[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]

PROTECTING CONSUMER INFORMATION: CAN DATA BREACHES BE PREVENTED?

=======================================================================

HEARING
BEFORE THE
SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES

ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION

FEBRUARY 5, 2014

Serial No. 113-115

Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov

U.S. GOVERNMENT PUBLISHING OFFICE
88-611    WASHINGTON : 2015

For sale by the Superintendent of Documents, U.S. Government Publishing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 20402-0001

COMMITTEE ON ENERGY AND COMMERCE

FRED UPTON, Michigan, Chairman
RALPH M. HALL, Texas
JOE BARTON, Texas, Chairman Emeritus
ED WHITFIELD, Kentucky
JOHN SHIMKUS, Illinois
JOSEPH R. PITTS, Pennsylvania
GREG WALDEN, Oregon
LEE TERRY, Nebraska
MIKE ROGERS, Michigan
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee, Vice Chairman
PHIL GINGREY, Georgia
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
CATHY McMORRIS RODGERS, Washington
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BILL CASSIDY, Louisiana
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Missouri
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina

HENRY A. WAXMAN, California, Ranking Member
JOHN D. DINGELL, Michigan, Chairman Emeritus
FRANK PALLONE, Jr., New Jersey
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado
LOIS CAPPS, California
MICHAEL F. DOYLE, Pennsylvania
JANICE D. SCHAKOWSKY, Illinois
JIM MATHESON, Utah
G.K. BUTTERFIELD, North Carolina
JOHN BARROW, Georgia
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin Islands
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
JERRY McNERNEY, California
BRUCE L. BRALEY, Iowa
PETER WELCH, Vermont
BEN RAY LUJAN, New Mexico
PAUL TONKO, New York
JOHN A. YARMUTH, Kentucky

Subcommittee on Commerce, Manufacturing, and Trade

LEE TERRY, Nebraska, Chairman
LEONARD LANCE, New Jersey, Vice Chairman
MARSHA BLACKBURN, Tennessee
GREGG HARPER, Mississippi
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVE B. McKINLEY, West Virginia
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Missouri
BILLY LONG, Missouri
JOE BARTON, Texas
FRED UPTON, Michigan, ex officio

JANICE D. SCHAKOWSKY, Illinois, Ranking Member
JOHN P. SARBANES, Maryland
JERRY McNERNEY, California
PETER WELCH, Vermont
JOHN A. YARMUTH, Kentucky
JOHN D. DINGELL, Michigan
BOBBY L. RUSH, Illinois
JIM MATHESON, Utah
JOHN BARROW, Georgia
DONNA M. CHRISTENSEN, Virgin Islands
HENRY A. WAXMAN, California, ex officio

C O N T E N T S

Hon. Lee Terry, a Representative in Congress from the State of Nebraska, opening statement
    Prepared statement
Hon. Janice D. Schakowsky, a Representative in Congress from the State of Illinois, opening statement
    Prepared statement
Hon. Fred Upton, a Representative in Congress from the State of Michigan, opening statement
    Prepared statement
Hon. Henry A. Waxman, a Representative in Congress from the State of California, opening statement

Witnesses

Edith Ramirez, Chairwoman, Federal Trade Commission
    Prepared statement
    Answers to submitted questions
Lisa Madigan, Attorney General, State of Illinois
    Prepared statement
    Answers to submitted questions \1\
William Noonan, Deputy Special Agent in Charge, Criminal Investigations Division, Cyber Operations, United States Secret Service
    Prepared statement
    Answers to submitted questions
Lawrence Zelvin, Director of the National Cybersecurity and Communications Integration Center, Department of Homeland Security
    Prepared statement
John J. Mulligan, Executive Vice President & Chief Financial Officer, Target Brands Incorporated
    Prepared statement
    Answers to submitted questions
Michael Kingston, Senior Vice President & Chief Information Officer, The Neiman Marcus Group
    Prepared statement
    Answers to submitted questions
Bob Russo, General Manager, PCI Security Standards Council, LLC
    Prepared statement
    Answers to submitted questions
Phillip J. Smith, Senior Vice President, Trustwave
    Prepared statement
    Answers to submitted questions

Submitted material

Statement of Credit Union National Association
Statement of Independent Community Bankers of America
Statement of National Retail Federation
Statement of Retail Industry Leaders Association

----------

\1\ Ms. Madigan did not respond to submitted questions for the record.

PROTECTING CONSUMER INFORMATION: CAN DATA BREACHES BE PREVENTED?

----------

WEDNESDAY, FEBRUARY 5, 2014

House of Representatives,
Subcommittee on Commerce, Manufacturing, and Trade,
Committee on Energy and Commerce,
Washington, DC.

The subcommittee met, pursuant to call, at 9:30 a.m., in room 2123, Rayburn House Office Building, Hon. Lee Terry (chairman of the subcommittee) presiding.

Present: Representatives Terry, Lance, Blackburn, Harper, Guthrie, Olson, McKinley, Pompeo, Kinzinger, Bilirakis, Johnson, Long, Barton, Upton (ex officio), Schakowsky, Sarbanes, McNerney, Welch, Yarmuth, Dingell, Barrow, Christensen, and Waxman (ex officio).

Staff Present: Charlotte Baker, Press Secretary; Kirby Howard, Legislative Clerk; Nick Magallanes, Policy Coordinator, CMT; Brian McCullough, Senior Professional Staff Member, CMT; Gibb Mullan, Chief Counsel, CMT; Shannon Weinberg Taylor, Counsel, CMT; Michelle Ash, Minority Chief Counsel; and Will Wallace, Minority Professional Staff Member.

OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF NEBRASKA

Mr. Terry. So, good morning everyone, and we have an impressive two panels to testify this morning. Our first are government witnesses. I will introduce you each as we go down, but I want to thank all of you for being here. And the way we do it, some of you haven't testified before us before, others have, each side has basically 10 minutes of opening statements, and then we get right into your testimony, so I will begin my opening statement at this time.
And I just want to thank everyone for being here, and today we are turning our focus to an important issue that has affected nearly one-quarter of American consumers, a string of recent data breaches at nationwide retailers, which resulted in the loss of consumer payment card data, personal information for millions of consumers. Millions of consumers are seeking answers to questions about their personal and financial security.

I am grateful to both Target and Neiman Marcus for agreeing to appear before our subcommittee today. It is my hope that they will be able to give the subcommittee as clear a view as possible of what transpired, what was being done to protect consumer information before these breaches, what steps have been taken to mitigate the harm to consumers in the wake of these breaches, and what more is being done and can be done to prevent such breaches in the future.

We will also hear from public and private entities who participated in developing security standards, protecting consumer data, and taking enforcement actions against the criminals who perpetrate these crimes.

Our objective today is not to cast blame or point fingers. It's just like, just like you, don't blame the homeowner whose home is broken into; nevertheless, we must ensure that breaches like these do not become the new norm. Private sector has worked to try and prevent these crimes to different degrees, including cooperation with government entities. Clearly, there is more that can be done, which is the reason for convening this hearing today.

Already, the U.S. accounts for 47 percent of the fraudulent credit and debit losses worldwide while only accounting for 30 percent of the transactions. We need to be realistic and recognize there is no silver bullet that is going to fix this issue overnight. If we are to seriously address the problem surrounding consumer data security, it will take thoughtful and deliberate actions at all stages of the payment chain.
I don't believe we can solve this problem by codifying detailed technical standards or with overlaying cumbersome mandates. Flexibility, quickness, and nimbleness are all attributes that absolutely are necessary in cybersecurity, but run contrary to government's abilities. We must encourage the private sector to keep improving on its consensus-driven standards which are built to adapt over time to changing threats to data security.

While I have more of a statement, I would like to yield to Mr. Olson the remainder of the time.

[The prepared statement of Mr. Terry follows:]

Prepared statement of Hon. Lee Terry

Welcome to our subcommittee's first hearing of 2014 and the 20th meeting of the 113th Congress. Today, we are turning our focus to an important issue that has affected nearly one-quarter of American consumers: a string of recent data breaches at nationwide retailers, which resulted in the loss of consumer payment card data and personal information for millions of consumers. Millions of consumers are seeking answers to questions about their personal and financial security.

I'm grateful to both Target and Neiman Marcus for agreeing to appear before our subcommittee today. It is my hope that they will be able to give the subcommittee as clear a view as possible of what transpired, what was being done to protect consumer information before these breaches, what steps have been taken to mitigate the harm to consumers in the wake of these breaches, and what more is being done to prevent such breaches in the future.

We will also hear from public and private sector entities who participate in developing security standards, protecting consumer data, and taking enforcement actions against the criminals who perpetrate these crimes.

Our objective today is not to cast blame or point fingers--just like you don't blame the homeowner whose home is broken into.
Nevertheless, we must ensure that breaches like these do not become the ``new normal.'' The private sector has worked to try and prevent these crimes to different degrees, including cooperation with government entities. Clearly, there is more that can be done, which is the reason for convening today's hearing.

Already, the U.S. accounts for 47 percent of the fraudulent credit and debit losses worldwide, while only accounting for 30 percent of the transactions. We need to be realistic and recognize there is no ``silver bullet'' that is going to fix this issue overnight. If we are to seriously address the problems surrounding consumer data security, it will take thoughtful and deliberate actions at all stages of the payment chain.

I do not believe that we can solve this whole problem by codifying detailed, technical standards or with overly cumbersome mandates. Flexibility, quickness, and nimbleness are all attributes that are absolutely necessary in cyber security but run contrary to government's abilities.

I do believe that information sharing is an area that we can be involved with. I would like to explore with our witnesses today a role for Congress in information sharing and analysis centers (ISACs).

We must encourage the private sector to keep improving on its consensus-driven standards, which are built to adapt over time to changing threats to data security.

There are areas where Congress can take action and lead in a way in protecting consumers and combatting fraud. One such area is a uniform data breach notification standard. Right now, national retailers have to comply with as many as 46 different state and territory notification rules, which can slow down how quickly a business can notify customers of a breach by creating confusion over who must be notified, how they must be notified, and when they must be notified. Consumers need to know quickly if their information is breached so that they protect themselves.
I am working on legislation that would foster quicker notification by replacing the multiple--and sometimes conflicting--state notification regimes with a single, uniform federal breach notification regime.

The security of data itself is paramount in this conversation, but as I have said, cumbersome statutory mandates can be ill equipped to deal with evolving threats. Nonetheless, I think this subcommittee would benefit from hearing about how companies are dealing with this issue now, as well as in the future.

I understand that the four largest credit card companies have put a deadline of October 1, 2015, for merchants to adopt point-of-sale portals that accept EMV-enabled cards--the so-called chip-and-PIN. I am interested in hearing about how this technology could benefit consumers, as well as what Congress' role should be with regard to data security in general.

I look forward to hearing from these stakeholders and officials on our panel today and I thank them for appearing.

Mr. Olson. Thank you, Mr. Chairman, and thank you to our witnesses for coming this morning. As you all know, data breaches are a very serious matter, and you must remember past this issue that regardless of security measures taken to protect data, the bad guys are always trying, always trying to find new ways to grab that data. We have to be right 24 hours a day, 7 days a week, 365 days a year, 366 during leap year, and as you have seen, the bad guys can access data in less time than it takes to swipe a credit card. It is a tough battle, but it is a battle we have to fight, it is a battle we have to win. As we say in Houston, failure is not an option. With that, I yield back, look forward to the discussion. Thank you, Mr. Chairman.

Mr. Terry. Anybody else? Mr. Lance.

Mr. Lance. Thank you, Mr. Chairman, and I welcome the very distinguished panel.
The issue of data security has been prominent in public debate dating back to at least 2005 when 160,000 records were acquired by hackers in the ChoicePoint data breach. Over the last 8 years, 660 million records have been made public through various data breaches. Data breaches occur not just in commercial settings, but also hospitals, educational institutions, banks, and insurance companies. There is no doubt that every American could be at risk of a data breach.

Since our last data security hearing in July, we have learned of several additional data breach incidents that occurred in 2013. Data breach incidents at Target, Neiman Marcus and Michaels are recent reminders of the dangers data breaches present to our economy.

In our hearing last July, this subcommittee examined the issue of data breach notification; namely, what to do when data security has been compromised. While that issue is still of paramount concern, equal if not more attention should be given to how to prevent data breaches from occurring in the first place. Major credit card carriers have created a global data security standard for businesses that accept payment cards called the ``payment card industry data security standard.'' I look forward to examining the best practices for today's economy and for the safety of the American people.

Since the ChoicePoint data breach in 2005, technology has evolved considerably. While data hackers' tactics have also evolved, so has the potential to provide greater security for Americans at risk of a data breach. I am pleased to have before us today a distinguished panel from the public and private sectors with expertise and personal experience in these issues. I look forward to examining the issues before us today. Thank you, Mr. Chairman.

Mr. Terry. The ranking member, Jan Schakowsky, is now recognized for her 5 minutes.

OPENING STATEMENT OF HON. JANICE D. SCHAKOWSKY, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS

Ms. Schakowsky. Thank you, Mr. Chairman. I am really happy that we are having this important hearing on data security. I think it is of great concern to the public, who is probably watching carefully what happens here. As we discussed previously, I hope and expect that we will work together to address these issues.

I thank all of our witnesses for being here, but I would like to take a moment to pay special attention and give special thanks to my friend, Illinois Attorney General Lisa Madigan, who has been at the forefront of this issue since taking office in 2003 leading several efforts at the state level to defend against cyber crime and prosecute those responsible. She is also co-leading an investigation into the Target, Neiman Marcus, and Michaels data breaches, and I look forward, as we all do, I think, to gaining from her perspective about how we can better protect data and inform consumers in the future.

The threat of data breaches isn't new. The Privacy Rights Clearinghouse has identified over 650 million records containing consumers' personal information that have been compromised through thousands of data breaches since 2005; nonetheless, the recent attacks at some of this country's most popular retail stores should give us all renewed motivation to address data security and breach notification. I think every one of our witnesses today and every member of the subcommittee wants to make sure that we do everything we can to reduce the risk of future massive data breaches.

Tens of billions of dollars each year are lost to cyber fraud and identity theft threatening consumer credit and stretching law enforcement resources. The Target breach alone could cost as much as $18 billion, and analysts suggest the company itself could be on the hook for more than $1 billion in costs from fraud. There are also Homeland Security concerns that we, I hope, will hear about today.

It is important to note that there is no foolproof regulatory scheme or encryption program to totally prevent data breaches.
Cyber criminals are incredibly innovative, and as soon as we invent and implement new technologies, they are hard at work looking for new vulnerabilities. But just because we can't absolutely 100 percent guarantee the protection of consumer data doesn't mean that we should not do anything.

There is currently no comprehensive Federal law that requires companies to protect consumer or user data, nor is there a federal requirement that companies inform their customers in the event of a data breach. I believe it is critical that the subcommittee move forward with legislation that will ensure that best practices are followed at all retailers and that consumers are informed as soon as possible after cyber theft is discovered. That legislation should be technology neutral, in my view, allowing the FTC and other regulatory agencies to update requirements at the speed of innovation.

In the 111th Congress, I was one of four original co-sponsors of H.R. 2221, the Data Accountability and Trust Act, offered by Mr. Rush. The bill was bipartisan, and Chairman Emeritus Barton was a co-sponsor. The bill had two main provisions. One, an entity holding data containing personal information had to adopt what we said were reasonable and appropriate security measures to protect such data; and two, that same entity had to notify affected consumers in the event of a breach. Seems to me that those basic requirements should be the basis for data security and breach legislation coming out of this committee.

I want to thank our witnesses for appearing today. I look forward to hearing from them about how we can better protect against cyber theft in the future and ensure consumers are informed as soon as possible when those protections fail, and I yield back.

[The prepared statement of Ms. Schakowsky follows:]

Prepared statement of Hon. Janice D. Schakowsky

Thank you Mr. Chairman for holding this important hearing on data security and breach notification.
As we've discussed previously, I hope and expect we will work together to address these issues.

I thank all of our witnesses for being here, but I'd like to take a moment to pay a special thanks to my friend, Illinois Attorney General Lisa Madigan. She has been at the forefront of this issue since taking office in 2003, leading several efforts at the state level to defend against cyber crime and prosecute those responsible. She is also co-leading an investigation into the Target, Neiman Marcus, and Michaels data breaches. I look forward to gaining from her perspective about how we can better protect data and inform consumers in the future.

The threat of data breaches isn't new: the Privacy Rights Clearinghouse has identified over 650 million records containing consumers' personal information that have been compromised through thousands of data breaches since 2005. Nonetheless, the recent attacks at some of this country's most popular retail stores should give us all renewed motivation to address data security and breach notification. I think every one of our witnesses today and every member of this subcommittee wants to make sure that we do everything we can to reduce the risk of future massive data breaches.

Tens of billions of dollars each year are lost to cyber fraud and identity theft, threatening consumer credit and stretching law enforcement resources. The Target breach alone could cost as much as $18 billion, and analysts suggest the company itself could be on the hook for more than $1 billion in costs from fraud.

It is important to note that there is no foolproof regulatory scheme or encryption program to prevent data breaches. Cyber criminals are incredibly innovative, and as soon as we invent and implement new technologies, they are hard at work looking for vulnerabilities. But just because we can't absolutely guarantee the protection of consumer data doesn't mean we shouldn't try.
There is currently no comprehensive federal law that requires companies to protect consumer or user data. Nor is there a federal requirement that companies inform their customers in the event of a data breach. I believe it is critical that this subcommittee move forward with legislation that will ensure that best practices are followed at all retailers and that consumers are informed as soon as possible after cyber theft is discovered. That legislation should be technology-neutral, allowing the FTC and other regulatory agencies to update requirements at the speed of innovation.

In the 111th Congress, I was one of 4 original cosponsors of HR 2221, the Data Accountability and Trust Act, offered by Mr. Rush. The bill was bipartisan and counted Chairman Emeritus Barton as a cosponsor. The bill had two main provisions: (1) an entity holding data containing personal information had to adopt reasonable and appropriate security measures to protect such data; and (2) that same entity had to notify affected consumers in the event of a breach. Those basic requirements should be the basis for data security and breach legislation coming out of this committee.

Our constituents can't afford another massive data breach that threatens their credit and the protection of their identity. We owe it to them to take steps to limit the likelihood of data breach and ensure that they are informed when that happens.

I thank our witnesses for appearing today, and I look forward to hearing from them about how we can better protect against cyber theft in the future and ensure that consumers are informed as soon as possible when those protections fail.

Mr. Terry. Mr. Upton, you are recognized for your 5 minutes, and you control the time.

OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF MICHIGAN

Mr. Upton. Well, thank you, Mr. Chairman.
The recent data thefts of consumer information at well known companies are a reminder of the challenges that we certainly face today in a digital-connected economy. We are well aware of the benefits to consumers and businesses of instant communication and e-commerce. The rapid evolution of technology allows consumers to purchase goods and services on demand whenever and wherever they want.

Despite the many new conveniences and efficiencies, the unfortunate reality is that technology also facilitates the ability of criminals to commit identity theft or other serious crimes that can potentially injure far more consumers. What originated as paper based fraud or identity theft gathered from a dumpster or mailbox has changed with the times and adapted to the Internet and digital economy. Today, indeed, most transactions we conduct are either transmitted or stored in a connected environment ensuring almost every citizen has some digital footprint or profile, and if the most sophisticated cyber criminals are successful in infiltrating digital databases, they certainly can gain access to data on millions of individuals. As long as the risk reward payoff is sufficient to attract criminals, the problem will not go away.

Congress recognized the importance of protecting our personal information as the crimes of identity theft and financial fraud became more pervasive in our economy. It is the reason that we enacted laws specifically to address sensitive consumer data that can be used by criminals for identity theft or financial fraud, including the Gramm-Leach-Bliley Act for financial institutions and HIPAA as well for the health care industry. Additionally, we have also empowered the FTC to address data breaches through the use of section 5 of the FTC Act under which they have settled 50 data security cases.

Federal government is not the only layer of protection.
A handful of State laws mandates security for the data of their citizens, and the private sector has developed extensive standards through the PCI Security Standards Council, yet breaches, identity theft, financial fraud continue, affecting virtually every sector from the federal government to merchants, banks, universities, and hospitals. We must consider whether the current multi-layer approach to data security, federal, state, and industry self-regulation can be more effective, or whether we need to approach the issue differently.

In short, the title of today's hearing is an appropriate question to ask, ``Can data breaches be prevented?'' This is the right venue to discuss what businesses can reasonably do to protect data. Equally important, we need to find ways to minimize or eliminate the ability of criminals to commit fraud with data that they acquire. Americans deserve to have the peace of mind that the government, law enforcement officials, and private industry are doing everything necessary to protect the public from future breaches, and I yield the balance of my time to Mrs. Blackburn.

[The prepared statement of Mr. Upton follows:]

Prepared statement of Hon. Fred Upton

The recent data thefts of consumer information at well-known companies are a reminder of the challenges that we face in a digital, connected economy. We are well aware of the benefits to consumers and businesses of instant communication and e-commerce. The rapid evolution of technology allows consumers to purchase goods and services on demand--whenever and wherever they want.

Despite the many new conveniences and efficiencies, the unfortunate reality is that technology also facilitates the ability of criminals to commit identity theft or other crimes that can potentially injure far more consumers. What originated as paper-based fraud or identity theft gathered from a dumpster or mailbox has changed with the times and adapted to the Internet and the digital economy.
Today, most transactions we conduct are either transmitted or stored in a connected environment, ensuring almost every citizen has some digital footprint or profile. If the most sophisticated cybercriminals are successful in infiltrating digital databases, they can gain access to data on millions of individuals. As long as the risk-reward payoff is sufficient to attract criminals, the problem will not go away.

Congress recognized the importance of protecting our personal information as the crimes of identity theft and financial fraud became more pervasive in our economy. It is the reason we enacted laws specifically to address sensitive consumer data that can be used by criminals for identity theft or financial fraud, including the Gramm Leach Bliley Act for financial institutions and HIPAA (Health Information Portability and Accountability Act) for healthcare industry participants. Additionally, we also have empowered the FTC to address data breaches through the use of Section 5 of the FTC Act, under which they have settled 50 data security cases.

The federal government is not the only layer of protection. A handful of state laws mandate security for the data of their citizens, and the private sector has developed extensive standards through the PCI Security Standards Council. Yet breaches, identity theft, and financial fraud continue, affecting every sector from the federal government to merchants, banks, universities and hospitals. We must consider whether the current multi-layer approach to data security--federal, state, and industry self-regulation--can be more effective, or whether we need to approach the issue differently.

In short, the title of today's hearing is an appropriate question to ask: ``Can Data Breaches be Prevented?'' This is the right venue to discuss what businesses can reasonably do to protect data. Equally important, we need to find ways to minimize or eliminate the ability of criminals to commit fraud with data they acquire.
Americans deserve to have the peace of mind that the government, law enforcement officials, and private industry are doing everything necessary to protect the public from future breaches.

Mrs. Blackburn. I thank the chairman, and I want to welcome each of you. We are pleased to have you here. Privacy data security is something that we are hearing about more and more from our constituents. I sum it up by saying my constituents want to know who owns the virtual you, which is you in your presence online. Who has the rights to that? And I hope that from listening to you-all and talking with you today, we can gather some information to add to the work that we have been doing in our bipartisan privacy data security working group here at the committee.

What our constituents want to do is figure out how to build out this toolbox that will allow them to protect themselves online. They want to know what you are doing to provide the assurance of data security, what are those protocols? They want to know what the process will be, a kind of a standard business process, for data breach notification. What are the expectations? And then they want, both the private sector and government, to meet and fulfill those expectations.

So, you have experience, some lessons learned, you have made some mistakes, all of you, you are learning from those mistakes, and we are looking at how we take the rules that are on the books in the physical space, and apply that to the virtual space and encourage commerce and the interaction, transaction, and movement of data and commerce. I yield back the balance of the time.

Mr. Terry. Mr. Johnson, you are recognized for 10 seconds.

Mr. Johnson. Well, thanks. As a 30-year IT professional myself before coming to Congress, including a stint as the director of the CIO staff for U.S. Special Operations Command, I can tell you I understand the complexities of data security and how complex it is.
I am really looking forward to hearing from you folks today on what we can do to position both our commercial sector and our public sector to handle this problem.

Mr. Terry. Thank you. That concludes our time, but before I officially recognize him, Mr. Waxman, ranking member of the full committee, had made a surprise announcement and stunned all of us that he is going to conclude his time with Congress at the end of this session, and I just want to thank him for his 40 years of service to the United States Congress, to the people of California, and the United States, and job well done. We may not agree on everything, but you are passionate, you are zealous, and you are very involved, and you command respect from everybody, Henry. Thank you for your service.

Mr. Waxman. Thank you, Mr. Chairman.

Mr. Terry. And you are recognized for 5 minutes.

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF CALIFORNIA

Mr. Waxman. Thank you for your kind words and for holding this hearing today. I think this may be the first of a series of troubling cyber attacks on prominent retailers that are going to tell us today about their experience, and we want to evaluate how businesses and government can better protect the security of consumers' personal information. Late last year, Target, Neiman Marcus, and reportedly Michael's all experienced breaches in which criminal intruders stole consumers' payment card information, leaving them at risk for fraudulent charges. The Target breach, which involves not only payment card data but also marketing data that could be used in phishing attacks, is now reported to affect between 70 million and 110 million people, roughly one-third of the adult U.S. population. Reports indicated that similar attacks have likely affected many other retailers as well.
Just last week, White Lodging, a major hotel operator, announced that it was investigating a potential breach affecting thousands of guests who stayed at hotels under various brand names, including Hilton, Marriott, Sheraton, and Westin. Given these constant security threats, I hope that today's hearing will provide us with the facts necessary to chart a path forward where consumers can be more confident that companies will keep their data safe. The unprecedented scope and scale of these breaches is alarming. It affects the confidence of consumers who rely on retailers, banks, and payment card processors and networks to safeguard their personal information, including their credit card and debit card information. Millions of Americans have had to contend with fraudulent charges on their financial statements, identity theft schemes in which criminals open phony accounts in their names, and the fear and uncertainty about how criminals may use their information next. There are many unanswered questions about these recent attacks, including how they were carried out, and of course, who was responsible. These breaches also raise important questions about how well the industry polices itself, whether these companies responded to early warnings, and whether they notified consumers in a timely manner. We also need to understand the appropriate Federal role in both data security and breach notification. Nearly all U.S. States and territories now have laws that require notice for their own residents when a data breach occurs. The effectiveness of these laws varies greatly, but several are quite strong, ensuring that consumers receive prompt, adequate, and clear notification when their personal information is breached, and providing them with resources to protect their financial wellbeing. It could be a model for a minimum Federal requirement. After-the-fact breach notification is only half of what is needed.
The private sector must also take stronger steps to safeguard personal information. There could be a Federal role in ensuring they are proactive. There will always be bad actors who will try to compromise large databases and obtain sensitive information that can be leveraged for financial gain. We need to have effective law enforcement to stop them. We also need to make sure companies are doing enough to prevent breaches because consumers are paying the price. Protecting consumer data needs to be priority number 1. I look forward to the witnesses' testimony and to our discussion today of this important topic. I thank the witnesses for being here. I want to apologize in advance because there is another subcommittee that is meeting simultaneously with this one, and I have to be at that subcommittee as well. But looking forward to your testimony. In the short time I have left, does anybody on the majority wish to take the 47, -6, -5, -4 seconds noted? If not, Mr. Chairman, I yield back.

Mr. Terry. You said majority. Are you talking----

Mr. Waxman. Oh, did I say majority? I am always looking to the future, Mr. Chairman, and I thank you for your kind words, and I, of course, I am going to be here till December so we will all be able to work together some more. Thank you.

Mr. Terry. Very good. Thank you, Henry. Now, time to introduce our first panel. Edith Ramirez is the chairwoman of the Federal Trade Commission, thank you for your second appearance before this committee; Lisa Madigan, Attorney General for the State of Illinois, thank you for coming; William Noonan, deputy special agent in charge, Criminal Investigation Division, Cyber Operations, United States Secret Service, and I said it all in one breath. Mr. Noonan, thank you for your appearance here today; Lawrence Zelvin, director, National Cybersecurity and Communications Integration Center, Department of Homeland Security. We always go from my left to right, so we will start with Chairman Ramirez.
You are now recognized for your 5 minutes.

STATEMENTS OF HON. EDITH RAMIREZ, CHAIRWOMAN, FEDERAL TRADE COMMISSION; HON. LISA MADIGAN, ATTORNEY GENERAL, STATE OF ILLINOIS; WILLIAM NOONAN, DEPUTY SPECIAL AGENT IN CHARGE, CRIMINAL INVESTIGATIONS DIVISION, CYBER OPERATIONS, UNITED STATES SECRET SERVICE; AND LAWRENCE ZELVIN, DIRECTOR OF THE NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER, DEPARTMENT OF HOMELAND SECURITY

STATEMENT OF HON. EDITH RAMIREZ

Ms. Ramirez. Thank you. Chairman Terry, Ranking Member Schakowsky, and members of the committee, thank you for the opportunity to appear before you to discuss the Federal Trade Commission's data security enforcement program. We live in an increasingly connected world in which vast amounts of consumer data are collected. As recent breaches of Target and other retailers remind us, this data is susceptible to compromise by those who seek to exploit security vulnerabilities. This takes place against the background of the threat of identity theft, which has been the FTC's top consumer complaint for the last 13 years. According to estimates of the Bureau of Justice Statistics, in 2012, this crime affected a staggering 7 percent of all people in the United States age 16 and older. The Commission is here today to reiterate its bipartisan and unanimous call for Federal data security legislation. Never has the need for such legislation been greater. With reports of data breaches on the rise, Congress needs to act. We support legislation that would strengthen existing data security standards and require companies, in appropriate circumstances, to notify consumers when there is a breach. Legislation should give the FTC authority to seek civil penalties where warranted to help ensure that FTC actions have an appropriate deterrent effect. It should also provide rulemaking authority under the Administrative Procedure Act and jurisdiction over nonprofits, which have been the source of a large number of breaches.
Such provisions would create a strong, consistent standard and enable the FTC to protect consumers more effectively. Using its existing authority, the FTC has devoted substantial resources to encourage companies to make data security a priority. The FTC has brought 50 civil actions against companies that we alleged put consumer data at risk. We have brought these cases under our authority to combat deceptive and unfair commercial practices as well as more targeted laws such as the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. In all these cases, the touchstone of the Commission's approach has been reasonableness. A company's data security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities. The Commission has made clear that it does not require perfect security and that the fact that a breach occurred does not mean that a company has violated the law. Significantly, a number of FTC enforcement actions have involved large breaches of payment card information. For example, in 2008, the FTC settled allegations that security deficiencies of retailer TJX permitted hackers to obtain information about tens of millions of credit and debit cards. To resolve these allegations, TJX agreed to institute a comprehensive security program and to submit to a series of security audits. At the same time, the Justice Department successfully prosecuted a hacker behind the TJX and other breaches. As the TJX case illustrates well, the FTC and criminal authorities share complementary goals. FTC actions help ensure, on the front end, that businesses do not put their customers' data at unnecessary risk, while criminal enforcers help ensure that cyber criminals are caught and punished.
The dual approach to data security leverages government resources and best serves the interest of consumers, and to that end, the FTC and criminal enforcement agencies have worked together to coordinate our respective data security investigations. The FTC appreciates the work of our fellow law enforcement agencies at the Federal and State level. In addition to the Commission's enforcement work, the FTC offers guidance to consumers and businesses. For those consumers affected by recent breaches, the FTC has posted information online about steps they should take to protect themselves. These materials are in addition to the large stable of other FTC resources we have for ID theft victims, including an ID theft hotline. We also engage in extensive policy initiatives on privacy and data security issues. For example, we recently conducted workshops on mobile security and emerging forms of ID theft, such as child ID theft and senior ID theft. In closing, I want to thank the Committee for holding this hearing and for the opportunity to provide the Commission's views. Data security is among the Commission's highest priorities, and we look forward to working with Congress on this critical issue. Thank you.

Mr. Terry. Thank you, Chairman.

[The prepared statement of Ms. Ramirez follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. Terry. Now, the gentlelady from Illinois, Ms. Madigan, you are now recognized for 5 minutes.

STATEMENT OF HON. LISA MADIGAN

Ms. Madigan. Thank you, Chairman Terry, Ranking Member Schakowsky, and members of the subcommittee. I appreciate having an opportunity to testify on this important issue. Addressing data breaches and preventing them is critical to our financial security and our economy. Over the past decade, we have faced an epidemic of data breaches that has affected almost every American and has inflicted billions of dollars of damage to our economy.
Many have become accustomed to their occurrence, but the recent Target breach served as a wake-up call that government and the private sector need to take serious, meaningful actions to curb this growing problem. To assist the subcommittee, I will explain the impact data breaches have on consumers, the role the States play in responding to breaches, the data security lapses we have seen in the private sector, and the steps that the private sector and government can take to prevent future breaches. Since 2005 there have been over 4,000 data breaches nationally and over 733 million records compromised. The amount of money lost because of identity theft is also sobering. In 2012, it was $21 billion. And over the last year alone, the number of complaints my office has received on data breaches has jumped more than 1,000 percent. When these breaches occur, consumers are harmed primarily in two ways: First, they are exposed to the likelihood of unauthorized charges on their existing accounts, and second, they are much more likely to become victims of more costly identity theft. Consumers affected by breaches must constantly monitor their financial accounts for unauthorized charges, and when consumers discover them, clean up requires notifying their credit and debit card issuers, closing accounts, canceling cards and waiting for new cards to arrive, and for consumers with automatic bill pay, alerting companies about the new account numbers to prevent late fees, and those are the easy situations. Victims of identity theft can spend months reporting instances of fraud to creditors and reporting bureaus to restore their credit. During this time, these victims are often prevented from fully participating in our economy. Identity theft takes a variety of forms, and while it most commonly affects consumers' financial accounts, identity thieves also use consumers' information to open utility accounts and obtain medical treatment and prescription drugs.
All of these things can happen simply because the consumers share their sensitive data in the usual course with a business, a medical provider, or the government. The States have been inundated with consumers who need help understanding and recovering from breaches and identity theft damage. Because of this, I created an identity theft unit and hotline back in 2006. Since then, we have received more than 40,000 requests for assistance and have helped remove over $26 million worth of fraudulent charges for Illinois residents. In addition to this direct consumer assistance, my office also conducts investigations of data breaches, to confirm that companies complied with State laws by notifying consumers of breaches within a reasonable time, and to ensure that companies suffering breaches took reasonable steps to protect their consumers' sensitive data from disclosure. My office, along with the Connecticut AG's office, is currently leading multi-State investigations into breaches that affected millions of Target and Neiman Marcus and Michael's customers. During prior breach investigations, we have found instances where companies failed to take basic steps to protect consumer data. So the notion that companies are already doing everything they can to prevent breaches is false. We have found repeated instances where breaches occurred because companies allowed consumer data to be maintained unencrypted, failed to install security patches for known software vulnerabilities, and retained data for longer than necessary. The recent breaches have also led to discussions about security technology that was available but not deployed for reasons that allegedly ranged from high cost and increased checkout times to disputes between banks and retailers. Frankly, it is negligent that the United States is behind the rest of the world when it comes to the security of our payment networks, and it is the main reason that U.S. consumers' information is targeted by criminals.
It is past time for the private sector to take data security seriously. Consumers are rapidly losing confidence in companies' ability to safeguard their personal information. Based upon our experiences at the State level, I recommend the Congress take the following actions. First, pass data security and breach notification legislation that does not preempt State law. Second, Congress should also recognize that the Federal Government should assist the private sector in the same manner it already does in other critical areas. Congress should give an agency the responsibility and authority to investigate large sophisticated data breaches in a manner similar to NTSB investigations of aviation accidents. Finally, please remember that States have been on the front lines of this battle for a decade. Illinois residents appreciate the important role my office plays, and they are not asking for our State law to be weakened by preemption, but they are panicked and they are angered that companies are not doing more to protect their personal and financial information and prevent these breaches from occurring in the first place. I am happy to answer any questions you have. Thank you.

Mr. Terry. Thank you, General Madigan.

[The prepared statement of Ms. Madigan follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. Terry. And now, Mr. Noonan, you are recognized for your 5 minutes.

STATEMENT OF WILLIAM NOONAN

Mr. Noonan. Good morning, Chairman Terry, Ranking Member Schakowsky, and distinguished members of the subcommittee. Thank you for the opportunity to testify on behalf of the Department of Homeland Security regarding the ongoing trend of criminals exploiting cyberspace to obtain sensitive financial and identity information as part of a complex criminal scheme to defraud our Nation's payment systems. Our modern financial system depends heavily on information technology for convenience and efficiency.
Accordingly, criminals motivated by greed have adapted their methods and are increasingly using cyberspace to exploit our Nation's financial payment systems to engage in fraud and other illicit activities. The widely reported data breaches of Target and Neiman Marcus are just recent examples of this trend. The Secret Service is investigating these recent data breaches, and we are confident that we will bring the criminals responsible to justice. However, data breaches like these recent events are part of a long trend. In 1984, Congress recognized the risk posed by increasing use of information technology and established 18 USC sections 1029 and 1030 through the Comprehensive Crime Control Act. These statutes define access device fraud and misuse of computers as Federal crimes, and explicitly assign the Secret Service authority to investigate these crimes. In support of the Department of Homeland Security's mission to safeguard cyberspace, the Secret Service investigates cyber crime through the efforts of our highly trained special agents and the work of our growing network of 33 electronic crimes task forces, which Congress assigned the mission of preventing, detecting, and investigating various forms of electronic crimes. As a result of our cyber crime investigations, over the past 4 years, the Secret Service has arrested nearly 5,000 cyber criminals. In total, these criminals were responsible for over a billion dollars in fraud losses, and we estimate our investigations prevented over $11 billion in fraud losses. The data breaches, like the recently reported occurrences, are just one part of a complex criminal scheme executed by organized cyber crime. These criminal groups are using increasingly sophisticated technology to conduct a criminal conspiracy consisting of five parts.
One, gaining unauthorized access to computer systems carrying valuable protected information; two, deploying specialized malware to capture and exfiltrate the data; three, distributing or selling the sensitive data to their criminal associates; four, engaging in sophisticated and distributed frauds using the sensitive information that was obtained; and five, laundering the proceeds of their illicit activity. All five of these activities are criminal violations in and of themselves, and when conducted by sophisticated transnational networks of cyber criminals, this scheme has yielded hundreds of millions of dollars in illicit proceeds. The Secret Service is committed to protecting the Nation from this threat. We disrupt every step of their five-part criminal scheme through proactive criminal investigations and defeat these transnational cyber criminals through coordinated arrests and seizure of assets. Foundational to these efforts are the private industry partners as well as the close partnerships that we have with State, local, Federal, and international law enforcement. As a result of these partnerships, we are able to prevent many cyber crimes by sharing criminal intelligence regarding the plans of cyber criminals and minimizing financial losses by stopping their criminal scheme. Through our Department's National Cybersecurity and Communications Integration Center, the NCCIC, the Secret Service also quickly shares technical cybersecurity information while protecting civil rights and civil liberties in order to allow organizations to reduce their cyber risks by mitigating technical vulnerabilities. We also partner with the private sector and academia to research cyber threats and publish information on cyber crime trends through reports like the Carnegie Mellon CERT Insider Threat Study, the Verizon Data Breach Study, and the Trustwave Global Security Report. The Secret Service has a long history of protecting our Nation's financial system from threats.
In 1865, the threat we were founded to address was that of counterfeit currency. As our financial payment system has evolved from paper to plastic, and now digital information, so, too, has our investigative mission. The Secret Service is committed to protecting our Nation's financial system even as criminals increasingly exploit it through cyberspace. Through the dedicated efforts of our electronic crimes task forces and by working in close partnership with the Department of Justice, in particular the Criminal Division and the local U.S. Attorney's offices, the Secret Service will continue to bring cyber criminals that perpetrate major data breaches to justice. Thank you for the opportunity to testify on this important topic, and we look forward to your questions.

Mr. Terry. Thank you, Mr. Noonan.

[The prepared statement of Mr. Noonan follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. Terry. Mr. Zelvin, you are now recognized for your 5 minutes.

STATEMENT OF LARRY ZELVIN

Mr. Zelvin. Chairman Terry, Ranking Member Schakowsky, distinguished members of the subcommittee. Thank you very much for the opportunity to be here before you today. In my brief opening comments, I would like to highlight the DHS National Cybersecurity and Communications Integration Center, or NCCIC's, role in preventing, responding to, and mitigating cyber incidents, and then discuss our activities during the recent point of sale compromises. I hope my remarks will demonstrate the increasing importance of building and maintaining close relationships among the wide range of partners in order to address all aspects of malicious cyber activity, as well as to reduce continuing vulnerabilities, protect against future attacks, and mitigate the consequences of incidents that have already occurred.
The importance of leveraging these complementary missions has been consistently demonstrated over the last several years, and is an increasingly critical part of the broader framework used by the government and the private sector to cooperate in responding to malicious cyber activity. As you well know, the Nation's economic vitality and national security depend on a secure cyberspace where reasonable risk decisions can be made, and the flow of digital goods and online interactions can occur safely and reliably. In order to meet these objectives, we must share technical characteristics of malicious cyber activity in a timely fashion so we can discover, address, and mitigate cyber threats and vulnerabilities. It is increasingly clear that no single country, agency, company or individual can effectively respond to the ever-rising threats of malicious cyber activity alone. Effective responses require a whole nation effort, including close coordination among entities such as the NCCIC, the Secret Service, the Department of Justice, to include the Federal Bureau of Investigation, the Intelligence Community, sector specific agencies such as the Department of Treasury, the private sector entities who are simply critical to these efforts, and State, local, tribal, territorial, and international governments. In carrying out its particular responsibilities, the NCCIC promotes and implements a unified approach to cybersecurity, which enables the efforts of these diverse partners to quickly share cybersecurity information in a manner which ensures the protection of individuals' privacy, civil rights, and civil liberties. As you may already know, the NCCIC is a civilian organization that provides an around-the-clock center where key government, private sector, and international partners can work collaboratively together in both physical and virtual environments.
The NCCIC is comprised of four branches: the United States Computer Emergency Readiness Team, or US-CERT; the Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT; the National Coordinating Center for Communications; and the Operations and Integration component. In response to the recent retailer compromises, the NCCIC specifically leveraged the resources and capabilities of US-CERT, whose mission focuses specifically on computer network defense that includes prevention, protection, mitigation, response, and recovery activities. In executing this mission, the NCCIC and US-CERT regularly publish technical and nontechnical information products assessing the characteristics of malicious cyber activity, improving the ability of organizations and individuals to reduce that risk. When appropriate, all NCCIC components have onsite response capabilities that can assist owners and operators at their facilities. In addition, US-CERT's global partnership with over 200 other CERTs worldwide allows the team to work directly with analysts from across international borders to develop a comprehensive picture of malicious cyber activity and mitigation options. Increasingly, data from the NCCIC and US-CERT can be shared in machine-readable formats using the Structured Threat Information Expression, also known as STIX, which is currently being implemented and utilized. In some of the recent point of sale incidents, NCCIC and US-CERT analyzed the malware provided to us by the Secret Service and other relevant technical data, and used the findings, in part, to create a number of information sharing products. The first product, which is publicly available and can be found on US-CERT's Web site, provides a nontechnical overview of risks to point of sale systems along with recommendations for how businesses and individuals can better protect themselves and mitigate their losses in the event of an incident that has already occurred.
Other products have been more limited in distribution in that they are meant for cybersecurity professionals and provide detailed technical analysis and mitigation recommendations to better enable experts to protect, discover, respond, and recover from events. As a matter of strategic intent, the NCCIC's goal is always to share information as broadly as possible, which includes delivering products tailored to specific audiences. These efforts ensure that actionable details associated with a major cyber incident are shared with the right partners so they can protect themselves, their families, their businesses and organizations quickly and accurately. In the case of the point of sale compromises, we especially benefited from the close coordination of the Financial Services Information Sharing and Analysis Center, or the FS-ISAC. In particular, the FS-ISAC's Payments Processing Information Sharing Council has been particularly useful in that it provides a forum for sharing information about fraud, threats, vulnerabilities and risk mitigation in the payments industry. In conclusion, I want to again highlight that we in DHS and the NCCIC strive every day to enhance the security and resilience across cyberspace and the information technology enterprise. We will accomplish these tasks using voluntary means, ever mindful of the need to respect privacy, civil liberties, and the law. I truly appreciate the opportunity to speak with you today and look forward to your questions.

Mr. Terry. Thank you, Mr. Zelvin.

[The prepared statement of Mr. Zelvin follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. Terry. And that begins our questions with the end of your testimony. It is now the start of our questions. Each member has 5 minutes for questions, and I get to go first. Jan is second. So, Mr. Noonan, you had mentioned that part of the Secret Service's job is to investigate when breaches occur like this.
Is the Secret Service, or are you, involved in the investigation into what happened at both Target and Neiman Marcus and other entities?

Mr. Noonan. Yes, sir. So we are involved in the criminal investigation of the Target breach, as well as the Neiman Marcus case.

Mr. Terry. And so far, what have you been able to find out that you can communicate to us?

Mr. Noonan. What we can determine at this point is that the criminal organizations that we are looking at and pursuing are highly technical, sophisticated criminal organizations that study their targets and use sophisticated tools to be able to compromise those various systems.

Mr. Terry. And the breach at Target and Neiman Marcus, we have read through the news reports, was from a sophisticated criminal entity, as you mentioned in your investigation. Does your investigation also then go into how they exploited each of those major retailers' data?

Mr. Noonan. Yes, sir.

Mr. Terry. And what did you find out?

Mr. Noonan. It is still an ongoing, coordinated investigation that we are working on right now; however, we do know that the malware at this point in our investigation is not the same criminal tool being used at either one of those locations.

Mr. Terry. So they are distinct, separate attacks?

Mr. Noonan. Yes, sir.

Mr. Terry. By separate, distinct, different criminal organizations?

Mr. Noonan. We are working on that part right now, sir.

Mr. Terry. OK. In your investigations, do you assess whether each of the, say, Target and Neiman Marcus' cyber standards or their cyber plans were adequate or inadequate or vulnerable?

Mr. Noonan. The Secret Service does a criminal investigation, and again, we are continuing to go after the criminal organization that is perpetrating these. Both Neiman Marcus and Target do use robust security plans in their protection of their environment, and it comes back to the criminal actors going after the pot of gold or whatever they can monetize.
So, as good as security factors are, these criminal organizations are looking at ways to go around whatever security apparatuses had been set up, so these were very sophisticated, coordinated events. It was not necessarily from a singular actor. It's a coordination of pieces that were used to do these intrusions.

Mr. Terry. Mr. Zelvin, you also, is your organization, NCCIC, have you looked at or assessed the cybersecurity at the entities that have been hacked?

Mr. Zelvin. Mr. Chairman, we have not. We have been working closely with the Secret Service on identifying the malware that had been used in these incidents, doing the analysis and then sharing that with our partners across both the public and private sector, but I can tell you that the malware, as we see it, as Bill has said, is incredibly sophisticated and could challenge the most robust security system.

Mr. Terry. What specifically makes it more sophisticated than what we have seen before? Mr. Noonan?

Mr. Noonan. Sure, sir. What we have seen actually in the development of the malware is that it is not an off-the-shelf type of malware that is utilized. What makes these targeted attacks unique is that the criminals are modifying and molding specific types of malware to fit whatever network or intrusion set they are going after.

Mr. Terry. So, it was specifically designed for that, for Target?

Mr. Noonan. For whichever----

Mr. Terry. And a different one specifically designed for Neiman Marcus?

Mr. Noonan. Depending on the security platforms that are available, yes, sir.

Mr. Terry. That is interesting. Last, in future prevention, how important is an ISAC, and would it help if there was a retailer-specific ISAC?

Mr. Zelvin. Mr. Chairman, the ISACs have been absolutely critical in our ability to share information with the broadest communities possible. As you well know, they are in all 16 critical infrastructures.
In some of these infrastructures, certain groups, specifically in aviation and transportation, have made ISACs that are a subset of the larger ISAC. I would be a proponent of having a retailer ISAC, but it is really for the retailers to decide if it is useful for them. We have been using the financial services ISAC in this case, but we look forward that if the business community wants to go that way, we would look forward to working with them.

Mr. Terry. And that is something that you would be the umbrella organization to help?

Mr. Zelvin. Sir, these are public/private partnerships, and DHS has worked with them for quite some time, so it is a model that we are very accustomed to using.

Mr. Terry. There may be a few people in this audience that doesn't know what an ISAC is. Can you tell what is the advantage and just very quickly what it is?

Mr. Zelvin. Yes, sir, Information Sharing Analysis Centers are predominantly around the 16 critical infrastructure, transportation, energy, finance, health, there is obviously a number of them, and it allows us, both in a public and private way, to get out to thousands of companies and share information in both directions. So, it is a growing community, but it really allows us to get to those cybersecurity professionals and talk to those people that really do the network defense and have a conversation with those experts in a very robust scale.

Mr. Terry. Thank you. Now it is my pleasure to recognize the ranking member of our subcommittee, Ms. Schakowsky, for 5 minutes.

Ms. Schakowsky. Let me just say to Mr. Zelvin, I am sure that the chairman would agree, we appreciate our visit to NCCIC that we did this weekend in preparation for this hearing and the very impressive work that you are doing. I wanted to ask Attorney General Madigan a couple of questions. You alluded to the Illinois law, the Personal Information Protection Act that followed the Choice Point breach in 2005. I believe you were here talking about that as well.

Ms. Madigan. It is a different privacy matter, but I think that is really when all the States started looking into it seriously.

Ms. Schakowsky. So, our law in Illinois requires corporations, financial institutions, retail operators, government agencies, universities, other government entities to discuss data breaches, and the law says ``In the most expedient time possible and without unreasonable delay.'' How does your office determine what that is?

Ms. Madigan. Well, first of all, in every circumstance we are going to look at what has taken place, but we are also going to be very cognizant of what that company or that entity needs to do in terms of ensuring that they have maintained the integrity of their system, they put security in place, and if they are ongoing, law enforcement investigations. We certainly don't want to compromise those, and so we will wait in terms of requiring notification. But as we have learned over the years, and there are studies and reports out there that demonstrate it, the sooner an individual is notified that their information has been compromised, the less likely they are to actually face any sort of unauthorized charges or even a full account takeover, which will cost them a lot more money. So, it is a case-by-case basis, and obviously, the sooner that we can make sure that consumers are notified, the better off everybody is in terms of the damage that is going to be done to them individually and the losses to the economy.

Ms. Schakowsky. So the language is kind of general, but you make the decision on a case-by-case basis in terms of notification?

Ms. Madigan. Correct. We work with the companies to see where they are in the process once we are alerted to the fact that a breach has taken place, and obviously we are always supportive of the work that the Secret Service and other law enforcement agencies are doing in terms of the criminal investigation.
Really, the investigations that we do are civil side, to make sure that our law is actually----

Ms. Schakowsky. Have you found companies that have not used the most expedient time possible or unreasonable delay?

Ms. Madigan. We always look at it, and there are always questions, really on any side because I think there is a great concern that many companies legitimately have about the hit it is going to take to their public image if they do have to reveal this, so there have been times that we think people could move faster, and we work with them to make sure that they actually get out that notice. We have not fined anybody for that.

Ms. Schakowsky. You know, you mentioned a couple of times about preemption, and I wanted to just ask you how important it is that Illinois, and I guess other States as well, maintain the right to require the disclosure of data breaches as quickly as possible and other enforcement mechanisms?

Ms. Madigan. I think probably every State official who would sit in front of you would say it is very important. Obviously, over the last 10 years, the States have really been able to be, as we like to say, and I think you also can appreciate, the laboratories of innovation. When we started seeing people coming to us because they have been victims of identity theft, we needed to respond, and we needed to respond by making sure that they were notified when their personal information had been accessed and compromised, and we needed to be able to respond to make sure that companies were actually going to be putting in place stronger security measures. So we----

Ms. Schakowsky. Well, I want to ask you about that, because the Illinois law does not explicitly require minimum standards of protection for personal data, and yet you cited that as a problem. Who should do that then?

Ms. Madigan. Well, we have a growing number of States that are actually putting those requirements in place in terms of security, and I would have to say that looking back over the investigations that we have done into data breaches, it is clear that that has to be done, because there really is, we like to talk about best practice of being in place, but the reality is, oftentimes when we are doing these investigations, we repeatedly see situations where information that is personal and sensitive financial information is being maintained unencrypted. We have seen situations where literally the information is obtained because documentation with sensitive information is being thrown into a dumpster and people have gotten it out and used that for illicit purposes. So, there is a minimum standard, and then I think that, as Chairman Ramirez did a very nice job of explaining, on a case-by-case basis with companies considering the types of information, the volume of information, the sensitivity of information, we have to have increasing standards required.

Ms. Schakowsky. My time is up, but I look forward to working with all of you to figure out what is the appropriate Federal congressional response. Thank you. I yield back.

Mr. Terry. Thank you. I now recognize Chairman Emeritus Mr. Barton for your 5 minutes.

Mr. Barton. Thank you, Mr. Chairman. I want to thank you and the ranking member for holding this hearing. This is, I think, potentially a very important hearing because this is one of the few things that Republicans and Democrats both agree on is a problem, and I think we may be able, with your leadership, to reach agreement on what a solution might be, so this is one of those rare days that something might actually happen as a result of a congressional hearing. I am a co-chairman of the Privacy Caucus in the House, along with Congresswoman Diana DeGette, and Ms. Schakowsky is a member of that caucus, and most of the Republicans on this subcommittee are members.
The gentlelady to my right is a chairwoman of a task force that Mr. Terry and Mr. Upton have put together on privacy, so we have got lots of people here that are listening very closely to what you folks say. My question is a general question. I am going to start with the chairwoman of the Federal Trade Commission. Madam Chairwoman, do you think it is possible to legislatively eliminate, or at least severely restrict data theft?

Ms. Ramirez. There is certainly no perfect solution to this issue, but it is clear to me that congressional action is necessary. I think it would be very helpful if there were a robust Federal standard when it comes to data security as well as to a robust standard when it comes to breach notification, and I think it is time for Congress to act.

Mr. Barton. OK. Do the other members of the panel agree with that statement?

Ms. Madigan. Yes.

Mr. Barton. You do. Good. I thought you might disagree actually.

Ms. Madigan. As long as you don't completely preempt us.

Mr. Barton. Right. OK. Mr. Noonan and Mr. Zelvin?

Mr. Noonan. Yes, sir, from a law enforcement approach, the Secret Service believes any notification perhaps to law enforcement with jurisdiction would definitely assist in this effort as well.

Mr. Zelvin. Chairman, I come from the operational side of the Department, and there are things that Congress could do that could be very helpful as we work across the Nation or across the globe. You know, strengthening the ability on information sharing, I will tell you it is often difficult to get sometimes companies to share information with us because there is no statutory basis, and they tend to be on the conservative side.
Promoting establishing the adoption of cybersecurity standards would be very helpful, codifying the interest of authorities to help secure Federal civilian agency networks and assist critical infrastructure and then the national data breach reporting, we can't understand it if we don't know about them, so those are just some of the things that would be helpful.

Mr. Barton. OK. The instance with Neiman Marcus, and I believe with Target also occurred when a criminal came into their stores and used a credit card that infected their system at the point of purchase. If we went to some sort of a, well, is it possible with the current technology to prevent that type of data theft? I see a lot of blank looks here.

Mr. Noonan. Well, sir, just to clarify, the two breaches that we are talking about in Neiman Marcus and in Target were done by people infiltrating the system through a computer network.

Mr. Barton. Oh, I thought they came in with a card and it----

Mr. Noonan. No, sir.

Mr. Barton. OK.

Mr. Noonan. So it is very difficult to decide, and again, these are very complex, sophisticated criminals that did this. So they inserted actually a malware code, a malicious code into the system which was able to collect----

Mr. Barton. They did it by penetrating the system from outside through a computer link.

Mr. Noonan. Yes, sir.

Mr. Barton. Not by giving a card that they inserted? OK----

Mr. Noonan. And our investigation at this point is indicating that it is from transnational criminals so from criminals from outside the borders of the United States.

Mr. Barton. OK. Well, I would hope, since everybody agreed that this is a problem, and that the Federal Government should legislate, we can come up with a best practices set of recommendations to present to the committee, and then let us massage it only the way we can, and we will try to move on something, hopefully in this Congress. And with that, I am going to yield back 34 seconds to the chair.

Mr. Lance [presiding]. Thank you very much, Mr. Barton. The chair recognizes the Dean of the Congress, Mr. Dingell of Michigan.

Mr. Dingell. Mr. Chairman, you are most courteous, and I commend you for holding this important hearing. I think we can all agree that the breaches at Target and Neiman Marcus were tragic. We had a duty to protect the American consumers from events like this in the future. This committee and the House must act to pass data security and breach notification legislation. The administration has proposed similar legislation. Congress must act again, and we must ensure that such legislation makes its way to the President's desk for signature. To that end, I am most interested to hear any opinions of the FTC, and what they may wish to share with us. All of my questions this morning will be addressed to Chairwoman Ramirez. Madam Chairman, welcome. Now, Chairman, your written testimony indicates the Commission enforces a patchwork of Federal data security statutes, such as Gramm-Leach-Bliley, the Fair Credit Reporting Act, Children's Online Privacy Protection Act. Do any of these acts require an FTC-covered entity whose collection of personal identification has been breached to notify customers so affected? Yes or no?

Ms. Ramirez. No.

Mr. Dingell. That is needed I assume?

Ms. Ramirez. I am sorry?

Mr. Dingell. That is needed, I assume.

Ms. Ramirez. Yes, absolutely.

Mr. Dingell. Now, Madam Chairman, similarly, do any of these acts require entities subject to the breach to notify the Federal Trade Commission or law enforcement in general of such a breach? Yes or no?

Ms. Ramirez. No.

Mr. Dingell. Madam Chairman, in view of this should the Congress enact a Federal data security and breach notification law? Yes or no?

Ms. Ramirez. Yes.

Mr. Dingell. Madam Chairman, under such law should FTC-covered entities be exempted from breach notification requirements if they are already in compliance with GLBA, FCRA, and COPPA? Yes or no?

Ms. Ramirez. No.

Mr. Dingell. Now, Madam Chairman, should such a law be administered by one Federal agency or by some kind of a collage of agencies?

Ms. Ramirez. One agency.

Mr. Dingell. One agency. Now, I happen to think that that should be the Federal Trade Commission because of its long expertise in these matters. Do you agree?

Ms. Ramirez. I would agree.

Mr. Dingell. Madam Chairman, should a Federal data security breach and notification law prescribe requirements for data security practices according to the reasonableness standard already employed at the Commission? Yes or no?

Ms. Ramirez. Yes.

Mr. Dingell. Madam Chairman, should that be expanded? Should that be expanded?

Ms. Ramirez. Yes, I think there should be a robust Federal standard.

Mr. Dingell. All right, I will ask you to contribute for the record information on that view, if you please.

Ms. Ramirez. Yes.

Mr. Dingell. I ask unanimous consent that that be inserted at the appropriate time. And thank you, Mr. Chairman. Now, Madam Chairman, should such a law address notification methods, content requirement, and timeliness requirements? Yes or no?

Ms. Ramirez. Yes.

Mr. Dingell. Wouldn't work very well without that, would it?

Ms. Ramirez. That is right.

Mr. Dingell. Now, Madam Chairman, in the event of a data breach, should such a comprehensive data security and breach notification law require companies subject to a breach to provide free credit monitoring services to the affected consumers for a time certain? Yes or no?

Ms. Ramirez. Yes, with limited exceptions.

Mr. Dingell. Do you have authority to do that now?

Ms. Ramirez. No.

Mr. Dingell. Do you need it?

Ms. Ramirez. I think it would be appropriate to, again, to impose it as a requirement with limited exceptions.

Mr. Dingell. Madam Chairman, I note that--well, let's ask this question: Should violation of such law be treated as a violation of a Federal Trade Commission rule promulgated under the Federal Trade Commission Act? Yes or no?

Ms. Ramirez. Yes.

Mr. Dingell. Madam Chairman, would you please submit some additional comments on that point to the record?

Ms. Ramirez. Absolutely.

Mr. Dingell. Now, Madam Chairman, should such a law be enforceable by state attorneys general? Yes or no?

Ms. Ramirez. Yes.

Mr. Dingell. Madam Chairman, should such a law preempt existing State data security, and breach notification laws? Yes or no?

Ms. Ramirez. If the standards are robust enough, yes.

Mr. Dingell. Would you submit some additional information to us on that point, please?

Ms. Ramirez. Yes.

Mr. Dingell. Madam Chairman, given advances in criminal ingenuity which seems to be moving forward almost with the speed of light, as potential in the future, should any statutory definition of the term ``personal information'' included in a comprehensive Federal data security and breach notification law be sufficiently broad so as to protect consumers best? Yes or no?

Ms. Ramirez. Yes.

Mr. Dingell. Thank you, Madam Chairman. Mr. Chairman, I want to thank you for your kindness to me this morning. I urge the committee to work with the Federal Trade Commission to draft and pass a comprehensive Federal data security and breach notification legislation. I believe that this should be done in a bipartisan fashion, and I think that the Democrats and the Republicans can work together for this purpose. Meanwhile, I would note such legislation is not a panacea for data theft, and hopefully, it will serve to reduce it and better protect consumers. I again, I thank you, Mr. Chairman, for your courtesy to me, and I appreciate the holding of this hearing. Madam Chairman, thank you for your courtesy.

Mr. Terry. Well done, and actually entertaining. So thank you, Mr. Dingell. Ms. Blackburn, you are now recognized for 5 minutes.

Mrs. Blackburn. Thank you, Mr. Chairman. I appreciate that, and thank you all again. Ms. Ramirez, I think I want to start with you for a minute.
You said in your testimony: ``Never has the need for legislation been greater.'' And so taking that statement, it could mean that the companies who suffered the breaches did not use reasonable measures to protect consumer data. So, if that is your statement then, is the FTC involved in the forensic investigation regarding the Target, Neiman Marcus, Adobe, the hotel chains, all of these breaches?

Ms. Ramirez. I am afraid that I can't discuss any particular companies or discuss whether the FTC is involved in any particular investigations, but let me explain what I meant by that statement. I meant it as a general statement reflecting what we are seeing in the marketplace, and that is that companies continue to make very basic mistakes when it comes to data security. And our role at the FTC is to protect consumers and ensure that companies take reasonable and appropriate measures to protect consumer information.

Mrs. Blackburn. OK, then let me stop you right there. So you are saying that not due to this group, but because of general, so you are basically reworking your testimony with me on this? It is not that these specific breaches show that there has never been a greater need. So you may want to submit a little bit of clarification there.

Ms. Ramirez. I can answer right now if you wish.

Mrs. Blackburn. Well no, I want to move on. I have got 3 minutes and 14 seconds and about 5 pages of questions. So submit it. I also would like you to talk about or to submit to us what is the reasonable standard? You have referenced it several different times, but I have not seen a reasonableness standard in writing, so what are you referencing?

Ms. Ramirez. We take a process-based approach to this question. Technology is changing very rapidly.
The threats that companies face are also evolving very rapidly, so we think that the appropriate way to proceed in this situation is to focus on whether companies are looking very closely at the threats to which their businesses are exposed, and whether they are setting reasonable program security programs putting those in place.

Mrs. Blackburn. OK, why don't we----

Ms. Ramirez. If I may, it is a very fact-specific inquiry----

Mrs. Blackburn. OK.

Ms. Ramirez [continuing]. And I think a reasonableness standard is appropriate.

Mrs. Blackburn. I can appreciate that, but I think to use that term repeatedly, what we need to know is what your definition of reasonableness would be. Mr. Zelvin, let me come to you. You know, we hear the chairman say, well, you are not doing this, you are not doing that. How quickly do the cybercriminals message evolve? You have looked at this for a very long time. So and you sent out updates, you know, daily, weekly, monthly, so how quickly is the evolution of this process?

Mr. Zelvin. Congresswoman, the evolution is incredibly fast and we are learning with each incident the complexity.

Mrs. Blackburn. OK.

Mr. Zelvin. So they are moving very quickly. They are very sophisticated and we are in a chase to keep up with them.

Mrs. Blackburn. OK, Ms. Ramirez, back to you. Another thing, you testified that in a number of the 50 data security cases settled by the FTC, the companies simply and I am quoting you, ``Failed to employ available cost-effective security measures to minimize or to reduce the data risk.'' So I want you to give us some examples of the kind of measures that the companies failed to use, because you hear from Mr. Zelvin how quickly this evolution is taking place, and the need for flexibility and nimbleness, and then we hear you saying, but you have got to have a standard. And you have got to do this. And we have taken these efforts in the 50 cases we have settled.
So for those of us that are looking at what legislation would look like, we have to realize that it has got to be nimble. You are saying you want something, but then you are not giving us specifics or examples of what you think people have failed to do. So I hope you are understanding, we have got a little bit of a gap here. Go ahead.

Ms. Ramirez. So let me just say that I think the approach that the FTC recommends for legislation is one of reasonableness. We think that that is an appropriately flexible standard that will allow for nimble action. And to give you an example, as I mentioned in our experience, companies continue to make very simple mistakes when it comes to data security. We also have data that corroborates that and that includes the Verizon data breach report that Mr. Noonan referenced in his opening remarks. So just to give you a few examples, this can span low-tech, and high-tech mistakes but they could include the failure to use strong passwords, the failure to encrypt personal information, the failure to update security patches, so it is these very basic mistakes that we encounter frequently.

Mrs. Blackburn. So it is consumer and not company failures?

Ms. Ramirez. No, this would be, I'm referring to company failures.

Mrs. Blackburn. You are referring to company failures. OK, thank you. I yield back.

Mr. Terry. All right, thank you. And I now recognize the gentleman from Vermont for his 5 minutes.

Mr. Welch. Thank you, Mr. Chairman. The technology that we use is not the best, is that correct, Chairwoman Ramirez? I mean, as I understand it, the chip-and-PIN technology is what is now being used in Europe, and it has better success in preventing fraud; is that right?

Ms. Ramirez. We don't recommend any particular technology. We think that any legislation ought to be technology neutral. That being said, we certainly would support any steps that are taken at the payment card system end to protect or better protect consumer information.

Mr. Welch. Well, are we still by and large using 1970s-era magnetic stripe technology, General Madigan, is that your understanding?

Ms. Madigan. Yes, that is accurate and so that puts us behind virtually every other country in the world in terms of the security of our payment systems.

Mr. Welch. All right. So then there is an ability on the part of the card issuers to upgrade the technology to meet basically standards that are being employed in Europe; is that correct?

Ms. Madigan. That is correct. And when you look at the amount of fraud losses that these other countries where the chip-and-PIN technology is used, you can see that their levels of fraud have decreased significantly, around 50 percent. So chip-and-PIN technology won't completely eliminate fraud and breaches, but it should significantly curb the amount that we currently see.

Mr. Welch. That is good. And what I understand now is VISA and MasterCard have announced a roadmap to chip-and-PIN technology for U.S. payment cards. Do you think it would be problematic if VISA and MasterCard decided to abandon the PIN feature on chip cards given that PINs enhance security?

Ms. Madigan. I think it makes sense to use PINs, and when there are problems people can obviously change their PINs as they change passwords.

Mr. Welch. Mr. Noonan, how about you? I mean you have frontline responsibility for trying to maintain the integrity of the system and, obviously, it is extraordinarily important to our merchants, to our banks, and to our consumers.

Mr. Noonan. Yes, sir, right now currently----

Mr. Terry. Would you pull the mike a little closer?

Mr. Noonan. Sure. Currently the Secret Service doesn't have a metric in which to measure chip and PIN, obviously, here in the United States it is not readily used. But however, the Secret Service does support any sort of technology which would assist in the security of that particular data.

Mr. Welch. But it is your understanding the same as General Madigan's that technology, the chip-and-PIN technology that is widely deployed in Europe has been much more successful in reducing fraud?

Mr. Noonan. It could give another level of security which again makes it more difficult for the criminals to get at that data. I am not saying, again, that chip and PIN is the solution. Of course, there is not 100 percent solution, technological solution for the problem.

Mr. Welch. Right, but what it is is a better technology than the 1970s-era magnetic swipe card, correct?

Mr. Noonan. Sure, it is. The magnetic stripe card is a 30-year technology, sir.

Mr. Welch. Right. Mr. Zelvin, how about you?

Mr. Zelvin. Congressman, I agree with Mr. Noonan and the other panelists, but there are other challenges as well.

Mr. Welch. Right.

Mr. Zelvin. Now you are using your phones now for payments. You are using your computer, your laptop for payments. But having that extra security on the card itself would be very helpful, but we have to look at other things as well.

Mr. Welch. All right. I will go back to you, Chairwoman Ramirez. There seems to be some consensus it would be good to have a standard, but we can't pick winners and losers on technology. So what would be sort of a concrete step that Congress would take that would be practical and effective in improving the status quo?

Ms. Ramirez. So number one, I think that just the Congress taking action alone would be a very important statement. But what we advocate is that a reasonableness standard be employed along the lines of what the FTC has in place with the Safeguards Rule. And I would be happy to work with the committee on these issues, and my staff is available to do that.

Mr. Welch. So it sounds like we can't, as a legislative body, prescribe what the best technology is.
We have got to let industry figure that out and at least set a higher standard, but on the other hand, you need some flexibility if steps are being taken, or not taken that would enhance security----

Ms. Ramirez. Absolutely.

Mr. Welch [continuing]. For consumers and merchants?

Ms. Ramirez. Yes. I think flexibility is important and that is one of the reasons that we are requesting that the FTC have rulemaking authority in order to implement the legislation that would allow the agency to take into account an evolution and changes when it comes to technology.

Mr. Welch. And would this be helpful in the privacy breaches as well? I mean, thieves are going in to get monetary value, but they are ending up also with Social Security numbers, personal information, things that can be used in identity theft. So the better security, would it not only help with the economic loss, but the identity theft assault? General Madigan, I will ask you.

Ms. Madigan. Absolutely, so obviously, what we see is when people's personal information is taken, it is frequently used to commit identity theft. But it can certainly be used, not just financial identity theft, but there are many other types of----

Mr. Welch. Right.

Ms. Madigan [continuing]. Identity theft that take place.

Mr. Welch. I see my time is up. I just want to thank this panel. Mr. Chairman, this is a great panel. Thank you for assembling it.

Mr. Terry. Yes. Thank you. And I now recognize the gentleman from New Jersey, Mr. Lance, the vice chair.

Mr. Lance. Thank you, Mr. Chairman. Mr. Zelvin, a recent Wall Street Journal article reported that the software virus injected into Target's payment card devices couldn't be detected by any known antivirus software; is that accurate?

Mr. Zelvin. It is, sir.

Mr. Lance. And could you elaborate on that?

Mr. Zelvin. Certainly.
Most of our detection systems use signatures based, so there are known problems and there is a technical formula we put into a machine that says, hey, you told me to look for this. I found it. In some cases there are intrusion prevention systems that prevent that malicious event from getting to the endpoint. In this case, it looks like the criminals modified it, what was a standard attack for point of sale and modified it in such a way that it is undetectable.

Mr. Lance. Thank you very much. Mr. Noonan, you stated that ``The Secret Service has observed a marked increase in the quality, the quantity, and the complexity of cyber crimes targeting private industry and critical infrastructure over the decade-long trend of major criminal data breaches.'' Can you give us some examples of how these criminals and their tactics have evolved, and I presume these criminals are not necessarily residents or citizens of the United States?

Mr. Noonan. Yes, sir. So we are talking about a network of transnational cybercriminals. You know, over time we can look back at the data breaches at T.J. Maxx, we can look at Dave And Busters and the ones that happened back around the era of 2006. And back during that time, the cybercriminal was attacking databases, and unencrypted data.

Mr. Lance. Yes.

Mr. Noonan. Which is credit card payments.

Mr. Lance. Yes.

Mr. Noonan. That got changed, it morphed in 2007, where the focus ended up going towards credit card processing companies where they were looking at ways to get into the same type of data. But they were looking at credit card data as a pass through credit card processors when it was unencrypted at that time. So encryption modification has been made now through that system and you know information is now encrypted as it goes in these systems. Today we have seen the change now, they are looking at where the fence is and how to get around that fence.
So where they are attacking now is at the point of sale piece, where from the point-of-sale terminal to back of the house server, if you will, that piece of string has not been encrypted.

Mr. Lance. Thank you.

Mr. Noonan. So it is happening at that point.

Mr. Lance. Thank you very much.

Mr. Noonan. Sure.

Mr. Lance. Madam Chairwoman, you answered Chairman Emeritus Dingell's questions regarding preemption. I didn't understand your answers; my fault, not your fault. Would you explain in a little more detail your views on preemption, and I come at this having been the minority leader in the New Jersey State Senate and I certainly believe in a robust democracy with protections both here in Washington and at State capitals, and if you could just elaborate briefly on the preemption issue.

Ms. Ramirez. Yes, I believe that preemption is appropriate, but provided that the standard that is set is sufficiently strong, and also provided that the States have concurrent ability to enforce.

Mr. Lance. Concurrent ability. So this----

Ms. Ramirez. Yes.

Mr. Lance [continuing]. Would not mean that the States would not have a significant responsibility in this very complicated and difficult issue?

Ms. Ramirez. The States do tremendous work in this area and I think it is vital to have them with jurisdiction to enforce the law.

Mr. Lance. Thank you. Attorney General Madigan, it is a pleasure to meet you, and although I do not know you, the New Yorker Magazine has come into our house forever, and your husband is a brilliant cartoonist, and certainly my wife and I enjoy his fine work. Could you comment on the preemption issue?

Ms. Madigan. Obviously----

Mr. Terry. And could you move your microphone a little closer?

Ms. Madigan. Sure. In terms of preemption, I would concur with what the chairwoman has said.
As long as the Federal legislation has strong enough standards and States still retain the ability to enforce, as we do in a number of areas already, we understand that it is potentially reasonable to say, OK, we are going to preempt you in a certain manner. And in fact, back in 2005 Congress received a letter from the National Association of Attorneys General requesting notification laws be put in place at the National level. And so as long as we still retain the ability to respond to our consumers, and this is looked at in some ways potentially either as a floor, and not a ceiling, we understand your role. Mr. Lance. Thank you very much. Let me say, Mr. Chairman, that I believe that this committee will, in a bipartisan capacity, work on this issue, work to conclusion, and this is the committee in the Congress that deals on these important, nonpartisan, or bipartisan issues, and I have every confidence that we will meet the challenge working with the distinguished panel, working with the next panel, and I look forward to being involved to the greatest extent possible. Thank you, Mr. Chairman. Mr. Terry. Thank you. And I now recognize the gentleman from Kentucky, Mr. Guthrie for 5 minutes. Mr. Guthrie. Thank you, Mr. Chairman, and I want to thank everybody for coming today. I have a business background, and I know that anytime you have an issue with your customers it takes a long time to build trust back up again. So I know the incentives are for businesses to protect their data as much as they can, but at the same time, I worked in a retail store when I was in high school. My grandfather had a grocery store and we had nowhere the data that you have to deal with now. Everybody has to deal with data. So we need the right incentives and the right things in place to make sure that is protected. I want to talk to Agent Noonan. You testified that it is really the victim company that that first discovers the criminal's unauthorized access, and why is that? 
Are they not paying attention? Mr. Noonan. No, sir. For law enforcement and for the Secret Service it is a result of a proactive approach to our law enforcement. While we are out working with sources, we are gathering information. We are working with our private-sector partners specifically in the financial services sector, where we are receiving data, and when we are receiving that data, a lot of times what can occur is we can see a point of compromise, a common point of compromise, whereas the retailer might not necessarily see compromised data that is out in the world. And by looking at that data, we can go to that victim company, make notification to that company, and advise them that they have a leak. Now, it doesn't necessarily mean it is that company. It can potentially be that company's credit card processing company. It could be their bank, it could be a host of other systems that are hooked into the main company. But it is a point for us to go to that potential victim and say please look at your data, and see if you have a problem. Mr. Guthrie. That was my question, I guess. So who typically notices the breach first? Is it typically law enforcement who is monitoring this and they see these transactions, or is it all of a sudden one day a retailer starts getting calls from a lot of their credit card companies from a lot of their customers saying hey, I have got these charges. The charges aren't mine, the charges aren't mine, the charges aren't mine. And then it finally figures out what is in common with these people and they went to a certain store? I mean, is that, do you usually find it as it is going through your monitoring or it is people reporting that they have something done to them and you find the commonality or both. Mr. Noonan. So to answer your question, both. Mr. Guthrie. Typical, I guess. Both. Mr. Noonan. I don't think that there is a typical, if you will. Mr. Guthrie. All right. Mr. Noonan. 
But we do work closely with the banking community, and as banking investigators look at those anomalies and find those anomalies, obviously, they are getting calls from their consumers and saying that there is a problem. They will notice an anomaly, as well as we are targeting different criminals, and in targeting those different criminals we have different sources and we are able to see some different things that are happening in the criminal underground. And that is another effective tool that we have at our disposal to be proactive in, sometimes it is notification. But you have got to realize, in law enforcement under that approach, sometimes we are stopping the occurrence from actually occurring, too. So we might go to a victim, a potential victim company to allow them to know that they have been compromised and in doing so, we stop the company from losing a single dollar. Mr. Guthrie. Yes the---- Mr. Noonan. As a result of a proactive approach, that is a very successful method in which law enforcement is a tool for consumers. They are out there out in front looking for that type of behavior. Mr. Guthrie. We certainly appreciate that effort. And Mr. Zelvin, you mentioned the NCCIC's mitigation capabilities were leveraged to coordinate efforts to secure assistance against these attacks. Does the NCCIC provide technical recommendations on how to secure systems? Mr. Zelvin. We do, sir. And it is probably the most important part of what we do. So it is not necessarily about finding the fires and putting them out, but preventing them from happening to begin with. So, and I think this is another great example on the point of sale systems. Obviously, these companies had to compromise. Our responsibility is to assist them, but also to let the broader community know what they need to go look for so they can go see if it is on their systems, take it off, and then prevent it from hopefully happening to them as well. Mr. Guthrie. 
And also you described a product that you recently disseminated to the industry that contains detailed technical analysis, the mitigation recommendations regarding the recent point of sale attacks. Can you generally describe what you mean by mitigation recommendations and tell us who develops those recommendations? Mr. Zelvin. Certainly, sir. We work with a cross-section across the Nation with the financial services sector, with technical experts from the managed security services. And so we canvass the Nation as a whole. And then we put out recommendations. In some cases it is as simple as changing your passwords, but there is also patching your systems. And I think the other panel is going to talk about that. If you just do some of the routine hygiene of cyberspace you are in a far better place. A couple of things, are you using firewalls and antivirus, restricting your Internet access, and disabling remote access. Some of these things are common sense. Some of the things are new as we discover, but regardless, we want to get out as much information as we can to help people defend their networks. Mr. Guthrie. Yes, you even see a place where I buy gas quite often has a little, like a strip of tape that says, if this seal is broken, please notify us to keep people from, where you do the pay at the pump. And in your testimony, I guess the one thing I just want to point out, and just to let you, I have got about, well, I am about out of time. But you say: ``No country, industry, community or individual is immune to the threat.'' Mr. Terry. Five seconds. Mr. Guthrie. So everybody has to be vigilant continuously because nobody is impervious to cyberthreats, right? Mr. Zelvin. That would be correct, sir. And I would be happy to elaborate later as needed. Mr. Guthrie. I am sorry, I just ran out of time. Mr. Terry. All right. The gentleman's time is expired. The chair recognizes the gentleman from Texas, Mr. Olson, for 5 minutes. Mr. Olson. 
I thank the chair, and welcome to our witnesses. If you review the testimony of this panel and the second panel, and combine that information with my career as a naval officer, we are engaged in combat here. It is warfare. In combat, the first thing you do is get the lay of the battlefield. A witness on the second panel names four separate phases of an attack: Infiltration, access to data, propagation, moving around by and as how you want, aggregation for the big package, and then exfiltration, get it out to the black market. All four steps have to happen, obviously, for a breach to occur. It seems like we force the public sector to focus on exfiltration, the last step; the private sector, at infiltration the first step. And obviously, if we get to exfiltration we are closing the barn door after the cows have gotten out. Not an effective way to fight this battle. So my question is first to you, Mr. Zelvin. How can your part of the public sector, the NCCIC, help with all four phases of an attack, not just exfiltration. It seems like you have done some outstanding work with that. Mr. Zelvin. Yes, thank you, Congressman. Where I tried to focus our efforts at the NCCIC and my staff is just getting at that very first phase of the adversaries' actions. We do not want to be the responders. We want to be the prevention mechanisms and protection and mitigation. So unfortunately, a lot of times where we discover challenges is after they have already happened. So what we are hoping to do is just learn from the bad experiences of one or a few to hopefully protect the many. I would like to highlight that our Industrial Control System CERT, and we are doing more of this with the US-CERT. We are actually doing experimentation to see if we can crack into some boxes, see the vulnerabilities. And we work with the private sector very closely to see where the vulnerabilities are, and then close those doors as quickly as we find them. Mr. Olson. Thank you. Mr. Noonan, you as well, sir. 
You are law enforcement so you are probably, that is your nature. Right at the end of the line there when those events happen. You mention that just by having something out there you can delay some future damages. So is that what you are limited to, or is there something else you can do to attack the other phases? Mr. Noonan. So in our investigations, we are pulling evidence out of the crimes that have happened, too, in a reactive approach. But the proactive approach, the former proactive approach to that is we are information sharing. So as we are seeing different tactics, different trends that are happening in these intrusions, we are taking that information and we are sharing that with our partners at the 33 electronic crimes task forces that the Secret Service has set up around the country and internationally, as well as we are taking in information and we are pushing it to Mr. Zelvin's group at the NCCIC. And that information is being pushed out to the sector. So by observing the evidence and sharing what we are finding in these different intrusions, we are better protecting the bigger infrastructure, if you will. Mr. Olson. General Madigan, any comments, ma'am, in law enforcement for Illinois? Ms. Madigan. Well, one of the things I would say in terms of the last two responses is from our perspective there is an enormous amount of work that also needs to be done to educate the public as to how to protect themselves, and so many people have adopted technology so quickly, they are not necessarily putting in place the safeguards and monitoring their accounts, and putting in place transaction alerts so that when these types of breaches occur they can minimize the damage that they have to their finances. Mr. Olson. And finally Ms. Ramirez, any comments, Ma'am on---- Ms. Ramirez. I will just say that I agree with Attorney General Madigan. 
This issue is a complex one that requires a multifaceted solution and that includes, again, companies taking appropriate and reasonable measures to protect information, and also of course, consumers also being educated about what they can do to protect information. The main point and why I believe that action is really needed today, is that these breaches remind us of how important it is, how important this issue is, and given the amount of personal information that is being collected from consumers and used and retained, this is truly critically important. Mr. Olson. Thank you. One final question for you, General Madigan. A legal question, I am curious. I went to law school at the University of Texas, passed the bar, never practiced, but I am concerned and wonder, why did you announce publicly the investigation of Target, but not Neiman Marcus. Any reason why that---- Ms. Madigan. We announced both of them. Mr. Olson. Both, OK. I thought you just announced Target, so thanks for the clarification. I yield back. Mr. Terry. Thank you. The chair now recognizes the gentleman from Kansas, Mr. Pompeo, for 5 minutes. Mr. Pompeo. Thank you, Mr. Chairman. I am not quite as sanguine that we are in a place where we are quite ready to move down this path. I am glad we are having this hearing, but we often, when the New York Times gets wound up we in Congress sometimes react in ways that I think are inappropriate to the true challenge. And I want to talk about that for just a second. Ms. Ramirez, typically we regulate when there is a market failure. That is the reason the Federal Government would come in and regulate in this space is because we don't think that private actions can respond to a particular concern or threat in an appropriate way. I can understand the potential justification for notification because sometimes someone might not know that their material had been stolen, so I can understand a potential justification for regulating with respect to notification. 
Why is it the case that consumers can't figure out that if they are not happy with Target or Neiman Marcus, or whomever it is allowed their data to be stolen, that they wouldn't migrate somewhere else? Why is it the consumers won't analyze the risk of their data being stolen and respond appropriately without the Federal Government stepping in to try and regulate? Ms. Ramirez. I don't believe that the burden should be placed on consumers when it comes to this issue. Mr. Pompeo. Why is that, Ms. Ramirez? We do that in so many other places. If you think your material is going to be stolen from your home, you can buy a home security system. We have lots of places where there are risks to our private property, and we allow consumers to step in and decide if they want to pay $60 a month, $200 a month, or $1,000 a month for their own security. Ms. Ramirez. I think consumers do have a role to play here, as I mentioned earlier. I think there are steps that consumers can take to be vigilant in this area, but I believe the role of the FTC is to protect consumers. And when you look back at the data that is available and that is out there, and it is also consistent with our experience, let me cite specifically the Verizon data breach report. They have an annual report that studies what is happening in the area of data security, and that information tells us that companies continue to make very fundamental mistakes when it comes to data security. They are not taking the reasonable and necessary steps that they need to in order to protect the consumer information that they collect, use, and retain. Mr. Pompeo. I appreciate that, and that report is there, and consumers might choose not to pick Verizon as a direct result of that. I think we ought to make sure we appreciate that. Attorney General Madigan, do you have data that tells you when folks call in, how much they are prepared to pay for protection? That is, if they call and say, my data was stolen. 
Do you know how much they are prepared to pay per incident? Will they only pay $0.50 or $5 million to protect their data? Do you have an analysis of what---- Ms. Madigan. We don't and we---- Mr. Pompeo. Because you said consumers are panicked and angered. Ms. Madigan. Right. Mr. Pompeo. I would presume that they are prepared to take some of their hard-earned money to protect themselves. Do you have data with respect to that? Ms. Madigan. I can tell you that we have had $26 million worth of fraudulent charges removed from Illinois residents' accounts. And I can tell you based on the 34,224 people we have had to work through to do that with, on average, these individuals have lost or at least not lost, but had $762 in fraudulent account amounts removed. So I haven't asked them how much they would like to pay for security. They feel as if they are having to actually pay the price simply for engaging in everyday activity whether it is commercial activity, or interacting with the government, or being provided with medical services. Mr. Pompeo. Do you think if we head down the path that you are proposing that they ultimately won't pay for that, that these costs won't be borne by consumers ultimately? Ms. Madigan. I know that costs are going to be borne by consumers, absolutely. Mr. Pompeo. So might it not be at least an idea we should consider to have them pay for that directly so they can see those costs, and they respond appropriately, as opposed to having them removed from their bills, or have the Federal Government mask that real cost to them so they don't really know the risk that they are presenting by particular use of their own data? Ms. Madigan. I am not exactly sure the scheme you are trying to propose here, but you are correct in the sense that if we are going to update, for instance, credit card technology to adopt chips-and-PINs, obviously, consumers are going to pay an increased cost. 
Retailers, they are going to pay in terms of increased costs and fees at their banking institutions. So consumers will pay and hopefully we will be able to improve our security. Mr. Pompeo. Thirty seconds. I am going to try two yes or no questions. Do you think that there should be private rights of actions associated with these rules as well? Ms. Madigan. At this point we have been able to handle these at the State level. Mr. Pompeo. Great. And then you made a statement. You said, in fact I will quote, ``Nearly every other country in the world is ahead of us.'' Surely, you don't mean Niger. Ms. Madigan. There may be several African countries that---- Mr. Pompeo. I just came back from Europe and I will tell you, they think our system is pretty good here, too. They are very comfortable doing business across Asia, Europe, and North America. And so I actually think our system may not be as dire a situation as has been suggested this morning. I yield back. Mr. Terry. Thank you. I now recognize the gentleman from Ohio, Mr. Johnson for 5 minutes. Mr. Johnson. Thank you, Mr. Chairman, and I, again, want to thank you folks for being here today. I am very concerned about the increase and the sophistication of the cyberattacks. And just to kind of get your opinion on it, Mr. Noonan, how does the increasing level of collaboration among cybercriminals that you referenced increase the potential harm to companies and consumers? Mr. Noonan. So the increasing collaboration between cybercriminals just increases their capabilities, so when we say that there is collaboration between these groups, these are loosely-affiliated organized criminal groups that are doing this. I have used the analogy of Ocean's 11, of what this group and what this network does. So they have groups that will do infiltration into the system to gain access. They have other people that will design malware. 
They have people that go and map the different network to figure out exactly how to get through the networks. There is exfiltration of data that occurs in these situations as well, and there is monetization so that data that is stolen has to be sold. And then, of course there is money laundering, the movement of money. So when you bring together a coordinated group of sophisticated criminals, it does, it is a, you know, they will find the edge of the fence and perpetrate our system. Mr. Johnson. Now, once we identify who these folks are that are perpetrating these attacks, well, first of all, are they State side, or are they overseas for the most part? Mr. Noonan. The majority of the criminals that we are looking at are transnational criminals. Mr. Johnson. OK, so outside of the United States. Mr. Noonan. Yes, sir. Mr. Johnson. OK. To what degree do we have the authority to go after those folks when we identify them? Mr. Noonan. Sure. Mr. Johnson. And do you know of any ongoing actions to shut them down? Mr. Noonan. Sure. The Secret Service actually has a unique history of success in this area. We have brought many of these different perpetrators to justice. I mean, we go back and talk about the TJX investigation as well as many others. But in the TJX investigation, we were successful. We arrested domestically in this case, Albert Gonzalez. He is sentenced to 20 years in prison here in the United States. We, also in the summer of 2012, we arrested Dmitriy Smilianets and Vladimir Drinkman, responsible also in that investigation over in the Netherlands. We were able to bring to justice Aleksandr Suvorov in the Dave And Busters case where he was sentenced to 7 years in prison here domestically. We also were able to pick up three different Romanian hackers that were responsible for the Subway sandwich shop intrusions that occurred in 2008, and we have brought them to justice, where the main leader was sentenced to 15 years in prison. 
We have a rich history of being able to effectively identify who these targets are, have them arrested, and work with our international partners. We have a host of international offices, and international working groups, and I think it comes back to the relationships that we build internationally that are assisting us in bringing these different actors to justice. Mr. Johnson. Well, obviously, most developed nations that have a high degree of sophistication within their networks, they are vulnerable to these things as well. So how robust are our agreements with other nations to go after the criminals that might reside in their countries? Mr. Noonan. Absolutely, sir, we do. We have many different agreements with numerous other countries over in Europe, and we have been working successfully in partnering with those. We worked very closely with the British, with the National Crime Agency, in the Netherlands with the Dutch High Tech Crime Unit. In Germany we have the BKA. We have working groups in the Ukraine, as well as an office that we established not too long ago in Estonia. So it is through that host of relationships, and in the laws that we are enforcing with them, that we are able to gather some success in those areas. Mr. Johnson. Good. Mr. Zelvin, you testified that no country, industry, community, or individual is immune to the threat of a cyberattack. Does this mean, in your opinion, that you believe no one can be impervious to cyberattacks? Mr. Zelvin. Sir, I think it is one of those challenges that it is like trying to prevent automobile deaths. You can do a lot of things, but ultimately unfortunately, people may still pass. I think there is a lot more we can do and should do, but ultimately, I believe there will be vulnerabilities that unfortunately will be exploited by very sophisticated actors. Mr. Terry. Thank you, Mr. Johnson. At this time I recognize the gentleman from Mississippi, Mr. Harper for 5 minutes. Mr. Harper. Thank you, Mr. 
Chairman, and thank each of you for being here. And if I may start with you Agent Noonan, I know this is obviously ongoing investigations here, but do you have an early indication, without revealing anything you shouldn't as to how you think this might have been prevented? Mr. Noonan. Again, I don't think it comes back to how it could have been potentially prevented. I think what the important part here is that we know that this is a sophisticated criminal group. The different companies, they had a plan, I think is the important takeaway here. The response plan is something that every company should also think of. We shouldn't think of if this is going to happen. We should potentially think when this potentially may happen to them. So a response plan is one in which you incorporate law enforcement into your response plan. And it brought back the information sharing piece. If you don't incorporate law enforcement in your plan to help you find and mitigate the problem, and then share that information with the whole of government, with the infrastructure to better protect other infrastructure, that is not necessarily a good plan. We obviously would like to see companies have robust forensic companies assigned to them so that when an intrusion does happen, they are able to go in and effectively quickly mitigate it so that there is no longer any bleeding that were to occur. Additionally, counsel is important for them to have, and then also a plan for notification to victims. Again, those are the important takeaways that we see in this case. Mr. Harper. And are you satisfied in these cases that the response has been satisfactory? Mr. Noonan. Yes, sir. Mr. Harper. OK, thank you. Mr. Noonan. Thank you. Mr. Harper. Chairwoman Ramirez, if I may ask you a few questions. Is there overlap between FTC's Safeguards Rule, and the PCI data security standards and do the PCI standards incorporate provisions of the Safeguards Rule, or do they go beyond the Safeguards Rule? 
Can you shed a little light on that? Ms. Ramirez. Sure. I am happy to speak to this. The way the FTC approaches its data security enforcement work is that we, again, we impose a reasonableness standard so we don't mandate or prescribe any specific standard or technology, but we think that as a matter of course, a company should of course, look to relevant industry standards, best practices in evaluating what measures they should have in place. Mr. Harper. OK, would the PCI data security standards meet the reasonable standards for purposes of Section 5 of the FTC Act? Ms. Ramirez. Every case that we look at is really a fact-specific one, so I really can't comment on hypotheticals. But what I can tell you is that a company should of course be looking to industry standards. They can be very valuable, and that would be certainly one factor that we would examine in looking at any matter. Mr. Harper. You know, you make the point that the mere fact that breaches occur does not mean a company violated the law, and the companies need not have perfect security. Yet, we have been told that it is unlikely any company subject to the PCI standards that suffers a breach would be found to be 100 percent compliant at the time of the breach. While the PCI standards provide an admirable and needed push to keep companies vigilant, would there be problems of making that a Federal standard enforceable by the FTC if it is setting up businesses to fail because it is often possible to find some violation of the standards? Ms. Ramirez. Again, we are going to be looking at each situation, in a fact-specific way. We certainly understand that there is no perfect solution. Security will not be perfect. We have many more investigations than we do actual enforcement cases. Mr. Harper. How many cases has the Commission brought for violation of the Safeguards Rule? Ms. Ramirez. Of the Safeguards Rule specifically, we have brought approximately a dozen cases. Mr. Harper. 
Has industry compliance improved over time as the rule becomes more mature and the industry becomes more familiar with it? Ms. Ramirez. Generally speaking, and I am speaking broadly, we continue to see basic failures when it comes to data security and the data that we have available to us suggests the companies do need to do more in this area. Mr. Harper. OK, I yield back. Mr. Terry. Thank you. At this time, we recognize the gentleman from Florida, Mr. Bilirakis, for 5 minutes. Mr. Bilirakis. Thank you, Mr. Chairman, I appreciate it very much and I thank the panel for their testimony. This is for the entire panel. Data often moves without respect to borders, as you know. Mr. Russo notes in his testimony that championing stronger law enforcement efforts worldwide can improve payment data security. Mr. Noonan, in your testimony, you mentioned successful cooperation with law enforcement entities during investigations into these cybercrimes. Would you, as well as Mr. Zelvin expand on what you believe Congress can do to enhance those international efforts going forward? Is there a role for examination of this issue, and future trade discussions such as the Transatlantic Trade and Investment Partnership? Mr. Noonan. I would recommend the continued support for our efforts in our international field offices, as well as the other working groups in which we are placing strategically around the world. We have had a lot of great success in some of those Eastern European countries. Within the last 2 years, we have had some great successes. We have had an extradition of a Romanian citizen from Romania to the United States based on the collaboration that we have made here between Romanian authorities and U.S. authorities. A big part of that is the relationships that the DOJ has also expanded in those different countries. 
The computer crimes, intellectual property section, CCIPS as well as the Office of International Affairs, have helped us in strategically working with those different countries to bring criminals that are affecting us here domestically to justice. Mr. Bilirakis. Thank you. Mr. Zelvin, you are welcome to---- Mr. Zelvin. Yes, sir. My organization is neither a law enforcement, nor an intelligence organization. We are purely civilian, and we have a relationship with over 200 like CERTs around the world. So it is really a technical-to-technical exchange. Last week I was in Tel Aviv and in London and I will tell you, I got to really see firsthand where our counterparts are, and they are making extraordinary progress but in many cases we in the United States are leading the way especially in the Government's role in cybersecurity. So I think a continued engagement, because as Mr. Noonan had said, many of these threats are coming from overseas. Many come from within our own countries, but it would be far better if we could engage with our international partners and have them use their legal means to go after these threats, and then also provide an ability to cooperate with us such as when we find an intrusion in their country to get them to shut it down if they have the legal ability. Mr. Bilirakis. Thank you. Anyone else like to comment on that? Ms. Ramirez. Just briefly, if I may. I think the international cooperation is a very important dimension of this issue. And we engage with international counterparts in all of the work, all of the enforcement work that we do, and this would be among them. Mr. Bilirakis. Thank you. Thank you very much. The next question for Chairwoman Ramirez. I represent Florida's 12th congressional district. While more and more seniors are becoming technologically adept, how would you recommend notifying seniors of a data breach in a timely manner if they are not reachable by email? Ms. Ramirez. 
I think it is an issue that I am happy to work with you on. I think seniors are increasingly becoming more adept at email, but of course, if email is not an option then mail notification would be appropriate, but we are happy to work with the committee on addressing this and other issues. We do look and have recently held a workshop on issues relating to senior ID theft and understand that this population can be particularly vulnerable to this set of issues so I think mail notification would be the, you know, one option, but there may be other ideas and we would be happy to discuss those with you. Mr. Bilirakis. Yes, I would like to work with you on that. Thank you very much. I appreciate it and I yield back. Mr. Terry. Thank you. At this time the gentleman from West Virginia is recognized for 5 minutes. Mr. McKinley. Thank you, Mr. Chairman. I think we are going to have to go through an awful lot of information that is being shared here today so I want to switch horses. I think we have got something that we can chew on for a little bit. So I want to switch horses a little bit to understand a little bit about what is happening with the data security with the Affordable Care Act, if I could. To what level so to Mr. Noonan, Mr. Zelvin, if you could participate with this, maybe you can help me. In December the HHS has reported that there were 32 security incidents. Maybe you could say slash breaches have occurred with Obamacare. Were the individuals notified? Do you know whether or not the individuals were notified? Mr. Zelvin. Congressman, I apologize. I am not familiar with that. If we can take that for the record, we can get back to you. Mr. McKinley. If you would, please. Mr. Noonan, do you know anything about those breaches that occurred with Obamacare? Mr. Noonan. And the same thing with me, sir. I don't have any knowledge of those breaches right now. Mr. McKinley. OK. 
If they were given the standard that we have imposed on the private sector, should individuals be notified if there are breaches with Federal healthcare? Just your opinion.
Mr. Zelvin. Yes, sir, if there are breaches they should be reported and people should have the opportunity to know about that, and then also take the adequate precautions.
Mr. McKinley. Mr. Noonan.
Mr. Noonan. Yes, sir, I would concur as well.
Mr. McKinley. You would agree with that. There is also a report that came out that some of the software that was developed for the Obamacare was developed in Belarus, and there are reports that there may be some concern for malware being included in that. Where are we in that evaluation because, obviously, the people are still signing up and we may have something that is contaminating our system. Can any of you share with us what is going on internationally on this?
Mr. Zelvin. Congressman, I can tell you what I know from last night, and from this morning things may have changed. But the intelligence product that was on that report has been withdrawn and is being reevaluated. I believe the White House did a statement last night saying that there is no evidence that there has been any Belarusian software development in the HHS. But HHS is looking at this carefully, and verifying that. So I believe that is where we are right now.
Mr. McKinley. It just may have been someone just----
Mr. Zelvin. Well, there is something in a report that is being reevaluated. And so I think there is some more investigation to be done before reaching conclusions.
Mr. McKinley. Could you get back to us then on that and let us know whether or not there is anything. I didn't understand why we were having any of our software developed in Belarus anyway, so, if there is something you can share with us, I would sure like to understand that.
Mr. Zelvin. Absolutely, Congressman. To the best of my knowledge right now, there was no software that was developed in Belarus.
Mr. McKinley. OK.
Mr. Zelvin. And HHS is looking at it closely.
Mr. McKinley. Thank you. For Illinois, I can't see your name tag from here on the thing, but ma'am, could you, has the state of Illinois ever had a data breach?
Ms. Madigan. Yes. And in fact in our law, there is a requirement that state agencies notify individuals when their personal information has been compromised.
Mr. McKinley. Do you use some kind of encryption extensively? Do you have some encryption that you use for your data?
Ms. Madigan. Different agencies will handle it different ways, but there are requirements in terms of how data is handled for state agencies.
Mr. McKinley. OK. Thank you very much. I yield back the balance of my time.
Mr. Terry. Thank you for yielding back. No other members are here; therefore, that ends panel number one. I do want to follow up. So, the talk about the criminal syndicate, there was a story that there was an 18-year-old Russian boy that developed this in his basement, this malware; is that accurate?
Mr. Noonan. Sir, don't believe everything you see in the media, please.
Mr. Terry. I have learned that, too. All right. Thank you. The first panel is dismissed, and we thank you. We may have questions submitted to you. We will have those to you within about 14 days if there are any, and we would appreciate about a 14-day turnaround in answers. Thank you. We will give a few minutes break here so we can get some water or something, and then we will be ready for our panel, second panel.
[Recess.]
Mr. Terry. Well, since everyone's seated, let's go. So, I apologize. I was hopeful that that first panel would not last this long, but it did. So thank you, and I hope that doesn't impact your rest of the schedule for the day, but appreciate you staying around. So, our second panel of the day is the nongovernment panel.
We have Michael Kingston, senior vice president and chief information officer of Neiman Marcus Group, then John Mulligan, executive vice president and chief financial officer, Target Brands, Incorporated, Bob Russo, general manager of PCI Security Standards Council, and then Phillip Smith, senior vice president for Trustwave. Thank you all for being here today. As we did with the first panel, we will go from my left. So, Mr. Mulligan, you will start and you will have 5 minutes.

STATEMENTS OF MICHAEL KINGSTON, SENIOR VICE PRESIDENT & CHIEF INFORMATION OFFICER, THE NEIMAN MARCUS GROUP; JOHN J. MULLIGAN, EXECUTIVE VICE PRESIDENT & CHIEF FINANCIAL OFFICER, TARGET BRANDS INCORPORATED; BOB RUSSO, GENERAL MANAGER, PCI SECURITY STANDARDS COUNCIL, LLC; AND PHILLIP J. SMITH, SENIOR VICE PRESIDENT, TRUSTWAVE

STATEMENT OF JOHN J. MULLIGAN

Mr. Mulligan. Good morning, Chairman Terry, Ranking Member Schakowsky, and members of the subcommittee. My name is John Mulligan. I am executive vice president and chief financial officer of Target. I appreciate the opportunity to be here today to discuss important issues surrounding data breaches and cybercrime. As you know, Target recently experienced a data breach resulting from a criminal attack on our systems. To begin with, let me say how deeply sorry we are for the impact this incident has had on our guests, your constituents. We know this breach has shaken their confidence in Target, and we are determined to work very hard to earn it back. At Target, we take our responsibility to our guests very seriously, and this attack has only strengthened our resolve. We will learn from this incident, and as a result, we hope to make Target and our industry more secure for consumers in the future. I would now like to explain the events of the breach as I currently understand them. Please recognize that I may not be able to provide specifics on certain matters because the criminal and forensic investigations remain active and ongoing.
We are working closely with the Secret Service and the Department of Justice on the investigation to help them bring to justice the criminals who committed this wide-scale attack on Target, American business, and consumers. On the evening of December 12th, we were notified by the Justice Department of suspicious activity involving payment cards used at Target stores. We immediately started an internal investigation. On December 13th, we met with the Justice Department and Secret Service. On December 14th, we hired an independent team of experts to lead a thorough forensics investigation. On December 15th, we confirmed that criminals had infiltrated our system, had installed malware on our point of sale network, and had potentially stolen guest payment card data. That same day we removed the malware from virtually all registers in our U.S. stores. Over the next two days, we began notifying the payment processors and card networks, preparing to notify our guests and equipping our call centers and stores with the necessary information and resources to address the concerns of our guests. Our actions leading up to our public announcement on December 19th and since have been guided by the principle of serving all guests, and we have been moving as quickly as possible to share accurate and actionable information with the public.
What we know today is that the breach affected two types of data, payment card data, which affected approximately 40 million guests and certain personal data which affected up to 70 million guests. We believe the payment card data was accessed through malware placed on our point of sale registers. The malware was designed to capture the payment card data that resides on the magnetic strip prior to its encryption within our systems. From the outset, our response to the breach has been focused on supporting our guests and strengthening our security.
In addition to the immediate steps I already described, we are taking the following concrete actions. First, we are undertaking an end-to-end forensic review of our entire network and will make security enhancements as appropriate. Second, we increased fraud detection for our Target Red Card guests. To date, we have not seen any fraud on our proprietary credit and debit cards due to this breach, and we have only seen a very low amount of additional fraud on our Target Visa card. Third, we are reissuing new Target credit and debit cards immediately to any guest who requests one. Fourth, we are offering 1 year of free credit monitoring and identity theft protection to anyone who has ever shopped in our U.S. Target stores. Fifth, we informed our guests that they have zero liability for any fraudulent charges on their cards arising from this incident, and sixth, Target is accelerating our investment in chip technology for our Target Red Cards and our stores' point of sale terminals.
For many years, Target has invested significant capital and resources in security technology, personnel, and processes. We had in place multiple layers of protection, including firewalls, malware detection, intrusion detection and prevention capabilities, and data loss prevention tools, but the unfortunate reality is that we suffered a breach. All businesses and their customers are facing increasingly sophisticated threats from cyber criminals. In fact, news reports have indicated that several other companies have been subjected to similar attacks. To prevent this from happening again, none of us can go it alone. We need to work together. Updating payment card technology and strengthening protections for American consumers is a shared responsibility and requires a collective and coordinated response. On behalf of Target, I am committing that we will be an active part of the solution.
Members of the subcommittee, I want to once again reiterate how sorry we are for the impact this incident has had on your constituents, our guests, and how committed we are to making it right. Thank you for your time today.
Mr. Terry. Thank you.
[The prepared statement of Mr. Mulligan follows:]
Mr. Terry. Mr. Kingston, you are now recognized for 5 minutes.

STATEMENT OF MICHAEL KINGSTON

Mr. Kingston. Chairman Terry, Ranking Member Schakowsky, members of the subcommittee. Good morning, my name is Michael Kingston, and I am the chief information officer at Neiman Marcus Group. I want to thank you for your invitation to appear today to share with you our experiences regarding the recent criminal cybersecurity incident at our company. I have submitted a longer written statement and appreciate the opportunity to make some brief opening remarks. We are in the midst of an ongoing forensic investigation that has revealed a cyber attack using very sophisticated malware. From the moment I learned there might be compromise of payment card information involving our company, I have personally led the effort to ensure that we were acting swiftly, thoroughly, and responsibly to determine whether such a compromise had occurred, to protect our customers and the security of our systems, and to assist law enforcement in capturing the criminals. Because our investigation is ongoing, I may be limited in my ability to speak definitively or with specificity on some issues, and there may be some questions to which I do not have the answers. Nevertheless, it is important to us as a company to make ourselves available to you to provide whatever information we can to assist you in your important work. Our company was founded 107 years ago. One of our founding principles is based on delivering exceptional service to our customers, in building long lasting relationships with them that have spanned generations.
We take this commitment to our customers very seriously. It is part of who we are and what we do daily to distinguish ourselves from other retailers. We have never before been subjected to any sort of significant cybersecurity intrusion, so we have been particularly disturbed by this incident. For our ongoing forensic investigation, we have learned that the malware which penetrated our system was exceedingly sophisticated, a conclusion the Secret Service has confirmed. A recent report prepared by the Secret Service crystallized the problem when they concluded that a specific type of malware comparable and perhaps even less sophisticated than the one in our case, according to our investigators, had a zero percent detection rate by antivirus software. The malware was evidently able to capture payment card data in realtime after a card was swiped and had sophisticated features that made it particularly difficult to detect, including some that were specifically customized to evade our multi-layered security architecture that provided strong protection of our systems and customer data.
Because of the malware's sophisticated anti-detection devices, we did not learn that we had an actual problem in our computer system until January 2nd, and it was not until January 6th when the malware and its outputs had been disassembled and decrypted enough that we were able to determine that it was able to operate in our systems. Then, disabling it to ensure it was not still operating took until January 10th. That day we sent our first notices to customers potentially affected and made widely reported public statements describing what we knew at that point about this incident. Simply put, prior to January 2nd, despite our immediate efforts to have two separate firms of forensic investigators dig into our systems and attempt to find any data security compromise, no data security compromise in our systems had been identified.
Based on the current state of evidence and the ongoing investigation, one, it now appears that the customer information that was potentially exposed to the malware was payment card information from transactions in 77 of our 85 stores between July 15th and October 30th, 2013, at different periods of time within this date range in each store. Two, the number of payment cards used at all stores during this period was approximately 1.1 million. This is the maximum number of accounts potentially exposed to the malware, although the actual number appears to be lower since the malware was not active every day at every store during this period. Three, we have no indication that transactions on our Web sites or at our restaurants were compromised. Four, PIN data was not compromised as we do not have PIN pads and we do not request PINs. And five, there is no indication that Social Security numbers or other personal information were exposed in any way. We have also offered to any customer who shopped with us in the last year at either Neiman Marcus Group stores or Web sites, whether their card was exposed to the malware or not, 1 year of free credit monitoring and identity theft insurance. We will continue to provide the excellent service to our customers that is our hallmark, and I know that the way we responded to the situation is consistent with that commitment. Thank you for your invitation to testify today, and I look forward to answering your questions.
Mr. Terry. Thank you.
[The prepared statement of Mr. Kingston follows:]
Mr. Terry. Mr. Russo, you are recognized for 5 minutes.

STATEMENT OF BOB RUSSO

Mr. Russo. Thank you. My name is Bob Russo, and I am the general manager of the PCI Security----
Mr. Terry. Can you pull the microphone a little closer to you?
Mr. Russo. Sorry. It is on now.
Mr. Terry. And a little closer.
Mr. Russo.
As I said, my name is Bob Russo, and I am the general manager of the PCI Security Standards Council, a global industry initiative and membership organization focused on securing payment card data. Our approach to an effective security program combines people, process, and technology as key parts of payment card data protection. We believe the development of standards to protect payment card data is something the private sector, and in particular, PCI, is uniquely qualified to do. The global reach, expertise, flexibility of PCI make it extremely effective. Our community of over 1,000 of the world's businesses is tackling data security challenges from simple issues like passwords (in fact, ``password'' is still the most commonly used password out there) to really complicated issues like proper encryption. We understand consumers are upset when their payment card data is put at risk, and we know the harm caused by data breaches. The council was created to proactively protect consumers' payment card data. Our standards represent a solid foundation for a multi-layered security approach. We focus on removing card data if it is no longer needed. Simply put, if you don't need it, don't store it. And if it is needed, then protect it and reduce incentives for criminals to steal it.
Let me tell you how we do that. The data security standard is built on 12 principles capturing everything from physical security to logical security. This standard is updated regularly through feedback from our global community. In addition, we have developed other standards that cover software, point of sale devices, secure manufacturing of cards and much, much more. We work on technologies like tokenization and point-to-point encryption. Tokenization and point-to-point encryption work in concert with PCI standards to offer additional protections. Another technology, EMV chip, is an extremely effective method of reducing card fraud in a face-to-face environment. That is why the council supports its adoption in the U.S. through organizations such as the EMV Migration Forum, and our standards support EMV today in other worldwide markets. However, EMV chip is only one piece of the puzzle. To move to EMV and to do no more would not solve this problem. Additional controls are needed to protect the integrity of payments online and in other channels. These include encryption, tamper-resistant devices, malware protection, network monitoring, and much, much more. These are all addressed in the PCI standards. Used together, EMV chip and PCI can provide strong protections for payment card data, but effective security requires more than just standards. Standards without supporting programs are only tools and not solutions. The council's training and certification programs have educated tens of thousands of individuals and make it easy for businesses to choose products that have been lab tested and certified as secure. Finally, we conduct global campaigns to raise awareness of payment card security.
We welcome the Committee's attention to this critical issue. The recent compromises underscore the importance of a multi-layered approach to payment card security and there are clear ways in which we think the Government can help. For example, leading stronger law enforcement efforts worldwide by encouraging stiff penalties for these crimes, promoting information sharing between the public and private sector also merits attention. The council is an active collaborator with government. We work with NIST, with DHS, with many government organizations. We are ready and willing to do much more. The recent breaches underscore the complex nature of the payment card security. A multifaceted program cannot be solved by a single technology, standard, mandate, or regulation. It cannot be solved by a single sector of society. We must work together to protect the financial and privacy interests of consumers. Today, as this committee focuses on recent breaches, we know that the criminals are focusing on inventing the next attack vector. There is no time to waste. The PCI Security Standards Council and business must continue to provide a multi-layered security protection while Congress leads the efforts to combat global cyber crimes that threaten us. We thank the Committee for taking a leadership role in seeking solutions to one of the largest security concerns of our time.
Mr. Terry. Thank you, Mr. Russo.
[The prepared statement of Mr. Russo follows:]
Mr. Terry. Mr. Smith, you are now recognized for 5 minutes.

STATEMENT OF PHILLIP J. SMITH

Mr. Smith. Good morning, Chairman Terry, Ranking Member Schakowsky, subcommittee members, staff, and ladies and gentlemen. I want to thank you for the opportunity on behalf of Trustwave to provide witness testimony on this important issue related to data breaches. I am both a former special agent of the United States Secret Service and a senior trial attorney at the Department of Justice Terrorism and Violent Crimes Section. My law enforcement experience in this area includes investigation, prosecution of criminal credit card fraud, access device fraud, and counterfeiting. I left the Justice Department in 2000 to join Trustwave, a now global information security and compliance services and technology company. I currently serve in Trustwave's executive team as senior vice president, and I was general counsel for 12 years. Businesses and government agencies hire Trustwave to help fight cyber crime, protect their sensitive data, and reduce risk. Trustwave has customers ranging from the world's largest multi-national companies to small and medium-sized businesses in 96 countries.
We specialize in the following areas: compliance and risk management, managed and cloud-based security services, as well as threat intelligence, ethical hacking, security research, and we also train law enforcement on how to investigate network intrusion and data breach cases. Today, I would offer our observations and recommendations related to data breach and broader information security trends. It is important I note that as a company we do not comment or speculate on specific data breaches, and as such, we will not be offering testimony today related to companies involved in the latest string of data breaches. However, I believe our company's experience in investigating thousands of data breaches over the past several years, our advanced security research and intelligence coming from our large global client footprint will be of value to you and the industry as a whole. My submitted written testimony discusses how card data is stolen through malware attacks, the value of the Payment Card Industry Data Security Standard, and why businesses must go beyond PCI for increased security and technologies and processes that can help. While I generally have time to discuss each topic in depth, I would like to highlight a few items.
Each year our company publishes statistics and observations from real-world data breach investigations in our Trustwave Global Security Report. The focus of the report is around cyber crime, states that attacks are carried out by professional criminals, and most of them follow logical patterns as described by the Secret Service. The 2013 Global Security Report highlights data our experts analyzed from more than 450 data breach, incident response investigation locations, thousands of penetration tests, millions of Web site and web application attacks, tens of billions of events. The report states the retail industry is the top target in 2012, making up 45 percent of our investigations. Food and beverage industry was second, followed by the hospitality industry. Those rankings did not change in 2013. Cardholder data was the primary target. Mobile malware increased 400 percent in 2012. Seventy-three percent of the victims were located in the United States. Almost all the point of sale breach investigations involved targeted malware. SQL injection and remote access made up 73 percent of the infiltration methods used by criminals, took businesses an average of 210 days to detect a breach, most took more than 90 days, and 5 percent took more than 3 years. Only 24 percent detected the intrusion themselves. Most were informed by law enforcement. Web applications emerged as the most popular attack vector, E-commerce sites being the most targeted asset. Weak passwords with ``Password1'' being the most common password of choice.
I am running short on time, and refer to my written testimony where I talk about many different security areas as part of the defense-in-depth strategy, recommending multiple layers of defense, detection, response, and ongoing training. I would, however, make the following observations. PCI Data Security Standard plays a critical role that has increased awareness around securing data in the payment industry. The threat landscape is more complex than ever, and keeping up with and complying with the standard simply isn't enough. A common misperception is that PCI was designed to be a catch-all for security. We believe it serves as a good baseline for security, giving businesses guidelines for basic security controls to protect cardholder data. And we heard discussions today about chip-and-PIN, end-to-end encryption and other technologies, and these are all good, but there is no silver bullet. A multi-layered approach to security involves people, process, technology, and innovation, and I would take these few minutes to highlight 3 particular ones. Businesses should implement an incident response plan that includes advanced detection techniques, containment strategies, and response technologies. Web applications are a high value target for attackers because they are easily accessible over the net. Web applications are often at businesses' front door and often connected to systems that contain private data. While monitoring more than 200,000 Web sites, our researchers found 16,000 attacks occur on web applications per day. This is why businesses need to adopt protections that include the ability to detect vulnerabilities and prevent web applications. Obviously, anti-malware is a big issue here, and what companies need to do is to defend against this is deploy gateways, and I stress this is not anti-virus technology. This is, gateways specifically help to protect businesses in realtime from threats like malware and zero-day vulnerabilities and data loss. I want to thank the Chairman and Ranking Member Schakowsky for the opportunity to be here today, and happy to answer any questions.
Mr. Terry. Thank you, Mr. Smith.
[The prepared statement of Mr. Smith follows:]
Mr. Terry. And that does conclude the testimony of our panel, and now it is time for us to ask you questions. And I get to go first, so I recognize myself for 5 minutes. Mr. Smith, based on your professional opinion in this industry, are we--the United States suffering an increased onslaught of data breaches and attacks or is it just simply we are paying more attention in the media?
Mr. Smith. No, we are suffering more attacks, that is for sure.
Mr. Terry. Can you quantify that in any way? Do you know how many----
Mr. Smith. In numbers of attack? I mean I can only speak for our company and how many we are involved in each year, which involves, you know, a number of different investigations as well as multi-national locations within----
Mr. Terry. Do you have an opinion why that has increased, the number of attacks have increased?
Mr. Smith. I think any time there is something of value, and the Web now gives the ability for these multi-national attacks to occur from anywhere in the world, so as the technology increases, so will the attacks, so will the value of that data----
Mr. Terry. Right.
Mr. Smith [continuing]. That people are after.
Mr. Terry. Appreciate that. Thank you. And for Mr. Mulligan and Mr. Kingston, I appreciate that you accepted our invitation to come here. I think people should know that you didn't have to accept that invitation, you don't have to be here, but you agreed to be here, and A, I think that speaks well for both of the companies that you work for and your respect for the consumer to go on the record about what occurred and what you are offering to your customers. I want to thank you for that. It doesn't mean we don't ask you tough questions. So, let me start off the same question to both Mr. Mulligan and Mr. Kingston. Both of you, you suffered point of sale attacks, and at least with Target there was a portion of that that was unencrypted and you were able to get the information in plain language, plain text. Is that a shortcoming? Is that standard? How much of a surprise to you or not surprise that there was that vulnerability at the point of sale, Mr. Mulligan?
Mr. Mulligan. Mr. Chairman, we know today----
Mr. Terry. Pull your microphone a little closer.
Mr. Mulligan. We know today in the U.S. that credit card information, payment card information, comes into point of sale systems from the magnetic strip unencrypted. In our case, that data was captured prior to us encrypting it. We have seen in other geographies around the world where chip-and-PIN or chip-enabled technology has been deployed, the fraud related to payment cards has come down dramatically, and that is why we have been supporters of that technology over a very long period of time.
Mr. Terry. All right. Mr. Kingston.
Mr. Kingston. What we learned in our investigation, Chairman, is that the information was scraped at a time immediately following the swipe as well in basically milliseconds.
Mr. Terry. In essence, commingled data so it was undetectable, hidden in plain sight?
Mr. Kingston. Literally milliseconds before it is sent through encrypted tunnels to payment processor for authorization.
Mr. Terry. Wow. Back to Mr. Mulligan. Have you been able to determine how they were able to get into the system and place the malware at that very sensitive point?
Mr. Mulligan. That is my understanding the point of access was a compromised set of vendor credentials or log-on I.D. and password. Beyond that, we have an end-to-end review, forensic review of all of our systems to understand that particular question is one we share with you, Mr. Chairman.
Mr. Terry. So, it was a process failure?
Mr. Mulligan. We don't understand that today. At the completion of our investigation, we are looking forward to getting the facts about what transpired.
Mr. Terry. All right. Mr. Kingston.
Mr. Kingston. At this point in our investigation, we have not yet found any evidence of how attackers were able to infiltrate our network.
Mr. Terry. A lot of discretion on breach notification. Tell us--first of all, we want to make sure that a consumer whose data, whether it was their financial or personally identifiable information, is notified in a timely manner. There is a perception that perhaps you discover breach and you should push send for notification. Does it really work that way? How much time is a reasonable amount of time before you notify a consumer of a breach? Mr. Mulligan.
Mr. Mulligan. Our focus was on providing certainly speed in getting notice quickly, we think, is important. Balancing that, and the lens that we were looking through was for our guests, providing them accurate information to help them understand what went on, and then actionable information, what could they do about it.
In addition, given the magnitude of our enterprise, we knew we would get significant requests from our guests, and we want to be prepared with staffing up our call centers, having our stores have the appropriate resources to respond to their requests, and I think all of that is how we approached this from a notification. Mr. Terry. How many days from the time that you were told of the breach versus when you were able to send them notice out? Mr. Mulligan. From the time we found the breach, we found the malware on our system to the time we notified was 4 days. Mr. Terry. All right. Mr. Kingston, same questions. Mr. Kingston. So we also at Neiman Marcus believe that prompt and specific notification is the best course of action. I think there are two important things that need to be established in order for that to happen and happen in a reasonable way as you ask the question. The first is understanding that you actually do have a breach or some sort of risk of attack, and so in our case we learned that on January 6th. I think the second important thing is to protect customers from any potential further harm, to make sure that you contained, in our case, the malware that was discovered in our systems. It took us 4 days to do that, and at that time, on January 10th, we immediately began notifying customers. Mr. Terry. All right. 4 days for each of you. All right. Thank you. And I recognize the Ranking Member Jan Schakowsky from Illinois. Ms. Schakowsky. Thank you. Just a quick question to Mr. Russo. I think you do good work, but you aren't suggesting that we shouldn't act as a Congress, are you, in order to set some standards? Mr. Russo. No, certainly I think there are plenty of things that can be done, not the least of which is law enforcement and information sharing. Ms. Schakowsky. I understand. I am asking that really as a yes or no question. Are you suggesting that it is inappropriate or unnecessary for Congress to act on standards, et cetera? Mr. Russo. 
I don't know. I have no opinion in that area.

Ms. Schakowsky. OK. I wanted to ask you, Mr. Kingston. You discovered the breach internally? Neiman Marcus discovered it, the breach itself?

Mr. Kingston. The first idea that we had that there was anything potentially wrong in our system was on January 2nd, when our forensic investigator brought to our attention that they had found some suspicious malware potentially capable of scraping card data. It wasn't until the 6th, because it took them 4 days, based on the sophistication of this malware, to actually decrypt it and decompose it to understand that it actually could work in our----

Ms. Schakowsky. Who informed you?

Mr. Kingston. Our forensic investigator.

Ms. Schakowsky. Our?

Mr. Kingston. We hired a forensic investigator.

Ms. Schakowsky. Oh, your forensic investigator.

Mr. Kingston. Yes, forensic investigator.

Mr. Terry. Not Mr. Smith.

Ms. Schakowsky. OK. And Mr. Mulligan, you said that the Justice Department informed you.

Mr. Mulligan. They came to us on December the 12th and indicated they had a handful of cards that had been compromised, and potentially one of the locations that was compromised was Target. At that point, there was no indication or evidence that there had been a breach. We found that breach 3 days later and shut it down within 12 hours.

Ms. Schakowsky. I actually wanted to talk more about the breach of marketing data, which affected fully one-fourth to one-third of all American adults, which is pretty serious, and I am asking these questions because I believe the breach of marketing data represents really a serious threat to consumers.
Payment card breaches are severe incidents in which criminals tend to obtain card data, spend money when they can, and then move on, but names and contact information can be used in phishing and social engineering schemes to try to perpetrate identity theft, and so while harm from payment card breaches is acute, harm from nonfinancial breaches lingers; identity theft lasts. So, I wanted to ask you about the way you informed the consumers who had these marketing data breaches. Some consumers received an email message during the week of January 12th notifying them of a breach of Target customer information and received that message from [email protected], and scammers sometimes use legitimate names of companies, and many people were alarmed when they looked up the domain name and found a ``permission denied'' message. And so I wanted to know how Target determined it would contract with a company to send these messages and what you are doing about the confusion that consumers may have felt.

Mr. Mulligan. Congresswoman, we wanted to notify; we confirmed on January 9th that that data had left our system, and on January 10th we started notifying consumers. We sent out 56 million email addresses. That was the number we had available to us. We also, as we did in the first breach, did so prior to broad public disclosure of the issue so that everyone would have information related to it, but one of the things we did, and a couple of things we did in response to some of the concerns you are talking about, first, we communicated to our guests that there was a single source of truth on our corporate target.com Web site. Any communication coming from Target was located there and could be trusted. Second, we provided free credit monitoring, which provides free identity theft protection, identity theft insurance for----

Ms. Schakowsky. Let me refer to that. There was a briefing organized Monday by the Bipartisan Privacy Caucus, Ed Mierzwinski of U.S. PIRG, who said that credit monitoring, such as the one offered by Target, doesn't stop fraud on existing accounts and won't prevent new account identity theft. So I'm wondering what the rationale is for this program, its performance so far, and any ongoing alternatives or improvements being considered or developed by Target.

Mr. Mulligan. My understanding, Congresswoman, is that consumers have no liability for any fraud which occurs on their cards as a result of this breach. A part of the package that we offered in the free credit monitoring is identity theft protection, identity theft insurance, and access to a fraud protection specialist, so that any guest who has ever shopped at a Target store has the ability to contact them well past the year and ensure that their data is safe.

Ms. Schakowsky. So you would disagree with that conclusion that it doesn't stop fraud on existing accounts and won't prevent new account identity theft?

Mr. Mulligan. I can't speak to that data specifically. What I can tell you is consumers have no liability for fraud on their accounts that is a result of our breach.

Ms. Schakowsky. You are talking about fraud of----

Mr. Mulligan. Of existing accounts. I am sorry.

Ms. Schakowsky. Are you talking about fraud in a purchase? I am talking about identity theft.

Mr. Mulligan. And we provide identity theft protection as part of the free credit monitoring.

Ms. Schakowsky. Thank you.

Mr. Terry. Thank you. I now recognize the vice chairman, Mr. Lance of New Jersey.

Mr. Lance. Thank you very much, Mr. Chairman. To Mr. Mulligan. You testified that you were informed of the breach by law enforcement on December 12th and 13th, hired a forensic firm on the 14th, and on the 15th you both discovered the infiltration and removed the malware from your point of sale network. If it was relatively easy to find the malware once you were made aware of it, why wasn't it detected through your existing information security procedures?

Mr. Mulligan.
It is an excellent question, Congressman, one we have asked many times. Our ongoing forensic investigation, we believe, will provide the facts of what transpired and why the significant investments we have made in multiple ways of detecting and ensuring our systems are safe did not detect this.

Mr. Lance. Can you give the committee an estimate as to when you might know the answer to that question?

Mr. Mulligan. That investigation is being led by our forensic investigator. They will take the time they need to assess all of the facts, and certainly from that there will be learnings and we will take action, so I don't have perspective on how long that will take.

Mr. Lance. Thank you. In addition to the 40 million payment card accounts that were breached, your company also detected a breach involving other personal information on 70 million consumers. Do you know, Mr. Mulligan, how many of the 70 million accounts would trigger a notice of breach under existing state laws?

Mr. Mulligan. I am not familiar with that, but as we considered that, what was important is, as we have had accurate and actionable information, we have disclosed information to the public, and that was our approach there. On January 9th, it was confirmed that that data was extracted from our systems, and on January 10th we provided broad public notice and began to email those guests for which we had email addresses.

Mr. Lance. Thank you. To Mr. Kingston at Neiman Marcus. From the time you first realized you had an actual problem in your system, and I believe that was January 2nd, until you disassembled the malware on January 10th, how did you conduct business with your consumers? Were POS terminals used during that timeframe to accept payments, and if so, how was that decision made?

Mr. Kingston. So, we did continue to conduct business for our customers during that time.
However, as we were learning throughout the investigation more about this particular sophisticated attack, we immediately began implementing additional controls on top of all of the multi-layered security controls that we had in place at that time, and so we were being very, very careful, with our forensic investigators as well as our internal investigation, to closely monitor for any further suspicious activity.

Mr. Lance. Do you know yet whether the suspicious activity increased between January 2nd and January 10th?

Mr. Kingston. We have not seen any indication of that, no.

Mr. Lance. So that is an open question, or are you likely to conclude that----

Mr. Kingston. No additional suspicious activity was noted.

Mr. Lance. Thank you. To the panel in general, as card security evolves, it seems as though the chip is a better mousetrap. With a chip-enabled card, the critical pieces of consumer information are obscured from would-be thieves, and the ability to prevent card duplication is achieved. But there are two types of chip-enabled cards, as I understand it, those that require a PIN and those that require a signature for authorization. To our experts, what is the difference between the two and what do you believe is preferable? Mr. Russo, why don't we begin with you.

Mr. Russo. Well, the combination of PCI and EMV in any form, be that chip-and-PIN, be that chip and signature, is a powerful, powerful solution for, as you indicated, face-to-face fraud and counterfeit cards. However, there are other channels where that data can still be used, and so the powerful combination of PCI and EMV, once again, in any form is a powerful combination, and I think is something that needs to be considered.

Mr. Lance. And from your professional perspective, who should consider that? Should this be required statutorily by the Congress, or should this be determined at state capitals, or should it be at the option of the private sector?

Mr. Russo.
That is beyond the purview of what the standard and the security council does. Basically, we are responsible for securing that data in whatever form it comes in, so be it chip-and-PIN, chip and signature, regardless of whoever determines what it is going to be and when it is going to be, our job is to make sure that that is protected.

Mr. Lance. Thank you, Mr. Russo. Mr. Smith, do you have an opinion on my question?

Mr. Smith. I think the important point here is it is an additional layer of security, right. There is no silver bullet here. There are multiple layers that need to be put in place. Chip-and-PIN with end-to-end encryption will certainly help matters, but again, nothing is going to stop the data breaches.

Mr. Lance. And would you require this as a matter of either statutory law or rule and regulation, or does that go beyond what is probably appropriate for Congress, given the fact that technology advances as rapidly as it does?

Mr. Smith. Again, the chip-and-PIN technology has been around for a long time. I think a lot of effort should be put toward new technology in securing mobile payments and things like that. The technology is changing so quickly. The attack vectors are going to change, right, so much more is going to the mobile side. So, implementing chip-and-PIN is a good thing for the face-to-face transactions, but having innovation towards mobile payments and other areas is just as important. Again, it is defense in depth.

Mr. Lance. Thank you. I have 12 seconds left. I look forward to working with everyone on the committee, and I personally enjoy shopping at Target, and I think my wife at Neiman Marcus.

Mr. Terry. Mr. Yarmuth, you are now recognized for 5 minutes.

Mr. Yarmuth. Thank you, Mr. Chairman. Likewise, long-time customer, first-time questioner, and I appreciate your testimony and your candor and forthrightness, particularly from Target and Neiman Marcus, and not that you are not being forthright.
One thing that I am curious about is that while we have some more instances of this type of breach, and I don't know if you want to speculate why people might have singled out Target and Neiman Marcus among a group of retailers, but obviously there are a lot of retailers out there, many of whom have probably as high a profile as you, and my question is, are you aware, are you able to discuss with your colleagues in the industry whether they have been able to head off any cyber attack that might distinguish them in some way from your operations, or have you been informed by law enforcement of any other attacks that have been fended off? And I open it up to Mr. Russo and Mr. Smith as well.

Mr. Mulligan. Maybe I can start. We took several steps once we verified there was malware in our point of sale systems. We have an ongoing relationship with law enforcement and certainly shared that with them. We also shared the malware with security firms who work with all businesses to look for these types of malware. Beyond that, we have pushed for and are beginning an initiative with the retail industry around information sharing across all retailers to share this kind of information. It is an evolving threat. It is a shared responsibility for all of us, and we believe information sharing is one path to understanding the evolving threat and how we will collectively deal with it.

Mr. Yarmuth. I am just curious as to whether there is any indication that you have from any other source that somebody tried to attack Saks Fifth Avenue, somebody tried to attack Walgreens, somebody tried to attack Wal-Mart, and they had failed where they succeeded in your instance. Is there any evidence of that somewhere?

Mr. Smith. I will take a look at that. I think we describe this as a battleground every day. There are attacks going on constantly and those attacks are being defeated.
The situations we are talking about are, again, sophisticated malware, but every day, retailers, the banking industry, they are defending their networks against ongoing attacks, and I think that is an important point, that there is a lot of effort going on today and it will continue to go on. And again, increasing innovation around security technology is an important part of that, and I think that is where a lot of the players can come together and spur that innovation.

Mr. Yarmuth. All right. Is there any legal impediment to your comparing notes and talking to other competitors, even? Is that something that should be, you say you are sharing information but----

Mr. Mulligan. We can totally benchmark, too, as well. Part of our ongoing assessment of our particular program is to benchmark against other retailers and ensure that collectively we are providing the best protection.

Mr. Yarmuth. But specifically with regard to Target, there have been reports that some individuals received Target's notification of a data breach when they have never shopped at Target, and some of it is a decade old. Are those reports accurate, and if that is the case, how would they be in your database if they had never shopped there?

Mr. Mulligan. Congressman, the vast majority of the data we collect is done through the normal course of business. When a guest uses our app on an iPod, when they sign up for an app called ``Cartwheel,'' we periodically append information to that on an existing guest, and very rarely, but from time to time, we do buy some guest information to provide them promotions if we think they would benefit from the products and services that we provide.

Mr. Yarmuth. Now, you have had a relationship with Amazon for a period of time. Could any of that information have been captured because of that relationship specifically? Is that irrelevant?

Mr. Mulligan. It is my understanding that there was a separation of the information between Amazon's customers and our guests.

Mr. Yarmuth. OK. Well, I yield back. Thank you for your testimony. I yield back, Mr. Chairman.

Mr. Terry. OK. At this time the Chair recognizes the vice committee of the full committee, or vice chairman of the full committee, Marsha Blackburn.

Mrs. Blackburn. Thank you, Mr. Chairman, and I want to thank you-all for your patience this morning. I cannot tell you how many of our constituents have mentioned their frustration with the data breaches and their desire to get some clarity and some certainty in this process, and as you have heard me mention in the earlier questioning and opening statement, Mr. Welch, Ms. Schakowsky, and I are doing a data security and privacy working group to make certain that what we do, when we do something on the issue, that we do it in the appropriate manner and that it be allowed the flexibility and the nimbleness that is going to be needed. And Mr. Russo, you spoke well to the need for that. Mr. Kingston, if I could come to you, and going back to your testimony with the malware that was there in your breach, have any of the law enforcement agencies that are working with you on this, have they ever seen this type of malware before, and what is the origin of that malware?

Mr. Kingston. Congressman, we have been working very closely with law enforcement, specifically with the Secret Service, and what they have been able to share with us so far is that the malware is very, very, very sophisticated. As I said earlier in my testimony, it had a zero detection rate by antivirus software, and it is not something that they have seen before. It was very specifically designed for an attack on our systems.

Mrs. Blackburn. OK. So it was designed specifically for an attack.

Mr. Kingston. Yes.

Mrs. Blackburn. And do you know the origin yet?

Mr. Kingston. They have not shared that with us. I am not sure at this time.

Mrs. Blackburn. They have not. OK. Mr. Russo, when you look at this, and here is something designed specifically to attack and to take down their financial infrastructure, if you will, then what is your guidance to us as we seek to look at that data share, which is important, that information share, which is important. Mr. Zelvin spoke to that in the previous panel. What is your instruction to us? Because we know that the different agencies send out threats and updates on a regular basis, and you have something that is unique, so what is your instruction to us? And then the second question I have for you, in the interest of time, is what are the unique identifiers that you are seeing creep up in some of this, this malware?

Mr. Russo. So, first of all, the council is a wonderful forum in which to share information. Companies give us feedback all the time as to what is going on. The forensic investigators tell us about trends that they are seeing, which all gets factored into creating these standards and making sure that they are not only good for today but good for what we see coming in the future. So, it has been our experience that the standards are very, very solid. We have a lot of history around this. I think we have heard two or three times, as I can recall, during the hearings this morning, that what we saw and what we continue to see are basic threats that are being exploited, very basic threats. You have heard me say, you heard Mr. Smith say, about passwords being used and so on; SQL injection is another one, lest I get technical here, very, very basic things. Within the standards now, there are a myriad of ways to prevent this from happening and to prevent malware, as sophisticated as it may be, from getting into the system.
So, at this point I don't have enough information in terms of what actually happened, but I can tell you, up until now, everything that we have seen in terms of these major breaches over the last 7 years has been exactly what the panel before us indicated, very, very basic exploits that easily, easily could have been defeated. So, until we actually have some solid information, as opposed to what we are reading in the newspapers, we really can't make a determination as to what happened and if the standards need to be updated.

Mrs. Blackburn. I hope you will come back to us. When you look at standards and compliance, and we know even going back to the T.J. Maxx breach, they were compliant, they just weren't secure, and there is a difference there. Mr. Mulligan, at Target, how much have you-all invested in secure networks?

Mr. Mulligan. Over the past several years, we have invested hundreds of millions of dollars. Part of that has been in technology: segmentation, malware detection, intrusion detection and prevention, data loss prevention. Part of that has been in teams. We have over 300 team members responsible for information security. Part of that is in assessment. PCI is one assessment that we do, certainly, as part of the payment card industry. But we are constantly assessing ourselves, having other third parties come in and do penetration testing, benchmarking us against others and benchmarking us against best in class. And we train 370,000 team members annually on the importance of information security, so we have a holistic view and we have invested significantly.

Mrs. Blackburn. OK. Mr. Kingston, how much has Neiman spent on security?

Mr. Kingston. So, we have spent tens of millions of dollars on very specific security measures, and as Mr. Mulligan said, it is really a combination of technology as well as people and process.
I think one of the things that we do at Neiman Marcus that is really important, that I think the subcommittee should think about, is the fact that we do annual security awareness training for all Neiman Marcus associates that access systems, and I think awareness is a big part of a strong defense.

Mrs. Blackburn. Yes. Well, my time has expired. I will yield back. Mr. Mulligan, I am going to submit a question to you for a written answer on the CVV security codes.

Mr. Mulligan. Happy to respond.

Mr. Terry. Thank you. And the Chair now recognizes another gentleman from Kentucky, Mr. Guthrie.

Mr. Guthrie. Thank you, Mr. Chairman. Thank you for coming. So, Mr. Russo, to follow up on what Ms. Blackburn asked, or you said, to answer her question, you said that these breaches, I guess the two that we are talking about today, were basic?

Mr. Russo. No, today's breaches, I don't know----

Mr. Guthrie. It could have been defeated?

Mr. Russo. We don't have enough information yet.

Mr. Guthrie. You said that basically it could have been defeated?

Mr. Russo. What we heard this morning from the other panel was all of the breaches up until now----

Mr. Guthrie. OK.

Mr. Russo [continuing]. Have been basic security exploits that could have easily been prevented, and we don't actually know what the situation is yet from the latest breaches.

Mr. Guthrie. OK. So, but because I knew that Mr. Kingston said that they had a zero detection rate by their software. It didn't sound basic. So, I mean, OK, I am willing to clarify what you said then. But based on what you do know, were Target and Neiman Marcus compliant with the PCI standards?

Mr. Russo. Unfortunately, they do not report their compliance to the council. The council, like many other security bodies, basically puts together the best standards that we possibly can. We are not responsible for enforcement or----

Mr. Guthrie. Right. I knew that.

Mr. Russo. Nor do people report their compliance to us.

Mr. Guthrie. OK. So, there is no----

Mr. Russo.
We have no insight as to whether or not they were compliant.

Mr. Guthrie. You can't assess whether they were meeting the standards or not.

Mr. Russo. Absolutely not.

Mr. Guthrie. So that is something to look at. So, one of the other previous panelists said basically, I can't remember the word, was retailers or business, but in essence she said in her testimony to get serious, it is time to get serious about this. You said you spent hundreds of millions of dollars, you spent tens of millions of dollars. How much do you think this incident in December and then January, first with Target, I know you are the CFO. I know you, as the information officer, you may not know, but what do you think this has cost your businesses in terms of dollars? Not on customer loyalty, customer anything, but just in terms of dollars.

Mr. Mulligan. We don't have insight into that yet. We disclosed publicly, probably 3 weeks ago, that the losses as a result of this incident would be material to Target. I don't have visibility. The primary driver here is fraud. I don't have visibility of that from the majority of the financial institutions, but what I can tell you is this: of the 40 million accounts that were taken, 6-and-a-half million of them, or 15 percent, were Target cards, and what we have seen is on our Target Red Card, the proprietary card, our Target debit card, there has been no additional fraud, and on our Target Visa card, which is a Visa card just like any other, we have seen very low levels of fraud. So, we will have more information as we go through the process.

Mr. Guthrie. So Neiman Marcus, what kind of expense or cost has this been to your business?

Mr. Kingston. We are still in the midst of our investigation, so you know, I don't have visibility to that yet.

Mr. Guthrie. And then, Mr. Smith, we are hearing from two Fortune 500 companies, very sophisticated companies, that have sophisticated systems in place, it appears, and they are still breached by very sophisticated criminals. So what about the small guy? I know that is kind of the area you look at: if you are where I get gasoline, gas at the pump at a small locally-owned station, what processes are in place for these guys?

Mr. Smith. Well, again, the PCI standards are across the board for any store that transmits or processes data. You know, the smaller merchants have a smaller platform to be attacked, right, so they are able to defend their smaller presence on the Internet. There are lots of, as Mr. Russo alluded to, basic security principles that they can put in place, relatively cheaply, to protect their network and their data. And there is a lot of information out there, including on our Web site, for the small merchants on what technologies they should be putting out there.

Mr. Russo. If I can interject.

Mr. Guthrie. Sure.

Mr. Russo. Being a small merchant is a very tough thing these days. You not only have to worry about shoplifting and somebody breaking into your store, but you now have to worry about data security. In an effort to make that a little bit easier, as Mr. Smith indicated, on our Web site we certify different solutions that they can go and choose. Not only do we certify different solutions in the form of payment applications, as well as POS devices that are secured and certified to be PCI compliant, but also, we train installers throughout the Nation so that a small merchant, as opposed to using his brother-in-law to help install a piece of software, can actually go out and pick somebody off this list to securely install this information for them. So we make it easier for the smaller merchant, but again, the small merchant area is a very, very big problem.

Mr. Guthrie. Because they would be a portal into a whole----

Mr. Russo. Absolutely.

Mr. Guthrie.
So one of the other panelists also said that there is a list of different things people can do, and they will do some, but they won't do the others. Is that the case with you? Did you look back and say, wow, there was something we should have known to do that we didn't do? Or is it, this was so sophisticated that it went around a very sophisticated system that you had. I guess I am out of time, I'm sorry. But one of the panelists earlier basically said that. Not necessarily your situation, but situations where there could have been a check box and they decided not to check it because it cost money. I mean, that is what she said. Not word for word, but is that what you all found to be the case, or has it been so sophisticated that you had everything in place and you say, wow, I can't believe they can get around that? Or did you find something obviously you should have found?

Mr. Terry. Go ahead. But then you are done, Brett.

Mr. Guthrie. OK.

Mr. Mulligan. Congressman, as I said, we invested hundreds of millions of dollars in technology and assessment. Part of the ongoing end-to-end review of our systems will provide facts when that is complete, and there will be learning, certainly, and we will respond to those learnings.

Mr. Guthrie. But there wasn't something obvious you didn't do that led to this?

Mr. Terry. Brett? Mr. Kingston, answer.

Mr. Kingston. I think at Neiman Marcus, we felt, and feel, very good about the high standards of security that we had in place, and that we continue to have in place. Obviously, there will be lessons learned out of this, and certainly one of the takeaways so far is that this is a very highly sophisticated attack.

Mr. Terry. Mr. Johnson, you are recognized for 5 minutes.

Mr. Johnson. Well, thank you very much, Mr. Chairman. And I, as I mentioned to the first panel, I spent my entire professional career as an IT professional. One of those stints was as the director of the CIO staff for U.S. Special Operations Command, and you don't have an environment that is any more concerned about network and computer security than our national security. I mean, that is paramount. So I understand the complexities that you folks have to deal with on a daily basis to address this, and I can empathize with the struggles that you have. Just real quickly, just a few questions. Mr. Mulligan, why hasn't Target joined the financial services ISAC, the Information Sharing and Analysis Center?

Mr. Mulligan. I don't know the answer to that specifically, Congressman. I can tell you we have a long history of sharing information with law enforcement as it relates to these types of threats, and we certainly believe that information sharing, a shared responsibility across all industries, is essential to dealing with this type of evolving threat.

Mr. Johnson. Is this most recent incident, has that given you thought to consider joining?

Mr. Mulligan. Certainly, Congressman, and in fact, as I stated earlier, we have implemented at least one step of that with retailers for information sharing, but yours is another that we are absolutely open to.

Mr. Johnson. What about large retailers like you folks? Do you think it is time for large retailers like you guys to consider having your own ISAC?

Mr. Mulligan. We absolutely believe that information sharing is important, Congressman, absolutely.

Mr. Johnson. OK, what about empowering law enforcement to share information with the private sector with respect to ongoing threats and attacks? Do you think that is important also?

Mr. Mulligan. We do. We have had an ongoing relationship with law enforcement at many levels and have enjoyed a great relationship with them historically, and certainly during this period of time as well.

Mr. Johnson. OK. Mr. Kingston, what are the systems that you had in place to guard against a data breach, and why did they fail in this case?

Mr. Kingston.
So Congressman, we had a multi-layered security approach and architecture in place, and I will just highlight some of the controls and different technologies. So we had network behavioral analysis and monitoring technology in place. We had network segmentation with the use of firewalls and controlled intrusion detection systems, two-factor authentication for remote access. We also deploy encryption technologies, and we also utilize tokenization as a method to protect and secure consumer information that is stored in our system.

Mr. Johnson. So, and that sounds pretty robust. I mean, it is the traditional kinds of things that folks do to provide network and data security. Why do you think those things failed, just the sophistication of the attack?

Mr. Kingston. So you know, with what we have learned so far, and again, there are still some important questions that we haven't answered in our investigation, but with what we have learned so far, it really points back to the malware being so sophisticated and customized to specifically evade those different technologies and detections. Just to give you an example, this particular malware was able to inject itself into known point-of-sale programs, so that it could disguise itself and continue to operate as if it was a normal program. And then it was able to delete itself and clean up its tracks, so very, very complex, very difficult to detect.

Mr. Johnson. Yes, yes. You have emphasized the sophistication of the attack. You just talked about that, even customizing the malware so it wouldn't be detected by today's current antivirus programs. Can the criminals always stay one step ahead of us like they appear to be doing in this case? Is that a battle we are going to face?

Mr. Kingston. Clearly, it is going to be difficult for us, both public and private sector. I certainly hope one day we get to a point where we can at least be on par, if not ahead of, the criminals.

Mr. Johnson. OK.
Does your recent experience equip you to try some different techniques? Have you guys started thinking about how do we make sure that they can't get through, and then once they get through, that we can detect them? Mr. Kingston. I think, undoubtedly, with the things that we are learning through this investigation with the help of our forensic teams and with the help of law enforcement, there are definitely going to be things that we can consider to help even further strengthen the security that we have in place today. Mr. Johnson. Sure. Well, I have a gazillion questions, Mr. Chairman, and I don't think you are going to give me a time to ask them so I will yield back. Mr. Terry. Not a gazillion, no, but we will let you have one more after everyone else if you want to stay. Mr. Terry. Mr. Bilirakis, you are now recognized for 5 minutes. Mr. Bilirakis. Thank you, Mr. Chairman, I appreciate it very much. And I appreciate the panel's testimony today. And thanks for your patience as well. Mr. Mulligan, thank you again for testifying. In your testimony, you note that December 16th and December 17th, you began notifying the payment processors and card networks, and on December 19th, made a public announcement regarding the breach; and is that true? Mr. Mulligan. That is accurate. Mr. Bilirakis. OK, all right. Given that 47 states as well as the U.S. and the U.S. territories have developed data breach notification laws, often with different requirements, standards of harm, and definitions of personally identifiable information, did you or your company find it difficult to navigate through these different standards? Mr. Mulligan. Our focus, once we realized the malware was on the system, we had two parallel tracks that we were pursuing. 
The first was to shut down the malware, and then assess what it was doing, and once we verify that it was taking payment card information, we wanted to notify the processors, and the brand so that they could begin their fraud deduction and fire up their fraud detection policy. The second path was on providing public notice as soon as we had the scope, we had actionable information for our guests, and had built the resources to respond what we knew invariably would be a significant call volume. Mr. Bilirakis. Well, again, I want to ask the question: Was it difficult to navigate this process since, what is it, 47 different States have different laws, and I know you are everywhere around the U.S. Mr. Mulligan. It is my understanding that the majority of those States' statutes provide for broad public disclosure. We provided broad public disclosure on the 19th. As I am sure you know, we were on the front page of every newspaper on December 20th, and so that was our approach. We also provided notice to 17 million guests by email for the guests that we had. Mr. Bilirakis. OK, should there be, in your opinion, a National standard with regard to notification, notifying customers? Mr. Mulligan. Certainly, one standard would be easier to follow than 47, but we complied with all 47 state statutes. Mr. Bilirakis. Thank you. Mr. Kingston, the same question, should there be a National standard as far as notifying customers? Mr. Kingston. I mean, I don't have an opinion on whether there should be a National standard. I would say that it is important that there be flexibility within whatever legislation standard you have, because I do think, as was noted in the first panel, these investigations, these events are different, and on a case-by-case basis, need to be handled differently. Mr. Bilirakis. Anyone else on the panel wish to comment on that? Should there be a national standard? Mr. Russo. Outside the purview of the counsel. Mr. Bilirakis. OK. 
Next question, in 2015, liability for fraud losses will be to shift from card issuers to merchants. Mr. Mulligan, you said you are accelerating chip technology for Target's red cards. Do you believe the switch to chip-and-PIN can save money in the long run? Mr. Mulligan. We have been advocates to moving to chip- enabled technology, and chip-and-PIN technology over a long period of time, and while it certainly doesn't resolve all of the issues, it is a significant step forward for our industry in ensuring that that data is safe. So we have been proponents. We are in the middle of rolling it out. We have 300 stores already deployed with guest payment devices, what we call, where you read the cards. We will finish that by the fourth quarter of this year, and early next year all of our credit products, the payment products we offer will also have chips embedded on them. Mr. Bilirakis. Very good. Will it save money in the long run? Mr. Mulligan. We believe so. Mr. Bilirakis. All right, very good, Mr. Kingston. Mr. Kingston. Sir, we are actively evaluating PIN-chip technology at Neiman Marcus, and we will certainly, if consumers are issued cards with PIN-chip in them, be ready and able to support those transactions. In addition, we are also looking at other technologies that can also protect Neiman Marcus consumers that shop online. We have a very robust online business which PIN chip doesn't necessarily address, as well as the growing trend for mobile payment transactions. So we believe that while PIN chip technology is certainly going to enhance security, that there are other solutions out there that we also will evaluate. Mr. Bilirakis. Thank you. Again, for Mr. Smith, do you believe it will save money in the long run? You know, the switch to chip and PIN? Mr. Smith. I can't really comment on the savings, but you know, any security technologies that can be deployed to protect cardholder data, you know, we would be supportive of. Mr. Bilirakis. Mr. Russo? Mr. Russo. 
I agree with Mr. Smith. Certainly, it will be yet another level of security that is important. Mr. Bilirakis. And that is our priority. Thank you very much, I appreciate it. Thanks for your question. I yield back. Mr. Terry. Thank you, Mr. Bilirakis. Now, you may think this is over, but we have agreed between us to have a second round. It is just that everybody has left but us two. So the lucky part is that you are only going to get two extra questions. So my question to you is going to be to Mr. Mulligan and Mr. Kingston, on specifics about audits and when they are done, and when you last did them before the breaches were discovered. Mr. Smith, I want you to answer it more not Neiman Marcus, or Target-specific, but what is appropriate for audits and when they should be done, and how frequently pursuant to your expertise and professional opinions. So with that, as I understand, the process or norms are that you do audits throughout the year on your security systems. So how often do you do those and when was the last time an audit was done on your security before you discovered the current hacks and malware that brings you before us today? And also, do those audits include password integrity and possible phishing, procedural process, or process deficiencies. Mr. Mulligan? Mr. Mulligan. We have a robust audit plan or assessment plan, I would call it more broadly. Certainly it starts with PCI assessment, which is done annually. It takes 9 months. We have that performed by a third party. That is one step. But beyond that, we have ongoing assessments, Congressman, penetration testing, assessing our technology, the people, the processes, the controls we have in place. It would be all- encompassing. And we have a multiple of those every year. We had a third-party global firm assess us against Fortune 100 retailers just last year and we were at or better than the technology deployed in those retailers. So it is an ongoing part of our data security program. Mr. Terry. 
So the other two parts of that, though, was when was the last one done, and does that also include password integrity? Mr. Mulligan. I am not sure. I can't give you the exact date of our last one. It would include password protection because it looks broadly at all of our processes. I am happy to get you a date. Mr. Terry. All right, thank you. Mr. Kingston. Mr. Kingston. Chairman, I will answer the last part of the question first. Our audits do address password integrity, but we have several different forms which we audit and assess our security controls, so I will start with periodic audits of IT general controls, which include password strength and controls. We also do a quarterly scan, a penetration scan of the perimeter to see what potential vulnerabilities or risks are coming into the networks as well as the internal networks. And then the last part of the assessment that I point out is under PCI. Mr. Terry. All right. Mr. Smith? Mr. Smith. You know, we conduct annual assessments under PCI for our clients all the time. In addition to that, working with our clients as partners, we do active penetration testing, active testing all the time depending on if there is an incident or if there is a security issue, or there is an area that they want tested. We are constantly going in and out of organizations, you know, frequently to test their systems. Mr. Terry. How often? Mr. Smith. I think it is going to depend on a PCI compliance. It is an annual testing. Mr. Terry. All right. Mr. Smith. But as part of that, we do frequent, you know, vulnerability scanning. Mr. Terry. OK. Mr. Smith. But again, if you are looking at beyond that, we are actively involved with many of our clients doing active penetration testing on an ongoing basis---- Mr. Terry. All right. Mr. Smith [continuing]. Through all of their applications. Mr. Terry. Thank you. Ms. Schakowsky, you are recognized. Ms. Schakowsky. Thank you. 
I really do want to thank the gentlemen representing Target and Neiman Marcus for your patience today and for coming here, as the chairman said, willingly, and sitting through a long hearing. So I think that should be noted, and for your openness and willingness to cooperate. But I have been disturbed, not necessarily by what you have done, but there have been some efforts in the courts to undermine the ability of government to actually act in the area of data security. Since 2002 the Federal Trade Commission has applied its enforcement authority under Section 5 of the FTC act to the area of data security by bringing legal actions against companies that fail to reasonably protect customer data. Last week the FTC announced its 50th data security settlement. But in the court, there is a case FTC versus Wyndham that is currently pending in the U.S. District Court for the District of New Jersey, and Wyndham is challenging the FTC's use of its unfairness authority to insist that companies have minimum data security standards in place. And an amicus brief has been filed by the Retail Litigation Center, an arm of the Retail Industry Leaders Association, which I know at the very least that Target is a member of, together with the U.S. Chamber of Commerce, the American Hotel and Lodging Association, and the National Federation of Independent Businesses, which are in support of that position. So I am just wondering from both of you, if you are part of those amicus briefs through these associations, and whether your companies agree with the position taken by Wyndham and that the FTC lacks authority to enforce reasonable data security measures. Mr. Mulligan? Mr. Mulligan. I can begin. I should first note, Mr. Chairman, to your question about the last assessment. We were found PCI-compliant on September 20th of 2013. To your question, I am not familiar with that. What I can tell you is that we are committed to making this right, and we are committed to engaging on this topic. 
And we are willing to do so independent of RILA. Target is willing to engage on this topic. Ms. Schakowsky. Thank you, Mr. Kingston. Mr. Kingston. So I am not intimately familiar with that legislation or those issues either, but---- Ms. Schakowsky. This is a court case. Mr. Kingston. And I apologize, I am not familiar with it. But I will tell you that Neiman Marcus supports having standards in place for data security and which is why we are actively a participant in the PCI standards and assessment process, and will often look to not only meet those, but exceed them. Ms. Schakowsky. Let me just finish in saying I hope both of you would just talk with your companies and see if you are part of something that would undermine the ability of the FTC to protect consumers in cases of data security breaches. Thank you. I yield back. Mr. Terry. And that does conclude all of our questions. You can start wrapping up, but we will probably submit questions, or at least every one of us have the right to send you questions. We will try and get those to you if there are any to you individually within 14 days, and ask the same amount of time to return an answer. Now, just some general business here. I ask unanimous consent to include the hearing record statements from the following four organizations: Credit Union National Association, Independent Community Bankers of America, National Retail Federation, Retail Industry Leaders Association. All of these have been shared with the minority, without any objection? Ms. Schakowsky. No. Mr. Terry. Hearing none, so ordered. Now, we are adjourned. Thank you gentlemen. [Whereupon, at 12:51 p.m., the subcommittee was adjourned.] [Material submitted for inclusion in the record follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] [all]