b"<html>\n<title> - DATABASE SECURITY: FINDING OUT WHEN YOUR INFORMATION HAS BEEN COMPROMISED</title>\n<body><pre>[Senate Hearing 108-520]\n[From the U.S. Government Printing Office]\n\n\n\n                                                        S. Hrg. 108-520\n\n     DATABASE SECURITY: FINDING OUT WHEN YOUR INFORMATION HAS BEEN \n                              COMPROMISED\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                 SUBCOMMITTEE ON TERRORISM, TECHNOLOGY\n                         AND HOMELAND SECURITY\n\n                                 of the\n\n                       COMMITTEE ON THE JUDICIARY\n                          UNITED STATES SENATE\n\n                      ONE HUNDRED EIGHTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            NOVEMBER 4, 2003\n\n                               __________\n\n                          Serial No. J-108-52\n\n                               __________\n\n         Printed for the use of the Committee on the Judiciary\n\n\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n94-638                      WASHINGTON : DC\n____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n                       COMMITTEE ON THE JUDICIARY\n\n                     ORRIN G. HATCH, Utah, Chairman\nCHARLES E. GRASSLEY, Iowa            PATRICK J. LEAHY, Vermont\nARLEN SPECTER, Pennsylvania          EDWARD M. KENNEDY, Massachusetts\nJON KYL, Arizona                     JOSEPH R. 
BIDEN, Jr., Delaware\nMIKE DeWINE, Ohio                    HERBERT KOHL, Wisconsin\nJEFF SESSIONS, Alabama               DIANNE FEINSTEIN, California\nLINDSEY O. GRAHAM, South Carolina    RUSSELL D. FEINGOLD, Wisconsin\nLARRY E. CRAIG, Idaho                CHARLES E. SCHUMER, New York\nSAXBY CHAMBLISS, Georgia             RICHARD J. DURBIN, Illinois\nJOHN CORNYN, Texas                   JOHN EDWARDS, North Carolina\n             Bruce Artim, Chief Counsel and Staff Director\n      Bruce A. Cohen, Democratic Chief Counsel and Staff Director\n                                 ------                                \n\n      Subcommittee on Terrorism, Technology and Homeland Security\n\n                       JON KYL, Arizona, Chairman\nORRIN G. HATCH, Utah                 DIANNE FEINSTEIN, California\nARLEN SPECTER, Pennsylvania          EDWARD M. KENNEDY, Massachusetts\nMIKE DeWINE, Ohio                    JOSEPH R. BIDEN, Jr., Delaware\nJEFF SESSIONS, Alabama               HERBERT KOHL, Wisconsin\nSAXBY CHAMBLISS, Georgia             JOHN EDWARDS, North Carolina\n                Stephen Higgins, Majority Chief Counsel\n                David Hantman, Democratic Chief Counsel\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                    STATEMENTS OF COMMITTEE MEMBERS\n\n                                                                   Page\n\nFeinstein, Hon. Dianne, a U.S. Senator from the State of \n  California.....................................................     3\n    prepared statement...........................................    21\nKyl, Hon. Jon, a U.S. Senator from the State of Arizona..........     1\n    prepared statement...........................................    31\nLeahy, Hon. Patrick J., a U.S. Senator from the State of Vermont, \n  prepared statement.............................................    
34\n\n                               WITNESSES\n\nHendricks, Evan, Editor/Publisher, Privacy Times, Cabin John, \n  Maryland.......................................................     7\nMacCarthy, Mark, Senior Vice President for Public Policy, Visa \n  U.S.A., Inc., Washington, D.C..................................     6\nMcIntyre, David J., President and Chief Executive Officer, TriWest \n  Healthcare Alliance, Phoenix, Arizona..........................     3\n\n                         QUESTIONS AND ANSWERS\n\nResponses of Evan Hendricks to questions submitted by Senator \n  Feinstein......................................................    16\nResponses of Mark MacCarthy to questions submitted by Senator \n  Feinstein......................................................    17\nResponses of David McIntyre to questions submitted by Senator \n  Feinstein......................................................    19\n\n                       SUBMISSIONS FOR THE RECORD\n\nHendricks, Evan, Editor/Publisher, Privacy Times, Cabin John, \n  Maryland, prepared statement...................................    25\nMacCarthy, Mark, Senior Vice President for Public Policy, Visa \n  U.S.A., Inc., Washington, D.C., prepared statement and letter..    36\nMcIntyre, David J., President and Chief Executive Officer, TriWest \n  Healthcare Alliance, Phoenix, Arizona, prepared statement and \n  letter.........................................................    
41\n\n \n     DATABASE SECURITY: FINDING OUT WHEN YOUR INFORMATION HAS BEEN \n                              COMPROMISED\n\n                              ----------                              \n\n\n                       TUESDAY, NOVEMBER 4, 2003\n\n                              United States Senate,\n        Subcommittee on Terrorism, Technology and Homeland \n                      Security, Committee on the Judiciary,\n                                                    Washington, DC.\n    The Subcommittee met, pursuant to notice, at 10:06 a.m., in \nRoom SD-226, Dirksen Senate Office Building, Hon. Jon Kyl, \nChairman of the Subcommittee, presiding.\n    Present: Senators Kyl, Feinstein, and Schumer.\n\n  OPENING STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE \n                        STATE OF ARIZONA\n\n    Chairman Kyl. Good morning. This hearing of the Judiciary \nCommittee Subcommittee on Terrorism, Technology and Homeland \nSecurity will come to order.\n    We have been holding a series of hearings that deal with \nthe nature of terrorism in order to help us better understand \nhow we can combat terrorism. Today, we are going to take time \nout from that series, and yet the subject with which we deal, \nlike almost everything else that this Subcommittee deals with, \nalso has implications with respect to terrorism.\n    When we see stories about the theft of a Social Security \nnumber, perhaps, by a hacker, or a driver's license or \nfinancial information, we understand that this can have many \nramifications. It can not only, of course, affect terrorism, as \nI noted, but can be financially devastating for the people \ninvolved, the victims. A criminal can use this information to \ncause great financial harm.\n    Senator Feinstein has introduced a bill, S. 
1350, the \nNotification of Risk to Personal Data Act, which addresses the \nduty of a business maintaining a computerized database with \ncustomer-sensitive personal information and has provisions \nregarding informing customers of a hacking incident that would \ncompromise the personal financial data. Under the bill, notice \nwould be triggered if the hacker obtained access to a \ncustomer's Social Security number, driver's license number, or \na bank account, debit, or credit card number and the notice \nwould be provided in writing or through e-mail or by some \nsubstitute notice.\n    The notice includes notice by e-mail, the posting of notice \non the company or agency website, or notification of major \nmedia, and it is triggered if the business can demonstrate that \nthe cost of providing direct notice would be onerous, and there \nare specific provisions in the bill that relate to that.\n    Finally, under the bill, the Federal Trade Commission is \nempowered to fine entities if the violation persists. State \nAttorneys General could enforce the statute and inconsistent \nState laws would be preempted, but California's legislation on \nthis subject would be grandfathered in.\n    Today, the Committee will hear from three expert witnesses. \nThe first is from my home State of Arizona. He is no stranger \nhere to Washington, D.C., but he is involved in very successful \nventures today in Arizona. David McIntyre is the President and \nCEO of TriWest Healthcare Alliance. Mr. McIntyre has a \ndistinguished career in both health care policy and operations. 
\nEarlier this year, he guided TriWest in its successful bid for \nthe Defense Department's new West Region, serving military \nmembers, retirees, and their families in 21 Western States, \nincluding our Ranking Member's State of California, a total of \n2.6 million beneficiaries in all.\n    He will testify about the December 2002 break-in at its \nPhoenix, Arizona, offices, where thieves broke into a \nmanagement suite and stole laptop computers and computer hard \ndrives containing the names, address, telephone numbers, \nbirthdates, and Social Security numbers of 562,000 military \nservice members, dependents, and retirees. The thieves also \nstole medical claims records from people on active duty in the \nPersian Gulf.\n    The potential harm to a group obviously this large, \nparticularly to those who wear the uniform of the country, is, \nof course, staggering. And yet, to date, not a single \nindividual has suffered identity theft as a result of the crime \nagainst TriWest. Mr. McIntyre, we look forward to your \ndescription of those events and how your company responded to \nsuch a major information theft.\n    Mark MacCarthy, the Senior Vice President of Public Policy \nfor Visa, will testify about the steps that Visa takes to avoid \ndatabase security breaches and how Visa notifies its customers \nof security breaches. He will also comment on Senator \nFeinstein's legislation, S. 1350.\n    Evan Hendricks, Editor of Privacy Times, will testify about \nthe rise of database security breaches, the types of \ninformation stolen from such databases, the failure to notify \nconsumers of such breaches, and the value of notification.\n    I would like to note that the record will be kept open for \none week for questions as well as additional statements and \nwant to thank Senator Feinstein for her hard work in putting \ntogether this hearing. 
I must say that Senator Feinstein and \nher staff were the primary people helping to put this hearing \ntogether, and it is an illustration of the fact that I don't \nview my Chairmanship of this Committee as anything more than a \nCo-Chairmanship with Senator Feinstein when it comes to \naddressing important issues for the American people. So I thank \nyou, Senator Feinstein, for suggesting that we have this \nhearing and doing a great deal of the work in putting it \ntogether.\n\n  STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE \n                      STATE OF CALIFORNIA\n\n    Senator Feinstein. But you, Mr. Chairman, were the one who \nsaid, yes, let us do the hearing, and that counts for a lot, so \nthank you very much.\n    I think you have well described the bill. I think one thing \nhas to be said. I am just looking at a pre-publication version \nof the Richmond Journal of Law and Technology and there is a \nfootnote in it that is very interesting, and what it says is \nthat according to the Computer Security Institute's 2003 \nComputer Crime and Security Survey, they polled 376 \norganizations and each one admitted experiencing a security \nbreach in the past year. Half of them said they didn't do \nanything, and only a third of them reported it. So of a field, \neverybody has been hacked into and various personal information \nhas been violated, and yet nothing has happened.\n    California has passed a law. Other States are looking at \npassing laws. The problem is, will we have 50 different laws \nthroughout America?\n    Therefore, what this bill aims to do is provide a national \nstandard, a standard that will make sense, that, in essence, \ndefines what data we consider affected by the bill--Social \nSecurity numbers, as you just said, driver's license numbers, \ncredit card numbers, debit card numbers, or financial account \nnumbers.\n    And then, secondly, there is some--personal data is defined \nin the bill. 
It minimizes, we hope, the burdens on companies or \nagencies because we require that they would have to alert \nsomeone in writing or through e-mail, and then there are some \nexceptions. If the companies have developed their own \nreasonable notification policies, they have a safe harbor. \nEncrypted data is exempted, and where it is too expensive or \nimpractical to notify every individual who is harmed, the bill \nallows entities to send out an alternative form of notice \ncalled a substitute notice, and that includes posting notice on \na website or notifying major media.\n    I think we have a good bill. It may take amending, but one \nof the things I hope we are going to hear today is that a bill \nof this kind, a national standard, in effect, is really \nnecessary if we are to protect people's privacy. Thank you.\n    Chairman Kyl. Thank you, Senator Feinstein.\n    Let us go directly to our panel, and let us just go from my \nleft to right, first Mr. McIntyre, Mr. MacCarthy, and then Mr. \nHendricks. We will then interrupt--or rather than interrupting \nyou, let each of you make your statement and then we will \nquestion you at that time. I think we have a five-minute rule \nhere, so if you can stick to that, fine, but we will take all \nof your written testimony and put it in the record.\n    Mr. McIntyre?\n\n   STATEMENT OF DAVID J. MCINTYRE, JR., PRESIDENT AND CHIEF \n   EXECUTIVE OFFICER, TRIWEST HEALTHCARE ALLIANCE, PHOENIX, \n                            ARIZONA\n\n    Mr. McIntyre. Mr. Chairman, thank you for your very kind \nintroduction and for your long leadership in the important area \nof identity theft.\n    Mr. 
Chairman, Senator Feinstein, thank you for the \ninvitation to appear before you today to discuss an important \ntopic in the legislation before you that would require \norganizations that suffer the loss of consumer data to disclose \nthat loss to their customers so that they can take timely and \nmeaningful steps to protect themselves from becoming the \nvictims of identity theft. I am particularly honored to be \nbefore you today given your leadership in the effort to combat \nidentity theft.\n    My name is Dave McIntyre. As the Chairman said, I am \nPresident and CEO of TriWest Healthcare Alliance. As Chairman \nKyl stated, in mid-December, our company was the victim of a \nphysical theft of data. Thieves broke into our offices and \nstole the hard drives out of our server. We were the third such \ncrime to occur in the State of Arizona in a period of 6 months. \nPrior to that, there had been a bank that had been broken into \nafter hours and the same thing had occurred.\n    On our databases were 562,000 individuals' names, \naddresses, Social Security numbers, birthdates, and other \npersonal information. Thus, it placed those individuals, many \nof whom wear the uniform of the United States and are serving \ntoday in Iraq, in harm's way, in my opinion.\n    Health care professionals talk about the golden hour when \nthey refer to the window of time in which a heart attack victim \nmust receive medical attention in order to assure the high odds \nof survival followed by a reasonable quality of life. 
What I \nquickly discovered is that there is a golden hour when it comes \nto aiding consumers in protecting themselves against identity \ntheft.\n    I was told by industry experts that the most effective \nmeasures we could take in our case were to contact within \nseveral weeks all of our customers whose personal information \nwas contained in the database to inform them of the theft and \nassist them in contacting the credit bureaus so that they could \nplace fraud flags on their credit files.\n    It was this golden hour philosophy that guided our work and \nthat of the Department of Defense and my colleagues in that \nDepartment in the days and weeks that followed the theft, which \nran, obviously, right through the holiday period. Specifically, \nwe employed a comprehensive and integrated three-prong \ncommunication strategy.\n    First, given the holidays and the need to reach people \nregardless of where they happened to be, we contacted the media \nto aid their assistance in broadcasting nationwide the theft \nand stress the need for individuals to contact us and take \naction to protect themselves.\n    Second, given the mobile nature of our customer base, we \nworked through the military commands worldwide to disseminate \ninformation to every installation in the military.\n    Third, we sent a personal letter to every customer affected \nby the theft. 
We just sent out our fourth letter of such kind, \nadvising people of the theft, updating them on it now, and \ntelling them that they needed to add a fraud flag and then keep \nit updated so that they did not fall prey to whatever the \nthieves might have had in mind.\n    By the middle of January, our plan was fully executed, and \nI believe that the golden hour allowed those individuals to be \nprotected, and I have been told by authorities that not one \nindividual in that database has been confirmed as being a \nvictim of identity theft.\n    Based on what I have come to learn about the fastest rising \ncrime in America, identity theft, of which no American consumer \nis immune, I believe that there are three steps that Congress \nshould take to come to the aid of consumers.\n    First and perhaps most important is to require \norganizations that are the victims of the theft of their \ncustomers' personal information to take swift and effective \naction to inform the customers of the theft and what measures \nthey can take to protect themselves. I understand personally \nthe difficulty, the cost, and the awkward nature of such \ndisclosure, but to do anything less, in my opinion, is both \nwrong and indefensible. After all, it is not our organization's \ninformation. It is the information of the people who we serve \nand they have entrusted it to us so that we can serve their \nneeds.\n    It is for this reason that I appreciate Senator Feinstein's \nlong work in this area and that of the Chairman. I believe that \nthe constructive solutions of S. 
1350 are something that need \nto be enacted, now that we know the risks of this and what the \npattern of practice needs to look like.\n    The second leg of the stool is that I believe that we need \nto standardize how credit card numbers are displayed on \nreceipts, to block out all but the last four numbers so that no \none can take information from a credit card receipt and begin \nspending in another consumer's name. I believe that such \nprovisions are contained in the legislation to reauthorize the \nFair Credit Reporting Act, which I understand will be on the \nSenate floor this morning for Senate consideration and I think \nit goes a long way in addressing that issue and worthy of \nsupport.\n    And third, I believe that Federal penalties need to be \nstrengthened so it will no longer be the case that someone \nspends more time cleaning up their credit than the individual \nwho perpetrated the crime.\n    Mr. Chairman, Senator Feinstein, I congratulate you on your \ngreat work in this area as a consumer. I thank you for your \nfocus and I thank you for the opportunity to be here today.\n    [The prepared statement of Mr. McIntyre appears as a \nsubmission for the record.]\n    Senator Feinstein. Mr. Chairman, may I say one thing?\n    Chairman Kyl. Certainly.\n    Senator Feinstein. First of all, thank you, Mr. McIntyre. \nAbout Mr. MacCarthy and his company, Visa, when we introduced \nour big identity theft bill, the CEO of Visa joined us at a \npress conference and, in essence, indicated that Visa was \nvoluntarily truncating all of their credit card numbers so that \nwhen you used a Visa card at a restaurant and you signed your \nreceipt, what you got back had only a part--I forget which \npart, but only a part of the entire--the last four digits of \nthe credit card. I believe that has been in effect for a \nsubstantial period of time. So I just wanted to say thank you \nto Visa. 
I think they are a very good corporate citizen and I \nreally appreciate it. Thank you.\n    Chairman Kyl. Thank you. Mr. MacCarthy?\n\n STATEMENT OF MARK MACCARTHY, SENIOR VICE PRESIDENT FOR PUBLIC \n          POLICY, VISA U.S.A., INC., WASHINGTON, D.C.\n\n    Mr. MacCarthy. Mr. Chairman, thank you very much for the \nkind introduction, and Senator Feinstein, thank you for \nrecognizing the work that Visa does in this area. Our CEO, Carl \nPascarella, was pleased to come to Washington to help in that \nannouncement.\n    The policy you describe, which is to black out all but the \nlast four digits, has been in place for new terminals since \nJune of this year, and after a transition period, it will \naffect all terminals out in the marketplace, and that was in \nlarge part in response to your initiative in the area to push \nlegislation that would address this issue at the Federal level.\n    Thank you for the invitation to talk about the important \nissue of consumer information security today. As you know, Visa \nconsiders information security to be a top priority. We have \nlong recognized that protecting customer information is \nimportant to the integrity of our own system. We are \nimplementing a comprehensive cardholder information security \nplan that applies to all entities that store, process, \ntransmit, or hold Visa cardholder data. All participating \nentities must comply with a Visa ``digital dozen,'' 12 basic \nrequirements for safeguarding account information.\n    In addition, the Visa system includes sophisticated neural \nnetworks that flag unusual spending patterns for fraud, and \nthese systems block the authorization of transactions where \nfraud is suspected.\n    Visa also has a zero liability policy for unauthorized \ntransactions, which means that customers pay nothing at all \nwhen the transaction is unauthorized.\n    Visa also maintains a worldwide database of account numbers \nthat are lost or stolen. 
All transactions routed through the \nVisa system are checked against this file.\n    Visa believes that the appropriate response to a security \nbreach depends on the specific factors of the breach and the \ntools available to the financial institutions involved and their \ncustomers to address the illicit use of customer information. \nThe response must balance the risk of illicit use of the \ninformation against the risk that the response itself may lead \nto customer cost and inconvenience and disruption in the \nmarketplace.\n    In the context of the Visa payment system, there are many \nsteps that can be taken to control these risks. The steps \navailable to the customer include closing accounts, putting \nfraud alerts on their credit reports, reviewing credit bureau \nfiles, but these steps serve merely as backstops to the far \nmore sophisticated fraud detection systems currently in place \nin the Visa system. Moreover, closing accounts, fraud alerts, \nthe review of files of credit bureaus, all involve costs and \ninconveniences for customers, for financial institutions, and \nfor the marketplace as a whole.\n    Visa strongly supports customer notification whenever \nunauthorized access to customer information results in a \nsignificant recognizable threat that requires customer action. \nHowever, for situations that do not indicate that kind of \nsignificant risk, customer notification is not necessary.\n    Visa believes that it is critical that any notification \nrequirements be sufficiently flexible to allow notice to be \nprovided by the account-holding institution, even if the \naccount-holding institution was not the operator of the system \nwhere the breach occurred, they were not the cardholder \ninformation custodian. 
For example, this kind of flexibility \nwould allow the account-holding institution to offer a new \naccount at the same time that it advises the customer that the \nexisting account has to be closed.\n    Visa is pleased to note that the legislation, S. 1350, is \nresponsive to these issues. It establishes a general policy for \ncustomer notification in the context of security breaches and \nit permits the use of alternative notification procedures in \nthe case that includes a security program that is designed to \nblock unauthorized transactions before they are charged to a \ncustomer's account, and that is subject to examination by the \nFederal banking regulators. S. 1350 also provides for the kind \nof flexibility in delivering required notices that I just \nreferred to.\n    Finally, Visa is pleased to note that S. 1350 recognizes \nthe importance of establishing consistent procedures for \nnotifying individuals about security breaches and supersedes \ninconsistent State and local laws.\n    I appreciate the opportunity to appear before you today. \nCombating information security breaches, combating identity \ntheft will continue to be a top priority for Visa and its \nmember financial institutions and I would be happy to answer \nany questions you have.\n    Chairman Kyl. I would note, Senator Feinstein, that this is \na great panel. They are right to the second on their 5 minutes, \nso we appreciate that very much. You are very succinct, but you \nhave said it all. Thank you very much.\n    [The prepared statement of Mr. MacCarthy appears as a \nsubmission for the record.]\n    Chairman Kyl. Mr. Hendricks?\n\n STATEMENT OF EVAN HENDRICKS, EDITOR/PUBLISHER, PRIVACY TIMES, \n                      CABIN JOHN, MARYLAND\n\n    Mr. Hendricks. The advantage of having a privacy expert \nappear before you, this brings a little history. I enjoyed back \nin the late 1990's working with your staff, Senator Kyl, and \nyour consistent, Mr. 
Hardle, in getting the first identity \ntheft law passed in this country on a national level and I have \nthoroughly enjoyed working with Senator Feinstein on the FCRA \nAmendments, which go to the floor today. We really appreciate \nyour leadership on trying to fight for Americans' right to \nprivacy on that. We don't want--\n    Senator Feinstein. It is an uphill battle.\n    Mr. Hendricks. Yes, it is an uphill battle and we don't \nwant a consumer protection law to be turned into something that \ndeprives people of hard-fought privacy rights, but whether \nshort-term or long-term, we are confident that you will prevail \non that, so thank you.\n    The issue of notification first came up for me in the early \n1990's when it was discovered that information brokers were \nbribing Social Security Administration employees for wage data. \nThis was a systematic and widespread assault which led to \nSenate hearings. At that time, the Social Security \nAdministration refused to notify the people who were the \nvictims of those very serious breaches and I started raising \nthe issue then.\n    What is interesting--the reason I think this bill is a very \ngood starting point and can accomplish a lot of good in setting \na national standard here is because it is true to some of the \nissues of fair information practice principles, which really \ngovern our privacy laws, like the Fair Credit Reporting Act and \nthe Privacy Act.\n    People think privacy is hiding in the closet or just trying \nto keep things secret, but how we really define it is how we \nabide by these principles which include access and correction, \ntransparency, data security, data minimization, and limiting \nthe purposes for which data can be used. And this bill \nunderstands, goes right to the heart of sunshine is the best \ndisinfectant. It brings out transparency for the issue of how \ndata is used, and you will see how--one reason Mr. 
McIntyre was \nso successful in responding to the crisis they had is they went \nvery public and brought a lot of attention to what was going \non. So I think that is why this is a good starting point.\n    I think one of the reasons it is needed is, as mentioned, \nidentity theft is the fastest growing crime in the United \nStates. There are so many studies out this summer by the FTC, \nthe GAO, the Gartner Group, Privacy in American Business, that \nsay it is far worse than we even expected and that the biggest \nthreat to information security is by authorized insiders using \ntheir authorized insiderness to use information for \nunauthorized purposes. So, therefore, that is a real threat, \nand more and more information is being collected in databases \nand we have to have a way of notifying people when things go \nwrong.\n    Another problem is that we don't have an organizational \nculture of privacy and security. We don't see the kind of \nconsciousness that you saw in TriWest and you don't normally \nsee the kind of leadership you saw in Visa on the issues \nSenator Feinstein mentioned.\n    Just in the recent Victoria's Secret case, which was \nprosecuted by New York Attorney General Eliot Spitzer, they \nfound out that you could get access to people's purchases \nthrough their website. It was just one of those glitches, but \nwhen a customer notified Victoria's Secret about it, they said \nthere were no credit card numbers involved so what is the big \ndeal? And it was only after he went to the media that he was \nable to get attention, and it was only because Attorney General \nSpitzer investigated that they were able to get notice to the \nNew Yorkers who were affected by that, and as far as I know, \nthe other people who were affected who weren't New Yorkers did \nnot receive notice. 
So you see there is going to be an ongoing \nproblem here.\n    Another thing that is very new that is just coming up this \nyear is the outsourcing of the personal data processing to \nother countries. We know that--I think the USDA does it with \nfood stamps. The San Francisco Chronicle just did a story \nOctober 22 saying that an employee in Pakistan who was doing \nmedical transcription then was not getting paid and so her way \nof handling that was to threaten to post the medical patient \ndetails on the Internet as a way of extorting--getting paid \nwhat she was owed. The San Francisco Chronicle is now hot on \nthis story and they are pursuing it.\n    We reported that the credit bureaus, the big credit \nbureaus, Equifax outsources to Jamaica and Experian and Trans \nUnion are going to be going to either the Philippines or India \nor both. These raise serious questions about how will data be \nprotected as it goes across our borders and can Americans feel \nsecure in that. So that is another reason why this bill is so \nimportant.\n    I mentioned that fair information practices are the gold \nstandard for measuring how well are we protecting privacy, and \nthat is why this bill is a good starting point. The other \nthing to consider is whether we should provide in this bill a \nright of access to people's information. People have this right \nunder the Fair Credit Reporting Act to their credit reports. \nThey have it under the Privacy Act and the Freedom of \nInformation Act for their government records, under HIPAA for \ntheir medical records. 
We need to keep filling the gaps here \nwhere people do not have access to their records because the \ndata kept about them says a lot about them and decisions are \nbeing made on that data.\n    I think, for this bill specifically, I think we should \nconsider when notification is not required and it is really not \nconsidered a thing where it is too costly to notify people, \nwhich I think is a reasonable standard, I think we still have \nto have a way that if people want to find out what happened or \nwhat were the practices and what is their system for notifying, \nthat people have a right to find out and the company has to \nanswer their questions, because we have seen in cases in the \npast when we know there is a hack, we know there is a problem, \nbut we can't find any more information, and so people are just \nleft in the dark, not knowing what happened.\n    I think another thing, since we are trying to advance data \nsecurity, we have the 30-year-old standard from the Privacy Act \nabout how organizations should just take appropriate \nadministrative, technical, and physical safeguards to ensure \nagainst anticipated threats that can harm individuals. That \nstandard is also sort of becoming the standard for financial \ninstitutions under the Gramm-Leach-Bliley regulations.\n    I think, finally, enforcement of this bill is left to the \nFTC and the State Attorneys General, which have always been the \nleaders in enforcement in this area, but I still think you need \na private right of action for the most egregious cases. We will \nnever be able to build a bureaucracy big enough to enforce a \nsystem that is covering the records of 200 million Americans. 
\nWe don't want trivial or specious lawsuits brought, but we need \nto give people rights when the organizational behavior is \negregious or it has been going on for many years and there is a \npattern and practice, and where I think a good standard, a high \nstandard to meet for that is like gross negligence or reckless \ndisregard for people's rights. But we need to give individuals \nthe right to enforce their own rights.\n    The final thing is the Social Security number. There are \nbills pending by Senator Feinstein and others that would try \nand limit the circulation of SSNs in our society and, \nultimately, on the creation of a national standard. We think \nthis bill is a good bill to the extent that it creates a floor \nand says that you cannot have laws that are inconsistent with \nit. And I don't think you really need to out and out preempt \nstate laws because if, first of all, if you do this law, then \nStates will move on and they won't need to enact laws in the \nStates. They will see that the Congress is taking care of it, \nwhich is really why I commend you for getting out in front of \nthis issue. You save a lot of those problems.\n    Ultimately, though, I am reluctant to say we should shut \nout States altogether because this is such a fast-moving area \nand States often come up with some very creative solutions to \nthese fast-moving problems.\n    Thanks, and I apologize for going over my time.\n    Chairman Kyl. I am sure Senator Feinstein joins me in \nsaying these are all very constructive suggestions and things \nthat we obviously need to look at.\n    [The prepared statement of Mr. Hendricks appears as a \nsubmissions for the record.]\n    Chairman Kyl. The last point that you raised prompts me to \njust make an observation and raise this question, both with \nregard to the Social Security legislation and this legislation. 
\nThere are a large number of databases that are outside of the \nbusiness field, and that is obviously government of one kind or \nanother. I was just telling Senator Feinstein that the Clerk of \nthe County Court System in Maricopa County, Arizona, talked to \nme about the large volume of information which they have which \nis not in a form that would be easily protectable under the \nstandards of this legislation and it would be very good for us, \nif we are going to devise a new format, to be sure that we \ninclude that in government databases, which are also subject to \nthe same degree of hacking or theft that business databases \nare. If any of you have a comment on that, please make that.\n    Mr. Hendricks. You go first.\n    Mr. MacCarthy. I think that it is important to make sure \nthat as we are dealing with this issue, that we are dealing \nwith both hacking and physical theft, and I would say that from \nmy perspective, public institutions are not immune to this \nproblem.\n    Sir, you are talking about the Maricopa County system. The \nhead of the Arizona State University system and a number of the \nBoards of Regents, members of the Boards of Regents in Arizona \ntold me recently that our experience was an eye-opener to them, \nand they took this issue to the regents and started doing a \nstudy of the university system in the State. There isn't a week \nthat goes by in the State of Arizona that someone hasn't \nattempted to hack into either the financial, the grading \nsystem, or the personnel systems in that institution.\n    You know, this is a fast-moving train. What is going to be \ngood enough today isn't going to be good enough a couple of \nyears from now, and I think what you are doing is bringing a \nlot of necessary attention to this issue. But we do need to \nhave a dialogue about the public institutions, not just the \nprivate institutions.\n    Chairman Kyl. Thank you. 
I also note that we are planning \nright now a hearing on cyber terrorism for the first--after we \nreturn next year. It prompts me to think maybe we should expand \nthat slightly, not just to terrorism, but hacking generally and \nthe kind of things that can occur in the business sector and \nthe public sector with that.\n    Mr. MacCarthy. Right.\n    Chairman Kyl. Let me just ask two quick questions of each \nof you and then turn to Senator Feinstein. We are talking about \nsome kind of a uniform standard, I presume. My question really \nhas to do with the expense to business for that as well as how \nwe can make sure that we achieve the maximum notification for \nthe most efficient cost. Clearly--and this is a point, Mr. \nHendricks, that you mentioned--we don't want the obligations \nhere to be so onerous that we defeat our own purpose by making \nthem too expensive and, therefore, have blow-back against our \nideas here because of the expense. Mr. MacCarthy?\n    Mr. MacCarthy. Mr. Chairman, let me return to the previous \nquestion. Our cardholder information security program applies \nto all entities that touch Visa cardholder information, public \nor private. So we think any kind of security regime should \nextend across the board and include all people who hold \nsensitive data.\n    On the particular question, we think that the legislation \nis balanced. It does recognize the significant risk principle \nwhere information is provided to customers in the context of a \nsignificant risk of harm. We think it provides the flexibility \nfor working out the way that notification could take place. We \nlike its consistent national approach. We think it does--the \nkey elements that need to be in Federal legislation are \nincorporated in that bill.\n    Chairman Kyl. Thank you.\n    Mr. Hendricks. Yes, and I think this will always be a case-\nby-case, which is good about your bill, because you leave it to \nsort of you have to have a reasonableness standard. 
Let us say \nin California, all the public employees are hit by some hack. \nWell, if all those employees get the same newsletter or if you \nhave the e-mail addresses, then it becomes very inexpensive. \nAnd, of course, as we move into the electronic environment, \ncommunicating and notifying via e-mail is not expensive or \nburdensome at all. So that is something we have to look forward \nto.\n    I think that each case by case, you can get creative ways \nto try and notify people. But if you have just like a huge \npopulation, it is not feasible to have to send notice to like \n100 million people, and I don't see the bill ever requiring \nthat.\n    Mr. McIntyre. Sir, I would associate myself with the \nremarks of my colleagues on the panel.\n    Chairman Kyl. Senator Feinstein?\n    Senator Feinstein. Thank you very much. Senator Schumer \ncame in on a matter, and I missed part of your statement, Mr. \nMacCarthy, but I was going to ask you, you testified that a \nsignificant recognizable threat is necessary for disclosure. \nHow would you define significant recognizable threat?\n    Mr. MacCarthy. I think that may turn out to be a judgment \ncall, depending on the specific facts. It may be useful to \nexplain what happens in the Visa system when there is a breach \nto give you a sense of the kind of circumstance we are talking \nabout.\n    Senator Feinstein. Good. That would be helpful.\n    Mr. MacCarthy. When there is a breach, the cardholder \nnumbers that are affected are treated as a separate group of \naccount numbers, a portfolio, if you will--\n    Senator Feinstein. So you immediately know which \ncardholders are affected?\n    Mr. MacCarthy. If the merchant or the processor or the \nperson who had the breach notifies us, then given the \ncardholder numbers, we know immediately the financial \ninstitutions involved and they will know immediately the names \nof the people involved based on the cardholder number that they \nhave.\n    Senator Feinstein. 
Do you do regular reviews to find this?\n    Mr. MacCarthy. In the context that I am talking about--\n    Senator Feinstein. Because a hacker is not going to tell \nyou before they do it.\n    Mr. MacCarthy. No, they don't tell you before, but when \nthere is a breach, typically what happens is the entity that \nholds the cardholder information knows about the breach very \nshortly after it happens and they inform us directly. It is \nrequired under our rules that they tell Visa directly that \nthere has been a breach and provide us with the cardholder \nnumbers. When that happens, we then keep those numbers in a \ncentral computer location, treat them as a group. We also \nnotify the financial institutions immediately--\n    Senator Feinstein. Stop for a minute. You mean if I hold, \nsay, a Visa on Bank of America, the Bank of America would \nnotify you?\n    Mr. MacCarthy. For example, a merchant that--not Bank of \nAmerica, or it could be Bank of America if they are the \ncustodian of information that has had a cardholder breach. But \nin a typical circumstance, it is a third party, a merchant or a \nprocessor, that keeps Visa information on file as part of the \ntransaction that they have had with you.\n    Senator Feinstein. And explain to me, how does he know?\n    Mr. MacCarthy. Well, this is what happens when a breach \noccurs. The entity that is the custodian of the information \ntypically knows that there has been a breach, sometimes not \nimmediately, but typically they do find out, and when they do \nfind out that there has been a breach, they notify us. They \nnotify the FBI, the Secret Service. They work with law \nenforcement very, very quickly to see if they can control the \nconsequences of the breach.\n    Once we get the information, we have the cardholder \ninformation, we can look at those accounts and we can tell \nwhether or not there is any unusual pattern of fraud, any types \nof fraud, any elevated risk to cardholders. 
And when you notice \nthat there are those patterns of excess fraud, unusual patterns \nor suspicious patterns, the cardholder's institution and Visa \nwork together to make sure that the cardholder is notified, and \nin some situations, instead of just notification, the account \nis terminated and a new card is issued.\n    Senator Feinstein. Can you just give us an approximate \nnumber of breaches that you would have this way in a year?\n    Mr. MacCarthy. I can't give you that information at this \npoint. Let me go back and work on that and see if I can get \nback to you on it.\n    Senator Feinstein. I mean, is it thousands?\n    Mr. MacCarthy. In some circumstances, in single breaches, \nyou could have a large number of cardholders' information that \nare compromised, and those, as I say, are then put on special \nwatch to make sure that there is no risk of harm to consumers \nin that kind of context.\n    And also in that kind of circumstance, if there is \nunauthorized use of cardholder information, the cardholder \nhimself or herself is not responsible for paying the bill. It \nis unauthorized use. They have zero liability.\n    Senator Feinstein. Thank you. Anybody else?\n    Mr. Hendricks. In the case earlier this year, the famous \none, which I think was called DPI, it was a credit card \nprocessing company, it was known that there were over 10 \nmillion credit card numbers were taken in that hack, but there \nis no evidence that anything was ever done with them.\n    One of the problems that we had from our side in that is \nthat you couldn't find out which member banks were the ones \nhit, because under contract, they are not allowed to disclose \nthat. So their contracts did not allow the kind of transparency \nwe needed to assure consumers that they were safe in this \nthing.\n    You asked, well, how do you define a significant threat? 
I \nthink one way you don't want to do is restrict it to simply \neconomic harm or theft of your credit card number and purchases \nmade. What I have seen over the years, and statistics bear me \nout, what Americans really care about is protection of their \nreputation and their good name, and that is why you see the \ncomplaints to the Federal Trade Commission are overwhelmingly \nabout identity theft, because they don't lose money out of \npocket on that, but it directly attacks their reputation and \ngood name, where complaints about Internet scams and other \nforms of fraud which do involve out-of-pocket losses are down \nin the eight to ten percent level where identity theft is up in \nthe 42 percent level. So we want to make sure that we define it \nin a way so we include both economic harm, harm to reputation \nand good name, and the emotional distress arising from when you \nknow your information is taken and the steps are not being \ntaken to protect it.\n    Senator Feinstein. Thank you. Thank you.\n    Mr. McIntyre, do you have any comments on that point?\n    Mr. McIntyre. I think Mr. MacCarthy had a follow-up and \nthen I would be glad to comment.\n    Senator Feinstein. All right, fine.\n    Mr. MacCarthy. Back on the DIP case, Evan is right that \nthere were about ten million cards that were compromised. Some \nof them were Visa cards, but there were also Master Card, \nAmerican Express, and Discover cards involved. We put them on a \nwatch on the Visa cards and there is no excess of fraud among \nthose cards. So the harm to consumer isn't present in that kind \nof circumstance.\n    We did, however, think that the processor involved hadn't \ndone everything that they could do to keep the information \nsafe. They had not been in compliance with our cardholder \ninformation security program and the violation wasn't small, it \nwas egregious. We fined them $500,000.\n    Senator Feinstein. Wow.\n    Mr. MacCarthy. 
And they are on special watch at this point. \nThey can't sign up any more merchants until they have satisfied \nus that their procedures in place are adequate.\n    Senator Feinstein. Good for you.\n    Mr. McIntyre. Senator, I think that the definition around \nwhat is significant will be fluid and I think the way your \nlegislation is written provides for reasonable coverage of that \ndefinition. From a business point of view, I don't find it to \nbe egregious at all.\n    The issue with regard to what Mark was talking about on the \nVisa side, I have been monitoring this issue very closely at a \npersonal level since the middle of December, since I learned a \nlot more about this topic, and it was ironic, because the day \nafter our theft when we started working on what we were going \nto do in response to it, I got a call from my Visa card company \nsaying, we wanted to make sure that you were traveling to such-\nand-such a location and such-and-such a location and such-and-\nsuch a location, because I had been in three States in 1 day, \nand that is not the typical pattern of travel for most people, \nand I had shopped or eaten in three different places in a day. \nI think the Visa card companies have done a great job in being \nable to track that.\n    Significant to the standard today is going to be different \nthan significant to the standard 2 years from now when we are \nmuch more complex in terms of the capability to both see \nphysical theft as well as hacking in this area.\n    Senator Feinstein. [Presiding.] Very good. Incidentally, \nSenator Kyl had to leave. He had an urgent appointment, so I \nwould essentially like to do this. I think you have all \nreviewed the legislation. If you have any other comments on how \nwe might strengthen it or, Mr. 
MacCarthy, for example, on the \nsafe harbor, if a company has its own procedures that are \nadequate, that may need some more defining, we would really \nappreciate it.\n    Let me ask you if you have any other remarks to make on the \nsubject. If not, I will close the hearing.\n    Mr. McIntyre. The last observation that I would offer, and \nI know that this has been an area of great focus for you for \nsome time, and that is the use of Social Security numbers. \nAfter we suffered the theft in our State, we made a commitment \nthat this was a public affairs area that we are going to remain \nin for some time because we went so public and it gave us a \nplatform to help other businesses and entities in the State of \nArizona.\n    And one of the things that we did as a spinoff from that \nwas to let the Blue Cross-Blue Shield Association know that \nhaving your Social Security number on your insurance card \nprobably isn't a very good idea and that there needs to be some \nway to begin to pare down those numbers. They are looking at \nthat issue.\n    You know, when you get into the health care space, everyone \nsees doctors every year and gets health care experience in the \nmarketplace every year, and oftentimes what they get back is a \nreport from their insurance company through the claims \nprocessor. And more often than not, what is contained on those \nforms is your entire Social Security number.\n    I reviewed this issue with the Department of Defense, as \nwell, because we used to have an identification number for \nmilitary personnel. Prior to that, it was Social Security \nnumbers. Now we are at a Social Security number again. 
And the \nquestion was, what do we do to protect the military personnel \nfrom the misuse of their identity through payroll acquisition \nor whatever?\n    And in looking at that, it seems to me that the same \nprinciple could be applied as the one that is being applied on \nthe credit card side, which is to ``X'' out all but the last \nfour numbers. We have proposed that to the DOD on the health \ncare side and we are in the process of working that through.\n    Senator Feinstein. On the Social Security number?\n    Mr. McIntyre. That is correct, in addition to the credit \ncards. So you could apply the same concept there. It is easy to \nbuild software from a practical operations perspective to put \nin place to scrub the numbers as they go through. But to upend \nan entire system and go to a new identification number is \nsomething that is fraught with all kinds of other issues. And \neven then, I would say you need to truncate those numbers \nexcept for all but very critical use.\n    So you are on the right issue. This is a very, very \nimportant area and I think that you have got your arms wrapped \naround the right legs of the stool and look forward to \nsupporting you as you move forward.\n    Senator Feinstein. Thank you. One thing that you might be \nable to help with is Senator Gregg and I have had a Social \nSecurity number bill--\n    Mr. McIntyre. Yes, ma'am.\n    Senator Feinstein. --to prevent its commercialization and \nselling it and that kind of thing. We have had a devil of a \ntime getting it out of the Finance Committee, where it seems to \nbe residing, and we don't want it to find its burial place \nthere. So anything you could do to weigh in on that, and \nperhaps take a look at the bill and see if you have any \nconcerns about it--\n    Mr. McIntyre. We would be glad to do that.\n    Senator Feinstein. We would appreciate that very much.\n    Mr. McIntyre. 
Yes, Senator, and we look forward to serving \nthe constituents in your good State.\n    Senator Feinstein. Thank you. Thank you very much. And the \nsame would go for you, Mr. Hendricks, and even Mr. MacCarthy, \nif you would like.\n    Let me thank you for your testimony today. I think it has \nbeen very useful. I think this is a hard area to negotiate in \nand to legislate in because the technology moves so fast, it is \nhard to keep up with it. But I really appreciate your testimony \nand I appreciate your support of the bill. So thank you very \nmuch, and the hearing is adjourned.\n    [Whereupon, at 10:50 a.m., the Subcommittee was adjourned.]\n    [Questions and answers and submissions for the record \nfollow.]\n\n[GRAPHIC] [TIFF OMITTED] T4638.001\n\n[GRAPHIC] [TIFF OMITTED] T4638.002\n\n[GRAPHIC] [TIFF OMITTED] T4638.003\n\n[GRAPHIC] [TIFF OMITTED] T4638.004\n\n[GRAPHIC] [TIFF OMITTED] T4638.005\n\n[GRAPHIC] [TIFF OMITTED] T4638.006\n\n[GRAPHIC] [TIFF OMITTED] T4638.007\n\n[GRAPHIC] [TIFF OMITTED] T4638.008\n\n[GRAPHIC] [TIFF OMITTED] T4638.009\n\n[GRAPHIC] [TIFF OMITTED] T4638.010\n\n[GRAPHIC] [TIFF OMITTED] T4638.011\n\n[GRAPHIC] [TIFF OMITTED] T4638.012\n\n[GRAPHIC] [TIFF OMITTED] T4638.013\n\n[GRAPHIC] [TIFF OMITTED] T4638.014\n\n[GRAPHIC] [TIFF OMITTED] T4638.015\n\n[GRAPHIC] [TIFF OMITTED] T4638.016\n\n[GRAPHIC] [TIFF OMITTED] T4638.017\n\n[GRAPHIC] [TIFF OMITTED] T4638.018\n\n[GRAPHIC] [TIFF OMITTED] T4638.019\n\n[GRAPHIC] [TIFF OMITTED] T4638.020\n\n[GRAPHIC] [TIFF OMITTED] T4638.021\n\n[GRAPHIC] [TIFF OMITTED] T4638.022\n\n[GRAPHIC] [TIFF OMITTED] T4638.023\n\n[GRAPHIC] [TIFF OMITTED] T4638.024\n\n[GRAPHIC] [TIFF OMITTED] T4638.025\n\n[GRAPHIC] [TIFF OMITTED] T4638.026\n\n[GRAPHIC] [TIFF OMITTED] T4638.027\n\n[GRAPHIC] [TIFF OMITTED] T4638.028\n\n[GRAPHIC] [TIFF OMITTED] T4638.029\n\n[GRAPHIC] [TIFF OMITTED] T4638.030\n\n[GRAPHIC] [TIFF OMITTED] T4638.031\n\n[GRAPHIC] [TIFF OMITTED] T4638.032\n\n[GRAPHIC] [TIFF OMITTED] T4638.033\n\n[GRAPHIC] 
[TIFF OMITTED] T4638.034\n\n[GRAPHIC] [TIFF OMITTED] T4638.035\n\n[GRAPHIC] [TIFF OMITTED] T4638.036\n\n[GRAPHIC] [TIFF OMITTED] T4638.037\n\n                                 <all>\n\x1a\n</pre></body></html>\n"