[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

DATA SECURITY: VULNERABILITIES AND OPPORTUNITIES FOR IMPROVEMENT

HEARING BEFORE THE SUBCOMMITTEE ON FINANCIAL INSTITUTIONS AND CONSUMER CREDIT OF THE COMMITTEE ON FINANCIAL SERVICES, U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS, FIRST SESSION
NOVEMBER 1, 2017
Printed for the use of the Committee on Financial Services
Serial No. 115-52
U.S. GOVERNMENT PUBLISHING OFFICE, 30-771 PDF, WASHINGTON : 2018

HOUSE COMMITTEE ON FINANCIAL SERVICES
JEB HENSARLING, Texas, Chairman

PATRICK T. McHENRY, North Carolina, Vice Chairman
PETER T. KING, New York
EDWARD R. ROYCE, California
FRANK D. LUCAS, Oklahoma
STEVAN PEARCE, New Mexico
BILL POSEY, Florida
BLAINE LUETKEMEYER, Missouri
BILL HUIZENGA, Michigan
SEAN P. DUFFY, Wisconsin
STEVE STIVERS, Ohio
RANDY HULTGREN, Illinois
DENNIS A. ROSS, Florida
ROBERT PITTENGER, North Carolina
ANN WAGNER, Missouri
ANDY BARR, Kentucky
KEITH J. ROTHFUS, Pennsylvania
LUKE MESSER, Indiana
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
BRUCE POLIQUIN, Maine
MIA LOVE, Utah
FRENCH HILL, Arkansas
TOM EMMER, Minnesota
LEE M. ZELDIN, New York
DAVID A. TROTT, Michigan
BARRY LOUDERMILK, Georgia
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
TREY HOLLINGSWORTH, Indiana

MAXINE WATERS, California, Ranking Member
CAROLYN B. MALONEY, New York
NYDIA M. VELAZQUEZ, New York
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
MICHAEL E. CAPUANO, Massachusetts
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
DAVID SCOTT, Georgia
AL GREEN, Texas
EMANUEL CLEAVER, Missouri
GWEN MOORE, Wisconsin
KEITH ELLISON, Minnesota
ED PERLMUTTER, Colorado
JAMES A. HIMES, Connecticut
BILL FOSTER, Illinois
DANIEL T. KILDEE, Michigan
JOHN K. DELANEY, Maryland
KYRSTEN SINEMA, Arizona
JOYCE BEATTY, Ohio
DENNY HECK, Washington
JUAN VARGAS, California
JOSH GOTTHEIMER, New Jersey
VICENTE GONZALEZ, Texas
CHARLIE CRIST, Florida
RUBEN KIHUEN, Nevada

Kirsten Sutton Mork, Staff Director

SUBCOMMITTEE ON FINANCIAL INSTITUTIONS AND CONSUMER CREDIT
BLAINE LUETKEMEYER, Missouri, Chairman

KEITH J. ROTHFUS, Pennsylvania, Vice Chairman
EDWARD R. ROYCE, California
FRANK D. LUCAS, Oklahoma
BILL POSEY, Florida
DENNIS A. ROSS, Florida
ROBERT PITTENGER, North Carolina
ANDY BARR, Kentucky
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
MIA LOVE, Utah
DAVID A. TROTT, Michigan
BARRY LOUDERMILK, Georgia
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York

WM. LACY CLAY, Missouri, Ranking Member
CAROLYN B. MALONEY, New York
GREGORY W. MEEKS, New York
DAVID SCOTT, Georgia
NYDIA M. VELAZQUEZ, New York
AL GREEN, Texas
KEITH ELLISON, Minnesota
MICHAEL E. CAPUANO, Massachusetts
DENNY HECK, Washington
GWEN MOORE, Wisconsin
CHARLIE CRIST, Florida

C O N T E N T S

Hearing held on: November 1, 2017 .......... Page 1
Appendix: November 1, 2017 .......... Page 35

WITNESSES
Wednesday, November 1, 2017
Bentsen, Hon. Kenneth, Jr., President and Chief Executive Officer, Securities Industry and Financial Markets Association .......... 3
Mennenoh, Daniel, ITP, NTP, President, H.B. Wilkinson Title Company, on behalf of the American Land Title Association .......... 5
Mierzwinski, Edmund, Consumer Program Director, U.S. Public Interest Research Group .......... 6
Schwartz, Debra, President and Chief Executive Officer, Mission Federal Credit Union, on behalf of the National Association of Federally-Insured Credit Unions .......... 8

APPENDIX
Prepared statements:
Bentsen, Hon. Kenneth, Jr. .......... 36
Mennenoh, Daniel .......... 50
Mierzwinski, Edmund .......... 61
Schwartz, Debra .......... 78

Additional Material Submitted for the Record
Luetkemeyer, Hon. Blaine:
Written statement of the Food Marketing Institute .......... 105
Written statement of the Independent Community Bankers of America .......... 107
Written statement of the American Bankers Association, the Consumer Bankers Association, the Credit Union National Association, the Financial Services Roundtable, the Independent Community Bankers of America, the National Association of Federally-Insured Credit Unions, and The Clearing House .......... 109

DATA SECURITY: VULNERABILITIES AND OPPORTUNITIES FOR IMPROVEMENT

Wednesday, November 1, 2017
U.S. House of Representatives, Subcommittee on Financial Institutions and Consumer Credit, Committee on Financial Services, Washington, D.C.

The subcommittee met, pursuant to notice, at 2:02 p.m., in room 2128, Rayburn House Office Building, Hon. Blaine Luetkemeyer [chairman of the subcommittee] presiding.

Present: Representatives Luetkemeyer, Rothfus, Royce, Lucas, Ross, Pittenger, Barr, Tipton, Williams, Love, Trott, Loudermilk, Kustoff, Tenney, Clay, Maloney, Scott, and Crist.

Chairman Luetkemeyer. The committee will come to order. Without objection, the chair is authorized to declare a recess of the committee at any time. This hearing is entitled "Data Security: Vulnerabilities and Opportunities for Improvement."

Before we begin, I would like to thank the witnesses for appearing today.
We appreciate your participation and look forward to a productive discussion. I now recognize myself for 3 minutes for purposes of delivering an opening statement.

More than 15 million Americans were victims of cyber fraud or identity theft last year. The number of those impacted in 2017 could be significantly more, depending on the damage caused by the Equifax breach. While data security has been a hot topic since that breach, Equifax isn't where the problem started, and if we don't act, it isn't where the problem will end.

Year after year, consumers deal with compromised personally identifiable information resulting from breaches in financial companies, retailers, insurance providers, and even the Federal Government. The list goes on and on. This type of fraud can strike at any point, leaving no consumer immune to its effects.

Financial firms face attempted breaches every single day, sometimes hundreds of attempts a day. Each attack seems to be more dangerous and more advanced than the last, and while the good guys have to be right every time, the bad guys only have to be right once.

Data security has turned into a crisis, and the American people deserve better. As in any crisis, every aspect of data security should be examined. That includes having an honest conversation about the regulatory regime governing these breaches. The question is, does it adequately safeguard consumer data? Does it provide flexibility for companies to innovate, or do they spend too much time and energy trying to comply with State and Federal requirements?

We need to discuss how data security liability is assessed and which entity has a duty to report a breach to the public and in what timeframe such a disclosure should be required. We cannot tolerate a system that is unnecessarily complicated or offers slow resolution for customers and consumers.
We need to instead work collaboratively to reduce red tape, create a more prompt notification standard, and foster harmonization among Federal and State agencies charged with data security regulation.

Today's hearing offers an opportunity to look at data security vulnerabilities through a wider lens. Our witnesses represent a number of different industries that offer unique perspectives and ideas on how to improve the system for the most important people in this conversation: their customers and our constituents.

While today's hearing does not focus on a specific bill, I want to be clear that it is my intention to produce data security reform legislation. This conversation and many others our members have had and will continue to have with their constituents will inform our actions and drive our policy.

I want to again thank our witnesses for being here today. We look forward to your testimony.

The chair now recognizes the gentleman from Missouri, Mr. Clay, the ranking member of the subcommittee, for 5 minutes for an opening statement.

Mr. Clay. Thank you, Mr. Chairman. Thank you for holding this hearing as well as all of the witnesses who are here today. I will forego an opening statement in order to hear from our witnesses. I yield back.

Chairman Luetkemeyer. The gentleman yields back. With that, we go to the gentleman from Pennsylvania, the vice chair of the subcommittee, Mr. Rothfus, for 2 minutes for an opening statement.

Mr. Rothfus. Thank you, Mr. Chairman. I would like to thank the chairman for holding today's hearing on data security. As the recent Equifax data breach reminded us, cybercrime is a constant and growing threat. But the Equifax incident, though terrible and expansive as it was, was just the latest in a string of major cybercrimes that have compromised our private information and put us all at risk.
I am deeply concerned that bad actors, State-sponsored or otherwise, continue to relentlessly target our financial system, retailers, and the physical and digital infrastructure that allow our society to function. Cybercrime is a national security threat and a danger to our economy. It hurts millions of Americans, and it undermines the trust needed to conduct business in the 21st century.

This committee has an important role in helping to address this growing threat. I am looking forward to hearing from our witnesses about how we can improve our current system for addressing and preventing cybercrime. Clearly, there is room for improvement as we seek to ensure that firms take the steps needed to protect private data, properly and promptly notify law enforcement and customers, and quickly move to close vulnerabilities and make victims whole.

Many of my constituents contacted my office after the Equifax breach to seek help and express their frustrations. Families, students, small business owners, and retirees are concerned about what they are seeing and they want us to take steps to protect them.

Again, I look forward to today's discussion, and I hope that it can form the basis for bipartisan collaboration on this important issue. I yield back.

Chairman Luetkemeyer. The gentleman yields back. With that, today, we welcome the testimony of the Honorable Ken Bentsen, president and chief executive officer, Securities Industry and Financial Markets Association; Mr. Daniel Mennenoh, president, H.B. Wilkinson Title Company, on behalf of the American Land Title Association; Ms. Debra Schwartz, president and CEO, Mission Federally-Insured Credit Union, on behalf of the National Association of Federal Credit Unions; and Mr. Edmund Mierzwinski, consumer program director, U.S. Public Interest Research Group.

Each of the witnesses will now be recognized for 5 minutes to give an oral presentation of their testimony.
Without objection, each of your written statements will be made part of the record.

Just a brief tutorial on the lighting system for those of you who haven't been here before. Green means go. The yellow light lights up, that means you have a minute to wrap up. Red means that we need to stop and go on to the next question/answer session.

With that, Mr. Bentsen, you are recognized for 5 minutes.

STATEMENT OF THE HONORABLE KENNETH BENTSEN, JR.

Mr. Bentsen. Thank you, Chairman Luetkemeyer and Ranking Member Clay and members of the subcommittee, for giving me an opportunity to testify today on the important topics of cybersecurity and data protection. SIFMA represents hundreds of banks, broker-dealers, and asset managers who are dedicated to protecting their systems and, more importantly, their clients' data from cyber attacks.

There is likely no greater threat to financial stability than a large-scale cyber event. The financial services sector has invested tremendous monetary and human resources to develop and implement cyber defense and recovery mechanisms, and we welcome the opportunity to discuss the progress we have made today.

Cybercrime is now a bigger criminal enterprise than the global narcotics trade. While data breaches of customer information dominate headlines and are rightfully a top priority for policymakers in the industry, a major cyber attack on critical financial market infrastructure or one that destroys records or financial data are also risks with a potentially far larger impact on the economy.

It is important to recognize that no single sector, not the Federal Government nor any individual firm, has the resources to protect markets from these threats on their own. It is critical that we establish and maintain a robust partnership between industry and government to mitigate cyber threats and their impact. The industry's resiliency will not be fully effective without the government's help and vice versa.
The answer cannot exclusively be more regulation. However, over the past few years, regulators in the U.S. and around the world have proposed or finalized over 30 new cyber rules applicable to the financial services industry. While regulations can help raise expectations and define strong standards for market participants, the volume of regulations has resulted in requirements which are sometimes duplicative and conflicting. Some of our members are subject to as many as 13 different Federal regulatory mandates in addition to State mandates.

Turning to the threat we collectively face, I would like to highlight that every public and private sector institution which holds sensitive information can and, indeed, will be a target of malicious actors. Working with our members along with our sister trade associations, SIFMA has identified a number of best practices for protection of sensitive data in the financial services sector. These practices draw on the experience of our member firms and their own policies and procedures as well as industry standards, such as the NIST framework.

Data protection begins with firms taking a risk-based look at the information they collect, and deciding if they have a business or regulatory purpose that requires them to hold this information. If sensitive information like a social security number is not directly relevant and necessary, firms should refrain from holding it.

Once firms have collected sensitive data, they should ensure that they have controls in place to protect it while it is being used and stored. That includes ensuring that access to sensitive data is restricted only to authorized users who need it to perform their jobs. Firms should also work to reduce the risk by destroying sensitive data once it is no longer needed.
As a highly regulated sector, our members also provide a tremendous amount of sensitive information to regulators in accord with their supervisory mandates, and given the ever-increasing risks, our sector is engaged in an important dialog with our government partners to ensure and enhance protections across the board.

I would also like to spend a minute or so to focus on one particular important data protection challenge currently on the minds of many. As the Securities and Exchange Commission and the SROs move forward with the development of a Consolidated Audit Trail, it is critical that the CAT not introduce new data protection risk.

Once complete, the CAT will be the world's largest data repository for securities transactions and one of the largest databases of any type. Each day, the system will ingest 58 billion records and maintain the data on over 100 million customer accounts. The current plan raises serious concerns around data protection and the ability to confidently secure the critical information it will contain.

The CAT design requires firms to provide a significant amount of sensitive customer information, including names, social security numbers, and addresses. All this information will be held in a single database, creating a high-value target and bad actors will undoubtedly try to find the weakest link to gain access.

While this concern existed well before the recent breaches at Equifax or EDGAR, many stakeholders have grown even more skeptical that the CAT, as currently designed, will be able to protect the massive amount of sensitive PII it will contain. Importantly, just as the industry should and does consider whether sensitive information needs to be collected and retained for a particular purpose, so too does the case need to be made that PII is required to be collected and reside in the CAT for effective surveillance by more than 3,000 users among 22 different SROs in the SEC.
Along this line, we would urge Congress to consider among other possible actions amending the Market Data Protection Act to ensure the SROs who designed and built the CAT have appropriate risk controls in place before the CAT goes live.

In conclusion, effective cybersecurity will be in a state of discussion and improvement for years to come. That security is a combination of activities that relies on strong defenses, information sharing, mitigation, and recovery planning. It can only be accomplished through constructive dialog and engagement among the private sector, policymakers, and regulators. Much work has been done, but as my written testimony lays out, there is much more work to do. SIFMA's members stand ready to do their part, and I look forward to answering your questions.

[The prepared statement of Mr. Bentsen can be found on page 36 of the appendix.]

Chairman Luetkemeyer. Thank you, Mr. Bentsen. Mr. Mennenoh, you are recognized for 5 minutes.

STATEMENT OF DANIEL MENNENOH

Mr. Mennenoh. Thank you. Chairman Luetkemeyer, Ranking Member Clay, and members of the subcommittee, I appreciate the opportunity to discuss one of the largest financial threats facing consumers, title companies, and our real estate system.

My wife and I own H.B. Wilkinson Title Company in Galena, Illinois. We bought the company from my dad 20 years ago. We have 28 employees, with offices in seven counties. We close about 70 real estate transactions a month. Though we are a small business, by title industry standards, we are a big company.

One of my favorite opportunities as president of ALTA was traveling the country to hear what was happening in local markets. The largest concerns I heard from title agents were on data security and the growing threat of criminals trying to steal our customers' money. Even my small company in Galena sees a couple of phishing attempts every week. Those attempts are often sent to multiple email addresses.
Earlier this year, the FBI reported a 480 percent increase in criminals attempting to steal consumers' funds, and it is easy to see why. The average successful bank robber's haul is $3,816. The average successful wire fraud loss is $129,427. This is a much better return for a much less expensive and dangerous crime to commit. Overall, these scams have cost Americans $5.3 billion.

Home buyers are the most common targets. Criminals gain access to the buyer's, seller's, or real estate professional's email account. They monitor traffic looking for a deal. Their goal is to convince the buyer to send their earnest money or downpayment to the criminal. Bloomberg reports that criminals can obtain verified email accounts, passwords, and security questions on the dark web for as little as $10.

In Texas, I heard about a woman who saved nearly $25,000 for the downpayment on her first house. Prior to the lender finalizing the closing disclosure, the woman's email was hacked. Using information from her email, the criminal impersonated the title agency, used the closer's name, and instructed her to send the $25,000 using fraudulent wire instructions. Believing it was the title agency, she followed the instructions and wired the funds to the criminal's account. The home purchase fell through. The money was gone. The woman lost her life savings.

This is a heartbreaking story, and it happens often. Title companies in each of your communities have stories just like these. Consumer losses due to a data breach pale in comparison to the loss of consumers' downpayment or earnest money deposit.

I wish there was a silver bullet to protect our customers, but there is not. As an industry, we have improved our digital hygiene and have taken an array of steps to combat this fraud. This includes using secured email communications, verifying instructions with buyers using known phone numbers, and asking banks to match both the recipient's account number and payee information when we send wires.
We issue warnings to our customers on websites and at the bottom of every email. What is so frustrating is there is no amount of money we can spend to protect our customers from being targeted by these criminals. Two years ago, we were the target, as title settlement agents. Now they are targeting our customers even before we get involved in the transaction, because we are at the end of the process.

We believe we should focus on two key areas to stop these crimes. First, we need to increase awareness of these crimes for buyers, sellers, and the public. We need to get anyone involved in the real estate deal, real estate agents, banks, policymakers, consumer groups, title insurers, settlement agents and real estate attorneys, to help educate our customers about how to protect themselves. Think about movers. Think about surveyors, home inspectors. They are all part of the process.

Second, financial institutions should match not only the account number, but also the payee's name. This simple authentication step can be the single biggest deterrent. We also need to better use both suspicious activity reports and IC3 data to detect trends. Even if more information does not lead to prosecutions of these criminals, it can help banks decide to place holds on the account to prevent the criminal from withdrawing funds.

ALTA is eager to serve as a resource to the subcommittee, and I am happy to answer any questions. Thank you.

[The prepared statement of Mr. Mennenoh can be found on page 50 of the appendix.]

Chairman Luetkemeyer. Thank you, Mr. Mennenoh. Mr. Mierzwinski, you are recognized for 5 minutes.

STATEMENT OF EDMUND MIERZWINSKI

Mr. Mierzwinski. Thank you, Chairman Luetkemeyer, members of the committee. Last week, you held a minority day hearing on Equifax.
I could talk about Equifax for my entire 5 minutes, but I think the State enforcement officials and the consumer advocates who spoke last week, I would simply like to associate my remarks with theirs last week on Equifax specifically. But I do want to continue to talk a little bit about how Equifax fits into the larger big data universe.

First of all, to be clear, Equifax had one of the worst breaches ever. They lost our consumer DNA through a pretty amazing failure to protect it, and then they did a really bad job of notifying us and telling us what was going to happen after that.

But what people don't understand, a lot of people may not know, Equifax is in the highly regulated business, credit reporting, part of the time, but all of the time Equifax is a data broker. There are thousands of underregulated and unregulated data brokers out there. In my testimony, I represent the views of the Federal Trade Commission which has said they need more authority over data brokers. I encourage the committee to read their reports.

Going forward, people should understand that consumers have no control over their information, particularly with the credit bureaus. As was said often in many of the other hearings, we are not their customers; we are their products. Mr. Cordray refers to credit reporting as a dead-end market. You can change your bank if you don't like it. You cannot change your credit bureau. You cannot vote with your feet.

With the lack of control, it is very difficult for consumers to do anything about misuse of their information. We have very little authority to vote, to determine that companies can't use our information, very limited under Gramm-Leach-Bliley. In most cases, companies simply collect information about us and sell it.

We worked on the credit freeze as a way to return some control, starting about 20 years ago. The first credit freeze law passed in California about 15 years ago.
It was revolutionary at the time, but what would make it more revolutionary is if the committee were to adopt--and I believe it has become a bipartisan issue--expand the availability of the free credit freeze. It is the only way you can at least exert some control over your consumer DNA.

In addition, the committee should look at Ranking Member Waters' comprehensive bill to reform the credit bureaus themselves.

Third, I think the committee should look very closely at the flaw in Gramm-Leach-Bliley where the Federal Trade Commission has authority over data security that was not transferred to the Consumer Bureau. Section 1093 should be looked at. I think the Consumer Bureau, because it has the ability to conduct examinations of credit bureaus, because it has the ability to impose penalties for the first violation of the law, not only after a company has violated a consent decree in the FTC's case, and because it has rulemaking authority that the FTC does not have. If you want to rein in the credit bureaus, you have to give the Consumer Bureau more power over them.

The final point that I want to make in my testimony, and I make it extensively in my written testimony, is that the States are privacy innovators. The States are privacy first responders. The credit freeze, the data breach notification laws, all were passed by the States when Congress looked on and didn't do anything. We strongly support protecting the right of the States, as the two attorneys general offices testified last week.

Going forward, we cannot preempt stronger State laws with some narrow Federal breach law that takes away States' rights not only to do breach notification, but States' rights to conduct other privacy examinations, and States' rights to strengthen the data security of their citizenry.

I go into great detail on all of these matters in my testimony. I look forward to your questions. Thank you.

[The prepared statement of Mr. Mierzwinski can be found on page 61 of the appendix.]
Chairman Luetkemeyer. Thank you, Mr. Mierzwinski. Ms. Schwartz, you are recognized for 5 minutes.

STATEMENT OF DEBRA SCHWARTZ

Ms. Schwartz. Chairman Luetkemeyer, Ranking Member Clay, and members of the--

Chairman Luetkemeyer. Please turn on your microphone.

Ms. Schwartz. It should be on.

Chairman Luetkemeyer. Bring it closer to you then. There you go.

Ms. Schwartz. OK, thank you. Chairman Luetkemeyer, Ranking Member Clay, and members of the subcommittee, thank you for the invitation to appear before you this afternoon. My name is Debra Schwartz, and I am testifying today on behalf of NAFCU. I currently serve as president and CEO of Mission Federal Credit Union, Mission Fed, headquartered in San Diego, California, and also serve on NAFCU's board of directors as treasurer.

Data security needs to be everyone's responsibility. More can and must be done to protect consumers on this important issue. NAFCU has long supported comprehensive data security measures to protect consumers' sensitive data. Credit unions and other depository institutions already protect data, consistent with the provisions of 1999's Gramm-Leach-Bliley Act, GLBA. Unfortunately, there is no similar regulatory structure for other entities that may handle sensitive personal and financial data. Although credit bureaus are considered financial institutions under GLBA, they do not have the same regulatory oversight as credit unions and other depository institutions.

GLBA and its implementing regulations have successfully limited data breaches among depository institutions. This standard, outlined in my written testimony, has a proven track record of success and should be recognized in any future requirements. Gramm-Leach-Bliley requires financial institutions to address the risks presented by the complexity and scope of their business. This allows flexibility and ensures the regulatory framework is workable for the largest and smallest financial institutions.
GLBA is an example of how scalability is possible for varying size businesses.

A data security breach can have a big impact on consumers, from waiting for new cards to be issued to updating all accounts connected with a compromised card. Breaches can also result in fraud losses, damaged credit ratings, and even identity theft. As the Equifax breach has demonstrated, data security breaches are not just a retailer problem, but occur across many industries. This highlights the need for a comprehensive national data security standard to protect data, akin to what is already in place for depository institutions under GLBA.

A recent survey of NAFCU members found that respondents were alerted to potential merchant breaches an average of 189 times in 2016. Over 40 percent of the respondents said that they saw an increase in these alerts from 2015. At Mission Fed, we have received over 1,400 separate alerts of merchant data breaches since 2013.

When credit unions are alerted to breaches, they take action to respond and protect their members. These actions have costs, such as card reissuance, fraud losses, and account monitoring. Ultimately, this takes away from providing other services to members. Unfortunately, credit unions rarely see any reimbursement for these costs. Even when there are recoupment opportunities, such as settlements, it is usually only pennies on the dollar, in terms of the real cost and losses incurred.

Recognizing that finding a legislative solution is a complex issue, NAFCU has established a set of guiding principles we would like to see in data security legislation, including: reimbursement of all costs by the breached entity; national standards for safekeeping of information; breach notifications to financial institutions; disclosure of breached entity to consumers; and enforcement of data retention prohibitions. I outline all of our principles in detail in my written testimony.
The time has come for Congress to enact a national standard on data protection for consumers' personal financial information. Additionally, credit bureaus, such as Equifax, should be subjected to examinations for compliance to data security standards, just as depository institutions already are. Consumers whose personal and financial data has been compromised have a right to be notified in a timely manner.

NAFCU believes that the best legislative solution so far on this issue of data security is the bipartisan legislation that was introduced in the 114th Congress, H.R. 2205, the Data Security Act of 2015, which would have set a national data security standard that recognized those who already have one under the GLBA. We were pleased to see this bill get bipartisan support in this committee in the last Congress.

Finally, as the committee is aware, data security is in the jurisdiction of several congressional committees. We appreciate the Financial Services Committee taking the lead to work with leaders in other committees to craft a bipartisan package that can enact a robust national data security standard into law.

In conclusion, data security is a top challenge facing the credit union industry today. Protecting the payment system is the responsibility of all parties involved. It is time to level the playing field, establish a national data security standard for all who handle financial and sensitive personal data. This includes consumers and impacted parties receiving timely notification of data breaches. The standards for depository institutions under GLBA should be the model.

NAFCU stands ready to work with you. Thank you for the opportunity to appear before you today. I welcome any questions you may have.

[The prepared statement of Ms. Schwartz can be found on page 78 of the appendix.]

Chairman Luetkemeyer. Thank you, Ms. Schwartz. I appreciate your testimony and all of the witnesses today.
We will now begin the question-and-answer period of our hearing, and the chair recognizes himself for 5 minutes. Mr. Bentsen, you in your testimony talked about harmonization of State and Federal data security regulations. You even mentioned global standards. Where in this do you think this committee has a role to be able to help the situation the way it is right now? Mr. Bentsen. Thank you for the question, Mr. Chairman. It is a problem where the industry and the government are all trying to get to the same place. There is very little disagreement on that, and we believe it is very much a two-way street. We have a multifaceted regulatory structure for financial institutions, including both a Federal and State regulatory structure, and self-regulatory organizations, and we have many global institutions from the U.S. that operate in multiple jurisdictions. We need to find a way where regulators can come together, in terms of the type of guidance they are doing, the examinations, the supervision process that they want to do, to work around the same framework. Even in the U.S., U.S. regulators are not all using the NIST framework, which we think is the best framework for developing cyber resiliency. I think this committee can play a role with your oversight function of the agencies to start, and the SROs, where you have some indirect jurisdiction, to try and bring them together. To be fair, we have spent time with all of our regulators, brought them all together and said: We understand your individual mandates, but cyber and cyber protection is really a top-of- the-house-down program within all institutions. There has to be a better way to do this, so we don't have a situation where members are spending almost as much time on regulatory compliance as they are on cyber defense. Chairman Luetkemeyer. OK. 
With regards to the NIST standards, do you believe that they are adequate at this time and, if not, what concerns do you have, and in particular, with regards to notification? I am very concerned about notification. It doesn't seem like we have either some standards in place or they are not being adhered to. Can you elaborate a little bit on that? Mr. Bentsen. We think the NIST framework is the appropriate framework. It has been updated recently by NIST. We think it provides sufficient flexibility to the industry. We have mapped it out for our industry, and the capital markets and asset management business and other sectors are using it as well. In terms of notification, this is an important issue. I think everyone agrees that there does need to be timely notification. But I think we also have to be careful in setting deadlines that can be artificial, and we have to determine what the materiality is. We have to determine--in many cases, you can have a cyber event going on and you are in the process of trying to figure out how deep it is, what the impact of it is, if you have to do a forensic audit, if you have to call in the FBI, if it involves--whoever the perpetrator is, and to also be up against a deadline of having to notify before you know what is really going on adds additional risk factors. It is an important issue. As you know, Chairman Clayton of the SEC has raised this issue under the jurisdiction of this committee. I think it is something that, you all and the agencies are going to be spending a lot of time on. Chairman Luetkemeyer. Thank you. Ms. Schwartz, you were talking about the GLBA quite a bit. Do you believe that it is still adequate, or do you see some things that need to be changed in it or amended or added to, or what do you think? Ms. Schwartz. GLBA has been around since 1999, and it has been dynamic, scalable, and flexible. 
The nice thing about it is it works for institutions, whether you are a $10 million credit union or a multibillion dollar credit union. I think it provides an excellent model to be considered, because of those factors. Chairman Luetkemeyer. OK. With regards to notification, there is not a whole lot in Gramm-Leach-Bliley with regards to notification. Can you expound on what your position would be with regards to where we need to go with this? Do we need to put some guidelines in place or leave it alone or--Mr. Bentsen just indicated there are a lot of problems with how you go about that, but is there a way we can get through this and find a middle ground here? Ms. Schwartz. Notification is key. We found out about the Equifax breach probably the same time you did, when we read about it in the Wall Street Journal. We subscribe through Mastercard, who is our credit card partner, and receive ADC notifications from them. We have received 1,400 separate breach notifications since 2013. The faster we are notified, the faster we can work to protect our members, by putting warnings on their account, by reissuing cards. It is absolutely critical that we get notification as soon as possible. Chairman Luetkemeyer. I have just a few seconds left. Mr. Bentsen, you mentioned the Consolidated Audit Trail and the compounding of all information in there. Do you think that is really a good idea? Mr. Bentsen. Well-- Chairman Luetkemeyer. Very quickly. My time is up. Mr. Bentsen. Yes, the concept behind Consolidated Audit Trail is we think an appropriate concept. But we don't know that the question has been answered that you have to have all this personal information as part of the Consolidated Audit Trail in one place. We have no assurance from the builders and the contractor that they can protect it. Chairman Luetkemeyer. OK, thank you. My time has expired. With that, we go to the gentleman from Missouri, another gentleman from Missouri, the ranking member. Mr. 
Clay, you are recognized for 5 minutes. Mr. Clay. Thank you, Mr. Chairman. This question is for the entire panel, so we would start with Mr. Bentsen and go down the line. Good to see you again, Mr. Bentsen. Equifax learned of the data breach on July 29th, 2 days after it filed its quarterly report with the SEC. However, it was not until 6 weeks later, on September 7, that Equifax notified the public of the breach through a statement filed with the SEC. Now, in your view, what duties do public financial services companies owe consumers to provide timely notice of significant cybersecurity incidents? Do you believe that disclosure 6 weeks after a material event is timely? Could you elaborate whether this extended period with the Equifax incident, from when the company learned of it to when the public was made aware of it, may have violated some State breach notification laws, particularly given that some States require immediate notification and most States require notification within the most expedient time possible without reasonable delay? I will start with Mr. Bentsen and would like for each panelist to try to answer some of those questions. Mr. Bentsen. Thank you, Mr. Clay, and good to see you again as well. First of all, Equifax is not a member of ours. We don't represent the credit bureaus. Most of what I know about the Equifax issue is what I have read in the press. I can't really comment on what they did, whether it is appropriate or not, and I am sure the appropriate regulators are looking at the issue as it is. Again, I think there is a question of materiality. There is a question of your risk factors, when there has been a breach and if the person who is breaching is still there and who it is and how you are dealing with it. There is no question that there should be an effort to notify the affected parties, your clients in this case, as soon as it is practical that you can do so, weighing all those other factors. 
As it relates to Equifax they are not a member. I am not familiar with the facts of that case. Mr. Clay. Sure. But you are saying they did have a duty to inform the public. Mr. Bentsen. I think if it is a material issue, there are a number of requirements, both in terms of public company requirements and State--and I can't speak to all the States; Ed probably can--of what they have to comply with. Mr. Clay. Mr. Mennenoh. Mr. Mennenoh. Thank you, sir. Yes, I certainly would agree that consumers need to be notified promptly. Certainly from our perspective, when we have circumstances where consumer funds have been taken, we take immediate action to try to recover those funds. But with wire transfers, oftentimes, it is a case where if you don't address it within 24 hours, it is pretty difficult to get those funds back. Mr. Clay. 6 weeks was, in your opinion, quite a bit of time expired? Mr. Mennenoh. For our purposes, the money is gone. Chairman Luetkemeyer. Mr. Mierzwinski. Mr. Mierzwinski. Mr. Clay, I totally agree. You made a lot of the points in your opening remark here. Equifax probably violated the strongest State laws on immediate notification. It probably violated a number of State laws on attorney general notification. Massachusetts has already sued Equifax. Other State attorneys general have a multiState investigation going on right now. I think you will see additional litigation against the company. You will see private lawsuits as well. But they failed. They epically failed, and a lot more needs to be done. Mr. Clay. Thank you. Ms. Schwartz. Ms. Schwartz. Six weeks is clearly too long. I think, in additional to notifying consumers, notifying financial institutions is also critical. We are in a position where we can really help to mitigate fraud. We can put warnings on accounts; we can reissue cards. We can't do that if we are not told. A lot of fraud can happen in 6 weeks. Mr. Clay. Mr. 
Mierzwinski, in the event of a breach, what information should be provided to consumers to ensure they are fully informed of the rights and remedies available to them as well as the steps that they consider taking to protect against fraud, identity theft, and other crimes? Mr. Mierzwinski. I think consumers need to hear everything about their rights under Federal law and what the company is going to do, and they don't need to hear about all the changing kinds of results that Equifax provided them. You need to know what your rights are. You need to learn how to put a fraud alert. You need to learn how to put a credit freeze on. You need to learn all of these things. You need to understand that your Social Security number is the key to identity theft. They lost that. It is much worse than any merchant breach. Mr. Clay. Thank you. My time is up. Chairman Luetkemeyer. The gentleman's time has expired. With that, we go to the gentleman from Texas. Mr. Williams is recognized for 5 minutes. Mr. Williams. Thank you, Mr. Chairman. Thank all of you for being here today, and I appreciate your testimony this afternoon on the important subject of data security and how we can and must do better to protect private information. As a small business owner for 45 years, I recognize the importance of protecting the information of my customers, and I know firsthand the impact that cyber attacks can have on Main Street America. I am concerned by the increasing trend of breaches that has occurred over the past few years, and I hope to learn from all of you today how we can ensure that American consumers can rest easy, knowing that their personal information is in good hands. Mr. Bentsen, one of the things that I do worry about, not just when it comes to the industry but in general, is an issue with excessive regulations. When President Trump was elected, he pledged to fight against expanding the regulatory regime. I agree with his goals on that regard. 
One of the fears I have, which you also mentioned in your testimony, is that Congress creates regulations which result, I quote, ``in requirements which are sometimes overlapping, duplicative, and conflicting.'' How can Congress create effective rules while avoiding the problem of overburdensome regulations? Mr. Bentsen. I think in the case of cyber protection, including protection of sensitive data like PII, I think Congress plays a very important oversight role with the agencies that you set the authorization for, you fund, you set the laws that they execute on. In the case of the financial services sector, where you can have 5, and up to 13 different regulators, Congress can definitely play a role in trying to get better coordination among those regulators in how they are going to implement cyber rules, cyber defense rules, guidance, or whatever it may be, as well as on their examination process. We have members who, again, they have up to 13 different regulators before you get to the States. We have members who are going through multiple examinations because they have a bank, a broker-dealer, a futures commodities merchant. In many cases, they will have the SEC, the CFTC, the OCC, the Fed coming through, but that is before whoever their State regulator may be or whoever their SRO may be. If we can get some harmonization there, where we are all trying to do the same thing, and with Congress' oversight function working with those agencies, that could be very helpful. Mr. Williams. Thank you. Mr. Mennenoh, this question is for you. I mentioned earlier my background as a small business owner, and I am extremely concerned with protecting the nonpublic personal information of my customers. I am a car dealer. In your testimony, you discuss how the American Land Title Association, which represents many small businesses, has developed a set of voluntary standards for its members to use as part of their compliance programs. 
Can you expand on these standards, and to what extent do your members cooperate with law enforcement following a breach, and what steps would you recognize to take immediately following a breach? Mr. Mennenoh. Thank you. Yes, the standards that we put out, the voluntary ALTA best practices, do address very specifically how to protect data, how we should be addressing that in quite a bit of detail. But the other side of it too is that because we handle a lot of money for real estate transactions, we also have to protect the money. We have very high standards in terms of how we protect the money as the transactions are taking place. It is a process that we feel has raised the bar, if you will. I believe many of our members are doing a very, very good job of addressing this, but, as I mentioned in my testimony, the biggest issue for us is the money at this point. The small companies oftentimes use third-party data centers, that sort of thing, that have high security standards for the data security, but we have to make sure that we are protecting the money as well. That is a big issue for us, and we address this very, very aggressively. Mr. Williams. Thank you. Ms. Schwartz, one of the biggest issues in the wake of the Equifax breach was their notification process to consumers. In your testimony, you too acknowledge that Equifax failed in the area of consumer notification. Additionally, you discuss the need for timely notification of members after a breach has taken place. In your words, you say that this is important to manage an institution's reputation risk. What kinds of notification standards should Congress consider requiring, if any, and would such standards hamper the efforts of law enforcement following a breach? Ms. Schwartz. I think the most important thing is trying to avoid the breaches in the first place. But absent that, timely notification as soon as reasonably applicable. 
It is very difficult to put a certain timeframe on it, because I think there are issues, such as law enforcement actions, that could possibly delay it. But as soon as possible, financial institutions can do a lot to help mitigate any losses that could happen. We can reissue cards. We can also notify our members that their accounts have been compromised. We have a pretty good track record of them opening up the emails that they get from us. The notification standards as they are right now can be somewhat nebulous, particularly in California; I believe you can just put something in the newspaper. It puts a lot of pressure on the consumer to look up to see if it has been compromised. There is a lot of room there for improvement. Mr. Williams. Thank you for your testimony. I yield back. Chairman Luetkemeyer. The gentleman's time has expired. With that, we go to the distinguished gentleman from Georgia. Mr. Scott is recognized for 5 minutes. Mr. Scott. Thank you very much. Mr. Chairman, this issue is very important to all of the American people and all of us Members here in Congress, but it is expressly important to me because I am the representative from the great State of Georgia, a State I love. This extraordinarily careless breach that was allowed at Equifax is certainly very troublesome to me. I am very concerned about that. I have a commitment to help Equifax because I want to make sure that we can bring them out of this standing tall, standing big, and be able to renew the confidence of the American people. However, that is not going to happen for any of them, but certainly for Equifax: 145 million people, and their Social Securities are out there in the wind, their birth dates, all this vital information. While I want to do that, we on this committee and Members of Congress, can't do it without them. I don't know if you all know this, but they refused--can you imagine that?--to come before this Congress and speak. We cannot solve this problem, you and I. 
I know many of you. Mr. Bentsen, I know your great reputation. Ms. Schwartz. All of you. But neither you nor I can solve this problem if the CEOs, the people that run Equifax, that run TransUnion and these other companies are not willing to come and sit where you are so that we can find that. We have to get the message to these credit agencies that they have to get here in Congress, partner with all of us. This is a huge issue. I just hope that you all will convey that message to them. Now, with the time remaining, I just want to--I look at this as the American people look at it and want to get your responses to this. If Americans can't trust their credit and data, that it is going to be protected, let me ask you this, Mr. Bentsen, Ms. Schwartz, any of you: Why would they want to risk shopping online for their Christmas gifts? Can you see the damage that this would do to our economy through that? Or if Americans don't think that their local banks can keep their personal account numbers protected, why would they want to risk it by opening up a checking account? In other words, the whole foundation of our fantastic and yet complex financial system is registered in credit. If these credit agencies, 145 million Americans, Mr. Bentsen, I ask you and Ms. Schwartz, how many of these 145 million Americans do you believe even have been informed that their data is out floating and gone with the wind? Mr. Bentsen. Mr. Scott, I don't know the answer to that question, but certainly there has been a lot written about it, and I have been on the website myself. What I will say, I think you are absolutely correct that there are two things that are very important. The confidence in the system is incredibly important. In the industry at large-- we don't represent the credit bureaus, so I won't speak for them. The industry at large has a responsibility to work to maintain that confidence, and this industry does that day in and day out. No. 1, it is through defense; and No. 
2, it is through recovery. We are taking efforts in both those areas, including understanding what happens if you have a major attack wiping out books and records. Can someone at the end of the day go back and say: What was my balance of my retail brokerage account yesterday? What was my balance in my checking account yesterday? These are the things we should be working on, which we are. Mr. Scott. Ms. Schwartz, let me ask you, because I have been concerned about Gramm-Leach-Bliley standards and the applicability of them to large as well as the smaller, the rural companies. I think you alluded to this in your testimony, and I would like for you to clear that up. Do you have confidence in that one size will fit all? Particularly when you look at our economic system, it is so diverse; it is so varied. To have the same standards for a big mega bank operating around the world, for a mom-and-pop store in my district in Stockbridge, Georgia? Are you saying that we don't have to worry about that, that it is applicable? Ms. Schwartz. No, I think your point is very well taken. One size fits all is not the answer. But I will say that the beauty of Gramm-Leach-Bliley is it is scalable, and it is flexible. It has been around for more than 17 years and is still helpful and provides a framework. I think a level playing field is very important. Some minimum standards that anyone along the payment system rails should follow I think is very important. Mr. Scott. Thank you. Thank you for the little extra time there, Mr. Chairman. I appreciate it. Chairman Luetkemeyer. Thank you, Mr. Scott. The gentleman's time has expired. With that, we go to the gentleman from Michigan. Mr. Trott is recognized for 5 minutes. Mr. Trott. Thank you, Mr. Chairman. I also want to thank the panel for their time this afternoon. Mr. Bentsen, I want to start with you. You talked in your opening comments about the need for partnership between industry and government to address this problem. 
I am just curious what is the most significant barrier in your mind to the creation of that partnership, and what does that partnership look like? Is it just less, more reasonable compliance, burdens, or what does the partnership look like, and how do we accomplish it? Mr. Bentsen. Congressman, thank you for that question. I think our partnership with the government on the broad question of cyber resiliency is quite good. I credit the Treasury Department, Homeland Security, and the various agencies for that. This is something where everybody is trying to row in the same direction. Frankly, through a lot of industry exercises and a lot of tabletop exercises with the government, and we have learned a lot. They have learned a lot, I think. We have learned a lot from them as well, and we want to keep doing that. That has led to new initiatives on both sides, I believe. Where I think things can break down is agencies operating under their own individual mandate, which is established by law and all of that. That is understandable, but it seems to us that we can do a better job of coordinating among those various agencies so there is more interchangeability between how firms are complying with requirements. That is really the point. Mr. Trott. Maybe 2 or 3 instead of 13 would be a good start? Mr. Bentsen. Or some substitution, yes. Mr. Trott. Thanks so much. Mr. Mennenoh, nice to see you again. We met up in Traverse City at the Michigan Land Title Association. You were the keynote speaker up there this summer. Mr. Mennenoh. Yes, we did. Mr. Trott. I hope you enjoyed your time in northern Michigan. Mr. Mennenoh. Absolutely. Mr. Trott. You discussed wire fraud and what a huge problem it is for the industry. It is a significant problem because, unlike some of these issues, really there is no good solution. Once it happens, the money is gone. Usually it is a lot of money, as you said. 
You discussed education, and it sounds like a good idea, but I wanted to get your thoughts on--one thought I had was maybe we put some kind of disclaimer or warning in the purchase agreement, or maybe the realtor's listing agreement has some kind of--or there is some form. But, that is probably not a great solution, and I want to get your thoughts on it, because you have a buyer who is excited to get their home. Maybe it is their first home. They don't even understand what a title agency does in the overall transaction, perhaps. Is the education going to make a difference, or is it really the financial institutions that have to be the solution in terms of the wire fraud? Mr. Mennenoh. Honestly, I think there is maybe a combination of the two. Certainly the financial institutions, if we can match the account name, the account owner to the account number and the routing number on a wire transfer, that would actually be a good deterrent. But I also think the education component is very important as well, in that all of the professions involved in real estate can work together, send the same message. It has to be a message that is being conveyed routinely, because, as you say, people buy a house and they may not buy another house for years. But providing that level of education from all of the professions that are involved in this process would be very, very helpful. As I mentioned before, we are at the end of the process. The parties that have first contact with the consumer can help with that process as well. For example, in January, I, along with the Board of Governors at ALTA, met with Director Cordray, and we were asking for a consumer alert to be issued. The Director's initial response was, how often does that really happen? We were telling him stories about things that have, in fact, happened. We followed up again in April. Then it wasn't until June that we actually had the CFPB issue a consumer alert. That is all we wanted to have them do. 
It is a difficult process. Mr. Trott. That is for sure. Thank you. Ms. Schwartz, so my friend from Georgia was quite articulate in how he described the ramifications to commerce, e-commerce in this country, given the Equifax breach. I want to ask a question with respect to Mission Federal. Can you say with 100 percent confidence that you can build a firewall that will protect your members' data? Ms. Schwartz. I don't think anybody can say with 100 percent confidence, but I can tell you we have had 245,752 attacks on our system through September 30th, none of which were successful. Mr. Trott. That is extraordinary. But your answer, I was hoping you would say that you couldn't say with 100 percent confidence that you could protect the data, because I think that is an accurate answer. My concern is, when we talk about notification and we are beating up Equifax for how poorly they handled that whole process, to some extent, we were really in damage control at that point. When we talk about a solution--and I am out of time here--I wonder if really we need to focus on a solution that changes the identification process that goes well beyond a Social Security number and date of birth and really makes it much more cumbersome for these cybercrimes to happen. But I will yield back. Thank you for the additional time, Chairman. Chairman Luetkemeyer. The gentleman's time has expired. With that, we go to the gentlelady from New York, Mrs. Maloney. She is recognized for 5 minutes. Mrs. Maloney. Thank you. I thank the chairman and ranking member for calling this important hearing and take this opportunity to welcome my former colleague and very good friend Ken Bentsen. We miss you. I hope you will run for Congress again. But, anyway, it is good to see you again. My question to Mr. 
Bentsen and actually everybody on the panel, as you know, last Congress, this committee considered a data security bill that would have created a national standard for data security and for breach notification procedures. I supported that bill because it would have subjected many more companies to the strong data security requirements that financial institutions already have, subject to the safeguards rule. But we cannot ignore the fact that Equifax was already subject to the safeguards rule, which is what the legislation would have done, yet it still suffered a massive data breach that affected a startling 145 million Americans. Not just today but for the rest of their lives, they are in threat with their security, their identification stolen, their Social Security number. My question to all of you is, in light of the Equifax breach, do you believe the safeguards rule needs to be updated at all to include things like encryption requirements and the two examples of startling mismanagement by Equifax. I know Ms. Schwartz was saying that you should have training so that you would be looking for these breaches. But in an unprecedented action, Equifax was notified by the Homeland Security Department that you will be breached: You will be breached in this way; take steps to protect your customers. Now, the other two companies took steps to protect their customers. Equifax did not. No matter how many training sessions you had, if someone tells you you are going to be breached this way and you don't correct it, training is not going to help you. The other two companies, it is my understanding--because I wrote them and they wrote me back and said they had these other safeguards--they had a system that once you told their system that there could be a breach in a certain way, the whole system closed down until you corrected it. Should Equifax be required to have the same updated system? 
Also, Equifax had a system that was different from the best practices that were put out by the safeguards rule. The best practices said that every firm should have an IT manager who is in charge of this, who is responsible. The other two firms had an IT manager whose sole job was to protect their customers, protect the system, make sure it is safe, but Equifax did not. They had everybody reporting to a, quote, ``general manager,'' who had conflicting responsibilities, such as managing the whole company, the general counsel, such as profits, such as new technologies or whatever else he was looking at. He wasn't focused on IT. Should that best practices idea that has been put out there be implemented in law so that people are following it? We have to take steps to make sure that this happens. Or do you just need to enforce the safeguards rule more? I would like to really go first to my colleague Mr. Bentsen and down the line. I know he has sponsored some data security forums that I have been privileged to attend. I would just like to hear your comments on what we need to do to protect this information. I am astounded that they were notified by the Homeland Security Department and they still couldn't figure out how to correct a breach that they were told they were going to get. Mr. Bentsen. How you describe the situation with Equifax would not be consistent with how the financial services industry approaches the issue of cyber defense, preparedness, and resiliency. And the industry is doing a lot on its own, through its own self-directed principles, in adhering to the NIST framework. Furthermore, though, our regulators will regularly look and see how we are complying with our cyber defenses and resiliency. Our concern is doing it 13 times the same way, but that is more of a process question. That would not be acceptable within our industry. Mrs. Maloney. Any other comments? Ms. Schwartz. I think examination is an important part of that. 
In the credit union industry, we receive regular examinations. There is not a regulatory body that routinely goes into any of the credit bureaus and ensures that they are following those best practices. We just completed a regulatory exam last Friday where they asked us to have a backup firewall to our backup site. We have a firewall, a backup firewall, a redundant site, and a backup firewall for that. I don't believe that the credit bureaus are subject to that same degree of scrutiny and examination. Chairman Luetkemeyer. The gentlelady's time-- Mr. Mierzwinski. Could I make a brief comment? Chairman Luetkemeyer. Very brief. Mr. Mierzwinski. Very briefly, Congresswoman, the Equifax mess is a mess, but the solution is examination authority. I think it should go to the Consumer Bureau. They have all the rest of the authority over Equifax, but everything they did was wrong. Chairman Luetkemeyer. OK. The gentlelady's time has expired. We go to the gentleman from Colorado, Mr. Tipton, recognized for 5 minutes. Mr. Tipton. Thank you, Mr. Chairman, and thank the panel for taking the time to be able to be here. I would like to start with Mr. Bentsen, in your testimony you had noted that approximately 40 percent of cybersecurity activities were focused on compliance rather than security. How is that impacting the ability to actually address what I think people are concerned about, and that is actually having real security? Mr. Bentsen. That is what our member firms report to us, in terms of having to deal with various compliance requirements, exercises, and all. Again, our point is we understand the need for this, but it is having to do it over and over and over again when--and having to deploy those resources when they could be deployed to frontline defense and resiliency and recovery planning. Second, I would point out, which is not in my testimony, but industry statistics have found that there is actually a shortage of cyberdefense personnel in the United States. 
This is something where I think we ought to be careful how we are deploying our resources. That we are not overtaxing when we don't really need to. We can accomplish the same thing for different regulators because of the way the industry approaches the question. Mr. Tipton. Well, and you have spoken a lot to the harmonization that needs to happen. Would this actually help in terms of harmonizing some of the policies that are going through the different agencies so you aren't filing duplicate reports to the 13 different agencies to be able to address that? Mr. Bentsen. We think so. We are talking with our regulators about that. Again, we are all trying to do the same things. We can use the same nomenclature. We can try and adhere to the same framework, which we think ought to be the NIST framework. If you were able to have a good exam with SEC, you ought to have a good exam with FINRA, likewise with the OCC, or whoever it may be. Mr. Tipton. Yes. Ms. Schwartz, is that pretty much your experience with the credit unions as well? Are you seeing dollars for compliance as opposed to security? Ms. Schwartz. It is absolutely true. But as a credit union, we are in the trust business a little bit as well, well, a lot as well, and our reputation is very, very important. Even absent the regulations, absent the compliance requirements, most of the things we would be doing anyway, because we would absolutely lose our membership if they can't be 100 percent confident that we are protecting their secure information, their private information. Mr. Tipton. Right. A lot of the concern really is about having that real confidence within the system. I think, probably everybody can agree there will be attacks, there will be breaches that are going to take place. Mr. Bentsen, through SIFMA, you have developed a program, I think through your industry, the Quantum Dawn, to be able to identify maybe some responses, to be able to rebuild those databases. 
What has been something that you have learned from that? Mr. Bentsen. Congressman, the Quantum Dawn is an industrywide exercise that we do biannually, and do simulate major attacks on market infrastructure, different sectors of the industry, with our government regulators looking over our shoulder. From those we learn a number of things, including better ways of information sharing, who you should call in the Government, depending on what type of account. Testing our playbooks and our recovery playbooks, for instance, of whether markets should open or close if there is a major attack on an infrastructure situation. The industry finds this very valuable. Our regulators, I think, find it very valuable. We have also done tabletop exercises with our regulators and going through different scenario planning. In those we have actually also come up with things that neither us nor the Government necessarily had thought about, and that has led to new initiatives that we think improve our resiliency. Mr. Tipton. Speaking to that, would you maybe speak a little bit to the Sheltered Harbor? Mr. Bentsen. The Sheltered Harbor is an initiative that came out of what is known as the Hamilton Exercises, which is a Treasury-led effort with the industry and the Government. Sheltered Harbor is an industry-led effort that SIFMA as well as the ABA, the FSR, the Clearinghouse, and a number of other industry participants and vendors participate in. It is now housed under the FS-ISAC. The idea here is if there is a major attack on a banker, broker, dealer, and all of their data is wiped out, and they are not able to stand back up. Are you able to recreate end of day balances from the day prior--and bring that up through a vendor or another institution. It is done through establishing a protocol that firms would adhere to. We are currently at about 70 percent of the bank retail deposits participating in the process, and about 50 percent--or 60 percent of broker dealer retail accounts. 
The idea is, again, to be able to go back through encrypted offline protocol that then could be reestablished. Again, it goes back to the question of confidence in the system in trying to solve that. That came out of our exercises. We didn't have a mechanism in place so now we are trying to create it. Mr. Tipton. Great. Well thank you. My time has expired, Mr. Chairman. Chairman Luetkemeyer. The gentleman's time has expired. With that, we go to the gentleman from Tennessee, Mr. Kustoff, you are recognized for 5 minutes. Mr. Kustoff. Thank you, Mr. Chairman. Thank you to the witnesses for being here this afternoon. Mr. Mennenoh, if we could, I know in your testimony you discussed the rapid increase in criminal attempts, almost--I think you said almost 500 percent--480 percent. Mr. Mennenoh. Yes. Mr. Kustoff. To steal customers' closing funds. In response to Mr. Trott, you talked about, in your testimony and in relation to his questions, education of the consumer. Could you also address, from a closer standpoint, a title company's standpoint, what best practices a typical closer or title company has implemented to protect customers' funds? Mr. Mennenoh. Yes. Absolutely. First of all, we use encrypted email when we communicate with our consumers. We also have secure platforms where we can exchange information with our customers on a transaction. In terms of actually protecting the funds and what we do, for our escrow trust accounts we have many security measures in place to make sure that anything that goes through there is watched very closely. Most of our members do a three-way daily reconciliation of the account. We are reconciling our account every single day to make sure we see what activity is going through. We use Positive Pay for our checks. When we have an outgoing wire, we have a two-step authentication process. Once it reaches a certain level, there is a three-step process. 
To make sure that everything is being done, the wire instructions are correct, it is going to the right place. We take a number of steps like that to make sure that we are protecting the funds. Mr. Kustoff. Some of the practices you have described, are those recommended by the American Land Title Association? Mr. Mennenoh. Those are included in the ALTA best practices. Yes. Mr. Kustoff. Do you have an opinion or would you have any knowledge what percentage of ALTA members follow those best practices? Mr. Mennenoh. Honestly, I don't have a number for you. In traveling around the country, I can tell you that a lot of our members who are actively engaged in their State association or national association have implemented the best practices. But I don't have a number for you. Mr. Kustoff. Again, I understand you don't have a number. For those entities that maybe have not adopted those best practices standards, would the issue be cost, that is my first question. Can you elaborate on the difference between costs associated with cybersecurity for a small company and for a medium and large-sized company? Mr. Mennenoh. Certainly. Yes. Cost is certainly an issue. It is costly to implement these things, particularly for a small company. Implementing these types of security measures is a good example, for my company, the amount of fees that we pay to our bank is in the tens of thousands of dollars per year to implement these various procedures and protections that we have in place just with the bank. It is a cost issue, and for small companies that is a big problem. But many of our members who are very responsible and want to do the right thing are very inadvertent. Mr. Kustoff. Thank you. Ms. Schwartz, if I could. The collaborative efforts that have to be undertaken, if you will, by the financial sector and by law enforcement is incredibly important, I think we would all agree, in preventing and mitigating the risk that these cyber attacks pose. 
In the event of a cyber attack, how quickly would your institution engage with law enforcement? Ms. Schwartz. Happily, my institution has not been the victim directly of a cyber attack. We have had--our members have been the victim from data breaches that have happened at the merchant level. We, would of course, cooperate fully should that unfortunate event happen. But we have DDoS protection, and we haven't had any direct attacks since 2015. Mr. Kustoff. In those institutions, those members that would have attacks, are there law enforcement agencies that they typically go to, are they Federal, State, local? Who do they reach out to first and how do they collaborate? Ms. Schwartz. For our members, they would reach out to us, to say, What should we do? We would put everything in place, we could to protect them, whether it is the reissuance of cards, putting notification of fraud alerts on their accounts, best practices, webinars, telling them how they can put a freeze on their account through the credit bureaus. Typically, because we cover the losses, as a financial institution, they are less concerned with reaching out, frankly, to law enforcement because we have covered them from those losses. Mr. Kustoff. Thank you. My time has expired. Thank you, Mr. Chairman. Chairman Luetkemeyer. The gentleman's time has expired. Now we go to the gentleman from Kentucky, chairman of the Monetary Policy Subcommittee, Mr. Barr, recognized for 5 minutes. Mr. Barr. Thank you, Mr. Chairman. Thank you for holding this very important hearing. I hear very regularly from both retailers and the merchant community back in Kentucky, in addition to community financial institutions that serve consumers in central and eastern Kentucky, about the problem of data security, of course, the Equifax breach is a warning to us all that this is a very large scope problem. 
As we marked up the legislation last year to attempt to address this problem, the Carney/Neugebauer legislation, we got different competing stories from the various different actors that would be affected by this. I kind of want to unpack all of that discussion here. A community bank in Kentucky has told me that they have increased spending significantly over the last 18 months on data security. Why? Because they have seen the number of account take-overs triple. Meaning, scammers, through the use of personally identifiable information and security questions data try to gain access to an account by calling the bank and asking for addresses to be changed and new debit cards to be ordered. Et cetera. These same community banks and credit unions tell me that they are spending a whole lot of money dealing with the fraud and reissuance of cards. What they talk about is the weakest link in the data security system. My first question to Ms. Schwartz is where do you view the weakest link to be? Ms. Schwartz. In the payment market, they are absolutely right. The weakest link is where the criminals are going to go, and frankly, it is at the merchant level at this point. Mission Fed spent over a million dollars in 2017 for data security. Many of the merchants have little or no protocol in place for things as simple as getting rid of old data or shredding or virus protection. It doesn't have to cost a million dollars. There is basic financial hygiene, if you will, that can be implemented at a reasonable cost, no matter what your size. Again, going back to Gramm-Leach-Bliley, as a scalable and flexible rule that does provide a nice framework for protecting important consumer privacy data, financial data. Mr. Barr. Now, what would you say, Ms. 
Schwartz, to the kind of response from the merchant community that the breach notification legislation that we voted for in the last Congress would subject retailers to stringent bank-style security rules, whereas, banks or credit unions would be subject only to discretionary guidance? Ms. Schwartz. I don't think it is discretionary for us. It is our reputation. We are responsible, on the hook monetarily, and we are very, very heavily regulated. I think H.R. 2205, which I believe is what you are referring to, did a very nice job at providing a level playing field, because again, if you don't have the standards throughout the whole payment systems infrastructure, the criminals are going to find the weakest link. Mr. Barr. Yes, I think, so community financial institutions in my district also would say that Regulation E forces them to pay when their customers are harmed, even though it is not their fault, when it is the fault of some other party. That is very understandable anxiety for those folks. But let me just kind of continue to try to unpack this, because the merchant community will say that small businesses simply don't pose the same kind of risk because they are only dealing with a small category of vulnerabilities, namely, credit card information, not a range of other kinds of sensitive information. What would you say in response to that? Ms. Schwartz. I would say in 2017 until the end of September, at my credit union alone, we have had 14,500 cases of reported fraud, costing us $1.7 million, money that could have been better spent serving our members. Again, basic financial hygiene of protecting sensitive data, updating virus protection, does not seem like an unreasonable standard for those merchants to have to follow in return for having a good business practice, a good name. Mr. Barr. Yes. I am very sympathetic to your point of view, at the same time, I want to figure out a way forward, especially with those small businesses that are pushing back. 
Any help that you all can give us in terms of working with the merchant community to come--to work through these issues would be appreciated, because we clearly need a solution. I think all parties, to their credit, have supported passage of some kind of Federal data breach notification law to replace the existing patchwork. I have run out of time so I will yield back. Chairman Luetkemeyer. The gentleman's time has expired. With that, we go to the gentleman from Georgia, Mr. Loudermilk, he is recognized for 5 minutes. Mr. Loudermilk. Thank you, Mr. Chairman. I appreciate the panel being here. This is--being in the IT arena for 30 years, and 20 of that in the private sector, and prior to that being in the intelligence community, security is something that has been a grave concern of mine over the years, especially when I have been in Congress. It is something that we are going to be continually chasing. One of the things that I emphasized on the businesses that I served in the IT industry, most of them small, medium size businesses, is it is impossible to protect yourself from a hack, from an intruder. The idea is, you make yourself a harder target than the other guy. That is sort of like the story of the two Georgians who went hiking in Alaska, one of them took a 357-magnum, the other took a pair of tennis shoes because they were afraid of bears. The guy with the gun said, you can't outrun a bear, why are you taking those? He said, I don't have to outrun the bear, I just have to outrun you. That is really the idea that cybersecurity is making yourself a harder target than the risk that you propose. The other aspect of that is something that we held when I was in the intelligence community when it came to security is that you don't have to protect what you don't have. It deals with data retention, which Ms. Schwartz indicated earlier, especially with small businesses, is the amount of data that you are keeping. 
If you don't need it, you need to destroy it, which leads to an area that I have begun looking into. I think that we, the Government, create a security issue ourselves by the regulations that we impose upon, especially the financial services industry, making these businesses obtain and maintain information for long periods of time that they really don't need. Ms. Schwartz, can you opine on this? Is there data in credit unions, and especially small banks, that we require you to get that you wouldn't obtain, except for the Government is telling you to keep it? Ms. Schwartz. I am not going to argue with the fact that we have to maintain and submit an awful lot of data to our regulators. When we do a mortgage, in particular, there are more and more data points that are being collected and provided. That is absolutely true. It has exponentially increased over the years as to how much we need to maintain, retain, and provide. Mr. Loudermilk. OK. Mr. Bentsen? Mr. Bentsen. It is a very good question. A lot of data collected and held for regulatory mandates and submitted to our regulators is with no malintent, it was part of the process. But as we moved into this age, it is really something that we really need to think about. It is part of our principles as well, do you need it in the first place? How long do you need it? Who should have access to it? When you don't need it, how do you get rid of it so you eliminate the target in that response? That is my point with Consolidated Audit Trail, which is something that was not designed to capture PII, but does in the current design. It is designed to monitor market activity. You are creating this massive database with a lot of sensitive PII in there. The question needs to be asked, just like the industry asks itself, do we need that to accomplish the underlying goal? Mr. Loudermilk. Exactly. Mr. Mennenoh? Mr. Mennenoh. 
A very simple example is many, many years ago the title industry was required by a regulation to collect information for the issuance of 1099s on real estate transactions. That means that we have to collect Social Security numbers so that we are effectively the watch dog for this, for the IRS, and this is something we have been forced into doing and we have to maintain that to prove that we have done what we are supposed to. Mr. Loudermilk. I am also a member of the Science, Space and Technology Committee, and we have been looking into cybersecurity risks for 3 years I have been in Congress. I asked the Inspector General, not long after the OPM data breach, if you would rate the Federal Government's ability to protect data, our cybersecurity preparedness, on a simple elementary school rating system, what would you rate the Federal Government? His answer was a D minus. He said, it was only because of the minimal changes that were made in OPM, I am not giving it an F. But, yet, we are continually having to provide to the Federal Government massive amounts of data on your customers. That is why I keep addressing this is--maybe one of the theories we need to address that area of--the amount of data that you are required to obtain and maintain. One last question. I see I am running out of time, Mr. Chairman, so I will yield back. Thank you. Chairman Luetkemeyer. The gentleman yields back. With that, we will go to the gentlelady from New York, Ms. Tenney, is recognized for 5 minutes. Ms. Tenney. Thank you, Mr. Chairman and thank you panel. This is a complex issue, and actually, I am not sure who to address these questions to. I was a former member of the New York State Assembly, and as we--I don't think it was the wisest move, our Governor decided to consolidate our insurance and banking industries into one big institution, Government institution, and then obligated many of our banks and our institutions to provide data, much like Mr. 
Mennenoh was talking about with the 1099 data for real estate closings. I attended a cybersecurity event where a cybersecurity expert said, the worst place to reserve your data is in a Government entity. It is safer and better in banking institutions and financial institutions. As Ms. Schwartz cited, your reputation is on the line, and the incentive for you to protect that and be competitive in the marketplace is certainly much greater than Governments. I know we are trying to get to the bottom of this. But toward that end, and I will address this to Ms. Schwartz initially. Can you tell us some way that we can help in Congress to minimize your--the requirement that you come up with data--extra data turned over to Government with confidential information, with some other way that you can protect it, and we can know with assurances that without that data getting into the stream, how can we protect it in some way? Ms. Schwartz. I think much of the data is requested with the best of intentions. Ms. Tenney. Exactly. We know they are good intentions, but getting hacked is certainly by somebody without good intentions. Ms. Schwartz. But we are very heavily regulated, very heavily examined. Most of the data would be available at examination time, without needing to be transmitted on a loan by loan or account by account basis. Other than-- Ms. Tenney. You are suggesting that instead of turning the data over, as is sometimes required by say New York State, it would be sampling of data, as opposed to a full turnover of data. Ms. Schwartz. Or it could be a full turnover of data when the examiners are onsite. They can look at anything they want while they are onsite without having to electronically transmit it. Ms. Tenney. That sounds like a great option. I appreciate it. Mr. Mennenoh or Mr. Bentsen, would you like to comment or-- Mr. Bentsen. I agree with that. 
A situation we have now is about what is known as penetration testing, and this is something that firms do to test their own defense system, and they may do it with their own teams, or they may bring in an outside vendor to do it. Certain regulators in the U.S. and around the globe have wanted to create a mandate around using third party vendors, and the industry has become concerned, because in doing this you are kind of giving the keys to the castle to an outside party. Then in reporting to our regulators, if you have to report the whole road map, you are handing the keys over, again, to an outside party. We completely agree from the standpoint of, come in, sit down, look at the data, we will walk you through it, you can tell us what you don't like, or what you want us to change, but let's be very careful about spreading that all over the place, again, with the best of intent. Let's not create targets unnecessarily. Ms. Tenney. I appreciate that. Maybe you could comment--I agree a hundred percent. I think that, obviously, Government is well-intentioned, but it is unpredictable. The people in power change, the people in positions change, and so you have--it seems to me the data is just drifting across unsafe and unsecure regions. But maybe you can comment on that as well, Mr. Mennenoh. Mr. Mennenoh. I would agree that it is--we are being asked for information, certainly more frequently. Many States in our industry are regulated, they do have audits and those things that are being done. Certainly, an onsite audit of paper is a lot easier to secure than a digital audit that is being sent all over the place. It is troubling. Ms. Tenney. Thank you very much. I appreciate your testimony. I yield my time back. Thanks so much. Chairman Luetkemeyer. The gentlelady yields back. We will now go to the gentleman from California, Mr. Royce. Mr. Royce. Chairman, thank you. Thank you very much. I thank the panel here. 
I was looking through my notes, and every 2 years, like clockwork here, we hold a hearing and it follows always a major breach in consumer data by a U.S. company. Here we are again, and the massive Equifax breach exposed the personal information of 150 million consumers. Before that we had Anthem, we had Yahoo, we had Home Depot, and of course, Target, and even the Federal Government's Office of Personnel Management, as the Chairman of Homeland Security reminds me, since his data was stolen. These breaches have made the headlines, and then the hearings follow, and then, of course, outside of Gramm-Leach- Bliley, we have failed to pass legislation into law that puts in place national standards for data protection and national standards for breach notification. We have failed to do that on our part here. To be very clear, the Committee has acted, this Committee has acted repeatedly. We have passed legislation over and over again. But it is high time that we put any policy differences aside and enact a law that serves the American people. I know the chairman--I want you to know, Chairman, I stand ready to work with you. I suspect you will be the author of the bill. To do this, we have to convince our colleagues as we move it out of committee, which certainly you will, to take this seriously with respect to getting it over in the Senate, and then things will become more complicated. But we have to convince the Senators to move this legislation as well. I would like to ask Ms. Schwartz a question. Community financial institutions are often the face of data breach for your customer, although not necessarily the cause. In your testimony you cite a July 2017 NAFCU member survey. The estimated cost of data breaches in 2016 was $400,000 per credit union. Credit unions in California have been very hard hit. The Target breach cost the Credit Union of Southern California $35,000. 
The Home Depot breach cost SchoolsFirst Federal Credit Union in my area, they are in Orange County, $700,000, with a 65 percent increase in card fraud. Coast Hills Credit Union watched $100,000 in fraud hit their system in 5 minutes because of that same breach. Do these numbers ring true for your credit union in San Diego as well? Ms. Schwartz. Sadly, absolutely. In 2017, we had 14,500 separate reported cases of fraud. It has cost my credit union $1.7 million so far this year. The holiday season is typically also a fraud season, so we expect to see more. Over $6 million since 2003 in fraud losses. Mr. Royce. Six million for your membership. How much reimbursement of your costs is covered by contracts with vendors and payments networks? Ms. Schwartz. Pennies on the dollar. The fraud losses I mentioned are simply the hard costs. There is also staff costs. The cost of us implementing security measures. The cost of educating our members, educating our employees. There is both the hard dollar costs and the soft costs. The remuneration is minimal. Mr. Royce. Do you think there is a better way to allocate financial responsibility for breaches in order to incentivize companies to better secure data? Ms. Schwartz. Absolutely. We very much support a level playing field. H.R. 2205, which was introduced in the 114th Congress, provided that, Gramm-Leach-Bliley is a dynamic, scalable, flexible tool that should apply to largest and smallest. It applies to small credit unions, it could apply to small merchants. Mr. Royce. Let me get a quick question in here for Ken, if I could. As I mentioned in my opening, failures in cybersecurity systems have occurred in the private sector and in the Government--within the Government. Representing an industry that shares an enormous amount of sensitive customer data with regulators and other agencies, do you feel the Government is doing enough to shore up its own systems to protect against cyber attacks? Mr. Bentsen. 
Thank you for the question, Congressman. This is an ever growing threat. I think the Government increasingly understands that, and we are engaged in dialog with our regulators about how we protect the data when we hold it, and the best practices that we use. The Treasury has been leading an effort to look at how they protect the data that they collect. This is an emerging issue that I think has gotten the spotlight with everything going on. Mr. Royce. Thank you. Thank you, Mr. Chairman. Chairman Luetkemeyer. The gentleman's time has expired. With that, we go to the gentlelady from Utah, Mrs. Love, who is recognized for 5 minutes. Mrs. Love. Thank you. Thank you for being here. I have a question that I want to address, Ms. Schwartz, you mentioned in your testimony that credit unions are often left cleaning up the mess when another institution suffers from data breach. Institutions such as retailers that aren't subject to a data security structure like the Gramm-Leach-Bliley, you have written this in your testimony. Could you summarize for me what that mess looks like for credit unions like yours, and what kind of costs are involved in that? Ms. Schwartz. To scale it--my credit union has issued about 280,000 credit cards to our members. Over the past few years we have reissued 146,000. A significant number of our members have been impacted, some more than once, many more than once. Mrs. Love. Right. Ms. Schwartz. They don't always understand where the breach happened, most particularly because often we can't tell them where the breach happened. They tend to think that the financial institution is the responsible party, when we have not been. Mrs. Love. When you are reissuing over half, what does that cost look like? Ms. Schwartz. Just for fraud itself was $1.7 million for us so far this year, through September 30. We anticipate it will be well over $2 million just for the fraud occurrences. 
Reissuance of the cards depends on the type of card and whether the PIN was compromised. It ranges between $2 to $6 per PIN, just for the hard cost. Then, of course, there is the soft cost of answering all of those member questions. Mrs. Love. Right. OK. Are you able to break down those numbers by different types of breaches, such as by source? Ms. Schwartz. If it is a huge breach, we will typically go back and take a look and be able to determine. Oftentimes, because there are so many different cases, 1,400 different breaches is not practical for us to spend staff time to try and tie back every single bit. We are financially responsible to the members, we reimburse them, and then we move on to the next. Mrs. Love. OK. You also mentioned that one of the vulnerabilities in sectors beyond bank and credit unions is lack of examination for compliance with data security standards. You specifically mentioned that credit bureaus, like Equifax, are not examined for compliance with the GLBA. How big of an impact do you think this makes, and how should compliance be ensured? Ms. Schwartz. I think it clearly makes a huge difference. If they had followed the Gramm-Leach-Bliley Act requirements, it is very possible the breach wouldn't have happened. The patch would have occurred in a more timely manner and the opportunity for the fraudsters to gather that data simply would not have been there. Absent a regulatory examination to ensure compliance, I don't think it happens. Mrs. Love. Would it be fair to say that if institutions or the credit bureaus, like Equifax, had as much skin in the game, in other words, if they were held responsible financially for these breaches, that you would see fewer of these things happening? Ms. Schwartz. No question. Mrs. Love. OK. I have a few more minutes. 
There was a part where you pointed out in your testimony that the breach may never come to fruition if an entity handles sensitive information, limits the amount of data collected on the front- end and is diligent in not storing sensitive personal data and financial data in their own systems. Do your consumers even know, for example, if they are sitting at their computers shopping online, what happens to their data, especially the data that they are being asked to supply? Ms. Schwartz. I think consumers are becoming more educated on this, but I think they are more concerned with the transaction than what is happening behind it. I am sure that they don't realize that many merchants can store that data for an unlimited period of time, even though they might not have shopped at a certain merchant, that data is going to linger out there forever. Mrs. Love. In other words, sitting at their computer, they probably feel like there is some vulnerability there, but they have no idea that the vulnerability lingers way past the time that they are actually sitting on the computer. Ms. Schwartz. Exactly. Mrs. Love. Over 1.4 million Utahans were affected by the Equifax breach, and as information is growing and changing, it is something that is incredibly concerning. I think that this is an example of how we need to have institutions that are holding onto this data have some skin in the game, that they know that they are absolutely responsible for those breaches, also. I think that where a lot of responsibility is given, you have to make sure that you take care of that responsibility carefully. Thank you for your testimony. Chairman Luetkemeyer. The gentlelady's time has expired. With that, we go to the gentleman from North Carolina, Mr. Pittenger, is recognized for 5 minutes. Mr. Pittenger. Thank you, Mr. Luetkemeyer, for hosting this hearing. I really appreciate each of you all being with us today, your input is extremely valuable. 
In North Carolina we have had a significant impact with 1.1 million North Carolinians' personal data stolen in various security breaches since 2015, up from 300,000 in 2014. The Equifax had an impact of 5 million North Carolinians. It is a clear indication of the concerns that we have with data and security concerns, as well as congressional action that needs to be provided.

With that in mind, I would like to ask you, Mr. Bentsen. In your own statement you referenced that we need to have a combination of activities that relies on strong defenses, information sharing, mitigation, and recovery planning. To the point of information sharing, Mr. Mierzwinski conveyed that you cannot bifurcate data sharing and privacy issues. How would we mitigate the privacy concerns with the need that we truly do have for greater data sharing?

Mr. Bentsen. That is a very good question. We are interested in information sharing, not only with the industry being able to share with the Government, the Government being able to share with the industry when there is a certain attack, but also to be able to share not data as much as sharing the types of attacks that are occurring across the sector. Mr. Loudermilk talked about this in the past, one of my defenses is having somebody else get attacked so they are not coming after me. What we have tried to do in the financial services industry is to be able to spread the information across the sector quickly if a certain type of attack is occurring so that others can recheck their defenses against that or their resiliency efforts against it. We think that is really important.

At the same time, the industry feels very strongly, not only about our legal obligation with respect to protection of privacy, but as Ms. Schwartz says, our reputational obligation to our clients. It is a highly competitive industry, and if we are viewed as not protecting our clients' data, they are going to go somewhere else. It is a spot-on question.

Mr. Pittenger.
Recognizing this need, how would you frame legislation? How would you advise us to address this concern?

Mr. Bentsen. We were not part of the legislation referenced from the 114th Congress, and obviously, you have parties on all sides who have--or interests on all sides who have legitimate concerns about that. Data breaches are just one component of this, but it is a huge component. It maybe has the biggest retail aspect in some respects, and a huge market failure would have a huge retail impact as well. This is an emerging issue that is only going to get worse. It is not going to get better. It is something where policymakers, such as Congress, are really going to have to dig in and bring the parties together, and by that, the interests--political parties perhaps as well, but the interests together to really see how can we look into the future, because we are also going to see technology use increase. Technology is a good thing, it has improved efficiencies in the economy, it is only going to do more of that. But it is going to create new risk, and we need to be in front of those going forward.

Mr. Pittenger. Thank you. Mr. Mennenoh, you stated in your remarks that policymakers should consider better ways to use both the SARS reports and IC3 data to better detect accounts used by these criminals. Give us some examples of better ways that we should be employing?

Mr. Mennenoh. That is a good question. I don't know that I have a clear answer for you on that without having the staff help me with that. But, certainly, I would say being able to provide information to all of the parties in the real estate transaction, the different industries that are involved in terms of where these problems occur, how they occur, and the warning signs, if you will, to detect them, to try to prevent them. I don't know that I can help you further than that.

Mr. Pittenger. Ms. Schwartz, quickly, you stated that Congress needs to modernize data security laws to reflect the complexity of the current environment, insist that entities collecting and storing personal financial information adhere to strong Federal standard in this regard. How would you modernize those laws?

Ms. Schwartz. I think Gramm-Leach-Bliley does provide a good model because it is scalable and flexible. I think it can apply to small and large, and it provides some basic guidelines that ensure sound practices.

Mr. Pittenger. Thank you. My time is expired.

Chairman Luetkemeyer. The gentleman's time has expired, and we are out of questioners. All of you on the panel are freed up here at this moment. Thank you for being here today.

Just a few closing thoughts. We are a very data driven society. I am a big baseball fan. Even data drives the baseball games. I have been watching the World Series, and they talk about this batter can hit this pitch in this area and you have shifts on the defense to where you go, and they match up pitchers between the batters. It is all back to data, data, data, which is great to a certain extent. But I think, Mr. Bentsen, your last comment there was very succinct when you say, with all this data comes new risks, and how do we protect ourselves against those risks. I think that is what we are concerned about today, as we see these breaches continue. The gentleman from California a minute ago, Mr. Royce, said, here we are again. Here we are again. We have to figure out how to put some solutions on these problems, and hopefully your information today will help us.

I think we need to look at notification. To me, that is a big issue. How do you make sure that the public, whose information that you as a business--or Government have, how do you notify them when you have been breached so that there is a level of trust there, so that you can give those folks notice that they can get themselves in a position where they can protect themselves.
Who assumes the liability whenever there is a breach? To me, that is a big question. I think Mr. Barr asked that question a while ago. We need to figure out where that stands, because I can tell you there are some businesses, I think, one of them, I think maybe it was Andy here a minute ago, made the same comment with regards to businesses, who through no fault of their own, it is costing them thousands and thousands of dollars as a result of breaches. This has to go back to entities that caused the problem and they have to be held accountable.

We are looking for help, we are looking for answers. We are going to continue to work with you on these issues. We certainly appreciate your being here today and all of your input, and again, as I said, welcome your input back to us on other concerns or questions that may have come up during the discussion.

The Chair notes that some Members may have additional questions for this panel, which they may wish to submit in writing. Without objection, the hearing record will remain open for 5 legislative days for Members to submit written questions to these witnesses and to place their responses in the record.

Also, without objection, Members will have 5 legislative days to submit extraneous materials to the Chair for inclusion in the record.

[Whereupon, at 3:45 p.m., the subcommittee was adjourned.]

A P P E N D I X

November 1, 2017