b"<html>\n<title> - SUBCOMMITTEE HEARING ON DATA SECURITY: SMALL BUSINESS PERSPECTIVES</title>\n<body><pre>[House Hearing, 110 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n\n\n                 SUBCOMMITTEE HEARING ON DATA SECURITY:\n                      SMALL BUSINESS PERSPECTIVES\n\n=======================================================================\n\n                    SUBCOMMITTEE ON FINANCE AND TAX\n                      COMMITTEE ON SMALL BUSINESS\n                 UNITED STATES HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED TENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              JUNE 6, 2007\n\n                               __________\n\n                          Serial Number 110-27\n\n                               __________\n\n         Printed for the use of the Committee on Small Business\n\n\n Available via the World Wide Web: http://www.access.gpo.gov/congress/\n                                 house\n\n\n\n\n\n\n\n\n                     U.S. GOVERNMENT PRINTING OFFICE\n\n36-102 PDF                 WASHINGTON DC:  2007\n---------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing\nOffice  Internet: bookstore.gpo.gov Phone: toll free (866)512-1800\nDC area (202)512-1800  Fax: (202) 512-2250 Mail Stop SSOP, \nWashington, DC 20402-0001\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                   HOUSE COMMITTEE ON SMALL BUSINESS\n\n                NYDIA M. 
VELAZQUEZ, New York, Chairwoman\n\n\nWILLIAM JEFFERSON, Louisiana         STEVE CHABOT, Ohio, Ranking Member\nHEATH SHULER, North Carolina         ROSCOE BARTLETT, Maryland\nCHARLIE GONZALEZ, Texas              SAM GRAVES, Missouri\nRICK LARSEN, Washington              TODD AKIN, Missouri\nRAUL GRIJALVA, Arizona               BILL SHUSTER, Pennsylvania\nMICHAEL MICHAUD, Maine               MARILYN MUSGRAVE, Colorado\nMELISSA BEAN, Illinois               STEVE KING, Iowa\nHENRY CUELLAR, Texas                 JEFF FORTENBERRY, Nebraska\nDAN LIPINSKI, Illinois               LYNN WESTMORELAND, Georgia\nGWEN MOORE, Wisconsin                LOUIE GOHMERT, Texas\nJASON ALTMIRE, Pennsylvania          DEAN HELLER, Nevada\nBRUCE BRALEY, Iowa                   DAVID DAVIS, Tennessee\nYVETTE CLARKE, New York              MARY FALLIN, Oklahoma\nBRAD ELLSWORTH, Indiana              VERN BUCHANAN, Florida\nHANK JOHNSON, Georgia                JIM JORDAN, Ohio\nJOE SESTAK, Pennsylvania\n\n                  Michael Day, Majority Staff Director\n                 Adam Minehardt, Deputy Staff Director\n                      Tim Slattery, Chief Counsel\n               Kevin Fitzpatrick, Minority Staff Director\n\n\n                    SUBCOMMITTEE ON FINANCE AND TAX\n\n\n\n                   MELISSA BEAN, Illinois, Chairwoman\n\n\nRAUL GRIJALVA, Arizona               DEAN HELLER, Nevada, Ranking\nMICHAEL MICHAUD, Maine               BILL SHUSTER, Pennsylvania\nBRAD ELLSWORTH, Indiana              STEVE KING, Iowa\nHANK JOHNSON, Georgia                VERN BUCHANAN, Florida\nJOE SESTAK, Pennsylvania             JIM JORDAN, Ohio\n\n                                 ______\n\n\n                                  (ii)\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                           OPENING STATEMENTS\n\n                                                          
         Page\n\nBean, Hon. Melissa...............................................     1\nHeller, Hon. Dean................................................     3\n\n                               WITNESSES\n\nMilazzo, John, National Association of Federal Credit Unions.....     4\nMacCarthy, Mark, Visa U.S.A., Inc................................     6\nDuncan, Mallory, National Retail Federation......................     8\nCochetti, Roger, CompTIA.........................................    10\nDelBianco, Steve, Association for Competitive Technology.........    12\n\n                                APPENDIX\n\n\nPrepared Statements:\nBean, Hon. Melissa...............................................    28\nHeller, Hon. Dean................................................    30\nMilazzo, John, National Association of Federal Credit Unions.....    32\nMacCarthy, Mark, Visa U.S.A., Inc................................    44\nDuncan, Mallory, National Retail Federation......................    51\nCochetti, Roger, CompTIA.........................................    66\nDelBianco, Steve, Association for Competitive Technology.........    76\n\n                                 (iii)\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n \n                      SUBCOMMITTEE HEARING ON DATA\n                 SECURITY: SMALL BUSINESS PERSPECTIVES\n\n                              ----------                              \n\n\n                        WEDNESDAY, JUNE 6, 2007\n\n                     U.S. House of Representatives,\n                               Committee on Small Business,\n                            Subcommittee on Finance and Tax\n                                                    Washington, DC.\n    The Committee met, pursuant to call, at 10:00 a.m., in Room \n2360 Rayburn House Office Building, Hon. 
Melissa Bean \n[Chairwoman of the Subcommittee] presiding.\n    Present: Representatives Bean, Ellsworth, Heller and \nJordan.\n\n              OPENING STATEMENT OF CHAIRWOMAN BEAN\n\n    Chairwoman Bean. Good morning. I call this hearing to order \nto address Data Security: Small Business Perspectives. With \nbreaches of personal data being reported with increasing \nregularity, the issue of data security has become one of great \nconcern to consumers and the small businesses they do business \nwith.\n    Over the past few years, tens of millions of records of \ndata containing Social Security, bank account, credit card, and \ndriver's license numbers have been compromised. A few weeks \nago, The New York Times published a troubling cover story on \nidentity theft in the elderly. The story discussed the data \nbroker InfoUSA, one of the largest compilers of consumer \ninformation, which sold contact lists of elderly consumers to \nknown law breakers. The thieves posed as government officials \nand acquired bank account information which was used to empty \nout those accounts. According to the article, InfoUSA \nadvertised lists of suffering seniors, 4.7 million people with \ncancer or Alzheimer's. Data brokers fall outside the scope of \nmost current federal privacy regulations.\n    A major reason for the increased awareness of breaches is \na California law implemented in 2003 that requires \nnotice of security breaches to be sent to affected consumers. \nThe law was the first of its kind in the nation. Subsequently, \n35 states have enacted legislation requiring companies or state \nagencies to disclose security breaches involving personal \nfinancial information. Complying with a patchwork of state laws \nis challenging for all businesses and financial institutions, \nbut particularly difficult for small firms. There have been \nmany calls for federal legislation to address the issue of data \nsecurity. 
In the last Congress, I introduced two data security \nbills and worked closely with my colleagues on the Financial \nServices Committee to craft a federal solution to this \nimportant issue.\n    As a former small business owner, I understand the value of \ntime. Small businesses are often dependent on the efforts of a \nfew, if not one person, to run their business. Onerous \nregulations can take a business owner's time away from focusing \non their core business and their customers. Small businesses \nlack in-house counsel and expertise in information security. \nBurdensome data security laws or regulations require small \nbusinesses to retain outside consultants in highly specialized \nlegal and regulatory areas. Small businesses typically lack \nexperience in managing those outside vendors and when a \ncomplicated law requires systemic changes to their IT systems, \nthis may make them more vulnerable to expensive service \nagreements.\n    When examining this issue at the federal level, there are \nseveral considerations to keep in mind for small businesses and \nsmall financial institutions. First, a clear standard for \ntriggering notification is critical. A vague standard could \nlead to a large volume of unnecessary notifications, \ndesensitizing consumers and causing them to ignore more serious \nwarnings. It's also important to consider that notification is \ncostly, particularly so for small businesses to absorb.\n    Second, financial institutions are already subject to \nfederal regulations on data security. Subjecting them, and \nsmall banks in particular, to a duplicate layer of federal \nregulations could burden them unnecessarily.\n    Third, while Congress should encourage adoption of best \npractices for securing private financial data, we should avoid \nmandating particular technologies in law or regulation. \nSecurity threats change rapidly and businesses must be given \nthe flexibility to respond quickly. 
Firms must be able to \ndeploy the latest security measures; mandating a particular \nproduct or technology could slow development of improved \ncountermeasures and leave businesses one step behind the \ncriminals.\n    Finally, legislation should contemplate the protection \nlevel of compromised data such as encrypted information and how \nmuch of a risk a breach realistically poses to consumers. As \nCongress contemplates legislation, there are steps businesses \ncan take on their own to reduce security risks. Government may \nbe able to play a beneficial role in educating small businesses \nabout the basics of data security.\n    Properly training employees can reduce the incidence of \ndata breaches, while larger businesses with sophisticated \ncompliance departments can create training programs, risk \nassessments, and written compliance plans. It's important to \nconsider that small businesses may lack this ability and thus \nrequire assistance from regulators.\n    Small businesses are increasingly being confronted with the \nissue of data security as breaches occur with more frequency. \nSmall firms are taking steps to better secure customer \ninformation through internal procedures and upgrading \ninformation technology. As we move forward with federal \nlegislation on data security, the unique needs of small businesses \nshould be integral to our efforts, because compromising the \nprofitability of small businesses would ultimately pass on \ncosts to the very consumers we're trying to protect.\n    I look forward to today's testimony and thank the witnesses \nfor their participation.\n    I now want to recognize Ranking Member Mr. Heller for his \nopening statement.\n\n                OPENING STATEMENT OF MR. HELLER\n\n    Mr. Heller. Well, good morning, and thank you very much, \nMadam Chair. I know this issue is important to you and you have \nspent a tremendous amount of time looking into this and I \nappreciate your efforts. 
I want to also thank the witnesses \nwho are here today, taking time out of their schedules to be \nin front of us today.\n    Nevada is one of the fastest growing states in small \nbusinesses. As Secretary of State, I was responsible for \nregistering tens of thousands of businesses a year and I fought \nto keep Nevada friendly to small businesses.\n    I look forward to continuing to keep small business vibrant \nand healthy in America and in the State of Nevada. To this end, \nelectronic commerce or e-commerce has enabled small businesses \nto become participants in both the national economy and the \ninternational economy. E-commerce requires data to be \ncollected, processed, and stored electronically and transmitted \nacross networks. Therefore, data security is a very important \nbusiness requirement that requires the on-going process of \nexercising due care and due diligence by all participants in e-\ncommerce. A robust national and international economy requires \nprotecting data from unauthorized access and use. If consumers \nlose confidence in e-commerce based on the lack of data \nsecurity, this loss of confidence will inhibit the growth of e-\ncommerce and small businesses, not to mention the effect a \ndata breach can have on individual victims.\n    The impact on small businesses will be disproportionately \ngreater because, right or wrong, consumers will perceive large \nbusinesses offering their customers more recourse in the event \nof a problem. Also, all participants in e-commerce will be \nlooking for assurances that their business partners, both large \nand small, are operating under proper data security policies \nand procedures. Any business's lack of information security \nreadiness will spread the risk throughout all levels of the \neconomy. What we must do is devise a way to ensure that all the \nparties involved are effectively protecting the information \nthey collect without putting small businesses at a disadvantage \nwhen we do so. 
All too often small firms are at a distinct \ndisadvantage when these proposals are being debated and \nimplemented. Imposing a large one-size-fits-all data security \nbill or regulation on the nation at large could be more \nexpensive for small firms because fixed costs \ndisproportionately impact small businesses.\n    Additionally, because the owners of local hardware stores \nknow hardware, not high-end encryption and data security \nservices, it may require the hiring of outside vendors and \nconsultants to implement data security and regulatory \nrequirements because of that lack of expertise, and anybody who \nruns a small business already knows that the time and attention \nof top management is already stretched too thin to be directly \ninvolved with issues such as these. Simply put, imposition of \nany additional costs will place small companies at a \ncompetitive disadvantage because their per-unit costs of \ncompliance will be greater than those of large businesses.\n    Today, we live in a digital economy where both beneficial \nand potentially harmful uses of personal information are \nmultiplying. Information about individuals is used by \nbusinesses to provide consumers with an unprecedented array of \ngoods and services, increase productivity and protect \nindividual businesses and society from fraud and other \nmisdeeds.\n    However, that same information can also be misused to harm \nindividuals with results such as identity theft, deception, \nunwarranted intrusion, embarrassment, and the loss of consumer \nconfidence. This is a very complicated and important matter, \nand I applaud the Chairwoman for her leadership on this timely \nissue. Just yesterday, I read in the USA Today a story of how \nDavid Joe Hernandez returned from service overseas in the \nAir Force only to find that his identity was stolen and the \ncollection agents were hunting him down to make good on some \ndelinquent accounts. 
This recent case demonstrates that all \nbusinesses must ensure consumer protection and I look forward \nto hearing the testimony today and working with each of you to \nensure that we devise a workable plan that achieves greater \nsecurity and confidence in e-commerce without harming small \nbusinesses.\n    Thank you again, Madam Chairwoman. I appreciate your \nlooking forward on this particular issue, and I yield back the \nbalance of my time.\n    Chairwoman Bean. Are there any other Members who have \nopening statements? Okay.\n    We'll now move to testimony from the witnesses. Witnesses \nwill have five minutes to deliver their prepared statements. \nThe timer begins when the green light is illuminated. When one \nminute of time remains, the light will turn yellow. The red \nlight will come on when time is out.\n    Our first witness is Mr. John Milazzo. Mr. John Milazzo is \npresident and CEO of Campus Federal Credit Union in Baton \nRouge, Louisiana. He has served in that role since 1985. Campus \nFederal is a $320 million multi-branch statewide credit union \nserving 39,000 members. He's testifying on behalf of the \nNational Association of Federal Credit Unions. The membership \nof the National Association of Federal Credit Unions consists \nof the nation's innovative and dynamic federal credit unions \nhaving various and diverse membership bases and operations.\n    You may proceed with your testimony.\n\n STATEMENT OF JOHN MILAZZO, CHAIRMAN, NATIONAL ASSOCIATION OF \n                     FEDERAL CREDIT UNIONS\n\n    Mr. Milazzo. Thank you. Good morning, Chairwoman Bean, \nRanking Member Heller, and Members of the Subcommittee. My name, \nas stated, is John Milazzo and I'm the present Chief Executive \nOfficer of Campus Federal Credit Union headquartered in Baton \nRouge, Louisiana. I'm testifying today on behalf of the \nNational Association of Federal Credit Unions where I serve as \nthe chairman of its board. 
NAFCU appreciates this opportunity \nto participate in this hearing regarding data security.\n    Looking to a few high-profile examples, the TJX data breach \nhas already cost Campus Federal Credit Union over $11,000. When \nCredit Card Systems Solution suffered a breach, Campus Federal \nspent over $20,000 to issue new cards and to respond to \nmembers' concerns, and this does not include the detrimental \neffects on our institution's reputation and credibility.\n    In 2006, Campus Federal charged off nearly $50,000 in fraud \nlosses on our debit cards. Additionally, Campus Federal charged \noff $130,000 on other fraud. The cost of insurance for credit \nand debit cards is increasing dramatically. In the last six \nyears, Campus Federal's premiums have increased by more than 64 \npercent. At the same time, our deductible for payment card \nlosses has also increased significantly. From 2001 to 2004, our \ndeductible for payment card fraud and forgeries averaged $100. \nToday, our deductible is $1,500, an increase of 1400 percent in \nsix years.\n    Campus Federal's situation is not unique among credit \nunions. Information from those that provide bonds to credit \nunions indicates that credit unions incurred over $100 million \nin payment card fraud in each of the last few years. The costs \nassociated with issuing a payment card can run as high as $10 \nor more, a cost that the 89 million Americans who are credit \nunion members ultimately pay. Because of economies of scale, \nthis cost is often higher for smaller credit unions.\n    When Campus Federal is notified of a data breach impacting \ncredit cards, we follow a 16-step flow chart that includes at \nleast two methods of notification to our members. We also keep \nenough credit card stock in-house to cover at least 15 percent \nof our card base, allowing us to reissue cards in a very timely \nmanner. NAFCU supports the effort to enact a comprehensive \nproposal to protect consumers' personal data. 
Credit unions and \nother financial institutions already protect data consistent \nwith the provisions of the Gramm-Leach-Bliley Act. The act and \nits implementing regulations have successfully limited data \nbreaches among financial institutions. There's no similar \ncomprehensive regulatory structure for retailers. There should \nbe a comprehensive regulatory scheme for industries that are \nnot already subject to oversight.\n    Any new legislation should create a safe harbor for \nfinancial institutions already in compliance with Gramm-Leach-\nBliley. Failing to do so would place undue burden on financial \ninstitutions. NAFCU believes that any data security bill should \nplace the burden of addressing a data breach on the entity \nresponsible for the breach. Under the current law, some \nindustries do not have a strong enough incentive for protecting \nthe sensitivity of their information. The first notification \nthat people receive that their information may have been \ncompromised is often from their credit union. Thus, the \ncompanies responsible for the data breach oftentimes do not \nsuffer any loss of consumer goodwill while consumer confidence \nin financial institutions suffers.\n    Unfortunately, no matter how quickly government and \nindustry react, criminals will always find a way around \nsecurity measures. Therefore, it is important that there be \nstiff penalties to prohibit and punish the actual crooks who \ncommit these breaches. Current data security standards with \npayment card companies such as Visa and MasterCard prohibit \nstoring sensitive data, yet these contracts often aren't \nenforced and the data ends up being compromised. Some states, \nsuch as Minnesota, have recently enacted tougher standards to \nhold those responsible accountable. 
We believe any federal data \nsecurity bill needs to do the same.\n    In conclusion, NAFCU believes that the most effective way \nto address the growing number of data breaches is to create \na comprehensive regulatory scheme for those entities that \ncurrently have none. NAFCU believes that a safe harbor for \nfinancial institutions already in compliance with Gramm-Leach-\nBliley should be included in any data security bill.\n    Finally, financial institutions, merchants, retailers, data \nbrokers, and any other party that holds customer information \nshould be held financially accountable if it is responsible for \na data breach. I thank you for this opportunity to appear and I \nwould welcome your questions.\n    [The prepared statement of John Milazzo may be found in \nthe Appendix on page 32.]\n\n    Chairwoman Bean. Thank you for your testimony.\n    We're going to hold questions until we've heard all who are \ntestifying today.\n    Next up is Mr. Mark MacCarthy, who is Senior Vice President \nfor Public Policy of Visa U.S.A. The Visa payment system is the \nlargest consumer payment system in the world. Prior to joining \nVisa, Mr. MacCarthy was a principal and senior director with \nthe Wexler Group. From 1981 to 1988 he was a professional staff \nmember of the House Committee on Energy and Commerce.\n    Please proceed and thank you for being here.\n\n  STATEMENT OF MARK MACCARTHY, SENIOR VICE PRESIDENT, PUBLIC \n                   POLICY, VISA U.S.A., INC.\n\n    Mr. MacCarthy. Thank you, Chairwoman Bean, Ranking \nMember Heller, and Members of the Subcommittee. I'm Senior Vice \nPresident for Public Policy, as Chairwoman Bean noted. Visa \ncommends the Subcommittee for holding this hearing. It's an \nimportant topic, especially focusing on small businesses, and \nI'm pleased to be able to talk about it today.\n    Madam Chairwoman, for Visa, cardholder security is about \ntrust. 
Our goal is to protect the consumers, the merchants, the \nbanks, the credit unions and other financial institutions that \nare part of the Visa system by preventing fraud from taking \nplace in the first place.\n    Our card security system starts with our zero liability \npolicy, which ensures that cardholders are not liable for \nunauthorized use of their cards. And because we have that \nliability allocation, that creates a financial incentive for us \nto practice good security and to encourage our members and \npeople associated with the Visa system to practice good \nsecurity.\n    Because the cardholders don't pay the costs of a data \nbreach, the member financial institutions within the Visa \nsystem have to pay these costs. And as John has noted, these \ncosts are substantial. They include the fraud losses \nthemselves. They include the monitoring costs, the reissuance \ncosts, and the reputational risks, which are intangible but \nnevertheless real. Visa aggressively protects cardholder data \nin order to protect our members from these financial costs.\n    We employ a multi-faceted approach to combat fraud. Visa \nhas implemented a comprehensive and aggressive information \nsecurity program. We call it the Cardholder Information \nSecurity Program or CISP. This program was pioneered by Visa. \nIt applies to all entities that store, process, or transmit \nVisa cardholder data including merchants, retailers and \nprocessors. And this program includes three elements. It's got \nthe data security standards themselves. It's got compliance \nverification. As you're aware, companies have to demonstrate to \nus that they're in compliance. And there are sanctions for \nfailure to comply with the standards.\n    In 2005, we issued penalties associated with failure to \ncomply with this. It was $3.4 million in fines. In 2006, our \nfines went up to $4.6 million. So we're taking aggressive \nefforts to enforce the standards that we've got in place. 
This \nwas the gold standard for data security. It's been widely \nimitated and thought of as a model for other industries. And it's \nthe basis for the common set of industry-wide data security \nrequirements, which is now known as the Payment Card Industry \nData Security Standard.\n    Visa has also led the industry in providing sophisticated \nneural networks that flag unusual spending patterns. These \nneural networks enable our member banks to block a suspected \ntransaction even before the fraud has taken place. We've also \nput in place a cost recovery program that enables our members \nto resolve disputes related to account compromises. Visa \npioneered a number of other security measures designed to \ndetect and prevent fraud. We have an Address Verification \nService that matches address and other information to confirm \nthat a transaction is valid. All of the transactions processed \nthrough the Visa system are checked against an exception file. \nThis is the file of worldwide accounts of lost or stolen \ncards.\n    Other security measures have to do with special security \ncodes on our cards. The Cardholder Verification Value, it's \ncalled CVV, is a three-digit code. It's included in the \nmagnetic stripe on the card. You can't see this code on the \ncard itself, but it's checked electronically at the time of a \ntransaction to ensure that a valid card is present. The CVV2 \ncode is also a special three-digit security code. It's printed \non the signature stripe on the back of the Visa card. On-line \nor telephone merchants can verify that their customers have the \nactual card by requesting this security code.\n    For on-line transactions, we have Verified by Visa, which \nallows on-line merchants to verify that their cardholders are \nthe people that they say they are at the time of an on-line \ntransaction. 
And last, we have an Advanced Authorization \nService that provides an instantaneous analysis of the \npotential for fraud at the very time of the transaction. As a \nresult of these strong security measures, fraud within the Visa \nsystem is extremely low. It's about 5 to 6 cents for every $100 \nof transactions.\n    We also have a security program that's designed to address \nthe special needs of small businesses. Small businesses account \nfor the vast majority of the six million merchants that accept \nVisa cards in the United States. To promote sound security \npractices for small businesses, we've done a variety of things. \nWe've conducted numerous webinars, conference calls, and other \ntraining programs that are targeted at small merchants. We have \npublished a number of security alerts and articles to notify \nbanks and merchants of the latest security vulnerabilities.\n    In addition, Visa and the U.S. Chamber of Commerce recently \nconducted a 12-city nationwide data security education campaign \nto involve both the payments industry and merchants, including \nsmall merchants, in the fight to protect cardholder information.\n    Madam Chairwoman, on legislation, Visa favors reasonable \nrisk-based security and notification requirements that apply to \nall entities that have sensitive information. These standards \nshould be flexible to permit an entity to consider its size and \ncomplexity as well as the nature and scope of its activities. \nWe also believe that standards should be consistent nationwide \nto avoid a clash of conflicting state laws. We favor stronger \npenalties for identity theft and additional resources for law \nenforcement to combat identity theft, and we agree with John of \nNAFCU that the Gramm-Leach-Bliley security rules should \ncontinue to be applicable to financial institutions and should \ncontinue to be enforced by the federal financial regulators.\n    Thank you for this opportunity to testify. 
I would be happy \nto answer any questions.\n    [The prepared statement of Mr. MacCarthy may be found in \nthe Appendix on page 44.]\n\n    Chairwoman Bean. Thank you for your testimony. We will come \nback to you with questions.\n    Our next testimony comes from Mr. Mallory Duncan, Senior \nVice President and General Counsel for the National Retail \nFederation. He is responsible for coordinating strategic \nlegislative and regulatory initiatives. NRF is the world's \nlargest retail trade association, with membership that comprises \nall retail formats and channels of distribution. Prior to \njoining NRF, Duncan served as corporate counsel in the \nWashington office of J.C. Penney's and was attorney advisor in \nthe Office of Policy Planning at the Federal Trade Commission. \nWelcome and please proceed.\n\nSTATEMENT OF MALLORY DUNCAN, SENIOR VICE PRESIDENT AND GENERAL \n              COUNSEL, NATIONAL RETAIL FEDERATION\n\n    Mr. Duncan. Thank you, Madam Chair, Ranking Member Heller, \nand Members of the Committee. NRF's membership includes retailers \nof all sizes, as you've mentioned. My focus today, however, is \non our smaller members. All of us are concerned by the growth \nof high-tech scams that use data about individuals to commit \nfinancial fraud. Breaches have ranged from the mistaken sale of \nthousands of files full of sensitive personal information by \nbrokers to criminals posing as legitimate businesses, the loss \nof encrypted bank account data tapes from the cargo hold of an \nairplane, to criminals attacking and hacking into retailers' \ncomputer systems in order to steal card numbers.\n    While each of these high-profile events was disclosed to \nthe public as a data breach, they involve a broad spectrum of \nnonpublic information, from the most sensitive to the least. \nEach poses a different level of risk to consumers and to \nbusinesses. 
The most sensitive information, such as Social \nSecurity numbers, driver's license numbers, and dates of birth, \nare elements that, if combined with names, addresses, and other \nidentifying information, can lead to real cases of identity \ntheft, that is, the opening of new accounts of which a consumer is \ncompletely unaware.\n    These types of crimes, such as the Ranking Member just \nreferenced, are difficult for consumers to clear up and in some \ncases can bring significant financial distress. They also tend \nto result in the greatest loss for businesses that are duped by \nthese thieves.\n    The breach of other types of information, such as the \nmisuse of card numbers, typically results in account fraud. This \nis the misuse of an existing account. In that case, the \nconsumer is likely to learn of any fraudulent charges quickly, \neither by being alerted by their financial institutions, as Mr. \nMacCarthy just mentioned, or through their own monthly account \nreview. Further, Congress generally ensures that consumers can \nerase bad charges or withdrawals by calling their bank or card \ncompany.\n    This distinction between true identity theft and card fraud \nis very important. Not only are the intrusions different, but \nthe remedies that apply to one can make little sense when \napplied to the other. So my point number one is that data \nbreach laws need to be carefully targeted. To date, most \nlegislators have recognized that the public concern is not with \none-off thefts that result in the loss of a few files. Rather, \nit is the massive intentional hacks by criminals seeking tens \nof thousands of data files at a time that have driven this \nissue.\n    For the data thieves, this literally is a numbers game. \nThey go where it's efficient to gather the greatest amount of \nuseful electronic information. Fortunately, most small \nbusinesses do not store the large caches of sensitive \ninformation that can cause the most harm. 
Any law should be \nsensitive to this distinction.\n    Second, the proposal by some to extend data-breach \nnotification to paper is an area of particular sensitivity for \nsmall businesses, and should be for all businesses, because of \nthe variety of paper records required to be kept for day-to-day \noperations. Indeed, some are required by federal mandate.\n    But small businesses in particular tend to keep forms on \npaper. While it is conceivable that someone might steal \nhundreds of thousands of paper identity records, experience and \ncommon sense indicate that is not nearly as likely as a \ncomputer breach, where such a massive loss can happen at the \nclick of a mouse. Paper breaches are more likely to be a one-\noff crime, and while not diminishing their impact on any single \nidentity theft victim, they certainly do not require the same \nfederal mandate to act as do cases involving thousands or even \nmillions of consumers.\n    Fortunately, businesses and consumers have had a longer \nhistory of dealing with paper records than they have with \nelectronic data files. Imposing a new regulatory scheme on top \nof existing practices would add potentially great cost for very \nlittle real benefit. Tellingly, of the 35 states that have \nconsidered and adopted data breach statutes, only two have \nincluded paper. Congress would be wise not to turn a focused \nbill into an unchecked regulatory burden by expanding its reach \nfar beyond the electronic data breaches that have prompted it.\n    Even given that, 35 differing state laws is a lot. Frankly, \na uniform national breach standard with strong preemption is \nthe best way to ensure that all consumers are treated fairly and \nequally when it comes to notification. Preemption would also \nlessen the compliance burden for all businesses and allow for \none clear notice to be given to all affected customers.\n    Finally, and here I must disagree with my fellow panelist, \nMr. 
Milazzo, and I would be happy to go into this in the \nquestion and answer period. Congress should proceed with \ncaution when it is asked to allocate costs and blame in a credit \ncard breach situation. The card associations' current system, \nwhile far from perfect for merchants and banks alike, attempts \nto balance the equities between all of the parties involved in \na complex credit card transaction. Any interference by Congress \ncould easily skew the cost of security for the card system \ndisproportionately to some participants and leave issuing banks \nlittle responsibility for the ultimate security of their \ncustomers' cards.\n    Thank you for this opportunity to speak today and I will be \nhappy to answer questions.\n    [The prepared statement of Mallory Duncan may be found in \nthe Appendix on page 51.]\n\n    Chairwoman Bean. Thank you, Mr. Duncan.\n    Our next testimony comes from Roger Cochetti, who is the \ngroup director of U.S. Public Policy for the Computing \nTechnology Industry Association. Before coming to CompTIA, \nRoger was senior vice president for policy at VeriSign and a \nprogram director for policy with IBM. We welcome Mr. Cochetti's \n11-year-old son, Emmet, in the audience today, who I understand \nis attending his first congressional hearing and will be \nreporting back to his teacher on what he thought of it.\n    CompTIA has more than 22,000 member companies in over 100 \ncountries around the world, serves as the voice of the world's \n1 trillion plus IT industry, specifically all the VARs around \nthe country, and is based in Chicago, in my State of Illinois. \nWelcome.\n\n  STATEMENT OF ROGER COCHETTI, GROUP DIRECTOR OF U.S. PUBLIC \n                        POLICY, CompTIA\n\n    Mr. Cochetti. Thank you very much, Madam Chair, and Ranking \nMember Heller, Members of the Subcommittee. My name is Roger \nCochetti and I am group director of U.S. Public Policy for the \nComputing Technology Industry Association, CompTIA. 
I am here \ntoday on behalf of our 20,000 member companies. Madam Chair, I \nwant to thank you and the Members of your Subcommittee for \nholding this important hearing on the state of small business \ndata security, and I ask that my full written testimony be \nsubmitted for the hearing record.\n    We believe that your efforts to focus public attention on \nthe factors that affect data security and small business will \nhelp American small business more ably address data and related \nIT security issues. Madam Chair, the Computing Technology \nIndustry Association is the nation's oldest and largest trade \nassociation representing the information technology, or IT, \nindustry. While we represent every major segment of the IT \nindustry, nearly 75 percent of our members are small IT \nbusinesses who provide integrated computer systems to American \nsmall business.\n    The IT needs of American small business are mainly \naddressed by an important segment of the computer industry \ncalled value-added resellers, or VARs. VARs create and \nmaintain, for example, the computer system in your dentist's \noffice, the on-line store in which you shop on the Internet, \nand for your local plumber. VARs are on the front line of \nAmerica's defense against IT security threats. An estimated \n32,000 American VARs buy and resell about one-third of all \ncomputer hardware and software in the United States today, \nmostly to small businesses.\n    Also, Madam Chair, for most people who work in the computer \ntechnology industry, CompTIA is well-known for its non-policy-\nrelated services to the entire IT industry: non-technical \nstandards, industry education, and, particularly relevant to \nthis hearing, professional IT certifications. Among the \nservices that we offer that are relevant to this hearing, \nwe have developed and manage the industry's standard \nbasic professional certification for cyber security, which we \ncall Security+. 
While almost one million American technology \nworkers today hold some type of professional certification from \nCompTIA, around 35,000 hold this Security+ certification.\n    Over the past year, we have launched educational programs \nfor thousands of our members on the technical implications of \nGramm-Leach-Bliley and HIPAA regulations for small businesses, \nand in doing so have introduced the technical issues of data \nsecurity to much of the small business segment. In 2005, we \nbegan a series of conferences for VARs, and through them, the \nsmall businesses that they serve, on cyber security. These \nprograms uniquely deal with small business technical issues, \naddressing issues of IT security, cyber security, and data \nsecurity.\n    Beginning in 2002, CompTIA has commissioned a major annual \nsurvey on IT security. While this annual survey collects \ninformation about all sectors of the economy, about half of the \nparticipants are from small businesses, making it the \ncountry's best barometer of small business IT security \ndevelopments. The principal findings of the most recent CompTIA \nIT security survey are that the IT security issues of small \nbusinesses are serious and that the principal cause of IT \nsecurity breaches is human error.\n    Among the key findings of this year's CompTIA IT security \nsurvey are that nearly 34 percent of all businesses experienced an \nIT security breach within the last year. While that number has \ndeclined from 2005, the survey found a higher level of severity \nin the breaches that have occurred. Over 32 percent of all \nbusinesses reported either successful or attempted data thefts, \nalmost double the number from 2004. 
And 61 percent of small \nbusinesses do not have a written IT security policy in place, \nalthough a written policy without IT awareness and training \ndoesn't amount to much.\n    Eighty-one percent of all participants in the survey \nbelieve that major IT security breaches can be reduced as a \nresult of IT security training and certification. Seventy-four \npercent of all IT security breaches were the result of human \nerror, either alone or in combination with a technical \nmalfunction. Among human errors, employee failure to follow \nsecurity procedures was the factor most often cited.\n    In conclusion, Madam Chair, encouraging proper IT security \ntraining and certification of all relevant employees of small \nbusinesses is the single most important step that this \nSubcommittee could take to promote data security among small \nbusinesses. An example of an important way to accomplish this \ngoal is the Technology Retraining and Investment Now Act for \nthe 21st Century, H.R. 244, which embodies principles that we \nhave supported for some time. TRAIN would provide a federal tax \ncredit to organizations and individuals for increasing their IT \ntraining.\n    More importantly, Madam Chair, it is clear to anyone \nfamiliar with American small businesses that VARs must play a \ncentral role in any effort to reach out to small business in \nthe areas of data security and cyber security. We believe that \nwhat is most needed is a government-industry partnership to \naddress small business IT security issues that takes advantage \nof the unique perspective of thousands of VARs and small \nbusinesses themselves. 
In this regard, Madam Chair, last year \nwe called on this Committee and the Small Business \nAdministration to create a public/private task force that would \nwork to identify and address the IT security issues of small \nbusiness.\n    Such a task force could include VARs, small businesses, \nrepresentatives from SBA, DHS, the Department of Justice, experts, \nand providers of IT security tools. It would identify specific \nsmall business IT security issues and make recommendations. \nSimilarly, Madam Chair, we've called on the Committee and the \nDepartment of Homeland Security and the Small Business \nAdministration to undertake a comprehensive outreach effort on \ndata security and cyber security specifically for small \nbusiness, using the nation's VARs as a key link in cyber \nsecurity business education. We as an association and our \nmembers stand ready to cooperate with such an outreach effort. \nWe renew both of these recommendations today.\n    Madam Chair, thank you again for conducting these important \nhearings. I'll be happy to answer any questions.\n    [The prepared statement of Roger Cochetti may be found in \nthe Appendix on page 66.]\n\n    Chairwoman Bean. Thank you for your testimony.\n    Final testimony is from Steve DelBianco, serving as vice \npresident for public policy of the Association for Competitive \nTechnology. ACT is an international grass-roots advocacy \nand education organization representing more than 3,000 small \nand mid-sized information technology firms from around the \nworld. Before joining ACT, Steve was president of Financial \nDynamics, an IT consulting firm. Thank you for being here.\n\nSTATEMENT OF STEVE DelBIANCO, VICE PRESIDENT FOR PUBLIC POLICY, \n             ASSOCIATION FOR COMPETITIVE TECHNOLOGY\n\n    Mr. DelBianco. Good morning, Chairman Bean, Ranking Member \nHeller, Members of the Committee. 
I'd like to thank the chair \nfor being a real friend to the IT and tech community and for \nholding a hearing on the impact of data security threats and the \nthreats of data security regulation on small businesses.\n    As you indicated, ACT represents thousands of tech and e-\ncommerce businesses, many of whom handle sensitive data for \ncustomer billing and for payroll records. And as you indicated, \nI'm here after making my own small business odyssey out there in \nthe real world. I started that IT consulting firm back in '84, \ngrew it to $20 million and 200 employees, and then sold it \nbefore moving to help found ACT. So I'm a small business \nsurvivor in front of you today.\n    Last night, I took my boys, my two boys, to the Nationals \ngame at RFK and the Nationals attempted a valiant comeback from \nbeing five runs down, only to come up one run short because the \numpire completely blew a call at home plate.\n    And my boys were very upset. They were whining about the \numpire. And I stopped and reminded them, wait a minute. There's \nno crying in baseball. And the same is true with running a \nsmall business, I can tell you. You take what the world gives \nyou every day. Make the best of it. You try to survive to fight \nthe next day.\n    There's no crying in small business either. So I'm not here \nto whine. But since you asked, for the small business \nperspective on data security let me just share three insights \nand three suggestions.\n    Insight number one, it takes a thief to commit identity \ntheft and card fraud. We seem to have lost sight of this \nsometimes. It's not a crime if a laptop is left at the airport or \nan employee walks off with my customer file. Crime happens when \nsomeone uses your card to run up charges or uses a new account \nin your name. So law enforcement will be a key element of any \ndata security effort we undertake.\n    So insight number two, that ID theft has multiple victims. 
\nWe know about the consumers, retailers, and lenders, credit \nunions, but there's also the business and institution who has \nbeen hacked or lost the data. Together, those victims have \nspent $55 billion on ID theft and card fraud in 2005, according \nto the Rubin & Lenard study.\n    And what I would like you to remember is that ten times as \nmuch of those costs were incurred by businesses as by the \nconsumers themselves. In other words, 50 of the 55 billion. So \nlet's be careful not to create more victims by piling \nunworkable regulatory burdens on small business.\n    Insight number three, new costs for security, as the chair \nindicated, disproportionately impact small budgets. You've \nall heard that before, but there are those more subtle ways \nthat small businesses are more vulnerable. An owner's attention \nis stretched incredibly thin and I was always too busy fighting \nfires to spend any time trying to prevent them. It's just the \nway of life of the small business. And as you indicated, it's \nvery rare for small business to have the expertise in-house to \nsolicit, manage, and understand what consultants are telling us \nwhen it comes to complex IT issues.\n    This makes compliance incredibly expensive for small \nbusiness. That's a lesson we've all learned with the Sarbanes-\nOxley implementation, which affected notably businesses that are \nstill much larger than the small businesses affected here.\n    I'm not quite as convinced as my fellow panelists that we \nabsolutely need new data protection regulation to make small \nbusiness care about data security or that new regulation would \nactually put a big dent in identity theft. But I'm a realist \nand regulation is coming. You can feel the momentum building \nand there are good reasons for it. 
Consumers, for instance, will \nbe better able to protect themselves when they receive a notice \nof a data breach, provided that the notice is based on a real \nrisk that ID theft may occur.\n    And second, as you heard, 35 states have now created a \npatchwork of notice laws and we need to replace that with a \nsingle national standard.\n    So if you do create a national standard data security law, \nI have just three suggestions from the small business \nperspective. Suggestion number one, we need broad and deep \npreemption of state laws. Gramm-Leach-Bliley preemption gives \nthe states a floor, but no ceiling, therefore allowing the \nstates to preserve a patchwork of state laws and even add \nparticularly onerous state laws such as the strict liability \nstandard that Mr. Milazzo spoke of, I believe, the strict \nliability standard to reimburse costs incurred by banks and \ncredit unions, even where the company that lost the data was \nnot negligent at all in the way in which the data was lost.\n    The industry, the credit card industry and retailers, have \nworked together for 20 years to build a phenomenal commerce \nindustry through contracts, in cooperation, in sharing of costs \nand the sharing of burdens. Legislation is not the way to \ninterfere with an ecosystem that has worked so well for e-\ncommerce and credit card transactions.\n    Suggestion number two, it's a great idea to add incentives \nso that businesses will make sure that lost or stolen data can't \nbe used when the bad guys get their hands on it. That is to say, \nencryption standards. So encryption software is what most of us \nuse today, but legislation should not lock in today's \ntechnology only. 
So please, make any incentives for encryption \nbroad enough to include tomorrow's data protection \ntechnologies.\n    Third and final suggestion, if you're going to extend the \ndata safeguard rules, as distinct from notice, data safeguard \nrules, to millions of small businesses that are not currently \nregulated, please don't assume that a small business will ever \nbe able to meet the current GLB data safeguards standards. \nPrior data security bills in Congress would have covered \n``anyone handling personal information for interstate \ncommerce.'' That is literally anyone who accepts anything other \nthan cash for a sale. So it's true that flexibility is way \nbetter than prescriptive standards, but flexible can still be \nvery hard and expensive for a small business. A small business \nreally doesn't know where they are in terms of risk and they \nalways have a tough time figuring out where they need to end \nup.\n    The PCI standards that Mark spoke of, for instance, are \nabout 176 individual items of security compliance. That's a \ndizzying array for a small business to understand how to \nimplement. Small businesses need road maps, road maps to get \nfrom where we are to where we need to be to adhere to a \nstandard. Regulators, I would encourage, should evaluate the \nbest practices industries are using, including PCI, a great start, \nand figure out where it meets the standard, and then let the \necosystem of IT companies, Roger's members in mind.\n    So in closing, just please remember that there are \ncriminals behind ID theft and the small business is one of the \nvictims, not the villain, along with the consumers and others at \nthe table. And please don't force small business to implement \nbrand new data safeguard standards until there are approved \nroadmaps to help small business get there.\n    Thank you.\n    [The prepared statement of Steve DelBianco may be found in \nthe Appendix on page 76.]\n\n    Chairwoman Bean. 
Thank you for your testimony.\n    Thank you all for your expertise and your perspective from \nyour varying industries and from your members.\n    My first question is for Mr. MacCarthy. You talked about \nthe Visa payment system and the Cardholder Information Security \nProgram, which aims to secure cardholder data wherever that \nresides. I'd like to know a little bit more about how you \nimplement that and what resources you provide to assist small \nbusinesses in complying with those standards, and I want to \ngive you an example of a couple of things I ran into just this \nweekend and see if they would sort of be covered in what you \nseek to set as your standards.\n    This weekend, my eighth-grader graduated and so I had a \nparty in the back yard and called a rental company I've worked \nwith in the past to set up a tent in the backyard and some \ntables and chairs, and they're great to work with, and they said \nwe're all set up. I said let me give you my Visa number. They \nsaid ``that's okay, I've got it right here in the system from \nwhen you did your party two years ago for your other \ndaughter.'' I'm wondering if that kind of thing would be \ncovered.\n    Then I took my oldest daughter, who is going to be a junior, \nand we were going through some college brochures from College \nNight at the school recently. We went out to dinner to one of \nour favorite restaurants and when I signed my credit card, it \nwasn't just the four numbers of the credit card on the \nsignature, it was the entire credit card number.\n    These are two local businesses that get a good amount of \nbusiness. Do a great job for our community, but I'm just \nwondering, as I saw both of those things as flags this weekend, \nhow prevalent that is and to what degree you're seeing some of \nyour standards curb those activities.\n    Mr. MacCarthy. 
Let me address the two specifics first, so \nthat we can then go on to more general enforcement for small \nbusinesses and large businesses in general. On the example of \nthe guy getting the card and he had your information from a \nyear before, that's a perfectly legitimate business practice. \nSmall businesses, large businesses often have a reason to \nretain cardholder information. Retaining the card number for \npurposes of customer service, for purposes of charge backs or \nproblems associated with the transaction later on, that's a \nperfectly legitimate use of the cardholder information and Visa \nrules do not prohibit that.\n    Nevertheless, if they do save that information, they are \nrequired to keep it safe and secure, but it is not a piece of \ninformation that they should be prohibited from retaining.\n    On the other hand, those security codes that I mentioned in \nmy testimony, the CVV 1 and 2, those are the kinds of codes \nwhich if they're retained in a computer system and that \ncomputer system is then hacked, the person who gets that \ninformation can then go on the Internet and resell the \ninformation. That can create the possibility that a counterfeit \ncard can be made. Without those security codes, the counterfeit \ncard cannot be made. And so the risks of a card being \nmanufactured and used for fraudulent transactions at a large \nnumber of other merchants is significantly lower.\n    So we have a rule that says do not save the security codes. \nThere's no business reason to do that. There's no customer \nservice involved in retaining that code. There's no \nverification or authorization that you need in order to save \nthat code. Don't save the code.\n    So what your vendor did in that kind of circumstance as far \nas I can tell was perfectly legitimate in saving the number. \nMay or may not, if he saved also the security code, that could \nhave created a problem. 
We have no way of knowing that just by \nthe description that you gave.\n    The truncation problem, there's a federal law. Visa was \nheavily involved in working with Congress, with Senator \nFeinstein, with Members of the Financial Services Committee, in \nputting in place a requirement in federal law that says that on \nthe customer receipt the only thing that should appear is the \nlast four digits of the card account number. And that's \ndesigned to create difficulty for the dumpster divers who might \ngo in and find a receipt later on.\n    That's been in effect for a couple of years. There was a \ntransition period of time to allow small businesses and others \nto upgrade the systems to come into compliance. That transition \nperiod has passed. And those--they should be in place already. \nIt's the kind of thing where the FTC is beginning to look more \ncarefully at enforcement mechanisms. There have been a number \nof lawsuits filed in the area to try to create more incentive \nfor the small businesses and others to come into compliance \nwith that. But it is a matter of federal law that you come into \ncompliance with that truncation requirement.\n    More generally, we have found that the major problem in the \npayment card world with respect to data security comes not from \nsmall businesses, not from the six million or so small \nbusinesses that we think of as Level 4 merchants, of a small \nnumber of transactions. The major problem comes from the larger \nmerchants. Almost the vast majority of the card accounts that \nare compromised come from large merchants and we have an \nincentive program to move them forward into compliance.\n    I'm happy to report that in the last several years, \nfollowing the ChoicePoint incidents and the CSSI incidents, DSW \nand BJ's, the perception has grown among the merchant and \nretailer community and the processor community 
that it's \nimportant to practice good security.\n    Our compliance rates have gone up dramatically. And in that \nkey area of saving the security code, we now have among the \nlarger merchants 93 percent compliance and the remaining 7 \npercent are subject to monthly fines, so we expect them to be \ncoming into compliance with that requirement very soon.\n    For the more general set of security rules, the whole PCI \nstandard, it is such that between 85 and 90 percent of our larger \nmerchants have either given us a report that indicates that \nthey're in compliance or have given us a report that indicates \nhow they will come into compliance, a remediation plan for \nmoving forward in that area. So the news is good. We still have \nto aggressively enforce our requirements and intend to do \nso, going into the future.\n    Chairwoman Bean. Thank you. I have some other questions, but \nI'd first like to yield to Ranking Member Heller for some \nquestions.\n    Mr. Heller. Thank you, Madam Chairwoman. I want to go to Mr. \nMacCarthy also. I have a Visa debit card.\n    Mr. MacCarthy. Thank you. Use it well.\n    (Laughter.)\n    Mr. Heller. It was put on hold last week during the \nrecess. It was put on hold and I actually thank the gentleman on \nthe other end of the line because a transaction was made in \nWashington, D.C., San Francisco, and Reno, Nevada in one day. \nAnd for that reason, when I went to fill up a tank of gasoline \nthe card was rejected and we worked it out, but tell me more \nabout that process. And what you guys do to protect the \nconsumer under similar circumstances.\n    Mr. MacCarthy. I can't speak to the exact facts of the case, \nbut it sounds to me, since you have the card, it sounds to me \nwhat happened is likely there was a data breach somewhere and \nthe card information was improperly stored and a counterfeit \ncard, maybe more than one counterfeit card, was created based \nupon that stolen information. 
And then the fraudsters went \nthrough a number of locations and committed--\n    Mr. Heller. By the way, I made all those transactions.\n    Mr. MacCarthy. Pardon?\n    Mr. Heller. I made all of those transactions. The transactions \nin Washington, San Francisco and Reno were made by me.\n    Mr. MacCarthy. Okay.\n    Mr. Heller. Just so you know, there wasn't misuse of the \ncard.\n    Mr. MacCarthy. I misunderstood. So what looks as \nthough happened is that the neural network that I described in \nmy testimony looked at that pattern of transactions and said \nto you, that doesn't look like something you would normally do. \nThat's out of character. It looks to us like exactly what I \njust described, a series of transactions that were committed by \na fraudster. So to protect you and to protect themselves from \nthe fraud losses, they put a stop on the card until they could \ntalk to you directly and say, are these transactions that you \nwere involved in? And if you said, oh yeah, I did that, then \nthey know the problem is not a real problem. If, on the other \nhand, you said, no, no, I didn't do any of that stuff, then they \nknow they've got a counterfeit fraud problem on their hands and \nthey would have to re-issue the card.\n    Mr. Heller. Explain again your Zero Liability policy.\n    Mr. MacCarthy. That's a policy that we put in place to \nsupplement the federal rules that exist in this area for credit \ncards and for debit cards. There are limitations on liability for \ncredit cards. No more than $50 of fraudulent transactions can \nbe charged to the cardholder. Visa and the other card companies, \nin the last five to six years, decided to move that policy to \nzero. And what it means is that if there are fraudulent \ntransactions on your account, if your card has been lost or \nstolen or it's been the subject of a counterfeit and the \ntransactions were made, but not by you, you are not responsible \nfor any of the losses associated with that. 
So in that context \nthat I just described, if you said I didn't do that, these are \nnot my transactions, they would immediately expunge those debts \nfrom your record and you would not be responsible for paying.\n    Mr. Heller. Who is responsible for those?\n    Mr. MacCarthy. As I said in my testimony, in the first \ninstance, the entities that are responsible for those fraud losses \nare the financial institutions that issue you the card. So \nJohn's members would be in the first instance responsible for \nthose fraud losses.\n    And that gives us a full reason to move ahead with \nproviding good information security programs because our member \nbanks bear the fraud loss. For example, if the card had been \nused at Circuit City to buy some electronic equipment, it's a \nfraudulent transaction. The merchant, though, didn't do anything \nwrong. So they typically get paid in that context, right? So \nthey get their money. The cardholder is protected. He doesn't \nhave to pay anything because it wasn't his transaction. So the \nentity that gets stuck paying the bill is the financial \ninstitution that issued the card, John's members.\n    That's why we really have to step up to do something to fix \nthis kind of problem.\n    Mr. Heller. I was wondering if the burden was more on the \nmerchant as it was the financial institution. It is the \nfinancial institution.\n    Mr. MacCarthy. Yes.\n    Mr. Heller. Mr. Duncan?\n    Mr. Duncan. May I say a little bit to that? Mark is correct. \nThe initial burden is on the financial institution. But I \nincluded in your package a chart that shows the system works. \nIt's this. And these are the rules and regulations, Visa, \nMasterCard at the top of it, the issuing banks like the credit \nunion, and there are other merchant banks who actually have a \ncontract with the individual merchants.\n    If it turns out in this case, now within this system, there \nwill be reimbursement paid for the cost of issuing the cards, \nwhatever else. 
It was a fraud. To the credit union. But if it \nturns out there was a breach, say in--to use the example, TJX. \nTJX also had a merchant bank. Ultimately what happens is that \nthe merchant bank, after reimbursing the credit unions \nand others, goes back to TJX, outside the system, and says, \nTJX, you have to pay us. So the initial payment is made within \nthe system so that ultimately, if there's a fraud, it goes back \nto the retailer outside. And that's actually one of the reasons \nwhy if--this is such a complicated system. You want to be very \ncareful before you start reallocating what's going on. We \nfrankly think the folks in Minnesota have made a mistake \nbecause they didn't understand how this system worked when they \nwent ahead and reallocated.\n    Mr. Heller. Thank you very much. Madam Chairwoman, so you \nknow I have a markup in a Resource Committee. I appreciate your \ntime and energy. I want to thank all the witnesses. Congressman \nJordan will take my place as we move forward.\n    Chairwoman Bean. I recognize Mr. Jordan for five minutes. He \nhas some questions.\n    Mr. Jordan. Thank you, Madam Chair. What percentage of sales \ntoday are credit card versus cash or check? Any idea of the \npercentage?\n    Mr. Duncan. It varies with the type of merchant. Obviously, \nif you're talking on-line merchants, it's virtually 100 \npercent.\n    Mr. Jordan. Right.\n    Mr. Duncan. If you're talking in a grocery store, I think \nthe last numbers I saw were approaching 55 percent of \ntransactions are on plastic. More traditional department \nstores, it might even be higher than that.\n    So it's the majority of purchases. Now there are other \nareas, for example, in the fast food industry, which has \ntraditionally been a cash business, where the number might be \ncloser to 15 percent.\n    Mr. MacCarthy. According to the Federal Reserve over half of \nall retail transactions are electronic in form. 
In the Visa
system, over 60 percent of our transactions are with debit
cards and over 50 percent of the dollar volume is with debit
cards, not with credit cards.
    Mr. Jordan. Let me go to, and I apologize I didn't catch
everyone's testimony earlier, but Mr. DelBianco, you had
mentioned in your testimony, I think this is a quote,
``roadmaps not regulation'' is what you would advocate. Seems
to make sense to me. As much as we possibly can let the
marketplace drive what has to happen on data security.
    Because if a company or anybody is having some problems
that's not good for business. They get an incentive to do it
right. Walk me through what you mean exactly by the roadmaps
versus some of the regulation that may be proposed?
    Mr. DelBianco. Thank you, Congressman. I'll draw a
distinction. The way the GLB, Gramm-Leach-Bliley data
safeguards rule was implemented has turned out to create a very
flexible way of addressing through an audit risk assessments
and then handling. It's in the final appendix of my testimony
and then various industries will then take that on. For
instance, Mark's industry, the payment card industry took that
on and they had currently said here's how we think banks should
implement or merchants should implement GLB compliant data
safeguards. And again, this has nothing to do with notification
of breach. It's just the data safeguards rules that are put
into place.
    So what Mark considers to be a roadmap is a 12 page, 176
individual items that is very daunting as Mark will acknowledge
for small businesses to implement, for small merchants to
implement. So the small merchant looks at that and says there
are a myriad, an infinite number of ways to actually satisfy
that standard. What we need are more implementable ways to say
here's a plan to implement it, if you've got a website that
does e-commerce.
You can very strictly say, website is doing e-commerce,
capturing credit cards for single time billing.
Here's the roadmap to be compliant with whatever data safeguard
you issue.
    So it's not just the vendor telling our small business
here's what I think you ought to do and it may be compliant.
The vendor would say look, here's the roadmap. This has been
approved by the regulatory authority, so you can follow it.
There might be a different roadmap though. Some of my employees
use laptop computers and travel with them. And there's customer
data on the laptop. A different set of roadmaps for that on how
I secure and encrypt that information.
    And finally, let's suppose I've got some work at home moms
doing tech support for me on my small tech firm and we did.
Well, they're working at home on the Internet on their own
computers. Well, there may be a separate set of roadmap rules
for how do I secure information that shows up on their
machines. These are simple implementable steps that we would
welcome and actually they would be essential for small
businesses to be able to afford implementation.
    Mr. Jordan. Good. Thank you. Thank you, Madam Chair.
    Chairwoman Bean. Thank you. I wanted to follow up with Mr.
Duncan. You talked about how the merchants are required to
comply with the various standards. Can you tell me how that's
working from the merchants' perspective? Are they finding it
easy to comply? Is it very challenging for them? Can you give
me some examples?
    Mr. Duncan. Are you referring to the current notification
standards within the states?
    Chairwoman Bean. Also from the payment card industry as
well.
    Mr. Duncan. That has been and I think Mark and I wanted to
raise this, it's been challenging. This was a relatively new
proposal that's come up in response to a real need, the fact
that there are bad guys out there who are trying to break into
systems.
The difficulty for many of the larger merchants is
that there is no one single way to comply. I think, in fact,
there are about 221 individual requirements. And many
merchants, there's some ambiguity as to some of those
requirements and some of those have actually changed over time.
Some of them because the payment card industry has gone back
and looked at them and realized maybe we didn't say this quite
right, but other times because of the face of new threats. This
is not bad. It's an evolving entity, but it has been extremely
challenging. And of course, if your--our primary business is
trying to bring product into our stores, sell merchandise, make
customers happy. And if you've got all of these requirements
you have to look at, as a separate part of your business just
in order to be able to take payment, and if those are changing,
and it's costing you millions of dollars each time you're
making those changes, it can be very challenging. But we are
trying very hard, as Mark said, to our largest members to get
into compliance.
    I think you have a very story when you're talking about
smaller businesses and you have--and the payment card industry
has recognized that they have to have some variation in their
standards for the smaller businesses. But even there we have to
be careful that we don't put on requirements that it's simply
beyond the capability of a sole proprietorship to handle.
    Chairwoman Bean. Do you have perspective from the state regs
as well?
    Mr. Duncan. From the state regs, there is a fair amount of
conflict out there. For example, some states may give you a
great deal of flexibility to work with law enforcement before
you make any notice of disclosure. Others don't give that
flexibility. Well, if you've got customers coming from
different states which approach do you take and you don't want
to inadvertently cross over the line.
So there are real
challenges which is why a uniform standard with preemption
would be desirable.
    Mr. MacCarthy. Madam Chairman, can I jump in on the PCI
standard issue?
    Chairwoman Bean. Yes, please.
    Mr. MacCarthy. On the question of the large merchants and
their ability to comply, I think Mallory is right, this was a
challenge at the beginning and there were some intense
discussions before we moved ahead. The standard that Visa
developed was designed for enforceability and testability. It
was based upon private standard instead of being developed by
ISO that were sort of general recommendations to do good things
in this area.
    We took that and made it specific enough so that it could
actually be tested against so that an outside vendor could come
in, look at a system that was designed to handle payments and
say are you in compliance with these rules or not?
    So it's flexible in the sense that it has many different
ways of complying, but one of those ways of compliance is
something that could be detected by an outside vendor and as I
say in my comments before, the large merchants have moved ahead
very, very effectively in this area.
    The small merchants tend to be less of the problem because
they have, as Mallory said, less of a honey pot for the thieves
to go after. So the enforcement there has to be less stringent
and our validation requirements are tiered to make sure that we
don't put an unnecessary burden on the companies. Many of the
small businesses, they have computer systems. And then they
have the point of sale terminal that connects up to the payment
system, but they don't link the two. The two are separate
systems and so there's no storage of information in the
computer system.
When they get to be more sophisticated and
they want to do more customer service, like your vendor, they
might link the two systems and store cardholder information in
their computer systems in a way that could create a security
problem.
    We have decided to move ahead with recommendations for our
small businesses and for our large businesses. There are
payment system applications that do not improperly store data
in that context. We've listed those on our website. They're
publicly available. All you have to do is go to the Visa site
and find it. There's also a list of point of sale applications
which we do not recommend, which have the flaw in them and we
know that there is a problem associated with that. And so the
small businesses and others can go there and say don't use
those point of sale applications. They will create a problem.
    So we're taking seriously our obligation to provide
information, guidance and training for small businesses to
allow them to move ahead. When they move to try to link their
two systems, they can turn to Visa or to the acquiring bank
that they work with for guidance on how best to do that.
    Mr. Cochetti. Madam Chair, may I offer one very quick
comment and that is much of the conversation has been about the
importance of procedures and this trickle down of procedures. I
think it is important to keep in mind that the vast majority of
instances in which data breach occurs, particularly in small
business, when it does occur, it is not a result of a failure
of procedures, but it's a result of human error that occurs.
You can have a merchant or small business owner or larger
business owner or sort of sign up to procedures and you can
have the technology tools that the vendors will provide, but if
you don't have employees who are trained, and comply with them,
that's where breaches very often occur.
So I think the
Subcommittee would be wise to keep in mind the importance of
the human element in all of this. Thank you.
    Chairwoman Bean. I'd like to get back to you, Mr. Cochetti,
and I also want to ask Mr. Milazzo as well, given--I know that
you have entities across the country that you train with, I
think you called it your Security+ Program, also have 35 state
regs to try to comply with makes it difficult to have a
consistent training program or to adhere to a certain best
practices model, so I would think that it would serve your
membership and their customers as well.
    Mr. Cochetti. Yes, I think, Madam Chair, the issue for us is
probably less sensitive to the compliance questions that the
retail firms and the credit card issuers have to deal with,
because they're in the compliance chain. What we do in our
Security+ certification is basic security tools so that one
understands how they work.
    For the most part, these have been able to be accommodated
in the existing patchwork of state standards. However, as the
patchwork itself grows and varies, it puts enormous stretches
on the ability to have a standard professional certification.
So you're absolutely right.
    Thank you.
    Chairwoman Bean. I'd like to address that to Mr. Milazzo and
for your membership, how challenging is that having 35
different laws to--
    Mr. Milazzo. It's extremely challenging. Yes, ma'am. We in
the credit union industry take great lengths to train our
employees as well to be compliant. We do that internally. In my
instance, we have an internal training facility that actually
trains any employee that has contact or have any input in the
plastic card or payment system on what policies, procedures,
not only are impacted by our own credit union and its policies,
but those of the credit card industry itself.
We take that very
seriously and it's a great cost, a great burden to our
institution, as I'm sure the institutions in our industry.
    I might mention also that there has been a great deal of
talk about small companies, or small entities and the cost of
compliance. I might remind you then that in the credit union
world, many credit unions are very small. Mine is a credit
union of 300 and roughly $20 million in assets. In the world of
financial institutions, I'm a small business. The cost, the
burden to me to comply with GLB is great to me but we take it
very seriously. We find a way to do that and those tools that
we don't have internally, we'll find externally. We'll go to
our associations or we will go to our vendors. We'll go to
outside resources to make that happen.
    Chairwoman Bean. All right. I would like to open up to the
panel a question that essentially addresses what we have all
been talking about on some level, in that small businesses tend
to lack the infrastructure. They don't have compliance
departments, sometimes they don't have IT departments even to
manage their data. What can be done to assist them, not only in
the training--certainly you are doing some things, Mr.
Cochetti, through your membership as far as training of
employees, but in order to develop their security plans? Mr.
DelBianco?
    Mr. DelBianco. Thank you. I already sort of addressed the
road map, but in a general sense, Sarbanes-Oxley would be a
road map on how not to do it, a road map to nowhere. Part of it
depends on the ecosystem of vendors. Roger's members and mine,
who actually implement solutions for businesses that you've
described, that ecosystem typically comes out of the box,
handling the biggest customers first. Same with Sarbanes-Oxley.
The big consulting firms took care of the largest businesses
first for compliance.
Those are very expensive contracts,
because they're large and complex systems, but both the vendors
and the customers are sort of learning the ropes as to what is
going to satisfy the congressional mandate.
    So it takes time--years, for those vendors to actually
figure it out, come up with a cook book, their own road maps of
implementing systems. They will come up with a road map for an
ERP system, a road map for an in-house database. And only after
they have sort of skimmed the cream of the big customers do
they start to move into the middle tier and the smaller firms.
So the ecosystem of industry will do a great job implementing
it, but it cannot do it overnight and it will start at the top
and work its way down. Therefore you need a graduated series of
deadlines for implementation that are sensitive to the small
businesses that will be the last ones that will be looked at.
If Mark is right, that the vast majority of ID theft and card
fraud occurs at very, very large institutions, I think it would
be appropriate to work our way from a top down in terms of risk
assessments. Thank you.
    Chairwoman Bean. All right. Thank you. Others? Mr. Duncan?
    Mr. Duncan. Yes, as I've suggested in my testimony, we
really need to focus on where the core of the problem is first
and it is the thieves who for a minimal amount of work relative
to the number of names they will get will tend to focus on
certain sizes and caches of data. Fortunately, small businesses
aren't the prime opportunity. If there is anything that the
Committee can do, the Subcommittee can do it, it would be to
keep an eye out to make certain that some in a zeal to say I'm
going to fix this problem once and for all, don't end up
putting burdens on small businesses that are totally
unrealistic. It's very important.
    Chairwoman Bean. Thank you. I think, Mr. Milazzo, you
wanted--
    Mr. Milazzo.
I guess I would follow by saying that I think
the real cause, obviously, are all the crooks that are out
there, they are looking for ways that are taking great strides
in trying to find the ways to break systems. If they use those
talents to do something fruitful, there is no telling what they
could accomplish. I think that the real key to all of this is
to keep that in mind and to put teeth into the laws that
prohibit that. Those people that are found and prosecuted ought
to serve time and ought to do things to make restitution to
make less attractive those activities to others.
    Chairwoman Bean. Absolutely. It wouldn't be bad if we could
publicize those penalties as well.
    Mr. MacCarthy. I think just to finish up, we do have small
business validation dates that are significantly farther into
the future than for the larger companies for exactly the
reasons that they described earlier. As we get better and
better at fixing the problem at the large databases retained by
large processors and merchants, the crooks are going to say
where else can I go? They're going to start to go down the
chain and ultimately they're going to get to the smaller
businesses. So we're working with the middle-sized businesses
now and, you know, we're going to be ultimately having to work
with the small businesses. It's a matter of time before, you
know, the problem shifts down to that level. I do think we have
to begin the process now so that we're ahead of the crooks. We
don't wait for them to discover the new honey pots. I'm saying
now we've got a rich trove here to create problems for members,
for other merchants, for customers, and so on. So I think the
process has to be slow. It has to be gradual, but it has to be
ongoing.
    Chairwoman Bean. Absolutely. Mr. Cochetti?
    Mr. Cochetti. Just a couple. I did want to emphasize the
importance of Mr.
DelBianco's point earlier of
differentiating among the different segments. Most of the
conversation that we've had today has focused on retail
merchants. Indeed, among small businesses retail merchants are
important and for data security issues, perhaps the most
important. But the first differentiation is the vast
differentiation between large and small. But it is also
important to keep in mind that among small business, almost
half of the clients of our members are not retail merchants.
    Chairwoman Bean. They're B2B.
    Mr. Cochetti. Excuse me?
    Chairwoman Bean. They're B2B.
    Mr. Cochetti. Of course. Or, you know, they are attorneys,
they're real estate agents, they're manicurists, they're the
enormous variety. Only a quarter of the small businesses in the
United States today are retail merchants. The other two thirds
primarily think of themselves--they may use a credit card from
time to time for billing purposes, but they don't think of
themselves as retail merchants. So let's differentiate those
and let's make sure that we understand that when we think about
road maps, there are really very different road maps that fit
very different types of small businesses. At the end of the
day, the people who know this best are the merchants and the IT
people who work with them because they know exactly what that
business is. They know exactly what data they store and where
it is stored. So I think our number one recommendation
continues to be the importance of an education and outreach
effort, so that the various segments can sort of among
themselves begin to figure out, with help from DHS, SBA, and
everyone else, can begin to figure out what makes sense for
them. Thank you.
    Chairwoman Bean. I have a final question. Probably for Mr.
Cochetti, but others may have some comments as well about the
cost of data security insurance which has become an issue in
more and more in looking at sort of cyber insurance. Some are
finding it too costly. Do you have any comments on that?
    For Mr. Cochetti, specifically what IT investments can
small businesses make maybe as an alternative to that to better
protect themselves?
    Mr. Cochetti. Madam Chair, we have found over the past few
years in particular as the issues have been more visible and
these liability issues have become noteworthy, that there has
been the development of an insurance service for data breaches.
It has been difficult for that service to reach down to small
business, and I think that's one of the issues that our members
have been trying to work with their customers on as sort of
what can they do to develop a compliance package that would
satisfy and ensure that they should qualify for coverage?
    We haven't gotten there yet, but it is an on-going
activity. I think on the second point, what can be done, I
think the main tools that one looks to deal with this on the
part of any small business are sort of at the abstract level
fairly common. They're procedures. They are technology tools,
both hardware and principally software and then there is
training. You know, I think at all three levels we work with
small business to help them understand what are the best
practices or what are the tools, what are the procedures that
fit them. But that varies very much from segment to segment.
For technology tools, there is a vast array of them available
in the marketplace. There is no shortage of tools. That's the
one area where you can say there is no shortage of tools
available out there and training is the one that usually gets
the short end of it and the one that we feel needs additional
support and encouragement from the federal government.
    Chairwoman Bean. Okay, before I get to Mr.
DelBianco, I just
want to comment. I also in my District, we do a lot on identity
theft and also Internet safety for kids. Being a parent of
teenage girls, it particularly hits home for me. One of the
frustrations as a parent and even as we coach people on certain
things they can do, it requires a level of technical aptitude.
Even though I come out of high tech, I certainly haven't been
keeping up in recent years to try to protect your kids from
cyber criminals.
    I look to the VARs and the integrators that are out there
and have said to them do any of you have a here's my, you know,
kid's safe program, if I just buy that, that package, you come
in, you lock everything up and now it is safe. There really
isn't that. Partly because of the evolving technology, but
partly because there haven't been standards set that these are
the core things you minimally have to do and different folks
recommend different solutions.
    So I particularly like what you're talking about here,
about having a road map, trying to set some at least core best
practices to try to achieve in the industry.
    I know, Mr. DelBianco, you wanted to add some comments of
your own?
    Mr. DelBianco. Thank you, Madam Chair. Appendix A to my
testimony included a simple chart which I called the security
stack. It's really just meant to imply that there is no silver
bullet, no one point of vulnerability, but a whole stack. Of
course, it starts with user habits and human error and goes all
the way down to networking and support.
    Chairwoman Bean. Physical error, yes.
    Mr. DelBianco. Exactly. But the one place where because you
asked the question of where would you start, and one place you
would start is the second layer of the stack called the
application software. That would take care of the problem that
Mark MacCarthy brought up. First thing that business would do
is to encrypt customer account numbers.
If they have to store
them at all, you encrypt them so that if a breach should occur
through some other layer of the stack, the data itself is not
subject to abuse. That allows the risk trigger to be pulled and
the company doesn't have to do notice. The company doesn't have
to go through the problems, because it's not going to create a
risk of identity fraud.
    Chairwoman Bean. Thank you.
    Mr. Cochetti. Just if I could briefly say that many of the
tools that have been developed for industry are applicable to
consumers in home use. But there's a very substantial effort
under way which I am happy to say CompTIA is a supporter and
founder, to develop tools and services for consumers at the
home level to provide on-line safety for children.
    Mr. MacCarthy. Madame Chairman, can I jump in on the--
    Chairwoman Bean. I'm going to let you, you know, each make a
comment on this because we're going to wrap on this one. I
think we've covered--no, I did ask Mr. Jordan. He didn't have a
question. So go ahead, Mr. Duncan.
    Mr. Duncan. I think your question illuminates something.
It's very important for small businesses. They are running a
business, and while IT may be part of that business, they
frankly don't know--
    Chairwoman Bean. They don't want to be in that business.
    Mr. Duncan. They don't know a lot about what is going on. We
had a case of a retailer who had a cash register system within
his store, and he frankly thought he was fully compliant, that
he was not preserving the kinds of codes, and he knew enough to
ask the vendor if information was being stored, and he was
told not.
    Well, what happened of course was that the information was
being stored, but it was wiped out at the close of each
business day. So from the vendor's standpoint, the information
was not being stored.
    Chairwoman Bean. Not being stored.
    Mr. Duncan.
And from the retailer's standpoint, he thought
he had done--he knows no more about what's in that system than
I know what is going on in my Windows. And yet, he found
himself subject of a data breach because someone, a former
employee of that company realized that there was a back door
and was pulling the data out at 4:30 in the evening before he
shut down. So we have to be realistic about what is actually
achievable, and not put knowledge burdens on merchants that
they literally can't achieve.
    Chairwoman Bean. Well, it's your point many parents--talked
about parents wanting to just buy safety for their children.
Small businesses want to buy--just give me the Security+
package. I don't want to have to learn it or know it. I'm
focused on revenue generation, I don't want to have to focus on
that. So I think that to the degree that we can achieve a
roadmap where there will be those in the business who can offer
that as a commodified product in the market.
    Mr. Duncan. And just finally, because it's a very
competitive business and profit margins are very thin, you
can't buy that system here.
    Chairwoman Bean. Well, every business model is different to
the degree to how much you're storing and how much customer or
financial information you're keeping as well.
    Mr. Milazzo. Madame Chair, I think your original question
had to do with insurance. I might want to share with you the
fact that in the financial industry, and particularly in credit
unions, we find that the cost as I had shared with you earlier
is going up. It's increasing from year to year with the
coverage for plastic card and payment card systems. It's gotten
to the point too that many of the insurers have found that not
to be a profitable business--
    Chairwoman Bean. Thank you, Emmet.
    (Laughter.)
    Chairwoman Bean.
That is not a profitable business in spite
of the rise in the premiums, to the point that some are
actually considering, as I understand, dropping that coverage.
If they do that, it gives financial institutions fewer choices
to go to for that type of insurance which only drives that cost
up from those that do provide it. It may cause some financial
institutions to self-insure, which is I think somewhat
dangerous. Or, in other cases, to sell their portfolios, which
means basically they get out of the business. I think all those
are detrimental.
    Chairwoman Bean. All right, Mark, did you have a final
comment, too?
    Mr. MacCarthy. A comment on Duncan's example of the retailer
doesn't know what--I mean, that's one reason why Visa took the
step of putting the approved payment applications on the
Internet and putting the disapproved one on there at all. Maybe
the retailer shouldn't know that, but the vendor who is
providing the service would be able to check the site and get
one of the application programs that doesn't save it even for a
brief period of time. So we're trying to do what we can to get
the information out into the marketplace to resolve exactly
those kinds of difficulties.
    On Steve's mention that, you know, the first thing to do is
encrypt the data--maybe. One of our requirements is protect
stored data. It is not encrypt stored data. There may be reasons
why in a given kind of circumstance that encryption isn't the
right solution. You might have to redact it or otherwise make
it unusable. So the requirement is protect the stored data,
which actually has an implication for legislation. We shouldn't
have something that says encrypt and only encrypt. The standard
in the legislation should be encrypt the information or
otherwise make it unusable. It's the kind of standard that is
already built into what the industry is doing.
    Chairwoman Bean.
Well, thank you all for your insightful
testimony. In conclusion, I'm going to ask unanimous consent
that members will have five days to submit statements and
supporting materials for the record. No one is here to object,
so without objection, so ordered. This hearing is now adjourned.
    [Whereupon, at 11:31 a.m., the hearing was concluded.]

    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
</pre></body></html>