Which is Massachusetts, and I've been talking to some of my colleagues from Massachusetts. Would you agree with that? I think also Oregon has a pretty good standard. There are elements of other state laws you may not consider specific data laws. A pretty high standard? It is a pretty high standard, yes. That's the starting point for us. There's been some discussion about the standard in Energy and Commerce. Would you say it's a higher standard than what our bill would propose? Our standard is a reasonableness standard. So I think the difference here is not only might there be a difference in what the language says in that bill; I think, also, we would be looking to the common law of the FTC and others to flesh out what the specific requirements are. But it's really important, as we're thinking about how strong the security standard is, to think about who has the enforcement power and who's going to be guiding the parties there. If the federal agencies are solely responsible for it, even a strong standard might not provide as strong protection as a general reasonableness standard that allows state AGs to work on a piecemeal basis. You think the standard in our bill is pretty good, a pretty high standard in terms of a federal standard? You believe the states ought to have the flexibility to go beyond that, notwithstanding some of the issues that that might create in terms of having different standards. How about this enforcement question. Have you looked at our bill in terms of the enforcement provisions in the bill, and how would you suggest they would be improved upon, in your view? I can't... I have looked at it; I'm not prepared to provide a detailed response. I would be happy to in writing, if you prefer that. I do think the key issue with respect to enforcement: your bill would only facilitate enforcement by federal agencies. What I heard you say is that allowing the state AGs some kind of role there would be an improvement?
Again, not having looked at the details there, not to put words in your mouth. Yes, yes, I believe that a very credible element here is that we must have enforcement. We are willing to try to improve the bill so we can get a greater consensus around it. We believe that, I think as you said, a national standard is important to have. 50 different standards is not the way to go. It's got to be the high bar and one that's enforceable. Would any of the other panelists like to comment on the conversation that we've just had about preemption, about the standard? I think the bill on a bipartisan basis really takes on this issue in the right way, that is, to recognize that the act of legislating to unify 46 disparate regimes would be adding a 48th regime and wouldn't serve the purposes that the legislation seeks to undertake, which is to protect consumers' financial information. And from that perspective, the bill takes the right approach to ensure that the federal regime is operative and not interfered with. Everyone agrees we need a higher standard and kind of one standard across the country. We fully agree there should be a national standard; we think the states deserve a tremendous amount of credit for having acted in the place where the federal government has not yet. That's why we believe, as a broad concept, preemption should be offered as a broad concept; state AGs should have the ability to play a role. The time of the gentleman has now expired. The gentleman from New Jersey, Mr. Garrett, chairman of our Capital Markets committee. Thank you, Mr. Chairman. Thank you for holding this hearing, an issue that hits home for a lot of folks. Let me just start. I have a couple questions; start at the basics, if I can. Governor, I'll throw it to you. When there is a breach or someone does steal your card and they go to a retailer and buy a TV, and you find out that you didn't, so on and so forth. Who actually is responsible for that? Is it... does Target have to pay the bill for that?
Does the bank that issued my... well, my Mastercard, or if it's not that, is it the bank, or is it Visa or Mastercard or Discover that's paying for that? The oversimplified version: the consumer is made whole. And the issuing bank is the one that makes them whole. However, there's a secondary process managed and run by contract between the payment networks and various players in the payment system that gets resolved through a, should we say, contractual process between Visa, Mastercard, retailers, the issuer, which people take issue with how that works from time to time. That's how it gets sorted out after the fact. Does anyone else want to give an overview? I would add to that. It's the merchant that ultimately pays for fraud in the wake of a data breach, should the data breach have occurred at a retailer. They pay a variety of fees; there's three real fees they pay total. The first one, on every transaction ever processed, a component of it is prepayment of fraud should one occur. And then post breach, there's a fee associated with issuing the cards, and so that's where the banks end up having to pay the 15 bucks or whatever it is to send me a new card. The merchant reimburses on those fees. I hear different stories on that. I've included a schedule in my written testimony. So I just got one of these cards that have the chip on it. And also, just to be clear on this, putting this chip on the card may help to some degree as far as the lost card and the stolen card, as far as going to the retailer, but as someone else on the panel said, I know it was in the testimony, this chip does absolutely nothing with regard to when they steal that information and they use it online, is that correct? I think it's important to note, the chip... the technology that's available in the United States today is 1960s-era technology. We introduced chip and PIN technology more than a decade ago. You saw an uptick of the data breaches not at the store anymore, but now online, is that correct?
That's true. Fraud moved in two directions: online and to the United States. Suddenly the United States had the weakest security in the world. It still does today. When chip-only goes into effect later this year, the United States will still have the weakest technology. We can't solve all this stuff. The bottom line is doing the chip is not going to solve it entirely. Also, to the point, what seems to be a lot of discussion as far as the disclosure information: that doesn't do anything to actually... none of it... that doesn't do anything as far as preventing the fraud in the first place. That tells me as a consumer, you were robbed and this is who's going to pay for it. Congressman, I couldn't answer your specific question about the chip, but you're absolutely right, the chip in the card prevents the card from being counterfeited; that is today the number one source of card fraud in the United States. It's about two thirds of card fraud at retail. It does not address the online issue. The online fraud issue is addressed by the other layers. The data that's on the card, when I use this chip and put it through, has my number right on it; I don't know if you can see this. Does the retailer keep that information? The retailer transacts that information. If someone breaches into it... they're instituting, many, all are moving toward it, to make sure that that information... it still is a target, not to use that company, still a target for the hacker to go into the retail, not just medical or whatever; the hospital keeps that information too, I guess. As a data source where they'll go try to breach, and they won't be going to the retailer to use it, but they'll be doing it online, still a target, maybe even a larger target? Is that true? Now with the chip? Is it a larger target because of that as well? I think it's important that we recognize the chip technology is really designed to button down the point of sale, to defend against counterfeit, lost and stolen.
It is one critical layer of security. There are other technologies that have been referenced in testimony today, such as point-to-point encryption. If I may, may I just add a short comment in response to the point about notification? Fine with me. Sure. Thank you. Thank you so much. I just wanted to say, I think notification provides an important incentive for companies to keep information more secure. I can't remember whose written testimony it was. Companies do suffer reputational harm. I think it's important because that provides information to consumers who are considering where to vote with their wallet as they're determining which service to go with. I get that, thanks. The time of the gentleman has expired. The chair recognizes the gentlelady from New York. Thank you. Thank you, Chairman, and Ranking Member, for putting this together. It's an incredibly important issue, because it affects everyone: consumers, government, retailers and financial institutions, and I also want to commend Mr. Carney and Mr. Neugebauer for putting this together. This bill would significantly strengthen the data security procedures for businesses, but in a way that is flexible and can evolve as the cyber threat changes and evolves. I am still concerned about the scope of the state preemption in the bill, and I want to keep working on the preemption enforcement. I have signed on to the bill as a co-sponsor. It is a serious, good faith effort to tackle what is a critically important issue to our economy. I'd like to commend them for their hard work and leadership on this issue. And I look forward to working with them on the enforcement and provisions in it. My first question is to Governor Pawlenty. I'd like to ask you about the standards that were put in place for the financial institutions. You mention they had worked well in the financial institutions, but I also want to know, have they proven to be overly burdensome for smaller banks and credit unions? Congresswoman Maloney, no.
The standards have been flexible. I think Congressman Neugebauer and Congressman Carney have done a good job in doing the same thing in their bill, which is to say, we're going to have standards and we're going to allow them to be scaled. I think that's a good model. In other words, they've worked well and they won't be too burdensome for smaller institutions and retailers. I'd also like to know your feelings about having a minimum or a floor standard. I know that California, Oregon have a standard that's higher. I think it's important; you have to have a floor. Do you think it should be a floor or should it be a ceiling, and why? Another great question. Right now we have nothing. Right. Something is better than nothing. Absolutely. And so a floor would be progress, but ceiling, if it's set high. We passed what we thought were nation-leading standards and notification standards. You wouldn't want a bill that undercuts the 13 or so states that have done this. If you're going to set it, set it high. Set it aspirationally, and I think that would be the best place to be and it would serve the country best. Think about the way people place data centers, the fact that there's going to be wide variance with states. As a governor, you know how valuable the creativity of the state system is to come out with solutions that are adopted in this area; it seems to evolve every day with new technologies, new ways to threaten consumers and really the security of our information. I'd like to ask Stephen Orfei, given your experience, what would you say are the most important aspects of a company's data security plan, and, other... what is the most important thing that a company could do to protect their customers, to protect their company against data breaches? Thank you for that question. I think what's most important is, in our view, the best defense against cyber criminal attacks. It really becomes a question of vigilance, and being methodical and disciplined in your approach.
And looking at and paying special attention to the fundamentals, doing the blocking and tackling, looking at the physical. It's day in and day out. It needs to be 24/7. It needs to be built into the DNA of an organization, from the CEO right down to the working level. Okay, thank you, and you mentioned in your testimony, Mr. Oxman, that you thought that sharing information was so important. And can you just expand on that? On what we need to do additionally, and expanding information in this area? Thank you, Congresswoman Maloney. The issue is companies are barred from sharing cyber threat information with each other, and in some cases with the government. The House fortunately passed a measure that we support that will eliminate those impediments to that kind of important information sharing. We support that legislation; we hope the Senate will move forward on it, and we need to make sure that companies can, without liability, share information with each other. Thank you, my time has expired. The chair recognizes the gentleman from Missouri, Mr. Luetkemeyer. Thank you, Mr. Chairman. I'm curious; I want to approach this from a different angle this morning, from a standpoint of, when we have a data breach, whose fault is it? If someone's at fault, there's going to be some liability. It would seem to me, my experience has been from the institutions I've been aware of, and I appreciate the governor's description a moment ago of who winds up paying the bill on this. Generally, the banks wind up... they're the ones that wind up footing most of the bill. It would seem to me that at some point, as a regulator, I would think that you would go into a financial institution and see a number of retailers, Target line of credit for instance, or any other local line of credit. We had a supermarket that issued debit cards; suddenly everyone in the whole area, the whole region actually, their information was breached.
There was a tremendous cost to the financial institutions. It would seem to me you would look at this as a liability exposure for the bank, from the standpoint of what you're going to have to incur by all of these retailers not having adequate protections. From Mr. Dodge's perspective, it looks like, I think, the regulators would ask the folks to have a policy in place that would protect them so the banks wouldn't be the fallback for the breach. I think you've connected the dots correctly. On your last point about cyber insurance, that's an evolving area; there's some uncertainty about how you underwrite it when you can't get your arms around it. That's an evolving and developing space, one that is... How do the standards fit into that? If you fit standards, and we get more resilient, better systems, you decrease risk. That's good for financial institutions; it's good for the payment system. A bill that says have reasonable standards: everybody's suing everybody; over time the courts are going to develop a standard that says be reasonable. It's a ten-year pathway. It's too slow and too vague. Congress can play a very important role bringing this debate forward. Mr. Dodge, would you like to comment on my question? First, the suggestion that banks are not reimbursed is not true. There's three ways we pay: the fees they pay on every transaction; after a breach, through the contracts they sign, there's a formula for reimbursement. They still suffer a loss. But my point is, if the banks have an issue with that, it's with the facilitator. Retailers sign those contracts; if there's a suggestion there's been a violation of those contracts, there's certainly the legal avenue for resolving. My question is, with regards to exposure, this seems to be an epidemic; every week you have another entity that's been breached. If that's the case, pretty soon those institutions are going to have tremendous liability sitting there. I see that as a problem that's going to have to be fixed.
I would assume you would have protection against the breach? Many retailers are buying that kind of insurance, no question about that, but the level of standard is belied by the fact that strong enforcement was brought down by the FTC, the prospects that allow the FTC to take up residence for many years. I'm disappointed you gave everyone my password to my computers. With that I yield back. Thank you, sir. The gentleman yields back. The chair now recognizes the gentleman from California. I do weird things that cause my credit card company to get concerned. I buy gasoline in Los Angeles and then a day later in Washington. Of course their computers flip out. You'd think they would send me an email, but they don't. They either call me, usually at the worst possible time, or, if they're too lazy to do that, they freeze the account and force me to call them. Is this entirely because they're not handling it right, or is there something in our statutes that we could do to facilitate or prod credit card companies to check with their cardholders by email rather than by telephone? Great question. I've had some interesting experience with cards myself personally, so you engage in similar unusual activity? Well, I'm not admitting to unusual activities, sir. Anyhow, as to the contact... another guy going to Iowa. I think the concern you raise is a good one; it's being addressed in real time by technology. The controls you can set on many cards, it's advancing by the day and month, are getting really good. On one card I have, I can get a text or email alert if it goes over a certain amount; any transaction, I can get a text or email alert. I can get a text or email alert if it goes over a certain amount, and soon I think I'm going to be able to get an alert. I'm not looking for more alerts. I'm simply looking for them to contact me by email rather than by phone or freezing my account without telling me about it.
Many cards do or will soon offer you a chance to be in the driver's seat as to how you want to get that message. I'm sure your members are aware of email. I mean, we're talking about how to upgrade to technology, and email is... If you can't, I can recommend a card that will get it to you. Not with the United Airl