[Senate Hearing 108-520]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 108-520

     DATABASE SECURITY: FINDING OUT WHEN YOUR INFORMATION HAS BEEN 
                              COMPROMISED

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON TERRORISM, TECHNOLOGY
                         AND HOMELAND SECURITY

                                 of the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                            NOVEMBER 4, 2003

                               __________

                          Serial No. J-108-52

                               __________

         Printed for the use of the Committee on the Judiciary



                    U.S. GOVERNMENT PRINTING OFFICE
94-638                      WASHINGTON : DC
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                       COMMITTEE ON THE JUDICIARY

                     ORRIN G. HATCH, Utah, Chairman
CHARLES E. GRASSLEY, Iowa            PATRICK J. LEAHY, Vermont
ARLEN SPECTER, Pennsylvania          EDWARD M. KENNEDY, Massachusetts
JON KYL, Arizona                     JOSEPH R. BIDEN, Jr., Delaware
MIKE DeWINE, Ohio                    HERBERT KOHL, Wisconsin
JEFF SESSIONS, Alabama               DIANNE FEINSTEIN, California
LINDSEY O. GRAHAM, South Carolina    RUSSELL D. FEINGOLD, Wisconsin
LARRY E. CRAIG, Idaho                CHARLES E. SCHUMER, New York
SAXBY CHAMBLISS, Georgia             RICHARD J. DURBIN, Illinois
JOHN CORNYN, Texas                   JOHN EDWARDS, North Carolina
             Bruce Artim, Chief Counsel and Staff Director
      Bruce A. Cohen, Democratic Chief Counsel and Staff Director
                                 ------                                

      Subcommittee on Terrorism, Technology and Homeland Security

                       JON KYL, Arizona, Chairman
ORRIN G. HATCH, Utah                 DIANNE FEINSTEIN, California
ARLEN SPECTER, Pennsylvania          EDWARD M. KENNEDY, Massachusetts
MIKE DeWINE, Ohio                    JOSEPH R. BIDEN, Jr., Delaware
JEFF SESSIONS, Alabama               HERBERT KOHL, Wisconsin
SAXBY CHAMBLISS, Georgia             JOHN EDWARDS, North Carolina
                Stephen Higgins, Majority Chief Counsel
                David Hantman, Democratic Chief Counsel


                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page

Feinstein, Hon. Dianne, a U.S. Senator from the State of 
  California.....................................................     3
    prepared statement...........................................    21
Kyl, Hon. Jon, a U.S. Senator from the State of Arizona..........     1
    prepared statement...........................................    31
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont, 
  prepared statement.............................................    34

                               WITNESSES

Hendricks, Evan, Editor/Publisher, Privacy Times, Cabin John, 
  Maryland.......................................................     7
MacCarthy, Mark, Senior Vice President for Public Policy, Visa 
  U.S.A., Inc., Washington, D.C..................................     6
McIntyre, David J., President and Chief Executive Officer, TriWest 
  Healthcare Alliance, Phoenix, Arizona..........................     3

                         QUESTIONS AND ANSWERS

Responses of Evan Hendricks to questions submitted by Senator 
  Feinstein......................................................    16
Responses of Mark MacCarthy to questions submitted by Senator 
  Feinstein......................................................    17
Responses of David McIntyre to questions submitted by Senator 
  Feinstein......................................................    19

                       SUBMISSIONS FOR THE RECORD

Hendricks, Evan, Editor/Publisher, Privacy Times, Cabin John, 
  Maryland, prepared statement...................................    25
MacCarthy, Mark, Senior Vice President for Public Policy, Visa 
  U.S.A., Inc., Washington, D.C., prepared statement and letter..    36
McIntyre, David J., President and Chief Executive Officer, TriWest 
  Healthcare Alliance, Phoenix, Arizona, prepared statement and 
  letter.........................................................    41

 
     DATABASE SECURITY: FINDING OUT WHEN YOUR INFORMATION HAS BEEN 
                              COMPROMISED

                              ----------                              


                       TUESDAY, NOVEMBER 4, 2003

                              United States Senate,
        Subcommittee on Terrorism, Technology and Homeland 
                      Security, Committee on the Judiciary,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10:06 a.m., in 
Room SD-226, Dirksen Senate Office Building, Hon. Jon Kyl, 
Chairman of the Subcommittee, presiding.
    Present: Senators Kyl, Feinstein, and Schumer.

   OPENING STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE 
                         STATE OF ARIZONA

    Chairman Kyl. Good morning. This hearing of the Judiciary 
Committee Subcommittee on Terrorism, Technology and Homeland 
Security will come to order.
    We have been holding a series of hearings that deal with 
the nature of terrorism in order to help us better understand 
how we can combat terrorism. Today, we are going to take time 
out from that series, and yet the subject with which we deal, 
like almost everything else that this Subcommittee deals with, 
also has implications with respect to terrorism.
    When we see stories about the theft of a Social Security 
number, perhaps, by a hacker, or a driver's license or 
financial information, we understand that this can have many 
ramifications. It can not only, of course, affect terrorism, as 
I noted, but can be financially devastating for the people 
involved, the victims. A criminal can use this information to 
cause great financial harm.
    Senator Feinstein has introduced a bill, S. 1350, the 
Notification of Risk to Personal Data Act, which addresses the 
duty of a business maintaining a computerized database with 
customer-sensitive personal information and has provisions 
regarding informing customers of a hacking incident that would 
compromise the personal financial data. Under the bill, notice 
would be triggered if the hacker obtained access to a 
customer's Social Security number, driver's license number, or 
a bank account, debit, or credit card number and the notice 
would be provided in writing or through e-mail or by some 
substitute notice.
    The notice includes notice by e-mail, the posting of notice 
on the company or agency website, or notification of major 
media, and it is triggered if the business can demonstrate that 
the cost of providing direct notice would be onerous, and there 
are specific provisions in the bill that relate to that.
    Finally, under the bill, the Federal Trade Commission is 
empowered to fine entities if the violation persists. State 
Attorneys General could enforce the statute and inconsistent 
State laws would be preempted, but California's legislation on 
this subject would be grandfathered in.
    Today, the Committee will hear from three expert witnesses. 
The first is from my home State of Arizona. He is no stranger 
here to Washington, D.C., but he is involved in very successful 
ventures today in Arizona. David McIntyre is the President and 
CEO of TriWest Healthcare Alliance. Mr. McIntyre has a 
distinguished career in both health care policy and operations. 
Earlier this year, he guided TriWest in its successful bid for 
the Defense Department's new West Region, serving military 
members, retirees, and their families in 21 Western States, 
including our Ranking Member's State of California, a total of 
2.6 million beneficiaries in all.
    He will testify about the December 2002 break-in at its 
Phoenix, Arizona, offices, where thieves broke into a 
management suite and stole laptop computers and computer hard 
drives containing the names, address, telephone numbers, 
birthdates, and Social Security numbers of 562,000 military 
service members, dependents, and retirees. The thieves also 
stole medical claims records from people on active duty in the 
Persian Gulf.
    The potential harm to a group obviously this large, 
particularly to those who wear the uniform of the country, is, 
of course, staggering. And yet, to date, not a single 
individual has suffered identity theft as a result of the crime 
against TriWest. Mr. McIntyre, we look forward to your 
description of those events and how your company responded to 
such a major information theft.
    Mark MacCarthy, the Senior Vice President of Public Policy 
for Visa, will testify about the steps that Visa takes to avoid 
database security breaches and how Visa notifies its customers 
of security breaches. He will also comment on Senator 
Feinstein's legislation, S. 1350.
    Evan Hendricks, Editor of Privacy Times, will testify about 
the rise of database security breaches, the types of 
information stolen from such databases, the failure to notify 
consumers of such breaches, and the value of notification.
    I would like to note that the record will be kept open for 
one week for questions as well as additional statements and 
want to thank Senator Feinstein for her hard work in putting 
together this hearing. I must say that Senator Feinstein and 
her staff were the primary people helping to put this hearing 
together, and it is an illustration of the fact that I don't 
view my Chairmanship of this Committee as anything more than a 
Co-Chairmanship with Senator Feinstein when it comes to 
addressing important issues for the American people. So I thank 
you, Senator Feinstein, for suggesting that we have this 
hearing and doing a great deal of the work in putting it 
together.

  STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE 
                      STATE OF CALIFORNIA

    Senator Feinstein. But you, Mr. Chairman, were the one who 
said, yes, let us do the hearing, and that counts for a lot, so 
thank you very much.
    I think you have well described the bill. I think one thing 
has to be said. I am just looking at a pre-publication version 
of the Richmond Journal of Law and Technology and there is a 
footnote in it that is very interesting, and what it says is 
that according to the Computer Security Institute's 2003 
Computer Crime and Security Survey, they polled 376 
organizations and each one admitted experiencing a security 
breach in the past year. Half of them said they didn't do 
anything, and only a third of them reported it. So of a field, 
everybody has been hacked into and various personal information 
has been violated, and yet nothing has happened.
    California has passed a law. Other States are looking at 
passing laws. The problem is, will we have 50 different laws 
throughout America?
    Therefore, what this bill aims to do is provide a national 
standard, a standard that will make sense, that, in essence, 
defines what data we consider affected by the bill--Social 
Security numbers, as you just said, driver's license numbers, 
credit card numbers, debit card numbers, or financial account 
numbers.
    And then, secondly, there is some--personal data is defined 
in the bill. It minimizes, we hope, the burdens on companies or 
agencies because we require that they would have to alert 
someone in writing or through e-mail, and then there are some 
exceptions. If the companies have developed their own 
reasonable notification policies, they have a safe harbor. 
Encrypted data is exempted, and where it is too expensive or 
impractical to notify every individual who is harmed, the bill 
allows entities to send out an alternative form of notice 
called a substitute notice, and that includes posting notice on 
a website or notifying major media.
    I think we have a good bill. It may take amending, but one 
of the things I hope we are going to hear today is that a bill 
of this kind, a national standard, in effect, is really 
necessary if we are to protect people's privacy. Thank you.
    Chairman Kyl. Thank you, Senator Feinstein.
    Let us go directly to our panel, and let us just go from my 
left to right, first Mr. McIntyre, Mr. MacCarthy, and then Mr. 
Hendricks. We will then interrupt--or rather than interrupting 
you, let each of you make your statement and then we will 
question you at that time. I think we have a five-minute rule 
here, so if you can stick to that, fine, but we will take all 
of your written testimony and put it in the record.
    Mr. McIntyre?

   STATEMENT OF DAVID J. MCINTYRE, JR., PRESIDENT AND CHIEF 
   EXECUTIVE OFFICER, TRIWEST HEALTHCARE ALLIANCE, PHOENIX, 
                            ARIZONA

    Mr. McIntyre. Mr. Chairman, thank you for your very kind 
introduction and for your long leadership in the important area 
of identity theft.
    Mr. Chairman, Senator Feinstein, thank you for the 
invitation to appear before you today to discuss an important 
topic in the legislation before you that would require 
organizations that suffer the loss of consumer data to disclose 
that loss to their customers so that they can take timely and 
meaningful steps to protect themselves from becoming the 
victims of identity theft. I am particularly honored to be 
before you today given your leadership in the effort to combat 
identity theft.
    My name is Dave McIntyre. As the Chairman said, I am 
President and CEO of TriWest Healthcare Alliance. As Chairman 
Kyl stated, in mid-December, our company was the victim of a 
physical theft of data. Thieves broke into our offices and 
stole the hard drives out of our server. We were the third such 
crime to occur in the State of Arizona in a period of 6 months. 
Prior to that, there had been a bank that had been broken into 
after hours and the same thing had occurred.
    On our databases were 562,000 individuals' names, 
addresses, Social Security numbers, birthdates, and other 
personal information. Thus, it placed those individuals, many 
of whom wear the uniform of the United States and are serving 
today in Iraq, in harm's way, in my opinion.
    Health care professionals talk about the golden hour when 
they refer to the window of time in which a heart attack victim 
must receive medical attention in order to assure the high odds 
of survival followed by a reasonable quality of life. What I 
quickly discovered is that there is a golden hour when it comes 
to aiding consumers in protecting themselves against identity 
theft.
    I was told by industry experts that the most effective 
measures we could take in our case was to contact within 
several weeks all of our customers whose personal information 
was contained in the database to inform them of the theft and 
assist them in contacting the credit bureaus so that they could 
place fraud flags on their credit files.
    It was this golden hour philosophy that guided our work and 
that of the Department of Defense and my colleagues in that 
Department in the days and weeks that followed the theft, which 
ran, obviously, right through the holiday period. Specifically, 
we employed a comprehensive and integrated three-prong 
communication strategy.
    First, given the holidays and the need to reach people 
regardless of where they happened to be, we contacted the media 
to aid their assistance in broadcasting nationwide the theft 
and stress the need for individuals to contact us and take 
action to protect themselves.
    Second, given the mobile nature of our customer base, we 
worked through the military commands worldwide to disseminate 
information to every installation in the military.
    Third, we sent a personal letter to every customer affected 
by the theft. We just sent out our fourth letter of such kind, 
advising people of the theft, updating them on it now, and 
telling them that they needed to add a fraud flag and then keep 
it updated so that they did not fall prey to whatever the 
thieves might have had in mind.
    By the middle of January, our plan was fully executed, and 
I believe that the golden hour allowed those individuals to be 
protected, and I have been told by authorities that not one 
individual in that database has been confirmed as being a 
victim of identity theft.
    Based on what I have come to learn about the fastest rising 
crime in America, identity theft, of which no American consumer 
is immune, I believe that there are three steps that Congress 
should take to come to the aid of consumers.
    First and perhaps most important is to require 
organizations that are the victims of the theft of their 
customers' personal information to take swift and effective 
action to inform the customers of the theft and what measures 
they can take to protect themselves. I understand personally 
the difficulty, the cost, and the awkward nature of such 
disclosure, but to do anything less, in my opinion, is both 
wrong and indefensible. After all, it is not our organization's 
information. It is the information of the people who we serve 
and they have entrusted it to us so that we can serve their 
needs.
    It is for this reason that I appreciate Senator Feinstein's 
long work in this area and that of the Chairman. I believe that 
the constructive solutions of S. 1350 are something that need 
to be enacted, now that we know the risks of this and what the 
pattern of practice needs to look like.
    The second leg of the stool is that I believe that we need 
to standardize how credit card numbers are displayed on 
receipts, to block out all but the last four numbers so that no 
one can take information from a credit card receipt and begin 
spending in another consumer's name. I believe that such 
provisions are contained in the legislation to reauthorize the 
Fair Credit Reporting Act, which I understand will be on the 
Senate floor this morning for Senate consideration and I think 
it goes a long way in addressing that issue and worthy of 
support.
    And third, I believe that Federal penalties need to be 
strengthened so it will no longer be the case that someone 
spends more time cleaning up their credit than the individual 
who perpetrated the crime.
    Mr. Chairman, Senator Feinstein, I congratulate you on your 
great work in this area as a consumer. I thank you for your 
focus and I thank you for the opportunity to be here today.
    [The prepared statement of Mr. McIntyre appears as a 
submission for the record.]
    Senator Feinstein. Mr. Chairman, may I say one thing?
    Chairman Kyl. Certainly.
    Senator Feinstein. First of all, thank you, Mr. McIntyre. 
About Mr. MacCarthy and his company, Visa, when we introduced 
our big identity theft bill, the CEO of Visa joined us at a 
press conference and, in essence, indicated that Visa was 
voluntarily truncating all of their credit card numbers so that 
when you used a Visa card at a restaurant and you signed your 
receipt, what you got back had only a part--I forget which 
part, but only a part of the entire--the last four digits of 
the credit card. I believe that has been in effect for a 
substantial period of time. So I just wanted to say thank you 
to Visa. I think they are a very good corporate citizen and I 
really appreciate it. Thank you.
    Chairman Kyl. Thank you. Mr. MacCarthy?

 STATEMENT OF MARK MACCARTHY, SENIOR VICE PRESIDENT FOR PUBLIC 
          POLICY, VISA U.S.A., INC., WASHINGTON, D.C.

    Mr. MacCarthy. Mr. Chairman, thank you very much for the 
kind introduction, and Senator Feinstein, thank you for 
recognizing the work that Visa does in this area. Our CEO, Carl 
Pascarella, was pleased to come to Washington to help in that 
announcement.
    The policy you describe, which is to black out all but the 
last four digits, has been in place for new terminals since 
June of this year, and after a transition period, it will 
affect all terminals out in the marketplace, and that was in 
large part in response to your initiative in the area to push 
legislation that would address this issue at the Federal level.
    Thank you for the invitation to talk about the important 
issue of consumer information security today. As you know, Visa 
considers information security to be a top priority. We have 
long recognized that protecting customer information is 
important to the integrity of our own system. We are 
implementing a comprehensive cardholder information security 
plan that applies to all entities that store, process, 
transmit, or hold Visa cardholder data. All participating 
entities must comply with a Visa ``digital dozen,'' 12 basic 
requirements for safeguarding account information.
    In addition, the Visa system includes sophisticated neural 
networks that flag unusual spending patterns for fraud, and 
these systems block the authorization of transactions where 
fraud is suspected.
    Visa also has a zero liability policy for unauthorized 
transactions, which means that customers pay nothing at all 
when the transaction is unauthorized.
    Visa also maintains a worldwide database of account numbers 
that are lost or stolen. All transactions routed through the 
Visa system are checked against this file.
    Visa believes that the appropriate response to a security 
breach depends on the specific factors of the breach and the 
tools available to the financial institutions involved and its 
customers to address the illicit use of customer information. 
The response must balance the risk of illicit use of the 
information against the risk that the response itself may lead 
to customer cost and inconvenience and disruption in the 
marketplace.
    In the context of the Visa payment system, there are many 
steps that can be taken to control these risks. The steps 
available to the customer include closing accounts, putting 
fraud alerts on their credit reports, reviewing credit bureau 
files, but these steps serve merely as backstops to the far 
more sophisticated fraud detection systems currently in place 
in the Visa system. Moreover, closing accounts, fraud alerts, 
the review of files of credit bureaus, all involve costs and 
inconveniences for customers, for financial institutions, and 
for the marketplace as a whole.
    Visa strongly supports customer notification whenever 
unauthorized access to customer information results in a 
significant recognizable threat that requires customer action. 
However, for situations that do not indicate that kind of 
significant risk, customer notification is not necessary.
    Visa believes that it is critical that any notification 
requirements be sufficiently flexible to allow notice to be 
provided by the account-holding institution, even if the 
account-holding institution was not the operator of the system 
where the breach occurred, they were not the cardholder 
information custodian. For example, this kind of flexibility 
would allow the account-holding institution to offer a new 
account at the same time that it advises the customer that the 
existing account has to be closed.
    Visa is pleased to note that the legislation, S. 1350, is 
responsive to these issues. It establishes a general policy for 
customer notification in the context of security breaches and 
it permits the use of alternative notification procedures in 
the case that includes a security program that is designed to 
block unauthorized transactions before they are charged to a 
customer's account, and that is subject to examination by the 
Federal banking regulators. S. 1350 also provides for the kind 
of flexibility in delivering required notices that I just 
referred to.
    Finally, Visa is pleased to note that S. 1350 recognizes 
the importance of establishing consistent procedures for 
notifying individuals about security breaches and supersedes 
inconsistent State and local laws.
    I appreciate the opportunity to appear before you today. 
Combatting information security breaches, combatting identity 
theft will continue to be a top priority for Visa and its 
member financial institutions and I would be happy to answer 
any questions you have.
    Chairman Kyl. I would note, Senator Feinstein, that this is 
a great panel. They are right to the second on their 5 minutes, 
so we appreciate that very much. You are very succinct, but you 
have said it all. Thank you very much.
    [The prepared statement of Mr. MacCarthy appears as a 
submission for the record.]
    Chairman Kyl. Mr. Hendricks?

 STATEMENT OF EVAN HENDRICKS, EDITOR/PUBLISHER, PRIVACY TIMES, 
                      CABIN JOHN, MARYLAND

    Mr. Hendricks. The advantage of having a privacy expert 
appear before you, this brings a little history. I enjoyed back 
in the late 1990's working with your staff, Senator Kyl, and 
your consistent, Mr. Hardle, in getting the first identity 
theft law passed in this country on a national level and I have 
thoroughly enjoyed working with Senator Feinstein on the FCRA 
Amendments, which go to the floor today. We really appreciate 
your leadership on trying to fight for Americans' right to 
privacy on that. We don't want--
    Senator Feinstein. It is an uphill battle.
    Mr. Hendricks. Yes, it is an uphill battle and we don't 
want a consumer protection law to be turned into something that 
deprives people of hard-fought privacy rights, but whether 
short-term or long-term, we are confident that you will prevail 
on that, so thank you.
    The issue of notification first came up for me in the early 
1990's when it was discovered that information brokers were 
bribing Social Security Administration employees for wage data. 
This was a systematic and widespread assault which led to 
Senate hearings. At that time, the Social Security 
Administration refused to notify the people who were the 
victims of those very serious breaches and I started raising 
the issue then.
    What is interesting--the reason I think this bill is a very 
good starting point and can accomplish a lot of good in setting 
a national standard here is because it is true to some of the 
issues of fair information practice principles, which really 
govern our privacy laws, like the Fair Credit Reporting Act and 
the Privacy Act.
    People think privacy is hiding in the closet or just trying 
to keep things secret, but how we really define it is how we 
abide by these principles which include access and correction, 
transparency, data security, data minimization, and limiting 
the purposes for which data can be used. And this bill 
understands, goes right to the heart of sunshine is the best 
disinfectant. It brings out transparency for the issue of how 
data is used, and you will see how--one reason Mr. McIntyre was 
so successful in responding to the crisis they had is they went 
very public and brought a lot of attention to what was going 
on. So I think that is why this is a good starting point.
    I think one of the reasons it is needed is, as mentioned, 
identity theft is the fastest growing crime in the United 
States. There are so many studies out this summer by the FTC, 
the GAO, the Gartner Group, Privacy in American Business, that 
says it is far worse than we even expected and that the biggest 
threat to information security is by authorized insiders using 
their authorized insiderness to use information for 
unauthorized purposes. So, therefore, that is a real threat, 
and more and more information is being collected in databases 
and we have to have a way of notifying people when things go 
wrong.
    Another problem is that we don't have an organizational 
culture of privacy and security. We don't see the kind of 
consciousness that you saw in TriWest and you don't normally 
see the kind of leadership you saw in Visa on the issues 
Senator Feinstein mentioned.
    Just in the recent Victoria's Secret case, which was 
prosecuted by New York Attorney General Eliot Spitzer, they 
found out that you could get access to people's purchases 
through their website. It was just one of those glitches, but 
when a customer notified Victoria's Secret about it, they said 
there were no credit card numbers involved so what is the big 
deal? And it was only after he went to the media that he was 
able to get attention, and it was only because Attorney General 
Spitzer investigated that they were able to get notice to the 
New Yorkers who were affected by that, and as far as I know, 
the other people who were affected who weren't New Yorkers did 
not receive notice. So you see there is going to be an ongoing 
problem here.
    Another thing that is very new that is just coming up this 
year is the outsourcing of the personal data processing to 
other countries. We know that--I think the USDA does it with 
food stamps. The San Francisco Chronicle just did a story 
October 22 saying that an employee in Pakistan who was doing 
medical transcription then was not getting paid and so her way 
of handling that was to threaten to post the medical patient 
details on the Internet as a way of extorting--getting paid 
what she was owed. The San Francisco Chronicle is now hot on 
this story and they are pursuing it.
    We reported that the credit bureaus, the big credit 
bureaus, Equifax outsources to Jamaica and Experian and Trans 
Union are going to be going to either the Philippines or India 
or both. These raise serious questions about how will data be 
protected as it goes across our borders and can Americans feel 
secure in that. So that is another reason why this bill is so 
important.
    I mentioned that fair information practices are the gold 
standard for measuring how well are we protecting privacy, and 
that is why this bill is a good starting point. The other 
things to consider is whether we should provide in this bill a 
right of access to people's information. People have this right 
under the Fair Credit Reporting Act to their credit reports. 
They have it under the Privacy Act and the Freedom of 
Information Act for their government records, under HIPAA for 
their medical records. We need to keep filling the gaps here 
where people do not have access to their records because the 
data kept about them says a lot about them and decisions are 
being made on that data.
    I think, for this bill specifically, I think we should 
consider when notification is not required and it is really not 
considered a thing where it is too costly to notify people, 
which I think is a reasonable standard, I think we still have 
to have a way that if people want to find out what happened or 
what was the practices and what is their system for notifying, 
that people have a right to find out and the company has to 
answer their questions, because we have seen in cases in the 
past when we know there is a hack, we know there is a problem, 
but we can't find any more information, and so people are just 
left in the dark, not knowing what happened.
    I think another thing, since we are trying to advance data 
security, we have the 30-year-old standard from the Privacy Act 
about how organizations should just take appropriate 
administrative, technical, and physical safeguards to ensure 
against anticipated threats that can harm individuals. That 
standard is also sort of becoming the standard for financial 
institutions under the Gramm-Leach-Bliley regulations.
    I think, finally, enforcement of this bill is left to the 
FTC and the State Attorneys General, which have always been the 
leaders in enforcement in this area, but I still think you need 
a private right of action for the most egregious cases. We will 
never be able to build a bureaucracy big enough to enforce a 
system that is covering the records of 200 million Americans. 
We don't want trivial or specious lawsuits brought, but we need 
to give people rights when the organizational behavior is 
egregious or it has been going on for many years and there is a 
pattern and practice, and where I think a good standard, a high 
standard to meet for that is like gross negligence or reckless 
disregard for people's rights. But we need to give individuals 
the right to enforce their own rights.
    The final thing is the Social Security number. There are 
bills pending by Senator Feinstein and others that would try 
and limit the circulation of SSNs in our society and, 
ultimately, on the creation of a national standard. We think 
this bill is a good bill to the extent that it creates a floor 
and says that you cannot have laws that are inconsistent with 
it. And I don't think you really need to out and out preempt 
state laws because if, first of all, if you do this law, then 
States will move on and they won't need to enact laws in the 
States. They will see that the Congress is taking care of it, 
which is really why I commend you for getting out in front of 
this issue. You save a lot of those problems.
    Ultimately, though, I am reluctant to say we should shut 
out States altogether because this is such a fast-moving area 
and States often come up with some very creative solutions to 
these fast-moving problems.
    Thanks, and I apologize for going over my time.
    Chairman Kyl. I am sure Senator Feinstein joins me in 
saying these are all very constructive suggestions and things 
that we obviously need to look at.
    [The prepared statement of Mr. Hendricks appears as a 
submission for the record.]
    Chairman Kyl. The last point that you raised prompts me to 
just make an observation and raise this question, both with 
regard to the Social Security legislation and this legislation. 
There are a large number of databases that are outside of the 
business field, and that is obviously government of one kind or 
another. I was just telling Senator Feinstein that the Clerk of 
the County Court System in Maricopa County, Arizona, talked to 
me about the large volume of information which they have which 
is not in a form that would be easily protectable under the 
standards of this legislation and it would be very good for us, 
if we are going to devise a new format, to be sure that we 
include that in government databases, which are also subject to 
the same degree of hacking or theft that business databases 
are. If any of you have a comment on that, please make that.
    Mr. Hendricks. You go first.
    Mr. MacCarthy. I think that it is important to make sure 
that as we are dealing with this issue, that we are dealing 
with both hacking and physical theft, and I would say that from 
my perspective, public institutions are not immune to this 
problem.
    Sir, you are talking about the Maricopa County system. The 
head of the Arizona State University system and a number of the 
Boards of Regents, members of the Boards of Regents in Arizona 
told me recently that our experience was an eye-opener to them, 
and they took this issue to the regents and started doing a 
study of the university system in the State. There isn't a week 
that goes by in the State of Arizona that someone hasn't 
attempted to hack into either the financial, the grading 
system, or the personnel systems in that institution.
    You know, this is a fast-moving train. What is going to be 
good enough today isn't going to be good enough a couple of 
years from now, and I think what you are doing is bringing a 
lot of necessary attention to this issue. But we do need to 
have a dialogue about the public institutions, not just the 
private institutions.
    Chairman Kyl. Thank you. I also note that we are planning 
right now a hearing on cyber terrorism for the first--after we 
return next year. It prompts me to think maybe we should expand 
that slightly, not just to terrorism, but hacking generally and 
the kind of things that can occur in the business sector and 
the public sector with that.
    Mr. MacCarthy. Right.
    Chairman Kyl. Let me just ask two quick questions of each 
of you and then turn to Senator Feinstein. We are talking about 
some kind of a uniform standard, I presume. My question really 
has to do with the expense to business for that as well as how 
we can make sure that we achieve the maximum notification for 
the most efficient cost. Clearly--and this is a point, Mr. 
Hendricks, that you mentioned--we don't want the obligations 
here to be so onerous that we defeat our own purpose by making 
them too expensive and, therefore, have blow-back against our 
ideas here because of the expense. Mr. MacCarthy?
    Mr. MacCarthy. Mr. Chairman, let me return to the previous 
question. Our cardholder information security program applies 
to all entities that touch Visa cardholder information, public 
or private. So we think any kind of security regime should 
extend across the board and include all people who hold 
sensitive data.
    On the particular question, we think that the legislation 
is balanced. It does recognize the significant risk principle 
where information is provided to customers in the context of a 
significant risk of harm. We think it provides the flexibility 
for working out the way that notification could take place. We 
like its consistent national approach. We think it does--the 
key elements that need to be in Federal legislation are 
incorporated in that bill.
    Chairman Kyl. Thank you.
    Mr. Hendricks. Yes, and I think this will always be a case-
by-case, which is good about your bill, because you leave it to 
sort of you have to have a reasonableness standard. Let us say 
in California, all the public employees are hit by some hack. 
Well, if all those employees get the same newsletter or if you 
have the e-mail addresses, then it becomes very inexpensive. 
And, of course, as we move into the electronic environment, 
communicating and notifying via e-mail is not expensive or 
burdensome at all. So that is something we have to look forward 
to.
    I think that each case by case, you can get creative ways 
to try and notify people. But if you have just like a huge 
population, it is not feasible to have to send notice to like 
100 million people, and I don't see the bill ever requiring 
that.
    Mr. McIntyre. Sir, I would associate myself with the 
remarks of my colleagues on the panel.
    Chairman Kyl. Senator Feinstein?
    Senator Feinstein. Thank you very much. Senator Schumer 
came in on a matter, and I missed part of your statement, Mr. 
MacCarthy, but I was going to ask you, you testified that a 
significant recognizable threat is necessary for disclosure. 
How would you define significant recognizable threat?
    Mr. MacCarthy. I think that may turn out to be a judgment 
call, depending on the specific facts. It may be useful to 
explain what happens in the Visa system when there is a breach 
to give you a sense of the kind of circumstance we are talking 
about.
    Senator Feinstein. Good. That would be helpful.
    Mr. MacCarthy. When there is a breach, the cardholder 
numbers that are affected are treated as a separate group of 
account numbers, a portfolio, if you will--
    Senator Feinstein. So you immediately know which 
cardholders are affected?
    Mr. MacCarthy. If the merchant or the processor or the 
person who had the breach notifies us, then given the 
cardholder numbers, we know immediately the financial 
institutions involved and they will know immediately the names 
of the people involved based on the cardholder number that they 
have.
    Senator Feinstein. Do you do regular reviews to find this?
    Mr. MacCarthy. In the context that I am talking about--
    Senator Feinstein. Because a hacker is not going to tell 
you before they do it.
    Mr. MacCarthy. No, they don't tell you before, but when 
there is a breach, typically what happens is the entity that 
holds the cardholder information knows about the breach very 
shortly after it happens and they inform us directly. It is 
required under our rules that they tell Visa directly that 
there has been a breach and provide us with the cardholder 
numbers. When that happens, we then keep those numbers in a 
central computer location, treat them as a group. We also 
notify the financial institutions immediately--
    Senator Feinstein. Stop for a minute. You mean if I hold, 
say, a Visa on Bank of America, the Bank of America would 
notify you?
    Mr. MacCarthy. For example, a merchant that--not Bank of 
America, or it could be Bank of America if they are the 
custodian of information that has had a cardholder breach. But 
in a typical circumstance, it is a third party, a merchant or a 
processor, that keeps Visa information on file as part of the 
transaction that they have had with you.
    Senator Feinstein. And explain to me, how does he know?
    Mr. MacCarthy. Well, this is what happens when a breach 
occurs. The entity that is the custodian of the information 
typically knows that there has been a breach, sometimes not 
immediately, but typically they do find out, and when they do 
find out that there has been a breach, they notify us. They 
notify the FBI, the Secret Service. They work with law 
enforcement very, very quickly to see if they can control the 
consequences of the breach.
    Once we get the information, we have the cardholder 
information, we can look at those accounts and we can tell 
whether or not there is any unusual pattern of fraud, any types 
of fraud, any elevated risk to cardholders. And when you notice 
that there are those patterns of excess fraud, unusual patterns 
or suspicious patterns, the cardholder's institution and Visa 
work together to make sure that the cardholder is notified, and 
in some situations, instead of just notification, the account 
is terminated and a new card is issued.
    Senator Feinstein. Can you just give us an approximate 
number of breaches that you would have this way in a year?
    Mr. MacCarthy. I can't give you that information at this 
point. Let me go back and work on that and see if I can get 
back to you on it.
    Senator Feinstein. I mean, is it thousands?
    Mr. MacCarthy. In some circumstances, in single breaches, 
you could have a large number of cardholders' information that 
are compromised, and those, as I say, are then put on special 
watch to make sure that there is no risk of harm to consumers 
in that kind of context.
    And also in that kind of circumstance, if there is 
unauthorized use of cardholder information, the cardholder 
himself or herself is not responsible for paying the bill. It 
is unauthorized use. They have zero liability.
    Senator Feinstein. Thank you. Anybody else?
    Mr. Hendricks. In the case earlier this year, the famous 
one, which I think was called DPI, it was a credit card 
processing company, it was known that there were over 10 
million credit card numbers were taken in that hack, but there 
is no evidence that anything was ever done with them.
    One of the problems that we had from our side in that is 
that you couldn't find out which member banks were the ones 
hit, because under contract, they are not allowed to disclose 
that. So their contracts did not allow the kind of transparency 
we needed to assure consumers that they were safe in this 
thing.
    You asked, well, how do you define a significant threat? I 
think one way you don't want to do is restrict it to simply 
economic harm or theft of your credit card number and purchases 
made. What I have seen over the years, and statistics bear me 
out, what Americans really care about is protection of their 
reputation and their good name, and that is why you see the 
complaints to the Federal Trade Commission are overwhelmingly 
about identity theft, because they don't lose money out of 
pocket on that, but it directly attacks their reputation and 
good name, where complaints about Internet scams and other 
forms of fraud which do involve out-of-pocket losses are down 
in the eight to ten percent level where identity theft is up in 
the 42 percent level. So we want to make sure that we define it 
in a way so we include both economic harm, harm to reputation 
and good name, and the emotional distress arising from when you 
know your information is taken and the steps are not being 
taken to protect it.
    Senator Feinstein. Thank you. Thank you.
    Mr. McIntyre, do you have any comments on that point?
    Mr. McIntyre. I think Mr. MacCarthy had a follow-up and 
then I would be glad to comment.
    Senator Feinstein. All right, fine.
    Mr. MacCarthy. Back on the DPI case, Evan is right that 
there were about ten million cards that were compromised. Some 
of them were Visa cards, but there were also MasterCard, 
American Express, and Discover cards involved. We put them on a 
watch on the Visa cards and there is no excess of fraud among 
those cards. So the harm to the consumer isn't present in that kind 
of circumstance.
    We did, however, think that the processor involved hadn't 
done everything that they could do to keep the information 
safe. They had not been in compliance with our cardholder 
information security program and the violation wasn't small, it 
was egregious. We fined them $500,000.
    Senator Feinstein. Wow.
    Mr. MacCarthy. And they are on special watch at this point. 
They can't sign up any more merchants until they have satisfied 
us that their procedures in place are adequate.
    Senator Feinstein. Good for you.
    Mr. McIntyre. Senator, I think that the definition around 
what is significant will be fluid and I think the way your 
legislation is written provides for reasonable coverage of that 
definition. From a business point of view, I don't find it to 
be egregious at all.
    The issue with regard to what Mark was talking about on the 
Visa side, I have been monitoring this issue very closely at a 
personal level since the middle of December, since I learned a 
lot more about this topic, and it was ironic, because the day 
after our theft when we started working on what we were going 
to do in response to it, I got a call from my Visa card company 
saying, we wanted to make sure that you were traveling to such-
and-such a location and such-and-such a location and such-and-
such a location, because I had been in three States in 1 day, 
and that is not the typical pattern of travel for most people, 
and I had shopped or eaten in three different places in a day. 
I think the Visa card companies have done a great job in being 
able to track that.
    Significant to the standard today is going to be different 
than significant to the standard 2 years from now when we are 
much more complex in terms of the capability to both see 
physical theft as well as hacking in this area.
    Senator Feinstein. [Presiding.] Very good. Incidentally, 
Senator Kyl had to leave. He had an urgent appointment, so I 
would essentially like to do this. I think you have all 
reviewed the legislation. If you have any other comments on how 
we might strengthen it or, Mr. MacCarthy, for example, on the 
safe harbor, if a company has its own procedures that are 
adequate, that may need some more defining, we would really 
appreciate it.
    Let me ask you if you have any other remarks to make on the 
subject. If not, I will close the hearing.
    Mr. McIntyre. The last observation that I would offer, and 
I know that this has been an area of great focus for you for 
some time, and that is the use of Social Security numbers. 
After we suffered the theft in our State, we made a commitment 
that this was a public affairs area that we are going to remain 
in for some time because we went so public and it gave us a 
platform to help other businesses and entities in the State of 
Arizona.
    And one of the things that we did as a spinoff from that 
was to let the Blue Cross-Blue Shield Association know that 
having your Social Security number on your insurance card 
probably isn't a very good idea and that there needs to be some 
way to begin to pare down those numbers. They are looking at 
that issue.
    You know, when you get into the health care space, everyone 
sees doctors every year and gets health care experience in the 
marketplace every year, and oftentimes what they get back is a 
report from their insurance company through the claims 
processor. And more often than not, what is contained on those 
forms is your entire Social Security number.
    I reviewed this issue with the Department of Defense, as 
well, because we used to have an identification number for 
military personnel. Prior to that, it was Social Security 
numbers. Now we are at a Social Security number again. And the 
question was, what do we do to protect the military personnel 
from the misuse of their identity through payroll acquisition 
or whatever?
    And in looking at that, it seems to me that the same 
principle could be applied as the one that is being applied on 
the credit card side, which is to ``X'' out all but the last 
four numbers. We have proposed that to the DOD on the health 
care side and we are in the process of working that through.
    Senator Feinstein. On the Social Security number?
    Mr. McIntyre. That is correct, in addition to the credit 
cards. So you could apply the same concept there. It is easy to 
build software from a practical operations perspective to put 
in place to scrub the numbers as they go through. But to upend 
an entire system and go to a new identification number is 
something that is fraught with all kinds of other issues. And 
even then, I would say you need to truncate those numbers 
except for all but very critical use.
    So you are on the right issue. This is a very, very 
important area and I think that you have got your arms wrapped 
around the right legs of the stool and look forward to 
supporting you as you move forward.
    Senator Feinstein. Thank you. One thing that you might be 
able to help with is Senator Gregg and I have had a Social 
Security number bill--
    Mr. McIntyre. Yes, ma'am.
    Senator Feinstein. --to prevent its commercialization and 
selling it and that kind of thing. We have had a devil of a 
time getting it out of the Finance Committee, where it seems to 
be residing, and we don't want it to find its burial place 
there. So anything you could do to weigh in on that, and 
perhaps take a look at the bill and see if you have any 
concerns about it--
    Mr. McIntyre. We would be glad to do that.
    Senator Feinstein. We would appreciate that very much.
    Mr. McIntyre. Yes, Senator, and we look forward to serving 
the constituents in your good State.
    Senator Feinstein. Thank you. Thank you very much. And the 
same would go for you, Mr. Hendricks, and even Mr. MacCarthy, 
if you would like.
    Let me thank you for your testimony today. I think it has 
been very useful. I think this is a hard area to negotiate in 
and to legislate in because the technology moves so fast, it is 
hard to keep up with it. But I really appreciate your testimony 
and I appreciate your support of the bill. So thank you very 
much, and the hearing is adjourned.
    [Whereupon, at 10:50 a.m., the Subcommittee was adjourned.]
    [Questions and answers and submissions for the record 
follow.]

[GRAPHIC] [TIFF OMITTED] T4638.001 through T4638.037