[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
DATA SECURITY: VULNERABILITIES AND
OPPORTUNITIES FOR IMPROVEMENT
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON FINANCIAL INSTITUTIONS
AND CONSUMER CREDIT
OF THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
NOVEMBER 1, 2017
__________
Printed for the use of the Committee on Financial Services
Serial No. 115-52
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
__________
U.S. GOVERNMENT PUBLISHING OFFICE
30-771 PDF WASHINGTON : 2018
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
HOUSE COMMITTEE ON FINANCIAL SERVICES
JEB HENSARLING, Texas, Chairman
PATRICK T. McHENRY, North Carolina, MAXINE WATERS, California, Ranking
Vice Chairman Member
PETER T. KING, New York CAROLYN B. MALONEY, New York
EDWARD R. ROYCE, California NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma BRAD SHERMAN, California
STEVAN PEARCE, New Mexico GREGORY W. MEEKS, New York
BILL POSEY, Florida MICHAEL E. CAPUANO, Massachusetts
BLAINE LUETKEMEYER, Missouri WM. LACY CLAY, Missouri
BILL HUIZENGA, Michigan STEPHEN F. LYNCH, Massachusetts
SEAN P. DUFFY, Wisconsin DAVID SCOTT, Georgia
STEVE STIVERS, Ohio AL GREEN, Texas
RANDY HULTGREN, Illinois EMANUEL CLEAVER, Missouri
DENNIS A. ROSS, Florida GWEN MOORE, Wisconsin
ROBERT PITTENGER, North Carolina KEITH ELLISON, Minnesota
ANN WAGNER, Missouri ED PERLMUTTER, Colorado
ANDY BARR, Kentucky JAMES A. HIMES, Connecticut
KEITH J. ROTHFUS, Pennsylvania BILL FOSTER, Illinois
LUKE MESSER, Indiana DANIEL T. KILDEE, Michigan
SCOTT TIPTON, Colorado JOHN K. DELANEY, Maryland
ROGER WILLIAMS, Texas KYRSTEN SINEMA, Arizona
BRUCE POLIQUIN, Maine JOYCE BEATTY, Ohio
MIA LOVE, Utah DENNY HECK, Washington
FRENCH HILL, Arkansas JUAN VARGAS, California
TOM EMMER, Minnesota JOSH GOTTHEIMER, New Jersey
LEE M. ZELDIN, New York VICENTE GONZALEZ, Texas
DAVID A. TROTT, Michigan CHARLIE CRIST, Florida
BARRY LOUDERMILK, Georgia RUBEN KIHUEN, Nevada
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
TREY HOLLINGSWORTH, Indiana
Kirsten Sutton Mork, Staff Director
Subcommittee on Financial Institutions and Consumer Credit
BLAINE LUETKEMEYER, Missouri, Chairman
KEITH J. ROTHFUS, Pennsylvania, WM. LACY CLAY, Missouri, Ranking
Vice Chairman Member
EDWARD R. ROYCE, California CAROLYN B. MALONEY, New York
FRANK D. LUCAS, Oklahoma GREGORY W. MEEKS, New York
BILL POSEY, Florida DAVID SCOTT, Georgia
DENNIS A. ROSS, Florida NYDIA M. VELAZQUEZ, New York
ROBERT PITTENGER, North Carolina AL GREEN, Texas
ANDY BARR, Kentucky KEITH ELLISON, Minnesota
SCOTT TIPTON, Colorado MICHAEL E. CAPUANO, Massachusetts
ROGER WILLIAMS, Texas DENNY HECK, Washington
MIA LOVE, Utah GWEN MOORE, Wisconsin
DAVID A. TROTT, Michigan CHARLIE CRIST, Florida
BARRY LOUDERMILK, Georgia
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
C O N T E N T S
----------
Page
Hearing held on:
November 1, 2017............................................. 1
Appendix:
November 1, 2017............................................. 35
WITNESSES
Wednesday, November 1, 2017
Bentsen, Hon. Kenneth, Jr., President and Chief Executive
Officer, Securities Industry and Financial Markets Association. 3
Mennenoh, Daniel, ITP, NTP, President, H.B. Wilkinson Title
Company, on behalf of the American Land Title Association...... 5
Mierzwinski, Edmund, Consumer Program Director, U.S. Public
Interest Research Group........................................ 6
Schwartz, Debra, President and Chief Executive Officer, Mission
Federal Credit Union, on behalf of the National Association of
Federally-Insured Credit Unions................................ 8
APPENDIX
Prepared statements:
Bentsen, Hon. Kenneth, Jr.................................... 36
Mennenoh, Daniel............................................. 50
Mierzwinski, Edmund.......................................... 61
Schwartz, Debra.............................................. 78
Additional Material Submitted for the Record
Luetkemeyer, Hon. Blaine:
Written statement of the Food Marketing Institute............ 105
Written statement of the Independent Community Bankers of
America.................................................... 107
Written statement of the American Bankers Association, the
Consumer Bankers Association, the Credit Union National
Association, the Financial Services Roundtable, the
Independent Community Bankers of America, the National
Association of Federally-Insured Credit Unions, and the The
Clearing House............................................. 109
DATA SECURITY: VULNERABILITIES
AND OPPORTUNITIES FOR IMPROVEMENT
----------
Wednesday, November 1, 2017
U.S. House of Representatives,
Subcommittee on Financial Institutions
and Consumer Credit,
Committee on Financial Services,
Washington, D.C.
The subcommittee met, pursuant to notice, at 2:02 p.m., in
room 2128, Rayburn House Office Building, Hon. Blaine
Luetkemeyer [chairman of the subcommittee] presiding.
Present: Representatives Luetkemeyer, Rothfus, Royce,
Lucas, Ross, Pittenger, Barr, Tipton, Williams, Love, Trott,
Loudermilk, Kustoff, Tenney, Clay, Maloney, Scott, and Crist.
Chairman Luetkemeyer. The committee will come to order.
Without objection, the chair is authorized to declare a
recess of the committee at any time.
This hearing is entitled ``Data Security: Vulnerabilities
and Opportunities for Improvement.''
Before we begin, I would like to thank the witnesses for
appearing today. We appreciate your participation and look
forward to a productive discussion.
I now recognize myself for 3 minutes for purposes of
delivering an opening statement.
More than 15 million Americans were victims of cyber fraud
or identity theft last year. The number of those impacted in
2017 could be significantly more, depending on the damage
caused by the Equifax breach. While data security has been a
hot topic since that breach, Equifax isn't where the problem
started, and if we don't act, it isn't where the problem will
end.
Year after year, consumers deal with compromised personally
identifiable information resulting from breaches in financial
companies, retailers, insurance providers, and even the Federal
Government. The list goes on and on.
This type of fraud can strike at any point, leaving no
consumer immune to its effects. Financial firms face attempted
breaches every single day, sometimes hundreds of attempts a
day. Each attack seems to be more dangerous and more advanced
than the last, and while the good guys have to be right every
time, the bad guys only have to be right once.
Data security has turned into a crisis, and the American
people deserve better. As in any crisis, every aspect of data
security should be examined. That includes having an honest
conversation about the regulatory regime governing these
breaches. The question is, does it adequately safeguard
consumer data? Does it provide flexibility for companies to
innovate, or do they spend too much time and energy trying to
comply with State and Federal requirements?
We need to discuss how data security liability is assessed
and which entity has a duty to report a breach to the public
and in what timeframe such a disclosure should be required. We
cannot tolerate a system that is unnecessarily complicated or
offers slow resolution for customers and consumers. We need to
instead work collaboratively to reduce red tape, create a more
prompt notification standard, and foster harmonization among
Federal and State agencies charged with data security
regulation.
Today's hearing offers an opportunity to look at data
security vulnerabilities through a wider lens. Our witnesses
represent a number of different industries that offer unique
perspectives and ideas on how to improve the system for the
most important people in this conversation: their customers and
our constituents.
While today's hearing does not focus on a specific bill, I
want to be clear that it is my intention to produce data
security reform legislation. This conversation and many others
our members have had and will continue to have with their
constituents will inform our actions and drive our policy.
I want to again thank our witnesses for being here today.
We look forward to your testimony.
The chair now recognizes the gentleman from Missouri, Mr.
Clay, the ranking member of the subcommittee, for 5 minutes for
an opening statement.
Mr. Clay. Thank you, Mr. Chairman. Thank you for holding
this hearing as well as all of the witnesses who are here
today. I will forego an opening statement in order to hear from
our witnesses. I yield back.
Chairman Luetkemeyer. The gentleman yields back.
With that, we go to the gentleman from Pennsylvania, the
vice chair of the subcommittee, Mr. Rothfus, for 2 minutes for
an opening statement.
Mr. Rothfus. Thank you, Mr. Chairman. I would like to thank
the chairman for holding today's hearing on data security. As
the recent Equifax data breach reminded us, cybercrime is a
constant and growing threat. But the Equifax incident, though
terrible and expansive as it was, was just the latest in a
string of major cybercrimes that have compromised our private
information and put us all at risk.
I am deeply concerned that bad actors, State-sponsored or
otherwise, continue to relentlessly target our financial
system, retailers, and the physical and digital infrastructure
that allow our society to function. Cybercrime is a national
security threat and a danger to our economy. It hurts millions
of Americans, and it undermines the trust needed to conduct
business in the 21st century.
This committee has an important role in helping to address
this growing threat. I am looking forward to hearing from our
witnesses about how we can improve our current system for
addressing and preventing cybercrime. Clearly, there is room
for improvement as we seek to ensure that firms take the steps
needed to protect private data, properly and promptly notify
law enforcement and customers, and quickly move to close
vulnerabilities and make victims whole.
Many of my constituents contacted my office after the
Equifax breach to seek help and express their frustrations.
Families, students, small business owners, and retirees are
concerned about what they are seeing and they want us to take
steps to protect them.
Again, I look forward to today's discussion, and I hope
that it can form the basis for bipartisan collaboration on this
important issue.
I yield back.
Chairman Luetkemeyer. The gentleman yields back.
With that, today, we welcome the testimony of the Honorable
Ken Bentsen, president and chief executive officer, Securities
Industry and Financial Markets Association; Mr. Daniel
Mennenoh, president, H.B. Wilkinson Title Company, on behalf of
the American Land Title Association; Ms. Debra Schwartz,
president and CEO, Mission Federally-Insured Credit Union, on
behalf of the National Association of Federal Credit Unions;
and Mr. Edmund Mierzwinski, consumer program director, U.S.
Public Interest Research Group.
Each of the witnesses will now be recognized for 5 minutes
to give an oral presentation of their testimony.
Without objection, each of your written statements will be
made part of the record.
Just a brief tutorial on the lighting system for those of
you who haven't been here before. Green means go. The yellow
light lights up, that means you have a minute to wrap up. Red
means that we need to stop and go on to the next question/
answer session.
With that, Mr. Bentsen, you are recognized for 5 minutes.
STATEMENT OF THE HONORABLE KENNETH BENTSEN, JR.
Mr. Bentsen. Thank you, Chairman Luetkemeyer and Ranking
Member Clay and members of the subcommittee, for giving me an
opportunity to testify today on the important topics of
cybersecurity and data protection.
SIFMA represents hundreds of banks, broker-dealers, and
asset managers who are dedicated to protecting their systems
and, more importantly, their clients' data from cyber attacks.
There is likely no greater threat to financial stability than a
large-scale cyber event. The financial services sector has
invested tremendous monetary and human resources to develop and
implement cyber defense and recovery mechanisms, and we welcome
the opportunity to discuss the progress we have made today.
Cybercrime is now a bigger criminal enterprise than the
global narcotics trade. While data breaches of customer
information dominate headlines and are rightfully a top
priority for policymakers in the industry, a major cyber attack
on critical financial market infrastructure or one that
destroys records or financial data are also risks with a
potentially far larger impact on the economy.
It is important to recognize that no single sector, not the
Federal Government nor any individual firm, has the resources
to protect markets from these threats on their own. It is
critical that we establish and maintain a robust partnership
between industry and government to mitigate cyber threats and
their impact. The industry's resiliency will not be fully
effective without the government's help and vice versa.
The answer cannot exclusively be more regulation. However,
over the past few years, regulators in the U.S. and around the
world have proposed or finalized over 30 new cyber rules
applicable to the financial services industry. While
regulations can help raise expectations and define strong
standards for market participants, the volume of regulations
has resulted in requirements which are sometimes duplicative
and conflicting. Some of our members are subject to as many as
13 different Federal regulatory mandates in addition to State
mandates.
Turning to the threat we collectively face, I would like to
highlight that every public and private sector institution
which holds sensitive information can and, indeed, will be a
target of malicious actors. Working with our members along with
our sister trade associations, SIFMA has identified a number of
best practices for protection of sensitive data in the
financial services sector. These practices draw on the
experience of our member firms and their own policies and
procedures as well as industry standards, such as the NIST
framework.
Data protection begins with firms taking a risk-based look
at the information they collect, and deciding if they have a
business or regulatory purpose that requires them to hold this
information. If sensitive information like a social security
number is not directly relevant and necessary, firms should
refrain from holding it. Once firms have collected sensitive
data, they should ensure that they have controls in place to
protect it while it is being used and stored. That includes
ensuring that access to sensitive data is restricted only to
authorized users who need it to perform their jobs. Firms
should also work to reduce the risk by destroying sensitive
data once it is no longer needed.
As a highly regulated sector, our members also provide a
tremendous amount of sensitive information to regulators in
accord with their supervisory mandates, and given the ever-
increasing risks, our sector is engaged in an important dialog
with our government partners to ensure and enhance protections
across the board.
I would also like to spend a minute or so to focus on one
particular important data protection challenge currently on the
minds of many. As the Securities and Exchange Commission and
the SROs move forward with the development of a Consolidated
Audit Trail, it is critical that the CAT not introduce new data
protection risk. Once complete, the CAT will be the world's
largest data repository for securities transactions and one of
the largest databases of any type. Each day, the system will
ingest 58 billion records and maintain the data on over 100
million customer accounts.
The current plan raises serious concerns around data
protection and the ability to confidently secure the critical
information it will contain. The CAT design requires firms to
provide a significant amount of sensitive customer information,
including names, social security numbers, and addresses. All
this information will be held in a single database, creating a
high-value target and bad actors will undoubtedly try to find
the weakest link to gain access.
While this concern existed well before the recent breaches
at Equifax or EDGAR, many stakeholders have grown even more
skeptical that the CAT, as currently designed, will be able to
protect the massive amount of sensitive PII it will contain.
Importantly, just as the industry should and does consider
whether sensitive information needs to be collected and
retained for a particular purpose, so too does the case need to
be made that PII is required to be collected and reside in the
CAT for effective surveillance by more than 3,000 users among
22 different SROs in the SEC.
Along this line, we would urge Congress to consider among
other possible actions amending the Market Data Protection Act
to ensure the SROs who designed and built the CAT have
appropriate risk controls in place before the CAT goes live.
In conclusion, effective cybersecurity will be in a state
of discussion and improvement for years to come. That security
is a combination of activities that relies on strong defenses,
information sharing, mitigation, and recovery planning. It can
only be accomplished through constructive dialog and engagement
among the private sector, policymakers, and regulators. Much
work has been done, but as my written testimony lays out, there
is much more work to do. SIFMA's members stand ready to do
their part, and I look forward to answering your questions.
[The prepared statement of Mr. Bentsen can be found on page
36 of the appendix.]
Chairman Luetkemeyer. Thank you, Mr. Bentsen.
Mr. Mennenoh, you are recognized for 5 minutes.
STATEMENT OF DANIEL MENNENOH
Mr. Mennenoh. Thank you.
Chairman Luetkemeyer, Ranking Member Clay, and members of
the subcommittee, I appreciate the opportunity to discuss one
of the largest financial threats facing consumers, title
companies, and our real estate system. My wife and I own H.B.
Wilkinson Title Company in Galena, Illinois. We bought the
company from my dad 20 years ago. We have 28 employees, with
offices in seven counties. We close about 70 real estate
transactions a month. Though we are a small business, by title
industry standards, we are a big company.
One of my favorite opportunities as president of ALTA was
traveling the country to hear what was happening in local
markets. The largest concerns I heard from title agents were on
data security and the growing threat of criminals trying to
steal our customers' money. Even my small company in Galena
sees a couple of phishing attempts every week. Those attempts
are often sent to multiple email addresses.
Earlier this year, the FBI reported a 480 percent increase
in criminals attempting to steal consumers' funds, and it is
easy to see why. The average successful bank robber's haul is
$3,816. The average successful wire fraud loss is $129,427.
This is a much better return for a much less expensive and
dangerous crime to commit. Overall, these scams have cost
Americans $5.3 billion.
Home buyers are the most common targets. Criminals gain
access to the buyer's, seller's, or real estate professional's
email account. They monitor traffic looking for a deal. Their
goal is to convince the buyer to send their earnest money or
downpayment to the criminal. Bloomberg reports that criminals
can obtain verified email accounts, passwords, and security
questions on the dark web for as little as $10.
In Texas, I heard about a woman who saved nearly $25,000
for the downpayment on her first house. Prior to the lender
finalizing the closing disclosure, the woman's email was
hacked. Using information from her email, the criminal
impersonated the title agency, used the closer's name, and
instructed her to send the $25,000 using fraudulent wire
instructions. Believing it was the title agency, she followed
the instructions and wired the funds to the criminal's account.
The home purchase fell through. The money was gone. The woman
lost her life savings. This is a heartbreaking story, and it
happens often. Title companies in each of your communities have
stories just like these.
Consumer losses due to a data breach pale in comparison to
the loss of consumers' downpayment or earnest money deposit. I
wish there was a silver bullet to protect our customers, but
there is not. As an industry, we have improved our digital
hygiene and have taken an array of steps to combat this fraud.
This includes using secured email communications, verifying
instructions with buyers using known phone numbers, and asking
banks to match both the recipient's account number and payee
information when we send wires. We issue warnings to our
customers on websites and at the bottom of every email.
What is so frustrating is there is no amount of money we
can spend to protect our customers from being targeted by these
criminals. Two years ago, we were the target, as title
settlement agents. Now they are targeting our customers even
before we get involved in the transaction, because we are at
the end of the process.
We believe we should focus on two key areas to stop these
crimes. First, we need to increase awareness of these crimes
for buyers, sellers, and the public. We need to get anyone
involved in the real estate deal, real estate agents, banks,
policymakers, consumer groups, title insurers, settlement
agents and real estate attorneys, to help educate our customers
about how to protect themselves. Think about movers. Think
about surveyors, home inspectors. They are all part of the
process.
Second, financial institutions should match not only the
account number, but also the payee's name. This simple
authentication step can be the single biggest deterrent. We
also need to better use both suspicious activity reports and
IC3 data to detect trends. Even if more information does not
lead to prosecutions of these criminals, it can help banks
decide to place holds on the account to prevent the criminal
from withdrawing funds.
ALTA is eager to serve as a resource to the subcommittee,
and I am happy to answer any questions. Thank you.
[The prepared statement of Mr. Mennenoh can be found on
page 50 of the appendix.]
Chairman Luetkemeyer. Thank you, Mr. Mennenoh.
Mr. Mierzwinski, you are recognized for 5 minutes.
STATEMENT OF EDMUND MIERZWINSKI
Mr. Mierzwinski. Thank you, Chairman Luetkemeyer, members
of the committee.
Last week, you held a minority day hearing on Equifax. I
could talk about Equifax for my entire 5 minutes, but I think
the State enforcement officials and the consumer advocates who
spoke last week, I would simply like to associate my remarks
with theirs last week on Equifax specifically. But I do want to
continue to talk a little bit about how Equifax fits into the
larger big data universe.
First of all, to be clear, Equifax had one of the worst
breaches ever. They lost our consumer DNA through a pretty
amazing failure to protect it, and then they did a really bad
job of notifying us and telling us what was going to happen
after that. But what people don't understand, a lot of people
may not know, Equifax is in the highly regulated business,
credit reporting, part of the time, but all of the time Equifax
is a data broker. There are thousands of underregulated and
unregulated data brokers out there.
In my testimony, I represent the views of the Federal Trade
Commission which has said they need more authority over data
brokers. I encourage the committee to read their reports.
Going forward, people should understand that consumers have
no control over their information, particularly with the credit
bureaus. As was said often in many of the other hearings, we
are not their customers; we are their products. Mr. Cordray
refers to credit reporting as a dead-end market. You can change
your bank if you don't like it. You cannot change your credit
bureau. You cannot vote with your feet.
With the lack of control, it is very difficult for
consumers to do anything about misuse of their information. We
have very little authority to vote, to determine that companies
can't use our information, very limited under Gramm-Leach-
Bliley. In most cases, companies simply collect information
about us and sell it.
We worked on the credit freeze as a way to return some
control, starting about 20 years ago. The first credit freeze
law passed in California about 15 years ago. It was
revolutionary at the time, but what would make it more
revolutionary is if the committee were to adopt--and I believe
it has become a bipartisan issue--expand the availability of
the free credit freeze. It is the only way you can at least
exert some control over your consumer DNA. In addition, the
committee should look at Ranking Member Waters' comprehensive
bill to reform the credit bureaus themselves.
Third, I think the committee should look very closely at
the flaw in Gramm-Leach-Bliley where the Federal Trade
Commission has authority over data security that was not
transferred to the Consumer Bureau. Section 1093 should be
looked at. I think the Consumer Bureau, because it has the
ability to conduct examinations of credit bureaus, because it
has the ability to impose penalties for the first violation of
the law, not only after a company has violated a consent decree
in the FTC's case, and because it has rulemaking authority that
the FTC does not have. If you want to rein in the credit
bureaus, you have to give the Consumer Bureau more power over
them.
The final point that I want to make in my testimony, and I
make it extensively in my written testimony, is that the States
are privacy innovators. The States are privacy first
responders. The credit freeze, the data breach notification
laws, all were passed by the States when Congress looked on and
didn't do anything.
We strongly support protecting the right of the States, as
the two attorneys general offices testified last week. Going
forward, we cannot preempt stronger State laws with some narrow
Federal breach law that takes away States' rights not only to
do breach notification, but States' rights to conduct other
privacy examinations, and States' rights to strengthen the data
security of their citizenry.
I go into great detail on all of these matters in my
testimony. I look forward to your questions. Thank you.
[The prepared statement of Mr. Mierzwinski can be found on
page 61 of the appendix.]
Chairman Luetkemeyer. Thank you, Mr. Mierzwinski.
Ms. Schwartz, you are recognized for 5 minutes.
STATEMENT OF DEBRA SCHWARTZ
Ms. Schwartz. Chairman Luetkemeyer, Ranking Member Clay,
and members of the--
Chairman Luetkemeyer. Please turn on your microphone.
Ms. Schwartz. It should be on.
Chairman Luetkemeyer. Bring it closer to you then. There
you go.
Ms. Schwartz. OK, thank you.
Chairman Luetkemeyer, Ranking Member Clay, and members of
the subcommittee, thank you for the invitation to appear before
you this afternoon. My name is Debra Schwartz, and I am
testifying today on behalf of NAFCU. I currently serve as
president and CEO of Mission Federal Credit Union, Mission Fed,
headquartered in San Diego, California, and also serve on
NAFCU's board of directors as treasurer.
Data security needs to be everyone's responsibility. More
can and must be done to protect consumers on this important
issue. NAFCU has long supported comprehensive data security
measures to protect consumers' sensitive data. Credit unions
and other depository institutions already protect data,
consistent with the provisions of 1999's Gramm-Leach-Bliley
Act, GLBA.
Unfortunately, there is no similar regulatory structure for
other entities that may handle sensitive personal and financial
data. Although credit bureaus are considered financial
institutions under GLBA, they do not have the same regulatory
oversight as credit unions and other depository institutions.
GLBA and its implementing regulations have successfully
limited data breaches among depository institutions. This
standard, outlined in my written testimony, has a proven track
record of success and should be recognized in any future
requirements. Gramm-Leach-Bliley requires financial
institutions to address the risks presented by the complexity
and scope of their business. This allows flexibility and
ensures the regulatory framework is workable for the largest
and smallest financial institutions. GLBA is an example of how
scalability is possible for varying size businesses.
A data security breach can have a big impact on consumers,
from waiting for new cards to be issued to updating all
accounts connected with a compromised card. Breaches can also
result in fraud losses, damaged credit ratings, and even
identity theft. As the Equifax breach has demonstrated, data
security breaches are not just a retailer problem, but occur
across many industries. This highlights the need for a
comprehensive national data security standard to protect data,
akin to what is already in place for depository institutions
under GLBA.
A recent survey of NAFCU members found that respondents
were alerted to potential merchant breaches an average of 189
times in 2016. Over 40 percent of the respondents said that
they saw an increase in these alerts from 2015. At Mission Fed,
we have received over 1,400 separate alerts of merchant data
breaches since 2013.
When credit unions are alerted to breaches, they take
action to respond and protect their members. These actions have
costs, such as card reissuance, fraud losses, and account
monitoring. Ultimately, this takes away from providing other
services to members. Unfortunately, credit unions rarely see
any reimbursement for these costs. Even when there are
recoupment opportunities, such as settlements, it is usually
only pennies on the dollar, in terms of the real cost and
losses incurred.
Recognizing that finding a legislative solution is a
complex issue, NAFCU has established a set of guiding
principles we would like to see in data security legislation,
including: reimbursement of all costs by the breached entity;
national standards for safekeeping of information; breach
notifications to financial institutions; disclosure of breached
entity to consumers; and enforcement of data retention
prohibitions. I outline all of our principles in detail in my
written testimony.
The time has come for Congress to enact a national standard
on data protection for consumers' personal financial
information. Additionally, credit bureaus, such as Equifax,
should be subjected to examinations for compliance to data
security standards, just as depository institutions already
are. Consumers whose personal and financial data has been
compromised have a right to be notified in a timely manner.
NAFCU believes that the best legislative solution so far on
this issue of data security is the bipartisan legislation that
was introduced in the 114th Congress, H.R. 2205, the Data
Security Act of 2015, which would have set a national data
security standard that recognized those who already have one
under the GLBA. We were pleased to see this bill get bipartisan
support in this committee in the last Congress.
Finally, as the committee is aware, data security is in the
jurisdiction of several congressional committees. We appreciate
the Financial Services Committee taking the lead to work with
leaders in other committees to craft a bipartisan package that
can enact a robust national data security standard into law.
In conclusion, data security is a top challenge facing the
credit union industry today. Protecting the payment system is
the responsibility of all parties involved. It is time to level
the playing field, establish a national data security standard
for all who handle financial and sensitive personal data. This
includes consumers and impacted parties receiving timely
notification of data breaches.
The standards for depository institutions under GLBA should
be the model. NAFCU stands ready to work with you. Thank you
for the opportunity to appear before you today. I welcome any
questions you may have.
[The prepared statement of Ms. Schwartz can be found on
page 78 of the appendix.]
Chairman Luetkemeyer. Thank you, Ms. Schwartz. I appreciate
your testimony and all of the witnesses today.
We will now begin the question-and-answer period of our
hearing, and the chair recognizes himself for 5 minutes.
Mr. Bentsen, you in your testimony talked about
harmonization of State and Federal data security regulations.
You even mentioned global standards. Where in this do you think
this committee has a role to be able to help the situation the
way it is right now?
Mr. Bentsen. Thank you for the question, Mr. Chairman. It
is a problem where the industry and the government are all
trying to get to the same place. There is very little
disagreement on that, and we believe it is very much a two-way
street.
We have a multifaceted regulatory structure for financial
institutions, including both a Federal and State regulatory
structure, and self-regulatory organizations, and we have many
global institutions from the U.S. that operate in multiple
jurisdictions. We need to find a way where regulators can come
together, in terms of the type of guidance they are doing, the
examinations, the supervision process that they want to do, to
work around the same framework. Even in the U.S., U.S.
regulators are not all using the NIST framework, which we think
is the best framework for developing cyber resiliency.
I think this committee can play a role with your oversight
function of the agencies to start, and the SROs, where you have
some indirect jurisdiction, to try and bring them together. To
be fair, we have spent time with all of our regulators, brought
them all together and said: We understand your individual
mandates, but cyber and cyber protection is really a top-of-
the-house-down program within all institutions.
There has to be a better way to do this, so we don't have a
situation where members are spending almost as much time on
regulatory compliance as they are on cyber defense.
Chairman Luetkemeyer. OK. With regards to the NIST
standards, do you believe that they are adequate at this time
and, if not, what concerns do you have, and in particular, with
regards to notification? I am very concerned about
notification. It doesn't seem like we have either some
standards in place or they are not being adhered to. Can you
elaborate a little bit on that?
Mr. Bentsen. We think the NIST framework is the appropriate
framework. It has been updated recently by NIST. We think it
provides sufficient flexibility to the industry. We have mapped
it out for our industry, and the capital markets and asset
management business and other sectors are using it as well.
In terms of notification, this is an important issue. I
think everyone agrees that there does need to be timely
notification. But I think we also have to be careful in setting
deadlines that can be artificial, and we have to determine what
the materiality is. We have to determine--in many cases, you
can have a cyber event going on and you are in the process of
trying to figure out how deep it is, what the impact of it is,
if you have to do a forensic audit, if you have to call in the
FBI, if it involves--whoever the perpetrator is, and to also be
up against a deadline of having to notify before you know what
is really going on adds additional risk factors.
It is an important issue. As you know, Chairman Clayton of
the SEC has raised this issue under the jurisdiction of this
committee. I think it is something that, you all and the
agencies are going to be spending a lot of time on.
Chairman Luetkemeyer. Thank you.
Ms. Schwartz, you were talking about the GLBA quite a bit.
Do you believe that it is still adequate, or do you see some
things that need to be changed in it or amended or added to, or
what do you think?
Ms. Schwartz. GLBA has been around since 1999, and it has
been dynamic, scalable, and flexible. The nice thing about it
is it works for institutions, whether you are a $10 million
credit union or a multibillion dollar credit union. I think it
provides an excellent model to be considered, because of those
factors.
Chairman Luetkemeyer. OK. With regards to notification,
there is not a whole lot in Gramm-Leach-Bliley with regards to
notification. Can you expound on what your position would be
with regards to where we need to go with this? Do we need to
put some guidelines in place or leave it alone or--Mr. Bentsen
just indicated there are a lot of problems with how you go
about that, but is there a way we can get through this and find
a middle ground here?
Ms. Schwartz. Notification is key. We found out about the
Equifax breach probably the same time you did, when we read
about it in the Wall Street Journal. We subscribe through
Mastercard, who is our credit card partner, and receive ADC
notifications from them. We have received 1,400 separate breach
notifications since 2013. The faster we are notified, the
faster we can work to protect our members, by putting warnings
on their account, by reissuing cards. It is absolutely critical
that we get notification as soon as possible.
Chairman Luetkemeyer. I have just a few seconds left.
Mr. Bentsen, you mentioned the Consolidated Audit Trail and
the compounding of all information in there. Do you think that
is really a good idea?
Mr. Bentsen. Well--
Chairman Luetkemeyer. Very quickly. My time is up.
Mr. Bentsen. Yes, the concept behind Consolidated Audit
Trail is we think an appropriate concept. But we don't know
that the question has been answered that you have to have all
this personal information as part of the Consolidated Audit
Trail in one place. We have no assurance from the builders and
the contractor that they can protect it.
Chairman Luetkemeyer. OK, thank you. My time has expired.
With that, we go to the gentleman from Missouri, another
gentleman from Missouri, the ranking member. Mr. Clay, you are
recognized for 5 minutes.
Mr. Clay. Thank you, Mr. Chairman.
This question is for the entire panel, so we would start
with Mr. Bentsen and go down the line. Good to see you again,
Mr. Bentsen.
Equifax learned of the data breach on July 29th, 2 days
after it filed its quarterly report with the SEC. However, it
was not until 6 weeks later, on September 7, that Equifax
notified the public of the breach through a statement filed
with the SEC.
Now, in your view, what duties do public financial services
companies owe consumers to provide timely notice of significant
cybersecurity incidents? Do you believe that disclosure 6 weeks
after a material event is timely? Could you elaborate whether
this extended period with the Equifax incident, from when the
company learned of it to when the public was made aware of it,
may have violated some State breach notification laws,
particularly given that some States require immediate
notification and most States require notification within the
most expedient time possible without reasonable delay?
I will start with Mr. Bentsen and would like for each
panelist to try to answer some of those questions.
Mr. Bentsen. Thank you, Mr. Clay, and good to see you again
as well.
First of all, Equifax is not a member of ours. We don't
represent the credit bureaus. Most of what I know about the
Equifax issue is what I have read in the press. I can't really
comment on what they did, whether it is appropriate or not, and
I am sure the appropriate regulators are looking at the issue
as it is.
Again, I think there is a question of materiality. There is
a question of your risk factors, when there has been a breach
and if the person who is breaching is still there and who it is
and how you are dealing with it. There is no question that
there should be an effort to notify the affected parties, your
clients in this case, as soon as it is practical that you can
do so, weighing all those other factors.
As it relates to Equifax they are not a member. I am not
familiar with the facts of that case.
Mr. Clay. Sure. But you are saying they did have a duty to
inform the public.
Mr. Bentsen. I think if it is a material issue, there are a
number of requirements, both in terms of public company
requirements and State--and I can't speak to all the States; Ed
probably can--of what they have to comply with.
Mr. Clay. Mr. Mennenoh.
Mr. Mennenoh. Thank you, sir.
Yes, I certainly would agree that consumers need to be
notified promptly. Certainly from our perspective, when we have
circumstances where consumer funds have been taken, we take
immediate action to try to recover those funds. But with wire
transfers, oftentimes, it is a case where if you don't address
it within 24 hours, it is pretty difficult to get those funds
back.
Mr. Clay. 6 weeks was, in your opinion, quite a bit of time
expired?
Mr. Mennenoh. For our purposes, the money is gone.
Chairman Luetkemeyer. Mr. Mierzwinski.
Mr. Mierzwinski. Mr. Clay, I totally agree. You made a lot
of the points in your opening remark here. Equifax probably
violated the strongest State laws on immediate notification. It
probably violated a number of State laws on attorney general
notification. Massachusetts has already sued Equifax. Other
State attorneys general have a multiState investigation going
on right now. I think you will see additional litigation
against the company. You will see private lawsuits as well. But
they failed. They epically failed, and a lot more needs to be
done.
Mr. Clay. Thank you.
Ms. Schwartz.
Ms. Schwartz. Six weeks is clearly too long. I think, in
additional to notifying consumers, notifying financial
institutions is also critical. We are in a position where we
can really help to mitigate fraud. We can put warnings on
accounts; we can reissue cards. We can't do that if we are not
told. A lot of fraud can happen in 6 weeks.
Mr. Clay. Mr. Mierzwinski, in the event of a breach, what
information should be provided to consumers to ensure they are
fully informed of the rights and remedies available to them as
well as the steps that they consider taking to protect against
fraud, identity theft, and other crimes?
Mr. Mierzwinski. I think consumers need to hear everything
about their rights under Federal law and what the company is
going to do, and they don't need to hear about all the changing
kinds of results that Equifax provided them. You need to know
what your rights are. You need to learn how to put a fraud
alert. You need to learn how to put a credit freeze on. You
need to learn all of these things. You need to understand that
your Social Security number is the key to identity theft. They
lost that. It is much worse than any merchant breach.
Mr. Clay. Thank you.
My time is up.
Chairman Luetkemeyer. The gentleman's time has expired.
With that, we go to the gentleman from Texas. Mr. Williams
is recognized for 5 minutes.
Mr. Williams. Thank you, Mr. Chairman.
Thank all of you for being here today, and I appreciate
your testimony this afternoon on the important subject of data
security and how we can and must do better to protect private
information.
As a small business owner for 45 years, I recognize the
importance of protecting the information of my customers, and I
know firsthand the impact that cyber attacks can have on Main
Street America.
I am concerned by the increasing trend of breaches that has
occurred over the past few years, and I hope to learn from all
of you today how we can ensure that American consumers can rest
easy, knowing that their personal information is in good hands.
Mr. Bentsen, one of the things that I do worry about, not
just when it comes to the industry but in general, is an issue
with excessive regulations. When President Trump was elected,
he pledged to fight against expanding the regulatory regime. I
agree with his goals on that regard. One of the fears I have,
which you also mentioned in your testimony, is that Congress
creates regulations which result, I quote, ``in requirements
which are sometimes overlapping, duplicative, and
conflicting.''
How can Congress create effective rules while avoiding the
problem of overburdensome regulations?
Mr. Bentsen. I think in the case of cyber protection,
including protection of sensitive data like PII, I think
Congress plays a very important oversight role with the
agencies that you set the authorization for, you fund, you set
the laws that they execute on.
In the case of the financial services sector, where you can
have 5, and up to 13 different regulators, Congress can
definitely play a role in trying to get better coordination
among those regulators in how they are going to implement cyber
rules, cyber defense rules, guidance, or whatever it may be, as
well as on their examination process.
We have members who, again, they have up to 13 different
regulators before you get to the States. We have members who
are going through multiple examinations because they have a
bank, a broker-dealer, a futures commodities merchant. In many
cases, they will have the SEC, the CFTC, the OCC, the Fed
coming through, but that is before whoever their State
regulator may be or whoever their SRO may be.
If we can get some harmonization there, where we are all
trying to do the same thing, and with Congress' oversight
function working with those agencies, that could be very
helpful.
Mr. Williams. Thank you.
Mr. Mennenoh, this question is for you. I mentioned earlier
my background as a small business owner, and I am extremely
concerned with protecting the nonpublic personal information of
my customers. I am a car dealer.
In your testimony, you discuss how the American Land Title
Association, which represents many small businesses, has
developed a set of voluntary standards for its members to use
as part of their compliance programs. Can you expand on these
standards, and to what extent do your members cooperate with
law enforcement following a breach, and what steps would you
recognize to take immediately following a breach?
Mr. Mennenoh. Thank you. Yes, the standards that we put
out, the voluntary ALTA best practices, do address very
specifically how to protect data, how we should be addressing
that in quite a bit of detail. But the other side of it too is
that because we handle a lot of money for real estate
transactions, we also have to protect the money. We have very
high standards in terms of how we protect the money as the
transactions are taking place.
It is a process that we feel has raised the bar, if you
will. I believe many of our members are doing a very, very good
job of addressing this, but, as I mentioned in my testimony,
the biggest issue for us is the money at this point. The small
companies oftentimes use third-party data centers, that sort of
thing, that have high security standards for the data security,
but we have to make sure that we are protecting the money as
well. That is a big issue for us, and we address this very,
very aggressively.
Mr. Williams. Thank you.
Ms. Schwartz, one of the biggest issues in the wake of the
Equifax breach was their notification process to consumers. In
your testimony, you too acknowledge that Equifax failed in the
area of consumer notification. Additionally, you discuss the
need for timely notification of members after a breach has
taken place. In your words, you say that this is important to
manage an institution's reputation risk.
What kinds of notification standards should Congress
consider requiring, if any, and would such standards hamper the
efforts of law enforcement following a breach?
Ms. Schwartz. I think the most important thing is trying to
avoid the breaches in the first place. But absent that, timely
notification as soon as reasonably applicable. It is very
difficult to put a certain timeframe on it, because I think
there are issues, such as law enforcement actions, that could
possibly delay it. But as soon as possible, financial
institutions can do a lot to help mitigate any losses that
could happen. We can reissue cards. We can also notify our
members that their accounts have been compromised. We have a
pretty good track record of them opening up the emails that
they get from us.
The notification standards as they are right now can be
somewhat nebulous, particularly in California; I believe you
can just put something in the newspaper. It puts a lot of
pressure on the consumer to look up to see if it has been
compromised. There is a lot of room there for improvement.
Mr. Williams. Thank you for your testimony.
I yield back.
Chairman Luetkemeyer. The gentleman's time has expired.
With that, we go to the distinguished gentleman from
Georgia. Mr. Scott is recognized for 5 minutes.
Mr. Scott. Thank you very much. Mr. Chairman, this issue is
very important to all of the American people and all of us
Members here in Congress, but it is expressly important to me
because I am the representative from the great State of
Georgia, a State I love. This extraordinarily careless breach
that was allowed at Equifax is certainly very troublesome to
me. I am very concerned about that. I have a commitment to help
Equifax because I want to make sure that we can bring them out
of this standing tall, standing big, and be able to renew the
confidence of the American people. However, that is not going
to happen for any of them, but certainly for Equifax: 145
million people, and their Social Securities are out there in
the wind, their birth dates, all this vital information.
While I want to do that, we on this committee and Members
of Congress, can't do it without them. I don't know if you all
know this, but they refused--can you imagine that?--to come
before this Congress and speak. We cannot solve this problem,
you and I. I know many of you.
Mr. Bentsen, I know your great reputation.
Ms. Schwartz.
All of you. But neither you nor I can solve this problem if
the CEOs, the people that run Equifax, that run TransUnion and
these other companies are not willing to come and sit where you
are so that we can find that. We have to get the message to
these credit agencies that they have to get here in Congress,
partner with all of us. This is a huge issue. I just hope that
you all will convey that message to them.
Now, with the time remaining, I just want to--I look at
this as the American people look at it and want to get your
responses to this. If Americans can't trust their credit and
data, that it is going to be protected, let me ask you this,
Mr. Bentsen, Ms. Schwartz, any of you: Why would they want to
risk shopping online for their Christmas gifts? Can you see the
damage that this would do to our economy through that? Or if
Americans don't think that their local banks can keep their
personal account numbers protected, why would they want to risk
it by opening up a checking account?
In other words, the whole foundation of our fantastic and
yet complex financial system is registered in credit. If these
credit agencies, 145 million Americans, Mr. Bentsen, I ask you
and Ms. Schwartz, how many of these 145 million Americans do
you believe even have been informed that their data is out
floating and gone with the wind?
Mr. Bentsen. Mr. Scott, I don't know the answer to that
question, but certainly there has been a lot written about it,
and I have been on the website myself.
What I will say, I think you are absolutely correct that
there are two things that are very important. The confidence in
the system is incredibly important. In the industry at large--
we don't represent the credit bureaus, so I won't speak for
them. The industry at large has a responsibility to work to
maintain that confidence, and this industry does that day in
and day out. No. 1, it is through defense; and No. 2, it is
through recovery. We are taking efforts in both those areas,
including understanding what happens if you have a major attack
wiping out books and records. Can someone at the end of the day
go back and say: What was my balance of my retail brokerage
account yesterday? What was my balance in my checking account
yesterday?
These are the things we should be working on, which we are.
Mr. Scott. Ms. Schwartz, let me ask you, because I have
been concerned about Gramm-Leach-Bliley standards and the
applicability of them to large as well as the smaller, the
rural companies. I think you alluded to this in your testimony,
and I would like for you to clear that up.
Do you have confidence in that one size will fit all?
Particularly when you look at our economic system, it is so
diverse; it is so varied. To have the same standards for a big
mega bank operating around the world, for a mom-and-pop store
in my district in Stockbridge, Georgia? Are you saying that we
don't have to worry about that, that it is applicable?
Ms. Schwartz. No, I think your point is very well taken.
One size fits all is not the answer. But I will say that the
beauty of Gramm-Leach-Bliley is it is scalable, and it is
flexible. It has been around for more than 17 years and is
still helpful and provides a framework. I think a level playing
field is very important. Some minimum standards that anyone
along the payment system rails should follow I think is very
important.
Mr. Scott. Thank you.
Thank you for the little extra time there, Mr. Chairman. I
appreciate it.
Chairman Luetkemeyer. Thank you, Mr. Scott.
The gentleman's time has expired.
With that, we go to the gentleman from Michigan. Mr. Trott
is recognized for 5 minutes.
Mr. Trott. Thank you, Mr. Chairman.
I also want to thank the panel for their time this
afternoon.
Mr. Bentsen, I want to start with you. You talked in your
opening comments about the need for partnership between
industry and government to address this problem. I am just
curious what is the most significant barrier in your mind to
the creation of that partnership, and what does that
partnership look like? Is it just less, more reasonable
compliance, burdens, or what does the partnership look like,
and how do we accomplish it?
Mr. Bentsen. Congressman, thank you for that question. I
think our partnership with the government on the broad question
of cyber resiliency is quite good. I credit the Treasury
Department, Homeland Security, and the various agencies for
that. This is something where everybody is trying to row in the
same direction. Frankly, through a lot of industry exercises
and a lot of tabletop exercises with the government, and we
have learned a lot. They have learned a lot, I think. We have
learned a lot from them as well, and we want to keep doing
that. That has led to new initiatives on both sides, I believe.
Where I think things can break down is agencies operating
under their own individual mandate, which is established by law
and all of that. That is understandable, but it seems to us
that we can do a better job of coordinating among those various
agencies so there is more interchangeability between how firms
are complying with requirements. That is really the point.
Mr. Trott. Maybe 2 or 3 instead of 13 would be a good
start?
Mr. Bentsen. Or some substitution, yes.
Mr. Trott. Thanks so much.
Mr. Mennenoh, nice to see you again. We met up in Traverse
City at the Michigan Land Title Association. You were the
keynote speaker up there this summer.
Mr. Mennenoh. Yes, we did.
Mr. Trott. I hope you enjoyed your time in northern
Michigan.
Mr. Mennenoh. Absolutely.
Mr. Trott. You discussed wire fraud and what a huge problem
it is for the industry. It is a significant problem because,
unlike some of these issues, really there is no good solution.
Once it happens, the money is gone. Usually it is a lot of
money, as you said.
You discussed education, and it sounds like a good idea,
but I wanted to get your thoughts on--one thought I had was
maybe we put some kind of disclaimer or warning in the purchase
agreement, or maybe the realtor's listing agreement has some
kind of--or there is some form. But, that is probably not a
great solution, and I want to get your thoughts on it, because
you have a buyer who is excited to get their home. Maybe it is
their first home. They don't even understand what a title
agency does in the overall transaction, perhaps. Is the
education going to make a difference, or is it really the
financial institutions that have to be the solution in terms of
the wire fraud?
Mr. Mennenoh. Honestly, I think there is maybe a
combination of the two. Certainly the financial institutions,
if we can match the account name, the account owner to the
account number and the routing number on a wire transfer, that
would actually be a good deterrent.
But I also think the education component is very important
as well, in that all of the professions involved in real estate
can work together, send the same message. It has to be a
message that is being conveyed routinely, because, as you say,
people buy a house and they may not buy another house for
years. But providing that level of education from all of the
professions that are involved in this process would be very,
very helpful.
As I mentioned before, we are at the end of the process.
The parties that have first contact with the consumer can help
with that process as well. For example, in January, I, along
with the Board of Governors at ALTA, met with Director Cordray,
and we were asking for a consumer alert to be issued. The
Director's initial response was, how often does that really
happen? We were telling him stories about things that have, in
fact, happened.
We followed up again in April. Then it wasn't until June
that we actually had the CFPB issue a consumer alert. That is
all we wanted to have them do. It is a difficult process.
Mr. Trott. That is for sure. Thank you.
Ms. Schwartz, so my friend from Georgia was quite
articulate in how he described the ramifications to commerce,
e-commerce in this country, given the Equifax breach. I want to
ask a question with respect to Mission Federal. Can you say
with 100 percent confidence that you can build a firewall that
will protect your members' data?
Ms. Schwartz. I don't think anybody can say with 100
percent confidence, but I can tell you we have had 245,752
attacks on our system through September 30th, none of which
were successful.
Mr. Trott. That is extraordinary. But your answer, I was
hoping you would say that you couldn't say with 100 percent
confidence that you could protect the data, because I think
that is an accurate answer.
My concern is, when we talk about notification and we are
beating up Equifax for how poorly they handled that whole
process, to some extent, we were really in damage control at
that point. When we talk about a solution--and I am out of time
here--I wonder if really we need to focus on a solution that
changes the identification process that goes well beyond a
Social Security number and date of birth and really makes it
much more cumbersome for these cybercrimes to happen.
But I will yield back. Thank you for the additional time,
Chairman.
Chairman Luetkemeyer. The gentleman's time has expired.
With that, we go to the gentlelady from New York, Mrs.
Maloney. She is recognized for 5 minutes.
Mrs. Maloney. Thank you. I thank the chairman and ranking
member for calling this important hearing and take this
opportunity to welcome my former colleague and very good friend
Ken Bentsen. We miss you. I hope you will run for Congress
again. But, anyway, it is good to see you again.
My question to Mr. Bentsen and actually everybody on the
panel, as you know, last Congress, this committee considered a
data security bill that would have created a national standard
for data security and for breach notification procedures. I
supported that bill because it would have subjected many more
companies to the strong data security requirements that
financial institutions already have, subject to the safeguards
rule.
But we cannot ignore the fact that Equifax was already
subject to the safeguards rule, which is what the legislation
would have done, yet it still suffered a massive data breach
that affected a startling 145 million Americans. Not just today
but for the rest of their lives, they are in threat with their
security, their identification stolen, their Social Security
number.
My question to all of you is, in light of the Equifax
breach, do you believe the safeguards rule needs to be updated
at all to include things like encryption requirements and the
two examples of startling mismanagement by Equifax.
I know Ms. Schwartz was saying that you should have
training so that you would be looking for these breaches. But
in an unprecedented action, Equifax was notified by the
Homeland Security Department that you will be breached: You
will be breached in this way; take steps to protect your
customers.
Now, the other two companies took steps to protect their
customers. Equifax did not. No matter how many training
sessions you had, if someone tells you you are going to be
breached this way and you don't correct it, training is not
going to help you.
The other two companies, it is my understanding--because I
wrote them and they wrote me back and said they had these other
safeguards--they had a system that once you told their system
that there could be a breach in a certain way, the whole system
closed down until you corrected it. Should Equifax be required
to have the same updated system?
Also, Equifax had a system that was different from the best
practices that were put out by the safeguards rule. The best
practices said that every firm should have an IT manager who is
in charge of this, who is responsible. The other two firms had
an IT manager whose sole job was to protect their customers,
protect the system, make sure it is safe, but Equifax did not.
They had everybody reporting to a, quote, ``general manager,''
who had conflicting responsibilities, such as managing the
whole company, the general counsel, such as profits, such as
new technologies or whatever else he was looking at. He wasn't
focused on IT.
Should that best practices idea that has been put out there
be implemented in law so that people are following it? We have
to take steps to make sure that this happens. Or do you just
need to enforce the safeguards rule more?
I would like to really go first to my colleague Mr. Bentsen
and down the line. I know he has sponsored some data security
forums that I have been privileged to attend. I would just like
to hear your comments on what we need to do to protect this
information. I am astounded that they were notified by the
Homeland Security Department and they still couldn't figure out
how to correct a breach that they were told they were going to
get.
Mr. Bentsen. How you describe the situation with Equifax
would not be consistent with how the financial services
industry approaches the issue of cyber defense, preparedness,
and resiliency. And the industry is doing a lot on its own,
through its own self-directed principles, in adhering to the
NIST framework.
Furthermore, though, our regulators will regularly look and
see how we are complying with our cyber defenses and
resiliency. Our concern is doing it 13 times the same way, but
that is more of a process question.
That would not be acceptable within our industry.
Mrs. Maloney. Any other comments?
Ms. Schwartz. I think examination is an important part of
that. In the credit union industry, we receive regular
examinations. There is not a regulatory body that routinely
goes into any of the credit bureaus and ensures that they are
following those best practices.
We just completed a regulatory exam last Friday where they
asked us to have a backup firewall to our backup site. We have
a firewall, a backup firewall, a redundant site, and a backup
firewall for that. I don't believe that the credit bureaus are
subject to that same degree of scrutiny and examination.
Chairman Luetkemeyer. The gentlelady's time--
Mr. Mierzwinski. Could I make a brief comment?
Chairman Luetkemeyer. Very brief.
Mr. Mierzwinski. Very briefly, Congresswoman, the Equifax
mess is a mess, but the solution is examination authority. I
think it should go to the Consumer Bureau. They have all the
rest of the authority over Equifax, but everything they did was
wrong.
Chairman Luetkemeyer. OK. The gentlelady's time has
expired. We go to the gentleman from Colorado, Mr. Tipton,
recognized for 5 minutes.
Mr. Tipton. Thank you, Mr. Chairman, and thank the panel
for taking the time to be able to be here. I would like to
start with Mr. Bentsen, in your testimony you had noted that
approximately 40 percent of cybersecurity activities were
focused on compliance rather than security.
How is that impacting the ability to actually address what
I think people are concerned about, and that is actually having
real security?
Mr. Bentsen. That is what our member firms report to us, in
terms of having to deal with various compliance requirements,
exercises, and all. Again, our point is we understand the need
for this, but it is having to do it over and over and over
again when--and having to deploy those resources when they
could be deployed to frontline defense and resiliency and
recovery planning.
Second, I would point out, which is not in my testimony,
but industry statistics have found that there is actually a
shortage of cyberdefense personnel in the United States. This
is something where I think we ought to be careful how we are
deploying our resources. That we are not overtaxing when we
don't really need to. We can accomplish the same thing for
different regulators because of the way the industry approaches
the question.
Mr. Tipton. Well and you have spoken a lot to the
harmonization that needs to happen. Would this actually help in
terms of harmonizing some of the policies that are going
through the different agencies so you aren't filing duplicate
reports to the 13 different agencies to be able to address
that?
Mr. Bentsen. We think so. We are talking with our
regulators about that. Again, we are all trying to do the same
things. We can use the same nomenclature. We can try and adhere
to the same framework, which we think it ought to be the NIST
framework. If you were able to have a good exam with SEC, you
ought to have a good exam with FINRA, likewise with the OCC, or
whoever it may be.
Mr. Tipton. Yes. Ms. Schwartz, is that pretty much your
experience with the credit unions as well? Are you seeing
dollars for compliance as opposed to security?
Ms. Schwartz. It is absolutely true. But as a credit union,
we are in the trust business a little bit as well, well, a lot
as well, and our reputation is very, very important. Even
absent the regulations, absent the compliance requirements,
most of the things we would be doing anyway, because we would
absolutely lose our membership if they can't be 100 percent
confident that we are protecting their secure information,
their private information.
Mr. Tipton. Right. A lot of the concern really is about
having that real confidence within the system. I think,
probably everybody can agree there will be a tax, there will be
breaches that are going to take place.
Mr. Bentsen, through SIFMA, you have developed a program, I
think through your industry, the Quantum Dawn, to be able to
identify maybe some responses, to be able to rebuild those
databases.
What has been something that you have learned from that?
Mr. Bentsen. Congressman, the Quantum Dawn is a
industrywide exercise that we do biannually, and do simulate
major attacks on market infrastructure, different sectors of
the industry, with our government regulators looking over our
shoulder. From those we learn a number of things, including
better ways of information sharing, who you should call in the
Government, depending on what type of account. Testing our
playbooks and our recovery playbooks, for instance, of whether
markets should open or close if there is a major attack on an
infrastructure situation.
The industry finds this very valuable. Our regulators, I
think, find it very valuable. We have also done tabletop
exercises with our regulators and going through different
scenario planning. In those we have actually also come up with
things that neither us nor the Government necessarily had
thought about, and that has led to new initiatives that we
think improve our resiliency.
Mr. Tipton. Speaking to that, would you maybe speak a
little bit to the Sheltered Harbor?
Mr. Bentsen. The Sheltered Harbor is an initiative that
came out of what is known as the Hamilton Exercises, which is a
Treasury-led effort with the industry and the Government.
Sheltered Harbor is an industry-led effort that SIFMA as well
as the ABA, the FSR, the Clearinghouse, and a number of other
industry participants and vendors participate in. It is now
housed under the FS-ISAC.
The idea here is if there is a major attack on a banker,
broker, dealer, and all of their data is wiped out, and they
are not able to stand back up. Are you able to recreate end of
day balances from the day prior--and bring that up through a
vendor or another institution. It is done through establishing
a protocol that firms would adhere to. We are currently at
about 70 percent of the bank retail deposits participating in
the process, and about 50 percent--or 60 percent of broker
dealer retail accounts.
The idea is, again, to be able to go back through encrypted
offline protocol that then could be reestablished. Again, it
goes back to the question of confidence in the system in trying
to solve that. That came out of our exercises. We didn't have a
mechanism in place so now we are trying to create it.
Mr. Tipton. Great. Well thank you. My time has expired, Mr.
Chairman.
Chairman Luetkemeyer. The gentleman's time has expired.
With that, we go to the gentleman from Tennessee, Mr. Kustoff,
you are recognized for 5 minutes.
Mr. Kustoff. Thank you, Mr. Chairman. Thank you to the
witnesses for being here this afternoon. Mr. Mennenoh, if we
could, I know in your testimony you discussed the rapid
increase in criminal attempts, almost--I think you said almost
500 percent--480 percent.
Mr. Mennenoh. Yes.
Mr. Kustoff. To steal customers' closing funds. In response
to Mr. Trott, you talked about, in your testimony and in
relation to his questions, education of the consumer. Could you
also address, from a closer standpoint, a title company's
standpoint, what best practices a typical closer or title
company has implemented to protect customers' funds?
Mr. Mennenoh. Yes. Absolutely. First of all, we use
encrypted email when we communicate with our consumers. We also
have secure platforms where we can exchange information with
our customers on a transaction. In terms of actually protecting
the funds and what we do, our escrow trust accounts we have
many security measures in place to make sure that anything that
goes through there is watched very closely.
Most of our members do a three-way daily reconciliation of
the account. We are reconciling our account every single day to
make sure we see what activity is going through. We use
Positive Pay for our checks. When we have an outgoing wire, we
have a two-step authentication process. Once it reaches a
certain level, there is a three-step process. To make sure that
everything is being done, the wire instructions are correct, it
is going to the right place. We take a number of steps like
that to make sure that we are protecting the funds.
Mr. Kustoff. Some of the practices you have described, are
those recommended by the American Land Title Association?
Mr. Mennenoh. Those are included in the ALTA best
practices. Yes.
Mr. Kustoff. Do you have an opinion or would you have any
knowledge what percentage of ALTA members follow those best
practices?
Mr. Mennenoh. Honestly, I don't have a number for you. In
traveling around the country, I can tell you that a lot of our
members who are actively engaged in their State association or
national association have implemented the best practices. But I
don't have a number for you.
Mr. Kustoff. Again, I understand you don't have a number.
For those entities that maybe have not adopted those best
practices standards, would the issue be cost, that is my first
question. Can you elaborate on the difference between costs
associated with cybersecurity for a small company and for a
medium and large-sized company?
Mr. Mennenoh. Certainly. Yes. Cost is certainly an issue.
It is costly to implement these things, particularly for a
small company. Implementing these types of security measures is
a good example, for my company, the amount of fees that we pay
to our bank is in the tens of thousands of dollars per year to
implement these various procedures and protections that we have
in place just with the bank. It is a cost issue, and for small
companies that is a big problem. But many of our members who
are very responsible and want to do the right thing are very
inadvertent.
Mr. Kustoff. Thank you. Ms. Schwartz, if I could. The
collaborative efforts that have to be undertaken, if you will,
by the financial sector and by law enforcement is incredibly
important, I think we would all agree, in preventing and
mitigating the risk that these cyber attacks pose.
In the event of a cyber attack, how quickly would your
institution engage with law enforcement?
Ms. Schwartz. Happily, my institution has not been the
victim directly of a cyber attack. We have had--our members
have been the victim from data breaches that have happened at
the merchant level. We, would of course, cooperate fully should
that unfortunate event happen. But we have DDoS protection, and
we haven't had any direct attacks since 2015.
Mr. Kustoff. In those institutions, those members that
would have attacks, are there law enforcement agencies that
they typically go to, are they Federal, State, local? Who do
they reach out to first and how do they collaborate?
Ms. Schwartz. For our members, they would reach out to us,
to say, What should we do? We would put everything in place, we
could to protect them, whether it is the reissuance of cards,
putting notification of fraud alerts on their accounts, best
practices, webinars, telling them how they can put a freeze on
their account through the credit bureaus.
Typically, because we cover the losses, as a financial
institution, they are less concerned with reaching out,
frankly, to law enforcement because we have covered them from
those losses.
Mr. Kustoff. Thank you. My time is expired. Thank you, Mr.
Chairman.
Chairman Luetkemeyer. The gentleman's time has expired. Now
we go to the gentleman from Kentucky, chairman of the Monetary
Policy Subcommittee, Mr. Barr, recognized for 5 minutes.
Mr. Barr. Thank you, Mr. Chairman. Thank you for holding
this very important hearing. I hear very regularly from both
retailers and the merchant community back in Kentucky, in
addition to community financial institutions that serve
consumers in central and eastern Kentucky, about the problem of
data security, of course, the Equifax breach is a warning to us
all that this is a very large scope problem.
As we marked up the legislation last year to attempt to
address this problem, the Carney/Neugebauer legislation, we got
different competing stories from the various different actors
that would be affected by this. I kind of want to unpack all of
that discussion here.
A community bank in Kentucky has told me that they have
increased spending significantly over the last 18 months on
data security. Why? Because they have seen the number of
account take-overs triple. Meaning, scammers, through the use
of personally identifiable information and security questions
data try to gain access to an account by calling the bank and
asking for addresses to be changed and new debit cards to be
ordered. Et cetera.
These same community banks and credit unions tell me that
they are spending a whole lot of money dealing with the fraud
and reissuance of cards. What they talk about is the weakest
link in the data security system. My first question to Ms.
Schwartz is where do you view the weakest link to be?
Ms. Schwartz. In the payment market, they are absolutely
right. The weakest link is where the criminals are going to go,
and frankly, it is at the merchant level at this point. Mission
Fed spent over a million dollars in 2017 for data security.
Many of the merchants have little or no protocol in place for
things as simple as getting rid of old data or shredding or
virus protection. It doesn't have to cost a million dollars.
There is basic financial hygiene, if you will, that can be
implemented at a reasonable cost, no matter what your size.
Again, going back to Gramm-Leach-Bliley, as a scaleable and
flexible rule that does provide a nice framework for protecting
important consumer privacy data, financial data.
Mr. Barr. Now, what would you say, Ms. Schwartz, to the
kind of response from the merchant community that the breach
notification legislation that we voted for in the last Congress
would subject retailers to stringent bank-style security rules,
whereas, banks or credit unions would be subject only to
discretionary guidance?
Ms. Schwartz. I don't think it is discretionary for us. It
is our reputation. We are responsible, on the hook monetarily,
and we are very, very heavily regulated. I think H.R. 2205,
which I believe is what you are referring to, did a very nice
job at providing a level playing field, because again, if you
don't have the standards throughout the whole payment systems
infrastructure, the criminals are going to find the weakest
link.
Mr. Barr. Yes, I think, so community financial institutions
in my district also would say that Regulation E forces them to
pay when their customers are harmed, even though it is not
their fault, when it is the fault of some other party. That is
very understandable anxiety for those folks.
But let me just kind of continue to try to unpack this,
because the merchant community will say that small businesses
simply don't pose the same kind of risk because they are only
dealing with a small category of vulnerabilities, namely,
credit card information, not a range of other kinds of
sensitive information.
What would you say in response to that?
Ms. Schwartz. I would say in 2017 until the end of
September, at my credit union alone, we have had 14,500 cases
of reported fraud, costing us $1.7 million, money that could
have been better spent serving our members.
Again, basic financial hygiene of protecting sensitive
data, updating virus protection, does not seem like an
unreasonable standard for those merchants to have to follow in
return for having a good business practice, a good name.
Mr. Barr. Yes. I am very sympathetic to your point of view,
at the same time, I want to figure out a way forward,
especially with those small businesses that are pushing back.
Any help that you all can give us in terms of working with the
merchant community to come--to work through these issues would
be appreciated, because we clearly need a solution. I think all
parties, to their credit, have supported passage of some kind
of Federal data breach notification law to replace the existing
patchwork.
I have run out of time so I will yield back.
Chairman Luetkemeyer. The gentleman's time has expired.
With that, we go to the gentleman from Georgia, Mr. Loudermilk,
he is recognized for 5 minutes.
Mr. Loudermilk. Thank you, Mr. Chairman. I appreciate the
panel being here. This is--being in the IT arena for 30 years,
and 20 of that in the private sector, and prior to that being
in the intelligence community, security is something that has
been a grave concern of mine over the years, especially when I
have been in Congress. It is something that we are going to be
continually chasing.
One of the things that I emphasized on the businesses that
I served in the IT industry, most of them small, medium size
businesses, is it is impossible to protect yourself from a
hack, from an intruder. The idea is, you make yourself a harder
target than the other guy. That is sort of like the story of
the two Georgians who went hiking in Alaska, one of them took a
357-magnum, the other took a pair of tennis shoes because they
were afraid of bears. The guy with the gun said, you can't
outrun a bear, why are you taking those? He said, I don't have
to outrun the bear, I just have to outrun you.
That is really the idea that cybersecurity is making
yourself a harder target than the risk that you propose. The
other aspect of that is something that we held when I was in
the intelligence community when it came to security is that you
don't have to protect what you don't have. It deals with data
retention, which Ms. Schwartz indicated earlier, especially
with small businesses, is the amount of data that you are
keeping. If you don't need it, you need to destroy it, which
leads to an area that I have begun looking into.
I think that we, the Government, create a security issue
ourselves by the regulations that we impose upon, especially
the financial services industry, making these businesses obtain
and maintain information for long periods of time that they
really don't need.
Ms. Schwartz, can you opine in this? Is there data in
credit unions, and especially small banks, that we require you
to get that you wouldn't obtain, except for the Government is
telling you to keep it?
Ms. Schwartz. I am not going to argue with the fact that we
have to maintain and submit an awful lot of data to our
regulators. When we do a mortgage, in particular, there is more
and more data points that are being collected and provided.
That is absolutely true. It has exponentially increased over
the years as to how much we need to maintain, retain, and
provide.
Mr. Loudermilk. OK. Mr. Bentsen?
Mr. Bentsen. It is a very good question. A lot of data
collected and held for regulatory mandates and submitted to our
regulators is with no malintent, it was part of the process.
But as we moved into this age, it is really something that we
really need to think about. It is part of our principles as
well, do you need it in the first place? How long do you need
it? Who should have access to it? When you don't need it, how
do you get rid of it so you eliminate the target in that
response? That is my point with Consolidated Audit Trail, which
is something that was not designed to capture PII, but does in
the current design. It is designed to monitor market activity.
You are creating this massive database with a lot of sensitive
PII in there. The question needs to be asked, just like the
industry asks itself, do we need that to accomplish the
underlying goal?
Mr. Loudermilk. Exactly. Mr. Mennenoh?
Mr. Mennenoh. A very simple example is many, many years ago
the title industry was required by a regulation to collect
information for the issuance of 1099s on real estate
transactions. That means that we have to collect Social
Security numbers so that we are effectively the watch dog for
this, for the IRS, and this is something we have been forced
into doing and we have to maintain that to prove that we have
done what we are supposed to.
Mr. Loudermilk. I am also a member of the Science, Space
and Technology Committee, and we have been looking into
cybersecurity risks for 3 years I have been in Congress. I
asked the Inspector General, not long after the OPM data
breach, if you would rate the Federal Government's ability to
protect data, our cybersecurity preparedness, on a simply
elementary school rating system, what would you rate the
Federal Government? His answer was a D minus. He said, it was
only because of the minimal changes that were made in APM, I am
not giving it an F. But, yet, we are continually having to
provide to the Federal Government massive amounts of data on
your customers.
That is why I keep addressing this is--maybe one of the
theories we need to address that area of--the amount of data
that you are required to obtain and maintain.
One last question. I see I am running out of time, Mr.
Chairman, so I will yield back. Thank you.
Chairman Luetkemeyer. The gentleman yields back. With that,
we will go to the gentlelady from New York, Ms. Tenney, is
recognized for 5 minutes.
Ms. Tenney. Thank you, Mr. Chairman and thank you panel.
This is a complex issue, and actually, I am not sure who to
address these questions to. I was a former member of the New
York State Assembly, and as we--I don't think it was the wisest
move, our Governor decided to consolidate our insurance and
banking industries into one big institution, Government
institution, and then obligated many of our banks and our
institutions to provide data, much like Mr. Mennenoh was
talking about with the 1099 data for real estate closings.
I attended a cybersecurity event where a cybersecurity
expert said, the worst place to reserve your data is in a
Government entity. It is safer and better in banking
institutions and financial institutions. As Ms. Schwartz cited,
your reputation is on the line, and the incentive for you to
protect that and be competitive in the marketplace is certainly
much greater than Governments.
I know we are trying to get to the bottom of this. But
toward that end, and I will address this to Ms. Schwartz
initially. Can you tell us some way that we can help in
Congress to minimize your--the requirement that you come up
with data--extra data turned over to Government with
confidential information, with some other way that you can
protect it, and we can know with assurances that without that
data getting into the stream, how can we protect it in some
way?
Ms. Schwartz. I think much of the data is requested with
the best of intentions.
Ms. Tenney. Exactly. We know they are good intentions, but
getting hacked is certainly by somebody without good
intentions.
Ms. Schwartz. But we are very heavily regulated, very
heavily examined. Most of the data would be available at
examination time, without needing to be transmitted on a loan
by loan or account by account basis. Other than--
Ms. Tenney. You are suggesting that instead of turning the
data over, as is sometimes required by say New York State, it
would be sampling of data, as opposed to a full turnover of
data.
Ms. Schwartz. Or it could be a full turnover of data when
the examiners are onsite. They can look at any anything they
want while they are onsite without out having to electronically
transmit it.
Ms. Tenney. That sounds like a great option. I appreciate
it. Mr. Mennenoh or Mr. Bentsen, would you like to comment or--
Mr. Bentsen. I agree with that. A situation we have now is
about what is known as penetration testing, and this is
something that firms do to test their own defense system, and
they may do it with their own teams, or they may bring in an
outside vendor to do it. Certain regulators in the U.S. and
around the globe have wanted to create a mandate around using
third party vendors, and the industry has become concerned,
because in doing this you are kind of giving the keys to the
castle to an outside party.
Then in reporting to our regulators, if you have to report
the whole road map, you are handing the keys over, again, to an
outside party. We completely agree from the standpoint of, come
in, sit down, look at the data, we will walk you through it,
you can tell us what you don't like, or what you want us to
change, but let's be very careful about spreading that all over
the place, again, with the best of intent. Let's not create
targets unnecessarily.
Ms. Tenney. I appreciate that. Maybe you could comment--I
agree a hundred percent. I think that, obviously, Government is
well-intentioned, but it is unpredictable. The people in power
change, the people in positions change, and so you have--it
seems to me the data is just drifting across unsafe and
unsecure regions. But maybe you can comment on that as well,
Mr. Mennenoh.
Mr. Mennenoh. I would agree that it is--we are being asked
for information, certainly more frequently. Many States in our
industry are regulated, they do have audits and those things
that are being done. Certainly, an onsite audit of paper is a
lot easier to secure than a digital audit that is being sent
all over the place. It is troubling.
Ms. Tenney. Thank you very much. I appreciate your
testimony. I yield my time back. Thanks so much.
Chairman Luetkemeyer. The gentlelady yields back. We will
now go to the gentleman from California, Mr. Royce.
Mr. Royce. Chairman, thank you. Thank you very much. I
thank the panel here. I was looking through my notes, and every
2 years, like clockwork here, we hold a hearing and it follows
always a major breach in consumer data by a U.S. company. Here
we are again, and the massive Equifax breach exposed the
personal information of 150 million consumers. Before that we
had Anthem, we had Yahoo, we had Home Depot, and of course,
Target, and even the Federal Government's Office of Personnel
Management, as the Chairman of Homeland Security reminds me,
since his data was stolen.
These breaches have made the headlines, and then the
hearings follow, and then, of course, outside of Gramm-Leach-
Bliley, we have failed to pass legislation into law that puts
in place national standards for data protection and national
standards for breach notification. We have failed to do that on
our part here.
To be very clear, the Committee has acted, this Committee
has acted repeatedly. We have passed legislation over and over
again. But it is high time that we put any policy differences
aside and enact a law that serves the American people. I know
the chairman--I want you to know, Chairman, I stand ready to
work with you. I suspect you will be the author of the bill. To
do this, we have to convince our colleagues as we move it out
of committee, which certainly you will, to take this seriously
with respect to getting it over in the Senate, and then things
will become more complicated. But we have to convince the
Senators to move this legislation as well.
I would like to ask Ms. Schwartz a question. Community
financial institutions are often the face of data breach for
your customer, although not necessarily the cause. In your
testimony you cite a July 2017 NAFCU member survey. The
estimated cost of data breaches in 2016 was $400,000 per credit
union.
Credit unions in California have been very hard hit. The
target breach cost the Credit Union of Southern California
$35,000. The Home Depot breach costs Schools First Federal
Credit Union in my area, they are in Orange County, $700,000,
with a 65 percent increase in card fraud. Coast Hills Credit
Union watched $100,000 in fraud hit their system in 5 minutes
because of that same breach.
Do these numbers ring true for your credit union in San
Diego as well?
Ms. Schwartz. Sadly, absolutely. In 2017, we had 14,500
separate reported cases of fraud. It has cost my credit union
$1.7 million so far this year. The holiday season is typically
also a fraud season, so we expect to see more. Over $6 million
since 2003 in fraud losses.
Mr. Royce. Six million for your membership. How much
reimbursement of your costs is covered by contracts with
vendors and payments networks?
Ms. Schwartz. Pennies on the dollar. The fraud losses I
mentioned are simply the hard costs. There is also staff costs.
The cost of us implementing security measures. The cost of
educating our members, educating our employees. There is both
the hard dollar costs and the soft costs. The remuneration is
minimal.
Mr. Royce. Do you think there is a better way to allocate
financial responsibility for breaches in order to incentivize
companies to better secure data?
Ms. Schwartz. Absolutely. We very much support a level
playing field. H.R. 2205, which was introduced in the 114th
Congress, provided that, Gramm-Leach-Bliley is a dynamic,
scaleable, flexible tool that should apply to largest and
smallest. It applies to small credit unions, it could apply to
small merchants.
Mr. Royce. Let me get a quick question in here for Ken, if
I could. As I mentioned in my opening, failures in
cybersecurity systems have occurred in the private sector and
in the Government--within the Government. Representing an
industry that shares an enormous amount of sensitive customer
data with regulators and other agencies, do you feel the
Government is doing enough to shore-up its own systems to
protect against cyber attacks?
Mr. Bentsen. Thank you for the question, Congressman. This
is an ever growing threat. I think the Government increasingly
understands that, and we are engaged in dialog with our
regulators about how we protect the data when we hold it, and
the best practices that we use. The Treasury has been leading
an effort to look at how they protect the data that they
collect. This is an emerging issue that I think has gotten the
spotlight with everything going on.
Mr. Royce. Thank you. Thank you, Mr. Chairman.
Chairman Luetkemeyer. The gentleman's time has expired.
With that, we go to the gentlelady from Utah, Mrs. Love, who is
recognized for 5 minutes.
Mrs. Love. Thank you. Thank you for being here. I have a
question that I want to address, Ms. Schwartz, you mentioned in
your testimony that credit unions left often cleaning up the
mess when another institution suffers from data breach.
Institutions such as retailers that aren't subject to a data
security structure like the Gramm-Leach-Bliley, you have
written this in your testimony.
Could you summarize for me what that mess looks like for
credit unions like yours, and what kind of costs are involved
in that?
Ms. Schwartz. To scale it--my credit union has issued about
280,000 credit cards to our members. Over the past few years we
have reissued 146,000. A significant number of our members have
been impacted, some more than once, many more than once.
Mrs. Love. Right.
Ms. Schwartz. They don't always understand where the breach
happened, most particularly because often we can't tell them
where the breach happened. They tend to think that the
financial institution is the responsible party, when we have
not been.
Mrs. Love. When you are reissuing over half, what does that
cost look like?
Ms. Schwartz. Just for fraud itself was $1.7 million for us
so far this year, through September 30. We anticipate it will
be well over $2 million just for the fraud occurrences.
Reissuance of the cards depends on the type of card and whether
the PIN was compromised. It ranges between $2 to $6 per PIN,
just for the hard cost. Then, of course, there is the soft cost
of answering all of those member questions.
Mrs. Love. Right. OK. Are you able to break down those
numbers by different types of breaches, such as by source?
Ms. Schwartz. If it is a huge breach, we will typically go
back and take a look and be able to determine. Oftentimes,
because there are so many different cases, 1,400 different
breaches is not practical for us to spend staff time to try and
tie back every single bit. We are financially responsible to
the members, we reimburse them, and then we move on to the
next.
Mrs. Love. OK. You also mentioned that one of the
vulnerabilities in sectors beyond bank and credit unions is
lack of examination for compliance with data security
standards. You specifically mentioned that credit bureaus, like
Equifax, are not examined for compliance with the GLBA. How big
of an impact do you think this makes, and how should compliance
be insured?
Ms. Schwartz. I think it clearly makes a huge difference.
If they had followed the Gramm-Leach-Bliley Act requirements,
it is very possible the breach wouldn't have happened. The
patch would have occurred in a more timely manner and the
opportunity for the fraudsters to gather that data simply would
not have been there. Absent a regulatory examination to ensure
compliance, I don't think it happens.
Mrs. Love. Would it be fair to say that if institutions or
the credit bureaus, like Equifax, had as much skin in the game,
in other words, if they were held responsible financially for
these breaches, that you would see fewer of these things
happening?
Ms. Schwartz. No question.
Mrs. Love. OK. I have a few more minutes. There was a part
where you pointed out in your testimony that the breach may
never come to fruition if an entity handles sensitive
information, limits the amount of data collected on the front-
end and is diligent in not storing sensitive personal data and
financial data in their own systems.
Do your consumers even know, for example, if they are
sitting at their computers shopping online, what happens to
their data, especially the data that they are being asked to
supply?
Ms. Schwartz. I think consumers are becoming more educated
on this, but I think they are more concerned with the
transaction than what is happening behind it. I am sure that
they don't realize that many merchants can store that data for
an unlimited period of time, even though they might not have
shopped at a certain merchant, that data is going to linger out
there forever.
Mrs. Love. In other words, sitting at their computer, they
probably feel like there is some vulnerability there, but they
have no idea that the vulnerability lingers way past the time
that they are actually sitting on the computer.
Ms. Schwartz. Exactly.
Mrs. Love. Over 1.4 million Utahans were affected by the
Equifax breach, and as information is growing and changing, it
is something that is incredibly concerning. I think that this
is an example of how we need to have institutions that are
holding onto this data have some skin in the game, that they
know that they are absolutely responsible for those breaches,
also. I think that where a lot of responsibility is given, you
have to make sure that you take care of that responsibility
carefully. Thank you for your testimony.
Chairman Luetkemeyer. The gentlelady's time has expired.
With that, we go to the gentleman from North Carolina, Mr.
Pittenger, is recognized for 5 minutes.
Mr. Pittenger. Thank you, Mr. Luetkemeyer, for hosting this
hearing. I really appreciate each of you all being with us
today, your input is extremely valuable.
In North Carolina we have had a significant impact with 1.1
million North Carolinians' personal data stolen in various
security breaches since 2015, up from 300,000 in 2014. The
Equifax had an impact of 5 million North Carolinians. It is a
clear indication of the concerns that we have with data and
security concerns, as well as congressional action that needs
to be provided.
With that in mind, I would like to ask you, Mr. Bentsen. In
your own statement you referenced that we need to have a
combination of activities that relies on strong defenses,
information sharing, mitigation, and recovery planning.
To the point of information sharing, Mr. Mierzwinski
conveyed that you cannot bifurcate data sharing and privacy
issues. How would we mitigate the privacy concerns with the
need that we truly do have for greater data sharing?
Mr. Bentsen. That is a very good question. We are
interested in information sharing, not only with the industry
being able to share with the Government, the Government being
able to share with the industry when there is a certain attack,
but also to be able to share not data as much as sharing the
types of attacks that are occurring across the sector.
Mr. Loudermilk talked about this in the past, one of my
defenses is having somebody else get attacked so they are not
coming after me. What we have tried to do in the financial
services industry is to be able to spread the information
across the sector quickly if a certain type of attack is
occurring so that others can recheck their defenses against
that or their resiliency efforts against it. We think that is
really important.
At the same time, the industry feels very strongly, not
only about our legal obligation with respect to protection of
privacy, but as Ms. Schwartz says, our reputational obligation
to our clients. It is a highly competitive industry, and if we
are viewed as not protecting our clients' data, they are going
to go somewhere else. It is a spot-on question.
Mr. Pittenger. Recognizing this need, how would you frame
legislation? How would you advise us to address this concern?
Mr. Bentsen. We were not part of the legislation referenced
from the 114th Congress, and obviously, you have parties on all
sides who have--or interests on all sides who have legitimate
concerns about that. Data breaches are just one component of
this, but it is a huge component. It maybe has the biggest
retail aspect in some respects, and a huge market failure would
have a huge retail impact as well.
This is an emerging issue that is only going to get worse.
It is not going to get better. It is something where
policymakers, such as Congress, are really going to have to dig
in and bring the parties together, and by that, the interests--
political parties perhaps as well, but the interests together
to really see how can we look into the future, because we are
also going to see technology use increase. Technology is a good
thing, it has improved efficiencies in the economy, it is only
going to do more of that. But it is going to create new risk,
and we need to be in front of those going forward.
Mr. Pittenger. Thank you. Mr. Mennenoh, you stated in your
remarks that policymakers should consider better ways to use
both the SARS reports, and IC3 data to better detect accounts
used by these criminals.
Give us some examples of better ways that we should be
employing?
Mr. Mennenoh. That is a good question. I don't know that I
have a clear answer for you on that without having the staff
help me with that. But, certainly, I would say being able to
provide information to all of the parties in the real estate
transaction, the different industries that are involved in
terms of where these problems occur, how they occur, and the
warning signs, if you will, to detect them, to try to prevent
them. I don't know that I can help you further than that.
Mr. Pittenger. Ms. Schwartz, quickly, you stated that
Congress needs to modernize data security laws to reflect the
complexity of the current environment, insist that entities
collecting and storing personal financial information adhere to
strong Federal standard in this regard.
How would you modernize those laws?
Ms. Schwartz. I think Gramm-Leach-Bliley does provide a
good model because it is scalable and flexible. I think it can
apply to small and large, and it provides some basic guidelines
that ensure sound practices.
Mr. Pittenger. Thank you. My time is expired.
Chairman Luetkemeyer. The gentleman's time has expired, and
we are out of questioners. All of you on the panel are freed up
here at this moment. Thank you for being here today.
Just a few closing thoughts. We are a very data driven
society. I am a big baseball fan. Even data drives the baseball
games. I have been watching the World Series, and they talk
about this batter can hit this pitch in this area and you have
shifts on the defense to where you go, and they match up
pitchers between the batters. It is all back to data, data,
data, which is great to a certain extent.
But I think, Mr. Bentsen, your last comment there was very
succinct when you say, with all this data comes new risks, and
how do we protect ourselves against those risks. I think that
is what we are concerned about today, as we see these breaches
continue. The gentleman from California a minute ago, Mr.
Royce, said, here we are again. Here we are again.
We have to figure out how to put some solutions on these
problems, and hopefully your information today will help us. I
think we need to look at notification. To me, that is a big
issue. How do you make sure that the public, whose information
that you as a business--or Government have, how do you notify
them when you have been breached so that there is a level of
trust there, so that you can give those folks notice that they
can get themselves in a position where they can protect
themselves.
Who assumes the liability whenever there is a breach? To
me, that is a big question. I think Mr. Barr asked that
question a while ago. We need to figure out where that stands,
because I can tell you there are some businesses, I think, one
of them, I think maybe it was Andy here a minute ago, made the
same comment with regards to businesses, who through no fault
of their own, it is costing them thousands and thousands of
dollars as a result of breaches. This has to go back to
entities that caused the problem and they have to be held
accountable.
We are looking for help, we are looking for answers. We are
going to continue to work with you on these issues. We
certainly appreciate your being here today and all of your
input, and again, as I said, welcome your input back to us on
other concerns or questions that may have come up during the
discussion.
The Chair notes that some Members may have additional
questions for this panel, which they may wish to submit in
writing. Without objection, the hearing record will remain open
for 5 legislative days for Members to submit written questions
to these witnesses and to place their responses in the record.
Also, without objection, Members will have 5 legislative days
to submit extraneous materials to the Chair for inclusion in
the record.
[Whereupon, at 3:45 p.m., the subcommittee was adjourned.]
A P P E N D I X
November 1, 2017
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]