[Senate Hearing 113-305]
[From the U.S. Government Publishing Office]
S. Hrg. 113-305
SAFEGUARDING CONSUMERS' FINANCIAL DATA
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
NATIONAL SECURITY AND INTERNATIONAL TRADE AND FINANCE
of the
COMMITTEE ON
BANKING,HOUSING,AND URBAN AFFAIRS
UNITED STATES SENATE
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
ON
EXAMINING THE PROCEDURES FOR OVERSEEING DATA SECURITY AND BREACHES OF
DATA SECURITY BY THE UNITED STATES SECRET SERVICE AND THE FEDERAL TRADE
COMMISSION
__________
FEBRUARY 3, 2014
__________
Printed for the use of the Committee on Banking, Housing, and Urban
Affairs
Available at: http: //www.fdsys.gov /
______
U.S. GOVERNMENT PUBLISHING OFFICE
88-374 PDF WASHINGTON : 2015
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS
TIM JOHNSON, South Dakota, Chairman
JACK REED, Rhode Island MIKE CRAPO, Idaho
CHARLES E. SCHUMER, New York RICHARD C. SHELBY, Alabama
ROBERT MENENDEZ, New Jersey BOB CORKER, Tennessee
SHERROD BROWN, Ohio DAVID VITTER, Louisiana
JON TESTER, Montana MIKE JOHANNS, Nebraska
MARK R. WARNER, Virginia PATRICK J. TOOMEY, Pennsylvania
JEFF MERKLEY, Oregon MARK KIRK, Illinois
KAY HAGAN, North Carolina JERRY MORAN, Kansas
JOE MANCHIN III, West Virginia TOM COBURN, Oklahoma
ELIZABETH WARREN, Massachusetts DEAN HELLER, Nevada
HEIDI HEITKAMP, North Dakota
Charles Yi, Staff Director
Gregg Richard, Republican Staff Director
Dawn Ratliff, Chief Clerk
Kelly Wismer, Hearing Clerk
Shelvin Simmons, IT Director
Jim Crowell, Editor
______
Subcommittee on National Security and International Trade and Finance
MARK R. WARNER, Virginia, Chairman
MARK KIRK, Illinois, Ranking Republican Member
SHERROD BROWN, Ohio JERRY MORAN, Kansas
JOE MANCHIN III, West Virginia
Milan Dilal, Subcommittee Staff Director
Lindsey Johnson, Republican Subcommittee Staff Director
(ii)
C O N T E N T S
----------
MONDAY, FEBRUARY 3, 2014
Page
Opening statement of Chairman Warner............................. 1
Opening statements, comments, or prepared statements of:
Senator Kirk................................................. 3
Prepared statement....................................... 35
WITNESSES
William Noonan, Deputy Special Agent in Charge, Secret Service,
Criminal Investigative Division, Cyber Operations Branch....... 4
Prepared statement........................................... 36
Jessica Rich, Director, Bureau of Consumer Protection, Federal
Trade Commission............................................... 5
Prepared statement........................................... 43
Response to written questions of:
Senator Kirk............................................. 75
James A. Reuter, Executive Vice President, FirstBank, on behalf
of the American Bankers Association............................ 18
Prepared statement........................................... 48
Response to written questions of:
Senator Kirk............................................. 77
Mallory Duncan, General Counsel and Senior Vice President,
National Retail Federation..................................... 19
Prepared statement........................................... 54
Response to written questions of:
Senator Kirk............................................. 79
Edmund Mierzwinski, Consumer Program Director, U.S. PIRG......... 21
Prepared statement........................................... 63
Troy Leach, Chief Technology Officer, PCI Security Standards
Council........................................................ 22
Prepared statement........................................... 69
Response to written questions of:
Senator Kirk............................................. 81
Additional Material Supplied for the Record
Letter from the Independent Community Bankers of America......... 86
Letter from the National Association of Federal Credit Unions.... 88
Letter from The ClearingHouse.................................... 92
Letter from the Credit Union National Association................ 94
.................................................................
(iii)
SAFEGUARDING CONSUMERS' FINANCIAL DATA
----------
MONDAY, FEBRUARY 3, 2014
U.S. Senate, Subcommittee on National Security and
International Trade and Finance,
Committee on Banking, Housing, and Urban Affairs,
Washington, DC.
The Subcommittee met at 3:05 p.m. in room SD-538, Dirksen
Senate Office Building, Hon. Mark Warner, Chairman of the
Subcommittee, presiding.
OPENING STATEMENT OF SENATOR MARK R. WARNER
Senator Warner. I call to order this hearing of the
National Security and International Trade and Finance
Subcommittee titled, ``Safeguarding Consumers' Financial
Data.'' I am going to go ahead and introduce the two witnesses
now and then make a brief opening statement and see if Senator
Kirk is here to make an opening statement. Since we have got
two panels, if my colleagues do not mind, we will go straight
then to let our witnesses give their presentations because we
have got--this is a subject that has generated an enormous
amount of interest, and I am very appreciative of both the
panels.
In the first panel, we are going to hear from Mr. William
``Bill'' Noonan, who is the Deputy Special Agent in Charge of
Secret Service's Criminal Investigative Division, Cyber
Operations. In this position he oversees the Service's cyber
portfolio. He has over 20 years of Federal Government
experience. Throughout his career he has initiated and managed
high-profile transnational fraud investigations which involve
network intrusions and the theft of data and intellectual
property from financial institutions and Government systems.
Welcome, Mr. Noonan.
Ms. Jessica Rich is the Director of the Bureau of Consumer
Protection at the FTC. She has held a number of senior
positions at the FTC, including Associate Director in charge of
the Division of Financial Practices and Assistant Director of
the Division of Privacy and Identity Protection. She joined the
FTC as a staff attorney more than 20 years ago. Welcome, Ms.
Rich.
This is a subject that has garnered a lot of public
attention recently, and I think as somebody who spent still a
longer career in technology than I have in Government, this is
an area that I think is going to--we are going to see an
exponential rise in consumer interest, press interest, and
others as we try to get our arms around a challenge that is
only going to grow in terms of all of our lives.
In recent weeks we have heard of massive data breaches at
Target, Neiman Marcus, and other retailers. For example, at
Target alone more than 40 million cards were compromised, and
up to an additional 70 million consumers' other information was
taken. So not only were the cards taken, but people whose
cards' data was not taken, their data was compromised as well.
Let me make clear that while we will talk about these
particular retailers, this is not a witch hunt, at least from
my perspective, about any particular retailers' actions or
inactions. Quite honestly, I think we are going to see--and I
know from my role in the Intel Committee, this is a crime that
happens daily to financial institutions and retailers at a
level that, frankly, if most Americans realized, I think would
find rather confounding.
I at one point had a much longer statement, but, you know,
there are three areas that I think we need to focus on. As we
sort through this issue, we need to understand that we do not
need another--I do not need, at least--long-term fight between
the bankers, the retailers, and the card industry. Many of us
up here have gone through the challenges rightfully felt around
the interchange battles, but a repeat of that kind of delay in
getting a solution serves no one. The hackers in Russia, China,
Ukraine, and throughout the world are not waiting for America
to get its act together on this issue. They are continuing to
strike us every day.
To better protect consumers, our financial institutions,
the networks, and merchants should work together to continue to
innovate on antifraud technology. As I said, the public cannot
afford a year or multiple years of legislative battles like we
saw over interchange fees. Every minute of every day the
hackers and the cyber thieves are attacking our
vulnerabilities.
Second, as somebody who has spent a career in technology,
in many ways this is fundamentally a technology problem, and
technology can provide part of the solution. We have already
seen data that shows that the card protection system used in
Europe, the so-called chip-and-PIN system, is much more
effective than what we have at present in the United States, in
terms of the swipe system, in terms of preventing fraud at
point of sale. But we should not assume that any single
technology is a silver bullet solution. Technology, as we all
know, will continue to evolve on a weekly/monthly basis, and we
have to continue to stay ahead. As a matter of fact, we have
seen in Europe that while the chip-and-PIN system dramatically
decreased, for example, in the U.K. the amount of fraud and
cyber theft at point of sale, we saw a dramatic increase then
in online fraud and cyber attacks. So I hope we are able to
discuss technology solutions, not just chip and PIN, but as we
look, for example, on the online issue, I think there is
enormous promise in this emerging field of tokenization, which
can provide a more encrypted solution set not just for point of
sale but for other solution sets.
Let me say again we are not here to endorse any specific
technology product or services, but, again, I think this is an
area where we need great collaboration.
Third, Government has a role to play. Industry has a role
to play. But as consumers, we need to be more vigilant as well.
Consumer financial exposure is more limited with credit cards.
Here is industry personal debit. I will try to hold the numbers
back a little bit. But I have to tell you, until a few weeks
ago I did not realize that my debit card protections are not as
great as my credit card products. I will let the record show
that I do not show the numbers on the other side. But that even
with debit card protections, there are--with this challenge
around debit card protections, we have got to see if we can
perhaps look at raising those standards to at least equaling
credit cards. Debit card use has been growing like mad,
transactions tripling since 2003. And, again, I think we look--
I think about my kids who have debit cards, and large portions
of the underserved community use debit cards. They are going to
be a fact of life, and we have to figure out a way to sort that
through.
And, finally, I think while we talk about--one of the most
frightening things that I heard as I sorted through this and we
are thinking about cards and protecting consumer privacy, in
many ways we have focused so far on the challenge around
protecting credit cards and debit cards, but the real potential
exposure we have is if people can actually get into our bank
account or online transactions that we all do more and more
online banking and other services. That offers an area where
there are very few protections at this point and almost
unlimited liability for consumers.
So one of the challenges we have is, yes, we have got a
role for industry, we have got a role for Government, but we
all have a role as Americans to make sure you take that extra
protection to occasionally change your PIN number, to make sure
you never reveal your bank account information number, that you
constantly report if you feel like there has been instances of
fraud. This is a role that all Americans are going to have to
play a continued increased vigilance in.
With that, I will ask for any opening comments from my
friend Senator Kirk, and then we will go to the witnesses.
STATEMENT OF SENATOR MARK KIRK
Senator Kirk. I thank you for having this hearing, Senator.
Mr. Chairman, I would just put a face to this crime that we are
talking about. Albert Gonzalez--if you could hold that up--was
convicted in 2010 of stealing 40 million credit card records
that he made so much money off this he even bought his own
Italian island off the profits. He is now serving 20 years in
prison, and that is in line with the legislation that I will be
introducing that calls for a 25-year Federal minimum mandatory
for the theft of a million records or more, just to say to
whoever would do this in a massive scare, good-bye, you are off
to prison for a significant portion of your life. I am looking
for bipartisan cosponsors.
Senator Warner. Well, I think that the question of
enforcement has got to be an area that we focus on. I think
there will be some bipartisan interest in it.
All right. With that, again, I look forward to an exciting
and robust discussion. And, Mr. Noonan, if you want to start,
and then we will go to Ms. Rich.
STATEMENT OF WILLIAM NOONAN, DEPUTY SPECIAL AGENT IN CHARGE,
SECRET SERVICE, CRIMINAL INVESTIGATIVE DIVISION, CYBER
OPERATIONS BRANCH
Mr. Noonan. Good afternoon, Chairman Warner, Ranking Member
Kirk, and distinguished Members of the Subcommittee. Thank you
for the opportunity to testify on behalf of the Department of
Homeland Security regarding the ongoing trend of criminals
exploiting cyberspace to obtain sensitive financial and
identity information as part of a complex criminal scheme to
defraud our Nation's payment systems.
Our modern financial system depends heavily on information
technology for convenience and efficiency. Accordingly,
criminals, motivated by greed, have adapted their methods and
are increasingly using cyberspace to exploit our Nation's
financial payment systems to engage in fraud and other illicit
activities. The widely reported data breaches of Target and
Neiman Marcus are just recent examples of this trend. The
Secret Service is investigating the recent breaches, and we are
confident we will bring these criminals responsible to justice.
However, data breaches like the recent events are part of a
long trend. In 1984, Congress recognized the risks posed by
increasing use of information technology and established 18
U.S.C. Sections 1029 and 1030 through the Comprehensive Crime
Control Act. These statutes defined access device fraud and
misuse of computers as Federal crimes and explicitly assigned
the Secret Service authorities to investigate these crimes.
In support of the Department of Homeland Security's mission
to safeguard cyberspace, the Secret Service investigates cyber
crime through the efforts of our highly trained special agents
and the work of our growing network of 33 Electronic Crimes
Task Forces, which Congress has assigned the mission of
preventing, detecting, and investigating various forms of
electronic crimes.
As a result of our cyber crime investigations, over the
past 4 years the Secret Service has arrested nearly 5,000 cyber
criminals. In total, these criminals were responsible for over
$1 billion in fraud losses, and we estimate our investigations
prevented over $11 billion in fraud losses.
Data breaches like the recently reported occurrences are
just one part of a complex scheme executed by organized cyber
crime. These criminal groups are using increasingly
sophisticated technology to conduct a criminal conspiracy
consisting of five parts:
One, gaining unauthorized access to computer systems
carrying valuable protected information; two, deploying
specialized malware to capture and exfiltrate this data; three,
distributing or selling the sensitive data to their criminal
associates; four, engaging in sophisticated and distributed
frauds using the sensitive information obtained; and, five,
laundering the proceeds of their illicit activity.
All five of these activities are criminal violations in and
of themselves, and when conducted by sophisticated
transnational networks of cyber criminals, this scheme has
yielded hundreds of millions of dollars in illicit proceeds.
The Secret Service is committed to protecting our Nation
from this threat. We disrupt every step of their five-part
criminal scheme through proactive criminal investigations, the
defeat of these transnational cyber criminals through
coordinated arrests, and seizure of assets. Foundational to
these efforts are our private industry partners as well as
their close partnerships with State, local, Federal, and
international law enforcement. As a result of these
partnerships, we were able to prevent many cyber crimes by
sharing criminal intelligence regarding the plans of cyber
criminals and minimizing financial losses by stopping their
cyber criminal schemes.
Through the Department's National Cybersecurity and
Communications Integration Center, the NCCIC, the Secret
Service also quickly shares technical cybersecurity information
while protecting civil rights and civil liberties in order to
allow organizations to reduce their cyber risks by mitigating
technical vulnerabilities. We also partner with the private
sector and academia to research cyber threats and publish
information on cyber crime trends through reports like the CERT
Insider Threat Study, the Verizon Data Breach Investigations
Report, and the Trustwave Global Security Report.
The Secret Service has a long history of protecting our
Nation's financial system from threats. In 1865, the threat we
were founded to address was that of counterfeit currency. As
our financial payments system has evolved from paper to
plastic, now digital information, so too has our investigative
mission. The Secret Service is committed to protecting our
Nation's financial system even as criminals increasingly
exploit it through cyberspace.
Through the dedicated efforts of our Electronic Crimes Task
Forces and by working in close partnership with the Department
of Justice, in particular the Criminal Division and the local
U.S. Attorney's Offices, the Secret Service will continue to
bring cyber criminals that perpetrate major data breaches to
justice.
Thank you for the opportunity to testify on this important
topic, and we are looking forward to your questions.
Senator Warner. Thank you.
Ms Rich.
STATEMENT OF JESSICA RICH, DIRECTOR, BUREAU OF CONSUMER
PROTECTION, FEDERAL TRADE COMMISSION
Ms. Rich. Chairman Warner, Ranking Member Kirk, and Members
of this Committee, I am Jessica Rich, Director of the Bureau of
Consumer Protection at the Federal Trade Commission. I really
appreciate this opportunity to present the Commission's
testimony on data security.
In today's interconnected world, personal information is
collected from consumers wherever they go. From the workplace
to shopping for groceries, from our smartphones to browsing the
Web at home, virtually every action we take involves the
collection of information, some of it very sensitive. Many of
these data uses have clear benefits, but the recent spate of
data breaches are a strong reminder that they also create risks
for consumers. Hackers and others seek to exploit
vulnerabilities to obtain and misuse consumers' personal
information. And all of this takes place against the backdrop
of the threat of identity theft, a pernicious crime that harms
both consumers and businesses.
The Bureau of Justice Statistics estimates that over 16
million people were victims of identity theft in 2012 alone.
The FTC is committed to protecting consumer privacy and data
security in the private sector. Since our first data security
case in 2001, the FTC's data security program has been a
strong, bipartisan effort that includes law enforcement,
education, and policy initiatives.
The FTC enforces several laws that protect consumer data.
Under the FTC Act, the agency can take action against companies
that engage in deceptive or unfair practices, including
deceptive or unfair data security practices. The FTC also
enforces several laws that require special protections in
certain business sectors--in the credit reporting industry,
among financial institutions, and also among online services
for our kids.
In enforcing these laws and investigating patient data
security failures, the Commission recognizes that there is no
such thing as perfect security and instead examines whether
companies have undertaken reasonable procedures to protect
consumer data from the risk of identity theft and other misuse.
Since 2001, the FTC has used its authority to obtain
settlements with businesses--to obtain 50 settlements with
businesses that failed to provide these protections. The FTC's
best-known case may be its 2006 action against ChoicePoint, a
data broker that allegedly sold sensitive information about
more than 160,000 consumers to thieves posing as ChoicePoint
clients. The Commission alleged that ChoicePoint failed to use
reasonable procedures to screen prospective purchasers of
consumer data and ignored obvious security red flags, resulting
in at least 800 cases of identity theft.
Before ChoicePoint, the FTC brought actions alleging
security failures by such companies as Microsoft, Petco, Guess,
BJ's Wholesale, and DSW Shoe Warehouse. And after ChoicePoint,
the FTC has brought cases alleging security failures by such
companies as TJX, Card Systems Solutions, Lexis/Nexis,
LifeLock, CVS, Rite Aid, and HTC. Many of our cases spanning
over the course of 14 years allege similar, commonly known
vulnerabilities and security failures.
In addition to enforcement, the Commission promotes strong
data security through consumer education, business guidance,
and policy initiatives. For example, our Web site contained
guidance for consumers about what to do in the event of a
breach. And perhaps our most important education piece is our
guide to businesses about how to develop a strong data security
program.
Sitting here today with my colleague from the Secret
Service, I want to emphasize that data security is a shared
responsibility among many different entities and people,
including the different law enforcement agencies that work in
this area. The Commission has a long history of working closely
with other Federal and State agencies on this important issue.
For example, the FTC's LifeLock case was a joint action with 35
State AGs, and the FTC received assistance from 39 State AGs in
its case against TJX. We also worked jointly with the
Department of Homeland Security in our cases against CVS and
Rite Aid.
The FTC also coordinates with criminal enforcement agencies
such as the FBI and Secret Service. The goals of the FTC and
the criminal agencies are complementary. Criminal actions seek
to punish hackers and other intruders that steal customer data
while FTC actions focus on shoring up security protections at
companies to prevent intruders from getting inside in the first
place.
Let me conclude with a final point on data security
legislation. Never has the need been greater. In its testimony,
the Commission reiterates its bipartisan support for Federal
legislation that would strengthen the FTC's existing authority
governing data security and require companies to notify
consumers when there has been a security breach.
Thank you for the opportunity to testify here today. The
Commission looks forward to continuing to work with Congress on
this critical issue.
Senator Warner. Thank you. Thank you both.
I also should point out that last week I asked a question
of DNI Clapper. He had made an estimate that cyber attacks on
our economy were in excess of $300 billion worth of damage, and
that was a last-year report. I asked him, he says that number
is probably dramatically increased, and that was in public
testimony last week. Obviously that goes beyond just the
question of individual data breach. But this is an issue that,
again, I believe is going to grow dramatically.
I also understand, Mr. Noonan, that the Secret Service does
not want to weigh in on specific technology solutions, chip-
and-PIN, EMV, tokenization. But we are going to need your
cooperation at some point and guidance on how working with
industry and whatever standards come about that we have got the
most cutting-edge technology.
I guess my first question for you, Mr. Noonan, is: Why is
it that the Secret Service or even security bloggers are
oftentimes the first to know about these attacks? I understand
we have got industry PCI standards that are set, but, you know,
this news keeps floating out more. The Target breach, to my
understanding, originally floated from a blogger, and in one of
these blogs, Brian Krebs said that they first identified the
malware that was involved in the Target breach back in 2011.
Why is it taking us so long to respond? And is that some
constraint on you? Or is that not enough aggressive action from
industry?
Mr. Noonan. Sir, first you got into the fact that sometimes
the Secret Service knows ahead of time about these breaches and
we are able to bring it to the attention of different victims.
So the fact that we do that, it is through proactive
investigations where we are out sometimes ahead, determining
and looking at data as it relates to financial industries. It
is through partnerships that we have in the financial industry
sector that is able sometimes to bring us data where we are
able to go through and parse through that data, be able to find
out where information is leaking into the criminal underground
from. So, too, is the same way, I believe, that some
journalists are able to get hold of some of that information as
well.
You also brought up the malware and the fact that it has
been around since 2011. I think what we are discussing here is
that it is the type of malware. So it is not necessarily that
exact type of malware. Malware can be molded and changed per
attack. Of course, these attackers are molding malware so it is
not picked up through antivirus and through technical means
that general IT security folks would have. So these are very
sophisticated criminal actors that are not using just regular
malware. They are modifying that malware for each particular
high-tech attack when we are talking about an attack of this
significance.
Senator Warner. Well, I guess one of the things that I know
my colleagues will want to press on, too--this is both for you
and Ms. Rich. How do you get the standard right on when it
becomes the duty of the company or the financial institution to
report an incursion? You know, particularly since this evolves
all the time, and, you know, I know there are standards set,
but that has got to be constantly evolutionary. Do we have it
right? Do you need more tools? Do we need to do this in--I
believe we need to do this in collaboration with industry,
setting a regulatory process that would be static in an area
that moves this quickly. I would like to get you both quickly
to weigh in on this, and then I have got one last quick
question for Mr. Noonan. Ms. Rich, do you want to start?
Ms. Rich. Well, the Commission supports Federal standards
for both data security and breach notification. Right now there
are State laws requiring breach notification, but no standard
at the Federal level and no civil penalties. And while we have
tools and we are using them to enforce--to address data
security failures by companies, it would be extremely helpful
to have a Federal law requiring data security, not just
notification, with civil penalties.
Senator Warner. How do you make sure that laws can evolve
quickly enough so you do not--if you think about NIST or other
standards, it sometimes takes 7 years to evolve. This is a
field that changes on a monthly basis.
Ms. Rich. We believe that the legal requirements should
require a process for developing appropriate data security so
that the specific technical standards can evolve and perhaps be
implemented through self-regulation or industry standards. But
we do have one regulation in the financial area that is already
a model for this called the Gramm-Leach-Bliley safeguards rule
that really sets forth a process. You have to put somebody in
charge, you know, your chief technology officer. You have to do
a formal risk assessment. You have to then implement safeguards
in key areas of risk, such as employee training, network and
physical security, service providers, et cetera. And it sets
out a process like that, and we are able to use that as a tool
for enforcement without mandating levels of encryption and
things that change over time.
Senator Warner. Mr. Noonan, could you add--and I want to
respect all my colleagues' time. Could you also identify for
us--we saw in the Target public indications that it might have
been from Ukraine, but where some of these criminal activities
seem to be generating from? And then we will move to Senator
Kirk.
Mr. Noonan. Sure, sir. Many of these international,
transnational cyber criminals are attacking us from Eastern
Europe. I do not want to say that it is one country versus
another country. What we are seeing is that largely the cyber
criminal world is using the Russian-speaking language--I say
Russian speaking in the fact that they are using the Russian
language as an operational security. So that is the piece that
the criminal underworld is using to hide themselves from U.S.
law enforcement.
Senator Warner. Senator Kirk?
Senator Kirk. A real quick question for Mr. Noonan. You
describe the general Russian origin of a lot of these attacks.
Could you describe your international cooperation with Russian
law enforcement on this issue?
Mr. Noonan. There have been many events where we have
worked with the Russian law enforcement to some degree of
cooperation. There are times----
Senator Kirk. Vladimir Putin is not exactly our best
friend. Could you give a grade to the level of cooperation that
we have received for----
Mr. Noonan. Yes, sir. We do most of our work through the
Office of International Affairs and through DOJ's computer
hacking--or CCIPS, Computer Crimes and Intellectual Property
Section. And, generally, the cooperation that we deal with with
the Russian authorities is generally through that mechanism,
through the CCIPS 24/7 notification process to get the process
taken care of in the Russian Federation.
Senator Kirk. The only quick follow-up I would say, have
you had any extraditions from Russia?
Mr. Noonan. Negative, sir. We have not had any extraditions
from Russia.
Senator Kirk. Thank you, Mr. Chairman.
Senator Warner. Senator Warren.
Senator Warren. Thank you, Mr. Chairman, Ranking Member.
Thank you for holding this hearing.
All of us have constituents who are affected by these data
breaches, and I think it is clear that the data protections we
have in place now are not enough. In 2012, 16.6 million people,
7 percent of the adult population, in a single year were
victims of identity theft. It is a huge number. So I would like
to get a better sense of how these laws are enforced.
The FTC has authority to go after companies that engage in
either deceptive or unfair practices. I want to break those two
out, if I can.
Ms. Rich, can you describe what a company must do with
regard to its data security standards for the FTC to bring a
claim for deceptive practices?
Ms. Rich. Well, our deception authority focuses on making
statements or omitting information that is material, and so our
cases in this area generally involve statements that can be
express--you know, ``We encrypt our data to the highest levels
of blah, blah, blah''--or implied, ``We really care about your
data security, the security of your data, and if you give data
to us, nothing bad will come of it.'' And we look to see if
those claims are true by asking a lot of questions, getting
data, doing hearings with officials at companies, and
consulting with experts to determine whether those claims are
true.
Senator Warren. OK. Ms. Rich, let me just clarify this. If
a company's security standards are inadequate but the company
says nothing about them, then the FTC is powerless, at least
under its authority, to go after deceptive practices. Is that
right?
Ms. Rich. We have two prongs of our Section 5 authority,
and the other is unfairness.
Senator Warren. I am going to come to unfairness in just a
minute. I just want to find out how helpful ``deceptive'' is
for a company that has totally inadequate data protection
standards. And I just want to clarify. I think what you are
saying to me is if the company never says they have great data
protection standards, then the answer is, under the deceptive
prong, the FTC has no authority to go after this company. Is
that right?
Ms. Rich. That is absolutely right, and that is one of the
reasons that we are supporting general data security
legislation. But let me say we do also have unfairness
authority and----
Senator Warren. So I am going to come there.
Ms. Rich.----and we use our deception authority to look at
not just what is stated in a privacy policy, but what the
company may claim in the context of its interaction with
consumers, including implied claims such as a seal.
Senator Warren. OK. But under your authority to go after
deceptive practices, I understand that the FTC has settled
about 30 data security cases since 2002. That would be about 3
per year. So I think it is fair to say that is not very many
given the number of data breaches that we have seen over the
last decade.
Ms. Rich. Well, I would emphasize that there is not strict
liability for a breach. When a breach happens, we look at the
underlying practices and not whether there was a breach and
then we automatically bring a case. And I would also emphasize
that we believe our 30 deception cases and our 20 unfairness
cases provide very strong general deterrence as well as
specific deterrence, especially given the kind of remedies we
seek. And we do believe that our work in this area has brought
a lot of attention to the need to secure data and has made a
difference in raising the stakes. But we do need more tools.
Senator Warren. Well, so let us talk about that just a
little more. In addition to the 30 cases you have brought over
the course of a decade under deceptive practices, I just want
to ask you about unfair practices. Can you describe what a
company must do with regard to data security standards for the
FTC to bring a claim for unfair practices?
Ms. Rich. Well, we have a three-prong test that we need to
meet to use our unfairness authority, and one of those is
substantial injury. But in many of these breach and--well,
these data failure cases--again, it is not strict liability for
breach--we have met that standard and we, therefore, have
brought those cases.
Senator Warner. So I understand--and if I am understanding
this correctly, you are describing a fairly demanding standard
since, as you say, it is more than breach, more than the fact
that people have been injured, more than the fact that a
company had very lax standards. In fact, as I understand it,
there is a great deal--there is some question around the FTC's
authority in this area, which may be why you have used unfair
practices in only 20 cases over 10 years.
I just want to say I think this is a real problem that the
FTC's enforcement authority in this area is so limited. The FTC
should have the enforcement authority it needs to protect
consumers, and it looks like to me it does not have that
authority right now. Data security problems are not going to go
away on their own, so Congress really needs to consider whether
to strengthen the FTC's hand.
Thank you, Mr. Chairman.
Senator Warner. Thank you, Senator Warren. I think an
interesting line of questioning, and I do think, you know, we
oftentimes see--you may have a series of players in an industry
who are meeting those standards. The challenge is you may have
that one weak link, and the whole industry sector could be
infected because of the weak link. So I think there should be
some more ability to collaborate here.
Senator Johanns.
Senator Johanns. Thank you, Mr. Chairman.
Let me start out in the international front, if I could,
and maybe follow up on Senator Kirk's questions a little bit.
Is there any data available that would illustrate to us what
percentage of attacks come from someplace outside of the United
States? Is that data available? Either one of you. Go ahead,
Mr. Noonan.
Mr. Noonan. Sure, I am certain that it is. I will have to--
if you do not mind, I can respond back to you in writing at
some point.
Senator Johanns. Yes.
Senator Johanns. Just for the purposes of the hearing,
would it be the majority of attacks, do you think?
Mr. Noonan. I would say a majority of the significant
attacks, sir, are from outside our borders.
Senator Johanns. And to put a finer point on that, would
the majority of attacks then be coming out of Eastern Europe
that are foreign attacks?
Mr. Noonan. Yes, sir, that is the belief of the Secret
Service.
Senator Johanns. Now, in terms of the cooperation that we
get out of that part of the world, can you think of any case at
all where there has been an extradition from Eastern Europe
where a hacker was sent to the United States for prosecution,
any case?
Mr. Noonan. Yes, just recently we had a case out of
Romania.
Senator Johanns. Romania?
Mr. Noonan. Yes, sir.
Senator Johanns. Is that rare?
Mr. Noonan. With the Romanian authorities, we are working
very, very closely with them at this point. So it is not rare
on that occasion. But in other countries within Eastern Europe,
potentially it could be rare, yes.
Senator Johanns. What I am getting to--and I am not trying
to be coy here--is that it looks to me like Eastern Europe or
substantial parts of Eastern Europe are a sanctuary if you are
a hacker, because the chances of being sent over here to face
prosecution and conviction and jail time are probably
nonexistent. Would you agree with that statement?
Mr. Noonan. Yes, I would agree.
Senator Johanns. That is kind of a bad deal, no matter how
secure you are, because at the end of the day, if those folks
are not facing the possibility of prosecution, they are just
going to keep going.
Mr. Noonan. Yes. However, we do have some very strong
partnerships within some of the countries over in Eastern
Europe, which it is through those collaborative efforts that we
are making gains against a number of the cyber criminals. So to
say that we do not have cooperation in Eastern Europe is not
100 percent accurate.
Senator Johanns. Sure.
Mr. Noonan. It is through many of the different law
enforcement authorities that we do have a strong collaborative
effort in moving toward some of these cyber criminals and
identifying who these actors are and learning more about their
networks.
Senator Johanns. Right. Let me, if I might, focus on breach
notification, because I think from the consumer's standpoint,
that is critical. You know, as consumers we want to have the
ability to trace a hacker to Romania or wherever. But the one
thing that we do have is, if we are given notification, that we
have the ability to stop using the card or tear it up or notify
our creditors. We can be proactive.
Ms. Rich, how important would you say breach notification
is in our effort to protect consumers?
Ms. Rich. I think for the very reasons you say, it is
extremely important, which is why we support a law at the
Federal level with civil penalties.
Senator Johanns. How do we do that--and I do not want to
get into a sensitive area, but this is a sensitive area. As a
former Cabinet member, I can tell you I know we had millions of
records from citizens that contain sensitive information:
Social Security numbers, data of birth, residence address, on
and on and on. And I will also add that oftentimes the Federal
Government's security system is not the best. I wish it was,
but it is not the best. And it could be the health care law, it
could be the VA, it could be the Department of Agriculture, it
could be a whole host of things.
What mandate do we have on the Federal Government that if
my information, at whatever department, has been compromised,
somebody is going to let me know that?
Ms. Rich. You mean what laws govern the Federal
Government's collection of information?
Senator Johanns. Yes.
Ms. Rich. There are laws that require--a number of laws
that require data security among Federal Government agencies as
well as breach notification. I am not completely familiar with
the details of all of those, but I know, that if any breach
happens in my Bureau, who we are supposed to report it to.
Senator Johanns. Do you know of any breach notification
requirements in the health care law?
Ms. Rich. I am not familiar with all the details of the
health care law. But I did want to add, on the point you were
making about Eastern Europe, that because there are always
going to be criminals and they may be coming from countries
where it is very difficult to trace, that is why it is this
partnership, this joint effort among different approaches and
different agencies. We cannot just count on criminal
enforcement. It is very important that companies also shore up
their systems as much as they can against attacks. We need to
attack this problem from different angles.
Senator Johanns. Thank you, Mr. Chairman.
Senator Warner. Thank you, Senator.
Senator Tester.
Senator Tester. Thank you, Mr. Chairman. Thank you for
holding this hearing.
As long as we are talking about breach, we will flesh it
out a little more. The breach I think you were talking about
with Senator Johanns was between the financial institution and
the card holder. Is there any breach requirements between the
retailer and the financial institution or the retailer and your
office, Mr. Noonan, or your office, Ms. Rich?
Ms. Rich. There are State laws that require breach
notification that may apply to retailers, but there is no
Federal breach notification law.
Senator Tester. OK. So there are no breach requirements
across the board, whether it is to the card holder or between
the retailer and the banks, or the retailer and the
investigative services, or the banks and the investigative
services. There is no breach requirements across the board?
Mr. Noonan. Again, not that I am aware of.
Senator Tester. Could you tell me when the breach happened
on Target?
Mr. Noonan. The breach at Target is still an ongoing
investigation.
Senator Tester. No, but when did it actually happen? When
did the breach happen? Maybe it is an unfair question. When did
the actual attack to their database happen? What date?
Mr. Noonan. Again, it is an active investigation, so we
cannot necessarily get into the specifics at this point.
Senator Tester. So you cannot tell me how much time it was
before you found out about it to be able to start your
investigation and when the breach actually happened?
Mr. Noonan. No, I cannot at this point.
Senator Tester. It was a period of time, though.
Mr. Noonan. Actually----
Senator Tester. It was not immediate?
Mr. Noonan. It is through proactive--I will get back to it
in a moment if I can----
Senator Tester. I do not want to put you on the spot. You
can just say you could take the Fifth, if you want. It does not
matter.
[Laughter.]
Senator Tester. OK.
Senator Warner. Senator, it has been in the public at least
from, I think, November 27th to December 15th, and then there
was an announcement on December 19th.
Senator Tester. I got that. My concern is this: there needs
to be breach notification across the board so you can get to
the bottom of it, because I think time is literally money in
this situation. And if there is a breach that happens and that
retailer withholds the information, or for some reason the
banking institution may want to disclose information--I do not
know why, but--I do not know why either one would want to,
quite frankly. But you guys need to know about it immediately
so you can start finding out where the bad guys are that did it
if we are going to get to the bottom of it, right?
Mr. Noonan. Yes, sir.
Senator Tester. OK. Mr. Noonan, your testimony focused
really on the retail industry as a point of entry for the
criminals, and you highlighted investigations of a number of
retail networks where cyber criminals were able to install
programs to be able to capture information from retailers. And
it has been already talked about by the Chairman. There were 40
million cards, 70 million personal--people with personal
information that was given out. Could you tell me why a
retailer would be storing sensitive payment information on
their own networks?
Mr. Noonan. I do not know if--I do not believe in this case
information on the cards were actually being stored on the
network.
Senator Tester. So how did they get them, then? How did
they get the information?
Mr. Noonan. The information was being collected as the data
was going through the process.
Senator Tester. OK. I got you. So how did they get the 70
million?
Mr. Noonan. It was a heavy period of collection time in
which the data was being collected by the criminals.
Senator Tester. OK. So the fact whether this was encrypted
or not makes very little difference. I was under the assumption
that this was on a database, the information was not encrypted.
The folks that got into that database then encrypted the
information and took it out.
Mr. Noonan. There is more--I think you are getting this
from the media perhaps. There is more to the investigation--
Senator Tester. Of course.
Mr. Noonan. Correct. Right.
[Laughter.]
Mr. Noonan. Right, and again, this is an ongoing
investigation. I cannot talk about the specifics of exactly how
that was being done.
Senator Tester. OK. Ms. Rich, I want to talk a little bit
about the enforcement that you have. Right now, I mean
seriously speaking, of all the things you have to deal with, do
you have any tools to work with that really work?
Ms. Rich. We are doing a lot in this area. This is one of
our areas of priority. We are bringing enforcement. We are
doing education. We are using the bully pulpit----
Senator Tester. I got you. I am not being critical of you.
I am being critical of us.
Ms. Rich. Well, we do want more tools. We do want more
tools.
Senator Tester. Yeah, and when was the last time your tools
dealing with this issue were dealt with from a policy
standpoint? I am talking about has there been a revamp of your
tools dealing with data breaches in the last 10, 15, 20, 50
years?
Ms. Rich. We have received some new authority in this area,
including we do have a data breach law for a narrow class of
health entities, PHRs, personal health records. But for the
most part--and Gramm-Leach-Bliley was passed in 1999 or 2000.
But it has been awhile.
Senator Tester. OK. We obviously have some work to do, Mr.
Chairman. Thank you.
Senator Warner. You are ceding back 30 seconds?
Senator Tester. Efficiency, baby.
[Laughter.]
Senator Warner. Senator Menendez.
Senator Menendez. Thank you, Mr. Chairman. I appreciate you
holding this hearing. When these issues broke in December,
Senator Schumer, myself, and yourself signed a letter to the
Chairman of the full Committee asking for hearings, and I am
glad that your Subcommittee is leading on this. And I
understand the Chairman is going to broaden some of his call
for hearings and include this topic. So this is extraordinarily
important.
Ms. Rich, I have two particular lines that I want to
pursue. I think Senator Warren opened the door to something
that I think is incredibly important, which is: What role
should the FTC and the Federal Government create in standards?
It seems to me that whatever high standard exists in the
marketplace readily available in technology is one that we
would want to have companies follow in order to ensure the
security of millions of Americans' private information,
critical information to themselves, to their credit histories,
to retailers, to banking institutions. And so if a company--if
we set a standard that basically says look what is available in
the marketplace, we cannot expect a company that gets hacked
and was already using the highest standards available in the
marketplace to be held responsible. But if, in fact, there was
a standard that was available and that company or companies
were not using that standard, then we have to question whether
or not they made an investment decision not to go ahead and
expend the resources for that higher standard.
So it seems to me that part of the question is--and I know
that the private sector has largely worked on creating its own
standards, but is there a role for the Federal Trade Commission
and the Federal Government to set a standard that says, look,
whatever is existing in the marketplace that, in fact, can be
achieved to give the highest protection available should be the
standard. And if you do not pursue that standard, then you are
subject to consequences thereof?
Ms. Rich. Well, that is incredibly similar to the way we
think about it now when we talk about having reasonable
security. So reasonable security means you take into account,
you know, what is--what the risks are in your business, what
kind of--what the sensitivity of information you collect, how
much information you collect, and the cost and availability of
measures that are out there in the marketplace. So that is
exactly how we analyze it. And the good----
Senator Menendez. The question is: Does the industry
understand that they are going to be held to those standards?
Because I do not get the sense that there is an obligation per
se to be held to that higher standard.
Ms. Rich. Well, one of the limitations we have in our work
is we do not have civil penalties or the kind of sanctions that
are needed to provide the right incentives to focus on this
issue.
Senator Menendez. But if we set a standard--I want to get
to civil penalties in a moment, because I sent a letter to your
Chairwoman, and she responded to me in that respect. If we set
a standard that at least everybody has notice, here is what we
expect of you; if we do not set standard, then we have a more
amorphous process of deciding what is the right standard or
not. And, of course, we should have industry input into that
standard. But it seems to me that we should be setting a
standard, because if we set a standard, then we have notice,
the essence of due process, notice and opportunity to be heard,
and then we go away with a standard. So I would like to pursue
with the agency whether or not such a standard is important,
Mr. Chairman.
And, secondly, with reference to additional authorities, in
my letter to Chairwoman Ramirez asking about the Commission's
efforts in the past, I notice that there were never civil
penalties, even though there were very large breaches--not as
large as this one now, but large for their time. And it seems
to me that she agreed that the authority to impose civil
penalties would be a helpful tool to have in addition to
current authorities like consumer restitution and disgorgement
of ill-gotten gains.
I do not think that is something that you want to levy
against every company. I think that goes back to the standard.
If you have the standard and you are pursuing the standard, you
should not be subject to penalty. If you have a standard and
you are not pursing the standard, then civil penalties may be
an option.
Do you agree with that line of thinking?
Ms. Rich. It is very important to have civil penalties as
an available remedy to make sure there is both specific and
general deterrence when there has been a failure.
Senator Menendez. OK. And the reason, if I can, Mr.
Chairman, finally, you know, your testimony reasserts the
Federal Trade Commission's longstanding assertion borne out
through case history that Section 5 of the FTC Act covers
instances where a company fails to adequately protect consumer
data. This assertion is based on the commonsense premise that
customers have an understanding that companies will take
reasonable steps to protect their data and failure to do so
would be an unfair or deceptive practice. However, such
companies as LabMD and Wyndham Worldwide have been challenging
this assertion.
So I think that if that is the case, that now they are
going to challenge that assertion, it seems to me to call for
not just voluntary efforts but to create a standard and
consequences of that standard that can give Americans the best
security that they can hope for. And I look forward to working
with the Committee and with the FTC in that regard.
Senator Warner. Thank you, Senator.
One last comment. I know we probably all have other
questions, but we have got a second panel, unless anybody wants
to make one comment. Then if anybody has got a burning, burning
question, we will go to the second panel. Just, you know, one--
following up on Senator Tester's comments, you know, trying to
get the notion of your obligation to disclose when you have
been breached, I think sorting that through is going to be a
challenge, because there are so many attacks every day, and we
have got to set a standard somewhere that you cross a
threshold, so you do not want to--what I get concerned about is
that you do not want to create the old--remember the Homeland
Security color code system, which everybody proceeded to
ignore. There has got to be a materiality piece in here
somewhere.
Senator Tester. I agree with you. On the other hand, if a
business withholds that information because it is in the heart
of Christmas shopping season----
Senator Warner. Amen.
Senator Tester.----and it might affect their bottom line--
--
Senator Warner. Amen.
Senator Tester.----they need to be hung out to dry.
Senator Warner. Amen. Well, the other point, too, following
up on Senator Menendez, an earlier point you made to Senator
Warren I thought was an interesting one, where companies in the
past have, in effect, put a seal or put some kind of Good
Housekeeping Seal of Approval that may or may not be valid
really troubles me greatly. But I thank both the witnesses, and
we will move to the second panel. Thank you both.
[Pause.]
Senator Warner. If the panel does not mind, I am going to
go ahead and start introducing you even as you are in the
process of being seated. I am going to start introducing you
once my staff gives me your introductions.
Gentlemen, thank you. The first panel was focused on our
governmental witnesses. Now we are going to focus more on
industry and consumers.
Mr. James Reuter?
Mr. Reuter. Reuter.
Senator Warner. Reuter, sorry. I should know that, like the
news agency. He is Executive Vice President of FirstBank,
located in Lakewood, Colorado, where he has been since 1987. He
is also President of First Data Corps, which provides all IT
and operational support services for more than 110 locations.
Welcome, Mr. Reuter.
Mr. Mallory Duncan is Executive Vice President and General
Counsel of the National Retail Federation where he is
responsible for coordinating strategic, legislative, and
regulatory issues involving customer data privacy, bankruptcy,
fair credit reporting, truth in lending. He previously worked
for J.C. Penney and for the FTC.
Mr. Troy Leach is the Chief--excuse me. Why don't we do Mr.
Mierzwinski? Mr. Ed Mierzwinski is the Federal Consumer Program
Director and Senior fellow for the U.S. PIRG, Public Interest
Research Groups. He has worked in the Federal offices of U.S.
PIRG since 1989 and is recognized as an expert in the wide area
of consumer issues with an emphasis on financial services,
banking, credit cards, credit reports, privacy, and identity
theft. Thank you, sir.
And Mr. Troy Leach is the Chief Technology Officer for the
PCI Security Standards Council. This is the industry council
that is setting the standards right now. In his role, Mr. Leach
partners with industry leaders to develop comprehensive
standards and strategies to secure payment, credit card data,
supporting information. He has a long history in the private
sector working on IT issues.
Gentlemen, thank you all very much. You have got a panel
that is anxious to ask you questions, so, Mr. Reuter, why don't
you start? Then we will just go down the line and get to
questions.
STATEMENT OF JAMES A. REUTER, EXECUTIVE VICE PRESIDENT,
FIRSTBANK, ON BEHALF OF THE AMERICAN BANKERS ASSOCIATION
Mr. Reuter. Chairman Warner, Ranking Member Kirk, and
Members of the Subcommittee, my name is James Reuter, President
of Support Services at FirstBank in Lakewood, Colorado. We are
a $13 billion institution with over 115 locations and 2,000
employees serving Colorado, Arizona, and California. My
operation provides information technology, payment processing
services, a 24-hour call center, and electronic banking
services for 115 FirstBank locations. I appreciate the
opportunity to be here to represent the ABA.
Even with the recent breaches, our payments system remains
strong and continues to support the $3 trillion that Americans
spend safely and securely each year with their credit and debit
cards, and with good reason: Customers can use these cards
confidently because their banks protect them by investing in
technology to detect and prevent fraud, reissuing cards and
absorbing fraud costs.
At the same time, these breaches have reignited the long-
running debate over consumer data security policy. The banking
industry recognizes the importance of a safe and secure
payments system to our Nation and its citizens. We thank the
Subcommittee for holding this hearing and welcome the ongoing
discussion.
Let me be clear. Protecting customers is the banking
industry's first priority. As the stewards of the direct
customer relationship, the banking industry's overarching
priority in breaches like that of Target's is to protect
consumers and make them whole from any loss due to fraud. When
a retailer like Target speaks of its customers having ``zero
liability'' from fraudulent transactions, it is because our
Nation's banks are making customers whole, not the retailer
that suffered the breach. Banks swiftly research and reimburse
customers for unauthorized transactions and normally exceed
legal requirements by making customers whole within days of the
customer alerting them.
Beyond reimbursing customers for fraudulent purchases,
banks often must reissue cards to affected customers. For our
bank, this cost is $5 per card. In the end, banks receive
pennies on the dollar for fraud losses and other costs incurred
while protecting their customers. In fact, banks bear over 60
percent of reported fraud losses, yet have accounted for less
than 8 percent of reported breaches since 2005.
More needs to be done to stop this kind of fraud in its
tracks. Having a national data breach standard is an important
step in this direction.
In many instances, the identity of the retailer that
suffered the breach is either not known or oftentimes
intentionally not revealed by the source. Understandably, a
retailer or other entity would rather pass the burden on to the
affected consumers' banks rather than taking the reputational
hit themselves. In such cases, the bank is put in the position
of notifying their customers that their credit or debit card
data is at risk without being able to divulge where the breach
actually occurred. Often customers, absent better information,
blame the bank for the breach itself and any inconvenience they
are now suffering.
Consumers' electronic payments are not confined by borders
between States. As such, a national standard for data security
and breach notification, as contained in Senate bill 1927, the
Data Security Act of 2014, is of paramount importance. It is
critical that all players in the payments system, including
retailers, must improve their internal security systems as the
criminal threat continues to evolve.
Criminal elements are growing increasingly sophisticated in
their efforts to breach the payments system. This disturbing
evolution, as demonstrated by the Target breach, will require
enhanced attention, resources, and diligence on the part of all
payments system participants.
Let me make one final point. Protecting the payments system
is a shared responsibility. Banks, retailers, processors, and
all participants in the payments system must share the
responsibility of keeping the system secure. That
responsibility should not fall predominantly on the financial
services sector. Banks are committed to doing our share, but
cannot be the sole bearer of that responsibility.
Policymakers, card networks, and all industry participants
have a vital role to play in addressing the regulatory gaps
that exist in our payments system, and we stand ready to assist
in that effort.
Thank you, and I would be happy to answer any questions you
might have.
Senator Warren. [Presiding.] Mr. Duncan, please.
STATEMENT OF MALLORY DUNCAN, GENERAL COUNSEL AND SENIOR VICE
PRESIDENT, NATIONAL RETAIL FEDERATION
Mr. Duncan. Thank you, Senator Warren, Ranking Member Kirk,
Members of the Subcommittee. Collectively, retailers spend
billions of dollars safeguarding consumers' data and fighting
fraud. Most of the U.S. data breaches we have seen--whether at
retailers you have heard about or at banks and card companies,
about which you have heard less--have been perpetrated by
criminals. The companies are victims. We need to reduce fraud;
that is, we should not be satisfied with deciding what to do
after a data breach occurs--who to notify and how to assign
liability. Instead, it is important to look at why such
breaches occur and what the perpetrators get out of them so
that we can find ways to reduce and prevent not only the
breaches but the fraudulent activity that is often their goal.
In its comprehensive 2013 data breach report, Verizon
revealed that 37 percent of breaches happened at financial
institutions, 24 percent at retail, and the remainder at
others. It may be surprising to some given recent media
coverage that more data breaches occur at financial
institutions than at retailers, but that thieves focus on banks
because they have the most sensitive financial information.
Still, fraud is devastating for retailers in the United States,
and it is rising.
In 2012, the United States accounted for nearly 30 percent
of credit and debit card charges but 47 percent of all fraud
losses. Who bears this cost? Independent studies vary. They say
retailers bear anywhere from 90 percent to 40 percent of the
payment card fraud costs. We think a fair assessment is that
retailers pay about half.
Why is card fraud increasing? Thieves go where the rewards
are plentiful and easiest to obtain. Unfortunately, our card
payment system is outdated and rife with opportunities for
fraud.
Despite the billions of dollars spent by merchants in hopes
of becoming PCI compliant, we still must accept fraud-prone
cards that are so attractive to data thieves. Unlike the rest
of the world, U.S. cards still use a signature and magnetic
stripe for authentication. The fraudsters rely on our system
being so porous.
What the card companies effectively say to merchants is
that even though this sensitive information is visibly printed
on the card, even though security information can be lifted off
a magstripe by a reasonably sophisticated 12-year-old, and even
though signatures are a virtually worthless form of
authentication, it is your responsibility to guard that
information at all costs. Retailers work very hard to do it,
but the request does not really make sense.
What is needed is for the networks and banks to issue cards
that are not so easily compromised. At a minimum, we need to
replace the signature with a PIN and the magstripe with a chip.
Even that will not be state-of-the-art. After all, it is
technology that is three-quarters of a generation old. But
fraud dropped 70 percent when it was adopted in Britain, and
fraud is growing here because we have not. We must adopt both
PIN and chip. The PIN authenticates the card holder and, thus,
helps protect her and the merchant. The chip authenticates the
card to her bank. Together they greatly reduce fraud.
The banks know this combination is very powerful. They
promote it all over the world. Yet here in the United States
they are proposing signature and chip cards, ``chip and
choice,'' as one of them cutely calls it. It is an ineffective
half measure, the locking of the back door while leaving the
front door open. Why adopt a halfway measure? Merchants would
still need to spend billions to install new equipment to read
cards that would combine 1990s technology--chip--with 1960s
relic--signature--in the face of 21st century threats. Frankly,
if Congress is seriously concerned about protecting our payment
card system against fraud, it ought to do oversight of any
group that is seriously advancing this absurd solution.
There are additional changes to the system that would be
helpful and provide greater security. Point-to-point encryption
of data is one, but it relies on banks and networks being able
to accept encrypted data, and that has been a challenge.
Chips are more advanced than magstripes, but their
sophistication pales in comparison with a smartphone. Today
smartphones are mini-computers. They could enable state-of-the-
art fraud protection, and if payment platforms are open and
competitive, they will only get better.
As to legislative solutions, we lay out a number of
proposals in our written testimony. It is important, however,
that the Federal law should ensure that all entities handling
the same type of sensitive consumer information, such as
payment card data, are subject to the same statutory rules and
penalties with respect to notifying consumers of a breach
affecting that information.
In closing, three brief points are uppermost:
First, retailers take the increasing incidence of payment
card fraud very seriously. Merchants already bear at least an
equal, or often a greater, cost of fraud than any other
participant in the payment card system. We did not design the
system; we do not configure the cards; we do not issue the
cards. We will work to effectively upgrade the system, but we
cannot do it alone.
Second, the vast majority of breaches are criminal
activity. No system is invulnerable to the most sophisticated
and dedicated of thieves. Consequently, eliminating all fraud
is likely to remain an aspiration. Nevertheless, we will do our
part to achieve that goal.
And, last, it is long past time for the United States to
adopt PIN and chip card technology. If the goal is to secure
data and reduce fraud, we must, at a minimum, do both.
Thank you.
Senator Warner. [Presiding.] Mr. Mierzwinski.
STATEMENT OF EDMUND MIERZWINSKI, CONSUMER PROGRAM DIRECTOR,
U.S. PIRG
Mr. Mierzwinski. Thank you, Chairman Warner, Senator Kirk,
Members of the Committee. I am Ed Mierzwinski. I am a consumer
advocate, and I have been working on these issues for some
time. And my views I think are somewhat in line with the
merchants, but also somewhat not in line with the merchants.
First, the Target breach itself, I want to make one point
about that. The breach occurred with information that allows
fraud to take place on your existing accounts in the first 40
million consumers who were breached. The additional 70 million,
the information that was collected allows phishing attacks to
try to obtain more information to commit identity theft. But I
think the biggest risk to customers of Target is fraud on
existing accounts. So the provision of credit monitoring, which
they are giving for free but is normally an overpriced, junky
product, really creates a false sense of security. It will not
stop fraud on your existing accounts, and it will not stop
identity theft. It will simply tell you when your Experian
account has changed. It could be because of identity theft, or
it could be because of something else. But it will be after the
fact. But that is one point I wanted to make about the Target
breach.
The thing about Target, again, is that they are not at
fault completely. They are maybe in violation--and I have seen
different stories on whether they were or they were not in
violation--of the current highest PCI standards. We will know
that more after they have testified in the next few days. But
whether or not they were in violation of the PCI standards,
those standards are cobbled on to an obsolete technological
platform. It is like they are trying to put disc brakes on a
Model T, airbags on an Edsel. I mean, the merchants are being
asked constantly to add different bells and whistles to an
obsolete system from the mid-20th century. So that is a
problem. I think the banks and the card industry have a lot to
answer to with these problems.
I want to make a couple of quick points that are all made
in my testimony.
First, I was encouraged, Chairman Warner, when you
mentioned that debit card protections maybe should be
increased. We strongly support that idea. All plastic should be
equal. The zero liability promise the banks make is just a
promise. It is not the law. I only use credit cards. I never
use debit cards. The other problem, of course, with a debit
card is you lose money from your account. Until they complete
the reinvestigation, you could have other checks bounce.
Second, any reforms should be technology neutral and
technology forcing. You really should have a reform that
encourages continuous increasing in the uses of better and
better technology. And as Mr. Duncan pointed out, it should be
on an open platform, and competitors should be allowed to come
in. I think today if you look at the networks, the two big ones
are a duopoly. They have all the standard characteristics of a
duopoly. They seek excess rents. They do not like new
technology. They do not like competitors. And that has really
been a problem.
I think you should look at the PCI standard-setting body.
Do the merchants have adequate input into it? Do the prudential
regulators or the FTC have enough review of it? You should not
enact any new legislation that preempts State laws. If Congress
enacts a good enough law, it does not have to preempt State
laws. The States will move on. They will do other things. But
if Congress does not enact a good enough law, you need the
States as first responders, and my testimony goes into detail.
After 2003, when the FACT Act amendments to the Fair Credit
Reporting Act did not include adequate identity theft reforms,
46 States passed breach laws; 49 States gave consumers the
right to freeze their credit report. And so those were
important things that the States did. Whereas, every bill that
I have seen to some extent not only preempts any breach law,
which is their nominal purpose, but goes further and preempts
any right of the States to do anything in the future. And that
is really, I think, the wrong way to go.
Another point that we make in our testimony is that if you
do enact a breach law, it should be on an acquisition standard.
There should not be a harm trigger. The company that did not
protect my information should not be allowed to decide whether
or not to give me notice.
One point that I do not make in my testimony but I have
made in previous testimony before the Commerce Committee is
that I strongly support any effort to increase the FTC's
authorities, including the right to impose civil penalties for
a first violation.
Thank you for the opportunity. I hope to answer any
questions you might have.
Senator Warner. Mr. Leach.
STATEMENT OF TROY LEACH, CHIEF TECHNOLOGY OFFICER, PCI SECURITY
STANDARDS COUNCIL
Mr. Leach. Thank you. My name is Troy Leach. I am the CTO
of the PCI Security Standards Council, a global industry
initiative focused on securing payment card data. Our approach
to an effective security program is people, process, and
technology as key parts of data protection.
Our community of over 1,000 of the world's leading
businesses tackles security challenges from simple issues--for
example, the word ``password'' still one of the most commonly
used passwords--to really complicated issues, such as proper
encryption. We understand consumers are upset when their
payment card data is put at risk and the harm that is caused by
these breaches.
The council was created as a forum for all stakeholders--
banks, merchants, manufacturers, and others--to proactively
protect consumers' card hold data. Our standards focus on
removing card holder data if it is no longer needed. Our mantra
is simple: If you do not need it, do not store it. If it is
needed, then protect it through a multilayered approach and
devalue it through innovative technologies that reduce the
incentive for criminals to steal it.
Let me tell you how we do that. The data security standard
is built on 12 principles, everything from strong access
control, monitoring and testing networks, annual risk
assessments, and much more. This standard is updated regularly
through feedback from our global community. In addition, we
have developed other standards that cover payment software,
point-of-sale devices, and the secure manufacturing of cards.
And we do much more as well. We develop standards and guidance
on emerging technologies like tokenization and point-to-point
encryption that remove the amount of card data kept in systems,
rendering it useless to cyber criminals. Tokenization and
point-to-point encryption work in concert with other PCI
standards to offer additional protections.
Now, another technology, EMV chip, has widespread use in
Europe and other markets. It is an extremely effective method
of reducing card fraud in face-to-face environments. That is
why the PCI Council supports the deployment of chip technology.
However, EMV chip is only one piece of the puzzle.
Additional controls are needed to protect the integrity of
payments online, on the telephone, and in other channels. These
controls include encryption, proper access, response from
tampering, malware protection, and more. These are all
addressed within the PCI standards. Used together, EMV chip and
PCI standards can provide strong protections for payment card
data.
But effective security requires more than just standards
and technology. Without ongoing adherence and supporting
programs, these are only tools and not solutions. The council
makes it easy for businesses to choose products that have been
lab tested and certified as secure. The council's certification
and training programs have educated tens of thousands of
individuals, including assessors, merchants, technology
companies, and government. Finally, we conduct global campaigns
to raise awareness of payment card security.
The council welcomes the Committee's attention to this
critical issue. The recent compromises underscore the
importance of a multilayered approach, and there are clear ways
in which the Government can help, for example, by leading
strong law enforcement efforts worldwide, particularly because
of the global nature of this threat, and by encouraging stiff
penalties for these crimes. Promoting information sharing
between the public and private sector also merits your
attention.
The council is an active collaborate with Government. We
work with NIST, DHS, and many other Government entities, and we
are ready and willing to do more.
We believe the development of standards to protect payment
card data is something that the private sector and PCI
specifically is uniquely qualified to do. But global reach,
expertise, and flexibility of PCI have made it an extremely
effective mechanism for protecting consumers.
Now, the recent breaches underscore the complex nature of
payment card security. A multifaceted problem cannot be solved
by a single technology, standard, mandate, or regulation. It
cannot be solved by a single sector of society. Business,
standards bodies, policymakers, and law enforcement must work
together to protect the privacy interests of consumers. Today,
as this Committee focuses on recent data breaches, we know that
criminals are focused on inventing the next attack.
There is no time to waste. The PCI Council and business
must continue to provide multilayered security protections
while Congress leads efforts to combat global cyber crimes that
threaten us all. We thank the Committee for taking a leadership
role in seeking solutions to one of the largest security
concerns of our time.
Senator Warner. Thank you all, gentlemen.
I made this comment in my opening statement, but I would
like to make it again with you all sitting in front of me. It
is my strong hope that as we approach this issue, we recognize,
rather than pointing blame at each other, the only way this is
going to work to protect consumers and give them the confidence
they need is for the banking industry, the retail industry, the
card and the industry at large to actually collaborate
together. We do not need, I do not believe, another replay of a
multiyear legislative battle here when the hackers are not
going to take a timeout and American consumers are going to be
increasingly at risk.
Mr. Leach, in the spirit of your comments, we are going to
do a lightning round here, so I would ask you to keep your
comments as close to yes or no as possible, recognizing, of
course, that there is not a single technology solution but
seeing a dramatic decrease in Europe in terms of fraud at face-
to-face transactions when they moved to the chip-and-PIN
system. What do each of you think in terms of our country
moving to the chip and PIN as one step forward?
Mr. Reuter. We have embraced the chip technology. In fact,
the card networks have laid out a timeline that involves a
pretty strong incentive for the industry by October 2015 to
move there. And so as----
Senator Warner. Let us get to everybody else. Mr. Duncan?
Mr. Duncan. Mr. Chairman, I take to heart your comments
about not pointing fingers at each group. As I said in my
testimony, if we are actually to have effective protection, it
has got to be, as you said, PIN and chip. If you listen to the
response that was just given, it only mentioned the chip. And
as I said, that is closing the back door and leaving the front
door open.
Senator Warner. So it sounds to me you are saying yes to
full chip and PIN.
Mr. Duncan. Yes.
Mr. Mierzwinski. Yes, absolutely to full chip and PIN, not
chip and signature, but do not leave that as the ceiling. Make
sure that you can go more.
Senator Warner. Mr. Leach?
Mr. Leach. We are supportive of chip technology as well,
but keep in mind that information----
Senator Warner. As I learn this, I might want to make sure
I am getting it right. Chip is different than chip and PIN. Are
you supportive of chip and PIN?
Mr. Leach. We are supportive of chip and PIN. Any type of
authentication added on to chip technology is an important form
of authentication. It is important to keep in mind, though----
Senator Warner. OK. I got it, and I think that is great
progress today, everybody agreeing. I would concur with Mr.
Mierzwinski that--and I thought I was a relatively informed
consumer. I did not realize my debit card did not have the same
protections. And, you know, I think again about the fact that
where the growth of debit cards is coming is younger folks and
the underbanked community, who potentially are the most
vulnerable if they do not have these protections. It would seem
to me that equalizing cards on a same standard makes common
sense. Give me a reason why not. Anyone?
Mr. Reuter. As a practical matter, we invoke a zero
liability policy, so we today, if a transaction--if you did not
authorize it, you are not responsible for it.
Senator Warner. I do not want to get you in trouble with
the ABA, but is that an endorsement of equalization in the
truth in lending--truth in reporting----
Mr. Reuter. I believe that from a legislation perspective,
the way we are all performing as banks, I am not sure
additional legislation is needed, because we are adhering to a
zero liability policy as a matter of our business practice.
Senator Warner. Would there be no practical reason why you
would not want to have the same standard between different
types of plastic?
Mr. Reuter. There would be no practical reason.
Senator Warner. Mr. Duncan?
Mr. Duncan. We believe it is a good idea.
Senator Warner. Mr. Leach? And you get the last word.
Mr. Leach. And just to follow up on the point, I just want
to emphasize that chip technology is in the clear, so we still
need additional security protections to that. We are supportive
as well.
Mr. Mierzwinski. I would just add, Senator, that the issue
here is that the zero liability may not occur in all
circumstances. It may only apply to signature transactions, not
to PIN-based transactions. That is the question, debit or
credit, which confuses consumers at the store. Debit means
using a PIN. Credit means it is still a debit card but you are
using it on the signature-based credit card network. And, also,
I would look at the zero liability contract and say what if I
had two violations in a year, do they honor the second one?
Because some banks do not.
Senator Warner. Let me level down. I am interested and I
would like to hear more. I guess the last point I want to
make--I am not sure I am going to get a question out, but we
have focused on the challenges around the cards. I would make
the comment, though, that the cards actually do add an extra
layer of protection because of some of the network, because of
even the technologies that may not be fully up to snuff at this
point, versus what may be our real Achilles heel, which is
everybody's movement toward online financial transactions. I
think about the fact of how many of us pay our utility bills or
I pay college tuition online. In a certain sense, that is, if
people can get into that personal data information, that is
something that is there are no limits on in terms of an
individual's exposure. We are much more, I believe, vulnerable.
And, again, my time has expired, but I would simply say chip
and PIN, good step forward; equalization of cards, good step
forward; but continuing, again, the notion that Mr. Leach said,
recognizing tokenization and other abilities that are online
transactions, trying to put a level of protection is something
that I think needs a lot more study and work.
Senator Kirk?
Senator Kirk. Let me just follow up with Mallory. I agree
with you that Parliament has done a much better job than
Congress moving to chip and PIN. I was struck by your comment
that fraud was reduced in the U.K. by 70 percent by using chip
and PIN. For those of us who have lots of friends in the U.K.,
you will see them pull out a credit or debit card with a chip
in it and disparage the technological backwardness of the
United States.
Can I just ask you on behalf of the Retail Federation, how
much would it cost your members to move to a full U.K.-based
chip and PIN?
Mr. Duncan. Senator, we would have to replace all of the
card readers in the store. There are approximately 3.5 million
retailers in the United States. Many of them are just a one-
store location, one checkout place; others have a dozen on each
floor. So if you multiply that times approximately an average
of 1,000 or more per unit, you are talking several billions of
dollars in order to replace those, and, of course, some amount
of time.
Senator Kirk. And, in general, I took from your testimony
that the Retail Federation would support making that move.
Mr. Duncan. We absolutely would. In fact, some retailers
have already begun to install chip-and-PIN readers in their
facilities in hopes that the banks will do the right thing.
Senator Kirk. Mallory, let us identify the heroes. Who was
the first who did that?
Mr. Duncan. I cannot tell you who the first was, but they
tend to be the larger retailers who experience more
international clients, so like a Home Depot, for example, or
maybe a Best Buy.
Senator Kirk. Thank you.
Senator Warner. Thank you. I am very supportive of moving
toward chip and PIN. I would only point out, as I dug into the
data on the U.K., when we saw chip and PIN and face-to-face
transaction fraud drop dramatically, it was like squeezing a
balloon, and you saw online fraud in the U.K. shoot up, I think
something like 30 percent.
Senator Warren?
Senator Warren. Thank you, Mr. Chairman.
So I will just pick up on the same point about chip and
PIN. We understand why chip and PIN works better, and it seems
that we are years behind Europe in developing adequate
technology, technology we know is out there, but applying
adequate technology here in the United States.
So I was interested in your testimony, Mr. Leach. You said
that you think that standards are best left to private
organizations such as yours. That is what we have done, and we
are now way behind in technology and have become the targets
for data attacks from around the world. So why should we leave
this to organizations like yours?
Mr. Leach. Well, Senator, it is a very fair question to
ask. I think for us we look at standards being people, process,
and technology, and recognize that while we have not migrated
to chip, we have advanced fraud monitoring tools in the United
States, the best in the world, as well as looking at other
technologies that are more cost-effective for merchants to move
to, like tokenization and point-to-point encryption.
Senator Warren. I am sorry, Mr. Leach. Let me just make
sure I am following you here. I thought I had heard in this
conversation that we were uniform in our agreement that the way
we should go now is to chip and PIN. And you are telling me we
have other things we can do, which I am not disagreeing with,
but I am asking the question: Why have we not hit the basic
chip-and-PIN standard?
Mr. Leach. Well, I think, Senator, that question is
probably not for a standards body like myself. My role and our
role is to actually develop secure standards for what we have
today.
Senator Warren. Well, fair enough, but your testimony was
not just we have great standards if someone wants to adopt
them. Your testimony, as I understood it, was that the
standards should be left to private organizations and not to
Government to say you have got to meet the standards put out by
other organizations or developed in other ways. And so that is
the point I am pushing on. It sounds like to me we may need
some pressure from the Government to make sure that the
toughest standards are used.
Maybe I could ask the question of Mr. Reuter. Why has chip
and PIN not been adopted already in the United States?
Mr. Reuter. Well, I would like to comment on why the rest
of the world is ahead of us on chip. The United States has a
very robust telecommunications system. Years ago, in other
parts of the world, they did not have as robust of a
telecommunications system, so as a result, they deployed chip
technology to solve that problem. It was not driven by fraud
measures. Today, as we have seen more breaches at retailers and
different things, we are embracing the chip technology here in
the United States.
The reason I keep leaving out PIN is one of my concerns
with PIN data is it is a static piece of information. The chip
brings the dynamic data to the transaction, which is really
what renders the compromised data useless. The PIN is a static
element, so I would--I appreciate and support the ongoing
debate on chip and signature--but I would hate to delay the
deployment of chip technology on this one issue because it has
the biggest impact on fraud.
Senator Warren. Well, let me actually hit both parts of
your question to make sure that I fully understand your point.
I understand that Europe had reasons to go to chip early on,
but are you saying that the banks have just now discovered that
chip and PIN would be a more secure system? Or have they had
some reason to know that for many, many years now?
Mr. Reuter. You know, we have been working toward putting
chip technology in. The card networks laid out the timeline we
are working toward in 2011. There are 8 million retailers,
14,000 financial institutions----
Senator Warren. So was it only in 2011 that the banks
figured out that chip and PIN would be a more secure system?
Mr. Reuter. No, there were conversations before that, but
that is when the actual timeline was laid out.
Senator Warren. All right. But the Europeans have done more
to protect themselves than we have. Now, as to the question
about chip and PIN, why don't I just invite Mr. Duncan to weigh
in on that issue about whether or not chip and signature would
be a better approach.
Mr. Duncan. Well, signature is worthless. I mean, your
signature is on the back of your card right now. If you lose it
and a thief finds it, there is an exemplar there for them to
copy your signature. It is essentially worthless. If you are
going to have security, you have to have PIN.
As for the idea that they are slightly different systems
and, therefore, we should not use both, imagine putting up a
burglar alarm system in your house. You have one sort of
protection for the doors when they open and a second sort of
protection for the windows. Why would you say, ``Well, this one
works differently so I am not going to alarm the windows''? If
you want security, you have got to have the whole system. It
has got to be PIN and chip. And I am just flummoxed as to why
anyone thinks otherwise.
Senator Warren. Thank you.
It sounds like to me, Mr. Chairman, that the banks have
delayed, the retailers have delayed, the Government has
delayed, and the ones who have paid the price are the consumers
whose data are being stolen.
Senator Warner. Senator Tester.
Senator Tester. Thank you, Mr. Chairman. I am getting
conflicting data here. I have got a bank that employs some of
my constituents in Montana that had 7 percent of their debit
cards--now, we are not talking credit, just debit--7 percent of
their debit cards that were impacted by the recent breach. That
was only 12,000 cards. In their particular case, it cost them
about 5 bucks a card, $60,000, to replace them. That was just
to replace the cards. It did not include any additional costs
bearing the cost of monitoring fraud.
When this breach happened, I actually got a call from the
credit union that is located in the Hart Building--the credit
union that is located in the Hart Building, where we have an
account--and it said, ``Your account has been breached. We
think it would be wise if you issued a new credit card.'' We
were very appreciative of that, and they did. And so I actually
visited with somebody from the credit union who said it cost
about 30 million bucks, this recent breach on them. And that
does not include any of the fees that were back there, because
I asked the credit union, I said, ``If this card is used
somewhere else by somebody else and they ring up a charge, am I
going to have to pay for it?'' And they said no, they would
take care of it.
So the question is, and this is for you, Mr. Reuter: In
this particular case, what do you think the prospects are for a
particular bank or credit union in this case will actually get
reimbursed for fraud costs?
Mr. Reuter. You know, our bank, we reissued almost 65,000
cards, and that came as a result of us learning more about the
breach, but also customer demand. Our call center, we took an
extra 30,000 calls over a 3-week period. So the bottom line is
we have already invested quite a bit, and at the end, when all
the dust settles, we will get, at the most, pennies on the
dollar.
Senator Tester. Now, Target has said that they are going to
make sure that--let me see if I can get the right quote here.
They are going to make sure that customers are made whole and
have zero liability. Who is going to pay the bill? Is it going
to be Target, or is it going to be the banks?
Mr. Reuter. We as banks shoulder that responsibility. We
are the ones reimbursing----
Senator Tester. Does Target reimburse you then?
Mr. Reuter. No, they do not.
Senator Tester. What has been your experience on you
recovering fraud costs in other breaches, like the TJX case?
Mr. Reuter. My experience has been we recover very little.
Senator Tester. Pennies on the dollar again?
Mr. Reuter. Pennies on the dollar.
Senator Tester. OK. Let us talk about the cards here for a
second again. I mean, look, I love to pay in cash. I would even
rather pay in checks, but that is not the way it works a lot of
times. And so I end up using my credit card a lot. I am like
Mr. Mierzwinski--and sorry about the pronunciation of the last
name. I use credit cards almost exclusively myself.
If merchants--and this is for you, Mr. Duncan. If they are
concerned about fraud, and I think they are concerned about
fraud, what is preventing them from doing more identity checks
when you go to the checkout line? I have got to tell you, they
do not even ask to look at my signature anymore. They do not
ask for a credit card. They do not ask for anything. They just
take the credit card, they swipe it. And sometimes they do not
even take the credit card and swipe it. They say, ``You swipe
it.''
So what are the merchants doing to help prove identity at
point of sale?
Mr. Duncan. Well, one thing we would like to do is to have
a PIN authentication. That would be one thing----
Senator Tester. OK, but we do not.
Mr. Duncan.----that would help. Number two----
Senator Tester. Just a second. We do not right now. OK? I
think we can all agree there, here, we would like to go that
way.
Mr. Duncan. Right.
Senator Tester. We had a breach. You guys, everybody at the
table said they were concerned about it. Everybody up here is
concerned about it. If the retailers are concerned about it,
what are they doing to help stop the breach now?
Mr. Duncan. Well, as I mentioned in my testimony, we have
put--there is a lot in your question. I mentioned in my
testimony we have spent billions hardening the system so that
the bad guys cannot get in and pull out information.
Senator Tester. OK.
Mr. Duncan. We encrypt the information. In terms of
signature at the checkout, the card associations have told us
that we are not allowed to ask for information along with that.
Senator Tester. Oh, really?
Mr. Duncan. It is considered--I guess they consider it a
hassle of the consumer if we ask for additional identification.
Some merchants do it anyway.
Senator Tester. Yes. Well, they used to do it all the time.
Mr. Duncan. Well, unfortunately we are told we are not
allowed to do it.
Senator Tester. That is interesting. I want to talk about
the cost with the chip and PIN. Mr. Duncan, you had said $3
billion it would cost the merchants. There are a lot of small
merchant folks out there that--I mean, that is probably quite a
bit per machine. Who would pay the $3 billion? Is that going to
be picked up by the retail association? And does that have any
impact on your support for chip and PIN?
Mr. Duncan. We would have to pay for that equipment, so it
would come out of the retailers' bottom line. We would do it to
improve security. And I should clarify my statement. What they
have told us is that we may not reject a transaction based on
the signature. So looking at a driver's license, the signature
does not match, you still cannot reject the transaction. So to
be precise, that is what they have told us.
Senator Tester. OK. That would be interesting to flesh that
out some more, too, because that does not sound particularly
good to me. But you cannot ask for an opportunity to compare
signatures. I think that is where the key is in a card if I
lose mine and you pick it up and use it, they are going to
know--well, they are probably going to know it is not Jon
Tester.
Mr. Duncan. But if it is feminine handwriting, they would
still have to accept the transaction.
Senator Tester. I got you. Well, thank you, Mr.----
Senator Warren. You have not seen his handwriting.
Senator Tester. Yes, exactly. It is pretty bad. It used to
be worse when I was left-handed. Anyway, thank you very much,
Mr. Chairman.
Senator Warner. Before I move to Senator Menendez, just two
quick points. One, you mentioned credit unions. We have got
lots of interest. We have got testimony from credit unions,
independent banks, other organizations who have submitted for
the record. And I would also just point out to Senator Tester,
you know, that second security check at the checkout, though,
think about how many transactions are going where you are
automated now.
Senator Tester. That is what I was talking about.
Senator Warner. We have got to get a technology--I am not
sure that human interaction piece is going to be----
Senator Tester. Right. I mean, that is what I said. A lot
of times they do not even take the card. They just say, ``You
swipe it.''
Senator Warner. Or you go to the grocery store and you
check out without a person.
Senator Tester. That is true. We do not have a lot of those
grocery stores.
Senator Warner. I am not going to ask you the price of
milk.
Senator Menendez?
Senator Menendez. Thank you, Mr. Chairman.
You have had a big discussion here on chip-and-PIN
technology, which has been around more than a decade. It is
widely used in Western Europe and other areas outside the
United States. So I see that several of you in your testimony
caution against adopting a similar standard by law that would
lock in any specific technology. However, even if we do not
adopt a Federal legal standard that favors one technology over
another, couldn't we still have a standard based on
performance? In other words, at what point should it be
considered an unreasonable security risk for a company not to
be using chip-and-PIN technology or something that performs
equivalently? Mr. Mierzwinski?
Mr. Mierzwinski. Well, Senator, I think my testimony, we
definitely say we should not adopt a specific standard, but I
certainly think, from what I understand--and I am not the
world's biggest expert on the tech--that chip and PIN is a
higher standard than chip and signature. So if you have a
technology-forcing standard, a performance standard, that chip
and PIN meets, I think that is a good way to go as long as it
is an open standard that encourages more and better technology
to come forward.
Senator Menendez. What about the banks and the retailers?
Mr. Reuter. You know, setting a specific technology
standard I would agree is not a good idea because of how
quickly the fraudsters keep changing and adapting. But as far
as setting standards that we all do the best we can with the
technology available, I think that that is fine.
Mr. Duncan. We would like our partners in this to do the
right thing and to adopt PIN-and-chip technology. However, as I
mentioned earlier, a number of retailers are already beginning
to explore mobile as a possibility, and we want to be careful
that Congress would not do something that might slow down that
transition to even more secure systems in the future.
Senator Menendez. Yes, well, that is why I am saying not
supporting a specific standard. I get the sense everybody is
worried about what Congress will do. We are worried about what
you all will do. I sit here and listen to the banks say
retailers should have more liability. I sit here and listen to
the retailers say banks should have more liability. In the
interim, the only entity that potentially is getting screwed
with all of their financial data and security is consumers. So
we have to have a different paradigm as to how we get here. And
so it seems to me, as I was posing the questions to the Federal
Trade Commission representative before, that creating some type
of standard that does not necessarily lock you into a
technology that may be in time, you know, a dinosaur but does
ultimately create a standard of responsibility is important for
both the banks and the retailers at the end of the day.
Now, I know that the industry, the card industry, likes
setting its own standards. I understand why. But at some point
there is a responsibility here to the consumers and to the
economy, because it is not good for retailers, it is not good
for banks when we have data breaches at the end of the day. And
it is not good for the card companies in terms of the
confidence in people who put it on their credit card.
So I would like to hear from Mr. Mierzwinski, you ask in
your testimony whether Federal regulators should have a greater
role in setting security standards. And, Mr. Reuter, in your
testimony you raise the question of whether we should have a
national standard that applies by force of law versus simply by
the force of contract to all parties in the chain of possession
of consumer financial and payments data. Isn't that really part
of the goal here so that we can have a standard that then can
be applied and that ultimately we can make judgments? Look, if
you met that standard and there is a data breach, there is
nothing more you could do. I mean, you know, you did all the
things that you could. But if you do not have a standard, we
never know what is the right engagement by both the banks and
the retailers in protection of consumers.
Mr. Mierzwinski. Well, Senator, I understand that you are
conducting an ongoing series of hearings. On Thursday the
regulators are coming in, and I think it is useful to ask them,
Should there be a Federal performance standard, as you point
out, a Federal performance standard that is enforceable by the
regulators? Should the regulators have the authority to look
at--and maybe they do already, and maybe they are already doing
something here, but they have not told me about it. Shouldn't
they have the authority to determine whether any industry
standards body, any voluntary industry standards body is
performing adequately to protect the safety and soundness of
the financial system? So, yes, I agree.
Senator Menendez. Yes, Mr. Reuter?
Mr. Reuter. Senator, we as a banking institution already
have to comply with a number of data security standards in the
Gramm-Leach-Bliley Act. It is not only something that is
written and we have instant response, but we are examined on it
on a regular basis. So as an industry, that is why we are not
opposed to setting standards. We are already obligated to
follow standards today.
Senator Menendez. And that may be different than what the
Federal Trade Commission might determine would be the standard
more broadly, but I appreciate that in Gramm-Leach-Bliley.
May I have one other question, Mr. Chairman, one final
question? And it goes to you, Mr. Mierzwinski, as a consumer
advocate here. You know, we have seen an economy that is
increasingly data driven in terms of companies collecting,
storing, processing even greater quantities of consumer
information, often against consumers' wishes or even without
their knowledge. The financial service industry, for example,
we hear stories about lenders data mining sources like social
media to help them form underwriting decisions on consumer
loans. Companies aggregate more data. The consequences of a
breach or improper use become greater as the risks expand
beyond simple fraud to identity theft and other hardships.
Target experienced breaches of at least two kinds of
customer information: payment card data and personal
information, such as names, email addresses, and phone numbers.
What if the next breach involves information like purchase
histories or Social Security numbers?
So my question is: Are you concerned about the rise of big
data? And what can we do to give consumers greater control over
their data, reduce the chances of a breach, and minimize the
harm to consumers if a breach occurs? And should we be putting
limits on what companies can store without a consumer's
affirmative opt-in?
Mr. Mierzwinski. Well, Senator, you have raised a question
that I could talk about for about an hour, 2 hours.
Senator Menendez. I am sure the Chairman would not want you
to do that.
Mr. Mierzwinski. I will not. But at the end of my
testimony, I refer to a recent Federal Trade Commission
comprehensive report on privacy and also to a Law Review paper
that I have written on this very subject of big data being used
for financial decisionmaking. And as Mr. Duncan pointed out,
much of the big data that has been collected is now starting to
be collected in the mobile landscape as well. So in addition to
credit card information, in addition to personal information
about the kinds of things that you buy with your cards, we also
now know where you are and what you are doing at any particular
time, and that new locational data is something that I think
Congress should look at as well.
But I would be very happy to talk to you about this
Internet ecosystem. It used to be that you had a bank and you
had a merchant and you had a credit bureau that had information
about you. And there were direct marketing companies, to be
sure, but they did not have very much information, and they
were not connected. There are hundreds of interconnected if not
thousands of interconnected business-to-business companies on
the Internet buying and selling information about you today and
auctioning you off in real time to the highest bidder. Many of
them are predatory lenders, the highest bidders. There are
companies on the Internet called ``lead generator sites'' that
I would encourage the Committee to just hold a hearing on lead
generation. You type, ``I want a loan,'' on the Internet. You
are taken to a site that just bids you out to the highest
bidder. Not the lowest bidder, the highest bidder.
So there is a lot of work that needs to be done. Consumers
need greater rights. There are some bills that address parts of
it, and we would be happy to talk further on it.
Senator Menendez. Mr. Chairman, I can see that there can be
some value, even to consumers, to have some degree of
information. But by the same token, I am increasingly concerned
about the degree, the depth, the breadth, and scope of where
that information is, and finding the right balance here I think
is incredibly important.
I thank the Chair for his indulgence.
Senator Warner. Well, let me thank the witnesses and thank
my colleagues.
A couple of closing comments. One is I do think I would
make my point for the third time. You know, we are just the
first of what was going to be a series of hearings. The
American public is very, very concerned about this issue, and
we can either do it in a collaborative fashion, or we can do it
in an adversarial fashion. And I am not even saying so much
Congress versus industry and consumer groups, but you all
collaborating together is terribly important.
I think we have seen today actually that across the panel
there was a sense that we need to move aggressively to chip and
PIN. I tend to agree with Mr. Duncan. I cannot imagine chip and
PIN versus chip and signature where you have automated systems.
It seems like Beta versus VHS. And a little bit of that in the
sense that--I think Mr. Leach made this point, and I want to
re-emphasize it. As I learn more, chip and PIN is not a
declaration of victory. You know, I would point back to the
U.K. circumstance where the point-to-point fraud went down, but
online fraud went up. And I think we have not seen the
potential vulnerability we have all for online transactions. I
was a technology guy, but boy, oh, boy, we have no consumer or
financial protections at all in that space.
Also, Mr. Mierzwinski, I think you may have gotten a win
today since I think they all agreed to increase the Truth in
Lending Act to equalize all cards to an equal standard. So
maybe we made some small progress as well.
I would just close out my comments with, you know, two
points.
One, if we think about this more holistically, I do think--
and I am just starting to learn this notion of tokenization and
some of these other things so that there is encrypted data
regardless of where your transaction takes place, is something
that we need to think through. And I am sensitive to Mr.
Duncan's members' concerns that, you know, you do not want to
go out and buy a terminal that is going to be outdated 6 months
or a year from now, so how you keep that in some kind of open
system so it cannot be cobbled on is something that makes
sense.
An issue we did not even get to--and I think Senator
Menendez raised it near the end, kind of not just broadly about
folks' access to our data, but whoever has the data, how is it
going to be kept secure? Wherever it stands in the financial
system or in our system, you know, what are the obligations to
keep that information in a secure fashion? Again, a topic that
is going to be--that we will come back to.
So I again want to thank my colleagues. I thank both the
first panel and the second panel. I go back to General
Clapper's comments that this was--his estimate was a $300
billion hit to our economy last year, and it is dramatically
going to be higher. We need to get ahead of this, and I look
forward to working to find those solutions. Thank you all.
And, again, these letters will be added.
Senator Warner. The hearing is adjourned.
[Whereupon, at 4:52 p.m., the hearing was adjourned.]
[Prepared statements, responses to written questions, and
additional material supplied for the record follow:]
PREPARED STATEMENT OF SENATOR MARK KIRK
I am very pleased to be having this hearing today. There has
obviously been considerable attention drawn to the issue of data
security recently, with a number of data breaches occurring at several
large retailers across the country. I am especially troubled because
these breaches have had such a widespread impact--consumers being hit
from all sides and with the more recent breaches impacting what is
possibly one-third of the U.S. population. I think we have reached an
inflection point. In the more recent data breaches, my constituents in
Illinois and across the country were targeted at one of the busiest
holiday shopping times, necessitating these individuals to replace
cards and sign up for additional credit and identity monitoring--not to
mention cope with substantial consumer anxiety.
Further, impacts are not only felt by consumers when a merchant is
breached, but also by any number of other third parties, including
banks whose customers shopped at the retailer. I have had one community
banker in Illinois tell me that the recent Target data breach will cost
their company roughly $100,000, and another regional bank has told me
that they expect to lose millions for card replacement as well as
millions for fraud. My bankers in Illinois tell me that nearly every
Illinois bank had at least some credit and debit cards compromised by
the breach, with about one-third of customers in State experiencing
fraudulent account activity. As a result, Illinois banks had to replace
large numbers of debit and credit cards, costing thousands in card
replacement and fraud costs. While these are substantial, we know that
any merchant that experiences a breach also suffers from brand damage,
lost revenues, legal fees and other costs.
I do think it is important to view these breaches as criminal
attacks and any entity that is breached as victims. It is also well
known that these criminal hackers are persistent and when one technique
is thwarted or secured against, these criminals will discover and
create new and even more cryptic techniques with which to wreak havoc.
However, I am hopeful that through this hearing, we can move beyond
being ``victims'' to understand what other safeguards can be taken. We
all saw and experienced the massive ramp up in national security
reforms post the September 11th terrorist attacks. While our country is
not completely without susceptibility, the United States has become
much safer over the past decade and continues to constantly evolve in
its security efforts to keep harm at bay.
While similar security efforts have been made in the cyber space, I
don't believe it has been quite as extensive--and there is most
definitely cause for considering whether we need to broaden the sphere
of those responsible for greater cyber security.
According to the Identify Theft Resource Center, more than 4,200
breaches have occurred since 2005 exposing more than 600 million
records, and in 2013 there were more than 600 reported breaches--an
increase of 30 percent over 2012 and the highest number of recorded
breaches since 2005.
In reviewing the spike in breaches, it is notable that the highest
number of breaches occurred in the healthcare sector, at 43 percent and
the business sector, which includes merchants, which accounted for
roughly 34 percent of the reported breaches. Banks, credit and the
financial sector accounted for only 4 percent of all breaches and less
than 2 percent of all breached records.
After some of the more recent data breaches at retailers, there
were claims made and questions asked whether the banks should have
updated their technologies--specifically through the use of ``chip and
pin''. While I look forward to hearing from the witnesses about these
and other protective measures industry can undertake to make the system
safer and more sound, I also understand that in several of the most
recent cases, chip and pin technology likely would not have prevented
these breaches. Just as with national security, this is a shared
responsibility of a number of parties and it is critical that all
parties that handle this sensitive personal information take all
possible steps to ensure that information is kept safe.
Through the Gramm-Leach-Bliley Act, Reg. E, the Fair Credit and
Reporting Act (FCRA) and a number of other regulatory requirements,
some of the Nation's most vulnerable institutions--namely banks and
financial institutions that house valuable and sensitive information--
have taken extraordinary measures to keep up with the ever present and
ever changing threats in the cyber security world. In addition to
heightened standards, banks also face penalties, such as prompt
corrective action, fines and other penalties often before a breach has
occurred--just for being noncompliant.
I think all of these heightened standards and oversight is the
right approach--financial institutions should have some of the highest
cyber security measures in place to protect American consumers and the
financial system. However, I think it is also appropriate to consider
if other entities that either store or handle the same type of
sensitive information should come under the same scrutiny and oversight
to protect consumers.
I hope to explore whether we should expand this ``sphere'' of
scrutiny and bring greater oversight and accountability to other
businesses and entities that have access to and in some instances store
large amounts of consumer data. Some of these considerations might
include whether the Federal Trade Commission (FTC) needs additional
regulatory authorities, including the ability to require heightened
standards as new threats emerge, additional oversight authority and the
authority to utilize penalties for those entities found noncompliant. I
also would like to explore whether our witnesses believe that creating
a merchant/retailer ISAC (Information Sharing and Analysis Center)
would help in preventing these breaches or, at a minimum, if an ISAC
could effectively prevent the spreading of these threats to other
merchants.
Finally, while industry must be vigilant and constantly evolve to
protect itself and U.S. consumers, we also must look at the role of law
enforcement in cyber security to see what else our Nation's law
enforcement community needs to effectively combat these threats. Part
of this may mean exploring what the Administration, Congress and
Federal agencies can do to incite international cooperation, especially
in areas where these criminal cells seem to exist. We also need to
ensure that our criminal statutes are updated to bring stiff sentences
to those engaging in these cyber crimes. Thank you again and I look
forward to hearing from our witnesses.
______
PREPARED STATEMENT OF WILLIAM NOONAN
Deputy Special Agent in Charge, United States Secret Service
Criminal Investigative Division, Cyber Operations Branch
February 3, 2014
Good afternoon Chairman Warner, Ranking Member Kirk, and
distinguished Members of the Committee. Thank you for the opportunity
to testify on the risks and challenges the Nation faces from large-
scale data breaches like those that have been recently reported and are
of great concern to our Nation. The U.S. Secret Service (Secret
Service) has decades of experience investigating large-scale criminal
cyber intrusions, in addition to other crimes that impact our Nation's
financial payment systems. Based on investigative experience and the
understanding we have developed regarding transnational organized cyber
criminals that are engaged in these data breaches and associated
frauds, I hope to provide this Committee useful insight into this issue
from a Federal law enforcement perspective to help inform your
deliberations.
The Role of the Secret Service
The Secret Service was founded in 1865 to protect the U.S.
financial system from the counterfeiting of our national currency. As
the Nation's financial system evolved from paper to plastic to
electronic transactions, so too has the Secret Service's investigative
mission. Today, our modern financial system depends heavily on
information technology for convenience and efficiency. Accordingly,
criminals have adapted their methods and are increasingly using
cyberspace to exploit our Nation's financial payment system by engaging
in fraud and other illicit activities. This is not a new trend;
criminals have been committing cyber financial crimes since at least
1970.\1\
---------------------------------------------------------------------------
\1\ Beginning in 1970, and over the course of 3 years, the chief
teller at the Park Avenue branch of New York's Union Dime Savings Bank
manipulated the account information on the bank's computer system to
embezzle over $1.5 million from hundreds of customer accounts. This
early example of cyber crime not only illustrates the long history of
cyber crime, but the difficulty companies have in identifying and
stopping cyber criminals in a timely manner--a trend that continues
today.
---------------------------------------------------------------------------
Congress established 18 USC � 1029-1030 as part of the
Comprehensive Crime Control Act of 1984; these statutes criminalized
unauthorized access to computers \2\ and the fraudulent use or
trafficking of access devices \3\--defined as any piece of information
or tangible item that is a means of account access that can be used to
obtain money, goods, services, or other thing of value.\4\ Congress
specifically gave the Secret Service authority to investigate
violations of both statutes.\5\
---------------------------------------------------------------------------
\2\ See 18 USC � 1030.
\3\ See 18 USC � 1029.
\4\ See 18 USC � 1029(e)(1).
\5\ See 18 USC � 1029(d) & 1030(d)(1).
---------------------------------------------------------------------------
Secret Service investigations have resulted in the arrest and
successful prosecution of cyber criminals involved in the largest known
data breaches, including those of TJ Maxx, Dave & Buster's, Heartland
Payment Systems, and others. Over the past 4 years Secret Service cyber
crime investigations have resulted in over 4,900 arrests, associated
with approximately $1.37 billion in fraud losses and the prevention of
over $11.24 billion in potential fraud losses. Through our work with
our partners at the Department of Justice (DOJ), in particular the
local U.S. Attorney Offices, the Computer Crimes and Intellectual
Property section (CCIPS), the International Organized Crime
Intelligence and Operations Center (IOC-2), and others, we are
confident we will continue to bring the cyber criminals that perpetrate
major data breaches to justice.
The Transnational Cyber Crime Threat
Advances in computer technology and greater access to personally
identifiable information (PII) via the Internet have created a virtual
marketplace for transnational cyber criminals to share stolen
information and criminal methodologies. As a result, the Secret Service
has observed a marked increase in the quality, quantity, and complexity
of cyber crimes targeting private industry and critical infrastructure.
These crimes include network intrusions, hacking attacks, malicious
software, and account takeovers leading to significant data breaches
affecting every sector of the world economy. The recently reported data
breaches of Target and Neiman Marcus are just the most recent, well-
publicized examples of this decade-long trend of major data breaches
perpetrated by cyber criminals who are intent on targeting our Nation's
retailers and financial payment systems.
The increasing level of collaboration among cyber-criminals allows
them to compartmentalize their operations, greatly increasing the
sophistication of their criminal endeavors and allowing for development
of expert specialization. These specialties raise both the complexity
of investigating these cases, as well as the level of potential harm to
companies and individuals. For example, illicit underground cyber crime
market places allow criminals to buy, sell and trade malicious
software, access to sensitive networks, spamming services, credit,
debit and ATM card data, PII, bank account information, brokerage
account information, hacking services, and counterfeit identity
documents. These illicit digital marketplaces vary in size, with some
of the more popular sites boasting membership of approximately 80,000
users. These digital marketplaces often use various digital currencies,
and cyber criminals have made extensive use of digital currencies to
pay for criminal goods and services or launder illicit proceeds.
The Secret Service has successfully investigated many underground
cyber criminal marketplaces. In one such infiltration, the Secret
Service initiated and conducted a 3-year investigation that led to the
indictment of 11 perpetrators allegedly involved in hacking nine major
U.S. retailers and the theft and sale of more than 40 million credit
and debit card numbers. The investigation revealed that defendants from
the United States, Estonia, China and Belarus successfully obtained
credit and debit card numbers by hacking into the wireless computer
networks of major retailers--including TJ Maxx, BJ's Wholesale Club,
Office Max, Boston Market, Barnes & Noble, Sports Authority and Dave &
Buster's. Once inside the networks, these cyber criminals installed
``sniffer'' programs \6\ that would capture card numbers, as well as
password and account information, as they moved through the retailers'
credit and debit processing networks. After the data was collected, the
conspirators concealed the information in encrypted computer servers
that they controlled in the United States and Eastern Europe. The
credit and debit card numbers were then sold through online
transactions to other criminals in the United States and Eastern
Europe. The stolen numbers were ``cashed out'' by encoding card numbers
on the magnetic strips of blank cards. The defendants then used these
fraudulent cards to withdraw tens of thousands of dollars at a time
from ATMs. The defendants were able to conceal and launder their
illegal proceeds by using anonymous Internet-based digital currencies
within the United States and abroad, and by channeling funds through
bank accounts in Eastern Europe.\7\
---------------------------------------------------------------------------
\6\ Sniffers are programs that detect particular information
transiting computer networks, and can be used by criminals to acquire
sensitive information from computer systems.
\7\ Additional information on the criminal use of digital
currencies can be referenced in testimony provided by U.S. Secret
Service Special Agent in Charge Edward Lowery before the Senate
Homeland Security and Governmental Affairs Committee in a hearing
titled, ``Beyond Silk Road: Potential Risks, Threats, and Promises of
Virtual Currencies'' (November 18, 2013).
---------------------------------------------------------------------------
In data breaches like these the effects of the criminal acts
extended well beyond the companies compromised, potentially affecting
millions of individual card holders. Proactive and swift law
enforcement action protects consumers by preventing and limiting the
fraudulent use of payment card data, identity theft, or both. Cyber
crime directly impacts the U.S. economy by requiring additional
investment in implementing enhanced security measures, inflicting
reputational damage on U.S. firms, and direct financial losses from
fraud--all costs that are ultimately passed on to consumers.
Secret Service Strategy for Combating This Threat
The Secret Service proactively investigates cyber crime using a
variety of investigative means to infiltrate these transnational cyber
criminal groups. As a result of these proactive investigations, the
Secret Service is often the first to learn of planned or ongoing data
breaches and is quick to notify financial institutions and the victim
companies with actionable information to mitigate the damage from the
data breach and terminate the criminal's unauthorized access to their
networks. One of the most poorly understood facts regarding data
breaches is that it is rarely the victim company that first discovers
the criminal's unauthorized access to their network; rather it is law
enforcement, financial institutions, or other third parties that
identify and notify the likely victim company of the data breach by
identifying the common point of origin of the sensitive data being
trafficked in cyber crime marketplaces.
A trusted relationship with the victim is essential for confirming
the crime, remediating the situation, beginning a criminal
investigation, and collecting evidence. The Secret Service's worldwide
network of 33 Electronic Crimes Task Forces (ECTF), located within our
field offices, are essential for building and maintaining these trusted
relationships, along with the Secret Service's commitment to protecting
victim privacy.
In order to confirm the source of data breaches and to stop the
continued theft of sensitive information and the exploitation of a
network, the Secret Service contacts the owner of the suspected
compromised computer systems. Once the victim of a data breach confirms
that unauthorized access to their networks has occurred, the Secret
Service works with the local U.S. Attorney's office, or appropriate
State and local officials, to begin a criminal investigation of the
potential violation of 18 USC � 1030. During the course of this
criminal investigation, the Secret Service identifies the malware and
means of access used to acquire data from the victim's computer
network. In order to enable other companies to mitigate their cyber
risk based on current cyber crime methods, we quickly share information
concerning the cybersecurity incident with the widest audience
possible, while protecting grand jury information, the integrity of
ongoing criminal investigations, and the victims' privacy. We share
this cybersecurity information through:
Our Department's National Cybersecurity & Communications
Integration Center (NCCIC);
The Information Sharing and Analysis Centers (ISAC);
Our ECTFs;
The publication of joint industry notices;
Our numerous partnerships developed over the past three
decades in investigating cyber crimes; and
Contributions to leading industry and academic reports like
the Verizon Data Breach Investigations Report, the Trustwave
Global Security Report, and the Carnegie Mellon CERT Insider
Threat Study.
As we share cybersecurity information discovered in the course of
our criminal investigation, we also continue our investigation in order
to apprehend and bring to justice those involved. Due to the inherent
challenges in investigating transnational crime, particularly the lack
of cooperation of some countries with law enforcement investigations,
occasionally it takes years to finally apprehend the top tier criminals
responsible. For example, Dmitriy Smilianets and Vladimir Drinkman were
arrested in June 2012, as part of a multi-year investigation Secret
Service investigation, while they were traveling in the Netherlands
thanks to the assistance of Dutch law enforcement. The alleged total
fraud loss from their cyber crimes exceeds $105 million.
As a part of our cyber crime investigations, the Secret Service
also targets individuals who operate illicit infrastructure that
supports the transnational organized cyber criminal. For example, in
May 2013 the Secret Service, as part of a joint investigation through
the Global Illicit Financial Team, shut down the digital currency
provider Liberty Reserve. Liberty Reserve is alleged to have had more
than one million users worldwide and to have laundered more than $6
billion in criminal proceeds. This case is believed to be the largest
money laundering case ever prosecuted in the United States and is being
jointly prosecuted by the U.S. Attorney's Office for the Southern
District of New York and DOJ's Asset Forfeiture and Money Laundering
Section. In a coordinated action with the Department of the Treasury,
Liberty Reserve was identified as a financial institution of primary
money laundering concern under Section 311 of the USA PATRIOT Act,
effectively cutting it off from the U.S. financial system.
Collaboration With Other Federal Agencies and International Law
Enforcement
While cyber-criminals operate in a world without borders, the law
enforcement community does not. The increasingly multi-national, multi-
jurisdictional nature of cyber crime cases has increased the time and
resources needed for successful investigation and adjudication. The
partnerships developed through our ECTFs, the support provided by our
Criminal Investigative Division, the liaison established by our
overseas offices, and the training provided to our special agents via
Electronic Crimes Special Agent Program are all instrumental to the
Secret Service's successful network intrusion investigations.
One example of the Secret Service's success in these investigations
is the case involving Heartland Payment Systems. As described in the
August 2009 indictment, a transnational organized criminal group
allegedly used various network intrusion techniques to breach security
and navigate the credit card processing environment. Once inside the
networks, they installed ``sniffer'' programs to capture card numbers,
as well as password and account information. The Secret Service
investigation, the largest and most complex data breach investigation
ever prosecuted in the United States, revealed that data from more than
130 million credit card accounts were at risk of being compromised and
exfiltrated to a command and control server operated by an
international group directly related to other ongoing Secret Service
investigations. During the course of the investigation, the Secret
Service uncovered that this international group committed other
intrusions into multiple corporate networks to steal credit and debit
card data. The Secret Service relied on various investigative methods,
including subpoenas, search warrants, and Mutual Legal Assistance
Treaty (MLAT) requests through our foreign law enforcement partners to
identify three main suspects. As a result of the investigation, these
primary suspects were indicted for various computer-related crimes. The
lead defendant in the indictment pled guilty and was sentenced to
twenty years in Federal prison. This investigation is ongoing with over
100 additional victim companies identified.
Recognizing these complexities, several Federal agencies are
collaborating to investigate cases and identify proactive strategies.
Greater collaboration within the Federal, State and local law
enforcement community enhances information sharing, promotes efficiency
in investigations, and facilitates efforts to de-conflict in cases of
concurrent jurisdiction. For example, the Secret Service has
collaborated extensively with DOJ's CCIPS, which ``prevents,
investigates, and prosecutes computer crimes by working with other
Government agencies, the private sector, academic institutions, and
foreign counterparts.''\8\ The Secret Service's ECTFs are a natural
complement to CCIPS, resulting in an excellent partnership over the
years. In the last decade, nearly every major cyber investigation
conducted by the Secret Service has benefited from CCIPS contributions.
---------------------------------------------------------------------------
\8\ U.S. Department of Justice. (n.d.). Computer Crime &
Intellectual Property Section: About CCIPS. Retrieved from http://
www.justice.gov/criminal/cybercrime/ccips.html.
---------------------------------------------------------------------------
The Secret Service also maintains a positive relationship with the
DOJ's Federal Bureau of Investigation (FBI). The Secret Service has a
permanent presence at the National Cyber Investigative Joint Task Force
(NCIJTF), which coordinates, integrates, and shares information related
to investigations of national security cyber threats. The Secret
Service also often partners with the FBI on various criminal cyber
investigations. For example, in August 2010, a joint operation
involving the Secret Service, FBI, and the Security Service of Ukraine
(SBU), yielded the seizure of 143 computer systems--one of the largest
international seizures of digital media gathered by U.S. law
enforcement--consisting of 85 terabytes of data, which was eventually
transferred to law enforcement authorities in the United States. The
data was seized from a criminal Internet service provider located in
Odessa, Ukraine, also referred to as a ``Bullet Proof Hoster.'' Thus
far, the forensic analysis of these systems has already identified a
significant amount of criminal information pertaining to numerous
investigations currently underway by both agencies, including malware,
criminal chat communications, and PII of U.S. citizens.
The case of Vladislav Horohorin is another example of successful
cooperation between the Secret Service and its law enforcement partners
around the world. Mr. Horohorin, one of the world's most notorious
traffickers of stolen financial information, was arrested on August 25,
2010, pursuant to a U.S. arrest warrant issued by the Secret Service.
Mr. Horohorin created the first fully automated online store which was
responsible for selling stolen credit card data. Both CCIPS and the
Office of International Affairs at DOJ played critical roles in this
apprehension. Furthermore, as a result of information sharing, the FBI
was able to bring additional charges against Mr. Horohorin for his
involvement in a Royal Bank of Scotland network intrusion. This type of
cooperation is crucial if law enforcement is to be successful in
disrupting and dismantling criminal organizations involved in cyber
crime.
This case demonstrates the importance of international law
enforcement cooperation. Through the Secret Service's 24 international
field offices the Service develops close partnerships with numerous
foreign law enforcement agencies in order to combat transnational
crime. Successfully investigating transnational crime depends not only
on the efforts of the Department of State and the DOJ's Office of
International Affairs to establish and execute MLATs, and other forms
of international law enforcement cooperation, but also on the personal
relationships that develop between U.S. law enforcement officers and
their foreign counterparts. Both the CCIPS and the Office of
International Affairs at DOJ played critical roles in this
apprehension. Furthermore, as a result of information sharing, the FBI
was able to bring additional charges against Mr. Horohorin for his
involvement in a Royal Bank of Scotland network intrusion. This type of
cooperation is crucial if law enforcement is to be successful in
disrupting and dismantling criminal organizations involved in cyber
crime.
Within DHS, the Secret Service benefits from a close relationship
with Immigration and Customs Enforcement's Homeland Security
Investigations (ICE-HSI). Since 1997, the Secret Service, ICE-HSI, and
IRS-CI have jointly trained on computer investigations through the
Electronic Crimes Special Agent Program (ECSAP). ICE-HSI is also a
member of Secret Service ECTFs, and ICE-HSI and the Secret Service have
partnered on numerous cyber crime investigations including the recent
take down of the digital currency Liberty Reserve.
To further its cybersecurity information sharing efforts, the
Secret Service has strengthened its relationship with the National
Protection and Programs Directorate (NPPD), including the NCCIC. As the
Secret Service identifies malware, suspicious IPs and other information
through its criminal investigations, it shares information with our
Department's NCCIC. The Secret Service continues to buildupon its full-
time presence at NCCIC to coordinate its cyber programs with other
Federal agencies.
As a part of these efforts, and to ensure that information is
shared in a timely and effective manner, the Secret Service has
personnel assigned to the following DHS and non-DHS entities:
NPPD's National Cybersecurity & Communications Integration
Center (NCCIC);
NPPD's Office of Infrastructure Protection;
DHS's Science and Technology Directorate (S&T);
DOJ National Cyber Investigative Joint Task Force (NCIJTF);
Each FBI Joint Terrorism Task Force (JTTF), including the
National JTTF;
Department of the Treasury--Office of Terrorist Financing
and Financial Crimes (TFFC);
Department of the Treasury--Financial Crimes Enforcement
Network (FinCEN);
Central Intelligence Agency;
DOJ, International Organized Crime and Intelligence
Operations Center (IOC-2);
Drug Enforcement Administration's Special Operations
Division;
EUROPOL; and
INTERPOL.
The Secret Service is committed to ensuring that all its
information sharing activities comply with applicable laws,
regulations, and policies, including those that pertain to privacy and
civil liberties.
Secret Service Framework
To protect our financial infrastructure, industry, and the American
public, the Secret Service has adopted a multi-faceted approach to
aggressively combat cyber and computer-related crimes.
Electronic Crimes Task Forces
In 1995, the Secret Service New York Field Office established the
New York Electronic Crimes Task Force (ECTF) to combine the resources
of academia, the private sector, and local, State and Federal law
enforcement agencies to combat computer-based threats to our financial
payment systems and critical infrastructures. In 2001, Congress
directed the Secret Service to establish a nationwide network of ECTFs
to ``prevent, detect, and investigate various forms of electronic
crimes, including potential terrorist attacks against critical
infrastructure and financial payment systems.''\9\
---------------------------------------------------------------------------
\9\ See Public Law 107-56 Section 105 (appears as note following 18
U.S.C. � 3056).
---------------------------------------------------------------------------
Secret Service field offices currently operate 33 ECTFs, including
two based overseas in Rome, Italy, and London, England. Membership in
our ECTFs includes: over 4,000 private sector partners; over 2,500
international, Federal, State and local law enforcement partners; and
over 350 academic partners. By joining our ECTFs, our partners benefit
from the resources, information, expertise and advanced research
provided by our international network of members while focusing on
issues with significant regional impact.
Cyber Intelligence Section
Another example of our partnership approach with private industry
is our Cyber Intelligence Section (CIS) which analyzes evidence
collected as a part of Secret Service investigations and disseminates
information in support of Secret Service investigations worldwide and
generates new investigative leads based upon its findings. CIS
leverages technology and information obtained through private sector
partnerships to monitor developing technologies and trends in the
financial payments industry for information that may be used to enhance
the Secret Service's capabilities to prevent and mitigate attacks
against the financial and critical infrastructures. CIS also has an
operational unit that investigates international cyber-criminals
involved in cyber-intrusions, identity theft, credit card fraud, bank
fraud, and other computer-related crimes. The information and
coordination provided by CIS is a crucial element to successfully
investigating, prosecuting, and dismantling international criminal
organizations.
Electronic Crimes Special Agent Program
A central component of the Secret Service's cyber-crime
investigations is its Electronic Crimes Special Agent Program (ECSAP),
which is comprised of nearly 1,400 Secret Service special agents who
have received at least one of three levels of computer crimes-related
training.
Level I--Basic Investigation of Computers and Electronic Crimes
(BICEP): The BICEP training program focuses on the investigation of
electronic crimes and provides a brief overview of several aspects
involved with electronic crimes investigations. This program provides
Secret Service agents and our State and local law enforcement partners
with a basic understanding of computers and electronic crime
investigations and is now part of our core curriculum for newly hired
special agents.
Level II--Network Intrusion Responder (ECSAP-NI): ECSAP-NI training
provides special agents with specialized training and equipment that
allows them to respond to and investigate network intrusions. These may
include intrusions into financial sector computer systems, corporate
storage servers, or various other targeted platforms. The Level II
trained agent will be able to identify critical artifacts that will
allow for effective investigation of identity theft, malicious hacking,
unauthorized access, and various other related electronic crimes.
Level III--Computer Forensics (ECSAP-CF): ECSAP-CF training
provides special agents with specialized training and equipment that
allows them to investigate and forensically obtain digital evidence to
be utilized in the prosecution of various electronic crimes cases, as
well as criminally focused protective intelligence cases.
These agents are deployed in Secret Service field offices
throughout the world and have received extensive training in forensic
identification, as well as the preservation and retrieval of
electronically stored evidence. ECSAP-trained agents are computer
investigative specialists, qualified to conduct examinations on all
types of electronic evidence. These special agents are equipped to
investigate the continually evolving arena of electronic crimes and
have proven invaluable in the successful prosecution of criminal groups
involved in computer fraud, bank fraud, identity theft, access device
fraud and various other electronic crimes targeting our financial
institutions and private sector.
National Computer Forensics Institute
The National Computer Forensics Institute (NCFI) initiative is the
result of a partnership between the Secret Service, NPPD, the State of
Alabama, and the Alabama District Attorney's Association. The goal of
this facility is to provide a national standard of training for a
variety of electronic crimes investigations. The program offers State
and local law enforcement officers, prosecutors, and judges the
training necessary to conduct computer forensics examinations.
Investigators are trained to respond to network intrusion incidents and
to conduct electronic crimes investigations. Since opening in 2008, the
institute has held over 110 cyber and digital forensics courses in 13
separate subjects and trained and equipped more than 2,500 State and
local officials, including more than 1,600 police investigators, 570
prosecutors and 180 judges from all 50 States and three U.S.
territories. These NCFI graduates represent more than 1,000 agencies
nationwide.
Partnerships with Academia
In August 2000, the Secret Service and Carnegie Mellon University
Software Engineering Institute (SEI) established the Secret Service
CERT \10\ Liaison Program to provide technical support, opportunities
for research and development, as well as public outreach and education
to more than 150 scientists and researchers in the fields of computer
and network security, malware analysis, forensic development, training
and education. Supplementing this effort is research into emerging
technologies being used by cyber-criminals and development of
technologies and techniques to combat them.
---------------------------------------------------------------------------
\10\ CERT--not an acronym--conducts empirical research and analysis
to develop and transition socio-technical solutions to combat insider
cyber threats.
---------------------------------------------------------------------------
The primary goals of the program are: to broaden the Secret
Service's knowledge of software engineering and networked systems
security; to expand and strengthen partnerships and relationships with
the technical and academic communities; partner with CERT-SEI and
Carnegie Mellon University to support research and development to
improve the security of cyberspace and improve the ability of law
enforcement to investigate crimes in a digital age; and to present the
results of this partnership at the quarterly meetings of our ECTFs.
In August 2004, the Secret Service partnered with CERT-SEI to
publish the first ``Insider Threat Study'' examining the illicit cyber
activity and insider fraud in the banking and finance sector. Due to
the overwhelming response to this initial study, the Secret Service and
CERT-SEI, in partnership with DHS Science & Technology (S&T), updated
the study and released the most recent version just last year, which is
published at http://www.cert.org/insider_threat/.
To improve law enforcement's ability to investigate crimes
involving mobile devices, the Secret Service opened the Cell Phone
Forensic Facility at the University of Tulsa in 2008. This facility has
a three-pronged mission: (1) training Federal, State and local law
enforcement agents in embedded device forensics; (2) developing novel
hardware and software solutions for extracting and analyzing digital
evidence from embedded devices; and (3) applying the hardware and
software solutions to support criminal investigations conducted by the
Secret Service and its partner agencies. To date, investigators trained
at the Cell Phone Forensic Facility have completed more than 6,500
examinations on cell phone and embedded devices nationwide. Secret
Service agents assigned to the Tulsa facility have contributed to over
300 complex cases that have required the development of sophisticated
techniques and tools to extract critical evidence.
These collaborations with academia, among others, have produced
valuable innovations that have helped strengthen the cyber ecosystem
and improved law enforcement's ability to investigate cyber crime. The
Secret Service will continue to partner closely with academia and DHS
S&T, particularly the Cyber Forensics Working Group, to support
research and development of innovate tools and methods to support
criminal investigations.
Legislative Action to Combat Data Breaches
While there is no single solution to prevent data breaches of U.S.
customer information, legislative action could help to improve the
Nation's cybersecurity, reduce regulatory costs on U.S. companies, and
strengthen law enforcement's ability to conduct effective
investigations. The Administration previously proposed law enforcement
provisions related to computer security through a letter from OMB
Director Lew to Congress on May 12, 2011, highlighting the importance
of additional tools to combat emerging criminal practices. We continue
to support changes like these that will keep up with rapidly evolving
technologies and uses.
Conclusion
The Secret Service is committed to safeguarding the Nation's
financial payment systems by investigating and dismantling criminal
organizations involved in cyber crime. Responding to the growth in
these types of crimes and the level of sophistication these criminals
employ requires significant resources and greater collaboration among
law enforcement and its public and private sector partners.
Accordingly, the Secret Service dedicates significant resources to
improving investigative techniques, providing training for law
enforcement partners, and raising public awareness. The Secret Service
will continue to be innovative in its approach to cyber crime and cyber
security and is pleased that the Committee recognizes the magnitude of
these issues and the evolving nature of these crimes.
______
PREPARED STATEMENT OF JESSICA RICH
Director of the Bureau of Consumer Protection
Federal Trade Commission
February 3, 2014
I. INTRODUCTION
Chairman Warner, Ranking Member Kirk, and Members of the
Subcommittee, I am Jessica Rich, Director of the Bureau of Consumer
Protection at the Federal Trade Commission (``FTC'' or
``Commission'').\1\ I appreciate the opportunity to present the
Commission's testimony on data security.
---------------------------------------------------------------------------
\1\ This written statement presents the views of the Federal Trade
Commission. My oral statements and responses to questions are my own
and do not necessarily reflect the views of the Commission or of any
Commissioner.
---------------------------------------------------------------------------
As recent publicly announced data breaches remind us,\2\ consumers'
information is subject to a variety of risks. Hackers and others seek
to exploit vulnerabilities, obtain unauthorized access to consumers'
sensitive information, and potentially misuse it in ways that can cause
serious harms to consumers as well as businesses. And in this
increasingly interconnected economy, all of this takes place against
the background of the threat of identity theft, a pernicious crime that
harms both consumers and financial institutions. The Bureau of Justice
Statistics estimates that 16.6 million persons--or 7 percent of all
U.S. residents ages 16 and older--were victims of identity theft in
2012.\3\
---------------------------------------------------------------------------
\2\ See Elizabeth A. Harris & Nicole Perlroth, For Target, the
Breach Numbers Grow, N.Y. Times, Jan. 10, 2014, available at http://
www.nytimes.com/2014/01/11/business/target-breach-affected-70-million-
customers.html (discussing recently announced breaches involving
payment card information by Target and Neiman Marcus); Nicole Perlroth,
Michaels Stores Is Investigating Data Breach, N.Y. Times, Jan. 25,
2014, available at http://www.nytimes.com/2014/01/26/technology/
michaels-stores-is-investigating-data-breach.html (announcement of
potential security breach involving payment card information).
\3\ See Bureau of Justice Statistics, Victims of Identity Theft,
2012 (Dec. 2013), available at http://www.bjs.gov/content/pub/pdf/
vit12.pdf.
---------------------------------------------------------------------------
As the Nation's leading privacy enforcement agency, the FTC is
committed to protecting consumer privacy and promoting data security in
the private sector and has settled 50 law enforcement actions against
businesses that we alleged failed to protect consumers' personal
information appropriately. Data security is of critical importance to
consumers. If companies do not protect the personal information they
collect and store, that information could fall into the wrong hands,
resulting in fraud and other harm, along with a potential loss of
consumer confidence in particular business sectors or entities, payment
methods, or types of transactions. Accordingly, the Commission has
undertaken substantial efforts for over a decade to promote data
security in the private sector through civil law enforcement,
education, and policy initiatives.
This testimony offers an overview of the Commission's recent
efforts in the enforcement, education, and policy areas. It then
describes the FTC's cooperation with Federal and State agencies on
issues of privacy and data security. Finally, while the testimony does
not offer views on any particular legislation, the Commission
reiterates its bipartisan support for Congress to enact data security
legislation that would (1) strengthen its existing authority governing
data security standards on companies and (2) require companies, in
appropriate circumstances, to provide notification to consumers when
there is a security breach.\4\
---------------------------------------------------------------------------
\4\ The Commission has long supported data security and breach
notification legislation. See, e.g., Prepared Statement of the Federal
Trade Commission, ``Privacy and Data Security: Protecting Consumers in
the Modern World,'' Before the Senate Committee on Commerce, Science,
and Transportation, 112th Cong., June 29, 2011, available at http://
www.ftc.gov/sites/default/files/documents/public_statements/prepared-
statement-federal-tradecommission-privacy-and-data-security-protecting-
consumers-modern/110629privacytestimonybrill.pdf; Prepared Statement of
the Federal Trade Commission, ``Data Security,'' Before Subcommittee on
Commerce, Manufacturing, and Trade of the House Committee on Energy and
Commerce, 112th Cong., June 15, 2011, available at http://www.ftc.gov/
sites/default/files/documents/public_statements/preparedstatement-
federal-trade-commission-data-security/110615datasecurity
house.pdf; FTC, Security in Numbers, SSNs and ID Theft (Dec. 2008),
available at http://www.ftc.gov/sites/default/files/documents/reports/
security-numbers-social-security-numbers-and-identity-theft-federal-
trade-commission-report/p075414ssnreport.pdf; President's Identity
Theft Task Force, Identity Theft Task Force Report (Sept. 2008),
available at http://www.ftc.gov/sites/default/files/documents/reports/
presidents-identity-theft-task-force-report/081021taskforcereport.pdf.
---------------------------------------------------------------------------
II. THE COMMISSION'S DATA SECURITY PROGRAM
A. Law Enforcement
To promote data security, the Commission enforces several statutes
and rules that impose obligations upon businesses that collect and
maintain consumer data. The Commission's Safeguards Rule, which
implements the Gramm-Leach-Bliley Act (``GLB Act''), for example,
provides data security requirements for nonbank financial
institutions.\5\ The Fair Credit Reporting Act (``FCRA'') requires
consumer reporting agencies to use reasonable procedures to ensure that
the entities to which they disclose sensitive consumer information have
a permissible purpose for receiving that information,\6\ and imposes
safe disposal obligations on entities that maintain consumer report
information.\7\ The Children's Online Privacy Protection Act (COPPA)
requires reasonable security for children's information collected
online.\8\
---------------------------------------------------------------------------
\5\ 16 C.F.R. Part 314, implementing 15 U.S.C. � 6801(b).
\6\ 15 U.S.C. � 1681e.
\7\ Id. at � 1681w. The FTC's implementing rule is at 16 C.F.R.
Part 682.
\8\ 15 U.S.C. �� 6501-6506; see also 16 C.F.R. Part 312 (``COPPA
Rule'').
---------------------------------------------------------------------------
In addition, the Commission enforces the proscription against
unfair or deceptive acts or practices in Section 5 of the FTC Act.\9\
If a company makes materially misleading statements or omissions about
a matter, including data security, and such statements or omissions are
likely to mislead reasonable consumers, they can be found to be
deceptive in violation of Section 5.\10\ Using its deception authority,
the Commission has settled more than 30 matters challenging companies'
express and implied claims that they provide reasonable security for
consumers' personal data. Further, if a company's data security
practices cause or are likely to cause substantial injury to consumers
that is neither reasonably avoidable by consumers nor outweighed by
countervailing benefits to consumers or to competition, those practices
can be found to be unfair and violate Section 5.\11\ The Commission has
settled more than 20 cases alleging that a company's failure to
reasonably safeguard consumer data was an unfair practice.\12\
---------------------------------------------------------------------------
\9\ 15 U.S.C. � 45(a).
\10\ See Federal Trade Commission Policy Statement on Deception,
appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984).
\11\ See Federal Trade Commission Policy Statement on Unfairness,
appended to Int'l Harvester Co., 104 F.T.C. 949, 1070 (1984) (``FTC
Unfairness Statement'').
\12\ Some of the Commission's data security settlements allege both
deception and unfairness.
---------------------------------------------------------------------------
In the data security context, the FTC conducts its investigations
with a focus on reasonableness--a company's data security measures must
be reasonable and appropriate in light of the sensitivity and volume of
consumer information it holds, the size and complexity of its business,
and the cost of available tools to improve security and reduce
vulnerabilities.\13\ In each investigation, the Commission examines
such factors as whether the risks at issue were well known or
reasonably foreseeable, the costs and benefits of implementing various
protections, and the tools that are currently available and used in the
marketplace.
---------------------------------------------------------------------------
\13\ In many of the FTC's data security cases based on deception,
the company has made an express or implied claim that its information
security practices are reasonable, which is analyzed through the same
lens.
---------------------------------------------------------------------------
Since 2001, the Commission has used its authority to settle 50
cases against businesses that it charged with failing to provide
reasonable protections for consumers' personal information.\14\ In each
of these cases, the Commission has examined a company's practices as a
whole and challenged alleged data security failures that were multiple
and systemic. Through these settlements, the Commission has made clear
that reasonable and appropriate security is a continuous process of
assessing and addressing risks; that there is no one-size-fits-all data
security program; that the Commission does not require perfect
security; and that the mere fact that a breach occurred does not mean
that a company has violated the law.
---------------------------------------------------------------------------
\14\ See Commission Statement Marking the FTC's 50th Data Security
Settlement, Jan. 31, 2014, available at http://www.ftc.gov/system/
files/documents/cases/140131gmrstatement.pdf.
---------------------------------------------------------------------------
In its most recent case, the FTC entered into a settlement with GMR
Transcription Services, Inc., a company that provides audio file
transcription services for its clients--which includes health care
providers.\15\ According to the complaint, GMR relies on service
providers and independent typists to perform this work, and conducts
its business primarily over the Internet by exchanging audio files and
transcripts with customers and typists by loading them on a file
server. As a result of GMR's alleged failure to implement reasonable
and appropriate security measures or to ensure its service providers
also implemented reasonable and appropriate security, at least 15,000
files containing sensitive personal information--including consumers'
names, birth dates, and medical histories--were available to anyone on
the Internet. The Commission's order prohibits GMR from making
misrepresentations about privacy and security, and requires the company
to implement a comprehensive information security program and undergo
independent audits for the next 20 years.
---------------------------------------------------------------------------
\15\ In the Matter of GMR Transcription Servs., Inc., et al.,
Matter No. 112-3120 (Dec. 16, 2013), available at http://www.ftc.gov/
news-events/press-releases/2014/01/provider-medical-transcript-
services-settles-ftc-charges-it.
---------------------------------------------------------------------------
The FTC also recently announced a case against TRENDnet, which
involved a video camera designed to allow consumers to monitor their
homes remotely.\16\ The complaint alleges that TRENDnet marketed its
SecurView cameras for purposes ranging from baby monitoring to home
security. Although TRENDnet claimed that the cameras were ``secure,''
they had faulty software that left them open to online viewing, and in
some instances listening, by anyone with the cameras' Internet address.
This resulted in hackers posting 700 consumers' live feeds on the
Internet. Under the FTC settlement, TRENDnet must maintain a
comprehensive security program, obtain outside audits, notify consumers
about the security issues and the availability of software updates to
correct them, and provide affected customers with free technical
support for the next 2 years.
---------------------------------------------------------------------------
\16\ In the Matter of TRENDnet, Inc., Matter No. 122-3090 (Sept. 4,
2013), available at http://www.ftc.gov/opa/2013/09/trendnet.shtm.
---------------------------------------------------------------------------
Finally, one of the best-known FTC data security cases is the 2006
action against ChoicePoint, Inc., a data broker that allegedly sold
sensitive information (including Social Security numbers in some
instances) concerning more than 160,000 consumers to data thieves
posing as ChoicePoint clients.\17\ In many instances, the thieves used
that information to steal the consumers' identities. The Commission
alleged that ChoicePoint failed to use reasonable procedures to screen
prospective purchasers of the consumers' information and ignored
obvious security red flags. For example, the FTC alleged that the
company approved as purchasers individuals who lied about their
credentials, used commercial mail drops as business addresses, and
faxed multiple applications from public commercial photocopying
facilities. In settling the case, ChoicePoint agreed to pay $10 million
in civil penalties for violations of the FCRA and $5 million in
consumer redress for identity theft victims, and agreed to undertake
comprehensive data security measures.\18\
---------------------------------------------------------------------------
\17\ United States v. ChoicePoint, Inc., No. 106-CV-0198 (N.D. Ga.)
(settlement entered on Feb. 15, 2006), available at http://www.ftc.gov/
enforcement/cases-and-proceedings/cases/2010/09/choicepoint-inc.
\18\ In 2009, the Commission charged that the company violated the
earlier court order and obtained a stipulated modified order under
which ChoicePoint agreed to expand its data security obligations and
pay monetary relief in the amount of $275,000. United States v.
ChoicePoint, Inc., No. 1:06-CV-0198-JTC (N.D. Ga. 2009) (settlement
entered on Oct. 14, 2009).
---------------------------------------------------------------------------
B. Policy Initiatives
The Commission also undertakes policy initiatives to promote
privacy and data security. For example, through its reports, the FTC
has encouraged companies to provide reasonable security for consumer
data by following certain key principles.\19\ First, companies should
know what consumer information they have and what personnel or third
parties have, or could have, access to it. Understanding how
information moves into, through, and out of a business is essential to
assessing its security vulnerabilities. Second, companies should limit
the information they collect and retain based on their legitimate
business needs, so that needless storage of data does not create
unnecessary risks of unauthorized access to the data. Third, businesses
should protect the information they maintain by assessing risks and
implementing protections in certain key areas--physical security,
electronic security, employee training, and oversight of service
providers. Fourth, companies should properly dispose of information
that they no longer need. Finally, companies should have a plan in
place to respond to security incidents, should they occur.\20\
---------------------------------------------------------------------------
\19\ FTC Report, Protecting Privacy in an Era of Rapid Change:
Recommendations for Businesses and Policymakers (Mar. 2012), available
at http://www.ftc.gov/sites/default/files/documents/reports/federal-
trade-commission-report-protecting-consumer-privacy-era-rapid-change-
recommendations/120326privacyreport.pdf.
\20\ Id. at 24-32.
---------------------------------------------------------------------------
The FTC also hosts workshops on business practices and technologies
affecting consumer data. For example, in November, the FTC held a
workshop on the phenomenon known as the ``Internet of Things''--i.e.,
Internet-connected refrigerators, thermostats, cars, and other products
and services that can communicate with each other and/or consumers.\21\
The workshop brought together academics, industry representatives, and
consumer advocates to explore the security and privacy issues from
increased connectivity in everyday devices, in areas as diverse as
smart homes, connected health and fitness devices, and connected cars.
Also, last June, the Commission hosted a public forum on mobile
security issues, including potential threats to U.S. consumers and
possible solutions to them.\22\ The forum brought together technology
researchers, industry members and academics to explore the security of
existing and developing mobile technologies and the roles various
members of the mobile ecosystem can play in protecting consumers from
potential security threats.
---------------------------------------------------------------------------
\21\ FTC Workshop, Internet of Things: Privacy & Security in a
Connected World (Nov. 19, 2013), available at http://www.ftc.gov/bcp/
workshops/internet-of-things/.
\22\ FTC Workshop, Mobile Security: Potential Threats and Solutions
(June 4, 2013), available at http://www.ftc.gov/bcp/workshops/mobile-
security/.
---------------------------------------------------------------------------
The Commission has also hosted programs on emerging forms of
identity theft, such as child identity theft and senior identity theft.
In these programs, the Commission discussed unique challenges facing
children and seniors, and worked with stakeholders to develop outreach
for these two communities. Since the workshops took place, the
Commission has continued to engage in such tailored outreach.
C. Consumer Education and Business Guidance
The Commission is also committed to promoting better data security
practices through consumer education and business guidance. On the
consumer education front, the Commission sponsors OnGuard Online, a Web
site designed to educate consumers about basic computer security.\23\
OnGuard Online and its Spanish-language counterpart, Alerta en
Linea,\24\ average more than 2.2 million unique visits per year. Also,
as part of its efforts to educate consumers about identity theft,
Commission staff have worked with Members of Congress to host numerous
town hall meetings on identity theft in order to educate their
constituents. And, for consumers who may have been affected by the
recent Target and other breaches, the FTC posted information online
about steps they should take to protect themselves.\25\
---------------------------------------------------------------------------
\23\ See http://www.onguardonline.gov.
\24\ See http://www.alertaenlinea.gov.
\25\ See Nicole Vincent Fleming, An Unfortunate Fact About
Shopping, FTC Consumer Blog, http://www.consumer.ftc.gov/blog/
unfortunate-fact-about-shopping (Jan. 27, 2014); Nicole Vincent
Fleming, Are you affected by the recent Target hack?, FTC Consumer
Blog, https://www.consumer.ftc.gov/blog/are-you-affected-recent-target-
hack. In addition to these materials posted in response to recent
breaches, the FTC has long published a victim recovery guide and other
resources to explain the immediate steps identity theft victims should
take to address the crime; how to obtain a free credit report and
correct fraudulent information in credit reports; how to file a police
report; and how to protect their personal information. See http://
www.consumer.ftc.gov/features/feature-0014-identity-theft.
---------------------------------------------------------------------------
The Commission directs its outreach to businesses as well. The FTC
widely disseminates its business guide on data security,\26\ along with
an online tutorial based on the guide.\27\ These resources are designed
to provide a variety of businesses--and especially small businesses--
with practical, concrete advice as they develop data security programs
and plans for their companies.
---------------------------------------------------------------------------
\26\ See Protecting Personal Information: A Guide for Business,
available at http://business.ftc.gov/documents/bus69-protecting-
personal-information-guide-business.
\27\ See Protecting Personal Information: A Guide for Business
(Interactive Tutorial), available at http://business.ftc.gov/
multimedia/videos/protecting-personal-information.
---------------------------------------------------------------------------
The Commission has also released articles directed toward a
nonlegal audience regarding basic data security issues for
businesses.\28\ For example, because mobile applications (``apps'') and
devices often rely on consumer data, the FTC has developed specific
security guidance for mobile app developers as they create, release,
and monitor their apps.\29\ The FTC also creates business educational
materials on specific topics--such as the risks associated with peer-
to-peer (``P2P'') file-sharing programs and companies' obligations to
protect consumer and employee information from these risks \30\ and how
to properly secure and dispose of information on digital copiers.\31\
---------------------------------------------------------------------------
\28\ See generally http://www.business.ftc.gov/privacy-and-
security/data-security.
\29\ See Mobile App Developers: Start with Security (Feb. 2013),
available at http://business.ftc.gov/documents/bus83-mobile-app-
developers-start-security.
\30\ See Peer-to-Peer File Sharing: A Guide for Business (Jan.
2010), available at http://business.ftc.gov/documents/bus46-peer-peer-
file-sharing-guide-business.
\31\ See Copier Data Security: A Guide for Business (Nov. 2010),
available at http://business.ftc.gov/documents/bus43-copier-data-
security.
---------------------------------------------------------------------------
III. COOPERATION WITH STATE AND FEDERAL AGENCIES
The Commission has a long history of working closely with Federal
and State agencies, as well as the private sector, to further its
mission of promoting privacy and data security. State, Federal, and
private sector entities each have served a unique role in data
security: States have innovated by passing data breach notification
laws; Federal banking agencies have protected consumers' security in
the banking sector; the FTC has protected the security of consumers'
information in retail, technology, and other sectors; Federal criminal
law enforcement agencies have prosecuted identity thieves; credit
reporting agencies have provided credit monitoring services to
consumers in the event of a breach; and trade associations sponsor
educational seminars and publish guidance to help their members
understand their legal obligations.
In terms of cooperation with States, the FTC works closely with
State Attorneys General to ensure that we coordinate our investigations
and leverage our resources most effectively. For example, in one of the
largest FTC-State coordinated settlements on record, LifeLock, Inc.
agreed to pay $11 million to the FTC and $1 million to 35 State
Attorneys General to settle charges that the company used false claims
to promote its identity theft protection services.\32\ As part of the
settlement, LifeLock and its principals are barred from making
deceptive claims and required to take more stringent measures to
safeguard the personal information they collect from customers. The FTC
also coordinated with the State AGs on cases such as TJX \33\ and
ChoicePoint.\34\
---------------------------------------------------------------------------
\32\ FTC v. LifeLock, Inc., et al., No. 2:10-cv-00530-NVW (D.
Ariz.) (filed Mar. 9, 2010), available at http://www.ftc.gov/
enforcement/cases-and-proceedings/cases/2010/11/lifelock-inc-
corporation.
\33\ In the Matter of The TJX Cos., Inc., No. C-4227 (F.T.C. July
29, 2008), available at http://www.ftc.gov/enforcement/cases-and-
proceedings/cases/2008/08/tjx-companies-inc-matter; see also Press
Release, Agency Announces Settlement of Separate Actions Against
Retailer TJX, and Data Brokers Reed Elsevier and Seisent for Failing to
Provide Adequate Security for Consumers' Data (Mar. 27, 2008),
available at http://www.ftc.gov/news-events/press-releases/2008/03/
agency-announces-settlement-separate-actions-against-retailer-tjx
(citing the Commission's coordination with 39 State Attorneys General).
\34\ United States v. ChoicePoint, Inc., supra note 17; see also
Press Release, ChoicePoint Settles Data Security Breach Charges; to Pay
$10 Million in Civil Penalties, $5 Million for Consumer Redress (Jan.
26, 2006), available at http://www.ftc.gov/news-events/press-releases/
2006/01/choicepoint-settles-data-security-breach-charges-pay-10-million
(mentioning the FTC's cooperation with the Department of Justice and
Securities and Exchange Commission).
---------------------------------------------------------------------------
In terms of Federal enforcement cooperation, the FTC has worked
with criminal law enforcement agencies such as the Federal Bureau of
Investigation and Secret Service. The goals of FTC and Federal criminal
law enforcement agencies are complementary: FTC actions send a message
that businesses need to protect their customers' data on the front end,
and criminal law enforcement actions send a message to identity
thieves, fraudsters, and other criminals that their efforts to
victimize consumers will be punished.
The FTC also works closely with State and Federal agencies to
educate consumers and businesses on issues involving data security and
privacy. For example, identity theft has been the top consumer
complaint to the FTC for 13 consecutive years, and tax identity theft--
which often begins by thieves obtaining Social Security numbers and
other personal information from consumers in order to obtain their tax
refund--has been an increasing share of the Commission's identity theft
complaints.\35\ Just last month, the FTC hosted 16 events across the
country, along with a series of national Webinars and Twitter chats as
part of Tax Identity Theft Awareness Week.\36\ The events, which
included representatives of the Internal Revenue Service, the American
Association of Retired Persons, and local U.S. Attorney's offices, were
designed to raise awareness about tax identity theft and provide
consumers with tips on how to protect themselves, and what to do if
they become victims.
---------------------------------------------------------------------------
\35\ In 2012, tax identity theft accounted for more than 43 percent
of the identity theft complaints, making it the largest category of
identity theft complaints by a substantial margin. See Press Release,
FTC Releases Top 10 Complaint Categories for 2012 (Feb. 26, 2013),
available at http://www.ftc.gov/newsevents/press-releases/2013/02/ftc-
releases-top-10-complaint-categories-2012.
\36\ Press Release, FTC's Tax Identity Theft Awareness Week Offers
Consumers Advice, Guidance (Jan. 10, 2014), available at http://
www.ftc.gov/news-events/press-releases/2014/01/ftcs-tax-identity-theft-
awareness-week-offers-consumers-advice.
---------------------------------------------------------------------------
IV. CONCLUSION
Thank you for the opportunity to provide the Commission's views on
data security. The FTC remains committed to promoting reasonable
security for consumer data and we look forward to continuing to work
with Congress on this critical issue.
______
PREPARED STATEMENT OF JAMES A. REUTER
Executive Vice President, FirstBank,
on behalf of the American Bankers Association
February 3, 2014
Chairman Warner, Ranking Member Kirk, and Members of the
Subcommittee, my name is James A. Reuter, Executive Vice President,
FirstBank, based in Lakewood, Colorado. Founded in 1963, FirstBank
currently has over $13 billion in assets, over 115 locations and 2,000
employees serving Colorado, Arizona, and California. I serve as
President of FirstBank Support Services, which provides information
technology, payment processing services, 24 hour call center, and
electronic banking services for 115 FirstBank locations. In addition, I
serve on the American Bankers Association's (ABA) Payments Systems
Administrative Committee, which focuses on emerging technologies that
affect the payments system and assesses the implications for the
financial services industry.
I appreciate the opportunity to be here to represent the ABA and
discuss the recent Target and other data security breaches. The ABA
represents banks of all sizes and charters and is the voice for the
Nation's $14 trillion banking industry and its two million employees.
Notwithstanding these recent breaches, our payment system remains
strong and functional. No security breach seems to stop the $3 trillion
that Americans spend safely and securely each year with their credit
and debit cards. And with good reason: Customers can use these cards
confidently because their banks protect them from losses by investing
in technology to detect and prevent fraud, reissuing cards and
absorbing fraud costs.
At the same time, these breaches have reignited the long-running
debate over consumer data security policy. ABA and the thousands of
community, mid-size, regional, and large banks we represent recognize
the paramount importance of a safe and secure payments system to our
Nation and its citizens. We thank the Subcommittee for holding this
hearing and welcome the ongoing discussion. From ABA's perspective,
Congress should examine the specific circumstances of the Target breach
and the broader data security issues involved, and we stand ready as a
resource to assist in your efforts.
In my testimony I will focus on four main points:
Protecting consumers is the banking industry's first
priority. As the stewards of the direct customer relationship,
the banking industry's overarching priority in breaches like
that of Target's is to protect consumers and make them whole
from any loss due to fraud.
A National data breach standard is essential. Consumers'
electronic payments are not confined by borders between States.
As such, a national standard for data security and breach
notification is of paramount importance, and we strongly
support S. 1927, the Data Security Act of 2014.
All players in the payments systems, including retailers,
must significantly improve their internal security systems as
the criminal threat continues to evolve.
Protecting the Payments System is a Shared Responsibility.
Banks, retailers, processors, and all of the participants in
the payments system must share the responsibility of keeping
the system secure, reliable, and functioning in order to
preserve consumer trust. That responsibility should not fall
predominantly on the financial services sector.
Before addressing each of these points in detail, it is important
to understand the data security vulnerabilities in our system. The
numbers are telling and point to the need for shared responsibility to
fight off the continual attacks on data.
I. Data Security: Where are the Vulnerabilities?
It is a sobering fact that, since January 2005, a total of over
4,200 breaches exposing almost 600 million records have occurred
nationwide. (Source: Identity Theft Resource Center) There were over
600 reported data breaches during 2013 alone, an increase of 30 percent
over 2012 and the third highest number of breaches over the last 9
years. The two sectors reporting the highest number of breaches were
the healthcare sector at 43 percent of reported breaches and the
business sector, including merchants, which accounted for nearly 34
percent of reported breaches.
Moreover, the business sector, because of the Target breach,
accounted for almost 82 percent of 2013's breached records. The
Banking, Credit and Financial sector accounted for only 4 percent of
all breaches and less than 2 percent of all breached records.\1\
However, in spite of the small percentage of actual data breaches, the
Banking, Credit and Financial sector bears a disproportionate share of
breach recovery and fraud expenses. This is a consistent trend since
2005, where over this 9-year period our sector accounted for
approximately 8 percent of all reported breaches. The business sector
accounted for approximately 36 percent and health care sector
approximately 23 percent of all breaches over the same time period.
---------------------------------------------------------------------------
\1\ 2013 Data Breach Category Summary, Identity Theft Resource
Center, January 1, 2014, available at: http://www.idtheftcenter.org/
images/breach/2013/BreachStatsReport
Summary2013.pdf
---------------------------------------------------------------------------
Source: Identity Theft Resource Center
These numbers point to the central challenge associated with
breaches of financial account data or personally identifiable
information: while the preponderance of data breaches occur at entities
far removed from the banking sector, it is the bank's customer
potentially at the end of the line who must be protected.
II. Protecting Consumers is Our First Priority
While the facts of the Target breach remain fluid, the company has
acknowledged that the breach occurred within its internal systems,
affecting nearly 40 million credit and debit card accounts while also
revealing the personally identifiable information (e.g., name, address,
email, telephone number) of potentially 70 million people. On average,
the Target breach has affected 10 percent of every bank's credit and
debit card customer base.
Paying for Fraud
When a retailer like Target speaks of its customers having ``zero
liability'' from fraudulent transactions, it is because our Nation's
banks are making customers whole, not the retailer that suffered the
breach. Banks are required to swiftly research and reimburse customers
for unauthorized transactions, and normally exceed legal requirements
by making customers whole within days of the customer alerting the bank
of the fraud, if not immediately.\2\
---------------------------------------------------------------------------
\2\ With traditional card payments, the rights and obligations of
all parties are well-defined by Federal statute when an unauthorized
transaction occurs. For example, Regulation E describes consumers'
rights and card issuers' obligations when a debit card is used, while
Regulation Z does so for credit card transactions. The payment networks
also have well-established rules for merchants and issuers. For
instance, while Regulation Z limits a customer's liability for
unauthorized transactions on a lost or stolen credit card to $50, the
card networks require issuers to provide their cardholders with zero
liability.
---------------------------------------------------------------------------
After the bank has reimbursed a customer for the fraudulent
transaction, it can then attempt to ``charge-back'' the retailer where
the transaction occurred. Unfortunately, and certainly in my
experience, the majority of these attempts are unsuccessful, with the
bank ultimately shouldering the vast majority of fraud loss and other
costs associated with the breach. Overall, for 2009, 62 percent of
reported debit card fraud losses were borne by banks, while 38 percent
were borne by merchants.\3\
---------------------------------------------------------------------------
\3\ 2009 Interchange Revenue, Covered Issuer Cost, and Covered
Issuer and Merchant Fraud Loss Related to Debit Card Transactions, June
2011, Board of the Governors of the Federal Reserve System, available
at: http://www.federalreserve.gov/paymentsystems/files/
debitfees_costs.pdf.
---------------------------------------------------------------------------
It is an unfortunate truth that, in the end (and often well after
the breach has occurred and the banks have made customers whole) banks
generally receive pennies for each dollar of fraud losses and other
costs that were incurred by banks in protecting their customers. This
minor level of reimbursement, when taken in concert with the fact that
banks bear over 60 percent of reported fraud losses yet have accounted
for less than 8 percent of reported breaches since 2005 is clearly
inequitable. We believe banks should be fully reimbursed for the costs
they bear for breaches that occur elsewhere.
Reissuing and Ongoing Monitoring
Each bank makes its own decision as to when and whether to reissue
cards, which in the case of our bank costs $5 per card. In the case of
the Target breach, the decision of whether to reissue cards was made
even more difficult considering the inconvenience this can cause during
the holiday season: breach or no breach, many consumers would not have
wanted their cards shut down leading up to Christmas. Those cards that
have not been reissued are being closely monitored for fraudulent
transactions. In some instances, banks gave customers an option of
keeping their cards open through the holidays until they could reissue
all cards in January or, if they were concerned, to shut their card
down and be reissued a new card immediately.
The Target compromise was also unique in terms of the high
awareness of the ``Target'' name, the sheer number of people affected,
and the media coverage of the event. In addition to proactively
communicating with customers about the breach, bank call centers and
branches have handled millions of calls and in-person inquiries
regarding the card compromise. Many smaller and community banks have
increased staffing to meet consumer demand. At the end of the day,
consumers expect answers and to be protected by their bank, which is
why they call us, not Target or whoever actually suffered the breach.
We also remain vigilant to the potential for fraud to occur in the
future as a result of the Target breach. Standard fraud mitigation
methods banks use on an ongoing basis include monitoring transactions,
reissuing cards, and blocking certain merchant or types of
transactions, for instance, based on the location of the merchant or a
transaction unusual for the customer. Most of us are familiar with that
call from a card issuer rightfully questioning a transaction and having
a card canceled as a result. In many cases, however, the lifespan of
compromised consumer data extends well beyond the weeks immediately
following the breach itself. Just because the headlines fade away does
not mean that banks can afford to relax their ongoing fraud protection
and screening efforts. In addition there are ongoing customer support
issues as customers setup new card numbers for recurring transactions
related to health club memberships, online stores such as iTunes, etc.
III. A National Data Breach Standard is Essential
In many instances, the identity of the entity that suffered the
breach is either not known or, oftentimes, intentionally not revealed
as there is no requirement to do so. Understandably, a retailer or
other entity would rather pass the burden on to the affected consumers'
banks rather than taking the reputational hit themselves. In such
cases, the bank is put in the position of notifying their customers
that their credit or debit card data is at risk without being able to
divulge where the breach occurred. Many banks have expressed great
frustration regarding this process, with their customers--absent better
information--blaming the bank for the breach itself and inconvenience
they are now suffering.
Like the well-defined Federal regulations surrounding consumer
protections for unauthorized credit or debit transactions, data breach
notification for State and nationally chartered banks is governed by
guidance from the Federal Financial Institutions Examination Council
(FFIEC), as enacted in the Gramm-Leach-Bliley Act, requiring every bank
to have a customer response program. Retail establishments have no
comparable Federal requirements. In addition, not only are retailers,
healthcare organizations, and others who suffer the majority of
breaches not subject to Federal regulatory requirements in this space,
no entity oversees them in any substantive way. Instead they are held
to a wide variety of State data breach laws that aren't always
consistent. Banks too must also abide by many of these State laws,
creating a patchwork of breach notification and customer response
standards that are confusing to consumers as well as to companies.
Currently, 46 States, three U.S. territories, and the District of
Columbia have enacted laws governing data security in some fashion,
such as standards for data breach notification and for the safeguarding
of consumer information. Although some of these laws are similar, many
have inconsistent and conflicting standards, forcing businesses to
comply with multiple regulations and leaving many consumers without
proper recourse and protections.
Establishing a national data security and notification law would
provide better protection for consumers nationwide. It is for this
reason that we applaud and fully support the introduction of the Data
Security Act of 2014 (S. 1927) by Senators Tom Carper (D-DE) and Roy
Blunt (R-MO). This bipartisan legislation would better protect
consumers by replacing the current patchwork of State laws and
establishing one set of national requirements. The bill requires any
business that maintains sensitive personal and financial information--
including banks, verified-retailers, and data brokers--to implement,
maintain, and enforce reasonable policies and procedures to protect the
confidentiality and security of sensitive information from unauthorized
use.
Our existing national payments system serves hundreds of millions
of consumers, retailers, banks, and the economy well. It only stands to
reason that such a system functions most effectively when it is
governed by a consistent national data breach policy.
IV. All Players in the Payments System Must Improve Their Internal
Systems as the Criminal Threat Continues to Evolve
While many details of the Target breach are still largely unknown,
it is clear that criminal elements responsible for such attacks are
growing increasingly sophisticated in their efforts to breach the
payments system. This disturbing evolution, as demonstrated by the
Target breach, will require enhanced attention, resources, and
diligence on the part of all payments system participants.
The increased sophistication and prevalence of breaches caused by
criminal attacks--as opposed to negligence or unintentional system
breaches is also borne out in a recent study by the Ponemon Institute.
Evaluating annual breach trends, the Institute found that 2012 was the
first year in which malicious or criminal attacks were the most
frequently encountered root cause of data breaches by organizations in
the study, at 41 percent.\4\
---------------------------------------------------------------------------
\4\ 2013 Cost of Data Breach Study: United States, May 2013,
Ponemon Institute, available at: http://www.symantec.com/content/en/us/
about/media/pdfs/b-cost-of-a-data-breach-us-
report-
2013.enus.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin
_
2013Jun_worldwide_CostofaDataBreach.
---------------------------------------------------------------------------
Emerging details of the Target breach are allowing us to see a
troubling picture of the direction the criminal evolution is taking,
and what it means for at-risk consumer data. For example:
While Target's last public statement on the issue stated
that the PINs that were compromised as part of the breach were
encrypted, the company originally stated that PINs were not
compromised at all. If the PINs were unencrypted, this would be
particularly troubling, as that would make bank customer
accounts vulnerable to ATM cash withdrawals as well as
unauthorized purchases. We call on law enforcement and those in
the forensics process to be as transparent as possible in
outlining what are the precise threats to our customers.
Even if the PINs that were breached were in fact encrypted,
there is still the potential that they could be decrypted,
placing our customers at just as much risk as if unencrypted
PINs had been captured.
Banks also do not know the extent to which their customers'
bank account numbers, which are linked to Target's RedCard,
were compromised as a result of the breach. If this information
was compromised, customers could be vulnerable to unauthorized
Automated Clearing House (ACH) transactions directly from their
accounts.
More generally, banks have also encountered significant
customer confusion as to the nature of Target's RedCard and the
bank's ability to help. Many believe the bank can cancel the
card and reissue it even though the card was issued by Target.
This confusion points to a broader problem with the emergence
of many nontraditional payments providers: customers have a
hard time understanding which payment entity is responsible for
what, and often just assume the bank is the responsible party.
These threats to bank customer accounts point to the security
vulnerabilities associated with nontraditional payments companies, such
as Target, having direct linkages to the payments system without
information security regulatory requirements comparable to that of
financial institutions.
V. Protecting the Payments System is a Shared Responsibility
While much has recently been made about the on-going disagreements
between the retail community and the banking industry over who is
responsible for protecting the payments system, in reality our Nation's
payments system is made up of a wide variety of players: banks, card
networks, retailers, processors, and even new entrants, such as Square,
Google, and PayPal. Protecting this system is a shared responsibility
of all parties involved and we need to work together and invest the
necessary resources to combat increasingly sophisticated threats to
breach the payments system.
We must work together to combat the ever-present threat of criminal
activity at our collective doorstops. Inter-industry squabbles, like
those over interchange, have had a substantial impact on bank resources
available to combat fraud. Policymakers must examine that impact
closely to ensure that the necessary resources are not diverted from
addressing the real concern at hand--the security of our Nation's
payment system and the need to protect consumers. All participants must
invest the necessary resources to combat this threat.
In the wake of this breach, there has been significant discussion
over how to enhance payment card security, focusing on the
implementation of chip-based security technology known as EMV.\5\ This
technology makes it much harder for criminals to create duplicate cards
or make sense of encrypted data that they steal.
---------------------------------------------------------------------------
\5\ EMV stands for Europay, Mastercard, and Visa, the developers of
a global standard for inter-operation of integrated circuit, or
``chip'' cards and chip card compatible point-of-sale terminals and
automated teller machines.
---------------------------------------------------------------------------
We encourage the implementation of chip technology, both on the
card and at the point-of-sale. In fact, the rollout of this technology
in the United States is well underway, with the next set of deadlines
for banks and retailers coming in late 2015. It takes time for full
implementation of chip technology in the United States, as our country
supports the largest economy in the world, with over 300 million
customers, 8 million retailers, and 14,000 financial institutions.
Even though EMV is an important step in the right direction, there
is no panacea for the everchanging threats that exist today. For
instance, EMV technology would not have prevented the potential harm of
the Target breach to the 70 million customers that had their name,
address, email, and/or telephone number compromised. Moreover, EMV
technology will help to address potential fraud at the point-of-sale,
but it does not address online security, nor is it a perfect solution
even at the point-of-sale as criminal efforts evolve. Because it is
impossible to anticipate what new challenges will come years from now,
we must therefore be cautious not to embrace any ``one'' solution as
the answer to all concerns.
VI. The Path Forward
Any system is only as strong as its weakest link. The same
certainly holds true in our rapidly changing consumer payments
marketplace. The innovations that are driving the industry forward and
presenting consumers with exciting new methods of making purchases is
also rapidly expanding beyond the bounds of our existing regulatory and
consumer protection regimes. And, as has historically been the case,
the criminals are often one step ahead as the marketplace searches for
consensus. That said, there are several positive steps policymakers can
take to facilitate a higher level of security for consumers going
forward. For example:
Raise all participants in the payments system to comparable levels
of security. Security within the payments system is currently uneven.
In addition to adhering to the Payment Card Industry Data Security
Standards, banks and other financial institutions are also subject to
significantly higher information security requirements than others that
facilitate electronic payments and house bank customer payment data.\6\
More must be done to buttress and enforce the current regulatory
requirements that merchants face.
---------------------------------------------------------------------------
\6\ For instance, banks are subject to the information security
requirements contained within the Gramm-Leach-Bliley Act, the FFIEC Red
Flag Rules regarding identity theft, and are continually examined
against these requirements.
---------------------------------------------------------------------------
Establish a national data security breach and notification
standard. A national data breach standard would provide better and more
consistent protection for consumers nationwide. We applaud and fully
support the introduction of The Data Security Act of 2014 (S. 1927) by
Senators Carper and Blunt and believe this legislation meets that goal
by replacing the current patchwork of State laws and establishing one
set of national requirements.
Make those responsible for data breaches responsible for their
costs. Banks bear the majority of costs associated with the fraud
caused by breaches even though our industry is responsible for only a
small percentage of the breaches that have occurred since 2005. When
any entity--be it a bank, merchant, college or hospital--is responsible
for a breach that compromises customer payment data or personally
identifiable information, that entity should be responsible for the
range of costs associated with that breach to the extent it was not
adhering to the necessary security requirements.
Increase the speed and transparency with which the results of
forensic investigations are shared with the financial community. When a
breach occurs, there is much banks and others do not know and are not
told for extended periods of time regarding the vulnerability of
certain aspects of their customers' data. Similar to the robust manner
in which banks and law enforcement currently share other cybersecurity
threat data, we must examine ways to share the topline threat data from
merchant and other breaches that does not impede the overall
investigation. For example, banks and payment networks currently share
an increasing amount of cybersecurity threat and fraud information
through groups such as the Financial Services Information Sharing and
Analysis Center and other groups within ABA. Our efforts would be
greatly enhanced if that information sharing capacity expanded to
include the merchant community. We would welcome such expansion and
look forward to working collectively with merchants to combat our
common adversaries.
Banks are committed to doing our share, but cannot be the sole
bearer of that responsibility. Policymakers, card networks, and all
industry participants have a vital role to play in addressing the
regulatory gaps that exist in our payments system, and we stand ready
to assist in that effort. Thank you for giving ABA the opportunity to
provide this testimony. We look forward to continuing to work with
Congress to enhance the security of our Nation's payment system, and
maintain the trust and confidence hundreds of millions of Americans
place in it every day.
______
PREPARED STATEMENT OF MALLORY DUNCAN
General Counsel and Senior Vice President
National Retail Federation
February 3, 2014
Chairman Warner, Ranking Member Kirk and Members of the
Subcommittee, thank you for giving me this opportunity to provide you
with my thoughts on safeguarding consumers' financial information. My
name is Mallory Duncan, and I am General Counsel of the National Retail
Federation (NRF). NRF is the world's largest retail trade association,
representing discount and department stores, home goods and specialty
stores, Main Street merchants, grocers, wholesalers, chain restaurants
and Internet retailers from the United States and more than 45
countries. Retail is the Nation's largest private sector employer,
supporting one in four U.S. jobs--42 million working Americans.
Contributing $2.5 trillion to annual GDP, retail is a daily barometer
for the Nation's economy.
Collectively, retailers spend billions of dollars safeguarding
consumers' data and fighting fraud. Data security is something that our
members strive to improve every day. Virtually all of the data breaches
we've seen in the United States during the past couple of months--from
those at retailers that have been prominent in the news to those at
banks and card network companies that have received less attention--
have been perpetrated by criminals that are breaking the law. All of
these companies are victims of these crimes and we should keep that in
mind as we explore this topic and public policy initiatives relating to
it.
This issue is one that we urge the Committee to examine in a
holistic fashion: we need to reduce fraud. That is, we should not be
satisfied with deciding what to do after a data breach occurs--who to
notify and how to assign liability. Instead, it's important to look at
why such breaches occur and what the perpetrators get out of them so
that we can find ways to reduce and prevent not only the breaches
themselves, but the fraudulent activity that is often the goal of these
events. If breaches become less profitable to criminals then they will
dedicate fewer resources to committing them and our goals will become
more achievable.
With that in mind, this testimony is designed to provide some
background on data breaches and on fraud, explain how these events
interact with our payments system, discuss some of the technological
advancements that could improve the current situation, raise some ways
to achieve those improvements, and then discuss the aftermath of data
breaches and some ways to approach things when problems do occur.
Data Breaches in the United States
Unfortunately, data breaches are a fact of life in the United
States. In its 2013 data breach investigations report, Verizon analyzed
more than 47,000 security incidents and 621 confirmed data breaches
that took place during the prior year. Virtually every part of the
economy was hit in some way: 37 percent of breaches happened at
financial institutions; 24 percent happened at retail; 20 percent
happened at manufacturing, transportation and utility companies; and 20
percent happened at information and professional services firms.
It may be surprising to some given recent media coverage that more
data breaches occur at financial institutions than at retailers. And,
it should be noted, even these figures obscure the fact that there are
far more merchants that are potential targets of criminals in this
area. There are hundreds of times as many merchants accepting card
payments in the United States than there are financial institutions
issuing and processing those payments. So, proportionally, and not
surprisingly, the thieves focus far more often on banks which have our
most sensitive financial information--including not just card account
numbers but bank account numbers, social security numbers and other
identifying data that can be used to steal identities beyond completing
some fraudulent transactions.
Source: 2013 Data Breach Investigations Report, Verizon
Nearly one-fifth of all of these breaches were perpetrated by
State-affiliated actors connected to China. Three in four breaches were
driven by financial motives. Two-thirds of the breaches took months or
more to discover and 69 percent of all breaches were discovered by
someone outside the affected organization.\1\
---------------------------------------------------------------------------
\1\ 2013 Data Breach Investigations Report, Verizon.
---------------------------------------------------------------------------
These figures are sobering. There are far too many breaches. And,
breaches are often difficult to detect and carried out in many cases by
criminals with real resources behind them. Financially focused crime
seems to most often come from organized groups in Eastern Europe rather
than State-affiliated actors in China, but the resources are there in
both cases. The pressure on our financial system due to the overriding
goal of many criminals intent on financial fraud is acute. We need to
recognize that this is a continuous battle against determined
fraudsters and be guided by that reality.
Background on Fraud
Fraud numbers raise similar concerns. Just a year ago, Forbes found
that Mexico and the United States were at the top of the charts
worldwide in credit and debit card fraud.\2\ And fraud losses in the
United States have been going up in recent years while some other
countries have had success reducing their fraud rates. The United
States in 2012 accounted for nearly 30 percent of credit and debit card
charges but 47 percent of all fraud losses.\3\ Credit and debit card
fraud losses totaled $11.27 billion in 2012.\4\ And retailers spend
$6.47 billion trying to prevent card fraud each year.\5\
---------------------------------------------------------------------------
\2\ ``Countries with the most card fraud: U.S. and Mexico,'' Forbes
by Halah Touryalai, Oct. 22, 2012.
\3\ ``U.S. credit cards, chipless and magnetized, lure global
fraudsters,'' by Howard Schneider, Hayley Tsukayama and Amrita
Jayakumar, Washington Post, January 21, 2014.
\4\ ``Credit Card and Debit Card Fraud Statistics,'' CardHub 2013,
available at http://www.cardhub.com/edu/creditdebit-card-fraud-
statistics/.
\5\ Id.
---------------------------------------------------------------------------
Fraud is particularly devastating for retailers in the United
States. LexisNexis and Javelin Strategy & Research have published an
annual report on the ``True Cost of Fraud'' each year for the last
several years. The 2009 report found, for example, that retailers
suffer fraud losses that are 10 times higher than financial
institutions and 20 times the cost incurred by consumers. This study
covered more than just card fraud and looked at fraudulent refunds/
returns, bounced checks, and stolen merchandise as well. Of the total,
however, more than half of what merchants lost came from unauthorized
transactions and card chargebacks.\6\ The founder and President of
Javelin Strategy, James Van Dyke, said at the time, ``We weren't
completely surprised that merchants are paying more than half of the
share of the cost of unauthorized transactions as compared to financial
institutions. But we were very surprised that it was 90-10.''\7\
Similarly, Consumer Reports wrote in June 2011, ``The Mercator report
estimates U.S. card issuers' total losses from credit- and debit-card
fraud at $2.4 billion. That figure does not include losses that are
borne by merchants, which probably run into tens of billions of dollars
a year.''\8\
---------------------------------------------------------------------------
\6\ A fraud chargeback is when the card-issuing bank and card
network take the money for a transaction away from the retailer so that
the retailer pays for the fraud.
\7\ ``Retailers are bearing the brunt: New report suggests what
they can do to fight back,'' by M.V. Greene, NRF Stores, Jan. 2010.
\8\ ``House of Cards: Why your accounts are vulnerable to
thieves,'' Consumer Reports, June 2011.
---------------------------------------------------------------------------
Online fraud is a significant problem. It has jumped 36 percent
from 2012 to 2013.\9\ In fact, estimates are that online and other
fraud in which there is no physical card present accounts for 90
percent of all card fraud in the United States.\10\ And, not
surprisingly, fraud correlates closely with data breaches among
consumers. More than 22 percent of breach victims suffered fraud while
less than 3 percent of consumers who didn't have their data breached
experienced fraud.\11\
---------------------------------------------------------------------------
\9\ 2013 True Cost of Fraud, LexisNexis at 6.
\10\ ``What you should know about the Target case,'' by Penny
Crosman, American Banker, Jan. 23, 2014.
\11\ 2013 True Cost of Fraud, LexisNexis at 20.
---------------------------------------------------------------------------
Source: 2013 True Cost of Fraud, LexisNexis
These numbers provide insights as to how to get to the right
solutions of better safeguarding consumer and cardholder data and the
need to improve authentication of transactions to protect against
fraud. But before delving into those areas, some background on our
payments system could be helpful.
The Payments System
Payments data is sought in breaches more often than any other type
of data.\12\ Now, every party in the payment system, financial
institutions, networks, processors, retailers and consumers, has a role
to play in reducing fraud. However, although all parties have a
responsibility, some of those parties are integral to the system's
design and promulgation while others, such as retailers and consumers,
must work with the system as it is delivered to them.
---------------------------------------------------------------------------
\12\ 2013 Data Breach Investigations Report, Verizon at 445, figure
35.
---------------------------------------------------------------------------
As the following chart shows, while the banks are intimately
connected to Visa and MasterCard, merchants and consumers have
virtually no role in designing the payment system. Rather, they are
bound to it by separate agreements issued by financial intermediaries.
Thus consumers are obligated to keep their cards safe and secure in
their wallets and avoid misuse, but must necessarily turn their card
data over to others in order to effectuate a transaction. Retailers are
likewise obligated to collect and protect the card data they receive,
but are obligated to deliver it to processors in order to complete a
transaction, resolve a dispute or process a refund. In contrast, those
inside the triangle have much more systemic control.
For example, retailers are essentially at the mercy of the dominant
credit card companies when it comes to protecting payment card data.
The credit card networks--Visa, MasterCard, American Express, Discover
and JCB--are responsible for an organization known as the PCI (which
stands for Payment Card Industry) data security council. PCI
establishes data security standards (PCI-DSS) for payment cards. While
well intentioned in concept, these standards have not worked quite as
well in practice. They have been inconsistently applied, and their
avowed purpose has been significantly altered.
PCI has in critical respects over time pushed card security costs
onto merchants even when other decisions might have more effectively
reduced fraud--or done so at lower cost. For example, retailers have
long been required by PCI to encrypt the payment card information that
they have. While that is appropriate, PCI has not required financial
institutions to be able to accept that data in encrypted form. That
means the data often has to be de-encrypted at some point in the
process in order for transactions to be processed.
Similarly, merchants are expected to annually demonstrate PCI
compliance to the card networks, often at considerable expense, in
order to benefit from a promise that the merchants would be relieved of
certain fraud inherent in the payment system, which PCI is supposed to
prevent. However, certification by the networks as PCI Compliant
apparently has not been able to adequately contain the growing fraud
and retailers report that the ``promise'' increasingly has been
abrogated or ignored. Unfortunately, as card security expert Avivah
Litan of Gartner Research wrote recently, ``The PCI (Payment Card
Industry) security standard has largely been a failure when you
consider its initial purpose and history.''\13\
---------------------------------------------------------------------------
\13\ ``How PCI Failed Target and U.S. Consumers,'' by Avivah Litan,
Gartner Blog Network, Jan. 20, 2014, available at http://
blogs.gartner.com/avivah-litan/2014/01/20/how-pci-failed-target-and-u-
s-consumers/.
---------------------------------------------------------------------------
PCI has not addressed many obvious deficiencies in cards
themselves. There has been much attention to the fact that the United
States is one of the last places on earth to put card information onto
magnetic stripes on the backs of cards that can easily be read and can
easily be counterfeited (in part because that data is static and
unchanging). We need to move past magstripe technology.
But, before we even get to that question, we need to recognize that
sensitive card data is right on the front of the card, embossed with
prominent characters. Simply seeing the front of a card is enough for
some fraudsters and there have been fraud schemes devised to trick
consumers into merely showing someone their cards. While having the
embossed card number on the front of the card might have made sense in
the days of knuckle-buster machines and carbon copies, those days are
long passed.
In fact, cards include the cardholder's name, card number,
expiration date, signature and card verification value (CVV) code.
Everything a fraudster needs is right there on the card. The bottom
line is that cards are poorly designed and fraud-prone products that
the system has allowed to continue to proliferate.
PCI has also failed to require that the identity of the cardholder
is actually verified or authenticated at the time of the transaction.
Signatures don't do this. Not only is it easy to fake a signature, but
merchants are not allowed by the major card networks to reject a
transaction based on a deficient signature. So, the card networks
clearly know a signature is a useless gesture which proves nothing more
than that someone was there purporting to be the cardholder.
The use of personal identification numbers (PINs) has actually
proven to be an effective way to authenticate the identity of the
cardholder. PIN numbers are personal to each cardholder and do not
appear on the cards themselves. While they are certainly not perfect,
their use is effective at reducing fraud. On debit transactions, for
example, PIN transactions have one-sixth the amount of fraud losses
that signature transactions have.\14\ But PINs are not required on
credit card transactions. Why? From a fraud prevention perspective,
there is no good answer except that the card networks which set the
issuance standards have failed to protect people in a very basic way.
---------------------------------------------------------------------------
\14\ See 77 Fed. Reg. 46261 (Aug. 3, 2012) reporting $1.11 billion
in signature debit fraud losses and $181 million in PIN debit fraud
losses.
---------------------------------------------------------------------------
As noted by LexisNexis, merchant fraud costs are much higher than
banks' fraud costs. When credit or debit card fraud occurs, Visa and
MasterCard have pages of rules providing ways that banks may be able to
charge back the transaction to the retailer (which is commonly referred
to as a ``chargeback''). That is, the bank will not pay the retailer
the money for the fraudulent transaction even though the retailer
provided the consumer with the goods in question. When this happens,
and it happens a lot, the merchant loses the goods and the money on the
sale. According to the Federal Reserve, this occurs more than 40
percent of the time when there is fraud on a signature debit
transaction,\15\ and our members tell us that the percentage is even
higher on credit transactions. In fact, for online transactions, which
as noted account for 90 percent of fraud, merchants pay for the vast
majority of fraudulent transactions.\16\
---------------------------------------------------------------------------
\15\ Id. at 46262.
\16\ Merchants assume 74 percent of fraud losses for online and
other card-not-present signature debit transactions. 77 Fed. Reg.
46262.
---------------------------------------------------------------------------
Retailers have spent billions of dollars on card security measures
and upgrades to comply with PCI card security requirements, but it
hasn't made them immune to data breaches and fraud. The card networks
have made those decisions for merchants and the increases in fraud
demonstrate that their decisions have not been as effective as they
should have been.
Improved Technology Solutions
There are technologies available that could reduce fraud. An
overhaul of the fraud-prone cards that are currently used in the U.S.
market is long overdue. As I noted, requiring the use of a PIN is one
way to reduce fraud. Doing so takes a vulnerable piece of data (the
card number) and makes it so that it cannot be used on its own. This
ought to happen not only in the brick-and-mortar environment in which a
physical card is used but also in the online environment in which the
physical card does not have to be used. Canada, for example, is
exploring the use of a PIN for online purchases. The same should be
true here. Doing so would help directly with the 90 percent of U.S.
fraud which occurs online. It is not happenstance that automated teller
machines (ATMs) require the entry of a PIN before dispensing cash.
Using the same payment cards for purchases should be just as secure as
using them at ATMs.
Cards should also be smarter and use dynamic data rather than
magnetic stripes. In much of the world this is done using computer
chips that are integrated into physical credit and debit cards. That is
a good next step for the United States. It is important to note,
however, that there are many types of technologies that may be employed
to make this upgrade. EMV, which is an acronym for Europay, MasterCard
and Visa, is merely one particular proprietary technology. As the name
indicates, EMV was established by Europay, MasterCard and Visa. A
proprietary standard could be a detriment to the other potentially
competitive networks.\17\ Adopting a closed system, such as EMV, means
we are locking out the synergistic benefits of competition.
---------------------------------------------------------------------------
\17\ There are issues with EMV because the technology is just one
privately owned solution. For example, EMV includes specifications for
near field communications that would form the technological basis of
Visa and MasterCard's mobile payments solutions. That raises serious
antitrust concerns for retailers because we are just starting to get
some competitors exploring mobile payments. If the currently dominant
card networks are able to lock-in their proprietary technology in a way
that locks-out competition in mobile payments, that would be a bad
result for merchants and consumers who might be on the verge of
enjoying the benefits of some new innovations and competition.
So, while chip cards would be a step forward in terms of improving
card products, if EMV is forced as the chip card technology that must
be used--rather than an open-source chip technology which would
facilitate competition and not predetermine mobile payment market-
share--it could be a classic case of one step forward and two steps
backward.
---------------------------------------------------------------------------
But even within that closed framework, it should also be noted that
everywhere in the world that EMV has been deployed to date the card
networks have required that the cards be used with a PIN. That makes
sense. But here, the dominant card networks are proposing to force
chips (or even EMV) on the U.S. market without requiring PIN
authentication. Doing that makes no sense and loses a significant part
of the fraud prevention benefits of chip technology. To do otherwise
would mean that merchants would spend billions to install new card
readers without they or their customers obtaining PINs' fraud-reducing
benefits. We would essentially be spending billions to combine a 1990s
technology (chips) with a 1960s relic (signature) in the face of 21st
century threats.
Another technological solution that could help deter and prevent
data breaches and fraud is encryption. Merchants are already required
by PCI standards to encrypt cardholder data but, as noted earlier, not
everyone in the payments chain is required to be able to accept data in
encrypted form. That means that data may need to be de-encrypted at
some points in the process. Experts have called for a change to require
``end-to-end'' (or point-to-point) encryption which is simply a way to
describe requiring everyone in the payment-handling chain to accept,
hold and transmit the data in encrypted form. According to the
September 2009 issue of the Nilson Report ``most recent cyber attacks
have involved intercepting data in transit from the point of sale to
the merchant or acquirer's host, or from that host to the payments
network.'' The reason this often occurs is that ``data must be
decrypted before being forwarded to a processor or acquirer because
Visa, MasterCard, American Express, and Discover networks can't accept
encrypted data at this time.''\18\
---------------------------------------------------------------------------
\18\ The Nilson Report, Issue 934, Sept. 2009 at 7.
---------------------------------------------------------------------------
Keeping sensitive data encrypted throughout the payments chain
would go a long way to convincing fraudsters that the data is not worth
stealing in the first place--at least, not unless they were prepared to
go through the arduous task of trying to de-encrypt the data which
would be necessary in order to make use of it. Likewise, using PIN-
authentication of cardholders now would offer some additional
protection against fraud should this decrypted payment data be
intercepted by a criminal during its transmission ``in the clear.''
Tokenization is another variant that could be helpful. Tokenization
is a system in which sensitive payment card information (such as the
account number) is replaced with another piece of data (the ``token'').
Sensitive payment data could be replaced with a token to represent each
specific transaction. Then, if a data breach occurred and the token
data were stolen, it could not be used in any other transactions
because it was unique to the transaction in question. This technology
has been available in the payment card space since at least 2005.\19\
---------------------------------------------------------------------------
\19\ For information on Shift4's 2005 launch of tokenization in the
payment card space see http://www.internetretailer.com/2005/10/13/
shift4-launches-security-tool-that-lets-merchants-re-use-credit.
---------------------------------------------------------------------------
And, mobile payments offer the promise of greater security as well.
In the mobile setting, consumers won't need to have a physical card--
and they certainly won't replicate the security problem of physical
cards by embossing their account numbers on the outside of their mobile
phones. It should be easy for consumers to enter a PIN or password to
use payment technology with their smart phones. Consumers are already
used to accessing their phones and a variety of services on them
through passwords. Indeed, if we are looking to leapfrog the already
aging current technologies, mobile-driven payments may be the answer.
Indeed, as much improved as they are, chips are essentially dumb
computers. Their dynamism makes them significantly more advanced than
magstripes, but their sophistication pales in comparison with the
common smartphone. Smartphones contain computing powers that could
easily enable comparatively state-of-the-art fraud protection
technologies. The phones soon may be nearly ubiquitous, and if their
payment platforms are open and competitive, they will only get better.
The dominant card networks have not made all of the technological
improvements suggested above to make the cards issued in the United
States more resistant to fraud, despite the availability of the
technology and their adoption of it in many other developed countries
of the world, including Canada, the United Kingdom, and most countries
of Western Europe.
In this section, I have merely described some of the solutions
available, but the United States isn't using any of them the way that
it should be. While everyone in the payments space has a responsibility
to do what they can to protect against fraud and data theft, the card
networks have arranged the establishment of the data security
requirements and yet, in light of the threats, there is much left to be
desired.
A Better System
How can we make progress toward the types of solutions that would
reduce the crimes of data theft and fraud? One thing seems clear at
this point: we won't get there by doing more of the same. We need PIN-
authentication of card holders, regardless of the chip technology used
on newly issued cards. We also need chip cards that use open standards
and allow for competition among payment networks as we move into a
world of growing mobile commerce. Finally, we need companies throughout
the payment system to work together on achieving end-to-end encryption
so that there are no weak links in the system where sensitive card
payment information may be acquired more easily than in other parts of
the system.
Steps Taken by Retailers After Discovery of a Breach of Security
In our view, it is after a fulsome evaluation of data breaches,
fraud, the payments system and how to improve each of those areas in
order to deter and prevent problems that we should turn to the issue of
what to do when breaches occur. Casting blame and trying to assign
liability is, at best, putting the cart before the horse and, at worst,
an excuse for some actors to ignore their own responsibility for trying
to prevent these crimes.
One cannot reasonably demand greater security of a system than the
system is reasonably capable of providing. Some participants act as if
the system is more robust than it is. Currently, when the existing card
products are hit in a criminal breach, that company is threatened from
many sides. The threats come from entities seeking to exact fines and
taking other penalizing action even before the victimized company can
secure its network from further breaches and determine through a
forensic analysis what has happened in order to notify potentially
affected customers. For example, retailers that have suffered a breach
are threatened with fines for the breach based on allegations of
noncompliance with PCI rules (even when the company has been certified
as PCI-compliant). Other actors may expect the breached party to pay
for all of the fraudulent transactions that take place on card accounts
that were misused, even though the design of the cards facilitated
their subsequent counterfeiting. Indeed, some have seriously suggested
that retailers reimburse financial institutions for the cost of
reissuing more fraud-prone cards. And, as a consequence of the breach,
some retailers must then pay higher fees on its card transactions going
forward. Retailers pay for these breaches over and over again, despite
often times being victims of sophisticated criminal methods not
reasonably anticipated prior to the attack.
Breaches require retailers to devote significant resources to
remedy the breach, help inform customers and take preventative steps to
ward off future attacks and any other potential vulnerabilities
discovered in the course of the breach investigation. Weeks or months
of forensic analysis may be necessary to definitively discover the
cause and scope of the breach. Any discovered weaknesses must be shored
up. Quiet and cooperative law enforcement efforts may be necessary in
an effort to identify and capture the criminals. Indeed, law
enforcement may temporarily discourage publication of the breach so as
to not alert the perpetrators that their efforts have been detected.
It is worth noting that in some of these cases involving payment
card data, retailers discover that they actually were not the source of
the breach and that someone else in the payments chain was victimized
or the network intrusion and theft occurred during the transmission of
the payment card data between various participants in the system. For
this reason, early attempts to assign blame and shift costs are often
misguided and policymakers should take heed of the fact that often the
earliest reports are the least accurate. Additionally, policymakers
should consider that there is no independent organization devoted to
determining where a breach occurred, and who is to blame--these
questions are often raised in litigation that can last for years. This
is another reason why it is best to at least wait until the forensic
analysis has been completed to determine what happened. Even then,
there may be questions unanswered if the attack and technology used was
sophisticated enough to cover the criminals' digital tracks.
The reality is that when a criminal breach occurs, particularly in
the payments system, all of the businesses that participate in that
system and their shared customers are victimized. Rather than resort to
blame and shame, parties should work together to ensure that the breach
is remedied and steps are taken to prevent future breaches of the same
type and kind.
Legislative Solutions
In addition to the marketplace and technological solutions
suggested above, NRF also supports a range of legislative solutions
that we believe would help improve the security of our networked
systems, ensure better law enforcement tools to address criminal
intrusions, and standardize and streamline the notification process so
that consumers may be treated equally across the Nation when it comes
to notification of data security breaches.
NRF supports the passage by Congress of the bipartisan ``Cyber
Intelligence Sharing and Protection Act'' (H.R. 624) so that the
commercial sector can lawfully share information about cyber-threats in
real-time and enable companies to defend their own networks as quickly
as possible from cyber-attacks as soon as they are detected elsewhere
by other business.
We also support legislation that provides more tools to law
enforcement to ensure that unauthorized network intrusions and other
criminal data security breaches are thoroughly investigated and
prosecuted, and that the criminals that breach our systems to commit
fraud with our customers' information are swiftly brought to justice.
Finally, and for nearly a decade, NRF has supported passage of
legislation that would establish one, uniform Federal breach
notification law that would be modeled on, and preempt, the varying
breach notification laws currently in operation in 46 States, the
District of Columbia and Federal territories. A Federal law could
ensure that all entities handling the same type of sensitive consumer
information, such as payment card data, are subject to the same
statutory rules and penalties with respect to notifying consumers of a
breach affecting that information, Further, a preemptive Federal breach
notification law would allow retailers and other businesses that have
been victimized by a criminal breach to focus their resources on
remedying the breach and notifying consumers rather than hiring outside
legal assistance to help guide them through the myriad and sometimes
conflicting set of 50 data breach notification standards in the State
and Federal jurisdictions. Additionally, the use of one set of
standardized notice rules would permit the offering to consumers of the
same notice and the same rights regardless of where they live.
Conclusion
In closing three points are uppermost.
First, retailers take the increasing incidence of payment card
fraud very seriously. We do so as Main Street members of the community,
because it affects our neighbors and our customers. We do so as
businesses, because it affects the bottom line. Merchants already bear
at least an equal, and often a greater, cost of fraud than any other
participant in the payment card system. We have every reason to want to
see fraud reduced, but we have only a portion of the ability to make
that happen. We did not design the system; we do not configure the
cards; we do not issue the cards. We will work to effectively upgrade
the system, but we cannot do it alone.
Second, the vast majority of breaches are criminal activity. The
hacked party, whether a financial institution, a card network, a
processor, a merchant, a governmental institution, or a consumer is the
victim of a crime. Traditionally, we don't blame the victim of violence
for the resulting stains; we should be similarly cautious about
penalizing the hackee for the hack. The payment system is complicated.
Every party has a role to play; we need to play it together. No system
is invulnerable to the most sophisticated and dedicated of thieves.
Consequently, eliminating all fraud is likely to remain an aspiration.
Nevertheless, we will do our part to help achieve that goal.
Third, it is long past time for the United States to adopt PIN and
chip card technology. The PIN authenticates and protects the consumer
and the merchant. The chip authenticates the card to the bank. If the
goal is to reduce fraud we must, at a minimum, do both.
PREPARED STATEMENT OF EDMUND MIERZWINSKI
Consumer Program Director, U.S. PIRG
February 3, 2014
Chairman Warner, Senator Kirk, Members of the Committee, I
appreciate the opportunity to testify before you on the important
matter of consumer data security. Since 1989, I have worked on data
privacy issues, among other financial system issues, for the U.S.
Public Interest Research Group. The State PIRGs are nonprofit,
nonpartisan public interest advocacy organizations that take on
powerful interests on behalf of their members.
Summary:
The authoritative Privacy Rights Clearinghouse has estimated that
since 2005, 663,182,386 records have been breached in a total of 4,163
separate data breaches.\1\ The latest exploit against Target Stores,
depending on how it is measured, is among the largest ever.
---------------------------------------------------------------------------
\1\ See ``Chronology of Data Breaches,'' Privacy Rights
Clearinghouse, last visited 30 January 2014: https://
www.privacyrights.org/data-breach.
---------------------------------------------------------------------------
Target should be held accountable for its failure to comply with
applicable security standards but that does not mean it is 100 percent
responsible for this breach. Merchants, and their customers, have been
forced by the card monopolies to use an unsafe payment card system that
relies on obsolete magnetic stripe technology. When the technology was
used only for safer credit cards, this may have been acceptable, but
since the banks and card networks have also aggressively promoted the
use of debit cards on the unsafe signature (not safer PIN) based
platform, consumer bank accounts have also been placed at risk.
Congress should carefully weigh its response to the breach.
Increasing consumer protections under the Electronic Funds Transfer Act
(EFTA), which applies to debit cards, to the gold standard levels of
the Truth In Lending Act, which applies to credit cards, should be the
first step. Facing higher liability may ``focus the mind'' of the banks
on improving security. Second, Congress should not preempt the
strongest State breach notification laws, especially with a Federal
breach law that may include a Trojan Horse preemption provision
eliminating not only State breach laws, but all future State actions to
protect privacy. That's the wrong response as we discuss below.
Finally, Congress should also investigate the deceptive marketing of
subscription-based credit monitoring and ID theft insurance products,
which are over-priced and provide a false sense of security. In this
case, although the highest risk to consumers is fraud on existing
accounts, the modest credit monitoring product offered (for free) to
Target customers will at best warn that you have become an identity
theft victim. We make additional recommendations in the testimony below
and are at all times available to brief Committee staff or members.
The Target Breach:
The card information acquired in the first 40 million breached
accounts that Target reported placed those debit/ATM or credit card
customers at risk of fraud on their existing accounts. Because the
scope of the records acquired in that RAM-scraping incident included
not only the card number but also the expiration date, 3-digit security
code (from the back of the card) and the (encrypted but probably
hackable) PIN number or password, these numbers became very valuable on
the underground market, as the Secret Service has already explained.
Target's later admission that additional information--including
telephone numbers and email addresses--for up to a total of 70-110
million consumer records (some may have been the same consumers) held
in a Customer Relations Management (CRM) database was also obtained,
placed those customers at the risk of new account identity theft.
Criminals will seek to obtain additional information, such as a
consumer's Social Security Number, which would enable them to submit
false applications for credit in your name.
When bad guys obtain emails and phone numbers, they make phishing
attacks to obtain more information: While the emails and phone numbers
are not enough information to commit identity theft, it is enough
information to conduct such ``phishing attacks'' designed to collect
additional information, including Social Security Numbers and encrypted
passwords, from consumers.
They do this either through placing dangerous links in emails or
various ``social engineering'' techniques to trick you into providing
more information. A phishing email will appear to be from your bank.
But if you click on any links, either a virus explodes on your computer
to collect any personal information stored on it, or you are redirected
to a site that will allow them to obtain the information they need. Or,
if they call you, they use the information that they have as a
validation that they are from the bank, to trick you into providing the
information that they need. The additional information the bad guys
seek, then, would either allow them direct access to your account
(through the PIN) or to open new accounts in your name (with your
Social Security Number) by committing identity theft. They use what
they know to convince you to tell them what they don't know. They want
your PIN, or your birth date and Social Security Number. They hope to
trick you into giving it up.
However, I believe the greater risk in this case is fraud on
existing accounts, not identity theft. That is why so many banks re-
issued debit and credit cards, or both, following the incident. But
disappointingly, Target's main response to consumers--offering a free
credit monitoring service--won't stop or warn of fraud on existing
accounts. That provides consumers a false sense of security.\2\
---------------------------------------------------------------------------
\2\ Even worse, consumers who accept the monitoring product,
ProtectmyID from the credit bureau Experian, must accept a boilerplate
forced arbitration clause that restricts their ability to sue Experian.
See http://www.protectmyid.com/terms/. And under current U.S. Supreme
Court jurisprudence, that clause's outrageous ban on joining a class
action is also permissible.
---------------------------------------------------------------------------
It actually won't even stop identity theft, it will simply notify
you after the fact of changes to your Experian credit report (but not
to your Trans Union or Equifax reports, which may include different
account information). Positively, the offered product terminates after
1 year, rather than auto-renewing for a monthly fee (when similar
products were offered after some previous breaches, the over-priced,
under-performing credit monitoring products were sometimes set to auto-
renew for a fee).
Despite my reservations about Target's delayed and drawn out
notifications to customers about the breach,\3\ and its provision of
the inadequate credit monitoring product, I don't believe that Target
or other merchants deserve all of the blame for the data breaches that
occur on their watch.
---------------------------------------------------------------------------
\3\ I understand that some State Attorneys General are
investigating whether adequate notification was made under their breach
laws.
---------------------------------------------------------------------------
The card networks are largely at fault. They have continued to use
an obsolete 1970s magnetic stripe technology well into the 21st
century. When the technology was solely tied to credit cards, where
consumers enjoy strong fraud rights and other consumer protections by
law, this may have been barely tolerable.
But when the big banks and credit card networks asked consumers to
expose their bank accounts to the unsafe signature-based payment
system, by piggybacking once safer PIN-only debit cards onto the
signature-based system, the omission became unacceptable. The vaunted
``zero-liability'' promises of the card networks and issuing banks are
by contract, not law. Of course, the additional problem any debit card
fraud victim faces is that she is missing money from her own account
while the bank conducts an allowable reinvestigation for 10 days or
more, even if the bank eventually lives up to its promise.\4\
---------------------------------------------------------------------------
\4\ Compare some of the Truth In Lending Act's robust credit card
protections by law to the Electronic Funds Transfer Act's weak debit
card consumer rights at this FDIC Web site: http://www.fdic.gov/
consumers/consumer/news/cnfall09/debit_vs_credit.html.
---------------------------------------------------------------------------
Further, the card networks' failure to upgrade, let alone enforce,
their PCI or security standards, despite the massive revenue stream
provided by consumers and merchants through swipe, or interchange,
fees, is yet another outrage by the banks and card networks.
Incredibly, the Federal Reserve Board's rule interpreting the
Durbin amendment limiting swipe fees on the debit cards of the biggest
banks also provides for additional fraud revenue to the banks in
several ways. Even though banks and card networks routinely pass along
virtually all costs of fraud to merchants in the form of chargebacks,
the Fed rule interpreting the Durbin amendment allows for much more
revenue. So, not only are banks and card networks compensated with
general revenue from the ever-increasing swipe fees, but the Fed allows
them numerous additional specific bites of the apple for fraud-related
fees.
To be sure, Target should be held accountable if it turns out, as
has been reported, that it was not in compliance with the latest and
highest level of security standards throughout its system. But
understand that that system was inadequate at best because, like acting
as any monopolists would, the card duopoly refused to make adequate
technological improvements to its system, preferring to extract excess
rents for as long as possible. For that reason, I cannot endorse any
reform that makes Target, or other merchants, the only ones at blame.
In many ways, the merchants are as much victims of the banks' unsecure
systems as consumers are.
Recommendations:
1) Congress should improve debit/ATM card consumer rights and make
all plastic equal:
Up until now, both banks and merchants have looked at fraud and
identity theft as a modest cost of doing business and have not
protected the payment system well enough. They have failed to look
seriously at harms to their customers from fraud and identity theft--
including not just monetary losses and the hassles of restoring their
good names, but also the emotional harm that they must face as they
wonder whether future credit applications will be rejected due to the
fraudulent accounts.
Currently, debit card fraud victims are reimbursed at ``zero
liability'' only by promise. The EFTA's fraud standard actually
provides for 3-tiers of consumer fraud losses. Consumers lose up to $50
if they notify the bank within 2 days of learning of the fraud, up to
$500 if they notify the bank within 60 days and up to their entire
loss, including from any linked accounts, if they notify the bank after
60 days. However, if the physical debit card itself is not lost or
stolen, consumers are not liable for any fraud charges if they report
them within 60 days of their bank statement.
This shared risk fraud standard under the EFTA, which governs debit
cards, appears to be vestigial, or left over from the days when debit
cards could only be used with a PIN. Since banks encourage consumers to
use debit cards, placing their bank accounts at risk, on the unsafe
signature debit platform, this fraud standard should be changed.
As a first step, Congress should institute the same fraud cap, $50,
on debit/ATM cards as exists on credit cards. (Or, even eliminate the
cap of $50 in all cases, since it is never imposed.) Congress should
also provide debit and prepaid card customers with the stronger billing
dispute rights and rights to dispute payment for products that do not
arrive or do not work as promised that credit card users enjoy (through
the Fair Credit Billing Act, a part of the Truth In Lending Act).\5\
---------------------------------------------------------------------------
\5\ For a detailed discussion of these problems and recommended
solutions, see Hillebrand, Gail (2008) ``Before the Grand Rethinking:
Five Things to Do Today with Payments Law and Ten Principles to Guide
New Payments Products and New Payments Law,'' Chicago-Kent Law Review:
Vol. 83, Iss. 2, Article 12, available at http://
scholarship.kentlaw.iit.edu/cklawreview/vol83/iss2/12.
---------------------------------------------------------------------------
Debit/ATM card customers already face the aforementioned cash-flow
and bounced check problems while banks investigate fraud under the
Electronic Funds Transfer Act. Reducing their possible liability by
law, not simply by promise, won't solve this particular problem, but it
will force banks to work harder to avoid fraud. If they face greater
liability to their customers and account holders, they will be more
likely to develop better security.
2) Congress should not endorse a specific technology, such as EMV
(parent technology of Chip and PIN and Chip and Signature). If
Congress takes steps to encourage use of higher standards, its
actions should be technology-neutral and apply equally to all
players.
Chip and PIN and CHIP and signature are variants of the EMV
technology standard commonly in use in Europe. The current pending U.S.
rollout of chip cards will allow use of the less-secure Chip and
Signature cards rather than the more-secure Chip and PIN cards. Why not
go to the higher Chip and PIN authentication standard immediately and
skip past Chip and Signature? As I understand the rollout schedule,
there is still time to make this improvement.
This example demonstrates why Congress should not embrace a
specific technology. Instead, it should take steps to encourage all
users to use the highest possible existing standard. Congress should
also take steps to ensure that additional technological improvements
and security innovations are not blocked by actions or rules of the
existing players.
If Congress does choose to impose higher standards, then it must
impose them equally on all players. For example, current legislative
proposals may unwisely impose softer regimes on financial institutions
subject to the weaker Gramm-Leach-Bliley rules than to merchants and
other nonfinancial institutions.
Further, as most observers are aware, chip technology will only
prevent the use of cloned cards in card-present (Point-of-Sale)
transactions. It is an improvement over obsolete magnetic stripe
technology in that regard, yet it will have no impact on online
transactions, where fraud volume is much greater already than in point-
of-sale transactions. Experiments, such as with ``virtual card
numbers'' for one-time use, are being carried out online. It would be
worthwhile for the Committee to inquire of the industry and the
regulators how well those experiments are proceeding and whether
requiring the use of virtual card numbers in all online debit and
credit transactions should be considered a best practice.
Further, as I understand it, had Chip and PIN (or Chip and
Signature) been in use, it would not have stopped the Target breach,
since unencrypted information was collected from the Target system's
internal RAM memory, after the cards had already been used.
3) Investigate card security standards bodies and ask the prudential
regulators for their views:
To ensure that improvements continue to be made in the system, the
Committee should also inquire into the governance and oversight of the
development of card network security standards. Do regulators sit on
the PCI board? As I understand it, merchants do not; they are only
allowed to sit on what may be a meaningless ``advisory'' board.
Further, do regulators have any mandatory oversight function over
standards body rules?
Recently, the networks have been in to see the Federal Reserve
Board ostensibly to talk about interchange fees. Since the Fed is not a
witness today, the Committee should ask the Fed and other prudential
regulators about these matters at its pending Oversight hearing on
these matters later this week. In particular, ask the Fed to testify as
to the purposes and discussions at these meetings. Its summary of one
of these meetings indicates that the issue was EMV (CHIP card
technology) rollout:
Summary (Meeting Between Federal Reserve Board Staff and
Representatives of Visa, January 8, 2014): Representatives of
Visa met with Federal Reserve Board staff to discuss their
observations of market developments related to the deployment
of EMV (i.e., chip-based) debit cards in the United States.
Topics discussed included an overview of their current EMV
roadmap and Visa's proposed common application for enabling
multiple networks on an EMV card while preserving merchant
routing and choice.\6\
---------------------------------------------------------------------------
\6\ Available at http://www.federalreserve.gov/newsevents/rr-
commpublic/pin-debit-networks-20131107.pdf.
4) Congress should not enact any new legislation sought by the banks
---------------------------------------------------------------------------
to impose their costs of replacement cards on the merchants:
Target should pay its share but this breach was not entirely
Target's fault. The merchants are forced to use an obsolete and unsafe
system designed by the banks and card networks, which, to make matters
worse, don't uniformly enforce their additional often-changing security
standards intended to ameliorate the flaws in the underlying platform.
Disputes over costs of replacement cards should be handled by contracts
and agreements between the players. How could you possibly draft a bill
to address all the possible shared liabilities?
Of course, the Federal Reserve has already allowed compensation to
banks for card replacement in circumstances where the Fed's Durbin
amendment rule applies. It states:
``Costs associated with research and development of new fraud-
prevention technologies, card reissuance due to fraudulent activity,
data security, card activation, and merchant blocking are all examples
of costs that are incurred to detect and prevent fraudulent electronic
debit transactions. Therefore, the Board has included the costs of
these activities in setting the fraud prevention adjustment amount to
the extent the issuers reported these costs in response to the survey
on 2009 costs.''\7\
---------------------------------------------------------------------------
\7\ See 77 Fed. Reg. page 46264 (August 3, 2012), available at
http://www.gpo.gov/fdsys/pkg/FR-2012-08-03/pdf/2012-18726.pdf.
Under the Fed's Durbin rules the amount of this compensation is as
follows: banks can also get 5 basis points per transaction for fraud
costs, 1.2 cents per transaction for transaction monitoring, and 1 cent
per transaction for the fraud prevention adjustment. Again, this is in
addition to merchants already paying chargebacks for fraud as well as
---------------------------------------------------------------------------
PCI violation fines, plus litigation damages.
5) Congress should not enact any Federal breach law that preempts
State breach laws or, especially, preempts other State data
security rights:
In 2003, when Congress, in the FACT Act, amended the Fair Credit
Reporting Act, it specifically did not preempt the right of the States
to enact stronger data security and identity theft protections.\8\ We
argued that since Congress hadn't solved all the problems, it shouldn't
prevent the States from doing so.
---------------------------------------------------------------------------
\8\ See ``conduct required'' language in Section 711 of the Fair
and Accurate Credit Transactions Act of 2003, Public Law 108-159. Also
see Hillebrand, Gail, ``After the FACT Act: What States Can Still Do to
Prevent Identity Theft,'' Consumers Union, 13 January 2004, available
at http://consumersunion.org/research/after-the-fact-act-what-states-
can-still-do-to-prevent-identity-theft/.
---------------------------------------------------------------------------
From 2004-today, 46 States enacted security breach notification
laws and 49 State-enacted security freeze laws. Many of these laws were
based on the CLEAN Credit and Identity Theft Protection Model State Law
developed by Consumers Union and U.S. PIRG.\9\
---------------------------------------------------------------------------
\9\ See http://consumersunion.org/wp-content/uploads/2013/02/
model.pdf.
---------------------------------------------------------------------------
A security freeze, not credit monitoring, is the best way to
prevent identity theft. If a consumer places a security freeze on her
credit reports, a criminal can apply for credit in her name, but the
new potential creditor cannot access your ``frozen'' credit report and
will reject the application. The freeze is not for everyone, since you
must unfreeze your report on a specific or general basis whenever you
re-enter the credit marketplace, but it is only way to protect your
credit report from unauthorized access. See this footnoted Consumers
Union page for a list of security freeze rights.\10\
---------------------------------------------------------------------------
\10\ http://defendyourdollars.org/document/guide-to-security-
freeze-protection.
---------------------------------------------------------------------------
The other problem with enacting a preemptive Federal breach
notification law is that industry lobbyists will seek language that not
only preempts breach notification laws but also prevents States from
enacting any future data security laws, despite the laudable 2003 FACT
Act example above.
Simply as an example, S. 1927 (Carper) includes sweeping preemption
language that is unacceptable to consumer and privacy groups and likely
also to most State Attorneys General:
SEC. 7. RELATION TO STATE LAW.
No requirement or prohibition may be imposed under the laws of
any State with respect to the responsibilities of any person
to----
(1) protect the security of information relating to consumers that
is maintained or communicated by, or on behalf of, the person;
(2) safeguard information relating to consumers from potential
misuse;
(3) investigate or provide notice of the unauthorized access to
information relating to consumers, or the potential misuse of
the information, for fraudulent, illegal, or other purposes; or
(4) mitigate any loss or harm resulting from the unauthorized
access or misuse of information relating to consumers.
Other bills before the Congress include similar, if not even more
sweeping, abuses of our Federal system, despite that at least one
merchant I have spoken with told me: ``Actually, Ed, it is relatively
easy to comply with the different State breach laws. We haven't had a
problem.''
Such broad preemption will prevent States from acting as first
responders to emerging privacy threats. Congress should not preempt the
States. In fact, Congress should think twice about whether a Federal
breach law that is weaker than the best State laws is needed at all.
6) Congress should allow for private enforcement and broad State and
local enforcement of any law it passes:
The marketplace only works when we have strong Federal laws and
strong enforcement of those laws, buttressed by State and local and
private enforcement.
Many of the data breach bills I have seen specifically state no
private right of action is created. Such clauses should be eliminated
and it should also be made clear that the bills have no effect on any
State private rights of action. Further, no bill should include
language reducing the scope of State Attorney General or other State-
level public official enforcement. Further, any Federal law should not
restrict State enforcement only to State Attorneys General.
For example, in California not only the State Attorney General but
also county District Attorneys and even city attorneys of large cities
can bring unfair practices cases.
Although we currently have a diamond age of Federal enforcement,
with strong but fair enforcement agencies including the CFPB, OCC and
FDIC, that may not always be the case. By preserving State remedies and
the authority of State and local enforcers, you can better protect your
constituents from the harms of fraud and identity theft.
7) Any Federal breach law should not include any ``harm trigger''
before notice is required:
The better State breach laws, starting with California's, require
breach notification if information is presumed to have been
``acquired.'' The weaker laws allow the company that failed to protect
the consumer's information in the first place to decide whether to tell
them, based on its estimate of the likelihood of identity theft or
other harm.
Only an acquisition standard will serve to force data collectors to
protect the financial information of their trusted customers, account
holders or, as Target calls them, ``guests,'' well enough to avoid the
costs, including to reputation, of a breach.
8) Congress should further investigate marketing of overpriced
credit monitoring and identity theft subscription products:
In 2005 and then again in 2007 the FTC imposed fines on the credit
bureau Experian for deceptive marketing of its various credit
monitoring products, which are often sold as add-ons to credit cards
and bank accounts. Prices range up to $19.99/month. While it is likely
that recent CFPB enforcement orders \11\ against several large credit
card companies for deceptive sale of the add-on products--resulting in
recovery of approximately $800 million to aggrieved consumers--may
cause banks to think twice about continuing these relationships with
third-party firms, the Committee should also consider its own
examination of the sale of these credit card add-on products.
---------------------------------------------------------------------------
\11\ We discuss some of the CFPB cases here http://www.uspirg.org/
news/usp/cfpb-gets-results-orders-chase-bank-repay-consumers-over-300-
million-over-sale-junky-credit.
---------------------------------------------------------------------------
In addition to profits from credit monitoring, banks and other
firms reap massive revenues from ID Theft insurance, sometimes sold in
the same package and sometimes sold separately. Companies that don't
protect our information as the law requires add insult to injury by
pitching us over-priced monitoring and insurance products. The
Committee should call in the companies that provide ID theft insurance
and force the industry to open its books and show what percentage of
premiums are paid out to beneficiaries. It is probable that the loss
ratio on these products is so low as to be meaningless, meaning profits
are sky-high.
Consumers who want credit monitoring can monitor their credit
themselves. No one should pay for it. You have the right under Federal
law to look at each of your 3 credit reports (Equifax, Experian and
TransUnion) once a year for free at the federally mandated central site
annualcreditreport.com. Don't like Web sites? You can also access your
Federal free report rights by phone or email. You can stagger these
requests--1 every 4 months--for a type of do-it-yourself no-cost
monitoring. And, if you suspect you are a victim of identity theft, you
can call each bureau directly for an additional free credit report. If
you live in Colorado, Georgia, Massachusetts, Maryland, Maine, New
Jersey, Puerto Rico or Vermont, you are eligible for yet another free
report annually under State law by calling each of the Big 3 credit
bureaus.
Although Federal authority against unfair monitoring marketing was
improved in the 2009 Credit CARD Act,\12\ the Committee should also ask
the regulators whether any additional changes are needed.
---------------------------------------------------------------------------
\12\ The Credit Card Accountability, Responsibility and Disclosure
(CARD) Act of 2009, Public Law 111-24. See Section 205.
9) Review Title V of the Gramm-Leach-Bliley Act and its data
---------------------------------------------------------------------------
security requirements:
The 1999 Gramm-Leach-Bliley Act imposed data security
responsibilities on regulated financial institutions, including banks.
The requirements include breach notification in certain
circumstances.\13\ The Committee should ask the regulators for
information on their enforcement of its requirements and should
determine whether additional legislation is needed. The Committee
should also recognize, as noted above, that compliance with GLBA should
not constitute constructive compliance with any additional security
duties imposed on other players in the card network system as that
could lead to a system where those other nonfinancial-institution
players are treated unfairly.
---------------------------------------------------------------------------
\13\ See the Federal Financial Institutions Examination Council's
``Final Guidance on Response Programs: Guidance on Response Programs
for Unauthorized Access to Customer Information and Customer Notice,''
2005, available at http://www.fdic.gov/news/news/financial/2005/
fil2705.html.
10) Congress should investigate the over-collection of consumer
information for marketing purposes. More information means more
information at risk of identity theft. It also means there is a
greater potential for unfair secondary marketing uses of
---------------------------------------------------------------------------
information:
In the Big Data world, companies are collecting vast troves of
information about consumers. Every day, the collection and use of
consumer information in a virtually unregulated marketplace is
exploding. New technologies allow a web of interconnected businesses--
many of which the consumer has never heard of--to assimilate and share
consumer data in real-time for a variety of purposes that the consumer
may be unaware of and may cause consumer harm. Increasingly, the
information is being collected in the mobile marketplace and includes a
new level of localized information.
Although the Fair Credit Reporting Act limits the use of financial
information for marketing purposes and gives consumers the right to
opt-out of the limited credit marketing uses allowed, these new Big
Data uses of information may not be fully regulated by the FCRA. The
development of the Internet marketing ecosystem, populated by a variety
of data brokers and advertisers buying and selling consumer information
without their knowledge and consent, is worthy of Congressional
inquiry.\14\
---------------------------------------------------------------------------
\14\ See the FTC's March 2012 report, ``Protecting Consumer Privacy
in an Era of Rapid Change: Recommendations For Businesses and
Policymakers,'' available at http://www.ftc.gov/news-events/press-
releases/2012/03/ftc-issues-final-commission-report-protecting-
consumer-privacy. Also see Edmund Mierzwinski and Jeff Chester,
``Selling Consumers Not Lists: The New World of Digital Decision-Making
and the Role of the Fair Credit Reporting Act,'' 46 Suffolk University
Law Review Vol. 3, page 845 (2013), also available at http://
suffolklawreview.org/selling-consumers-not-lists/.
---------------------------------------------------------------------------
Thank you for the opportunity to provide the Committee with our
views. We are happy to provide additional information to Members or
staff.
______
PREPARED STATEMENT OF TROY LEACH
Chief Technology Officer, Payment Card Industry Security Standards
Council
February 3, 2014
Introduction
Chairman Warner, Ranking Member Kirk, Members of the Subcommittee,
on behalf of the PCI Security Standards Council, thank you for inviting
us to testify today before the Subcommittee.
My name is Troy Leach and I am the Chief Technology Officer of the
Payment Card Industry (PCI) Security Standards Council (SSC), a global
industry initiative and membership organization, focused on securing
payment card data. Working with a global community of industry players,
our organization has created data security standards--notably the PCI
Data Security Standard (PCI DSS)-certification programs, training
courses and best practice guidelines to help improve payment card
security.
Together with our community of over one thousand of the world's
leading businesses, we're tackling data security challenges from
password complexity to proper protection of PIN entry devices on
terminals. Our work is broad for a simple reason: there is no single
answer to securing payment card data. No one technology is a panacea;
security requires a multi-layered approach across the payment chain.
The PCI Security Standards Council is an excellent example of
effective industry collaboration to develop private sector standards.
Simply put, the PCI Standards are the best line of defense against the
criminals seeking to steal payment card data. And while several recent
high profile breaches have captured the Nation's attention, great
progress has been made over the past 7 years in securing payment card
data, through a collaborative cross-industry approach, and we continue
to buildupon the way we protect this data.
Consumers are understandably upset when their payment card data is
put at risk of misuse and--while the PCI Security Standards Council is
not a name most consumers know--we are sensitive to the impact that
breaches cause for consumers. And consumers should take comfort from
the fact that a great number of the organizations they do business with
have joined the PCI SSC to collaborate in the effort to better protect
their payment card data.
Payment card security: a dynamic environment
Since the threat landscape is constantly evolving, the PCI SSC
expects its standards will do the same. Confidence that businesses are
protecting payment card data is paramount to a healthy economy and
payment process--both in person and online. That's why to date, more
than one thousand of the world's leading retailers, airlines, banks,
hotels, payment processors, Government agencies, universities, and
technology companies have joined the PCI Council as members and as part
of our assessor community to develop security standards that apply
across the spectrum of today's global multi-channel and online
businesses.
Our community members are living on the front lines of this
challenge and are therefore well placed, through the unique forum of
the PCI Security Standards Council, to provide input on threats they
are seeing and ideas for how to tackle these threats through the PCI
Standards.
The Council develops standards through a defined, published 3-year
lifecycle. Our Participating Organization members told us that 3 years
was the appropriate timeframe to update and deploy security approaches
in their organizations. In addition to the formal lifecycle, the
Council and the PCI community have the resources to continually monitor
and provide updates through standards, published FAQs, Special Interest
Group work, and guidance papers on emerging threats and new ways to
improve payment security. Examples include updated wireless guidance
and security guidelines for merchants wishing to accept mobile
payments.
This year, on January 1, 2014, our latest version of the PCI Data
Security Standard (PCI DSS) became effective. This is our overarching
data security standard, built on 12 principles that cover everything
from implementing strong access control, monitoring and testing
networks, to having an information security policy. During updates to
this standard, we received hundreds of pieces of feedback from our
community. This was almost evenly split between feedback from domestic
and international organizations, highlighting the global nature of
participation in the PCI SSC and the need to provide standards and
resources that can be adopted globally to support the international
nature of the payment system.
This feedback has enabled us to be directly responsive to
challenges that organizations are facing every day in securing
cardholder data. For example, in this latest round of PCI DSS
revisions, community feedback indicated changes were needed to secure
password recommendations. Password strength remains a challenge--as
``password'' is still among the most common password used by global
businesses--and is highlighted in industry reports as a common failure
leading to data compromise. Small merchants in particular often do not
change passwords on point of sale (POS) applications and devices. With
the help of the PCI community, the Council has updated requirements to
make clear that default passwords should never be used, all passwords
must be regularly changed and not continually repeated, should never be
shared, and must always be of appropriate strength. Beyond promulgating
appropriate standards, we have taken steps through training and public
outreach to educate the merchant community on the importance of
following proper password protocols.
Recognizing the need for a multi-layer approach, in addition to the
PCI DSS, the Council and community have developed standards that cover
payment applications and point of sale devices. In other areas, based
on community feedback, we are working on standards and guidance on
other technologies such as tokenization and point-to-point encryption.
These technologies can dramatically increase data security at
vulnerable points along the transactional chain. Tokenization and
point-to-point encryption remove or render payment card information
useless to cyber criminals, and work in concert with other PCI
Standards to offer additional protection to payment card data.
In addition to developing and updating standards, every year the
PCI community votes on which topics they would like to explore with the
Council and provide guidance on. Over the last few years the working
groups formed by the Council to address these concerns have drawn
hundreds of organizations to collaborate together to produce resources
on third party security assurance, cloud computing, best practices for
maintaining compliance, e-commerce guidelines, virtualization, and
wireless security. Other recent Council initiatives have addressed ATM
security, PIN security, and mobile payment acceptance security for
developers and merchants.
EMV Chip & PCI Standards--a strong combination
One technology that has garnered a great deal of attention in
recent weeks is EMV chip--a technology that has widespread use in
Europe and other markets. EMV chip is an extremely effective method of
reducing counterfeit and lost/stolen card fraud in a face-to-face
payments environment. That's why the PCI Security Standards Council
supports the deployment of EMV chip technology.
Global adoption of EMV chip, including broad deployment in the U.S.
market, does not preclude the need for a strong data security posture
to prevent the loss of cardholder data from intrusions and data
breaches. We must continue to strengthen data security protections that
are designed to prevent the unauthorized access and exfiltration of
cardholder data.
Payment cards are used in variety of remote channels--such as
electronic commerce--where today's EMV chip technology is not typically
an option for securing payment transactions. Security innovation
continues to occur for online payments beyond existing fraud detection
and prevention systems. Technologies such authentication, tokenization,
and other frameworks are being developed, including some solutions that
may involve EMV chip--yet broad adoption of these solutions is not on
the short-term horizon. Consequently, the industry needs to continue to
protect cardholder data across all payment channels to minimize the
ongoing risks of data loss and resulting cross-channel fraud such as
may be experienced in the online channel.
Nor does EMV chip negate the need for secure passwords, patching
systems, monitoring for intrusions, using firewalls, managing access,
developing secure software, educating employees, and having clear
processes for the handling of sensitive payment card data. These
processes are critical for all businesses--both large retailers and
small businesses--who themselves have become a target for cyber
criminals. At smaller businesses, EMV chip technology will have a
strong positive impact. But if small businesses are not aware of the
need to secure other parts of their systems, or if they purchase
services and products that are not capable of doing that for them, then
they will still be subject to the ongoing exposure of the compromise of
cardholder data and resulting financial or reputational risk.
Similarly, protection from malware-based attacks requires more than
just EMV chip technology. Reports in the press regarding recent
breaches point to insertion of complex malware. EMV chip technology
could not have prevented the unauthorized access, introduction of
malware, and subsequent exfiltration of cardholder data. Failure of
other security protocols required under Council standards is necessary
for malware to be inserted.
Finally, EMV chip technology does not prevent memory scraping, a
technique that has been highlighted in press reports of recent
breaches. Other safeguards are needed to do so. In our latest versions
of security standards for Point of Sale devices, (PCI PIN Transaction
Security Requirements), the Council includes requirements to further
counter this threat. These include improved tamper responsiveness so
that devices will ``self-destruct'' if they are opened or tampered with
and the creation of electronic signatures that prevent applications
that have not been ``whitelisted'' from being installed. Our recently
released update to the standard, PTS 4.0, requires a default reset
every 24 hours that would remove malware from memory and reduce the
risk of data being obtained in this way. By responding to the Council's
PTS requirements, POS manufacturers are bringing more secure products
to market that reflect a standards development process that
incorporates feedback from a broad base of diverse stakeholders.
Used together, EMV chip, PCI Standards, along with many other tools
can provide strong protections for payment card data. I want to take
this opportunity to encourage all parties in the payment chain--whether
they are EMV chip ready or not--to take a multi-layered approach to
protect consumers' payment card data. There are no easy answers and no
shortcuts to security.
Global adoption of EMV chip is necessary and important. Indeed,
when EMV chip technology does become broadly deployed in the U.S.
marketplace and fraud migrates to less secure transaction environments,
PCI Standards will remain critical.
Beyond Standards--building a support infrastructure
An effective security program through PCI is not focused on
technology alone; it includes people and process as key parts of
payment card data protection. PCI Standards highlight the need for
secure software development processes, regularly updated security
policies, clear access controls, and security awareness education for
employees. Employees have to know not to click on suspicious links, why
it is important to have secure passwords, and to question suspicious
activity at the point of sale.
Most standards' organizations create standards, and no more. PCI
Security Standards Council, however, recognizes that standards, without
more, are only tools, and not solutions. And this does not address the
critical challenges of training people and improving processes.
To help organizations improve payment data security, the Council
takes a holistic approach to securing payment card data, and its work
encompasses both PCI Standards development and maintenance of programs
that support standards implementation across the payment chain. The
Council believes that providing a full suite of tools to support
implementation is the most effective way to ensure the protection of
payment card data. To support successful implementation of PCI
Standards, the Council maintains programs that certify and validate
certain hardware and software products to support payment security. For
example, the Council wants to make it easy for merchants and financial
institutions to deploy the latest and most secure terminals and so
maintains a public listing on its Web site for them to consult before
purchasing products. We realize it takes time and money to upgrade POS
terminals and we encourage businesses that are looking to upgrade for
EMV chip to consider other necessary security measures by choosing a
POS terminal from this list. Similarly, we are supporting the adoption
of point-to-point encryption, and listing appropriate solutions on our
Web site to take a solutions-oriented approach to helping retailers
more readily implement security in line with the PCI standards.
Additionally, the Council runs a program that develops and
maintains a pool of global assessment personnel to help work with
organizations that deploy PCI Standards to assess their performance in
using PCI Standards. The Council also focuses on creating education and
training opportunities to build expertise in protecting payment card
data in different environments and from the various viewpoints of
stakeholders in the payment chain. Since our inception, we have trained
tens of thousands of individuals, including staff from large merchants,
leading technology companies and Government agencies, and are currently
under contract to train members of the United States Secret Service.
Finally, we devote substantial resources to creating public campaigns
to raise awareness of these resources and the issue of protecting
payment card data.
The PCI community and large organizations that accept, store, or
transmit payment card data worldwide have made important strides in
adopting globally consistent security protocols. However, the Council
recognizes that small organizations remain vulnerable. Smaller
businesses lack IT staff and budgets to devote resources to following
or participating in the development of industry standards. But they can
take simple steps like updating passwords, firewalls, and ensuring they
are configured to accept automatic security updates. Additionally, to
help this population, the Council promotes its listings of validated
products, and recently launched a program, the Qualified Integrator and
Reseller program (QIR) to provide a pool of personnel able to help
small businesses ensure high quality and secure installation of their
payment systems.
The work of the Council covers the entire payment security
environment with the goal of providing or facilitating access to all
the tools necessary--standards, products, assessors, educational
resources, and training--for stakeholders to successfully secure
payment card data. We do this because we believe that no one technology
is a panacea and effective security requires a multi-layered approach.
Public-private collaboration
The Council welcomes this hearing and the Government's attention on
this critical issue. The recent compromises underscore the importance
constant vigilance in the face of threats to payment card data. We are
hopeful that this hearing will help raise awareness of the importance
of a multi-layered approach to payment card security.
There are very clear ways in which the Government can help improve
the payment data security environment. For example, by championing
stronger law enforcement efforts worldwide, particularly due to the
global nature of these threats, and by encouraging stiff penalties for
crimes of this kind to act as a deterrent. There is much public
discussion about simplifying data breach notification laws and
promoting information sharing between public and private sector. These
are all opportunities for the Government to help tackle this challenge.
The Council is an active participant in Government research in this
area: we have provided resources, expertise and ideas to NIST, DHS, and
other Government entities, and we remain ready and willing to do so.
Almost 20 years ago, through its passage of the Technology Transfer
and Advancement Act of 1995, Congress recognized that Government should
rely on the private sector to develop standards rather than to develop
them itself. The substantial benefits of the unique, U.S. ``bottom up''
standards development process have been well recognized. They include
the more rapid development and adoption of standards that are more
responsive to market needs, representing an enormous savings in time to
Government and in cost to taxpayers.
The Council believes that the development of standards to protect
payment card data is something the private sector, and PCI
specifically, is uniquely qualified to do. It is unlikely any
Government agency could duplicate the expansive reach, expertise, and
decisiveness of PCI. High profile events such as the recent breaches
are a legitimate area of inquiry for the Congress, but should not serve
as a justification to impose new Government regulations. Any Government
standard in this area would likely be significantly less effective in
addressing current threats, and less nimble in protecting consumers
from future threats, than the constantly evolving PCI Standards.
Conclusion
In 2011, the Ponemon Institute, a nonpartisan research center
dedicated to privacy, data protection, and information security policy
wrote, ``The Payment Card Industry Data Security Standard (PCI DSS)
continues to be one of the most important regulations for all
organizations that hold, process or exchange cardholder information.''
While we are pleased to have earned accolades such as this, we
cannot rest on our laurels.
The recent breaches at retailers underscore the complex nature of
payment card security. A complex problem cannot be solved by any single
technology, standard, mandate, or regulation. It cannot be solved by a
single sector of society--business, standards-setting bodies,
policymakers, and law enforcement--must work together to protect the
financial and privacy interests of consumers. Today as this Committee
focuses on recent damaging data breaches we know that there are
criminals focusing on committing inventing the next threat.
There is no time to waste. The PCI Security Standards Council and
business must commit to promoting stronger security protections while
Congress leads efforts to combat global cyber-crimes that threaten us
all. We thank the Committee for taking an important leadership role in
seeking solutions to one of the largest security concerns of our time.
RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM JESSICA RICH
Q.1. Banks are bound by regulations (the Graham-Leach-Bliley
Act and Reg. E to name a few) regarding how to store consumer
data, and are regularly examined by Federal regulators to
ensure ongoing and accurate compliance. Regulators have a
number of enforcement mechanisms in place to deal with banks
found to be noncompliant, such as requiring prompt corrective
action for material violations--even before a breach occurs.
What are the rules binding merchants to protect consumer
information? How are they monitored and enforced?
A.1. The FTC enforces Section 5 of the FTC, which Act prohibits
unfair or deceptive acts or practices. A company acts
deceptively if it makes materially misleading statements or
omissions about data security, and such statements or omissions
are likely to mislead reasonable consumers. Further, a company
engages in unfair acts or practices if its data security
practices cause or are likely to cause substantial injury to
consumers that is neither reasonably avoidable by consumers nor
outweighed by countervailing benefits to consumers or to
competition. The FTC can bring an enforcement action against a
company engaged in deceptive or unfair practices, either
through administrative adjudication or in Federal district
court. Through these mechanisms, the FTC can obtain injunctive
relief, such as prohibitions on misrepresentations, additional
disclosures, implementation of comprehensive data security
programs, and outside third party audits.
Merchants may also be subject to other Federal laws that
contain data security requirements. For example, the Fair
Credit Reporting Act (``FCRA'') imposes safe disposal
obligations on any entity that maintains consumer report
information. The FTC's Safeguards Rule, which implements the
Gramm-Leach-Bliley Act, requires certain nonbank financial
institutions to implement a comprehensive information security
program. And, the Children's Online Privacy Protection Act
(``COPPA'') requires reasonable security for children's
information collected online. In addition to the injunctive
relief discussed above, the FTC can also seek civil penalties
against merchants violating the FCRA and COPPA. To date, the
Commission has settled 50 data security cases using its
authority.
Beyond Federal laws, State data security and breach
notification laws may place additional requirements on
merchants. And, merchants may also be subject to self-
regulatory standards that place additional security
requirements on data they maintain.
Q.2. There has been a 30 percent increase in data breaches from
2012 to 2013. Clearly, these criminals are getting more
sophisticated--but because the majority of these breaches are
occurring within the healthcare space and with retailers, is
there reason to believe more should be done in these spaces to
protect consumers?
A.2. Yes--companies should ensure that they have sound
information security practices. They can start by doing a
thorough risk assessment of their security practices for
managing personal information and then designing a security
program to control and limit these risks. This should be done
in all areas of a company's operations and not just its
computer networks. Many breaches we have seen have not involved
high-tech hacking or other sophisticated techniques. Some
occurred because companies did not do background checks on
employees with access to personal information, did not manage
the termination of an employee well, or did not properly secure
or dispose of paper records. In other cases, companies have
failed to implement basic technical security measures such as
requiring strong passwords, encrypting sensitive information,
or updating security patches.
The Commission's Safeguards Rule under the Gramm-Leach-
Bliley Act provides a good roadmap as to the procedures and
basic elements necessary to develop a sound security program.
Although it applies only to nonbank financial institutions, we
believe it provides helpful guidance to other companies as
well.
Finally, as discussed in more detail below, enacting a
Federal data security and data breach notification law would
help to ensure better data security practices, primarily by
imposing civil penalties against companies that do not maintain
reasonable security or do not send appropriate breach notices
to consumers. Civil penalties can help further deter lax data
security and breach notification practices.
Q.3. What additional authorities--such as additional
monitoring, increased penalties for noncompliance, etc.--should
we give to the FTC have to be more effective?
A.3. The FTC supports Federal legislation that would (1)
strengthen its existing authority governing data security
standards on companies and (2) require companies, in
appropriate circumstances, to provide notification to consumers
when there is a security breach. Legislation in both areas--
data security and breach notification--should give the FTC the
ability to seek civil penalties to help deter unlawful conduct,
rulemaking authority under the Administrative Procedure Act,
and jurisdiction over nonprofits. Under current laws, the FTC
only has the authority to seek civil penalties for data
security violations with regard to children's online
information under COPPA or credit report information under the
FCRA. To help ensure effective deterrence, we urge Congress to
allow the FTC to seek civil penalties for all data security and
breach notice violations in appropriate circumstances.
Likewise, enabling the FTC to bring cases against nonprofits,
such as universities and health systems, would help ensure that
whenever personal information is collected from consumers,
entities that maintain such data adequately protect it.
Finally, rulemaking authority under the Administrative
Procedure Act would enable the FTC to respond to changes in
technology in implementing the legislation.
Q.4. Do you feel that having a Merchant ISAC would be helpful
in ensuring information about malware is quickly communicated
to retail groups and others so that additional precautions can
be taken?
A.4. In light of the recent data breaches at a number of large
retailers, this is a particularly appropriate time to evaluate
whether more can be done to secure consumers' information.
Better information sharing, such as through ISACs, can be part
of the solution. ISACs enable companies to pool information
about security threats and defenses so that they can prepare
for new attacks and quickly address potential vulnerabilities.
This kind of information is valuable, and we are committed to
working with retail businesses and associations to discuss
these issues and to explore the formation of a Merchant ISAC,
or similar organization.
------
RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM JAMES A.
REUTER
Q.1. I understand that large banks and payment networks see and
stop illegal attempts to intercept customer information on a
daily basis. What have banks done to invest in keeping ahead of
the criminals and what is the relationship with law enforcement
to investigate and prosecute these crimes?
A.1. According to the American Bankers Association's (ABA's)
most recent Deposit Account Fraud Survey and other benchmarking
data, while fraud against bank deposit accounts cost the
industry $1.744 billion in losses in 2012, bank prevention
measures stopped approximately $13 billion in fraudulent
transactions during that year. The fact that, in 2012, banks
prevented over $7 in fraud for every $1 in actual fraud losses
that occurred speaks to the substantial investment banks have
made in counteracting attempts to compromise customer
information or conduct unauthorized transactions against
customer accounts.
In addition to individual institution efforts, banks
collaborate, through the Financial Services Information Sharing
and Analysis Center (FS-ISAC) to share vital cybersecurity
threat and vulnerability information. Over 4,500 companies
currently belong to the FS-ISAC. The ABA serves on the board of
the Center on behalf of its membership, and in that capacity
ensures that this information is also available to the broader
financial community that the Association represents.
Banks are also currently investing, through the FS-ISAC, in
an effort to automate that evaluation of threat data to the
greatest extent possible. This initiative is consistent with
the recently published NIST Cybersecurity Framework, which
noted that the automated sharing of indicator information can
provide organizations with timely, actionable information that
they can use to detect and respond to cybersecurity events as
they are occurring.
On February 13, 2014, ABA and other major financial
institution trade associations announced a significant
initiative with major merchant trade associations to work
together to ensure customer personal and financial information
is secure and protected. The partnership will focus on
exploring paths to increased information sharing, better card
security technology, and maintaining the trust of customers.
Banks have a strong relationship, at both the local and
national levels, with law enforcement in the investigation and
prosecution of cyber-crimes. The fact that many of the
criminals are attacking our banks and customers from overseas
does, however, make prosecution difficult. As an industry we
are heartened by the FBI's commitment to staffing offices in
foreign countries, and we encourage Congress to support these
efforts.
Q.2. How much does it cost to replace a single debit or credit
card? How much does your bank expect to lose from the most
recent Target data breach--including losses for both card
replacement and for fraud?
A.2. After a breach of a third party affecting customer card
data, each bank makes its own decision as to when and whether
to reissue cards, which in the case of FirstBank costs on
average $5 per card.
In addition to replacing the actual card, banks incur a
number of other expenses associated with breaches of third
parties, including sending notices to customers, increasing
call center staffing, and monitoring for potential fraud. In
some instances, losses due to fraud from the breach of a third
party can occur many months after the breach occurred. Because
of the sheer magnitude of the Target breach, impacting on
average 10 percent of the retail customer base of every bank in
the country, many banks, including FirstBank, made the decision
to reissue cards to all customers that shopped at Target during
the period the company's point-of-sale system was compromised.
This swift action on the part of our and other banks should
serve to limit fraud losses due to the breach.
Q.3. What recourse is available to community banks such as
yours for these breaches? How much do you typically recoup from
these breaches? Is 5 to 10 cents on the dollar a fairly good
estimate?
A.3. After a bank has reimbursed a customer for a fraudulent
transaction, it can then attempt to ``chargeback'' the retailer
where the transaction occurred. Unfortunately, and certainly in
my experience, the majority of these attempts are unsuccessful,
with the bank ultimately shouldering the vast majority of fraud
loss and other costs associated with the breach. In 2009,
according to the Federal Reserve Board, 62 percent of reported
debit card fraud losses were borne by banks, while 38 percent
were borne by merchants.
Five to 10 cents on the dollar is a good estimate of what a
community bank will typically recoup from the breach of a third
party. And this reimbursement generally occurs often well after
these banks have made customers whole. This minor level of
reimbursement, when taken in concert with the fact that banks
bear over 60 percent of reported fraud losses yet have
accounted for less than 8 percent of reported breaches since
2005 is clearly inequitable.
Q.4. Are smaller banks more negatively and unfairly impacted in
these payments? I am sure that, because this recourse is
determined by contracts drafted by PCI and others, the larger
banks might expect to get more back but the smaller banks often
see nothing returned.
A.4. The experience of ABA members is that banks of all sizes
are uniformly negatively and unfairly impacted by these
payments. Large and small banks alike receive pennies for each
dollar of fraud losses and other costs that were incurred by
banks in protecting their customers.
Q.5. I also understand that there are a number of smaller,
lower-profile breaches, and in those, in most instances, a
community bank can expect to receive nothing back. Correct?
A.5. In the case of smaller, lower-profile breaches, unless
enough information is known about the time period associated
with the breach and the specific cards that were compromised,
it may be difficult to attribute individual transactions a
customer deemed unauthorized to that breach. In those instances
the experience of both small and large banks is that very
little, if any reimbursement for fraud losses and other costs
will occur.
------
RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM MALLORY
DUNCAN
Q.1. What is the retailers' strategy to combat online fraud?
A.1. Online fraud may take many forms; some of these involve
payment card fraud. The payment cards in use in the United
States were designed for face-to-face transactions. The
authentication of the card is generally based on verifying the
numbers (and sometimes the codes) printed visibly on the card
or embedded in a magnetic stripe. Authentication of the
cardholder is premised on verifying the signature and
occasionally on some corroborating data. In an ideal face-to-
face transaction, the card is observed and the signed receipt
results in a perfect match for the signature on the card. This
is the customer authentication. In addition, the card's numbers
are transmitted to the issuing bank which supplies an approval
code to accomplish the former--the card authentication. If the
media involved in the transaction is saved for some months by
the retailer for use in subsequent retrieval requests, then the
merchant is promised a ``payment guarantee'' by the card
networks. All elements, including the contemporaneously signed
duplicate receipt containing identifying details and the
approval code indication must be present for payment to be
guaranteed.
U.S. cards were not designed for remote (``card not
present'') transactions. Card issuers are unwilling to allow
the transaction to be authenticated solely by the unobservable
card's number unless two conditions are met. First, the
interchange fee charged for the transaction is higher--
ostensibly to cover the greater risk of fraud. Second, the
merchant is essentially required to bear all risks of fraud--
i.e., there effectively is no payment guarantee.
In the early days of online sales, merchants with a tiny
online footprint--indeed many were literally one-store
sellers--were willing to accept these conditions on the
assumption that most purchasers were honest and that use of a
card was more efficient than was use of a check, as had been
common with mail order catalog sellers. As online sales grew
and become more mainstream, these requirements stuck. Thus
merchants generally bear virtually all of the risk of online
fraud. The transaction can be ``charged back'' to them and the
merchants will be out both the goods and the money.
Consequently, merchants have adopted numerous techniques to
reduce their exposure to, and to combat, online fraud. For
example, many merchants will not ship online orders to
nonphysical location addresses. This is because thieves often
use ``drop boxes'' where they can retrieve fraudulently
purchased merchandise without being readily observed. Thieves
are less likely to have fraudulently procured goods delivered
to their homes. Nevertheless, because some do, merchants' loss
prevention departments develop lists of names and physical
addresses that are known to receive fraudulent deliveries and
will not routinely ship to those locations as well. Merchants
may also monitor characteristics of online orders searching for
those that are indicative of fraud and respond accordingly. In
conjunction with card companies, merchants may request the
customer verification number (CVV) that is printed, rather than
embossed, on the payment card. This provides greater assurance
that the card used for the transaction was in the physical
possession of the individual placing the order, even if it does
not authenticate the customer to the merchant.
These and other techniques have allowed merchants to
restrain online fraud. If more fraud migrates to the 6 percent
of purchases that are now online, either more robust techniques
may be needed (e.g., computers with built-in chip readers;
open, competition-friendly tokenization technology; or new
mobile payment platforms) or merchants may need to more
stringently monitor, control and price the transactions in
which they will engage.
The development of payment platforms in which the loss of
fraud is more equitably shared by the proponents of the
platform would give all parties incentives to reduce online
fraud.
Q.2. It is already a requirement for merchants and banks to
move to chip technologies by 2015. Currently, less than 1
percent of U.S. retailers have chip-compatible point-of-sale
terminals. What percentage of retailers do you expect will
switch to chip-ready terminals by the end of next year?
A.2. It is not required that either banks or merchants move to
chip technologies by 2015. Rather, the card networks have said
they will abrogate their promise of a payment guarantee, and
not pay for fraud inherent in their system, if merchants do not
do so by that date. In short, the card networks have told
merchants to invest huge sums to correct problems with the card
networks' payment system, but have provided no equitable
sharing of the costs of that fix--only increased penalties for
not doing so.
There are approximately 15 million payment terminals in the
United States of which roughly 9 million are in retail
locations. Of these, approximately 18 percent are chip-ready.
Those merchants are hoping card networks will require, and
banks will begin issuing, fraud resistant PIN and Chip
authenticated credit and debit cards. Only one major bank has
suggested that it plans to do so. It will be difficult to
convince the remaining merchants to collectively invest tens of
billions of dollars to purchase and install new terminals if
most banks and credit unions continue issuing cards that do not
address obvious fraud flaws in the current system--i.e., if
they continue issuing signature authenticated cards. There is
considerable reluctance to spend hugeamounts of money to
accomplish a half-baked solution.
Policy makers could help by discouraging the continued
issuance of fraud prone cards.
Q.3. Why are NRF and other retail groups pushing for chip and
PIN and not tokenization?
A.3. Retailers are not opposed to tokenization. Like point-to-
point encryption, it is a potentially useful element in a more
secure payment card system. Successful nationwide deployment
would take years. Furthermore, in many models tokenization
occurs ``after the fact''--generally post authorization. Thus
some fraud risk remains. To deal with this point-to-point
encryption is preferred and would be complimentary to
tokenization. The former would occur between the card being
read and the assignment of a token. From the merchant's
perspective, tokenization involves significant operational
changes and could carry significant out-of-pocket costs.
Despite that, for the majority of transactions, tokenization
still may not address both ends of the security/authentication
equation as well as would PIN and Chip. It has greatest utility
in the 6 percent of transactions that currently do not occur
face-to-face. Consequently, while point-to-point encryption and
tokenization could be valuable adjuncts to PIN and Chip
authentication, they are not a substitute.
On the other hand, chip and PIN is relatively quickly
achievable, and indeed is already deployed successfully in
nearly all of the industrialized world (and much of the Third
World). Ideally, the United States would at least move to the
21st century standard before attempting to chase the next new
thing. Finally, the fact that 18 percent of U.S. retail point
of sale locations have already, at the card networks' urging,
invested billions of dollars to install PIN and Chip
authentication equipment is not an inconsequential
consideration.
Q.4. Could retailers voluntarily adopt tokenization?
A.4. To some extent we already have. Many retailers routinely
encrypt sensitive data at rest in their systems and take steps
to tokenize data in other locations on their own. For example
retailers print receipts with the credit and debit card in a
blocked format (i.e., xxx xxxx xxxx 4115). More elaborate forms
of encryption and tokenization would require coordinated
activity by all parties to the payment card system and several
years to fully deploy.
------
RESPONSE TO WRITTEN QUESTIONS OF SENATOR KIRK FROM TROY LEACH
Q.1. In your estimation, would chip and pin technology have
prevented the major recent retail breaches? If chip and pin is
not the silver bullet, what other options may work? What about
tokenization or encryption?
A.1. From the details emerging in the press,\1\ it does not
appear as though the use of EMV chip in and of itself,
regardless of whether it is used with or without PINs would
have prevented the recent major breaches. However, use of EMV
chip technology is likely to have reduced the value of the
compromised data as it would inhibit the creation of
counterfeit cards.
---------------------------------------------------------------------------
\1\See for example, http://krebsonsecurity.com/2014/02/email-
attack-on-vendor-set-up-breach-at-target/.
---------------------------------------------------------------------------
Tokenization and encryption are both important additional
technologies to further limit payment card data from being
stolen. As the market migrates payment terminals to support
deployment of EMV chip, the PCI Security Standards Council
(``the Council'') advocates for all involved to consider
additional layers of security for data protection through these
and other approaches. There are no silver bullets--one specific
technological approach will not address all security
challenges. The potential for a breach and damages caused by a
breach can be mitigated if the entity has preventative,
detective and incident response controls which employ a
combination of people, process and technology, like those
outlined in the PCI security standards. The PCI security
standards are a critical layer of defense in this battle
against cyber criminals.
Q.2. We've been told that retailers store some information to
make transactions, such as returns, easier. What information is
needed to process returns and for marketing purposes? Are
retailers required to store the 16-digit code and expiration
date to process returns? Why might retailers store credit card
information?
A.2. As a technical standards body, the Council does not have
insight into specific business processes of retailers or other
groups. We set our standards to be the framework that all
sectors of the payment chain can use to protect payment card
data. To the extent that a merchant chooses to store card data,
the PCI standards define how that data must be protected. This
question is best directed to the banking and credit card
companies that have contractual relationships with retailers.
That said, possible use cases might include loyalty, marketing
programs or legacy business processes.
To further minimize risk of payment card data exposure, the
Council advocates that retailers and others take advantage of
technologies and methods that help them reduce the amount of
payment card data vulnerable to compromise. Such approaches
include only storing the data that's needed; eliminating
unnecessary user access; limiting the number of systems and
networks used for payments; and deploying technologies such as
Point-to-Point Encryption (P2PE) and tokenization that protect
the data.
Q.3. Is the PIN technology that is widely touted a security
measure or used for other purposes? Do retailers really need
access to PINs?
A.3. The Personal Identification Number or PIN is used as a
security measure by means of authenticating the legitimacy of
the cardholder. Only cardholders themselves should have
knowledge of the PIN. It is one of a number of measures that
can be used to authenticate the legitimacy of the payment
transaction. The PIN is also universally used as a cardholder
authentication method for ATM transactions. PIN data should not
be used for other purposes.
However, PINs are extremely sensitive static data that can
be reused by criminals if stolen and requires special handling.
That is why PCI requirements in the PIN Transaction Security
(PTS) standards require that PINs be encrypted by an approved
POS terminal upon entry. When using a properly validated POS
terminal, merchants do not have access to non-encrypted PIN
data before a transaction is authorized. PTS requirements
prohibit the storage of PINs by merchants after authorization
of a transaction has been received by the acquiring bank. PINs
also require stronger encryption methods as well as physical
security to prevent shoulder surfing or pin hole cameras.
Q.4. Why would a retailer un-encrypt consumers' credit and
debit card data as it travels through their system? Is there
ever any reason that data should be unencrypted when it is
passed from the retailer to the processor?
A.4. The Council cannot speak to an individual retailers need
or decision to maintain unencrypted payment card data.
The Council recommends the use of point-to-point encryption
or P2PE technology, through its PCI P2PE standard and
supporting program. When implemented properly, current P2PE
technology solutions that are part of our program ensure that
payment card data is encrypted at the point of entry, such as a
secured POS terminal, and not decrypted until received into a
secured zone. The PCI Council is actively engaged with industry
stakeholders to continue developing encryption standards usable
for various types of merchant needs.
Q.5. Target was considered ``PCI compliant'' when it had its
annual audit September. It appears that a merchant or other
party can be PCI compliant and fall out of compliance the
minute auditors walk out the door. Is this, then, really the
best standard?
A.5. It is important to note that in order to remain compliant
with any security standard (SOX, HIPAA, PCI, etc.), merchants
must treat compliance efforts as ``business as usual'' rather
than as a once-per-year activity. If a merchant has been
validated as compliant, they generally only ``fall out'' of
compliance when choosing to implement insecure changes after
the auditor walks out the door. We encourage merchants to
allocate their resources to maintaining a secure posture year
round rather than focusing on being ``compliant'' once per
year.
Proper implementation and ongoing maintenance are critical
to protecting card data, as highlighted by the recently
released Verizon 2014 PCI Compliance Report.\2\ According to
Verizon they, ``continue to see many organizations viewing PCI
compliance as a single annual event, unaware that compliance
needs to have a 365 day-a-year focus.'' Organizations with
security controls in place as part of complying with PCI
security standards improve their chances both of avoiding a
breach in the first place, and of minimizing the resulting
damage if they are breached.
---------------------------------------------------------------------------
\2\ http://newscenter.verizon.com/corporate/news-articles/2014/02-
11-2014-pci-compliance-report/.
---------------------------------------------------------------------------
Organizations should focus on maintaining strong security
controls, day in and day out. The Council believes that
organizations following PCI Standards as the basis for their
security programs are best positioned to protect consumers'
payment card data. PCI security standards provide the baseline
of security controls for card data. Just like a lock is no good
if you forget to lock it, these controls are only effective if
they are implemented properly and as a part of an everyday,
ongoing business process.
To maintain the effectiveness of the standards, the Council
continues to develop and evolve PCI security standards to be
responsive to emerging threats. We do this through our unique
global industry forum, taking feedback from retailers,
hoteliers, airlines, restaurants, banks, processors, technology
vendors and all those involved in the payment transaction chain
around the world.
For example, based on industry feedback, with the release
of version 3.0 of the PCI DSS and Payment Application-Data
Security Standard (PA-DSS, the standard that covers payment
applications) we made changes to address emerging threat areas
such as third party remote access, POS terminal tampering, and
vendor accountability. All updates are aimed at providing the
right balance of flexibility, rigor and consistency to help
organizations make payment security part of their business-as-
usual activity, not something centered on an annual assessment.
PCI security standards are developed to provide business
process that must be performed consistently on a daily basis.
Failing to commit to security as a regular practice of business
operation is not meeting the intent of PCI DSS requirements.
Q.6. I understand that PCI sets the security standard and does
not enforce compliance, but does do an annual audit for the
larger retailers. In your opinion, should there be additional
audits, oversight and precautions large retailers should be
held to in order to best protect consumers' data?
A.6. It's important to clarify the PCI Council's role here. The
Council does not mandate retailers' compliance with or auditing
against any of the PCI standards. Additionally, the Council
itself does not conduct an annual audit for large retailers or
any type of audits for any organization. The Council's role is
to develop and manage the PCI DSS and other standards.
Frequency of assessment of an organization is determined
between a merchant and its acquiring bank or payment card brand
business partner.
To best protect consumers' payment card information, the
Council recommends retailers deploy and maintain the controls
outlined in the PCI DSS, which is a strong foundation for a
multi-layered security program. Additional layers of security
at the merchant level might include deployment of Point-to-
Point Encryption (P2PE) and tokenization solutions that would
devalue payment card data.
The Council also promotes the mantra ``if you don't need
it, don't store it'', encouraging organizations to examine
business process to reduce or eliminate storage of payment card
data.
To support implementation and maintenance of PCI security
controls the Council manages a number of programs and listings
of information on our public Website. In addition to standards,
Council programs include: Website listings of lab-tested secure
PIN and non-PIN POS terminals and other payment devices;
security of payment applications; testing and qualification of
assessors performing PCI DSS audits, training and qualifying
professionals to install payment equipment and software; and
many other programs focused on the integrity of payment systems
and third parties that merchants rely on to conduct business.
Q.7. Do you think that there should be a merchant ISAC formed?
A.7. Payment card security is a shared responsibility. The
Council encourages any information sharing and collaboration
that will drive greater awareness of risks, threats and
solutions, within industry sectors and across the payment chain
to help prevent future data breaches. From our own experience
the Council has found that global merchant input to PCI
security standards development through the lifecycle and
feedback process, PCI Special Interest Groups, task forces and
Board of Advisors participation continues to be highly
valuable.
Additional Material Supplied for the Record