. We are still in the midst of our
investigation, so you know, I don't have visibility to that
yet.
Mr. Guthrie. And then, Mr. Smith, we are hearing from two
Fortune 500 companies, very sophisticated companies, that have
sophisticated systems in place, it appears, and they are still
breached by very sophisticated criminals. So what about the
small guy? I know that is the kind of the area you look at, if
you are, where I get gasoline and gas at the pump and a small
locally-owned station, what processes are in place for these
guys?
Mr. Smith. Well, again, the PCI standards are across the
board for any store who transmits or processes data. You know,
the smaller merchants have a smaller platform to be attacked,
right, so they are able to defend their smaller presence on the
Internet. There are lots of, as Mr. Russo alluded to, basic
security principles that they can put in place, relatively
cheap to protect their network and their data. And there is a
lot of information out there including on our Web site for the
small merchants to, what technologies, what they should be
putting out there.
Mr. Russo. If I can interject.
Mr. Guthrie. Sure.
Mr. Russo. Being a small merchant is a very tough thing
these days. You not only have to worry about shoplifting and
somebody breaking into your store, but you now have to worry
about data security.
In an effort to make that a little bit easier, as Mr. Smith
indicated, on our Web site we certify different solutions that
they can go and choose. Not only do we certify different
solutions in the form of payment applications, as well as POS
devices that are secured and certified to be PCI compliant, but
also, we train installers throughout the Nation so that a small
merchant, as opposed to using his brother-in-law, to help
install a piece of software can actually go out and pick
somebody off this list to securely install this information for
them.
So we make it easier for the smaller merchant, but again,
the small merchant area is a very, very big problem.
Mr. Guthrie. Because they would be a portal into a whole--
--
Mr. Russo. Absolutely.
Mr. Guthrie. So one of the other panelists also said that
there is a list of different things people can do and they will
do some, but they won't do the others. Is that the case with
your, did you look back and say, wow, there was something we
should have known to do that we didn't do? Or is it, this was
so sophisticated that it went around a very sophisticated
system that you had. I guess I am out of time, I'm sorry.
But one of the panelists earlier basically said that. Not
necessarily your situation, but situations that there could
have been a check box and they decided not to check because it
cost money. I mean, that is what she said. Not word for word,
but is that what you all found to be the case, or has it been
so sophisticated that you had everything in place and you say,
wow, I can't believe they can get around that? Or did you find
something obviously you should have found.
Mr. Terry. Go ahead. But then you are done, Brett.
Mr. Guthrie. OK.
Mr. Mulligan. Congressman, as I said, we invested hundreds
of millions of dollars in technology and assessment. Part of
the ongoing end-to-end review of our systems will provide facts
when that is complete and there will be learning, certainly,
and we will respond to those learnings.
Mr. Guthrie. But there wasn't something obvious you didn't
do that led to this?
Mr. Terry. Brett?
Mr. Kingston, answer.
Mr. Kingston. I think at Neiman Marcus, we felt, and feel
very good about the high standards of security that we had in
place, and that we continue to have in place.
Obviously, there will be lessons learned out of this, and
certainly one of the takeaways so far, this is a very highly
sophisticated attack.
Mr. Terry. Mr. Johnson, you are recognized for 5 minutes.
Mr. Johnson. Well, thank you very much, Mr. Chairman.
And I, as I mentioned to the first panel, I spent my entire
professional career as an IT professional. One of those stents
was as the director of the CIO staff for U.S. Special
Operations Command, and you don't have an environment that is
any more concerned about network and computer security than our
national security. I mean, that is paramount.
So I understand the complexities that you folks have to
deal with on a daily basis to address this and I can empathize
with the struggles that you have.
Just real quickly, just a few questions. Mr. Mulligan, why
hasn't Target joined the financial services ISAC, the
Information Sharing and Analysis Center?
Mr. Mulligan. I don't know the answer to that specifically,
Congressman. I can tell you we have a long history of sharing
information with law enforcement as it relates to these type of
threats, and we certainly believe that information sharing, a
shared responsibility across all industries is essential to
dealing with this type of evolving threat.
Mr. Johnson. Is this most recent incident, has that given
you thought to consider joining?
Mr. Mulligan. Certainly, Congressman, and in fact, as I
stated earlier, we have implemented at least one step of that
with retailers for information sharing, but yours is another
that we are absolutely open to.
Mr. Johnson. What about large retailers like you folks? Do
you think it is time for large retailers like you guys to
consider having your own ISAC?
Mr. Mulligan. We absolutely believe that information
sharing is important, Congressman, absolutely.
Mr. Johnson. OK, what about empowering law enforcement to
share information with the private sector with respect to
ongoing threats and attacks? Do you think that is important
also?
Mr. Mulligan. We do. We have had an ongoing relationship
with law enforcement at many levels and have enjoyed a great
relationship with them historically, and certainly during this
period of time as well.
Mr. Johnson. OK. Mr. Kingston, what are the systems that
you had in place to guard against a data breach, and why did
they fail in this case?
Mr. Kingston. So Congressman, we had a multi-layered
security approach and architecture in place, and I will just
highlight some of the controls and different technologies. So
we had network behavioral analysis and monitoring technology in
place. We had network segmentation with the use of firewalls
and controlled intrusion detection systems, two-factor
authentication for remote access. We also deploy encryption
technologies, and we also utilize tokenization as a method to
protect and secure consumer information that is stored in our
system.
Mr. Johnson. So, and that sounds pretty robust. I mean, it
is the traditional kinds of things that folks do to provide
network and data security. Why do you think those things
failed, just the sophistication of the attack?
Mr. Kingston. So you know, with what we have learned so
far, and again, there are still some important questions that
we haven't answered in our investigation, but with what we have
learned so far, it really points back to the malware being so
sophisticated and customized to specifically evade those
different technologies and detections. Just to give you an
example, this particular malware was able to inject itself into
known point-of-sale programs, so that it could disguise itself
and continue to operate as if it was a normal program.
And then it was able to delete itself and clean up its
tracks, so very, very complex, very difficult to detect.
Mr. Johnson. Yes, yes. You have emphasized the
sophistication of the attack. You just talked about that, even
customizing the malware so it wouldn't be detected by today's
current antivirus programs. Can the criminals always stay one
step ahead of us like they appear to be doing in this case? Is
that a battle we are going to face?
Mr. Kingston. Clearly, it is going to be difficult for us,
both public and private sector. I certainly hope one day we get
to a point where we can at least be on par, if not ahead of the
criminals.
Mr. Johnson. OK. Does your recent experience equip you to
try some different techniques? Have you guys started thinking
about how do we make sure that they can't get through, and then
once they get through, that we can detect them?
Mr. Kingston. I think, undoubtedly, with the things that we
are learning through this investigation with the help of our
forensic teams and with the help of law enforcement, there are
definitely going to be things that we can consider to help even
further strengthen the security that we have in place today.
Mr. Johnson. Sure. Well, I have a gazillion questions, Mr.
Chairman, and I don't think you are going to give me a time to
ask them so I will yield back.
Mr. Terry. Not a gazillion, no, but we will let you have
one more after everyone else if you want to stay.
Mr. Terry. Mr. Bilirakis, you are now recognized for 5
minutes.
Mr. Bilirakis. Thank you, Mr. Chairman, I appreciate it
very much.
And I appreciate the panel's testimony today. And thanks
for your patience as well.
Mr. Mulligan, thank you again for testifying. In your
testimony, you note that December 16th and December 17th, you
began notifying the payment processors and card networks, and
on December 19th, made a public announcement regarding the
breach; and is that true?
Mr. Mulligan. That is accurate.
Mr. Bilirakis. OK, all right. Given that 47 states as well
as the U.S. and the U.S. territories have developed data breach
notification laws, often with different requirements, standards
of harm, and definitions of personally identifiable
information, did you or your company find it difficult to
navigate through these different standards?
Mr. Mulligan. Our focus, once we realized the malware was
on the system, we had two parallel tracks that we were
pursuing. The first was to shut down the malware, and then
assess what it was doing, and once we verify that it was taking
payment card information, we wanted to notify the processors,
and the brand so that they could begin their fraud deduction
and fire up their fraud detection policy.
The second path was on providing public notice as soon as
we had the scope, we had actionable information for our guests,
and had built the resources to respond what we knew invariably
would be a significant call volume.
Mr. Bilirakis. Well, again, I want to ask the question: Was
it difficult to navigate this process since, what is it, 47
different States have different laws, and I know you are
everywhere around the U.S.
Mr. Mulligan. It is my understanding that the majority of
those States' statutes provide for broad public disclosure. We
provided broad public disclosure on the 19th. As I am sure you
know, we were on the front page of every newspaper on December
20th, and so that was our approach. We also provided notice to
17 million guests by email for the guests that we had.
Mr. Bilirakis. OK, should there be, in your opinion, a
National standard with regard to notification, notifying
customers?
Mr. Mulligan. Certainly, one standard would be easier to
follow than 47, but we complied with all 47 state statutes.
Mr. Bilirakis. Thank you.
Mr. Kingston, the same question, should there be a National
standard as far as notifying customers?
Mr. Kingston. I mean, I don't have an opinion on whether
there should be a National standard. I would say that it is
important that there be flexibility within whatever legislation
standard you have, because I do think, as was noted in the
first panel, these investigations, these events are different,
and on a case-by-case basis, need to be handled differently.
Mr. Bilirakis. Anyone else on the panel wish to comment on
that? Should there be a national standard?
Mr. Russo. Outside the purview of the counsel.
Mr. Bilirakis. OK. Next question, in 2015, liability for
fraud losses will be to shift from card issuers to merchants.
Mr. Mulligan, you said you are accelerating chip technology for
Target's red cards. Do you believe the switch to chip-and-PIN
can save money in the long run?
Mr. Mulligan. We have been advocates to moving to chip-
enabled technology, and chip-and-PIN technology over a long
period of time, and while it certainly doesn't resolve all of
the issues, it is a significant step forward for our industry
in ensuring that that data is safe. So we have been proponents.
We are in the middle of rolling it out. We have 300 stores
already deployed with guest payment devices, what we call,
where you read the cards. We will finish that by the fourth
quarter of this year, and early next year all of our credit
products, the payment products we offer will also have chips
embedded on them.
Mr. Bilirakis. Very good. Will it save money in the long
run?
Mr. Mulligan. We believe so.
Mr. Bilirakis. All right, very good, Mr. Kingston.
Mr. Kingston. Sir, we are actively evaluating PIN-chip
technology at Neiman Marcus, and we will certainly, if
consumers are issued cards with PIN-chip in them, be ready and
able to support those transactions.
In addition, we are also looking at other technologies that
can also protect Neiman Marcus consumers that shop online. We
have a very robust online business which PIN chip doesn't
necessarily address, as well as the growing trend for mobile
payment transactions. So we believe that while PIN chip
technology is certainly going to enhance security, that there
are other solutions out there that we also will evaluate.
Mr. Bilirakis. Thank you.
Again, for Mr. Smith, do you believe it will save money in
the long run? You know, the switch to chip and PIN?
Mr. Smith. I can't really comment on the savings, but you
know, any security technologies that can be deployed to protect
cardholder data, you know, we would be supportive of.
Mr. Bilirakis. Mr. Russo?
Mr. Russo. I agree with Mr. Smith. Certainly, it will be
yet another level of security that is important.
Mr. Bilirakis. And that is our priority.
Thank you very much, I appreciate it. Thanks for your
question.
I yield back.
Mr. Terry. Thank you, Mr. Bilirakis. Now, you may think
this is over, but we have agreed between us to have a second
round. It is just that everybody has left but us two. So the
lucky part is that you are only going to get two extra
questions.
So my question to you is going to be to Mr. Mulligan and
Mr. Kingston, on specifics about audits and when they are done,
and when you last did them before the breaches were discovered.
Mr. Smith, I want you to answer it more not Neiman Marcus,
or Target-specific, but what is appropriate for audits and when
they should be done, and how frequently pursuant to your
expertise and professional opinions.
So with that, as I understand, the process or norms are
that you do audits throughout the year on your security
systems. So how often do you do those and when was the last
time an audit was done on your security before you discovered
the current hacks and malware that brings you before us today?
And also, do those audits include password integrity and
possible phishing, procedural process, or process deficiencies.
Mr. Mulligan?
Mr. Mulligan. We have a robust audit plan or assessment
plan, I would call it more broadly. Certainly it starts with
PCI assessment, which is done annually. It takes 9 months. We
have that performed by a third party. That is one step.
But beyond that, we have ongoing assessments, Congressman,
penetration testing, assessing our technology, the people, the
processes, the controls we have in place. It would be all-
encompassing. And we have a multiple of those every year.
We had a third-party global firm assess us against Fortune
100 retailers just last year and we were at or better than the
technology deployed in those retailers. So it is an ongoing
part of our data security program.
Mr. Terry. So the other two parts of that, though, was when
was the last one done, and does that also include password
integrity?
Mr. Mulligan. I am not sure. I can't give you the exact
date of our last one. It would include password protection
because it looks broadly at all of our processes. I am happy to
get you a date.
Mr. Terry. All right, thank you. Mr. Kingston.
Mr. Kingston. Chairman, I will answer the last part of the
question first. Our audits do address password integrity, but
we have several different forms which we audit and assess our
security controls, so I will start with periodic audits of IT
general controls, which include password strength and controls.
We also do a quarterly scan, a penetration scan of the
perimeter to see what potential vulnerabilities or risks are
coming into the networks as well as the internal networks. And
then the last part of the assessment that I point out is under
PCI.
Mr. Terry. All right. Mr. Smith?
Mr. Smith. You know, we conduct annual assessments under
PCI for our clients all the time. In addition to that, working
with our clients as partners, we do active penetration testing,
active testing all the time depending on if there is an
incident or if there is a security issue, or there is an area
that they want tested. We are constantly going in and out of
organizations, you know, frequently to test their systems.
Mr. Terry. How often?
Mr. Smith. I think it is going to depend on a PCI
compliance. It is an annual testing.
Mr. Terry. All right.
Mr. Smith. But as part of that, we do frequent, you know,
vulnerability scanning.
Mr. Terry. OK.
Mr. Smith. But again, if you are looking at beyond that, we
are actively involved with many of our clients doing active
penetration testing on an ongoing basis----
Mr. Terry. All right.
Mr. Smith [continuing]. Through all of their applications.
Mr. Terry. Thank you. Ms. Schakowsky, you are recognized.
Ms. Schakowsky. Thank you.
I really do want to thank the gentlemen representing Target
and Neiman Marcus for your patience today and for coming here,
as the chairman said, willingly, and sitting through a long
hearing. So I think that should be noted, and for your openness
and willingness to cooperate. But I have been disturbed, not
necessarily by what you have done, but there have been some
efforts in the courts to undermine the ability of government to
actually act in the area of data security.
Since 2002 the Federal Trade Commission has applied its
enforcement authority under Section 5 of the FTC act to the
area of data security by bringing legal actions against
companies that fail to reasonably protect customer data. Last
week the FTC announced its 50th data security settlement.
But in the court, there is a case FTC versus Wyndham that
is currently pending in the U.S. District Court for the
District of New Jersey, and Wyndham is challenging the FTC's
use of its unfairness authority to insist that companies have
minimum data security standards in place. And an amicus brief
has been filed by the Retail Litigation Center, an arm of the
Retail Industry Leaders Association, which I know at the very
least that Target is a member of, together with the U.S.
Chamber of Commerce, the American Hotel and Lodging
Association, and the National Federation of Independent
Businesses, which are in support of that position.
So I am just wondering from both of you, if you are part of
those amicus briefs through these associations, and whether
your companies agree with the position taken by Wyndham and
that the FTC lacks authority to enforce reasonable data
security measures. Mr. Mulligan?
Mr. Mulligan. I can begin. I should first note, Mr.
Chairman, to your question about the last assessment. We were
found PCI-compliant on September 20th of 2013.
To your question, I am not familiar with that. What I can
tell you is that we are committed to making this right, and we
are committed to engaging on this topic. And we are willing to
do so independent of RILA. Target is willing to engage on this
topic.
Ms. Schakowsky. Thank you, Mr. Kingston.
Mr. Kingston. So I am not intimately familiar with that
legislation or those issues either, but----
Ms. Schakowsky. This is a court case.
Mr. Kingston. And I apologize, I am not familiar with it.
But I will tell you that Neiman Marcus supports having
standards in place for data security and which is why we are
actively a participant in the PCI standards and assessment
process, and will often look to not only meet those, but exceed
them.
Ms. Schakowsky. Let me just finish in saying I hope both of
you would just talk with your companies and see if you are part
of something that would undermine the ability of the FTC to
protect consumers in cases of data security breaches. Thank
you.
I yield back.
Mr. Terry. And that does conclude all of our questions.
You can start wrapping up, but we will probably submit
questions, or at least every one of us have the right to send
you questions. We will try and get those to you if there are
any to you individually within 14 days, and ask the same amount
of time to return an answer.
Now, just some general business here. I ask unanimous
consent to include the hearing record statements from the
following four organizations: Credit Union National
Association, Independent Community Bankers of America, National
Retail Federation, Retail Industry Leaders Association. All of
these have been shared with the minority, without any
objection?
Ms. Schakowsky. No.
Mr. Terry. Hearing none, so ordered. Now, we are adjourned.
Thank you gentlemen.
[Whereupon, at 12:51 p.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
[all]