An executive from Target said the company is investing 100 million to upgrade to a more advanced credit card system following the hacking of customer data. Testifying before a Senate committee, the Target CFO was asked about the holiday season cyber theft that has exposed the personal or financial data of millions of U.S. shoppers.
Because of the time of the opening of the Senate, we are starting a little bit late. I apologize for that, but I appreciate everybody who is here, from all over the state, including now snowing Colorado. We're going to need to examine how we can protect Americans, the growing danger of data breaches and cyber crime in the digital age. Safeguarding American consumers and businesses from data breaches and cyber crimes has been a priority of this committee since I want to thank Senator Grassley for working with me very closely on this hearing. I hope we can continue working together to advance the Personal Data Privacy and Security Act I recently introduced to protect American consumers. You watch the news, you pick up the papers, you listen to the news, whatever. Most Americans, myself included, have been alarmed by the recent data breaches at Target and Neiman Marcus and Michaels stores. The investigations of these butr attacks are ongoing, they compromise the privacy and security of millions of American consumers, potentially putting one in three Americans at risk of identity theft and other cyber crimes. I know my wife and I have been so assiduous at checking our credit card bills, but that is the same with everybody. I mention those three stores, those are all excellent stores. They are major parts of our economy. But we have to have faith in them.
If we don't have faith in businesses' ability to protect the personal information, the economic recovery is going to falter. In the digital age, major data breaches involving our private information are not uncommon. There have been significant data breaches involving Sony, Epsilon, Coca-Cola, also some federal government agencies, Department of Veterans Affairs, Energy, data breaches of Yahoo and others. So it won't seem like we are singling out just a few businesses, more than 662 million records have been involved in data breaches since 2005. Agree, a cyber attack also for consumers who want to protect himself against further exposure, it is not like someone comes in and robs a store, you know where it happened and you have some general idea of where the perpetrator is. Here, the perpetrator could be thousands of miles away in another country. American consumers deserve to know when their private information has been compromised. Rely on being able to do a lot of our business electronically. But we should also remember that the businesses that suffer cyber attacks are also often the victims of a cyber crime. A recent study found that data breaches involved in malicious cyber attacks are the most costly data breaches around the globe. The per capita cost of cyber attacks in the United States was 277 per compromised record in 2013. Times that by millions upon millions. The highest cost for any nation. You are in a fragile economic recovery, this is a significant hindrance to recovery. So before the Judiciary, Symantec, and we will hear from the U.S. Secret Service, Department of Justice, Federal Trade Commission. We are facing threats to our privacy and security unlike any time before in our nation's own history. We also had hearings about threats to our privacy by our own government agencies. I hope in this particular one we can get some good bipartisan, get some data privacy legislation on here. I think we will all be better for it. Senator Grassley.
Very important that we have this hearing. We have had well-publicized commercial data breaches. We are still learning about the details. This hearing will help bring more details out, I hope. It is clear that these and other breaches have intentionally impacted tens of millions of consumers nationwide. Today's opportunity is to learn about the challenges that both industry and law enforcement face in combating cyber attacks from well-organized criminals. The witnesses have the unique ability to provide us various important perspectives as we consider the government's role in securing sensitive data and crafting a breach notification standard. I hope to learn where the committee's expertise could be helpful in combating future attacks. Furthermore, I would like to use this hearing to explore areas of common ground so that we can determine what might be accomplished quickly. It had been a couple of years since our committee has considered data security legislation. In that time we have learned a lot about the subject, thanks to broader cyber security conversations. The proposals offered by the administration and discussed in Congress along with other government initiatives can be helpful for us to proceed as we consider what to do with this legislation. When considering data security requirements, our approach should provide flexibility and also account for businesses of different sizes and different craftyes in a world of criminals, it seems to me that one-size-fits-all approach will not work, or at least will not work for everybody. Instead, let's see how the government can partner with private business to strengthen data security. An example may be the National Institute of Standards and Technology cyber security framework, which has received bipartisan support, and as far as the Senate is concerned, unless it is bipartisan, it isn't going to go anywhere. That's not because there's something wrong with Democrats or Republicans. That is the institution itself.
As we discussed the creation of a federal breach notification standard, we must avoid the risk of consumer over-notification. Just as there is a potential for harm when a victim isn't notified of a breach, over-notification can lead to harm and apathy. As time permits, I want to explore these and other issues today, and will be available to discuss things beyond the committee process, either with colleagues or with other people. If everyone works together, it seems to me we can tackle these problems and hopefully limit future attacks. Mr. Chairman, I ask unanimous consent to include my full statement in the record along with statements we received from these groups: the National Business Coalition on E-Commerce and Privacy, the payment card industry, the National Association of Federal Credit Unions, the American Bankers Association, National Retail Federation, and the Retail Industry Leaders Association.
Without objection that it be included in the record. Matt asked the four witnesses to please stand and raise your right hand. Let the record show that they all took the oath. We will hear from each of the witnesses first and then we will ask questions. John Mulligan is chief financial officer and executive vice president for Target, the second-largest general merchandise retailer in the U.S. He joined Target in 1996. His responsibility includes financial planning and analysis, financial operations, tax, assurance, investor relations. He graduated from the University of Wisconsin in 1988. In 1996 he earned a master's of business administration degree from the University of Minnesota.
Good morning, members of the committee. My name is John Mulligan. I'm executive vice president and chief financial officer of Target. I appreciate the opportunity to be here today to discuss important issues surrounding data breaches and cyber crime. As you know, Target recently experienced a data breach resulting from a criminal attack on our systems.
To begin, I want to say how deeply sorry we are for the impact this incident has had on our guests, your constituents. We know this breach has shaken their confidence in Target and we are determined to work very hard to earn it back. At Target we take our responsibility to our guests very seriously. This attack has only strengthened our resolve. We will learn from this incident and as a result, we hope to make Target and our industry more secure for consumers in the future. I would now like to explain the events of the breach as I currently understand them. Please recognize that I may not be able to provide specifics on certain matters because the criminal and forensic investigation remains active and ongoing. We are working closely with the Secret Service and the Department of Justice on the investigation to help them bring to justice the criminals who committed this widespread attack business, American and consumers. On the evening of December 12, we were notified by the Justice Department of suspicious activity involving payment cards used at Target. We immediately started our internal investigation. On December 13, we met with the Justice Department and the Secret Service. On December 14, we had an independent team of experts lead a thorough forensics investigation. On December 15, we confirm the had in our system am installed malware and potentially stolen guest payment card data. Over the next two days we began notifying the payment card processors and card networks, preparing to notify our guests and equipping our call centers and stores with the necessary information and resources to address the concerns of our guests. Our actions leading up to our public announcement on December 19 and since have been guided by the principle of serving our guests. We have been moving as quickly as possible to ensure accurate and actionable information with the public. We know that the breach affected two types of data.
Payment card data which affected approximately 49 million guests and certain personal data that affected up to 70 million guests. We believe the payment card data was accessed through malware placed on our point-of-sale registers. It is designed to capture the data that resided on the magnetic strip. This focused on supporting our guests and strengthening security. In addition to the immediate steps I described, we are taking the following concrete actions. First, we are undertaking and into inferencing review of our and our network and will make security enhancements as appropriate. We increased fraud detection for our Target REDcard guests. To date we have not seen any fraud on our proprietary credit and debit cards due to this breach. We have seen only a very low amount of additional fraud on our Target Visa card. Third, we are issuing new Target credit and debit cards to any guest who requests one. Fourth, we are offering one year of free credit monitoring and identity theft protection to anyone who has ever shopped in our U.S. Target stores. Guests have zero liability for any fraudulent charges on the cards arising from this incident. Six, Target is accelerating our investment in our Target REDcard point-of-sale terminals. Target has invested significant capital and resources in security technology, personnel, and processes. We had in place multiple layers of protection including firewalls, malware detection, intrusion detection and prevention capabilities and data loss prevention tools. The unfortunate reality is that we suffered a breach. All businesses and their customers are facing increasingly sophisticated threats from cyber criminals. In fact, news reports have indicated several other companies have been subjected to similar attacks. To prevent this from happening again, none of us can go it alone. We need to work together.
Updating payment card technology and strengthening protections for American consumers is a shared responsibility and requires a collective and coordinated response. On behalf of Target, I am committing that we will be an active part of the solution. To each of you and all of your constituents and our guests, I want to once again reiterate how sorry we are this happened and our ongoing commitment to making this right. Thank you for your time today.
Thank you very much, Mr. Mulligan. Michael Kingston is senior vice president and chief information officer for Neiman Marcus as well as chief information officer, he oversees approximately 500 professionals responsible for all aspects of information technology and security including technology strategies. Information technology services for all Neiman Marcus clients, both its stores and website. Thank you for being here. Please go ahead, sir.
Mr. Chairman, Senator Grassley, members of the committee, good morning. My name is Michael Kingston and I'm chief information officer at Neiman Marcus Group. I want to thank you for your invitation to appear today to share with you our experiences regarding the recent criminal cyber security incident at our company. I have submitted a longer written statement and appreciate the opportunity to make some brief opening remarks. We are in the midst of an ongoing forensic investigation that has revealed a cyber attack using very sophisticated malware. From the moment I learned there might be a compromise of payment card information involving our company, I have personally led the effort to ensure that we were acting swiftly, thoroughly, and responsibly to determine whether such a compromise had occurred, to protect our customers and the security of our systems, and to assist law enforcement in capturing the criminals. Because our investigation is ongoing, I may be limited in my ability to speak definitively or with specificity on some issues. There may be some questions I do not have the answers.
Nevertheless, it is important to us as a company to make ourselves available to you to provide whatever information we can to assist in your important work. Our company was founded 107 years ago. One of our founding principles is based on delivering exceptional service to our customers and building long-lasting relationships with them that have spanned generations. We take this commitment to our customers very seriously. It is part of who we are and what we do daily to distinguish ourselves from other retailers. We have never before been subjected to any sort of significant cyber security intrusion, so we have been particularly disturbed by this incident. Through our ongoing forensic investigation, we have learned that the malware which penetrated our system was exceedingly sophisticated. A conclusion that the Secret Service has confirmed to read a recent report prepared by the Secret Service crystallized the problem when they concluded that a specific type of malware, comparable and perhaps even less sophisticated than the one in our case, according to our investigators had a zero percent detection rate by antivirus software. Able to capture payment card data in real time, right after a card was swiped, and had sophisticated features that make it particularly difficult to detect, including some that were specifically customized to evade our multilayered security architecture that provided strong protection of our customers' data in our systems. Because of the malware's sophisticated anti-detection devices, we did not learn that we had an actual problem in our computer system until January 2, and it was not until January 6 when the malware output had been disassembled and decrypted enough that we were able to determine that it was able to operate in our systems. Then, disabling it to ensure it was still not operating took until January 10.
That day we sent our first notices to customers potentially affected and made widely reported public statements describing what we knew at that point about the incident. Prior to January 2, despite our immediate efforts to have two separate firms of forensic investigators dig in and attempt to find any data security compromise, no data security compromise in our systems had been identified. Based on the current state of evidence and the ongoing investigation, it now appears that the customer information that was potentially exposed to malware was payment card information and transactions in 77 of our 85 stores between July and October of 2013, at different periods of time within this date range at each store. Two, we have no indication our transactions on our website or in our restaurants were compromised. Three, PIN data was not compromised, as we do not have PIN pads and we do not request PINs. Four, there's no indication that Social Security numbers or other personal information were exposed in any way. We have also offered to any customer who shopped with us in the last year at either Neiman Marcus Group stores or websites, whe