Which is Massachusetts, and I've been talking to some of my colleagues from Massachusetts. Would you agree with that? I think also Oregon has a pretty good standard. There are elements of other state laws you may not consider specific data laws. A pretty high standard? It is a pretty high standard, yes. That's the starting point for us. There's been some discussion about the standard in Energy and Commerce. Would you say it's a higher standard than what our bill would propose? Our standard is a reasonableness standard. So I think the difference here is not only might there be a difference in what the language says in that bill, I think, also, we would be looking to the common law of the FTC and others to flesh out what the specific requirements are, but it's really important as we're thinking about how strong the security standard is to think about who has the enforcement power and who's going to be guiding the parties there. If the federal agencies are solely responsible for it, even a strong standard might not provide as strong a protection as a general reasonableness standard that allows state AGs to work on a piecemeal basis. You think the standard in our bill is pretty good, a pretty high standard in terms of a federal standard? You believe the states ought to have the flexibility to go beyond that, notwithstanding some of the issues that that might create in terms of having different standards. How about this enforcement question? Have you looked at our bill in terms of the enforcement provisions in the bill, and how would you suggest they would be improved upon in your view? I can't, I have looked at it, I'm not prepared to provide a detailed response; I would be happy to in writing if you prefer that. I do think the key issue with respect to enforcement is your bill would only facilitate enforcement by federal agencies. What I heard you say is that allowing the state AGs some kind of role there would be an improvement?
Again, not having looked at the details there, not to put words in your mouth. Yes, yes, I believe that a very credible element here is that we must have enforcement. We are willing to try to improve the bill so we can get a greater consensus around it. We believe that, I think as you said, a national standard is important to have. 50 different standards is not the way to go. It's got to be the high bar and one that's enforceable. Would any of the other panelists like to comment on the conversation that we've just had about preemption, about the standard? I think the bill on a bipartisan basis really takes on this issue in the right way, that is to recognize that the act of legislating to unify 46 disparate regimes would be adding a 48th regime and wouldn't serve the purposes that the legislation seeks to undertake, which is to protect consumers' financial information. And from ETA's perspective, the bill takes the right approach to ensure that the federal regime is operative and not interfered with. Everyone agrees we need a higher standard and kind of one standard across the country. We fully agree there should be a national standard; we think the states deserve a tremendous amount of credit for having acted in the place where the federal government has not yet. That's why we believe, as a broad concept, preemption should be offered as a broad concept, and state AGs should have the ability to play a role. The time of the gentleman has now expired. The gentleman from New Jersey, Mr. Garrett, chairman of our Capital Markets subcommittee. Thank you, Mr. Chairman, thank you for holding this hearing, an issue that hits home for a lot of folks. Let me just start, I have a couple questions, start at the basics, if I can. Governor, I'll throw it to you. When there is a breach or someone does steal your card and they go to a retailer and buy a TV, and you find out that you didn't, so on and so forth. Who actually is responsible for that? Is it the, does Target have to pay the bill for that?
Does the bank that issued my, well, my MasterCard, or if it's not that, is it the bank, or is it Visa or MasterCard or Discover that's paying for that? The oversimplified version: the consumer is made whole. And the issuing bank is the one that makes them whole. However, there's a secondary process managed and run by contract between the payment networks and various players in the payment system that gets resolved through a, should we say, contractual process between Visa, MasterCard, retailers, the issuer, which people take issue with how that works from time to time, but that's how it gets sorted out after the fact. Does anyone else want to give an overview? I would add to that. It's the merchant that ultimately pays for fraud in the wake of a data breach, should the data breach have occurred at a retailer. They pay a variety of fees; there are three real fees they pay in total. The first one, on every transaction ever processed, a component of it is prepayment of fraud should one occur. And then post-breach, there's a fee associated with issuing the cards, and so that's where the banks end up having to pay the 15 bucks or whatever it is to send me a new card. The merchant reimburses on those fees. I hear different stories on that. I've included a schedule in my written testimony. So I just got one of these cards that have the chip on it. And also, just to be clear on this, putting this chip on the card may help to some degree as far as the lost card and the stolen card, as far as going to the retailer, but as someone else on the panel said, I know it was in the testimony, this chip does absolutely nothing with regard to when they steal that information and they use it online, is that correct? I think it's important to note, the chip, the technology that's available in the United States today is 1960s-era technology. We introduced chip and PIN technology more than a decade ago. You saw an uptick of the data breaches, not at the store any more, but now online, is that correct?
That's true. Fraud moved in two directions, online and to the United States. Suddenly the United States had the weakest security in the world. It still does today. When chip only goes into effect later this year, the United States will still have the weakest technology. We can't solve all this stuff. The bottom line is doing the chip is not going to solve it entirely. Also to the point, what seems to be a lot of discussion as far as the disclosure information, that doesn't do anything to actually, none of it, that doesn't do anything as far as preventing the fraud in the first place. That tells me as a consumer, you were robbed and this is who's going to pay for it. Congressman, I couldn't answer your specific question about the chip, but you're absolutely right, the chip in the card prevents the card from being counterfeited; that is today the number one source of card fraud in the United States. It's about two thirds of card fraud at retail. It does not address the online issue. The online fraud issue is addressed by the other layers. The data that's on the card, when I use this chip and put it through, has my number right on it, I don't know if you can see this. Does the retailer keep that information? The retailer transacts that information. If someone breaches into it, they're instituting, many are, all are moving toward it, to make sure that that information, it still is a target, not to use that company, still a target for the hacker to go into the retailer, not just medical or whatever, the hospital keeps that information too, I guess. As a data source where they'll go try to breach, and they won't be going to the retailer to use it, but they'll be doing it online, still a target, maybe even a larger target? Is that true? Now with the chip? Is it a larger target because of that as well? I think it's important that we recognize the chip technology is really designed to button down the point of sale to defend against counterfeit, lost and stolen.
It is one critical layer of security; there are other technologies that have been referenced in testimony today, such as point-to-point encryption. If I may, may I just add a short comment in response to the point about notification? Fine with me. Sure. Thank you. Thank you so much. I just wanted to say, I think notification provides an important incentive for companies to keep information more secure. I can't remember whose written testimony it was. Companies do suffer reputational harm. I think it's important because that provides information to consumers who are considering where to vote with their wallet as they're determining which service to go with. I get that, thanks. The time of the gentleman has expired. The chair recognizes the gentlelady from New York. Thank you. Thank you, Chairman, and Ranking Member for putting this together. It's an incredibly important issue, because it affects everyone. Consumers, government, retailers and financial institutions, and I also want to commend Mr. Carney and Mr. Neugebauer for putting this together. This bill would significantly strengthen the data security procedures for businesses, but in a way that is flexible and can evolve as the cyber threat changes and evolves. I am still concerned about the scope of the state preemption in the bill, and I want to keep working on the preemption enforcement. I have signed on to the bill as a co-sponsor; it is a serious, good faith effort to tackle what is a critically important issue to our economy. I'd like to commend them for their hard work and leadership on this issue. And I look forward to working with them on the enforcement and provisions in it. My first question is to Governor Pawlenty. I'd like to ask you about the standards that were put in place for the financial institutions. You mention they had worked well in the financial institutions, but I also want to know, have they proven to be overly burdensome for smaller banks and credit unions? Congresswoman Maloney, no.
The standards have been flexible. I think Congressman Neugebauer and Congressman Carney have done a good job in doing the same thing in their bill, which is to say, we're going to have standards and we're going to allow them to be scaled. I think that's a good model. In other words, they've worked well and they won't be too burdensome for smaller institutions and retailers. I'd also like to know your feelings about the having a minimum or a floor standard. I know that California, Oregon have a standard that's higher. I think it's important, you have to have a floor. Do you think it should be a floor or should it be a ceiling, and why? Another great question. Right now we have nothing. Right. Something is better than nothing. Absolutely. And so a floor would be progress, but ceiling, if it's set high. We passed what we thought were nation-leading standards and notification standards. You wouldn't want a bill that undercuts the 13 or so states that have done this. If you're going to set it, set it high. Set it aspirationally, and I think that would be the best place to be and it would serve the country best. Think about the way people place data centers, the fact that there's going to be wide variance with states. As a governor, you know how valuable the creativity of the state system is to come out with solutions that are adopted in this area; it seems to evolve every day with new technologies, new ways to threaten consumers and really the security of our information. I'd like to ask Stephen Orfei, given your experience, what would you say are the most important aspects of a company's data security plan, and what is the most important thing that a company could do to protect their customers, to protect their company against data breaches? Thank you for that question. I think what's most important is, in our view, the best defense against cyber criminal attacks. It really becomes a question of vigilance. And being methodical and disciplined in your approach.
And looking at and paying special attention to the fundamentals, doing the blocking and tackling, looking at the physical. It's day in and day out. It needs to be 24/7. It needs to be built into the DNA of an organization from the CEO right down to the working level. Okay, thank you, and you mentioned in your testimony, Mr. Oxman, that you thought that sharing information was so important. And can you just expand on that? On what we need to do additionally, and expanding information in this area? Thank you, Congresswoman Maloney. The issue is companies are barred from sharing cyber threat information with each other, and in some cases with the government. The House fortunately passed a measure that we support that will eliminate those impediments to that kind of important information sharing. We support that legislation, we hope the Senate will move forward on it, and we need to make sure that companies can, without liability, share information with each other. Thank you, my time has expired. The chair recognizes the gentleman from Missouri, Mr. Luetkemeyer. Thank you, Mr. Chairman. I'm curious, I want to approach this from a different angle this morning, from a standpoint of, when we have a data breach, whose fault is it? If someone's at fault, there's going to be some liability. It would seem to me, my experience has been from the institutions I've been aware of, and I appreciate the governor's description a moment ago of who winds up paying the bill on this. Generally, the banks wind up. They're the ones that wind up footing most of the bill. It would seem to me that at some point, as a regulator, I would think that you would go into a financial institution and see a number of retailers, a Target line of credit for instance, or any other local line of credit. We had a supermarket that issued debit cards; suddenly everyone in the whole area, the whole region actually, their information was breached.
There was a tremendous cost to the financial institutions. It would seem to me you would look at this as a liability exposure for the bank from the standpoint of what you're going to have to incur by all of these retailers not having adequate protections. From Mr. Dodge's perspective, it looks like, I think the regulators would ask the folks to have a policy in place that would protect them so the banks wouldn't be the fallback for the breach. I think you've connected the dots correctly. On your last point about cyber insurance, that's an evolving area; there's some uncertainty about how you underwrite it, when you can't get your arms around it. That's an evolving and developing space, one that is. How do the standards fit into that? If you set standards, and we get more resilient, better systems, you decrease risk. That's good for financial institutions, it's good for the payment system. A bill that says have reasonable standards, everybody's suing everybody, over time the courts are going to develop a standard that says be reasonable. It's a ten-year pathway. It's too slow and too vague. Congress can play a very important role bringing this debate forward. Mr. Dodge, would you like to comment on my question? First, the suggestion that banks are not reimbursed is not true. There's three ways we pay: the fees they pay on every transaction, after a breach through the contracts they sign, there's a formula for reimbursement. They still suffer a loss. But my point is, if the banks have an issue with that, it's with the facilitator. Retailers sign those contracts; if there's a suggestion there's been a violation of those contracts, there's certainly the legal avenue for resolving it. My question is, with regards to exposure, this seems to be an epidemic; every week you have another entity that's been breached. If that's the case, pretty soon those institutions are going to have tremendous liability sitting there. I see that as a problem that's going to have to be fixed.
I would assume you would have protection against the breach? Many retailers are buying that kind of insurance, no question about that, but the level of standard is belied by the fact that strong enforcement was brought down by the FTC, the prospects that allow the FTC to take up residence for many years. I'm disappointed you gave everyone my password to my computers. With that I yield back. Thank you, sir. The gentleman yields back; the chair now recognizes the gentleman from California. I do weird things that cause my credit card company to get concerned. I buy gasoline in Los Angeles and then a day later in Washington. Of course their computers flip out. You'd think they would send me an email, but they don't. They either call me, usually at the worst possible time, or if they're too lazy to do that, they freeze the account and force me to call them. Is this entirely because they're not handling it right, or is there something in our statutes that we could do to facilitate or prod credit card companies to check with their cardholders by email rather than by telephone? Great question. I've had some interesting experience with cards myself personally. So you engage in similar unusual activity? Well, I'm not admitting to unusual activities, sir. Anyhow, as to the contact, another guy going to Iowa. I think the concern you raise is a good one; it's being addressed in real time by technology. The controls you can set on many cards, it's advancing by the day and month, are getting really good. On one card I have, I can get a text or email alert if it goes over a certain amount, any transaction, I can get a text or email alert. I can get a text or email alert if it goes over a certain amount, and soon I think I'm going to be able to get an alert. I'm not looking for more alerts. I'm simply looking for them to contact me by email rather than by phone, or freezing my account without telling me about it.
Many cards do or will soon offer you a chance to be in the driver's seat as to how you want to get that message. I'm sure your members are aware of email, I mean we're talking about how to upgrade to technology, and email is, if you can't, I can recommend a card that will get it to you. Not with the United Airlines miles. You apply liability against the entity that should be investing in safety measures, so you get that entity to spend the appropriate amount of money on safety measures. Retailers ought to be spending more on safety to protect consumers and to protect the entire business system from the extraordinary costs that happen every time somebody hacks into one of these accounts. But retailers face no liability except the reputational liability which was referenced. Then we have these less known about data breaches, where the media doesn't know or barely reports to the general public some of the data breaches. Is it problematic that consumers at some stores may have their data hacked, but they never hear about it? And does this mean that the merchant that has mishandled data faces no liability and no reputational risk? In order to have that reputational risk, do we have to do more to make sure that every data breach is known by the public? Yes, I think we do. I think there are a couple ways to do that. One is to make sure, as I mentioned multiple times, the bill is written in such a way that it covers classes of information that entities may hold.
Consumers consider personal, they would want to be notified about, but currently may not be notified about, for example email address and password. That's one a lot of retailers hold; it's one that could be breached. If my email address and password are breached, I would certainly like to know about it. And another thing that could be done is, again, providing the state AGs with the authority to enforce is really important, because they will help work to make sure that these breaches are notified, and in particular, many states have a threshold for notification of state AGs that's much lower than what we've seen in a lot of federal legislation. A lot of the proposals, many states have a threshold of 1,000. I believe that just a couple months ago, the Massachusetts state AG's office appeared at another hearing on breach notification and data security. They said that the average breach, the size of the average breach, was about 74 consumers. It's really important that we have state AGs notified. I'll add another question. We're proposing legislation. Is it enough to prod retailers to spend enough on safety? To your question about liability, retailers face considerable liability. There's reputational harm, you cited that, under the enforcement available to the FTC's current authority. And what we've endorsed at the local authority. There's enforcement liability. And the prospects of consent decrees that could allow the FTC to take up residence in a business for 20 years. I'll see if the governor can chime in. Do the retailers face enough reputational and financial liability to spend enough on safety, or do we need to do more? I would respond with a rhetorical question. How does the current system work? Not so good. The Verizon report says there were 2,100 breaches last year, 277 were financial institutions, 166 were merchants. There are 1,000 times more merchants. The standards that are applied to the financial industry are not perfect. The time of the gentleman has expired.
The chair recognizes the gentleman from Michigan. Thank you, I appreciate the opportunity to spend a little time with you all. Mr. Orfei, hiding back here. Real quickly, while we're on the breaches, I'd be remiss to say that Mr. Garrett's credit card has purchased three things online, and is available widely on a Russian website. But in all seriousness, though, that is the concern all of us have, right? When we're calling in somewhere or buying something online in a very transient kind of economy that we have, I think we all have a legitimate and serious concern. I'm curious, have you evaluated how breached companies are in compliance with your PCI standards at the time of their breach? Or have they had those standards and it's caused them to take action? Or did they have them already and they still were breached? What I would reference is the Verizon report, an objective third party that looks at the breaches for the past 10 years. The findings, there's two significant data points I would give you. One is that 99.9% of the breaches that have occurred were preventable, and covered by the PCI standard. The second point is I think that the PCI standard has done a very effective job, and there hasn't been one single compromise where the merchant or the entity was found in compliance. I'm a former state legislator as well, Governor, good to see you again. I, like you, had those situations where we're sitting in the state capitals, we go, what in the world is Washington trying to do to us now? Yet at the same time, I understand when you have states doing various actions and not coordinating, and oftentimes that's the Council of State Governments, ALEC, and other organizations like that are trying to get states to harmonize oftentimes. But what I'm struggling with on this, you had mentioned this earlier, how does setting the national floor, but then allowing states to maintain a patchwork of other requirements, how is that different than what we have now?
You said we'd go from 47 regimes to 48. Help me out, somebody, with what we do on this. Congressman, I would think about this, you know, I'm a big fan of the 10th Amendment, I'm a big fan of states' rights, laboratories of democracy for public policy at the state level, I believe in all of that profoundly, but I've come to think of this issue as a threat to the critical infrastructure of the United States of America. Not just in the payment space, but in the ability to do most of what we do. I think it rises to the level of being worthy of being viewed in that light and setting the table nationally, because it does threaten our ability to function. It presents, taken to any sort of extension, a threat to our economy and the nation's security. I think if you view it in that light, it rationalizes an aggressive and muscular approach. That's what I struggle with as well. Whether this is a Commerce Clause issue or how this is affected. You want to quickly brief us? Most states, certainly with breach notification, there's a common core of elements across the 47 states plus three territories' laws, and then there are some additional elements above that. I think it's really important, for example, I believe in your own state there's a harm trigger for the breach notification law that is broader than just applying to financial harm. It's really important that we take that into account. As Governor Pawlenty has said, if we're going to set a federal standard, let's set it high. I would agree, I think it would have to be high, and somebody help me out on what Mr. Sherman has said. He doesn't want more notifications. How are they supposed to notify you through email if it's been breached? What about this cry wolf overnotification? Is that a real concern? We think it is. We think it's important. I align myself with the most recent points made by the governor. We think it's important that consumers be able to get information quickly, information they can take action on in order to protect themselves from financial harm.
A standard beyond financial harm would subject them to repeat notifications. The customer would stop paying attention to those notifications. Finally, just to add a brief point before that, I think in order to determine the answer to that, we should look to the state AGs, who have a ton of contact with consumers. In the words of Illinois Attorney General Lisa Madigan, consumers may be fatigued over breaches, but they are not asking to be less informed. The chairman recognizes the gentleman from Massachusetts. Thank you, Mr. Chairman. I can barely see you guys, we moved everybody apart, we'll try to communicate. I'd like to submit a letter from the Massachusetts Attorney General for the record. Without objection. Does anyone at this table think that five to ten years from now, the data security issues and challenges you face will be the exact same you face today? Does anyone believe that to be true? Technology is changing so quickly, I think it's highly unlikely the issues will be exactly the same. I think it's highly unlikely. I mention in my written testimony the example of several apps that now allow you to transfer your physical keys to your house and your car. That's great. Thank you, I don't think so either. But then again, I don't know much about technology, I struggle with a cell phone. And that's life. The one thing I do know is that something's going to be changing. I guess I raise the issue, because to advocate for a congressional solution with no ability to change a year, two, three, four years from now when the problems change, except to come back to Congress. You are sitting here today because the Congress is last to the issue. States are first to the issue, like in most issues. The federal government is the last one to the fight, because we're the biggest, the most diverse, and that's the way it has been. And yet you're advocating for a situation that we have one great law, and it has no ability to be upgraded through regulation, except to come back to us.
And ask us to do this all over again, which in and of itself to me is the main problem. The other issue I ask, I don't know where any of you live, I presume you must live in the general Washington area. Do you think the federal government, the EPA, should tell the state of Maryland that they have to live only to federal standards on their drinking water, that the state of Maryland would then be totally preempted from saying, no, no, no, we like a little less arsenic in our drinking water than the federal government requires? Do you think the state of Maryland should be told, sorry, you can't do that? I spent seven years in the great Commonwealth of Massachusetts. I think you raise a very important question: how can we bring uniformity to an issue that has nationwide implications without interfering with the power of the Commonwealth? I'm happy we're talking about federal standards. I'm a liberal Democrat, I would regulate everything. I didn't know my friends on the other side wanted to join the socialist party. Bernie Sanders has cards, you can sign up. That's my problem. I love the idea of creating federal standards. I like two other things, flexibility in that, because let's be honest, most members of Congress, we are not technologically capable. Every one of us fumbles with our cell phones. I call my staff all the time, kick them, drop them. I throw it, I know none of you have ever done that. We need flexibility, we need the ability to move quickly; whatever the threat is today is going to change tomorrow. That's what I know. I would submit the ETA supports the approach taken in this bill, because it has the exact flexibility you're talking about. That's critical. It doesn't dictate any technical standards; it's not up to the federal government to dictate how we protect security. We also have to have someone that knows what they're talking about. I don't know why you would want to take away the ability of the states to be more flexible than anyone else.
Holding to a minimum standard? I totally agree. We have the same issue on everything we do. Every financial issue we deal with, we deal with this issue. How much of a federal standard? We deal with insurance every day; every time we come close to thinking about the federal government, everyone gets worked up, because the states do it. The concept is right, the approach needs to be changed on those issues, to provide flexibility and maintain the states' ability to deal with it as they see fit. It's nice to see we're making news today, great visuals of you throwing your flip phone around the Capitol. He was a state legislator, I was not. I was a former hockey player. Do you agree the banks don't pay any fees when there's a data breach? I haven't heard anyone respond to that claim. How this gets sorted out is complicated, but it's true, subject to possible partial reimbursement in the future, as well as making the consumer whole. Just to be clear, does the whole panel support federal preemption? Does anyone disagree with that concept? I think I heard one say they agree. Just so I understand, talking about when the card is present, what percentage of the fraud comes from a fraudster who steals data and reproduces cards and makes purchases, as opposed to the guy who had his wallet lifted and someone goes and uses the card? The majority of it is people scraping cards; the people who do the lost and stolen, that's a minority. We talk about chip versus chip and PIN. If we get to chip, we're going to address a vast majority of the fraud that's taking place right now? Is that fair to say? In a static world, that would be correct. There's a single line of defense between the fraudsters and their ability to commit fraud. They'll focus all their energy on breaking that. We've seen examples where they've done it already; we've simply argued that one of the baseline tactics is two-factor authentication. Are you saying there's more pocket fees out there?
No, fraudsters will develop new and innovative ways to crack the chip. Congressman Duffy, if I may, the chip will defend against counterfeit, lost and stolen at the point of sale. Once that environment is secured, fraud will move to the online environment. It's what we observe in the Asia Pacific and European theaters, who have had chip technology. The chip technology, you cannot clone it. What we'll see is, how far away are we from tokenization? Ten years. Point-to-point encryption coupled with tokenization. It's how we get to devaluing the data so it's useless. The technology is there, but not implemented yet? Apple Pay has an early stage version of, I don't want to say primitive, but early stage version of tokenization. It's the first, one of the first tokenization platforms to come to market. I want to be clear. When we have a chip, does a retailer, are they able to maintain data about the card in their database, if you just have a chip card? As opposed to a magnetic stripe? Again, the chip is just going to work at the point of sale. We heard about all the retailers that have data breaches. If we migrate to the exclusive use of chips, does that mean that retailers are no longer keeping personal consumer data in their databases? No, no. Which means they're not at risk to have breaches any longer? It's taking off the threat of the point of sale? It's a critical layer, but not a silver bullet. In the back end, they don't store the information; it could be replaced by tokenization, could be protected by point-to-point. Do you have any recommendations how long retailers are recommended to keep financial information about consumers? How long should a retailer keep that information? It's not necessary to keep that information. I'd like to jump in. A couple things, first, many retailers have instituted encryption. If it ever was acquired, it would be in a format where it would be useless to a criminal.
They have no desire to keep information they don't need, or keep information... Do they need any information? Could retailers, after 30 days, wipe those databases clean so you don't have six months of consumer data or a year of consumer data? Isn't that really one of the risks, we have so much data being collected and stored, not just from the government but from retailers? The information that retailers collect is designed to allow them to provide the concierge-type services they want. Consumers generally want the returns. There's an element of information consumers have said, we want to be able to... you have this information so we can do these... I don't know I've ever been asked to follow into the concierge services. That information is captured on my card. We're not asked, it's just given to us. The time of the gentleman is expired. You're now recognized, the gentleman from Texas, Mr. Hinojosa. Thank you, Chairman, for holding this important hearing today, and thank you to our panelists for your testimony. Before asking my questions, I request unanimous consent that my opening statement be made part of today's record. Without objection. My first question is to the Honorable Tim Pawlenty and Ms. Laura Moy. How can a federal data security standard provide for more consumer financial security while at the same time providing security to industries across all 50 states? Thank you for your question. For certain sectors, they don't have standards. Congress creating a floor or a ceiling, we hope that a high standard for the whole country will lift the game and the expectations and legal responsibilities for those sectors in those places that don't have a standard currently. And again, this has migrated to international proportions, and I think if the members of this committee knew that Russia or China or semi-state agents were about to compromise the payment system, you wouldn't say, let's kick it to the states, let's let them handle it. I don't think you'd do that.
Whatever you do will be helpful. Even if directionally, it will be better than what we have now. I would say a couple things. One is that consumers are protected by the FTC Section 5 authority. The FTC is enforcing that; they've enforced over 50 cases since 2001. Consumers in 47 states and 3 jurisdictions are protected by breach laws. I think setting a floor rather than a ceiling, there's a clear pattern of what's covered. As a practical matter, most companies that have to comply with the laws of multiple states are just complying with the strongest standard and are mostly okay under the other states, including many states have a provision that allows an entity to notify some consumers who have been affected by the breach under the standard of another state. I just, I would add on that, if we are going to have a federal preemptive standard, it has to be a high one and has to provide flexibility, not only in terms of what the security standard is, but what information is covered by the bill. That's a critical element we may be missing here. My second question is addressed to Mr. Jason Oxman and Mr. Brian Dodge. Given the ever-increasing sophistication of our cyber attacks, do you think a catastrophic attack, which can have severe repercussions on the financial system as a whole, is imminent, and what can the federal government do to help prevent such an attack or prepare to respond to such an attack? Thank you for the question. The possibility of such an attack is always on the minds of the payments companies, and preparation for those attacks is, of course, something that is always included in all the operational plans of all the companies that we represent. Our sincere hope is that something like that never happens, but we do recognize the important role that the infrastructure plays in empowering commerce in this country. And protecting... we are focused and prepared for that. It is our sincere hope that nothing like that comes to pass. Thank you. Mr. Dodge.
In terms of your question about what Congress can do, I think the focus on data security to avoid such a catastrophic event is incredibly important. We believe that the way that you get yourself to a stronger environment is layers of security. And Congress can help with that by doing as the House did last month, passing information sharing legislation. But also, as we're talking about today, providing clear and strong guidance for businesses on how they should maintain their systems to ensure cybersecurity. And then providing the flexibility for businesses and for regulators to adapt to that threat over time. There's no doubt that the threat is increasing, the level of sophistication is growing fast, and we need to be able to stay involved. The last point is, we need to look to where our greatest vulnerabilities are. The greatest vulnerability from the merchant community is the cards, the weakest technology, security technology, enabled in the world today. When we move to chip technology without the PIN, like has been instituted in the rest of the industrialized world, we will still have the lowest level of security in the world, and fraud will continue to flow toward us. Thank you. My time has expired. I yield back, Mr. Chairman. Time of the gentleman has expired. The chair recognizes the gentleman from South Carolina, Mr. Mulvaney. Thank you, Mr. Chairman, and thank you to everyone on the panel for helping us try to do something we don't do enough, try and collect information, which is what I'm trying to do. I'm not here to beat anybody up. I have an honest-to-goodness question. I think it's directed to Mr. Pawlenty and Mr. Dodge. I welcome everybody to chime in, okay. Say that Mr. Capuano steals my credit card, which is possible because he's that kind of guy, even though he's not here yet. He goes to the... he goes to my local gas station or his local gas station, slides it in there, happens to, maybe he knows my zip code, and buys the gasoline with my stolen credit card.
I catch it when my statement comes in next week or get an email notification, which I think is a service my bank provides which I enjoy. I catch it, call the bank and say someone stole my credit card and used it to buy gas in Massachusetts. They say, okay, we'll take it off your bill. Who eats that loss? The retailer, the bank, who eats the loss for the gasoline bought with a stolen credit card? First I would say, if a PIN was required, the fraud would have never occurred in the first place. Okay. You wouldn't have that. Secondly, there's a difference between data breach fraud repayment and traditional fraud repayment. Okay. There would be, based on the contracts that the retailer signed with the card networks, there would be an evaluation of where was the weakest link in the system. So if it was a stolen card, it was reused, then it would probably... I don't know the answer to that question. That's how it would go. It is determined by... Whoa, whoa. Is... but in many cases, almost all cases, an element of fraud was charged back to the retailers. Mr. Pawlenty? Initially somebody has to give the cash back if it's a debit transaction or value. So it's the bank. Again, I'm... it's the issuer, the credit transaction. It's the issuing bank, and they sort it out afterwards as to who pays what. In terms of who eats most of it initially, in our view, over the long term of the discussion, it's the banks. Here's why I ask the question, guys. And I have my banker friends come in and tell you, look, we have to do something because we eat all of this loss. Last week, I had some convenience store people come and say, look, we have to do something because we eat all of this loss. Are both of them eating a little bit of the loss? Is that what it comes down to? I see some nodding their heads, usually a good sign. I included in my testimony a schedule of repayment that shows the fees and structure of the contracts that obligate merchants to repay in the wake of a breach.
Those are reissuance costs, costs to reissue cards, and fraud, fraud associated with the breach. Every day on every transaction processed, the merchant pays a fee, an interchange fee, swipe fee. An element of that fee is a prepayment of fraud. It goes into an account. Whether fraud happens or not, they prepay every day. How that's divided up by the banks is a great question for them. But we know we pay it on every single transaction. I got it. Congressman, if I could, please. Yes. The hypothetical you asked has a simple answer. That is, the card issuer is responsible for that fraud. A lost and stolen fraud you described is never the responsibility of the merchant. Since your card was stolen out of your pocket and you hadn't reported it stolen, when the card was used and the transaction authorized by the bank at the gas station, the issuing bank has responsibility. You don't, and the merchant doesn't. Thank you. I think that leads to my next question. Does the analysis change, I think I've got it now for a stolen card, Capuano steals my credit card, I get it, he would do that, too. What if the card is counterfeit? Is it any different if someone gets it from Target, gets my information from Target, creates a counterfeit card and uses it, is the outcome different? Is the distribution, who bears the loss, different? Mr. Oxman? As it stands, the analysis is exactly the same in the case of a counterfeit card. The issuer would have responsibility for that. The merchant would not. The migration to EMV chips that we've been talking so much about this morning actually changes that calculus. And the responsibility for the fraud after October of this year will actually fall on the party to the transaction, whether it's the merchant side or issuing side, that has deployed the lesser form of security.
Not to get too complicated, but if that card that you're talking about has been counterfeited and it was a chip card, and the issuer has issued chip cards but the merchant hasn't installed chip readers, then the merchant will have responsibility for that fraud. That's a change to the current system, which is the issuer takes responsibility. Then finally, if I can have the indulgence of the chairman for 15 more seconds, the third example of fraud is the online fraud. There's no card present, we're online buying an airplane ticket. Who bears the risk of loss on that one? Merchant, 100%? 100%, the merchant is subject to the fraud cost. Gentlemen, thank you very much. I appreciate the information. Time of the gentleman has expired. The chair recognizes the gentleman from Missouri, Mr. Clay, the ranking member of our Financial Institutions subcommittee. Thank you, Mr. Chairman, and I wanted to note that I am so glad to be back in this refurbished hearing room. Let me ask Mr. Orfei. You note at the end of your testimony that not a single company has been found to be compliant at the time of their breach. But in many cases firms that have been breached were at one point PCI compliant. How does your compliance framework lend itself, if at all, to ongoing monitoring of PCI compliance? What role does the PCI play in monitoring compliance? Thank you for that question. Yes. 99.9% of compromises were preventable and covered by the standard. And if you think about our standard, what we're advocating is a move away from compliance to a risk-based approach. And we are advocating vigilance and discipline and being methodical in close adherence to the standard. Security is a 24-by-7 responsibility. It's not a matter of compliance. What we see happens is a company works diligently to bring its organization into compliance, they high-five each other on Thursday, and Friday the environment starts to deteriorate. It's about being disciplined, methodical, and paying attention to the fundamentals, sir.
Thank you for that response. Mr. Oxman, although chip technology is fairly new to the United States, it's been around for decades and is ubiquitous in other parts of the world. Given the rapid pace of technological development, are we not at the point where other types of security measures are more appropriate for use in connection with U.S. payment cards and payments in general? Thank you for that question, Congressman Clay. You're right that the chip is a well-developed technology. The good news is the payments industry recognizes, as you've heard this morning, that the chip addresses one type of fraud that happens to be the most prevalent form of fraud here in the United States today. That's counterfeit card fraud. So the chip implementation will address that type of fraud. But as you noted, other types of security are important, as well, which is why our industry is deploying a layered security technology approach which includes the chip in cards, but tokenization, which replaces account information with a one-time-use cryptogram that can't be reused. It also includes point-to-point encryption. It secures all entry points into the payment systems. That layered approach with multiple different technologies, as you suggested, is in recognition of the fact that the chip card addresses one type of fraud, but we need to do much more. Criminals are much more sophisticated. Thank you. For anyone on the panel, how prevalent is fraud in the case of online checking? Is that pretty secure? Can anyone respond to that? Online checking? Yes. Certainly e-commerce is an environment where there's limited security options for merchants to employ right now. It's a frustration. The fact that e-commerce is such a big part of the economy and no strong means of security is a considerable frustration. Back to your first question a moment ago, though, I want to note that Jason's point about all the levels of the different layers of technology is a good one.
That we need to be evolving to the next generation of technology. We need to be finding more ways to make tokenization and encryption work specifically for the e-commerce environment. Today there's 1.2 billion cards circulating in the United States, most of which have technology in. Later this year, when we see more chip cards, we'll see early 2000s technology. We aren't keeping up, and we need to do a better job of errors occurring. Thank you very much for your responses. Mr. Chairman, I yield back. The chair recognizes the gentleman from North Carolina, Mr. Pittenger. Thank you, Mr. Chairman. Thank you for hosting this hearing. And thank you, each of you, for being with us today. Governor Pawlenty, according to the Identity Theft Resource Center, financial institutions were responsible for less than 6% of breaches in 2014. Some could draw the connection with this fact that the financial institutions have been subject to the Gramm-Leach-Bliley Act since 1999. Do you think this is fair? I do. I don't think there's disputes that the financial sector has the best defense and capability and resiliency in the space. As everyone knows in the room, even financial institutions get breached. Relative to other sectors, we're more advanced and get breached less. That's not a bragging point, it's about what caused that. It's caused by investment, hard work, technology. And I believe that Gramm-Leach-Bliley set a standard, and people tried to adhere to the standard. Plus, we get examined by our regulators to the standard. I would say that contributed to the state of the industry's cyberdefenses and the relative good quality of it. Thank you. Yes, sir? Congressman, I would note that the annual Verizon cybersecurity report is sort of considered to be the gold standard for cyber reporting. It found that last year there were 2,100 data loss cybersecurity intrusions. Of that, 277 were financial institutions and 167 were retail businesses.
There are 1,000 times more retailers operating in the U.S. I don't think we should have the philosophy that a single regulation can guide us to successful cybersecurity. Mr. Dodge, let me build on that. Building on Chairman Luetkemeyer's statement earlier and reference to legislation, it does... to develop and implement a program that ensures security and confidentiality of sensitive information, it is appropriate to the size, scope, and sensitivity of this information. This is written to create some measure of flexibility so the standards are modified. Do you think this is a good approach in terms of creating these flexibilities of standards? So, you know, we applaud Congress for looking at lots of ways to address this issue. I think what's important is that we look at the regulatory environment as it exists today and recognize that the Gramm-Leach-Bliley Act was written specifically for the financial services community, and that there's a very strong regulatory regime that applies to most of the rest of the business community. And that is enforced through the FTC. The FTC has moved aggressively over the last decade and established a clear and strong set of standards that businesses have to comply with. We think that is the way to go. Let's refer to this. It says, the provision of the bill says, a covered entity's information security program shall be appropriate to the size and complexity of the covered entity, the nature and scope of activities of the covered entity, and the sensitivity of the consumers' financial information to be protected. What other flexibilities do you see would be needed that would ensure that consumers are protected but not prevent adaptability for future threats? So the language that you cite is not dissimilar. We think businesses have to have a clear understanding of what their obligations are, and that the enforcement agency has the ability to evolve their interpretation of that law over time to meet new threats.
And businesses of different sizes and businesses that require that they collect different kinds of data should be treated based on their size and the kind of information, and this legislation seeks to do that. Isn't that right? Based on what you quoted, that sounds right. But as I've said, we believe you need to look at the regulatory environment as it exists today, and work within that. The debate here today is, how do we pass a law that could provide businesses with more clarity and the ability to evolve with the threat? I don't care that the objective should be to shoehorn a law that was written for one industry to apply to the entire business community. I don't think that's what this does, according to what I read. I think it clearly states the provisions reflect the size, scope, it personalizes it, creates the flexibility. And I appreciate your focus on that, because we agree with the need for flexibility. We simply are looking at the proposal in its entirety, and it's hard to separate things out without talking about how it would affect it when it's merged together. Thank you. I yield back. The gentleman yields back. The chair now recognizes the gentleman from Massachusetts, who did not steal Mr. Mulvaney's credit card in his hypothetical, Mr. Lynch, recognized for five minutes. Thank you, Mr. Chairman. I appreciate that. I want to thank the witnesses for your testimony. Ms. Moy, on the question of federal preemption, when we talk about complete federal preemption, we're talking about a federal standard and, at least as far as this legislation goes, we're talking about federal enforcement as well, that's being taken away from the attorneys general of the states. Even further, it looks like the notification for breach will be taken away from the FEC and given to the FTC, consolidating that, as well. As well, it might involve, if I'm, I'm not sure if I'm getting this correct.
If we have a federal standard and a retailer or business complies with that federal standard, does that imply some type of immunity for the individual retailer? If they're complying with what the feds require, is that holding them harmless from any liability? I'm sorry, you mean in an environment where there is... where this creates a floor and not a ceiling and states continue to have... Well, this would be a complete obliteration. Total preemption. You'll have one. It would be a ceiling. Would be a ceiling. Is that implying some immunity or protection from liability for the complying company? Yeah. I mean, you know, a company would only then be liable as it would be held liable under the federal law. Any additional obligations of the state law that had previously existed would no longer be, no longer be actively enforced. Under this legislation that would be problematic because, as your testimony indicated, it only recognizes financial harm. Right? There's a trigger... Well, actually, personal... there's a financial harm trigger. I think there's also a trigger for a very narrow set of personal information. Actually, I'm not sure if there is. I thought that, I was under the impression that the financial harm trigger applies to everything. But perhaps you're right. I'll look at that. If I may, Congressman, the provisions of the bill, 2205, also provide for triggers related to identity theft, as well as financial harm. Right. Yes. Although many states, as I noted in my written testimony, either have no harm trigger at all, recognizing that consumers want to be notified of breach of certain classes of information and want to be able to safeguard that information regardless of whether or not it could be used for identity theft or financial harm, and a clear majority of states have either no trigger or a trigger that's broader than just financial in nature. One of the problems I have is that this introduces a federal standard.
And it takes out the states. Massachusetts happens to have a very robust consumer protection privacy framework that I think will be harmed. We also have, we've been blessed with attorneys general that have been very active in defending consumers. And in some cases, as you pointed out, I think the average case of breach in Massachusetts, we had 2,400 last year. The average size was 74 consumers. That's not the type of thing that the FTC will go after, in my opinion. That's right. That's why we think it's critically important, if we want to ensure that all consumers are protected by a federal standard, it's really important that we have as many people keeping an eye on what's happening with breaches and working with companies to help develop their security standards and working with consumers to respond after their, after the information has been breached, and to watch out for potential harm that could be coming down the pike. It's really important to have the involvement of the state AGs in all of that. If we did introduce, I'm in favor of introducing a very high floor across the board that I think would subsume maybe close to 40 states. I would like to have flexibility for states that, number one, they're more flexible. Congress is not known for speed at all. Having the states out with the ability to provide additional protections, especially in the face of the sophistication of some of these hackers, is very, very important in my mind. There is incongruity in the bill. It talks about the federal standard, and then it says every covered entity will be responsible for adopting a system of security protection that is commensurate with their size, their complexity. The gentleman from North Carolina brought this up in a different context. How do we deal with that, where a pizza shop, coffee shop, a bank, banks were a different class, but each and every company is going to be able to right-size the level of protection?
But in reality, that stream of information that is breached may not be compartmentalized. I'm sorry, what do you mean the information may not be compartmentalized? I'm sorry. Well, if they hack into your email and password, that opens a whole other door of information that they can access that might not be readily evident, you know, based on where they entered the stream of information. Right. Sorry, may I respond? A very brief answer. Sure. Yeah. I would say there are certainly login credentials that can be, because people recycle passwords, can be used across accounts. That's an important reason. Thank you. Time of the gentleman has expired. The chair recognizes the gentleman from California, Mr. Royce, the chairman of the House Foreign Affairs Committee. Thank you, Mr. Chairman. There has been a lot of discussion here about the current liability, what it looks like. I guess one of the questions is what it should look like. And if I could ask Governor Pawlenty, I had a question here. When a data breach occurs, how should we allocate the financial responsibility for that breach? For example, if a breach of sensitive customer information occurs at a financial institution and it's shown that the institution did not protect the customer information as Gramm-Leach-Bliley requires, do you agree that the financial institution should be responsible for the cost of the breach? Congressman Royce, yes. We believe that the entity that was negligent, or entities, plural, should be responsible for their negligence. Okay. Then, Governor, should the same be true of the merchant? If there's a breach with a high likelihood of harm being done to the consumer, should the merchant be responsible for the costs associated with that breach, to the extent that the entity has not met minimum security requirements? Congressman Royce, absolutely. Mr. Dodge, I would ask if you agree on that point. I would tell you that we do agree, because that is what happens today.
Today merchants are obligated, if they have a breach, by contracts signed with the card network to reimburse the banks for the fees associated with the costs. In addition to the fees they pay every day, every time a transaction, which is obligated to prepayment of fraud if it happens or even if it doesn't happen. Fees are being paid constantly. The next question I was going to ask Governor Pawlenty is, it's been proposed by some that consumers should receive notification of a data breach directly from the company that was breached, even if they have no relationship with that company. Wouldn't a simpler solution be to allow the notice to come from the company that the consumer gave financial information to directly, while also allowing the company to identify where the breach occurred if it is known? It's my understanding that there is currently no law, no contractual obligation that would preclude a financial institution from identifying the institution where a data breach occurred when sending out a notification to their customer. Is that your understanding, as well? Congressman Royce, yes, and of course you might imagine, if there's a breach, it unfolds in the early hours and days with a great deal of uncertainty and sense of crisis around it, so as people think about what they're going to say publicly and sending out notices, particularly if it incriminates another company, you want to make sure that you're articulating that correctly and accurately for fear of liability. I think some companies don't name names in those initial notices over some of those concerns. You know, as we look at the cyberattacks and see this increasingly, as we talk to the European and Asian governments, a lot of these are being conducted now by state-sponsored or state-sanctioned entities. We actually, for example, see individuals traveling from a certain bureau in North Korea to Moscow to be trained.
Then we see their conduct with respect to the banking system in South Korea and the attempt to implode the system in South Korea with the direct attacks. What can or should be done, in the view of some of the panel here, to hold these countries accountable in situations like this? How do we do that? To the extent this has evolved into an encourage dynamic and you have state-sponsored or semi-state-sponsored activity, the United States has to respond in kind at a level of country-to-country discussions and, fortunately, consequences. As you may know, under current law the only entity that can fire back, if you will, in cyberspace is the U.S. government. Private entities cannot hack back. And so the deterrent or consequences for this potential can only come from the U.S. government. Lastly, there needs to be rules of the road internationally. We have rogue states, semi-rogue states acting recklessly, irresponsibly, in a very concerted fashion. What you see in terms of payment disruption is relatively minor. The consumers get reimbursed. It's inconvenient, menacing, concerning; you should act on that alone. But compared to some not-too-fanciful scenarios where the entire payment system is disrupted or another piece of critical infrastructure is disrupted, that's something you need to be thinking about. We've seen the Iranian attempts here. Have you seen that in your industry? We're cautioned not to attribute. But it has been reported publicly. North Korea was involved in an incident, an attack that was attributed to them, and I think you have seen public reports of Russian-sponsored entities and on down the list. Thank you very much. My time expired. Chairman, thank you. Time of the gentleman has expired. Recognize the gentleman from New York, Mr. Meeks. Thank you, Mr. Chairman. First, Mr. Oxman, let me ask you this question. Same line: after 9/11 we talked about having all of our intelligence agencies working closer together, et cetera.
So here, when you talk about preventing data breaches, there are a number of entities that are concerned, whether you're a device manufacturer, a network operator, a financial institution or an app developer. It seems to me that it would be important that these entities work together to develop effective mobile data protection solutions. In your estimation, is the industry working in a collaborative way with all of the interested parties? And what, if anything, do you think Congress can do to ensure greater collaboration so that we can make sure that everybody is working together to try to eliminate this huge problem? Thank you, Congressman Meeks. The good news is yes, sir. They're working enormously smoothly together to deploy the things we need out in the market against the increasingly sophisticated cyberattacks. They're working through PCI to deploy chip technology in cards, like tokenization, and like encryption to secure points of entry against intrusion. The ecosystem is enormously complicated and involves a number of different players, from financial institutions, merchants, consumers, device manufacturers. As we move to new technology, it's going to become more complicated. But the good news is we're working very well together to deploy all of these next generation technologies, because we share an interest across the ecosystem in ensuring our customers feel comfortable shopping at our stores and using electronic payments. What can Congress do? I think H.R. 2205 represents the ideal vehicle of what we need Congress's help on. That is unifying a patchwork of state laws that are inconsistent and incompatible with one another to address how we let consumers know when something does go wrong. We need to make sure we're all on the same page when we let our customers know if something happens. That's where I think Congress can be helpful. Thank you. Let me ask Mr. Pawlenty. I know, and I believe from reading your testimony, you noted that the EMV chip cards have proven very effective.
I've got a number of cards to switch out on, make sure you have the chip. One of the questions, this happens with my daughters, et cetera, they're doing more and more shopping online. People are not going to the store as much. They're going shopping online. And it seems as though there are more frauds taking place when people are doing this shopping online. Can you share with us ways in which firms are innovating to protect customers, consumers who rely more on online shopping, so we can prevent fraud in that regard? And, again, like I asked Mr. Oxman, ways that Congress can ensure greater data breach protection as we move away from in-store purchases. It seems as the new generation is online; my daughters won't go to stores anymore. Everything's online. What can we do in that regard? Congressman, great question. As was mentioned earlier, the chip cards will go a long way toward eliminating or greatly reducing card-present fraud for the reasons that were mentioned earlier. That's progress and good, and we applaud that and enthusiastically embrace it. As we've seen in the other EMV-adopted countries, the fraud shifts to the online environment. What happens, of course, is if you make an order online, over the phone, or otherwise, you enter your credit card number and code and expiration date, and away you go. If I have that information from you, I can make the transaction online. It's loose, to put it mildly. The future of that in the near term is a technology platform called tokenization, which will allow that transaction to occur with a unique set of data that connects needed data to finalize the transaction, but the personally identifiable information isn't necessarily transmitted as part. It's a token. That's coming. It's just around the corner, and it's in market to some extent. The cost is coming down, the ubiquity, it's becoming more ubiquitous. That will be a big part of the solution. It was invented ten years ago. There will be something else that will come next.
The time of the gentleman has expired. The chair recognizes the gentleman from Maine, Mr. Poliquin.

Thank you, Mr. Chairman. I appreciate it very much. And thank you, all you folks, for being here today. I really appreciate it. Mr. Oxman, I know you and I both are from Maine. Probably the safest state in America. We invite all kinds of other folks to come up and enjoy our state. That being said, we are not immune to folks who are stealing our credit card, credit card numbers or using our debit cards fraudulently, what have you. We know there's a problem, the problem is across the country, even the great state of Maine. That being said, one of the things that I've heard this morning that I'm delighted about is that there seems to be some common ground, a lot of common ground when it comes to the fact that there is an issue with cybersecurity. We all know it's there. You folks all agree to it. Even though you're from different parts of this space, if you will. And I've also heard, if I'm not mistaken, that there's consensus that we need, instead of 48 individual laws that we have to deal with, one national standard; it would be helpful when it comes to notification. I'd like to hear from each of you, we'll start with you, Governor, if you don't mind terribly, what is on the top of your list? What else would you like to inform this committee about that would be helpful for all the players in the space to make sure our consumers in Maine's Second District and throughout the country are well protected with bank accounts, credit cards, what have you? What could you advise us today? You're members on the ground. You're much closer to this problem than we could ever be. Please tell us. That's a great question. You think about notification, it helps notify people that there was a problem and now we need to clean up the mess. That's little consolation for people who have the mess visited. It's helpful. As to standards, it will help as people raise their game.
I think this entire space is going to evolve in a very interesting and probably disruptive fashion over the next ten years. Things we're talking about here today in terms of technology platforms, as was mentioned earlier, will look very different ten years from now. I don't think we'll be walking around with pieces of plastic and PINs. The whole thing is shifting increasingly to mobile and other ways to make payments. So I would say it's going to come from the technology sector, big changes. Good changes. Mr. Dodge? I'm glad some attention is being paid to collaboration. I think that's an important outcrop from these catastrophes. This focus. Last year, we collaborated with the Financial Services Roundtable and the Electronic Transactions Association, with a whole bunch of merchant and financial service associations to talk about the challenges. To try to find common ground. Collaboration has also found its way into the information sharing, threat information sharing world, where businesses can share threat information. The rising tide, in Maine terms, rising tides lift all ships. The ability to see a threat deflected and share with others what you saw and how you did it. Important, and we congratulate Congress for passing legislation on that last month. I think one of the things we look toward is how do we enhance the security to the 21st century and beyond. The card security today is weak. It needs to improve. There's a half step on the calendar for later this year. It's only a half step. We need to get beyond that. We want to see Congress focus on that and certainly want to see the business community that's responsible for creating those cards to focus on it, as well. Mr. Oxman? Thank you, Congressman. I'm excited about the change in technology we're seeing in our industry. I think if there were one thing for the committee to be aware of, it's that there is no need for an inquiry into the technology because the industry is working together to deploy it.
You know, my first job was as a bank teller, summer after first year in college, the heart of the Second District of Maine. And the hot technology in the '80s was the ATM machine. Today consumers can buy things with a watch. It's amazing what's happening out there. I think the good news from Congress's perspective, the industry is deploying technology safely, securely and reliably. We'll get it done. Apple Pay, Google, Four Square, these are developing much more than I understand and how to pay for goods and services you buy online through a mobile device. Do you see any problems coming down the road with those types of technology, or is that where it's going to go and where it should go in your opinion? This technology is incredibly exciting, particularly because it allows us to deploy more robust security alongside. The way to think about it is it's a new means of implementing a payment transaction. Initiating that transaction, using your watch or phone instead of a plastic card. And that watch or phone or whatever device has many more security capabilities than the plastic cards. It's a good thing for consumers. Unless here in this country we go down this path where we continue to work on this problem and find solutions to it, aren't we exposing consumers and families and businesses to more cyber risk if Europe is ahead of us and other developed countries, parts of the world, are ahead of us? May I have that question? I think technology will evolve, and we'll have good answers. Particularly mobile will be the future of payments. I think what's key is this information sharing effort that's in progress now. Being able to collect information, translate it so it's actionable intelligence, and that will allow us to preempt attacks from organized crime, rogue states, and state-funded actors. Thank you all very much. Appreciate it. Thank you, Mr. Chairman. I yield my time.

I thank the gentleman. The gentleman from Georgia, Mr. Scott, recognized for five minutes.
Yes, Governor Pawlenty, I'd like for you to address this and they can chip in, as well. With the challenge for our migration of the EMV chip technology in the United States basically due by October 15th, why are U.S. consumers only now receiving the chip cards when consumers in Europe and Canada have had them for many years? Why are we behind the eight ball? There's some unique history as it relates to how Europe got to where it is, relating to technology. Their telecommunication system, how they did batch processing, how that works relative to how we did it in the United States. I think to sum it up here, I would say the transition from what we had to what we need and where we're headed next is a very big transition. Think about the millions and millions and millions of point-of-sale terminals that would have to be chip ready. Now only about 25% of retailers can even take a chip card. They would have to flip their systems, point-of-sale systems, back room systems, payment networks have to do the same, the banks have to do the same. It's a massive transition. You know, would we have benefited from it being done earlier? Probably. But we are where we are, now we need to get it done as quickly as possible. This is highlighting the urgency of it. Okay. Now, since we have such a brain trust of cybersecurity before us in this distinguished panel, I want to shift for a moment. Are you satisfied, and how would you describe the national security threat to our country as a result of cybersecurity as a national security issue? I think it's one we really, really have to deal with. And how would you relate that, particularly when we've had attacks on our cybersecurity from China, Russia, from Iran, from North Korea, ISIS, al Qaeda, other terrorists, now our military bases are put on heightened terrorist attack alert at a level we haven't seen since 9/11.
How, what is it that we need to do more, and how do you address and how do you rate this threat at its present time as a national security issue? Governor Pawlenty or any of you? I'll say, Congressman, I would rate it as a clear and present danger. That's why I said what I said earlier. I think for particularly folks who are on the Republican side of the aisle, it's not as comfortable to say we're just going to do something uniform across the country. I think this is elevated. Not just the card and processing, but many other aspects of this, to a national security issue. We have known, identifiable threats to critical infrastructure of this country that would impair not just the economy but the health and well-being of our citizens if deployed to any sort of scale. So it is a clear and present national security threat that I think needs to be addressed with that kind of urgency and that kind of seriousness and that kind of weight behind it. And Congressman Scott, it is a question that is answered largely by technology. And thank you for your leadership and taking a founding role in the Congressional Payment Technology Caucus, because technology companies, including many from the great state of Georgia, are out deploying systems, networks. And there's no question that the payments industry is focused relentlessly on this, because the security of networks and reliability of networks and systems is why consumers choose electronic payments as their preferred method of engaging in commerce. We need to make sure that remains a confident factor for consumers. And, Mr. Oxman, how ready will we be? October's right around the corner. What are your expectations? Have we set that date? Have we, is it accomplishable? Yeah, Congressman, the migration in October to the chip cards is a date that we've set as a milestone. And it's a lot of work to do. 1.2 billion cards in consumers' wallets need to be replaced. More than eight million merchants in the U.S.
need to upgrade their systems in order to accept chip cards. That's going to take some time. Will we be completely finished by October? The answer, frankly, is no. We won't be all done. We'll be largely there. Most importantly, the industry is entirely unified in recognizing the importance of making this infrastructure upgrade. We're doing it, we're working together, merchants, financial institutions, payments companies, and consumers. We're going to get it done. Thank you, Mr. Chairman. I yield back.

I thank the gentleman. Now the gentleman from Arkansas, Mr. Hill, is recognized for five minutes.

Thank you, Mr. Chairman. I thank the panel for being with us this morning. On Mrs. Maloney's comments about Gramm-Leach and the impact on banks, having run a community bank for the entire history of Gramm-Leach's existence, I do think it was flexible in the standards when it comes to examination and practice, both in scope of business and not. So I think that's something that's worked well in the financial services industry. One question I have I'd like the panel to react to: what role does liability insurance play? I know in our company we took out the coverage at the modest premium for notification coverage, which was sort of what was recommended by the underwriters. Didn't find it very compelling or particularly useful. But in a large breach, it certainly would be helpful to pay the out-of-pocket expenses. But what's happening in the liability arena on insurance coverages for entities beyond that? What standard are they setting when they come to underwrite a retailer? Let's start with you, Mr. Dodge, about data breach. There's obviously a mathematical loss for one of your members. Sure. I'll acknowledge I don't claim to be an expert on cybersecurity liability insurance. I have perspective. First, it's an immature market, pretty new, and rapidly evolving. I know the administration is working on ways to make that a more mature, more competitive market.
Retailers, many retailers are looking into, many have purchased liability insurance as it relates to cybersecurity. I don't have a number, but I suspect the number is growing by the day. And one of the challenges they all face is where exactly to price it. They don't know how much to get, and they don't know if they're getting a great value for it. But they know that it's important to have. They're working on making sure that that improves over time. I think your point's a good one. Also in the Verizon report that's been mentioned, only about 20% of those breaches are as a result of the retail and banking industry, which means 80% aren't. And we haven't heard one question about that today. Just last week, I got a letter from the Arkansas Medical Society where over 60 physicians had their identities stolen when they filed their income tax return. Didn't know it until they went to hit send electronically to the IRS and suddenly learned they already filed their return, which, of course, they hadn't. Can you reflect on standards that we've talked about today for that other 80% that we have not, that's not represented here today? Or maybe Mr. Oxman and Mr. Orfei, you might take that one. Thank you, Congressman Hill. And I do think that is an important issue, because the harm that consumers suffer from identity theft can in some circumstances be as impactful as the harm suffered from the theft of financial data. And I think H.R. 2205 does a good job of making sure that all entities, not just retailers and financial institutions and payment companies, but all entities that have storage of or access to the sensitive personal information are required to abide by the federal standards that H.R. 2205 would put in place. And I do think that's a very important component of the bill. Anybody else want to add on that? Well, I think the fundamentals of the PCI standard are applicable across all vertical markets.
I also share your concern in my discussions with law enforcement that the health care systems in particular will be the next big target. Protecting that data and following adherence to the PCI standard would benefit those industries, as well. I think it's a little, you know, odd that, HIPAA, we can't even have a conversation about our aunt's health with a doctor without everybody jumping through hoops. But we've obviously got health care data at risk, that's financial data. And this IRS situation is financial loss. I mean, I think this is a serious matter. Certainly as serious as having one's credit card number compromised. So I'm glad to hear you say that you have comfort that the standards in this bill will help in this other 80% of the issue that we're not addressing today. Thank you. Mr. Dodge? I would say, you know, we also endorse a strong reasonableness standard, one that provides businesses with a strong expectation of what government considers to be a reasonable standard. We believe it should be enforced by the FTC. And we've endorsed the legislation that came out of the Energy and Commerce Committee to do just that. We think it's important as we're addressing this issue that we first look at the regulatory landscape, and design solutions that fit within that, rather than moving regulation design from one industry, in this case the financial services industry, to the rest of the economy. Thank you for that comment. I yield back. Thank you.

I thank the gentleman. Now the gentlewoman from Wisconsin, the ranking member of the policy committee, Ms. Moore, recognized for five minutes.

Thank you very much for that elevation. I just want to thank all of the witnesses for taking the time and being patient with us. And I can tell you that you guys almost, and Ms. Moy almost, answered my questions when other members were asking it. So I do want to apologize if things seem redundant. Let me start with you, Ms. Moy. You talked about having a federal standard, a floor standard.
You talked about the FTC really providing that service at this point. I guess I want your opinion or knowledge about whether or not you think the FTC is currently staffed up and resourced up enough to continue the stewardship. How much more would it cost to do it, how many more employees would we, do you anticipate? Is there necessity to create a new agency? So I apologize, because I don't have those numbers for you. Although I could do some research and try to help you answer that question. I mean, I do think the FTC is doing a pretty good job enforcing data security, specifically with the biggest cases. At the state level, the states are active in this area, as well. Also enforcing sometimes their own data security standard and sometimes a standard that they are drawing from there, from the authority of their general consumer protection acts, the mini-FTC acts. But so I think it's really important, though, to preserve the ability of what the states are doing, to preserve the ability of state AGs to continue to provide that important service. And to set our new standards at a level that will continue to preserve protections for pieces of information that would not be covered by the legislative proposals we've seen. For example, in your own state of Wisconsin, the breach notification standard would extend to DNA and biometric data that's not necessarily covered by what we've seen in some legislative proposals. I really would like to know how much this will cost. And in keeping with that same theme, Mr. Mulvaney was sort of going down this road about who pays for the cost of a breach. And on October 1, 2015, there's going to be a merchant liability shift. We're at the custard stand here, and I've gotten my smartphone to be able to swipe my card. You know, how much is this going to cost me, or do I just take risks and say I'll just take chances for a few years until I get my business up and start franchising my custard store?
How much will it cost me to be compliant? Congresswoman Moore, the good news is, for a small business interested in upgrading infrastructure, the costs are very low. You can get an EMV chip device from Square for $30. Okay. If you want to go that route. Or get it from a payments processor for not much more. The cost is very low for the merchant. The good news is that October liability shift date that you're talking about, if the merchant makes that small investment in the upgrade to chip cards and if the card issuer has issued chip cards, the liability for the fraudulent card rests with the issuer. The merchant is exactly the same as today. As long as they have made the investment in the infrastructure. They don't have liability for a counterfeit card transaction in that scenario. It's good news for the merchant. That was the answer that was escaping me this entire hearing. I mean, how much is it going to cost Gwen's custard stand to do it. Obviously there will be a lot of costs for ATMs, and I guess that's a little more costly. How much will it cost to update all the ATMs? Yeah, the ATMs and actually fuel dispensers, so gas stations actually have an extra two years to upgrade their infrastructure, because it's complicated to actually take the credit card equipment out of an ATM or gas pump. They don't have to worry about upgrading infrastructure until October of 2017 for those two industries. Okay. My last time for Governor Pawlenty. I guess as the head of the Financial Services Roundtable, I guess I'm curious about why it's taken us so long to do this. Why we're behind Europe and Canada. And you testified we're going to stay behind. Some of the countries that went to EMV didn't have much legacy technology to begin with. They could just jump to it as first adopters. Other countries have other histories, like the U.K., for example, in an era where telecom was expensive. They loaded up all the transactions and processed them at the end of the day, called batch processing.
The ability to do real-time communication via telecom had something to do with how and when things evolved. All that being said, I think the U.S. has been slow to this issue. But the fact of the matter is we see the need, obviously everybody does, and moving as quickly as possible to implement it and for good cause. Mr. Chairman, I realize my time has expired. I want to ask Governor Pawlenty, are the Vikings going to be as bad as they were last season? Did you say the Packers? [laughter] The Vikings? I think the big question is, is how do we get some of that custard. [laughter] The Vikings are going to be better this year.

The gentleman from Florida now, Mr. Ross, is recognized for five minutes.

Thank you, Mr. Chairman, and thank you, panelists. I can only preface my remarks by thinking back to the early 1980s when I was installing computer systems, 16-bit processors, in pharmacies across the eastern United States. We would use a dial-up modem to update drug prices and process data. At that time War Games came out, starring Matthew Broderick, showing how we can hack into the intelligence computer that started an international war game. And we've evolved today to where you go to Walt Disney World and get a magic band that has all your data, shows Disney exactly where you are, what you're doing, what ride you want to be on, all your billing information. The evolution of technology has been a tremendous benefit to us. It's given us the path of expanding our commerce and economy tremendously. And obviously it has given opportunities to those that seek ill will against us. And that's why we're here. One of the institutions of higher education, University of South Florida, rests in my district. And two years ago, they were designated by the Florida Legislature to be the center of cybersecurity, an academic program. Now they have over 100 students seeking masters in this arena.
My question is, is there a great deal of cooperation between the private sector and the academic sector in trying to innovate ways to continue to fight cybersecurity? Anybody can address that. I can speak up and say I know the retailers who have sought such partnerships have found welcome partnerships. Last year we established something called the Retail Cyber Intelligence Sharing Center. At the core of that is a retail ISAC. But wrapped around that is the opportunity for educational opportunities. I know that group has found great partners already in the academic community, looking for ways to identify ways to bring future chief information security officers through the ranks and to share information so everybody has the best skills available today. It seems that would be a good partnership, even though that's well over 80% of our commerce in the cyber world is through the private sector. Mr. Dodge, let me ask you this question, because, as my colleague, Mr. Mulvaney, was asking you about who bears the cost of a fraudulent transaction. Is it between the banks and the retailers? Is there not in existence any particular, either express or implied, right of indemnification between the parties that would allow that to be resolved absent the fraud development? Who pays after a breach and fraud is spelled out in the contract. The retailers are bound by the contracts, and if they violate they risk losing the right to accept cards. There's a limited negotiation, I guess, is what you're telling me. Retailer wants to accept the Mastercard, they accept all of the terms and contracts without a negotiation. You sign the contract presented to you. One of the things that you talked about very well is the electronic Mastercard, Visa chip. For some time this has been in practice in the European markets, has it not? It has. Just recently, had it not been for executive order, we would not be pursuing it as fast as we are in the United States.
What has been the reason for the delay of the implementation of the chip technology here? The reason the chip technology is being deployed today in the United States and it's been deployed already in Europe is the following. In Europe they don't have the ability that we have here to authorize a transaction online. When you swipe your card at the point of sale, what happens is that transaction is transmitted through the payment network for a yes or no answer. When the receipt is spit out 1.4 seconds later with a yes answer, it's because that transaction was authorized and approved online. In Europe they don't have the infrastructure to do that. The card authorized the transaction. Which means that chip isn't going anywhere. It's making the decision right there. That's why the chip infrastructure is necessary in Europe. Now we're protecting the database of all the private information and it's encoding, or database and it's encoding that particular transaction with a one-time identification, and then that allows anybody who captures that to have really nothing. That's exactly right. The way the system works today, your actual account number is transmitted. Cyber thieves are looking for credit card numbers. In a tokenized environment it takes the account number out of the equation. How fast are we moving in that direction? It is being deployed across all retail segments. We have an existing infrastructure that needs to be replaced. It will take some time to get there. I know we talked about point-of-sale defenses today, but after the data has been breached, how effective are some of these companies out there that allegedly protect consumers from having their identity stolen? Is that good, bad, or is it just somebody else? I can't speak to any one of those companies. Everybody needs to be vigilant. You need to monitor yourself. I want to go back to a point about advancing the technology in cards to get to where we are in Europe.
The migration that's happening in the United States is only a half step. We're only instituting a chip. We're not requiring a PIN. It worked in Europe. It's worked in Canada. It's brought fraud down. Need to have it together, and we're not moving to that here in the United States because of decisions made by the card networks.

Now the gentleman from Arizona, recognized for five minutes.

Thank you, Mr. Chairman. Okay. Little discussion, maybe a little way from the legislation that's being vetted. Mr. Oxman, you seem to be the most technical on the panel. Is that a fair, yeah. Give it to him. Okay. Can we walk through a couple of mechanics. First, the philosophical box I want to work from is, if you and I wanted to design as robust a system as possible, I'm not asking practical, possible today, where I still have the use of my financial instruments, my credit cards online, at the retailer, in any fashion it may be, what would I be doing? Because when we sat through something in this regard a couple of years ago, we had such high hopes for the tokenization handoffs and the randomization of the designs of those tokens. Is it token plus? If you and I were designing a system here, and making sure that as we work on the legislation that it has enough openness to grab tomorrow's technology, what should we be doing? So a system designed from scratch would ensure that actual information that can be tied back to you or your account cannot be intercepted. You would make sure you didn't transmit actual information in a way that could be taken by somebody else and used in the same form. That's the real goal of all of the layered security technologies that you see deployed today. It's dynamic and it makes sure that intercepted information cannot be useful. But the real difference between the chip and mag stripe is it creates a unique code with each transaction. You wouldn't know the code for the next transaction, so it would be useless to you. It's the handoff?
Yeah, designing a system from scratch would make sure the information was dynamic and couldn't be tied back to anything. Here's my tokenization handoff mechanics and a biometric, if I'm doing online, an IP algorithm saying is this an IP that matches, what am I doing to make these things work? That's the interesting thing about mobile payments, for example. You beat me to our last minute of conversation, but might as well move right, as we all move to the mobile pay, in sort of catching up with the rest of the world, is the technology in my payment systems on this, is that my future of transaction security? It is a great future of transaction security, because what that mobile device has on there is the token we were talking about earlier. It could have all three. It could have my biodata with my fingerprint and its version of, not technically an IP, but it has its encrypted, here's the device that goes with this. That's right. So the future of technology that we're working together to deploy has all of those elements to it. It's almost as if we have an opportunity to devise that utopian system from scratch. How do I incentivize that? The future of payments is in mobile technology and we're going there, but we're not there yet. We need to make sure we're locking down that while we are moving to the next generation. I won't try to wade into the deep technological comments. It's certainly mobile technology, and the encryption in place today I think will work for a long period of time. So the end game really is you devalue the data so that it's useless in the hands of criminals. Point-of-sale point-to-point encryption and tokenization. You implement it properly, the value is useless. There's no reason to break in. Even if you did, whatever you stole, you can't use it anywhere else. In the last 15 seconds, my fear is much of today's conversation was who holds the liability, who pays. And my fear at one level, that's an absurd conversation to have.
We should be having the conversation how do we build the robust technology so we don't have the problem. Good news, it's happening. While mobile payments and some of the things you mentioned are a small part of the picture, the adoption rate is very high. So the future that you're foreshadowing is unfolding. I thank the chairman.

Now the gentleman from Indiana, chair of the Republican Policy Committee, is recognized for five minutes.

I thank the panel for being here. Thank you for your stamina. I think we're getting close to wrapping up. I wanted to talk a little bit further about breach notification. I think a couple of times you got pretty close to this. I want to make sure I better understand your position. You stated earlier that you wanted clarity for the business community. You support the one-sentence standard based on reasonableness found in the Energy and Commerce Committee bill. If you look at section four of H.R. 2205, it has a process that's laid out that frankly is much clearer and I think more scalable. It's based and modeled off of what banks have been doing for 16 years. Can you explain from your perspective why you believe 2205's clarity isn't sufficient? So the act, and certainly the legislation you're referencing, were designed primarily for the financial services industry. It was passed in 1990, 2000 and enforced over the last 15 years. What we have argued is you have to look at the regulatory landscape as it is today and look at what's been done for regulations that apply to other industries. There's been a substantial body of work in enforcing cybersecurity expectations of businesses. That's established a decade's worth of case law that merchants and businesses, all under the authority of the FTC, understand what the expectations are of them. While the Energy and Commerce bill has a one-sentence standard, you believe that one sentence incorporates the, I do.
And I think any business that would be forced to comply with it, and most businesses today are, don't look at the sentence that would be in the legislation. But they would look at what the body of work is. So I make sure I understand your objection, is it to who the regulator would be? You believe under the Commerce bill it would be a different regulator? How it builds upon the work undertaken by the FTC to date, it makes sense. That is the best way to move the ball forward. Other members of the panel, I don't know if anybody would like to comment. I would say, while we recognize the brevity of it, to simply say go act reasonably. That's just a negligence standard that's built into common law for everything. We're all under that duty. When you're facing a threat of this magnitude, this nature, accelerating, to have the Congress say, hey, act reasonably, I think that is underwhelming as a standard and expectation as we enter the age of cyber battles. I would agree, particularly when you have a road map that's worked for 16 years in another industry that you can lean on. I'd like to talk a little bit about how unreasonable delay works in the real world. You know there's talk about whether a notice should be