That really target of the preacher was because of steps taken after the first . They actually had on lawful access to for more information that was breached the first time. Breach, call it a except for that one individual. It was not public or circulated. I want to thank the FBI for their very effective that resulted in the successful mitigation within 36 hours. The reason we are not saying any more is because the investigation is proceeding. Everything was put on the web and put on a public website. The intruder wanted to show how clever he or she was and wanted the world to know. I just have one last question, Mr. Chairman. I want to come back to Ms. Ramirez. FTC uses both its unfairness and deception authority being relatively clear-cut. In that case, you have a company access. It makes materially misleading statements regarding security measures taken. A good number of the FTC's actions come under its unfairness authority, which some argue provides less guides to companies that practice across the line. Is aes not seem like there record of precedential value. Should they make public what they determine is unfair so the companies have better guidance? I have to disagree with the critiques of the FTC. I think that we have provided good guidance and the approach that we came when we exercise both our deception and unfairness authority is one of reasonableness. As a law enforcer, what we do is driven by specific facts of a given case. Our documents which are part and parcel of our are part of our allegations what are we believe to be we have provided guidance and the actions we have taken go to very basic and fundamental failures on the part of companies that we think are unreasonable and therefore that would be a violation of our Section 5 authority. I do take issue with that. We provide a great deal of guidance. I believe that companies can discern the approach that we take as a take. 
It is a process-based approach. It is based on the types of information that they collect and use and if they develop a program that would be able to address any risk to which that information might be exposed. We think it is critical to have one person to be in charge of any data security program. Is the guidance made public? Absolutely. I see we're out of time. We have to run. We are going to recess for a little while. I don't have a time certain. My guess is it will be 40 minutes or so. I don't know exactly, depending on how many actual votes we have on the floor. What we will do is recess and probably, just for everyone's benefit, we will try to start as we are doing our last vote on the floor because members can vote and then come back here. We're trying to do that. We will take a recess now and reconvene subject to the call of the chair. Thank you. Thank you. Nice youl been all been nice . [laughter] We do a lot of reports. It is very interesting. I should not be saying it, but I'm interested so I will say it and I am chairman, so I can say what I want. A lot of moving companies, if you want to move, you sign a contract. They put your stuff in the moving van and take it about two miles and then park in an alley and say, the price has tripled. You say, that does not happen in America. The point is, it does. It is very disturbing. Focus a lot on these kinds of things. It is not that we are nasty. Richard, you're not nasty, are you? Senator Blumenthal? Ask my wife, Mr. Chairman. [laughter] Never. That is right. Your daughter granddaughter and my wife were together in school. Different levels. [laughter] report and ihis wanted to know if you read the report. I had a chance to review it last night. Walk through the many steps that attackers had to go through in order to hack your company. It explains how Target could have prevented the breach if you had stopped the attackers from completing just one of the steps. Let me give you some examples. 
You could have prevented the breach if one of your vendors, a small Pennsylvania company mechanical service had better security practices. That theyrewledge better security was a factor in the attack? Yes. Once the attackers got into the network, you did not stop them from gaining access to your company's highly sensitive consumer data. Would you acknowledge that Target failed to properly monitor your computer network? It is my understanding that we did have proper segmentation as recent as two months prior to the attack. We are found to be PCI compliant. Your question is an excellent one. How they migrated one from the outermost portion of our network to our point of sale data is an excellent question. I do not have the answer to that. Who is they? The intruder, excuse me. Chairwoman Ramirez, I congratulate the Federal Trade Commission for the recent announcement of its 50th data security case. Underave been successful Section 5. Legislation the FTC has consistently called for. Can you talk about why you see the need for such legislation? Why isn't your existing authority under the FTC Act enough? Thank you for your question. I want to thank you for your leadership in this area. Has undertaken critically important work in this arena. I think what we see happening in the rest of any marketplace is showing that companies are continuing to underinvest when it comes to data security. That is why more needs to be done in this area and why we think Congress needs to take have a comprehensive legislation that addresses the issues of data security. We want to highlight things that are critically important relative to enforcement authority on the part of the FTC. We feel it is critical the FTC have civil penalty authority so there can be appropriate deterrence. We feel it is important that any legislation has APA rulemaking authority so the agency can implement legislation and adapt to changing technology in this arena. 
We feel it is important for the FTC to have jurisdiction over nonprofits. We do not have jurisdiction over nonprofits and we see universities and other nonprofits are falling victim to intrusions and that is important to access the nonprofit sector and have reasonable security measures and safe in place. Will concisely tell you that self-regulation works. We believe that self-regulation is an important element of all of this. Security is a complicated issue and in order to address it effectively, we need to do it in a multipronged way. We believe that self-regulation that is robust and backup enforcement by the FTC would be a good and important complement to the civil law enforcement that we undertake. In my mind, it is not enough. Whether it is cyber security, whether it is anything else, self-regulation always solves the problem. A water spill recently in Charleston, West Virginia. Nine counties could not drink water. House myne house. It was not a pleasant experience. There is no federal regulation, no state regulation. They can do as they please. One of the people who was trapped by this, who is my chief of staff of my West Virginia operations, has two young children. I talked to her this morning. She said she had been on a trip to India. It was to look at new ways of doing water. Two more leaks had been river,red on that causing one to be blindingly angry and infuriated, at ourselves for allowing that to happen. I never did anything about it. Every time I drove into Charleston, I was can directly towards those tanks that held all that toxic stuff which leaked. I said, that does not look very good to me. It looks kind of crummy. It's like the pictures in Seattle, before everything went wrong. Everything looked fine. If you knew that there was a lot of mud there, your mind would lead you to other kinds of conclusions, but your mind does not choose to dwell on things that are not of the moment. 
Increasing hostility towards giving the FTC, I am hearing this from others, authority to address over consumer protection issues. That is a common complaint from some. It reaches ears easily because people like to hear about the federal government not being able to do its work or failing to do its work. I'm not constantly hearing about the dangers of an overzealous FTC, over regulating and overburdening American businesses a lot. My data breach bill, which is 1976, gives your agency basic rulemaking authority to set data security standards, just as Congress did. I don't think that is a controversial idea, but some people do. Chairwoman Ramirez, can you explain to these skeptics, through me, how the FTC goes about setting these rules so that I can be satisfied that you are not out to ruin industry for the pure pleasure of doing it? You are trying to do your job. How the commission has a careful and deliberate process that does not lend itself to the type of regulatory chaos that some fear, and how these rules will help protect consumers from data breaches? I would be happy to. The call for legislation in this area is a bipartisan call. The commission unanimously supports enactment of federal legislation in this area and supports specifically the pieces of the legislation that I have outlined. In response to the critics of the FTC, I believe that anyone who looks closely at the work that we undertake can see that we do our work in a very balanced way. We absolutely want our job is to protect American consumers fundamentally. We do listen to the concerns of industry and when you look at the body of casework that we have in this area, the 50 security cases you mentioned, people will see exactly what the basis for these are and that actions that we took were justified. In response to your specific question about how we employ APA rulemaking authority, I referenced an act which is one legislation where we were given rulemaking authority. 
Any rule that the agency was undertaking would go through a notice and comment period. Stakeholders could see and comment on any rule would ultimately impose. Asked for that is because it is critical that the FTC have flexibility in this arena, to implement any legislation. Two main issues are the one I want to highlight. One is, we have to recognize that technology is moving very rapidly. A decade ago, no one would have predicted that facial recognition technology would be so readily available or geolocation information would be so easily attainable. It is important that there be flexibility embedded in any legislation to allow the FTC to adapt any rules to emerging and evolving technology. By the same token, it can also be to the benefit of businesses to grant the FTC that flexibility because we may be able to lift certain requirements that may no longer be necessary over time. That has happened in connection with our implementation of the act. It would be to the advantage of... I thank you. I'm well over my time. And it's time for another senator. Thank you, Mr. Chairman, thank you for holding this important hearing and working on important legislation. I think we all know this is no longer one singular problem we heard from our witnesses today. In fact the Washington Post printed an article yesterday showing that the federal government notified 3,000 U.S. companies of a breach in just the last year. And I think it calls attention to the fact that we need to move on cybersecurity legislation, to move on the notification bills and the work that Senator Rockefeller is doing, Senator Leahy is doing. I'm on both committees. I've been immersed in this, as Mr. Mulligan knows; we had another hearing and Chairman Ramirez in the Judiciary Committee. One of the things we focused on is one going after the people who did this and working on the Justice Department on that. That's got to be a top priority. Number two, how we prevent this going forward. 
One of the things that I found pretty shocking is that in America we had 25% of credit card transactions in the world, but we had 50% of the world's fraud. And we know some of the other countries have moved to the chip and PIN technology. I know that Target tried some of this technology, maybe you can talk about that a few years back. But it wasn't adopted by other companies so I would think I would start with that. What do you think we need to do to stop this from happening in terms of adopting some of the technology? And how long do you think it will take when we have parts of the world that are already adopting this, it's currently the standard in Europe. So maybe we can hear from Ms. Richey first? We do believe it's necessary for the United States to join most of the rest of the countries of the world in adopting the chip technology to control fraud in the face-to-face environment. We set out a road map for the EMV chip adoption. We announced that in August of 2011 with the idea that it would take probably around four to seven years to get to a critical mass of chip adoption based on our experience in other countries. I'm encouraged by the level of enthusiasm towards the chip project we're seeing in the wake of the recent events and I'm hopeful that our liability shift date in 2015, October, 2015 that we will see substantial adoption in merchant and issuing bank side. Do you think it could be better to have the PIN rather than signatures? Would that be safer? Safe is an interesting word in this context. Would it lead to less fraud? It might initially lead to less fraud. PIN does reduce lost and stolen fraud. So if PIN does nothing to keep the criminal from counterfeiting the card, unfortunately. And 70% of the fraud that occurs in physical locations, brick and mortar store, is counterfeit, not lost and stolen. So we believe the bigger problem is counterfeit. 
It's also easier for the criminal to accomplish because they can do it by stealing data, not by having to take possession of, you know, thousands or millions of physical plastic cards. So we believe that the best thing for the industry to do is to focus on the chip and they're trying to change the environment between PIN, signature, and no cardholder verification, which is our current methodologies will slow things down and increase the costs. So therefore, we're saying that the issuer could have the choice, based on their own risk profile, whether to issue with chip and PIN or chip and signature and similarly in the merchant environment where today 2/3 don't currently deploy PIN. I mentioned Mr. Mulligan, you wanted to address this, Target tried to go with the chip technology and what happened? We did. A little more than ten years ago, we introduced what we call guest payment devices to read chip cards and we introduced the Target Visa card with chips enabled in it 10 years ago. The benefit for consumers comes with wide adoption, though. When the cards are widely used and widely read throughout the economy. We've seen that in other geographies. After we went about three years by ourselves, we determined that it didn't make much sense for us to continue given there was no real benefit to consumers broadly. We've continued to support in our case, chip and PIN, but moving to chip-enabled technology is moving forward. Speeding up your adoption of that now? We are. We accelerated that, 100 million investment for us. We'll have the guest payment devices in September. We'll have the chip-enabled cards next year. The subsidiary of data card which is also a Minnesota company, how does your company view the transmission to chip cards and how has trust and data cards been involved in making recommendations on the finance and payment networks on implementing new cards and security methods? They're a leader in financial magnetic cards, the stripe and EMV. 
We're a big supporter of the EMV technology. One of the things you combine energy, it's more secure way to do it but there's balance and usability that needs to be considered. But the chip and PIN is a more secure way to go about it. Either is better than the current magnetic stripe environment. Can I ask one more question? Many of the large data breaches and the hacking operations are perpetrated by people outside of the U.S. and there's no shortage of crimes they could be charged with but it could be hard to bring them to the courts because they operate largely overseas. In the case of the Target breach, I understand that business weekly has identified a Ukrainian operation that could be responsible. Again, the investigation is under way. This is what we read in business weekly, can you discuss how you work with law enforcement investigations, I know I asked this of the Justice Department in the Judiciary hearing. But what steps do you think we could be taking to make it easier to get these international hackers into the courtroom to stop them? As to your specific question, I do have to defer to the criminal law enforcement authorities to get into the details of that. But I will say that the FTC works very closely in terms of our own work in parallel with our criminal law partners in these areas. We, of course, are focused on the front end, how retailers and other businesses are protecting consumer information. But, again, we work in parallel with and I think our efforts are complementary with the efforts of criminal law enforcers who are seeking to locate and punish perpetrators. We do a big amount of work on the international front working with civil law and agencies around the world to address the issues that is a significant part of our own engagement and we use authority that's been given to us by congressmen under the state act to pursue civil law enforcement where needed so we want to partner with other law enforcers because we have to these days. 
Should we be doing more as we negotiate as we work with the other countries as part